Merge pull request #242 from fosrl/dev

1.10.0

.env.example

@@ -1,5 +1,5 @@
 # Copy this file to .env and fill in your values
 # Required for connecting to Pangolin service
-PANGOLIN_ENDPOINT=https://example.com
+PANGOLIN_ENDPOINT=https://app.pangolin.net
 NEWT_ID=changeme-id
 NEWT_SECRET=changeme-secret

.github/workflows/cicd.yml

@@ -48,7 +48,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 
@@ -92,7 +92,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 
@@ -104,7 +104,7 @@ jobs:
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log in to Docker Hub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -234,7 +234,7 @@ jobs:
 
       - name: Cache Go modules
         if: ${{ hashFiles('**/go.sum') != '' }}
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: |
             ~/.cache/go-build
@@ -269,7 +269,7 @@ jobs:
           } >> "$GITHUB_ENV"
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.IMAGE_LIST }}
           tags: |
@@ -364,7 +364,7 @@ jobs:
 
       - name: Attest build provenance (GHCR)
         id: attest-ghcr
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         with:
           subject-name: ${{ env.GHCR_IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}
@@ -374,7 +374,7 @@ jobs:
       - name: Attest build provenance (Docker Hub)
         continue-on-error: true
         id: attest-dh
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         with:
           subject-name: index.docker.io/fosrl/${{ github.event.repository.name }}
           subject-digest: ${{ steps.build.outputs.digest }}

.github/workflows/nix-build.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@main

.github/workflows/nix-dependabot-update-hash.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.head_ref }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale-bot.yml

@@ -0,0 +1,37 @@
+name: Mark and Close Stale Issues
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write # only for delete-branch option
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+        with:
+          days-before-stale: 14
+          days-before-close: 14
+          stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.'
+          close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.'
+          stale-issue-label: 'stale'
+          
+          exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question'
+          
+          exempt-all-issue-assignees: true
+          
+          only-labels: ''
+          exempt-pr-labels: ''
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          
+          operations-per-run: 100
+          remove-stale-when-updated: true
+          delete-branch: false
+          enable-statistics: true

.github/workflows/test.yml

@@ -28,7 +28,7 @@ jobs:
           - go-build-release-windows-amd64
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0

authdaemon.go

@@ -0,0 +1,151 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+
+	"github.com/fosrl/newt/authdaemon"
+	"github.com/fosrl/newt/logger"
+)
+
+const (
+	defaultPrincipalsPath = "/var/run/auth-daemon/principals"
+	defaultCACertPath     = "/etc/ssh/ca.pem"
+)
+
+var (
+	errPresharedKeyRequired = errors.New("auth-daemon-key is required when --auth-daemon is enabled")
+	errRootRequired         = errors.New("auth-daemon must be run as root (use sudo)")
+	authDaemonServer        *authdaemon.Server // Global auth daemon server instance
+)
+
+// startAuthDaemon initializes and starts the auth daemon in the background.
+// It validates requirements (Linux, root, preshared key) and starts the server
+// in a goroutine so it runs alongside normal newt operation.
+func startAuthDaemon(ctx context.Context) error {
+	// Validation
+	if runtime.GOOS != "linux" {
+		return fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS)
+	}
+	if os.Geteuid() != 0 {
+		return errRootRequired
+	}
+
+	// Use defaults if not set
+	principalsFile := authDaemonPrincipalsFile
+	if principalsFile == "" {
+		principalsFile = defaultPrincipalsPath
+	}
+	caCertPath := authDaemonCACertPath
+	if caCertPath == "" {
+		caCertPath = defaultCACertPath
+	}
+
+	// Create auth daemon server
+	cfg := authdaemon.Config{
+		DisableHTTPS:       true, // We run without HTTP server in newt
+		PresharedKey:       "this-key-is-not-used",   // Not used in embedded mode, but set to non-empty to satisfy validation
+		PrincipalsFilePath: principalsFile,
+		CACertPath:         caCertPath,
+		Force:              true,
+	}
+
+	srv, err := authdaemon.NewServer(cfg)
+	if err != nil {
+		return fmt.Errorf("create auth daemon server: %w", err)
+	}
+
+	authDaemonServer = srv
+
+	// Start the auth daemon in a goroutine so it runs alongside newt
+	go func() {
+		logger.Info("Auth daemon starting (native mode, no HTTP server)")
+		if err := srv.Run(ctx); err != nil {
+			logger.Error("Auth daemon error: %v", err)
+		}
+		logger.Info("Auth daemon stopped")
+	}()
+
+	return nil
+}
+
+
+
+// runPrincipalsCmd executes the principals subcommand logic
+func runPrincipalsCmd(args []string) {
+	opts := struct {
+		PrincipalsFile string
+		Username       string
+	}{
+		PrincipalsFile: defaultPrincipalsPath,
+	}
+
+	// Parse flags manually
+	for i := 0; i < len(args); i++ {
+		switch args[i] {
+		case "--principals-file":
+			if i+1 >= len(args) {
+				fmt.Fprintf(os.Stderr, "Error: --principals-file requires a value\n")
+				os.Exit(1)
+			}
+			opts.PrincipalsFile = args[i+1]
+			i++
+		case "--username":
+			if i+1 >= len(args) {
+				fmt.Fprintf(os.Stderr, "Error: --username requires a value\n")
+				os.Exit(1)
+			}
+			opts.Username = args[i+1]
+			i++
+		case "--help", "-h":
+			printPrincipalsHelp()
+			os.Exit(0)
+		default:
+			fmt.Fprintf(os.Stderr, "Error: unknown flag: %s\n", args[i])
+			printPrincipalsHelp()
+			os.Exit(1)
+		}
+	}
+
+	// Validation
+	if opts.Username == "" {
+		fmt.Fprintf(os.Stderr, "Error: username is required\n")
+		printPrincipalsHelp()
+		os.Exit(1)
+	}
+
+	// Get principals
+	list, err := authdaemon.GetPrincipals(opts.PrincipalsFile, opts.Username)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+	if len(list) == 0 {
+		fmt.Println("")
+		return
+	}
+	for _, principal := range list {
+		fmt.Println(principal)
+	}
+}
+
+func printPrincipalsHelp() {
+	fmt.Fprintf(os.Stderr, `Usage: newt principals [flags]
+
+Output principals for a username (for AuthorizedPrincipalsCommand in sshd_config).
+Read the principals file and print principals that match the given username, one per line.
+Configure in sshd_config with AuthorizedPrincipalsCommand and %%u for the username.
+
+Flags:
+  --principals-file string   Path to the principals file (default "%s")
+  --username string          Username to look up (required)
+  --help, -h                 Show this help message
+
+Example:
+  newt principals --username alice
+
+`, defaultPrincipalsPath)
+}

