fix(ci): improve system prompt for partial fixes and stale issues

- Add rules for partial fixes: PRs that only address some items in a
  multi-item request or explicitly say "partially addresses" do not
  count as resolution
- Clarify that maintainer-offered alternatives without reporter
  confirmation are not fixes
- Add stale issue guidance: 12+ months inactive with unanswered
  maintainer response should be MANUAL_REVIEW not KEEP_OPEN

.github/issue-resolution/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "issue-resolution",
+  "private": true,
+  "type": "module"
+}

.github/issue-resolution/prompts/issue-resolution-system.txt

@@ -0,0 +1,41 @@
+You are a GitHub issue resolution classifier.
+
+Your job is to decide whether an open GitHub issue is:
+- AUTO_CLOSE
+- MANUAL_REVIEW
+- KEEP_OPEN
+
+Rules:
+1. AUTO_CLOSE is only allowed if there is objective, hard evidence:
+   - a merged linked PR that clearly resolves the issue, or
+   - an explicit maintainer/member/owner/collaborator comment saying the issue is fixed, resolved, duplicate, or superseded
+2. If there is any contradictory later evidence, do NOT AUTO_CLOSE.
+3. If evidence is promising but not airtight, choose MANUAL_REVIEW.
+4. If the issue still appears active or unresolved, choose KEEP_OPEN.
+5. Do not invent evidence.
+6. Output valid JSON only.
+
+Maintainer-authoritative roles:
+- MEMBER
+- OWNER
+- COLLABORATOR
+
+Partial fixes and multi-item issues:
+- A merged PR that only addresses SOME items in a multi-item request does NOT resolve the issue. If the issue lists 5 feature requests and a PR fixes 1, the issue is still open.
+- If a PR description or comment says "partially addresses", "partial fix", or similar, the issue is NOT resolved. Classify as KEEP_OPEN.
+- If a merged PR addresses the core ask but a later comment objects or reports a regression, classify as MANUAL_REVIEW (not resolved).
+
+Workarounds vs. actual fixes:
+- A WORKAROUND is when a user changes their own setup to avoid the problem (editing configs, using a different setting, manual SQL fixes, switching tools, scripts). Workarounds do NOT count as resolution — the underlying issue is still present in the product.
+- An ACTUAL FIX is when a user reports the problem went away after upgrading to a specific version (e.g., "fixed after updating to v0.65.1") or after a specific PR was merged. This suggests the fix was shipped in the product itself.
+- A maintainer pointing to an existing alternative feature is NOT the same as fixing the issue. If the reporter never confirmed the alternative works for them, classify as KEEP_OPEN.
+- If only workarounds exist and no maintainer has confirmed a fix, classify as KEEP_OPEN.
+- If a user reports an actual fix via a version upgrade but no maintainer confirmed it, classify as MANUAL_REVIEW (not AUTO_CLOSE).
+
+Stale issues:
+- An issue with no activity for over 12 months, where a maintainer offered an alternative or asked for more info and the reporter never responded, is a candidate for MANUAL_REVIEW — not necessarily KEEP_OPEN.
+
+Important:
+- Later comments outweigh earlier ones.
+- A non-maintainer saying "fixed for me" is not enough for AUTO_CLOSE.
+- If uncertain, prefer MANUAL_REVIEW or KEEP_OPEN.

.github/issue-resolution/schemas/issue-resolution-output.json

@@ -0,0 +1,80 @@
+{
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "decision",
+    "reason_code",
+    "confidence",
+    "hard_signals",
+    "contradictions",
+    "summary",
+    "close_comment",
+    "manual_review_note"
+  ],
+  "properties": {
+    "decision": {
+      "type": "string",
+      "enum": ["AUTO_CLOSE", "MANUAL_REVIEW", "KEEP_OPEN"]
+    },
+    "reason_code": {
+      "type": "string",
+      "enum": [
+        "resolved_by_merged_pr",
+        "maintainer_confirmed_resolved",
+        "duplicate_confirmed",
+        "superseded_confirmed",
+        "likely_fixed_but_unconfirmed",
+        "still_open",
+        "unclear"
+      ]
+    },
+    "confidence": {
+      "type": "number",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "hard_signals": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["type", "url"],
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": [
+              "merged_pr",
+              "maintainer_comment",
+              "duplicate_reference",
+              "superseded_reference"
+            ]
+          },
+          "url": { "type": "string" }
+        }
+      }
+    },
+    "contradictions": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["type", "url"],
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": [
+              "reporter_still_broken",
+              "later_unresolved_comment",
+              "ambiguous_pr_link",
+              "other"
+            ]
+          },
+          "url": { "type": "string" }
+        }
+      }
+    },
+    "summary": { "type": "string" },
+    "close_comment": { "type": "string" },
+    "manual_review_note": { "type": "string" }
+  }
+}

.github/issue-resolution/scripts/apply-decisions.mjs

@@ -0,0 +1,213 @@
+import fs from "node:fs/promises";
+
+const decisions = JSON.parse(await fs.readFile("decisions.json", "utf8"));
+const dryRun = String(process.env.DRY_RUN).toLowerCase() === "true";
+
+const ghHeaders = {
+  Authorization: `Bearer ${process.env.GH_TOKEN}`,
+  Accept: "application/vnd.github+json",
+  "X-GitHub-Api-Version": "2022-11-28",
+};
+
+// Use PROJECT_PAT for project board operations, fall back to GH_TOKEN
+const projectHeaders = {
+  Authorization: `Bearer ${process.env.PROJECT_PAT || process.env.GH_TOKEN}`,
+  Accept: "application/vnd.github+json",
+  "X-GitHub-Api-Version": "2022-11-28",
+};
+
+async function rest(url, method = "GET", body) {
+  const res = await fetch(url, {
+    method,
+    headers: ghHeaders,
+    body: body ? JSON.stringify(body) : undefined
+  });
+  if (!res.ok) throw new Error(`${res.status} ${url}: ${await res.text()}`);
+  return res.status === 204 ? null : res.json();
+}
+
+async function graphql(query, variables) {
+  const res = await fetch("https://api.github.com/graphql", {
+    method: "POST",
+    headers: projectHeaders,
+    body: JSON.stringify({ query, variables })
+  });
+  if (!res.ok) throw new Error(`${res.status}: ${await res.text()}`);
+  const json = await res.json();
+  if (json.errors) throw new Error(JSON.stringify(json.errors));
+  return json.data;
+}
+
+async function addLabel(owner, repo, issueNumber, labels) {
+  return rest(
+    `https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}/labels`,
+    "POST",
+    { labels }
+  );
+}
+
+async function addComment(owner, repo, issueNumber, body) {
+  return rest(
+    `https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}/comments`,
+    "POST",
+    { body }
+  );
+}
+
+async function closeIssue(owner, repo, issueNumber) {
+  return rest(
+    `https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}`,
+    "PATCH",
+    { state: "closed", state_reason: "completed" }
+  );
+}
+
+async function getIssueNodeId(owner, repo, issueNumber) {
+  const issue = await rest(`https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}`);
+  return issue.node_id;
+}
+
+async function addToProject(issueNodeId) {
+  const mutation = `
+    mutation($projectId: ID!, $contentId: ID!) {
+      addProjectV2ItemById(input: {projectId: $projectId, contentId: $contentId}) {
+        item { id }
+      }
+    }
+  `;
+
+  try {
+    const data = await graphql(mutation, {
+      projectId: process.env.PROJECT_ID,
+      contentId: issueNodeId
+    });
+    return data.addProjectV2ItemById.item.id;
+  } catch (err) {
+    console.warn(`[WARN] Could not add to project (needs PAT with project scope): ${err.message}`);
+    return null;
+  }
+}
+
+async function setTextField(itemId, fieldId, value) {
+  const mutation = `
+    mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $value: String!) {
+      updateProjectV2ItemFieldValue(input: {
+        projectId: $projectId,
+        itemId: $itemId,
+        fieldId: $fieldId,
+        value: { text: $value }
+      }) {
+        projectV2Item { id }
+      }
+    }
+  `;
+
+  return graphql(mutation, {
+    projectId: process.env.PROJECT_ID,
+    itemId,
+    fieldId,
+    value
+  });
+}
+
+async function setNumberField(itemId, fieldId, value) {
+  const mutation = `
+    mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $value: Float!) {
+      updateProjectV2ItemFieldValue(input: {
+        projectId: $projectId,
+        itemId: $itemId,
+        fieldId: $fieldId,
+        value: { number: $value }
+      }) {
+        projectV2Item { id }
+      }
+    }
+  `;
+
+  return graphql(mutation, {
+    projectId: process.env.PROJECT_ID,
+    itemId,
+    fieldId,
+    value
+  });
+}
+
+async function setSingleSelectField(itemId, fieldId, optionId) {
+  const mutation = `
+    mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+      updateProjectV2ItemFieldValue(input: {
+        projectId: $projectId,
+        itemId: $itemId,
+        fieldId: $fieldId,
+        value: { singleSelectOptionId: $optionId }
+      }) {
+        projectV2Item { id }
+      }
+    }
+  `;
+
+  return graphql(mutation, {
+    projectId: process.env.PROJECT_ID,
+    itemId,
+    fieldId,
+    optionId
+  });
+}
+
+async function addToProjectWithFields(owner, repo, d) {
+  const issueNodeId = await getIssueNodeId(owner, repo, d.issue_number);
+  const itemId = await addToProject(issueNodeId);
+
+  if (itemId) {
+    if (process.env.PROJECT_STATUS_FIELD_ID && process.env.PROJECT_STATUS_OPTION_NEEDS_REVIEW_ID) {
+      await setSingleSelectField(itemId, process.env.PROJECT_STATUS_FIELD_ID, process.env.PROJECT_STATUS_OPTION_NEEDS_REVIEW_ID);
+    }
+    if (process.env.PROJECT_CONFIDENCE_FIELD_ID) {
+      await setNumberField(itemId, process.env.PROJECT_CONFIDENCE_FIELD_ID, d.model.confidence);
+    }
+    if (process.env.PROJECT_REASON_FIELD_ID) {
+      await setTextField(itemId, process.env.PROJECT_REASON_FIELD_ID, d.model.reason_code);
+    }
+    if (process.env.PROJECT_EVIDENCE_FIELD_ID) {
+      await setTextField(itemId, process.env.PROJECT_EVIDENCE_FIELD_ID, d.issue_url);
+    }
+    console.log(`  → Added to project board (Status: Needs Review)`);
+  }
+}
+
+for (const d of decisions) {
+  const [owner, repo] = d.repository.split("/");
+
+  if (d.final_decision === "KEEP_OPEN") {
+    console.log(`#${d.issue_number} → KEEP_OPEN (confidence: ${d.model.confidence}, reason: ${d.model.reason_code})`);
+    continue;
+  }
+
+  if (dryRun) {
+    console.log(`[DRY RUN] #${d.issue_number} → ${d.final_decision} (confidence: ${d.model.confidence}, reason: ${d.model.reason_code})`);
+    // In dry-run: populate project board but don't touch issues
+    if (d.final_decision === "MANUAL_REVIEW" || d.final_decision === "AUTO_CLOSE") {
+      await addToProjectWithFields(owner, repo, d);
+    }
+    continue;
+  }
+
+  if (d.final_decision === "AUTO_CLOSE") {
+    await addLabel(owner, repo, d.issue_number, ["auto-closed-resolved"]);
+    await addComment(owner, repo, d.issue_number, d.model.close_comment);
+    await closeIssue(owner, repo, d.issue_number);
+    await addToProjectWithFields(owner, repo, d);
+  }
+
+  if (d.final_decision === "MANUAL_REVIEW") {
+    await addLabel(owner, repo, d.issue_number, ["resolution-candidate"]);
+    await addToProjectWithFields(owner, repo, d);
+    await addComment(
+      owner,
+      repo,
+      d.issue_number,
+      d.model.manual_review_note ||
+        "This issue looks like a possible resolution candidate, but not with enough certainty for automatic closure. Added to the review queue."
+    );
+  }
+}

