[client] recreate gRPC ClientConn on every retry to prevent dual backoff

The flow client had two competing retry loops: our custom exponential
backoff and gRPC's internal subchannel reconnection. When establishStream
failed, the same ClientConn was reused, allowing gRPC's internal backoff
state to accumulate and control dial timing independently.

Changes:
- Consolidate error handling into handleRetryableError, which now
 handles context cancellation, permanent errors, backoff reset,
 and connection recreation in a single path
- Call recreateConnection on every retryable error so each retry
 gets a fresh ClientConn with no internal backoff state
- Remove connGen tracking since Receive is sequential and protected
 by a new receiving guard against concurrent calls
- Reduce RandomizationFactor from 1 to 0.5 to avoid near-zero
 backoff intervals

client/cmd/service_test.go

@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/signal"
 	"runtime"
-	"syscall"
 	"testing"
 	"time"
 
@@ -15,22 +13,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// TestMain intercepts when this test binary is run as a daemon subprocess.
-// On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
-// "service run ..." arguments. Since the test binary can't handle cobra CLI
-// args, it exits immediately, causing daemon -r to respawn rapidly until
-// hitting the rate limit and exiting. This makes service restart unreliable.
-// Blocking here keeps the subprocess alive until the init system sends SIGTERM.
-func TestMain(m *testing.M) {
-	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
-		<-sig
-		return
-	}
-	os.Exit(m.Run())
-}
-
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -97,34 +79,6 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)
 
-	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
-	t.Cleanup(func() {
-		cfg, err := newSVCConfig()
-		if err != nil {
-			t.Errorf("cleanup: create service config: %v", err)
-			return
-		}
-		ctxSvc, cancel := context.WithCancel(context.Background())
-		defer cancel()
-		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
-		if err != nil {
-			t.Errorf("cleanup: create service: %v", err)
-			return
-		}
-
-		// If the subtests already cleaned up, there's nothing to do.
-		if _, err := s.Status(); err != nil {
-			return
-		}
-
-		if err := s.Stop(); err != nil {
-			t.Errorf("cleanup: stop service: %v", err)
-		}
-		if err := s.Uninstall(); err != nil {
-			t.Errorf("cleanup: uninstall service: %v", err)
-		}
-	})
-
 	ctx := context.Background()
 
 	t.Run("Install", func(t *testing.T) {

client/internal/auth/auth.go

@@ -155,7 +155,7 @@ func (a *Auth) IsLoginRequired(ctx context.Context) (bool, error) {
 	var needsLogin bool
 
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
-		err := a.doMgmLogin(client, ctx, pubSSHKey)
+		_, _, err := a.doMgmLogin(client, ctx, pubSSHKey)
 		if isLoginNeeded(err) {
 			needsLogin = true
 			return nil
@@ -179,8 +179,8 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 	var isAuthError bool
 
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
-		err := a.doMgmLogin(client, ctx, pubSSHKey)
-		if isRegistrationNeeded(err) {
+		serverKey, _, err := a.doMgmLogin(client, ctx, pubSSHKey)
+		if serverKey != nil && isRegistrationNeeded(err) {
 			log.Debugf("peer registration required")
 			_, err = a.registerPeer(client, ctx, setupKey, jwtToken, pubSSHKey)
 			if err != nil {
@@ -201,7 +201,13 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 
 // getPKCEFlow retrieves PKCE authorization flow configuration and creates a flow instance
 func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, error) {
-	protoFlow, err := client.GetPKCEAuthorizationFlow()
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
+	protoFlow, err := client.GetPKCEAuthorizationFlow(*serverKey)
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find pkce flow, contact admin: %v", err)
@@ -215,7 +221,6 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro
 	config := &PKCEAuthProviderConfig{
 		Audience:              protoConfig.GetAudience(),
 		ClientID:              protoConfig.GetClientID(),
-		ClientSecret:          protoConfig.GetClientSecret(), //nolint:staticcheck
 		TokenEndpoint:         protoConfig.GetTokenEndpoint(),
 		AuthorizationEndpoint: protoConfig.GetAuthorizationEndpoint(),
 		Scope:                 protoConfig.GetScope(),
@@ -240,7 +245,13 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro
 
 // getDeviceFlow retrieves device authorization flow configuration and creates a flow instance
 func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow, error) {
-	protoFlow, err := client.GetDeviceAuthorizationFlow()
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
+	protoFlow, err := client.GetDeviceAuthorizationFlow(*serverKey)
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find device flow, contact admin: %v", err)
@@ -254,7 +265,6 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 	config := &DeviceAuthProviderConfig{
 		Audience:           protoConfig.GetAudience(),
 		ClientID:           protoConfig.GetClientID(),
-		ClientSecret:       protoConfig.GetClientSecret(), //nolint:staticcheck
 		Domain:             protoConfig.Domain,
 		TokenEndpoint:      protoConfig.GetTokenEndpoint(),
 		DeviceAuthEndpoint: protoConfig.GetDeviceAuthEndpoint(),
@@ -280,16 +290,28 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 }
 
 // doMgmLogin performs the actual login operation with the management service
-func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) error {
+func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) (*wgtypes.Key, *mgmProto.LoginResponse, error) {
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, nil, err
+	}
+
 	sysInfo := system.GetInfo(ctx)
 	a.setSystemInfoFlags(sysInfo)
-	_, err := client.Login(sysInfo, pubSSHKey, a.config.DNSLabels)
-	return err
+	loginResp, err := client.Login(*serverKey, sysInfo, pubSSHKey, a.config.DNSLabels)
+	return serverKey, loginResp, err
 }
 
 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
 // Otherwise tries to register with the provided setupKey via command line.
 func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKey string, jwtToken string, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
 	validSetupKey, err := uuid.Parse(setupKey)
 	if err != nil && jwtToken == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
@@ -298,7 +320,7 @@ func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKe
 	log.Debugf("sending peer registration request to Management Service")
 	info := system.GetInfo(ctx)
 	a.setSystemInfoFlags(info)
-	loginResp, err := client.Register(validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
+	loginResp, err := client.Register(*serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
 	if err != nil {
 		log.Errorf("failed registering peer %v", err)
 		return nil, err

client/internal/auth/device_flow.go

@@ -29,8 +29,6 @@ var _ OAuthFlow = &DeviceAuthorizationFlow{}
 type DeviceAuthProviderConfig struct {
 	// ClientID An IDP application client id
 	ClientID string
-	// ClientSecret An IDP application client secret
-	ClientSecret string
 	// Domain An IDP API domain
 	// Deprecated. Use OIDCConfigEndpoint instead
 	Domain string

client/internal/auth/pkce_flow.go

@@ -38,8 +38,6 @@ const (
 type PKCEAuthProviderConfig struct {
 	// ClientID An IDP application client id
 	ClientID string
-	// ClientSecret An IDP application client secret
-	ClientSecret string
 	// Audience An Audience for to authorization validation
 	Audience string
 	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
@@ -111,8 +109,7 @@ func NewPKCEAuthorizationFlow(config PKCEAuthProviderConfig) (*PKCEAuthorization
 	}
 
 	cfg := &oauth2.Config{
-		ClientID:     config.ClientID,
-		ClientSecret: config.ClientSecret,
+		ClientID: config.ClientID,
 		Endpoint: oauth2.Endpoint{
 			AuthURL:  config.AuthorizationEndpoint,
 			TokenURL: config.TokenEndpoint,

client/internal/connect.go

@@ -44,10 +44,6 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
-// androidRunOverride is set on Android to inject mobile dependencies
-// when using embed.Client (which calls Run() with empty MobileDependency).
-var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath string) error
-
 type ConnectClient struct {
 	ctx            context.Context
 	config         *profilemanager.Config
@@ -80,9 +76,6 @@ func (c *ConnectClient) SetUpdateManager(um *updater.Manager) {
 
 // Run with main logic.
 func (c *ConnectClient) Run(runningChan chan struct{}, logPath string) error {
-	if androidRunOverride != nil {
-		return androidRunOverride(c, runningChan, logPath)
-	}
 	return c.run(MobileDependency{}, runningChan, logPath)
 }
 
@@ -617,6 +610,12 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP
 
 // loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
 func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *profilemanager.Config) (*mgmProto.LoginResponse, error) {
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
 	sysInfo := system.GetInfo(ctx)
 	sysInfo.SetFlags(
 		config.RosenpassEnabled,
@@ -635,7 +634,12 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.EnableSSHRemotePortForwarding,
 		config.DisableSSHAuth,
 	)
-	return client.Login(sysInfo, pubSSHKey, config.DNSLabels)
+	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
+	if err != nil {
+		return nil, err
+	}
+
+	return loginResp, nil
 }
 
 func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {

client/internal/connect_android_default.go

@@ -1,73 +0,0 @@
-//go:build android
-
-package internal
-
-import (
-	"net/netip"
-
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-// noopIFaceDiscover is a stub ExternalIFaceDiscover for embed.Client on Android.
-// It returns an empty interface list, which means ICE P2P candidates won't be
-// discovered — connections will fall back to relay. Applications that need P2P
-// should provide a real implementation via runOnAndroidEmbed that uses
-// Android's ConnectivityManager to enumerate network interfaces.
-type noopIFaceDiscover struct{}
-
-func (noopIFaceDiscover) IFaces() (string, error) {
-	// Return empty JSON array — no local interfaces advertised for ICE.
-	// This is intentional: without Android's ConnectivityManager, we cannot
-	// reliably enumerate interfaces (netlink is restricted on Android 11+).
-	// Relay connections still work; only P2P hole-punching is disabled.
-	return "[]", nil
-}
-
-// noopNetworkChangeListener is a stub for embed.Client on Android.
-// Network change events are ignored since the embed client manages its own
-// reconnection logic via the engine's built-in retry mechanism.
-type noopNetworkChangeListener struct{}
-
-func (noopNetworkChangeListener) OnNetworkChanged(string) {
-	// No-op: embed.Client relies on the engine's internal reconnection
-	// logic rather than OS-level network change notifications.
-}
-
-func (noopNetworkChangeListener) SetInterfaceIP(string) {
-	// No-op: in netstack mode, the overlay IP is managed by the userspace
-	// network stack, not by OS-level interface configuration.
-}
-
-// noopDnsReadyListener is a stub for embed.Client on Android.
-// DNS readiness notifications are not needed in netstack/embed mode
-// since system DNS is disabled and DNS resolution happens externally.
-type noopDnsReadyListener struct{}
-
-func (noopDnsReadyListener) OnReady() {
-	// No-op: embed.Client does not need DNS readiness notifications.
-	// System DNS is disabled in netstack mode.
-}
-
-var _ stdnet.ExternalIFaceDiscover = noopIFaceDiscover{}
-var _ listener.NetworkChangeListener = noopNetworkChangeListener{}
-var _ dns.ReadyListener = noopDnsReadyListener{}
-
-func init() {
-	// Wire up the default override so embed.Client.Start() works on Android
-	// with netstack mode. Provides complete no-op stubs for all mobile
-	// dependencies so the engine's existing Android code paths work unchanged.
-	// Applications that need P2P ICE or real DNS should replace this by
-	// setting androidRunOverride before calling Start().
-	androidRunOverride = func(c *ConnectClient, runningChan chan struct{}, logPath string) error {
-		return c.runOnAndroidEmbed(
-			noopIFaceDiscover{},
-			noopNetworkChangeListener{},
-			[]netip.AddrPort{},
-			noopDnsReadyListener{},
-			runningChan,
-			logPath,
-		)
-	}
-}

client/internal/connect_android_embed.go

@@ -1,32 +0,0 @@
-//go:build android
-
-package internal
-
-import (
-	"net/netip"
-
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-// runOnAndroidEmbed is like RunOnAndroid but accepts a runningChan
-// so embed.Client.Start() can detect when the engine is ready.
-// It provides complete MobileDependency so the engine's existing
-// Android code paths work unchanged.
-func (c *ConnectClient) runOnAndroidEmbed(
-	iFaceDiscover stdnet.ExternalIFaceDiscover,
-	networkChangeListener listener.NetworkChangeListener,
-	dnsAddresses []netip.AddrPort,
-	dnsReadyListener dns.ReadyListener,
-	runningChan chan struct{},
-	logPath string,
-) error {
-	mobileDependency := MobileDependency{
-		IFaceDiscover:         iFaceDiscover,
-		NetworkChangeListener: networkChangeListener,
-		HostDNSAddresses:      dnsAddresses,
-		DnsReadyListener:      dnsReadyListener,
-	}
-	return c.run(mobileDependency, runningChan, logPath)
-}

client/internal/engine.go

@@ -500,7 +500,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)
 
 	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
-		for _, routes := range e.routeManager.GetSelectedClientRoutes() {
+		for _, routes := range e.routeManager.GetClientRoutes() {
 			for _, r := range routes {
 				if r.Network.Contains(ip) {
 					return true
@@ -554,7 +554,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.connMgr.Start(e.ctx)
 
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
-	e.srWatcher.Start(peer.IsForceRelayed())
+	e.srWatcher.Start()
 
 	e.receiveSignalEvents()
 	e.receiveManagementEvents()

client/internal/engine_test.go

@@ -828,7 +828,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-			}, EngineServices{
+	}, EngineServices{
 				SignalClient:   &signal.MockClient{},
 				MgmClient:      &mgmt.MockClient{},
 				RelayManager:   relayMgr,
@@ -1035,7 +1035,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-			}, EngineServices{
+	}, EngineServices{
 				SignalClient:   &signal.MockClient{},
 				MgmClient:      &mgmt.MockClient{},
 				RelayManager:   relayMgr,
@@ -1538,8 +1538,13 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		return nil, err
 	}
 
+	publicKey, err := mgmtClient.GetServerPublicKey()
+	if err != nil {
+		return nil, err
+	}
+
 	info := system.GetInfo(ctx)
-	resp, err := mgmtClient.Register(setupKey, "", info, nil, nil)
+	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -1561,7 +1566,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-	e, err := NewEngine(ctx, cancel, conf, EngineServices{
+e, err := NewEngine(ctx, cancel, conf, EngineServices{
 		SignalClient:   signalClient,
 		MgmClient:      mgmtClient,
 		RelayManager:   relayMgr,

client/internal/peer/conn.go

@@ -181,20 +181,17 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 
 	conn.workerRelay = NewWorkerRelay(conn.ctx, conn.Log, isController(conn.config), conn.config, conn, conn.relayManager)
 
-	forceRelay := IsForceRelayed()
-	if !forceRelay {
-		relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
-		workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
-		if err != nil {
-			return err
-		}
-		conn.workerICE = workerICE
+	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
+	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
+	if err != nil {
+		return err
 	}
+	conn.workerICE = workerICE
 
 	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay, conn.metricsStages)
 
 	conn.handshaker.AddRelayListener(conn.workerRelay.OnNewOffer)
-	if !forceRelay {
+	if !isForceRelayed() {
 		conn.handshaker.AddICEListener(conn.workerICE.OnNewOffer)
 	}
 
