From b122eb257bec8ff61fe8757cd6d8acc98ad0c463 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 17:28:02 +0300
Subject: [PATCH 01/37] feat(device-security): add TypeScript interfaces and
 DeviceSecurityProvider

---
 src/contexts/DeviceSecurityProvider.tsx | 176 ++++++++++++++++++++++++
 src/interfaces/DeviceSecurity.ts        |  43 ++++++
 2 files changed, 219 insertions(+)
 create mode 100644 src/contexts/DeviceSecurityProvider.tsx
 create mode 100644 src/interfaces/DeviceSecurity.ts

diff --git a/src/contexts/DeviceSecurityProvider.tsx b/src/contexts/DeviceSecurityProvider.tsx
new file mode 100644
index 00000000..6fe765e7
--- /dev/null
+++ b/src/contexts/DeviceSecurityProvider.tsx
@@ -0,0 +1,176 @@
+"use client";
+
+import useFetchApi, { useApiCall } from "@utils/api";
+import React, { useCallback, useMemo } from "react";
+import { useSWRConfig } from "swr";
+import type {
+  DeviceAuthSettings,
+  DeviceCert,
+  DeviceEnrollment,
+  TrustedCA,
+} from "@/interfaces/DeviceSecurity";
+
+type DeviceSecurityContextValue = {
+  // Settings
+  settings: DeviceAuthSettings | undefined;
+  settingsLoading: boolean;
+  updateSettings: (s: Partial<DeviceAuthSettings>) => Promise<DeviceAuthSettings>;
+
+  // Enrollments
+  enrollments: DeviceEnrollment[] | undefined;
+  enrollmentsLoading: boolean;
+  approveEnrollment: (id: string) => Promise<void>;
+  rejectEnrollment: (id: string, reason?: string) => Promise<void>;
+
+  // Devices (issued certs)
+  devices: DeviceCert[] | undefined;
+  devicesLoading: boolean;
+  revokeDevice: (id: string) => Promise<void>;
+  renewDevice: (id: string) => Promise<void>;
+
+  // Trusted CAs
+  trustedCAs: TrustedCA[] | undefined;
+  trustedCAsLoading: boolean;
+  addTrustedCA: (name: string, pem: string) => Promise<TrustedCA>;
+  deleteTrustedCA: (id: string) => Promise<void>;
+};
+
+const DeviceSecurityContext = React.createContext(
+  {} as DeviceSecurityContextValue,
+);
+
+export function DeviceSecurityProvider({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  const { mutate } = useSWRConfig();
+
+  const { data: settings, isLoading: settingsLoading } =
+    useFetchApi<DeviceAuthSettings>("/device-auth/settings");
+
+  const { data: enrollments, isLoading: enrollmentsLoading } =
+    useFetchApi<DeviceEnrollment[]>(
+      "/device-auth/enrollments",
+      false,
+      true,
+      true,
+      { refreshInterval: 10_000 },
+    );
+
+  const { data: devices, isLoading: devicesLoading } =
+    useFetchApi<DeviceCert[]>("/device-auth/devices");
+
+  const { data: trustedCAs, isLoading: trustedCAsLoading } =
+    useFetchApi<TrustedCA[]>("/device-auth/trusted-cas");
+
+  const settingsRequest = useApiCall<DeviceAuthSettings>(
+    "/device-auth/settings",
+  );
+  const enrollmentRequest = useApiCall<void>("/device-auth/enrollments");
+  const deviceRequest = useApiCall<void>("/device-auth/devices");
+  const caRequest = useApiCall<TrustedCA>("/device-auth/trusted-cas");
+
+  const updateSettings = useCallback(
+    async (s: Partial<DeviceAuthSettings>) => {
+      const updated = await settingsRequest.put(s);
+      await mutate("/device-auth/settings");
+      return updated;
+    },
+    [settingsRequest, mutate],
+  );
+
+  const approveEnrollment = useCallback(
+    async (id: string) => {
+      await enrollmentRequest.post(null, `/${id}/approve`);
+      await mutate("/device-auth/enrollments");
+    },
+    [enrollmentRequest, mutate],
+  );
+
+  const rejectEnrollment = useCallback(
+    async (id: string, reason?: string) => {