authdaemon/connection.go

@@ -0,0 +1,27 @@
+package authdaemon
+
+import (
+	"github.com/fosrl/newt/logger"
+)
+
+// ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals.
+// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
+func (s *Server) ProcessConnection(req ConnectionRequest) {
+	logger.Info("connection: niceId=%q username=%q metadata.sudoMode=%q metadata.sudoCommands=%v metadata.homedir=%v metadata.groups=%v",
+		req.NiceId, req.Username, req.Metadata.SudoMode, req.Metadata.SudoCommands, req.Metadata.Homedir, req.Metadata.Groups)
+
+	cfg := &s.cfg
+	if cfg.CACertPath != "" {
+		if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert, cfg.Force); err != nil {
+			logger.Warn("auth-daemon: write CA cert: %v", err)
+		}
+	}
+	if err := ensureUser(req.Username, req.Metadata); err != nil {
+		logger.Warn("auth-daemon: ensure user: %v", err)
+	}
+	if cfg.PrincipalsFilePath != "" {
+		if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil {
+			logger.Warn("auth-daemon: write principals: %v", err)
+		}
+	}
+}

authdaemon/host_linux.go

@@ -0,0 +1,371 @@
+//go:build linux
+
+package authdaemon
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/fosrl/newt/logger"
+)
+
+// writeCACertIfNotExists writes contents to path. If the file already exists: when force is false, skip; when force is true, overwrite only if content differs.
+func writeCACertIfNotExists(path, contents string, force bool) error {
+	contents = strings.TrimSpace(contents)
+	if contents != "" && !strings.HasSuffix(contents, "\n") {
+		contents += "\n"
+	}
+	existing, err := os.ReadFile(path)
+	if err == nil {
+		existingStr := strings.TrimSpace(string(existing))
+		if existingStr != "" && !strings.HasSuffix(existingStr, "\n") {
+			existingStr += "\n"
+		}
+		if existingStr == contents {
+			logger.Debug("auth-daemon: CA cert unchanged at %s, skipping write", path)
+			return nil
+		}
+		if !force {
+			logger.Debug("auth-daemon: CA cert already exists at %s, skipping write (Force disabled)", path)
+			return nil
+		}
+	} else if !os.IsNotExist(err) {
+		return fmt.Errorf("read %s: %w", path, err)
+	}
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("mkdir %s: %w", dir, err)
+	}
+	if err := os.WriteFile(path, []byte(contents), 0644); err != nil {
+		return fmt.Errorf("write CA cert: %w", err)
+	}
+	logger.Info("auth-daemon: wrote CA cert to %s", path)
+	return nil
+}
+
+// writePrincipals updates the principals file at path: JSON object keyed by username, value is array of principals. Adds username and niceId to that user's list (deduped).
+func writePrincipals(path, username, niceId string) error {
+	if path == "" {
+		return nil
+	}
+	username = strings.TrimSpace(username)
+	niceId = strings.TrimSpace(niceId)
+	if username == "" {
+		return nil
+	}
+	data := make(map[string][]string)
+	if raw, err := os.ReadFile(path); err == nil {
+		_ = json.Unmarshal(raw, &data)
+	}
+	list := data[username]
+	seen := make(map[string]struct{}, len(list)+2)
+	for _, p := range list {
+		seen[p] = struct{}{}
+	}
+	for _, p := range []string{username, niceId} {
+		if p == "" {
+			continue
+		}
+		if _, ok := seen[p]; !ok {
+			seen[p] = struct{}{}
+			list = append(list, p)
+		}
+	}
+	data[username] = list
+	body, err := json.Marshal(data)
+	if err != nil {
+		return fmt.Errorf("marshal principals: %w", err)
+	}
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("mkdir %s: %w", dir, err)
+	}
+	if err := os.WriteFile(path, body, 0644); err != nil {
+		return fmt.Errorf("write principals: %w", err)
+	}
+	logger.Debug("auth-daemon: wrote principals to %s", path)
+	return nil
+}
+
+// sudoGroup returns the name of the sudo group (wheel or sudo) that exists on the system. Prefers wheel.
+func sudoGroup() string {
+	f, err := os.Open("/etc/group")
+	if err != nil {
+		return "sudo"
+	}
+	defer f.Close()
+	sc := bufio.NewScanner(f)
+	hasWheel := false
+	hasSudo := false
+	for sc.Scan() {
+		line := sc.Text()
+		if strings.HasPrefix(line, "wheel:") {
+			hasWheel = true
+		}
+		if strings.HasPrefix(line, "sudo:") {
+			hasSudo = true
+		}
+	}
+	if hasWheel {
+		return "wheel"
+	}
+	if hasSudo {
+		return "sudo"
+	}
+	return "sudo"
+}
+
+const skelDir = "/etc/skel"
+
+// copySkelInto copies files from srcDir (e.g. /etc/skel) into dstDir (e.g. user's home).
+// Only creates files that don't already exist. All created paths are chowned to uid:gid.
+func copySkelInto(srcDir, dstDir string, uid, gid int) {
+	entries, err := os.ReadDir(srcDir)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			logger.Warn("auth-daemon: read %s: %v", srcDir, err)
+		}
+		return
+	}
+	for _, e := range entries {
+		name := e.Name()
+		src := filepath.Join(srcDir, name)
+		dst := filepath.Join(dstDir, name)
+		if e.IsDir() {
+			if st, err := os.Stat(dst); err == nil && st.IsDir() {
+				copySkelInto(src, dst, uid, gid)
+				continue
+			}
+			if err := os.MkdirAll(dst, 0755); err != nil {
+				logger.Warn("auth-daemon: mkdir %s: %v", dst, err)
+				continue
+			}
+			if err := os.Chown(dst, uid, gid); err != nil {
+				logger.Warn("auth-daemon: chown %s: %v", dst, err)
+			}
+			copySkelInto(src, dst, uid, gid)
+			continue
+		}
+		if _, err := os.Stat(dst); err == nil {
+			continue
+		}
+		data, err := os.ReadFile(src)
+		if err != nil {
+			logger.Warn("auth-daemon: read %s: %v", src, err)
+			continue
+		}
+		if err := os.WriteFile(dst, data, 0644); err != nil {
+			logger.Warn("auth-daemon: write %s: %v", dst, err)
+			continue
+		}
+		if err := os.Chown(dst, uid, gid); err != nil {
+			logger.Warn("auth-daemon: chown %s: %v", dst, err)
+		}
+	}
+}
+
+// ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
+func ensureUser(username string, meta ConnectionMetadata) error {
+	if username == "" {
+		return nil
+	}
+	u, err := user.Lookup(username)
+	if err != nil {
+		if _, ok := err.(user.UnknownUserError); !ok {
+			return fmt.Errorf("lookup user %s: %w", username, err)
+		}
+		return createUser(username, meta)
+	}
+	return reconcileUser(u, meta)
+}
+
+// desiredGroups returns the exact list of supplementary groups the user should have:
+// meta.Groups plus the sudo group when meta.SudoMode is "full" (deduped).
+func desiredGroups(meta ConnectionMetadata) []string {
+	seen := make(map[string]struct{})
+	var out []string
+	for _, g := range meta.Groups {
+		g = strings.TrimSpace(g)
+		if g == "" {
+			continue
+		}
+		if _, ok := seen[g]; ok {
+			continue
+		}
+		seen[g] = struct{}{}
+		out = append(out, g)
+	}
+	if meta.SudoMode == "full" {
+		sg := sudoGroup()
+		if _, ok := seen[sg]; !ok {
+			out = append(out, sg)
+		}
+	}
+	return out
+}
+
+// setUserGroups sets the user's supplementary groups to exactly groups (local mirrors metadata).
+// When groups is empty, clears all supplementary groups (usermod -G "").
+func setUserGroups(username string, groups []string) {
+	list := strings.Join(groups, ",")
+	cmd := exec.Command("usermod", "-G", list, username)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		logger.Warn("auth-daemon: usermod -G %s: %v (output: %s)", list, err, string(out))
+	} else {
+		logger.Info("auth-daemon: set %s supplementary groups to %s", username, list)
+	}
+}
+
+func createUser(username string, meta ConnectionMetadata) error {
+	args := []string{"-s", "/bin/bash"}
+	if meta.Homedir {
+		args = append(args, "-m")
+	} else {
+		args = append(args, "-M")
+	}
+	args = append(args, username)
+	cmd := exec.Command("useradd", args...)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
+	}
+	logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
+	if meta.Homedir {
+		if u, err := user.Lookup(username); err == nil && u.HomeDir != "" {
+			uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
+			copySkelInto(skelDir, u.HomeDir, uid, gid)
+		}
+	}
+	setUserGroups(username, desiredGroups(meta))
+	switch meta.SudoMode {
+	case "full":
+		if err := configurePasswordlessSudo(username); err != nil {
+			logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", username, err)
+		}
+	case "commands":
+		if len(meta.SudoCommands) > 0 {
+			if err := configureSudoCommands(username, meta.SudoCommands); err != nil {
+				logger.Warn("auth-daemon: configure sudo commands for %s: %v", username, err)
+			}
+		}
+	default:
+		removeSudoers(username)
+	}
+	return nil
+}
+
+const sudoersFilePrefix = "90-pangolin-"
+
+func sudoersPath(username string) string {
+	return filepath.Join("/etc/sudoers.d", sudoersFilePrefix+username)
+}
+
+// writeSudoersFile writes content to the user's sudoers.d file and validates with visudo.
+func writeSudoersFile(username, content string) error {
+	sudoersFile := sudoersPath(username)
+	tmpFile := sudoersFile + ".tmp"
+	if err := os.WriteFile(tmpFile, []byte(content), 0440); err != nil {
+		return fmt.Errorf("write temp sudoers file: %w", err)
+	}
+	cmd := exec.Command("visudo", "-c", "-f", tmpFile)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		os.Remove(tmpFile)
+		return fmt.Errorf("visudo validation failed: %w (output: %s)", err, string(out))
+	}
+	if err := os.Rename(tmpFile, sudoersFile); err != nil {
+		os.Remove(tmpFile)
+		return fmt.Errorf("move sudoers file: %w", err)
+	}
+	return nil
+}
+
+// configurePasswordlessSudo creates a sudoers.d file to allow passwordless sudo for the user.
+func configurePasswordlessSudo(username string) error {
+	content := fmt.Sprintf("# Created by Pangolin auth-daemon\n%s ALL=(ALL) NOPASSWD:ALL\n", username)
+	if err := writeSudoersFile(username, content); err != nil {
+		return err
+	}
+	logger.Info("auth-daemon: configured passwordless sudo for %s", username)
+	return nil
+}
+
+// configureSudoCommands creates a sudoers.d file allowing only the listed commands (NOPASSWD).
+// Each command should be a full path (e.g. /usr/bin/systemctl).
+func configureSudoCommands(username string, commands []string) error {
+	var b strings.Builder
+	b.WriteString("# Created by Pangolin auth-daemon (restricted commands)\n")
+	n := 0
+	for _, c := range commands {
+		c = strings.TrimSpace(c)
+		if c == "" {
+			continue
+		}
+		fmt.Fprintf(&b, "%s ALL=(ALL) NOPASSWD: %s\n", username, c)
+		n++
+	}
+	if n == 0 {
+		return fmt.Errorf("no valid sudo commands")
+	}
+	if err := writeSudoersFile(username, b.String()); err != nil {
+		return err
+	}
+	logger.Info("auth-daemon: configured restricted sudo for %s (%d commands)", username, len(commands))
+	return nil
+}
+
+// removeSudoers removes the sudoers.d file for the user.
+func removeSudoers(username string) {
+	sudoersFile := sudoersPath(username)
+	if err := os.Remove(sudoersFile); err != nil && !os.IsNotExist(err) {
+		logger.Warn("auth-daemon: remove sudoers for %s: %v", username, err)
+	} else if err == nil {
+		logger.Info("auth-daemon: removed sudoers for %s", username)
+	}
+}
+
+func mustAtoi(s string) int {
+	n, _ := strconv.Atoi(s)
+	return n
+}
+
+func reconcileUser(u *user.User, meta ConnectionMetadata) error {
+	setUserGroups(u.Username, desiredGroups(meta))
+	switch meta.SudoMode {
+	case "full":
+		if err := configurePasswordlessSudo(u.Username); err != nil {
+			logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", u.Username, err)
+		}
+	case "commands":
+		if len(meta.SudoCommands) > 0 {
+			if err := configureSudoCommands(u.Username, meta.SudoCommands); err != nil {
+				logger.Warn("auth-daemon: configure sudo commands for %s: %v", u.Username, err)
+			}
+		} else {
+			removeSudoers(u.Username)
+		}
+	default:
+		removeSudoers(u.Username)
+	}
+	if meta.Homedir && u.HomeDir != "" {
+		uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
+		if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() {
+			if err := os.MkdirAll(u.HomeDir, 0755); err != nil {
+				logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err)
+			} else {
+				_ = os.Chown(u.HomeDir, uid, gid)
+				copySkelInto(skelDir, u.HomeDir, uid, gid)
+				logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username)
+			}
+		} else {
+			// Ensure .bashrc etc. exist (e.g. home existed but was empty or skel was minimal)
+			copySkelInto(skelDir, u.HomeDir, uid, gid)
+		}
+	}
+	return nil
+}