.github/issue-resolution/scripts/classify-candidates.mjs

@@ -0,0 +1,259 @@
+import fs from "node:fs/promises";
+
+const candidates = JSON.parse(await fs.readFile("candidates.json", "utf8"));
+const systemPrompt = await fs.readFile("prompts/issue-resolution-system.txt", "utf8");
+const outputSchema = JSON.parse(await fs.readFile("schemas/issue-resolution-output.json", "utf8"));
+
+function isMaintainerRole(role) {
+  return ["MEMBER", "OWNER", "COLLABORATOR"].includes(role || "");
+}
+
+function preScore(candidate) {
+  let score = 0;
+  const hardSignals = [];
+  const contradictions = [];
+
+  for (const t of candidate.timeline) {
+    const sourceIssue = t.source?.issue;
+
+    if (t.event === "cross-referenced" && sourceIssue?.pull_request?.html_url) {
+      hardSignals.push({
+        type: "merged_pr",
+        url: sourceIssue.html_url
+      });
+      score += 40; // provisional until PR merged state is verified
+    }
+
+    if (["referenced", "connected"].includes(t.event)) {
+      score += 10;
+    }
+  }
+
+  for (const c of candidate.comments) {
+    const body = c.body.toLowerCase();
+
+    if (
+      isMaintainerRole(c.author_association) &&
+      /\b(fixed|resolved|duplicate|superseded|closing)\b/.test(body)
+    ) {
+      score += 25;
+      hardSignals.push({
+        type: "maintainer_comment",
+        url: c.html_url
+      });
+    }
+
+    if (/\b(still broken|still happening|not fixed|reproducible)\b/.test(body)) {
+      score -= 50;
+      contradictions.push({
+        type: "later_unresolved_comment",
+        url: c.html_url
+      });
+    }
+  }
+
+  return { score, hardSignals, contradictions };
+}
+
+// GitHub Models gpt-4o has an 8000 token input limit.
+// Reserve ~2000 tokens for system prompt + response overhead.
+// 1 token ~= 4 chars, so cap user message at ~24000 chars.
+const MAX_USER_MESSAGE_CHARS = 24000;
+
+function truncate(text, maxChars) {
+  if (text.length <= maxChars) return text;
+  return text.slice(0, maxChars) + "\n\n[... truncated due to length]";
+}
+
+function buildUserMessage(candidate, pre) {
+  const { issue, comments, timeline } = candidate;
+
+  const commentBlock = comments
+    .map((c) => `[${c.author_association}] ${c.user} (${c.created_at}):\n${c.body}`)
+    .join("\n---\n");
+
+  const timelineBlock = timeline
+    .filter((t) => ["cross-referenced", "referenced", "connected", "closed", "reopened"].includes(t.event))
+    .map((t) => {
+      let line = `${t.event} (${t.created_at})`;
+      if (t.source?.issue?.html_url) line += ` — ${t.source.issue.html_url}`;
+      if (t.source?.issue?.pull_request?.html_url) line += ` (PR: ${t.source.issue.pull_request.html_url})`;
+      return line;
+    })
+    .join("\n");
+
+  const sections = [
+    `## Issue #${issue.number}: ${issue.title}`,
+    `URL: ${issue.html_url}`,
+    `Created: ${issue.created_at} | Updated: ${issue.updated_at}`,
+    `Labels: ${issue.labels.join(", ") || "none"}`,
+    "",
+    "### Body",
+    truncate(issue.body || "(empty)", 4000),
+    "",
+    "### Comments",
+    commentBlock || "(none)",
+    "",
+    "### Timeline events",
+    timelineBlock || "(none)",
+  ];
+
+  if (candidate.linked_prs?.length) {
+    sections.push("");
+    sections.push("### Linked PRs (verified state)");
+    for (const pr of candidate.linked_prs) {
+      const status = pr.merged ? `MERGED (${pr.merged_at})` : pr.state.toUpperCase();
+      sections.push(`- PR #${pr.number}: ${pr.title} — ${status} — ${pr.url}`);
+    }
+  }
+
+  if (pre.hardSignals.length || pre.contradictions.length) {
+    sections.push("");
+    sections.push("### Automated evidence scan");
+    for (const s of pre.hardSignals) {
+      sections.push(`- SIGNAL: ${s.type} — ${s.url}`);
+    }
+    for (const c of pre.contradictions) {
+      sections.push(`- CONTRADICTION: ${c.type} — ${c.url}`);
+    }
+  }
+
+  return truncate(sections.join("\n"), MAX_USER_MESSAGE_CHARS);
+}
+
+const MODEL = "gpt-4o-mini";
+const MAX_RETRIES = 5;
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function callGitHubModel(candidate, pre) {
+  const body = JSON.stringify({
+    model: MODEL,
+    messages: [
+      { role: "system", content: systemPrompt },
+      { role: "user", content: buildUserMessage(candidate, pre) },
+    ],
+    response_format: {
+      type: "json_schema",
+      json_schema: {
+        name: "issue_resolution",
+        strict: true,
+        schema: outputSchema,
+      },
+    },
+    temperature: 0.1,
+  });
+
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    const res = await fetch("https://models.inference.ai.azure.com/chat/completions", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${process.env.GH_TOKEN}`,
+        "Content-Type": "application/json",
+      },
+      body,
+    });
+
+    if (res.status === 429) {
+      const retryAfter = Number(res.headers.get("retry-after")) || 30;
+      if (retryAfter > 120) {
+        console.warn(`  [QUOTA EXHAUSTED] API wants ${retryAfter}s wait — skipping remaining issues.`);
+        return null;
+      }
+      console.warn(`  [RATE LIMITED] Waiting ${retryAfter}s (attempt ${attempt + 1}/${MAX_RETRIES})...`);
+      await sleep(retryAfter * 1000);
+      continue;
+    }
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`GitHub Models ${res.status}: ${text}`);
+    }
+
+    const data = await res.json();
+    return JSON.parse(data.choices[0].message.content);
+  }
+
+  throw new Error(`GitHub Models: exceeded ${MAX_RETRIES} retries due to rate limiting`);
+}
+
+function enforcePolicy(modelOut, pre) {
+  const approvedReasons = new Set([
+    "resolved_by_merged_pr",
+    "maintainer_confirmed_resolved",
+    "duplicate_confirmed",
+    "superseded_confirmed"
+  ]);
+
+  const hasHardSignal =
+    (modelOut.hard_signals || []).some(s =>
+      ["merged_pr", "maintainer_comment", "duplicate_reference", "superseded_reference"].includes(s.type)
+    ) || pre.hardSignals.length > 0;
+
+  const hasContradiction =
+    (modelOut.contradictions || []).length > 0 || pre.contradictions.length > 0;
+
+  // Only auto-close with very strict criteria
+  if (
+    modelOut.decision === "AUTO_CLOSE" &&
+    modelOut.confidence >= 0.97 &&
+    approvedReasons.has(modelOut.reason_code) &&
+    hasHardSignal &&
+    !hasContradiction
+  ) {
+    return "AUTO_CLOSE";
+  }
+
+  // Downgrade AUTO_CLOSE that didn't pass the gate
+  if (modelOut.decision === "AUTO_CLOSE") {
+    return "MANUAL_REVIEW";
+  }
+
+  // Otherwise trust the model
+  return modelOut.decision;
+}
+
+console.log(`Classifying ${candidates.length} candidates with ${MODEL}...\n`);
+
+// 15 req/min limit → 1 request every 4s. Use 4.5s for safety margin.
+const PACE_MS = 4500;
+let lastRequestTime = 0;
+
+async function paced(fn) {
+  const elapsed = Date.now() - lastRequestTime;
+  if (elapsed < PACE_MS) await sleep(PACE_MS - elapsed);
+  lastRequestTime = Date.now();
+  return fn();
+}
+
+const decisions = [];
+for (const candidate of candidates) {
+  const pre = preScore(candidate);
+  const modelOut = await paced(() => callGitHubModel(candidate, pre));
+
+  if (modelOut === null) {
+    console.warn(`\nQuota exhausted after ${decisions.length} issues. Writing partial results.`);
+    break;
+  }
+
+  const finalDecision = enforcePolicy(modelOut, pre);
+
+  decisions.push({
+    repository: candidate.repository,
+    issue_number: candidate.issue.number,
+    issue_url: candidate.issue.html_url,
+    title: candidate.issue.title,
+    pre_score: pre.score,
+    final_decision: finalDecision,
+    model: modelOut
+  });
+
+  console.log(
+    `#${candidate.issue.number} | pre_score: ${pre.score} | model: ${modelOut.decision} @ ${modelOut.confidence} | final: ${finalDecision} | ${modelOut.reason_code}`
+  );
+}
+
+await fs.writeFile("decisions.json", JSON.stringify(decisions, null, 2));
+console.log(`\nWrote ${decisions.length} decisions to decisions.json`);