@@ -250,9 +247,7 @@ func (conn *Conn) Close(signalToRemote bool) {
 		conn.wgWatcherCancel()
 	}
 	conn.workerRelay.CloseConn()
-	if conn.workerICE != nil {
-		conn.workerICE.Close()
-	}
+	conn.workerICE.Close()
 
 	if conn.wgProxyRelay != nil {
 		err := conn.wgProxyRelay.CloseConn()
@@ -295,9 +290,7 @@ func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) {
 // OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
 func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
 	conn.dumpState.RemoteCandidate()
-	if conn.workerICE != nil {
-		conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
-	}
+	conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
 }
 
 // SetOnConnected sets a handler function to be triggered by Conn when a new connection to a remote peer established
@@ -724,19 +717,14 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 		}
 	}()
 
-	// For force-relayed connections (JS or NB_FORCE_RELAY): only relay status matters
-	if IsForceRelayed() {
-		if !conn.workerRelay.IsRelayConnectionSupportedWithPeer() {
-			return false
-		}
+	// For JS platform: only relay connection is supported
+	if runtime.GOOS == "js" {
 		return conn.statusRelay.Get() == worker.StatusConnected
 	}
 
-	// For non-forced platforms: check ICE connection status only if remote peer supports ICE
-	if conn.handshaker.RemoteICESupported() {
-		if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
-			return false
-		}
+	// For non-JS platforms: check ICE connection status
+	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
+		return false
 	}
 
 	// If relay is supported with peer, it must also be connected

client/internal/peer/env.go

@@ -10,7 +10,7 @@ const (
 	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
 )
 
-func IsForceRelayed() bool {
+func isForceRelayed() bool {
 	if runtime.GOOS == "js" {
 		return true
 	}

client/internal/peer/guard/sr_watcher.go

@@ -39,7 +39,7 @@ func NewSRWatcher(signalClient chNotifier, relayManager chNotifier, iFaceDiscove
 	return srw
 }
 
-func (w *SRWatcher) Start(disableICEMonitor bool) {
+func (w *SRWatcher) Start() {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -50,10 +50,8 @@ func (w *SRWatcher) Start(disableICEMonitor bool) {
 	ctx, cancel := context.WithCancel(context.Background())
 	w.cancelIceMonitor = cancel
 
-	if !disableICEMonitor {
-		iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
-		go iceMonitor.Start(ctx, w.onICEChanged)
-	}
+	iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
+	go iceMonitor.Start(ctx, w.onICEChanged)
 	w.signalClient.SetOnReconnectedListener(w.onReconnected)
 	w.relayManager.SetOnReconnectedListener(w.onReconnected)
 

client/internal/peer/handshaker.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"sync"
-	"sync/atomic"
 
 	log "github.com/sirupsen/logrus"
 
@@ -60,10 +59,6 @@ type Handshaker struct {
 	relayListener *AsyncOfferListener
 	iceListener   func(remoteOfferAnswer *OfferAnswer)
 
-	// remoteICESupported tracks whether the remote peer includes ICE credentials in its offers/answers.
-	// When false, the local side skips ICE listener dispatch and suppresses ICE credentials in responses.
-	remoteICESupported atomic.Bool
-
 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
 	remoteOffersCh chan OfferAnswer
 	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
@@ -71,7 +66,7 @@ type Handshaker struct {
 }
 
 func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay, metricsStages *MetricsStages) *Handshaker {
-	h := &Handshaker{
+	return &Handshaker{
 		log:            log,
 		config:         config,
 		signaler:       signaler,
@@ -81,13 +76,6 @@ func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *W
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 	}
-	// assume remote supports ICE until we learn otherwise from received offers
-	h.remoteICESupported.Store(ice != nil)
-	return h
-}
-
-func (h *Handshaker) RemoteICESupported() bool {
-	return h.remoteICESupported.Load()
 }
 
 func (h *Handshaker) AddRelayListener(offer func(remoteOfferAnswer *OfferAnswer)) {
@@ -109,13 +97,11 @@ func (h *Handshaker) Listen(ctx context.Context) {
 				h.metricsStages.RecordSignalingReceived()
 			}
 
-			h.updateRemoteICEState(&remoteOfferAnswer)
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
 
-			if h.iceListener != nil && h.RemoteICESupported() {
+			if h.iceListener != nil {
 				h.iceListener(&remoteOfferAnswer)
 			}
 
@@ -131,13 +117,11 @@ func (h *Handshaker) Listen(ctx context.Context) {
 				h.metricsStages.RecordSignalingReceived()
 			}
 
-			h.updateRemoteICEState(&remoteOfferAnswer)
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
 
-			if h.iceListener != nil && h.RemoteICESupported() {
+			if h.iceListener != nil {
 				h.iceListener(&remoteOfferAnswer)
 			}
 		case <-ctx.Done():
@@ -199,18 +183,15 @@ func (h *Handshaker) sendAnswer() error {
 }
 
 func (h *Handshaker) buildOfferAnswer() OfferAnswer {
+	uFrag, pwd := h.ice.GetLocalUserCredentials()
+	sid := h.ice.SessionID()
 	answer := OfferAnswer{
+		IceCredentials:  IceCredentials{uFrag, pwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
 		RosenpassAddr:   h.config.RosenpassConfig.Addr,
-	}
-
-	if h.ice != nil && h.RemoteICESupported() {
-		uFrag, pwd := h.ice.GetLocalUserCredentials()
-		sid := h.ice.SessionID()
-		answer.IceCredentials = IceCredentials{uFrag, pwd}
-		answer.SessionID = &sid
+		SessionID:       &sid,
 	}
 
 	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
@@ -219,18 +200,3 @@ func (h *Handshaker) buildOfferAnswer() OfferAnswer {
 
 	return answer
 }
-
-func (h *Handshaker) updateRemoteICEState(offer *OfferAnswer) {
-	hasICE := offer.IceCredentials.UFrag != "" && offer.IceCredentials.Pwd != ""
-	prev := h.remoteICESupported.Swap(hasICE)
-	if prev != hasICE {
-		if hasICE {
-			h.log.Infof("remote peer started sending ICE credentials")
-		} else {
-			h.log.Infof("remote peer stopped sending ICE credentials")
-			if h.ice != nil {
-				h.ice.Close()
-			}
-		}
-	}
-}

client/internal/peer/signaler.go

@@ -46,13 +46,9 @@ func (s *Signaler) Ready() bool {
 
 // SignalOfferAnswer signals either an offer or an answer to remote peer
 func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
-	var sessionIDBytes []byte
-	if offerAnswer.SessionID != nil {
-		var err error
-		sessionIDBytes, err = offerAnswer.SessionID.Bytes()
-		if err != nil {
-			log.Warnf("failed to get session ID bytes: %v", err)
-		}
+	sessionIDBytes, err := offerAnswer.SessionID.Bytes()
+	if err != nil {
+		log.Warnf("failed to get session ID bytes: %v", err)
 	}
 	msg, err := signal.MarshalCredential(
 		s.wgPrivateKey,

client/internal/profilemanager/config.go

@@ -41,7 +41,7 @@ const (
 
 // mgmProber is the subset of management client needed for URL migration probes.
 type mgmProber interface {
-	HealthCheck() error
+	GetServerPublicKey() (*wgtypes.Key, error)
 	Close() error
 }
 
@@ -777,7 +777,8 @@ func UpdateOldManagementURL(ctx context.Context, config *Config, configPath stri
 	}()
 
 	// gRPC check
-	if err = client.HealthCheck(); err != nil {
+	_, err = client.GetServerPublicKey()
+	if err != nil {
 		log.Infof("couldn't switch to the new Management %s", newURL.String())
 		return nil, err
 	}

client/internal/profilemanager/config_test.go

@@ -17,10 +17,12 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
-type mockMgmProber struct{}
+type mockMgmProber struct {
+	key wgtypes.Key
+}
 
-func (m *mockMgmProber) HealthCheck() error {
-	return nil
+func (m *mockMgmProber) GetServerPublicKey() (*wgtypes.Key, error) {
+	return &m.key, nil
 }
 
 func (m *mockMgmProber) Close() error { return nil }
@@ -245,7 +247,11 @@ func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 func TestUpdateOldManagementURL(t *testing.T) {
 	origProber := newMgmProber
 	newMgmProber = func(_ context.Context, _ string, _ wgtypes.Key, _ bool) (mgmProber, error) {
-		return &mockMgmProber{}, nil
+		key, err := wgtypes.GenerateKey()
+		if err != nil {
+			return nil, err
+		}
+		return &mockMgmProber{key: key.PublicKey()}, nil
 	}
 	t.Cleanup(func() { newMgmProber = origProber })
 

client/internal/routemanager/manager.go

@@ -52,7 +52,6 @@ type Manager interface {
 	TriggerSelection(route.HAMap)
 	GetRouteSelector() *routeselector.RouteSelector
 	GetClientRoutes() route.HAMap
-	GetSelectedClientRoutes() route.HAMap
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -466,16 +465,6 @@ func (m *DefaultManager) GetClientRoutes() route.HAMap {
 	return maps.Clone(m.clientRoutes)
 }
 
-// GetSelectedClientRoutes returns only the currently selected/active client routes,
-// filtering out deselected exit nodes. Use this instead of GetClientRoutes when checking
-// if traffic should be routed through the tunnel.
-func (m *DefaultManager) GetSelectedClientRoutes() route.HAMap {
-	m.mux.Lock()
-	defer m.mux.Unlock()
-
-	return m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
-}
-
 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	m.mux.Lock()

client/internal/routemanager/mock.go

@@ -18,7 +18,6 @@ type MockManager struct {
 	TriggerSelectionFunc         func(haMap route.HAMap)
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
-	GetSelectedClientRoutesFunc  func() route.HAMap
 	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
 	StopFunc                     func(manager *statemanager.Manager)
 }
@@ -62,7 +61,7 @@ func (m *MockManager) GetRouteSelector() *routeselector.RouteSelector {
 	return nil
 }
 
-// GetClientRoutes mock implementation of GetClientRoutes from the Manager interface
+// GetClientRoutes mock implementation of GetClientRoutes from Manager interface
 func (m *MockManager) GetClientRoutes() route.HAMap {
 	if m.GetClientRoutesFunc != nil {
 		return m.GetClientRoutesFunc()
@@ -70,14 +69,6 @@ func (m *MockManager) GetClientRoutes() route.HAMap {
 	return nil
 }
 
-// GetSelectedClientRoutes mock implementation of GetSelectedClientRoutes from the Manager interface
-func (m *MockManager) GetSelectedClientRoutes() route.HAMap {
-	if m.GetSelectedClientRoutesFunc != nil {
-		return m.GetSelectedClientRoutesFunc()
-	}
-	return nil
-}
-
 // GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
 func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	if m.GetClientRoutesWithNetIDFunc != nil {

flow/client/client.go

@@ -14,7 +14,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/connectivity"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
@@ -26,11 +25,22 @@ import (
 	"github.com/netbirdio/netbird/util/wsproxy"
 )
 
+var ErrClientClosed = errors.New("client is closed")
+
+// minHealthyDuration is the minimum time a stream must survive before a failure
+// resets the backoff timer. Streams that fail faster are considered unhealthy and
+// should not reset backoff, so that MaxElapsedTime can eventually stop retries.
+const minHealthyDuration = 5 * time.Second
+
 type GRPCClient struct {
 	realClient proto.FlowServiceClient
 	clientConn *grpc.ClientConn
 	stream     proto.FlowService_EventsClient
-	streamMu   sync.Mutex
+	target     string
+	opts       []grpc.DialOption
+	closed     bool       // prevent creating conn in the middle of the Close
+	receiving  bool       // prevent concurrent Receive calls
+	mu         sync.Mutex // protects clientConn, realClient, stream, closed, and receiving
 }
 
 func NewClient(addr, payload, signature string, interval time.Duration) (*GRPCClient, error) {
@@ -65,7 +75,8 @@ func NewClient(addr, payload, signature string, interval time.Duration) (*GRPCCl
 		grpc.WithDefaultServiceConfig(`{"healthCheckConfig": {"serviceName": ""}}`),
 	)
 
-	conn, err := grpc.NewClient(fmt.Sprintf("%s:%s", parsedURL.Hostname(), parsedURL.Port()), opts...)
+	target := parsedURL.Host
+	conn, err := grpc.NewClient(target, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("creating new grpc client: %w", err)
 	}
@@ -73,30 +84,73 @@ func NewClient(addr, payload, signature string, interval time.Duration) (*GRPCCl
 	return &GRPCClient{
 		realClient: proto.NewFlowServiceClient(conn),
 		clientConn: conn,
+		target:     target,
+		opts:       opts,
 	}, nil
 }
 
 func (c *GRPCClient) Close() error {
-	c.streamMu.Lock()
-	defer c.streamMu.Unlock()
-
+	c.mu.Lock()
+	c.closed = true
 	c.stream = nil
-	if err := c.clientConn.Close(); err != nil && !errors.Is(err, context.Canceled) {
+	conn := c.clientConn
+	c.clientConn = nil
+	c.mu.Unlock()
+
+	if conn == nil {
+		return nil
+	}
+
+	if err := conn.Close(); err != nil && !errors.Is(err, context.Canceled) {
 		return fmt.Errorf("close client connection: %w", err)
 	}
 
 	return nil
 }
 
+func (c *GRPCClient) Send(event *proto.FlowEvent) error {
+	c.mu.Lock()
+	stream := c.stream
+	c.mu.Unlock()
+
+	if stream == nil {
+		return errors.New("stream not initialized")
+	}
+
+	if err := stream.Send(event); err != nil {
+		return fmt.Errorf("send flow event: %w", err)
+	}
+
+	return nil
+}
+
 func (c *GRPCClient) Receive(ctx context.Context, interval time.Duration, msgHandler func(msg *proto.FlowEventAck) error) error {
+	c.mu.Lock()
+	if c.receiving {
+		c.mu.Unlock()
+		return errors.New("concurrent Receive calls are not supported")
+	}
+	c.receiving = true
+	c.mu.Unlock()
+	defer func() {
+		c.mu.Lock()
+		c.receiving = false
+		c.mu.Unlock()
+	}()
+
 	backOff := defaultBackoff(ctx, interval)
 	operation := func() error {
-		if err := c.establishStreamAndReceive(ctx, msgHandler); err != nil {
-			if s, ok := status.FromError(err); ok && s.Code() == codes.Canceled {
-				return fmt.Errorf("receive: %w: %w", err, context.Canceled)
-			}
+		stream, err := c.establishStream(ctx)
+		if err != nil {
+			log.Errorf("failed to establish flow stream, retrying: %v", err)
+			return c.handleRetryableError(err, time.Time{}, backOff)
+		}
+
+		streamStart := time.Now()
+
+		if err := c.receive(stream, msgHandler); err != nil {
 			log.Errorf("receive failed: %v", err)
-			return fmt.Errorf("receive: %w", err)
+			return c.handleRetryableError(err, streamStart, backOff)
 		}
 		return nil
 	}
@@ -108,37 +162,106 @@ func (c *GRPCClient) Receive(ctx context.Context, interval time.Duration, msgHan
 	return nil
 }
 
