Merge branch 'nat-pmp-upnp' into pcp-support

# Conflicts:
#	client/internal/portforward/manager.go

.github/workflows/check-license-dependencies.yml

@@ -31,7 +31,7 @@ jobs:
           while IFS= read -r dir; do
             echo "=== Checking $dir ==="
             # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
             if [ -n "$RESULTS" ]; then
               echo "❌ Found problematic dependencies:"
               echo "$RESULTS"
@@ -88,7 +88,7 @@ jobs:
               IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
               # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
 
               if [ -n "$BSD_IMPORTER" ]; then
                 echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"

.github/workflows/golangci-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te
           skip: go.mod,go.sum,**/proxy/web/**
   golangci:
     strategy:

.goreleaser.yaml

@@ -154,26 +154,6 @@ builds:
       - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-idp-migrate
-    dir: tools/idp-migrate
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-idp-migrate
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
   - id: netbird
 
@@ -186,10 +166,6 @@ archives:
       - netbird-wasm
     name_template: "{{ .ProjectName }}_{{ .Version }}"
     format: binary
-  - id: netbird-idp-migrate
-    builds:
-      - netbird-idp-migrate
-    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

CONTRIBUTOR_LICENSE_AGREEMENT.md

@@ -1,7 +1,7 @@
 ##  Contributor License Agreement
 
 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 

client/android/client.go

@@ -205,7 +205,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 		pi := PeerInfo{
 			p.IP,
 			p.FQDN,
-			int(p.ConnStatus),
+			p.ConnStatus.String(),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi

client/android/peer_notifier.go

@@ -2,20 +2,11 @@
 
 package android
 
-import "github.com/netbirdio/netbird/client/internal/peer"
-
-// Connection status constants exported via gomobile.
-const (
-	ConnStatusIdle       = int(peer.StatusIdle)
-	ConnStatusConnecting = int(peer.StatusConnecting)
-	ConnStatusConnected  = int(peer.StatusConnected)
-)
-
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
 	FQDN       string
-	ConnStatus int
+	ConnStatus string // Todo replace to enum
 	Routes     PeerRoutes
 }
 

client/cmd/service_params_test.go

@@ -25,10 +25,10 @@ func TestServiceParamsPath(t *testing.T) {
 	t.Cleanup(func() { configs.StateDir = original })
 
 	configs.StateDir = "/var/lib/netbird"
-	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
+	assert.Equal(t, "/var/lib/netbird/service.json", serviceParamsPath())
 
 	configs.StateDir = "/custom/state"
-	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
+	assert.Equal(t, "/custom/state/service.json", serviceParamsPath())
 }
 
 func TestSaveAndLoadServiceParams(t *testing.T) {

client/internal/auth/auth.go

@@ -221,7 +221,7 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro
 	config := &PKCEAuthProviderConfig{
 		Audience:              protoConfig.GetAudience(),
 		ClientID:              protoConfig.GetClientID(),
-		ClientSecret:          protoConfig.GetClientSecret(), //nolint:staticcheck
+		ClientSecret:          protoConfig.GetClientSecret(),
 		TokenEndpoint:         protoConfig.GetTokenEndpoint(),
 		AuthorizationEndpoint: protoConfig.GetAuthorizationEndpoint(),
 		Scope:                 protoConfig.GetScope(),
@@ -266,7 +266,7 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 	config := &DeviceAuthProviderConfig{
 		Audience:           protoConfig.GetAudience(),
 		ClientID:           protoConfig.GetClientID(),
-		ClientSecret:       protoConfig.GetClientSecret(), //nolint:staticcheck
+		ClientSecret:       protoConfig.GetClientSecret(),
 		Domain:             protoConfig.Domain,
 		TokenEndpoint:      protoConfig.GetTokenEndpoint(),
 		DeviceAuthEndpoint: protoConfig.GetDeviceAuthEndpoint(),

client/internal/connect.go

@@ -44,10 +44,6 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
-// androidRunOverride is set on Android to inject mobile dependencies
-// when using embed.Client (which calls Run() with empty MobileDependency).
-var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath string) error
-
 type ConnectClient struct {
 	ctx            context.Context
 	config         *profilemanager.Config
@@ -80,9 +76,6 @@ func (c *ConnectClient) SetUpdateManager(um *updater.Manager) {
 
 // Run with main logic.
 func (c *ConnectClient) Run(runningChan chan struct{}, logPath string) error {
-	if androidRunOverride != nil {
-		return androidRunOverride(c, runningChan, logPath)
-	}
 	return c.run(MobileDependency{}, runningChan, logPath)
 }
 

client/internal/connect_android_default.go

@@ -1,73 +0,0 @@
-//go:build android
-
-package internal
-
-import (
-	"net/netip"
-
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-// noopIFaceDiscover is a stub ExternalIFaceDiscover for embed.Client on Android.
-// It returns an empty interface list, which means ICE P2P candidates won't be
-// discovered — connections will fall back to relay. Applications that need P2P
-// should provide a real implementation via runOnAndroidEmbed that uses
-// Android's ConnectivityManager to enumerate network interfaces.
-type noopIFaceDiscover struct{}
-
-func (noopIFaceDiscover) IFaces() (string, error) {
-	// Return empty JSON array — no local interfaces advertised for ICE.
-	// This is intentional: without Android's ConnectivityManager, we cannot
-	// reliably enumerate interfaces (netlink is restricted on Android 11+).
-	// Relay connections still work; only P2P hole-punching is disabled.
-	return "[]", nil
-}
-
-// noopNetworkChangeListener is a stub for embed.Client on Android.
-// Network change events are ignored since the embed client manages its own
-// reconnection logic via the engine's built-in retry mechanism.
-type noopNetworkChangeListener struct{}
-
-func (noopNetworkChangeListener) OnNetworkChanged(string) {
-	// No-op: embed.Client relies on the engine's internal reconnection
-	// logic rather than OS-level network change notifications.
-}
-
-func (noopNetworkChangeListener) SetInterfaceIP(string) {
-	// No-op: in netstack mode, the overlay IP is managed by the userspace
-	// network stack, not by OS-level interface configuration.
-}
-
-// noopDnsReadyListener is a stub for embed.Client on Android.
-// DNS readiness notifications are not needed in netstack/embed mode
-// since system DNS is disabled and DNS resolution happens externally.
-type noopDnsReadyListener struct{}
-
-func (noopDnsReadyListener) OnReady() {
-	// No-op: embed.Client does not need DNS readiness notifications.
-	// System DNS is disabled in netstack mode.
-}
-
-var _ stdnet.ExternalIFaceDiscover = noopIFaceDiscover{}
-var _ listener.NetworkChangeListener = noopNetworkChangeListener{}
-var _ dns.ReadyListener = noopDnsReadyListener{}
-
-func init() {
-	// Wire up the default override so embed.Client.Start() works on Android
-	// with netstack mode. Provides complete no-op stubs for all mobile
-	// dependencies so the engine's existing Android code paths work unchanged.
-	// Applications that need P2P ICE or real DNS should replace this by
-	// setting androidRunOverride before calling Start().
-	androidRunOverride = func(c *ConnectClient, runningChan chan struct{}, logPath string) error {
-		return c.runOnAndroidEmbed(
-			noopIFaceDiscover{},
-			noopNetworkChangeListener{},
-			[]netip.AddrPort{},
-			noopDnsReadyListener{},
-			runningChan,
-			logPath,
-		)
-	}
-}

client/internal/connect_android_embed.go

@@ -1,32 +0,0 @@
-//go:build android
-
-package internal
-
-import (
-	"net/netip"
-
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-// runOnAndroidEmbed is like RunOnAndroid but accepts a runningChan
-// so embed.Client.Start() can detect when the engine is ready.
-// It provides complete MobileDependency so the engine's existing
-// Android code paths work unchanged.
-func (c *ConnectClient) runOnAndroidEmbed(
-	iFaceDiscover stdnet.ExternalIFaceDiscover,
-	networkChangeListener listener.NetworkChangeListener,
-	dnsAddresses []netip.AddrPort,
-	dnsReadyListener dns.ReadyListener,
-	runningChan chan struct{},
-	logPath string,
-) error {
-	mobileDependency := MobileDependency{
-		IFaceDiscover:         iFaceDiscover,
-		NetworkChangeListener: networkChangeListener,
-		HostDNSAddresses:      dnsAddresses,
-		DnsReadyListener:      dnsReadyListener,
-	}
-	return c.run(mobileDependency, runningChan, logPath)
-}

client/internal/dns/local/local_test.go

@@ -1263,9 +1263,9 @@ func TestLocalResolver_AuthoritativeFlag(t *testing.T) {
 	})
 }
 
-// TestLocalResolver_Stop tests cleanup on Stop
+// TestLocalResolver_Stop tests cleanup on GracefullyStop
 func TestLocalResolver_Stop(t *testing.T) {
-	t.Run("Stop clears all state", func(t *testing.T) {
+	t.Run("GracefullyStop clears all state", func(t *testing.T) {
 		resolver := NewResolver()
 		resolver.Update([]nbdns.CustomZone{{
 			Domain: "example.com.",
@@ -1285,7 +1285,7 @@ func TestLocalResolver_Stop(t *testing.T) {
 		assert.False(t, resolver.isInManagedZone("host.example.com."))
 	})
 
-	t.Run("Stop is safe to call multiple times", func(t *testing.T) {
+	t.Run("GracefullyStop is safe to call multiple times", func(t *testing.T) {
 		resolver := NewResolver()
 		resolver.Update([]nbdns.CustomZone{{
 			Domain: "example.com.",
@@ -1299,7 +1299,7 @@ func TestLocalResolver_Stop(t *testing.T) {
 		resolver.Stop()
 	})
 
-	t.Run("Stop cancels in-flight external resolution", func(t *testing.T) {
+	t.Run("GracefullyStop cancels in-flight external resolution", func(t *testing.T) {
 		resolver := NewResolver()
 
 		lookupStarted := make(chan struct{})

client/internal/engine.go

@@ -46,6 +46,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
@@ -210,9 +211,10 @@ type Engine struct {
 	// checks are the client-applied posture checks that need to be evaluated on the client
 	checks []*mgmProto.Checks
 
-	relayManager *relayClient.Manager
-	stateManager *statemanager.Manager
-	srWatcher    *guard.SRWatcher
+	relayManager       *relayClient.Manager
+	stateManager       *statemanager.Manager
+	portForwardManager *portforward.Manager
+	srWatcher          *guard.SRWatcher
 
 	// Sync response persistence (protected by syncRespMux)
 	syncRespMux         sync.RWMutex
@@ -259,26 +261,27 @@ func NewEngine(
 	mobileDep MobileDependency,
 ) *Engine {
 	engine := &Engine{
-		clientCtx:      clientCtx,
-		clientCancel:   clientCancel,
-		signal:         services.SignalClient,
-		signaler:       peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
-		mgmClient:      services.MgmClient,
-		relayManager:   services.RelayManager,
-		peerStore:      peerstore.NewConnStore(),
-		syncMsgMux:     &sync.Mutex{},
-		config:         config,
-		mobileDep:      mobileDep,
-		STUNs:          []*stun.URI{},
-		TURNs:          []*stun.URI{},
-		networkSerial:  0,
-		statusRecorder: services.StatusRecorder,
-		stateManager:   services.StateManager,
-		checks:         services.Checks,
-		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
-		jobExecutor:    jobexec.NewExecutor(),
-		clientMetrics:  services.ClientMetrics,
-		updateManager:  services.UpdateManager,
+		clientCtx:          clientCtx,
+		clientCancel:       clientCancel,
+		signal:             services.SignalClient,
+		signaler:           peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
+		mgmClient:          services.MgmClient,
+		relayManager:       services.RelayManager,
+		peerStore:          peerstore.NewConnStore(),
+		syncMsgMux:         &sync.Mutex{},
+		config:             config,
+		mobileDep:          mobileDep,
+		STUNs:              []*stun.URI{},
+		TURNs:              []*stun.URI{},
+		networkSerial:      0,
+		statusRecorder:     services.StatusRecorder,
+		stateManager:       services.StateManager,
+		portForwardManager: portforward.NewManager(),
+		checks:             services.Checks,
+		probeStunTurn:      relay.NewStunTurnProbe(relay.DefaultCacheTTL),
+		jobExecutor:        jobexec.NewExecutor(),
+		clientMetrics:      services.ClientMetrics,
+		updateManager:      services.UpdateManager,
 	}
 
 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
@@ -532,6 +535,13 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	// conntrack entries from being created before the rules are in place
 	e.setupWGProxyNoTrack()
 
+	// Start after interface is up since port may have been resolved from 0 or changed if occupied
+	e.shutdownWg.Add(1)
+	go func() {
+		defer e.shutdownWg.Done()
+		e.portForwardManager.Start(e.ctx, uint16(e.config.WgPort))
+	}()
+
 	// Set the WireGuard interface for rosenpass after interface is up
 	if e.rpManager != nil {
 		e.rpManager.SetInterface(e.wgInterface)
@@ -1535,12 +1545,13 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
-		StatusRecorder:  e.statusRecorder,
-		Signaler:        e.signaler,
-		IFaceDiscover:   e.mobileDep.IFaceDiscover,
-		RelayManager:    e.relayManager,
-		SrWatcher:       e.srWatcher,
-		MetricsRecorder: e.clientMetrics,
+		StatusRecorder:     e.statusRecorder,
+		Signaler:           e.signaler,
+		IFaceDiscover:      e.mobileDep.IFaceDiscover,
+		RelayManager:       e.relayManager,
+		SrWatcher:          e.srWatcher,
+		PortForwardManager: e.portForwardManager,
+		MetricsRecorder:    e.clientMetrics,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1697,6 +1708,12 @@ func (e *Engine) close() {
 	if e.rpManager != nil {
 		_ = e.rpManager.Close()
 	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	if err := e.portForwardManager.GracefullyStop(ctx); err != nil {
+		log.Warnf("failed to gracefully stop port forwarding manager: %s", err)
+	}
 }
 
 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, error) {

client/internal/peer/conn.go

@@ -22,6 +22,7 @@ import (
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
+	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -45,6 +46,7 @@ type ServiceDependencies struct {
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
+	PortForwardManager *portforward.Manager
 	MetricsRecorder    MetricsRecorder
 }
 
@@ -87,16 +89,17 @@ type ConnConfig struct {
 }
 
 type Conn struct {
-	Log            *log.Entry
-	mu             sync.Mutex
-	ctx            context.Context
-	ctxCancel      context.CancelFunc
-	config         ConnConfig
-	statusRecorder *Status
-	signaler       *Signaler
-	iFaceDiscover  stdnet.ExternalIFaceDiscover
-	relayManager   *relayClient.Manager
-	srWatcher      *guard.SRWatcher
+	Log                *log.Entry
+	mu                 sync.Mutex
+	ctx                context.Context
+	ctxCancel          context.CancelFunc
+	config             ConnConfig
+	statusRecorder     *Status
+	signaler           *Signaler
+	iFaceDiscover      stdnet.ExternalIFaceDiscover
+	relayManager       *relayClient.Manager
+	srWatcher          *guard.SRWatcher
+	portForwardManager *portforward.Manager
 
 	onConnected                               func(remoteWireGuardKey string, remoteRosenpassPubKey []byte, wireGuardIP string, remoteRosenpassAddr string)
 	onDisconnected                            func(remotePeer string)
@@ -145,19 +148,20 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 
 	dumpState := newStateDump(config.Key, connLog, services.StatusRecorder)
 	var conn = &Conn{
-		Log:             connLog,
-		config:          config,
-		statusRecorder:  services.StatusRecorder,
-		signaler:        services.Signaler,
-		iFaceDiscover:   services.IFaceDiscover,
-		relayManager:    services.RelayManager,
-		srWatcher:       services.SrWatcher,
-		statusRelay:     worker.NewAtomicStatus(),
-		statusICE:       worker.NewAtomicStatus(),
-		dumpState:       dumpState,
-		endpointUpdater: NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
-		wgWatcher:       NewWGWatcher(connLog, config.WgConfig.WgInterface, config.Key, dumpState),
-		metricsRecorder: services.MetricsRecorder,
+		Log:                connLog,
+		config:             config,
+		statusRecorder:     services.StatusRecorder,
+		signaler:           services.Signaler,
+		iFaceDiscover:      services.IFaceDiscover,
+		relayManager:       services.RelayManager,
+		srWatcher:          services.SrWatcher,
+		portForwardManager: services.PortForwardManager,
+		statusRelay:        worker.NewAtomicStatus(),
+		statusICE:          worker.NewAtomicStatus(),
+		dumpState:          dumpState,
+		endpointUpdater:    NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
+		wgWatcher:          NewWGWatcher(connLog, config.WgConfig.WgInterface, config.Key, dumpState),
+		metricsRecorder:    services.MetricsRecorder,
 	}
 
 	return conn, nil

client/internal/peer/worker_ice.go

@@ -16,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/peer/conntype"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
+	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 )
@@ -61,6 +62,9 @@ type WorkerICE struct {
 
 	// we record the last known state of the ICE agent to avoid duplicate on disconnected events
 	lastKnownState ice.ConnectionState
+
+	// portForwardAttempted tracks if we've already tried port forwarding this session
+	portForwardAttempted bool
 }
 
 func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, conn *Conn, signaler *Signaler, ifaceDiscover stdnet.ExternalIFaceDiscover, statusRecorder *Status, hasRelayOnLocally bool) (*WorkerICE, error) {
@@ -214,6 +218,8 @@ func (w *WorkerICE) Close() {
 }
 
 func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
+	w.portForwardAttempted = false
+
 	agent, err := icemaker.NewAgent(w.ctx, w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
@@ -370,6 +376,93 @@ func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
 			w.log.Errorf("failed signaling candidate to the remote peer %s %s", w.config.Key, err)
 		}
 	}()
+
+	if candidate.Type() == ice.CandidateTypeServerReflexive {
+		w.injectPortForwardedCandidate(candidate)
+	}
+}
+
+// injectPortForwardedCandidate signals an additional candidate using the pre-created port mapping.
+func (w *WorkerICE) injectPortForwardedCandidate(srflxCandidate ice.Candidate) {
+	pfManager := w.conn.portForwardManager
+	if pfManager == nil {
+		return
+	}
+
+	mapping := pfManager.GetMapping()
+	if mapping == nil {
+		return
+	}
+
+	w.muxAgent.Lock()
+	if w.portForwardAttempted {
+		w.muxAgent.Unlock()
+		return
+	}
+	w.portForwardAttempted = true
+	w.muxAgent.Unlock()
+
+	forwardedCandidate, err := w.createForwardedCandidate(srflxCandidate, mapping)
+	if err != nil {
+		w.log.Warnf("create forwarded candidate: %v", err)
+		return
+	}
+
+	w.log.Debugf("injecting port-forwarded candidate: %s (mapping: %d -> %d via %s, priority: %d)",
+		forwardedCandidate.String(), mapping.InternalPort, mapping.ExternalPort, mapping.NATType, forwardedCandidate.Priority())
+
+	go func() {
+		if err := w.signaler.SignalICECandidate(forwardedCandidate, w.config.Key); err != nil {
+			w.log.Errorf("signal port-forwarded candidate: %v", err)
+		}
+	}()
+}
+
+// createForwardedCandidate creates a new server reflexive candidate with the forwarded port.
+// It uses the NAT gateway's external IP with the forwarded port.
+func (w *WorkerICE) createForwardedCandidate(srflxCandidate ice.Candidate, mapping *portforward.Mapping) (ice.Candidate, error) {
+	var externalIP string
+	if mapping.ExternalIP != nil && !mapping.ExternalIP.IsUnspecified() {
+		externalIP = mapping.ExternalIP.String()
+	} else {
+		// Fallback to STUN-discovered address if NAT didn't provide external IP
+		externalIP = srflxCandidate.Address()
+	}
+
+	// Per RFC 8445, the related address for srflx is the base (host candidate address).
+	// If the original srflx has unspecified related address, use its own address as base.
+	relAddr := srflxCandidate.RelatedAddress().Address
+	if relAddr == "" || relAddr == "0.0.0.0" || relAddr == "::" {
+		relAddr = srflxCandidate.Address()
+	}
+
+	// Arbitrary +1000 boost on top of RFC 8445 priority to favor port-forwarded candidates
+	// over regular srflx during ICE connectivity checks.
+	priority := srflxCandidate.Priority() + 1000
+
+	candidate, err := ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
+		Network:   srflxCandidate.NetworkType().String(),
+		Address:   externalIP,
+		Port:      int(mapping.ExternalPort),
+		Component: srflxCandidate.Component(),
+		Priority:  priority,
+		RelAddr:   relAddr,
+		RelPort:   int(mapping.InternalPort),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("create candidate: %w", err)
+	}
+
+	for _, e := range srflxCandidate.Extensions() {
+		if e.Key == ice.ExtensionKeyCandidateID {
+			e.Value = srflxCandidate.ID()
+		}
+		if err := candidate.AddExtension(e); err != nil {
+			return nil, fmt.Errorf("add extension: %w", err)
+		}
+	}
+
+	return candidate, nil
 }
 
 func (w *WorkerICE) onICESelectedCandidatePair(agent *icemaker.ThreadSafeAgent, c1, c2 ice.Candidate) {
@@ -411,10 +504,10 @@ func (w *WorkerICE) logSuccessfulPaths(agent *icemaker.ThreadSafeAgent) {
 			if !lok || !rok {
 				continue
 			}
-			w.log.Debugf("successful ICE path %s: [%s %s %s] <-> [%s %s %s] rtt=%.3fms",
+			w.log.Debugf("successful ICE path %s: [%s %s %s:%d] <-> [%s %s %s:%d] rtt=%.3fms",
 				sessionID,
-				local.NetworkType(), local.Type(), local.Address(),
-				remote.NetworkType(), remote.Type(), remote.Address(),
+				local.NetworkType(), local.Type(), local.Address(), local.Port(),
+				remote.NetworkType(), remote.Type(), remote.Address(), remote.Port(),
 				stat.CurrentRoundTripTime*1000)
 		}
 	}

client/internal/portforward/env.go

@@ -0,0 +1,35 @@
+package portforward
+
+import (
+	"os"
+	"strconv"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	envDisableNATMapper      = "NB_DISABLE_NAT_MAPPER"
+	envDisablePCPHealthCheck = "NB_DISABLE_PCP_HEALTH_CHECK"
+)
+
+func isDisabledByEnv() bool {
+	return parseBoolEnv(envDisableNATMapper)
+}
+
+func isHealthCheckDisabled() bool {
+	return parseBoolEnv(envDisablePCPHealthCheck)
+}
+
+func parseBoolEnv(key string) bool {
+	val := os.Getenv(key)
+	if val == "" {
+		return false
+	}
+
+	disabled, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", key, err)
+		return false
+	}
+	return disabled
+}

client/internal/portforward/manager.go

@@ -0,0 +1,298 @@
+//go:build !js
+
+package portforward
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/libp2p/go-nat"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/portforward/pcp"
+)
+
+const (
+	defaultMappingTTL   = 2 * time.Hour
+	renewalInterval     = defaultMappingTTL / 2
+	healthCheckInterval = 1 * time.Minute
+	discoveryTimeout    = 10 * time.Second
+	mappingDescription  = "NetBird"
+)
+
+type Mapping struct {
+	Protocol     string
+	InternalPort uint16
+	ExternalPort uint16
+	ExternalIP   net.IP
+	NATType      string
+}
+
+type Manager struct {
+	cancel context.CancelFunc
+
+	mapping     *Mapping
+	mappingLock sync.Mutex
+
+	wgPort uint16
+
+	done    chan struct{}
+	stopCtx chan context.Context
+
+	// protect exported functions
+	mu sync.Mutex
+}
+
+func NewManager() *Manager {
+	return &Manager{
+		stopCtx: make(chan context.Context, 1),
+	}
+}
+
+func (m *Manager) Start(ctx context.Context, wgPort uint16) {
+	m.mu.Lock()
+	if m.cancel != nil {
+		m.mu.Unlock()
+		return
+	}
+
+	if isDisabledByEnv() {
+		log.Infof("NAT port mapper disabled via %s", envDisableNATMapper)
+		m.mu.Unlock()
+		return
+	}
+
+	if wgPort == 0 {
+		log.Warnf("invalid WireGuard port 0; NAT mapping disabled")
+		m.mu.Unlock()
+		return
+	}
+	m.wgPort = wgPort
+
+	m.done = make(chan struct{})
+	defer close(m.done)
+
+	ctx, m.cancel = context.WithCancel(ctx)
+	m.mu.Unlock()
+
+	gateway, mapping, err := m.setup(ctx)
+	if err != nil {
+		log.Errorf("failed to setup NAT port mapping: %v", err)
+
+		return
+	}
+
+	m.mappingLock.Lock()
+	m.mapping = mapping
+	m.mappingLock.Unlock()
+
+	m.renewLoop(ctx, gateway)
+
+	select {
+	case cleanupCtx := <-m.stopCtx:
+		// block the Start while cleaned up gracefully
+		m.cleanup(cleanupCtx, gateway)
+	default:
+		// return Start immediately and cleanup in background
+		cleanupCtx, cleanupCancel := context.WithTimeout(context.Background(), 10*time.Second)
+		go func() {
+			defer cleanupCancel()
+			m.cleanup(cleanupCtx, gateway)
+		}()
+	}
+}
+
+// GetMapping returns the current mapping if ready, nil otherwise
+func (m *Manager) GetMapping() *Mapping {
+	m.mappingLock.Lock()
+	defer m.mappingLock.Unlock()
+
+	if m.mapping == nil {
+		return nil
+	}
+
+	mapping := *m.mapping
+	return &mapping
+}
+
+// GracefullyStop cancels the manager and attempts to delete the port mapping.
+// After GracefullyStop returns, the manager cannot be restarted.
+func (m *Manager) GracefullyStop(ctx context.Context) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.cancel == nil {
+		return nil
+	}
+
+	// Send cleanup context before cancelling, so Start picks it up after renewLoop exits.
+	m.startTearDown(ctx)
+
+	m.cancel()
+	m.cancel = nil
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-m.done:
+		return nil
+	}
+}
+
+func (m *Manager) setup(ctx context.Context) (nat.NAT, *Mapping, error) {
+	discoverCtx, discoverCancel := context.WithTimeout(ctx, discoveryTimeout)
+	defer discoverCancel()
+
+	gateway, err := discoverGateway(discoverCtx)
+	if err != nil {
+		log.Infof("NAT gateway discovery failed: %v (port forwarding disabled)", err)
+		return nil, nil, err
+	}
+
+	log.Infof("discovered NAT gateway: %s", gateway.Type())
+
+	mapping, err := m.createMapping(ctx, gateway)
+	if err != nil {
+		log.Warnf("failed to create port mapping: %v", err)
+		return nil, nil, err
+	}
+	return gateway, mapping, nil
+}
+
+func (m *Manager) createMapping(ctx context.Context, gateway nat.NAT) (*Mapping, error) {
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	externalPort, err := gateway.AddPortMapping(ctx, "udp", int(m.wgPort), mappingDescription, defaultMappingTTL)
+	if err != nil {
+		return nil, err
+	}
+
+	externalIP, err := gateway.GetExternalAddress()
+	if err != nil {
+		log.Debugf("failed to get external address: %v", err)
+	}
+
+	mapping := &Mapping{
+		Protocol:     "udp",
+		InternalPort: m.wgPort,
+		ExternalPort: uint16(externalPort),
+		ExternalIP:   externalIP,
+		NATType:      gateway.Type(),
+	}
+
+	log.Infof("created port mapping: %d -> %d via %s (external IP: %s)",
+		m.wgPort, externalPort, gateway.Type(), externalIP)
+	return mapping, nil
+}
+
+func (m *Manager) renewLoop(ctx context.Context, gateway nat.NAT) {
+	renewTicker := time.NewTicker(renewalInterval)
+	healthTicker := time.NewTicker(healthCheckInterval)
+	defer renewTicker.Stop()
+	defer healthTicker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-renewTicker.C:
+			if err := m.renewMapping(ctx, gateway); err != nil {
+				log.Warnf("failed to renew port mapping: %v", err)
+				continue
+			}
+		case <-healthTicker.C:
+			if m.checkHealthAndRecreate(ctx, gateway) {
+				renewTicker.Reset(renewalInterval)
+			}
+		}
+	}
+}
+
+func (m *Manager) checkHealthAndRecreate(ctx context.Context, gateway nat.NAT) bool {
+	if isHealthCheckDisabled() {
+		return false
+	}
+
+	m.mappingLock.Lock()
+	hasMapping := m.mapping != nil
+	m.mappingLock.Unlock()
+
+	if !hasMapping {
+		return false
+	}
+
+	pcpNAT, ok := gateway.(*pcp.NAT)
+	if !ok {
+		return false
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	epoch, serverRestarted, err := pcpNAT.CheckServerHealth(ctx)
+	if err != nil {
+		log.Debugf("PCP health check failed: %v", err)
+		return false
+	}
+
+	if serverRestarted {
+		log.Warnf("PCP server restart detected (epoch=%d), recreating port mapping", epoch)
+		if err := m.renewMapping(ctx, gateway); err != nil {
+			log.Errorf("failed to recreate port mapping after server restart: %v", err)
+			return false
+		}
+		return true
+	}
+
+	return false
+}
+
+func (m *Manager) renewMapping(ctx context.Context, gateway nat.NAT) error {
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	externalPort, err := gateway.AddPortMapping(ctx, m.mapping.Protocol, int(m.mapping.InternalPort), mappingDescription, defaultMappingTTL)
+	if err != nil {
+		return fmt.Errorf("add port mapping: %w", err)
+	}
+
+	if uint16(externalPort) != m.mapping.ExternalPort {
+		log.Warnf("external port changed on renewal: %d -> %d (candidate may be stale)", m.mapping.ExternalPort, externalPort)
+		m.mappingLock.Lock()
+		m.mapping.ExternalPort = uint16(externalPort)
+		m.mappingLock.Unlock()
+	}
+
+	log.Debugf("renewed port mapping: %d -> %d", m.mapping.InternalPort, m.mapping.ExternalPort)
+	return nil
+}
+
+func (m *Manager) cleanup(ctx context.Context, gateway nat.NAT) {
+	m.mappingLock.Lock()
+	mapping := m.mapping
+	m.mapping = nil
+	m.mappingLock.Unlock()
+
+	if mapping == nil {
+		return
+	}
+
+	if err := gateway.DeletePortMapping(ctx, mapping.Protocol, int(mapping.InternalPort)); err != nil {
+		log.Warnf("delete port mapping on stop: %v", err)
+		return
+	}
+
+	log.Infof("deleted port mapping for port %d", mapping.InternalPort)
+}
+
+func (m *Manager) startTearDown(ctx context.Context) {
+	select {
+	case m.stopCtx <- ctx:
+	default:
+	}
+}
+

client/internal/portforward/manager_js.go

@@ -0,0 +1,36 @@
+package portforward
+
+import (
+	"context"
+	"net"
+)
+
+// Mapping represents port mapping information.
+type Mapping struct {
+	Protocol     string
+	InternalPort uint16
+	ExternalPort uint16
+	ExternalIP   net.IP
+	NATType      string
+}
+
+// Manager is a stub for js/wasm builds where NAT-PMP/UPnP is not supported.
+type Manager struct{}
+
+// NewManager returns a stub manager for js/wasm builds.
+func NewManager() *Manager {
+	return &Manager{}
+}
+
+// Start is a no-op on js/wasm: NAT-PMP/UPnP is not available in browser environments.
+func (m *Manager) Start(context.Context, uint16) {
+	// no NAT traversal in wasm
+}
+
+// GracefullyStop is a no-op on js/wasm.
+func (m *Manager) GracefullyStop(context.Context) error { return nil }
+
+// GetMapping always returns nil on js/wasm.
+func (m *Manager) GetMapping() *Mapping {
+	return nil
+}

client/internal/portforward/manager_test.go

@@ -0,0 +1,159 @@
+//go:build !js
+
+package portforward
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/libp2p/go-nat"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type mockNAT struct {
+	natType          string
+	deviceAddr       net.IP
+	externalAddr     net.IP
+	internalAddr     net.IP
+	mappings         map[int]int
+	addMappingErr    error
+	deleteMappingErr error
+}
+
+func newMockNAT() *mockNAT {
+	return &mockNAT{
+		natType:      "Mock-NAT",
+		deviceAddr:   net.ParseIP("192.168.1.1"),
+		externalAddr: net.ParseIP("203.0.113.50"),
+		internalAddr: net.ParseIP("192.168.1.100"),
+		mappings:     make(map[int]int),
+	}
+}
+
+func (m *mockNAT) Type() string {
+	return m.natType
+}
+
+func (m *mockNAT) GetDeviceAddress() (net.IP, error) {
+	return m.deviceAddr, nil
+}
+
+func (m *mockNAT) GetExternalAddress() (net.IP, error) {
+	return m.externalAddr, nil
+}
+
+func (m *mockNAT) GetInternalAddress() (net.IP, error) {
+	return m.internalAddr, nil
+}
+
+func (m *mockNAT) AddPortMapping(ctx context.Context, protocol string, internalPort int, description string, timeout time.Duration) (int, error) {
+	if m.addMappingErr != nil {
+		return 0, m.addMappingErr
+	}
+	externalPort := internalPort
+	m.mappings[internalPort] = externalPort
+	return externalPort, nil
+}
+
+func (m *mockNAT) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
+	if m.deleteMappingErr != nil {
+		return m.deleteMappingErr
+	}
+	delete(m.mappings, internalPort)
+	return nil
+}
+
+func TestManager_CreateMapping(t *testing.T) {
+	m := NewManager()
+	m.wgPort = 51820
+
+	gateway := newMockNAT()
+	mapping, err := m.createMapping(context.Background(), gateway)
+	require.NoError(t, err)
+	require.NotNil(t, mapping)
+
+	assert.Equal(t, "udp", mapping.Protocol)
+	assert.Equal(t, uint16(51820), mapping.InternalPort)
+	assert.Equal(t, uint16(51820), mapping.ExternalPort)
+	assert.Equal(t, "Mock-NAT", mapping.NATType)
+	assert.Equal(t, net.ParseIP("203.0.113.50").To4(), mapping.ExternalIP.To4())
+}
+
+func TestManager_GetMapping_ReturnsNilWhenNotReady(t *testing.T) {
+	m := NewManager()
+	assert.Nil(t, m.GetMapping())
+}
+
+func TestManager_GetMapping_ReturnsCopy(t *testing.T) {
+	m := NewManager()
+	m.mapping = &Mapping{
+		Protocol:     "udp",
+		InternalPort: 51820,
+		ExternalPort: 51820,
+	}
+
+	mapping := m.GetMapping()
+	require.NotNil(t, mapping)
+	assert.Equal(t, uint16(51820), mapping.InternalPort)
+
+	// Mutating the returned copy should not affect the manager's mapping.
+	mapping.ExternalPort = 9999
+	assert.Equal(t, uint16(51820), m.GetMapping().ExternalPort)
+}
+
+func TestManager_Cleanup_DeletesMapping(t *testing.T) {
+	m := NewManager()
+	m.mapping = &Mapping{
+		Protocol:     "udp",
+		InternalPort: 51820,
+		ExternalPort: 51820,
+	}
+
+	gateway := newMockNAT()
+	// Seed the mock so we can verify deletion.
+	gateway.mappings[51820] = 51820
+
+	m.cleanup(context.Background(), gateway)
+
+	_, exists := gateway.mappings[51820]
+	assert.False(t, exists, "mapping should be deleted from gateway")
+	assert.Nil(t, m.GetMapping(), "in-memory mapping should be cleared")
+}
+
+func TestManager_Cleanup_NilMapping(t *testing.T) {
+	m := NewManager()
+	gateway := newMockNAT()
+
+	// Should not panic or call gateway.
+	m.cleanup(context.Background(), gateway)
+}
+
+func TestState_Cleanup(t *testing.T) {
+	origDiscover := discoverGateway
+	defer func() { discoverGateway = origDiscover }()
+
+	mockGateway := newMockNAT()
+	mockGateway.mappings[51820] = 51820
+	discoverGateway = func(ctx context.Context) (nat.NAT, error) {
+		return mockGateway, nil
+	}
+
+	state := &State{
+		Protocol:     "udp",
+		InternalPort: 51820,
+	}
+
+	err := state.Cleanup()
+	assert.NoError(t, err)
+
+	_, exists := mockGateway.mappings[51820]
+	assert.False(t, exists, "mapping should be deleted after cleanup")
+}
+
+func TestState_Name(t *testing.T) {
+	state := &State{}
+	assert.Equal(t, "port_forward_state", state.Name())
+}