.github/issue-resolution/scripts/fetch-candidates.mjs

@@ -0,0 +1,123 @@
+import fs from "node:fs/promises";
+
+const token = process.env.GH_TOKEN;
+const repo = process.env.REPO; // "owner/repo"
+const maxIssues = Number(process.env.MAX_ISSUES) || 100;
+
+const headers = {
+  Authorization: `Bearer ${token}`,
+  Accept: "application/vnd.github+json",
+  "X-GitHub-Api-Version": "2022-11-28",
+};
+
+async function rest(url) {
+  const res = await fetch(url, { headers });
+  if (!res.ok) throw new Error(`${res.status} ${url}: ${await res.text()}`);
+  return res.json();
+}
+
+async function restSafe(url) {
+  const res = await fetch(url, { headers });
+  if (!res.ok) return null;
+  return res.json();
+}
+
+async function paginate(url, max) {
+  const items = [];
+  let page = 1;
+  while (items.length < max) {
+    const perPage = Math.min(100, max - items.length);
+    const sep = url.includes("?") ? "&" : "?";
+    const batch = await rest(`${url}${sep}per_page=${perPage}&page=${page}`);
+    if (!batch.length) break;
+    items.push(...batch);
+    page++;
+  }
+  return items.slice(0, max);
+}
+
+console.log(`Fetching up to ${maxIssues} open issues from ${repo}...`);
+
+const issues = await paginate(
+  `https://api.github.com/repos/${repo}/issues?state=open&sort=updated&direction=asc`,
+  maxIssues
+);
+
+// Filter out pull requests (GitHub API returns PRs as issues too)
+const realIssues = issues.filter((i) => !i.pull_request);
+console.log(`Found ${realIssues.length} open issues (excluded PRs).`);
+
+const candidates = [];
+for (const issue of realIssues) {
+  const [comments, timeline] = await Promise.all([
+    rest(`https://api.github.com/repos/${repo}/issues/${issue.number}/comments?per_page=100`),
+    rest(`https://api.github.com/repos/${repo}/issues/${issue.number}/timeline?per_page=100`),
+  ]);
+
+  candidates.push({
+    repository: repo,
+    issue: {
+      number: issue.number,
+      html_url: issue.html_url,
+      title: issue.title,
+      body: issue.body,
+      created_at: issue.created_at,
+      updated_at: issue.updated_at,
+      labels: issue.labels.map((l) => l.name),
+    },
+    comments: comments.map((c) => ({
+      body: c.body,
+      author_association: c.author_association,
+      html_url: c.html_url,
+      created_at: c.created_at,
+      user: c.user?.login,
+    })),
+    timeline: timeline.map((t) => ({
+      event: t.event,
+      created_at: t.created_at,
+      source: t.source
+        ? {
+            issue: {
+              html_url: t.source.issue?.html_url,
+              pull_request: t.source.issue?.pull_request
+                ? { html_url: t.source.issue.pull_request.html_url }
+                : undefined,
+            },
+          }
+        : undefined,
+    })),
+    linked_prs: [],
+  });
+
+  // Fetch merge status for cross-referenced PRs
+  const prUrls = new Set();
+  for (const t of timeline) {
+    const prHtml = t.source?.issue?.pull_request?.html_url;
+    if (t.event === "cross-referenced" && prHtml) {
+      prUrls.add(prHtml);
+    }
+  }
+
+  const candidate = candidates[candidates.length - 1];
+  for (const prHtml of prUrls) {
+    // Extract owner/repo and PR number from URL like https://github.com/owner/repo/pull/123
+    const match = prHtml.match(/github\.com\/([^/]+\/[^/]+)\/pull\/(\d+)/);
+    if (!match) continue;
+    const [, prRepo, prNum] = match;
+    const pr = await restSafe(`https://api.github.com/repos/${prRepo}/pulls/${prNum}`);
+    if (!pr) continue;
+    candidate.linked_prs.push({
+      number: pr.number,
+      title: pr.title,
+      url: prHtml,
+      state: pr.state,
+      merged: pr.merged || false,
+      merged_at: pr.merged_at,
+    });
+  }
+
+  console.log(`  #${issue.number} — ${comments.length} comments, ${timeline.length} timeline events, ${candidate.linked_prs.length} linked PRs`);
+}
+
+await fs.writeFile("candidates.json", JSON.stringify(candidates, null, 2));
+console.log(`Wrote ${candidates.length} candidates to candidates.json`);

.github/workflows/issue-resolution-triage.yml

@@ -0,0 +1,63 @@
+name: issue-resolution-triage
+
+on:
+  push:
+    branches: [github-issue-resolver]
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "If true, do not close issues"
+        required: false
+        default: "true"
+      max_issues:
+        description: "How many issues to process"
+        required: false
+        default: "100"
+  schedule:
+    - cron: "17 2 * * *"
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: read
+  models: read
+
+#  todo: remove hardcoded values
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      PROJECT_PAT: ${{ secrets.PROJECT_PAT }}
+      DRY_RUN: "true"
+      MAX_ISSUES: "100"
+      REPO: ${{ github.repository }}
+      PROJECT_ID: "PVT_kwDOBfz4Jc4BVeWR"
+      PROJECT_STATUS_FIELD_ID: "PVTSSF_lADOBfz4Jc4BVeWRzhQ56sU"
+      PROJECT_STATUS_OPTION_NEEDS_REVIEW_ID: "a55a2be9"
+      PROJECT_CONFIDENCE_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ57x4"
+      PROJECT_REASON_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ5-Lg"
+      PROJECT_EVIDENCE_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ5-Pw"
+
+    defaults:
+      run:
+        working-directory: .github/issue-resolution
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - run: node scripts/fetch-candidates.mjs
+      - run: node scripts/classify-candidates.mjs
+      - run: node scripts/apply-decisions.mjs
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: triage-results
+          path: |
+            .github/issue-resolution/candidates.json
+            .github/issue-resolution/decisions.json

.github/workflows/release.yml

@@ -115,12 +115,6 @@ jobs:
 
   release:
     runs-on: ubuntu-latest-m
-    outputs:
-      release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
-      linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
-      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
-      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
-      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
     env:
       flags: ""
     steps:
@@ -219,13 +213,10 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: Tag and push images (amd64 only)
-        id: tag_and_push_images
         if: |
           (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
           (github.event_name == 'push' && github.ref == 'refs/heads/main')
         run: |
-          set -euo pipefail
-
           resolve_tags() {
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               echo "pr-${{ github.event.pull_request.number }}"
@@ -234,17 +225,6 @@ jobs:
             fi
           }
 
-          ghcr_package_url() {
-            local image="$1" package encoded_package
-            package="${image#ghcr.io/}"
-            package="${package#*/}"
-            package="${package%%:*}"
-            encoded_package="${package//\//%2F}"
-            echo "https://github.com/orgs/netbirdio/packages/container/package/${encoded_package}"
-          }
-
-          image_refs=()
-
           tag_and_push() {
             local src="$1" img_name tag dst
             img_name="${src%%:*}"
@@ -253,56 +233,35 @@ jobs:
               echo "Tagging ${src} -> ${dst}"
               docker tag "$src" "$dst"
               docker push "$dst"
-              image_refs+=("$dst")
             done
           }
 
-          cat > /tmp/goreleaser-artifacts.json <<'JSON'
-          ${{ steps.goreleaser.outputs.artifacts }}
-          JSON
+          export -f tag_and_push resolve_tags
 
-          mapfile -t src_images < <(
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name | select(startswith("ghcr.io/"))' /tmp/goreleaser-artifacts.json
-          )
-
-          for src in "${src_images[@]}"; do
-            tag_and_push "$src"
-          done
-
-          {
-            echo "images_markdown<<EOF"
-            if [[ ${#image_refs[@]} -eq 0 ]]; then
-              echo "_No GHCR images were pushed._"
-            else
-              printf '%s\n' "${image_refs[@]}" | sort -u | while read -r image; do
-                printf -- '- [`%s`](%s)\n' "$image" "$(ghcr_package_url "$image")"
-              done
-            fi
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
+          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
+            grep '^ghcr.io/' | while read -r SRC; do
+              tag_and_push "$SRC"
+            done
       - name: upload non tags for debug purposes
-        id: upload_release
         uses: actions/upload-artifact@v4
         with:
           name: release
           path: dist/
           retention-days: 7
       - name: upload linux packages
-        id: upload_linux_packages
         uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
           retention-days: 7
       - name: upload windows packages
-        id: upload_windows_packages
         uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
           retention-days: 7
       - name: upload macos packages
-        id: upload_macos_packages
         uses: actions/upload-artifact@v4
         with:
           name: macos-packages
@@ -311,8 +270,6 @@ jobs:
 
   release_ui:
     runs-on: ubuntu-latest
-    outputs:
-      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
       - name: Parse semver string
         id: semver_parser
@@ -403,7 +360,6 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: upload non tags for debug purposes
-        id: upload_release_ui
         uses: actions/upload-artifact@v4
         with:
           name: release-ui
@@ -412,8 +368,6 @@ jobs:
 
   release_ui_darwin:
     runs-on: macos-latest
-    outputs:
-      release_ui_darwin_artifact_url: ${{ steps.upload_release_ui_darwin.outputs.artifact-url }}
     steps:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -448,110 +402,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: upload non tags for debug purposes
-        id: upload_release_ui_darwin
         uses: actions/upload-artifact@v4
         with:
           name: release-ui-darwin
           path: dist/
           retention-days: 3
 
-  comment_release_artifacts:
-    name: Comment release artifacts
-    runs-on: ubuntu-latest
-    needs: [release, release_ui, release_ui_darwin]
-    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
-    steps:
-      - name: Create or update PR comment
-        uses: actions/github-script@v7
-        env:
-          RELEASE_RESULT: ${{ needs.release.result }}
-          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
-          RELEASE_UI_DARWIN_RESULT: ${{ needs.release_ui_darwin.result }}
-          RELEASE_ARTIFACT_URL: ${{ needs.release.outputs.release_artifact_url }}
-          LINUX_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.linux_packages_artifact_url }}
-          WINDOWS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.windows_packages_artifact_url }}
-          MACOS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.macos_packages_artifact_url }}
-          RELEASE_UI_ARTIFACT_URL: ${{ needs.release_ui.outputs.release_ui_artifact_url }}
-          RELEASE_UI_DARWIN_ARTIFACT_URL: ${{ needs.release_ui_darwin.outputs.release_ui_darwin_artifact_url }}
-          GHCR_IMAGES_MARKDOWN: ${{ needs.release.outputs.ghcr_images }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const marker = '<!-- netbird-release-artifacts -->';
-            const { owner, repo } = context.repo;
-            const issue_number = context.payload.pull_request.number;
-            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
-            const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
-
-            const artifactCell = (url, result) => {
-              if (url) return `[Download](${url})`;
-              return result && result !== 'success' ? `_Not available (${result})_` : '_Not available_';
-            };
-
-            const artifacts = [
-              ['All release artifacts', process.env.RELEASE_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['Linux packages', process.env.LINUX_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['Windows packages', process.env.WINDOWS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['macOS packages', process.env.MACOS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['UI artifacts', process.env.RELEASE_UI_ARTIFACT_URL, process.env.RELEASE_UI_RESULT],
-              ['UI macOS artifacts', process.env.RELEASE_UI_DARWIN_ARTIFACT_URL, process.env.RELEASE_UI_DARWIN_RESULT],
-            ];
-
-            const artifactRows = artifacts
-              .map(([name, url, result]) => `| ${name} | ${artifactCell(url, result)} |`)
-              .join('\n');
-
-            const ghcrImages = (process.env.GHCR_IMAGES_MARKDOWN || '').trim() || '_No GHCR images were pushed._';
-
-            const body = [
-              marker,
-              '## Release artifacts',
-              '',
-              `Built for PR head \`${shortSha}\` in [workflow run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}).`,
-              '',
-              '| Artifact | Link |',
-              '| --- | --- |',
-              artifactRows,
-              '',
-              '### GHCR images (amd64)',
-              ghcrImages,
-              '',
-              '_This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy._',
-            ].join('\n');
-
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner,
-              repo,
-              issue_number,
-              per_page: 100,
-            });
-
-            const previous = comments.find(comment =>
-              comment.user?.type === 'Bot' && comment.body?.includes(marker)
-            );
-
-            if (previous) {
-              await github.rest.issues.updateComment({
-                owner,
-                repo,
-                comment_id: previous.id,
-                body,
-              });
-              core.info(`Updated release artifacts comment ${previous.id}`);
-            } else {
-              const { data } = await github.rest.issues.createComment({
-                owner,
-                repo,
-                issue_number,
-                body,
-              });
-              core.info(`Created release artifacts comment ${data.id}`);
-            }
-
   trigger_signer:
     runs-on: ubuntu-latest
     needs: [release, release_ui, release_ui_darwin]

