Pin actions with SHA, replace unmaintained, add dependabot for actions

[client] Revert "Clean up legacy 32-bit and HKCU registry entries on Windows install (#6176 )" (#6232 )
This reverts commit d927ef468a.
2026-05-23 09:09:56 +00:00 · 2026-05-22 18:51:57 +02:00 · 2026-05-21 16:27:12 +02:00 · 2026-05-20 18:46:51 +02:00 · 2026-05-20 18:24:00 +02:00 · 2026-05-20 18:21:22 +02:00
365 changed files with 10783 additions and 27363 deletions
--- a/.github/actions/parse-semver/action.yml
+++ b/.github/actions/parse-semver/action.yml
@@ -0,0 +1,46 @@
+name: Parse semver string
+description: Parse a refs/tags/vX.Y.Z[-prerelease][+build] ref into version components. Falls back to 0.0.0 when not run on a version tag.
+outputs:
+  major:
+    description: Major version number (e.g. "1" from v1.2.3).
+    value: ${{ steps.parse.outputs.major }}
+  minor:
+    description: Minor version number (e.g. "2" from v1.2.3).
+    value: ${{ steps.parse.outputs.minor }}
+  patch:
+    description: Patch version number (e.g. "3" from v1.2.3).
+    value: ${{ steps.parse.outputs.patch }}
+  prerelease:
+    description: Prerelease identifier (e.g. "rc.1" from v1.2.3-rc.1), empty when absent.
+    value: ${{ steps.parse.outputs.prerelease }}
+  build:
+    description: Build metadata (e.g. "build.7" from v1.2.3+build.7), empty when absent.
+    value: ${{ steps.parse.outputs.build }}
+  fullversion:
+    description: MAJOR.MINOR.PATCH joined (e.g. "1.2.3").
+    value: ${{ steps.parse.outputs.fullversion }}
+runs:
+  using: composite
+  steps:
+    - id: parse
+      shell: bash
+      run: |
+        set -euo pipefail
+        REF="${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}"
+        if [[ "$REF" =~ ^refs/tags/v([0-9]+)\.([0-9]+)\.([0-9]+)(-([0-9A-Za-z.-]+))?(\+([0-9A-Za-z.-]+))?$ ]]; then
+          MAJOR="${BASH_REMATCH[1]}"
+          MINOR="${BASH_REMATCH[2]}"
+          PATCH="${BASH_REMATCH[3]}"
+          PRERELEASE="${BASH_REMATCH[5]}"
+          BUILD="${BASH_REMATCH[7]}"
+        else
+          MAJOR=0; MINOR=0; PATCH=0; PRERELEASE=""; BUILD=""
+        fi
+        {
+          echo "major=$MAJOR"
+          echo "minor=$MINOR"
+          echo "patch=$PATCH"
+          echo "prerelease=$PRERELEASE"
+          echo "build=$BUILD"
+          echo "fullversion=$MAJOR.$MINOR.$PATCH"
+        } >> "$GITHUB_OUTPUT"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,34 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 15
+    groups:
+      actions:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 15
+    groups:
+      aws-sdk:
+        patterns:
+          - "github.com/aws/aws-sdk-go-v2/*"
+      pion:
+        patterns:
+          - "github.com/pion/*"
+      gorm:
+        patterns:
+          - "gorm.io/*"
+      otel:
+        patterns:
+          - "go.opentelemetry.io/*"
+      testcontainers:
+        patterns:
+          - "github.com/testcontainers/testcontainers-go/*"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -12,6 +12,7 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
+- [ ] This change does **not** modify the public API, gRPC protocols, functionality behavior, CLI / service flags, or introduce a new feature — **OR** I have discussed it with the NetBird team beforehand (link the issue / Slack thread in the description). See [CONTRIBUTING.md](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTING.md#discuss-changes-with-the-netbird-team-first).

 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).

--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -2,16 +2,16 @@ name: Check License Dependencies

 on:
  push:
-    branches: [ main ]
+    branches: [main]
    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.github/workflows/check-license-dependencies.yml'
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/check-license-dependencies.yml"
  pull_request:
    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.github/workflows/check-license-dependencies.yml'
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/check-license-dependencies.yml"

 jobs:
  check-internal-dependencies:
@@ -19,7 +19,8 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Check for problematic license dependencies
        run: |
@@ -56,55 +57,55 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-        cache: true
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: "go.mod"
+          cache: true

-    - name: Install go-licenses
-      run: go install github.com/google/go-licenses@v1.6.0
+      - name: Install go-licenses
+        run: go install github.com/google/go-licenses@v1.6.0

-    - name: Check for GPL/AGPL licensed dependencies
-      run: |
-        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
-        echo ""
-
-        # Check all Go packages for copyleft licenses, excluding internal netbird packages
-        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
-
-        if [ -n "$COPYLEFT_DEPS" ]; then
-          echo "Found copyleft licensed dependencies:"
-          echo "$COPYLEFT_DEPS"
+      - name: Check for GPL/AGPL licensed dependencies
+        run: |
+          echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
          echo ""

-          # Filter out dependencies that are only pulled in by internal AGPL packages
-          INCOMPATIBLE=""
-          while IFS=',' read -r package url license; do
-            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
-              # Find ALL packages that import this GPL package using go list
-              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+          # Check all Go packages for copyleft licenses, excluding internal netbird packages
+          COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)

-              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
-
-              if [ -n "$BSD_IMPORTER" ]; then
-                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
-                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
-              else
-                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
-              fi
-            fi
-          done <<< "$COPYLEFT_DEPS"
-
-          if [ -n "$INCOMPATIBLE" ]; then
+          if [ -n "$COPYLEFT_DEPS" ]; then
+            echo "Found copyleft licensed dependencies:"
+            echo "$COPYLEFT_DEPS"
            echo ""
-            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
-            echo -e "$INCOMPATIBLE"
-            exit 1
-          fi
-        fi

-        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
+            # Filter out dependencies that are only pulled in by internal AGPL packages
+            INCOMPATIBLE=""
+            while IFS=',' read -r package url license; do
+              if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+                # Find ALL packages that import this GPL package using go list
+                IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+
+                # Check if any importer is NOT in management/signal/relay
+                BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
+
+                if [ -n "$BSD_IMPORTER" ]; then
+                  echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                  INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+                else
+                  echo "✓ $package ($license) is only used by internal AGPL packages - OK"
+                fi
+              fi
+            done <<< "$COPYLEFT_DEPS"
+
+            if [ -n "$INCOMPATIBLE" ]; then
+              echo ""
+              echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+              echo -e "$INCOMPATIBLE"
+              exit 1
+            fi
+          fi
+
+          echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/docs-ack.yml
+++ b/.github/workflows/docs-ack.yml
@@ -83,7 +83,7 @@ jobs:

      - name: Verify docs PR exists (and is open or merged)
        if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: verify
        with:
          pr_number: ${{ steps.extract.outputs.pr_number }}
--- a/.github/workflows/forum.yml
+++ b/.github/workflows/forum.yml
@@ -8,11 +8,10 @@ jobs:
  post:
    runs-on: ubuntu-latest
    steps:
-      - uses: roots/discourse-topic-github-release-action@main
+      - uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
        with:
          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
          discourse-base-url: https://forum.netbird.io
          discourse-author-username: NetBird
          discourse-category: 17
-          discourse-tags:
-            releases
+          discourse-tags: releases
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -3,7 +3,7 @@ name: Git Town
 on:
  pull_request:
    branches:
-      - '**'
+      - "**"

 jobs:
  git-town:
@@ -15,7 +15,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/checkout@v4
-      - uses: git-town/action@v1.2.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: git-town/action@670e1f4feb81fdef4226fc09deefe09018eb20d1 # v1.3.3
        with:
          skip-single-stacks: true
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -16,16 +16,16 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/go/pkg/mod
          key: macos-gotest-${{ hashFiles('**/go.sum') }}
@@ -43,13 +43,4 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
-        # which fails to compile until the frontend has been built. The Wails UI
-        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
-        # before goreleaser.
-        # `go list -e` lets the listing succeed even though the embed fails to
-        # resolve; the grep then drops the broken package by path. Without -e,
-        # go list aborts with empty stdout and `go test` falls back to the repo
-        # root, which has no Go files.
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list -e ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui)
-
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -15,20 +15,29 @@ jobs:
    name: "Client / Unit"
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Read Go version from go.mod
+        id: goversion
+        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
+
      - name: Test in FreeBSD
        id: test
-        uses: vmactions/freebsd-vm@v1
+        env:
+          GO_VERSION: ${{ steps.goversion.outputs.version }}
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
-          release: "14.2"
+          release: "15.0"
+          envs: "GO_VERSION"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
+            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"            
+            tar -C /usr/local -vxzf "$GO_TARBALL"

          # -x - to print all executed commands
          # -e - to faile on first error
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -18,9 +18,9 @@ jobs:
      management: ${{ steps.filter.outputs.management }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        id: filter
        with:
          filters: |
@@ -28,7 +28,7 @@ jobs:
              - 'management/**'

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -36,10 +36,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: cache
        with:
          path: |
@@ -51,7 +51,7 @@ jobs:

      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

      - name: Install 32-bit libpcap
        if: steps.cache.outputs.cache-hit != 'true'
@@ -113,14 +113,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -128,10 +128,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -141,7 +141,7 @@ jobs:
            ${{ runner.os }}-gotest-cache-

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

      - name: Install 32-bit libpcap
        if: matrix.arch == '386'
@@ -154,26 +154,18 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
-        # which fails to compile until the frontend has been built. The Wails UI
-        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
-        # before goreleaser.
-        # `go list -e` lets the listing succeed even though the embed fails to
-        # resolve; the grep then drops the broken package by path. Without -e,
-        # go list aborts with empty stdout and `go test` falls back to the repo
-        # root, which has no Go files.
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list -e ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
-    needs: [ build-cache ]
+    needs: [build-cache]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -185,7 +177,7 @@ jobs:
          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: cache-restore
        with:
          path: |
@@ -222,7 +214,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -e -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -239,10 +231,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -254,10 +246,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -285,14 +277,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -306,7 +298,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -332,14 +324,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -351,10 +343,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -378,19 +370,19 @@ jobs:

  test_management:
    name: "Management / Unit"
-    needs: [ build-cache ]
+    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres", "mysql"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -398,10 +390,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -418,7 +410,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -435,7 +427,7 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
-        run: |          
+        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
            CI=true \
@@ -445,13 +437,13 @@ jobs:

  benchmark:
    name: "Management / Benchmark"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -482,10 +474,10 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -493,10 +485,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -513,7 +505,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -537,13 +529,13 @@ jobs:

  api_benchmark:
    name: "Management / Benchmark (API)"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -574,10 +566,10 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -585,10 +577,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -605,7 +597,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -631,20 +623,20 @@ jobs:

  api_integration_test:
    name: "Management / Integration"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres']
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -652,10 +644,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,10 +18,10 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        id: go
        with:
          go-version-file: "go.mod"
@@ -33,7 +33,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -44,16 +44,22 @@ jobs:
            ${{ runner.os }}-go-

      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
        id: download-wintun
-        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+        shell: pwsh
+        run: |
+          $url = "https://pkgs.netbird.io/wintun/wintun-0.14.1.zip"
+          $dest = "${env:downloadPath}\wintun.zip"
+          $expected = "07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51"
+
+          curl.exe --fail --location --retry 3 --retry-delay 2 -o $dest $url
+          $actual = (Get-FileHash $dest -Algorithm SHA256).Hash.ToLower()
+          if ($actual -ne $expected) {
+          throw "wintun.zip checksum mismatch: expected $expected, got $actual"
+          }
+          "file-path=$dest" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8

      - name: Decompressing wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'

@@ -64,15 +70,8 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
      - name: Generate test script
-        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
-        # which fails to compile until the frontend has been built. The Wails UI
-        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
-        # before goreleaser.
-        # `go list -e` lets the listing succeed even though the embed fails to
-        # resolve; the Where-Object pipeline then drops the broken package by
-        # path. Without -e, go list aborts with empty stdout.
        run: |
-          $packages = go list -e ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' } | Where-Object { $_ -notmatch '/client/ui' }
+          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,12 +15,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: codespell
-        uses: codespell-project/actions-codespell@v2
+        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
        with:
          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
-          skip: go.mod,go.sum,**/proxy/web/**,**/pnpm-lock.yaml,**/package-lock.json
+          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
      fail-fast: false
@@ -38,30 +38,21 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check for duplicate constants
        if: matrix.os == 'ubuntu-latest'
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
-        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
-      - name: Stub Wails frontend bundle
-        # client/ui/main.go has //go:embed all:frontend/dist. The
-        # directory is produced by `pnpm run build` and is gitignored, so
-        # lint-only runs (no frontend toolchain) need a placeholder file
-        # for the embed pattern to match.
-        shell: bash
-        run: |
-          mkdir -p client/ui/frontend/dist
-          touch client/ui/frontend/dist/.embed-placeholder
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
        with:
          version: latest
          skip-cache: true
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: run install script
        env:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -16,23 +16,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Setup Android SDK
-        uses: android-actions/setup-android@v3
+        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
        with:
          java-version: "11"
          distribution: "adopt"
      - name: NDK Cache
        id: ndk-cache
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: /usr/local/lib/android/sdk/ndk
          key: ndk-cache-23.1.7779620
@@ -52,9 +52,9 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: install gomobile
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const title = context.payload.pull_request.title;
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check for proto tool version changes
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const files = await github.paginate(github.rest.pulls.listFiles, {
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Generate FreeBSD port diff
        run: bash release_files/freebsd-port-diff.sh
@@ -51,19 +51,26 @@ jobs:
          echo "Generated files for version: $VERSION"
          cat netbird-*.diff

+      - name: Read Go version from go.mod
+        id: goversion
+        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
+
      - name: Test FreeBSD port
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: vmactions/freebsd-vm@v1
+        env:
+          GO_VERSION: ${{ steps.goversion.outputs.version }}
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
          release: "15.0"
+          envs: "GO_VERSION"
          prepare: |
            # Install required packages
            pkg install -y git curl portlint go

            # Install Go for building
-            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
+            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
@@ -93,19 +100,19 @@ jobs:

            # Show patched Makefile
            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
-            
+
            cd /usr/ports/security/netbird
            export BATCH=yes
            make package
            pkg add ./work/pkg/netbird-*.pkg
-            
+
            netbird version | grep "$version"

            echo "FreeBSD port test completed successfully!"

      - name: Upload FreeBSD port files
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: freebsd-port-files
          path: |
@@ -124,26 +131,24 @@ jobs:
    env:
      flags: ""
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
+        uses: ./.github/actions/parse-semver

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -156,18 +161,18 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Login to Docker hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -186,12 +191,12 @@ jobs:
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
-        run: goversioninfo  -icon client/ui/build/windows/icon.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
+        run: goversioninfo  -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
      - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/build/windows/icon.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
+        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --clean ${{ env.flags }}
@@ -282,28 +287,28 @@ jobs:
          } >> "$GITHUB_OUTPUT"
      - name: upload non tags for debug purposes
        id: upload_release
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release
          path: dist/
          retention-days: 7
      - name: upload linux packages
        id: upload_linux_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 7
      - name: upload windows packages
        id: upload_windows_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 7
      - name: upload macos packages
        id: upload_macos_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: macos-packages
          path: dist/netbird_darwin**
@@ -314,27 +319,25 @@ jobs:
    outputs:
      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
-      - name: Parse semver string
-        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
-      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly

+      - name: Parse semver string
+        id: semver_parser
+        uses: ./.github/actions/parse-semver
+
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
+
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -349,18 +352,8 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code

-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 9
-
      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev gcc-mingw-w64-x86-64
+        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64

      - name: Decode GPG signing key
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
@@ -379,19 +372,13 @@ jobs:
          echo "/tmp/llvm-mingw-20250709-ucrt-ubuntu-22.04-x86_64/bin" >> $GITHUB_PATH
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
-      - name: Install wails3 CLI
-        # Version derived from go.mod so the binding generator always matches
-        # the wails runtime the binary links against.
-        run: |
-          WAILS_VERSION=$(go list -m -f '{{.Version}}' github.com/wailsapp/wails/v3)
-          go install github.com/wailsapp/wails/v3/cmd/wails3@$WAILS_VERSION
      - name: Generate windows syso amd64
-        run: goversioninfo -64 -icon client/ui/build/windows/icon.ico -manifest client/ui/build/windows/wails.exe.manifest -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
+        run: goversioninfo -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
      - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/build/windows/icon.ico -manifest client/ui/build/windows/wails.exe.manifest -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
+        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -420,7 +407,7 @@ jobs:
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        id: upload_release_ui
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release-ui
          path: dist/
@@ -434,16 +421,16 @@ jobs:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -455,23 +442,9 @@ jobs:
        run: go mod tidy
      - name: check git status
        run: git --no-pager diff --exit-code
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 9
-      - name: Install wails3 CLI
-        # Version derived from go.mod so the binding generator always matches
-        # the wails runtime the binary links against.
-        run: |
-          WAILS_VERSION=$(go list -m -f '{{.Version}}' github.com/wailsapp/wails/v3)
-          go install github.com/wailsapp/wails/v3/cmd/wails3@$WAILS_VERSION
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -479,7 +452,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: upload non tags for debug purposes
        id: upload_release_ui_darwin
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release-ui-darwin
          path: dist/
@@ -504,27 +477,24 @@ jobs:
      PackageWorkdir: netbird_windows_${{ matrix.arch }}
      downloadPath: '${{ github.workspace }}\temp'
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
-      - name: Checkout
-        uses: actions/checkout@v4
+        uses: ./.github/actions/parse-semver

      - name: Add 7-Zip to PATH
        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Download release artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release
          path: release

      - name: Download UI release artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release-ui
          path: release-ui
@@ -544,72 +514,81 @@ jobs:
          Get-ChildItem $workdir

      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
        id: download-wintun
-        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+        shell: pwsh
+        run: |
+          $url = "https://pkgs.netbird.io/wintun/wintun-0.14.1.zip"
+          $dest = "${env:downloadPath}\wintun.zip"
+          $expected = "07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51"
+          curl.exe --fail --location --retry 3 --retry-delay 2 -o $dest $url
+          $actual = (Get-FileHash $dest -Algorithm SHA256).Hash.ToLower()
+          if ($actual -ne $expected) {
+            throw "wintun.zip checksum mismatch: expected $expected, got $actual"
+          }
+          "file-path=$dest" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8

      - name: Decompress wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

      - name: Move wintun.dll into dist
        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

+      - name: Download Mesa3D (amd64 only)
+        id: download-mesa3d
+        if: matrix.arch == 'amd64'
+        shell: pwsh
+        run: |
+          $url = "https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z"
+          $dest = "${env:downloadPath}\mesa3d.7z"
+          $expected = "71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9"
+          curl.exe --fail --location --retry 3 --retry-delay 2 -o $dest $url
+          $actual = (Get-FileHash $dest -Algorithm SHA256).Hash.ToLower()
+          if ($actual -ne $expected) {
+            throw "mesa3d.7z checksum mismatch: expected $expected, got $actual"
+          }
+          "file-path=$dest" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
+
+      - name: Extract Mesa3D driver (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: 7z x -o"${{ env.downloadPath }}" "${{ env.downloadPath }}/mesa3d.7z"
+
+      - name: Move opengl32.dll into dist (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
+
      - name: Download EnVar plugin for NSIS
-        uses: carlosperate/download-file-action@v2
-        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
-          file-name: envar_plugin.zip
-          location: ${{ github.workspace }}
+        shell: pwsh
+        run: |
+          curl.exe --fail --location --retry 3 --retry-delay 2 `
+            -o "${{ github.workspace }}\envar_plugin.zip" `
+            "https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip"

      - name: Extract EnVar plugin
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"

      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
-        uses: carlosperate/download-file-action@v2
        if: matrix.arch == 'amd64'
-        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
-          file-name: ShellExecAsUser_amd64-Unicode.7z
-          location: ${{ github.workspace }}
+        shell: pwsh
+        run: |
+          curl.exe --fail --location --retry 3 --retry-delay 2 `
+            -o "${{ github.workspace }}\ShellExecAsUser_amd64-Unicode.7z" `
+            "https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z"

      - name: Extract ShellExecAsUser plugin (amd64 only)
        if: matrix.arch == 'amd64'
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"

-      - name: Set up Go for wails3 CLI
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-          cache: false
-
-      - name: Install wails3 CLI
-        # Version derived from go.mod so the bootstrapper payload always
-        # matches the wails runtime the binary links against.
-        shell: bash
-        run: |
-          WAILS_VERSION=$(go list -m -f '{{.Version}}' github.com/wailsapp/wails/v3)
-          go install github.com/wailsapp/wails/v3/cmd/wails3@$WAILS_VERSION
-
-      - name: Stage WebView2 bootstrapper for installers
-        # Both client/installer.nsis and client/netbird.wxs reference
-        # client/MicrosoftEdgeWebview2Setup.exe. wails3 writes it there.
-        # The signing pipeline (netbirdio/sign-pipelines) does the same
-        # step for release builds; this mirrors it for PR sanity testing.
-        shell: bash
-        run: wails3 generate webview2bootstrapper -dir client
-
      - name: Build NSIS installer
-        uses: joncloud/makensis-action@v3.3
-        with:
-          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
-          script-file: client/installer.nsis
-          arguments: "/V4 /DARCH=${{ matrix.arch }}"
+        shell: pwsh
        env:
          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
+        run: |
+          $nsisPluginDir = "C:\Program Files (x86)\NSIS\Plugins\x86-unicode"
+          $srcPlugins    = "${{ github.workspace }}\NSIS_Plugins\Plugins"
+          Get-ChildItem -Path $srcPlugins -Recurse -Filter *.dll |
+            Copy-Item -Destination $nsisPluginDir -Force
+          & "C:\Program Files (x86)\NSIS\makensis.exe" /V4 "/DARCH=${{ matrix.arch }}" client\installer.nsis
+          if ($LASTEXITCODE -ne 0) { throw "makensis failed with exit code $LASTEXITCODE" }

