netbirdio · MichaelUray · May 1, 2026 · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@ infrastructure_files/**/docker-compose.yml.bkp.**
 infrastructure_files/**/openid-configuration.json.bkp.**
 infrastructure_files/**/turnserver.conf.bkp.**
 management/management
+management/netbird-mgmt
 client/client
 client/client.exe
 *.syso

diff --git a/client/android/client.go b/client/android/client.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"os"
 	"slices"
+	"strings"
 	"sync"
 	"time"
 
@@ -295,17 +296,56 @@ func (c *Client) SetInfoLogLevel() {
 
 // PeersList return with the list of the PeerInfos
 func (c *Client) PeersList() *PeerInfoArray {
+	// Refresh WireGuard counters (BytesRx/Tx + LastWireguardHandshake)
+	// from the kernel/uapi interface before snapshotting. Without this
+	// the Android UI sees the stale values that were last written when
+	// the peer was opened/closed (typically 0), because the desktop
+	// CLI's Status RPC is what normally drives RefreshWireGuardStats.
+	// Phase 3.7i.
+	if err := c.recorder.RefreshWireGuardStats(); err != nil {
+		log.Debugf("PeersList: refresh wg stats: %v", err)
+	}
 
 	fullStatus := c.recorder.GetFullStatus()
 
 	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
 	for n, p := range fullStatus.Peers {
 		pi := PeerInfo{
-			p.IP,
-			p.FQDN,
-			int(p.ConnStatus),
-			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
+			IP:         p.IP,
+			FQDN:       p.FQDN,
+			ConnStatus: int(p.ConnStatus),
+			Routes:     PeerRoutes{routes: maps.Keys(p.GetRoutes())},
+		}
+
+		// Phase 3.7i (#5989): enrichment fields.
+		pi.Relayed = p.Relayed
+		pi.ServerOnline = p.ServerOnline
+		pi.LocalIceCandidateEndpoint = p.LocalIceCandidateEndpoint
+		pi.RemoteIceCandidateEndpoint = p.RemoteIceCandidateEndpoint
+		pi.RelayServerAddress = p.RelayServerAddress
+		if !p.LastWireguardHandshake.IsZero() {
+			pi.LastWireguardHandshake = p.LastWireguardHandshake.Format(time.RFC3339)
+		}
+		if !p.RemoteLastSeenAtServer.IsZero() {
+			pi.LastSeenAtServer = p.RemoteLastSeenAtServer.Format(time.RFC3339)
+		}
+		pi.LatencyMs = p.Latency.Milliseconds()
+		pi.BytesRx = p.BytesRx
+		pi.BytesTx = p.BytesTx
+		pi.EffectiveConnectionMode = p.RemoteEffectiveConnectionMode
+		pi.ConfiguredConnectionMode = p.RemoteConfiguredConnectionMode
+		if len(p.RemoteGroups) > 0 {
+			pi.Groups = strings.Join(p.RemoteGroups, ",")
+		}
+		pi.ConnectionTypeExtended = peer.DeriveConnectionTypeExtended(p)
+		pi.IceBackoffFailures = int32(p.IceBackoffFailures)
+		if !p.IceBackoffNextRetry.IsZero() {
+			pi.IceBackoffNextRetry = p.IceBackoffNextRetry.Format(time.RFC3339)
 		}
+		pi.IceBackoffSuspended = p.IceBackoffSuspended
+		// AgentVersion / OsVersion: peer.State does not expose these fields;
+		// left empty until daemon surfaces them (future phase).
+
 		peerInfos[n] = pi
 	}
 	return &PeerInfoArray{items: peerInfos}
@@ -394,6 +434,102 @@ func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
 