-func (c *GRPCClient) establishStreamAndReceive(ctx context.Context, msgHandler func(msg *proto.FlowEventAck) error) error {
-	if c.clientConn.GetState() == connectivity.Shutdown {
-		return errors.New("connection to flow receiver has been shut down")
+// handleRetryableError resets the backoff timer if the stream was healthy long
+// enough and recreates the underlying ClientConn so that gRPC's internal
+// subchannel backoff does not accumulate and compete with our own retry timer.
+// A zero streamStart means the stream was never established.
+func (c *GRPCClient) handleRetryableError(err error, streamStart time.Time, backOff backoff.BackOff) error {
+	if isContextDone(err) {
+		return backoff.Permanent(err)
 	}
 
-	stream, err := c.realClient.Events(ctx, grpc.WaitForReady(true))
-	if err != nil {
-		return fmt.Errorf("create event stream: %w", err)
+	var permErr *backoff.PermanentError
+	if errors.As(err, &permErr) {
+		return err
 	}
 
-	err = stream.Send(&proto.FlowEvent{IsInitiator: true})
+	// Reset the backoff so the next retry starts with a short delay instead of
+	// continuing the already-elapsed timer. Only do this if the stream was healthy
+	// long enough; short-lived connect/drop cycles must not defeat MaxElapsedTime.
+	if !streamStart.IsZero() && time.Since(streamStart) >= minHealthyDuration {
+		backOff.Reset()
+	}
+
+	if recreateErr := c.recreateConnection(); recreateErr != nil {
+		log.Errorf("recreate connection: %v", recreateErr)
+		return recreateErr
+	}
+
+	log.Infof("connection recreated, retrying stream")
+	return fmt.Errorf("retrying after error: %w", err)
+}
+
+func (c *GRPCClient) recreateConnection() error {
+	c.mu.Lock()
+	if c.closed {
+		c.mu.Unlock()
+		return backoff.Permanent(ErrClientClosed)
+	}
+
+	conn, err := grpc.NewClient(c.target, c.opts...)
 	if err != nil {
-		log.Infof("failed to send initiator message to flow receiver but will attempt to continue. Error: %s", err)
+		c.mu.Unlock()
+		return fmt.Errorf("create new connection: %w", err)
+	}
+
+	old := c.clientConn
+	c.clientConn = conn
+	c.realClient = proto.NewFlowServiceClient(conn)
+	c.stream = nil
+	c.mu.Unlock()
+
+	_ = old.Close()
+
+	return nil
+}
+
+func (c *GRPCClient) establishStream(ctx context.Context) (proto.FlowService_EventsClient, error) {
+	c.mu.Lock()
+	if c.closed {
+		c.mu.Unlock()
+		return nil, backoff.Permanent(ErrClientClosed)
+	}
+	cl := c.realClient
+	c.mu.Unlock()
+
+	// open stream outside the lock — blocking operation
+	stream, err := cl.Events(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("create event stream: %w", err)
+	}
+	streamReady := false
+	defer func() {
+		if !streamReady {
+			_ = stream.CloseSend()
+		}
+	}()
+
+	if err = stream.Send(&proto.FlowEvent{IsInitiator: true}); err != nil {
+		return nil, fmt.Errorf("send initiator: %w", err)
 	}
 
 	if err = checkHeader(stream); err != nil {
-		return fmt.Errorf("check header: %w", err)
+		return nil, fmt.Errorf("check header: %w", err)
 	}
 
-	c.streamMu.Lock()
+	c.mu.Lock()
+	if c.closed {
+		c.mu.Unlock()
+		return nil, backoff.Permanent(ErrClientClosed)
+	}
 	c.stream = stream
-	c.streamMu.Unlock()
+	c.mu.Unlock()
+	streamReady = true
 
-	return c.receive(stream, msgHandler)
+	return stream, nil
 }
 
 func (c *GRPCClient) receive(stream proto.FlowService_EventsClient, msgHandler func(msg *proto.FlowEventAck) error) error {
 	for {
 		msg, err := stream.Recv()
 		if err != nil {
-			return fmt.Errorf("receive from stream: %w", err)
+			return err
 		}
 
 		if msg.IsInitiator {
@@ -169,7 +292,7 @@ func checkHeader(stream proto.FlowService_EventsClient) error {
 func defaultBackoff(ctx context.Context, interval time.Duration) backoff.BackOff {
 	return backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval:     800 * time.Millisecond,
-		RandomizationFactor: 1,
+		RandomizationFactor: 0.5,
 		Multiplier:          1.7,
 		MaxInterval:         interval / 2,
 		MaxElapsedTime:      3 * 30 * 24 * time.Hour, // 3 months
@@ -178,18 +301,12 @@ func defaultBackoff(ctx context.Context, interval time.Duration) backoff.BackOff
 	}, ctx)
 }
 
-func (c *GRPCClient) Send(event *proto.FlowEvent) error {
-	c.streamMu.Lock()
-	stream := c.stream
-	c.streamMu.Unlock()
-
-	if stream == nil {
-		return errors.New("stream not initialized")
+func isContextDone(err error) bool {
+	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		return true
 	}
-
-	if err := stream.Send(event); err != nil {
-		return fmt.Errorf("send flow event: %w", err)
+	if s, ok := status.FromError(err); ok {
+		return s.Code() == codes.Canceled || s.Code() == codes.DeadlineExceeded
 	}
-
-	return nil
+	return false
 }

flow/client/client_test.go

@@ -2,8 +2,11 @@ package client_test
 
 import (
 	"context"
+	"encoding/binary"
 	"errors"
 	"net"
+	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -11,6 +14,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	flow "github.com/netbirdio/netbird/flow/client"
 	"github.com/netbirdio/netbird/flow/proto"
@@ -18,21 +23,89 @@ import (
 
 type testServer struct {
 	proto.UnimplementedFlowServiceServer
-	events  chan *proto.FlowEvent
-	acks    chan *proto.FlowEventAck
-	grpcSrv *grpc.Server
-	addr    string
+	events         chan *proto.FlowEvent
+	acks           chan *proto.FlowEventAck
+	grpcSrv        *grpc.Server
+	addr           string
+	listener       *connTrackListener
+	closeStream    chan struct{} // signal server to close the stream
+	handlerDone    chan struct{} // signaled each time Events() exits
+	handlerStarted chan struct{} // signaled each time Events() begins
+}
+
+// connTrackListener wraps a net.Listener to track accepted connections
+// so tests can forcefully close them to simulate PROTOCOL_ERROR/RST_STREAM.
+type connTrackListener struct {
+	net.Listener
+	mu    sync.Mutex
+	conns []net.Conn
+}
+
+func (l *connTrackListener) Accept() (net.Conn, error) {
+	c, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	l.mu.Lock()
+	l.conns = append(l.conns, c)
+	l.mu.Unlock()
+	return c, nil
+}
+
+// sendRSTStream writes a raw HTTP/2 RST_STREAM frame with PROTOCOL_ERROR
+// (error code 0x1) on every tracked connection. This produces the exact error:
+//
+//	rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
+//
+// HTTP/2 RST_STREAM frame format (9-byte header + 4-byte payload):
+//
+//	Length (3 bytes): 0x000004
+//	Type   (1 byte):  0x03 (RST_STREAM)
+//	Flags  (1 byte):  0x00
+//	Stream ID (4 bytes): target stream (must have bit 31 clear)
+//	Error Code (4 bytes): 0x00000001 (PROTOCOL_ERROR)
+func (l *connTrackListener) connCount() int {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	return len(l.conns)
+}
+
+func (l *connTrackListener) sendRSTStream(streamID uint32) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	frame := make([]byte, 13) // 9-byte header + 4-byte payload
+	// Length = 4 (3 bytes, big-endian)
+	frame[0], frame[1], frame[2] = 0, 0, 4
+	// Type = RST_STREAM (0x03)
+	frame[3] = 0x03
+	// Flags = 0
+	frame[4] = 0x00
+	// Stream ID (4 bytes, big-endian, bit 31 reserved = 0)
+	binary.BigEndian.PutUint32(frame[5:9], streamID)
+	// Error Code = PROTOCOL_ERROR (0x1)
+	binary.BigEndian.PutUint32(frame[9:13], 0x1)
+
+	for _, c := range l.conns {
+		_, _ = c.Write(frame)
+	}
 }
 
 func newTestServer(t *testing.T) *testServer {
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	rawListener, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
 
+	listener := &connTrackListener{Listener: rawListener}
+
 	s := &testServer{
-		events:  make(chan *proto.FlowEvent, 100),
-		acks:    make(chan *proto.FlowEventAck, 100),
-		grpcSrv: grpc.NewServer(),
-		addr:    listener.Addr().String(),
+		events:         make(chan *proto.FlowEvent, 100),
+		acks:           make(chan *proto.FlowEventAck, 100),
+		grpcSrv:        grpc.NewServer(),
+		addr:           rawListener.Addr().String(),
+		listener:       listener,
+		closeStream:    make(chan struct{}, 1),
+		handlerDone:    make(chan struct{}, 10),
+		handlerStarted: make(chan struct{}, 10),
 	}
 
 	proto.RegisterFlowServiceServer(s.grpcSrv, s)
@@ -51,11 +124,23 @@ func newTestServer(t *testing.T) *testServer {
 }
 
 func (s *testServer) Events(stream proto.FlowService_EventsServer) error {
+	defer func() {
+		select {
+		case s.handlerDone <- struct{}{}:
+		default:
+		}
+	}()
+
 	err := stream.Send(&proto.FlowEventAck{IsInitiator: true})
 	if err != nil {
 		return err
 	}
 
+	select {
+	case s.handlerStarted <- struct{}{}:
+	default:
+	}
+
 	ctx, cancel := context.WithCancel(stream.Context())
 	defer cancel()
 
@@ -91,6 +176,8 @@ func (s *testServer) Events(stream proto.FlowService_EventsServer) error {
 			if err := stream.Send(ack); err != nil {
 				return err
 			}
+		case <-s.closeStream:
+			return status.Errorf(codes.Internal, "server closing stream")
 		case <-ctx.Done():
 			return ctx.Err()
 		}
@@ -110,16 +197,13 @@ func TestReceive(t *testing.T) {
 		assert.NoError(t, err, "failed to close flow")
 	})
 
-	receivedAcks := make(map[string]bool)
+	var ackCount atomic.Int32
 	receiveDone := make(chan struct{})
 
 	go func() {
 		err := client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
 			if !msg.IsInitiator && len(msg.EventId) > 0 {
-				id := string(msg.EventId)
-				receivedAcks[id] = true
-
-				if len(receivedAcks) >= 3 {
+				if ackCount.Add(1) >= 3 {
 					close(receiveDone)
 				}
 			}
@@ -130,7 +214,11 @@ func TestReceive(t *testing.T) {
 		}
 	}()
 
-	time.Sleep(500 * time.Millisecond)
+	select {
+	case <-server.handlerStarted:
+	case <-time.After(3 * time.Second):
+		t.Fatal("timeout waiting for stream to be established")
+	}
 
 	for i := 0; i < 3; i++ {
 		eventID := uuid.New().String()
@@ -153,7 +241,7 @@ func TestReceive(t *testing.T) {
 		t.Fatal("timeout waiting for acks to be processed")
 	}
 
-	assert.Equal(t, 3, len(receivedAcks))
+	assert.Equal(t, int32(3), ackCount.Load())
 }
 
 func TestReceive_ContextCancellation(t *testing.T) {
@@ -254,3 +342,195 @@ func TestSend(t *testing.T) {
 		t.Fatal("timeout waiting for ack to be received by flow")
 	}
 }
+
+func TestNewClient_PermanentClose(t *testing.T) {
+	server := newTestServer(t)
+
+	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
+	require.NoError(t, err)
+
+	err = client.Close()
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	t.Cleanup(cancel)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
+			return nil
+		})
+	}()
+
+	select {
+	case err := <-done:
+		require.ErrorIs(t, err, flow.ErrClientClosed)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Receive did not return after Close — stuck in retry loop")
+	}
+}
+
+func TestNewClient_CloseVerify(t *testing.T) {
+	server := newTestServer(t)
+
+	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	t.Cleanup(cancel)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
+			return nil
+		})
+	}()
+
+	closeDone := make(chan struct{}, 1)
+	go func() {
+		_ = client.Close()
+		closeDone <- struct{}{}
+	}()
+
+	select {
+	case err := <-done:
+		require.Error(t, err)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Receive did not return after Close — stuck in retry loop")
+	}
+
+	select {
+	case <-closeDone:
+		return
+	case <-time.After(2 * time.Second):
+		t.Fatal("Close did not return — blocked in retry loop")
+	}
+
+}
+
+func TestClose_WhileReceiving(t *testing.T) {
+	server := newTestServer(t)
+	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
+	require.NoError(t, err)
+
+	ctx := context.Background() // no timeout — intentional
+	receiveDone := make(chan struct{})
+	go func() {
+		_ = client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
+			return nil
+		})
+		close(receiveDone)
+	}()
+
+	// Wait for the server-side handler to confirm the stream is established.
+	select {
+	case <-server.handlerStarted:
+	case <-time.After(3 * time.Second):
+		t.Fatal("timeout waiting for stream to be established")
+	}
+
+	closeDone := make(chan struct{})
+	go func() {
+		_ = client.Close()
+		close(closeDone)
+	}()
+
+	select {
+	case <-closeDone:
+		// Close returned — good
+	case <-time.After(2 * time.Second):
+		t.Fatal("Close blocked forever — Receive stuck in retry loop")
+	}
+
+	select {
+	case <-receiveDone:
+	case <-time.After(2 * time.Second):
+		t.Fatal("Receive did not exit after Close")
+	}
+}
+
+func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {
+	server := newTestServer(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	t.Cleanup(cancel)
+
+	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := client.Close()
+		assert.NoError(t, err, "failed to close flow")
+	})
+
+	// Track acks received before and after server-side stream close
+	var ackCount atomic.Int32
+	receivedFirst := make(chan struct{})
+	receivedAfterReconnect := make(chan struct{})
+
+	go func() {
+		err := client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
+			if msg.IsInitiator || len(msg.EventId) == 0 {
+				return nil
+			}
+			n := ackCount.Add(1)
+			if n == 1 {
+				close(receivedFirst)
+			}
+			if n == 2 {
+				close(receivedAfterReconnect)
+			}
+			return nil
+		})
+		if err != nil && !errors.Is(err, context.Canceled) {
+			t.Logf("receive error: %v", err)
+		}
+	}()
+
+	// Wait for stream to be established, then send first ack
+	select {
+	case <-server.handlerStarted:
+	case <-time.After(3 * time.Second):
+		t.Fatal("timeout waiting for stream to be established")
+	}
+	server.acks <- &proto.FlowEventAck{EventId: []byte("before-close")}
+
+	select {
+	case <-receivedFirst:
+	case <-time.After(3 * time.Second):
+		t.Fatal("timeout waiting for first ack")
+	}
+
+	// Snapshot connection count before injecting the fault.
+	connsBefore := server.listener.connCount()
+
+	// Send a raw HTTP/2 RST_STREAM frame with PROTOCOL_ERROR on the TCP connection.
+	// gRPC multiplexes streams on stream IDs 1, 3, 5, ... (odd, client-initiated).
+	// Stream ID 1 is the client's first stream (our Events bidi stream).
+	// This produces the exact error the client sees in production:
+	//   "stream terminated by RST_STREAM with error code: PROTOCOL_ERROR"
+	server.listener.sendRSTStream(1)
+
+	// Wait for the old Events() handler to fully exit so it can no longer
+	// drain s.acks and drop our injected ack on a broken stream.
+	select {
+	case <-server.handlerDone:
+	case <-time.After(5 * time.Second):
+		t.Fatal("old Events() handler did not exit after RST_STREAM")
+	}
+
+	require.Eventually(t, func() bool {
+		return server.listener.connCount() > connsBefore
+	}, 5*time.Second, 50*time.Millisecond, "client did not open a new TCP connection after RST_STREAM")
+
+	server.acks <- &proto.FlowEventAck{EventId: []byte("after-close")}
+
+	select {
+	case <-receivedAfterReconnect:
+		// Client successfully reconnected and received ack after server-side stream close
+	case <-time.After(5 * time.Second):
+		t.Fatal("timeout waiting for ack after server-side stream close — client did not reconnect")
+	}
+
+	assert.GreaterOrEqual(t, int(ackCount.Load()), 2, "should have received acks before and after stream close")
+	assert.GreaterOrEqual(t, server.listener.connCount(), 2, "client should have created at least 2 TCP connections (original + reconnect)")
+}