.github/workflows/sync-tag.yml

@@ -9,8 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
-# Receiving workflows (cloud sync-tag, mobile bump-netbird) expect the short
-# tag form (e.g. v0.30.0), not refs/tags/v0.30.0 — github.ref_name, not github.ref.
 jobs:
   trigger_sync_tag:
     runs-on: ubuntu-latest
@@ -22,30 +20,4 @@ jobs:
           ref: main
           repo: ${{ secrets.UPSTREAM_REPO }}
           token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
-
-  trigger_android_bump:
-    runs-on: ubuntu-latest
-    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
-    steps:
-      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
-        with:
-          workflow: bump-netbird.yml
-          ref: main
-          repo: netbirdio/android-client
-          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
-
-  trigger_ios_bump:
-    runs-on: ubuntu-latest
-    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
-    steps:
-      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
-        with:
-          workflow: bump-netbird.yml
-          ref: main
-          repo: netbirdio/ios-client
-          token: ${{ secrets.NC_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref_name }}" }'

client/cmd/testutil_test.go

@@ -135,7 +135,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/installer.nsis

@@ -201,18 +201,7 @@ Pop $0
 
 Function .onInit
 StrCpy $INSTDIR "${INSTALL_DIR}"
-; Default autostart to enabled so silent installs (/S) match the interactive default
-StrCpy $AutostartEnabled "1"
-
-; Pre-0.70.1 installers ran without SetRegView, so their uninstall keys live
-; in the 32-bit view. Fall back to it so upgrades still find them.
-SetRegView 64
 ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
-${If} $R0 == ""
-    SetRegView 32
-    ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
-    SetRegView 64
-${EndIf}
 ${If} $R0 != ""
     # if silent install jump to uninstall step
     IfSilent uninstall
@@ -225,10 +214,6 @@ ${If} $R0 != ""
 
 ${EndIf}
 FunctionEnd
-
-Function un.onInit
-SetRegView 64
-FunctionEnd
 ######################################################################
 Section -MainProgram
     ${INSTALL_TYPE}
@@ -243,7 +228,6 @@ Section -MainProgram
     !else
         File /r "..\\dist\\netbird_windows_amd64\\"
     !endif
-    File "..\\client\\ui\\assets\\netbird.png"
 SectionEnd
 ######################################################################
 
@@ -263,11 +247,9 @@ WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 ; Create autostart registry entry based on checkbox
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
-    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
+    WriteRegStr HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}" "$INSTDIR\${UI_APP_EXE}.exe"
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
-    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
     DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
@@ -301,8 +283,6 @@ ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
 ; Remove autostart registry entry
 DetailPrint "Removing autostart registry entry if exists..."
-DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
 
 ; Handle data deletion based on checkbox
@@ -341,7 +321,6 @@ DetailPrint "Removing registry keys..."
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
 DeleteRegKey ${REG_ROOT} "${UI_REG_APP_PATH}"
-DeleteRegKey HKCU "Software\Classes\AppUserModelId\${APP_NAME}"
 
 DetailPrint "Removing application directory from PATH..."
 EnVar::SetHKLM

client/internal/engine_test.go

@@ -1671,7 +1671,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/lazyconn/activity/listener_bind_test.go

@@ -3,6 +3,7 @@ package activity
 import (
 	"net"
 	"net/netip"
+	"runtime"
 	"testing"
 	"time"
 
@@ -17,6 +18,10 @@ import (
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
+func isBindListenerPlatform() bool {
+	return runtime.GOOS == "windows" || runtime.GOOS == "js"
+}
+
 // mockEndpointManager implements device.EndpointManager for testing
 type mockEndpointManager struct {
 	endpoints map[netip.Addr]net.Conn
@@ -176,6 +181,10 @@ func TestBindListener_Close(t *testing.T) {
 }
 
 func TestManager_BindMode(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 
@@ -217,6 +226,10 @@ func TestManager_BindMode(t *testing.T) {
 }
 
 func TestManager_BindMode_MultiplePeers(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 

client/internal/lazyconn/activity/manager.go

@@ -4,12 +4,14 @@ import (
 	"errors"
 	"net"
 	"net/netip"
+	"runtime"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -73,6 +75,16 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 
+	// BindListener is used on Windows, JS, and netstack platforms:
+	// - JS: Cannot listen to UDP sockets
+	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
+	//   gateway points to, preventing them from reaching the loopback interface.
+	// - Netstack: Allows multiple instances on the same host without port conflicts.
+	// BindListener bypasses these issues by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
+		return NewUDPListener(m.wgIface, peerCfg)
+	}
+
 	provider, ok := m.wgIface.(bindProvider)
 	if !ok {
 		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")

client/internal/routemanager/systemops/systemops_darwin.go

@@ -89,16 +89,8 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 		return false, fmt.Errorf("unusable default nexthop for %s (no interface)", unspec)
 	}
 
-	reused := false
 	if err := r.addScopedDefault(unspec, nexthop); err != nil {
-		if !errors.Is(err, unix.EEXIST) {
-			return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
-		}
-		// macOS installs its own RTF_IFSCOPE defaults for primary service
-		// selection on multi-NIC setups, so a route on this ifindex can
-		// already exist before we try. Binding to it via IP[V6]_BOUND_IF
-		// still produces the scoped lookup we need.
-		reused = true
+		return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
 	}
 
 	af := unix.AF_INET
@@ -110,11 +102,7 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 	if nexthop.IP.IsValid() {
 		via = nexthop.IP.String()
 	}
-	verb := "installed"
-	if reused {
-		verb = "reused existing"
-	}
-	log.Infof("%s scoped default route via %s on %s for %s", verb, via, nexthop.Intf.Name, afOf(unspec))
+	log.Infof("installed scoped default route via %s on %s for %s", via, nexthop.Intf.Name, afOf(unspec))
 	return true, nil
 }
 

client/internal/sleep/detector_darwin.go

@@ -2,358 +2,217 @@
 
 package sleep
 
+/*
+#cgo LDFLAGS: -framework IOKit -framework CoreFoundation
+#include <IOKit/pwr_mgt/IOPMLib.h>
+#include <IOKit/IOMessage.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+extern void sleepCallbackBridge();
+extern void poweredOnCallbackBridge();
+extern void suspendedCallbackBridge();
+extern void resumedCallbackBridge();
+
+
+// C global variables for IOKit state
+static IONotificationPortRef g_notifyPortRef = NULL;
+static io_object_t g_notifierObject = 0;
+static io_object_t g_generalInterestNotifier = 0;
+static io_connect_t g_rootPort = 0;
+static CFRunLoopRef g_runLoop = NULL;
+
+static void sleepCallback(void* refCon, io_service_t service, natural_t messageType, void* messageArgument) {
+	switch (messageType) {
+		case kIOMessageSystemWillSleep:
+			sleepCallbackBridge();
+			IOAllowPowerChange(g_rootPort, (long)messageArgument);
+			break;
+        case kIOMessageSystemHasPoweredOn:
+          	poweredOnCallbackBridge();
+          	break;
+        case kIOMessageServiceIsSuspended:
+			suspendedCallbackBridge();
+			break;
+		case kIOMessageServiceIsResumed:
+			resumedCallbackBridge();
+			break;
+		default:
+			break;
+	}
+}
+
+static void registerNotifications() {
+	g_rootPort = IORegisterForSystemPower(
+		NULL,
+		&g_notifyPortRef,
+		(IOServiceInterestCallback)sleepCallback,
+		&g_notifierObject
+	);
+
+	if (g_rootPort == 0) {
+		return;
+	}
+
+	CFRunLoopAddSource(CFRunLoopGetCurrent(),
+		IONotificationPortGetRunLoopSource(g_notifyPortRef),
+		kCFRunLoopCommonModes);
+
+	g_runLoop = CFRunLoopGetCurrent();
+	CFRunLoopRun();
+}
+
+static void unregisterNotifications() {
+	CFRunLoopRemoveSource(g_runLoop,
+		IONotificationPortGetRunLoopSource(g_notifyPortRef),
+		kCFRunLoopCommonModes);
+
+	IODeregisterForSystemPower(&g_notifierObject);
+	IOServiceClose(g_rootPort);
+	IONotificationPortDestroy(g_notifyPortRef);
+	CFRunLoopStop(g_runLoop);
+
+	g_notifyPortRef = NULL;
+	g_notifierObject = 0;
+	g_rootPort = 0;
+	g_runLoop = NULL;
+}
+
+*/
+import "C"
+
 import (
+	"context"
 	"fmt"
 	"runtime"
 	"sync"
 	"time"
-	"unsafe"
 
-	"github.com/ebitengine/purego"
 	log "github.com/sirupsen/logrus"
 )
 
-// IOKit message types from IOKit/IOMessage.h.
-const (
-	kIOMessageCanSystemSleep     uintptr = 0xe0000270
-	kIOMessageSystemWillSleep    uintptr = 0xe0000280
-	kIOMessageSystemHasPoweredOn uintptr = 0xe0000300
-)
-
 var (
-	ioKit         iokitFuncs
-	cf            cfFuncs
-	cfCommonModes uintptr
-
-	libInitOnce sync.Once
-	libInitErr  error
-
-	// callbackThunk is the single C-callable trampoline registered with IOKit.
-	callbackThunk uintptr
-
 	serviceRegistry   = make(map[*Detector]struct{})
 	serviceRegistryMu sync.Mutex
-	session           *runLoopSession
-
-	// lifecycleMu serializes Register/Deregister so a new registration can't
-	// start a second runloop while a previous teardown is still pending.
-	lifecycleMu sync.Mutex
 )
 
-// iokitFuncs holds IOKit symbols resolved once at init.
-type iokitFuncs struct {
-	IORegisterForSystemPower           func(refcon uintptr, portRef *uintptr, callback uintptr, notifier *uintptr) uintptr
-	IODeregisterForSystemPower         func(notifier *uintptr) int32
-	IOAllowPowerChange                 func(kernelPort uintptr, notificationID uintptr) int32
-	IOServiceClose                     func(connect uintptr) int32
-	IONotificationPortGetRunLoopSource func(port uintptr) uintptr
-	IONotificationPortDestroy          func(port uintptr)
-}
-
-// cfFuncs holds CoreFoundation symbols resolved once at init.
-type cfFuncs struct {
-	CFRunLoopGetCurrent   func() uintptr
-	CFRunLoopRun          func()
-	CFRunLoopStop         func(rl uintptr)
-	CFRunLoopAddSource    func(rl, source, mode uintptr)
-	CFRunLoopRemoveSource func(rl, source, mode uintptr)
-}
-
-// runLoopSession bundles the handles owned by one CFRunLoop lifetime. A nil
-// session means no runloop is active and the next Register must start one.
-type runLoopSession struct {
-	rl       uintptr
-	port     uintptr
-	notifier uintptr
-	rp       uintptr
-}
-
-// detectorSnapshot pins a detector's callback and done channel so dispatch
-// runs with values valid at snapshot time, even if a concurrent
-// Deregister/Register rewrites the detector's fields.
-type detectorSnapshot struct {
-	detector *Detector
-	callback func(event EventType)
-	done     <-chan struct{}
-}
-
-// Detector delivers sleep and wake events to a registered callback.
-type Detector struct {
-	callback func(event EventType)
-	done     chan struct{}
-}
-
-// Register installs callback for power events. The first registration starts
-// the CFRunLoop on a dedicated OS-locked thread and blocks until IOKit
-// registration succeeds or fails; subsequent registrations just add to the
-// dispatch set.
-func (d *Detector) Register(callback func(event EventType)) error {
-	lifecycleMu.Lock()
-	defer lifecycleMu.Unlock()
+//export sleepCallbackBridge
+func sleepCallbackBridge() {
+	log.Info("sleepCallbackBridge event triggered")
 