      - name: Rename NSIS installer
        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
@@ -626,7 +605,7 @@ jobs:

      - name: Upload installer artifacts
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: windows-installer-test-${{ matrix.arch }}
          path: |
@@ -645,7 +624,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Create or update PR comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          RELEASE_RESULT: ${{ needs.release.result }}
          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
@@ -737,7 +716,7 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger binaries sign pipelines
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: Sign bin and installer
          repo: netbirdio/sign-pipelines
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -14,9 +14,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger main branch sync
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: sync-main.yml
          repo: ${{ secrets.UPSTREAM_REPO }}
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "sha": "${{ github.sha }}" }'
+          inputs: '{ "sha": "${{ github.sha }}" }'
--- a/.github/workflows/sync-tag.yml
+++ b/.github/workflows/sync-tag.yml
@@ -3,7 +3,7 @@ name: sync tag
 on:
  push:
    tags:
-      - 'v*'
+      - "v*"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger release tag sync
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: sync-tag.yml
          ref: main
@@ -29,7 +29,7 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: bump-netbird.yml
          ref: main
@@ -42,10 +42,10 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: bump-netbird.yml
          ref: main
          repo: netbirdio/ios-client
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -6,10 +6,10 @@ on:
      - main
  pull_request:
    paths:
-      - 'infrastructure_files/**'
-      - '.github/workflows/test-infrastructure-files.yml'
-      - 'management/cmd/**'
-      - 'signal/cmd/**'
+      - "infrastructure_files/**"
+      - ".github/workflows/test-infrastructure-files.yml"
+      - "management/cmd/**"
+      - "signal/cmd/**"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        store: ["sqlite", "postgres", "mysql"]
    services:
      postgres:
        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -68,15 +68,15 @@ jobs:
        run: sudo apt-get install -y curl

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -139,8 +139,8 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_SIGNAL_PORT: 12345
          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: "${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$"
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: "${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$"
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
@@ -254,7 +254,7 @@ jobs:
        run: sudo apt-get install -y jq

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -3,9 +3,9 @@ name: update docs
 on:
  push:
    tags:
-      - 'v*'
+      - "v*"
    paths:
-      - 'shared/management/http/api/openapi.yml'
+      - "shared/management/http/api/openapi.yml"

 jobs:
  trigger_docs_api_update:
@@ -13,10 +13,10 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: generate api pages
          repo: netbirdio/docs
          ref: "refs/heads/main"
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -19,15 +19,15 @@ jobs:
      GOARCH: wasm
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-4-dev libwebkitgtk-6.0-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
        with:
          version: latest
          install-mode: binary
@@ -42,9 +42,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
@@ -65,4 +65,3 @@ jobs:
            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
            exit 1
          fi
-
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -114,16 +114,6 @@ linters:
      - linters:
          - staticcheck
        text: "QF1012"
-      # client/ui/main.go uses //go:embed all:frontend/dist; the
-      # directory is populated by `pnpm build` in the release pipeline
-      # and missing at lint time, so the embed parses to "no matching
-      # files found" — surfaced by golangci-lint's typecheck pre-pass.
-      # Suppress just that one diagnostic; the rest of the package
-      # (services/, tray.go, grpc.go, ...) still gets linted normally.
-      - linters:
-          - typecheck
-        path: client/ui/main\.go
-        text: "pattern all:frontend/dist"
    paths:
      - third_party$
      - builtin$
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -1,15 +1,6 @@
 version: 2

 project_name: netbird-ui
-
-before:
-  hooks:
-    # Bindings are gitignored; regenerate before the frontend build so
-    # the @wailsio/runtime Vite plugin can resolve them (vite refuses to
-    # build without them).
-    - sh -c 'cd client/ui && wails3 generate bindings -clean=true -ts'
-    - sh -c 'cd client/ui/frontend && pnpm install --frozen-lockfile && pnpm build'
-
 builds:
  - id: netbird-ui
    dir: client/ui
@@ -79,15 +70,12 @@ nfpms:
    scripts:
      postinstall: "release_files/ui-post-install.sh"
    contents:
-      - src: client/ui/build/linux/netbird.desktop
+      - src: client/ui/build/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/build/appicon.png
+      - src: client/ui/assets/netbird.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
-      - libgtk-3-0
-      - libwebkit2gtk-4.1-0
-      - libayatana-appindicator3-1

  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
@@ -101,15 +89,12 @@ nfpms:
    scripts:
      postinstall: "release_files/ui-post-install.sh"
    contents:
-      - src: client/ui/build/linux/netbird.desktop
+      - src: client/ui/build/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/build/appicon.png
+      - src: client/ui/assets/netbird.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
-      - gtk3
-      - webkit2gtk4.1
-      - libayatana-appindicator-gtk3
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -1,15 +1,6 @@
 version: 2

 project_name: netbird-ui
-
-before:
-  hooks:
-    # Bindings are gitignored; regenerate before the frontend build so
-    # the @wailsio/runtime Vite plugin can resolve them (vite refuses to
-    # build without them).
-    - sh -c 'cd client/ui && wails3 generate bindings -clean=true -ts'
-    - sh -c 'cd client/ui/frontend && pnpm install --frozen-lockfile && pnpm build'
-
 builds:
  - id: netbird-ui-darwin
    dir: client/ui
@@ -29,6 +20,8 @@ builds:
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
+    tags:
+      - load_wgnt_from_rsrc

 universal_binaries:
  - id: netbird-ui-darwin
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -15,6 +15,7 @@ If you haven't already, join our slack workspace [here](https://docs.netbird.io/
 - [Contributing to NetBird](#contributing-to-netbird)
    - [Contents](#contents)
    - [Code of conduct](#code-of-conduct)
+    - [Discuss changes with the NetBird team first](#discuss-changes-with-the-netbird-team-first)
    - [Directory structure](#directory-structure)
    - [Development setup](#development-setup)
        - [Requirements](#requirements)
@@ -33,6 +34,14 @@ Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report
 unacceptable behavior to community@netbird.io.

+## Discuss changes with the NetBird team first
+
+Changes to the **public API**, **gRPC protocols**, **functionality behavior**, **CLI / service flags**, or **new features** should be discussed with the NetBird team before you start the work. These surfaces are part of NetBird's contract with operators, self-hosters, and downstream integrators, and changes to them have compatibility, security, and release-planning implications that benefit from an early conversation.
+
+Open an issue or reach out on [Slack](https://docs.netbird.io/slack-url) to talk through what you have in mind. We'll help shape the change, flag any constraints we know about, and confirm the direction so the PR review can focus on implementation rather than design.
+
+Typical bug fixes, internal refactors, documentation updates, and tests do not need pre-discussion — open the PR directly.
+
 ## Directory structure

 The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.
--- a/README.md
+++ b/README.md
@@ -1,147 +1,134 @@

 <div align="center">
-<br/>
-  <br/>
-<p align="center">
-  <img width="234" src="docs/media/logo-full.png"/>
-</p>
-  <p>
-   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
-       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
-     </a> 
-     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
-     </a> 
-    <br>
+  <p align="center">
+    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
+  </p>
+  <p align="center">
+    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
+      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
+    </a>
+    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
+    </a>
    <a href="https://docs.netbird.io/slack-url">
-        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
-     </a>
+      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
+    </a>
    <a href="https://forum.netbird.io">
-        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
-     </a>  
-     <br>
+      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
+    </a>
    <a href="https://gurubase.io/g/netbird">
-        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
-     </a>    
+      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
+    </a>
  </p>
 </div>

-
 <p align="center">
-<strong>
-  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
+  <strong>
+    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
+    <br/>
+    See <a href="https://netbird.io/docs/">Documentation</a>
+    <br/>
+    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  </strong>
  <br/>
-  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  <br/>
- 
-</strong>
-<br>
-<strong>
-  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-</strong>
-<br>
-<br>
-<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
-    New: NetBird terraform provider
-  </a> 
+  <strong>
+    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+  </strong>
 </p>

-<br>
-
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**

 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

-### Open Source Network Security in a Single Platform
-
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-Host NetBird (Video)
+### Self-host NetBird (video)
+
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)

 ### Key features

-| Connectivity | Management | Security | Automation| Platforms |
-|----|----|----|----|----|
-| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
-| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
-| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
-| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
-| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
-||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
-||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
-||||| <ul><li>- \[x] Docker</ui></li> |
+| Connectivity | Management | Security | Automation | Platforms |
+|---|---|---|---|---|
+| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
+| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
+| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
+| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
+| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
+| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
+| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
+| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
+| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
+| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
+| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
+| | | | | ✓ OpenWRT |
+| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
+| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
+| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
+| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
+| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
+| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |

 ### Quickstart with NetBird Cloud

- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
- Check NetBird [admin UI](https://app.netbird.io/).
- Add more machines.
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
+- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
+- Check the NetBird [admin UI](https://app.netbird.io/).

 ### Quickstart with self-hosted NetBird

-> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
-Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
+This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.

 **Infrastructure requirements:**
- A Linux VM with at least **1CPU** and **2GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
- **Public domain** name pointing to the VM.
+- A Linux VM with at least **1 CPU** and **2 GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
+- A **public domain** name pointing to the VM.

 **Software requirements:**
- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
- [jq](https://jqlang.github.io/jq/) installed. In most distributions
-  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
- [curl](https://curl.se/) installed.
-  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
+- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).

 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
- Once finished, you can manage the resources via `docker-compose`

 ### A bit on NetBird internals
-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
- 
-[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
+- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
+- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
+- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
+- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
+- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.

 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
 </p>

 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

 ### Community projects
-  [NetBird installer script](https://github.com/physk/netbird-installer)
-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
+- [NetBird installer script](https://github.com/physk/netbird-installer)
+- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
+- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

 ### Support acknowledgement

-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.

 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

-### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
+### Acknowledgements
+We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).

 ### Legal
-This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -22,19 +22,11 @@ import (
 	"github.com/netbirdio/netbird/util"
 )

-// extendSessionFlag drives the `netbird login --extend` flow: refresh the
-// SSO session expiry on the management server without tearing down the
-// tunnel. Mutually exclusive with setup-key login (a setup-key cannot
-// refresh an SSO-tracked peer — see auth.errSetupKeyOnSSOExpiredPeer).
-var extendSessionFlag bool
-
 func init() {
 	loginCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
 	loginCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	loginCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	loginCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) Netbird config file location")
-	loginCmd.PersistentFlags().BoolVar(&extendSessionFlag, "extend", false,
-		"refresh the SSO session expiry without tearing down the tunnel (requires an active connection)")
 }

 var loginCmd = &cobra.Command{
@@ -69,16 +61,6 @@ var loginCmd = &cobra.Command{
 			return err
 		}

-		if extendSessionFlag {
-			if providedSetupKey != "" {
-				return fmt.Errorf("--extend cannot be combined with a setup key; setup keys can only enrol new peers")
-			}
-			if err := doExtendSession(ctx, cmd); err != nil {
-				return fmt.Errorf("extend session failed: %v", err)
-			}
-			return nil
-		}
-
 		// workaround to run without service
 		if util.FindFirstLogPath(logFiles) == "" {
 			if err := doForegroundLogin(ctx, cmd, providedSetupKey, activeProf); err != nil {
@@ -168,65 +150,6 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 	return nil
 }

-// doExtendSession drives the daemon's RequestExtendAuthSession /
-// WaitExtendAuthSession pair. The user is sent through a regular SSO flow
-// (browser + verification URL) and the resulting JWT is forwarded to the
-// management server's ExtendAuthSession RPC. The tunnel stays up
-// throughout — no Down/Up, no network-map resync.
-func doExtendSession(ctx context.Context, cmd *cobra.Command) error {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		//nolint
-		return fmt.Errorf("failed to connect to daemon error: %v\n"+
-			"If the daemon is not running please run: "+
-			"\nnetbird service install \nnetbird service start\n", err)
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	req := &proto.RequestExtendAuthSessionRequest{}
-	// Pre-fill the IdP login hint from the active profile so the user
-	// doesn't have to retype their email. Best-effort: we still proceed
-	// without a hint if the lookup fails.
-	pm := profilemanager.NewProfileManager()
-	if active, perr := pm.GetActiveProfile(); perr == nil {
-		if profState, sperr := pm.GetProfileState(active.Name); sperr == nil && profState.Email != "" {
-			req.Hint = &profState.Email
-		}
-	}
-
-	startResp, err := client.RequestExtendAuthSession(ctx, req)
-	if err != nil {
-		return fmt.Errorf("start extend session: %v", err)
-	}
-
-	uri := startResp.GetVerificationURIComplete()
-	if uri == "" {
-		uri = startResp.GetVerificationURI()
-	}
-	openURL(cmd, uri, startResp.GetUserCode(), noBrowser, showQR)
-
-	waitResp, err := client.WaitExtendAuthSession(ctx, &proto.WaitExtendAuthSessionRequest{
-		DeviceCode: startResp.GetDeviceCode(),
-		UserCode:   startResp.GetUserCode(),
-	})
-	if err != nil {
-		return fmt.Errorf("wait for extend session: %v", err)
-	}
-
-	if ts := waitResp.GetSessionExpiresAt(); ts.IsValid() && !ts.AsTime().IsZero() {
-		deadline := ts.AsTime().Local()
-		cmd.Printf("Session extended. New expiry: %s\n", deadline.Format("2006-01-02 15:04:05 MST"))
-	} else {
-		// Management reported the peer is not eligible (e.g. login
-		// expiration disabled on the account). Surface that fact
-		// instead of pretending the call succeeded.
-		cmd.Println("Session extension call completed, but the management server did not return a new deadline (peer may not be SSO-tracked or login expiration is disabled).")
-	}
-	return nil
-}
-
 func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) (*profilemanager.Profile, error) {
 	// switch profile if provided

--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 	"strings"
-	"time"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -118,11 +117,6 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}

-	var sessionExpiresAt time.Time
-	if ts := resp.GetSessionExpiresAt(); ts.IsValid() {
-		sessionExpiresAt = ts.AsTime().UTC()
-	}
-
 	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
 		Anonymize:            anonymizeFlag,
 		DaemonVersion:        resp.GetDaemonVersion(),
@@ -133,7 +127,6 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		IPsFilter:            ipsFilterMap,
 		ConnectionTypeFilter: connectionTypeFilter,
 		ProfileName:          profName,
-		SessionExpiresAt:     sessionExpiresAt,
 	})
 	var statusOutputString string
 	switch {
--- a/client/firewall/nftables/external_chain_monitor_linux.go
+++ b/client/firewall/nftables/external_chain_monitor_linux.go
@@ -52,9 +52,10 @@ func (m *externalChainMonitor) start() {

 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	m.done = make(chan struct{})
+	done := make(chan struct{})
+	m.done = done

-	go m.run(ctx)
+	go m.run(ctx, done)
 }

 func (m *externalChainMonitor) stop() {
@@ -72,8 +73,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }

-func (m *externalChainMonitor) run(ctx context.Context) {
-	defer close(m.done)
+func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
+	defer close(done)

 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -6,7 +6,7 @@
 !define DESCRIPTION "Connect your devices into a secure WireGuard-based overlay network with SSO, MFA, and granular access controls."
 !define INSTALLER_NAME "netbird-installer.exe"
 !define MAIN_APP_EXE "Netbird"
-!define ICON "ui\\build\\windows\\icon.ico"
+!define ICON "ui\\assets\\netbird.ico"
 !define BANNER "ui\\build\\banner.bmp"
 !define LICENSE_DATA "..\\LICENSE"

@@ -260,23 +260,15 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"

 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"

-; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
-; or HKCU by legacy installers.
-DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
-DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-SetRegView 32
-DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-DeleteRegKey HKLM "${REG_APP_PATH}"
-DeleteRegKey HKLM "${UI_REG_APP_PATH}"
-DeleteRegKey HKLM "${UNINSTALL_PATH}"
-SetRegView 64
-
+; Create autostart registry entry based on checkbox
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
    DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
+    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
    DetailPrint "Autostart not enabled by user"
 ${EndIf}

@@ -288,43 +280,6 @@ CreateShortCut "$SMPROGRAMS\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 CreateShortCut "$DESKTOP\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 SectionEnd

-# Install the Microsoft Edge WebView2 runtime if it isn't already present.
-# Macro adapted from Wails3's NSIS template (wails_tools.nsh): a registry
-# probe followed by a silent install of the embedded evergreen bootstrapper.
-# The MicrosoftEdgeWebview2Setup.exe payload is staged next to this script
-# by the sign-pipelines build step (`wails3 generate webview2bootstrapper`).
-!macro nb.webview2runtime
-    SetRegView 64
-    # Per-machine install marker — populated when the runtime ships with
-    # Edge or has been installed by an admin previously.
-    ReadRegStr $0 HKLM "SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" "pv"
-    ${If} $0 != ""
-        Goto webview2_ok
-    ${EndIf}
-    # Per-user fallback for HKCU installs.
-    ReadRegStr $0 HKCU "Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" "pv"
-    ${If} $0 != ""
-        Goto webview2_ok
-    ${EndIf}
-
-    SetDetailsPrint both
-    DetailPrint "Installing: WebView2 Runtime"
-    SetDetailsPrint listonly
-
-    InitPluginsDir
-    CreateDirectory "$pluginsdir\webview2bootstrapper"
-    SetOutPath "$pluginsdir\webview2bootstrapper"
-    File "MicrosoftEdgeWebview2Setup.exe"
-    ExecWait '"$pluginsdir\webview2bootstrapper\MicrosoftEdgeWebview2Setup.exe" /silent /install'
-
-    SetDetailsPrint both
-    webview2_ok:
-!macroend
-
-Section -WebView2
-    !insertmacro nb.webview2runtime
-SectionEnd
-
 Section -Post
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service install'
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service start'
@@ -344,16 +299,11 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`

-; Remove autostart entries from every view a previous installer may have used.
+; Remove autostart registry entry
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-SetRegView 32
-DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-DeleteRegKey HKLM "${REG_APP_PATH}"
-DeleteRegKey HKLM "${UI_REG_APP_PATH}"
-DeleteRegKey HKLM "${UNINSTALL_PATH}"
-SetRegView 64

 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."
@@ -376,9 +326,9 @@ DetailPrint "Deleting application files..."
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
 Delete "$INSTDIR\wintun.dll"
-# Legacy: pre-Wails installs shipped opengl32.dll (Mesa3D for Fyne); remove
-# any leftover copy on uninstall so old upgrades don't leave it behind.
+!if ${ARCH} == "amd64"
 Delete "$INSTDIR\opengl32.dll"
+!endif
 DetailPrint "Removing application directory..."
 RmDir /r "$INSTDIR"

--- a/client/internal/auth/auth.go
+++ b/client/internal/auth/auth.go
@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"net/url"
-	"strings"
 	"sync"
 	"time"

@@ -22,25 +21,6 @@ import (
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )

-// peerLoginExpiredMsg is the exact phrase the management server returns
-// when a previously SSO-enrolled peer's login has expired. Sourced from
-// shared/management/status/error.go (NewPeerLoginExpiredError). Matched
-// by substring so a future server-side rewording that keeps the phrase
-// still triggers the friendly fallback in Login().
-const peerLoginExpiredMsg = "peer login has expired"
-
-// errSetupKeyOnSSOExpiredPeer replaces the raw management error when the
-// user runs `netbird login -k <setup-key>` against a peer that was
-// originally enrolled via SSO. Wrapped in a PermissionDenied gRPC status
-// so callers' existing isPermissionDenied / isAuthError checks still
-// classify it correctly (early-exit from retry backoff, StatusNeedsLogin
-// in the server state machine).
-var errSetupKeyOnSSOExpiredPeer = status.Error(
-	codes.PermissionDenied,
-	"this peer was originally enrolled via SSO and its session has expired. "+
-		"Setup keys can only enrol new peers — run `netbird up` (interactive SSO) to re-login.",
-)
-
 // Auth manages authentication operations with the management server
 // It maintains a long-lived connection and automatically handles reconnection with backoff
 type Auth struct {
@@ -204,15 +184,6 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 			log.Debugf("peer registration required")
 			_, err = a.registerPeer(client, ctx, setupKey, jwtToken, pubSSHKey)
 			if err != nil {
-				// The peer pub-key is already on file with the management
-				// server (originally enrolled via SSO) and the session has
-				// expired. The setup-key path can only enrol new peers, so
-				// retrying with -k will keep failing. Replace the raw mgm
-				// message with an actionable hint that tells the user to
-				// re-authenticate via SSO instead.
-				if setupKey != "" && jwtToken == "" && isPeerLoginExpired(err) {
-					err = errSetupKeyOnSSOExpiredPeer
-				}
 				isAuthError = isPermissionDenied(err)
 				return err
 			}
@@ -503,16 +474,3 @@ func isLoginNeeded(err error) bool {
 func isRegistrationNeeded(err error) bool {
 	return isPermissionDenied(err)
 }
-
-// isPeerLoginExpired reports whether err is the management server's
-// "peer login has expired" PermissionDenied response. Used by Login to
-// detect the case where the caller passed a setup-key but the peer is
-// actually an SSO-enrolled record whose session needs refreshing — the
-// setup-key path cannot help there.
-func isPeerLoginExpired(err error) bool {
-	if !isPermissionDenied(err) {
-		return false
-	}
-	s, _ := status.FromError(err)
-	return strings.Contains(s.Message(), peerLoginExpiredMsg)
-}
--- a/client/internal/auth/auth_test.go
+++ b/client/internal/auth/auth_test.go
@@ -1,80 +0,0 @@
-package auth
-
-import (
-	"errors"
-	"strings"
-	"testing"
-
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-)
-
-func TestIsPeerLoginExpired(t *testing.T) {
-	cases := []struct {
-		name string
-		err  error
-		want bool
-	}{
-		{
-			name: "nil",
-			err:  nil,
-			want: false,
-		},
-		{
-			name: "plain error (not a gRPC status)",
-			err:  errors.New("network read: connection reset"),
-			want: false,
-		},
-		{
-			name: "PermissionDenied with different message",
-			err:  status.Error(codes.PermissionDenied, "user is blocked"),
-			want: false,
-		},
-		{
-			name: "Unauthenticated with the expected phrase",
-			// Wrong status code — must still return false.
-			err:  status.Error(codes.Unauthenticated, "peer login has expired, please log in once more"),
-			want: false,
-		},
-		{
-			name: "exact server message",
-			err:  status.Error(codes.PermissionDenied, "peer login has expired, please log in once more"),
-			want: true,
-		},
-		{
-			name: "phrase as substring",
-			// Future-proofing: if mgm reworords but keeps the phrase,
-			// the friendly fallback must still kick in.
-			err:  status.Error(codes.PermissionDenied, "session refused: peer login has expired (account=foo)"),
-			want: true,
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			if got := isPeerLoginExpired(tc.err); got != tc.want {
-				t.Fatalf("isPeerLoginExpired(%v) = %v, want %v", tc.err, got, tc.want)
-			}
-		})
-	}
-}
-
-func TestErrSetupKeyOnSSOExpiredPeer(t *testing.T) {
-	// Sentinel must surface as PermissionDenied so the upstream
-	// isPermissionDenied / isAuthError checks classify it correctly
-	// (short-circuit retry backoff, set StatusNeedsLogin).
-	if !isPermissionDenied(errSetupKeyOnSSOExpiredPeer) {
-		t.Fatalf("errSetupKeyOnSSOExpiredPeer must be a PermissionDenied gRPC error")
-	}
-
-	// Message must actually mention SSO and `netbird up` so it is
-	// actionable for the end user. Loose substring checks keep the
-	// test resilient to copy edits.
-	s, _ := status.FromError(errSetupKeyOnSSOExpiredPeer)
-	msg := strings.ToLower(s.Message())
-	for _, want := range []string{"sso", "netbird up"} {
-		if !strings.Contains(msg, want) {
-			t.Errorf("sentinel message should contain %q, got %q", want, s.Message())
-		}
-	}
-}
--- a/client/internal/auth/pending_flow.go
+++ b/client/internal/auth/pending_flow.go
@@ -1,89 +0,0 @@
-package auth
-
-import (
-	"context"
-	"sync"
-	"time"
-)
-
-// PendingFlow stores an in-progress OAuth flow between the RPC that
-// initiates it (returns the verification URI to the UI) and the RPC
-// that waits for the user to complete it. The flow handle, the
-// device-code info, and the absolute expiry are kept together so the
-// waiting RPC can validate the device code and reuse the same flow.
-//
-// PendingFlow is safe for concurrent use; callers must not access the
-// stored fields directly.
-type PendingFlow struct {
-	mu         sync.Mutex
-	flow       OAuthFlow
-	info       AuthFlowInfo
-	expiresAt  time.Time
-	waitCancel context.CancelFunc
-}
-
-// NewPendingFlow returns an empty PendingFlow ready to be populated by Set.
-func NewPendingFlow() *PendingFlow {
-	return &PendingFlow{}
-}
-
-// Set stores the flow and its authorization info, computing the absolute
-// expiry from info.ExpiresIn (seconds, as returned by the IdP).
-func (p *PendingFlow) Set(flow OAuthFlow, info AuthFlowInfo) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	p.flow = flow
-	p.info = info
-	p.expiresAt = time.Now().Add(time.Duration(info.ExpiresIn) * time.Second)
-}
-
-// Get returns the stored flow, info, and whether a flow is currently
-// pending. Returns (nil, zero, false) after Clear or before Set.
-func (p *PendingFlow) Get() (OAuthFlow, AuthFlowInfo, bool) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.flow == nil {
-		return nil, AuthFlowInfo{}, false
-	}
-	return p.flow, p.info, true
-}
-
-// ExpiresAt returns the absolute expiry of the pending flow. Returns
-// the zero time when no flow is pending.
-func (p *PendingFlow) ExpiresAt() time.Time {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	return p.expiresAt
-}
-
-// SetWaitCancel records the cancel function for the goroutine currently
-// blocked in WaitToken so a new RequestAuth can preempt it.
-func (p *PendingFlow) SetWaitCancel(cancel context.CancelFunc) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	p.waitCancel = cancel
-}
-
-// CancelWait invokes and clears the stored wait-cancel, if any. Safe to
-// call when no wait is in progress.
-func (p *PendingFlow) CancelWait() {
-	p.mu.Lock()
-	cancel := p.waitCancel
-	p.waitCancel = nil
-	p.mu.Unlock()
-	if cancel != nil {
-		cancel()
-	}
-}
-
-// Clear resets the pending flow to empty. Any stored wait-cancel is
-// dropped without being invoked — call CancelWait first if the waiting
-// goroutine must be stopped.
-func (p *PendingFlow) Clear() {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	p.flow = nil
-	p.info = AuthFlowInfo{}
-	p.expiresAt = time.Time{}
-	p.waitCancel = nil
-}
--- a/client/internal/auth/sessionwatch/event.go
+++ b/client/internal/auth/sessionwatch/event.go
@@ -1,74 +0,0 @@
-package sessionwatch
-
-import (
-	"strconv"
-	"time"
-)
-
-// internal event kinds are no longer exposed: the watcher drives the Sink
-// directly (NotifyStateChange on deadline change/clear, PublishEvent at
-// each warning lead). Tests use a mock Sink to observe what the watcher
-// emits.
-
-// Metadata keys attached by the daemon to session-warning SystemEvents.
-// The UI tray reads these to build a locale-aware notification without
-// relying on the daemon's locale-less UserMessage string, and to
-// disambiguate the T-WarningLead notification from the T-FinalWarningLead
-// fallback that auto-opens the SessionAboutToExpire dialog.
-const (
-	// MetaSessionWarning is set to "true" on both warning events (T-10 and
-	// T-2) so the UI can detect a session-warning SystemEvent without
-	// matching on the message text. Use MetaSessionFinal to distinguish
-	// the two.
-	MetaSessionWarning = "session_warning"
-	// MetaSessionFinal is set to "true" on the T-FinalWarningLead event
-	// only. Consumers that need to auto-open the SessionAboutToExpire
-	// dialog gate on this; T-WarningLead events leave the field unset.
-	MetaSessionFinal = "session_final_warning"
-	// MetaSessionExpiresAt carries the absolute UTC deadline encoded with
-	// FormatExpiresAt; consumers must decode with ParseExpiresAt so a
-	// future format change stays a single edit.
-	MetaSessionExpiresAt = "session_expires_at"
-	// MetaSessionLeadMinutes carries the lead in whole minutes (WarningLead
-	// for the T-10 event, FinalWarningLead for the T-2 event) so the UI
-	// can show "expires in ~N minutes" without hardcoding either constant.
-	MetaSessionLeadMinutes = "lead_minutes"
-)
-
-// expiresAtLayout is the wire format used for MetaSessionExpiresAt.
-// Producer and consumers both go through FormatExpiresAt/ParseExpiresAt
-// so this layout stays a single source of truth.
-const expiresAtLayout = time.RFC3339
-
-// FormatExpiresAt encodes a deadline for MetaSessionExpiresAt. Always
-// emits UTC so a consumer in another timezone reads the same wall-clock
-// deadline.
-func FormatExpiresAt(t time.Time) string {
-	return t.UTC().Format(expiresAtLayout)
-}
-
-// ParseExpiresAt decodes the MetaSessionExpiresAt value back to a UTC
-// time. Returns an error when the field is empty or malformed; the
-// caller decides whether to fall back (zero value) or propagate.
-func ParseExpiresAt(s string) (time.Time, error) {
-	t, err := time.Parse(expiresAtLayout, s)
-	if err != nil {
-		return time.Time{}, err
-	}
-	return t.UTC(), nil
-}
-
-// FormatLeadMinutes encodes a lead duration for MetaSessionLeadMinutes
-// as the integer count of whole minutes. Sub-minute residuals are
-// truncated — the field is informational ("expires in ~N minutes") and
-// fractional minutes don't change what the UI displays.
-func FormatLeadMinutes(d time.Duration) string {
-	return strconv.Itoa(int(d / time.Minute))
-}
-
-// ParseLeadMinutes decodes a MetaSessionLeadMinutes value. Returns 0
-// and the parse error for malformed input; consumers that prefer a
-// silent fallback can simply ignore the error.
-func ParseLeadMinutes(s string) (int, error) {
-	return strconv.Atoi(s)
-}
--- a/client/internal/auth/sessionwatch/watcher.go
+++ b/client/internal/auth/sessionwatch/watcher.go
@@ -1,362 +0,0 @@
-// Package sessionwatch tracks the SSO session expiry deadline that the
-// management server publishes via LoginResponse / SyncResponse and fires
-// two warning events at fixed lead times before expiry: an interactive
-// T-WarningLead notification and a dismiss-gated T-FinalWarningLead
-// fallback dialog.
-//
-// The watcher is idempotent: Update may be called as often as the network
-// map snapshots arrive. Repeating the same deadline is a no-op; a new
-// deadline reschedules the timers and arms a fresh warning cycle.
-//
-// Warning firing is edge-detected. Each unique deadline value fires each
-// warning callback at most once.
-package sessionwatch
-
-import (
-	"errors"
-	"fmt"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	cProto "github.com/netbirdio/netbird/client/proto"
-)
-
-const (
-	// Skew tolerates a small clock difference between the management
-	// server and this peer before treating a deadline as "in the past".
-	// Slightly above typical NTP drift; tight enough that the UI doesn't
-	// paint a stale expiry as if it were valid.
-	Skew = 30 * time.Second
-
-	// maxDeadlineHorizon caps how far in the future an accepted deadline
-	// can sit. A timestamp beyond this is almost certainly a protocol
-	// glitch, and silently arming a 100-year timer would hide the bug.
-	maxDeadlineHorizon = 10 * 365 * 24 * time.Hour
-
-	// WarningLead is how far before expiry the first (interactive)
-	// warning fires. Drives the T-10 OS notification with
-	// Extend/Dismiss actions.
-	WarningLead = 10 * time.Minute
-
-	// FinalWarningLead is how far before expiry the fallback final
-	// warning fires. Drives the auto-opened SessionAboutToExpire dialog,
-	// but only when the user has not dismissed the T-WarningLead warning
-	// for the same deadline. Must be strictly less than WarningLead.
-	FinalWarningLead = 2 * time.Minute
-)
-
-var (
-	// ErrDeadlineBeforeEpoch is returned by Update when the supplied
-	// deadline pre-dates 1970-01-01.
-	ErrDeadlineBeforeEpoch = errors.New("session deadline before unix epoch")
-
-	// ErrDeadlineTooFarFuture is returned by Update when the supplied
-	// deadline is more than maxDeadlineHorizon in the future.
-	ErrDeadlineTooFarFuture = errors.New("session deadline too far in the future")
-
-	// ErrDeadlineInPast is returned by Update when the supplied deadline
-	// is more than Skew in the past.
-	ErrDeadlineInPast = errors.New("session deadline in the past")
-)
-
-// StatusRecorder is the side-effect surface the watcher drives on every
-// state transition. Production wires this to peer.Status (NotifyStateChange
-// for deadline change/clear, PublishEvent for the two warnings); tests pass
-// a fake recorder so the same surface is observable without an engine.
-//
-// PublishEvent's signature mirrors peer.Status.PublishEvent: the watcher
-// composes the metadata internally so the wire format (MetaSession*) is
-// owned by sessionwatch, not the caller.
-type StatusRecorder interface {
-	NotifyStateChange()
-	PublishEvent(
-		severity cProto.SystemEvent_Severity,
-		category cProto.SystemEvent_Category,
-		message string,
-		userMessage string,
-		metadata map[string]string,
-	)
-}
-
-// Watcher observes the latest session deadline and fires two warnings
-// before it expires: the interactive T-WarningLead notification, and the
-// fallback T-FinalWarningLead dialog (suppressed when the user dismissed
-// the first one for the same deadline). Safe for concurrent use.
-type Watcher struct {
-	lead      time.Duration
-	finalLead time.Duration
-
-	mu           sync.Mutex
-	current      time.Time
-	timer        *time.Timer
-	finalTimer   *time.Timer
-	firedAt      time.Time // deadline value the T-WarningLead callback last fired against
-	finalFiredAt time.Time // deadline value the T-FinalWarningLead callback last fired against
-	dismissedAt  time.Time // deadline value the user dismissed via Dismiss(); gates fireFinal
-	closed       bool
-	recorder     StatusRecorder
-}
-
-// New returns a watcher with the package defaults WarningLead and
-// FinalWarningLead. Pass nil for recorder to silence side effects (handy
-// in unit tests that exercise sanity checks without observing the publish
-// path).
-func New(recorder StatusRecorder) *Watcher {
-	return NewWithLeads(WarningLead, FinalWarningLead, recorder)
-}
-
-// NewWithLeads returns a watcher with custom lead times. Useful for tests.
-// final must be strictly less than lead; otherwise both timers fire in the
-// wrong order or simultaneously and the UI flow breaks. A zero final lead
-// disables the final-warning timer entirely (see armTimerLocked) so a
-// millisecond-scale deadline doesn't flush both timers in one tick.
-func NewWithLeads(lead, final time.Duration, recorder StatusRecorder) *Watcher {
-	return &Watcher{
-		lead:      lead,
-		finalLead: final,
-		recorder:  recorder,
-	}
-}
-
-// Update sets the latest deadline. Pass the zero time to clear (e.g. when
-// a Sync push from the server omits the field because login expiration
-// was disabled).
-//
-// Same-value updates are no-ops. A different non-zero value cancels any
-// pending timer, resets the "already fired" guard, and arms a new one.
-//
-// Returns one of the sentinel Err* values when the deadline fails the
-// sanity checks (pre-epoch, far future, or in the past beyond Skew).
-// In every error case the watcher first clears its state so it stays
-// consistent with what the caller will push into its other sinks (e.g.
-// applySessionDeadline forces a zero deadline into the status recorder
-// after a non-nil error).
-func (w *Watcher) Update(deadline time.Time) error {
-	w.mu.Lock()
-	if w.closed {
-		w.mu.Unlock()
-		return nil
-	}
-
-	if deadline.IsZero() {
-		w.clearLocked()
-		return nil
-	}
-
-	now := time.Now()
-	switch {
-	case deadline.Before(time.Unix(0, 0)):
-		w.clearLocked()
-		return fmt.Errorf("%w: %v", ErrDeadlineBeforeEpoch, deadline)
-	case deadline.After(now.Add(maxDeadlineHorizon)):
-		w.clearLocked()
-		return fmt.Errorf("%w: %v", ErrDeadlineTooFarFuture, deadline)
-	case deadline.Before(now.Add(-Skew)):
-		w.clearLocked()
-		return fmt.Errorf("%w: %v (now=%v)", ErrDeadlineInPast, deadline, now)
-	}
-
-	if deadline.Equal(w.current) {
-		w.mu.Unlock()
-		return nil
-	}
-
-	w.stopTimerLocked()
-	w.current = deadline
-	// Reset every per-deadline guard so a refreshed deadline arms a fresh
-	// warning cycle: both edge triggers and the user Dismiss decision
-	// (the user agreed to the old deadline expiring; a new deadline
-	// restarts the contract).
-	w.firedAt = time.Time{}
-	w.finalFiredAt = time.Time{}
-	w.dismissedAt = time.Time{}
-
-	w.armTimerLocked(deadline)
-	recorder := w.recorder
-	w.mu.Unlock()
-	if recorder != nil {
-		recorder.NotifyStateChange()
-	}
-	log.Infof("auth session deadline set to: %s (in %s)", deadline.Format(time.RFC3339), time.Until(deadline).Round(time.Second))
-	return nil
-}
-
-// Deadline returns the most recently observed deadline. Zero when no
-// deadline is currently tracked.
-func (w *Watcher) Deadline() time.Time {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	return w.current
-}
-
-// Dismiss records the user's "Dismiss" action against the current deadline
-// and suppresses the upcoming final-warning callback for that deadline.
-// Idempotent: repeated calls are no-ops. A subsequent Update with a fresh
-// deadline resets the dismissal so the final-warning cycle re-arms.
-//
-// No-op when the watcher holds no deadline or has been closed.
-func (w *Watcher) Dismiss() {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.closed || w.current.IsZero() {
-		return
-	}
-	if w.dismissedAt.Equal(w.current) {
-		return
-	}
-	w.dismissedAt = w.current
-	// Cancel the armed final-warning timer eagerly. fireFinal would also
-	// gate on dismissedAt, but stopping the timer avoids a wakeup with
-	// nothing to do and makes the intent visible.
-	if w.finalTimer != nil {
-		w.finalTimer.Stop()
-		w.finalTimer = nil
-	}
-	log.Infof("auth session final-warning dismissed for deadline %s", w.current.Format(time.RFC3339))
-}
-
-// Close stops any pending timer. Update calls after Close are ignored.
-func (w *Watcher) Close() {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.closed {
-		return
-	}
-	w.closed = true
-	w.stopTimerLocked()
-}
-
-// clearLocked drops the tracked deadline and notifies the recorder so
-// downstream consumers (SubscribeStatus stream, UI) drop their anchor.
-// The caller must hold w.mu; this helper releases it before invoking
-// the recorder.
-func (w *Watcher) clearLocked() {
-	if w.current.IsZero() {
-		w.mu.Unlock()
-		return
-	}
-	w.stopTimerLocked()
-	w.current = time.Time{}
-	w.firedAt = time.Time{}
-	w.finalFiredAt = time.Time{}
-	w.dismissedAt = time.Time{}
-	recorder := w.recorder
-	w.mu.Unlock()
-	if recorder != nil {
-		recorder.NotifyStateChange()
-	}
-	log.Infof("auth session deadline cleared")
-}
-
-func (w *Watcher) stopTimerLocked() {
-	if w.timer != nil {
-		w.timer.Stop()
-		w.timer = nil
-	}
-	if w.finalTimer != nil {
-		w.finalTimer.Stop()
-		w.finalTimer = nil
-	}
-}
-
-func (w *Watcher) armTimerLocked(deadline time.Time) {
-	w.timer = armOneShotLocked(deadline.Add(-w.lead), func() { w.fire(deadline) })
-	// finalLead <= 0 disables the final-warning timer entirely. Used by
-	// tests that predate the final-warning fallback so a millisecond-scale
-	// deadline does not flush both timers at once.
-	if w.finalLead > 0 {
-		w.finalTimer = armOneShotLocked(deadline.Add(-w.finalLead), func() { w.fireFinal(deadline) })
-	}
-}
-
-func (w *Watcher) fire(armedFor time.Time) {
-	w.mu.Lock()
-	if w.closed || !w.current.Equal(armedFor) {
-		// Deadline moved while we were waiting (e.g. a successful extend).
-		// The reschedule path armed a fresh timer; this one is stale.
-		w.mu.Unlock()
-		return
-	}
-	if !w.firedAt.IsZero() && w.firedAt.Equal(armedFor) {
-		w.mu.Unlock()
-		return
-	}
-	w.firedAt = armedFor
-	recorder := w.recorder
-	w.mu.Unlock()
-	if recorder == nil {
-		return
-	}
-	log.Infof("auth session expiry soon warning fired")
-	publishWarning(recorder, armedFor, false)
-}
-
-// fireFinal mirrors fire for the T-FinalWarningLead timer with an extra
-// dismiss-gate: if the user dismissed the T-WarningLead notification for
-// this deadline, the final warning is suppressed entirely.
-func (w *Watcher) fireFinal(armedFor time.Time) {
-	w.mu.Lock()
-	if w.closed || !w.current.Equal(armedFor) {
-		w.mu.Unlock()
-		return
-	}
-	if !w.finalFiredAt.IsZero() && w.finalFiredAt.Equal(armedFor) {
-		w.mu.Unlock()
-		return
-	}
-	if w.dismissedAt.Equal(armedFor) {
-		w.mu.Unlock()
-		log.Infof("auth session final-warning skipped (dismissed by user)")
-		return
-	}
-	w.finalFiredAt = armedFor
-	recorder := w.recorder
-	w.mu.Unlock()
-	if recorder == nil {
-		return
-	}
-	log.Infof("auth session final-warning fired")
-	publishWarning(recorder, armedFor, true)
-}
-
-// armOneShotLocked schedules cb at fireAt. When fireAt is already in the
-// past it dispatches on the next scheduler tick so a state-change recorder
-// notification (invoked after w.mu is released) lands first. Caller must
-// hold w.mu.
-func armOneShotLocked(fireAt time.Time, cb func()) *time.Timer {
-	delay := time.Until(fireAt)
-	if delay <= 0 {
-		return time.AfterFunc(0, cb)
-	}
-	return time.AfterFunc(delay, cb)
-}
-
-// publishWarning composes the SystemEvent for a watcher-fired warning and
-// pushes it through the recorder. Severity is CRITICAL on both — bypassing
-// the user's Notifications toggle is deliberate: missing the warning
-// window forces the post-mortem SessionExpired flow (tunnel torn down,
-// lock icon, manual re-login), which is the UX we are trying to avoid.
-func publishWarning(recorder StatusRecorder, deadline time.Time, final bool) {
-	lead := WarningLead
-	message := "session expiry warning"
-	meta := map[string]string{
-		MetaSessionWarning:   "true",
-		MetaSessionExpiresAt: FormatExpiresAt(deadline),
-	}
-	if final {
-		lead = FinalWarningLead
-		message = "session expiry final warning"
-		meta[MetaSessionFinal] = "true"
-	}
-	meta[MetaSessionLeadMinutes] = FormatLeadMinutes(lead)
-
-	recorder.PublishEvent(
-		cProto.SystemEvent_CRITICAL,
-		cProto.SystemEvent_AUTHENTICATION,
-		message,
-		"",
-		meta,
-	)
-}
--- a/client/internal/auth/sessionwatch/watcher_test.go
+++ b/client/internal/auth/sessionwatch/watcher_test.go
@@ -1,463 +0,0 @@
-package sessionwatch
-
-import (
-	"errors"
-	"sync"
-	"testing"
-	"time"
-
-	cProto "github.com/netbirdio/netbird/client/proto"
-)
-
-// fakeRecorder satisfies StatusRecorder and records every call so tests
-// can observe what the watcher emits. NotifyStateChange and PublishEvent
-// land in the same ordered events slice (with the Kind distinguishing
-// them) so tests that care about ordering still work.
-type fakeRecorder struct {
-	mu     sync.Mutex
-	events []event
-}
-
-type eventKind int
-
-const (
-	stateChange eventKind = iota
-	publish
-)
-
-type event struct {
-	kind eventKind
-	// Set only for publish events.
-	severity cProto.SystemEvent_Severity
-	category cProto.SystemEvent_Category
-	message  string
-	meta     map[string]string
-}
-
-func (r *fakeRecorder) NotifyStateChange() {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.events = append(r.events, event{kind: stateChange})
-}
-
-func (r *fakeRecorder) PublishEvent(
-	severity cProto.SystemEvent_Severity,
-	category cProto.SystemEvent_Category,
-	message string,
-	_ string,
-	metadata map[string]string,
-) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.events = append(r.events, event{
-		kind:     publish,
-		severity: severity,
-		category: category,
-		message:  message,
-		meta:     metadata,
-	})
-}
-
-func (r *fakeRecorder) snapshot() []event {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	out := make([]event, len(r.events))
-	copy(out, r.events)
-	return out
-}
-
-func (e event) isFinalWarning() bool {
-	return e.kind == publish && e.meta[MetaSessionFinal] == "true"
-}
-
-func (e event) isWarning() bool {
-	return e.kind == publish && e.meta[MetaSessionWarning] == "true" && e.meta[MetaSessionFinal] != "true"
-}
-
-func countWhere(events []event, pred func(event) bool) int {
-	n := 0
-	for _, e := range events {
-		if pred(e) {
-			n++
-		}
-	}
-	return n
-}
-
-func waitForEvents(t *testing.T, r *fakeRecorder, want int) []event {
-	t.Helper()
-	deadline := time.Now().Add(500 * time.Millisecond)
-	for time.Now().Before(deadline) {
-		if got := r.snapshot(); len(got) >= want {
-			return got
-		}
-		time.Sleep(5 * time.Millisecond)
-	}
-	got := r.snapshot()
-	t.Fatalf("timed out waiting for %d events, got %d: %+v", want, len(got), got)
-	return nil
-}
-
-// newWatcher builds a watcher with the final timer disabled (finalLead=0),
-// matching the lead-only behaviour the pre-final-warning tests assume.
-func newWatcher(lead time.Duration, r *fakeRecorder) *Watcher {
-	return NewWithLeads(lead, 0, r)
-}
-
-func TestUpdateZeroBeforeAnythingIsNoop(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	_ = w.Update(time.Time{})
-
-	if got := r.snapshot(); len(got) != 0 {
-		t.Fatalf("expected no events on initial zero, got %+v", got)
-	}
-}
-
-func TestUpdateNonZeroFiresStateChange(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	d := time.Now().Add(time.Hour)
-	_ = w.Update(d)
-
-	events := waitForEvents(t, r, 1)
-	if events[0].kind != stateChange {
-		t.Fatalf("expected stateChange, got %+v", events[0])
-	}
-	if !w.Deadline().Equal(d) {
-		t.Fatalf("deadline mismatch: %v vs %v", w.Deadline(), d)
-	}
-}
-
-func TestSameDeadlineIsNoop(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	d := time.Now().Add(time.Hour)
-	_ = w.Update(d)
-	_ = w.Update(d)
-	_ = w.Update(d)
-
-	events := waitForEvents(t, r, 1)
-	if len(events) != 1 {
-		t.Fatalf("expected exactly 1 event for repeated same deadline, got %d: %+v", len(events), events)
-	}
-}
-
-func TestWarningFiresOnceWithinLeadWindow(t *testing.T) {
-	r := &fakeRecorder{}
-	lead := 50 * time.Millisecond
-	w := newWatcher(lead, r)
-	defer w.Close()
-
-	// Deadline 80ms out — warning should fire after ~30ms.
-	d := time.Now().Add(80 * time.Millisecond)
-	_ = w.Update(d)
-
-	events := waitForEvents(t, r, 2)
-	if events[0].kind != stateChange {
-		t.Fatalf("event[0] should be stateChange, got %+v", events[0])
-	}
-	if !events[1].isWarning() {
-		t.Fatalf("event[1] should be a warning publish, got %+v", events[1])
-	}
-}
-
-func TestWarningFiresImmediatelyWhenAlreadyInsideWindow(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(time.Hour, r) // lead > delta => fire immediately
-	defer w.Close()
-
-	d := time.Now().Add(10 * time.Millisecond)
-	_ = w.Update(d)
-
-	events := waitForEvents(t, r, 2)
-	if !events[1].isWarning() {
-		t.Fatalf("expected immediate warning publish, got %+v", events[1])
-	}
-}
-
-func TestNewDeadlineCancelsPriorTimer(t *testing.T) {
-	r := &fakeRecorder{}
-	lead := 50 * time.Millisecond
-	w := newWatcher(lead, r)
-	defer w.Close()
-
-	first := time.Now().Add(80 * time.Millisecond) // would fire warning ~30ms in
-	_ = w.Update(first)
-
-	// Replace with a far-future deadline before the warning fires.
-	time.Sleep(5 * time.Millisecond)
-	second := time.Now().Add(time.Hour)
-	_ = w.Update(second)
-
-	// Wait past when first's warning would have fired.
-	time.Sleep(80 * time.Millisecond)
-
-	if n := countWhere(r.snapshot(), event.isWarning); n != 0 {
-		t.Fatalf("warning fired for cancelled deadline: %+v", r.snapshot())
-	}
-}
-
-func TestRefreshAfterFireArmsNewWarning(t *testing.T) {
-	r := &fakeRecorder{}
-	lead := 30 * time.Millisecond
-	w := newWatcher(lead, r)
-	defer w.Close()
-
-	first := time.Now().Add(50 * time.Millisecond)
-	_ = w.Update(first)
-
-	// Wait for stateChange + warning of the first cycle.
-	waitForEvents(t, r, 2)
-
-	// Simulate a successful extend: brand new deadline.
-	second := time.Now().Add(60 * time.Millisecond)
-	_ = w.Update(second)
-
-	// 4 events total: stateChange, warning (first), stateChange, warning (second).
-	events := waitForEvents(t, r, 4)
-	if events[2].kind != stateChange {
-		t.Fatalf("event[2] should be stateChange for the new deadline, got %+v", events[2])
-	}
-	if !events[3].isWarning() {
-		t.Fatalf("event[3] should be a warning publish for the new deadline, got %+v", events[3])
-	}
-}
-
-func TestUpdateZeroAfterNonZeroClearsState(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(time.Hour, r)
-	defer w.Close()
-
-	d := time.Now().Add(2 * time.Hour)
-	_ = w.Update(d)
-	waitForEvents(t, r, 1)
-
-	_ = w.Update(time.Time{})
-
-	events := waitForEvents(t, r, 2)
-	if events[1].kind != stateChange {
-		t.Fatalf("expected stateChange on clear, got %+v", events[1])
-	}
-	if !w.Deadline().IsZero() {
-		t.Fatalf("Deadline should be zero after clear")
-	}
-}
-
-func TestUpdateRejectsBeforeEpoch(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	good := time.Now().Add(time.Hour)
-	if err := w.Update(good); err != nil {
-		t.Fatalf("seed Update: %v", err)
-	}
-
-	err := w.Update(time.Unix(-100, 0))
-	if !errors.Is(err, ErrDeadlineBeforeEpoch) {
-		t.Fatalf("want ErrDeadlineBeforeEpoch, got %v", err)
-	}
-	if !w.Deadline().IsZero() {
-		t.Fatalf("rejected pre-epoch update must clear deadline; got %v", w.Deadline())
-	}
-}
-
-func TestUpdateRejectsTooFarFuture(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	good := time.Now().Add(time.Hour)
-	if err := w.Update(good); err != nil {
-		t.Fatalf("seed Update: %v", err)
-	}
-
-	err := w.Update(time.Now().Add(50 * 365 * 24 * time.Hour))
-	if !errors.Is(err, ErrDeadlineTooFarFuture) {
-		t.Fatalf("want ErrDeadlineTooFarFuture, got %v", err)
-	}
-	if !w.Deadline().IsZero() {
-		t.Fatalf("rejected far-future update must clear deadline; got %v", w.Deadline())
-	}
-}
-
-func TestUpdateInPastClearsDeadline(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	good := time.Now().Add(time.Hour)
-	if err := w.Update(good); err != nil {
-		t.Fatalf("seed Update: %v", err)
-	}
-	// Drain the stateChange from the seed.
-	waitForEvents(t, r, 1)
-
-	err := w.Update(time.Now().Add(-1 * time.Hour))
-	if !errors.Is(err, ErrDeadlineInPast) {
-		t.Fatalf("want ErrDeadlineInPast, got %v", err)
-	}
-	if !w.Deadline().IsZero() {
-		t.Fatalf("in-past update must clear the deadline, got %v", w.Deadline())
-	}
-	events := waitForEvents(t, r, 2)
-	if events[1].kind != stateChange {
-		t.Fatalf("expected stateChange on clear, got %+v", events[1])
-	}
-}
-
-func TestUpdateWithinSkewAccepted(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	defer w.Close()
-
-	// 5 seconds in the past is within the 30s Skew tolerance — accept it.
-	d := time.Now().Add(-5 * time.Second)
-	if err := w.Update(d); err != nil {
-		t.Fatalf("within-skew Update should succeed, got %v", err)
-	}
-	if !w.Deadline().Equal(d) {
-		t.Fatalf("expected deadline to be applied, got %v want %v", w.Deadline(), d)
-	}
-}
-
-func TestCloseSilencesUpdates(t *testing.T) {
-	r := &fakeRecorder{}
-	w := newWatcher(50*time.Millisecond, r)
-	w.Close()
-
-	_ = w.Update(time.Now().Add(time.Hour))
-
-	time.Sleep(20 * time.Millisecond)
-	if got := r.snapshot(); len(got) != 0 {
-		t.Fatalf("expected no events after Close, got %+v", got)
-	}
-}
-
-func TestFinalWarningFiresAfterRegularWarning(t *testing.T) {
-	r := &fakeRecorder{}
-	// Warning fires at deadline-80ms, final at deadline-30ms.
-	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
-	defer w.Close()
-
-	d := time.Now().Add(100 * time.Millisecond)
-	_ = w.Update(d)
-
-	// Expect stateChange + warning + final-warning.
-	events := waitForEvents(t, r, 3)
-
-	if countWhere(events, func(e event) bool { return e.kind == stateChange }) != 1 {
-		t.Fatalf("expected exactly 1 stateChange, got %+v", events)
-	}
-	if countWhere(events, event.isWarning) != 1 {
-		t.Fatalf("expected exactly 1 warning publish, got %+v", events)
-	}
-	if countWhere(events, event.isFinalWarning) != 1 {
-		t.Fatalf("expected exactly 1 final-warning publish, got %+v", events)
-	}
-
-	// Warning must precede final (same deadline, longer lead fires first).
-	var wIdx, fIdx int
-	for i, e := range events {
-		switch {
-		case e.isWarning():
-			wIdx = i
-		case e.isFinalWarning():
-			fIdx = i
-		}
-	}
-	if wIdx > fIdx {
-		t.Fatalf("warning must publish before final-warning, got order %+v", events)
-	}
-}
-
-func TestDismissSuppressesFinalWarning(t *testing.T) {
-	r := &fakeRecorder{}
-	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
-	defer w.Close()
-
-	d := time.Now().Add(100 * time.Millisecond)
-	_ = w.Update(d)
-
-	// Wait for the warning publish so we know we're inside the warning
-	// window, then dismiss before the final timer would fire.
-	deadline := time.Now().Add(500 * time.Millisecond)
-	for time.Now().Before(deadline) {
-		if countWhere(r.snapshot(), event.isWarning) >= 1 {
-			break
-		}
-		time.Sleep(2 * time.Millisecond)
-	}
-	if countWhere(r.snapshot(), event.isWarning) < 1 {
-		t.Fatalf("warning did not publish in time, events=%+v", r.snapshot())
-	}
-
-	w.Dismiss()
-
-	// Now wait past when the final would have fired.
-	time.Sleep(120 * time.Millisecond)
-
-	if n := countWhere(r.snapshot(), event.isFinalWarning); n != 0 {
-		t.Fatalf("final-warning published after Dismiss(), events=%+v", r.snapshot())
-	}
-}
-
-func TestDismissResetByNewDeadline(t *testing.T) {
-	r := &fakeRecorder{}
-	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
-	defer w.Close()
-
-	first := time.Now().Add(100 * time.Millisecond)
-	_ = w.Update(first)
-
-	// Dismiss against the first deadline.
-	w.Dismiss()
-
-	// Replace with a fresh deadline before the first's timers complete.
-	time.Sleep(10 * time.Millisecond)
-	second := time.Now().Add(100 * time.Millisecond)
-	_ = w.Update(second)
-
-	// The second cycle must publish a final-warning (the dismiss state
-	// did not carry over).
-	deadline := time.Now().Add(500 * time.Millisecond)
-	for time.Now().Before(deadline) {
-		if countWhere(r.snapshot(), event.isFinalWarning) >= 1 {
-			break
-		}
-		time.Sleep(5 * time.Millisecond)
-	}
-	if countWhere(r.snapshot(), event.isFinalWarning) < 1 {
-		t.Fatalf("final-warning did not publish on fresh deadline after Dismiss reset, events=%+v", r.snapshot())
-	}
-}
-
-func TestDismissBeforeUpdateIsNoop(t *testing.T) {
-	r := &fakeRecorder{}
-	w := NewWithLeads(80*time.Millisecond, 30*time.Millisecond, r)
-	defer w.Close()
-
-	// No deadline tracked yet; Dismiss must be a no-op (no panic, no state).
-	w.Dismiss()
-
-	d := time.Now().Add(100 * time.Millisecond)
-	_ = w.Update(d)
-
-	// Final warning should still publish — Dismiss only acts on the current
-	// deadline, and there was none at the time of the call.
-	deadline := time.Now().Add(500 * time.Millisecond)
-	for time.Now().Before(deadline) {
-		if countWhere(r.snapshot(), event.isFinalWarning) >= 1 {
-			return
-		}
-		time.Sleep(5 * time.Millisecond)
-	}
-	t.Fatalf("final-warning did not publish after no-op pre-Update Dismiss, events=%+v", r.snapshot())
-}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -256,15 +256,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		log.Debugf("connecting to the Management service %s", c.config.ManagementURL.Host)
 		mgmClient, err := mgm.NewClient(engineCtx, c.config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
-			// On daemon shutdown / Down() the parent context is cancelled
-			// and the dial fails with "context canceled". Wrapping that
-			// into state would leave the snapshot stuck at Connecting+err
-			// until the backoff loop wakes up — instead let the operation
-			// return cleanly so the deferred state.Set(StatusIdle) takes
-			// effect on the next iteration.
-			if c.ctx.Err() != nil {
-				return nil
-			}
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
@@ -393,10 +384,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}