+// GetServerPushedConnectionMode returns the canonical name of the
+// connection mode the management server most recently pushed via
+// PeerConfig (independent of any local profile/env override). Returns
+// an empty string when the engine has not connected yet or the server
+// has not pushed a value -- the Android UI then knows to display
+// just "Follow server" without the (currently: ...) suffix.
+func (c *Client) GetServerPushedConnectionMode() string {
+	cm := c.connMgrSafe()
+	if cm == nil {
+		return ""
+	}
+	return cm.ServerPushedMode().String()
+}
+
+// GetServerPushedRelayTimeoutSecs returns the relay timeout in seconds
+// most recently pushed by the management server, or 0 when no value
+// has been received. Used by the Android UI as a hint.
+func (c *Client) GetServerPushedRelayTimeoutSecs() int64 {
+	cm := c.connMgrSafe()
+	if cm == nil {
+		return 0
+	}
+	return int64(cm.ServerPushedRelayTimeoutSecs())
+}
+
+// GetServerPushedP2pTimeoutSecs returns the ICE-only timeout (seconds)
+// most recently pushed by the management server.
+func (c *Client) GetServerPushedP2pTimeoutSecs() int64 {
+	cm := c.connMgrSafe()
+	if cm == nil {
+		return 0
+	}
+	return int64(cm.ServerPushedP2pTimeoutSecs())
+}
+
+// GetServerPushedP2pRetryMaxSecs returns the ICE-backoff cap (seconds)
+// most recently pushed by the management server.
+func (c *Client) GetServerPushedP2pRetryMaxSecs() int64 {
+	cm := c.connMgrSafe()
+	if cm == nil {
+		return 0
+	}
+	return int64(cm.ServerPushedP2pRetryMaxSecs())
+}
+
+// GetConfiguredPeersTotal returns the total number of configured peers
+// (server-online + server-offline). Phase 3.7i (#5989).
+func (c *Client) GetConfiguredPeersTotal() int64 {
+	return int64(c.recorder.GetFullStatus().ConfiguredPeersTotal)
+}
+
+// GetServerOnlinePeers returns the number of peers that are reachable via
+// the server (P2P + Relayed + Idle). Phase 3.7i (#5989).
+func (c *Client) GetServerOnlinePeers() int64 {
+	return int64(c.recorder.GetFullStatus().ServerOnlinePeers)
+}
+
+// GetP2PConnectedPeers returns the number of peers connected via direct
+// P2P (ICE). Phase 3.7i (#5989).
+func (c *Client) GetP2PConnectedPeers() int64 {
+	return int64(c.recorder.GetFullStatus().P2PConnectedPeers)
+}
+
+// GetRelayedConnectedPeers returns the number of peers connected via relay.
+// Phase 3.7i (#5989).
+func (c *Client) GetRelayedConnectedPeers() int64 {
+	return int64(c.recorder.GetFullStatus().RelayedConnectedPeers)
+}
+
+// GetIdleOnlinePeers returns the number of peers that are online on the
+// server but have no active connection yet. Phase 3.7i (#5989).
+func (c *Client) GetIdleOnlinePeers() int64 {
+	return int64(c.recorder.GetFullStatus().IdleOnlinePeers)
+}
+
+// GetServerOfflinePeers returns the number of peers that are not reachable
+// via the server. Phase 3.7i (#5989).
+func (c *Client) GetServerOfflinePeers() int64 {
+	return int64(c.recorder.GetFullStatus().ServerOfflinePeers)
+}
+
+// connMgrSafe is a small helper that walks the Client -> ConnectClient
+// -> Engine -> ConnMgr chain and returns nil at the first nil pointer.
+// Each accessor that surfaces engine state to the Android UI uses it.
+func (c *Client) connMgrSafe() *internal.ConnMgr {
+	cc := c.getConnectClient()
+	if cc == nil {
+		return nil
+	}
+	engine := cc.Engine()
+	if engine == nil {
+		return nil
+	}
+	return engine.ConnMgr()
+}
+
 func (c *Client) toggleRoute(command routeCommand) error {
 	return command.toggleRoute()
 }

diff --git a/client/android/peer_notifier.go b/client/android/peer_notifier.go
@@ -17,6 +17,37 @@ type PeerInfo struct {
 	FQDN       string
 	ConnStatus int
 	Routes     PeerRoutes
+
+	// Phase 3.7i (#5989): per-peer enrichment fields. Strings for
+	// gomobile-friendliness (no time.Time / no []string).
+	Relayed                       bool
+	ServerOnline                  bool
+	LocalIceCandidateEndpoint     string
+	RemoteIceCandidateEndpoint    string
+	RelayServerAddress            string
+	LastWireguardHandshake        string // RFC3339; "" if zero
+	LastSeenAtServer              string // RFC3339; "" if zero
+	LatencyMs                     int64
+	BytesRx                       int64
+	BytesTx                       int64
+	EffectiveConnectionMode       string
+	ConfiguredConnectionMode      string
+	Groups                        string // comma-separated
+	AgentVersion                  string
+	OsVersion                     string
+	// Phase 3.7i hybrid display: daemon-derived UI label.
+	// Values: "", "P2P", "Relayed", "Relayed (negotiating P2P)".
+	// UIs should prefer this over (Relayed bool) when non-empty so the
+	// transient post-wakeup negotiation window renders identically
+	// across Android / Windows / Dashboard.
+	ConnectionTypeExtended string
+
+	// Phase 3.7i lifecycle hardening: ICE-backoff snapshot. Lets the UI
+	// explain why a peer is staying on Relayed when failures pile up
+	// (gomobile-friendly: no time.Time exported — RFC3339 string).
+	IceBackoffFailures  int32
+	IceBackoffNextRetry string // RFC3339; "" if zero
+	IceBackoffSuspended bool
 }
 
 func (p *PeerInfo) GetPeerRoutes() *PeerRoutes {

diff --git a/client/android/preferences.go b/client/android/preferences.go
@@ -307,6 +307,107 @@ func (p *Preferences) SetBlockInbound(block bool) {
 	p.configInput.BlockInbound = &block
 }
 