infrastructure_files/getting-started.sh

@@ -1154,16 +1154,7 @@ print_builtin_traefik_instructions() {
   echo "  - $NETBIRD_STUN_PORT/udp   (STUN - required for NAT traversal)"
   if [[ "$ENABLE_PROXY" == "true" ]]; then
     echo "  - 51820/udp (WIREGUARD - (optional) for P2P proxy connections)"
-  fi
-  echo ""
-  echo "This setup is ideal for homelabs and smaller organization deployments."
-  echo "For enterprise environments requiring high availability and advanced integrations,"
-  echo "consider a commercial on-prem license or scaling your open source deployment:"
-  echo ""
-  echo "  Commercial license: https://netbird.io/pricing#on-prem"
-  echo "  Scaling guide:      https://docs.netbird.io/scaling-your-self-hosted-deployment"
-  echo ""
-  if [[ "$ENABLE_PROXY" == "true" ]]; then
+    echo ""
     echo "NetBird Proxy:"
     echo "  The proxy service is enabled and running."
     echo "  Any domain NOT matching $NETBIRD_DOMAIN will be passed through to the proxy."

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -288,8 +288,6 @@ func (m *Manager) validateSubdomainRequirement(ctx context.Context, domain, clus
 }
 
 func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *service.Service) error {
-	customPorts := m.clusterCustomPorts(ctx, svc)
-
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if svc.Domain != "" {
 			if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, ""); err != nil {
@@ -297,7 +295,7 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			}
 		}
 
-		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc); err != nil {
 			return err
 		}
 
@@ -317,23 +315,12 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 	})
 }
 
-// clusterCustomPorts queries whether the cluster supports custom ports.
-// Must be called before entering a transaction: the underlying query uses
-// the main DB handle, which deadlocks when called inside a transaction
-// that already holds the connection.
-func (m *Manager) clusterCustomPorts(ctx context.Context, svc *service.Service) *bool {
-	if !service.IsL4Protocol(svc.Mode) {
-		return nil
-	}
-	return m.capabilities.ClusterSupportsCustomPorts(ctx, svc.ProxyCluster)
-}
-
 // ensureL4Port auto-assigns a listen port when needed and validates cluster support.
-// customPorts must be pre-computed via clusterCustomPorts before entering a transaction.
-func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service, customPorts *bool) error {
+func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service) error {
 	if !service.IsL4Protocol(svc.Mode) {
 		return nil
 	}
+	customPorts := m.capabilities.ClusterSupportsCustomPorts(ctx, svc.ProxyCluster)
 	if service.IsPortBasedProtocol(svc.Mode) && svc.ListenPort > 0 && (customPorts == nil || !*customPorts) {
 		if svc.Source != service.SourceEphemeral {
 			return status.Errorf(status.InvalidArgument, "custom ports not supported on cluster %s", svc.ProxyCluster)
@@ -417,14 +404,12 @@ func (m *Manager) assignPort(ctx context.Context, tx store.Store, cluster string
 // The count and exists queries use FOR UPDATE locking to serialize concurrent creates
 // for the same peer, preventing the per-peer limit from being bypassed.
 func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, peerID string, svc *service.Service) error {
-	customPorts := m.clusterCustomPorts(ctx, svc)
-
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := m.validateEphemeralPreconditions(ctx, transaction, accountID, peerID, svc); err != nil {
 			return err
 		}
 
-		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc); err != nil {
 			return err
 		}
 
@@ -527,49 +512,16 @@ type serviceUpdateInfo struct {
 }
 
 func (m *Manager) persistServiceUpdate(ctx context.Context, accountID string, service *service.Service) (*serviceUpdateInfo, error) {
-	effectiveCluster, err := m.resolveEffectiveCluster(ctx, accountID, service)
-	if err != nil {
-		return nil, err
-	}
-
-	svcForCaps := *service
-	svcForCaps.ProxyCluster = effectiveCluster
-	customPorts := m.clusterCustomPorts(ctx, &svcForCaps)
-
 	var updateInfo serviceUpdateInfo
 
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts)
+	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo)
 	})
 
 	return &updateInfo, err
 }
 
-// resolveEffectiveCluster determines the cluster that will be used after the update.
-// It reads the existing service without locking and derives the new cluster if the domain changed.
-func (m *Manager) resolveEffectiveCluster(ctx context.Context, accountID string, svc *service.Service) (string, error) {
-	existing, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, svc.ID)
-	if err != nil {
-		return "", err
-	}
-
-	if existing.Domain == svc.Domain {
-		return existing.ProxyCluster, nil
-	}
-
-	if m.clusterDeriver != nil {
-		derived, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, svc.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s", svc.Domain)
-		} else {
-			return derived, nil
-		}
-	}
-
-	return existing.ProxyCluster, nil
-}
-
-func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool) error {
+func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo) error {
 	existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
 	if err != nil {
 		return err
@@ -606,7 +558,7 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	m.preserveListenPort(service, existingService)
 	updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled
 
-	if err := m.ensureL4Port(ctx, transaction, service, customPorts); err != nil {
+	if err := m.ensureL4Port(ctx, transaction, service); err != nil {
 		return err
 	}
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {

management/internals/modules/reverseproxy/service/service.go

@@ -787,11 +787,6 @@ func (s *Service) validateHTTPTargets() error {
 }
 
 func (s *Service) validateL4Target(target *Target) error {
-	// L4 services have a single target; per-target disable is meaningless
-	// (use the service-level Enabled flag instead). Force it on so that
-	// buildPathMappings always includes the target in the proto.
-	target.Enabled = true
-
 	if target.Port == 0 {
 		return errors.New("target port is required for L4 services")
 	}

management/internals/shared/grpc/server.go

@@ -966,7 +966,6 @@ func (s *Server) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.Encr
 			Provider: proto.DeviceAuthorizationFlowProvider(provider),
 			ProviderConfig: &proto.ProviderConfig{
 				ClientID:           s.config.DeviceAuthorizationFlow.ProviderConfig.ClientID,
-				ClientSecret:       s.config.DeviceAuthorizationFlow.ProviderConfig.ClientSecret,
 				Domain:             s.config.DeviceAuthorizationFlow.ProviderConfig.Domain,
 				Audience:           s.config.DeviceAuthorizationFlow.ProviderConfig.Audience,
 				DeviceAuthEndpoint: s.config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint,
@@ -1037,7 +1036,6 @@ func (s *Server) GetPKCEAuthorizationFlow(ctx context.Context, req *proto.Encryp
 			ProviderConfig: &proto.ProviderConfig{
 				Audience:              s.config.PKCEAuthorizationFlow.ProviderConfig.Audience,
 				ClientID:              s.config.PKCEAuthorizationFlow.ProviderConfig.ClientID,
-				ClientSecret:          s.config.PKCEAuthorizationFlow.ProviderConfig.ClientSecret,
 				TokenEndpoint:         s.config.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint,
 				AuthorizationEndpoint: s.config.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint,
 				Scope:                 s.config.PKCEAuthorizationFlow.ProviderConfig.Scope,

management/server/instance/manager.go

@@ -64,19 +64,10 @@ type Manager interface {
 	GetVersionInfo(ctx context.Context) (*VersionInfo, error)
 }
 
-type instanceStore interface {
-	GetAccountsCounter(ctx context.Context) (int64, error)
-}
-
-type embeddedIdP interface {
-	CreateUserWithPassword(ctx context.Context, email, password, name string) (*idp.UserData, error)
-	GetAllAccounts(ctx context.Context) (map[string][]*idp.UserData, error)
-}
-
 // DefaultManager is the default implementation of Manager.
 type DefaultManager struct {
-	store              instanceStore
-	embeddedIdpManager embeddedIdP
+	store              store.Store
+	embeddedIdpManager *idp.EmbeddedIdPManager
 
 	setupRequired bool
 	setupMu       sync.RWMutex
@@ -91,18 +82,18 @@ type DefaultManager struct {
 // NewManager creates a new instance manager.
 // If idpManager is not an EmbeddedIdPManager, setup-related operations will return appropriate defaults.
 func NewManager(ctx context.Context, store store.Store, idpManager idp.Manager) (Manager, error) {
-	embeddedIdp, ok := idpManager.(*idp.EmbeddedIdPManager)
+	embeddedIdp, _ := idpManager.(*idp.EmbeddedIdPManager)
 
 	m := &DefaultManager{
-		store:         store,
-		setupRequired: false,
+		store:              store,
+		embeddedIdpManager: embeddedIdp,
+		setupRequired:      false,
 		httpClient: &http.Client{
 			Timeout: httpTimeout,
 		},
 	}
 
-	if ok && embeddedIdp != nil {
-		m.embeddedIdpManager = embeddedIdp
+	if embeddedIdp != nil {
 		err := m.loadSetupRequired(ctx)
 		if err != nil {
 			return nil, err
@@ -152,27 +143,20 @@ func (m *DefaultManager) IsSetupRequired(_ context.Context) (bool, error) {
 // CreateOwnerUser creates the initial owner user in the embedded IDP.
 func (m *DefaultManager) CreateOwnerUser(ctx context.Context, email, password, name string) (*idp.UserData, error) {
 
-	if m.embeddedIdpManager == nil {
-		return nil, errors.New("embedded IDP is not enabled")
-	}
-
 	if err := m.validateSetupInfo(email, password, name); err != nil {
 		return nil, err
 	}
 
-	m.setupMu.Lock()
-	defer m.setupMu.Unlock()
-
-	if !m.setupRequired {
-		return nil, status.Errorf(status.PreconditionFailed, "setup already completed")
+	if m.embeddedIdpManager == nil {
+		return nil, errors.New("embedded IDP is not enabled")
 	}
 
-	if err := m.checkSetupRequiredFromDB(ctx); err != nil {
-		var sErr *status.Error
-		if errors.As(err, &sErr) && sErr.Type() == status.PreconditionFailed {
-			m.setupRequired = false
-		}
-		return nil, err
+	m.setupMu.RLock()
+	setupRequired := m.setupRequired
+	m.setupMu.RUnlock()
+
+	if !setupRequired {
+		return nil, status.Errorf(status.PreconditionFailed, "setup already completed")
 	}
 
 	userData, err := m.embeddedIdpManager.CreateUserWithPassword(ctx, email, password, name)
@@ -180,33 +164,15 @@ func (m *DefaultManager) CreateOwnerUser(ctx context.Context, email, password, n
 		return nil, fmt.Errorf("failed to create user in embedded IdP: %w", err)
 	}
 
+	m.setupMu.Lock()
 	m.setupRequired = false
+	m.setupMu.Unlock()
 
 	log.WithContext(ctx).Infof("created owner user %s in embedded IdP", email)
 
 	return userData, nil
 }
 
-func (m *DefaultManager) checkSetupRequiredFromDB(ctx context.Context) error {
-	numAccounts, err := m.store.GetAccountsCounter(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to check accounts: %w", err)
-	}
-	if numAccounts > 0 {
-		return status.Errorf(status.PreconditionFailed, "setup already completed")
-	}
-
-	users, err := m.embeddedIdpManager.GetAllAccounts(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to check IdP users: %w", err)
-	}
-	if len(users) > 0 {
-		return status.Errorf(status.PreconditionFailed, "setup already completed")
-	}
-
-	return nil
-}
-
 func (m *DefaultManager) validateSetupInfo(email, password, name string) error {
 	if email == "" {
 		return status.Errorf(status.InvalidArgument, "email is required")
@@ -223,9 +189,6 @@ func (m *DefaultManager) validateSetupInfo(email, password, name string) error {
 	if len(password) < 8 {
 		return status.Errorf(status.InvalidArgument, "password must be at least 8 characters")
 	}
-	if len(password) > 72 {
-		return status.Errorf(status.InvalidArgument, "password must be at most 72 characters")
-	}
 	return nil
 }
 

management/server/instance/manager_test.go

@@ -3,12 +3,7 @@ package instance
 import (
 	"context"
 	"errors"
-	"fmt"
-	"net/http"
-	"sync"
-	"sync/atomic"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -16,215 +11,173 @@ import (
 	"github.com/netbirdio/netbird/management/server/idp"
 )
 
-type mockIdP struct {
-	mu              sync.Mutex
-	createUserFunc  func(ctx context.Context, email, password, name string) (*idp.UserData, error)
-	users           map[string][]*idp.UserData
-	getAllAccountsErr error
-}
-
-func (m *mockIdP) CreateUserWithPassword(ctx context.Context, email, password, name string) (*idp.UserData, error) {
-	if m.createUserFunc != nil {
-		return m.createUserFunc(ctx, email, password, name)
-	}
-	return &idp.UserData{ID: "test-user-id", Email: email, Name: name}, nil
-}
-
-func (m *mockIdP) GetAllAccounts(_ context.Context) (map[string][]*idp.UserData, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	if m.getAllAccountsErr != nil {
-		return nil, m.getAllAccountsErr
-	}
-	return m.users, nil
-}
-
+// mockStore implements a minimal store.Store for testing
 type mockStore struct {
 	accountsCount int64
 	err           error
 }
 