-		// Seed the session-expiry deadline from the LoginResponse. Subsequent
-		// changes flow in through SyncResponse and are applied in handleSync.
-		engine.ApplySessionDeadline(loginResp.GetSessionExpiresAt())
-
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)

@@ -437,11 +424,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	}

 	c.statusRecorder.ClientStart()
-	// Wrap the backoff with c.ctx so Down()/actCancel propagates into the
-	// inter-attempt sleep — otherwise a 15s MaxInterval can keep the retry
-	// loop alive long after the caller asked to give up, leaving the
-	// status stream stuck at Connecting.
-	err = backoff.Retry(operation, backoff.WithContext(backOff, c.ctx))
+	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -35,7 +35,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl"
-	"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
@@ -251,8 +250,6 @@ type Engine struct {
 	jobExecutorWG sync.WaitGroup

 	exposeManager *expose.Manager
-
-	sessionWatcher *sessionwatch.Watcher
 }

 // Peer is an instance of the Connection Peer
@@ -296,17 +293,6 @@ func NewEngine(
 		clientMetrics:      services.ClientMetrics,
 		updateManager:      services.UpdateManager,
 	}
-	// sessionWatcher keeps the SubscribeStatus consumers in sync with the
-	// session expiry deadline. Deadline-change ticks come for free via
-	// Status.SetSessionExpiresAt; the watcher exists to push a wake-up at
-	// T-WarningLead and T-FinalWarningLead so the UI repaints the remaining
-	// time / warning state even when nothing else changed, and to publish
-	// two SystemEvents (the warning composition lives in sessionwatch so
-	// the wire format stays owned by one package):
-	//   - T-WarningLead   → interactive "Extend now / Dismiss" notification
-	//   - T-FinalWarningLead → auto-opened SessionAboutToExpire dialog,
-	//     suppressed when the user dismissed the earlier warning
-	engine.sessionWatcher = sessionwatch.New(engine.statusRecorder)

 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
 	return engine
@@ -347,10 +333,6 @@ func (e *Engine) Stop() error {
 		e.srWatcher.Close()
 	}

-	if e.sessionWatcher != nil {
-		e.sessionWatcher.Close()
-	}
-
 	if e.updateManager != nil {
 		e.updateManager.SetDownloadOnly()
 	}
@@ -883,8 +865,6 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return e.ctx.Err()
 	}