 	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
+	for svc := range serviceRegistry {
+		svc.triggerCallback(EventTypeSleep)
+	}
+}
+
+//export resumedCallbackBridge
+func resumedCallbackBridge() {
+	log.Info("resumedCallbackBridge event triggered")
+}
+
+//export suspendedCallbackBridge
+func suspendedCallbackBridge() {
+	log.Info("suspendedCallbackBridge event triggered")
+}
+
+//export poweredOnCallbackBridge
+func poweredOnCallbackBridge() {
+	log.Info("poweredOnCallbackBridge event triggered")
+	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
+	for svc := range serviceRegistry {
+		svc.triggerCallback(EventTypeWakeUp)
+	}
+}
+
+type Detector struct {
+	callback func(event EventType)
+	ctx      context.Context
+	cancel   context.CancelFunc
+}
+
+func NewDetector() (*Detector, error) {
+	return &Detector{}, nil
+}
+
+func (d *Detector) Register(callback func(event EventType)) error {
+	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
 	if _, exists := serviceRegistry[d]; exists {
-		serviceRegistryMu.Unlock()
 		return fmt.Errorf("detector service already registered")
 	}
-	d.callback = callback
-	d.done = make(chan struct{})
-	serviceRegistry[d] = struct{}{}
-	needSetup := session == nil
-	serviceRegistryMu.Unlock()
 
-	if !needSetup {
+	d.callback = callback
+
+	d.ctx, d.cancel = context.WithCancel(context.Background())
+
+	if len(serviceRegistry) > 0 {
+		serviceRegistry[d] = struct{}{}
 		return nil
 	}
 
-	errCh := make(chan error, 1)
-	go runRunLoop(errCh)
-	if err := <-errCh; err != nil {
-		serviceRegistryMu.Lock()
-		delete(serviceRegistry, d)
-		close(d.done)
-		d.done = nil
-		serviceRegistryMu.Unlock()
-		return err
-	}
+	serviceRegistry[d] = struct{}{}
+
+	// CFRunLoop must run on a single fixed OS thread
+	go func() {
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
+
+		C.registerNotifications()
+	}()
 
 	log.Info("sleep detection service started on macOS")
 	return nil
 }
 
-// Deregister removes the detector. When the last detector leaves, IOKit
-// notifications are torn down and the runloop is stopped.
+// Deregister removes the detector. When the last detector is removed, IOKit registration is torn down
+// and the runloop is stopped and cleaned up.
 func (d *Detector) Deregister() error {
-	lifecycleMu.Lock()
-	defer lifecycleMu.Unlock()
-
 	serviceRegistryMu.Lock()
-	if _, exists := serviceRegistry[d]; !exists {
-		serviceRegistryMu.Unlock()
+	defer serviceRegistryMu.Unlock()
+	_, exists := serviceRegistry[d]
+	if !exists {
 		return nil
 	}
-	close(d.done)
+
+	// cancel and remove this detector
+	d.cancel()
 	delete(serviceRegistry, d)
 
+	// If other Detectors still exist, leave IOKit running
 	if len(serviceRegistry) > 0 {
-		serviceRegistryMu.Unlock()
 		return nil
 	}
-	sess := session
-	serviceRegistryMu.Unlock()
 
 	log.Info("sleep detection service stopping (deregister)")
 
-	if sess == nil {
-		return nil
-	}
-
-	if sess.rl != 0 && sess.port != 0 {
-		source := ioKit.IONotificationPortGetRunLoopSource(sess.port)
-		cf.CFRunLoopRemoveSource(sess.rl, source, cfCommonModes)
-	}
-	if sess.notifier != 0 {
-		n := sess.notifier
-		ioKit.IODeregisterForSystemPower(&n)
-	}
-
-	// Clear session only after IODeregisterForSystemPower returns so any
-	// in-flight powerCallback can still look up session.rp to ack sleep.
-	serviceRegistryMu.Lock()
-	session = nil
-	serviceRegistryMu.Unlock()
-
-	if sess.rp != 0 {
-		ioKit.IOServiceClose(sess.rp)
-	}
-	if sess.port != 0 {
-		ioKit.IONotificationPortDestroy(sess.port)
-	}
-	if sess.rl != 0 {
-		cf.CFRunLoopStop(sess.rl)
-	}
+	// Deregister IOKit notifications, stop runloop, and free resources
+	C.unregisterNotifications()
 
 	return nil
 }
 
-func (d *Detector) triggerCallback(event EventType, cb func(event EventType), done <-chan struct{}) {
-	if cb == nil || done == nil {
-		return
-	}
-
-	select {
-	case <-done:
-		return
-	default:
-	}
-
+func (d *Detector) triggerCallback(event EventType) {
 	doneChan := make(chan struct{})
+
 	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
-	go func() {
-		defer close(doneChan)
-		defer func() {
-			if r := recover(); r != nil {
-				log.Errorf("panic in sleep callback: %v", r)
-			}
-		}()
+	cb := d.callback
+	go func(callback func(event EventType)) {
 		log.Info("sleep detection event fired")
-		cb(event)
-	}()
+		callback(event)
+		close(doneChan)
+	}(cb)
 
 	select {
 	case <-doneChan:
-	case <-done:
+	case <-d.ctx.Done():
 	case <-timeout.C:
-		log.Warn("sleep callback timed out")
+		log.Warnf("sleep callback timed out")
 	}
 }
-
-// NewDetector initializes IOKit/CoreFoundation bindings and returns a Detector.
-func NewDetector() (*Detector, error) {
-	if err := initLibs(); err != nil {
-		return nil, err
-	}
-	return &Detector{}, nil
-}
-
-func initLibs() error {
-	libInitOnce.Do(func() {
-		iokit, err := purego.Dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", purego.RTLD_NOW|purego.RTLD_GLOBAL)
-		if err != nil {
-			libInitErr = fmt.Errorf("dlopen IOKit: %w", err)
-			return
-		}
-		cfLib, err := purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL)
-		if err != nil {
-			libInitErr = fmt.Errorf("dlopen CoreFoundation: %w", err)
-			return
-		}
-
-		purego.RegisterLibFunc(&ioKit.IORegisterForSystemPower, iokit, "IORegisterForSystemPower")
-		purego.RegisterLibFunc(&ioKit.IODeregisterForSystemPower, iokit, "IODeregisterForSystemPower")
-		purego.RegisterLibFunc(&ioKit.IOAllowPowerChange, iokit, "IOAllowPowerChange")
-		purego.RegisterLibFunc(&ioKit.IOServiceClose, iokit, "IOServiceClose")
-		purego.RegisterLibFunc(&ioKit.IONotificationPortGetRunLoopSource, iokit, "IONotificationPortGetRunLoopSource")
-		purego.RegisterLibFunc(&ioKit.IONotificationPortDestroy, iokit, "IONotificationPortDestroy")
-
-		purego.RegisterLibFunc(&cf.CFRunLoopGetCurrent, cfLib, "CFRunLoopGetCurrent")
-		purego.RegisterLibFunc(&cf.CFRunLoopRun, cfLib, "CFRunLoopRun")
-		purego.RegisterLibFunc(&cf.CFRunLoopStop, cfLib, "CFRunLoopStop")
-		purego.RegisterLibFunc(&cf.CFRunLoopAddSource, cfLib, "CFRunLoopAddSource")
-		purego.RegisterLibFunc(&cf.CFRunLoopRemoveSource, cfLib, "CFRunLoopRemoveSource")
-
-		modeAddr, err := purego.Dlsym(cfLib, "kCFRunLoopCommonModes")
-		if err != nil {
-			libInitErr = fmt.Errorf("dlsym kCFRunLoopCommonModes: %w", err)
-			return
-		}
-		// Launder the uintptr-to-pointer conversion through a Go variable so
-		// go vet's unsafeptr analyzer doesn't flag a system-library global.
-		cfCommonModes = **(**uintptr)(unsafe.Pointer(&modeAddr))
-
-		// NewCallback slots are a finite, non-reclaimable resource, so register
-		// a single thunk that dispatches to the current Detector set.
-		callbackThunk = purego.NewCallback(powerCallback)
-	})
-	return libInitErr
-}
-
-// powerCallback is the IOServiceInterestCallback trampoline, invoked on the
-// runloop thread. A Go panic crossing the purego boundary has undefined
-// behavior, so contain it here.
-func powerCallback(refcon, service, messageType, messageArgument uintptr) uintptr {
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("panic in sleep powerCallback: %v", r)
-		}
-	}()
-	switch messageType {
-	case kIOMessageCanSystemSleep:
-		// Not acknowledging forces a 30s IOKit timeout before idle sleep.
-		allowPowerChange(messageArgument)
-	case kIOMessageSystemWillSleep:
-		dispatchEvent(EventTypeSleep)
-		allowPowerChange(messageArgument)
-	case kIOMessageSystemHasPoweredOn:
-		dispatchEvent(EventTypeWakeUp)
-	}
-	return 0
-}
-
-func allowPowerChange(messageArgument uintptr) {
-	serviceRegistryMu.Lock()
-	var port uintptr
-	if session != nil {
-		port = session.rp
-	}
-	serviceRegistryMu.Unlock()
-	if port != 0 {
-		ioKit.IOAllowPowerChange(port, messageArgument)
-	}
-}
-
-func dispatchEvent(event EventType) {
-	serviceRegistryMu.Lock()
-	snaps := make([]detectorSnapshot, 0, len(serviceRegistry))
-	for d := range serviceRegistry {
-		snaps = append(snaps, detectorSnapshot{
-			detector: d,
-			callback: d.callback,
-			done:     d.done,
-		})
-	}
-	serviceRegistryMu.Unlock()
-
-	for _, s := range snaps {
-		s.detector.triggerCallback(event, s.callback, s.done)
-	}
-}
-
-// runRunLoop owns the OS-locked thread that CFRunLoop is pinned to. Setup
-// result is reported on errCh so Register can surface failures synchronously.
-func runRunLoop(errCh chan<- error) {
-	runtime.LockOSThread()
-	defer runtime.UnlockOSThread()
-
-	sess, err := setupSession()
-	if err == nil {
-		serviceRegistryMu.Lock()
-		session = sess
-		serviceRegistryMu.Unlock()
-	}
-	errCh <- err
-	if err != nil {
-		return
-	}
-
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("panic in sleep runloop: %v", r)
-		}
-	}()
-	cf.CFRunLoopRun()
-}
-
-// setupSession performs the IOKit registration on the current thread. Panics
-// are converted to errors so runRunLoop never leaves errCh unsent.
-func setupSession() (s *runLoopSession, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic during runloop setup: %v", r)
-		}
-	}()
-
-	var portRef, notifier uintptr
-	rp := ioKit.IORegisterForSystemPower(0, &portRef, callbackThunk, &notifier)
-	if rp == 0 {
-		return nil, fmt.Errorf("IORegisterForSystemPower returned zero")
-	}
-
-	rl := cf.CFRunLoopGetCurrent()
-	source := ioKit.IONotificationPortGetRunLoopSource(portRef)
-	cf.CFRunLoopAddSource(rl, source, cfCommonModes)
-
-	return &runLoopSession{rl: rl, port: portRef, notifier: notifier, rp: rp}, nil
-}

client/netbird.wxs

@@ -13,25 +13,15 @@
 
 		<MajorUpgrade AllowSameVersionUpgrades='yes' DowngradeErrorMessage="A newer version of [ProductName] is already installed. Setup will now exit."/>
 