-func (m *mockStore) GetAccountsCounter(_ context.Context) (int64, error) {
+func (m *mockStore) GetAccountsCounter(ctx context.Context) (int64, error) {
 	if m.err != nil {
 		return 0, m.err
 	}
 	return m.accountsCount, nil
 }
 
-func newTestManager(idpMock *mockIdP, storeMock *mockStore) *DefaultManager {
-	return &DefaultManager{
-		store:              storeMock,
-		embeddedIdpManager: idpMock,
-		setupRequired:      true,
-		httpClient:         &http.Client{Timeout: httpTimeout},
+// mockEmbeddedIdPManager wraps the real EmbeddedIdPManager for testing
+type mockEmbeddedIdPManager struct {
+	createUserFunc func(ctx context.Context, email, password, name string) (*idp.UserData, error)
+}
+
+func (m *mockEmbeddedIdPManager) CreateUserWithPassword(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+	if m.createUserFunc != nil {
+		return m.createUserFunc(ctx, email, password, name)
 	}
+	return &idp.UserData{
+		ID:    "test-user-id",
+		Email: email,
+		Name:  name,
+	}, nil
+}
+
+// testManager is a test implementation that accepts our mock types
+type testManager struct {
+	store              *mockStore
+	embeddedIdpManager *mockEmbeddedIdPManager
+}
+
+func (m *testManager) IsSetupRequired(ctx context.Context) (bool, error) {
+	if m.embeddedIdpManager == nil {
+		return false, nil
+	}
+
+	count, err := m.store.GetAccountsCounter(ctx)
+	if err != nil {
+		return false, err
+	}
+
+	return count == 0, nil
+}
+
+func (m *testManager) CreateOwnerUser(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+	if m.embeddedIdpManager == nil {
+		return nil, errors.New("embedded IDP is not enabled")
+	}
+
+	return m.embeddedIdpManager.CreateUserWithPassword(ctx, email, password, name)
+}
+
+func TestIsSetupRequired_EmbeddedIdPDisabled(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 0},
+		embeddedIdpManager: nil, // No embedded IDP
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.False(t, required, "setup should not be required when embedded IDP is disabled")
+}
+
+func TestIsSetupRequired_NoAccounts(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 0},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.True(t, required, "setup should be required when no accounts exist")
+}
+
+func TestIsSetupRequired_AccountsExist(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 1},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.False(t, required, "setup should not be required when accounts exist")
+}
+
+func TestIsSetupRequired_MultipleAccounts(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 5},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	required, err := manager.IsSetupRequired(context.Background())
+	require.NoError(t, err)
+	assert.False(t, required, "setup should not be required when multiple accounts exist")
+}
+
+func TestIsSetupRequired_StoreError(t *testing.T) {
+	manager := &testManager{
+		store:              &mockStore{err: errors.New("database error")},
+		embeddedIdpManager: &mockEmbeddedIdPManager{},
+	}
+
+	_, err := manager.IsSetupRequired(context.Background())
+	assert.Error(t, err, "should return error when store fails")
 }
 
 func TestCreateOwnerUser_Success(t *testing.T) {
-	idpMock := &mockIdP{}
-	mgr := newTestManager(idpMock, &mockStore{})
+	expectedEmail := "admin@example.com"
+	expectedName := "Admin User"
+	expectedPassword := "securepassword123"
 
-	userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	manager := &testManager{
+		store: &mockStore{accountsCount: 0},
+		embeddedIdpManager: &mockEmbeddedIdPManager{
+			createUserFunc: func(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+				assert.Equal(t, expectedEmail, email)
+				assert.Equal(t, expectedPassword, password)
+				assert.Equal(t, expectedName, name)
+				return &idp.UserData{
+					ID:    "created-user-id",
+					Email: email,
+					Name:  name,
+				}, nil
+			},
+		},
+	}
+
+	userData, err := manager.CreateOwnerUser(context.Background(), expectedEmail, expectedPassword, expectedName)
 	require.NoError(t, err)
-	assert.Equal(t, "admin@example.com", userData.Email)
-
-	_, err = mgr.CreateOwnerUser(context.Background(), "admin2@example.com", "password123", "Admin2")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
-}
-
-func TestCreateOwnerUser_SetupAlreadyCompleted(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{})
-	mgr.setupRequired = false
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
+	assert.Equal(t, "created-user-id", userData.ID)
+	assert.Equal(t, expectedEmail, userData.Email)
+	assert.Equal(t, expectedName, userData.Name)
 }
 
 func TestCreateOwnerUser_EmbeddedIdPDisabled(t *testing.T) {
-	mgr := &DefaultManager{setupRequired: true}
+	manager := &testManager{
+		store:              &mockStore{accountsCount: 0},
+		embeddedIdpManager: nil,
+	}
 
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
+	_, err := manager.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	assert.Error(t, err, "should return error when embedded IDP is disabled")
 	assert.Contains(t, err.Error(), "embedded IDP is not enabled")
 }
 
 func TestCreateOwnerUser_IdPError(t *testing.T) {
-	idpMock := &mockIdP{
-		createUserFunc: func(_ context.Context, _, _, _ string) (*idp.UserData, error) {
-			return nil, errors.New("provider error")
+	manager := &testManager{
+		store: &mockStore{accountsCount: 0},
+		embeddedIdpManager: &mockEmbeddedIdPManager{
+			createUserFunc: func(ctx context.Context, email, password, name string) (*idp.UserData, error) {
+				return nil, errors.New("user already exists")
+			},
 		},
 	}
-	mgr := newTestManager(idpMock, &mockStore{})
 
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "provider error")
-
-	required, _ := mgr.IsSetupRequired(context.Background())
-	assert.True(t, required, "setup should still be required after IdP error")
-}
-
-func TestCreateOwnerUser_TransientDBError_DoesNotBlockSetup(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{err: errors.New("connection refused")})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "connection refused")
-
-	required, _ := mgr.IsSetupRequired(context.Background())
-	assert.True(t, required, "setup should still be required after transient DB error")
-
-	mgr.store = &mockStore{}
-	userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.NoError(t, err)
-	assert.Equal(t, "admin@example.com", userData.Email)
-}
-
-func TestCreateOwnerUser_TransientIdPError_DoesNotBlockSetup(t *testing.T) {
-	idpMock := &mockIdP{getAllAccountsErr: errors.New("connection reset")}
-	mgr := newTestManager(idpMock, &mockStore{})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "connection reset")
-
-	required, _ := mgr.IsSetupRequired(context.Background())
-	assert.True(t, required, "setup should still be required after transient IdP error")
-
-	idpMock.getAllAccountsErr = nil
-	userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.NoError(t, err)
-	assert.Equal(t, "admin@example.com", userData.Email)
-}
-
-func TestCreateOwnerUser_DBCheckBlocksConcurrent(t *testing.T) {
-	idpMock := &mockIdP{
-		users: map[string][]*idp.UserData{
-			"acc1": {{ID: "existing-user"}},
-		},
-	}
-	mgr := newTestManager(idpMock, &mockStore{})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
-}
-
-func TestCreateOwnerUser_DBCheckBlocksWhenAccountsExist(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{accountsCount: 1})
-
-	_, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "setup already completed")
-}
-
-func TestCreateOwnerUser_ConcurrentRequests(t *testing.T) {
-	var idpCallCount atomic.Int32
-	var successCount atomic.Int32
-	var failCount atomic.Int32
-
-	idpMock := &mockIdP{
-		createUserFunc: func(_ context.Context, email, _, _ string) (*idp.UserData, error) {
-			idpCallCount.Add(1)
-			time.Sleep(50 * time.Millisecond)
-			return &idp.UserData{ID: "user-1", Email: email, Name: "Owner"}, nil
-		},
-	}
-	mgr := newTestManager(idpMock, &mockStore{})
-
-	var wg sync.WaitGroup
-	for i := range 10 {
-		wg.Add(1)
-		go func(idx int) {
-			defer wg.Done()
-			_, err := mgr.CreateOwnerUser(
-				context.Background(),
-				fmt.Sprintf("owner%d@example.com", idx),
-				"password1234",
-				fmt.Sprintf("Owner%d", idx),
-			)
-			if err != nil {
-				failCount.Add(1)
-			} else {
-				successCount.Add(1)
-			}
-		}(i)
-	}
-	wg.Wait()
-
-	assert.Equal(t, int32(1), successCount.Load(), "exactly one concurrent setup request should succeed")
-	assert.Equal(t, int32(9), failCount.Load(), "remaining concurrent requests should fail")
-	assert.Equal(t, int32(1), idpCallCount.Load(), "IdP CreateUser should be called exactly once")
-}
-
-func TestIsSetupRequired_EmbeddedIdPDisabled(t *testing.T) {
-	mgr := &DefaultManager{}
-
-	required, err := mgr.IsSetupRequired(context.Background())
-	require.NoError(t, err)
-	assert.False(t, required)
-}
-
-func TestIsSetupRequired_ReturnsFlag(t *testing.T) {
-	mgr := newTestManager(&mockIdP{}, &mockStore{})
-
-	required, err := mgr.IsSetupRequired(context.Background())
-	require.NoError(t, err)
-	assert.True(t, required)
-
-	mgr.setupMu.Lock()
-	mgr.setupRequired = false
-	mgr.setupMu.Unlock()
-
-	required, err = mgr.IsSetupRequired(context.Background())
-	require.NoError(t, err)
-	assert.False(t, required)
+	_, err := manager.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	assert.Error(t, err, "should return error when IDP fails")
 }
 
 func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
-	manager := &DefaultManager{setupRequired: true}
+	manager := &DefaultManager{
+		setupRequired: true,
+	}
 
 	tests := []struct {
 		name        string
@@ -235,10 +188,11 @@ func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
 		errorMsg    string
 	}{
 		{
-			name:     "valid request",
-			email:    "admin@example.com",
-			password: "password123",
-			userName: "Admin User",
+			name:        "valid request",
+			email:       "admin@example.com",
+			password:    "password123",
+			userName:    "Admin User",
+			expectError: false,
 		},
 		{
 			name:        "empty email",
@@ -281,24 +235,11 @@ func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
 			errorMsg:    "password must be at least 8 characters",
 		},
 		{
-			name:     "password exactly 8 characters",
-			email:    "admin@example.com",
-			password: "12345678",
-			userName: "Admin User",
-		},
-		{
-			name:     "password exactly 72 characters",
-			email:    "admin@example.com",
-			password: "aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhhiiiiiiii",
-			userName: "Admin User",
-		},
-		{
-			name:        "password too long",
+			name:        "password exactly 8 characters",
 			email:       "admin@example.com",
-			password:    "aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhhiiiiiiiij",
+			password:    "12345678",
 			userName:    "Admin User",
-			expectError: true,
-			errorMsg:    "password must be at most 72 characters",
+			expectError: false,
 		},
 	}
 
@@ -314,3 +255,14 @@ func TestDefaultManager_ValidateSetupRequest(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultManager_CreateOwnerUser_SetupAlreadyCompleted(t *testing.T) {
+	manager := &DefaultManager{
+		setupRequired:      false,
+		embeddedIdpManager: &idp.EmbeddedIdPManager{},
+	}
+
+	_, err := manager.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "setup already completed")
+}

management/server/user.go

@@ -780,15 +780,9 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
 	updatedUser.Role = update.Role
 	updatedUser.Blocked = update.Blocked
 	updatedUser.AutoGroups = update.AutoGroups
-	// these fields can't be set via API, only via direct call to the method
+	// these two fields can't be set via API, only via direct call to the method
 	updatedUser.Issued = update.Issued
 	updatedUser.IntegrationReference = update.IntegrationReference
-	if update.Name != "" {
-		updatedUser.Name = update.Name
-	}
-	if update.Email != "" {
-		updatedUser.Email = update.Email
-	}
 
 	var transferredOwnerRole bool
 	result, err := handleOwnerRoleTransfer(ctx, transaction, initiatorUser, update)