client/internal/portforward/pcp/client.go

@@ -0,0 +1,408 @@
+package pcp
+
+import (
+	"context"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	defaultTimeout     = 3 * time.Second
+	responseBufferSize = 128
+
+	// RFC 6887 Section 8.1.1 retry timing
+	initialRetryDelay = 3 * time.Second
+	maxRetryDelay     = 1024 * time.Second
+	maxRetries        = 4 // 3s + 6s + 12s + 24s = 45s total worst case
+)
+
+// Client is a PCP protocol client.
+// All methods are safe for concurrent use.
+type Client struct {
+	gateway netip.Addr
+	timeout time.Duration
+
+	mu sync.Mutex
+	// localIP caches the resolved local IP address.
+	localIP netip.Addr
+	// lastEpoch is the last observed server epoch value.
+	lastEpoch uint32
+	// epochTime tracks when lastEpoch was received for state loss detection.
+	epochTime time.Time
+	// externalIP caches the external IP from the last successful MAP response.
+	externalIP netip.Addr
+	// epochStateLost is set when epoch indicates server restart.
+	epochStateLost bool
+}
+
+// NewClient creates a new PCP client for the gateway at the given IP.
+func NewClient(gateway net.IP) *Client {
+	addr, ok := netip.AddrFromSlice(gateway)
+	if !ok {
+		log.Debugf("invalid gateway IP: %v", gateway)
+	}
+	return &Client{
+		gateway: addr.Unmap(),
+		timeout: defaultTimeout,
+	}
+}
+
+// NewClientWithTimeout creates a new PCP client with a custom timeout.
+func NewClientWithTimeout(gateway net.IP, timeout time.Duration) *Client {
+	addr, ok := netip.AddrFromSlice(gateway)
+	if !ok {
+		log.Debugf("invalid gateway IP: %v", gateway)
+	}
+	return &Client{
+		gateway: addr.Unmap(),
+		timeout: timeout,
+	}
+}
+
+// SetLocalIP sets the local IP address to use in PCP requests.
+func (c *Client) SetLocalIP(ip net.IP) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		log.Debugf("invalid local IP: %v", ip)
+	}
+	c.mu.Lock()
+	c.localIP = addr.Unmap()
+	c.mu.Unlock()
+}
+
+// Gateway returns the gateway IP address.
+func (c *Client) Gateway() net.IP {
+	return c.gateway.AsSlice()
+}
+
+// Announce sends a PCP ANNOUNCE request to discover PCP support.
+// Returns the server's epoch time on success.
+func (c *Client) Announce(ctx context.Context) (epoch uint32, err error) {
+	localIP, err := c.getLocalIP()
+	if err != nil {
+		return 0, fmt.Errorf("get local IP: %w", err)
+	}
+
+	req := buildAnnounceRequest(localIP)
+	resp, err := c.sendRequest(ctx, req)
+	if err != nil {
+		return 0, fmt.Errorf("send announce: %w", err)
+	}
+
+	parsed, err := parseResponse(resp)
+	if err != nil {
+		return 0, fmt.Errorf("parse announce response: %w", err)
+	}
+
+	if parsed.ResultCode != ResultSuccess {
+		return 0, fmt.Errorf("PCP ANNOUNCE failed: %s", ResultCodeString(parsed.ResultCode))
+	}
+
+	c.mu.Lock()
+	if c.updateEpochLocked(parsed.Epoch) {
+		log.Warnf("PCP server epoch indicates state loss - mappings may need refresh")
+	}
+	c.mu.Unlock()
+	return parsed.Epoch, nil
+}
+
+// AddPortMapping requests a port mapping from the PCP server.
+func (c *Client) AddPortMapping(ctx context.Context, protocol string, internalPort int, lifetime time.Duration) (*MapResponse, error) {
+	return c.addPortMappingWithHint(ctx, protocol, internalPort, internalPort, netip.Addr{}, lifetime)
+}
+
+// AddPortMappingWithHint requests a port mapping with suggested external port and IP.
+// Use lifetime <= 0 to delete a mapping.
+func (c *Client) AddPortMappingWithHint(ctx context.Context, protocol string, internalPort, suggestedExtPort int, suggestedExtIP net.IP, lifetime time.Duration) (*MapResponse, error) {
+	var extIP netip.Addr
+	if suggestedExtIP != nil {
+		var ok bool
+		extIP, ok = netip.AddrFromSlice(suggestedExtIP)
+		if !ok {
+			log.Debugf("invalid suggested external IP: %v", suggestedExtIP)
+		}
+		extIP = extIP.Unmap()
+	}
+	return c.addPortMappingWithHint(ctx, protocol, internalPort, suggestedExtPort, extIP, lifetime)
+}
+
+func (c *Client) addPortMappingWithHint(ctx context.Context, protocol string, internalPort, suggestedExtPort int, suggestedExtIP netip.Addr, lifetime time.Duration) (*MapResponse, error) {
+	localIP, err := c.getLocalIP()
+	if err != nil {
+		return nil, fmt.Errorf("get local IP: %w", err)
+	}
+
+	proto, err := protocolNumber(protocol)
+	if err != nil {
+		return nil, fmt.Errorf("parse protocol: %w", err)
+	}
+
+	var nonce [12]byte
+	if _, err := rand.Read(nonce[:]); err != nil {
+		return nil, fmt.Errorf("generate nonce: %w", err)
+	}
+
+	// Convert lifetime to seconds. Lifetime 0 means delete, so only apply
+	// default for positive durations that round to 0 seconds.
+	var lifetimeSec uint32
+	if lifetime > 0 {
+		lifetimeSec = uint32(lifetime.Seconds())
+		if lifetimeSec == 0 {
+			lifetimeSec = DefaultLifetime
+		}
+	}
+
+	req := buildMapRequest(localIP, nonce, proto, uint16(internalPort), uint16(suggestedExtPort), suggestedExtIP, lifetimeSec)
+
+	resp, err := c.sendRequest(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("send map request: %w", err)
+	}
+
+	mapResp, err := parseMapResponse(resp)
+	if err != nil {
+		return nil, fmt.Errorf("parse map response: %w", err)
+	}
+
+	if mapResp.Nonce != nonce {
+		return nil, fmt.Errorf("nonce mismatch in response")
+	}
+
+	if mapResp.Protocol != proto {
+		return nil, fmt.Errorf("protocol mismatch: requested %d, got %d", proto, mapResp.Protocol)
+	}
+	if mapResp.InternalPort != uint16(internalPort) {
+		return nil, fmt.Errorf("internal port mismatch: requested %d, got %d", internalPort, mapResp.InternalPort)
+	}
+
+	if mapResp.ResultCode != ResultSuccess {
+		return nil, &Error{
+			Code:    mapResp.ResultCode,
+			Message: ResultCodeString(mapResp.ResultCode),
+		}
+	}
+
+	c.mu.Lock()
+	if c.updateEpochLocked(mapResp.Epoch) {
+		log.Warnf("PCP server epoch indicates state loss - mappings may need refresh")
+	}
+	c.cacheExternalIPLocked(mapResp.ExternalIP)
+	c.mu.Unlock()
+	return mapResp, nil
+}
+
+// DeletePortMapping removes a port mapping by requesting zero lifetime.
+func (c *Client) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
+	if _, err := c.addPortMappingWithHint(ctx, protocol, internalPort, 0, netip.Addr{}, 0); err != nil {
+		var pcpErr *Error
+		if errors.As(err, &pcpErr) && pcpErr.Code == ResultNotAuthorized {
+			return nil
+		}
+		return fmt.Errorf("delete mapping: %w", err)
+	}
+	return nil
+}
+
+// GetExternalAddress returns the external IP address.
+// First checks for a cached value from previous MAP responses.
+// If not cached, creates a short-lived mapping to discover the external IP.
+func (c *Client) GetExternalAddress(ctx context.Context) (net.IP, error) {
+	c.mu.Lock()
+	if c.externalIP.IsValid() {
+		ip := c.externalIP.AsSlice()
+		c.mu.Unlock()
+		return ip, nil
+	}
+	c.mu.Unlock()
+
+	// Use an ephemeral port in the dynamic range (49152-65535).
+	// Port 0 is not valid with UDP/TCP protocols per RFC 6887.
+	ephemeralPort := 49152 + int(uint16(time.Now().UnixNano()))%(65535-49152)
+
+	// Use minimal lifetime (1 second) for discovery.
+	resp, err := c.AddPortMapping(ctx, "udp", ephemeralPort, time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("create temporary mapping: %w", err)
+	}
+
+	if err := c.DeletePortMapping(ctx, "udp", ephemeralPort); err != nil {
+		log.Debugf("cleanup temporary PCP mapping: %v", err)
+	}
+
+	return resp.ExternalIP.AsSlice(), nil
+}
+
+// LastEpoch returns the last observed server epoch value.
+// A decrease in epoch indicates the server may have restarted and mappings may be lost.
+func (c *Client) LastEpoch() uint32 {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.lastEpoch
+}
+
+// EpochStateLost returns true if epoch state loss was detected and clears the flag.
+func (c *Client) EpochStateLost() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	lost := c.epochStateLost
+	c.epochStateLost = false
+	return lost
+}
+
+// updateEpoch updates the epoch tracking and detects potential state loss.
+// Returns true if state loss was detected (server likely restarted).
+// Caller must hold c.mu.
+func (c *Client) updateEpochLocked(newEpoch uint32) bool {
+	now := time.Now()
+	stateLost := false
+
+	// RFC 6887 Section 8.5: Detect invalid epoch indicating server state loss.
+	// client_delta = time since last response
+	// server_delta = epoch change since last response
+	// Invalid if: client_delta+2 < server_delta - server_delta/16
+	//         OR: server_delta+2 < client_delta - client_delta/16
+	// The +2 handles quantization, /16 (6.25%) handles clock drift.
+	if !c.epochTime.IsZero() && c.lastEpoch > 0 {
+		clientDelta := uint32(now.Sub(c.epochTime).Seconds())
+		serverDelta := newEpoch - c.lastEpoch
+
+		// Check for epoch going backwards or jumping unexpectedly.
+		// Subtraction is safe: serverDelta/16 is always <= serverDelta.
+		if clientDelta+2 < serverDelta-(serverDelta/16) ||
+			serverDelta+2 < clientDelta-(clientDelta/16) {
+			stateLost = true
+			c.epochStateLost = true
+		}
+	}
+
+	c.lastEpoch = newEpoch
+	c.epochTime = now
+	return stateLost
+}
+
+// cacheExternalIP stores the external IP from a successful MAP response.
+// Caller must hold c.mu.
+func (c *Client) cacheExternalIPLocked(ip netip.Addr) {
+	if ip.IsValid() && !ip.IsUnspecified() {
+		c.externalIP = ip
+	}
+}
+
+// sendRequest sends a PCP request with retries per RFC 6887 Section 8.1.1.
+func (c *Client) sendRequest(ctx context.Context, req []byte) ([]byte, error) {
+	addr := &net.UDPAddr{IP: c.gateway.AsSlice(), Port: Port}
+
+	var lastErr error
+	delay := initialRetryDelay
+
+	for range maxRetries {
+		resp, err := c.sendOnce(ctx, addr, req)
+		if err == nil {
+			return resp, nil
+		}
+		lastErr = err
+
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+
+		// RFC 6887 Section 8.1.1: RT = (1 + RAND) * MIN(2 * RTprev, MRT)
+		// RAND is random between -0.1 and +0.1
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(retryDelayWithJitter(delay)):
+		}
+		delay = min(delay*2, maxRetryDelay)
+	}
+
+	return nil, fmt.Errorf("PCP request failed after %d retries: %w", maxRetries, lastErr)
+}
+
+// retryDelayWithJitter applies RFC 6887 jitter: multiply by (1 + RAND) where RAND is [-0.1, +0.1].
+func retryDelayWithJitter(d time.Duration) time.Duration {
+	var b [1]byte
+	_, _ = rand.Read(b[:])
+	// Convert byte to range [-0.1, +0.1]: (b/255 * 0.2) - 0.1
+	jitter := (float64(b[0])/255.0)*0.2 - 0.1
+	return time.Duration(float64(d) * (1 + jitter))
+}
+
+func (c *Client) sendOnce(ctx context.Context, addr *net.UDPAddr, req []byte) ([]byte, error) {
+	// Use ListenUDP instead of DialUDP to validate response source address per RFC 6887 §8.3.
+	conn, err := net.ListenUDP("udp", nil)
+	if err != nil {
+		return nil, fmt.Errorf("listen: %w", err)
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Debugf("close UDP connection: %v", err)
+		}
+	}()
+
+	timeout := c.timeout
+	if deadline, ok := ctx.Deadline(); ok {
+		if remaining := time.Until(deadline); remaining < timeout {
+			timeout = remaining
+		}
+	}
+
+	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
+		return nil, fmt.Errorf("set deadline: %w", err)
+	}
+
+	if _, err := conn.WriteToUDP(req, addr); err != nil {
+		return nil, fmt.Errorf("write: %w", err)
+	}
+
+	resp := make([]byte, responseBufferSize)
+	n, from, err := conn.ReadFromUDP(resp)
+	if err != nil {
+		return nil, fmt.Errorf("read: %w", err)
+	}
+
+	// RFC 6887 §8.3: Validate response came from expected PCP server.
+	if !from.IP.Equal(addr.IP) {
+		return nil, fmt.Errorf("response from unexpected source %s (expected %s)", from.IP, addr.IP)
+	}
+
+	return resp[:n], nil
+}
+
+func (c *Client) getLocalIP() (netip.Addr, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if !c.localIP.IsValid() {
+		return netip.Addr{}, fmt.Errorf("local IP not set for gateway %s", c.gateway)
+	}
+	return c.localIP, nil
+}
+
+func protocolNumber(protocol string) (uint8, error) {
+	switch protocol {
+	case "udp", "UDP":
+		return ProtoUDP, nil
+	case "tcp", "TCP":
+		return ProtoTCP, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+	}
+}
+
+// Error represents a PCP error response.
+type Error struct {
+	Code    uint8
+	Message string
+}
+
+func (e *Error) Error() string {
+	return fmt.Sprintf("PCP error: %s (%d)", e.Message, e.Code)
+}

client/internal/portforward/pcp/client_test.go

@@ -0,0 +1,187 @@
+package pcp
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAddrConversion(t *testing.T) {
+	tests := []struct {
+		name string
+		addr netip.Addr
+	}{
+		{"IPv4", netip.MustParseAddr("192.168.1.100")},
+		{"IPv4 loopback", netip.MustParseAddr("127.0.0.1")},
+		{"IPv6", netip.MustParseAddr("2001:db8::1")},
+		{"IPv6 loopback", netip.MustParseAddr("::1")},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b16 := addrTo16(tt.addr)
+
+			recovered := addrFrom16(b16)
+			assert.Equal(t, tt.addr, recovered, "address should round-trip")
+		})
+	}
+}
+
+func TestBuildAnnounceRequest(t *testing.T) {
+	clientIP := netip.MustParseAddr("192.168.1.100")
+	req := buildAnnounceRequest(clientIP)
+
+	require.Len(t, req, headerSize)
+	assert.Equal(t, byte(Version), req[0], "version")
+	assert.Equal(t, byte(OpAnnounce), req[1], "opcode")
+
+	// Check client IP is properly encoded as IPv4-mapped IPv6
+	assert.Equal(t, byte(0xff), req[18], "IPv4-mapped prefix byte 10")
+	assert.Equal(t, byte(0xff), req[19], "IPv4-mapped prefix byte 11")
+	assert.Equal(t, byte(192), req[20], "IP octet 1")
+	assert.Equal(t, byte(168), req[21], "IP octet 2")
+	assert.Equal(t, byte(1), req[22], "IP octet 3")
+	assert.Equal(t, byte(100), req[23], "IP octet 4")
+}
+
+func TestBuildMapRequest(t *testing.T) {
+	clientIP := netip.MustParseAddr("192.168.1.100")
+	nonce := [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
+	req := buildMapRequest(clientIP, nonce, ProtoUDP, 51820, 51820, netip.Addr{}, 3600)
+
+	require.Len(t, req, mapRequestSize)
+	assert.Equal(t, byte(Version), req[0], "version")
+	assert.Equal(t, byte(OpMap), req[1], "opcode")
+
+	// Lifetime at bytes 4-7
+	assert.Equal(t, uint32(3600), (uint32(req[4])<<24)|(uint32(req[5])<<16)|(uint32(req[6])<<8)|uint32(req[7]), "lifetime")
+
+	// Nonce at bytes 24-35
+	assert.Equal(t, nonce[:], req[24:36], "nonce")
+
+	// Protocol at byte 36
+	assert.Equal(t, byte(ProtoUDP), req[36], "protocol")
+
+	// Internal port at bytes 40-41
+	assert.Equal(t, uint16(51820), (uint16(req[40])<<8)|uint16(req[41]), "internal port")
+
+	// External port at bytes 42-43
+	assert.Equal(t, uint16(51820), (uint16(req[42])<<8)|uint16(req[43]), "external port")
+}
+
+func TestParseResponse(t *testing.T) {
+	// Construct a valid ANNOUNCE response
+	resp := make([]byte, headerSize)
+	resp[0] = Version
+	resp[1] = OpAnnounce | OpReply
+	// Result code = 0 (success)
+	// Lifetime = 0
+	// Epoch = 12345
+	resp[8] = 0
+	resp[9] = 0
+	resp[10] = 0x30
+	resp[11] = 0x39
+
+	parsed, err := parseResponse(resp)
+	require.NoError(t, err)
+	assert.Equal(t, uint8(Version), parsed.Version)
+	assert.Equal(t, uint8(OpAnnounce|OpReply), parsed.Opcode)
+	assert.Equal(t, uint8(ResultSuccess), parsed.ResultCode)
+	assert.Equal(t, uint32(12345), parsed.Epoch)
+}
+
+func TestParseResponseErrors(t *testing.T) {
+	t.Run("too short", func(t *testing.T) {
+		_, err := parseResponse([]byte{1, 2, 3})
+		assert.Error(t, err)
+	})
+
+	t.Run("wrong version", func(t *testing.T) {
+		resp := make([]byte, headerSize)
+		resp[0] = 1 // Wrong version
+		resp[1] = OpReply
+		_, err := parseResponse(resp)
+		assert.Error(t, err)
+	})
+
+	t.Run("missing reply bit", func(t *testing.T) {
+		resp := make([]byte, headerSize)
+		resp[0] = Version
+		resp[1] = OpAnnounce // Missing OpReply bit
+		_, err := parseResponse(resp)
+		assert.Error(t, err)
+	})
+}
+
+func TestResultCodeString(t *testing.T) {
+	assert.Equal(t, "SUCCESS", ResultCodeString(ResultSuccess))
+	assert.Equal(t, "NOT_AUTHORIZED", ResultCodeString(ResultNotAuthorized))
+	assert.Equal(t, "ADDRESS_MISMATCH", ResultCodeString(ResultAddressMismatch))
+	assert.Contains(t, ResultCodeString(255), "UNKNOWN")
+}
+
+func TestProtocolNumber(t *testing.T) {
+	proto, err := protocolNumber("udp")
+	require.NoError(t, err)
+	assert.Equal(t, uint8(ProtoUDP), proto)
+
+	proto, err = protocolNumber("tcp")
+	require.NoError(t, err)
+	assert.Equal(t, uint8(ProtoTCP), proto)
+
+	proto, err = protocolNumber("UDP")
+	require.NoError(t, err)
+	assert.Equal(t, uint8(ProtoUDP), proto)
+
+	_, err = protocolNumber("icmp")
+	assert.Error(t, err)
+}
+
+func TestClientCreation(t *testing.T) {
+	gateway := netip.MustParseAddr("192.168.1.1").AsSlice()
+
+	client := NewClient(gateway)
+	assert.Equal(t, net.IP(gateway), client.Gateway())
+	assert.Equal(t, defaultTimeout, client.timeout)
+
+	clientWithTimeout := NewClientWithTimeout(gateway, 5*time.Second)
+	assert.Equal(t, 5*time.Second, clientWithTimeout.timeout)
+}
+
+func TestNATType(t *testing.T) {
+	n := NewNAT(netip.MustParseAddr("192.168.1.1").AsSlice(), netip.MustParseAddr("192.168.1.100").AsSlice())
+	assert.Equal(t, "PCP", n.Type())
+}
+
+// Integration test - skipped unless PCP_TEST_GATEWAY env is set
+func TestClientIntegration(t *testing.T) {
+	t.Skip("Integration test - run manually with PCP_TEST_GATEWAY=<gateway-ip>")
+
+	gateway := netip.MustParseAddr("10.0.1.1").AsSlice()   // Change to your test gateway
+	localIP := netip.MustParseAddr("10.0.1.100").AsSlice() // Change to your local IP
+
+	client := NewClient(gateway)
+	client.SetLocalIP(localIP)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Test ANNOUNCE
+	epoch, err := client.Announce(ctx)
+	require.NoError(t, err)
+	t.Logf("Server epoch: %d", epoch)
+
+	// Test MAP
+	resp, err := client.AddPortMapping(ctx, "udp", 51820, 1*time.Hour)
+	require.NoError(t, err)
+	t.Logf("Mapping: internal=%d external=%d externalIP=%s",
+		resp.InternalPort, resp.ExternalPort, resp.ExternalIP)
+
+	// Cleanup
+	err = client.DeletePortMapping(ctx, "udp", 51820)
+	require.NoError(t, err)
+}

client/internal/portforward/pcp/nat.go

@@ -0,0 +1,209 @@
+package pcp
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/libp2p/go-nat"
+	"github.com/libp2p/go-netroute"
+)
+
+var _ nat.NAT = (*NAT)(nil)
+
+// NAT implements the go-nat NAT interface using PCP.
+// Supports dual-stack (IPv4 and IPv6) when available.
+// All methods are safe for concurrent use.
+//
+// TODO: IPv6 pinholes use the local IPv6 address. If the address changes
+// (e.g., due to SLAAC rotation or network change), the pinhole becomes stale
+// and needs to be recreated with the new address.
+type NAT struct {
+	client *Client
+
+	mu sync.RWMutex
+	// client6 is the IPv6 PCP client, nil if IPv6 is unavailable.
+	client6 *Client
+	// localIP6 caches the local IPv6 address used for PCP requests.
+	localIP6 netip.Addr
+}
+
+// NewNAT creates a new NAT instance backed by PCP.
+func NewNAT(gateway, localIP net.IP) *NAT {
+	client := NewClient(gateway)
+	client.SetLocalIP(localIP)
+	return &NAT{
+		client: client,
+	}
+}
+
+// Type returns "PCP" as the NAT type.
+func (n *NAT) Type() string {
+	return "PCP"
+}
+
+// GetDeviceAddress returns the gateway IP address.
+func (n *NAT) GetDeviceAddress() (net.IP, error) {
+	return n.client.Gateway(), nil
+}
+
+// GetExternalAddress returns the external IP address.
+func (n *NAT) GetExternalAddress() (net.IP, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	return n.client.GetExternalAddress(ctx)
+}
+
+// GetInternalAddress returns the local IP address used to communicate with the gateway.
+func (n *NAT) GetInternalAddress() (net.IP, error) {
+	addr, err := n.client.getLocalIP()
+	if err != nil {
+		return nil, err
+	}
+	return addr.AsSlice(), nil
+}
+
+// AddPortMapping creates a port mapping on both IPv4 and IPv6 (if available).
+func (n *NAT) AddPortMapping(ctx context.Context, protocol string, internalPort int, _ string, timeout time.Duration) (int, error) {
+	resp, err := n.client.AddPortMapping(ctx, protocol, internalPort, timeout)
+	if err != nil {
+		return 0, fmt.Errorf("add mapping: %w", err)
+	}
+
+	n.mu.RLock()
+	client6 := n.client6
+	localIP6 := n.localIP6
+	n.mu.RUnlock()
+
+	if client6 == nil {
+		return int(resp.ExternalPort), nil
+	}
+
+	if _, err := client6.AddPortMapping(ctx, protocol, internalPort, timeout); err != nil {
+		log.Warnf("IPv6 PCP mapping failed (continuing with IPv4): %v", err)
+		return int(resp.ExternalPort), nil
+	}
+
+	log.Infof("created IPv6 PCP pinhole: %s:%d", localIP6, internalPort)
+	return int(resp.ExternalPort), nil
+}
+
+// DeletePortMapping removes a port mapping from both IPv4 and IPv6.
+func (n *NAT) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
+	err := n.client.DeletePortMapping(ctx, protocol, internalPort)
+
+	n.mu.RLock()
+	client6 := n.client6
+	n.mu.RUnlock()
+
+	if client6 != nil {
+		if err6 := client6.DeletePortMapping(ctx, protocol, internalPort); err6 != nil {
+			log.Warnf("IPv6 PCP delete mapping failed: %v", err6)
+		}
+	}
+
+	if err != nil {
+		return fmt.Errorf("delete mapping: %w", err)
+	}
+	return nil
+}
+
+// CheckServerHealth sends an ANNOUNCE to verify the server is still responsive.
+// Returns the current epoch and whether the server may have restarted (epoch state loss detected).
+func (n *NAT) CheckServerHealth(ctx context.Context) (epoch uint32, serverRestarted bool, err error) {
+	epoch, err = n.client.Announce(ctx)
+	if err != nil {
+		return 0, false, fmt.Errorf("announce: %w", err)
+	}
+	return epoch, n.client.EpochStateLost(), nil
+}
+
+// DiscoverPCP attempts to discover a PCP-capable gateway.
+// Returns a NAT interface if PCP is supported, or an error otherwise.
+// Discovers both IPv4 and IPv6 gateways when available.
+func DiscoverPCP(ctx context.Context) (nat.NAT, error) {
+	gateway, localIP, err := getDefaultGateway()
+	if err != nil {
+		return nil, fmt.Errorf("get default gateway: %w", err)
+	}
+
+	client := NewClient(gateway)
+	client.SetLocalIP(localIP)
+	if _, err := client.Announce(ctx); err != nil {
+		return nil, fmt.Errorf("PCP announce: %w", err)
+	}
+
+	result := &NAT{client: client}
+	discoverIPv6(ctx, result)
+
+	return result, nil
+}
+
+func discoverIPv6(ctx context.Context, result *NAT) {
+	gateway6, localIP6, err := getDefaultGateway6()
+	if err != nil {
+		log.Debugf("IPv6 gateway discovery failed: %v", err)
+		return
+	}
+
+	client6 := NewClient(gateway6)
+	client6.SetLocalIP(localIP6)
+	if _, err := client6.Announce(ctx); err != nil {
+		log.Debugf("PCP IPv6 announce failed: %v", err)
+		return
+	}
+
+	addr, ok := netip.AddrFromSlice(localIP6)
+	if !ok {
+		log.Debugf("invalid IPv6 local IP: %v", localIP6)
+		return
+	}
+	result.mu.Lock()
+	result.client6 = client6
+	result.localIP6 = addr
+	result.mu.Unlock()
+	log.Debugf("PCP IPv6 gateway discovered: %s (local: %s)", gateway6, localIP6)
+}
+
+// getDefaultGateway returns the default IPv4 gateway and local IP using the system routing table.
+func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
+	router, err := netroute.New()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	_, gateway, localIP, err = router.Route(net.IPv4zero)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if gateway == nil {
+		return nil, nil, nat.ErrNoNATFound
+	}
+
+	return gateway, localIP, nil
+}
+
+// getDefaultGateway6 returns the default IPv6 gateway IP address using the system routing table.
+func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
+	router, err := netroute.New()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	_, gateway, localIP, err = router.Route(net.IPv6zero)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if gateway == nil {
+		return nil, nil, nat.ErrNoNATFound
+	}
+
+	return gateway, localIP, nil
+}

client/internal/portforward/pcp/protocol.go

@@ -0,0 +1,225 @@
+// Package pcp implements the Port Control Protocol (RFC 6887).
+//
+// # Implemented Features
+//
+//   - ANNOUNCE opcode: Discovers PCP server support
+//   - MAP opcode: Creates/deletes port mappings (IPv4 NAT) and firewall pinholes (IPv6)
+//   - Dual-stack: Simultaneous IPv4 and IPv6 support via separate clients
+//   - Nonce validation: Prevents response spoofing
+//   - Epoch tracking: Detects server restarts per Section 8.5
+//   - RFC-compliant retry timing: 3s initial, exponential backoff to 1024s max (Section 8.1.1)
+//
+// # Not Implemented
+//
+//   - PEER opcode: For outbound peer connections (not needed for inbound NAT traversal)
+//   - THIRD_PARTY option: For managing mappings on behalf of other devices
+//   - PREFER_FAILURE option: Requires exact external port or fail (IPv4 NAT only, not needed for IPv6 pinholing)
+//   - FILTER option: To restrict remote peer addresses
+//
+// These optional features are omitted because the primary use case is simple
+// port forwarding for WireGuard, which only requires MAP with default behavior.
+package pcp
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+)
+
+const (
+	// Version is the PCP protocol version (RFC 6887).
+	Version = 2
+
+	// Port is the standard PCP server port.
+	Port = 5351
+
+	// DefaultLifetime is the default requested mapping lifetime in seconds.
+	DefaultLifetime = 7200 // 2 hours
+
+	// Header sizes
+	headerSize     = 24
+	mapPayloadSize = 36
+	mapRequestSize = headerSize + mapPayloadSize // 60 bytes
+)
+
+// Opcodes
+const (
+	OpAnnounce = 0
+	OpMap      = 1
+	OpPeer     = 2
+	OpReply    = 0x80 // OR'd with opcode in responses
+)
+
+// Protocol numbers for MAP requests
+const (
+	ProtoUDP = 17
+	ProtoTCP = 6
+)
+
+// Result codes (RFC 6887 Section 7.4)
+const (
+	ResultSuccess              = 0
+	ResultUnsuppVersion        = 1
+	ResultNotAuthorized        = 2
+	ResultMalformedRequest     = 3
+	ResultUnsuppOpcode         = 4
+	ResultUnsuppOption         = 5
+	ResultMalformedOption      = 6
+	ResultNetworkFailure       = 7
+	ResultNoResources          = 8
+	ResultUnsuppProtocol       = 9
+	ResultUserExQuota          = 10
+	ResultCannotProvideExt     = 11
+	ResultAddressMismatch      = 12
+	ResultExcessiveRemotePeers = 13
+)
+
+// ResultCodeString returns a human-readable string for a result code.
+func ResultCodeString(code uint8) string {
+	switch code {
+	case ResultSuccess:
+		return "SUCCESS"
+	case ResultUnsuppVersion:
+		return "UNSUPP_VERSION"
+	case ResultNotAuthorized:
+		return "NOT_AUTHORIZED"
+	case ResultMalformedRequest:
+		return "MALFORMED_REQUEST"
+	case ResultUnsuppOpcode:
+		return "UNSUPP_OPCODE"
+	case ResultUnsuppOption:
+		return "UNSUPP_OPTION"
+	case ResultMalformedOption:
+		return "MALFORMED_OPTION"
+	case ResultNetworkFailure:
+		return "NETWORK_FAILURE"
+	case ResultNoResources:
+		return "NO_RESOURCES"
+	case ResultUnsuppProtocol:
+		return "UNSUPP_PROTOCOL"
+	case ResultUserExQuota:
+		return "USER_EX_QUOTA"
+	case ResultCannotProvideExt:
+		return "CANNOT_PROVIDE_EXTERNAL"
+	case ResultAddressMismatch:
+		return "ADDRESS_MISMATCH"
+	case ResultExcessiveRemotePeers:
+		return "EXCESSIVE_REMOTE_PEERS"
+	default:
+		return fmt.Sprintf("UNKNOWN(%d)", code)
+	}
+}
+
+// Response represents a parsed PCP response header.
+type Response struct {
+	Version    uint8
+	Opcode     uint8
+	ResultCode uint8
+	Lifetime   uint32
+	Epoch      uint32
+}
+
+// MapResponse contains the full response to a MAP request.
+type MapResponse struct {
+	Response
+	Nonce        [12]byte
+	Protocol     uint8
+	InternalPort uint16
+	ExternalPort uint16
+	ExternalIP   netip.Addr
+}
+
+// addrTo16 converts an address to its 16-byte IPv4-mapped IPv6 representation.
+func addrTo16(addr netip.Addr) [16]byte {
+	if addr.Is4() {
+		return netip.AddrFrom4(addr.As4()).As16()
+	}
+	return addr.As16()
+}
+
+// addrFrom16 extracts an address from a 16-byte representation, unmapping IPv4.
+func addrFrom16(b [16]byte) netip.Addr {
+	return netip.AddrFrom16(b).Unmap()
+}
+
+// buildAnnounceRequest creates a PCP ANNOUNCE request packet.
+func buildAnnounceRequest(clientIP netip.Addr) []byte {
+	req := make([]byte, headerSize)
+	req[0] = Version
+	req[1] = OpAnnounce
+	mapped := addrTo16(clientIP)
+	copy(req[8:24], mapped[:])
+	return req
+}
+
+// buildMapRequest creates a PCP MAP request packet.
+func buildMapRequest(clientIP netip.Addr, nonce [12]byte, protocol uint8, internalPort, suggestedExtPort uint16, suggestedExtIP netip.Addr, lifetime uint32) []byte {
+	req := make([]byte, mapRequestSize)
+
+	// Header
+	req[0] = Version
+	req[1] = OpMap
+	binary.BigEndian.PutUint32(req[4:8], lifetime)
+	mapped := addrTo16(clientIP)
+	copy(req[8:24], mapped[:])
+
+	// MAP payload
+	copy(req[24:36], nonce[:])
+	req[36] = protocol
+	binary.BigEndian.PutUint16(req[40:42], internalPort)
+	binary.BigEndian.PutUint16(req[42:44], suggestedExtPort)
+	if suggestedExtIP.IsValid() {
+		extMapped := addrTo16(suggestedExtIP)
+		copy(req[44:60], extMapped[:])
+	}
+
+	return req
+}
+
+// parseResponse parses the common PCP response header.
+func parseResponse(data []byte) (*Response, error) {
+	if len(data) < headerSize {
+		return nil, fmt.Errorf("response too short: %d bytes", len(data))
+	}
+
+	resp := &Response{
+		Version:    data[0],
+		Opcode:     data[1],
+		ResultCode: data[3], // Byte 2 is reserved, byte 3 is result code (RFC 6887 §7.2)
+		Lifetime:   binary.BigEndian.Uint32(data[4:8]),
+		Epoch:      binary.BigEndian.Uint32(data[8:12]),
+	}
+
+	if resp.Version != Version {
+		return nil, fmt.Errorf("unsupported PCP version: %d", resp.Version)
+	}
+
+	if resp.Opcode&OpReply == 0 {
+		return nil, fmt.Errorf("response missing reply bit: opcode=0x%02x", resp.Opcode)
+	}
+
+	return resp, nil
+}
+
+// parseMapResponse parses a complete MAP response.
+func parseMapResponse(data []byte) (*MapResponse, error) {
+	if len(data) < mapRequestSize {
+		return nil, fmt.Errorf("MAP response too short: %d bytes", len(data))
+	}
+
+	resp, err := parseResponse(data)
+	if err != nil {
+		return nil, fmt.Errorf("parse header: %w", err)
+	}
+
+	mapResp := &MapResponse{
+		Response:     *resp,
+		Protocol:     data[36],
+		InternalPort: binary.BigEndian.Uint16(data[40:42]),
+		ExternalPort: binary.BigEndian.Uint16(data[42:44]),
+		ExternalIP:   addrFrom16([16]byte(data[44:60])),
+	}
+	copy(mapResp.Nonce[:], data[24:36])
+
+	return mapResp, nil
+}

client/internal/portforward/state.go

@@ -0,0 +1,63 @@
+//go:build !js
+
+package portforward
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/libp2p/go-nat"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/portforward/pcp"
+)
+
+// discoverGateway is the function used for NAT gateway discovery.
+// It can be replaced in tests to avoid real network operations.
+// Tries PCP first, then falls back to NAT-PMP/UPnP.
+var discoverGateway = defaultDiscoverGateway
+
+func defaultDiscoverGateway(ctx context.Context) (nat.NAT, error) {
+	pcpGateway, err := pcp.DiscoverPCP(ctx)
+	if err == nil {
+		return pcpGateway, nil
+	}
+	log.Debugf("PCP discovery failed: %v, trying NAT-PMP/UPnP", err)
+
+	return nat.DiscoverGateway(ctx)
+}
+
+// State is persisted only for crash recovery cleanup
+type State struct {
+	InternalPort uint16 `json:"internal_port,omitempty"`
+	Protocol     string `json:"protocol,omitempty"`
+}
+
+func (s *State) Name() string {
+	return "port_forward_state"
+}
+
+// Cleanup implements statemanager.CleanableState for crash recovery
+func (s *State) Cleanup() error {
+	if s.InternalPort == 0 {
+		return nil
+	}
+
+	log.Infof("cleaning up stale port mapping for port %d", s.InternalPort)
+
+	ctx, cancel := context.WithTimeout(context.Background(), discoveryTimeout)
+	defer cancel()
+
+	gateway, err := discoverGateway(ctx)
+	if err != nil {
+		// Discovery failure is not an error - gateway may not exist
+		log.Debugf("cleanup: no gateway found: %v", err)
+		return nil
+	}
+
+	if err := gateway.DeletePortMapping(ctx, s.Protocol, int(s.InternalPort)); err != nil {
+		return fmt.Errorf("delete port mapping: %w", err)
+	}
+
+	return nil
+}

client/internal/profilemanager/config.go

@@ -39,18 +39,6 @@ const (
 	DefaultAdminURL = "https://app.netbird.io:443"
 )
 