+      await enrollmentRequest.post(reason ? { reason } : null, `/${id}/reject`);
+      await mutate("/device-auth/enrollments");
+    },
+    [enrollmentRequest, mutate],
+  );
+
+  const revokeDevice = useCallback(
+    async (id: string) => {
+      await deviceRequest.post(null, `/${id}/revoke`);
+      await mutate("/device-auth/devices");
+    },
+    [deviceRequest, mutate],
+  );
+
+  const renewDevice = useCallback(
+    async (id: string) => {
+      await deviceRequest.post(null, `/${id}/cert/renew`);
+      await mutate("/device-auth/devices");
+    },
+    [deviceRequest, mutate],
+  );
+
+  const addTrustedCA = useCallback(
+    async (name: string, pem: string) => {
+      const created = await caRequest.post({ name, pem });
+      await mutate("/device-auth/trusted-cas");
+      return created;
+    },
+    [caRequest, mutate],
+  );
+
+  const deleteTrustedCA = useCallback(
+    async (id: string) => {
+      await caRequest.del(null, `/${id}`);
+      await mutate("/device-auth/trusted-cas");
+    },
+    [caRequest, mutate],
+  );
+
+  const value = useMemo(
+    () => ({
+      settings,
+      settingsLoading,
+      updateSettings,
+      enrollments,
+      enrollmentsLoading,
+      approveEnrollment,
+      rejectEnrollment,
+      devices,
+      devicesLoading,
+      revokeDevice,
+      renewDevice,
+      trustedCAs,
+      trustedCAsLoading,
+      addTrustedCA,
+      deleteTrustedCA,
+    }),
+    [
+      settings,
+      settingsLoading,
+      updateSettings,
+      enrollments,
+      enrollmentsLoading,
+      approveEnrollment,
+      rejectEnrollment,
+      devices,
+      devicesLoading,
+      revokeDevice,
+      renewDevice,
+      trustedCAs,
+      trustedCAsLoading,
+      addTrustedCA,
+      deleteTrustedCA,
+    ],
+  );
+
+  return (
+    <DeviceSecurityContext.Provider value={value}>
+      {children}
+    </DeviceSecurityContext.Provider>
+  );
+}
+
+export const useDeviceSecurity = () => React.useContext(DeviceSecurityContext);
diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
new file mode 100644
index 00000000..a79de97d
--- /dev/null
+++ b/src/interfaces/DeviceSecurity.ts
@@ -0,0 +1,43 @@
+export type DeviceAuthMode =
+  | "disabled"
+  | "optional"
+  | "cert-only"
+  | "cert-and-sso";
+export type EnrollmentMode = "manual" | "attestation" | "both";
+export type CAType = "builtin" | "external";
+
+export interface DeviceAuthSettings {
+  mode: DeviceAuthMode;
+  enrollment_mode: EnrollmentMode;
+  ca_type: CAType;
+  cert_validity_days: number;
+  ocsp_enabled: boolean;
+  fail_open_on_ocsp_unavailable: boolean;
+  inventory_type: string;
+}
+
+export interface DeviceEnrollment {
+  id: string;
+  peer_id: string;
+  wg_public_key: string;
+  status: "pending" | "approved" | "rejected";
+  reason?: string;
+  created_at: string;
+}
+
+export interface DeviceCert {
+  id: string;
+  peer_id: string;
+  wg_public_key: string;
+  serial: string;
+  not_before: string;
+  not_after: string;
+  revoked: boolean;
+  revoked_at?: string;
+}
+
+export interface TrustedCA {
+  id: string;
+  name: string;
+  created_at: string;
+}

From b69c6eff5c2e6fea53e686bf3ee488a4f8041c07 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 17:48:45 +0300
Subject: [PATCH 02/37] feat: add device security settings page

Add DeviceSecuritySettings form component with controls for authentication
mode, enrollment mode, CA type, certificate validity, and OCSP settings.
Includes cert-only mode warning when no devices have active certificates.