-	e.ApplySessionDeadline(update.GetSessionExpiresAt())
-
 	if update.NetworkMap != nil && update.NetworkMap.PeerConfig != nil {
 		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
 	}
--- a/client/internal/engine_authsession.go
+++ b/client/internal/engine_authsession.go
@@ -1,97 +0,0 @@
-package internal
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/netbirdio/netbird/client/system"
-)
-
-// ApplySessionDeadline propagates the absolute SSO session deadline carried on
-// LoginResponse / SyncResponse to both the watcher (for the edge-triggered
-// warning) and the status recorder (for the SubscribeStatus / Status RPC
-// snapshot the UI consumes).
-//
-// The wire field is 3-state:
-//   - nil                        → snapshot carries no info; keep the
-//     previously-anchored deadline (no-op)
-//   - explicit zero (s=0, n=0)   → peer is not SSO-registered or expiry is
-//     disabled; clear both sinks
-//   - valid timestamp            → new deadline; arm watcher, expose on
-//     status recorder
-//
-// Deadline sanity-checks live in sessionwatch.Watcher.Update. Any rejected
-// value is treated as a clear on both sinks: the alternative — leaving the
-// previously-known deadline in place — risks the UI confidently displaying
-// a stale "expires in X" while the server has actually invalidated it.
-func (e *Engine) ApplySessionDeadline(ts *timestamppb.Timestamp) {
-	if ts == nil {
-		return
-	}
-	var deadline time.Time
-	// Explicit zero (seconds=0 AND nanos=0) is the sentinel for "disabled".
-	// Everything else flows through Watcher.Update, whose sanity-checks
-	// reject out-of-range / pre-epoch / far-future / too-stale values; the
-	// catch-block below converts any rejection into a clear.
-	if ts.GetSeconds() != 0 || ts.GetNanos() != 0 {
-		deadline = ts.AsTime().UTC()
-	}
-	if e.sessionWatcher != nil {
-		if err := e.sessionWatcher.Update(deadline); err != nil {
-			log.Errorf("auth session deadline rejected: %v, clearing", err)
-			deadline = time.Time{}
-		}
-	}
-	if e.statusRecorder != nil {
-		e.statusRecorder.SetSessionExpiresAt(deadline)
-	}
-}
-
-// DismissSessionWarning records the user's "Dismiss" click on the
-// T-WarningLead interactive notification and suppresses the upcoming
-// T-FinalWarningLead fallback for the current deadline. No-op when the
-// watcher is not running or holds no deadline.
-func (e *Engine) DismissSessionWarning() {
-	if e.sessionWatcher == nil {
-		return
-	}
-	e.sessionWatcher.Dismiss()
-}
-
-// ExtendAuthSession asks the management server to refresh the SSO session
-// expiry deadline using the supplied JWT, then mirrors the new deadline into
-// the daemon's state. The tunnel is untouched; no resync, no reconnect.
-//
-// Returns the new absolute UTC deadline (or zero time when the server
-// reports the peer is not eligible for extension).
-func (e *Engine) ExtendAuthSession(ctx context.Context, jwtToken string) (time.Time, error) {
-	if jwtToken == "" {
-		return time.Time{}, errors.New("jwt token is required")
-	}
-	if e.mgmClient == nil {
-		return time.Time{}, errors.New("management client is not initialised")
-	}
-
-	info, err := system.GetInfoWithChecks(ctx, e.checks)
-	if err != nil {
-		log.Warnf("failed to collect system info for session extend: %v", err)
-		info = system.GetInfo(ctx)
-	}
-
-	resp, err := e.mgmClient.ExtendAuthSession(info, jwtToken)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("extend auth session on management: %w", err)
-	}
-
-	e.ApplySessionDeadline(resp.GetSessionExpiresAt())
-
-	if resp.GetSessionExpiresAt().IsValid() {
-		return resp.GetSessionExpiresAt().AsTime().UTC(), nil
-	}
-	return time.Time{}, nil
-}
--- a/client/internal/engine_session_deadline_test.go
+++ b/client/internal/engine_session_deadline_test.go
@@ -1,78 +0,0 @@
-package internal
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
-
-// TestApplySessionDeadline_ThreeState pins down the 3-state semantics of the
-// wire field carried on LoginResponse / SyncResponse:
-//
-//   - nil pointer            → no info; previously-anchored deadline survives
-//   - explicit zero value    → "expiry disabled" sentinel; both sinks cleared
-//   - valid future timestamp → new deadline propagated to both sinks
-func TestApplySessionDeadline_ThreeState(t *testing.T) {
-	newEngine := func() *Engine {
-		recorder := peer.NewRecorder("")
-		return &Engine{
-			statusRecorder: recorder,
-			sessionWatcher: sessionwatch.New(recorder),
-		}
-	}
-
-	t.Run("valid timestamp sets deadline on both sinks", func(t *testing.T) {
-		e := newEngine()
-		deadline := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
-
-		e.ApplySessionDeadline(timestamppb.New(deadline))
-
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(deadline),
-			"status recorder should hold the new deadline")
-	})
-
-	t.Run("nil is a no-op and preserves previous deadline", func(t *testing.T) {
-		e := newEngine()
-		seeded := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
-		e.ApplySessionDeadline(timestamppb.New(seeded))
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded))
-
-		e.ApplySessionDeadline(nil)
-
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded),
-			"nil snapshot must not disturb the existing deadline")
-	})
-
-	t.Run("explicit zero clears a previously-anchored deadline", func(t *testing.T) {
-		e := newEngine()
-		seeded := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
-		e.ApplySessionDeadline(timestamppb.New(seeded))
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded))
-
-		// Explicit zero Timestamp{} (seconds=0, nanos=0) is the
-		// "expiry disabled / not SSO" sentinel.
-		e.ApplySessionDeadline(&timestamppb.Timestamp{})
-
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().IsZero(),
-			"explicit zero sentinel must clear the deadline")
-	})
-
-	t.Run("invalid timestamp clears the deadline", func(t *testing.T) {
-		e := newEngine()
-		seeded := time.Now().Add(time.Hour).UTC().Truncate(time.Second)
-		e.ApplySessionDeadline(timestamppb.New(seeded))
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().Equal(seeded))
-
-		// Out-of-range nanos → IsValid()==false; same-meaning as the
-		// disabled sentinel for downstream sinks.
-		e.ApplySessionDeadline(&timestamppb.Timestamp{Seconds: 1, Nanos: -1})
-
-		require.True(t, e.statusRecorder.GetSessionExpiresAt().IsZero(),
-			"invalid timestamp must clear the deadline")
-	})
-}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -202,12 +202,6 @@ type Status struct {
 	notifier              *notifier
 	rosenpassEnabled      bool
 	rosenpassPermissive   bool
-	// sessionExpiresAt is the absolute UTC instant at which the peer's SSO
-	// session expires. Zero when the peer is not SSO-tracked or login
-	// expiration is disabled. Populated from management LoginResponse /
-	// SyncResponse and exposed via the daemon's Status / SubscribeStatus RPC
-	// so the UI can show remaining time without itself talking to mgm.
-	sessionExpiresAt      time.Time
 	nsGroupStates         []NSGroupState
 	resolvedDomainsStates map[domain.Domain]ResolvedDomainInfo
 	lazyConnectionEnabled bool
@@ -223,14 +217,6 @@ type Status struct {
 	eventStreams map[string]chan *proto.SystemEvent
 	eventQueue   *EventQueue

-	// stateChangeStreams fan-out connection-state changes (connected /
-	// disconnected / connecting / address change / peers list change) to
-	// every active SubscribeStatus gRPC stream. Each subscriber gets a
-	// buffered chan; the notifier non-blockingly pings them so a slow
-	// consumer can never stall the daemon.
-	stateChangeMux     sync.Mutex
-	stateChangeStreams map[string]chan struct{}
-
 	ingressGwMgr *ingressgw.Manager

 	routeIDLookup routeIDLookup
@@ -244,7 +230,6 @@ func NewRecorder(mgmAddress string) *Status {
 		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
-		stateChangeStreams:    make(map[string]chan struct{}),
 		offlinePeers:          make([]State, 0),
 		notifier:              newNotifier(),
 		mgmAddress:            mgmAddress,
@@ -375,7 +360,6 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }

@@ -401,7 +385,6 @@ func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.R

 	// todo: consider to make sense of this notification or not
 	d.notifier.peerListChanged(numPeers)
-	d.notifyStateChange()
 	return nil
 }

@@ -427,7 +410,6 @@ func (d *Status) RemovePeerStateRoute(peer string, route string) error {

 	// todo: consider to make sense of this notification or not
 	d.notifier.peerListChanged(numPeers)
-	d.notifyStateChange()
 	return nil
 }

@@ -477,7 +459,6 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }

@@ -514,7 +495,6 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }

@@ -550,7 +530,6 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }

@@ -589,7 +568,6 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }

@@ -683,7 +661,6 @@ func (d *Status) FinishPeerListModifications() {
 	for _, rd := range dispatches {
 		d.dispatchRouterPeers(rd.peerID, rd.snapshot)
 	}
-	d.notifyStateChange()
 }

 func (d *Status) SubscribeToPeerStateChanges(ctx context.Context, peerID string) *StatusChangeSubscription {
@@ -742,32 +719,6 @@ func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.mux.Unlock()

 	d.notifier.localAddressChanged(fqdn, ip)
-	d.notifyStateChange()
-}
-
-// SetSessionExpiresAt records the absolute UTC instant at which the peer's
-// SSO session is set to expire. Pass the zero value to clear (e.g. when the
-// management server stops publishing a deadline because login expiration was
-// disabled or the peer is not SSO-tracked). Same-value updates are no-ops;
-// real changes fan out via notifyStateChange so SubscribeStatus consumers
-// pick up the new deadline on their next read.
-func (d *Status) SetSessionExpiresAt(deadline time.Time) {
-	d.mux.Lock()
-	if d.sessionExpiresAt.Equal(deadline) {
-		d.mux.Unlock()
-		return
-	}
-	d.sessionExpiresAt = deadline
-	d.mux.Unlock()
-	d.notifyStateChange()
-}
-
-// GetSessionExpiresAt returns the most recently recorded SSO session deadline,
-// or the zero value when no deadline is tracked.
-func (d *Status) GetSessionExpiresAt() time.Time {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	return d.sessionExpiresAt
 }

 // AddLocalPeerStateRoute adds a route to the local peer state
@@ -836,7 +787,6 @@ func (d *Status) CleanLocalPeerState() {
 	d.mux.Unlock()

 	d.notifier.localAddressChanged(fqdn, ip)
-	d.notifyStateChange()
 }

 // MarkManagementDisconnected sets ManagementState to disconnected
@@ -849,7 +799,6 @@ func (d *Status) MarkManagementDisconnected(err error) {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }

 // MarkManagementConnected sets ManagementState to connected
@@ -862,7 +811,6 @@ func (d *Status) MarkManagementConnected() {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }

 // UpdateSignalAddress update the address of the signal server
@@ -903,7 +851,6 @@ func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }

 // MarkSignalConnected sets SignalState to connected
@@ -916,7 +863,6 @@ func (d *Status) MarkSignalConnected() {
 	d.mux.Unlock()

 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }

 func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
@@ -1114,19 +1060,16 @@ func (d *Status) GetFullStatus() FullStatus {
 // ClientStart will notify all listeners about the new service state
 func (d *Status) ClientStart() {
 	d.notifier.clientStart()
-	d.notifyStateChange()
 }

 // ClientStop will notify all listeners about the new service state
 func (d *Status) ClientStop() {
 	d.notifier.clientStop()
-	d.notifyStateChange()
 }

 // ClientTeardown will notify all listeners about the service is under teardown
 func (d *Status) ClientTeardown() {
 	d.notifier.clientTearDown()
-	d.notifyStateChange()
 }

 // SetConnectionListener set a listener to the notifier
@@ -1268,62 +1211,6 @@ func (d *Status) GetEventHistory() []*proto.SystemEvent {
 	return d.eventQueue.GetAll()
 }

-// SubscribeToStateChanges hands back a channel that receives a tick on
-// every connection-state change (connected / disconnected / connecting /
-// address change / peers-list change). The channel is buffered to one
-// pending tick so a coalesced burst still wakes the consumer exactly
-// once. Pass the returned id to UnsubscribeFromStateChanges to detach.
-func (d *Status) SubscribeToStateChanges() (string, <-chan struct{}) {
-	d.stateChangeMux.Lock()
-	defer d.stateChangeMux.Unlock()
-
-	id := uuid.New().String()
-	ch := make(chan struct{}, 1)
-	d.stateChangeStreams[id] = ch
-	return id, ch
-}
-
-// UnsubscribeFromStateChanges releases a SubscribeToStateChanges channel
-// and closes it so any consumer goroutine selecting on the channel
-// unblocks cleanly.
-func (d *Status) UnsubscribeFromStateChanges(id string) {
-	d.stateChangeMux.Lock()
-	defer d.stateChangeMux.Unlock()
-
-	if ch, ok := d.stateChangeStreams[id]; ok {
-		close(ch)
-		delete(d.stateChangeStreams, id)
-	}
-}
-
-// notifyStateChange wakes every SubscribeToStateChanges subscriber. Drops
-// the tick if a subscriber's buffer is full — by definition the consumer
-// is already going to fetch the latest snapshot, so multiple pending ticks
-// would be redundant.
-func (d *Status) notifyStateChange() {
-	d.stateChangeMux.Lock()
-	defer d.stateChangeMux.Unlock()
-
-	for _, ch := range d.stateChangeStreams {
-		select {
-		case ch <- struct{}{}:
-		default:
-		}
-	}
-}
-
-// NotifyStateChange is the public wake-the-subscribers entry point used by
-// callers that mutate state outside the peer recorder — most importantly
-// the connect-state machine, which writes StatusNeedsLogin into the
-// shared contextState (client/internal/state.go) without touching any
-// recorder field. Without this push the SubscribeStatus stream stays on
-// the previous snapshot until an unrelated peer/management/signal
-// change happens to fire notifyStateChange, leaving the UI's status
-// out of sync with the daemon.
-func (d *Status) NotifyStateChange() {
-	d.notifyStateChange()
-}
-
 func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 	d.mux.Lock()
 	defer d.mux.Unlock()
--- a/client/internal/sleep/detector_darwin.go
+++ b/client/internal/sleep/detector_darwin.go
@@ -188,7 +188,9 @@ func (d *Detector) triggerCallback(event EventType, cb func(event EventType), do
 	}

 	doneChan := make(chan struct{})
-	timeout := time.NewTimer(500 * time.Millisecond)
+	// macOS forces sleep ~30s after kIOMessageSystemWillSleep, so block long
+	// enough for teardown to finish while staying under that deadline.
+	timeout := time.NewTimer(20 * time.Second)
 	defer timeout.Stop()

 	go func() {
--- a/client/internal/state.go
+++ b/client/internal/state.go
@@ -33,34 +33,17 @@ func CtxGetState(ctx context.Context) *contextState {
 }

 type contextState struct {
-	err      error
-	status   StatusType
-	mutex    sync.Mutex
-	onChange func()
-}
-
-// SetOnChange installs a callback fired after every successful Set. Used by
-// the daemon to wire the status recorder's notifyStateChange so any
-// state.Set in the connect/login paths pushes a fresh snapshot to
-// SubscribeStatus subscribers without each callsite having to opt in.
-// The callback runs outside the contextState mutex to avoid a lock-order
-// dependency with the recorder's stateChangeMux.
-func (c *contextState) SetOnChange(fn func()) {
-	c.mutex.Lock()
-	c.onChange = fn
-	c.mutex.Unlock()
+	err    error
+	status StatusType
+	mutex  sync.Mutex
 }

 func (c *contextState) Set(update StatusType) {
 	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
 	c.status = update
 	c.err = nil
-	cb := c.onChange
-	c.mutex.Unlock()
-
-	if cb != nil {
-		cb()
-	}
 }

 func (c *contextState) Status() (StatusType, error) {
@@ -74,17 +57,6 @@ func (c *contextState) Status() (StatusType, error) {
 	return c.status, nil
 }

-// CurrentStatus returns the last status set via Set, ignoring any wrapped
-// error. Use when the status is needed for reporting purposes (e.g. the
-// status snapshot stream) and a transient wrapped error from a retry loop
-// shouldn't blank out the underlying status.
-func (c *contextState) CurrentStatus() StatusType {
-	c.mutex.Lock()
-	defer c.mutex.Unlock()
-
-	return c.status
-}
-
 func (c *contextState) Wrap(err error) error {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
--- a/client/netbird.wxs
+++ b/client/netbird.wxs
@@ -32,6 +32,9 @@
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
 					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
+					<?if $(var.ArchSuffix) = "amd64" ?>
+					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
+					<?endif ?>

 					<ServiceInstall
                                     Id="NetBirdService"
@@ -59,23 +62,8 @@
 			<Component Id="NetbirdAumidRegistry" Guid="*">
 				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
-					<!-- Pre-seed the CLSID the Wails notifications service reads on
-					     first startup (notifications_windows.go:getGUID looks for
-					     the CustomActivator value under this key). Without this
-					     the service generates a fresh per-install UUID, which
-					     diverges from the ToastActivatorCLSID set on the Start
-					     Menu / Desktop shortcuts above and the COM activator
-					     never fires when a toast is clicked. -->
-					<RegistryValue Name="CustomActivator" Type="string" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
 				</RegistryKey>
 			</Component>
-			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
-			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
-				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
-					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
-				<RemoveRegistryValue Root="HKCU"
-					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
-			</Component>
 		</StandardDirectory>

 		<StandardDirectory Id="CommonAppDataFolder">
@@ -88,67 +76,19 @@
 			</Directory>
 		</StandardDirectory>

-		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
-		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
-		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
-			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
-			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
-				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
-			<RemoveRegistryValue Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
-			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
-			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
-			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
-				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
-		</Component>
-
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
-			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
-			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>

 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
 		<util:CloseApplication Id="CloseNetBirdUI" CloseMessage="no" Target="netbird-ui.exe" RebootPrompt="no" TerminateProcess="0" />

-		<!-- WebView2 evergreen runtime detection.
-		     Probe both the per-machine and per-user EdgeUpdate keys; if either
-		     reports a non-empty `pv` value the runtime is already installed
-		     and we skip the bootstrapper. -->
-		<Property Id="WEBVIEW2_VERSION_HKLM">
-			<RegistrySearch Id="WV2HKLM" Root="HKLM"
-				Key="SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}"
-				Name="pv" Type="raw" Bitness="always64" />
-		</Property>
-		<Property Id="WEBVIEW2_VERSION_HKCU">
-			<RegistrySearch Id="WV2HKCU" Root="HKCU"
-				Key="Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}"
-				Name="pv" Type="raw" />
-		</Property>

-		<!-- Embed the bootstrapper payload. Path is relative to the WiX
-		     working directory; sign-pipelines stages it next to client/
-		     via `wails3 generate webview2bootstrapper`. -->
-		<Binary Id="WebView2Bootstrapper" SourceFile=".\client\MicrosoftEdgeWebview2Setup.exe" />
-
-		<CustomAction Id="InstallWebView2"
-			BinaryRef="WebView2Bootstrapper"
-			ExeCommand="/silent /install"
-			Execute="deferred"
-			Impersonate="no"
-			Return="check" />
-
-		<InstallExecuteSequence>
-			<Custom Action="InstallWebView2" Before="InstallFinalize"
-				Condition="NOT WEBVIEW2_VERSION_HKLM AND NOT WEBVIEW2_VERSION_HKCU AND NOT REMOVE" />
-		</InstallExecuteSequence>

 		<!-- Icons -->
-		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\build\windows\icon.ico" />
+		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\assets\netbird.ico" />
 		<Property Id="ARPPRODUCTICON" Value="NetbirdIcon" />

 	</Package>
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -24,12 +24,6 @@ service DaemonService {
  // Status of the service.
  rpc Status(StatusRequest) returns (StatusResponse) {}

-  // SubscribeStatus pushes a fresh StatusResponse on connection state
-  // changes (Connected / Disconnected / Connecting / address change /
-  // peers list change). The first message on the stream is the current
-  // snapshot, so a freshly-subscribed UI doesn't need to also call Status.
-  rpc SubscribeStatus(StatusRequest) returns (stream StatusResponse) {}
-
  // Down stops engine work in the daemon.
  rpc Down(DownRequest) returns (DownResponse) {}

@@ -115,25 +109,6 @@ service DaemonService {
  // WaitJWTToken waits for JWT authentication completion
  rpc WaitJWTToken(WaitJWTTokenRequest) returns (WaitJWTTokenResponse) {}

-  // RequestExtendAuthSession initiates an SSO session-extension flow.
-  // The daemon prepares a PKCE/device-code request against the IdP and
-  // returns the verification URI; the UI is expected to open it. The flow
-  // state is kept in the daemon until WaitExtendAuthSession completes it.
-  rpc RequestExtendAuthSession(RequestExtendAuthSessionRequest) returns (RequestExtendAuthSessionResponse) {}
-
-  // WaitExtendAuthSession blocks until the user finishes the SSO step
-  // started by RequestExtendAuthSession, then forwards the resulting JWT
-  // to the management server's ExtendAuthSession RPC. Returns the new
-  // session expiry deadline. The tunnel stays up the entire time.
-  rpc WaitExtendAuthSession(WaitExtendAuthSessionRequest) returns (WaitExtendAuthSessionResponse) {}
-
-  // DismissSessionWarning records that the user clicked "Dismiss" on the
-  // T-WarningLead interactive notification, suppressing the auto-opened
-  // SessionAboutToExpire dialog that would otherwise fire at
-  // T-FinalWarningLead for the current deadline. Idempotent and best-effort:
-  // a missed call only means the fallback dialog will still appear.
-  rpc DismissSessionWarning(DismissSessionWarningRequest) returns (DismissSessionWarningResponse) {}
-
 // StartCPUProfile starts CPU profiling in the daemon
  rpc StartCPUProfile(StartCPUProfileRequest) returns (StartCPUProfileResponse) {}

@@ -252,12 +227,6 @@ message UpRequest {
  optional string profileName = 1;
  optional string username = 2;
  reserved 3;
-  // async instructs the daemon to start the connection attempt and return
-  // immediately without waiting for the engine to become ready. Status updates
-  // are delivered via the SubscribeStatus stream. When false (the default) the
-  // RPC blocks until the engine is running or gives up, which is the behaviour
-  // needed by the CLI.
-  bool async = 4;
 }

 message UpResponse {}
@@ -275,10 +244,6 @@ message StatusResponse{
  FullStatus fullStatus = 2;
  // NetBird daemon version
  string daemonVersion = 3;
-  // Absolute UTC instant at which the peer's SSO session expires.
-  // Unset when the peer is not SSO-registered or login expiration is disabled.
-  // The UI derives "warning active" from this value and its own clock.
-  google.protobuf.Timestamp sessionExpiresAt = 4;
 }

 message DownRequest {}
@@ -833,55 +798,6 @@ message WaitJWTTokenResponse {
  int64 expiresIn = 3;
 }

-// RequestExtendAuthSessionRequest kicks off the session-extension SSO flow.
-message RequestExtendAuthSessionRequest {
-  // Optional OIDC login_hint (typically the user's email) to pre-fill the
-  // IdP login form.
-  optional string hint = 1;
-}
-
-// RequestExtendAuthSessionResponse carries the verification URI the UI
-// should open in a browser. The daemon retains the flow state and resolves
-// it via WaitExtendAuthSession.
-message RequestExtendAuthSessionResponse {
-  // verification URI for the user to open in the browser
-  string verificationURI = 1;
-  // complete verification URI (with embedded user code)
-  string verificationURIComplete = 2;
-  // user code to enter on verification URI (for device-code flows)
-  string userCode = 3;
-  // device code for matching the WaitExtendAuthSession call to this flow
-  string deviceCode = 4;
-  // expiration time in seconds for the device code / PKCE flow
-  int64 expiresIn = 5;
-}
-
-// WaitExtendAuthSessionRequest is sent by the UI after it opens the
-// verification URI. The daemon blocks on this call until the user
-// completes (or aborts) the SSO step.
-message WaitExtendAuthSessionRequest {
-  // device code returned by RequestExtendAuthSession
-  string deviceCode = 1;
-  // user code for verification
-  string userCode = 2;
-}
-
-// WaitExtendAuthSessionResponse carries the refreshed deadline returned
-// by the management server. Unset when the management server reports the
-// peer is not eligible for session extension.
-message WaitExtendAuthSessionResponse {
-  google.protobuf.Timestamp sessionExpiresAt = 1;
-}
-
-// DismissSessionWarningRequest is sent by the UI when the user clicks
-// "Dismiss" on the T-WarningLead notification.
-message DismissSessionWarningRequest {}
-
-// DismissSessionWarningResponse acknowledges the dismissal. Carries no
-// payload — the daemon's only obligation is to silence the upcoming
-// T-FinalWarningLead fallback for the current deadline.
-message DismissSessionWarningResponse {}
-
 // StartCPUProfileRequest for starting CPU profiling
 message StartCPUProfileRequest {}