proxy/web/package-lock.json

@@ -15,7 +15,7 @@
         "tailwind-merge": "^2.6.0"
       },
       "devDependencies": {
-        "@eslint/js": "9.39.2",
+        "@eslint/js": "^9.39.1",
         "@tailwindcss/vite": "^4.1.18",
         "@types/node": "^24.10.1",
         "@types/react": "^19.2.5",
@@ -29,7 +29,7 @@
         "tsx": "^4.21.0",
         "typescript": "~5.9.3",
         "typescript-eslint": "^8.46.4",
-        "vite": "7.3.2"
+        "vite": "^7.2.4"
       }
     },
     "node_modules/@babel/code-frame": {
@@ -1024,9 +1024,9 @@
       "license": "MIT"
     },
     "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.60.0.tgz",
-      "integrity": "sha512-WOhNW9K8bR3kf4zLxbfg6Pxu2ybOUbB2AjMDHSQx86LIF4rH4Ft7vmMwNt0loO0eonglSNy4cpD3MKXXKQu0/A==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.57.1.tgz",
+      "integrity": "sha512-A6ehUVSiSaaliTxai040ZpZ2zTevHYbvu/lDoeAteHI8QnaosIzm4qwtezfRg1jOYaUmnzLX1AOD6Z+UJjtifg==",
       "cpu": [
         "arm"
       ],
@@ -1038,9 +1038,9 @@
       ]
     },
     "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.60.0.tgz",
-      "integrity": "sha512-u6JHLll5QKRvjciE78bQXDmqRqNs5M/3GVqZeMwvmjaNODJih/WIrJlFVEihvV0MiYFmd+ZyPr9wxOVbPAG2Iw==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.57.1.tgz",
+      "integrity": "sha512-dQaAddCY9YgkFHZcFNS/606Exo8vcLHwArFZ7vxXq4rigo2bb494/xKMMwRRQW6ug7Js6yXmBZhSBRuBvCCQ3w==",
       "cpu": [
         "arm64"
       ],
@@ -1052,9 +1052,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.60.0.tgz",
-      "integrity": "sha512-qEF7CsKKzSRc20Ciu2Zw1wRrBz4g56F7r/vRwY430UPp/nt1x21Q/fpJ9N5l47WWvJlkNCPJz3QRVw008fi7yA==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.57.1.tgz",
+      "integrity": "sha512-crNPrwJOrRxagUYeMn/DZwqN88SDmwaJ8Cvi/TN1HnWBU7GwknckyosC2gd0IqYRsHDEnXf328o9/HC6OkPgOg==",
       "cpu": [
         "arm64"
       ],
@@ -1066,9 +1066,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.60.0.tgz",
-      "integrity": "sha512-WADYozJ4QCnXCH4wPB+3FuGmDPoFseVCUrANmA5LWwGmC6FL14BWC7pcq+FstOZv3baGX65tZ378uT6WG8ynTw==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.57.1.tgz",
+      "integrity": "sha512-Ji8g8ChVbKrhFtig5QBV7iMaJrGtpHelkB3lsaKzadFBe58gmjfGXAOfI5FV0lYMH8wiqsxKQ1C9B0YTRXVy4w==",
       "cpu": [
         "x64"
       ],
@@ -1080,9 +1080,9 @@
       ]
     },
     "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.60.0.tgz",
-      "integrity": "sha512-6b8wGHJlDrGeSE3aH5mGNHBjA0TTkxdoNHik5EkvPHCt351XnigA4pS7Wsj/Eo9Y8RBU6f35cjN9SYmCFBtzxw==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.57.1.tgz",
+      "integrity": "sha512-R+/WwhsjmwodAcz65guCGFRkMb4gKWTcIeLy60JJQbXrJ97BOXHxnkPFrP+YwFlaS0m+uWJTstrUA9o+UchFug==",
       "cpu": [
         "arm64"
       ],
@@ -1094,9 +1094,9 @@
       ]
     },
     "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.60.0.tgz",
-      "integrity": "sha512-h25Ga0t4jaylMB8M/JKAyrvvfxGRjnPQIR8lnCayyzEjEOx2EJIlIiMbhpWxDRKGKF8jbNH01NnN663dH638mA==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.57.1.tgz",
+      "integrity": "sha512-IEQTCHeiTOnAUC3IDQdzRAGj3jOAYNr9kBguI7MQAAZK3caezRrg0GxAb6Hchg4lxdZEI5Oq3iov/w/hnFWY9Q==",
       "cpu": [
         "x64"
       ],
@@ -1108,9 +1108,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.60.0.tgz",
-      "integrity": "sha512-RzeBwv0B3qtVBWtcuABtSuCzToo2IEAIQrcyB/b2zMvBWVbjo8bZDjACUpnaafaxhTw2W+imQbP2BD1usasK4g==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.57.1.tgz",
+      "integrity": "sha512-F8sWbhZ7tyuEfsmOxwc2giKDQzN3+kuBLPwwZGyVkLlKGdV1nvnNwYD0fKQ8+XS6hp9nY7B+ZeK01EBUE7aHaw==",
       "cpu": [
         "arm"
       ],
@@ -1122,9 +1122,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.60.0.tgz",
-      "integrity": "sha512-Sf7zusNI2CIU1HLzuu9Tc5YGAHEZs5Lu7N1ssJG4Tkw6e0MEsN7NdjUDDfGNHy2IU+ENyWT+L2obgWiguWibWQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.57.1.tgz",
+      "integrity": "sha512-rGfNUfn0GIeXtBP1wL5MnzSj98+PZe/AXaGBCRmT0ts80lU5CATYGxXukeTX39XBKsxzFpEeK+Mrp9faXOlmrw==",
       "cpu": [
         "arm"
       ],
@@ -1136,9 +1136,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.60.0.tgz",
-      "integrity": "sha512-DX2x7CMcrJzsE91q7/O02IJQ5/aLkVtYFryqCjduJhUfGKG6yJV8hxaw8pZa93lLEpPTP/ohdN4wFz7yp/ry9A==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.57.1.tgz",
+      "integrity": "sha512-MMtej3YHWeg/0klK2Qodf3yrNzz6CGjo2UntLvk2RSPlhzgLvYEB3frRvbEF2wRKh1Z2fDIg9KRPe1fawv7C+g==",
       "cpu": [
         "arm64"
       ],
@@ -1150,9 +1150,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.60.0.tgz",
-      "integrity": "sha512-09EL+yFVbJZlhcQfShpswwRZ0Rg+z/CsSELFCnPt3iK+iqwGsI4zht3secj5vLEs957QvFFXnzAT0FFPIxSrkQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.57.1.tgz",
+      "integrity": "sha512-1a/qhaaOXhqXGpMFMET9VqwZakkljWHLmZOX48R0I/YLbhdxr1m4gtG1Hq7++VhVUmf+L3sTAf9op4JlhQ5u1Q==",
       "cpu": [
         "arm64"
       ],
@@ -1164,9 +1164,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.60.0.tgz",
-      "integrity": "sha512-i9IcCMPr3EXm8EQg5jnja0Zyc1iFxJjZWlb4wr7U2Wx/GrddOuEafxRdMPRYVaXjgbhvqalp6np07hN1w9kAKw==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.57.1.tgz",
+      "integrity": "sha512-QWO6RQTZ/cqYtJMtxhkRkidoNGXc7ERPbZN7dVW5SdURuLeVU7lwKMpo18XdcmpWYd0qsP1bwKPf7DNSUinhvA==",
       "cpu": [
         "loong64"
       ],
@@ -1178,9 +1178,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.60.0.tgz",
-      "integrity": "sha512-DGzdJK9kyJ+B78MCkWeGnpXJ91tK/iKA6HwHxF4TAlPIY7GXEvMe8hBFRgdrR9Ly4qebR/7gfUs9y2IoaVEyog==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.57.1.tgz",
+      "integrity": "sha512-xpObYIf+8gprgWaPP32xiN5RVTi/s5FCR+XMXSKmhfoJjrpRAjCuuqQXyxUa/eJTdAE6eJ+KDKaoEqjZQxh3Gw==",
       "cpu": [
         "loong64"
       ],
@@ -1192,9 +1192,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.60.0.tgz",
-      "integrity": "sha512-RwpnLsqC8qbS8z1H1AxBA1H6qknR4YpPR9w2XX0vo2Sz10miu57PkNcnHVaZkbqyw/kUWfKMI73jhmfi9BRMUQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.57.1.tgz",
+      "integrity": "sha512-4BrCgrpZo4hvzMDKRqEaW1zeecScDCR+2nZ86ATLhAoJ5FQ+lbHVD3ttKe74/c7tNT9c6F2viwB3ufwp01Oh2w==",
       "cpu": [
         "ppc64"
       ],
@@ -1206,9 +1206,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.60.0.tgz",
-      "integrity": "sha512-Z8pPf54Ly3aqtdWC3G4rFigZgNvd+qJlOE52fmko3KST9SoGfAdSRCwyoyG05q1HrrAblLbk1/PSIV+80/pxLg==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.57.1.tgz",
+      "integrity": "sha512-NOlUuzesGauESAyEYFSe3QTUguL+lvrN1HtwEEsU2rOwdUDeTMJdO5dUYl/2hKf9jWydJrO9OL/XSSf65R5+Xw==",
       "cpu": [
         "ppc64"
       ],
@@ -1220,9 +1220,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.60.0.tgz",
-      "integrity": "sha512-3a3qQustp3COCGvnP4SvrMHnPQ9d1vzCakQVRTliaz8cIp/wULGjiGpbcqrkv0WrHTEp8bQD/B3HBjzujVWLOA==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.57.1.tgz",
+      "integrity": "sha512-ptA88htVp0AwUUqhVghwDIKlvJMD/fmL/wrQj99PRHFRAG6Z5nbWoWG4o81Nt9FT+IuqUQi+L31ZKAFeJ5Is+A==",
       "cpu": [
         "riscv64"
       ],
@@ -1234,9 +1234,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.60.0.tgz",
-      "integrity": "sha512-pjZDsVH/1VsghMJ2/kAaxt6dL0psT6ZexQVrijczOf+PeP2BUqTHYejk3l6TlPRydggINOeNRhvpLa0AYpCWSQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.57.1.tgz",
+      "integrity": "sha512-S51t7aMMTNdmAMPpBg7OOsTdn4tySRQvklmL3RpDRyknk87+Sp3xaumlatU+ppQ+5raY7sSTcC2beGgvhENfuw==",
       "cpu": [
         "riscv64"
       ],
@@ -1248,9 +1248,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.60.0.tgz",
-      "integrity": "sha512-3ObQs0BhvPgiUVZrN7gqCSvmFuMWvWvsjG5ayJ3Lraqv+2KhOsp+pUbigqbeWqueGIsnn+09HBw27rJ+gYK4VQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.57.1.tgz",
+      "integrity": "sha512-Bl00OFnVFkL82FHbEqy3k5CUCKH6OEJL54KCyx2oqsmZnFTR8IoNqBF+mjQVcRCT5sB6yOvK8A37LNm/kPJiZg==",
       "cpu": [
         "s390x"
       ],
@@ -1262,9 +1262,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.60.0.tgz",
-      "integrity": "sha512-EtylprDtQPdS5rXvAayrNDYoJhIz1/vzN2fEubo3yLE7tfAw+948dO0g4M0vkTVFhKojnF+n6C8bDNe+gDRdTg==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.57.1.tgz",
+      "integrity": "sha512-ABca4ceT4N+Tv/GtotnWAeXZUZuM/9AQyCyKYyKnpk4yoA7QIAuBt6Hkgpw8kActYlew2mvckXkvx0FfoInnLg==",
       "cpu": [
         "x64"
       ],
@@ -1276,9 +1276,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.60.0.tgz",
-      "integrity": "sha512-k09oiRCi/bHU9UVFqD17r3eJR9bn03TyKraCrlz5ULFJGdJGi7VOmm9jl44vOJvRJ6P7WuBi/s2A97LxxHGIdw==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.57.1.tgz",
+      "integrity": "sha512-HFps0JeGtuOR2convgRRkHCekD7j+gdAuXM+/i6kGzQtFhlCtQkpwtNzkNj6QhCDp7DRJ7+qC/1Vg2jt5iSOFw==",
       "cpu": [
         "x64"
       ],
@@ -1290,9 +1290,9 @@
       ]
     },
     "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.60.0.tgz",
-      "integrity": "sha512-1o/0/pIhozoSaDJoDcec+IVLbnRtQmHwPV730+AOD29lHEEo4F5BEUB24H0OBdhbBBDwIOSuf7vgg0Ywxdfiiw==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.57.1.tgz",
+      "integrity": "sha512-H+hXEv9gdVQuDTgnqD+SQffoWoc0Of59AStSzTEj/feWTBAnSfSD3+Dql1ZruJQxmykT/JVY0dE8Ka7z0DH1hw==",
       "cpu": [
         "x64"
       ],
@@ -1304,9 +1304,9 @@
       ]
     },
     "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.60.0.tgz",
-      "integrity": "sha512-pESDkos/PDzYwtyzB5p/UoNU/8fJo68vcXM9ZW2V0kjYayj1KaaUfi1NmTUTUpMn4UhU4gTuK8gIaFO4UGuMbA==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.57.1.tgz",
+      "integrity": "sha512-4wYoDpNg6o/oPximyc/NG+mYUejZrCU2q+2w6YZqrAs2UcNUChIZXjtafAiiZSUc7On8v5NyNj34Kzj/Ltk6dQ==",
       "cpu": [
         "arm64"
       ],
@@ -1318,9 +1318,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.60.0.tgz",
-      "integrity": "sha512-hj1wFStD7B1YBeYmvY+lWXZ7ey73YGPcViMShYikqKT1GtstIKQAtfUI6yrzPjAy/O7pO0VLXGmUVWXQMaYgTQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.57.1.tgz",
+      "integrity": "sha512-O54mtsV/6LW3P8qdTcamQmuC990HDfR71lo44oZMZlXU4tzLrbvTii87Ni9opq60ds0YzuAlEr/GNwuNluZyMQ==",
       "cpu": [
         "arm64"
       ],
@@ -1332,9 +1332,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.60.0.tgz",
-      "integrity": "sha512-SyaIPFoxmUPlNDq5EHkTbiKzmSEmq/gOYFI/3HHJ8iS/v1mbugVa7dXUzcJGQfoytp9DJFLhHH4U3/eTy2Bq4w==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.57.1.tgz",
+      "integrity": "sha512-P3dLS+IerxCT/7D2q2FYcRdWRl22dNbrbBEtxdWhXrfIMPP9lQhb5h4Du04mdl5Woq05jVCDPCMF7Ub0NAjIew==",
       "cpu": [
         "ia32"
       ],
@@ -1346,9 +1346,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.60.0.tgz",
-      "integrity": "sha512-RdcryEfzZr+lAr5kRm2ucN9aVlCCa2QNq4hXelZxb8GG0NJSazq44Z3PCCc8wISRuCVnGs0lQJVX5Vp6fKA+IA==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.57.1.tgz",
+      "integrity": "sha512-VMBH2eOOaKGtIJYleXsi2B8CPVADrh+TyNxJ4mWPnKfLB/DBUmzW+5m1xUrcwWoMfSLagIRpjUFeW5CO5hyciQ==",
       "cpu": [
         "x64"
       ],
@@ -1360,9 +1360,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.60.0.tgz",
-      "integrity": "sha512-PrsWNQ8BuE00O3Xsx3ALh2Df8fAj9+cvvX9AIA6o4KpATR98c9mud4XtDWVvsEuyia5U4tVSTKygawyJkjm60w==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.57.1.tgz",
+      "integrity": "sha512-mxRFDdHIWRxg3UfIIAwCm6NzvxG0jDX/wBN6KsQFTvKFqqg9vTrWUE68qEjHt19A5wwx5X5aUi2zuZT7YR0jrA==",
       "cpu": [
         "x64"
       ],
@@ -1926,9 +1926,9 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
-      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1936,13 +1936,13 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.2"
+        "brace-expansion": "^2.0.1"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -2052,9 +2052,9 @@
       }
     },
     "node_modules/ajv": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
-      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+      "version": "6.12.6",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2109,9 +2109,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2657,9 +2657,9 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
+      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
       "dev": true,
       "license": "ISC"
     },
@@ -3243,9 +3243,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.1.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
-      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -3386,9 +3386,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
       "peer": true,
@@ -3501,9 +3501,9 @@
       }
     },
     "node_modules/rollup": {
-      "version": "4.60.0",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.0.tgz",
-      "integrity": "sha512-yqjxruMGBQJ2gG4HtjZtAfXArHomazDHoFwFFmZZl0r7Pdo7qCIXKqKHZc8yeoMgzJJ+pO6pEEHa+V7uzWlrAQ==",
+      "version": "4.57.1",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.57.1.tgz",
+      "integrity": "sha512-oQL6lgK3e2QZeQ7gcgIkS2YZPg5slw37hYufJ3edKlfQSGGm8ICoxswK15ntSzF/a8+h7ekRy7k7oWc3BQ7y8A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3517,31 +3517,31 @@
         "npm": ">=8.0.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.60.0",
-        "@rollup/rollup-android-arm64": "4.60.0",
-        "@rollup/rollup-darwin-arm64": "4.60.0",
-        "@rollup/rollup-darwin-x64": "4.60.0",
-        "@rollup/rollup-freebsd-arm64": "4.60.0",
-        "@rollup/rollup-freebsd-x64": "4.60.0",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.60.0",
-        "@rollup/rollup-linux-arm-musleabihf": "4.60.0",
-        "@rollup/rollup-linux-arm64-gnu": "4.60.0",
-        "@rollup/rollup-linux-arm64-musl": "4.60.0",
-        "@rollup/rollup-linux-loong64-gnu": "4.60.0",
-        "@rollup/rollup-linux-loong64-musl": "4.60.0",
-        "@rollup/rollup-linux-ppc64-gnu": "4.60.0",
-        "@rollup/rollup-linux-ppc64-musl": "4.60.0",
-        "@rollup/rollup-linux-riscv64-gnu": "4.60.0",
-        "@rollup/rollup-linux-riscv64-musl": "4.60.0",
-        "@rollup/rollup-linux-s390x-gnu": "4.60.0",
-        "@rollup/rollup-linux-x64-gnu": "4.60.0",
-        "@rollup/rollup-linux-x64-musl": "4.60.0",
-        "@rollup/rollup-openbsd-x64": "4.60.0",
-        "@rollup/rollup-openharmony-arm64": "4.60.0",
-        "@rollup/rollup-win32-arm64-msvc": "4.60.0",
-        "@rollup/rollup-win32-ia32-msvc": "4.60.0",
-        "@rollup/rollup-win32-x64-gnu": "4.60.0",
-        "@rollup/rollup-win32-x64-msvc": "4.60.0",
+        "@rollup/rollup-android-arm-eabi": "4.57.1",
+        "@rollup/rollup-android-arm64": "4.57.1",
+        "@rollup/rollup-darwin-arm64": "4.57.1",
+        "@rollup/rollup-darwin-x64": "4.57.1",
+        "@rollup/rollup-freebsd-arm64": "4.57.1",
+        "@rollup/rollup-freebsd-x64": "4.57.1",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.57.1",
+        "@rollup/rollup-linux-arm-musleabihf": "4.57.1",
+        "@rollup/rollup-linux-arm64-gnu": "4.57.1",
+        "@rollup/rollup-linux-arm64-musl": "4.57.1",
+        "@rollup/rollup-linux-loong64-gnu": "4.57.1",
+        "@rollup/rollup-linux-loong64-musl": "4.57.1",
+        "@rollup/rollup-linux-ppc64-gnu": "4.57.1",
+        "@rollup/rollup-linux-ppc64-musl": "4.57.1",
+        "@rollup/rollup-linux-riscv64-gnu": "4.57.1",
+        "@rollup/rollup-linux-riscv64-musl": "4.57.1",
+        "@rollup/rollup-linux-s390x-gnu": "4.57.1",
+        "@rollup/rollup-linux-x64-gnu": "4.57.1",
+        "@rollup/rollup-linux-x64-musl": "4.57.1",
+        "@rollup/rollup-openbsd-x64": "4.57.1",
+        "@rollup/rollup-openharmony-arm64": "4.57.1",
+        "@rollup/rollup-win32-arm64-msvc": "4.57.1",
+        "@rollup/rollup-win32-ia32-msvc": "4.57.1",
+        "@rollup/rollup-win32-x64-gnu": "4.57.1",
+        "@rollup/rollup-win32-x64-msvc": "4.57.1",
         "fsevents": "~2.3.2"
       }
     },
@@ -3803,9 +3803,9 @@
       }
     },
     "node_modules/vite": {
-      "version": "7.3.2",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz",
-      "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
+      "version": "7.3.1",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
+      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
       "dev": true,
       "license": "MIT",
       "peer": true,