authdaemon/host_stub.go

@@ -0,0 +1,22 @@
+//go:build !linux
+
+package authdaemon
+
+import "fmt"
+
+var errLinuxOnly = fmt.Errorf("auth-daemon PAM agent is only supported on Linux")
+
+// writeCACertIfNotExists returns an error on non-Linux.
+func writeCACertIfNotExists(path, contents string, force bool) error {
+	return errLinuxOnly
+}
+
+// ensureUser returns an error on non-Linux.
+func ensureUser(username string, meta ConnectionMetadata) error {
+	return errLinuxOnly
+}
+
+// writePrincipals returns an error on non-Linux.
+func writePrincipals(path, username, niceId string) error {
+	return errLinuxOnly
+}

authdaemon/principals.go

@@ -0,0 +1,28 @@
+package authdaemon
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+)
+
+// GetPrincipals reads the principals data file at path, looks up the given user, and returns that user's principals as a string slice.
+// The file format is JSON: object with username keys and array-of-principals values, e.g. {"alice":["alice","usr-123"],"bob":["bob","usr-456"]}.
+// If the user is not found or the file is missing, returns nil and nil.
+func GetPrincipals(path, user string) ([]string, error) {
+	if path == "" {
+		return nil, fmt.Errorf("principals file path is required")
+	}
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("read principals file: %w", err)
+	}
+	var m map[string][]string
+	if err := json.Unmarshal(data, &m); err != nil {
+		return nil, fmt.Errorf("parse principals file: %w", err)
+	}
+	return m[user], nil
+}