--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -19,7 +19,6 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	gstatus "google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/expose"
@@ -68,12 +67,6 @@ type Server struct {
 	logFile string

 	oauthAuthFlow oauthAuthFlow
-	// extendAuthSessionFlow holds the pending PKCE flow created by
-	// RequestExtendAuthSession until WaitExtendAuthSession resolves it.
-	// Kept separate from oauthAuthFlow (which is reserved for the SSH
-	// JWT path) so a concurrent SSH auth doesn't clobber the session
-	// extend flow or vice versa.
-	extendAuthSessionFlow *auth.PendingFlow

 	mutex  sync.Mutex
 	config *profilemanager.Config
@@ -130,7 +123,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		captureEnabled:         captureEnabled,
 		networksDisabled:       networksDisabled,
 		jwtCache:               newJWTCache(),
-		extendAuthSessionFlow:  auth.NewPendingFlow(),
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
@@ -148,15 +140,6 @@ func (s *Server) Start() error {
 	}

 	state := internal.CtxGetState(s.rootCtx)
-	// Every contextState.Set in the connect/login/server paths must push a
-	// SubscribeStatus snapshot, otherwise transitions that don't happen to
-	// be accompanied by a Mark{Management,Signal,...} call (e.g. plain
-	// StatusNeedsLogin after a PermissionDenied login, StatusLoginFailed
-	// after OAuth init failure, StatusIdle in the Login defer) leave the
-	// UI stuck on the previous status until the next unrelated peer event.
-	// Binding the recorder here means new state.Set callsites don't have
-	// to opt in individually.
-	state.SetOnChange(s.statusRecorder.NotifyStateChange)

 	if err := handlePanicLog(); err != nil {
 		log.Warnf("failed to redirect stderr: %v", err)
@@ -237,20 +220,10 @@ func (s *Server) Start() error {
 // mechanism to keep the client connected even when the connection is lost.
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
 func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profilemanager.Config, statusRecorder *peer.Status, runningChan chan struct{}, giveUpChan chan struct{}) {
-	// close(giveUpChan) MUST run on every exit path (DisableAutoConnect
-	// return, backoff.Retry return, panic) — Down() blocks for up to 5s
-	// waiting on this signal before flipping the state to Idle, and a
-	// missed close leaves Down() always hitting the timeout. The signal
-	// fires AFTER clientRunning=false is committed under the mutex so a
-	// Down/Up racing with the goroutine exit never observes a half-state
-	// (chan closed but clientRunning still true).
 	defer func() {
 		s.mutex.Lock()
 		s.clientRunning = false
 		s.mutex.Unlock()
-		if giveUpChan != nil {
-			close(giveUpChan)
-		}
 	}()

 	if s.config.DisableAutoConnect {
@@ -285,15 +258,6 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profil
 	runOperation := func() error {
 		err := s.connect(ctx, profileConfig, statusRecorder, runningChan)
 		if err != nil {
-			// PermissionDenied means the daemon transitioned to NeedsLogin
-			// inside connect(). Without backoff.Permanent the outer retry
-			// re-enters connect(), which resets the state to Connecting and
-			// makes the tray flicker between NeedsLogin and Connecting until
-			// the user logs in. Stop retrying and let the state stick.
-			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
-				log.Debugf("run client connection exited with PermissionDenied, waiting for login")
-				return backoff.Permanent(err)
-			}
 			log.Debugf("run client connection exited with error: %v. Will retry in the background", err)
 			return err
 		}
@@ -305,6 +269,10 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profil
 	if err := backoff.Retry(runOperation, backOff); err != nil {
 		log.Errorf("operation failed: %v", err)
 	}
+
+	if giveUpChan != nil {
+		close(giveUpChan)
+	}
 }

 // loginAttempt attempts to login using the provided information. it returns a status in case something fails
@@ -373,7 +341,9 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	}

 	if msg.OptionalPreSharedKey != nil {
-		config.PreSharedKey = msg.OptionalPreSharedKey
+		if *msg.OptionalPreSharedKey != "" {
+			config.PreSharedKey = msg.OptionalPreSharedKey
+		}
 	}

 	if msg.CleanDNSLabels {
@@ -599,35 +569,8 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	return &proto.LoginResponse{}, nil
 }

-// WaitSSOLogin validates the supplied userCode against the in-flight OAuth
-// device/PKCE flow and blocks until the user finishes the browser leg.
-//
-// State transitions on exit:
-//
-//	┌──────────────────────────────────────────┬──────────────────────────────────┐
-//	│ Outcome                                  │ contextState                     │
-//	├──────────────────────────────────────────┼──────────────────────────────────┤
-//	│ Success → loginAttempt → Connected       │ StatusConnected (loginAttempt)   │
-//	│ Success → loginAttempt → still-NeedsLogin│ StatusNeedsLogin (loginAttempt)  │
-//	│ Success → loginAttempt error             │ StatusLoginFailed (loginAttempt) │
-//	│ UserCode mismatch                        │ StatusLoginFailed                │
-//	│ WaitToken: context.Canceled (external    │ defer runs: status untouched if  │
-//	│   abort — profile switch invokes         │   already NeedsLogin/LoginFailed,│
-//	│   actCancel/waitCancel, app quit,        │   else StatusIdle. Keeps the     │
-//	│   another WaitSSOLogin started)          │   cancel from leaking as a       │
-//	│                                          │   spurious LoginFailed on the    │
-//	│                                          │   next profile's Up.             │
-//	│ WaitToken: context.DeadlineExceeded      │ StatusNeedsLogin                 │
-//	│   (OAuth device-code window expired      │   (retryable; the UI's "Connect" │
-//	│   while waiting on the browser leg)      │   re-enters the Login flow)      │
-//	│ WaitToken: any other error               │ StatusLoginFailed                │
-//	│   (access_denied, expired_token, HTTP    │   (genuine auth/IO failure;      │
-//	│   failure, token validation rejection)   │   surfaced verbatim to caller)   │
-//	└──────────────────────────────────────────┴──────────────────────────────────┘
-//
-// The defer at the top of the function applies the Idle fallback so callers
-// that bypass the explicit Set calls (the Canceled branch above, the success
-// path before loginAttempt) still land on a sensible terminal status.
+// WaitSSOLogin uses the userCode to validate the TokenInfo and
+// waits for the user to continue with the login on a browser
 func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLoginRequest) (*proto.WaitSSOLoginResponse, error) {
 	s.mutex.Lock()
 	if s.actCancel != nil {
@@ -687,21 +630,7 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 		s.mutex.Lock()
 		s.oauthAuthFlow.expiresAt = time.Now()
 		s.mutex.Unlock()
-		switch {
-		case errors.Is(err, context.Canceled):
-			// External abort (profile switch, app quit, another
-			// WaitSSOLogin started). Not a login failure — let the
-			// top-level defer fall through to StatusIdle so the next
-			// flow starts from a clean state.
-		case errors.Is(err, context.DeadlineExceeded):
-			// OAuth device-code window expired with no user action.
-			// Retryable — leave the daemon in NeedsLogin so the UI
-			// keeps the Login affordance instead of reading as a
-			// hard failure.
-			state.Set(internal.StatusNeedsLogin)
-		default:
-			state.Set(internal.StatusLoginFailed)
-		}
+		state.Set(internal.StatusLoginFailed)
 		log.Errorf("waiting for browser login failed: %v", err)
 		return nil, err
 	}
@@ -816,9 +745,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)

 	s.mutex.Unlock()
-	if msg.GetAsync() {
-		return &proto.UpResponse{}, nil
-	}
 	return s.waitForUp(callerCtx)
 }

@@ -918,37 +844,23 @@ func (s *Server) Down(ctx context.Context, _ *proto.DownRequest) (*proto.DownRes
 		return nil, err
 	}

+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusIdle)
+
 	s.mutex.Unlock()

 	// Wait for the connectWithRetryRuns goroutine to finish with a short timeout.
 	// This prevents the goroutine from setting ErrResetConnection after Down() returns.
-	// The giveUpChan is closed by the goroutine's deferred cleanup (see
-	// connectWithRetryRuns) on every exit path. A timeout here typically
-	// means the goroutine is still wedged inside a slow teardown step.
+	// The giveUpChan is closed at the end of connectWithRetryRuns.
 	if giveUpChan != nil {
 		select {
 		case <-giveUpChan:
-			log.Debugf("client goroutine finished, giveUpChan closed")
+			log.Debugf("client goroutine finished successfully")
 		case <-time.After(5 * time.Second):
 			log.Warnf("timeout waiting for client goroutine to finish, proceeding anyway")
 		}
 	}

-	// Set Idle only after the retry goroutine has exited (or timed out).
-	// Setting it earlier races with the goroutine's own Set(StatusConnecting)
-	// at the top of each retry attempt, which would leave the snapshot
-	// stuck at Connecting long after the user asked to disconnect.
-	internal.CtxGetState(s.rootCtx).Set(internal.StatusIdle)
-
-	// Clear stale management/signal errors so the next Up() (typically for a
-	// different profile) starts with a clean status snapshot. Without this,
-	// a managementError left over from a LoginFailed cycle persists in the
-	// statusRecorder and appears in the new profile's initial
-	// SubscribeStatus snapshot, making the new profile look like it also
-	// failed to log in.
-	s.statusRecorder.MarkManagementDisconnected(nil)
-	s.statusRecorder.MarkSignalDisconnected(nil)
-
 	return &proto.DownResponse{}, nil
 }

@@ -1202,23 +1114,9 @@ func (s *Server) Status(
 		}
 	}

-	return s.buildStatusResponse(msg)
-}
-
-// buildStatusResponse composes a StatusResponse from the current daemon
-// state. Shared between the unary Status RPC and the SubscribeStatus
-// stream so both paths return identical snapshots.
-func (s *Server) buildStatusResponse(msg *proto.StatusRequest) (*proto.StatusResponse, error) {
-	state := internal.CtxGetState(s.rootCtx)
-	status, err := state.Status()
+	status, err := internal.CtxGetState(s.rootCtx).Status()
 	if err != nil {
-		// state.Status() blanks the status when err is set (e.g. management
-		// retry loop wrapped a connection error). The underlying status is
-		// still meaningful and the failure is already surfaced via
-		// FullStatus.ManagementState.Error, so don't propagate err — that
-		// would tear down the SubscribeStatus stream and cause the UI to
-		// mark the daemon as unreachable on every retry.
-		status = state.CurrentStatus()
+		return nil, err
 	}

 	if status == internal.StatusNeedsLogin && s.isSessionActive.Load() {
@@ -1229,10 +1127,6 @@ func (s *Server) buildStatusResponse(msg *proto.StatusRequest) (*proto.StatusRes

 	statusResponse := proto.StatusResponse{Status: string(status), DaemonVersion: version.NetbirdVersion()}

-	if deadline := s.statusRecorder.GetSessionExpiresAt(); !deadline.IsZero() {
-		statusResponse.SessionExpiresAt = timestamppb.New(deadline)
-	}
-
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)

@@ -1462,131 +1356,6 @@ func (s *Server) WaitJWTToken(
 	}, nil
 }

-// RequestExtendAuthSession initiates the SSO session-extension flow and
-// returns the verification URI the UI should open. The flow state is held
-// in s.extendAuthSessionFlow until WaitExtendAuthSession resolves it.
-func (s *Server) RequestExtendAuthSession(
-	ctx context.Context,
-	msg *proto.RequestExtendAuthSessionRequest,
-) (*proto.RequestExtendAuthSessionResponse, error) {
-	if ctx.Err() != nil {
-		return nil, ctx.Err()
-	}
-
-	s.mutex.Lock()
-	config := s.config
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-
-	if config == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not configured")
-	}
-	if connectClient == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not running")
-	}
-
-	hint := ""
-	if msg.Hint != nil {
-		hint = *msg.Hint
-	}
-	if hint == "" {
-		hint = profilemanager.GetLoginHint()
-	}
-
-	isDesktop := isUnixRunningDesktop()
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isDesktop, false, hint)
-	if err != nil {
-		return nil, gstatus.Errorf(codes.Internal, "failed to create OAuth flow: %v", err)
-	}
-
-	authInfo, err := oAuthFlow.RequestAuthInfo(ctx)
-	if err != nil {
-		return nil, gstatus.Errorf(codes.Internal, "failed to request auth info: %v", err)
-	}
-
-	s.extendAuthSessionFlow.Set(oAuthFlow, authInfo)
-
-	return &proto.RequestExtendAuthSessionResponse{
-		VerificationURI:         authInfo.VerificationURI,
-		VerificationURIComplete: authInfo.VerificationURIComplete,
-		UserCode:                authInfo.UserCode,
-		DeviceCode:              authInfo.DeviceCode,
-		ExpiresIn:               int64(authInfo.ExpiresIn),
-	}, nil
-}
-
-// WaitExtendAuthSession blocks until the user completes the SSO step
-// initiated by RequestExtendAuthSession, then forwards the resulting JWT
-// to the management server's ExtendAuthSession RPC. The returned deadline
-// is also applied locally via the engine so SubscribeStatus consumers see
-// the refreshed state.
-func (s *Server) WaitExtendAuthSession(
-	ctx context.Context,
-	req *proto.WaitExtendAuthSessionRequest,
-) (*proto.WaitExtendAuthSessionResponse, error) {
-	if ctx.Err() != nil {
-		return nil, ctx.Err()
-	}
-
-	oAuthFlow, authInfo, ok := s.extendAuthSessionFlow.Get()
-
-	s.mutex.Lock()
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-
-	if !ok || authInfo.DeviceCode != req.DeviceCode {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "invalid device code or no active extend-session flow")
-	}
-
-	tokenInfo, err := oAuthFlow.WaitToken(ctx, authInfo)
-	if err != nil {
-		return nil, gstatus.Errorf(codes.Internal, "failed to obtain JWT token: %v", err)
-	}
-
-	// Clear pending flow before talking to mgm so a retry can re-initiate.
-	s.extendAuthSessionFlow.Clear()
-
-	if connectClient == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not running")
-	}
-	engine := connectClient.Engine()
-	if engine == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "engine is not initialised")
-	}
-
-	deadline, err := engine.ExtendAuthSession(ctx, tokenInfo.GetTokenToUse())
-	if err != nil {
-		return nil, gstatus.Errorf(codes.Internal, "management ExtendAuthSession failed: %v", err)
-	}
-
-	resp := &proto.WaitExtendAuthSessionResponse{}
-	if !deadline.IsZero() {
-		resp.SessionExpiresAt = timestamppb.New(deadline)
-	}
-	return resp, nil
-}
-
-// DismissSessionWarning forwards the user's "Dismiss" click on the
-// T-WarningLead notification down to the engine's sessionWatcher so the
-// T-FinalWarningLead fallback is suppressed for the current deadline.
-// Best-effort: when the client/engine is not yet running the call is a
-// successful no-op (the watcher has no deadline to dismiss anyway).
-func (s *Server) DismissSessionWarning(
-	_ context.Context,
-	_ *proto.DismissSessionWarningRequest,
-) (*proto.DismissSessionWarningResponse, error) {
-	s.mutex.Lock()
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-	if connectClient == nil {
-		return &proto.DismissSessionWarningResponse{}, nil
-	}
-	if engine := connectClient.Engine(); engine != nil {
-		engine.DismissSessionWarning()
-	}
-	return &proto.DismissSessionWarningResponse{}, nil
-}
-
 // ExposeService exposes a local port via the NetBird reverse proxy.
 func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.DaemonService_ExposeServiceServer) error {
 	s.mutex.Lock()
--- a/client/server/status_stream.go
+++ b/client/server/status_stream.go
@@ -1,57 +0,0 @@
-package server
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// SubscribeStatus pushes a fresh StatusResponse on every connection state
-// change. The first message is the current snapshot, so a re-subscribing
-// client doesn't need to also call Status. Subsequent messages fire when
-// the peer recorder reports any of: connected/disconnected/connecting,
-// management or signal flip, address change, or peers list change.
-//
-// The change channel coalesces bursts to a single tick. If the consumer
-// is slow the daemon drops extras (not blocks), and the next snapshot
-// the consumer pulls already reflects everything.
-func (s *Server) SubscribeStatus(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
-	subID, ch := s.statusRecorder.SubscribeToStateChanges()
-	defer func() {
-		s.statusRecorder.UnsubscribeFromStateChanges(subID)
-		log.Debug("client unsubscribed from status updates")
-	}()
-
-	log.Debug("client subscribed to status updates")
-
-	if err := s.sendStatusSnapshot(req, stream); err != nil {
-		return err
-	}
-
-	for {
-		select {
-		case _, ok := <-ch:
-			if !ok {
-				return nil
-			}
-			if err := s.sendStatusSnapshot(req, stream); err != nil {
-				return err
-			}
-		case <-stream.Context().Done():
-			return nil
-		}
-	}
-}
-
-func (s *Server) sendStatusSnapshot(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
-	resp, err := s.buildStatusResponse(req)
-	if err != nil {
-		log.Warnf("build status snapshot for stream: %v", err)
-		return err
-	}
-	if err := stream.Send(resp); err != nil {
-		log.Warnf("send status snapshot to stream: %v", err)
-		return err
-	}
-	return nil
-}
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -55,10 +55,6 @@ type ConvertOptions struct {
 	IPsFilter            map[string]struct{}
 	ConnectionTypeFilter string
 	ProfileName          string
-	// SessionExpiresAt is the absolute UTC instant at which the peer's SSO
-	// session expires. Zero when the peer is not SSO-tracked or login
-	// expiration is disabled. Sourced from StatusResponse.SessionExpiresAt.
-	SessionExpiresAt time.Time
 }

 type PeerStateDetailOutput struct {
@@ -157,11 +153,6 @@ type OutputOverview struct {
 	LazyConnectionEnabled   bool                       `json:"lazyConnectionEnabled" yaml:"lazyConnectionEnabled"`
 	ProfileName             string                     `json:"profileName" yaml:"profileName"`
 	SSHServerState          SSHServerStateOutput       `json:"sshServer" yaml:"sshServer"`
-	// SessionExpiresAt is the absolute UTC instant at which the peer's SSO
-	// session expires. nil when the peer is not SSO-tracked or login
-	// expiration is disabled. Pointer (rather than zero-value time.Time) so
-	// JSON / YAML omit the field entirely with `,omitempty`.
-	SessionExpiresAt *time.Time `json:"sessionExpiresAt,omitempty" yaml:"sessionExpiresAt,omitempty"`
 }

 // ConvertToStatusOutputOverview converts protobuf status to the output overview.
@@ -207,10 +198,6 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 		ProfileName:             opts.ProfileName,
 		SSHServerState:          sshServerOverview,
 	}
-	if !opts.SessionExpiresAt.IsZero() {
-		t := opts.SessionExpiresAt
-		overview.SessionExpiresAt = &t
-	}

 	if opts.Anonymize {
 		anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
@@ -548,15 +535,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS

 	peersCountString := fmt.Sprintf("%d/%d Connected", o.Peers.Connected, o.Peers.Total)