---
 .../device-security/settings/page.tsx         |  12 +
 .../DeviceSecuritySettings.tsx                | 330 ++++++++++++++++++
 2 files changed, 342 insertions(+)
 create mode 100644 src/app/(dashboard)/device-security/settings/page.tsx
 create mode 100644 src/modules/device-security/DeviceSecuritySettings.tsx

diff --git a/src/app/(dashboard)/device-security/settings/page.tsx b/src/app/(dashboard)/device-security/settings/page.tsx
new file mode 100644
index 00000000..3917d8c8
--- /dev/null
+++ b/src/app/(dashboard)/device-security/settings/page.tsx
@@ -0,0 +1,12 @@
+"use client";
+
+import DeviceSecuritySettings from "@/modules/device-security/DeviceSecuritySettings";
+import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
+
+export default function SettingsPage() {
+  return (
+    <DeviceSecurityProvider>
+      <DeviceSecuritySettings />
+    </DeviceSecurityProvider>
+  );
+}
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
new file mode 100644
index 00000000..e907e50d
--- /dev/null
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -0,0 +1,330 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Button from "@components/Button";
+import { Callout } from "@components/Callout";
+import FancyToggleSwitch from "@components/FancyToggleSwitch";
+import HelpText from "@components/HelpText";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import { notify } from "@components/Notification";
+import Paragraph from "@components/Paragraph";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@components/Select";
+import { useHasChanges } from "@hooks/useHasChanges";
+import {
+  AlertTriangleIcon,
+  KeyIcon,
+  ShieldCheckIcon,
+} from "lucide-react";
+import React, { useCallback, useEffect, useState } from "react";
+import Skeleton from "react-loading-skeleton";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import type {
+  CAType,
+  DeviceAuthMode,
+  EnrollmentMode,
+} from "@/interfaces/DeviceSecurity";
+import PageContainer from "@/layouts/PageContainer";
+
+const MODE_LABELS: Record<DeviceAuthMode, string> = {
+  disabled: "Disabled",
+  optional: "Optional",
+  "cert-only": "Certificate Only",
+  "cert-and-sso": "Certificate + SSO",
+};
+
+const MODE_DESCRIPTIONS: Record<DeviceAuthMode, string> = {
+  disabled: "Device certificate authentication is not used",
+  optional: "Devices may authenticate with certificates but it is not required",
+  "cert-only": "Only devices with valid certificates can connect",
+  "cert-and-sso": "Devices must have a valid certificate and SSO authentication",
+};
+
+const ENROLLMENT_LABELS: Record<EnrollmentMode, string> = {
+  manual: "Manual",
+  attestation: "Attestation",
+  both: "Both",
+};
+
+const CA_TYPE_LABELS: Record<CAType, string> = {
+  builtin: "Built-in CA",
+  external: "External CA",
+};
+
+export default function DeviceSecuritySettings() {
+  const { settings, settingsLoading, updateSettings, devices } =
+    useDeviceSecurity();
+
+  const [mode, setMode] = useState<DeviceAuthMode>("disabled");
+  const [enrollmentMode, setEnrollmentMode] = useState<EnrollmentMode>("manual");
+  const [caType, setCaType] = useState<CAType>("builtin");
+  const [certValidityDays, setCertValidityDays] = useState(365);
+  const [ocspEnabled, setOcspEnabled] = useState(false);
+  const [failOpenOnOcsp, setFailOpenOnOcsp] = useState(false);
+
+  useEffect(() => {
+    if (!settings) return;
+    setMode(settings.mode);
+    setEnrollmentMode(settings.enrollment_mode);
+    setCaType(settings.ca_type);
+    setCertValidityDays(settings.cert_validity_days);
+    setOcspEnabled(settings.ocsp_enabled);
+    setFailOpenOnOcsp(settings.fail_open_on_ocsp_unavailable);
+  }, [settings]);
+
+  const { hasChanges, updateRef } = useHasChanges([
+    mode,
+    enrollmentMode,
+    caType,
+    certValidityDays,
+    ocspEnabled,
+    failOpenOnOcsp,
+  ]);
+
+  const activeCertCount =
+    devices?.filter((d) => !d.revoked).length ?? 0;
+
+  const showCertOnlyWarning =
+    mode === "cert-only" && activeCertCount === 0;
+
+  const handleSave = useCallback(async () => {
+    notify({
+      title: "Device Security Settings",
+      description: "Settings saved successfully.",
+      promise: updateSettings({
+        mode,
+        enrollment_mode: enrollmentMode,
+        ca_type: caType,
+        cert_validity_days: certValidityDays,
+        ocsp_enabled: ocspEnabled,
+        fail_open_on_ocsp_unavailable: failOpenOnOcsp,
+      }).then(() => {
+        updateRef([
+          mode,
+          enrollmentMode,
+          caType,
+          certValidityDays,
+          ocspEnabled,
+          failOpenOnOcsp,
+        ]);
+      }),
+      loadingMessage: "Saving device security settings...",
+    });
+  }, [
+    mode,
+    enrollmentMode,
+    caType,
+    certValidityDays,
+    ocspEnabled,
+    failOpenOnOcsp,
+    updateSettings,
+    updateRef,
+  ]);
+
+  if (settingsLoading) {
+    return (
+      <PageContainer>
+        <div className={"p-default py-6 max-w-2xl"}>
+          <Skeleton height={24} width={200} className={"mb-6"} />
+          <Skeleton height={32} width={110} className={"mb-10"} />
+          <div className={"mb-8"}>
+            <Skeleton height={17} width={200} className={"mb-2"} />
+            <Skeleton height={80} width={"100%"} />
+          </div>
+          <div className={"mb-8"}>
+            <Skeleton height={17} width={200} className={"mb-2"} />
+            <Skeleton height={80} width={"100%"} />
+          </div>
+          <Skeleton height={80} width={"100%"} />
+        </div>
+      </PageContainer>
+    );
+  }
+
+  return (
+    <PageContainer>
+      <div className={"p-default py-6 max-w-2xl"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/settings"}
+            label={"Settings"}
+            active
+            icon={<KeyIcon size={14} />}
+          />
+        </Breadcrumbs>
+
+        <div className={"flex items-start justify-between"}>
+          <div>
+            <h1>Device Security Settings</h1>
+            <Paragraph>
+              Configure device certificate authentication and enrollment.