authdaemon/routes.go

@@ -0,0 +1,58 @@
+package authdaemon
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+// registerRoutes registers all API routes. Add new endpoints here.
+func (s *Server) registerRoutes() {
+	s.mux.HandleFunc("/health", s.handleHealth)
+	s.mux.HandleFunc("/connection", s.handleConnection)
+}
+
+// ConnectionMetadata is the metadata object in POST /connection.
+type ConnectionMetadata struct {
+	SudoMode     string   `json:"sudoMode"`     // "none" | "full" | "commands"
+	SudoCommands []string `json:"sudoCommands"`  // used when sudoMode is "commands"
+	Homedir      bool     `json:"homedir"`
+	Groups       []string `json:"groups"`        // system groups to add the user to
+}
+
+// ConnectionRequest is the JSON body for POST /connection.
+type ConnectionRequest struct {
+	CaCert   string             `json:"caCert"`
+	NiceId   string             `json:"niceId"`
+	Username string             `json:"username"`
+	Metadata ConnectionMetadata `json:"metadata"`
+}
+
+// healthResponse is the JSON body for GET /health.
+type healthResponse struct {
+	Status string `json:"status"`
+}
+
+// handleHealth responds with 200 and {"status":"ok"}.
+func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(healthResponse{Status: "ok"})
+}
+
+// handleConnection accepts POST with connection payload and delegates to ProcessConnection.
+func (s *Server) handleConnection(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	var req ConnectionRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Bad Request", http.StatusBadRequest)
+		return
+	}
+	s.ProcessConnection(req)
+	w.WriteHeader(http.StatusOK)
+}

authdaemon/server.go

@@ -0,0 +1,179 @@
+package authdaemon
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/subtle"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net/http"
+	"os"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/fosrl/newt/logger"
+)
+
+type Config struct {
+	// DisableHTTPS: when true, Run() does not start the HTTPS server (for embedded use inside Newt). Call ProcessConnection directly for connection events.
+	DisableHTTPS       bool
+	Port               int    // Required when DisableHTTPS is false. Listen port for the HTTPS server. No default.
+	PresharedKey       string // Required when DisableHTTPS is false. HTTP auth (Authorization: Bearer <key> or X-Preshared-Key: <key>). No default.
+	CACertPath         string // Required. Where to write the CA cert (e.g. /etc/ssh/ca.pem). No default.
+	Force              bool   // If true, overwrite existing CA cert (and other items) when content differs. Default false.
+	PrincipalsFilePath string // Required. Path to the principals data file (JSON: username -> array of principals). No default.
+}
+
+type Server struct {
+	cfg          Config
+	addr         string
+	presharedKey string
+	mux          *http.ServeMux
+	tlsCert      tls.Certificate
+}
+
+// generateTLSCert creates a self-signed certificate and key in memory (no disk).
+func generateTLSCert() (tls.Certificate, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("generate key: %w", err)
+	}
+	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("serial: %w", err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName: "localhost",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost", "127.0.0.1"},
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("create certificate: %w", err)
+	}
+	keyDER, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("marshal key: %w", err)
+	}
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("x509 key pair: %w", err)
+	}
+	return cert, nil
+}
+
+// authMiddleware wraps next and requires a valid preshared key on every request.
+// Accepts Authorization: Bearer <key> or X-Preshared-Key: <key>.
+func (s *Server) authMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		key := ""
+		if v := r.Header.Get("Authorization"); strings.HasPrefix(v, "Bearer ") {
+			key = strings.TrimSpace(strings.TrimPrefix(v, "Bearer "))
+		}
+		if key == "" {
+			key = strings.TrimSpace(r.Header.Get("X-Preshared-Key"))
+		}
+		if key == "" || subtle.ConstantTimeCompare([]byte(key), []byte(s.presharedKey)) != 1 {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// NewServer builds a new auth-daemon server from cfg. Port, PresharedKey, CACertPath, and PrincipalsFilePath are required (no defaults).
+func NewServer(cfg Config) (*Server, error) {
+	if runtime.GOOS != "linux" {
+		return nil, fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS)
+	}
+	if !cfg.DisableHTTPS {
+		if cfg.Port <= 0 {
+			return nil, fmt.Errorf("port is required and must be positive")
+		}
+		if cfg.PresharedKey == "" {
+			return nil, fmt.Errorf("preshared key is required")
+		}
+	}
+	if cfg.CACertPath == "" {
+		return nil, fmt.Errorf("CACertPath is required")
+	}
+	if cfg.PrincipalsFilePath == "" {
+		return nil, fmt.Errorf("PrincipalsFilePath is required")
+	}
+	s := &Server{cfg: cfg}
+	if !cfg.DisableHTTPS {
+		cert, err := generateTLSCert()
+		if err != nil {
+			return nil, err
+		}
+		s.addr = fmt.Sprintf(":%d", cfg.Port)
+		s.presharedKey = cfg.PresharedKey
+		s.mux = http.NewServeMux()
+		s.tlsCert = cert
+		s.registerRoutes()
+	}
+	return s, nil
+}
+
+// Run starts the HTTPS server (unless DisableHTTPS) and blocks until ctx is cancelled or the server errors.
+// When DisableHTTPS is true, Run() blocks on ctx only and does not listen; use ProcessConnection for connection events.
+func (s *Server) Run(ctx context.Context) error {
+	if s.cfg.DisableHTTPS {
+		logger.Info("auth-daemon running (HTTPS disabled)")
+		<-ctx.Done()
+		s.cleanupPrincipalsFile()
+		return nil
+	}
+	tcfg := &tls.Config{
+		Certificates: []tls.Certificate{s.tlsCert},
+		MinVersion:   tls.VersionTLS12,
+	}
+	handler := s.authMiddleware(s.mux)
+	srv := &http.Server{
+		Addr:              s.addr,
+		Handler:           handler,
+		TLSConfig:         tcfg,
+		ReadTimeout:       10 * time.Second,
+		WriteTimeout:      10 * time.Second,
+		ReadHeaderTimeout: 5 * time.Second,
+		IdleTimeout:       60 * time.Second,
+	}
+	go func() {
+		<-ctx.Done()
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		if err := srv.Shutdown(shutdownCtx); err != nil {
+			logger.Warn("auth-daemon shutdown: %v", err)
+		}
+	}()
+	logger.Info("auth-daemon listening on https://127.0.0.1%s", s.addr)
+	if err := srv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+	s.cleanupPrincipalsFile()
+	return nil
+}
+
+func (s *Server) cleanupPrincipalsFile() {
+	if s.cfg.PrincipalsFilePath != "" {
+		if err := os.Remove(s.cfg.PrincipalsFilePath); err != nil && !os.IsNotExist(err) {
+			logger.Warn("auth-daemon: remove principals file: %v", err)
+		}
+	}
+}

bind/shared_bind.go

@@ -144,6 +144,10 @@ type SharedBind struct {
 
 	// Callback for magic test responses (used for holepunch testing)
 	magicResponseCallback atomic.Pointer[func(addr netip.AddrPort, echoData []byte)]
+
+	// Rebinding state - used to keep receive goroutines alive during socket transition
+	rebinding     bool       // true when socket is being replaced
+	rebindingCond *sync.Cond // signaled when rebind completes
 }
 