proxy/web/package.json

@@ -17,7 +17,7 @@
     "tailwind-merge": "^2.6.0"
   },
   "devDependencies": {
-    "@eslint/js": "9.39.2",
+    "@eslint/js": "^9.39.1",
     "@tailwindcss/vite": "^4.1.18",
     "@types/node": "^24.10.1",
     "@types/react": "^19.2.5",
@@ -31,6 +31,6 @@
     "tsx": "^4.21.0",
     "typescript": "~5.9.3",
     "typescript-eslint": "^8.46.4",
-    "vite": "7.3.2"
+    "vite": "^7.2.4"
   }
 }

shared/management/client/client.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"io"
 
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/proto"
@@ -14,18 +16,14 @@ type Client interface {
 	io.Closer
 	Sync(ctx context.Context, sysInfo *system.Info, msgHandler func(msg *proto.SyncResponse) error) error
 	Job(ctx context.Context, msgHandler func(msg *proto.JobRequest) *proto.JobResponse) error
-	Register(setupKey string, jwtToken string, sysInfo *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
-	Login(sysInfo *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
-	GetDeviceAuthorizationFlow() (*proto.DeviceAuthorizationFlow, error)
-	GetPKCEAuthorizationFlow() (*proto.PKCEAuthorizationFlow, error)
+	GetServerPublicKey() (*wgtypes.Key, error)
+	Register(serverKey wgtypes.Key, setupKey string, jwtToken string, sysInfo *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
+	Login(serverKey wgtypes.Key, sysInfo *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
+	GetDeviceAuthorizationFlow(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error)
+	GetPKCEAuthorizationFlow(serverKey wgtypes.Key) (*proto.PKCEAuthorizationFlow, error)
 	GetNetworkMap(sysInfo *system.Info) (*proto.NetworkMap, error)
 	GetServerURL() string
-	// IsHealthy returns the current connection status without blocking.
-	// Used by the engine to monitor connectivity in the background.
 	IsHealthy() bool
-	// HealthCheck actively probes the management server and returns an error if unreachable.
-	// Used to validate connectivity before committing configuration changes.
-	HealthCheck() error
 	SyncMeta(sysInfo *system.Info) error
 	Logout() error
 	CreateExpose(ctx context.Context, req ExposeRequest) (*ExposeResponse, error)

shared/management/client/client_test.go

@@ -189,7 +189,7 @@ func closeManagementSilently(s *grpc.Server, listener net.Listener) {
 	}
 }
 
-func TestClient_HealthCheck(t *testing.T) {
+func TestClient_GetServerPublicKey(t *testing.T) {
 	testKey, err := wgtypes.GenerateKey()
 	if err != nil {
 		t.Fatal(err)
@@ -203,8 +203,12 @@ func TestClient_HealthCheck(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if err := client.HealthCheck(); err != nil {
-		t.Errorf("health check failed: %v", err)
+	key, err := client.GetServerPublicKey()
+	if err != nil {
+		t.Error("couldn't retrieve management public key")
+	}
+	if key == nil {
+		t.Error("got an empty management public key")
 	}
 }
 
@@ -221,8 +225,12 @@ func TestClient_LoginUnregistered_ShouldThrow_401(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	key, err := client.GetServerPublicKey()
+	if err != nil {
+		t.Fatal(err)
+	}
 	sysInfo := system.GetInfo(context.TODO())
-	_, err = client.Login(sysInfo, nil, nil)
+	_, err = client.Login(*key, sysInfo, nil, nil)
 	if err == nil {
 		t.Error("expecting err on unregistered login, got nil")
 	}
@@ -245,8 +253,12 @@ func TestClient_LoginRegistered(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	key, err := client.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
 	info := system.GetInfo(context.TODO())
-	resp, err := client.Register(ValidKey, "", info, nil, nil)
+	resp, err := client.Register(*key, ValidKey, "", info, nil, nil)
 	if err != nil {
 		t.Error(err)
 	}
@@ -270,8 +282,13 @@ func TestClient_Sync(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+
 	info := system.GetInfo(context.TODO())
-	_, err = client.Register(ValidKey, "", info, nil, nil)
+	_, err = client.Register(*serverKey, ValidKey, "", info, nil, nil)
 	if err != nil {
 		t.Error(err)
 	}
@@ -287,7 +304,7 @@ func TestClient_Sync(t *testing.T) {
 	}
 
 	info = system.GetInfo(context.TODO())
-	_, err = remoteClient.Register(ValidKey, "", info, nil, nil)
+	_, err = remoteClient.Register(*serverKey, ValidKey, "", info, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -347,6 +364,11 @@ func Test_SystemMetaDataFromClient(t *testing.T) {
 		t.Fatalf("error while creating testClient: %v", err)
 	}
 
+	key, err := testClient.GetServerPublicKey()
+	if err != nil {
+		t.Fatalf("error while getting server public key from testclient, %v", err)
+	}
+
 	var actualMeta *mgmtProto.PeerSystemMeta
 	var actualValidKey string
 	var wg sync.WaitGroup
@@ -383,7 +405,7 @@ func Test_SystemMetaDataFromClient(t *testing.T) {
 	}
 
 	info := system.GetInfo(context.TODO())
-	_, err = testClient.Register(ValidKey, "", info, nil, nil)
+	_, err = testClient.Register(*key, ValidKey, "", info, nil, nil)
 	if err != nil {
 		t.Errorf("error while trying to register client: %v", err)
 	}
@@ -483,7 +505,7 @@ func Test_GetDeviceAuthorizationFlow(t *testing.T) {
 	}
 
 	mgmtMockServer.GetDeviceAuthorizationFlowFunc = func(ctx context.Context, req *mgmtProto.EncryptedMessage) (*mgmtProto.EncryptedMessage, error) {
-		encryptedResp, err := encryption.EncryptMessage(client.key.PublicKey(), serverKey, expectedFlowInfo)
+		encryptedResp, err := encryption.EncryptMessage(serverKey, client.key, expectedFlowInfo)
 		if err != nil {
 			return nil, err
 		}
@@ -495,7 +517,7 @@ func Test_GetDeviceAuthorizationFlow(t *testing.T) {
 		}, nil
 	}
 
-	flowInfo, err := client.GetDeviceAuthorizationFlow()
+	flowInfo, err := client.GetDeviceAuthorizationFlow(serverKey)
 	if err != nil {
 		t.Error("error while retrieving device auth flow information")
 	}
@@ -523,13 +545,12 @@ func Test_GetPKCEAuthorizationFlow(t *testing.T) {
 
 	expectedFlowInfo := &mgmtProto.PKCEAuthorizationFlow{
 		ProviderConfig: &mgmtProto.ProviderConfig{
-			ClientID:     "client",
-			ClientSecret: "secret",
+			ClientID: "client",
 		},
 	}
 
 	mgmtMockServer.GetPKCEAuthorizationFlowFunc = func(ctx context.Context, req *mgmtProto.EncryptedMessage) (*mgmtProto.EncryptedMessage, error) {
-		encryptedResp, err := encryption.EncryptMessage(client.key.PublicKey(), serverKey, expectedFlowInfo)
+		encryptedResp, err := encryption.EncryptMessage(serverKey, client.key, expectedFlowInfo)
 		if err != nil {
 			return nil, err
 		}
@@ -541,11 +562,10 @@ func Test_GetPKCEAuthorizationFlow(t *testing.T) {
 		}, nil
 	}
 
-	flowInfo, err := client.GetPKCEAuthorizationFlow()
+	flowInfo, err := client.GetPKCEAuthorizationFlow(serverKey)
 	if err != nil {
 		t.Error("error while retrieving pkce auth flow information")
 	}
 
 	assert.Equal(t, expectedFlowInfo.ProviderConfig.ClientID, flowInfo.ProviderConfig.ClientID, "provider configured client ID should match")
-	assert.Equal(t, expectedFlowInfo.ProviderConfig.ClientSecret, flowInfo.ProviderConfig.ClientSecret, "provider configured client secret should match") //nolint:staticcheck
 }

shared/management/client/grpc.go

@@ -202,7 +202,7 @@ func (c *GrpcClient) withMgmtStream(
 			return fmt.Errorf("connection to management is not ready and in %s state", connState)
 		}
 
-		serverPubKey, err := c.getServerPublicKey()
+		serverPubKey, err := c.GetServerPublicKey()
 		if err != nil {
 			log.Debugf(errMsgMgmtPublicKey, err)
 			return err
@@ -404,7 +404,7 @@ func (c *GrpcClient) handleSyncStream(ctx context.Context, serverPubKey wgtypes.
 
 // GetNetworkMap return with the network map
 func (c *GrpcClient) GetNetworkMap(sysInfo *system.Info) (*proto.NetworkMap, error) {
-	serverPubKey, err := c.getServerPublicKey()
+	serverPubKey, err := c.GetServerPublicKey()
 	if err != nil {
 		log.Debugf("failed getting Management Service public key: %s", err)
 		return nil, err
@@ -490,24 +490,18 @@ func (c *GrpcClient) receiveUpdatesEvents(stream proto.ManagementService_SyncCli
 	}
 }
 
-// HealthCheck actively probes the management server and returns an error if unreachable.
-// Used to validate connectivity before committing configuration changes.
-func (c *GrpcClient) HealthCheck() error {
+// GetServerPublicKey returns server's WireGuard public key (used later for encrypting messages sent to the server)
+func (c *GrpcClient) GetServerPublicKey() (*wgtypes.Key, error) {
 	if !c.ready() {
-		return errors.New(errMsgNoMgmtConnection)
+		return nil, errors.New(errMsgNoMgmtConnection)
 	}
 
-	_, err := c.getServerPublicKey()
-	return err
-}
-
-// getServerPublicKey fetches the server's WireGuard public key.
-func (c *GrpcClient) getServerPublicKey() (*wgtypes.Key, error) {
 	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second)
 	defer cancel()
 	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
 	if err != nil {
-		return nil, fmt.Errorf("failed getting Management Service public key: %w", err)
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, fmt.Errorf("failed while getting Management Service public key")
 	}
 
 	serverKey, err := wgtypes.ParseKey(resp.Key)
@@ -518,8 +512,7 @@ func (c *GrpcClient) getServerPublicKey() (*wgtypes.Key, error) {
 	return &serverKey, nil
 }
 
-// IsHealthy returns the current connection status without blocking.
-// Used by the engine to monitor connectivity in the background.
+// IsHealthy probes the gRPC connection and returns false on errors
 func (c *GrpcClient) IsHealthy() bool {
 	switch c.conn.GetState() {
 	case connectivity.TransientFailure:
@@ -545,17 +538,12 @@ func (c *GrpcClient) IsHealthy() bool {
 	return true
 }
 
-func (c *GrpcClient) login(req *proto.LoginRequest) (*proto.LoginResponse, error) {
+func (c *GrpcClient) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
 	if !c.ready() {
 		return nil, errors.New(errMsgNoMgmtConnection)
 	}
 