+            </Paragraph>
+          </div>
+          <Button
+            variant={"primary"}
+            disabled={!hasChanges}
+            onClick={handleSave}
+            data-cy={"save-settings"}
+          >
+            Save Changes
+          </Button>
+        </div>
+
+        <div className={"flex flex-col gap-6 w-full mt-8"}>
+          {/* Authentication Mode */}
+          <SettingRow
+            label="Authentication Mode"
+            help="Controls how device certificates are used for authentication"
+          >
+            <Select value={mode} onValueChange={(v) => setMode(v as DeviceAuthMode)}>
+              <SelectTrigger>
+                <SelectValue />
+              </SelectTrigger>
+              <SelectContent>
+                {Object.entries(MODE_LABELS).map(([value, label]) => (
+                  <SelectItem
+                    key={value}
+                    value={value}
+                    description={MODE_DESCRIPTIONS[value as DeviceAuthMode]}
+                  >
+                    {label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </SettingRow>
+
+          {showCertOnlyWarning && (
+            <Callout variant={"warning"} icon={<AlertTriangleIcon size={14} />}>
+              No devices currently have active certificates. Switching to
+              certificate-only mode may lock out all devices.
+            </Callout>
+          )}
+
+          {/* Enrollment Mode */}
+          <SettingRow
+            label="Enrollment Mode"
+            help="How new devices are enrolled and issued certificates"
+          >
+            <Select
+              value={enrollmentMode}
+              onValueChange={(v) => setEnrollmentMode(v as EnrollmentMode)}
+            >
+              <SelectTrigger>
+                <SelectValue />
+              </SelectTrigger>
+              <SelectContent>
+                {Object.entries(ENROLLMENT_LABELS).map(([value, label]) => (
+                  <SelectItem key={value} value={value}>
+                    {label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </SettingRow>
+
+          {/* CA Type */}
+          <SettingRow
+            label="Certificate Authority"
+            help="Choose between the built-in CA or an external CA for signing device certificates"
+          >
+            <Select
+              value={caType}
+              onValueChange={(v) => setCaType(v as CAType)}
+            >
+              <SelectTrigger>
+                <SelectValue />
+              </SelectTrigger>
+              <SelectContent>
+                {Object.entries(CA_TYPE_LABELS).map(([value, label]) => (
+                  <SelectItem key={value} value={value}>
+                    {label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </SettingRow>
+
+          {/* Certificate Validity */}
+          <SettingRow
+            label="Certificate Validity (days)"
+            help="Number of days a device certificate remains valid after issuance"
+          >
+            <Input
+              type={"number"}
+              min={1}
+              max={3650}
+              value={certValidityDays}
+              onChange={(e) =>
+                setCertValidityDays(parseInt(e.target.value, 10) || 0)
+              }
+              data-cy={"cert-validity-days"}
+            />
+          </SettingRow>
+
+          {/* OCSP Enabled */}
+          <FancyToggleSwitch
+            value={ocspEnabled}
+            onChange={setOcspEnabled}
+            label={
+              <>
+                <ShieldCheckIcon size={15} />
+                Enable OCSP
+              </>
+            }
+            helpText={
+              "Enable Online Certificate Status Protocol for real-time certificate revocation checking"
+            }
+          />
+
+          {/* Fail Open on OCSP Unavailable */}
+          {ocspEnabled && (
+            <FancyToggleSwitch
+              value={failOpenOnOcsp}
+              onChange={setFailOpenOnOcsp}
+              label={"Fail open on OCSP unavailable"}
+              helpText={
+                "Allow connections when the OCSP responder is unreachable. Disabling this may cause connectivity issues if the OCSP service goes down."