-		<!-- Autostart: enabled by default, disable with AUTOSTART=0 on the msiexec command line -->
-		<Property Id="AUTOSTART" Value="1" />
-
 		<StandardDirectory Id="ProgramFiles64Folder">
 			<Directory Id="NetbirdInstallDir" Name="Netbird">
 				<Component Id="NetbirdFiles" Guid="db3165de-cc6e-4922-8396-9d892950e23e" Bitness="always64">
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird.exe" KeyPath="yes" />
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird-ui.exe">
-						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
-							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
-							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
-						</Shortcut>
-						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
-							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
-							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
-						</Shortcut>
+						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
+						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
-					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
 					<?if $(var.ArchSuffix) = "amd64" ?>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
 					<?endif ?>
@@ -56,31 +46,8 @@
 			</Directory>
 		</StandardDirectory>
 
-		<!-- Per-user component: HKCU keypath (auto GUID via "*"), separate from
-		     the per-machine NetbirdFiles component to satisfy ICE57. -->
-		<StandardDirectory Id="ProgramMenuFolder">
-			<Component Id="NetbirdAumidRegistry" Guid="*">
-				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
-					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
-				</RegistryKey>
-			</Component>
-		</StandardDirectory>
-
-		<StandardDirectory Id="CommonAppDataFolder">
-			<Directory Id="NetbirdAutoStartDir" Name="Netbird">
-				<Component Id="NetbirdAutoStart" Guid="b199eaca-b0dd-4032-af19-679cfad48eb3" Bitness="always64">
-					<Condition>AUTOSTART = "1"</Condition>
-					<RegistryValue Root="HKLM" Key="Software\Microsoft\Windows\CurrentVersion\Run"
-						Name="Netbird" Value="&quot;[NetbirdInstallDir]netbird-ui.exe&quot;"
-						Type="string" KeyPath="yes" />
-				</Component>
-			</Directory>
-		</StandardDirectory>
-
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
-			<ComponentRef Id="NetbirdAumidRegistry" />
-			<ComponentRef Id="NetbirdAutoStart" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

client/proto/daemon.proto

@@ -104,6 +104,8 @@ service DaemonService {
   // StopCPUProfile stops CPU profiling in the daemon
   rpc StopCPUProfile(StopCPUProfileRequest) returns (StopCPUProfileResponse) {}
 
+  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}
+
   rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
 
   // ExposeService exposes a local port via the NetBird reverse proxy
@@ -112,6 +114,20 @@ service DaemonService {
 
 
 
+message OSLifecycleRequest {
+  // avoid collision with loglevel enum
+  enum CycleType {
+    UNKNOWN = 0;
+    SLEEP = 1;
+    WAKEUP = 2;
+  }
+
+  CycleType type = 1;
+}
+
+message OSLifecycleResponse {}
+
+
 message LoginRequest {
   // setupKey netbird setup key.
   string setupKey = 1;

client/server/server.go

@@ -120,7 +120,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
-	s.startSleepDetector()
 
 	return s
 }

client/server/server_test.go

@@ -335,7 +335,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/server/sleep.go

@@ -2,18 +2,13 @@ package server
 
 import (
 	"context"
-	"os"
-	"strconv"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 )
 
-const envDisableSleepDetector = "NB_DISABLE_SLEEP_DETECTOR"
-
 // serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
 type serverAgent struct {
 	s *Server
@@ -33,61 +28,19 @@ func (a *serverAgent) Status() (internal.StatusType, error) {
 	return internal.CtxGetState(a.s.rootCtx).Status()
 }
 
-// startSleepDetector starts the OS sleep/wake detector and forwards events to
-// the sleep handler. On platforms without a supported detector the attempt
-// logs a warning and returns. Setting NB_DISABLE_SLEEP_DETECTOR=true skips
-// registration entirely.
-func (s *Server) startSleepDetector() {
-	if sleepDetectorDisabled() {
-		log.Info("sleep detection disabled via " + envDisableSleepDetector)
-		return
-	}
-
-	svc, err := sleep.New()
-	if err != nil {
-		log.Warnf("failed to initialize sleep detection: %v", err)
-		return
-	}
-
-	err = svc.Register(func(event sleep.EventType) {
-		switch event {
-		case sleep.EventTypeSleep:
-			log.Info("handling sleep event")
-			if err := s.sleepHandler.HandleSleep(s.rootCtx); err != nil {
-				log.Errorf("failed to handle sleep event: %v", err)
-			}
-		case sleep.EventTypeWakeUp:
-			log.Info("handling wakeup event")
-			if err := s.sleepHandler.HandleWakeUp(s.rootCtx); err != nil {
-				log.Errorf("failed to handle wakeup event: %v", err)
-			}
+// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
+func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
+	switch req.GetType() {
+	case proto.OSLifecycleRequest_WAKEUP:
+		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
 		}
-	})
-	if err != nil {
-		log.Errorf("failed to register sleep detector: %v", err)
-		return
-	}
-
-	log.Info("sleep detection service initialized")
-
-	go func() {
-		<-s.rootCtx.Done()
-		log.Info("stopping sleep event listener")
-		if err := svc.Deregister(); err != nil {
-			log.Errorf("failed to deregister sleep detector: %v", err)
+	case proto.OSLifecycleRequest_SLEEP:
+		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
 		}
-	}()
-}
-
-func sleepDetectorDisabled() bool {
-	val := os.Getenv(envDisableSleepDetector)
-	if val == "" {
-		return false
+	default:
+		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
 	}
-	disabled, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s=%q: %v", envDisableSleepDetector, val, err)
-		return false
-	}
-	return disabled
+	return &proto.OSLifecycleResponse{}, nil
 }

client/ui/client_ui.go

@@ -38,10 +38,10 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/desktop"
 	"github.com/netbirdio/netbird/client/ui/event"
-	"github.com/netbirdio/netbird/client/ui/notifier"
 	"github.com/netbirdio/netbird/client/ui/process"
 	"github.com/netbirdio/netbird/util"
 
@@ -260,7 +260,6 @@ type serviceClient struct {
 
 	// application with main windows.
 	app                  fyne.App
-	notifier             notifier.Notifier
 	wSettings            fyne.Window
 	showAdvancedSettings bool
 	sendNotification     bool
@@ -365,7 +364,6 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 		cancel:           cancel,
 		addr:             args.addr,
 		app:              args.app,
-		notifier:         notifier.New(args.app),
 		logFile:          args.logFile,
 		sendNotification: false,
 
@@ -894,7 +892,7 @@ func (s *serviceClient) updateStatus() error {
 		if err != nil {
 			log.Errorf("get service status: %v", err)
 			if s.connected {
-				s.notifier.Send("Error", "Connection to service lost")
+				s.app.SendNotification(fyne.NewNotification("Error", "Connection to service lost"))
 			}
 			s.setDisconnectedStatus()
 			return err
@@ -1111,7 +1109,7 @@ func (s *serviceClient) onTrayReady() {
 		}
 	}()
 
-	s.eventManager = event.NewManager(s.notifier, s.addr)
+	s.eventManager = event.NewManager(s.app, s.addr)
 	s.eventManager.SetNotificationsEnabled(s.mNotifications.Checked())
 	s.eventManager.AddHandler(func(event *proto.SystemEvent) {
 		if event.Category == proto.SystemEvent_SYSTEM {
@@ -1148,6 +1146,9 @@ func (s *serviceClient) onTrayReady() {
 
 	go s.eventManager.Start(s.ctx)
 	go s.eventHandler.listen(s.ctx)
+
+	// Start sleep detection listener
+	go s.startSleepListener()
 }
 
 func (s *serviceClient) attachOutput(cmd *exec.Cmd) *os.File {
@@ -1208,6 +1209,62 @@ func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonService
 	return s.conn, nil
 }
 
+// startSleepListener initializes the sleep detection service and listens for sleep events
+func (s *serviceClient) startSleepListener() {
+	sleepService, err := sleep.New()
+	if err != nil {
+		log.Warnf("%v", err)
+		return
+	}
+
+	if err := sleepService.Register(s.handleSleepEvents); err != nil {
+		log.Errorf("failed to start sleep detection: %v", err)
+		return
+	}
+
+	log.Info("sleep detection service initialized")
+
+	// Cleanup on context cancellation
+	go func() {
+		<-s.ctx.Done()
+		log.Info("stopping sleep event listener")
+		if err := sleepService.Deregister(); err != nil {
+			log.Errorf("failed to deregister sleep detection: %v", err)
+		}
+	}()
+}
+
+// handleSleepEvents sends a sleep notification to the daemon via gRPC
+func (s *serviceClient) handleSleepEvents(event sleep.EventType) {
+	conn, err := s.getSrvClient(0)
+	if err != nil {
+		log.Errorf("failed to get daemon client for sleep notification: %v", err)
+		return
+	}
+
+	req := &proto.OSLifecycleRequest{}
+
+	switch event {
+	case sleep.EventTypeWakeUp:
+		log.Infof("handle wakeup event: %v", event)
+		req.Type = proto.OSLifecycleRequest_WAKEUP
+	case sleep.EventTypeSleep:
+		log.Infof("handle sleep event: %v", event)
+		req.Type = proto.OSLifecycleRequest_SLEEP
+	default:
+		log.Infof("unknown event: %v", event)
+		return
+	}
+
+	_, err = conn.NotifyOSLifecycle(s.ctx, req)
+	if err != nil {
+		log.Errorf("failed to notify daemon about os lifecycle notification: %v", err)
+		return
+	}
+
+	log.Info("successfully notified daemon about os lifecycle")
+}
+
 // setSettingsEnabled enables or disables the settings menu based on the provided state
 func (s *serviceClient) setSettingsEnabled(enabled bool) {
 	if s.mSettings != nil {
@@ -1491,7 +1548,7 @@ func (s *serviceClient) onUpdateAvailable(newVersion string, enforced bool) {
 
 	if enforced && s.lastNotifiedVersion != newVersion {
 		s.lastNotifiedVersion = newVersion
-		s.notifier.Send("Update available", "A new version "+newVersion+" is ready to install")
+		s.app.SendNotification(fyne.NewNotification("Update available", "A new version "+newVersion+" is ready to install"))
 	}
 }
 

client/ui/event/event.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"
 
+	"fyne.io/fyne/v2"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -17,17 +18,11 @@ import (
 	"github.com/netbirdio/netbird/client/ui/desktop"
 )
 
-// Notifier sends desktop notifications. Defined here so the event package
-// does not depend on fyne or the platform-specific notifier implementation.
-type Notifier interface {
-	Send(title, body string)
-}
-
 type Handler func(*proto.SystemEvent)
 
 type Manager struct {
-	notifier Notifier
-	addr     string
+	app  fyne.App
+	addr string
 
 	mu       sync.Mutex
 	ctx      context.Context
@@ -36,10 +31,10 @@ type Manager struct {
 	handlers []Handler
 }
 
-func NewManager(notifier Notifier, addr string) *Manager {
+func NewManager(app fyne.App, addr string) *Manager {
 	return &Manager{
-		notifier: notifier,
-		addr:     addr,
+		app:  app,
+		addr: addr,
 	}
 }
 