-	serverKey, err := c.getServerPublicKey()
-	if err != nil {
-		return nil, err
-	}
-
-	loginReq, err := encryption.EncryptMessage(*serverKey, c.key, req)
+	loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
 	if err != nil {
 		log.Errorf("failed to encrypt message: %s", err)
 		return nil, err
@@ -589,7 +577,7 @@ func (c *GrpcClient) login(req *proto.LoginRequest) (*proto.LoginResponse, error
 	}
 
 	loginResp := &proto.LoginResponse{}
-	err = encryption.DecryptMessage(*serverKey, c.key, resp.Body, loginResp)
+	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
 	if err != nil {
 		log.Errorf("failed to decrypt login response: %s", err)
 		return nil, err
@@ -601,40 +589,34 @@ func (c *GrpcClient) login(req *proto.LoginRequest) (*proto.LoginResponse, error
 // Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
 // Takes care of encrypting and decrypting messages.
 // This method will also collect system info and send it with the request (e.g. hostname, os, etc)
-func (c *GrpcClient) Register(setupKey string, jwtToken string, sysInfo *system.Info, pubSSHKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
+func (c *GrpcClient) Register(serverKey wgtypes.Key, setupKey string, jwtToken string, sysInfo *system.Info, pubSSHKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
 	keys := &proto.PeerKeys{
 		SshPubKey: pubSSHKey,
 		WgPubKey:  []byte(c.key.PublicKey().String()),
 	}
-	return c.login(&proto.LoginRequest{SetupKey: setupKey, Meta: infoToMetaData(sysInfo), JwtToken: jwtToken, PeerKeys: keys, DnsLabels: dnsLabels.ToPunycodeList()})
+	return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: infoToMetaData(sysInfo), JwtToken: jwtToken, PeerKeys: keys, DnsLabels: dnsLabels.ToPunycodeList()})
 }
 
 // Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
-func (c *GrpcClient) Login(sysInfo *system.Info, pubSSHKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
+func (c *GrpcClient) Login(serverKey wgtypes.Key, sysInfo *system.Info, pubSSHKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
 	keys := &proto.PeerKeys{
 		SshPubKey: pubSSHKey,
 		WgPubKey:  []byte(c.key.PublicKey().String()),
 	}
-	return c.login(&proto.LoginRequest{Meta: infoToMetaData(sysInfo), PeerKeys: keys, DnsLabels: dnsLabels.ToPunycodeList()})
+	return c.login(serverKey, &proto.LoginRequest{Meta: infoToMetaData(sysInfo), PeerKeys: keys, DnsLabels: dnsLabels.ToPunycodeList()})
 }
 
 // GetDeviceAuthorizationFlow returns a device authorization flow information.
 // It also takes care of encrypting and decrypting messages.
-func (c *GrpcClient) GetDeviceAuthorizationFlow() (*proto.DeviceAuthorizationFlow, error) {
+func (c *GrpcClient) GetDeviceAuthorizationFlow(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error) {
 	if !c.ready() {
 		return nil, fmt.Errorf("no connection to management in order to get device authorization flow")
 	}
-
-	serverKey, err := c.getServerPublicKey()
-	if err != nil {
-		return nil, err
-	}
-
 	mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
 	defer cancel()
 
 	message := &proto.DeviceAuthorizationFlowRequest{}
-	encryptedMSG, err := encryption.EncryptMessage(*serverKey, c.key, message)
+	encryptedMSG, err := encryption.EncryptMessage(serverKey, c.key, message)
 	if err != nil {
 		return nil, err
 	}
@@ -648,7 +630,7 @@ func (c *GrpcClient) GetDeviceAuthorizationFlow() (*proto.DeviceAuthorizationFlo
 	}
 
 	flowInfoResp := &proto.DeviceAuthorizationFlow{}
-	err = encryption.DecryptMessage(*serverKey, c.key, resp.Body, flowInfoResp)
+	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, flowInfoResp)
 	if err != nil {
 		errWithMSG := fmt.Errorf("failed to decrypt device authorization flow message: %s", err)
 		log.Error(errWithMSG)
@@ -660,21 +642,15 @@ func (c *GrpcClient) GetDeviceAuthorizationFlow() (*proto.DeviceAuthorizationFlo
 
 // GetPKCEAuthorizationFlow returns a pkce authorization flow information.
 // It also takes care of encrypting and decrypting messages.
-func (c *GrpcClient) GetPKCEAuthorizationFlow() (*proto.PKCEAuthorizationFlow, error) {
+func (c *GrpcClient) GetPKCEAuthorizationFlow(serverKey wgtypes.Key) (*proto.PKCEAuthorizationFlow, error) {
 	if !c.ready() {
 		return nil, fmt.Errorf("no connection to management in order to get pkce authorization flow")
 	}
-
-	serverKey, err := c.getServerPublicKey()
-	if err != nil {
-		return nil, err
-	}
-
 	mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
 	defer cancel()
 
 	message := &proto.PKCEAuthorizationFlowRequest{}
-	encryptedMSG, err := encryption.EncryptMessage(*serverKey, c.key, message)
+	encryptedMSG, err := encryption.EncryptMessage(serverKey, c.key, message)
 	if err != nil {
 		return nil, err
 	}
@@ -688,7 +664,7 @@ func (c *GrpcClient) GetPKCEAuthorizationFlow() (*proto.PKCEAuthorizationFlow, e
 	}
 
 	flowInfoResp := &proto.PKCEAuthorizationFlow{}
-	err = encryption.DecryptMessage(*serverKey, c.key, resp.Body, flowInfoResp)
+	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, flowInfoResp)
 	if err != nil {
 		errWithMSG := fmt.Errorf("failed to decrypt pkce authorization flow message: %s", err)
 		log.Error(errWithMSG)
@@ -705,7 +681,7 @@ func (c *GrpcClient) SyncMeta(sysInfo *system.Info) error {
 		return errors.New(errMsgNoMgmtConnection)
 	}
 
-	serverPubKey, err := c.getServerPublicKey()
+	serverPubKey, err := c.GetServerPublicKey()
 	if err != nil {
 		log.Debugf(errMsgMgmtPublicKey, err)
 		return err
@@ -748,7 +724,7 @@ func (c *GrpcClient) notifyConnected() {
 }
 
 func (c *GrpcClient) Logout() error {
-	serverKey, err := c.getServerPublicKey()
+	serverKey, err := c.GetServerPublicKey()
 	if err != nil {
 		return fmt.Errorf("get server public key: %w", err)
 	}
@@ -775,7 +751,7 @@ func (c *GrpcClient) Logout() error {
 
 // CreateExpose calls the management server to create a new expose service.
 func (c *GrpcClient) CreateExpose(ctx context.Context, req ExposeRequest) (*ExposeResponse, error) {
-	serverPubKey, err := c.getServerPublicKey()
+	serverPubKey, err := c.GetServerPublicKey()
 	if err != nil {
 		return nil, err
 	}
@@ -811,7 +787,7 @@ func (c *GrpcClient) CreateExpose(ctx context.Context, req ExposeRequest) (*Expo
 
 // RenewExpose extends the TTL of an active expose session on the management server.
 func (c *GrpcClient) RenewExpose(ctx context.Context, domain string) error {
-	serverPubKey, err := c.getServerPublicKey()
+	serverPubKey, err := c.GetServerPublicKey()
 	if err != nil {
 		return err
 	}
@@ -834,7 +810,7 @@ func (c *GrpcClient) RenewExpose(ctx context.Context, domain string) error {
 
 // StopExpose terminates an active expose session on the management server.
 func (c *GrpcClient) StopExpose(ctx context.Context, domain string) error {
-	serverPubKey, err := c.getServerPublicKey()
+	serverPubKey, err := c.GetServerPublicKey()
 	if err != nil {
 		return err
 	}

shared/management/client/mock.go

@@ -3,6 +3,8 @@ package client
 import (
 	"context"
 
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/proto"
@@ -12,12 +14,12 @@ import (
 type MockClient struct {
 	CloseFunc                      func() error
 	SyncFunc                       func(ctx context.Context, sysInfo *system.Info, msgHandler func(msg *proto.SyncResponse) error) error
-	RegisterFunc                   func(setupKey string, jwtToken string, info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
-	LoginFunc                      func(info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
-	GetDeviceAuthorizationFlowFunc func() (*proto.DeviceAuthorizationFlow, error)
-	GetPKCEAuthorizationFlowFunc   func() (*proto.PKCEAuthorizationFlow, error)
+	GetServerPublicKeyFunc         func() (*wgtypes.Key, error)
+	RegisterFunc                   func(serverKey wgtypes.Key, setupKey string, jwtToken string, info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
+	LoginFunc                      func(serverKey wgtypes.Key, info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error)
+	GetDeviceAuthorizationFlowFunc func(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error)
+	GetPKCEAuthorizationFlowFunc   func(serverKey wgtypes.Key) (*proto.PKCEAuthorizationFlow, error)
 	GetServerURLFunc               func() string
-	HealthCheckFunc                func() error
 	SyncMetaFunc                   func(sysInfo *system.Info) error
 	LogoutFunc                     func() error
 	JobFunc                        func(ctx context.Context, msgHandler func(msg *proto.JobRequest) *proto.JobResponse) error
@@ -51,39 +53,39 @@ func (m *MockClient) Job(ctx context.Context, msgHandler func(msg *proto.JobRequ
 	return m.JobFunc(ctx, msgHandler)
 }
 
-func (m *MockClient) Register(setupKey string, jwtToken string, info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
+func (m *MockClient) GetServerPublicKey() (*wgtypes.Key, error) {
+	if m.GetServerPublicKeyFunc == nil {
+		return nil, nil
+	}
+	return m.GetServerPublicKeyFunc()
+}
+
+func (m *MockClient) Register(serverKey wgtypes.Key, setupKey string, jwtToken string, info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
 	if m.RegisterFunc == nil {
 		return nil, nil
 	}
-	return m.RegisterFunc(setupKey, jwtToken, info, sshKey, dnsLabels)
+	return m.RegisterFunc(serverKey, setupKey, jwtToken, info, sshKey, dnsLabels)
 }
 
-func (m *MockClient) Login(info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
+func (m *MockClient) Login(serverKey wgtypes.Key, info *system.Info, sshKey []byte, dnsLabels domain.List) (*proto.LoginResponse, error) {
 	if m.LoginFunc == nil {
 		return nil, nil
 	}
-	return m.LoginFunc(info, sshKey, dnsLabels)
+	return m.LoginFunc(serverKey, info, sshKey, dnsLabels)
 }
 
-func (m *MockClient) GetDeviceAuthorizationFlow() (*proto.DeviceAuthorizationFlow, error) {
+func (m *MockClient) GetDeviceAuthorizationFlow(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error) {
 	if m.GetDeviceAuthorizationFlowFunc == nil {
 		return nil, nil
 	}
-	return m.GetDeviceAuthorizationFlowFunc()
+	return m.GetDeviceAuthorizationFlowFunc(serverKey)
 }
 
-func (m *MockClient) GetPKCEAuthorizationFlow() (*proto.PKCEAuthorizationFlow, error) {
+func (m *MockClient) GetPKCEAuthorizationFlow(serverKey wgtypes.Key) (*proto.PKCEAuthorizationFlow, error) {
 	if m.GetPKCEAuthorizationFlowFunc == nil {
 		return nil, nil
 	}
-	return m.GetPKCEAuthorizationFlowFunc()
-}
-
-func (m *MockClient) HealthCheck() error {
-	if m.HealthCheckFunc == nil {
-		return nil
-	}
-	return m.HealthCheckFunc()
+	return m.GetPKCEAuthorizationFlowFunc(serverKey)
 }
 
 // GetNetworkMap mock implementation of GetNetworkMap from Client interface.

shared/management/http/api/openapi.yml

@@ -4414,9 +4414,6 @@ components:
           items:
             type: string
           example: [ "Users" ]
-        connector_id:
-          type: string
-          description: DEX connector ID for embedded IDP setups
     IntegrationEnabled:
       type: object
       properties:

shared/management/http/api/types.gen.go

@@ -1492,9 +1492,6 @@ type AzureIntegration struct {
 	// ClientId Azure AD application (client) ID
 	ClientId string `json:"client_id"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled bool `json:"enabled"`
 
@@ -1635,9 +1632,6 @@ type CreateAzureIntegrationRequest struct {
 	// ClientSecret Base64-encoded Azure AD client secret
 	ClientSecret string `json:"client_secret"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -1659,9 +1653,6 @@ type CreateAzureIntegrationRequestHost string
 
 // CreateGoogleIntegrationRequest defines model for CreateGoogleIntegrationRequest.
 type CreateGoogleIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// CustomerId Customer ID from Google Workspace Account Settings
 	CustomerId string `json:"customer_id"`
 
@@ -1698,9 +1689,6 @@ type CreateOktaScimIntegrationRequest struct {
 	// ConnectionName The Okta enterprise connection name on Auth0
 	ConnectionName string `json:"connection_name"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -1710,9 +1698,6 @@ type CreateOktaScimIntegrationRequest struct {
 
 // CreateScimIntegrationRequest defines model for CreateScimIntegrationRequest.
 type CreateScimIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -2169,9 +2154,6 @@ type GetTenantsResponse = []TenantResponse
 
 // GoogleIntegration defines model for GoogleIntegration.
 type GoogleIntegration struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// CustomerId Customer ID from Google Workspace
 	CustomerId string `json:"customer_id"`
 
@@ -2520,9 +2502,6 @@ type IntegrationResponsePlatform string
 
 // IntegrationSyncFilters defines model for IntegrationSyncFilters.
 type IntegrationSyncFilters struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// GroupPrefixes List of start_with string patterns for groups to sync
 	GroupPrefixes *[]string `json:"group_prefixes,omitempty"`
 
@@ -3015,9 +2994,6 @@ type OktaScimIntegration struct {
 	// AuthToken SCIM API token (full on creation/regeneration, masked on retrieval)
 	AuthToken string `json:"auth_token"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled bool `json:"enabled"`
 
@@ -3888,9 +3864,6 @@ type ScimIntegration struct {
 	// AuthToken SCIM API token (full on creation, masked otherwise)
 	AuthToken string `json:"auth_token"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled bool `json:"enabled"`
 
@@ -4368,9 +4341,6 @@ type UpdateAzureIntegrationRequest struct {
 	// ClientSecret Base64-encoded Azure AD client secret
 	ClientSecret *string `json:"client_secret,omitempty"`
 
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled *bool `json:"enabled,omitempty"`
 
@@ -4389,9 +4359,6 @@ type UpdateAzureIntegrationRequest struct {
 
 // UpdateGoogleIntegrationRequest defines model for UpdateGoogleIntegrationRequest.
 type UpdateGoogleIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// CustomerId Customer ID from Google Workspace Account Settings
 	CustomerId *string `json:"customer_id,omitempty"`
 
@@ -4413,9 +4380,6 @@ type UpdateGoogleIntegrationRequest struct {
 
 // UpdateOktaScimIntegrationRequest defines model for UpdateOktaScimIntegrationRequest.
 type UpdateOktaScimIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled *bool `json:"enabled,omitempty"`
 
@@ -4428,9 +4392,6 @@ type UpdateOktaScimIntegrationRequest struct {
 
 // UpdateScimIntegrationRequest defines model for UpdateScimIntegrationRequest.
 type UpdateScimIntegrationRequest struct {
-	// ConnectorId DEX connector ID for embedded IDP setups
-	ConnectorId *string `json:"connector_id,omitempty"`
-
 	// Enabled Whether the integration is enabled
 	Enabled *bool `json:"enabled,omitempty"`