+              }
+            />
+          )}
+        </div>
+      </div>
+    </PageContainer>
+  );
+}
+
+function SettingRow({
+  label,
+  help,
+  children,
+}: Readonly<{
+  label: string;
+  help: string;
+  children: React.ReactNode;
+}>) {
+  return (
+    <div
+      className={
+        "flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-center"
+      }
+    >
+      <div className={"min-w-[330px]"}>
+        <Label>{label}</Label>
+        <HelpText>{help}</HelpText>
+      </div>
+      <div className={"w-full"}>{children}</div>
+    </div>
+  );
+}

From eeed710e5c15bddc6f34cb965d2cf0cc387188d0 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 17:51:21 +0300
Subject: [PATCH 03/37] feat: add device security enrollments page

Add enrollments table with approve/reject actions for pending device
enrollment requests. Follows existing DataTable patterns with Badge
status indicators, truncated IDs, and auto-refresh via provider.
---
 .../device-security/enrollments/page.tsx      |  45 ++++
 .../device-security/EnrollmentsTable.tsx      | 217 ++++++++++++++++++
 2 files changed, 262 insertions(+)
 create mode 100644 src/app/(dashboard)/device-security/enrollments/page.tsx
 create mode 100644 src/modules/device-security/EnrollmentsTable.tsx

diff --git a/src/app/(dashboard)/device-security/enrollments/page.tsx b/src/app/(dashboard)/device-security/enrollments/page.tsx
new file mode 100644
index 00000000..5e9d7297
--- /dev/null
+++ b/src/app/(dashboard)/device-security/enrollments/page.tsx
@@ -0,0 +1,45 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
+import PageContainer from "@/layouts/PageContainer";
+
+const EnrollmentsTable = lazy(
+  () => import("@/modules/device-security/EnrollmentsTable"),
+);
+
+export default function EnrollmentsPage() {
+  return (
+    <PageContainer>
+      <DeviceSecurityProvider>
+        <div className="p-default py-6">
+          <Breadcrumbs>
+            <Breadcrumbs.Item
+              href="/device-security/enrollments"
+              label="Device Security"
+              icon={<ShieldCheckIcon size={13} />}
+            />
+            <Breadcrumbs.Item
+              href="/device-security/enrollments"
+              label="Enrollments"
+              active
+            />
+          </Breadcrumbs>
+          <h1>Device Enrollments</h1>
+          <Paragraph>
+            Review and manage device enrollment requests. Approve or reject
+            pending requests to control which devices can connect to your
+            network.
+          </Paragraph>
+        </div>
+        <Suspense fallback={<SkeletonTable />}>
+          <EnrollmentsTable />
+        </Suspense>
+      </DeviceSecurityProvider>
+    </PageContainer>
+  );
+}
diff --git a/src/modules/device-security/EnrollmentsTable.tsx b/src/modules/device-security/EnrollmentsTable.tsx
new file mode 100644
index 00000000..fb3bb80d
--- /dev/null
+++ b/src/modules/device-security/EnrollmentsTable.tsx
@@ -0,0 +1,217 @@
+"use client";
+
+import Badge from "@components/Badge";
+import Button from "@components/Button";
+import { DataTable } from "@components/table/DataTable";
+import DataTableHeader from "@components/table/DataTableHeader";
+import DataTableRefreshButton from "@components/table/DataTableRefreshButton";
+import NoResults from "@components/ui/NoResults";
+import { ColumnDef, SortingState } from "@tanstack/react-table";
+import dayjs from "dayjs";
+import { CheckCircleIcon, ShieldAlertIcon, XCircleIcon } from "lucide-react";
+import { usePathname } from "next/navigation";
+import React, { useCallback } from "react";
+import { useSWRConfig } from "swr";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useLocalStorage } from "@/hooks/useLocalStorage";
+import type { DeviceEnrollment } from "@/interfaces/DeviceSecurity";
+
+const STATUS_BADGE_VARIANT = {
+  pending: "yellow",
+  approved: "green",
+  rejected: "red",
+} as const;
+
+const STATUS_LABEL = {
+  pending: "Pending",
+  approved: "Approved",
+  rejected: "Rejected",
+} as const;
+
+function truncate(value: string, length = 12): string {
+  if (value.length <= length) return value;
+  return `${value.slice(0, length)}...`;
+}
+
+function formatDate(iso: string): string {
+  return dayjs(iso).format("MMM D, YYYY HH:mm");
+}
+
+function StatusBadge({
+  status,
+}: Readonly<{ status: DeviceEnrollment["status"] }>) {