-	var sessionExpiryString string
-	if o.SessionExpiresAt != nil && !o.SessionExpiresAt.IsZero() {
-		sessionExpiryString = fmt.Sprintf(
-			"Session expires: %s (in %s)\n",
-			o.SessionExpiresAt.Format(time.RFC3339),
-			FormatRemainingDuration(time.Until(*o.SessionExpiresAt)),
-		)
-	}
-
 	var forwardingRulesString string
 	if o.NumberOfForwardingRules > 0 {
 		forwardingRulesString = fmt.Sprintf("Forwarding rules: %d\n", o.NumberOfForwardingRules)
@@ -587,7 +565,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"SSH Server: %s\n"+
 			"Networks: %s\n"+
 			"%s"+
-			"%s"+
 			"Peers count: %s\n",
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
 		o.DaemonVersion,
@@ -606,7 +583,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		sshServerStatus,
 		networks,
 		forwardingRulesString,
-		sessionExpiryString,
 		peersCountString,
 	)
 	return summary
@@ -1020,57 +996,3 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *OutputOverview) {
 		overview.SSHServerState.Sessions[i].Command = a.AnonymizeString(session.Command)
 	}
 }
-
-// FormatRemainingDuration renders a time.Duration for the "Session expires"
-// line. Examples: "2h 15m", "47m 12s", "8s", "expired 3m ago".
-//
-// Granularity drops to seconds only under a minute, otherwise minutes are
-// the smallest unit shown — sub-minute precision is noise for a deadline
-// that's hours or days out.
-func FormatRemainingDuration(d time.Duration) string {
-	if d <= 0 {
-		return "expired " + HumaniseDuration(-d) + " ago"
-	}
-	return HumaniseDuration(d)
-}
-
-// HumaniseDuration renders a positive duration in compact form (e.g.
-// "2h 15m", "47m", "8s"). Exposed alongside FormatRemainingDuration so
-// callers that don't need the "expired … ago" wording can format
-// positive durations directly.
-func HumaniseDuration(d time.Duration) string {
-	if d < time.Minute {
-		s := int(d.Round(time.Second).Seconds())
-		if s < 1 {
-			s = 1
-		}
-		return fmt.Sprintf("%ds", s)
-	}
-
-	const (
-		day    = 24 * time.Hour
-		hour   = time.Hour
-		minute = time.Minute
-	)
-
-	days := int64(d / day)
-	d -= time.Duration(days) * day
-	hours := int64(d / hour)
-	d -= time.Duration(hours) * hour
-	minutes := int64(d / minute)
-
-	switch {
-	case days > 0:
-		if hours == 0 {
-			return fmt.Sprintf("%dd", days)
-		}
-		return fmt.Sprintf("%dd %dh", days, hours)
-	case hours > 0:
-		if minutes == 0 {
-			return fmt.Sprintf("%dh", hours)
-		}
-		return fmt.Sprintf("%dh %dm", hours, minutes)
-	default:
-		return fmt.Sprintf("%dm", minutes)
-	}
-}
--- a/client/status/status_test.go
+++ b/client/status/status_test.go
@@ -641,50 +641,3 @@ func TestTimeAgo(t *testing.T) {
 		})
 	}
 }
-
-func TestHumaniseDuration(t *testing.T) {
-	cases := []struct {
-		in   time.Duration
-		want string
-	}{
-		{0, "1s"},
-		{500 * time.Millisecond, "1s"},
-		{8 * time.Second, "8s"},
-		{59 * time.Second, "59s"},
-		{time.Minute, "1m"},
-		{47*time.Minute + 12*time.Second, "47m"},
-		{time.Hour, "1h"},
-		{2*time.Hour + 15*time.Minute, "2h 15m"},
-		{2 * time.Hour, "2h"},
-		{24 * time.Hour, "1d"},
-		{2*24*time.Hour + 3*time.Hour, "2d 3h"},
-	}
-	for _, tc := range cases {
-		got := HumaniseDuration(tc.in)
-		assert.Equal(t, tc.want, got, "input %s", tc.in)
-	}
-}
-
-func TestFormatRemainingDuration_Expired(t *testing.T) {
-	assert.Equal(t, "expired 3m ago", FormatRemainingDuration(-3*time.Minute))
-	assert.Equal(t, "expired 1s ago", FormatRemainingDuration(-500*time.Millisecond))
-}
-
-func TestSessionExpiresLineRendered(t *testing.T) {
-	in := overview // copy of the package-level fixture
-	deadline := time.Now().Add(2*time.Hour + 30*time.Minute).UTC()
-	in.SessionExpiresAt = &deadline
-
-	out := in.GeneralSummary(false, false, false, false)
-	assert.Contains(t, out, "Session expires: ")
-	assert.Contains(t, out, deadline.Format(time.RFC3339))
-	// 2h 30m drifts to "2h 29m" within 60s — match the family prefix.
-	assert.Contains(t, out, "(in 2h ")
-}
-
-func TestSessionExpiresLineOmittedWhenNil(t *testing.T) {
-	in := overview
-	in.SessionExpiresAt = nil
-	out := in.GeneralSummary(false, false, false, false)
-	assert.NotContains(t, out, "Session expires")
-}
--- a/client/ui/.gitignore
+++ b/client/ui/.gitignore
@@ -1,8 +0,0 @@
-.task
-bin
-frontend/dist
-frontend/node_modules
-frontend/bindings
-frontend/.vite
-build/linux/appimage/build
-build/windows/nsis/MicrosoftEdgeWebview2Setup.exe
--- a/client/ui/CLAUDE.md
+++ b/client/ui/CLAUDE.md
@@ -1,152 +0,0 @@
-# NetBird Wails UI — Working Notes
-
-This is the Wails v3 desktop UI for NetBird. Go services live in `services/`; the React/TS frontend lives in `frontend/`; bindings between them are generated under `frontend/bindings/`.
-
-> **Keep these notes current.** When working in this directory with Claude, update this file (and `frontend/CLAUDE.md` for frontend-only changes) whenever you add a service, change an event name, shift a convention, rename a key directory, or land any other change that future-you would want to know about before reading the code. The goal is that a cold-start agent can orient itself from these notes without re-deriving the codebase.
-
-## Layout
-
-### Go (top-level package `main`)
- `main.go` — app entry. Builds the shared gRPC `Conn`, constructs services, registers them with Wails, creates the main webview window, then starts (in order) the Linux SNI watcher → tray → `peers.Watch` → `app.Run`. CLI flags: `--daemon-addr`, `--log-file` (repeatable; first user-provided value drops the seeded `console` default), `--log-level` (`trace|debug|info|warn|error`, default `info`).
- `tray.go` — `Tray` struct + menu. Subscribes to `EventStatus`, `EventSystem`, `EventUpdateAvailable`, `EventUpdateProgress`. Owns per-status icon/dot, Profiles submenu, Connect/Disconnect swap, About → Update, session-expired toast.
- `tray_linux.go` — `init()` sets `WEBKIT_DISABLE_DMABUF_RENDERER=1` to avoid the blank-white window on VMs / minimal WMs.
- `tray_watcher_linux.go`, `xembed_host_linux.go`, `xembed_tray_linux.{c,h}` — in-process SNI watcher + XEmbed bridge for minimal WMs. See `LINUX-TRAY.md`.
- `signal_unix.go` / `signal_windows.go` — `listenForShowSignal`. Unix uses SIGUSR1; Windows uses a named event `Global\NetBirdQuickActionsTriggerEvent`. Mirrors the legacy Fyne UI's external-trigger contract so the installer / CLI keep working.
- `grpc.go` — lazy, mutex-protected gRPC `Conn` shared by every service. `DaemonAddr()`: `unix:///var/run/netbird.sock` on Linux/macOS, `tcp://127.0.0.1:41731` on Windows.
- `icons.go` — `//go:embed` tray/window PNGs. macOS uses template variants (`*-macos.png`); Linux ships light + dark PNGs; Windows reuses the light PNG (multi-frame `.ico` never redrew on Wails3's `NIM_MODIFY`).
-
-### Wails services (`services/*.go`)
-Each service is registered via `app.RegisterService(application.NewService(svc))`. Every method becomes a TS function in `frontend/bindings/.../services/`. Frontend-facing details (TS signatures, push events, models) are in `frontend/WAILS-API.md`. After editing any `services/*.go` or the proto, regenerate with `wails3 generate bindings -clean=true -ts` (or `pnpm bindings` from `frontend/`). `frontend/bindings/**` is gitignored.
-
-For frontend-side conventions (routing, providers, contexts) see `frontend/CLAUDE.md`.
-
-## Services rundown
-
-All services live in `services/` and assume a build tag `!android && !ios && !freebsd && !js`. Each takes a shared `DaemonConn` (`conn.go`) and is registered in `main.go`.
-
-| Service | File | Responsibility |
-|---|---|---|
-| `Connection` | `connection.go` | `Login` / `WaitSSOLogin` / `Up` / `Down` / `Logout` / `OpenURL`. `Up` is always async (`Async: true`); status flows back through `Peers`. `Login` Down-resets the daemon first to dislodge a stale WaitSSOLogin. `OpenURL` honors `$BROWSER`. |
-| `Settings` | `settings.go` | `GetConfig` / `SetConfig` (partial update — pointer fields are sent, nil fields preserved) / `GetFeatures` (operator-disabled UI surfaces). |
-| `Profiles` | `profile.go` | `Username` / `List` / `GetActive` / `Switch` / `Add` / `Remove`. `List` populates `Email` from the **user-side** state file (`profilemanager.NewProfileManager().GetProfileState`) — the daemon runs as root and can't read it. |
-| `ProfileSwitcher` | `profileswitcher.go` | `SwitchActive` — the single entry point both tray and frontend should use for profile flips. Applies the reconnect policy (see "Profile switching" below), mirrors the daemon switch into the user-side `profilemanager`, drives optimistic feedback via `Peers.BeginProfileSwitch`. |
-| `Peers` | `peers.go` | Daemon status snapshot + two long-running streams (`SubscribeStatus` → `EventStatus`, `SubscribeEvents` → `EventSystem`). Emits synthetic `StatusDaemonUnavailable` when the socket is unreachable. Owns the profile-switch suppression filter (`BeginProfileSwitch` / `CancelProfileSwitch` / `shouldSuppress`). Fan-outs update metadata into dedicated `EventUpdateAvailable` / `EventUpdateProgress` events. |
-| `Networks` | `network.go` | `List` / `Select` / `Deselect` of routed networks. |
-| `Forwarding` | `forwarding.go` | `List` exposed/forwarded services from the daemon's reverse-proxy table. |
-| `Debug` | `debug.go` | `Bundle` (debug bundle creation + optional upload) / `Get|SetLogLevel` / `RevealFile` (cross-platform "show in file manager"). |
-| `Update` | `update.go` | `GetState` / `Trigger` (enforced installer) / `GetInstallerResult` / `Quit`. The install-progress UI lives in its own auxiliary window (`/#/install-progress`), opened by `WindowManager.OpenInstallProgress` — the daemon goes unreachable mid-install so it can't be inside the main window. |
-| `WindowManager` | `windowmanager.go` | `OpenSettings(tab)` / `OpenBrowserLogin(uri)` / `CloseBrowserLogin` / `OpenSessionExpired` / `OpenSessionAboutToExpire(seconds)` / `OpenInstallProgress(version)` / `CloseInstallProgress`. `OpenSettings("")` opens the General tab; pass a tab id (e.g. `"profiles"`) to deep-link, encoded as `?tab=…` in the start URL. `OpenInstallProgress` is `AlwaysOnTop` and hides every other visible window for the duration of the install (restored on close). Auxiliary windows are created on first open and **destroyed** on close (Wails-recommended singleton pattern; prevents the macOS dock-reopen from resurrecting hidden windows). |
-| `I18n` | `i18n.go` | Thin facade over `i18n.Bundle`. `Languages()` returns the shipped locales (`_index.json`); `Bundle(code)` returns the full key→text map for one language so the React layer can drive its own translation library. |
-| `Preferences` | `preferences.go` | Thin facade over `preferences.Store`. `Get()` returns `{language}`; `SetLanguage(code)` validates against `i18n.Bundle.HasLanguage`, persists, and broadcasts `netbird:preferences:changed`. |
-
-`DaemonConn` is defined in `services/conn.go`; `ptrStr` (string-to-*string helper for proto pointer fields) lives there too.
-
-## Daemon proto
- Proto source: `../proto/daemon.proto`. Generated Go in `../proto/*.pb.go`.
- Regen: `cd ../proto && protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative daemon.proto`
- Pinned versions (see `daemon.pb.go` header): `protoc v7.34.1`, `protoc-gen-go v1.36.6`. CI's `proto-version-check` workflow fails on mismatch.
- After proto regen, also regen Wails bindings so the TS layer picks up new fields.
-
-## Events bus
-
-`main.go` registers five typed events for the frontend: `netbird:status` (`Status`), `netbird:event` (`SystemEvent`), `netbird:profile:changed` (`ProfileRef`), `netbird:update:available` (`UpdateAvailable`), `netbird:update:progress` (`UpdateProgress`). `netbird:profile:changed` fires from `ProfileSwitcher.SwitchActive` after a successful daemon-side switch — both the React `ProfileContext` and the tray subscribe so a flip driven from one surface paints in the others (the daemon itself does not emit a profile event). Plus three plain-string events:
-
- `EventTriggerLogin = "trigger-login"` — tray asking the frontend's `startLogin()` to begin an SSO flow. The tray does **not** show the main window when emitting — the hidden webview is alive and subscribed, so `startLogin` runs and the only visible surface is the BrowserLogin popup it opens.
- `EventBrowserLoginCancel = "browser-login:cancel"` — the `BrowserLogin` window's Cancel button or red-X close. `startLogin()` listens and tears down the daemon's pending `WaitSSOLogin`.
- `preferences.EventPreferencesChanged = "netbird:preferences:changed"` — emitted after every successful `SetLanguage` (payload `{language}`). Both the tray menu rebuild and the React `i18next.changeLanguage` subscribe so a flip from any window paints everywhere.
-
-Daemon connection status strings (`services/peers.go`) mirror `internal.Status*` in `client/internal/state.go`: `Connected`, `Connecting`, `Idle`, `NeedsLogin`, `LoginFailed`, `SessionExpired`, plus the synthetic `DaemonUnavailable` emitted by `Peers` when the socket is unreachable.
-
-## Profile switching
-
-`services/profileswitcher.go` is the single source of truth for the reconnect policy. Both the tray (`tray.go switchProfile`) and the frontend (via `modules/profile/ProfileContext.tsx`'s `switchProfile`, which `modules/settings/SettingsProfiles.tsx` and the header `ProfileDropdown` go through) call `ProfileSwitcher.SwitchActive`; identical inputs give identical state transitions.
-
-Reconnect policy (driven by `prevStatus` from `Peers.Get`):
-
-| Previous status | Action | Optimistic UI | Suppressed events until new flow begins |
-|---|---|---|---|
-| Connected | Switch + Down + Up | Connecting (synthetic) | Connected, Idle |
-| Connecting | Switch + Down + Up | Connecting (unchanged) | Connected, Idle |
-| NeedsLogin / LoginFailed / SessionExpired | Switch + Down | (no change) | — |
-| Idle | Switch only | (no change) | — |
-
-Only Connected/Connecting trigger `Peers.BeginProfileSwitch`. That:
-1. Sets a 30s `switchInProgress` guard.
-2. Emits a synthetic `Status{Status: StatusConnecting}` so both tray and React paint immediately.
-3. Tells `statusStreamLoop` to drop the daemon's stale Connected updates (peer count drops as the engine tears down) and the transient Idle in between Down and the new Up.
-
-`shouldSuppress` releases the guard as soon as a status that signals the new flow began arrives:
- **Suppressed**: Connected, Idle
- **Pass through and clear**: Connecting / NeedsLogin / LoginFailed / SessionExpired / DaemonUnavailable
- **Timeout fallback**: 30s elapsed → clear flag, emit normally.
-
-`Peers.CancelProfileSwitch` aborts the suppression — called by `tray.go handleDisconnect` so the user's "Disconnect while Connecting" click paints through immediately.
-
-Also: `ProfileSwitcher.SwitchActive` mirrors the daemon switch into the user-side `profilemanager` (`~/Library/Application Support/netbird/active_profile`). The CLI's `netbird up` reads this file and sends the resolved profile name back; if it diverges from the daemon's `/var/lib/netbird/active_profile.json`, the daemon silently flips back. Mirror failures don't abort the switch — surfaced as a warning.
-
-## Auxiliary windows (`WindowManager`)
-
-The main window is created up front in `main.go`. Auxiliary windows are created on demand by `services.WindowManager`:
-
- **Settings** (`/#/settings`) — opened from the header gear icon (`layouts/Header.tsx → WindowManager.OpenSettings("")`), the tray's Settings menu entry (`tray.go openSettings`), and the profile dropdown's "Manage Profiles" entry (`WindowManager.OpenSettings("profiles")`, which sets `?tab=profiles` in the start URL — `Settings.tsx` reads it via `useSearchParams`). The window hosts every settings tab — including **Profiles** (`SettingsProfiles.tsx`, `UserCircle` icon, sits between Security and SSH), which lists profiles in a table with Deregister/Delete in a per-row kebab and an Add Profile button. Both call sites go through `WindowManager` so the user sees the same dedicated frameless window from either trigger — the tray used to repurpose the main window via `SetURL("/#/settings")`, which replaced the main UI in place. Frameless-look (opaque macOS backdrop, hidden inset title bar), fixed 900×640, no resize, no minimise/maximise.
- **BrowserLogin** (`/#/browser-login?uri=…`) — opened by the connection toggle's SSO flow (`layouts/ConnectionStatusSwitch.tsx`). 460×440, fixed size. The close button (red X) fires `EventBrowserLoginCancel` so the JS-side `startLogin()` can tear down the daemon's pending `WaitSSOLogin`. `WindowManager.CloseBrowserLogin` closes it programmatically when the flow completes.
- **SessionExpired** (`/#/session-expired`) and **SessionAboutToExpire** (`/#/session-about-to-expire?seconds=<n>`) — opened by `WindowManager.OpenSessionExpired` / `OpenSessionAboutToExpire(seconds)`. 460×380, fixed size, `AlwaysOnTop: true` (the user can't miss them). The React-side buttons close the window via `WindowManager.CloseSession*` and (for Sign-in / Stay-connected) emit `EventTriggerLogin` so the main window's `startLogin()` orchestrator handles the SSO flow. Currently triggered only by the DEV-only "Development" Settings tab; daemon-status integration is a follow-up.
- **InstallProgress** (`/#/install-progress?version=<v>`) — opened by `WindowManager.OpenInstallProgress(version)` from `ClientVersionContext` (force-install branch on `installing` flip, user-driven enforced branch from `triggerUpdate`). 360-wide auto-sized via `useAutoSizeWindow`, `AlwaysOnTop`. Owns its own polling loop against `Update.GetInstallerResult` with the 5-second daemon-down-grace (sustained gRPC failure = success → call `Update.Quit()`). Hides every other visible window on open (restored on close). The DEV-only "Development" tab has a "Show updating dialog" button that opens this window directly for preview.
-
-All five auxiliary windows are **destroyed** on close (mutex-guarded singleton; `closing` hook nils the field). Destroying rather than hiding is deliberate — Wails' macOS dock-reopen handler resurrects hidden windows, which we don't want for auxiliaries.
-
-The main window is **hidden** on close (the `WindowClosing` hook calls `e.Cancel(); window.Hide()`). The user reaches "really quit" through the tray → Quit menu entry.
-
-## Localisation (i18n)
-
-The locale tree under `frontend/src/i18n/locales/` is the single source of truth for both Go (tray, OS notifications) and React (every user-facing string). Layout: `_index.json` lists shipped languages (`code` / `displayName` / `englishName`); `<code>/common.json` per language. `en/common.json` must exist (the `Bundle` loader hard-fails without it); languages listed in `_index.json` without a bundle are skipped with a warning. Placeholders are single-braced (`"Install version {version}"`) — Go substitutes via `Bundle.Translate(lang, key, "name", value, ...)`; React uses i18next with `interpolation: { prefix: "{", suffix: "}" }`.
-
-Adding a language: drop a `<code>/common.json`, append a row to `_index.json`, add the static import in `frontend/src/i18n/index.ts`, rebuild. Embed lives in `client/ui/main.go`'s `embed.FS`.
-
-Package layout:
- `client/ui/i18n/` — pure `LanguageCode` / `Language` / `Bundle` loader. No Wails / no daemon. Reads the tree from an `fs.FS` passed in by `main.go`.
- `client/ui/preferences/` — `Store` persists `UIPreferences{language}` to `os.UserConfigDir()/netbird/ui-preferences.json` (per-OS-user, shared across daemon profiles). Validates against an injected `LanguageValidator` (`*i18n.Bundle`). No file → in-memory default `en`, persisted on first `SetLanguage`. Broadcasts via in-process pub/sub + optional Wails event emitter.
- `services/i18n.go` + `services/preferences.go` — Wails facades. Preferences emits `netbird:preferences:changed` (payload `{language}`) on every `SetLanguage`.
-
-Key conventions: `tray.*` / `notify.*` (Go-side), `common.* / connect.* / nav.* / profile.* / settings.* / update.* / browserLogin.* / sessionExpired.* / peers.*` (frontend). Keep keys stable — renames cascade everywhere.
-
-## Linux tray support
-
-The in-process `StatusNotifierWatcher` + XEmbed host that lets the tray work on minimal WMs is detailed in `LINUX-TRAY.md` (sibling). Touch that doc when modifying `tray_watcher_linux.go` / `xembed_host_linux.go` / `xembed_tray_linux.{c,h}`.
-
-## Wails Dialogs (frontend, `@wailsio/runtime`)
-
-API surface — `Dialogs.Info` / `Warning` / `Error` / `Question` / `OpenFile` / `SaveFile`, options shape, per-OS behaviour, and the Go-side frameless-window pattern — lives in `WAILS-DIALOGS.md` (sibling). The conventions for **when** to use a native dialog vs inline UI are in the "Conventions" section below.
-
-## Conventions in this codebase
-
-### Errors → native dialogs
-