@@ -119,7 +114,7 @@ func (e *Manager) handleEvent(event *proto.SystemEvent) {
 		if id != "" {
 			body += fmt.Sprintf(" ID: %s", id)
 		}
-		e.notifier.Send(title, body)
+		e.app.SendNotification(fyne.NewNotification(title, body))
 	}
 
 	for _, handler := range handlers {

client/ui/event_handler.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 
+	"fyne.io/fyne/v2"
 	"fyne.io/systray"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
@@ -86,7 +87,7 @@ func (h *eventHandler) handleConnectClick() {
 			if errors.Is(err, context.Canceled) || (ok && st.Code() == codes.Canceled) {
 				log.Debugf("connect operation cancelled by user")
 			} else {
-				h.client.notifier.Send("Error", "Failed to connect")
+				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to connect"))
 				log.Errorf("connect failed: %v", err)
 			}
 		}
@@ -111,7 +112,7 @@ func (h *eventHandler) handleDisconnectClick() {
 		if err := h.client.menuDownClick(); err != nil {
 			st, ok := status.FromError(err)
 			if !errors.Is(err, context.Canceled) && !(ok && st.Code() == codes.Canceled) {
-				h.client.notifier.Send("Error", "Failed to disconnect")
+				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to disconnect"))
 				log.Errorf("disconnect failed: %v", err)
 			} else {
 				log.Debugf("disconnect cancelled or already disconnecting")
@@ -129,7 +130,7 @@ func (h *eventHandler) handleAllowSSHClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAllowSSH) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update SSH settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update SSH settings"))
 	}
 
 }
@@ -139,7 +140,7 @@ func (h *eventHandler) handleAutoConnectClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAutoConnect) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update auto-connect settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update auto-connect settings"))
 	}
 }
 
@@ -148,7 +149,7 @@ func (h *eventHandler) handleRosenpassClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mEnableRosenpass) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update Rosenpass settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update Rosenpass settings"))
 	}
 }
 
@@ -157,7 +158,7 @@ func (h *eventHandler) handleLazyConnectionClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mLazyConnEnabled) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update lazy connection settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update lazy connection settings"))
 	}
 }
 
@@ -166,7 +167,7 @@ func (h *eventHandler) handleBlockInboundClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mBlockInbound) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update block inbound settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update block inbound settings"))
 	}
 }
 
@@ -175,7 +176,7 @@ func (h *eventHandler) handleNotificationsClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mNotifications) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update notifications settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update notifications settings"))
 	} else if h.client.eventManager != nil {
 		h.client.eventManager.SetNotificationsEnabled(h.client.mNotifications.Checked())
 	}

client/ui/notifier/notifier.go

@@ -1,27 +0,0 @@
-// Package notifier sends desktop notifications. On Windows it uses the WinRT
-// COM API directly via go-toast/v2 to avoid the PowerShell window flash that
-// fyne's default implementation produces. On other platforms it delegates to
-// fyne.
-package notifier
-
-import "fyne.io/fyne/v2"
-
-// Notifier sends desktop notifications.
-type Notifier interface {
-	Send(title, body string)
-}
-
-// New returns a platform-specific Notifier. The fyne app is used as the
-// fallback notifier on platforms where no native implementation is wired up,
-// and on Windows when the COM path fails to initialize.
-func New(app fyne.App) Notifier {
-	return newNotifier(app)
-}
-
-type fyneNotifier struct {
-	app fyne.App
-}
-
-func (f *fyneNotifier) Send(title, body string) {
-	f.app.SendNotification(fyne.NewNotification(title, body))
-}

client/ui/notifier/notifier_other.go

@@ -1,9 +0,0 @@
-//go:build !windows
-
-package notifier
-
-import "fyne.io/fyne/v2"
-
-func newNotifier(app fyne.App) Notifier {
-	return &fyneNotifier{app: app}
-}

client/ui/notifier/notifier_windows.go

@@ -1,88 +0,0 @@
-package notifier
-
-import (
-	"os"
-	"path/filepath"
-	"sync"
-
-	"fyne.io/fyne/v2"
-	toast "git.sr.ht/~jackmordaunt/go-toast/v2"
-	"git.sr.ht/~jackmordaunt/go-toast/v2/wintoast"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// appID is the AppUserModelID shown in the Windows Action Center. It
-	// must match the System.AppUserModel.ID property set on the Start Menu
-	// shortcut by the MSI (see client/netbird.wxs); otherwise Windows
-	// groups toasts under a separate, unbranded entry.
-	appID = "NetBird"
-
-	// appGUID identifies the COM activation callback class. Generated once
-	// for NetBird; do not change without coordinating an installer bump,
-	// since old registry entries pointing at the previous GUID would orphan.
-	appGUID = "{0E1B4DE7-E148-432B-9814-544F941826EC}"
-)
-
-type comNotifier struct {
-	fallback *fyneNotifier
-	ready    bool
-	iconPath string
-}
-
-var (
-	initOnce sync.Once
-	initErr  error
-)
-
-func newNotifier(app fyne.App) Notifier {
-	n := &comNotifier{
-		fallback: &fyneNotifier{app: app},
-		iconPath: resolveIcon(),
-	}
-	initOnce.Do(func() {
-		initErr = wintoast.SetAppData(wintoast.AppData{
-			AppID:    appID,
-			GUID:     appGUID,
-			IconPath: n.iconPath,
-		})
-	})
-	if initErr != nil {
-		log.Warnf("toast: register app data failed, falling back to fyne notifications: %v", initErr)
-		return n.fallback
-	}
-	n.ready = true
-	return n
-}
-
-func (n *comNotifier) Send(title, body string) {
-	if !n.ready {
-		n.fallback.Send(title, body)
-		return
-	}
-	notification := toast.Notification{
-		AppID: appID,
-		Title: title,
-		Body:  body,
-		Icon:  n.iconPath,
-	}
-	if err := notification.Push(); err != nil {
-		log.Warnf("toast: push failed, using fyne fallback: %v", err)
-		n.fallback.Send(title, body)
-	}
-}
-
-// resolveIcon returns an absolute path to the toast icon, or an empty string
-// when no icon can be located. Windows requires a PNG/JPG for the
-// AppUserModelId IconUri registry value; .ico is silently ignored.
-func resolveIcon() string {
-	exe, err := os.Executable()
-	if err != nil {
-		return ""
-	}
-	candidate := filepath.Join(filepath.Dir(exe), "netbird.png")
-	if _, err := os.Stat(candidate); err == nil {
-		return candidate
-	}
-	return ""
-}

client/ui/profile.go

@@ -548,7 +548,7 @@ func (p *profileMenu) refresh() {
 					if err != nil {
 						log.Errorf("failed to switch profile: %v", err)
 						// show  notification dialog
-						p.serviceClient.notifier.Send("Error", "Failed to switch profile")
+						p.app.SendNotification(fyne.NewNotification("Error", "Failed to switch profile"))
 						return
 					}
 
@@ -628,9 +628,9 @@ func (p *profileMenu) refresh() {
 				}
 				if err := p.eventHandler.logout(p.ctx); err != nil {
 					log.Errorf("logout failed: %v", err)
-					p.serviceClient.notifier.Send("Error", "Failed to deregister")
+					p.app.SendNotification(fyne.NewNotification("Error", "Failed to deregister"))
 				} else {
-					p.serviceClient.notifier.Send("Success", "Deregistered successfully")
+					p.app.SendNotification(fyne.NewNotification("Success", "Deregistered successfully"))
 				}
 			}
 		}

go.mod

@@ -30,7 +30,6 @@ require (
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
-	git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.6
@@ -47,7 +46,6 @@ require (
 	github.com/crowdsecurity/go-cs-bouncer v0.0.21
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
-	github.com/ebitengine/purego v0.8.4
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
@@ -180,6 +178,7 @@ require (
 	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect

go.sum

@@ -15,8 +15,6 @@ fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
 fyne.io/fyne/v2 v2.7.0/go.mod h1:xClVlrhxl7D+LT+BWYmcrW4Nf+dJTvkhnPgji7spAwE=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9 h1:829+77I4TaMrcg9B3wf+gHhdSgoCVEgH2czlPXPbfj4=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs=
-git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3 h1:N3IGoHHp9pb6mj1cbXbuaSXV/UMKwmbKLf53nQmtqMA=
-git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3/go.mod h1:QtOLZGz8olr4qH2vWK0QH0w0O4T9fEIjMuWpKUsH7nc=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk=

infrastructure_files/getting-started.sh

@@ -231,20 +231,7 @@ get_upstream_host() {
 
 wait_management_proxy() {
   local proxy_container="${1:-traefik}"
-  local use_docker_logs=false
   set +e
-
-  if [[ "$proxy_container" == "detect-traefik" ]]; then
-    proxy_container=$(docker ps --format "{{.ID}}\t{{.Image}}\t{{.Ports}}" \
-    | awk -F'\t' '$2 ~ /traefik/ && $3 ~ /:(80|443)->/ {print $1; exit}')
-
-    if [[ -z "$proxy_container" ]]; then
-      echo "Warning: could not auto-detect Traefik container, log output will be skipped on timeout." > /dev/stderr
-    else
-      use_docker_logs=true
-    fi
-  fi
-
   echo -n "Waiting for NetBird server to become ready"
   counter=1
   while true; do
@@ -255,13 +242,7 @@ wait_management_proxy() {
     if [[ $counter -eq 60 ]]; then
       echo ""
       echo "Taking too long. Checking logs..."
-      if [[ -n "$proxy_container" ]]; then
-        if [[ "$use_docker_logs" == "true" ]]; then
-          docker logs --tail=20 "$proxy_container"
-        else
-          $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
-        fi
-      fi
+      $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
       $DOCKER_COMPOSE_COMMAND logs --tail=20 netbird-server
     fi
     echo -n " ."
@@ -537,7 +518,7 @@ start_services_and_show_instructions() {
     $DOCKER_COMPOSE_COMMAND up -d
 
     sleep 3
-    wait_management_proxy detect-traefik
+    wait_management_direct
 
     echo -e "$MSG_DONE"
     print_post_setup_instructions

management/internals/server/boot.go

@@ -173,7 +173,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 		}
 
 		gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider(), s.SessionStore())
+		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider())
 		if err != nil {
 			log.Fatalf("failed to create management server: %v", err)
 		}

management/internals/server/controllers.go

@@ -6,7 +6,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/management-integrations/integrations"
-
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	proxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy/manager"
 
@@ -67,12 +66,6 @@ func (s *BaseServer) SecretsManager() grpc.SecretsManager {
 	})
 }
 
-func (s *BaseServer) SessionStore() *auth.SessionStore {
-	return Create(s, func() *auth.SessionStore {
-		return auth.NewSessionStore(s.CacheStore())
-	})
-}
-
 func (s *BaseServer) AuthManager() auth.Manager {
 	audiences := s.Config.GetAuthAudiences()
 	audience := s.Config.HttpConfig.AuthAudience

management/internals/shared/grpc/server.go

@@ -14,7 +14,6 @@ import (
 	"sync/atomic"
 	"time"
 