+  return (
+    <Badge variant={STATUS_BADGE_VARIANT[status]} size="xs">
+      {STATUS_LABEL[status]}
+    </Badge>
+  );
+}
+
+function ActionsCell({
+  enrollment,
+  onApprove,
+  onReject,
+}: Readonly<{
+  enrollment: DeviceEnrollment;
+  onApprove: (id: string) => void;
+  onReject: (id: string) => void;
+}>) {
+  if (enrollment.status !== "pending") {
+    return null;
+  }
+
+  return (
+    <div className="flex gap-2">
+      <Button
+        variant="primary"
+        size="xs"
+        onClick={() => onApprove(enrollment.id)}
+      >
+        <CheckCircleIcon size={14} />
+        Approve
+      </Button>
+      <Button
+        variant="danger"
+        size="xs"
+        onClick={() => onReject(enrollment.id)}
+      >
+        <XCircleIcon size={14} />
+        Reject
+      </Button>
+    </div>
+  );
+}
+
+function buildColumns(
+  onApprove: (id: string) => void,
+  onReject: (id: string) => void,
+): ColumnDef<DeviceEnrollment>[] {
+  return [
+    {
+      accessorKey: "id",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>ID</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span title={row.original.id}>{truncate(row.original.id)}</span>
+      ),
+    },
+    {
+      accessorKey: "peer_id",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Peer ID</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span title={row.original.peer_id}>
+          {truncate(row.original.peer_id)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "wg_public_key",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>WG Public Key</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span title={row.original.wg_public_key}>
+          {truncate(row.original.wg_public_key, 16)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "status",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Status</DataTableHeader>
+      ),
+      cell: ({ row }) => <StatusBadge status={row.original.status} />,
+    },
+    {
+      accessorKey: "created_at",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Created</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => <span>{formatDate(row.original.created_at)}</span>,
+    },
+    {
+      id: "actions",
+      header: "",
+      cell: ({ row }) => (
+        <ActionsCell
+          enrollment={row.original}
+          onApprove={onApprove}
+          onReject={onReject}
+        />
+      ),
+    },
+  ];
+}
+
+export default function EnrollmentsTable() {
+  const {
+    enrollments,
+    enrollmentsLoading,
+    approveEnrollment,
+    rejectEnrollment,
+  } = useDeviceSecurity();
+  const { mutate } = useSWRConfig();
+  const path = usePathname();
+
+  const [sorting, setSorting] = useLocalStorage<SortingState>(
+    "netbird-table-sort" + path,
+    [{ id: "created_at", desc: true }],
+  );
+
+  const handleApprove = useCallback(
+    async (id: string) => {
+      await approveEnrollment(id);
+    },
+    [approveEnrollment],
+  );
+
+  const handleReject = useCallback(
+    async (id: string) => {
+      await rejectEnrollment(id);
+    },
+    [rejectEnrollment],
+  );
+
+  const columns = React.useMemo(
+    () => buildColumns(handleApprove, handleReject),
+    [handleApprove, handleReject],
+  );
+
+  if (!enrollmentsLoading && (!enrollments || enrollments.length === 0)) {
+    return (
+      <NoResults
+        title="No pending enrollment requests"
+        description="There are no device enrollment requests at this time."
+        icon={<ShieldAlertIcon size={20} />}
+      />
+    );
+  }
+
+  return (
+    <DataTable
+      text="Enrollments"
+      sorting={sorting}
+      setSorting={setSorting}
+      columns={columns}
+      data={enrollments}
+      isLoading={enrollmentsLoading}
+      searchPlaceholder="Search by ID, peer, or key..."
+    >
+      {() => (
+        <DataTableRefreshButton
+          isDisabled={!enrollments || enrollments.length === 0}
+          onClick={() => {
+            mutate("/device-auth/enrollments");
+          }}
+        />
+      )}
+    </DataTable>
+  );
+}

From 5e51fb1f80a573d743cd0ba066189b4381596c07 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 17:54:54 +0300
Subject: [PATCH 04/37] feat: add device security trusted CAs page

Add AddTrustedCAModal, TrustedCAsTable, and trusted-cas page for managing
trusted Certificate Authorities in the device security dashboard section.