-User-actionable operation failures (config save, profile switch, debug bundle, update, etc.) surface via `Dialogs.Error` with an action-named title — "Save Settings Failed", "Switch Profile Failed", not "Error" / "Something went wrong". The dialog itself already says "Error" visually.
-
-Confirmations use `Dialogs.Warning` with explicit `Buttons`. The promise resolves with the **button Label string**, not an index — pin the label into a variable before comparing (especially with i18n, where labels translate). Full API in `WAILS-DIALOGS.md`.
-
-**Skip native dialogs** for: inline form validation (`Input.tsx`, URL-format checks — too heavy for keystroke feedback); transient link errors on the dashboard (flap in/out with daemon — use an inline indicator); "partial success" notes inside an otherwise-OK flow (e.g. "bundle saved but upload failed" stays inline). The install-progress window owns its own error UI in-place (timeout/canceled/failed phases) — no native dialog needed there.
-
-### OS notifications
-
-The tray uses Wails' built-in `notifications` service. One `notifications.NotificationService` is created in `main.go` and passed into `TrayServices.Notifier`. Notification IDs are prefixed for coalescing: `netbird-update-<version>`, `netbird-event-<id>`, `netbird-tray-error`, `netbird-session-expired`. Notifications are gated by the user's "Notifications" toggle (cached in `Tray.notificationsEnabled`, seeded from `Settings.GetConfig` at boot). `Severity == "critical"` events bypass the gate, mirroring the legacy Fyne `event.Manager`.
-
-### Profile switching invariants
-
-`ProfileSwitcher.SwitchActive` is the only switch path on the TS side — `ProfileContext.switchProfile` is the single TS wrapper, and `modules/settings/SettingsProfiles.tsx` + the header `ProfileDropdown` both go through it. The Go side captures `prevStatus`, drives the optimistic-Connecting paint via `Peers.BeginProfileSwitch`, mirrors into the user-side `profilemanager`, and conditionally fires Down/Up per the reconnect-policy table above.
-
-**Never call `Connection.Up` on an Idle/NeedsLogin daemon** — the daemon's internal 50s `waitForUp` blocks until `DeadlineExceeded`. `Connection.Up` from the frontend is reserved for the explicit Connect button (`ConnectionStatusSwitch.connect`) and the post-SSO resume inside `startLogin`; the gating for profile-switch reconnects lives Go-side in `ProfileSwitcher.SwitchActive`.
-
-## Build / dev tasks
-
-`task dev` (Wails dev, live reload), `task build` (prod build for the current OS, dispatches to `build/{darwin,linux,windows}/Taskfile.yml`), `task build:server` / `run:server` / `build:docker` / `run:docker` (server-mode variants in `build/Taskfile.yml`). **No** `task generate:bindings` alias — run `wails3 generate bindings -clean=true -ts` directly from this directory. CLI flags + log-target semantics are documented in the `main.go` bullet under "Layout".
-
-## Useful references
- `WAILS-DIALOGS.md` (sibling) — full `@wailsio/runtime` `Dialogs` API + per-OS behaviour + frameless-window pattern.
- `LINUX-TRAY.md` (sibling) — StatusNotifierWatcher + XEmbed host details.
- `frontend/WAILS-API.md` — frontend-facing binding signatures and model shapes.
- Wails v3 dialog docs: https://v3.wails.io/features/dialogs/message/ and https://v3.wails.io/features/dialogs/custom/ (may 403 from some clients).
- Wails v3 multiple-windows guidance: https://v3.wails.io/learn/multiple-windows/
- Authoritative TS signatures: `frontend/node_modules/@wailsio/runtime/types/dialogs.d.ts`.
- Wails examples: https://github.com/wailsapp/wails/tree/master/v3/examples/dialogs
--- a/client/ui/LINUX-TRAY.md
+++ b/client/ui/LINUX-TRAY.md
@@ -1,8 +0,0 @@
-# Linux tray support (StatusNotifierWatcher + XEmbed)
-
-Minimal WMs (Fluxbox, OpenBox, i3, dwm, vanilla GNOME without the AppIndicator extension) don't ship a `StatusNotifierWatcher`, so tray icons using libayatana-appindicator / freedesktop StatusNotifier silently fail. `main.go` calls `startStatusNotifierWatcher()` *before* `NewTray` so the Wails systray's `RegisterStatusNotifierItem` call hits the in-process watcher we control.
-
- `tray_watcher_linux.go` — owns `org.kde.StatusNotifierWatcher` on the session bus if no other process has it. Safe to call unconditionally.
- `xembed_host_linux.go` + `xembed_tray_linux.{c,h}` — when an XEmbed tray (`_NET_SYSTEM_TRAY_S0`) is available, also start an in-process XEmbed host that bridges the SNI icon into the XEmbed tray. Reads `IconPixmap` over D-Bus, draws via cairo+X11, polls for clicks, fetches `com.canonical.dbusmenu.GetLayout` for the popup menu, fires `com.canonical.dbusmenu.Event` on click.
-
-Build is gated on `linux && !386`; the 386 build (no cgo) and non-Linux builds use the `tray_watcher_other.go` no-op.
--- a/client/ui/Netbird.icns
+++ b/client/ui/Netbird.icns
--- a/client/ui/README.md
+++ b/client/ui/README.md
@@ -1,100 +0,0 @@
-# NetBird desktop UI (Wails3 + React)
-
-Replaces `client/ui` (Fyne). One binary on Windows / macOS / Linux,
-talks to the NetBird daemon over gRPC, renders a React frontend in a
-WebView.
-
-## Prerequisites
-
- Go ≥ 1.25, Node ≥ 20, **pnpm** (`corepack enable && corepack prepare pnpm@latest --activate`)
- `wails3` CLI: `go install github.com/wailsapp/wails/v3/cmd/wails3@latest`
- `task`: `go install github.com/go-task/task/v3/cmd/task@latest`
- A running NetBird daemon (default: `unix:///var/run/netbird.sock`,
-  Windows `tcp://127.0.0.1:41731`)
- Linux only: `libwebkit2gtk-4.1-dev`, `libgtk-3-dev`,
-  `libayatana-appindicator3-dev`
-
-## Develop without rebuilding
-
-```bash
-cd client/ui
-task dev
-```
-
-`task dev` runs Vite (port 9245) + the Go binary + a `*.go` watcher.
-Frontend edits hot-reload instantly. Go edits trigger a rebuild and
-relaunch. Pass daemon flags after `--`:
-
-```bash
-task dev -- --daemon-addr=tcp://127.0.0.1:41731
-```
-
-For pure UI work (no native window, fastest loop):
-
-```bash
-cd frontend && pnpm dev
-```
-
-## Production build
-
-```bash
-task build
-```
-
-Output in `bin/`. Frontend assets are embedded into the binary.
-
-### Cross-compile Windows from Linux
-
-Install the mingw-w64 toolchain once:
-
-```bash
-sudo apt install gcc-mingw-w64-x86-64           # Debian/Ubuntu
-sudo dnf install mingw64-gcc                    # Fedora
-sudo pacman -S mingw-w64-gcc                    # Arch
-```
-
-Then:
-
-```bash
-CGO_ENABLED=1 task windows:build
-```
-
-Produces `bin/netbird-ui.exe`. macOS cross-compile from Linux is not
-supported (signing and notarization need a real Mac).
-
-### Windows console build (logs in the terminal)
-
-Default `windows:build` links the binary as a Windows GUI app, which
-detaches from the launching console — `logrus` output, `fmt.Println`,
-and panics go nowhere visible. To debug tray/event/daemon issues:
-
-```bash
-CGO_ENABLED=1 task windows:build:console
-```
-
-Produces `bin/netbird-ui-console.exe`. Run it from `cmd.exe` /
-PowerShell / Windows Terminal and stdout/stderr land in that
-terminal. Same flag works on a native Windows build (drop the
-`CGO_ENABLED=1` if your toolchain already has it set).
-
-## Regenerating bindings
-
-When a Go service signature changes:
-
-```bash
-wails3 generate bindings
-```
-
-`task dev` does this automatically on `*.go` save.
-
-## Tray icons
-
-Source SVGs live in `assets/svg/` (state.svg + state-macos.svg). After editing
-any SVG, rasterize to the PNGs the Go side embeds:
-
-```bash
-task common:generate:tray:icons
-```
-
-Requires Inkscape. Commit the resulting `assets/*.png` files alongside the
-SVG change so CI doesn't need Inkscape installed.
--- a/client/ui/Taskfile.yml
+++ b/client/ui/Taskfile.yml
@@ -1,58 +0,0 @@
-version: '3'
-
-includes:
-  common: ./build/Taskfile.yml
-  windows: ./build/windows/Taskfile.yml
-  darwin: ./build/darwin/Taskfile.yml
-  linux: ./build/linux/Taskfile.yml
-
-vars:
-  APP_NAME: "netbird-ui"
-  BIN_DIR: "bin"
-  VITE_PORT: '{{.WAILS_VITE_PORT | default 9245}}'
-
-tasks:
-  build:
-    summary: Builds the application
-    cmds:
-      - task: "{{OS}}:build"
-
-  package:
-    summary: Packages a production build of the application
-    cmds:
-      - task: "{{OS}}:package"
-
-  run:
-    summary: Runs the application
-    cmds:
-      - task: "{{OS}}:run"
-
-  dev:
-    summary: Runs the application in development mode
-    cmds:
-      - wails3 dev -config ./build/config.yml -port {{.VITE_PORT}}
-
-  setup:docker:
-    summary: Builds Docker image for cross-compilation (~800MB download)
-    cmds:
-      - task: common:setup:docker
-
-  build:server:
-    summary: Builds the application in server mode (no GUI, HTTP server only)
-    cmds:
-      - task: common:build:server
-
-  run:server:
-    summary: Runs the application in server mode
-    cmds:
-      - task: common:run:server
-
-  build:docker:
-    summary: Builds a Docker image for server mode deployment
-    cmds:
-      - task: common:build:docker
-
-  run:docker:
-    summary: Builds and runs the Docker image
-    cmds:
-      - task: common:run:docker
--- a/client/ui/WAILS-DIALOGS.md
+++ b/client/ui/WAILS-DIALOGS.md
@@ -1,56 +0,0 @@
-# Wails Dialogs (frontend, `@wailsio/runtime`)
-
-The frontend dialog API lives in `@wailsio/runtime` as `Dialogs`. Authoritative signatures are in
-`frontend/node_modules/@wailsio/runtime/types/dialogs.d.ts`.
-
-See `CLAUDE.md` for project conventions on *when* to use these (errors vs. inline validation, confirmation flow, etc.).
-
-## Message dialogs
-
-```ts
-import { Dialogs } from "@wailsio/runtime";
-
-await Dialogs.Info({ Title, Message, Buttons?, Detached? });
-await Dialogs.Warning({ Title, Message, Buttons?, Detached? });
-await Dialogs.Error({ Title, Message, Buttons?, Detached? });
-await Dialogs.Question({ Title, Message, Buttons?, Detached? });
-```
-
-All four return `Promise<string>` resolving to the **Label** of the button the user clicked. With no `Buttons` provided you get a single OK button — the promise just resolves when the user dismisses.
-
-`MessageDialogOptions` fields:
- `Title?: string` — window title (short).
- `Message?: string` — the body text.
- `Buttons?: Button[]` — custom buttons. Each `Button` is `{ Label?, IsCancel?, IsDefault? }`. `IsCancel` is what Esc/⌘. triggers; `IsDefault` is what Enter triggers.
- `Detached?: boolean` — when `true`, the dialog isn't tied to the parent window (no sheet behavior on macOS).
-
-## File dialogs
-
-`Dialogs.OpenFile(options)` and `Dialogs.SaveFile(options)` — see `dialogs.d.ts` for the full `OpenFileDialogOptions` / `SaveFileDialogOptions` field set (filters, ButtonText, multi-select, hidden files, alias resolution, directory mode, etc).
-
-## Per-OS behavior
-
-| Platform | Behavior |
-|---|---|
-| **macOS** | Sheet-style when attached to a parent window. Up to ~4 custom buttons render naturally. Keyboard: Enter = default, ⌘. or Esc = cancel. Follows system theme. Accessibility is built-in. |
-| **Windows** | Modal `TaskDialog`-style. Standard button labels are nudged toward OS conventions. Keyboard: Enter = default, Esc = cancel. Follows system theme. |
-| **Linux** | GTK dialogs — appearance varies by desktop environment (GNOME/KDE). Follows desktop theme. Standard keyboard nav. |
-
-Behavioural notes that affect us:
- The promise resolves with the **button label string**, not an index. Compare against the literal `Label` you passed (e.g. `if (result !== "Delete") return;`).
- `Buttons[]` on Linux/Windows uses the labels you supply, but the OS layout/styling is fixed.
- `Dialogs.Error` plays the platform error sound and uses the platform error icon. Don't use it for confirmations — use `Dialogs.Warning` or `Dialogs.Question`.
- Don't fire dialogs in a tight loop or from every keystroke — they interrupt focus and (on macOS) animate in/out. Debounce or guard with a `busy` flag.
-
-## Frameless / custom-window dialogs (Go side)
-
-When the native dialog API isn't enough — rich content, embedded webview, multi-screen flow — open a regular Wails window. This is done on the **Go side** via `app.Window.NewWithOptions(application.WebviewWindowOptions{...})`. Useful options:
- `Parent` — attach to a parent so OS treats it as a child.
- `AlwaysOnTop: true` — float above the parent.
- `Frameless: true` — no titlebar/chrome.
- `Resizable: false` (also `DisableResize: true` in v3) — fixed-size dialog feel.
- `Hidden: true` initially, then `dialog.Show()` + `dialog.SetFocus()`.
-
-We **do** use this pattern, but pragmatically: `WindowManager.OpenSettings` and `OpenBrowserLogin` are regular small webview windows (not modal sheets) with no resize, hidden minimise/maximise buttons, and a translucent macOS title bar. They're not classic "OS modal dialogs"; they're just lightweight ancillary windows that look the part. Modal behaviour (`parent.SetEnabled(false)`) is intentionally not used — the user can still click back to the main window.
-
-In-app modals (`NewProfileDialog`, delete-profile confirmation, etc.) are Radix `Dialog` primitives inside the main webview. Reach for a custom OS window only when content must escape the main window (BrowserLogin is the canonical example — its lifecycle is tied to the SSO wait) or when the window needs its own taskbar entry / dock icon.
--- a/client/ui/assets/connected.png
+++ b/client/ui/assets/connected.png
--- a/client/ui/assets/disconnected.png
+++ b/client/ui/assets/disconnected.png
--- a/client/ui/assets/netbird-disconnected.ico
+++ b/client/ui/assets/netbird-disconnected.ico
--- a/client/ui/assets/netbird-disconnected.png
+++ b/client/ui/assets/netbird-disconnected.png
--- a/client/ui/assets/netbird-menu-16.png
+++ b/client/ui/assets/netbird-menu-16.png
--- a/client/ui/assets/netbird-menu-24.png
+++ b/client/ui/assets/netbird-menu-24.png
--- a/client/ui/assets/netbird-menu-dot-connected-16.png
+++ b/client/ui/assets/netbird-menu-dot-connected-16.png
--- a/client/ui/assets/netbird-menu-dot-connected-22.png
+++ b/client/ui/assets/netbird-menu-dot-connected-22.png
--- a/client/ui/assets/netbird-menu-dot-connected.png
+++ b/client/ui/assets/netbird-menu-dot-connected.png
--- a/client/ui/assets/netbird-menu-dot-connecting-16.png
+++ b/client/ui/assets/netbird-menu-dot-connecting-16.png
--- a/client/ui/assets/netbird-menu-dot-connecting-22.png
+++ b/client/ui/assets/netbird-menu-dot-connecting-22.png
--- a/client/ui/assets/netbird-menu-dot-connecting.png
+++ b/client/ui/assets/netbird-menu-dot-connecting.png
--- a/client/ui/assets/netbird-menu-dot-error-16.png
+++ b/client/ui/assets/netbird-menu-dot-error-16.png
--- a/client/ui/assets/netbird-menu-dot-error-22.png
+++ b/client/ui/assets/netbird-menu-dot-error-22.png
--- a/client/ui/assets/netbird-menu-dot-error.png
+++ b/client/ui/assets/netbird-menu-dot-error.png
--- a/client/ui/assets/netbird-menu-dot-idle-16.png
+++ b/client/ui/assets/netbird-menu-dot-idle-16.png
--- a/client/ui/assets/netbird-menu-dot-idle-22.png
+++ b/client/ui/assets/netbird-menu-dot-idle-22.png
--- a/client/ui/assets/netbird-menu-dot-idle.png
+++ b/client/ui/assets/netbird-menu-dot-idle.png
--- a/client/ui/assets/netbird-menu-dot-login-16.png
+++ b/client/ui/assets/netbird-menu-dot-login-16.png
--- a/client/ui/assets/netbird-menu-dot-login-22.png
+++ b/client/ui/assets/netbird-menu-dot-login-22.png
--- a/client/ui/assets/netbird-menu-dot-login.png
+++ b/client/ui/assets/netbird-menu-dot-login.png
--- a/client/ui/assets/netbird-menu-dot-offline-16.png
+++ b/client/ui/assets/netbird-menu-dot-offline-16.png
--- a/client/ui/assets/netbird-menu-dot-offline-22.png
+++ b/client/ui/assets/netbird-menu-dot-offline-22.png
--- a/client/ui/assets/netbird-menu-dot-offline.png
+++ b/client/ui/assets/netbird-menu-dot-offline.png
--- a/client/ui/assets/netbird-systemtray-connected-dark.ico
+++ b/client/ui/assets/netbird-systemtray-connected-dark.ico
--- a/client/ui/assets/netbird-systemtray-connected-macos.png
+++ b/client/ui/assets/netbird-systemtray-connected-macos.png
--- a/client/ui/assets/netbird-systemtray-connected.ico
+++ b/client/ui/assets/netbird-systemtray-connected.ico
--- a/client/ui/assets/netbird-systemtray-connecting-dark.ico
+++ b/client/ui/assets/netbird-systemtray-connecting-dark.ico
--- a/client/ui/assets/netbird-systemtray-connecting-macos.png
+++ b/client/ui/assets/netbird-systemtray-connecting-macos.png
--- a/client/ui/assets/netbird-systemtray-connecting.ico
+++ b/client/ui/assets/netbird-systemtray-connecting.ico
--- a/client/ui/assets/netbird-systemtray-disconnected-macos.png
+++ b/client/ui/assets/netbird-systemtray-disconnected-macos.png
--- a/client/ui/assets/netbird-systemtray-disconnected.ico
+++ b/client/ui/assets/netbird-systemtray-disconnected.ico
--- a/client/ui/assets/netbird-systemtray-error-dark.ico
+++ b/client/ui/assets/netbird-systemtray-error-dark.ico
--- a/client/ui/assets/netbird-systemtray-error-macos.png
+++ b/client/ui/assets/netbird-systemtray-error-macos.png
--- a/client/ui/assets/netbird-systemtray-error.ico
+++ b/client/ui/assets/netbird-systemtray-error.ico
--- a/client/ui/assets/netbird-systemtray-needs-login-macos.png
+++ b/client/ui/assets/netbird-systemtray-needs-login-macos.png
--- a/client/ui/assets/netbird-systemtray-needs-login.png
+++ b/client/ui/assets/netbird-systemtray-needs-login.png
--- a/client/ui/assets/netbird-systemtray-update-connected-dark.ico
+++ b/client/ui/assets/netbird-systemtray-update-connected-dark.ico
--- a/client/ui/assets/netbird-systemtray-update-connected-macos.png
+++ b/client/ui/assets/netbird-systemtray-update-connected-macos.png
--- a/client/ui/assets/netbird-systemtray-update-connected.ico
+++ b/client/ui/assets/netbird-systemtray-update-connected.ico
--- a/client/ui/assets/netbird-systemtray-update-disconnected-dark.ico
+++ b/client/ui/assets/netbird-systemtray-update-disconnected-dark.ico
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Theodor S. Midtlien	2b59191665	Pin actions with SHA, replace unmaintained, add dependabot for actions	2026-05-22 18:51:57 +02:00
Viktor Liu	0358be2313	[client] Revert "Clean up legacy 32-bit and HKCU registry entries on Windows install (#6176 )" (#6232 ) This reverts commit `d927ef468a`.	2026-05-21 16:27:12 +02:00
Viktor Liu	37052fd5bc	[client] Fix nil channel panic in external chain monitor stop (#6224 )	2026-05-20 18:46:51 +02:00
Pascal Fischer	454ff66518	[management] scope network router update call (#6222 )	2026-05-20 18:24:00 +02:00
Pascal Fischer	6137a1fcc5	[proxy] concurrent proxy snapshot apply (#6207 )	2026-05-20 18:21:22 +02:00
Viktor Liu	4955c345d5	Clean up README header, key features table, and self-hosted quickstart (#6178 )	2026-05-20 16:25:56 +02:00
Viktor Liu	9192b4f029	[client] Bump macOS sleep callback timeout to 20s (#6220 )	2026-05-20 13:09:22 +02:00
Maycon Santos	c784b02550	[misc] Update contribution guidelines (#6219 ) Update contribution guidelines and PR template to require discussing impactful changes with the team	2026-05-20 12:21:03 +02:00
Maycon Santos	d250f92c43	feat(reverse-proxy): clusters API surfaces type, online status, and capability flags (#6148 ) The cluster listing now answers three questions in one round-trip instead of forcing the dashboard to cross-reference the domains API: which clusters can this account see, are they currently up, and what do they support. The ProxyCluster wire type drops the boolean self_hosted in favour of a `type` enum (`account` / `shared`) plus explicit `online`, `supports_custom_ports`, `require_subdomain`, and `supports_crowdsec` fields. Store query reworked so offline clusters still appear (no last_seen WHERE), with online and connected_proxies both derived from the existing 2-min active window via portable CASE expressions; the 1-hour heartbeat reaper still removes long-stale rows. Service manager enriches each cluster with the capability flags via the existing per-cluster lookups (CapabilityProvider now also exposes ClusterSupportsCrowdSec). GetActiveClusterAddresses* keep their tight 2-min filter so service routing and domain enumeration aren't pulled into the wider window. The hard cut removes self_hosted from the response — the dashboard is the only consumer and is updated in the matching PR; no transitional field is shipped. Adds a cross-engine regression test asserting offline clusters surface, connected_proxies counts only fresh proxies, and account-scoped BYOP clusters never leak across accounts.	2026-05-20 10:08:34 +02:00
Maycon Santos	80966ab1b0	[management] Ensure SessionStartedAt has a default value (#6211 ) * [management] Ensure SessionStartedAt has a default value Avoid null values for the new column * [management] Add PeerStatus with LastSeen in peer_test * [management] Add migration for PeerStatusSessionStartedAt default value * [management] Add PeerStatus with LastSeen in migration tests	2026-05-20 08:25:30 +02:00