 // MagicResponseCallback is the function signature for magic packet response callbacks
@@ -163,6 +167,9 @@ func New(udpConn *net.UDPConn) (*SharedBind, error) {
 		closeChan:       make(chan struct{}),
 	}
 
+	// Initialize the rebinding condition variable
+	bind.rebindingCond = sync.NewCond(&bind.mu)
+
 	// Initialize reference count to 1 (the creator holds the first reference)
 	bind.refCount.Store(1)
 
@@ -310,6 +317,109 @@ func (b *SharedBind) IsClosed() bool {
 	return b.closed.Load()
 }
 
+// GetPort returns the current UDP port the bind is using.
+// This is useful when rebinding to try to reuse the same port.
+func (b *SharedBind) GetPort() uint16 {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+	return b.port
+}
+
+// CloseSocket closes the underlying UDP connection to release the port,
+// but keeps the SharedBind in a state where it can accept a new connection via Rebind.
+// This allows the caller to close the old socket first, then bind a new socket
+// to the same port before calling Rebind.
+//
+// Returns the port that was being used, so the caller can attempt to rebind to it.
+// Sets the rebinding flag so receive goroutines will wait for the new socket
+// instead of exiting.
+func (b *SharedBind) CloseSocket() (uint16, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.closed.Load() {
+		return 0, fmt.Errorf("bind is closed")
+	}
+
+	port := b.port
+
+	// Set rebinding flag BEFORE closing the socket so receive goroutines
+	// know to wait instead of exit
+	b.rebinding = true
+
+	// Close the old connection to release the port
+	if b.udpConn != nil {
+		logger.Debug("Closing UDP connection to release port %d (rebinding)", port)
+		b.udpConn.Close()
+		b.udpConn = nil
+	}
+
+	return port, nil
+}
+
+// Rebind replaces the underlying UDP connection with a new one.
+// This is necessary when network connectivity changes (e.g., WiFi to cellular
+// transition on macOS/iOS) and the old socket becomes stale.
+//
+// The caller is responsible for creating the new UDP connection and passing it here.
+// After rebind, the caller should trigger a hole punch to re-establish NAT mappings.
+//
+// Note: Call CloseSocket() first if you need to rebind to the same port, as the
+// old socket must be closed before a new socket can bind to the same port.
+func (b *SharedBind) Rebind(newConn *net.UDPConn) error {
+	if newConn == nil {
+		return fmt.Errorf("newConn cannot be nil")
+	}
+
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.closed.Load() {
+		return fmt.Errorf("bind is closed")
+	}
+
+	// Close the old connection if it's still open
+	// (it may have already been closed via CloseSocket)
+	if b.udpConn != nil {
+		logger.Debug("Closing old UDP connection during rebind")
+		b.udpConn.Close()
+	}
+
+	// Set up the new connection
+	b.udpConn = newConn
+
+	// Update packet connections for the new socket
+	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+		b.ipv4PC = ipv4.NewPacketConn(newConn)
+		b.ipv6PC = ipv6.NewPacketConn(newConn)
+
+		// Re-initialize message buffers for batch operations
+		batchSize := wgConn.IdealBatchSize
+		b.ipv4Msgs = make([]ipv4.Message, batchSize)
+		for i := range b.ipv4Msgs {
+			b.ipv4Msgs[i].OOB = make([]byte, 0)
+		}
+	} else {
+		// For non-Linux platforms, still set up ipv4PC for consistency
+		b.ipv4PC = ipv4.NewPacketConn(newConn)
+		b.ipv6PC = ipv6.NewPacketConn(newConn)
+	}
+
+	// Update the port
+	if addr, ok := newConn.LocalAddr().(*net.UDPAddr); ok {
+		b.port = uint16(addr.Port)
+		logger.Info("Rebound UDP socket to port %d", b.port)
+	}
+
+	// Clear the rebinding flag and wake up any waiting receive goroutines
+	b.rebinding = false
+	b.rebindingCond.Broadcast()
+
+	logger.Debug("Rebind complete, signaled waiting receive goroutines")
+
+	return nil
+}
+
 // SetMagicResponseCallback sets a callback function that will be called when
 // a magic test response packet is received. This is used for holepunch testing.
 // Pass nil to clear the callback.
@@ -392,24 +502,77 @@ func (b *SharedBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 // makeReceiveSocket creates a receive function for physical UDP socket packets
 func (b *SharedBind) makeReceiveSocket() wgConn.ReceiveFunc {
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
-		if b.closed.Load() {
-			return 0, net.ErrClosed
-		}
+		for {
+			if b.closed.Load() {
+				return 0, net.ErrClosed
+			}
 
-		b.mu.RLock()
-		conn := b.udpConn
-		pc := b.ipv4PC
-		b.mu.RUnlock()
+			b.mu.RLock()
+			conn := b.udpConn
+			pc := b.ipv4PC
+			b.mu.RUnlock()
 
-		if conn == nil {
-			return 0, net.ErrClosed
-		}
+			if conn == nil {
+				// Socket is nil - check if we're rebinding or truly closed
+				if b.closed.Load() {
+					return 0, net.ErrClosed
+				}
 
-		// Use batch reading on Linux for performance
-		if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
-			return b.receiveIPv4Batch(pc, bufs, sizes, eps)
+				// Wait for rebind to complete
+				b.mu.Lock()
+				for b.rebinding && !b.closed.Load() {
+					logger.Debug("Receive goroutine waiting for socket rebind to complete")
+					b.rebindingCond.Wait()
+				}
+				b.mu.Unlock()
+
+				// Check again after waking up
+				if b.closed.Load() {
+					return 0, net.ErrClosed
+				}
+
+				// Loop back to retry with new socket
+				continue
+			}
+
+			// Use batch reading on Linux for performance
+			var n int
+			var err error
+			if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
+				n, err = b.receiveIPv4Batch(pc, bufs, sizes, eps)
+			} else {
+				n, err = b.receiveIPv4Simple(conn, bufs, sizes, eps)
+			}
+
+			if err != nil {
+				// Check if this error is due to rebinding
+				b.mu.RLock()
+				rebinding := b.rebinding
+				b.mu.RUnlock()
+
+				if rebinding {
+					logger.Debug("Receive got error during rebind, waiting for new socket: %v", err)
+					// Wait for rebind to complete and retry
+					b.mu.Lock()
+					for b.rebinding && !b.closed.Load() {
+						b.rebindingCond.Wait()
+					}
+					b.mu.Unlock()
+
+					if b.closed.Load() {
+						return 0, net.ErrClosed
+					}
+
+					// Retry with new socket
+					continue
+				}
+
+				// Not rebinding, return the error
+				return 0, err
+			}
+
+			return n, nil
 		}
-		return b.receiveIPv4Simple(conn, bufs, sizes, eps)
 	}
 }
 