-// mgmProber is the subset of management client needed for URL migration probes.
-type mgmProber interface {
-	GetServerPublicKey() (*wgtypes.Key, error)
-	Close() error
-}
-
-// newMgmProber creates a management client for probing URL reachability.
-// Overridden in tests to avoid real network calls.
-var newMgmProber = func(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled bool) (mgmProber, error) {
-	return mgm.NewClient(ctx, addr, key, tlsEnabled)
-}
-
 var DefaultInterfaceBlacklist = []string{
 	iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
 	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
@@ -765,13 +753,14 @@ func UpdateOldManagementURL(ctx context.Context, config *Config, configPath stri
 		return config, err
 	}
 
-	client, err := newMgmProber(ctx, newURL.Host, key, mgmTlsEnabled)
+	client, err := mgm.NewClient(ctx, newURL.Host, key, mgmTlsEnabled)
 	if err != nil {
 		log.Infof("couldn't switch to the new Management %s", newURL.String())
 		return config, err
 	}
 	defer func() {
-		if err := client.Close(); err != nil {
+		err = client.Close()
+		if err != nil {
 			log.Warnf("failed to close the Management service client %v", err)
 		}
 	}()

client/internal/profilemanager/config_test.go

@@ -10,23 +10,12 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/util"
 )
 
-type mockMgmProber struct {
-	key wgtypes.Key
-}
-
-func (m *mockMgmProber) GetServerPublicKey() (*wgtypes.Key, error) {
-	return &m.key, nil
-}
-
-func (m *mockMgmProber) Close() error { return nil }
-
 func TestGetConfig(t *testing.T) {
 	// case 1: new default config has to be generated
 	config, err := UpdateOrCreateConfig(ConfigInput{
@@ -245,16 +234,6 @@ func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 }
 
 func TestUpdateOldManagementURL(t *testing.T) {
-	origProber := newMgmProber
-	newMgmProber = func(_ context.Context, _ string, _ wgtypes.Key, _ bool) (mgmProber, error) {
-		key, err := wgtypes.GenerateKey()
-		if err != nil {
-			return nil, err
-		}
-		return &mockMgmProber{key: key.PublicKey()}, nil
-	}
-	t.Cleanup(func() { newMgmProber = origProber })
-
 	tests := []struct {
 		name                  string
 		previousManagementURL string
@@ -294,17 +273,18 @@ func TestUpdateOldManagementURL(t *testing.T) {
 				ConfigPath:    configPath,
 			})
 			require.NoError(t, err, "failed to create testing config")
-			previousContent, err := os.ReadFile(configPath)
-			require.NoError(t, err, "failed to read initial config")
+			previousStats, err := os.Stat(configPath)
+			require.NoError(t, err, "failed to create testing config stats")
 			resultConfig, err := UpdateOldManagementURL(context.TODO(), config, configPath)
 			require.NoError(t, err, "got error when updating old management url")
 			require.Equal(t, tt.expectedManagementURL, resultConfig.ManagementURL.String())
-			newContent, err := os.ReadFile(configPath)
-			require.NoError(t, err, "failed to read updated config")
-			if tt.fileShouldNotChange {
-				require.Equal(t, string(previousContent), string(newContent), "file should not change")
-			} else {
-				require.NotEqual(t, string(previousContent), string(newContent), "file should have changed")
+			newStats, err := os.Stat(configPath)
+			require.NoError(t, err, "failed to create testing config stats")
+			switch tt.fileShouldNotChange {
+			case true:
+				require.Equal(t, previousStats.ModTime(), newStats.ModTime(), "file should not change")
+			case false:
+				require.NotEqual(t, previousStats.ModTime(), newStats.ModTime(), "file should have changed")
 			}
 		})
 	}

client/internal/routemanager/notifier/notifier_android.go

@@ -31,11 +31,26 @@ func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
 	n.listener = listener
 }
 
-// SetInitialClientRoutes stores the full initial route set (including fake IP blocks)
-// and a separate comparison set (without fake IP blocks) for diff detection.
 func (n *Notifier) SetInitialClientRoutes(initialRoutes []*route.Route, routesForComparison []*route.Route) {
-	n.initialRoutes = filterStatic(initialRoutes)
-	n.currentRoutes = filterStatic(routesForComparison)
+	// initialRoutes contains fake IP block for interface configuration
+	filteredInitial := make([]*route.Route, 0)
+	for _, r := range initialRoutes {
+		if r.IsDynamic() {
+			continue
+		}
+		filteredInitial = append(filteredInitial, r)
+	}
+	n.initialRoutes = filteredInitial
+
+	// routesForComparison excludes fake IP block for comparison with new routes
+	filteredComparison := make([]*route.Route, 0)
+	for _, r := range routesForComparison {
+		if r.IsDynamic() {
+			continue
+		}
+		filteredComparison = append(filteredComparison, r)
+	}
+	n.currentRoutes = filteredComparison
 }
 
 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
@@ -68,43 +83,13 @@ func (n *Notifier) notify() {
 		return
 	}
 
-	allRoutes := slices.Clone(n.currentRoutes)
-	allRoutes = append(allRoutes, n.extraInitialRoutes()...)
-
-	routeStrings := n.routesToStrings(allRoutes)
+	routeStrings := n.routesToStrings(n.currentRoutes)
 	sort.Strings(routeStrings)
 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(routeStrings, allRoutes), ","))
+		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(routeStrings, n.currentRoutes), ","))
 	}(n.listener)
 }
 
-// extraInitialRoutes returns initialRoutes whose network prefix is absent
-// from currentRoutes (e.g. the fake IP block added at setup time).
-func (n *Notifier) extraInitialRoutes() []*route.Route {
-	currentNets := make(map[netip.Prefix]struct{}, len(n.currentRoutes))
-	for _, r := range n.currentRoutes {
-		currentNets[r.Network] = struct{}{}
-	}
-
-	var extra []*route.Route
-	for _, r := range n.initialRoutes {
-		if _, ok := currentNets[r.Network]; !ok {
-			extra = append(extra, r)
-		}
-	}
-	return extra
-}
-
-func filterStatic(routes []*route.Route) []*route.Route {
-	out := make([]*route.Route, 0, len(routes))
-	for _, r := range routes {
-		if !r.IsDynamic() {
-			out = append(out, r)
-		}
-	}
-	return out
-}
-
 func (n *Notifier) routesToStrings(routes []*route.Route) []string {
 	nets := make([]string, 0, len(routes))
 	for _, r := range routes {

client/server/state_generic.go

@@ -9,6 +9,11 @@ import (
 	"github.com/netbirdio/netbird/client/ssh/config"
 )
 
+// registerStates registers all states that need crash recovery cleanup.
+// Note: portforward.State is intentionally NOT registered here to avoid blocking startup
+// for up to 10 seconds during NAT gateway discovery when no gateway is present.
+// The gateway reference cannot be persisted across restarts, so cleanup requires re-discovery.
+// Port forward cleanup is handled by the Manager during normal operation instead.
 func registerStates(mgr *statemanager.Manager) {
 	mgr.RegisterState(&dns.ShutdownState{})
 	mgr.RegisterState(&systemops.ShutdownState{})

client/server/state_linux.go

@@ -11,6 +11,11 @@ import (
 	"github.com/netbirdio/netbird/client/ssh/config"
 )
 
+// registerStates registers all states that need crash recovery cleanup.
+// Note: portforward.State is intentionally NOT registered here to avoid blocking startup
+// for up to 10 seconds during NAT gateway discovery when no gateway is present.
+// The gateway reference cannot be persisted across restarts, so cleanup requires re-discovery.
+// Port forward cleanup is handled by the Manager during normal operation instead.
 func registerStates(mgr *statemanager.Manager) {
 	mgr.RegisterState(&dns.ShutdownState{})
 	mgr.RegisterState(&systemops.ShutdownState{})

go.mod

@@ -49,7 +49,6 @@ require (
 	github.com/eko/gocache/store/redis/v4 v4.2.2
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
-	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
@@ -63,6 +62,7 @@ require (
 	github.com/hashicorp/go-version v1.6.0
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/libdns/route53 v1.5.0
+	github.com/libp2p/go-nat v0.2.0
 	github.com/libp2p/go-netroute v0.2.1
 	github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81
 	github.com/mdlayher/socket v0.5.1
@@ -182,6 +182,7 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -200,10 +201,12 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/huin/goupnp v1.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackpal/go-nat-pmp v1.0.2 // indirect
 	github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -213,6 +216,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
+	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect

go.sum

@@ -281,6 +281,8 @@ github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huin/goupnp v1.2.0 h1:uOKW26NG1hsSSbXIZ1IR7XP9Gjd1U8pnLaCMgntmkmY=
+github.com/huin/goupnp v1.2.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -291,6 +293,8 @@ github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
 github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7BdWus=
+github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -328,6 +332,8 @@ github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYW
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/koron/go-ssdp v0.0.4 h1:1IDwrghSKYM7yLf7XCzbByg2sJ/JcNOZRXS2jczTwz0=
+github.com/koron/go-ssdp v0.0.4/go.mod h1:oDXq+E5IL5q0U8uSBcoAXzTzInwy5lEgC91HoKtbmZk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -346,6 +352,8 @@ github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/libdns/route53 v1.5.0 h1:2SKdpPFl/qgWsXQvsLNJJAoX7rSxlk7zgoL4jnWdXVA=
 github.com/libdns/route53 v1.5.0/go.mod h1:joT4hKmaTNKHEwb7GmZ65eoDz1whTu7KKYPS8ZqIh6Q=
+github.com/libp2p/go-nat v0.2.0 h1:Tyz+bUFAYqGyJ/ppPPymMGbIgNRH+WqC5QrT5fKrrGk=
+github.com/libp2p/go-nat v0.2.0/go.mod h1:3MJr+GRpRkyT65EpVPBstXLvOlAPzUVlG6Pwg9ohLJk=
 github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81 h1:J56rFEfUTFT9j9CiRXhi1r8lUJ4W5idG3CiaBZGojNU=
 github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81/go.mod h1:RD8ML/YdXctQ7qbcizZkw5mZ6l8Ogrl1dodBzVJduwI=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=

idp/dex/config.go

@@ -170,66 +170,20 @@ type Connector struct {
 }
 
 // ToStorageConnector converts a Connector to storage.Connector type.
-// It maps custom connector types (e.g., "zitadel", "entra") to Dex-native types
-// and augments the config with OIDC defaults when needed.
 func (c *Connector) ToStorageConnector() (storage.Connector, error) {
-	dexType, augmentedConfig := mapConnectorToDex(c.Type, c.Config)
-
-	data, err := json.Marshal(augmentedConfig)
+	data, err := json.Marshal(c.Config)
 	if err != nil {
 		return storage.Connector{}, fmt.Errorf("failed to marshal connector config: %v", err)
 	}
 
 	return storage.Connector{
 		ID:     c.ID,
-		Type:   dexType,
+		Type:   c.Type,
 		Name:   c.Name,
 		Config: data,
 	}, nil
 }
 
-// mapConnectorToDex maps custom connector types to Dex-native types and applies
-// OIDC defaults. This ensures static connectors from config files or env vars
-// are stored with types that Dex can open.
-func mapConnectorToDex(connType string, config map[string]interface{}) (string, map[string]interface{}) {
-	switch connType {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
-		return "oidc", applyOIDCDefaults(connType, config)
-	default:
-		return connType, config
-	}
-}
-
-// applyOIDCDefaults clones the config map, sets common OIDC defaults,
-// and applies provider-specific overrides.
-func applyOIDCDefaults(connType string, config map[string]interface{}) map[string]interface{} {
-	augmented := make(map[string]interface{}, len(config)+4)
-	for k, v := range config {
-		augmented[k] = v
-	}
-	setDefault(augmented, "scopes", []string{"openid", "profile", "email"})
-	setDefault(augmented, "insecureEnableGroups", true)
-	setDefault(augmented, "insecureSkipEmailVerified", true)
-
-	switch connType {
-	case "zitadel":
-		setDefault(augmented, "getUserInfo", true)
-	case "entra":
-		setDefault(augmented, "claimMapping", map[string]string{"email": "preferred_username"})
-	case "okta", "pocketid":
-		augmented["scopes"] = []string{"openid", "profile", "email", "groups"}
-	}
-
-	return augmented
-}
-
-// setDefault sets a key in the map only if it doesn't already exist.
-func setDefault(m map[string]interface{}, key string, value interface{}) {
-	if _, ok := m[key]; !ok {
-		m[key] = value
-	}
-}
-
 // StorageConfig is a configuration that can create a storage.
 type StorageConfig interface {
 	Open(logger *slog.Logger) (storage.Storage, error)

idp/dex/provider.go

@@ -4,7 +4,6 @@ package dex
 import (
 	"context"
 	"encoding/base64"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -20,13 +19,10 @@ import (
 	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
-	jose "github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"golang.org/x/crypto/bcrypt"
 	"google.golang.org/grpc"
-
-	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 // Config matches what management/internals/server/server.go expects
@@ -670,46 +666,3 @@ func (p *Provider) GetAuthorizationEndpoint() string {
 	}
 	return issuer + "/auth"
 }
-
-// GetJWKS reads signing keys directly from Dex storage and returns them as Jwks.
-// This avoids HTTP round-trips when the embedded IDP is co-located with the management server.
-// The key retrieval mirrors Dex's own handlePublicKeys/ValidationKeys logic:
-// SigningKeyPub first, then all VerificationKeys, serialized via go-jose.
-func (p *Provider) GetJWKS(ctx context.Context) (*nbjwt.Jwks, error) {
-	keys, err := p.storage.GetKeys(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get keys from storage: %w", err)
-	}
-
-	if keys.SigningKeyPub == nil {
-		return nil, fmt.Errorf("no public keys found in storage")
-	}
-
-	// Build the key set exactly as Dex's localSigner.ValidationKeys does:
-	// signing key first, then all verification (rotated) keys.
-	joseKeys := make([]jose.JSONWebKey, 0, len(keys.VerificationKeys)+1)
-	joseKeys = append(joseKeys, *keys.SigningKeyPub)
-	for _, vk := range keys.VerificationKeys {
-		if vk.PublicKey != nil {
-			joseKeys = append(joseKeys, *vk.PublicKey)
-		}
-	}
-
-	// Serialize through go-jose (same as Dex's handlePublicKeys handler)
-	// then deserialize into our Jwks type, so the JSON field mapping is identical
-	// to what the /keys HTTP endpoint would return.
-	joseSet := jose.JSONWebKeySet{Keys: joseKeys}
-	data, err := json.Marshal(joseSet)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal JWKS: %w", err)
-	}
-
-	jwks := &nbjwt.Jwks{}
-	if err := json.Unmarshal(data, jwks); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal JWKS: %w", err)
-	}
-
-	jwks.ExpiresInTime = keys.NextRotation
-
-	return jwks, nil
-}

idp/dex/provider_test.go

@@ -2,14 +2,11 @@ package dex
 
 import (
 	"context"
-	"encoding/json"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 
-	"github.com/dexidp/dex/storage"
-	sqllib "github.com/dexidp/dex/storage/sql"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -200,295 +197,6 @@ enablePasswordDB: true
 	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
 }
 
-// openTestStorage creates a SQLite storage in the given directory for testing.
-func openTestStorage(t *testing.T, tmpDir string) storage.Storage {
-	t.Helper()
-	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	stor, err := (&sqllib.SQLite3{File: filepath.Join(tmpDir, "dex.db")}).Open(logger)
-	require.NoError(t, err)
-	return stor
-}
-
-func TestStaticConnectors_CreatedFromYAML(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-static-conn-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	yamlContent := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + filepath.Join(tmpDir, "dex.db") + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-connectors:
-- type: oidc
-  id: my-oidc
-  name: My OIDC Provider
-  config:
-    issuer: https://accounts.example.com
-    clientID: test-client-id
-    clientSecret: test-client-secret
-    redirectURI: http://localhost:5556/dex/callback
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
-	require.NoError(t, err)
-
-	yamlConfig, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	// Open storage and run initializeStorage directly (avoids Dex server
-	// trying to dial the OIDC issuer)
-	stor := openTestStorage(t, tmpDir)
-	defer stor.Close()
-
-	err = initializeStorage(ctx, stor, yamlConfig)
-	require.NoError(t, err)
-
-	// Verify connector was created in storage
-	conn, err := stor.GetConnector(ctx, "my-oidc")
-	require.NoError(t, err)
-	assert.Equal(t, "my-oidc", conn.ID)
-	assert.Equal(t, "My OIDC Provider", conn.Name)
-	assert.Equal(t, "oidc", conn.Type)
-
-	// Verify config fields were serialized correctly
-	var configMap map[string]interface{}
-	err = json.Unmarshal(conn.Config, &configMap)
-	require.NoError(t, err)
-	assert.Equal(t, "https://accounts.example.com", configMap["issuer"])
-	assert.Equal(t, "test-client-id", configMap["clientID"])
-}
-
-func TestStaticConnectors_UpdatedOnRestart(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-static-conn-update-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	dbFile := filepath.Join(tmpDir, "dex.db")
-
-	// First: load config with initial connector
-	yamlContent1 := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + dbFile + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-connectors:
-- type: oidc
-  id: my-oidc
-  name: Original Name
-  config:
-    issuer: https://accounts.example.com
-    clientID: original-client-id
-    clientSecret: original-secret
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent1), 0644)
-	require.NoError(t, err)
-
-	yamlConfig1, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	stor := openTestStorage(t, tmpDir)
-	err = initializeStorage(ctx, stor, yamlConfig1)
-	require.NoError(t, err)
-
-	// Verify initial state
-	conn, err := stor.GetConnector(ctx, "my-oidc")
-	require.NoError(t, err)
-	assert.Equal(t, "Original Name", conn.Name)
-
-	var configMap1 map[string]interface{}
-	err = json.Unmarshal(conn.Config, &configMap1)
-	require.NoError(t, err)
-	assert.Equal(t, "original-client-id", configMap1["clientID"])
-
-	// Close storage to simulate restart
-	stor.Close()
-
-	// Second: load updated config against the same DB
-	yamlContent2 := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + dbFile + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-connectors:
-- type: oidc
-  id: my-oidc
-  name: Updated Name
-  config:
-    issuer: https://accounts.example.com
-    clientID: updated-client-id
-    clientSecret: updated-secret
-`
-	err = os.WriteFile(configPath, []byte(yamlContent2), 0644)
-	require.NoError(t, err)
-
-	yamlConfig2, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	stor2 := openTestStorage(t, tmpDir)
-	defer stor2.Close()
-
-	err = initializeStorage(ctx, stor2, yamlConfig2)
-	require.NoError(t, err)
-
-	// Verify connector was updated, not duplicated
-	allConnectors, err := stor2.ListConnectors(ctx)
-	require.NoError(t, err)
-
-	nonLocalCount := 0
-	for _, c := range allConnectors {
-		if c.ID != "local" {
-			nonLocalCount++
-		}
-	}
-	assert.Equal(t, 1, nonLocalCount, "connector should be updated, not duplicated")
-
-	conn2, err := stor2.GetConnector(ctx, "my-oidc")
-	require.NoError(t, err)
-	assert.Equal(t, "Updated Name", conn2.Name)
-
-	var configMap2 map[string]interface{}
-	err = json.Unmarshal(conn2.Config, &configMap2)
-	require.NoError(t, err)
-	assert.Equal(t, "updated-client-id", configMap2["clientID"])
-}
-
-func TestStaticConnectors_MultipleConnectors(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-static-conn-multi-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	yamlContent := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + filepath.Join(tmpDir, "dex.db") + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-connectors:
-- type: oidc
-  id: my-oidc
-  name: My OIDC Provider
-  config:
-    issuer: https://accounts.example.com
-    clientID: oidc-client-id
-    clientSecret: oidc-secret
-- type: google
-  id: my-google
-  name: Google Login
-  config:
-    clientID: google-client-id
-    clientSecret: google-secret
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
-	require.NoError(t, err)
-
-	yamlConfig, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	stor := openTestStorage(t, tmpDir)
-	defer stor.Close()
-
-	err = initializeStorage(ctx, stor, yamlConfig)
-	require.NoError(t, err)
-
-	allConnectors, err := stor.ListConnectors(ctx)
-	require.NoError(t, err)
-
-	// Build a map for easier assertion
-	connByID := make(map[string]storage.Connector)
-	for _, c := range allConnectors {
-		connByID[c.ID] = c
-	}
-
-	// Verify both static connectors exist
-	oidcConn, ok := connByID["my-oidc"]
-	require.True(t, ok, "oidc connector should exist")
-	assert.Equal(t, "My OIDC Provider", oidcConn.Name)
-	assert.Equal(t, "oidc", oidcConn.Type)
-
-	var oidcConfig map[string]interface{}
-	err = json.Unmarshal(oidcConn.Config, &oidcConfig)
-	require.NoError(t, err)
-	assert.Equal(t, "oidc-client-id", oidcConfig["clientID"])
-
-	googleConn, ok := connByID["my-google"]
-	require.True(t, ok, "google connector should exist")
-	assert.Equal(t, "Google Login", googleConn.Name)
-	assert.Equal(t, "google", googleConn.Type)
-
-	var googleConfig map[string]interface{}
-	err = json.Unmarshal(googleConn.Config, &googleConfig)
-	require.NoError(t, err)
-	assert.Equal(t, "google-client-id", googleConfig["clientID"])
-
-	// Verify local connector still exists alongside them (enablePasswordDB: true)
-	localConn, ok := connByID["local"]
-	require.True(t, ok, "local connector should exist")
-	assert.Equal(t, "local", localConn.Type)
-}
-
-func TestStaticConnectors_EmptyList(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-static-conn-empty-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	yamlContent := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + filepath.Join(tmpDir, "dex.db") + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
-	require.NoError(t, err)
-
-	yamlConfig, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	provider, err := NewProviderFromYAML(ctx, yamlConfig)
-	require.NoError(t, err)
-	defer func() { _ = provider.Stop(ctx) }()
-
-	// No static connectors configured, so ListConnectors should return empty
-	connectors, err := provider.ListConnectors(ctx)
-	require.NoError(t, err)
-	assert.Empty(t, connectors)
-
-	// But local connector should still exist
-	localConn, err := provider.Storage().GetConnector(ctx, "local")
-	require.NoError(t, err)
-	assert.Equal(t, "local", localConn.ID)
-}
-
 func TestNewProvider_ContinueOnConnectorFailure(t *testing.T) {
 	ctx := context.Background()
 

infrastructure_files/getting-started-with-dex.sh

@@ -172,11 +172,8 @@ init_environment() {
   echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
   echo ""
   echo "Login with the following credentials:"
-  install -m 600 /dev/null .env
-  printf 'Email: admin@%s\nPassword: %s\n' \
-      "$NETBIRD_DOMAIN" "$NETBIRD_ADMIN_PASSWORD" >> .env
-  echo "Email: admin@$NETBIRD_DOMAIN"
-  echo "Password: $NETBIRD_ADMIN_PASSWORD"
+  echo "Email: admin@$NETBIRD_DOMAIN" | tee .env
+  echo "Password: $NETBIRD_ADMIN_PASSWORD" | tee -a .env
   echo ""
   echo "Dex admin UI is not available (Dex has no built-in UI)."
   echo "To add more users, edit dex.yaml and restart: $DOCKER_COMPOSE_COMMAND restart dex"

infrastructure_files/getting-started-with-zitadel.sh

@@ -563,11 +563,8 @@ initEnvironment() {
   echo -e "\nDone!\n"
   echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
   echo "Login with the following credentials:"
-  install -m 600 /dev/null .env
-  printf 'Username: %s\nPassword: %s\n' \
-      "$ZITADEL_ADMIN_USERNAME" "$ZITADEL_ADMIN_PASSWORD" >> .env
-  echo "Username: $ZITADEL_ADMIN_USERNAME"
-  echo "Password: $ZITADEL_ADMIN_PASSWORD"
+  echo "Username: $ZITADEL_ADMIN_USERNAME" | tee .env
+  echo "Password: $ZITADEL_ADMIN_PASSWORD" | tee -a .env
 }
 
 renderCaddyfile() {

infrastructure_files/getting-started.sh

@@ -532,14 +532,13 @@ render_docker_compose_traefik_builtin() {
     traefik_dynamic_volume="      - ./traefik-dynamic.yaml:/etc/traefik/dynamic.yaml:ro"
     proxy_service="
   # NetBird Proxy - exposes internal resources to the internet
-  # Uses host network so it can listen on arbitrary ports for TCP/UDP services
   proxy:
     image: $NETBIRD_PROXY_IMAGE
     container_name: netbird-proxy
     ports:
     - 51820:51820/udp
     restart: unless-stopped
-    network_mode: host
+    networks: [netbird]
     depends_on:
       - netbird-server
     env_file:
@@ -647,7 +646,6 @@ $traefik_dynamic_volume
     networks: [netbird]
     ports:
       - '$NETBIRD_STUN_PORT:$NETBIRD_STUN_PORT/udp'
-$(if [[ "$ENABLE_PROXY" == "true" ]]; then echo "      - '$MANAGEMENT_HOST_PORT:80'"; fi)
     volumes:
       - netbird_data:/var/lib/netbird
       - ./config.yaml:/etc/netbird/config.yaml
@@ -768,8 +766,8 @@ render_proxy_env() {
   cat <<EOF
 # NetBird Proxy Configuration
 NB_PROXY_DEBUG_LOGS=false
-# Proxy runs in host network mode for L4 port binding, connect to management via localhost
-NB_PROXY_MANAGEMENT_ADDRESS=http://localhost:$MANAGEMENT_HOST_PORT
+# Use internal Docker network to connect to management (avoids hairpin NAT issues)
+NB_PROXY_MANAGEMENT_ADDRESS=http://netbird-server:80
 # Allow insecure gRPC connection to management (required for internal Docker network)
 NB_PROXY_ALLOW_INSECURE=true
 # Public URL where this proxy is reachable (used for cluster registration)
@@ -1156,16 +1154,7 @@ print_builtin_traefik_instructions() {
   echo "  - $NETBIRD_STUN_PORT/udp   (STUN - required for NAT traversal)"
   if [[ "$ENABLE_PROXY" == "true" ]]; then
     echo "  - 51820/udp (WIREGUARD - (optional) for P2P proxy connections)"
-  fi
-  echo ""
-  echo "This setup is ideal for homelabs and smaller organization deployments."
-  echo "For enterprise environments requiring high availability and advanced integrations,"
-  echo "consider a commercial on-prem license or scaling your open source deployment:"
-  echo ""
-  echo "  Commercial license: https://netbird.io/pricing#on-prem"
-  echo "  Scaling guide:      https://docs.netbird.io/scaling-your-self-hosted-deployment"
-  echo ""
-  if [[ "$ENABLE_PROXY" == "true" ]]; then
+    echo ""
     echo "NetBird Proxy:"
     echo "  The proxy service is enabled and running."
     echo "  Any domain NOT matching $NETBIRD_DOMAIN will be passed through to the proxy."