---
 .../device-security/devices/page.tsx          |  12 +
 .../device-security/trusted-cas/page.tsx      |  12 +
 .../device-security/AddTrustedCAModal.tsx     | 136 ++++++++++++
 src/modules/device-security/DevicesTable.tsx  | 205 ++++++++++++++++++
 .../device-security/RevokeDeviceModal.tsx     |  93 ++++++++
 .../device-security/TrustedCAsTable.tsx       | 152 +++++++++++++
 6 files changed, 610 insertions(+)
 create mode 100644 src/app/(dashboard)/device-security/devices/page.tsx
 create mode 100644 src/app/(dashboard)/device-security/trusted-cas/page.tsx
 create mode 100644 src/modules/device-security/AddTrustedCAModal.tsx
 create mode 100644 src/modules/device-security/DevicesTable.tsx
 create mode 100644 src/modules/device-security/RevokeDeviceModal.tsx
 create mode 100644 src/modules/device-security/TrustedCAsTable.tsx

diff --git a/src/app/(dashboard)/device-security/devices/page.tsx b/src/app/(dashboard)/device-security/devices/page.tsx
new file mode 100644
index 00000000..4757659a
--- /dev/null
+++ b/src/app/(dashboard)/device-security/devices/page.tsx
@@ -0,0 +1,12 @@
+"use client";
+
+import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
+import DevicesTable from "@/modules/device-security/DevicesTable";
+
+export default function DevicesPage() {
+  return (
+    <DeviceSecurityProvider>
+      <DevicesTable />
+    </DeviceSecurityProvider>
+  );
+}
diff --git a/src/app/(dashboard)/device-security/trusted-cas/page.tsx b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
new file mode 100644
index 00000000..d18ef565
--- /dev/null
+++ b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
@@ -0,0 +1,12 @@
+"use client";
+
+import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
+import TrustedCAsTable from "@/modules/device-security/TrustedCAsTable";
+
+export default function TrustedCAsPage() {
+  return (
+    <DeviceSecurityProvider>
+      <TrustedCAsTable />
+    </DeviceSecurityProvider>
+  );
+}
diff --git a/src/modules/device-security/AddTrustedCAModal.tsx b/src/modules/device-security/AddTrustedCAModal.tsx
new file mode 100644
index 00000000..d9915151
--- /dev/null
+++ b/src/modules/device-security/AddTrustedCAModal.tsx
@@ -0,0 +1,136 @@
+"use client";
+
+import Button from "@components/Button";
+import HelpText from "@components/HelpText";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import {
+  Modal,
+  ModalClose,
+  ModalContent,
+  ModalFooter,
+  ModalTrigger,
+} from "@components/modal/Modal";
+import ModalHeader from "@components/modal/ModalHeader";
+import { notify } from "@components/Notification";
+import Separator from "@components/Separator";
+import { Textarea } from "@components/Textarea";
+import { ShieldCheckIcon, PlusCircle } from "lucide-react";
+import React, { useMemo, useState } from "react";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+
+const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
+
+type Props = {
+  children: React.ReactNode;
+};
+
+export default function AddTrustedCAModal({ children }: Readonly<Props>) {
+  const [open, setOpen] = useState(false);
+
+  return (
+    <Modal open={open} onOpenChange={setOpen} key={open ? 1 : 0}>
+      <ModalTrigger asChild>{children}</ModalTrigger>
+      <AddTrustedCAModalContent onSuccess={() => setOpen(false)} />
+    </Modal>
+  );
+}
+
+type ContentProps = {
+  onSuccess: () => void;
+};
+
+function AddTrustedCAModalContent({ onSuccess }: Readonly<ContentProps>) {
+  const { addTrustedCA } = useDeviceSecurity();
+
+  const [name, setName] = useState("");
+  const [pem, setPem] = useState("");
+
+  const pemError = useMemo(() => {
+    const trimmed = pem.trim();
+    if (trimmed.length === 0) return undefined;
+    if (!trimmed.startsWith(PEM_HEADER)) {
+      return `PEM certificate must start with "${PEM_HEADER}"`;
+    }
+    return undefined;
+  }, [pem]);
+
+  const isDisabled = useMemo(() => {
+    return (
+      name.trim().length === 0 ||
+      pem.trim().length === 0 ||
+      pemError !== undefined
+    );
+  }, [name, pem, pemError]);
+
+  const handleSubmit = () => {
+    const trimmedName = name.trim();
+    const trimmedPem = pem.trim();
+
+    notify({
+      title: "Adding trusted CA",
+      description: `"${trimmedName}" was added successfully`,
+      promise: addTrustedCA(trimmedName, trimmedPem).then(() => {
+        onSuccess();
+      }),
+      loadingMessage: "Adding trusted CA...",
+    });
+  };
+
+  return (
+    <ModalContent maxWidthClass="max-w-lg">
+      <ModalHeader
+        icon={<ShieldCheckIcon />}
+        title="Add Trusted CA"
+        description="Upload a trusted Certificate Authority to authenticate devices"
+        color="netbird"
+      />
+
+      <Separator />
+
+      <div className="px-8 py-6 flex flex-col gap-6">
+        <div>
+          <Label>Name</Label>
+          <HelpText>A descriptive name for this Certificate Authority</HelpText>
+          <Input
+            placeholder="e.g., Corporate Root CA"