@@ -492,6 +655,8 @@ func (b *SharedBind) receiveIPv4Batch(pc *ipv4.PacketConn, bufs [][]byte, sizes
 
 // receiveIPv4Simple uses simple ReadFromUDP for non-Linux platforms
 func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (int, error) {
+	// No read deadline - we rely on socket close to unblock during rebind.
+	// The caller (makeReceiveSocket) handles rebind state when errors occur.
 	for {
 		n, addr, err := conn.ReadFromUDP(bufs[0])
 		if err != nil {

clients/clients.go

@@ -1035,21 +1035,22 @@ func (s *WireGuardService) processPeerBandwidth(publicKey string, rxBytes, txByt
 			// Update the last reading
 			s.lastReadings[publicKey] = currentReading
 
-			return &PeerBandwidth{
-				PublicKey: publicKey,
-				BytesIn:   bytesInMB,
-				BytesOut:  bytesOutMB,
+			// Only return bandwidth data if there was an increase
+			if bytesInDiff > 0 || bytesOutDiff > 0 {
+				return &PeerBandwidth{
+					PublicKey: publicKey,
+					BytesIn:   bytesInMB,
+					BytesOut:  bytesOutMB,
+				}
 			}
+			
+			return nil
 		}
 	}
 
-	// For first reading or if readings are too close together, report 0
+	// For first reading or if readings are too close together, don't report
 	s.lastReadings[publicKey] = currentReading
-	return &PeerBandwidth{
-		PublicKey: publicKey,
-		BytesIn:   0,
-		BytesOut:  0,
-	}
+	return nil
 }
 
 func (s *WireGuardService) reportPeerBandwidth() error {

docker-compose.yml

@@ -4,7 +4,7 @@ services:
     container_name: newt
     restart: unless-stopped
     environment:
-      - PANGOLIN_ENDPOINT=https://example.com
+      - PANGOLIN_ENDPOINT=https://app.pangolin.net
       - NEWT_ID=2ix2t8xk22ubpfy 
       - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
       - LOG_LEVEL=DEBUG

flake.nix

@@ -35,7 +35,7 @@
             inherit version;
             src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
 
-            vendorHash = "sha256-5Xr6mwPtsqEliKeKv2rhhp6JC7u3coP4nnhIxGMqccU=";
+            vendorHash = "sha256-Sib6AUCpMgxlMpTc2Esvs+UU0yduVOxWUgT44FHAI+k=";
 
             nativeInstallCheckInputs = [ pkgs.versionCheckHook ];
 

go.mod

@@ -7,26 +7,26 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus/client_golang v1.23.2
 	github.com/vishvananda/netlink v1.3.1
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
-	go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0
-	go.opentelemetry.io/otel v1.38.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
-	go.opentelemetry.io/otel/exporters/prometheus v0.60.0
-	go.opentelemetry.io/otel/metric v1.38.0
-	go.opentelemetry.io/otel/sdk v1.38.0
-	go.opentelemetry.io/otel/sdk/metric v1.38.0
-	golang.org/x/crypto v0.45.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0
+	go.opentelemetry.io/otel v1.39.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0
+	go.opentelemetry.io/otel/exporters/prometheus v0.61.0
+	go.opentelemetry.io/otel/metric v1.39.0
+	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk/metric v1.39.0
+	golang.org/x/crypto v0.46.0
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6
-	golang.org/x/net v0.47.0
-	golang.org/x/sys v0.38.0
+	golang.org/x/net v0.48.0
+	golang.org/x/sys v0.39.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.76.0
+	google.golang.org/grpc v1.77.0
 	gopkg.in/yaml.v3 v3.0.1
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
-	software.sslmate.com/src/go-pkcs12 v0.6.0
+	software.sslmate.com/src/go-pkcs12 v0.7.0
 )
 
 require (
@@ -44,8 +44,7 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
@@ -55,23 +54,23 @@ require (
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/otlptranslator v0.0.2 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/otlptranslator v1.0.0 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 )

go.sum

@@ -41,10 +41,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
-github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -77,14 +75,14 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
-github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
-github.com/prometheus/otlptranslator v0.0.2 h1:+1CdeLVrRQ6Psmhnobldo0kTp96Rj80DRXRd5OSnMEQ=
-github.com/prometheus/otlptranslator v0.0.2/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI=
-github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
-github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
+github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
+github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
+github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
@@ -93,54 +91,54 @@ github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
-go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ=
-go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0 h1:/+/+UjlXjFcdDlXxKL1PouzX8Z2Vl0OxolRKeBEgYDw=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0/go.mod h1:Ldm/PDuzY2DP7IypudopCR3OCOW42NJlN9+mNEroevo=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
-go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
-go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
-go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
+go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0=
+go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
+go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
@@ -155,14 +153,14 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc=
-google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
-google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -172,5 +170,5 @@ gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
-software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
-software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0=
+software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

main.go

@@ -1,7 +1,9 @@
 package main
 
 import (
+	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -11,12 +13,12 @@ import (
 	"net/netip"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
 
+	"github.com/fosrl/newt/authdaemon"
 	"github.com/fosrl/newt/docker"
 	"github.com/fosrl/newt/healthcheck"
 	"github.com/fosrl/newt/logger"
@@ -58,10 +60,6 @@ type ExitNodeData struct {
 	ExitNodes []ExitNode `json:"exitNodes"`
 }
 
-type SSHPublicKeyData struct {
-	PublicKey string `json:"publicKey"`
-}
-
 // ExitNode represents an exit node with an ID, endpoint, and weight.
 type ExitNode struct {
 	ID                     int     `json:"exitNodeId"`
@@ -134,6 +132,10 @@ var (
 	preferEndpoint                     string
 	healthMonitor                      *healthcheck.Monitor
 	enforceHealthcheckCert             bool
+	authDaemonKey                      string
+	authDaemonPrincipalsFile           string
+	authDaemonCACertPath               string
+	authDaemonEnabled                  bool
 	// Build/version (can be overridden via -ldflags "-X main.newtVersion=...")
 	newtVersion = "version_replaceme"
 
@@ -156,6 +158,28 @@ var (
 )
 
 func main() {
+	// Check for subcommands first (only principals exits early)
+	if len(os.Args) > 1 {
+		switch os.Args[1] {
+		case "auth-daemon":
+			// Run principals subcommand only if the next argument is "principals"
+			if len(os.Args) > 2 && os.Args[2] == "principals" {
+				runPrincipalsCmd(os.Args[3:])
+				return
+			}
+
+			// auth-daemon subcommand without "principals" - show help
+			fmt.Println("Error: auth-daemon subcommand requires 'principals' argument")
+			fmt.Println()
+			fmt.Println("Usage:")
+			fmt.Println("  newt auth-daemon principals [options]")
+			fmt.Println()
+
+			// If not "principals", exit the switch to continue with normal execution
+			return
+		}
+	}
+
 	// Check if we're running as a Windows service
 	if isWindowsService() {
 		runService("NewtWireguardService", false, os.Args[1:])
@@ -187,6 +211,10 @@ func runNewtMain(ctx context.Context) {
 	updownScript = os.Getenv("UPDOWN_SCRIPT")
 	interfaceName = os.Getenv("INTERFACE")
 	portStr := os.Getenv("PORT")
+	authDaemonKey = os.Getenv("AD_KEY")
+	authDaemonPrincipalsFile = os.Getenv("AD_PRINCIPALS_FILE")
+	authDaemonCACertPath = os.Getenv("AD_CA_CERT_PATH")
+	authDaemonEnabledEnv := os.Getenv("AUTH_DAEMON_ENABLED")
 