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -288,8 +288,6 @@ func (m *Manager) validateSubdomainRequirement(ctx context.Context, domain, clus
 }
 
 func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *service.Service) error {
-	customPorts := m.clusterCustomPorts(ctx, svc)
-
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if svc.Domain != "" {
 			if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, ""); err != nil {
@@ -297,7 +295,7 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			}
 		}
 
-		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc); err != nil {
 			return err
 		}
 
@@ -317,23 +315,12 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 	})
 }
 
-// clusterCustomPorts queries whether the cluster supports custom ports.
-// Must be called before entering a transaction: the underlying query uses
-// the main DB handle, which deadlocks when called inside a transaction
-// that already holds the connection.
-func (m *Manager) clusterCustomPorts(ctx context.Context, svc *service.Service) *bool {
-	if !service.IsL4Protocol(svc.Mode) {
-		return nil
-	}
-	return m.capabilities.ClusterSupportsCustomPorts(ctx, svc.ProxyCluster)
-}
-
 // ensureL4Port auto-assigns a listen port when needed and validates cluster support.
-// customPorts must be pre-computed via clusterCustomPorts before entering a transaction.
-func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service, customPorts *bool) error {
+func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service) error {
 	if !service.IsL4Protocol(svc.Mode) {
 		return nil
 	}
+	customPorts := m.capabilities.ClusterSupportsCustomPorts(ctx, svc.ProxyCluster)
 	if service.IsPortBasedProtocol(svc.Mode) && svc.ListenPort > 0 && (customPorts == nil || !*customPorts) {
 		if svc.Source != service.SourceEphemeral {
 			return status.Errorf(status.InvalidArgument, "custom ports not supported on cluster %s", svc.ProxyCluster)
@@ -417,14 +404,12 @@ func (m *Manager) assignPort(ctx context.Context, tx store.Store, cluster string
 // The count and exists queries use FOR UPDATE locking to serialize concurrent creates
 // for the same peer, preventing the per-peer limit from being bypassed.
 func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, peerID string, svc *service.Service) error {
-	customPorts := m.clusterCustomPorts(ctx, svc)
-
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := m.validateEphemeralPreconditions(ctx, transaction, accountID, peerID, svc); err != nil {
 			return err
 		}
 
-		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc); err != nil {
 			return err
 		}
 
@@ -527,49 +512,16 @@ type serviceUpdateInfo struct {
 }
 
 func (m *Manager) persistServiceUpdate(ctx context.Context, accountID string, service *service.Service) (*serviceUpdateInfo, error) {
-	effectiveCluster, err := m.resolveEffectiveCluster(ctx, accountID, service)
-	if err != nil {
-		return nil, err
-	}
-
-	svcForCaps := *service
-	svcForCaps.ProxyCluster = effectiveCluster
-	customPorts := m.clusterCustomPorts(ctx, &svcForCaps)
-
 	var updateInfo serviceUpdateInfo
 
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts)
+	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo)
 	})
 
 	return &updateInfo, err
 }
 
-// resolveEffectiveCluster determines the cluster that will be used after the update.
-// It reads the existing service without locking and derives the new cluster if the domain changed.
-func (m *Manager) resolveEffectiveCluster(ctx context.Context, accountID string, svc *service.Service) (string, error) {
-	existing, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, svc.ID)
-	if err != nil {
-		return "", err
-	}
-
-	if existing.Domain == svc.Domain {
-		return existing.ProxyCluster, nil
-	}
-
-	if m.clusterDeriver != nil {
-		derived, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, svc.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s", svc.Domain)
-		} else {
-			return derived, nil
-		}
-	}
-
-	return existing.ProxyCluster, nil
-}
-
-func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool) error {
+func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo) error {
 	existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
 	if err != nil {
 		return err
@@ -606,7 +558,7 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	m.preserveListenPort(service, existingService)
 	updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled
 
-	if err := m.ensureL4Port(ctx, transaction, service, customPorts); err != nil {
+	if err := m.ensureL4Port(ctx, transaction, service); err != nil {
 		return err
 	}
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {

management/internals/modules/reverseproxy/service/service.go

@@ -787,11 +787,6 @@ func (s *Service) validateHTTPTargets() error {
 }
 
 func (s *Service) validateL4Target(target *Target) error {
-	// L4 services have a single target; per-target disable is meaningless
-	// (use the service-level Enabled flag instead). Force it on so that
-	// buildPathMappings always includes the target in the proto.
-	target.Enabled = true
-
 	if target.Port == 0 {
 		return errors.New("target port is required for L4 services")
 	}

management/internals/server/controllers.go

@@ -20,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
-	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 func (s *BaseServer) PeersUpdateManager() network_map.PeersUpdateManager {
@@ -72,7 +71,6 @@ func (s *BaseServer) AuthManager() auth.Manager {
 	signingKeyRefreshEnabled := s.Config.HttpConfig.IdpSignKeyRefreshEnabled
 	issuer := s.Config.HttpConfig.AuthIssuer
 	userIDClaim := s.Config.HttpConfig.AuthUserIDClaim
-	var keyFetcher nbjwt.KeyFetcher
 
 	// Use embedded IdP configuration if available
 	if oauthProvider := s.OAuthConfigProvider(); oauthProvider != nil {
@@ -80,11 +78,8 @@ func (s *BaseServer) AuthManager() auth.Manager {
 		if len(audiences) > 0 {
 			audience = audiences[0] // Use the first client ID as the primary audience
 		}
-		keyFetcher = oauthProvider.GetKeyFetcher()
-		// Fall back to default keys location if direct key fetching is not available
-		if keyFetcher == nil {
-			keysLocation = oauthProvider.GetLocalKeysLocation()
-		}
+		// Use localhost keys location for internal validation (management has embedded Dex)
+		keysLocation = oauthProvider.GetLocalKeysLocation()
 		signingKeyRefreshEnabled = true
 		issuer = oauthProvider.GetIssuer()
 		userIDClaim = oauthProvider.GetUserIDClaim()
@@ -97,8 +92,7 @@ func (s *BaseServer) AuthManager() auth.Manager {
 			keysLocation,
 			userIDClaim,
 			audiences,
-			signingKeyRefreshEnabled,
-			keyFetcher)
+			signingKeyRefreshEnabled)
 	})
 }
 

management/internals/server/modules.go

@@ -117,11 +117,9 @@ func (s *BaseServer) IdpManager() idp.Manager {
 	return Create(s, func() idp.Manager {
 		var idpManager idp.Manager
 		var err error
-
 		// Use embedded IdP service if embedded Dex is configured and enabled.
 		// Legacy IdpManager won't be used anymore even if configured.
-		embeddedEnabled := s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled
-		if embeddedEnabled {
+		if s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled {
 			idpManager, err = idp.NewEmbeddedIdPManager(context.Background(), s.Config.EmbeddedIdP, s.Metrics())
 			if err != nil {
 				log.Fatalf("failed to create embedded IDP service: %v", err)

management/server/activity/store/sql_store_idp_migration.go

@@ -1,61 +0,0 @@
-package store
-
-// This file contains migration-only methods on Store.
-// They satisfy the migration.MigrationEventStore interface via duck typing.
-// Delete this file when migration tooling is no longer needed.
-
-import (
-	"context"
-	"fmt"
-
-	"gorm.io/gorm"
-
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/idp/migration"
-)
-
-// CheckSchema verifies that all tables and columns required by the migration exist in the event database.
-func (store *Store) CheckSchema(checks []migration.SchemaCheck) []migration.SchemaError {
-	migrator := store.db.Migrator()
-	var errs []migration.SchemaError
-
-	for _, check := range checks {
-		if !migrator.HasTable(check.Table) {
-			errs = append(errs, migration.SchemaError{Table: check.Table})
-			continue
-		}
-		for _, col := range check.Columns {
-			if !migrator.HasColumn(check.Table, col) {
-				errs = append(errs, migration.SchemaError{Table: check.Table, Column: col})
-			}
-		}
-	}
-
-	return errs
-}
-
-// UpdateUserID updates all references to oldUserID in events and deleted_users tables.
-func (store *Store) UpdateUserID(ctx context.Context, oldUserID, newUserID string) error {
-	return store.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
-		if err := tx.Model(&activity.Event{}).
-			Where("initiator_id = ?", oldUserID).
-			Update("initiator_id", newUserID).Error; err != nil {
-			return fmt.Errorf("update events.initiator_id: %w", err)
-		}
-
-		if err := tx.Model(&activity.Event{}).
-			Where("target_id = ?", oldUserID).
-			Update("target_id", newUserID).Error; err != nil {
-			return fmt.Errorf("update events.target_id: %w", err)
-		}
-
-		// Raw exec: GORM can't update a PK via Model().Update()
-		if err := tx.Exec(
-			"UPDATE deleted_users SET id = ? WHERE id = ?", newUserID, oldUserID,
-		).Error; err != nil {
-			return fmt.Errorf("update deleted_users.id: %w", err)
-		}
-
-		return nil
-	})
-}

management/server/activity/store/sql_store_idp_migration_test.go

@@ -1,161 +0,0 @@
-package store
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/util/crypt"
-)
-
-func TestUpdateUserID(t *testing.T) {
-	ctx := context.Background()
-
-	newStore := func(t *testing.T) *Store {
-		t.Helper()
-		key, _ := crypt.GenerateKey()
-		s, err := NewSqlStore(ctx, t.TempDir(), key)
-		if err != nil {
-			t.Fatal(err)
-		}
-		t.Cleanup(func() { s.Close(ctx) }) //nolint
-		return s
-	}
-
-	t.Run("updates initiator_id in events", func(t *testing.T) {
-		store := newStore(t)
-		accountID := "account_1"
-
-		_, err := store.Save(ctx, &activity.Event{
-			Timestamp:   time.Now().UTC(),
-			Activity:    activity.PeerAddedByUser,
-			InitiatorID: "old-user",
-			TargetID:    "some-peer",
-			AccountID:   accountID,
-		})
-		assert.NoError(t, err)
-
-		err = store.UpdateUserID(ctx, "old-user", "new-user")
-		assert.NoError(t, err)
-
-		result, err := store.Get(ctx, accountID, 0, 10, false)
-		assert.NoError(t, err)
-		assert.Len(t, result, 1)
-		assert.Equal(t, "new-user", result[0].InitiatorID)
-	})
-
-	t.Run("updates target_id in events", func(t *testing.T) {
-		store := newStore(t)
-		accountID := "account_1"
-
-		_, err := store.Save(ctx, &activity.Event{
-			Timestamp:   time.Now().UTC(),
-			Activity:    activity.PeerAddedByUser,
-			InitiatorID: "some-admin",
-			TargetID:    "old-user",
-			AccountID:   accountID,
-		})
-		assert.NoError(t, err)
-
-		err = store.UpdateUserID(ctx, "old-user", "new-user")
-		assert.NoError(t, err)
-
-		result, err := store.Get(ctx, accountID, 0, 10, false)
-		assert.NoError(t, err)
-		assert.Len(t, result, 1)
-		assert.Equal(t, "new-user", result[0].TargetID)
-	})
-
-	t.Run("updates deleted_users id", func(t *testing.T) {
-		store := newStore(t)
-		accountID := "account_1"
-
-		// Save an event with email/name meta to create a deleted_users row for "old-user"
-		_, err := store.Save(ctx, &activity.Event{
-			Timestamp:   time.Now().UTC(),
-			Activity:    activity.PeerAddedByUser,
-			InitiatorID: "admin",
-			TargetID:    "old-user",
-			AccountID:   accountID,
-			Meta: map[string]any{
-				"email": "user@example.com",
-				"name":  "Test User",
-			},
-		})
-		assert.NoError(t, err)
-
-		err = store.UpdateUserID(ctx, "old-user", "new-user")
-		assert.NoError(t, err)
-
-		// Save another event referencing new-user with email/name meta.
-		// This should upsert (not conflict) because the PK was already migrated.
-		_, err = store.Save(ctx, &activity.Event{
-			Timestamp:   time.Now().UTC(),
-			Activity:    activity.PeerAddedByUser,
-			InitiatorID: "admin",
-			TargetID:    "new-user",
-			AccountID:   accountID,
-			Meta: map[string]any{
-				"email": "user@example.com",
-				"name":  "Test User",
-			},
-		})
-		assert.NoError(t, err)
-
-		// The deleted user info should be retrievable via Get (joined on target_id)
-		result, err := store.Get(ctx, accountID, 0, 10, false)
-		assert.NoError(t, err)
-		assert.Len(t, result, 2)
-		for _, ev := range result {
-			assert.Equal(t, "new-user", ev.TargetID)
-		}
-	})
-
-	t.Run("no-op when old user ID does not exist", func(t *testing.T) {
-		store := newStore(t)
-
-		err := store.UpdateUserID(ctx, "nonexistent-user", "new-user")
-		assert.NoError(t, err)
-	})
-
-	t.Run("only updates matching user leaves others unchanged", func(t *testing.T) {
-		store := newStore(t)
-		accountID := "account_1"
-
-		_, err := store.Save(ctx, &activity.Event{
-			Timestamp:   time.Now().UTC(),
-			Activity:    activity.PeerAddedByUser,
-			InitiatorID: "user-a",
-			TargetID:    "peer-1",
-			AccountID:   accountID,
-		})
-		assert.NoError(t, err)
-
-		_, err = store.Save(ctx, &activity.Event{
-			Timestamp:   time.Now().UTC(),
-			Activity:    activity.PeerAddedByUser,
-			InitiatorID: "user-b",
-			TargetID:    "peer-2",
-			AccountID:   accountID,
-		})
-		assert.NoError(t, err)
-
-		err = store.UpdateUserID(ctx, "user-a", "user-a-new")
-		assert.NoError(t, err)
-
-		result, err := store.Get(ctx, accountID, 0, 10, false)
-		assert.NoError(t, err)
-		assert.Len(t, result, 2)
-
-		for _, ev := range result {
-			if ev.TargetID == "peer-1" {
-				assert.Equal(t, "user-a-new", ev.InitiatorID)
-			} else {
-				assert.Equal(t, "user-b", ev.InitiatorID)
-			}
-		}
-	})
-}

management/server/auth/manager.go

@@ -33,20 +33,15 @@ type manager struct {
 	extractor *nbjwt.ClaimsExtractor
 }
 
-func NewManager(store store.Store, issuer, audience, keysLocation, userIdClaim string, allAudiences []string, idpRefreshKeys bool, keyFetcher nbjwt.KeyFetcher) Manager {
-	var jwtValidator *nbjwt.Validator
-	if keyFetcher != nil {
-		jwtValidator = nbjwt.NewValidatorWithKeyFetcher(issuer, allAudiences, keyFetcher)
-	} else {
-		// @note if invalid/missing parameters are sent the validator will instantiate
-		// but it will fail when validating and parsing the token
-		jwtValidator = nbjwt.NewValidator(
-			issuer,
-			allAudiences,
-			keysLocation,
-			idpRefreshKeys,
-		)
-	}
+func NewManager(store store.Store, issuer, audience, keysLocation, userIdClaim string, allAudiences []string, idpRefreshKeys bool) Manager {
+	// @note if invalid/missing parameters are sent the validator will instantiate
+	// but it will fail when validating and parsing the token
+	jwtValidator := nbjwt.NewValidator(
+		issuer,
+		allAudiences,
+		keysLocation,
+		idpRefreshKeys,
+	)
 
 	claimsExtractor := nbjwt.NewClaimsExtractor(
 		nbjwt.WithAudience(audience),

management/server/auth/manager_test.go

@@ -52,7 +52,7 @@ func TestAuthManager_GetAccountInfoFromPAT(t *testing.T) {
 		t.Fatalf("Error when saving account: %s", err)
 	}
 
-	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
 
 	user, pat, _, _, err := manager.GetPATInfo(context.Background(), token)
 	if err != nil {
@@ -92,7 +92,7 @@ func TestAuthManager_MarkPATUsed(t *testing.T) {
 		t.Fatalf("Error when saving account: %s", err)
 	}
 
-	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
 
 	err = manager.MarkPATUsed(context.Background(), "tokenId")
 	if err != nil {
@@ -142,7 +142,7 @@ func TestAuthManager_EnsureUserAccessByJWTGroups(t *testing.T) {
 	// these tests only assert groups are parsed from token as per account settings
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"idp-groups": []interface{}{"group1", "group2"}})
 
-	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
 
 	t.Run("JWT groups disabled", func(t *testing.T) {
 		userAuth, err := manager.EnsureUserAccessByJWTGroups(context.Background(), userAuth, token)
@@ -225,7 +225,7 @@ func TestAuthManager_ValidateAndParseToken(t *testing.T) {
 	keyId := "test-key"
 
 	// note, we can use a nil store because ValidateAndParseToken does not use it in it's flow
-	manager := auth.NewManager(nil, issuer, audience, server.URL, userIdClaim, []string{audience}, false, nil)
+	manager := auth.NewManager(nil, issuer, audience, server.URL, userIdClaim, []string{audience}, false)
 
 	customClaim := func(name string) string {
 		return fmt.Sprintf("%s/%s", audience, name)

management/server/geolocation/geolocation.go

@@ -130,10 +130,6 @@ func (gl *geolocationImpl) Lookup(ip net.IP) (*Record, error) {
 	gl.mux.RLock()
 	defer gl.mux.RUnlock()
 
-	if gl.db == nil {
-		return nil, fmt.Errorf("geolocation database is not available")
-	}
-
 	var record Record
 	err := gl.db.Lookup(ip, &record)
 	if err != nil {
@@ -177,14 +173,8 @@ func (gl *geolocationImpl) GetCitiesByCountry(countryISOCode string) ([]City, er
 
 func (gl *geolocationImpl) Stop() error {
 	close(gl.stopCh)
-
-	gl.mux.Lock()
-	db := gl.db
-	gl.db = nil
-	gl.mux.Unlock()
-
-	if db != nil {
-		if err := db.Close(); err != nil {
+	if gl.db != nil {
+		if err := gl.db.Close(); err != nil {
 			return err
 		}
 	}

management/server/http/testing/testing_tools/channel/channel.go

@@ -119,7 +119,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	am.SetServiceManager(serviceManager)
 
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
-	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false, nil)
+	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
 	authManagerMock := &serverauth.MockManager{
 		ValidateAndParseTokenFunc:       mockValidateAndParseToken,
 		EnsureUserAccessByJWTGroupsFunc: authManager.EnsureUserAccessByJWTGroups,
@@ -248,7 +248,7 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	am.SetServiceManager(serviceManager)
 
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
-	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false, nil)
+	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
 	authManagerMock := &serverauth.MockManager{
 		ValidateAndParseTokenFunc:       mockValidateAndParseToken,
 		EnsureUserAccessByJWTGroupsFunc: authManager.EnsureUserAccessByJWTGroups,

management/server/idp/embedded.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/idp/dex"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 const (
@@ -49,8 +48,6 @@ type EmbeddedIdPConfig struct {
 	// Existing local users are preserved and will be able to login again if re-enabled.
 	// Cannot be enabled if no external identity provider connectors are configured.
 	LocalAuthDisabled bool
-	// StaticConnectors are additional connectors to seed during initialization
-	StaticConnectors []dex.Connector
 }
 
 // EmbeddedStorageConfig holds storage configuration for the embedded IdP.
@@ -160,7 +157,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 				RedirectURIs: cliRedirectURIs,
 			},
 		},
-		StaticConnectors: c.StaticConnectors,
 	}
 
 	// Add owner user if provided
@@ -197,9 +193,6 @@ type OAuthConfigProvider interface {
 	// Management server has embedded Dex and can validate tokens via localhost,
 	// avoiding external network calls and DNS resolution issues during startup.
 	GetLocalKeysLocation() string
-	// GetKeyFetcher returns a KeyFetcher that reads keys directly from the IDP storage,
-	// or nil if direct key fetching is not supported (falls back to HTTP).
-	GetKeyFetcher() nbjwt.KeyFetcher
 	GetClientIDs() []string
 	GetUserIDClaim() string
 	GetTokenEndpoint() string
@@ -600,11 +593,6 @@ func (m *EmbeddedIdPManager) GetCLIRedirectURLs() []string {
 	return m.config.CLIRedirectURIs
 }
 
-// GetKeyFetcher returns a KeyFetcher that reads keys directly from Dex storage.
-func (m *EmbeddedIdPManager) GetKeyFetcher() nbjwt.KeyFetcher {
-	return m.provider.GetJWKS
-}
-
 // GetKeysLocation returns the JWKS endpoint URL for token validation.
 func (m *EmbeddedIdPManager) GetKeysLocation() string {
 	return m.provider.GetKeysLocation()

management/server/idp/migration/migration.go

@@ -1,235 +0,0 @@
-// Package migration provides utility functions for migrating from the external IdP solution in pre v0.62.0
-// to the new embedded IdP manager (Dex based), which is the default in v0.62.0 and later.
-// It includes functions to seed connectors and migrate existing users to use these connectors.
-package migration
-
-import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/idp/dex"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// Server is the dependency interface that migration functions use to access
-// the main data store and the activity event store.
-type Server interface {
-	Store() Store
-	EventStore() EventStore // may return nil
-}
-
-const idpSeedInfoKey = "IDP_SEED_INFO"
-const dryRunEnvKey = "NB_IDP_MIGRATION_DRY_RUN"
-
-func isDryRun() bool {
-	return os.Getenv(dryRunEnvKey) == "true"
-}
-
-var ErrNoSeedInfo = errors.New("no seed info found in environment")
-
-// SeedConnectorFromEnv reads the IDP_SEED_INFO env var, base64-decodes it,
-// and JSON-unmarshals it into a dex.Connector. Returns nil if not set.
-func SeedConnectorFromEnv() (*dex.Connector, error) {
-	val, ok := os.LookupEnv(idpSeedInfoKey)
-	if !ok || val == "" {
-		return nil, ErrNoSeedInfo
-	}
-
-	decoded, err := base64.StdEncoding.DecodeString(val)
-	if err != nil {
-		return nil, fmt.Errorf("base64 decode: %w", err)
-	}
-
-	var conn dex.Connector
-	if err := json.Unmarshal(decoded, &conn); err != nil {
-		return nil, fmt.Errorf("json unmarshal: %w", err)
-	}
-
-	return &conn, nil
-}
-
-// MigrateUsersToStaticConnectors re-keys every user ID in the main store (and
-// the activity store, if present) so that it encodes the given connector ID,
-// skipping users that have already been migrated. Set NB_IDP_MIGRATION_DRY_RUN=true
-// to log what would happen without writing any changes.
-func MigrateUsersToStaticConnectors(s Server, conn *dex.Connector) error {
-	ctx := context.Background()
-
-	if isDryRun() {
-		log.Info("[DRY RUN] migration dry-run mode enabled, no changes will be written")
-	}
-
-	users, err := s.Store().ListUsers(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to list users: %w", err)
-	}
-
-	// Reconciliation pass: fix activity store for users already migrated in main DB
-	// but whose activity references may still use old IDs (from a previous partial failure).
-	if s.EventStore() != nil && !isDryRun() {
-		if err := reconcileActivityStore(ctx, s.EventStore(), users); err != nil {
-			return err
-		}
-	}
-
-	var migratedCount, skippedCount int
-
-	for _, user := range users {
-		_, _, decErr := dex.DecodeDexUserID(user.Id)
-		if decErr == nil {
-			skippedCount++
-			continue
-		}
-
-		newUserID := dex.EncodeDexUserID(user.Id, conn.ID)
-
-		if isDryRun() {
-			log.Infof("[DRY RUN] would migrate user %s -> %s (account: %s)", user.Id, newUserID, user.AccountID)
-			migratedCount++
-			continue
-		}
-
-		if err := migrateUser(ctx, s, user.Id, user.AccountID, newUserID); err != nil {
-			return err
-		}
-
-		migratedCount++
-	}
-
-	if isDryRun() {
-		log.Infof("[DRY RUN] migration summary: %d users would be migrated, %d already migrated", migratedCount, skippedCount)
-	} else {
-		log.Infof("migration complete: %d users migrated, %d already migrated", migratedCount, skippedCount)
-	}
-
-	return nil
-}
-
-// reconcileActivityStore updates activity store references for users already migrated
-// in the main DB whose activity entries may still use old IDs from a previous partial failure.
-func reconcileActivityStore(ctx context.Context, eventStore EventStore, users []*types.User) error {
-	for _, user := range users {
-		originalID, _, err := dex.DecodeDexUserID(user.Id)
-		if err != nil {
-			// skip users that aren't migrated, they will be handled in the main migration loop
-			continue
-		}
-		if err := eventStore.UpdateUserID(ctx, originalID, user.Id); err != nil {
-			return fmt.Errorf("reconcile activity store for user %s: %w", user.Id, err)
-		}
-	}
-	return nil
-}
-
-// migrateUser updates a single user's ID in both the main store and the activity store.
-func migrateUser(ctx context.Context, s Server, oldID, accountID, newID string) error {
-	if err := s.Store().UpdateUserID(ctx, accountID, oldID, newID); err != nil {
-		return fmt.Errorf("failed to update user ID for user %s: %w", oldID, err)
-	}
-
-	if s.EventStore() == nil {
-		return nil
-	}
-
-	if err := s.EventStore().UpdateUserID(ctx, oldID, newID); err != nil {
-		return fmt.Errorf("failed to update activity store user ID for user %s: %w", oldID, err)
-	}
-
-	return nil
-}
-
-// PopulateUserInfo fetches user email and name from the external IDP and updates
-// the store for users that are missing this information.
-func PopulateUserInfo(s Server, idpManager idp.Manager, dryRun bool) error {
-	ctx := context.Background()
-
-	users, err := s.Store().ListUsers(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to list users: %w", err)
-	}
-
-	// Build a map of IDP user ID -> UserData from the external IDP
-	allAccounts, err := idpManager.GetAllAccounts(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to fetch accounts from IDP: %w", err)
-	}
-
-	idpUsers := make(map[string]*idp.UserData)
-	for _, accountUsers := range allAccounts {
-		for _, userData := range accountUsers {
-			idpUsers[userData.ID] = userData
-		}
-	}
-
-	log.Infof("fetched %d users from IDP", len(idpUsers))
-
-	var updatedCount, skippedCount, notFoundCount int
-
-	for _, user := range users {
-		if user.IsServiceUser {
-			skippedCount++
-			continue
-		}
-
-		if user.Email != "" && user.Name != "" {
-			skippedCount++
-			continue
-		}
-
-		// The user ID in the store may be the original IDP ID or a Dex-encoded ID.
-		// Try to decode the Dex format first to get the original IDP ID.
-		lookupID := user.Id
-		if originalID, _, decErr := dex.DecodeDexUserID(user.Id); decErr == nil {
-			lookupID = originalID
-		}
-
-		idpUser, found := idpUsers[lookupID]
-		if !found {
-			notFoundCount++
-			log.Debugf("user %s (lookup: %s) not found in IDP, skipping", user.Id, lookupID)
-			continue
-		}
-
-		email := user.Email
-		name := user.Name
-		if email == "" && idpUser.Email != "" {
-			email = idpUser.Email
-		}
-		if name == "" && idpUser.Name != "" {
-			name = idpUser.Name
-		}
-
-		if email == user.Email && name == user.Name {
-			skippedCount++
-			continue
-		}
-
-		if dryRun {
-			log.Infof("[DRY RUN] would update user %s: email=%q, name=%q", user.Id, email, name)
-			updatedCount++
-			continue
-		}
-
-		if err := s.Store().UpdateUserInfo(ctx, user.Id, email, name); err != nil {
-			return fmt.Errorf("failed to update user info for %s: %w", user.Id, err)
-		}
-
-		log.Infof("updated user %s: email=%q, name=%q", user.Id, email, name)
-		updatedCount++
-	}
-
-	if dryRun {
-		log.Infof("[DRY RUN] user info summary: %d would be updated, %d skipped, %d not found in IDP", updatedCount, skippedCount, notFoundCount)
-	} else {
-		log.Infof("user info population complete: %d updated, %d skipped, %d not found in IDP", updatedCount, skippedCount, notFoundCount)
-	}
-
-	return nil
-}

management/server/idp/migration/migration_test.go

@@ -1,828 +0,0 @@
-package migration
-
-import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/idp/dex"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// testStore is a hand-written mock for MigrationStore.
-type testStore struct {
-	listUsersFunc      func(ctx context.Context) ([]*types.User, error)
-	updateUserIDFunc   func(ctx context.Context, accountID, oldUserID, newUserID string) error
-	updateUserInfoFunc func(ctx context.Context, userID, email, name string) error
-	checkSchemaFunc    func(checks []SchemaCheck) []SchemaError
-	updateCalls        []updateUserIDCall
-	updateInfoCalls    []updateUserInfoCall
-}
-
-type updateUserIDCall struct {
-	AccountID string
-	OldUserID string
-	NewUserID string
-}
-
-type updateUserInfoCall struct {
-	UserID string
-	Email  string
-	Name   string
-}
-
-func (s *testStore) ListUsers(ctx context.Context) ([]*types.User, error) {
-	return s.listUsersFunc(ctx)
-}
-
-func (s *testStore) UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error {
-	s.updateCalls = append(s.updateCalls, updateUserIDCall{accountID, oldUserID, newUserID})
-	return s.updateUserIDFunc(ctx, accountID, oldUserID, newUserID)
-}
-
-func (s *testStore) UpdateUserInfo(ctx context.Context, userID, email, name string) error {
-	s.updateInfoCalls = append(s.updateInfoCalls, updateUserInfoCall{userID, email, name})
-	if s.updateUserInfoFunc != nil {
-		return s.updateUserInfoFunc(ctx, userID, email, name)
-	}
-	return nil
-}
-
-func (s *testStore) CheckSchema(checks []SchemaCheck) []SchemaError {
-	if s.checkSchemaFunc != nil {
-		return s.checkSchemaFunc(checks)
-	}
-	return nil
-}
-
-type testServer struct {
-	store      Store
-	eventStore EventStore
-}
-
-func (s *testServer) Store() Store           { return s.store }
-func (s *testServer) EventStore() EventStore { return s.eventStore }
-
-func TestSeedConnectorFromEnv(t *testing.T) {
-	t.Run("returns ErrNoSeedInfo when env var is not set", func(t *testing.T) {
-		os.Unsetenv(idpSeedInfoKey)
-
-		conn, err := SeedConnectorFromEnv()
-		assert.ErrorIs(t, err, ErrNoSeedInfo)
-		assert.Nil(t, conn)
-	})
-
-	t.Run("returns ErrNoSeedInfo when env var is empty", func(t *testing.T) {
-		t.Setenv(idpSeedInfoKey, "")
-
-		conn, err := SeedConnectorFromEnv()
-		assert.ErrorIs(t, err, ErrNoSeedInfo)
-		assert.Nil(t, conn)
-	})
-
-	t.Run("returns error on invalid base64", func(t *testing.T) {
-		t.Setenv(idpSeedInfoKey, "not-valid-base64!!!")
-
-		conn, err := SeedConnectorFromEnv()
-		assert.NotErrorIs(t, err, ErrNoSeedInfo)
-		assert.Error(t, err)
-		assert.Nil(t, conn)
-		assert.Contains(t, err.Error(), "base64 decode")
-	})
-
-	t.Run("returns error on invalid JSON", func(t *testing.T) {
-		encoded := base64.StdEncoding.EncodeToString([]byte("not json"))
-		t.Setenv(idpSeedInfoKey, encoded)
-
-		conn, err := SeedConnectorFromEnv()
-		assert.NotErrorIs(t, err, ErrNoSeedInfo)
-		assert.Error(t, err)
-		assert.Nil(t, conn)
-		assert.Contains(t, err.Error(), "json unmarshal")
-	})
-
-	t.Run("successfully decodes valid connector", func(t *testing.T) {
-		expected := dex.Connector{
-			Type: "oidc",
-			Name: "Test Provider",
-			ID:   "test-provider",
-			Config: map[string]any{
-				"issuer":       "https://example.com",
-				"clientID":     "my-client-id",
-				"clientSecret": "my-secret",
-			},
-		}
-
-		data, err := json.Marshal(expected)
-		require.NoError(t, err)
-
-		encoded := base64.StdEncoding.EncodeToString(data)
-		t.Setenv(idpSeedInfoKey, encoded)
-
-		conn, err := SeedConnectorFromEnv()
-		assert.NoError(t, err)
-		require.NotNil(t, conn)
-		assert.Equal(t, expected.Type, conn.Type)
-		assert.Equal(t, expected.Name, conn.Name)
-		assert.Equal(t, expected.ID, conn.ID)
-		assert.Equal(t, expected.Config["issuer"], conn.Config["issuer"])
-	})
-}
-
-func TestMigrateUsersToStaticConnectors(t *testing.T) {
-	connector := &dex.Connector{
-		Type: "oidc",
-		Name: "Test Provider",
-		ID:   "test-connector",
-	}
-
-	t.Run("succeeds with no users", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc:    func(ctx context.Context) ([]*types.User, error) { return nil, nil },
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error { return nil },
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-	})
-
-	t.Run("returns error when ListUsers fails", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return nil, fmt.Errorf("db error")
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error { return nil },
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to list users")
-	})
-
-	t.Run("migrates single user with correct encoded ID", func(t *testing.T) {
-		user := &types.User{Id: "user-1", AccountID: "account-1"}
-		expectedNewID := dex.EncodeDexUserID("user-1", "test-connector")
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{user}, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-		require.Len(t, ms.updateCalls, 1)
-		assert.Equal(t, "account-1", ms.updateCalls[0].AccountID)
-		assert.Equal(t, "user-1", ms.updateCalls[0].OldUserID)
-		assert.Equal(t, expectedNewID, ms.updateCalls[0].NewUserID)
-	})
-
-	t.Run("migrates multiple users", func(t *testing.T) {
-		users := []*types.User{
-			{Id: "user-1", AccountID: "account-1"},
-			{Id: "user-2", AccountID: "account-1"},
-			{Id: "user-3", AccountID: "account-2"},
-		}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-		assert.Len(t, ms.updateCalls, 3)
-	})
-
-	t.Run("returns error when UpdateUserID fails", func(t *testing.T) {
-		users := []*types.User{
-			{Id: "user-1", AccountID: "account-1"},
-			{Id: "user-2", AccountID: "account-1"},
-		}
-
-		callCount := 0
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				callCount++
-				if callCount == 2 {
-					return fmt.Errorf("update failed")
-				}
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to update user ID for user user-2")
-	})
-
-	t.Run("stops on first UpdateUserID error", func(t *testing.T) {
-		users := []*types.User{
-			{Id: "user-1", AccountID: "account-1"},
-			{Id: "user-2", AccountID: "account-1"},
-		}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				return fmt.Errorf("update failed")
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.Error(t, err)
-		assert.Len(t, ms.updateCalls, 1) // stopped after first error
-	})
-
-	t.Run("skips already migrated users", func(t *testing.T) {
-		alreadyMigratedID := dex.EncodeDexUserID("user-1", "test-connector")
-		users := []*types.User{
-			{Id: alreadyMigratedID, AccountID: "account-1"},
-		}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-		assert.Len(t, ms.updateCalls, 0)
-	})
-
-	t.Run("migrates only non-migrated users in mixed state", func(t *testing.T) {
-		alreadyMigratedID := dex.EncodeDexUserID("user-1", "test-connector")
-		users := []*types.User{
-			{Id: alreadyMigratedID, AccountID: "account-1"},
-			{Id: "user-2", AccountID: "account-1"},
-			{Id: "user-3", AccountID: "account-2"},
-		}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-		// Only user-2 and user-3 should be migrated
-		assert.Len(t, ms.updateCalls, 2)
-		assert.Equal(t, "user-2", ms.updateCalls[0].OldUserID)
-		assert.Equal(t, "user-3", ms.updateCalls[1].OldUserID)
-	})
-
-	t.Run("dry run does not call UpdateUserID", func(t *testing.T) {
-		t.Setenv(dryRunEnvKey, "true")
-
-		users := []*types.User{
-			{Id: "user-1", AccountID: "account-1"},
-			{Id: "user-2", AccountID: "account-1"},
-		}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				t.Fatal("UpdateUserID should not be called in dry-run mode")
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-		assert.Len(t, ms.updateCalls, 0)
-	})
-
-	t.Run("dry run skips already migrated users", func(t *testing.T) {
-		t.Setenv(dryRunEnvKey, "true")
-
-		alreadyMigratedID := dex.EncodeDexUserID("user-1", "test-connector")
-		users := []*types.User{
-			{Id: alreadyMigratedID, AccountID: "account-1"},
-			{Id: "user-2", AccountID: "account-1"},
-		}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return users, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				t.Fatal("UpdateUserID should not be called in dry-run mode")
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-	})
-
-	t.Run("dry run disabled by default", func(t *testing.T) {
-		user := &types.User{Id: "user-1", AccountID: "account-1"}
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{user}, nil
-			},
-			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
-				return nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := MigrateUsersToStaticConnectors(srv, connector)
-		assert.NoError(t, err)
-		assert.Len(t, ms.updateCalls, 1) // proves it's not in dry-run
-	})
-}
-
-func TestPopulateUserInfo(t *testing.T) {
-	noopUpdateID := func(ctx context.Context, accountID, oldUserID, newUserID string) error { return nil }
-
-	t.Run("succeeds with no users", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc:    func(ctx context.Context) ([]*types.User, error) { return nil, nil },
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		assert.Empty(t, ms.updateInfoCalls)
-	})
-
-	t.Run("returns error when ListUsers fails", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return nil, fmt.Errorf("db error")
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to list users")
-	})
-
-	t.Run("returns error when GetAllAccounts fails", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{{Id: "user-1", AccountID: "acc-1"}}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return nil, fmt.Errorf("idp error")
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to fetch accounts from IDP")
-	})
-
-	t.Run("updates user with missing email and name", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {
-						{ID: "user-1", Email: "user1@example.com", Name: "User One"},
-					},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		require.Len(t, ms.updateInfoCalls, 1)
-		assert.Equal(t, "user-1", ms.updateInfoCalls[0].UserID)
-		assert.Equal(t, "user1@example.com", ms.updateInfoCalls[0].Email)
-		assert.Equal(t, "User One", ms.updateInfoCalls[0].Name)
-	})
-
-	t.Run("updates only missing email when name exists", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: "Existing Name"},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "user-1", Email: "user1@example.com", Name: "IDP Name"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		require.Len(t, ms.updateInfoCalls, 1)
-		assert.Equal(t, "user1@example.com", ms.updateInfoCalls[0].Email)
-		assert.Equal(t, "Existing Name", ms.updateInfoCalls[0].Name)
-	})
-
-	t.Run("updates only missing name when email exists", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "existing@example.com", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "user-1", Email: "idp@example.com", Name: "IDP Name"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		require.Len(t, ms.updateInfoCalls, 1)
-		assert.Equal(t, "existing@example.com", ms.updateInfoCalls[0].Email)
-		assert.Equal(t, "IDP Name", ms.updateInfoCalls[0].Name)
-	})
-
-	t.Run("skips users that already have both email and name", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "user1@example.com", Name: "User One"},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "user-1", Email: "different@example.com", Name: "Different Name"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		assert.Empty(t, ms.updateInfoCalls)
-	})
-
-	t.Run("skips service users", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "svc-1", AccountID: "acc-1", Email: "", Name: "", IsServiceUser: true},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "svc-1", Email: "svc@example.com", Name: "Service"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		assert.Empty(t, ms.updateInfoCalls)
-	})
-
-	t.Run("skips users not found in IDP", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "different-user", Email: "other@example.com", Name: "Other"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		assert.Empty(t, ms.updateInfoCalls)
-	})
-
-	t.Run("looks up dex-encoded user IDs by original ID", func(t *testing.T) {
-		dexEncodedID := dex.EncodeDexUserID("original-idp-id", "my-connector")
-
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: dexEncodedID, AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "original-idp-id", Email: "user@example.com", Name: "User"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		require.Len(t, ms.updateInfoCalls, 1)
-		assert.Equal(t, dexEncodedID, ms.updateInfoCalls[0].UserID)
-		assert.Equal(t, "user@example.com", ms.updateInfoCalls[0].Email)
-		assert.Equal(t, "User", ms.updateInfoCalls[0].Name)
-	})
-
-	t.Run("handles multiple users across multiple accounts", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-					{Id: "user-2", AccountID: "acc-1", Email: "already@set.com", Name: "Already Set"},
-					{Id: "user-3", AccountID: "acc-2", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {
-						{ID: "user-1", Email: "u1@example.com", Name: "User 1"},
-						{ID: "user-2", Email: "u2@example.com", Name: "User 2"},
-					},
-					"acc-2": {
-						{ID: "user-3", Email: "u3@example.com", Name: "User 3"},
-					},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		require.Len(t, ms.updateInfoCalls, 2)
-		assert.Equal(t, "user-1", ms.updateInfoCalls[0].UserID)
-		assert.Equal(t, "u1@example.com", ms.updateInfoCalls[0].Email)
-		assert.Equal(t, "user-3", ms.updateInfoCalls[1].UserID)
-		assert.Equal(t, "u3@example.com", ms.updateInfoCalls[1].Email)
-	})
-
-	t.Run("returns error when UpdateUserInfo fails", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-			updateUserInfoFunc: func(ctx context.Context, userID, email, name string) error {
-				return fmt.Errorf("db write error")
-			},
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "user-1", Email: "u1@example.com", Name: "User 1"}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to update user info for user-1")
-	})
-
-	t.Run("stops on first UpdateUserInfo error", func(t *testing.T) {
-		callCount := 0
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-					{Id: "user-2", AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-			updateUserInfoFunc: func(ctx context.Context, userID, email, name string) error {
-				callCount++
-				return fmt.Errorf("db write error")
-			},
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {
-						{ID: "user-1", Email: "u1@example.com", Name: "U1"},
-						{ID: "user-2", Email: "u2@example.com", Name: "U2"},
-					},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.Error(t, err)
-		assert.Equal(t, 1, callCount)
-	})
-
-	t.Run("dry run does not call UpdateUserInfo", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-					{Id: "user-2", AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-			updateUserInfoFunc: func(ctx context.Context, userID, email, name string) error {
-				t.Fatal("UpdateUserInfo should not be called in dry-run mode")
-				return nil
-			},
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {
-						{ID: "user-1", Email: "u1@example.com", Name: "U1"},
-						{ID: "user-2", Email: "u2@example.com", Name: "U2"},
-					},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, true)
-		assert.NoError(t, err)
-		assert.Empty(t, ms.updateInfoCalls)
-	})
-
-	t.Run("skips user when IDP has empty email and name too", func(t *testing.T) {
-		ms := &testStore{
-			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
-				return []*types.User{
-					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
-				}, nil
-			},
-			updateUserIDFunc: noopUpdateID,
-		}
-		mockIDP := &idp.MockIDP{
-			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
-				return map[string][]*idp.UserData{
-					"acc-1": {{ID: "user-1", Email: "", Name: ""}},
-				}, nil
-			},
-		}
-
-		srv := &testServer{store: ms}
-		err := PopulateUserInfo(srv, mockIDP, false)
-		assert.NoError(t, err)
-		assert.Empty(t, ms.updateInfoCalls)
-	})
-}
-
-func TestSchemaError_String(t *testing.T) {
-	t.Run("missing table", func(t *testing.T) {
-		e := SchemaError{Table: "jobs"}
-		assert.Equal(t, `table "jobs" is missing`, e.String())
-	})
-
-	t.Run("missing column", func(t *testing.T) {
-		e := SchemaError{Table: "users", Column: "email"}
-		assert.Equal(t, `column "email" on table "users" is missing`, e.String())
-	})
-}
-
-func TestRequiredSchema(t *testing.T) {
-	// Verify RequiredSchema covers all the tables touched by UpdateUserID and UpdateUserInfo.
-	expectedTables := []string{
-		"users",
-		"personal_access_tokens",
-		"peers",
-		"accounts",
-		"user_invites",
-		"proxy_access_tokens",
-		"jobs",
-	}
-
-	schemaTableNames := make([]string, len(RequiredSchema))
-	for i, s := range RequiredSchema {
-		schemaTableNames[i] = s.Table
-	}
-
-	for _, expected := range expectedTables {
-		assert.Contains(t, schemaTableNames, expected, "RequiredSchema should include table %q", expected)
-	}
-}
-
-func TestCheckSchema_MockStore(t *testing.T) {
-	t.Run("returns nil when all schema exists", func(t *testing.T) {
-		ms := &testStore{
-			checkSchemaFunc: func(checks []SchemaCheck) []SchemaError {
-				return nil
-			},
-		}
-		errs := ms.CheckSchema(RequiredSchema)
-		assert.Empty(t, errs)
-	})
-
-	t.Run("returns errors for missing tables", func(t *testing.T) {
-		ms := &testStore{
-			checkSchemaFunc: func(checks []SchemaCheck) []SchemaError {
-				return []SchemaError{
-					{Table: "jobs"},
-					{Table: "proxy_access_tokens"},
-				}
-			},
-		}
-		errs := ms.CheckSchema(RequiredSchema)
-		require.Len(t, errs, 2)
-		assert.Equal(t, "jobs", errs[0].Table)
-		assert.Equal(t, "", errs[0].Column)
-		assert.Equal(t, "proxy_access_tokens", errs[1].Table)
-	})
-
-	t.Run("returns errors for missing columns", func(t *testing.T) {
-		ms := &testStore{
-			checkSchemaFunc: func(checks []SchemaCheck) []SchemaError {
-				return []SchemaError{
-					{Table: "users", Column: "email"},
-					{Table: "users", Column: "name"},
-				}
-			},
-		}
-		errs := ms.CheckSchema(RequiredSchema)
-		require.Len(t, errs, 2)
-		assert.Equal(t, "users", errs[0].Table)
-		assert.Equal(t, "email", errs[0].Column)
-	})
-}