-	jwtv5 "github.com/golang-jwt/jwt/v5"
 	pb "github.com/golang/protobuf/proto" // nolint
 	"github.com/golang/protobuf/ptypes/timestamp"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
@@ -68,7 +67,6 @@ type Server struct {
 	appMetrics     telemetry.AppMetrics
 	peerLocks      sync.Map
 	authManager    auth.Manager
-	sessionStore   *auth.SessionStore
 
 	logBlockedPeers          bool
 	blockPeersWithSameConfig bool
@@ -100,7 +98,6 @@ func NewServer(
 	integratedPeerValidator integrated_validator.IntegratedValidator,
 	networkMapController network_map.Controller,
 	oAuthConfigProvider idp.OAuthConfigProvider,
-	sessionStore *auth.SessionStore,
 ) (*Server, error) {
 	if appMetrics != nil {
 		// update gauge based on number of connected peers which is equal to open gRPC streams
@@ -143,7 +140,6 @@ func NewServer(
 		integratedPeerValidator:  integratedPeerValidator,
 		networkMapController:     networkMapController,
 		oAuthConfigProvider:      oAuthConfigProvider,
-		sessionStore:             sessionStore,
 
 		loginFilter: newLoginFilter(),
 
@@ -539,7 +535,7 @@ func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID st
 	log.WithContext(ctx).Debugf("peer %s has been disconnected", peer.Key)
 }
 
-func (s *Server) validateToken(ctx context.Context, peerKey, jwtToken string) (string, error) {
+func (s *Server) validateToken(ctx context.Context, jwtToken string) (string, error) {
 	if s.authManager == nil {
 		return "", status.Errorf(codes.Internal, "missing auth manager")
 	}
@@ -549,10 +545,6 @@ func (s *Server) validateToken(ctx context.Context, peerKey, jwtToken string) (s
 		return "", status.Errorf(codes.InvalidArgument, "invalid jwt token, err: %v", err)
 	}
 
-	if err := s.claimLoginToken(ctx, peerKey, jwtToken, token); err != nil {
-		return "", err
-	}
-
 	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
 	accountId, _, err := s.accountManager.GetAccountIDFromUserAuth(ctx, userAuth)
 	if err != nil {
@@ -836,31 +828,6 @@ func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, ne
 	return loginResp, nil
 }
 
-func (s *Server) claimLoginToken(ctx context.Context, peerKey, jwtToken string, token *jwtv5.Token) error {
-	if s.sessionStore == nil || token == nil {
-		return nil
-	}
-
-	exp, err := token.Claims.GetExpirationTime()
-	if err != nil || exp == nil {
-		log.WithContext(ctx).Warnf("JWT has no usable exp claim for peer %s", peerKey)
-		return status.Error(codes.Unauthenticated, "jwt token has no expiration")
-	}
-
-	err = s.sessionStore.RegisterToken(ctx, jwtToken, exp.Time)
-	if err == nil {
-		return nil
-	}
-
-	if errors.Is(err, auth.ErrTokenAlreadyUsed) || errors.Is(err, auth.ErrTokenExpired) {
-		log.WithContext(ctx).Warnf("%v for peer %s", err, peerKey)
-		return status.Error(codes.Unauthenticated, err.Error())
-	}
-
-	log.WithContext(ctx).Warnf("failed to claim JWT for peer %s: %v", peerKey, err)
-	return status.Error(codes.Unavailable, "failed to claim jwt token")
-}
-
 // processJwtToken validates the existence of a JWT token in the login request, and returns the corresponding user ID if
 // the token is valid.
 //
@@ -871,7 +838,7 @@ func (s *Server) processJwtToken(ctx context.Context, loginReq *proto.LoginReque
 	if loginReq.GetJwtToken() != "" {
 		var err error
 		for i := 0; i < 3; i++ {
-			userID, err = s.validateToken(ctx, peerKey.String(), loginReq.GetJwtToken())
+			userID, err = s.validateToken(ctx, loginReq.GetJwtToken())
 			if err == nil {
 				break
 			}

management/server/auth/session.go

@@ -1,61 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/eko/gocache/lib/v4/cache"
-	"github.com/eko/gocache/lib/v4/store"
-)
-
-const (
-	usedTokenKeyPrefix = "jwt-used:"
-	usedTokenMarker    = "1"
-)
-
-var (
-	ErrTokenAlreadyUsed = errors.New("JWT already used")
-	ErrTokenExpired     = errors.New("JWT expired")
-)
-
-type SessionStore struct {
-	cache *cache.Cache[string]
-}
-
-func NewSessionStore(cacheStore store.StoreInterface) *SessionStore {
-	return &SessionStore{cache: cache.New[string](cacheStore)}
-}
-
-// RegisterToken records a JWT until its exp time and rejects reuse.
-func (s *SessionStore) RegisterToken(ctx context.Context, token string, expiresAt time.Time) error {
-	ttl := time.Until(expiresAt)
-	if ttl <= 0 {
-		return ErrTokenExpired
-	}
-
-	key := usedTokenKeyPrefix + hashToken(token)
-	_, err := s.cache.Get(ctx, key)
-	if err == nil {
-		return ErrTokenAlreadyUsed
-	}
-
-	var notFound *store.NotFound
-	if !errors.As(err, &notFound) {
-		return fmt.Errorf("failed to lookup used token entry: %w", err)
-	}
-
-	if err := s.cache.Set(ctx, key, usedTokenMarker, store.WithExpiration(ttl)); err != nil {
-		return fmt.Errorf("failed to store used token entry: %w", err)
-	}
-
-	return nil
-}
-
-func hashToken(token string) string {
-	sum := sha256.Sum256([]byte(token))
-	return hex.EncodeToString(sum[:])
-}

management/server/auth/session_test.go

@@ -1,82 +0,0 @@
-package auth
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
-)
-
-func newTestSessionStore(t *testing.T) *SessionStore {
-	t.Helper()
-	cacheStore, err := nbcache.NewStore(context.Background(), time.Hour, time.Hour, 100)
-	require.NoError(t, err)
-	return NewSessionStore(cacheStore)
-}
-
-func TestSessionStore_FirstRegisterSucceeds(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-
-	require.NoError(t, s.RegisterToken(ctx, "token", time.Now().Add(time.Hour)))
-}
-
-func TestSessionStore_RegisterSameTokenTwiceIsRejected(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	token := "token"
-	exp := time.Now().Add(time.Hour)
-
-	require.NoError(t, s.RegisterToken(ctx, token, exp))
-
-	err := s.RegisterToken(ctx, token, exp)
-	require.Error(t, err)
-	assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
-}
-
-func TestSessionStore_RegisterDifferentTokensAreIndependent(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	exp := time.Now().Add(time.Hour)
-
-	require.NoError(t, s.RegisterToken(ctx, "tokenA", exp))
-	require.NoError(t, s.RegisterToken(ctx, "tokenB", exp))
-}
-
-func TestSessionStore_RegisterWithPastExpiryIsRejected(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	token := "token"
-
-	err := s.RegisterToken(ctx, token, time.Now().Add(-time.Second))
-	require.Error(t, err)
-	assert.ErrorIs(t, err, ErrTokenExpired)
-}
-
-func TestSessionStore_EntryEvictsAtTTLAndAllowsReRegistration(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	token := "token"
-
-	require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond)))
-
-	err := s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond))
-	assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
-
-	time.Sleep(120 * time.Millisecond)
-
-	require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(time.Hour)))
-}
-
-func TestHashToken_StableAndDoesNotLeak(t *testing.T) {
-	a := hashToken("tokenA")
-	b := hashToken("tokenB")
-	assert.Equal(t, a, hashToken("tokenA"), "hash must be deterministic")
-	assert.NotEqual(t, a, b, "different tokens must hash differently")
-	assert.Len(t, a, 64, "sha256 hex must be 64 chars")
-	assert.NotContains(t, a, "tokenA", "raw token must not appear in hash")
-}

management/server/management_proto_test.go

@@ -391,7 +391,7 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
 		return nil, nil, "", cleanup, err
 	}
 
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, nil, "", cleanup, err
 	}

management/server/management_test.go

@@ -256,7 +256,6 @@ func startServer(
 		server.MockIntegratedValidator{},
 		networkMapController,
 		nil,
-		nil,
 	)
 	if err != nil {
 		t.Fatalf("failed creating management server: %v", err)

management/server/peer.go

@@ -33,8 +33,8 @@ import (
 
 const remoteJobsMinVer = "0.64.0"
 
-// GetPeers returns peers visible to the user within an account.
-// Users with "peers:read" see all peers. Otherwise, users see only their own peers, or none if restricted by account settings.
+// GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
+// the current user is not an admin.
 func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
 	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 	if err != nil {
@@ -46,8 +46,14 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return nil, status.NewPermissionValidationError(err)
 	}
 
+	accountPeers, err := am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
+	if err != nil {
+		return nil, err
+	}
+
+	// @note if the user has permission to read peers it shows all account peers
 	if allowed {
-		return am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
+		return accountPeers, nil
 	}
 
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
@@ -59,7 +65,41 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return []*nbpeer.Peer{}, nil
 	}
 
-	return am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
+	// @note if it does not have permission read peers then only display it's own peers
+	peers := make([]*nbpeer.Peer, 0)
+	peersMap := make(map[string]*nbpeer.Peer)
+
+	for _, peer := range accountPeers {
+		if user.Id != peer.UserID {
+			continue
+		}
+		peers = append(peers, peer)
+		peersMap[peer.ID] = peer
+	}
+
+	return am.getUserAccessiblePeers(ctx, accountID, peersMap, peers)
+}
+
+func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, accountID string, peersMap map[string]*nbpeer.Peer, peers []*nbpeer.Peer) ([]*nbpeer.Peer, error) {
+	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return nil, err
+	}
+
+	// fetch all the peers that have access to the user's peers
+	for _, peer := range peers {
+		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, peer, approvedPeersMap, account.GetActiveGroupUsers())
+		for _, p := range aclPeers {
+			peersMap[p.ID] = p
+		}
+	}
+
+	return maps.Values(peersMap), nil
 }
 
 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
@@ -1190,8 +1230,7 @@ func peerLoginExpired(ctx context.Context, peer *nbpeer.Peer, settings *types.Se
 	return false
 }
 
-// GetPeer returns a peer visible to the user within an account.
-// Users with "peers:read" permission can access any peer. Otherwise, users can access only their own peer.
+// GetPeer for a given accountID, peerID and userID error if not found.
 func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	peer, err := am.Store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 	if err != nil {
@@ -1216,6 +1255,36 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 		return peer, nil
 	}
 
+	return am.checkIfUserOwnsPeer(ctx, accountID, userID, peer)
+}
+
+func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error) {
+	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return nil, err
+	}
+
+	// it is also possible that user doesn't own the peer but some of his peers have access to it,
+	// this is a valid case, show the peer as well.
+	userPeers, err := am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, p := range userPeers {
+		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, p, approvedPeersMap, account.GetActiveGroupUsers())
+		for _, aclPeer := range aclPeers {
+			if aclPeer.ID == peer.ID {
+				return peer, nil
+			}
+		}
+	}
+
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peer.ID, accountID)
 }
 

management/server/peer_test.go

@@ -559,9 +559,25 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	}
 	assert.NotNil(t, peer)
 
-	// the user can NOT see peer2 because it is not owned by them.
-	// Regular users only see peers they directly own.
-	_, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
+	// the user can see peer2 because peer1 of the user has access to peer2 due to the All group and the default rule 0 all-to-all access
+	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	assert.NotNil(t, peer)
+
+	// delete the all-to-all policy so that user's peer1 has no access to peer2
+	for _, policy := range account.Policies {
+		err = manager.DeletePolicy(context.Background(), accountID, policy.ID, adminUser)
+		if err != nil {
+			t.Fatal(err)
+			return
+		}
+	}
+
+	// at this point the user can't see the details of peer2
+	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser) //nolint
 	assert.Error(t, err)
 
 	// admin users can always access all the peers

shared/management/client/client_test.go

@@ -138,7 +138,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}