 	// Metrics/observability env mirrors
 	metricsEnabledEnv := os.Getenv("NEWT_METRICS_PROMETHEUS_ENABLED")
@@ -279,10 +307,6 @@ func runNewtMain(ctx context.Context) {
 	// load the prefer endpoint just as a flag
 	flag.StringVar(&preferEndpoint, "prefer-endpoint", "", "Prefer this endpoint for the connection (if set, will override the endpoint from the server)")
 
-	// if authorizedKeysFile == "" {
-	// 	flag.StringVar(&authorizedKeysFile, "authorized-keys-file", "~/.ssh/authorized_keys", "Path to authorized keys file (if unset, no keys will be authorized)")
-	// }
-
 	// Add new mTLS flags
 	if tlsClientCert == "" {
 		flag.StringVar(&tlsClientCert, "tls-client-cert-file", "", "Path to client certificate file (PEM/DER format)")
@@ -344,7 +368,7 @@ func runNewtMain(ctx context.Context) {
 
 	// Metrics/observability flags (mirror ENV if unset)
 	if metricsEnabledEnv == "" {
-		flag.BoolVar(&metricsEnabled, "metrics", true, "Enable Prometheus /metrics exporter")
+		flag.BoolVar(&metricsEnabled, "metrics", false, "Enable Prometheus metrics exporter")
 	} else {
 		if v, err := strconv.ParseBool(metricsEnabledEnv); err == nil {
 			metricsEnabled = v
@@ -379,6 +403,24 @@ func runNewtMain(ctx context.Context) {
 		region = regionEnv
 	}
 
+	// Auth daemon flags
+	if authDaemonKey == "" {
+		flag.StringVar(&authDaemonKey, "ad-pre-shared-key", "", "Pre-shared key for auth daemon authentication")
+	}
+	if authDaemonPrincipalsFile == "" {
+		flag.StringVar(&authDaemonPrincipalsFile, "ad-principals-file", "/var/run/auth-daemon/principals", "Path to the principals file for auth daemon")
+	}
+	if authDaemonCACertPath == "" {
+		flag.StringVar(&authDaemonCACertPath, "ad-ca-cert-path", "/etc/ssh/ca.pem", "Path to the CA certificate file for auth daemon")
+	}
+	if authDaemonEnabledEnv == "" {
+		flag.BoolVar(&authDaemonEnabled, "auth-daemon", false, "Enable auth daemon mode (runs alongside normal newt operation)")
+	} else {
+		if v, err := strconv.ParseBool(authDaemonEnabledEnv); err == nil {
+			authDaemonEnabled = v
+		}
+	}
+
 	// do a --version check
 	version := flag.Bool("version", false, "Print the version")
 
@@ -398,6 +440,13 @@ func runNewtMain(ctx context.Context) {
 
 	logger.Init(nil)
 	loggerLevel := util.ParseLogLevel(logLevel)
+
+	// Start auth daemon if enabled
+	if authDaemonEnabled {
+		if err := startAuthDaemon(ctx); err != nil {
+			logger.Fatal("Failed to start auth daemon: %v", err)
+		}
+	}
 	logger.GetLogger().SetLevel(loggerLevel)
 
 	// Initialize telemetry after flags are parsed (so flags override env)
@@ -694,8 +743,8 @@ func runNewtMain(ctx context.Context) {
 
 		relayPort := wgData.RelayPort
 		if relayPort == 0 {
-            relayPort = 21820
-        }
+			relayPort = 21820
+		}
 
 		clientsHandleNewtConnection(wgData.PublicKey, endpoint, relayPort)
 