management/server/idp/migration/store.go

@@ -1,82 +0,0 @@
-package migration
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// SchemaCheck represents a table and the columns required on it.
-type SchemaCheck struct {
-	Table   string
-	Columns []string
-}
-
-// RequiredSchema lists all tables and columns that the migration tool needs.
-// If any are missing, the user must upgrade their management server first so
-// that the automatic GORM migrations create them.
-var RequiredSchema = []SchemaCheck{
-	{Table: "users", Columns: []string{"id", "email", "name", "account_id"}},
-	{Table: "personal_access_tokens", Columns: []string{"user_id", "created_by"}},
-	{Table: "peers", Columns: []string{"user_id"}},
-	{Table: "accounts", Columns: []string{"created_by"}},
-	{Table: "user_invites", Columns: []string{"created_by"}},
-	{Table: "proxy_access_tokens", Columns: []string{"created_by"}},
-	{Table: "jobs", Columns: []string{"triggered_by"}},
-}
-
-// SchemaError describes a single missing table or column.
-type SchemaError struct {
-	Table  string
-	Column string // empty when the whole table is missing
-}
-
-func (e SchemaError) String() string {
-	if e.Column == "" {
-		return fmt.Sprintf("table %q is missing", e.Table)
-	}
-	return fmt.Sprintf("column %q on table %q is missing", e.Column, e.Table)
-}
-
-// Store defines the data store operations required for IdP user migration.
-// This interface is separate from the main store.Store interface because these methods
-// are only used during one-time migration and should be removed once migration tooling
-// is no longer needed.
-//
-// The SQL store implementations (SqlStore) already have these methods on their concrete
-// types, so they satisfy this interface via Go's structural typing with zero code changes.
-type Store interface {
-	// ListUsers returns all users across all accounts.
-	ListUsers(ctx context.Context) ([]*types.User, error)
-
-	// UpdateUserID atomically updates a user's ID and all foreign key references
-	// across the database (peers, groups, policies, PATs, etc.).
-	UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error
-
-	// UpdateUserInfo updates a user's email and name in the store.
-	UpdateUserInfo(ctx context.Context, userID, email, name string) error
-
-	// CheckSchema verifies that all tables and columns required by the migration
-	// exist in the database. Returns a list of problems; an empty slice means OK.
-	CheckSchema(checks []SchemaCheck) []SchemaError
-}
-
-// RequiredEventSchema lists all tables and columns that the migration tool needs
-// in the activity/event store.
-var RequiredEventSchema = []SchemaCheck{
-	{Table: "events", Columns: []string{"initiator_id", "target_id"}},
-	{Table: "deleted_users", Columns: []string{"id"}},
-}
-
-// EventStore defines the activity event store operations required for migration.
-// Like Store, this is a temporary interface for migration tooling only.
-type EventStore interface {
-	// CheckSchema verifies that all tables and columns required by the migration
-	// exist in the event database. Returns a list of problems; an empty slice means OK.
-	CheckSchema(checks []SchemaCheck) []SchemaError
-
-	// UpdateUserID updates all event references (initiator_id, target_id) and
-	// deleted_users records to use the new user ID format.
-	UpdateUserID(ctx context.Context, oldUserID, newUserID string) error
-}

management/server/instance/manager.go

@@ -64,19 +64,10 @@ type Manager interface {
 	GetVersionInfo(ctx context.Context) (*VersionInfo, error)
 }
 
-type instanceStore interface {
-	GetAccountsCounter(ctx context.Context) (int64, error)
-}
-
-type embeddedIdP interface {
-	CreateUserWithPassword(ctx context.Context, email, password, name string) (*idp.UserData, error)
-	GetAllAccounts(ctx context.Context) (map[string][]*idp.UserData, error)
-}
-
 // DefaultManager is the default implementation of Manager.
 type DefaultManager struct {
-	store              instanceStore
-	embeddedIdpManager embeddedIdP
+	store              store.Store
+	embeddedIdpManager *idp.EmbeddedIdPManager
 
 	setupRequired bool
 	setupMu       sync.RWMutex
@@ -91,18 +82,18 @@ type DefaultManager struct {
 // NewManager creates a new instance manager.
 // If idpManager is not an EmbeddedIdPManager, setup-related operations will return appropriate defaults.
 func NewManager(ctx context.Context, store store.Store, idpManager idp.Manager) (Manager, error) {
-	embeddedIdp, ok := idpManager.(*idp.EmbeddedIdPManager)
+	embeddedIdp, _ := idpManager.(*idp.EmbeddedIdPManager)
 
 	m := &DefaultManager{
-		store:         store,
-		setupRequired: false,
+		store:              store,
+		embeddedIdpManager: embeddedIdp,
+		setupRequired:      false,
 		httpClient: &http.Client{
 			Timeout: httpTimeout,
 		},
 	}
 
-	if ok && embeddedIdp != nil {
-		m.embeddedIdpManager = embeddedIdp
+	if embeddedIdp != nil {
 		err := m.loadSetupRequired(ctx)
 		if err != nil {
 			return nil, err
@@ -152,27 +143,20 @@ func (m *DefaultManager) IsSetupRequired(_ context.Context) (bool, error) {
 // CreateOwnerUser creates the initial owner user in the embedded IDP.
 func (m *DefaultManager) CreateOwnerUser(ctx context.Context, email, password, name string) (*idp.UserData, error) {
 
-	if m.embeddedIdpManager == nil {
-		return nil, errors.New("embedded IDP is not enabled")
-	}
-
 	if err := m.validateSetupInfo(email, password, name); err != nil {
 		return nil, err
 	}
 
-	m.setupMu.Lock()
-	defer m.setupMu.Unlock()
-
-	if !m.setupRequired {
-		return nil, status.Errorf(status.PreconditionFailed, "setup already completed")
+	if m.embeddedIdpManager == nil {
+		return nil, errors.New("embedded IDP is not enabled")
 	}
 
-	if err := m.checkSetupRequiredFromDB(ctx); err != nil {
-		var sErr *status.Error
-		if errors.As(err, &sErr) && sErr.Type() == status.PreconditionFailed {
-			m.setupRequired = false
-		}
-		return nil, err
+	m.setupMu.RLock()
+	setupRequired := m.setupRequired
+	m.setupMu.RUnlock()
+
+	if !setupRequired {
+		return nil, status.Errorf(status.PreconditionFailed, "setup already completed")
 	}
 
 	userData, err := m.embeddedIdpManager.CreateUserWithPassword(ctx, email, password, name)
@@ -180,33 +164,15 @@ func (m *DefaultManager) CreateOwnerUser(ctx context.Context, email, password, n
 		return nil, fmt.Errorf("failed to create user in embedded IdP: %w", err)
 	}
 
+	m.setupMu.Lock()
 	m.setupRequired = false
+	m.setupMu.Unlock()
 
 	log.WithContext(ctx).Infof("created owner user %s in embedded IdP", email)
 
 	return userData, nil
 }
 
-func (m *DefaultManager) checkSetupRequiredFromDB(ctx context.Context) error {
-	numAccounts, err := m.store.GetAccountsCounter(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to check accounts: %w", err)
-	}
-	if numAccounts > 0 {
-		return status.Errorf(status.PreconditionFailed, "setup already completed")
-	}
-
-	users, err := m.embeddedIdpManager.GetAllAccounts(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to check IdP users: %w", err)
-	}
-	if len(users) > 0 {
-		return status.Errorf(status.PreconditionFailed, "setup already completed")
-	}
-
-	return nil
-}
-
 func (m *DefaultManager) validateSetupInfo(email, password, name string) error {
 	if email == "" {
 		return status.Errorf(status.InvalidArgument, "email is required")
@@ -223,9 +189,6 @@ func (m *DefaultManager) validateSetupInfo(email, password, name string) error {
 	if len(password) < 8 {
 		return status.Errorf(status.InvalidArgument, "password must be at least 8 characters")
 	}
-	if len(password) > 72 {
-		return status.Errorf(status.InvalidArgument, "password must be at most 72 characters")
-	}
 	return nil
 }
 

management/server/instance/manager_test.go

@@ -3,12 +3,7 @@ package instance
 import (
 	"context"
 	"errors"
-	"fmt"
-	"net/http"
-	"sync"
-	"sync/atomic"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -16,215 +11,173 @@ import (
 	"github.com/netbirdio/netbird/management/server/idp"
 )
 
-type mockIdP struct {
-	mu              sync.Mutex
-	createUserFunc  func(ctx context.Context, email, password, name string) (*idp.UserData, error)
-	users           map[string][]*idp.UserData
-	getAllAccountsErr error
-}
-
-func (m *mockIdP) CreateUserWithPassword(ctx context.Context, email, password, name string) (*idp.UserData, error) {
-	if m.createUserFunc != nil {
-		return m.createUserFunc(ctx, email, password, name)
-	}
-	return &idp.UserData{ID: "test-user-id", Email: email, Name: name}, nil
-}
-
-func (m *mockIdP) GetAllAccounts(_ context.Context) (map[string][]*idp.UserData, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	if m.getAllAccountsErr != nil {
-		return nil, m.getAllAccountsErr
-	}
-	return m.users, nil
-}
-
+// mockStore implements a minimal store.Store for testing
 type mockStore struct {
 	accountsCount int64
 	err           error
 }
 
-func (m *mockStore) GetAccountsCounter(_ context.Context) (int64, error) {
+func (m *mockStore) GetAccountsCounter(ctx context.Context) (int64, error) {
 	if m.err != nil {
 		return 0, m.err
 	}
 	return m.accountsCount, nil
 }
 
-func newTestManager(idpMock *mockIdP, storeMock *mockStore) *DefaultManager {
-	return &DefaultManager{
-		store:              storeMock,
-		embeddedIdpManager: idpMock,
-		setupRequired:      true,
-		httpClient:         &http.Client{Timeout: httpTimeout},
+// mockEmbeddedIdPManager wraps the real EmbeddedIdPManager for testing
+type mockEmbeddedIdPManager struct {
+	createUserFunc func(ctx context.Context, email, password, name string) (*idp.UserData, error)
+}
+
+func (m *mockEmbeddedIdPManager) CreateUserWithPassword(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+	if m.createUserFunc != nil {
+		return m.createUserFunc(ctx, email, password, name)
 	}
+	return &idp.UserData{
+		ID:    "test-user-id",
+		Email: email,
+		Name:  name,
+	}, nil
+}
+
+// testManager is a test implementation that accepts our mock types
+type testManager struct {
+	store              *mockStore
+	embeddedIdpManager *mockEmbeddedIdPManager
+}
+
+func (m *testManager) IsSetupRequired(ctx context.Context) (bool, error) {
+	if m.embeddedIdpManager == nil {
+		return false, nil
+	}
+
+	count, err := m.store.GetAccountsCounter(ctx)
+	if err != nil {
+		return false, err
+	}
+
+	return count == 0, nil
+}
+
+func (m *testManager) CreateOwnerUser(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+	if m.embeddedIdpManager == nil {
+		return nil, errors.New("embedded IDP is not enabled")
+	}
+
+	return m.embeddedIdpManager.CreateUserWithPassword(ctx, email, password, name)
+}
+
+func TestIsSetupRequired_EmbeddedIdPDisabled(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 0},
+		embeddedIdpManager: nil, // No embedded IDP
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.False(t, required, "setup should not be required when embedded IDP is disabled")
+}
+
+func TestIsSetupRequired_NoAccounts(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 0},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.True(t, required, "setup should be required when no accounts exist")
+}
+
+func TestIsSetupRequired_AccountsExist(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 1},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.False(t, required, "setup should not be required when accounts exist")
+}
+
+func TestIsSetupRequired_MultipleAccounts(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 5},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.False(t, required, "setup should not be required when multiple accounts exist")
+}
+
+func TestIsSetupRequired_StoreError(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{err: errors.New("database error")},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	_, err := manager.IsSetupRequired(context.Background())
+	assert.Error(t, err, "should return error when store fails")
 }
 
 func TestCreateOwnerUser_Success(t *testing.T) {
-	idpMock := &mockIdP{}
-	mgr := newTestManager(idpMock, &mockStore{})
+	expectedEmail := "admin@example.com"
+	expectedName := "Admin User"
+	expectedPassword := "securepassword123"
 
-	userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	manager := &testManager{
+		store: &mockStore{accountsCount: 0},
+		embeddedIdpManager: &mockEmbeddedIdPManager{
+			createUserFunc: func(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+				assert.Equal(t, expectedEmail, email)
+				assert.Equal(t, expectedPassword, password)
+				assert.Equal(t, expectedName, name)
+				return &idp.UserData{
+					ID:    "created-user-id",
+					Email: email,
+					Name:  name,
+				}, nil
+			},
+		},
+	}
+
+	userData, err := manager.CreateOwnerUser(context.Background(), expectedEmail, expectedPassword, expectedName)
 	require.NoError(t, err)
-	assert.Equal(t, "admin@example.com", userData.Email)
-
-	_, err = mgr.CreateOwnerUser(context.Background(), "admin2@example.com", "password123", "Admin2")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
-}
-
-func TestCreateOwnerUser_SetupAlreadyCompleted(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{})
-	mgr.setupRequired = false
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
+	assert.Equal(t, "created-user-id", userData.ID)
+	assert.Equal(t, expectedEmail, userData.Email)
+	assert.Equal(t, expectedName, userData.Name)
 }
 
 func TestCreateOwnerUser_EmbeddedIdPDisabled(t *testing.T) {
-	mgr := &DefaultManager{setupRequired: true}
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 0},
+		embeddedIdpManager: nil,
+	}
 
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
+	_, err := manager.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	assert.Error(t, err, "should return error when embedded IDP is disabled")
 	assert.Contains(t, err.Error(), "embedded IDP is not enabled")
 }
 
 func TestCreateOwnerUser_IdPError(t *testing.T) {
-	idpMock := &mockIdP{
-		createUserFunc: func(_ context.Context, _, _, _ string) (*idp.UserData, error) {
-			return nil, errors.New("provider error")
+	manager := &testManager{
+		store: &mockStore{accountsCount: 0},
+		embeddedIdpManager: &mockEmbeddedIdPManager{
+			createUserFunc: func(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+				return nil, errors.New("user already exists")
+			},
 		},
 	}
-	mgr := newTestManager(idpMock, &mockStore{})
 
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "provider error")
-
-	required, _ := mgr.IsSetupRequired(context.Background())
-	assert.True(t, required, "setup should still be required after IdP error")
-}
-
-func TestCreateOwnerUser_TransientDBError_DoesNotBlockSetup(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{err: errors.New("connection refused")})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "connection refused")
-
-	required, _ := mgr.IsSetupRequired(context.Background())
-	assert.True(t, required, "setup should still be required after transient DB error")
-
-	mgr.store = &mockStore{}
-	userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.NoError(t, err)
-	assert.Equal(t, "admin@example.com", userData.Email)
-}
-
-func TestCreateOwnerUser_TransientIdPError_DoesNotBlockSetup(t *testing.T) {
-	idpMock := &mockIdP{getAllAccountsErr: errors.New("connection reset")}
-	mgr := newTestManager(idpMock, &mockStore{})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "connection reset")
-
-	required, _ := mgr.IsSetupRequired(context.Background())
-	assert.True(t, required, "setup should still be required after transient IdP error")
-
-	idpMock.getAllAccountsErr = nil
-	userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.NoError(t, err)
-	assert.Equal(t, "admin@example.com", userData.Email)
-}
-
-func TestCreateOwnerUser_DBCheckBlocksConcurrent(t *testing.T) {
-	idpMock := &mockIdP{
-		users: map[string][]*idp.UserData{
-			"acc1": {{ID: "existing-user"}},
-		},
-	}
-	mgr := newTestManager(idpMock, &mockStore{})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
-}
-
-func TestCreateOwnerUser_DBCheckBlocksWhenAccountsExist(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{accountsCount: 1})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
-}
-
-func TestCreateOwnerUser_ConcurrentRequests(t *testing.T) {
-	var idpCallCount atomic.Int32
-	var successCount atomic.Int32
-	var failCount atomic.Int32
-
-	idpMock := &mockIdP{
-		createUserFunc: func(_ context.Context, email, _, _ string) (*idp.UserData, error) {
-			idpCallCount.Add(1)
-			time.Sleep(50 * time.Millisecond)
-			return &idp.UserData{ID: "user-1", Email: email, Name: "Owner"}, nil
-		},
-	}
-	mgr := newTestManager(idpMock, &mockStore{})
-
-	var wg sync.WaitGroup
-	for i := range 10 {
-		wg.Add(1)
-		go func(idx int) {
-			defer wg.Done()
-			_, err := mgr.CreateOwnerUser(
-				context.Background(),
-				fmt.Sprintf("owner%d@example.com", idx),
-				"password1234",
-				fmt.Sprintf("Owner%d", idx),
-			)
-			if err != nil {
-				failCount.Add(1)
-			} else {
-				successCount.Add(1)
-			}
-		}(i)
-	}
-	wg.Wait()
-
-	assert.Equal(t, int32(1), successCount.Load(), "exactly one concurrent setup request should succeed")
-	assert.Equal(t, int32(9), failCount.Load(), "remaining concurrent requests should fail")
-	assert.Equal(t, int32(1), idpCallCount.Load(), "IdP CreateUser should be called exactly once")
-}
-
-func TestIsSetupRequired_EmbeddedIdPDisabled(t *testing.T) {
-	mgr := &DefaultManager{}
-
-	required, err := mgr.IsSetupRequired(context.Background())
-	require.NoError(t, err)
-	assert.False(t, required)
-}
-
-func TestIsSetupRequired_ReturnsFlag(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{})
-
-	required, err := mgr.IsSetupRequired(context.Background())
-	require.NoError(t, err)
-	assert.True(t, required)
-
-	mgr.setupMu.Lock()
-	mgr.setupRequired = false
-	mgr.setupMu.Unlock()
-
-	required, err = mgr.IsSetupRequired(context.Background())
-	require.NoError(t, err)
-	assert.False(t, required)
+	_, err := manager.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	assert.Error(t, err, "should return error when IDP fails")
 }
 
 func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
-	manager := &DefaultManager{setupRequired: true}
+	manager := &DefaultManager{
+		setupRequired: true,
+	}
 
 	tests := []struct {
 		name        string
@@ -235,10 +188,11 @@ func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
 		errorMsg    string
 	}{
 		{
-			name:     "valid request",
-			email:    "admin@example.com",
-			password: "password123",
-			userName: "Admin User",
+			name:        "valid request",
+			email:       "admin@example.com",
+			password:    "password123",
+			userName:    "Admin User",
+			expectError: false,
 		},
 		{
 			name:        "empty email",
@@ -281,24 +235,11 @@ func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
 			errorMsg:    "password must be at least 8 characters",
 		},
 		{
-			name:     "password exactly 8 characters",
-			email:    "admin@example.com",
-			password: "12345678",
-			userName: "Admin User",
-		},
-		{
-			name:     "password exactly 72 characters",
-			email:    "admin@example.com",
-			password: "aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhhiiiiiiii",
-			userName: "Admin User",
-		},
-		{
-			name:        "password too long",
+			name:        "password exactly 8 characters",
 			email:       "admin@example.com",
-			password:    "aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhhiiiiiiiij",
+			password:    "12345678",
 			userName:    "Admin User",
-			expectError: true,
-			errorMsg:    "password must be at most 72 characters",
+			expectError: false,
 		},
 	}
 
@@ -314,3 +255,14 @@ func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultManager_CreateOwnerUser_SetupAlreadyCompleted(t *testing.T) {
+	manager := &DefaultManager{
+		setupRequired:      false,
+		embeddedIdpManager: &idp.EmbeddedIdPManager{},
+	}
+
+	_, err := manager.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "setup already completed")
+}

management/server/posture_checks.go

@@ -84,7 +84,7 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 
 // DeletePostureChecks deletes a posture check by ID.
 func (am *DefaultAccountManager) DeletePostureChecks(ctx context.Context, accountID, postureChecksID, userID string) error {
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/store/sql_store_idp_migration.go

@@ -1,177 +0,0 @@
-package store
-
-// This file contains migration-only methods on SqlStore.
-// They satisfy the migration.Store interface via duck typing.
-// Delete this file when migration tooling is no longer needed.
-
-import (
-	"context"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"gorm.io/gorm"
-
-	"github.com/netbirdio/netbird/management/server/idp/migration"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-func (s *SqlStore) CheckSchema(checks []migration.SchemaCheck) []migration.SchemaError {
-	migrator := s.db.Migrator()
-	var errs []migration.SchemaError
-
-	for _, check := range checks {
-		if !migrator.HasTable(check.Table) {
-			errs = append(errs, migration.SchemaError{Table: check.Table})
-			continue
-		}
-		for _, col := range check.Columns {
-			if !migrator.HasColumn(check.Table, col) {
-				errs = append(errs, migration.SchemaError{Table: check.Table, Column: col})
-			}
-		}
-	}
-
-	return errs
-}
-
-func (s *SqlStore) ListUsers(ctx context.Context) ([]*types.User, error) {
-	tx := s.db
-	var users []*types.User
-	result := tx.Find(&users)
-	if result.Error != nil {
-		log.WithContext(ctx).Errorf("error when listing users from the store: %s", result.Error)
-		return nil, status.Errorf(status.Internal, "issue listing users from store")
-	}
-
-	for _, user := range users {
-		if err := user.DecryptSensitiveData(s.fieldEncrypt); err != nil {
-			return nil, fmt.Errorf("decrypt user: %w", err)
-		}
-	}
-
-	return users, nil
-}
-
-// txDeferFKConstraints defers foreign key constraint checks for the duration of the transaction.
-// MySQL is already handled by s.transaction (SET FOREIGN_KEY_CHECKS = 0).
-func (s *SqlStore) txDeferFKConstraints(tx *gorm.DB) error {
-	if s.storeEngine == types.SqliteStoreEngine {
-		return tx.Exec("PRAGMA defer_foreign_keys = ON").Error
-	}
-
-	if s.storeEngine != types.PostgresStoreEngine {
-		return nil
-	}
-
-	// GORM creates FK constraints as NOT DEFERRABLE by default, so
-	// SET CONSTRAINTS ALL DEFERRED is a no-op unless we ALTER them first.
-	err := tx.Exec(`
-			DO $$ DECLARE r RECORD;
-			BEGIN
-				FOR r IN SELECT conname, conrelid::regclass AS tbl
-				         FROM pg_constraint WHERE contype = 'f' AND NOT condeferrable
-				LOOP
-					EXECUTE format('ALTER TABLE %s ALTER CONSTRAINT %I DEFERRABLE INITIALLY IMMEDIATE', r.tbl, r.conname);
-				END LOOP;
-			END $$
-		`).Error
-	if err != nil {
-		return fmt.Errorf("make FK constraints deferrable: %w", err)
-	}
-	return tx.Exec("SET CONSTRAINTS ALL DEFERRED").Error
-}
-
-// txRestoreFKConstraints reverts FK constraints back to NOT DEFERRABLE after the
-// deferred updates are done but before the transaction commits.
-func (s *SqlStore) txRestoreFKConstraints(tx *gorm.DB) error {
-	if s.storeEngine != types.PostgresStoreEngine {
-		return nil
-	}
-
-	return tx.Exec(`
-		DO $$ DECLARE r RECORD;
-		BEGIN
-			FOR r IN SELECT conname, conrelid::regclass AS tbl
-			         FROM pg_constraint WHERE contype = 'f' AND condeferrable
-			LOOP
-				EXECUTE format('ALTER TABLE %s ALTER CONSTRAINT %I NOT DEFERRABLE', r.tbl, r.conname);
-			END LOOP;
-		END $$
-	`).Error
-}
-
-func (s *SqlStore) UpdateUserInfo(ctx context.Context, userID, email, name string) error {
-	user := &types.User{Email: email, Name: name}
-	if err := user.EncryptSensitiveData(s.fieldEncrypt); err != nil {
-		return fmt.Errorf("encrypt user info: %w", err)
-	}
-
-	result := s.db.Model(&types.User{}).Where("id = ?", userID).Updates(map[string]any{
-		"email": user.Email,
-		"name":  user.Name,
-	})
-	if result.Error != nil {
-		log.WithContext(ctx).Errorf("error updating user info for %s: %s", userID, result.Error)
-		return status.Errorf(status.Internal, "failed to update user info")
-	}
-
-	return nil
-}
-
-func (s *SqlStore) UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error {
-	type fkUpdate struct {
-		model  any
-		column string
-		where  string
-	}
-
-	updates := []fkUpdate{
-		{&types.PersonalAccessToken{}, "user_id", "user_id = ?"},
-		{&types.PersonalAccessToken{}, "created_by", "created_by = ?"},
-		{&nbpeer.Peer{}, "user_id", "user_id = ?"},
-		{&types.UserInviteRecord{}, "created_by", "created_by = ?"},
-		{&types.Account{}, "created_by", "created_by = ?"},
-		{&types.ProxyAccessToken{}, "created_by", "created_by = ?"},
-		{&types.Job{}, "triggered_by", "triggered_by = ?"},
-	}
-
-	log.Info("Updating user ID in the store")
-	err := s.transaction(func(tx *gorm.DB) error {
-		if err := s.txDeferFKConstraints(tx); err != nil {
-			return err
-		}
-
-		for _, u := range updates {
-			if err := tx.Model(u.model).Where(u.where, oldUserID).Update(u.column, newUserID).Error; err != nil {
-				return fmt.Errorf("update %s: %w", u.column, err)
-			}
-		}
-
-		if err := tx.Model(&types.User{}).Where(accountAndIDQueryCondition, accountID, oldUserID).Update("id", newUserID).Error; err != nil {
-			return fmt.Errorf("update users: %w", err)
-		}
-
-		return nil
-	})
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to update user ID in the store: %s", err)
-		return status.Errorf(status.Internal, "failed to update user ID in store")
-	}
-
-	log.Info("Restoring FK constraints")
-	err = s.transaction(func(tx *gorm.DB) error {
-		if err := s.txRestoreFKConstraints(tx); err != nil {
-			return fmt.Errorf("restore FK constraints: %w", err)
-		}
-
-		return nil
-	})
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to restore FK constraints after user ID update: %s", err)
-		return status.Errorf(status.Internal, "failed to restore FK constraints after user ID update")
-	}
-
-	return nil
-}

management/server/types/account_test.go

@@ -84,12 +84,6 @@ func setupTestAccount() *Account {
 			},
 		},
 		Groups: map[string]*Group{
-			"groupAll": {
-				ID:    "groupAll",
-				Name:  "All",
-				Peers: []string{"peer1", "peer2", "peer3", "peer11", "peer12", "peer21", "peer31", "peer32", "peer41", "peer51", "peer61"},
-				Issued: GroupIssuedAPI,
-			},
 			"group1": {
 				ID:    "group1",
 				Peers: []string{"peer11", "peer12"},

management/server/user.go

@@ -417,10 +417,6 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
 		return nil, err
 	}
 
-	if targetUser.AccountID != accountID {
-		return nil, status.NewPermissionDeniedError()
-	}
-
 	// @note this is essential to prevent non admin users with Pats create permission frpm creating one for a service user
 	if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
 		return nil, status.NewAdminPermissionError()
@@ -461,10 +457,6 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string
 		return err
 	}
 
-	if targetUser.AccountID != accountID {
-		return status.NewPermissionDeniedError()
-	}
-
 	if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
 		return status.NewAdminPermissionError()
 	}
@@ -504,10 +496,6 @@ func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, i
 		return nil, err
 	}
 
-	if targetUser.AccountID != accountID {
-		return nil, status.NewPermissionDeniedError()
-	}
-
 	if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
 		return nil, status.NewAdminPermissionError()
 	}
@@ -535,10 +523,6 @@ func (am *DefaultAccountManager) GetAllPATs(ctx context.Context, accountID strin
 		return nil, err
 	}
 
-	if targetUser.AccountID != accountID {
-		return nil, status.NewPermissionDeniedError()
-	}
-
 	if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
 		return nil, status.NewAdminPermissionError()
 	}
@@ -780,15 +764,9 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
 	updatedUser.Role = update.Role
 	updatedUser.Blocked = update.Blocked
 	updatedUser.AutoGroups = update.AutoGroups
-	// these fields can't be set via API, only via direct call to the method
+	// these two fields can't be set via API, only via direct call to the method
 	updatedUser.Issued = update.Issued
 	updatedUser.IntegrationReference = update.IntegrationReference
-	if update.Name != "" {
-		updatedUser.Name = update.Name
-	}
-	if update.Email != "" {
-		updatedUser.Email = update.Email
-	}
 
 	var transferredOwnerRole bool
 	result, err := handleOwnerRoleTransfer(ctx, transaction, initiatorUser, update)

management/server/user_test.go

@@ -336,104 +336,6 @@ func TestUser_GetAllPATs(t *testing.T) {
 	assert.Equal(t, 2, len(pats))
 }
 