+// GetConnectionMode returns the locally configured connection-mode override
+// (canonical lower-kebab-case: "relay-forced", "p2p", "p2p-lazy",
+// "p2p-dynamic", "follow-server"), or empty string if no local override
+// is configured -- the daemon will then follow the server-pushed value.
+func (p *Preferences) GetConnectionMode() (string, error) {
+	if p.configInput.ConnectionMode != nil {
+		return *p.configInput.ConnectionMode, nil
+	}
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.ConnectionMode, nil
+}
+
+// SetConnectionMode stores a local override for the connection mode.
+// Pass an empty string to clear the override (revert to following the
+// server-pushed value).
+func (p *Preferences) SetConnectionMode(mode string) {
+	m := mode
+	p.configInput.ConnectionMode = &m
+}
+
+// GetRelayTimeoutSeconds returns the locally configured relay-worker
+// inactivity timeout in seconds, or 0 if no override is set (follow
+// server-pushed value, or built-in default if the server has none).
+func (p *Preferences) GetRelayTimeoutSeconds() (int64, error) {
+	if p.configInput.RelayTimeoutSeconds != nil {
+		return int64(*p.configInput.RelayTimeoutSeconds), nil
+	}
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return 0, err
+	}
+	return int64(cfg.RelayTimeoutSeconds), nil
+}
+
+// SetRelayTimeoutSeconds stores a local override for the relay timeout.
+// Pass 0 to clear the override. Negative values are clamped to 0;
+// values larger than MaxUint32 are clamped to MaxUint32. The Android
+// AdvancedFragment UI already clamps negatives but a Java caller using
+// the bare gomobile API directly would otherwise wrap silently.
+func (p *Preferences) SetRelayTimeoutSeconds(secs int64) {
+	v := clampUint32Seconds(secs)
+	p.configInput.RelayTimeoutSeconds = &v
+}
+
+// GetP2pTimeoutSeconds returns the locally configured ICE-worker
+// inactivity timeout in seconds (only effective in p2p-dynamic mode),
+// or 0 if no override is set.
+func (p *Preferences) GetP2pTimeoutSeconds() (int64, error) {
+	if p.configInput.P2pTimeoutSeconds != nil {
+		return int64(*p.configInput.P2pTimeoutSeconds), nil
+	}
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return 0, err
+	}
+	return int64(cfg.P2pTimeoutSeconds), nil
+}
+
+// SetP2pTimeoutSeconds stores a local override for the p2p timeout.
+// Pass 0 to clear the override. See SetRelayTimeoutSeconds for clamping.
+func (p *Preferences) SetP2pTimeoutSeconds(secs int64) {
+	v := clampUint32Seconds(secs)
+	p.configInput.P2pTimeoutSeconds = &v
+}
+
+// GetP2pRetryMaxSeconds returns the locally configured cap on the
+// per-peer ICE-failure backoff schedule, or 0 if no override is set.
+func (p *Preferences) GetP2pRetryMaxSeconds() (int64, error) {
+	if p.configInput.P2pRetryMaxSeconds != nil {
+		return int64(*p.configInput.P2pRetryMaxSeconds), nil
+	}
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return 0, err
+	}
+	return int64(cfg.P2pRetryMaxSeconds), nil
+}
+
+// SetP2pRetryMaxSeconds stores a local override for the backoff cap.
+// Pass 0 to clear the override. See SetRelayTimeoutSeconds for clamping.
+func (p *Preferences) SetP2pRetryMaxSeconds(secs int64) {
+	v := clampUint32Seconds(secs)
+	p.configInput.P2pRetryMaxSeconds = &v
+}
+
+// clampUint32Seconds maps an int64 seconds value into the uint32 range
+// the daemon stores internally. Negative -> 0. >MaxUint32 -> MaxUint32.
+// Defensive against Java callers that bypass UI validation.
+func clampUint32Seconds(secs int64) uint32 {
+	if secs <= 0 {
+		return 0
+	}
+	if secs > int64(^uint32(0)) {
+		return ^uint32(0)
+	}
+	return uint32(secs)
+}
+
 // Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
 	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)

diff --git a/client/android/preferences_clamp_test.go b/client/android/preferences_clamp_test.go
@@ -0,0 +1,37 @@
+package android
+
+import (
+	"math"
+	"testing"
+)
+
+// Codex review: Preferences.SetXxxSeconds used to cast int64 directly
+// to uint32, silently wrapping negatives into huge positives and
+// truncating values >MaxUint32. Lock down the new clamp behavior.
+func TestClampUint32Seconds(t *testing.T) {
+	maxU := uint32(math.MaxUint32)
+	tests := []struct {
+		name  string
+		input int64
+		want  uint32
+	}{
+		{"zero", 0, 0},
+		{"one", 1, 1},
+		{"3h_typical", 10800, 10800},
+		{"24h_typical", 86400, 86400},
+		{"max_uint32_exact", int64(math.MaxUint32), maxU},
+		{"max_uint32_plus_one_clamps", int64(math.MaxUint32) + 1, maxU},
+		{"int64_max_clamps", math.MaxInt64, maxU},
+		{"negative_one_clamps_to_zero", -1, 0},
+		{"negative_huge_clamps_to_zero", -86400, 0},
+		{"int64_min_clamps_to_zero", math.MinInt64, 0},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := clampUint32Seconds(tc.input)
+			if got != tc.want {
+				t.Errorf("clampUint32Seconds(%d) = %d, want %d", tc.input, got, tc.want)
+			}
+		})
+	}
+}