@@ -1168,94 +1217,6 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
-	// EXPERIMENTAL: WHAT SHOULD WE DO ABOUT SECURITY?
-	client.RegisterHandler("newt/send/ssh/publicKey", func(msg websocket.WSMessage) {
-		logger.Debug("Received SSH public key request")
-
-		var sshPublicKeyData SSHPublicKeyData
-
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Info(fmtErrMarshaling, err)
-			return
-		}
-		if err := json.Unmarshal(jsonData, &sshPublicKeyData); err != nil {
-			logger.Info("Error unmarshaling SSH public key data: %v", err)
-			return
-		}
-
-		sshPublicKey := sshPublicKeyData.PublicKey
-
-		if authorizedKeysFile == "" {
-			logger.Debug("No authorized keys file set, skipping public key response")
-			return
-		}
-
-		// Expand tilde to home directory if present
-		expandedPath := authorizedKeysFile
-		if strings.HasPrefix(authorizedKeysFile, "~/") {
-			homeDir, err := os.UserHomeDir()
-			if err != nil {
-				logger.Error("Failed to get user home directory: %v", err)
-				return
-			}
-			expandedPath = filepath.Join(homeDir, authorizedKeysFile[2:])
-		}
-
-		// if it is set but the file does not exist, create it
-		if _, err := os.Stat(expandedPath); os.IsNotExist(err) {
-			logger.Debug("Authorized keys file does not exist, creating it: %s", expandedPath)
-			if err := os.MkdirAll(filepath.Dir(expandedPath), 0755); err != nil {
-				logger.Error("Failed to create directory for authorized keys file: %v", err)
-				return
-			}
-			if _, err := os.Create(expandedPath); err != nil {
-				logger.Error("Failed to create authorized keys file: %v", err)
-				return
-			}
-		}
-
-		// Check if the public key already exists in the file
-		fileContent, err := os.ReadFile(expandedPath)
-		if err != nil {
-			logger.Error("Failed to read authorized keys file: %v", err)
-			return
-		}
-
-		// Check if the key already exists (trim whitespace for comparison)
-		existingKeys := strings.Split(string(fileContent), "\n")
-		keyAlreadyExists := false
-		trimmedNewKey := strings.TrimSpace(sshPublicKey)
-
-		for _, existingKey := range existingKeys {
-			if strings.TrimSpace(existingKey) == trimmedNewKey && trimmedNewKey != "" {
-				keyAlreadyExists = true
-				break
-			}
-		}
-
-		if keyAlreadyExists {
-			logger.Info("SSH public key already exists in authorized keys file, skipping")
-			return
-		}
-
-		// append the public key to the authorized keys file
-		logger.Debug("Appending public key to authorized keys file: %s", sshPublicKey)
-		file, err := os.OpenFile(expandedPath, os.O_APPEND|os.O_WRONLY, 0644)
-		if err != nil {
-			logger.Error("Failed to open authorized keys file: %v", err)
-			return
-		}
-		defer file.Close()
-
-		if _, err := file.WriteString(sshPublicKey + "\n"); err != nil {
-			logger.Error("Failed to write public key to authorized keys file: %v", err)
-			return
-		}
-
-		logger.Info("SSH public key appended to authorized keys file")
-	})
-
 	// Register handler for adding health check targets
 	client.RegisterHandler("newt/healthcheck/add", func(msg websocket.WSMessage) {
 		logger.Debug("Received health check add request: %+v", msg)
@@ -1411,6 +1372,175 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
+	// Register handler for SSH certificate issued events
+	client.RegisterHandler("newt/pam/connection", func(msg websocket.WSMessage) {
+		logger.Debug("Received SSH certificate issued message")
+
+		// Define the structure of the incoming message
+		type SSHCertData struct {
+			MessageId          int    `json:"messageId"`
+			AgentPort          int    `json:"agentPort"`
+			AgentHost          string `json:"agentHost"`
+			ExternalAuthDaemon bool   `json:"externalAuthDaemon"`
+			CACert             string `json:"caCert"`
+			Username           string `json:"username"`
+			NiceID             string `json:"niceId"`
+			Metadata           struct {
+				SudoMode     string   `json:"sudoMode"`
+				SudoCommands []string `json:"sudoCommands"`
+				Homedir      bool     `json:"homedir"`
+				Groups       []string `json:"groups"`
+			} `json:"metadata"`
+		}
+
+		var certData SSHCertData
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Error("Error marshaling SSH cert data: %v", err)
+			return
+		}
+
+		// print the received data for debugging
+		logger.Debug("Received SSH cert data: %s", string(jsonData))
+
+		if err := json.Unmarshal(jsonData, &certData); err != nil {
+			logger.Error("Error unmarshaling SSH cert data: %v", err)
+			return
+		}
+
+		// Check if we're running the auth daemon internally
+		if authDaemonServer != nil && !certData.ExternalAuthDaemon { // if the auth daemon is running internally and the external auth daemon is not enabled
+			// Call ProcessConnection directly when running internally
+			logger.Debug("Calling internal auth daemon ProcessConnection for user %s", certData.Username)
+
+			authDaemonServer.ProcessConnection(authdaemon.ConnectionRequest{
+				CaCert:   certData.CACert,
+				NiceId:   certData.NiceID,
+				Username: certData.Username,
+				Metadata: authdaemon.ConnectionMetadata{
+					SudoMode:     certData.Metadata.SudoMode,
+					SudoCommands: certData.Metadata.SudoCommands,
+					Homedir:      certData.Metadata.Homedir,
+					Groups:       certData.Metadata.Groups,
+				},
+			})
+
+			// Send success response back to cloud
+			err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+				"messageId": certData.MessageId,
+				"complete":  true,
+			})
+
+			logger.Info("Successfully processed connection via internal auth daemon for user %s", certData.Username)
+		} else {
+			// External auth daemon mode - make HTTP request
+			// Check if auth daemon key is configured
+			if authDaemonKey == "" {
+				logger.Error("Auth daemon key not configured, cannot communicate with daemon")
+				// Send failure response back to cloud
+				err := client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+					"messageId": certData.MessageId,
+					"complete":  true,
+					"error":     "auth daemon key not configured",
+				})
+				if err != nil {
+					logger.Error("Failed to send SSH cert failure response: %v", err)
+				}
+				return
+			}
+
+			// Prepare the request body for the auth daemon
+			requestBody := map[string]interface{}{
+				"caCert":   certData.CACert,
+				"niceId":   certData.NiceID,
+				"username": certData.Username,
+				"metadata": map[string]interface{}{
+					"sudoMode":     certData.Metadata.SudoMode,
+					"sudoCommands": certData.Metadata.SudoCommands,
+					"homedir":      certData.Metadata.Homedir,
+					"groups":       certData.Metadata.Groups,
+				},
+			}
+
+			requestJSON, err := json.Marshal(requestBody)
+			if err != nil {
+				logger.Error("Failed to marshal auth daemon request: %v", err)
+				// Send failure response
+				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+					"messageId": certData.MessageId,
+					"complete":  true,
+					"error":     fmt.Sprintf("failed to marshal request: %v", err),
+				})
+				return
+			}
+
+			// Create HTTPS client that skips certificate verification
+			// (auth daemon uses self-signed cert)
+			httpClient := &http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: &tls.Config{
+						InsecureSkipVerify: true,
+					},
+				},
+				Timeout: 10 * time.Second,
+			}
+
+			// Make the request to the auth daemon
+			url := fmt.Sprintf("https://%s:%d/connection", certData.AgentHost, certData.AgentPort)
+			req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestJSON))
+			if err != nil {
+				logger.Error("Failed to create auth daemon request: %v", err)
+				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+					"messageId": certData.MessageId,
+					"complete":  true,
+					"error":     fmt.Sprintf("failed to create request: %v", err),
+				})
+				return
+			}
+
+			// Set headers
+			req.Header.Set("Content-Type", "application/json")
+			req.Header.Set("Authorization", "Bearer "+authDaemonKey)
+
+			logger.Debug("Sending SSH cert to auth daemon at %s", url)
+
+			// Send the request
+			resp, err := httpClient.Do(req)
+			if err != nil {
+				logger.Error("Failed to connect to auth daemon: %v", err)
+				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+					"messageId": certData.MessageId,
+					"complete":  true,
+					"error":     fmt.Sprintf("failed to connect to auth daemon: %v", err),
+				})
+				return
+			}
+			defer resp.Body.Close()
+
+			// Check response status
+			if resp.StatusCode != http.StatusOK {
+				logger.Error("Auth daemon returned non-OK status: %d", resp.StatusCode)
+				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+					"messageId": certData.MessageId,
+					"complete":  true,
+					"error":     fmt.Sprintf("auth daemon returned status %d", resp.StatusCode),
+				})
+				return
+			}
+
+			logger.Info("Successfully registered SSH certificate with external auth daemon for user %s", certData.Username)
+		}
+
+		// Send success response back to cloud
+		err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{
+			"messageId": certData.MessageId,
+			"complete":  true,
+		})
+		if err != nil {
+			logger.Error("Failed to send SSH cert success response: %v", err)
+		}
+	})
+
 	client.OnConnect(func() error {
 		publicKey = privateKey.PublicKey()
 		logger.Debug("Public key: %s", publicKey)

updates/updates.go

@@ -119,7 +119,7 @@ func CheckForUpdate(owner, repo, currentVersion string) error {
 
 	// Check if update is available
 	if currentVer.isNewer(latestVer) {
-		printUpdateBanner(currentVer.String(), latestVer.String(), release.HTMLURL)
+		printUpdateBanner(currentVer.String(), latestVer.String(), "curl -fsSL https://static.pangolin.net/get-newt.sh | bash")
 	}
 
 	return nil
@@ -145,7 +145,7 @@ func printUpdateBanner(currentVersion, latestVersion, releaseURL string) {
 		"║  A newer version is available! Please update to get the" + padRight("", contentWidth-56) + "║",
 		"║  latest features, bug fixes, and security improvements." + padRight("", contentWidth-56) + "║",
 		emptyLine,
-		"║  Release URL: " + padRight(releaseURL, contentWidth-15) + "║",
+		"║  Update: " + padRight(releaseURL, contentWidth-10) + "║",
 		emptyLine,
 		borderBot,
 	}