-func TestUser_PAT_CrossAccountProtection(t *testing.T) {
-	const (
-		accountAID     = "accountA"
-		accountBID     = "accountB"
-		userAID        = "userA"
-		adminBID       = "adminB"
-		serviceUserBID = "serviceUserB"
-		regularUserBID = "regularUserB"
-		tokenBID       = "tokenB1"
-		hashedTokenB   = "SoMeHaShEdToKeNB"
-	)
-
-	setupStore := func(t *testing.T) (*DefaultAccountManager, func()) {
-		t.Helper()
-
-		s, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-		require.NoError(t, err, "creating store")
-
-		accountA := newAccountWithId(context.Background(), accountAID, userAID, "", "", "", false)
-		require.NoError(t, s.SaveAccount(context.Background(), accountA))
-
-		accountB := newAccountWithId(context.Background(), accountBID, adminBID, "", "", "", false)
-		accountB.Users[serviceUserBID] = &types.User{
-			Id:              serviceUserBID,
-			AccountID:       accountBID,
-			IsServiceUser:   true,
-			ServiceUserName: "svcB",
-			Role:            types.UserRoleAdmin,
-			PATs: map[string]*types.PersonalAccessToken{
-				tokenBID: {
-					ID:          tokenBID,
-					HashedToken: hashedTokenB,
-				},
-			},
-		}
-		accountB.Users[regularUserBID] = &types.User{
-			Id:        regularUserBID,
-			AccountID: accountBID,
-			Role:      types.UserRoleUser,
-		}
-		require.NoError(t, s.SaveAccount(context.Background(), accountB))
-
-		pm := permissions.NewManager(s)
-		am := &DefaultAccountManager{
-			Store:              s,
-			eventStore:         &activity.InMemoryEventStore{},
-			permissionsManager: pm,
-		}
-		return am, cleanup
-	}
-
-	t.Run("CreatePAT for user in different account is denied", func(t *testing.T) {
-		am, cleanup := setupStore(t)
-		t.Cleanup(cleanup)
-
-		_, err := am.CreatePAT(context.Background(), accountAID, userAID, serviceUserBID, "xss-token", 7)
-		require.Error(t, err, "cross-account CreatePAT must fail")
-
-		_, err = am.CreatePAT(context.Background(), accountAID, userAID, regularUserBID, "xss-token", 7)
-		require.Error(t, err, "cross-account CreatePAT for regular user must fail")
-
-		_, err = am.CreatePAT(context.Background(), accountBID, adminBID, serviceUserBID, "legit-token", 7)
-		require.NoError(t, err, "same-account CreatePAT should succeed")
-	})
-
-	t.Run("DeletePAT for user in different account is denied", func(t *testing.T) {
-		am, cleanup := setupStore(t)
-		t.Cleanup(cleanup)
-
-		err := am.DeletePAT(context.Background(), accountAID, userAID, serviceUserBID, tokenBID)
-		require.Error(t, err, "cross-account DeletePAT must fail")
-	})
-
-	t.Run("GetPAT for user in different account is denied", func(t *testing.T) {
-		am, cleanup := setupStore(t)
-		t.Cleanup(cleanup)
-
-		_, err := am.GetPAT(context.Background(), accountAID, userAID, serviceUserBID, tokenBID)
-		require.Error(t, err, "cross-account GetPAT must fail")
-	})
-
-	t.Run("GetAllPATs for user in different account is denied", func(t *testing.T) {
-		am, cleanup := setupStore(t)
-		t.Cleanup(cleanup)
-
-		_, err := am.GetAllPATs(context.Background(), accountAID, userAID, serviceUserBID)
-		require.Error(t, err, "cross-account GetAllPATs must fail")
-	})
-
-	t.Run("CreatePAT with forged accountID targeting foreign user is denied", func(t *testing.T) {
-		am, cleanup := setupStore(t)
-		t.Cleanup(cleanup)
-
-		_, err := am.CreatePAT(context.Background(), accountAID, userAID, adminBID, "forged", 7)
-		require.Error(t, err, "forged accountID CreatePAT must fail")
-	})
-}
-
 func TestUser_Copy(t *testing.T) {
 	// this is an imaginary case which will never be in DB this way
 	user := types.User{

proxy/cmd/proxy/main.go

@@ -1,13 +1,8 @@
 package main
 
 import (
-	"net/http"
-	// nolint:gosec
-	_ "net/http/pprof"
 	"runtime"
 
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/proxy/cmd/proxy/cmd"
 )
 
@@ -26,9 +21,6 @@ var (
 )
 
 func main() {
-	go func() {
-		log.Println(http.ListenAndServe("localhost:6060", nil))
-	}()
 	cmd.SetVersionInfo(Version, Commit, BuildDate, GoVersion)
 	cmd.Execute()
 }

shared/auth/jwt/validator.go

@@ -25,7 +25,7 @@ import (
 // Jwks is a collection of JSONWebKey obtained from Config.HttpServerConfig.AuthKeysLocation
 type Jwks struct {
 	Keys          []JSONWebKey `json:"keys"`
-	ExpiresInTime time.Time    `json:"-"`
+	expiresInTime time.Time
 }
 
 // The supported elliptic curves types
@@ -53,17 +53,12 @@ type JSONWebKey struct {
 	X5c []string `json:"x5c"`
 }
 
-// KeyFetcher is a function that retrieves JWKS keys directly (e.g., from Dex storage)
-// bypassing HTTP. When set on a Validator, it is used instead of the HTTP-based getPemKeys.
-type KeyFetcher func(ctx context.Context) (*Jwks, error)
-
 type Validator struct {
 	lock                     sync.Mutex
 	issuer                   string
 	audienceList             []string
 	keysLocation             string
 	idpSignkeyRefreshEnabled bool
-	keyFetcher               KeyFetcher
 	keys                     *Jwks
 	lastForcedRefresh        time.Time
 }
@@ -90,39 +85,10 @@ func NewValidator(issuer string, audienceList []string, keysLocation string, idp
 	}
 }
 
-// NewValidatorWithKeyFetcher creates a Validator that fetches keys directly using the
-// provided KeyFetcher (e.g., from Dex storage) instead of via HTTP.
-func NewValidatorWithKeyFetcher(issuer string, audienceList []string, keyFetcher KeyFetcher) *Validator {
-	ctx := context.Background()
-	keys, err := keyFetcher(ctx)
-	if err != nil {
-		log.Warnf("could not get keys from key fetcher: %s, it will try again on the next http request", err)
-	}
-	if keys == nil {
-		keys = &Jwks{}
-	}
-
-	return &Validator{
-		keys:                     keys,
-		issuer:                   issuer,
-		audienceList:             audienceList,
-		idpSignkeyRefreshEnabled: true,
-		keyFetcher:               keyFetcher,
-	}
-}
-
 // forcedRefreshCooldown is the minimum time between forced key refreshes
 // to prevent abuse from invalid tokens with fake kid values
 const forcedRefreshCooldown = 30 * time.Second
 
-// fetchKeys retrieves keys using the keyFetcher if available, otherwise falls back to HTTP.
-func (v *Validator) fetchKeys(ctx context.Context) (*Jwks, error) {
-	if v.keyFetcher != nil {
-		return v.keyFetcher(ctx)
-	}
-	return getPemKeys(v.keysLocation)
-}
-
 func (v *Validator) getKeyFunc(ctx context.Context) jwt.Keyfunc {
 	return func(token *jwt.Token) (interface{}, error) {
 		// If keys are rotated, verify the keys prior to token validation
@@ -165,13 +131,13 @@ func (v *Validator) refreshKeys(ctx context.Context) {
 	v.lock.Lock()
 	defer v.lock.Unlock()
 
-	refreshedKeys, err := v.fetchKeys(ctx)
+	refreshedKeys, err := getPemKeys(v.keysLocation)
 	if err != nil {
 		log.WithContext(ctx).Debugf("cannot get JSONWebKey: %v, falling back to old keys", err)
 		return
 	}
 
-	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.ExpiresInTime.UTC())
+	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.expiresInTime.UTC())
 	v.keys = refreshedKeys
 }
 
@@ -189,13 +155,13 @@ func (v *Validator) forceRefreshKeys(ctx context.Context) bool {
 
 	log.WithContext(ctx).Debugf("key not found in cache, forcing JWKS refresh")
 
-	refreshedKeys, err := v.fetchKeys(ctx)
+	refreshedKeys, err := getPemKeys(v.keysLocation)
 	if err != nil {
 		log.WithContext(ctx).Debugf("cannot get JSONWebKey: %v, falling back to old keys", err)
 		return false
 	}
 
-	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.ExpiresInTime.UTC())
+	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.expiresInTime.UTC())
 	v.keys = refreshedKeys
 	v.lastForcedRefresh = time.Now()
 	return true
@@ -237,7 +203,7 @@ func (v *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.To
 
 // stillValid returns true if the JSONWebKey still valid and have enough time to be used
 func (jwks *Jwks) stillValid() bool {
-	return !jwks.ExpiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(jwks.ExpiresInTime)
+	return !jwks.expiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(jwks.expiresInTime)
 }
 
 func getPemKeys(keysLocation string) (*Jwks, error) {
@@ -261,7 +227,7 @@ func getPemKeys(keysLocation string) (*Jwks, error) {
 
 	cacheControlHeader := resp.Header.Get("Cache-Control")
 	expiresIn := getMaxAgeFromCacheHeader(cacheControlHeader)
-	jwks.ExpiresInTime = time.Now().Add(time.Duration(expiresIn) * time.Second)
+	jwks.expiresInTime = time.Now().Add(time.Duration(expiresIn) * time.Second)
 
 	return jwks, nil
 }

shared/management/client/client_test.go

@@ -569,5 +569,5 @@ func Test_GetPKCEAuthorizationFlow(t *testing.T) {
 	}
 
 	assert.Equal(t, expectedFlowInfo.ProviderConfig.ClientID, flowInfo.ProviderConfig.ClientID, "provider configured client ID should match")
-	assert.Equal(t, expectedFlowInfo.ProviderConfig.ClientSecret, flowInfo.ProviderConfig.ClientSecret, "provider configured client secret should match") //nolint:staticcheck
+	assert.Equal(t, expectedFlowInfo.ProviderConfig.ClientSecret, flowInfo.ProviderConfig.ClientSecret, "provider configured client secret should match")
 }

shared/management/client/rest/edr.go

@@ -265,65 +265,6 @@ func (a *EDRAPI) DeleteHuntressIntegration(ctx context.Context) error {
 	return nil
 }
 
-// GetFleetDMIntegration retrieves the EDR FleetDM integration.
-func (a *EDRAPI) GetFleetDMIntegration(ctx context.Context) (*api.EDRFleetDMResponse, error) {
-	resp, err := a.c.NewRequest(ctx, "GET", "/api/integrations/edr/fleetdm", nil, nil)
-	if err != nil {
-		return nil, err
-	}
-	if resp.Body != nil {
-		defer resp.Body.Close()
-	}
-	ret, err := parseResponse[api.EDRFleetDMResponse](resp)
-	return &ret, err
-}
-
-// CreateFleetDMIntegration creates a new EDR FleetDM integration.
-func (a *EDRAPI) CreateFleetDMIntegration(ctx context.Context, request api.EDRFleetDMRequest) (*api.EDRFleetDMResponse, error) {
-	requestBytes, err := json.Marshal(request)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := a.c.NewRequest(ctx, "POST", "/api/integrations/edr/fleetdm", bytes.NewReader(requestBytes), nil)
-	if err != nil {
-		return nil, err
-	}
-	if resp.Body != nil {
-		defer resp.Body.Close()
-	}
-	ret, err := parseResponse[api.EDRFleetDMResponse](resp)
-	return &ret, err
-}
-
-// UpdateFleetDMIntegration updates an existing EDR FleetDM integration.
-func (a *EDRAPI) UpdateFleetDMIntegration(ctx context.Context, request api.EDRFleetDMRequest) (*api.EDRFleetDMResponse, error) {
-	requestBytes, err := json.Marshal(request)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := a.c.NewRequest(ctx, "PUT", "/api/integrations/edr/fleetdm", bytes.NewReader(requestBytes), nil)
-	if err != nil {
-		return nil, err
-	}
-	if resp.Body != nil {
-		defer resp.Body.Close()
-	}
-	ret, err := parseResponse[api.EDRFleetDMResponse](resp)
-	return &ret, err
-}
-
-// DeleteFleetDMIntegration deletes the EDR FleetDM integration.
-func (a *EDRAPI) DeleteFleetDMIntegration(ctx context.Context) error {
-	resp, err := a.c.NewRequest(ctx, "DELETE", "/api/integrations/edr/fleetdm", nil, nil)
-	if err != nil {
-		return err
-	}
-	if resp.Body != nil {
-		defer resp.Body.Close()
-	}
-	return nil
-}
-
 // BypassPeerCompliance bypasses compliance for a non-compliant peer
 // See more: https://docs.netbird.io/api/resources/edr#bypass-peer-compliance
 func (a *EDRAPI) BypassPeerCompliance(ctx context.Context, peerID string) (*api.BypassResponse, error) {

shared/management/http/api/openapi.yml

@@ -92,9 +92,6 @@ tags:
   - name: EDR Huntress Integrations
     description: Manage Huntress EDR integrations.
     x-cloud-only: true
-  - name: EDR FleetDM Integrations
-    description: Manage FleetDM EDR integrations.
-    x-cloud-only: true
   - name: EDR Peers
     description: Manage EDR compliance bypass for peers.
     x-cloud-only: true
@@ -4279,126 +4276,6 @@ components:
           description: Status of agent firewall. Can be one of Disabled, Enabled, Pending Isolation, Isolated, Pending Release.
           example: "Enabled"
 
-    EDRFleetDMRequest:
-      type: object
-      description: Request payload for creating or updating a FleetDM EDR integration
-      properties:
-        api_url:
-          type: string
-          description: FleetDM server URL
-        api_token:
-          type: string
-          description: FleetDM API token
-        groups:
-          type: array
-          description: The Groups this integrations applies to
-          items:
-            type: string
-        last_synced_interval:
-          type: integer
-          description: The devices last sync requirement interval in hours. Minimum value is 24 hours
-          minimum: 24
-        enabled:
-          type: boolean
-          description: Indicates whether the integration is enabled
-          default: true
-        match_attributes:
-          $ref: '#/components/schemas/FleetDMMatchAttributes'
-      required:
-        - api_url
-        - api_token
-        - groups
-        - last_synced_interval
-        - match_attributes
-    EDRFleetDMResponse:
-      type: object
-      description: Represents a FleetDM EDR integration configuration
-      required:
-        - id
-        - account_id
-        - api_url
-        - created_by
-        - last_synced_at
-        - created_at
-        - updated_at
-        - groups
-        - last_synced_interval
-        - match_attributes
-        - enabled
-      properties:
-        id:
-          type: integer
-          format: int64
-          description: The unique numeric identifier for the integration.
-          example: 123
-        account_id:
-          type: string
-          description: The identifier of the account this integration belongs to.
-          example: "ch8i4ug6lnn4g9hqv7l0"
-        api_url:
-          type: string
-          description: FleetDM server URL
-        last_synced_at:
-          type: string
-          format: date-time
-          description: Timestamp of when the integration was last synced.
-          example: "2023-05-15T10:30:00Z"
-        created_by:
-          type: string
-          description: The user id that created the integration
-        created_at:
-          type: string
-          format: date-time
-          description: Timestamp of when the integration was created.
-          example: "2023-05-15T10:30:00Z"
-        updated_at:
-          type: string
-          format: date-time
-          description: Timestamp of when the integration was last updated.
-          example: "2023-05-16T11:45:00Z"
-        groups:
-          type: array
-          description: List of groups
-          items:
-            $ref: '#/components/schemas/Group'
-        last_synced_interval:
-          type: integer
-          description: The devices last sync requirement interval in hours.
-        enabled:
-          type: boolean
-          description: Indicates whether the integration is enabled
-          default: true
-        match_attributes:
-          $ref: '#/components/schemas/FleetDMMatchAttributes'
-
-    FleetDMMatchAttributes:
-      type: object
-      description: Attribute conditions to match when approving FleetDM hosts. Most attributes work with FleetDM's free/open-source version. Premium-only attributes are marked accordingly
-      additionalProperties: false
-      properties:
-        disk_encryption_enabled:
-          type: boolean
-          description: Whether disk encryption (FileVault/BitLocker) must be enabled on the host
-        failing_policies_count_max:
-          type: integer
-          description: Maximum number of allowed failing policies. Use 0 to require all policies to pass
-          minimum: 0
-          example: 0
-        vulnerable_software_count_max:
-          type: integer
-          description: Maximum number of allowed vulnerable software on the host
-          minimum: 0
-          example: 0
-        status_online:
-          type: boolean
-          description: Whether the host must be online (recently seen by Fleet)
-        required_policies:
-          type: array
-          description: List of FleetDM policy IDs that must be passing on the host. If any of these policies is failing, the host is non-compliant
-          items:
-            type: integer
-          example: [1, 5, 12]
-
     IntegrationSyncFilters:
       type: object
       properties:
@@ -4414,9 +4291,6 @@ components:
           items:
             type: string
           example: [ "Users" ]
-        connector_id:
-          type: string
-          description: DEX connector ID for embedded IDP setups
     IntegrationEnabled:
       type: object
       properties:
@@ -10810,161 +10684,6 @@ paths:
               schema:
                 $ref: '#/components/schemas/ErrorResponse'
 
-  /api/integrations/edr/fleetdm:
-    post:
-      tags:
-        - EDR FleetDM Integrations
-      summary: Create EDR FleetDM Integration
-      description: Creates a new EDR FleetDM integration
-      operationId: createFleetDMEDRIntegration
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/EDRFleetDMRequest'
-      responses:
-        '200':
-          description: Integration created successfully. Returns the created integration.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/EDRFleetDMResponse'
-        '400':
-          description: Bad Request (e.g., invalid JSON, missing required fields, validation error).
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '401':
-          description: Unauthorized (e.g., missing or invalid authentication token).
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '500':
-          description: Internal Server Error.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-    get:
-      tags:
-        - EDR FleetDM Integrations
-      summary: Get EDR FleetDM Integration
-      description: Retrieves a specific EDR FleetDM integration by its ID.
-      responses:
-        '200':
-          description: Successfully retrieved the integration details.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/EDRFleetDMResponse'
-        '400':
-          description: Bad Request (e.g., invalid integration ID format).
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '401':
-          description: Unauthorized.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '404':
-          description: Not Found (e.g., integration with the given ID does not exist).
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '500':
-          description: Internal Server Error.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-    put:
-      tags:
-        - EDR FleetDM Integrations
-      summary: Update EDR FleetDM Integration
-      description: Updates an existing EDR FleetDM Integration.
-      operationId: updateFleetDMEDRIntegration
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/EDRFleetDMRequest'
-      responses:
-        '200':
-          description: Integration updated successfully. Returns the updated integration.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/EDRFleetDMResponse'
-        '400':
-          description: Bad Request (e.g., invalid JSON, validation error, invalid ID).
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '401':
-          description: Unauthorized.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '404':
-          description: Not Found.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '500':
-          description: Internal Server Error.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-    delete:
-      tags:
-        - EDR FleetDM Integrations
-      summary: Delete EDR FleetDM Integration
-      description: Deletes an EDR FleetDM Integration by its ID.
-      responses:
-        '200':
-          description: Integration deleted successfully. Returns an empty object.
-          content:
-            application/json:
-              schema:
-                type: object
-                example: { }
-        '400':
-          description: Bad Request (e.g., invalid integration ID format).
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '401':
-          description: Unauthorized.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '404':
-          description: Not Found.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '500':
-          description: Internal Server Error.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-
   /api/peers/{peer-id}/edr/bypass:
     parameters:
       - name: peer-id

shared/management/http/api/types.gen.go

@@ -1492,9 +1492,6 @@ type AzureIntegration struct {
 	// ClientId Azure AD application (client) ID
 	ClientId string `json:"client_id"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled bool `json:"enabled"`
 
@@ -1635,9 +1632,6 @@ type CreateAzureIntegrationRequest struct {
 	// ClientSecret Base64-encoded Azure AD client secret
 	ClientSecret string `json:"client_secret"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -1659,9 +1653,6 @@ type CreateAzureIntegrationRequestHost string
 
 // CreateGoogleIntegrationRequest defines model for CreateGoogleIntegrationRequest.
 type CreateGoogleIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// CustomerId Customer ID from Google Workspace Account Settings
 	CustomerId string `json:"customer_id"`
 
@@ -1698,9 +1689,6 @@ type CreateOktaScimIntegrationRequest struct {
 	// ConnectionName The Okta enterprise connection name on Auth0
 	ConnectionName string `json:"connection_name"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -1710,9 +1698,6 @@ type CreateOktaScimIntegrationRequest struct {
 
 // CreateScimIntegrationRequest defines model for CreateScimIntegrationRequest.
 type CreateScimIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -1864,63 +1849,6 @@ type EDRFalconResponse struct {
 	ZtaScoreThreshold int `json:"zta_score_threshold"`
 }
 
-// EDRFleetDMRequest Request payload for creating or updating a FleetDM EDR integration
-type EDRFleetDMRequest struct {
-	// ApiToken FleetDM API token
-	ApiToken string `json:"api_token"`
-
-	// ApiUrl FleetDM server URL
-	ApiUrl string `json:"api_url"`
-
-	// Enabled Indicates whether the integration is enabled
-	Enabled *bool `json:"enabled,omitempty"`
-
-	// Groups The Groups this integrations applies to
-	Groups []string `json:"groups"`
-
-	// LastSyncedInterval The devices last sync requirement interval in hours. Minimum value is 24 hours
-	LastSyncedInterval int `json:"last_synced_interval"`
-
-	// MatchAttributes Attribute conditions to match when approving FleetDM hosts. Most attributes work with FleetDM's free/open-source version. Premium-only attributes are marked accordingly
-	MatchAttributes FleetDMMatchAttributes `json:"match_attributes"`
-}
-
-// EDRFleetDMResponse Represents a FleetDM EDR integration configuration
-type EDRFleetDMResponse struct {
-	// AccountId The identifier of the account this integration belongs to.
-	AccountId string `json:"account_id"`
-
-	// ApiUrl FleetDM server URL
-	ApiUrl string `json:"api_url"`
-
-	// CreatedAt Timestamp of when the integration was created.
-	CreatedAt time.Time `json:"created_at"`
-
-	// CreatedBy The user id that created the integration
-	CreatedBy string `json:"created_by"`
-
-	// Enabled Indicates whether the integration is enabled
-	Enabled bool `json:"enabled"`
-
-	// Groups List of groups
-	Groups []Group `json:"groups"`
-
-	// Id The unique numeric identifier for the integration.
-	Id int64 `json:"id"`
-
-	// LastSyncedAt Timestamp of when the integration was last synced.
-	LastSyncedAt time.Time `json:"last_synced_at"`
-
-	// LastSyncedInterval The devices last sync requirement interval in hours.
-	LastSyncedInterval int `json:"last_synced_interval"`
-
-	// MatchAttributes Attribute conditions to match when approving FleetDM hosts. Most attributes work with FleetDM's free/open-source version. Premium-only attributes are marked accordingly
-	MatchAttributes FleetDMMatchAttributes `json:"match_attributes"`
-
-	// UpdatedAt Timestamp of when the integration was last updated.
-	UpdatedAt time.Time `json:"updated_at"`
-}
-
 // EDRHuntressRequest Request payload for creating or updating a EDR Huntress integration
 type EDRHuntressRequest struct {
 	// ApiKey Huntress API key
@@ -2134,24 +2062,6 @@ type Event struct {
 // EventActivityCode The string code of the activity that occurred during the event
 type EventActivityCode string
 
-// FleetDMMatchAttributes Attribute conditions to match when approving FleetDM hosts. Most attributes work with FleetDM's free/open-source version. Premium-only attributes are marked accordingly
-type FleetDMMatchAttributes struct {
-	// DiskEncryptionEnabled Whether disk encryption (FileVault/BitLocker) must be enabled on the host
-	DiskEncryptionEnabled *bool `json:"disk_encryption_enabled,omitempty"`
-
-	// FailingPoliciesCountMax Maximum number of allowed failing policies. Use 0 to require all policies to pass
-	FailingPoliciesCountMax *int `json:"failing_policies_count_max,omitempty"`
-
-	// RequiredPolicies List of FleetDM policy IDs that must be passing on the host. If any of these policies is failing, the host is non-compliant
-	RequiredPolicies *[]int `json:"required_policies,omitempty"`
-
-	// StatusOnline Whether the host must be online (recently seen by Fleet)
-	StatusOnline *bool `json:"status_online,omitempty"`
-
-	// VulnerableSoftwareCountMax Maximum number of allowed vulnerable software on the host
-	VulnerableSoftwareCountMax *int `json:"vulnerable_software_count_max,omitempty"`
-}
-
 // GeoLocationCheck Posture check for geo location
 type GeoLocationCheck struct {
 	// Action Action to take upon policy match
@@ -2169,9 +2079,6 @@ type GetTenantsResponse = []TenantResponse
 
 // GoogleIntegration defines model for GoogleIntegration.
 type GoogleIntegration struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// CustomerId Customer ID from Google Workspace
 	CustomerId string `json:"customer_id"`
 
@@ -2520,9 +2427,6 @@ type IntegrationResponsePlatform string
 
 // IntegrationSyncFilters defines model for IntegrationSyncFilters.
 type IntegrationSyncFilters struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -3015,9 +2919,6 @@ type OktaScimIntegration struct {
 	// AuthToken SCIM API token (full on creation/regeneration, masked on retrieval)
 	AuthToken string `json:"auth_token"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled bool `json:"enabled"`
 
@@ -3888,9 +3789,6 @@ type ScimIntegration struct {
 	// AuthToken SCIM API token (full on creation, masked otherwise)
 	AuthToken string `json:"auth_token"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled bool `json:"enabled"`
 
@@ -4368,9 +4266,6 @@ type UpdateAzureIntegrationRequest struct {
 	// ClientSecret Base64-encoded Azure AD client secret
 	ClientSecret *string `json:"client_secret,omitempty"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled *bool `json:"enabled,omitempty"`
 
@@ -4389,9 +4284,6 @@ type UpdateAzureIntegrationRequest struct {
 
 // UpdateGoogleIntegrationRequest defines model for UpdateGoogleIntegrationRequest.
 type UpdateGoogleIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// CustomerId Customer ID from Google Workspace Account Settings
 	CustomerId *string `json:"customer_id,omitempty"`
 
@@ -4413,9 +4305,6 @@ type UpdateGoogleIntegrationRequest struct {
 
 // UpdateOktaScimIntegrationRequest defines model for UpdateOktaScimIntegrationRequest.
 type UpdateOktaScimIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled *bool `json:"enabled,omitempty"`
 
@@ -4428,9 +4317,6 @@ type UpdateOktaScimIntegrationRequest struct {
 
 // UpdateScimIntegrationRequest defines model for UpdateScimIntegrationRequest.
 type UpdateScimIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled *bool `json:"enabled,omitempty"`
 
@@ -4983,12 +4869,6 @@ type CreateFalconEDRIntegrationJSONRequestBody = EDRFalconRequest
 // UpdateFalconEDRIntegrationJSONRequestBody defines body for UpdateFalconEDRIntegration for application/json ContentType.
 type UpdateFalconEDRIntegrationJSONRequestBody = EDRFalconRequest
 
-// CreateFleetDMEDRIntegrationJSONRequestBody defines body for CreateFleetDMEDRIntegration for application/json ContentType.
-type CreateFleetDMEDRIntegrationJSONRequestBody = EDRFleetDMRequest
-
-// UpdateFleetDMEDRIntegrationJSONRequestBody defines body for UpdateFleetDMEDRIntegration for application/json ContentType.
-type UpdateFleetDMEDRIntegrationJSONRequestBody = EDRFleetDMRequest
-
 // CreateHuntressEDRIntegrationJSONRequestBody defines body for CreateHuntressEDRIntegration for application/json ContentType.
 type CreateHuntressEDRIntegrationJSONRequestBody = EDRHuntressRequest
 

shared/management/proto/management.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v7.34.1
+// 	protoc        v6.33.0
 // source: management.proto
 
 package proto
@@ -2259,8 +2259,8 @@ type AutoUpdateSettings struct {
 	unknownFields protoimpl.UnknownFields
 
 	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
-	// alwaysUpdate = true → Updates are installed automatically in the background
-	// alwaysUpdate = false → Updates require user interaction from the UI
+	// alwaysUpdate = true → Updates happen automatically in the background
+	// alwaysUpdate = false → Updates only happen when triggered by a peer connection
 	AlwaysUpdate bool `protobuf:"varint,2,opt,name=alwaysUpdate,proto3" json:"alwaysUpdate,omitempty"`
 }
 
@@ -2928,9 +2928,7 @@ type ProviderConfig struct {
 
 	// An IDP application client id
 	ClientID string `protobuf:"bytes,1,opt,name=ClientID,proto3" json:"ClientID,omitempty"`
-	// Deprecated: use embedded IdP for providers that require a client secret (e.g. Google Workspace).
-	//
-	// Deprecated: Do not use.
+	// An IDP application client secret
 	ClientSecret string `protobuf:"bytes,2,opt,name=ClientSecret,proto3" json:"ClientSecret,omitempty"`
 	// An IDP API domain
 	// Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
@@ -2994,7 +2992,6 @@ func (x *ProviderConfig) GetClientID() string {
 	return ""
 }
 
-// Deprecated: Do not use.
 func (x *ProviderConfig) GetClientSecret() string {
 	if x != nil {
 		return x.ClientSecret
@@ -4850,287 +4847,287 @@ var file_management_proto_rawDesc = []byte{
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
 	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
 	0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x22, 0xbc, 0x03, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
+	0x69, 0x67, 0x22, 0xb8, 0x03, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
 	0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
-	0x44, 0x12, 0x26, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65,
-	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0c, 0x43, 0x6c, 0x69,
-	0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x2e, 0x0a,
-	0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f,
-	0x69, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63,
-	0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a,
-	0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f,
-	0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x55, 0x73, 0x65,
-	0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x55,
-	0x73, 0x65, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x15, 0x41, 0x75, 0x74,
-	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69,
-	0x6e, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
-	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12,
-	0x22, 0x0a, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x18,
-	0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55,
-	0x52, 0x4c, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72,
-	0x6f, 0x6d, 0x70, 0x74, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x12, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x46, 0x6c, 0x61, 0x67,
-	0x18, 0x0c, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x09, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x46, 0x6c, 0x61,
-	0x67, 0x22, 0x93, 0x02, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49,
-	0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e,
-	0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65,
-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x54, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77,
-	0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d,
-	0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74,
-	0x72, 0x69, 0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64,
-	0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72,
-	0x61, 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x12, 0x24, 0x0a, 0x0d, 0x73, 0x6b, 0x69, 0x70, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70,
-	0x6c, 0x79, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x73, 0x6b, 0x69, 0x70, 0x41, 0x75,
-	0x74, 0x6f, 0x41, 0x70, 0x70, 0x6c, 0x79, 0x22, 0xde, 0x01, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
-	0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e,
-	0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18,
-	0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f,
-	0x75, 0x70, 0x52, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72,
-	0x6f, 0x75, 0x70, 0x73, 0x12, 0x38, 0x0a, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f,
-	0x6e, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e,
-	0x65, 0x52, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x12, 0x28,
-	0x0a, 0x0d, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x72, 0x50, 0x6f, 0x72, 0x74, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x03, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x46, 0x6f, 0x72, 0x77, 0x61,
-	0x72, 0x64, 0x65, 0x72, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xb8, 0x01, 0x0a, 0x0a, 0x43, 0x75, 0x73,
-	0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12,
-	0x32, 0x0a, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x69,
-	0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x07, 0x52, 0x65, 0x63, 0x6f,
-	0x72, 0x64, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x44,
-	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x2a, 0x0a, 0x10, 0x4e, 0x6f, 0x6e, 0x41, 0x75,
-	0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x61, 0x74, 0x69, 0x76, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x10, 0x4e, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x61, 0x74,
-	0x69, 0x76, 0x65, 0x22, 0x74, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63,
-	0x6f, 0x72, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x43,
-	0x6c, 0x61, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x43, 0x6c, 0x61, 0x73,
-	0x73, 0x12, 0x10, 0x0a, 0x03, 0x54, 0x54, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03,
-	0x54, 0x54, 0x4c, 0x12, 0x14, 0x0a, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, 0x0f, 0x4e, 0x61,
-	0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x38, 0x0a,
-	0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0b, 0x4e, 0x61, 0x6d, 0x65,
-	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61,
-	0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72,
-	0x79, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03,
-	0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x53,
-	0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62,
-	0x6c, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63,
-	0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22,
-	0x48, 0x0a, 0x0a, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a,
-	0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a,
-	0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e,
-	0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xa7, 0x02, 0x0a, 0x0c, 0x46, 0x69,
-	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65,
-	0x65, 0x72, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72,
-	0x49, 0x50, 0x12, 0x37, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
-	0x52, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x06, 0x41,
-	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74,
-	0x69, 0x6f, 0x6e, 0x52, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
-	0x6c, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x04, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x30, 0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
-	0x6f, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x50,
-	0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1a, 0x0a, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63,
-	0x79, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63,
-	0x79, 0x49, 0x44, 0x22, 0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03, 0x6d,
-	0x61, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e, 0x0a,
-	0x06, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73,
-	0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96, 0x01,
-	0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70, 0x6f,
-	0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74,
-	0x12, 0x32, 0x0a, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72,
-	0x74, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05, 0x72,
-	0x61, 0x6e, 0x67, 0x65, 0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73, 0x74,
-	0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d,
-	0x52, 0x03, 0x65, 0x6e, 0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c,
-	0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x87, 0x03, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x28, 0x09, 0x52, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73,
-	0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e,
-	0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75,
-	0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e,
-	0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72, 0x74,
-	0x49, 0x6e, 0x66, 0x6f, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f,
-	0x52, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73,
-	0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69,
-	0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74,
-	0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x50, 0x6f,
-	0x6c, 0x69, 0x63, 0x79, 0x49, 0x44, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x50, 0x6f,
-	0x6c, 0x69, 0x63, 0x79, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x49,
-	0x44, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x44,
-	0x22, 0xf2, 0x01, 0x0a, 0x0e, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52,
-	0x75, 0x6c, 0x65, 0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52,
-	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x3e, 0x0a, 0x0f, 0x64, 0x65, 0x73,
-	0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x74, 0x72, 0x61,
-	0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64,
-	0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x3c, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73,
-	0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72,
-	0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65,
-	0x64, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x8b, 0x02, 0x0a, 0x14, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65,
-	0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12,
-	0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x70, 0x6f,
-	0x72, 0x74, 0x12, 0x36, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
-	0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x69,
-	0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08,
-	0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
-	0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x75, 0x73, 0x65, 0x72,
-	0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x75,
-	0x73, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78,
-	0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x50, 0x72, 0x65, 0x66,
-	0x69, 0x78, 0x12, 0x1f, 0x0a, 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x70, 0x6f, 0x72,
-	0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x50,
-	0x6f, 0x72, 0x74, 0x22, 0xa1, 0x01, 0x0a, 0x15, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x21, 0x0a,
-	0x0c, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65,
-	0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x72,
-	0x6c, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2c, 0x0a, 0x12, 0x70, 0x6f, 0x72,
-	0x74, 0x5f, 0x61, 0x75, 0x74, 0x6f, 0x5f, 0x61, 0x73, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x6f, 0x41,
-	0x73, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x22, 0x2c, 0x0a, 0x12, 0x52, 0x65, 0x6e, 0x65, 0x77,
+	0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1a, 0x0a,
+	0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x12, 0x44, 0x65, 0x76,
+	0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12,
+	0x14, 0x0a, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x53, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x52,
+	0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x12,
+	0x2e, 0x0a, 0x12, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74,
+	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x44, 0x69, 0x73,
+	0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12,
+	0x1c, 0x0a, 0x09, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x46, 0x6c, 0x61, 0x67, 0x18, 0x0c, 0x20, 0x01,
+	0x28, 0x0d, 0x52, 0x09, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x46, 0x6c, 0x61, 0x67, 0x22, 0x93, 0x02,
+	0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f,
+	0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+	0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54,
+	0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69,
+	0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12,
+	0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x18, 0x06, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x12,
+	0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x4e, 0x65, 0x74, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73,
+	0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12,
+	0x1c, 0x0a, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x09, 0x20, 0x01,
+	0x28, 0x08, 0x52, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x24, 0x0a,
+	0x0d, 0x73, 0x6b, 0x69, 0x70, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x6c, 0x79, 0x18, 0x0a,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x73, 0x6b, 0x69, 0x70, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70,
+	0x70, 0x6c, 0x79, 0x22, 0xde, 0x01, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x12, 0x24, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
+	0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e,
+	0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x10,
+	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73,
+	0x12, 0x38, 0x0a, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x18,
+	0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x52, 0x0b, 0x43,
+	0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0d, 0x46, 0x6f,
+	0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x72, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x03, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x72,
+	0x50, 0x6f, 0x72, 0x74, 0x22, 0xb8, 0x01, 0x0a, 0x0a, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a,
+	0x6f, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x07, 0x52,
+	0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65,
+	0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x12,
+	0x32, 0x0a, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x44,
+	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x53,
+	0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x44, 0x69, 0x73, 0x61, 0x62,
+	0x6c, 0x65, 0x64, 0x12, 0x2a, 0x0a, 0x10, 0x4e, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
+	0x69, 0x74, 0x61, 0x74, 0x69, 0x76, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x4e,
+	0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x61, 0x74, 0x69, 0x76, 0x65, 0x22,
+	0x74, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12,
+	0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e,
+	0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x10, 0x0a,
+	0x03, 0x54, 0x54, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03, 0x54, 0x54, 0x4c, 0x12,
+	0x14, 0x0a, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x52, 0x44, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, 0x0f, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65,
+	0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x38, 0x0a, 0x0b, 0x4e, 0x61, 0x6d,
+	0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a,
+	0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07,
+	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63,
+	0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d,
+	0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x48, 0x0a, 0x0a, 0x4e,
+	0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x4e, 0x53, 0x54,
+	0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70,
+	0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xa7, 0x02, 0x0a, 0x0c, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61,
+	0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12, 0x37,
+	0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x19, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52,
+	0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x44, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f,
+	0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52,
+	0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a,
+	0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x6f, 0x72,
+	0x74, 0x12, 0x30, 0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x18, 0x06, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49,
+	0x6e, 0x66, 0x6f, 0x12, 0x1a, 0x0a, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x44, 0x18,
+	0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x44, 0x22,
+	0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73,
+	0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x61, 0x63, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e, 0x0a, 0x06, 0x43, 0x68, 0x65,
+	0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96, 0x01, 0x0a, 0x08, 0x50, 0x6f,
+	0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x32, 0x0a, 0x05,
+	0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
+	0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65,
+	0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x61,
+	0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12,
+	0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x65, 0x6e,
+	0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x22, 0x87, 0x03, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x46, 0x69, 0x72, 0x65,
+	0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12, 0x2e, 0x0a, 0x06,
+	0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20, 0x0a, 0x0b,
+	0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34,
+	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75,
+	0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f,
+	0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x70, 0x6f,
+	0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e, 0x61,
+	0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e,
+	0x61, 0x6d, 0x69, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18,
+	0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x26,
+	0x0a, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
+	0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72,
+	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+	0x49, 0x44, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+	0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x44, 0x18, 0x0a, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x07, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x44, 0x22, 0xf2, 0x01, 0x0a,
+	0x0e, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12,
+	0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52,
+	0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x3e, 0x0a, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74,
+	0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61,
+	0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c,
+	0x52, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72,
+	0x65, 0x73, 0x73, 0x12, 0x3c, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65,
+	0x64, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
+	0x6f, 0x52, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72,
+	0x74, 0x22, 0x8b, 0x02, 0x0a, 0x14, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76,
+	0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f,
+	0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x36,
+	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x78,
+	0x70, 0x6f, 0x73, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x69, 0x6e, 0x18, 0x03, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73,
+	0x77, 0x6f, 0x72, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73,
+	0x77, 0x6f, 0x72, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x67, 0x72, 0x6f,
+	0x75, 0x70, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x47,
+	0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1f, 0x0a,
+	0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x07, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x1f,
+	0x0a, 0x0b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x08, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x0a, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x22,
+	0xa1, 0x01, 0x0a, 0x15, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
+	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72,
+	0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b,
+	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x16, 0x0a,
+	0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
+	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2c, 0x0a, 0x12, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x61, 0x75,
+	0x74, 0x6f, 0x5f, 0x61, 0x73, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x08, 0x52, 0x10, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x73, 0x73, 0x69, 0x67,
+	0x6e, 0x65, 0x64, 0x22, 0x2c, 0x0a, 0x12, 0x52, 0x65, 0x6e, 0x65, 0x77, 0x45, 0x78, 0x70, 0x6f,
+	0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
+	0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
+	0x6e, 0x22, 0x15, 0x0a, 0x13, 0x52, 0x65, 0x6e, 0x65, 0x77, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x0a, 0x11, 0x53, 0x74, 0x6f, 0x70,
 	0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a,
 	0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
-	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x22, 0x15, 0x0a, 0x13, 0x52, 0x65, 0x6e, 0x65, 0x77, 0x45, 0x78,
-	0x70, 0x6f, 0x73, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x0a, 0x11,
-	0x53, 0x74, 0x6f, 0x70, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x22, 0x14, 0x0a, 0x12, 0x53, 0x74, 0x6f,
-	0x70, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2a,
-	0x3a, 0x0a, 0x09, 0x4a, 0x6f, 0x62, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x0e,
-	0x75, 0x6e, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x10, 0x00,
-	0x12, 0x0d, 0x0a, 0x09, 0x73, 0x75, 0x63, 0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x10, 0x01, 0x12,
-	0x0a, 0x0a, 0x06, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x10, 0x02, 0x2a, 0x4c, 0x0a, 0x0c, 0x52,
-	0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55,
-	0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4c, 0x4c, 0x10,
-	0x01, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44,
-	0x50, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50, 0x10, 0x04, 0x12, 0x0a, 0x0a,
-	0x06, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x10, 0x05, 0x2a, 0x20, 0x0a, 0x0d, 0x52, 0x75, 0x6c,
-	0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x06, 0x0a, 0x02, 0x49, 0x4e,
-	0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01, 0x2a, 0x22, 0x0a, 0x0a, 0x52,
-	0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x43,
-	0x45, 0x50, 0x54, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x2a,
-	0x63, 0x0a, 0x0e, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
-	0x6c, 0x12, 0x0f, 0x0a, 0x0b, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x48, 0x54, 0x54, 0x50,
-	0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x48, 0x54, 0x54,
-	0x50, 0x53, 0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x54,
-	0x43, 0x50, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x55,
-	0x44, 0x50, 0x10, 0x03, 0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x54,
-	0x4c, 0x53, 0x10, 0x04, 0x32, 0xfd, 0x06, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x22, 0x14, 0x0a, 0x12, 0x53, 0x74, 0x6f, 0x70, 0x45, 0x78, 0x70,
+	0x6f, 0x73, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2a, 0x3a, 0x0a, 0x09, 0x4a,
+	0x6f, 0x62, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x0e, 0x75, 0x6e, 0x6b, 0x6e,
+	0x6f, 0x77, 0x6e, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09,
+	0x73, 0x75, 0x63, 0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x66,
+	0x61, 0x69, 0x6c, 0x65, 0x64, 0x10, 0x02, 0x2a, 0x4c, 0x0a, 0x0c, 0x52, 0x75, 0x6c, 0x65, 0x50,
+	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f,
+	0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a,
+	0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x03, 0x12,
+	0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50, 0x10, 0x04, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55, 0x53,
+	0x54, 0x4f, 0x4d, 0x10, 0x05, 0x2a, 0x20, 0x0a, 0x0d, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72,
+	0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12, 0x07,
+	0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01, 0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65, 0x41,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x10,
+	0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x2a, 0x63, 0x0a, 0x0e, 0x45,
+	0x78, 0x70, 0x6f, 0x73, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0f, 0x0a,
+	0x0b, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x10,
+	0x0a, 0x0c, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x01,
+	0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x54, 0x43, 0x50, 0x10, 0x02,
+	0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x55, 0x44, 0x50, 0x10, 0x03,
+	0x12, 0x0e, 0x0a, 0x0a, 0x45, 0x58, 0x50, 0x4f, 0x53, 0x45, 0x5f, 0x54, 0x4c, 0x53, 0x10, 0x04,
+	0x32, 0xfd, 0x06, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a,
+	0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
+	0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
 	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
-	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
-	0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a,
+	0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58, 0x0a, 0x18, 0x47, 0x65,
+	0x74, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
+	0x67, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x65, 0x74, 0x61,
+	0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x11,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74,
+	0x79, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x06, 0x4c, 0x6f, 0x67, 0x6f, 0x75, 0x74, 0x12, 0x1c, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00,
+	0x12, 0x47, 0x0a, 0x03, 0x4a, 0x6f, 0x62, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
+	0x61, 0x67, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x12, 0x4c, 0x0a, 0x0c, 0x43, 0x72, 0x65,
+	0x61, 0x74, 0x65, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
 	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
 	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
 	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74,
-	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a,
-	0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77,
-	0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
-	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58,
-	0x0a, 0x18, 0x47, 0x65, 0x74, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63,
-	0x4d, 0x65, 0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x06, 0x4c, 0x6f, 0x67, 0x6f, 0x75,
-	0x74, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
-	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a,
-	0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70,
-	0x74, 0x79, 0x22, 0x00, 0x12, 0x47, 0x0a, 0x03, 0x4a, 0x6f, 0x62, 0x12, 0x1c, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
-	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
-	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x12, 0x4c, 0x0a,
-	0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x12, 0x1c, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
-	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
-	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0b, 0x52,
-	0x65, 0x6e, 0x65, 0x77, 0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x4a, 0x0a, 0x0a, 0x53, 0x74, 0x6f, 0x70,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0b, 0x52, 0x65, 0x6e, 0x65, 0x77,
 	0x45, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
 	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
 	0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
 	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x67, 0x65, 0x22, 0x00, 0x12, 0x4a, 0x0a, 0x0a, 0x53, 0x74, 0x6f, 0x70, 0x45, 0x78, 0x70, 0x6f,
+	0x73, 0x65, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00,
+	0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
 }
 
 var (

shared/management/proto/management.proto

@@ -464,8 +464,8 @@ message PKCEAuthorizationFlow {
 message ProviderConfig {
   // An IDP application client id
   string ClientID = 1;
-  // Deprecated: use embedded IdP for providers that require a client secret (e.g. Google Workspace).
-  string ClientSecret = 2 [deprecated = true];
+  // An IDP application client secret
+  string ClientSecret = 2;
   // An IDP API domain
   // Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
   string Domain = 3;

shared/relay/client/dialer/quic/quic.go

@@ -89,12 +89,12 @@ func prepareURL(address string) (string, error) {
 	finalHost, finalPort, err := net.SplitHostPort(host)
 	if err != nil {
 		if strings.Contains(err.Error(), "missing port") {
-			return net.JoinHostPort(strings.Trim(host, "[]"), defaultPort), nil
+			return host + ":" + defaultPort, nil
 		}
 
 		// return any other split error as is
 		return "", err
 	}
 
-	return net.JoinHostPort(finalHost, finalPort), nil
+	return finalHost + ":" + finalPort, nil
 }

tools/idp-migrate/DEVELOPMENT.md

@@ -1,209 +0,0 @@
-# IdP Migration Tool — Developer Guide
-
-## Overview
-
-This tool migrates NetBird deployments from an external IdP (Auth0, Zitadel, Okta, etc.) to the embedded Dex IdP introduced in v0.62.0. It does two things:
-
-1. **DB migration** — Re-encodes every user ID from `{original_id}` to Dex's protobuf-encoded format `base64(proto{original_id, connector_id})`.
-2. **Config generation** — Transforms `management.json`: removes `IdpManagerConfig`, `PKCEAuthorizationFlow`, and `DeviceAuthorizationFlow`; strips `HttpConfig` to only `CertFile`/`CertKey`; adds `EmbeddedIdP` with the static connector configuration.
-
-## Code Layout
-
-```
-tools/idp-migrate/
-├── config.go            # migrationConfig struct, CLI flags, env vars, validation
-├── main.go              # CLI entry point, migration phases, config generation
-├── main_test.go         # 8 test functions (18 subtests) covering config, connector, URL builder, config generation
-└── DEVELOPMENT.md       # this file
-
-management/server/idp/migration/
-├── migration.go         # Server interface, MigrateUsersToStaticConnectors(), PopulateUserInfo(), migrateUser(), reconcileActivityStore()
-├── migration_test.go    # 6 top-level tests (with subtests) using hand-written mocks
-└── store.go             # Store, EventStore interfaces, SchemaCheck, RequiredSchema, SchemaError types
-
-management/server/store/
-└── sql_store_idp_migration.go   # CheckSchema(), ListUsers(), UpdateUserInfo(), UpdateUserID(), txDeferFKConstraints() on SqlStore
-
-management/server/activity/store/
-├── sql_store_idp_migration.go      # UpdateUserID() on activity Store
-└── sql_store_idp_migration_test.go # 5 subtests for activity UpdateUserID
-
-```
-
-## Release / Distribution
-
-The tool is included in `.goreleaser.yaml` as the `netbird-idp-migrate` build target. Each NetBird release produces pre-built archives for Linux (amd64, arm64, arm) that are uploaded to GitHub Releases. The archive naming convention is:
-
-```
-netbird-idp-migrate_<version>_linux_<arch>.tar.gz
-```
-
-The build requires `CGO_ENABLED=1` because it links the SQLite driver used by `SqlStore`. The cross-compilation setup (CC env for arm64/arm) mirrors the `netbird-mgmt` build.
-
-## CLI Flags
-
-| Flag | Type | Default | Description |
-|------|------|---------|-------------|
-| `--config` | string | *(required)* | Path to management.json |
-| `--datadir` | string | *(required)* | Data directory (containing store.db / events.db) |
-| `--idp-seed-info` | string | *(required)* | Base64-encoded connector JSON |
-| `--domain` | string | `""` | Sets both dashboard and API domain (convenience shorthand) |
-| `--dashboard-domain` | string | *(required)* | Dashboard domain (for redirect URIs) |
-| `--api-domain` | string | *(required)* | API domain (for Dex issuer and callback URLs) |
-| `--dry-run` | bool | `false` | Preview changes without writing |
-| `--force` | bool | `false` | Skip interactive confirmation prompt |
-| `--skip-config` | bool | `false` | Skip config generation (DB-only migration) |
-| `--skip-populate-user-info` | bool | `false` | Skip populating user info (user ID migration only) |
-| `--log-level` | string | `"info"` | Log level (debug, info, warn, error) |
-
-## Environment Variables
-
-All flags can be overridden via environment variables. Env vars take precedence over flags.
-
-| Env Var | Overrides |
-|---------|-----------|
-| `NETBIRD_DOMAIN` | Sets both `--dashboard-domain` and `--api-domain` |
-| `NETBIRD_API_URL` | `--api-domain` |
-| `NETBIRD_DASHBOARD_URL` | `--dashboard-domain` |
-| `NETBIRD_CONFIG_PATH` | `--config` |
-| `NETBIRD_DATA_DIR` | `--datadir` |
-| `NETBIRD_IDP_SEED_INFO` | `--idp-seed-info` |
-| `NETBIRD_DRY_RUN` | `--dry-run` (set to `"true"`) |
-| `NETBIRD_FORCE` | `--force` (set to `"true"`) |
-| `NETBIRD_SKIP_CONFIG` | `--skip-config` (set to `"true"`) |
-| `NETBIRD_SKIP_POPULATE_USER_INFO` | `--skip-populate-user-info` (set to `"true"`) |
-| `NETBIRD_LOG_LEVEL` | `--log-level` |
-
-Resolution order: CLI flags are parsed first, then `--domain` sets both URLs, then `NETBIRD_DOMAIN` overrides both, then `NETBIRD_API_URL` / `NETBIRD_DASHBOARD_URL` override individually. After all resolution, `validateConfig()` ensures all required fields are set.
-
-## Migration Flow
-
-### Phase 0: Schema Validation
-
-`validateSchema()` opens the store and calls `CheckSchema(RequiredSchema)` to verify that all tables and columns required by the migration exist in the database. If anything is missing, the tool exits with a descriptive error instructing the operator to start the management server (v0.66.4+) at least once so that automatic GORM migrations create the required schema.
-
-### Phase 1: Populate User Info
-
-Unless `--skip-populate-user-info` is set, `populateUserInfoFromIDP()` runs before connector resolution:
-
-1. Creates an IDP manager from the existing `IdpManagerConfig` in management.json.
-2. Calls `idpManager.GetAllAccounts()` to fetch email and name for all users from the external IDP.
-3. Calls `migration.PopulateUserInfo()` which iterates over all store users, skipping service users and users that already have both email and name populated. For Dex-encoded user IDs, it decodes back to the original IDP ID for lookup.
-4. Updates the store with any missing email/name values.
-
-This ensures user contact info is preserved before the ID migration makes the original IDP IDs inaccessible.
-
-### Phase 2: Connector Decoding
-
-`decodeConnectorConfig()` base64-decodes and JSON-unmarshals the connector JSON provided via `--idp-seed-info` (or `NETBIRD_IDP_SEED_INFO`). It validates that the connector ID is non-empty. There is no auto-detection or fallback — the operator must provide the full connector configuration.
-
-### Phase 3: DB Migration
-
-`migrateDB()` orchestrates the database migration:
-
-1. `openStores()` opens the main store (`SqlStore`) and activity store (non-fatal if missing).
-2. Type-asserts both to `migration.Store` / `migration.EventStore`.
-3. `previewUsers()` scans all users — counts pending vs already-migrated (using `DecodeDexUserID`).
-4. `confirmPrompt()` asks for interactive confirmation (unless `--force` or `--dry-run`).
-5. Calls `migration.MigrateUsersToStaticConnectors(srv, conn)`:
-   - **Reconciliation pass**: fixes activity store references for users already migrated in the main DB but whose events still reference old IDs (from a previous partial failure).
-   - **Main loop**: for each non-migrated user, calls `migrateUser()` which atomically updates the user ID in both the main store and activity store.
-   - **Dry-run**: logs what would happen, skips all writes.
-
-`SqlStore.UpdateUserID()` atomically updates the user's primary key and all foreign key references (peers, PATs, groups, policies, jobs, etc.) in a single transaction.
-
-### Phase 4: Config Generation
-
-Unless `--skip-config` is set, `generateConfig()` runs:
-
-1. **Read** — loads existing `management.json` as raw JSON to preserve unknown fields.
-
-2. **Strip** — removes keys that are no longer needed:
-   - `IdpManagerConfig`
-   - `PKCEAuthorizationFlow`
-   - `DeviceAuthorizationFlow`
-   - All `HttpConfig` fields except `CertFile` and `CertKey`
-
-3. **Add EmbeddedIdP** — inserts a minimal section with:
-   - `Enabled: true`
-   - `Issuer` built from `--api-domain` + `/oauth2`
-   - `DashboardRedirectURIs` built from `--dashboard-domain` + `/nb-auth` and `/nb-silent-auth`
-   - `StaticConnectors` containing the decoded connector, with `redirectURI` overridden to `--api-domain` + `/oauth2/callback`
-
-4. **Write** — backs up original as `management.json.bak`, writes new config. In dry-run mode, prints to stdout instead.
-
-## Interface Decoupling
-
-Migration methods (`ListUsers`, `UpdateUserID`) are **not** on the core `store.Store` or `activity.Store` interfaces. Instead, they're defined in `migration/store.go`:
-
-```go
-type Store interface {
-    ListUsers(ctx context.Context) ([]*types.User, error)
-    UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error
-    UpdateUserInfo(ctx context.Context, userID, email, name string) error
-    CheckSchema(checks []SchemaCheck) []SchemaError
-}
-
-type EventStore interface {
-    UpdateUserID(ctx context.Context, oldUserID, newUserID string) error
-}
-```
-
-A `Server` interface wraps both stores for dependency injection:
-
-```go
-type Server interface {
-    Store() Store
-    EventStore() EventStore // may return nil
-}
-```
-
-The concrete `SqlStore` types already have these methods (in their respective `sql_store_idp_migration.go` files), so they satisfy the interfaces via Go's structural typing — zero changes needed on the core store interfaces. At runtime, the standalone tool type-asserts:
-
-```go
-migStore, ok := mainStore.(migration.Store)
-```
-
-This keeps migration concerns completely separate from the core store contract.
-
-## Dex User ID Encoding
-
-`EncodeDexUserID(userID, connectorID)` produces a manually-encoded protobuf with two string fields, then base64-encodes the result (raw, no padding). `DecodeDexUserID` reverses this. The migration loop uses `DecodeDexUserID` to detect already-migrated users (decode succeeds → skip).
-
-See `idp/dex/provider.go` for the implementation.
-
-## Standalone Tool
-
-The standalone tool (`tools/idp-migrate/main.go`) is the primary migration entry point. It opens stores directly, runs schema validation, populates user info from the external IDP, migrates user IDs, and generates the new config — then exits. Configuration is handled entirely through `config.go` which parses CLI flags and environment variables.
-
-## Running Tests
-
-```bash
-# Migration library
-go test -v ./management/server/idp/migration/...
-
-# Standalone tool
-go test -v ./tools/idp-migrate/...
-
-# Activity store migration tests
-go test -v -run TestUpdateUserID ./management/server/activity/store/...
-
-# Build locally
-go build ./tools/idp-migrate/
-```
-
-## Clean Removal
-
-When migration tooling is no longer needed, delete:
-
-1. `tools/idp-migrate/` — entire directory
-2. `management/server/idp/migration/` — entire directory
-3. `management/server/store/sql_store_idp_migration.go` — migration methods on main SqlStore
-4. `management/server/activity/store/sql_store_idp_migration.go` — migration method on activity Store
-5. `management/server/activity/store/sql_store_idp_migration_test.go` — tests for the above
-6. In `.goreleaser.yaml`:
-   - Remove the `netbird-idp-migrate` build entry
-   - Remove the `netbird-idp-migrate` archive entry
-7. Run `go mod tidy`
-
-No core interfaces or mocks need editing — that's the point of the decoupling.

tools/idp-migrate/LICENSE

@@ -1,661 +0,0 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<https://www.gnu.org/licenses/>.

tools/idp-migrate/config.go

@@ -1,174 +0,0 @@
-package main
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"strconv"
-
-	"github.com/netbirdio/netbird/util"
-)
-
-type migrationConfig struct {
-	// Data
-	dashboardURL string
-	apiURL       string
-	configPath   string
-	dataDir      string
-	idpSeedInfo  string
-
-	// Options
-	dryRun               bool
-	force                bool
-	skipConfig           bool
-	skipPopulateUserInfo bool
-
-	// Logging
-	logLevel string
-}
-
-func config() (*migrationConfig, error) {
-	cfg, err := configFromArgs(os.Args[1:])
-	if err != nil {
-		return nil, err
-	}
-
-	if err := util.InitLog(cfg.logLevel, util.LogConsole); err != nil {
-		return nil, fmt.Errorf("init logger: %w", err)
-	}
-
-	return cfg, nil
-}
-
-func configFromArgs(args []string) (*migrationConfig, error) {
-	var cfg migrationConfig
-	var domain string
-
-	fs := flag.NewFlagSet("netbird-idp-migrate", flag.ContinueOnError)
-	fs.StringVar(&domain, "domain", "", "domain for both dashboard and API")
-	fs.StringVar(&cfg.dashboardURL, "dashboard-url", "", "dashboard URL")
-	fs.StringVar(&cfg.apiURL, "api-url", "", "API URL")
-	fs.StringVar(&cfg.configPath, "config", "", "path to management.json (required)")
-	fs.StringVar(&cfg.dataDir, "datadir", "", "override data directory from config")
-	fs.StringVar(&cfg.idpSeedInfo, "idp-seed-info", "", "base64-encoded connector JSON (overrides auto-detection)")
-	fs.BoolVar(&cfg.dryRun, "dry-run", false, "preview changes without writing")
-	fs.BoolVar(&cfg.force, "force", false, "skip confirmation prompt")
-	fs.BoolVar(&cfg.skipConfig, "skip-config", false, "skip config generation (DB migration only)")
-	fs.BoolVar(&cfg.skipPopulateUserInfo, "skip-populate-user-info", false, "skip populating user info (user id migration only)")
-	fs.StringVar(&cfg.logLevel, "log-level", "info", "log level (debug, info, warn, error)")
-
-	if err := fs.Parse(args); err != nil {
-		return nil, err
-	}
-
-	applyOverrides(&cfg, domain)
-
-	if err := validateConfig(&cfg); err != nil {
-		return nil, err
-	}
-
-	return &cfg, nil
-}
-
-// applyOverrides resolves domain configuration from broad to narrow sources.
-// The most granular value always wins:
-//
-//	--domain flag (broadest, only fills blanks)
-//	NETBIRD_DOMAIN env (overrides flags, sets both)
-//	--api-domain / --dashboard-domain flags (more specific than --domain)
-//	NETBIRD_API_URL / NETBIRD_DASHBOARD_URL env (most specific, always wins)
-//
-// Other env vars unconditionally override their corresponding flags.
-func applyOverrides(cfg *migrationConfig, domain string) {
-	// --domain is a convenience shorthand: only fills in values not already
-	// set by the more specific --api-domain / --dashboard-domain flags.
-	if domain != "" {
-		if cfg.apiURL == "" {
-			cfg.apiURL = domain
-		}
-		if cfg.dashboardURL == "" {
-			cfg.dashboardURL = domain
-		}
-	}
-
-	// Env vars override flags. Broad env var first, then narrow ones on top,
-	// so the most granular value always wins.
-	if val, ok := os.LookupEnv("NETBIRD_DOMAIN"); ok {
-		cfg.dashboardURL = val
-		cfg.apiURL = val
-	}
-
-	if val, ok := os.LookupEnv("NETBIRD_API_URL"); ok {
-		cfg.apiURL = val
-	}
-
-	if val, ok := os.LookupEnv("NETBIRD_DASHBOARD_URL"); ok {
-		cfg.dashboardURL = val
-	}
-
-	if val, ok := os.LookupEnv("NETBIRD_CONFIG_PATH"); ok {
-		cfg.configPath = val
-	}
-
-	if val, ok := os.LookupEnv("NETBIRD_DATA_DIR"); ok {
-		cfg.dataDir = val
-	}
-
-	if val, ok := os.LookupEnv("NETBIRD_IDP_SEED_INFO"); ok {
-		cfg.idpSeedInfo = val
-	}
-
-	// Enforce dry run if any value is provided
-	if sval, ok := os.LookupEnv("NETBIRD_DRY_RUN"); ok {
-		if val, err := strconv.ParseBool(sval); err == nil {
-			cfg.dryRun = val
-		}
-	}
-
-	cfg.dryRun = parseBool("NETBIRD_DRY_RUN", cfg.dryRun)
-	cfg.force = parseBool("NETBIRD_FORCE", cfg.force)
-	cfg.skipConfig = parseBool("NETBIRD_SKIP_CONFIG", cfg.skipConfig)
-	cfg.skipPopulateUserInfo = parseBool("NETBIRD_SKIP_POPULATE_USER_INFO", cfg.skipPopulateUserInfo)
-
-	if val, ok := os.LookupEnv("NETBIRD_LOG_LEVEL"); ok {
-		cfg.logLevel = val
-	}
-}
-
-func parseBool(varName string, defaultVal bool) bool {
-	stringValue, ok := os.LookupEnv(varName)
-	if !ok {
-		return defaultVal
-	}
-
-	boolValue, err := strconv.ParseBool(stringValue)
-	if err != nil {
-		return defaultVal
-	}
-
-	return boolValue
-}
-
-func validateConfig(cfg *migrationConfig) error {
-	if cfg.configPath == "" {
-		return fmt.Errorf("--config is required")
-	}
-
-	if cfg.dataDir == "" {
-		return fmt.Errorf("--datadir is required")
-	}
-
-	if cfg.idpSeedInfo == "" {
-		return fmt.Errorf("--idp-seed-info is required")
-	}
-
-	if cfg.apiURL == "" {
-		return fmt.Errorf("--api-domain is required")
-	}
-
-	if cfg.dashboardURL == "" {
-		return fmt.Errorf("--dashboard-domain is required")
-	}
-
-	return nil
-}

tools/idp-migrate/main.go

@@ -1,449 +0,0 @@
-// Package main provides a standalone CLI tool to migrate user IDs from an
-// external IdP format to the embedded Dex IdP format used by NetBird >= v0.62.0.
-//
-// This tool reads management.json to auto-detect the current external IdP
-// configuration (issuer, clientID, clientSecret, type) and re-encodes all user
-// IDs in the database to the Dex protobuf-encoded format. It works independently
-// of migrate.sh and the combined server, allowing operators to migrate their
-// database before switching to the combined server.
-//
-// Usage:
-//
-//	netbird-idp-migrate --config /etc/netbird/management.json [--dry-run] [--force]
-package main
-
-import (
-	"bufio"
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"maps"
-	"net/url"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/idp/dex"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	activitystore "github.com/netbirdio/netbird/management/server/activity/store"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/idp/migration"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/crypt"
-)
-
-// migrationServer implements migration.Server by wrapping the migration-specific interfaces.
-type migrationServer struct {
-	store      migration.Store
-	eventStore migration.EventStore
-}
-
-func (s *migrationServer) Store() migration.Store           { return s.store }
-func (s *migrationServer) EventStore() migration.EventStore { return s.eventStore }
-
-func main() {
-	cfg, err := config()
-	if err != nil {
-		log.Fatalf("config error: %v", err)
-	}
-
-	if err := run(cfg); err != nil {
-		log.Fatalf("migration failed: %v", err)
-	}
-
-	if !cfg.dryRun {
-		printPostMigrationInstructions(cfg)
-	}
-}
-
-func run(cfg *migrationConfig) error {
-	mgmtConfig := &nbconfig.Config{}
-	if _, err := util.ReadJsonWithEnvSub(cfg.configPath, mgmtConfig); err != nil {
-		return err
-	}
-
-	// Validate the database schema before attempting any operations.
-	if err := validateSchema(mgmtConfig, cfg.dataDir); err != nil {
-		return err
-	}
-
-	if !cfg.skipPopulateUserInfo {
-		err := populateUserInfoFromIDP(cfg, mgmtConfig)
-		if err != nil {
-			return fmt.Errorf("populate user info: %w", err)
-		}
-	}
-
-	connectorConfig, err := decodeConnectorConfig(cfg.idpSeedInfo)
-	if err != nil {
-		return fmt.Errorf("resolve connector: %w", err)
-	}
-
-	log.Infof(
-		"resolved connector: type=%s, id=%s, name=%s",
-		connectorConfig.Type,
-		connectorConfig.ID,
-		connectorConfig.Name,
-	)
-
-	if err := migrateDB(cfg, mgmtConfig, connectorConfig); err != nil {
-		return err
-	}
-
-	if cfg.skipConfig {
-		log.Info("skipping config generation (--skip-config)")
-		return nil
-	}
-
-	return generateConfig(cfg, connectorConfig)
-}
-
-// validateSchema opens the store and checks that all required tables and columns
-// exist. If anything is missing, it returns a descriptive error telling the user
-// to upgrade their management server.
-func validateSchema(mgmtConfig *nbconfig.Config, dataDir string) error {
-	ctx := context.Background()
-	migStore, migEventStore, cleanup, err := openStores(ctx, mgmtConfig, dataDir)
-	if err != nil {
-		return err
-	}
-	defer cleanup()
-
-	errs := migStore.CheckSchema(migration.RequiredSchema)
-	if len(errs) > 0 {
-		return fmt.Errorf("%s", formatSchemaErrors(errs))
-	}
-
-	if migEventStore != nil {
-		eventErrs := migEventStore.CheckSchema(migration.RequiredEventSchema)
-		if len(eventErrs) > 0 {
-			return fmt.Errorf("activity store schema check failed (upgrade management server first):\n%s", formatSchemaErrors(eventErrs))
-		}
-	}
-
-	log.Info("database schema check passed")
-	return nil
-}
-
-// formatSchemaErrors returns a user-friendly message listing all missing schema
-// elements and instructing the operator to upgrade.
-func formatSchemaErrors(errs []migration.SchemaError) string {
-	var b strings.Builder
-	b.WriteString("database schema is incomplete — the following tables/columns are missing:\n")
-	for _, e := range errs {
-		fmt.Fprintf(&b, "  - %s\n", e.String())
-	}
-	b.WriteString("\nPlease start the NetBird management server (v0.66.4+) at least once so that automatic database migrations create the required schema, then re-run this tool.\n")
-	return b.String()
-}
-
-// populateUserInfoFromIDP creates an IDP manager from the config, fetches all
-// user data (email, name) from the external IDP, and updates the store for users
-// that are missing this information.
-func populateUserInfoFromIDP(cfg *migrationConfig, mgmtConfig *nbconfig.Config) error {
-	ctx := context.Background()
-
-	if mgmtConfig.IdpManagerConfig == nil {
-		return fmt.Errorf("IdpManagerConfig is not set in management.json; cannot fetch user info from IDP")
-	}
-
-	idpManager, err := idp.NewManager(ctx, *mgmtConfig.IdpManagerConfig, nil)
-	if err != nil {
-		return fmt.Errorf("create IDP manager: %w", err)
-	}
-	if idpManager == nil {
-		return fmt.Errorf("IDP manager type is 'none' or empty; cannot fetch user info")
-	}
-
-	log.Infof("created IDP manager (type: %s)", mgmtConfig.IdpManagerConfig.ManagerType)
-
-	migStore, _, cleanup, err := openStores(ctx, mgmtConfig, cfg.dataDir)
-	if err != nil {
-		return err
-	}
-	defer cleanup()
-
-	srv := &migrationServer{store: migStore}
-	return migration.PopulateUserInfo(srv, idpManager, cfg.dryRun)
-}
-
-// openStores opens the main and activity stores, returning migration-specific interfaces.
-// The caller must call the returned cleanup function to close the stores.
-func openStores(ctx context.Context, cfg *nbconfig.Config, dataDir string) (migration.Store, migration.EventStore, func(), error) {
-	engine := cfg.StoreConfig.Engine
-	if engine == "" {
-		engine = types.SqliteStoreEngine
-	}
-
-	mainStore, err := store.NewStore(ctx, engine, dataDir, nil, true)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("open main store: %w", err)
-	}
-
-	if cfg.DataStoreEncryptionKey != "" {
-		fieldEncrypt, err := crypt.NewFieldEncrypt(cfg.DataStoreEncryptionKey)
-		if err != nil {
-			_ = mainStore.Close(ctx)
-			return nil, nil, nil, fmt.Errorf("init field encryption: %w", err)
-		}
-		mainStore.SetFieldEncrypt(fieldEncrypt)
-	}
-
-	migStore, ok := mainStore.(migration.Store)
-	if !ok {
-		_ = mainStore.Close(ctx)
-		return nil, nil, nil, fmt.Errorf("store does not support migration operations (ListUsers/UpdateUserID)")
-	}
-
-	cleanup := func() { _ = mainStore.Close(ctx) }
-
-	var migEventStore migration.EventStore
-	actStore, err := activitystore.NewSqlStore(ctx, dataDir, cfg.DataStoreEncryptionKey)
-	if err != nil {
-		log.Warnf("could not open activity store (events.db may not exist): %v", err)
-	} else {
-		migEventStore = actStore
-		prevCleanup := cleanup
-		cleanup = func() { _ = actStore.Close(ctx); prevCleanup() }
-	}
-
-	return migStore, migEventStore, cleanup, nil
-}
-
-// migrateDB opens the stores, previews pending users, and runs the DB migration.
-func migrateDB(cfg *migrationConfig, mgmtConfig *nbconfig.Config, connectorConfig *dex.Connector) error {
-	ctx := context.Background()
-
-	migStore, migEventStore, cleanup, err := openStores(ctx, mgmtConfig, cfg.dataDir)
-	if err != nil {
-		return err
-	}
-	defer cleanup()
-
-	pending, err := previewUsers(ctx, migStore)
-	if err != nil {
-		return err
-	}
-
-	if cfg.dryRun {
-		if err := os.Setenv("NB_IDP_MIGRATION_DRY_RUN", "true"); err != nil {
-			return fmt.Errorf("set dry-run env: %w", err)
-		}
-		defer os.Unsetenv("NB_IDP_MIGRATION_DRY_RUN") //nolint:errcheck
-	}
-
-	if !cfg.dryRun && !cfg.force {
-		if !confirmPrompt(pending) {
-			log.Info("migration cancelled by user")
-			return nil
-		}
-	}
-
-	srv := &migrationServer{store: migStore, eventStore: migEventStore}
-	if err := migration.MigrateUsersToStaticConnectors(srv, connectorConfig); err != nil {
-		return fmt.Errorf("migrate users: %w", err)
-	}
-
-	if !cfg.dryRun {
-		log.Info("DB migration completed successfully")
-	}
-	return nil
-}
-
-// previewUsers counts pending vs already-migrated users and logs a summary.
-// Returns the number of users still needing migration.
-func previewUsers(ctx context.Context, migStore migration.Store) (int, error) {
-	users, err := migStore.ListUsers(ctx)
-	if err != nil {
-		return 0, fmt.Errorf("list users: %w", err)
-	}
-
-	var pending, alreadyMigrated int
-	for _, u := range users {
-		if _, _, decErr := dex.DecodeDexUserID(u.Id); decErr == nil {
-			alreadyMigrated++
-		} else {
-			pending++
-		}
-	}
-
-	log.Infof("found %d total users: %d pending migration, %d already migrated", len(users), pending, alreadyMigrated)
-	return pending, nil
-}
-
-// confirmPrompt asks the user for interactive confirmation. Returns true if they accept.
-func confirmPrompt(pending int) bool {
-	log.Infof("About to migrate %d users. This cannot be easily undone. Continue? [y/N] ", pending)
-	reader := bufio.NewReader(os.Stdin)
-	answer, _ := reader.ReadString('\n')
-	answer = strings.TrimSpace(strings.ToLower(answer))
-	return answer == "y" || answer == "yes"
-}
-
-// decodeConnectorConfig base64-decodes and JSON-unmarshals a connector.
-func decodeConnectorConfig(encoded string) (*dex.Connector, error) {
-	decoded, err := base64.StdEncoding.DecodeString(encoded)
-	if err != nil {
-		return nil, fmt.Errorf("base64 decode: %w", err)
-	}
-
-	var conn dex.Connector
-	if err := json.Unmarshal(decoded, &conn); err != nil {
-		return nil, fmt.Errorf("json unmarshal: %w", err)
-	}
-
-	if conn.ID == "" {
-		return nil, fmt.Errorf("connector ID is empty")
-	}
-
-	return &conn, nil
-}
-
-// generateConfig reads the existing management.json as raw JSON, removes
-// IdpManagerConfig, adds EmbeddedIdP, updates HttpConfig fields, and writes
-// the result. In dry-run mode, it prints the new config to stdout instead.
-func generateConfig(cfg *migrationConfig, connectorConfig *dex.Connector) error {
-	// Read existing config as raw JSON to preserve all fields
-	raw, err := os.ReadFile(cfg.configPath)
-	if err != nil {
-		return fmt.Errorf("read config file: %w", err)
-	}
-
-	var configMap map[string]any
-	if err := json.Unmarshal(raw, &configMap); err != nil {
-		return fmt.Errorf("parse config JSON: %w", err)
-	}
-
-	// Remove unused information
-	delete(configMap, "IdpManagerConfig")
-	delete(configMap, "PKCEAuthorizationFlow")
-	delete(configMap, "DeviceAuthorizationFlow")
-
-	httpConfig, ok := configMap["HttpConfig"].(map[string]any)
-	if httpConfig != nil && ok {
-		certFilePath := httpConfig["CertFile"]
-		certKeyPath := httpConfig["CertKey"]
-
-		delete(configMap, "HttpConfig")
-
-		configMap["HttpConfig"] = map[string]any{
-			"CertFile": certFilePath,
-			"CertKey":  certKeyPath,
-		}
-	}
-
-	// Ensure the connector's redirectURI points to the management server (Dex callback),
-	// not the external IdP. The auto-detection may have used the IdP issuer URL.
-	connConfig := make(map[string]any, len(connectorConfig.Config))
-	maps.Copy(connConfig, connectorConfig.Config)
-
-	redirectURI, err := buildURL(cfg.apiURL, "/oauth2/callback")
-	if err != nil {
-		return fmt.Errorf("build redirect URI: %w", err)
-	}
-	connConfig["redirectURI"] = redirectURI
-
-	issuer, err := buildURL(cfg.apiURL, "/oauth2")
-	if err != nil {
-		return fmt.Errorf("build issuer URL: %w", err)
-	}
-
-	dashboardRedirectURL, err := buildURL(cfg.dashboardURL, "/nb-auth")
-	if err != nil {
-		return fmt.Errorf("build dashboard redirect URL: %w", err)
-	}
-
-	dashboardSilentRedirectURL, err := buildURL(cfg.dashboardURL, "/nb-silent-auth")
-	if err != nil {
-		return fmt.Errorf("build dashboard silent redirect URL: %w", err)
-	}
-
-	// Add minimal EmbeddedIdP section
-	configMap["EmbeddedIdP"] = map[string]any{
-		"Enabled": true,
-		"Issuer":  issuer,
-		"DashboardRedirectURIs": []string{
-			dashboardRedirectURL,
-			dashboardSilentRedirectURL,
-		},
-		"StaticConnectors": []any{
-			map[string]any{
-				"type":   connectorConfig.Type,
-				"name":   connectorConfig.Name,
-				"id":     connectorConfig.ID,
-				"config": connConfig,
-			},
-		},
-	}
-
-	newJSON, err := json.MarshalIndent(configMap, "", "  ")
-	if err != nil {
-		return fmt.Errorf("marshal new config: %w", err)
-	}
-
-	if cfg.dryRun {
-		log.Info("[DRY RUN] new management.json would be:")
-		log.Infoln(string(newJSON))
-		return nil
-	}
-
-	// Backup original
-	backupPath := cfg.configPath + ".bak"
-	if err := os.WriteFile(backupPath, raw, 0o600); err != nil {
-		return fmt.Errorf("write backup: %w", err)
-	}
-	log.Infof("backed up original config to %s", backupPath)
-
-	// Write new config
-	if err := os.WriteFile(cfg.configPath, newJSON, 0o600); err != nil {
-		return fmt.Errorf("write new config: %w", err)
-	}
-	log.Infof("wrote new config to %s", cfg.configPath)
-
-	return nil
-}
-
-func buildURL(uri, path string) (string, error) {
-	// Case for domain without scheme, e.g. "example.com" or "example.com:8080"
-	if !strings.HasPrefix(uri, "http://") && !strings.HasPrefix(uri, "https://") {
-		uri = "https://" + uri
-	}
-
-	val, err := url.JoinPath(uri, path)
-	if err != nil {
-		return "", err
-	}
-
-	return val, nil
-}
-
-func printPostMigrationInstructions(cfg *migrationConfig) {
-	authAuthority, err := buildURL(cfg.apiURL, "/oauth2")
-	if err != nil {
-		authAuthority = "https://<your-domain>/oauth2"
-	}
-
-	log.Info("Congratulations! You have successfully migrated your NetBird management server to the embedded Dex IdP.")
-	log.Info("Next steps:")
-	log.Info("1. Make sure the following environment variables are set for your dashboard server:")
-	log.Infof(`
-AUTH_AUDIENCE=netbird-dashboard
-AUTH_CLIENT_ID=netbird-dashboard
-AUTH_AUTHORITY=%s
-AUTH_SUPPORTED_SCOPES=openid profile email groups
-AUTH_REDIRECT_URI=/nb-auth
-AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
-	`,
-		authAuthority,
-	)
-	log.Info("2. Make sure you restart the dashboard & management servers to pick up the new config and environment variables.")
-	log.Info("eg. docker compose up -d --force-recreate management dashboard")
-	log.Info("3. Optional: If you have a reverse proxy configured, make sure the path `/oauth2/*` points to the management api server.")
-}
-
-// Compile-time check that migrationServer implements migration.Server.
-var _ migration.Server = (*migrationServer)(nil)

tools/idp-migrate/main_test.go

@@ -1,487 +0,0 @@
-package main
-
-import (
-	"encoding/base64"
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/idp/dex"
-	"github.com/netbirdio/netbird/management/server/idp/migration"
-)
-
-// TestMigrationServerInterface is a compile-time check that migrationServer
-// implements the migration.Server interface.
-func TestMigrationServerInterface(t *testing.T) {
-	var _ migration.Server = (*migrationServer)(nil)
-}
-
-func TestDecodeConnectorConfig(t *testing.T) {
-	conn := dex.Connector{
-		Type: "oidc",
-		Name: "test",
-		ID:   "test-id",
-		Config: map[string]any{
-			"issuer":       "https://example.com",
-			"clientID":     "cid",
-			"clientSecret": "csecret",
-		},
-	}
-
-	data, err := json.Marshal(conn)
-	require.NoError(t, err)
-	encoded := base64.StdEncoding.EncodeToString(data)
-
-	result, err := decodeConnectorConfig(encoded)
-	require.NoError(t, err)
-	assert.Equal(t, "test-id", result.ID)
-	assert.Equal(t, "oidc", result.Type)
-	assert.Equal(t, "https://example.com", result.Config["issuer"])
-}
-
-func TestDecodeConnectorConfig_InvalidBase64(t *testing.T) {
-	_, err := decodeConnectorConfig("not-valid-base64!!!")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "base64 decode")
-}
-
-func TestDecodeConnectorConfig_InvalidJSON(t *testing.T) {
-	encoded := base64.StdEncoding.EncodeToString([]byte("not json"))
-	_, err := decodeConnectorConfig(encoded)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "json unmarshal")
-}
-
-func TestDecodeConnectorConfig_EmptyConnectorID(t *testing.T) {
-	conn := dex.Connector{
-		Type: "oidc",
-		Name: "no-id",
-		ID:   "",
-	}
-	data, err := json.Marshal(conn)
-	require.NoError(t, err)
-
-	encoded := base64.StdEncoding.EncodeToString(data)
-	_, err = decodeConnectorConfig(encoded)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "connector ID is empty")
-}
-
-func TestValidateConfig(t *testing.T) {
-	valid := &migrationConfig{
-		configPath:   "/etc/netbird/management.json",
-		dataDir:      "/var/lib/netbird",
-		idpSeedInfo:  "some-base64",
-		apiURL:       "https://api.example.com",
-		dashboardURL: "https://dash.example.com",
-	}
-
-	t.Run("valid config", func(t *testing.T) {
-		require.NoError(t, validateConfig(valid))
-	})
-
-	t.Run("missing configPath", func(t *testing.T) {
-		cfg := *valid
-		cfg.configPath = ""
-		err := validateConfig(&cfg)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "--config")
-	})
-
-	t.Run("missing dataDir", func(t *testing.T) {
-		cfg := *valid
-		cfg.dataDir = ""
-		err := validateConfig(&cfg)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "--datadir")
-	})
-
-	t.Run("missing idpSeedInfo", func(t *testing.T) {
-		cfg := *valid
-		cfg.idpSeedInfo = ""
-		err := validateConfig(&cfg)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "--idp-seed-info")
-	})
-
-	t.Run("missing apiUrl", func(t *testing.T) {
-		cfg := *valid
-		cfg.apiURL = ""
-		err := validateConfig(&cfg)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "--api-domain")
-	})
-
-	t.Run("missing dashboardUrl", func(t *testing.T) {
-		cfg := *valid
-		cfg.dashboardURL = ""
-		err := validateConfig(&cfg)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "--dashboard-domain")
-	})
-}
-
-func TestConfigFromArgs_EnvVarsApplied(t *testing.T) {
-	t.Run("env vars fill in for missing flags", func(t *testing.T) {
-		t.Setenv("NETBIRD_CONFIG_PATH", "/env/management.json")
-		t.Setenv("NETBIRD_DATA_DIR", "/env/data")
-		t.Setenv("NETBIRD_IDP_SEED_INFO", "env-seed")
-		t.Setenv("NETBIRD_API_URL", "https://api.env.com")
-		t.Setenv("NETBIRD_DASHBOARD_URL", "https://dash.env.com")
-
-		cfg, err := configFromArgs([]string{})
-		require.NoError(t, err)
-
-		assert.Equal(t, "/env/management.json", cfg.configPath)
-		assert.Equal(t, "/env/data", cfg.dataDir)
-		assert.Equal(t, "env-seed", cfg.idpSeedInfo)
-		assert.Equal(t, "https://api.env.com", cfg.apiURL)
-		assert.Equal(t, "https://dash.env.com", cfg.dashboardURL)
-	})
-
-	t.Run("flags work without env vars", func(t *testing.T) {
-		cfg, err := configFromArgs([]string{
-			"--config", "/flag/management.json",
-			"--datadir", "/flag/data",
-			"--idp-seed-info", "flag-seed",
-			"--api-url", "https://api.flag.com",
-			"--dashboard-url", "https://dash.flag.com",
-		})
-		require.NoError(t, err)
-
-		assert.Equal(t, "/flag/management.json", cfg.configPath)
-		assert.Equal(t, "/flag/data", cfg.dataDir)
-		assert.Equal(t, "flag-seed", cfg.idpSeedInfo)
-		assert.Equal(t, "https://api.flag.com", cfg.apiURL)
-		assert.Equal(t, "https://dash.flag.com", cfg.dashboardURL)
-	})
-
-	t.Run("env vars override flags", func(t *testing.T) {
-		t.Setenv("NETBIRD_CONFIG_PATH", "/env/management.json")
-		t.Setenv("NETBIRD_API_URL", "https://api.env.com")
-
-		cfg, err := configFromArgs([]string{
-			"--config", "/flag/management.json",
-			"--datadir", "/flag/data",
-			"--idp-seed-info", "flag-seed",
-			"--api-url", "https://api.flag.com",
-			"--dashboard-url", "https://dash.flag.com",
-		})
-		require.NoError(t, err)
-
-		assert.Equal(t, "/env/management.json", cfg.configPath, "env should override flag")
-		assert.Equal(t, "https://api.env.com", cfg.apiURL, "env should override flag")
-		assert.Equal(t, "https://dash.flag.com", cfg.dashboardURL, "flag preserved when no env override")
-	})
-
-	t.Run("--domain flag with specific env var override", func(t *testing.T) {
-		t.Setenv("NETBIRD_API_URL", "https://api.env.com")
-
-		cfg, err := configFromArgs([]string{
-			"--domain", "both.flag.com",
-			"--config", "/path",
-			"--datadir", "/data",
-			"--idp-seed-info", "seed",
-		})
-		require.NoError(t, err)
-
-		assert.Equal(t, "https://api.env.com", cfg.apiURL, "specific env beats --domain")
-		assert.Equal(t, "both.flag.com", cfg.dashboardURL, "--domain fills dashboard")
-	})
-}
-
-func TestApplyOverrides_MostGranularWins(t *testing.T) {
-	t.Run("specific flags beat --domain", func(t *testing.T) {
-		cfg := &migrationConfig{
-			apiURL:       "api.specific.com",
-			dashboardURL: "dash.specific.com",
-		}
-		applyOverrides(cfg, "broad.com")
-
-		assert.Equal(t, "api.specific.com", cfg.apiURL)
-		assert.Equal(t, "dash.specific.com", cfg.dashboardURL)
-	})
-
-	t.Run("--domain fills blanks when specific flags missing", func(t *testing.T) {
-		cfg := &migrationConfig{}
-		applyOverrides(cfg, "broad.com")
-
-		assert.Equal(t, "broad.com", cfg.apiURL)
-		assert.Equal(t, "broad.com", cfg.dashboardURL)
-	})
-
-	t.Run("--domain fills only the missing specific flag", func(t *testing.T) {
-		cfg := &migrationConfig{
-			apiURL: "api.specific.com",
-		}
-		applyOverrides(cfg, "broad.com")
-
-		assert.Equal(t, "api.specific.com", cfg.apiURL)
-		assert.Equal(t, "broad.com", cfg.dashboardURL)
-	})
-
-	t.Run("NETBIRD_DOMAIN overrides flags", func(t *testing.T) {
-		cfg := &migrationConfig{
-			apiURL:       "api.flag.com",
-			dashboardURL: "dash.flag.com",
-		}
-		t.Setenv("NETBIRD_DOMAIN", "env-broad.com")
-
-		applyOverrides(cfg, "")
-
-		assert.Equal(t, "env-broad.com", cfg.apiURL)
-		assert.Equal(t, "env-broad.com", cfg.dashboardURL)
-	})
-
-	t.Run("specific env vars beat NETBIRD_DOMAIN", func(t *testing.T) {
-		cfg := &migrationConfig{}
-		t.Setenv("NETBIRD_DOMAIN", "env-broad.com")
-		t.Setenv("NETBIRD_API_URL", "api.env-specific.com")
-		t.Setenv("NETBIRD_DASHBOARD_URL", "dash.env-specific.com")
-
-		applyOverrides(cfg, "")
-
-		assert.Equal(t, "api.env-specific.com", cfg.apiURL)
-		assert.Equal(t, "dash.env-specific.com", cfg.dashboardURL)
-	})
-
-	t.Run("one specific env var overrides only its field", func(t *testing.T) {
-		cfg := &migrationConfig{}
-		t.Setenv("NETBIRD_DOMAIN", "env-broad.com")
-		t.Setenv("NETBIRD_API_URL", "api.env-specific.com")
-
-		applyOverrides(cfg, "")
-
-		assert.Equal(t, "api.env-specific.com", cfg.apiURL)
-		assert.Equal(t, "env-broad.com", cfg.dashboardURL)
-	})
-
-	t.Run("specific env vars beat all flags combined", func(t *testing.T) {
-		cfg := &migrationConfig{
-			apiURL:       "api.flag.com",
-			dashboardURL: "dash.flag.com",
-		}
-		t.Setenv("NETBIRD_API_URL", "api.env.com")
-		t.Setenv("NETBIRD_DASHBOARD_URL", "dash.env.com")
-
-		applyOverrides(cfg, "domain-flag.com")
-
-		assert.Equal(t, "api.env.com", cfg.apiURL)
-		assert.Equal(t, "dash.env.com", cfg.dashboardURL)
-	})
-
-	t.Run("env vars override all non-domain flags", func(t *testing.T) {
-		cfg := &migrationConfig{
-			configPath:           "/flag/path",
-			dataDir:              "/flag/data",
-			idpSeedInfo:          "flag-seed",
-			dryRun:               false,
-			force:                false,
-			skipConfig:           false,
-			skipPopulateUserInfo: false,
-			logLevel:             "info",
-		}
-		t.Setenv("NETBIRD_CONFIG_PATH", "/env/path")
-		t.Setenv("NETBIRD_DATA_DIR", "/env/data")
-		t.Setenv("NETBIRD_IDP_SEED_INFO", "env-seed")
-		t.Setenv("NETBIRD_DRY_RUN", "true")
-		t.Setenv("NETBIRD_FORCE", "true")
-		t.Setenv("NETBIRD_SKIP_CONFIG", "true")
-		t.Setenv("NETBIRD_SKIP_POPULATE_USER_INFO", "true")
-		t.Setenv("NETBIRD_LOG_LEVEL", "debug")
-
-		applyOverrides(cfg, "")
-
-		assert.Equal(t, "/env/path", cfg.configPath)
-		assert.Equal(t, "/env/data", cfg.dataDir)
-		assert.Equal(t, "env-seed", cfg.idpSeedInfo)
-		assert.True(t, cfg.dryRun)
-		assert.True(t, cfg.force)
-		assert.True(t, cfg.skipConfig)
-		assert.True(t, cfg.skipPopulateUserInfo)
-		assert.Equal(t, "debug", cfg.logLevel)
-	})
-
-	t.Run("boolean env vars properly parse false values", func(t *testing.T) {
-		cfg := &migrationConfig{}
-		t.Setenv("NETBIRD_DRY_RUN", "false")
-		t.Setenv("NETBIRD_FORCE", "yes")
-		t.Setenv("NETBIRD_SKIP_CONFIG", "0")
-
-		applyOverrides(cfg, "")
-
-		assert.False(t, cfg.dryRun)
-		assert.False(t, cfg.force)
-		assert.False(t, cfg.skipConfig)
-	})
-
-	t.Run("unset env vars do not override flags", func(t *testing.T) {
-		cfg := &migrationConfig{
-			configPath:  "/flag/path",
-			dataDir:     "/flag/data",
-			idpSeedInfo: "flag-seed",
-			dryRun:      true,
-			logLevel:    "warn",
-		}
-
-		applyOverrides(cfg, "")
-
-		assert.Equal(t, "/flag/path", cfg.configPath)
-		assert.Equal(t, "/flag/data", cfg.dataDir)
-		assert.Equal(t, "flag-seed", cfg.idpSeedInfo)
-		assert.True(t, cfg.dryRun)
-		assert.Equal(t, "warn", cfg.logLevel)
-	})
-}
-
-func TestBuildUrl(t *testing.T) {
-	tests := []struct {
-		name     string
-		uri      string
-		path     string
-		expected string
-	}{
-		{"with https scheme", "https://example.com", "/oauth2", "https://example.com/oauth2"},
-		{"with http scheme", "http://example.com", "/oauth2/callback", "http://example.com/oauth2/callback"},
-		{"bare domain", "example.com", "/oauth2", "https://example.com/oauth2"},
-		{"domain with port", "example.com:8080", "/nb-auth", "https://example.com:8080/nb-auth"},
-		{"trailing slash on uri", "https://example.com/", "/oauth2", "https://example.com/oauth2"},
-		{"nested path", "https://example.com", "/oauth2/callback", "https://example.com/oauth2/callback"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			url, err := buildURL(tt.uri, tt.path)
-			assert.NoError(t, err)
-			assert.Equal(t, tt.expected, url)
-		})
-	}
-}
-
-func TestGenerateConfig(t *testing.T) {
-	t.Run("generates valid config", func(t *testing.T) {
-		dir := t.TempDir()
-		configPath := filepath.Join(dir, "management.json")
-
-		originalConfig := `{
-  "Datadir": "/var/lib/netbird",
-  "HttpConfig": {
-    "LetsEncryptDomain": "mgmt.example.com",
-    "CertFile": "/etc/ssl/cert.pem",
-    "CertKey": "/etc/ssl/key.pem",
-    "AuthIssuer": "https://zitadel.example.com/oauth2",
-    "AuthKeysLocation": "https://zitadel.example.com/oauth2/keys",
-    "OIDCConfigEndpoint": "https://zitadel.example.com/.well-known/openid-configuration",
-    "AuthClientID": "old-client-id",
-    "AuthUserIDClaim": "preferred_username"
-  },
-  "IdpManagerConfig": {
-    "ManagerType": "zitadel",
-    "ClientConfig": {
-      "Issuer": "https://zitadel.example.com",
-      "ClientID": "zit-id",
-      "ClientSecret": "zit-secret"
-    }
-  }
-}`
-		require.NoError(t, os.WriteFile(configPath, []byte(originalConfig), 0o600))
-
-		cfg := &migrationConfig{
-			configPath:   configPath,
-			dashboardURL: "https://mgmt.example.com",
-			apiURL:       "https://mgmt.example.com",
-		}
-		conn := &dex.Connector{
-			Type: "zitadel",
-			Name: "zitadel",
-			ID:   "zitadel",
-			Config: map[string]any{
-				"issuer":       "https://zitadel.example.com",
-				"clientID":     "zit-id",
-				"clientSecret": "zit-secret",
-			},
-		}
-
-		err := generateConfig(cfg, conn)
-		require.NoError(t, err)
-
-		// Check backup was created
-		backupPath := configPath + ".bak"
-		backupData, err := os.ReadFile(backupPath)
-		require.NoError(t, err)
-		assert.Equal(t, originalConfig, string(backupData))
-
-		// Read and parse the new config
-		newData, err := os.ReadFile(configPath)
-		require.NoError(t, err)
-
-		var result map[string]any
-		require.NoError(t, json.Unmarshal(newData, &result))
-
-		// IdpManagerConfig should be removed
-		_, hasOldIdp := result["IdpManagerConfig"]
-		assert.False(t, hasOldIdp, "IdpManagerConfig should be removed")
-
-		_, hasPKCE := result["PKCEAuthorizationFlow"]
-		assert.False(t, hasPKCE, "PKCEAuthorizationFlow should be removed")
-
-		// EmbeddedIdP should be present with minimal fields
-		embeddedIDP, ok := result["EmbeddedIdP"].(map[string]any)
-		require.True(t, ok, "EmbeddedIdP should be present")
-		assert.Equal(t, true, embeddedIDP["Enabled"])
-		assert.Equal(t, "https://mgmt.example.com/oauth2", embeddedIDP["Issuer"])
-		assert.Nil(t, embeddedIDP["LocalAuthDisabled"], "LocalAuthDisabled should not be set")
-		assert.Nil(t, embeddedIDP["SignKeyRefreshEnabled"], "SignKeyRefreshEnabled should not be set")
-		assert.Nil(t, embeddedIDP["CLIRedirectURIs"], "CLIRedirectURIs should not be set")
-
-		// Static connector's redirectURI should use the management domain
-		connectors := embeddedIDP["StaticConnectors"].([]any)
-		require.Len(t, connectors, 1)
-		firstConn := connectors[0].(map[string]any)
-		connCfg := firstConn["config"].(map[string]any)
-		assert.Equal(t, "https://mgmt.example.com/oauth2/callback", connCfg["redirectURI"],
-			"redirectURI should be overridden to use the management domain")
-
-		// HttpConfig should only have CertFile and CertKey
-		httpConfig, ok := result["HttpConfig"].(map[string]any)
-		require.True(t, ok, "HttpConfig should be present")
-		assert.Equal(t, "/etc/ssl/cert.pem", httpConfig["CertFile"])
-		assert.Equal(t, "/etc/ssl/key.pem", httpConfig["CertKey"])
-		assert.Nil(t, httpConfig["AuthIssuer"], "AuthIssuer should be stripped")
-
-		// Datadir should be preserved
-		assert.Equal(t, "/var/lib/netbird", result["Datadir"])
-	})
-
-	t.Run("dry run does not write files", func(t *testing.T) {
-		dir := t.TempDir()
-		configPath := filepath.Join(dir, "management.json")
-
-		originalConfig := `{"HttpConfig": {"CertFile": "", "CertKey": ""}}`
-		require.NoError(t, os.WriteFile(configPath, []byte(originalConfig), 0o600))
-
-		cfg := &migrationConfig{
-			configPath:   configPath,
-			dashboardURL: "https://mgmt.example.com",
-			apiURL:       "https://mgmt.example.com",
-			dryRun:       true,
-		}
-		conn := &dex.Connector{Type: "oidc", Name: "test", ID: "test"}
-
-		err := generateConfig(cfg, conn)
-		require.NoError(t, err)
-
-		// Original should be unchanged
-		data, err := os.ReadFile(configPath)
-		require.NoError(t, err)
-		assert.Equal(t, originalConfig, string(data))
-
-		// No backup should exist
-		_, err = os.Stat(configPath + ".bak")
-		assert.True(t, os.IsNotExist(err))
-	})
-}

upload-server/server/local.go

@@ -7,7 +7,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -83,18 +82,15 @@ func (l *local) getUploadURL(objectKey string) (string, error) {
 	return newURL.String(), nil
 }
 
-const maxUploadSize = 150 << 20
-
 func (l *local) handlePutRequest(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPut {
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
 
-	r.Body = http.MaxBytesReader(w, r.Body, maxUploadSize)
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		http.Error(w, "request body too large or failed to read", http.StatusRequestEntityTooLarge)
+		http.Error(w, fmt.Sprintf("failed to read body: %v", err), http.StatusInternalServerError)
 		return
 	}
 
@@ -109,47 +105,20 @@ func (l *local) handlePutRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cleanBase := filepath.Clean(l.dir) + string(filepath.Separator)
-
-	dirPath := filepath.Clean(filepath.Join(l.dir, uploadDir))
-	if !strings.HasPrefix(dirPath, cleanBase) {
-		http.Error(w, "invalid path", http.StatusBadRequest)
-		log.Warnf("Path traversal attempt blocked (dir): %s", dirPath)
-		return
-	}
-
-	filePath := filepath.Clean(filepath.Join(dirPath, uploadFile))
-	if !strings.HasPrefix(filePath, cleanBase) {
-		http.Error(w, "invalid path", http.StatusBadRequest)
-		log.Warnf("Path traversal attempt blocked (file): %s", filePath)
-		return
-	}
-
-	if err = os.MkdirAll(dirPath, 0750); err != nil {
+	dirPath := filepath.Join(l.dir, uploadDir)
+	err = os.MkdirAll(dirPath, 0750)
+	if err != nil {
 		http.Error(w, "failed to create upload dir", http.StatusInternalServerError)
 		log.Errorf("Failed to create upload dir: %v", err)
 		return
 	}
 
-	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL
-	f, err := os.OpenFile(filePath, flags, 0600)
-	if err != nil {
-		if os.IsExist(err) {
-			http.Error(w, "file already exists", http.StatusConflict)
-			return
-		}
-		http.Error(w, "failed to create file", http.StatusInternalServerError)
-		log.Errorf("Failed to create file %s: %v", filePath, err)
-		return
-	}
-	defer func() { _ = f.Close() }()
-
-	if _, err = f.Write(body); err != nil {
+	file := filepath.Join(dirPath, uploadFile)
+	if err := os.WriteFile(file, body, 0600); err != nil {
 		http.Error(w, "failed to write file", http.StatusInternalServerError)
-		log.Errorf("Failed to write file %s: %v", filePath, err)
+		log.Errorf("Failed to write file %s: %v", file, err)
 		return
 	}
-
-	log.Infof("Uploaded file %s", filePath)
+	log.Infof("Uploading file %s", file)
 	w.WriteHeader(http.StatusOK)
 }

upload-server/server/local_test.go

@@ -63,90 +63,3 @@ func Test_LocalHandlePutRequest(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, fileContent, createdFileContent)
 }
-
-func Test_LocalHandlePutRequest_PathTraversal(t *testing.T) {
-	mockDir := t.TempDir()
-	mockURL := "http://localhost:8080"
-	t.Setenv("SERVER_URL", mockURL)
-	t.Setenv("STORE_DIR", mockDir)
-
-	mux := http.NewServeMux()
-	err := configureLocalHandlers(mux)
-	require.NoError(t, err)
-
-	fileContent := []byte("malicious content")
-	req := httptest.NewRequest(http.MethodPut, putURLPath+"/uploads/%2e%2e%2f%2e%2e%2fetc%2fpasswd", bytes.NewReader(fileContent))
-
-	rec := httptest.NewRecorder()
-	mux.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusBadRequest, rec.Code)
-
-	_, err = os.Stat(filepath.Join(mockDir, "..", "..", "etc", "passwd"))
-	require.True(t, os.IsNotExist(err), "traversal file should not exist")
-}
-
-func Test_LocalHandlePutRequest_DirTraversal(t *testing.T) {
-	mockDir := t.TempDir()
-	t.Setenv("SERVER_URL", "http://localhost:8080")
-	t.Setenv("STORE_DIR", mockDir)
-
-	l := &local{url: "http://localhost:8080", dir: mockDir}
-
-	body := bytes.NewReader([]byte("bad"))
-	req := httptest.NewRequest(http.MethodPut, putURLPath+"/x/evil.txt", body)
-	req.SetPathValue("dir", "../../../tmp")
-	req.SetPathValue("file", "evil.txt")
-
-	rec := httptest.NewRecorder()
-	l.handlePutRequest(rec, req)
-
-	require.Equal(t, http.StatusBadRequest, rec.Code)
-
-	_, err := os.Stat(filepath.Join("/tmp", "evil.txt"))
-	require.True(t, os.IsNotExist(err), "traversal file should not exist outside store dir")
-}
-
-func Test_LocalHandlePutRequest_DuplicateFile(t *testing.T) {
-	mockDir := t.TempDir()
-	t.Setenv("SERVER_URL", "http://localhost:8080")
-	t.Setenv("STORE_DIR", mockDir)
-
-	mux := http.NewServeMux()
-	err := configureLocalHandlers(mux)
-	require.NoError(t, err)
-
-	req := httptest.NewRequest(http.MethodPut, putURLPath+"/dir/dup.txt", bytes.NewReader([]byte("first")))
-	rec := httptest.NewRecorder()
-	mux.ServeHTTP(rec, req)
-	require.Equal(t, http.StatusOK, rec.Code)
-
-	req = httptest.NewRequest(http.MethodPut, putURLPath+"/dir/dup.txt", bytes.NewReader([]byte("second")))
-	rec = httptest.NewRecorder()
-	mux.ServeHTTP(rec, req)
-	require.Equal(t, http.StatusConflict, rec.Code)
-
-	content, err := os.ReadFile(filepath.Join(mockDir, "dir", "dup.txt"))
-	require.NoError(t, err)
-	require.Equal(t, []byte("first"), content)
-}
-
-func Test_LocalHandlePutRequest_BodyTooLarge(t *testing.T) {
-	mockDir := t.TempDir()
-	t.Setenv("SERVER_URL", "http://localhost:8080")
-	t.Setenv("STORE_DIR", mockDir)
-
-	mux := http.NewServeMux()
-	err := configureLocalHandlers(mux)
-	require.NoError(t, err)
-
-	largeBody := make([]byte, maxUploadSize+1)
-	req := httptest.NewRequest(http.MethodPut, putURLPath+"/dir/big.txt", bytes.NewReader(largeBody))
-	rec := httptest.NewRecorder()
-	mux.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusRequestEntityTooLarge, rec.Code)
-
-	_, err = os.Stat(filepath.Join(mockDir, "dir", "big.txt"))
-	require.True(t, os.IsNotExist(err))
-}