+            value={name}
+            onChange={(e) => setName(e.target.value)}
+          />
+        </div>
+
+        <div>
+          <Label>PEM Certificate</Label>
+          <HelpText>
+            Paste the PEM-encoded certificate. Must begin with{" "}
+            <code className="text-xs">{PEM_HEADER}</code>
+          </HelpText>
+          <Textarea
+            placeholder={`${PEM_HEADER}\n...\n-----END CERTIFICATE-----`}
+            value={pem}
+            rows={8}
+            onChange={(e) => setPem(e.target.value)}
+            error={pemError}
+          />
+        </div>
+      </div>
+
+      <ModalFooter className="items-center">
+        <div className="flex gap-3 w-full justify-end">
+          <ModalClose asChild>
+            <Button variant="secondary">Cancel</Button>
+          </ModalClose>
+
+          <Button
+            variant="primary"
+            onClick={handleSubmit}
+            disabled={isDisabled}
+          >
+            <PlusCircle size={16} />
+            Add CA
+          </Button>
+        </div>
+      </ModalFooter>
+    </ModalContent>
+  );
+}
diff --git a/src/modules/device-security/DevicesTable.tsx b/src/modules/device-security/DevicesTable.tsx
new file mode 100644
index 00000000..e1e59a54
--- /dev/null
+++ b/src/modules/device-security/DevicesTable.tsx
@@ -0,0 +1,205 @@
+"use client";
+
+import Badge from "@components/Badge";
+import Button from "@components/Button";
+import { DataTable } from "@components/table/DataTable";
+import DataTableHeader from "@components/table/DataTableHeader";
+import DataTableRefreshButton from "@components/table/DataTableRefreshButton";
+import NoResults from "@components/ui/NoResults";
+import { ColumnDef, SortingState } from "@tanstack/react-table";
+import dayjs from "dayjs";
+import { RefreshCwIcon, ShieldIcon, ShieldOffIcon } from "lucide-react";
+import { usePathname } from "next/navigation";
+import React, { useCallback } from "react";
+import { useSWRConfig } from "swr";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useLocalStorage } from "@/hooks/useLocalStorage";
+import type { DeviceCert } from "@/interfaces/DeviceSecurity";
+import RevokeDeviceModal from "./RevokeDeviceModal";
+
+function truncate(value: string, length = 16): string {
+  if (value.length <= length) return value;
+  return `${value.slice(0, length)}...`;
+}
+
+function formatDate(iso: string): string {
+  return dayjs(iso).format("MMM D, YYYY HH:mm");
+}
+
+function isExpired(notAfter: string): boolean {
+  return dayjs(notAfter).isBefore(dayjs());
+}
+
+function StatusBadge({ cert }: Readonly<{ cert: DeviceCert }>) {
+  if (cert.revoked) {
+    return (
+      <Badge variant="red" size="xs">
+        Revoked
+      </Badge>
+    );
+  }
+  if (isExpired(cert.not_after)) {
+    return (
+      <Badge variant="yellow" size="xs">
+        Expired
+      </Badge>
+    );
+  }
+  return (
+    <Badge variant="green" size="xs">
+      Active
+    </Badge>
+  );
+}
+
+type ActionsCellProps = {
+  cert: DeviceCert;
+  onRenew: (id: string) => void;
+};
+
+function ActionsCell({ cert, onRenew }: Readonly<ActionsCellProps>) {
+  if (cert.revoked) {
+    return null;
+  }
+
+  return (
+    <div className="flex gap-2 justify-end pr-4">
+      <Button
+        variant="secondary"
+        size="xs"
+        onClick={() => onRenew(cert.id)}
+      >
+        <RefreshCwIcon size={14} />
+        Renew
+      </Button>
+      <RevokeDeviceModal device={cert}>
+        <Button variant="danger-outline" size="xs">
+          <ShieldOffIcon size={14} />
+          Revoke
+        </Button>
+      </RevokeDeviceModal>
+    </div>
+  );
+}
+
+function buildColumns(
+  onRenew: (id: string) => void,
+): ColumnDef<DeviceCert>[] {
+  return [
+    {
+      accessorKey: "wg_public_key",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>WG Public Key</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span
+          className="font-mono"
+          title={row.original.wg_public_key}
+        >
+          {truncate(row.original.wg_public_key)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "serial",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Serial</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span className="font-mono" title={row.original.serial}>
+          {truncate(row.original.serial)}
+        </span>
+      ),
+    },
+    {
+      accessorKey: "not_before",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Valid From</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => (
+        <span>{formatDate(row.original.not_before)}</span>
+      ),
+    },
+    {
+      accessorKey: "not_after",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Expires</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => (
+        <span>{formatDate(row.original.not_after)}</span>
+      ),
+    },
+    {
+      accessorKey: "revoked",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Status</DataTableHeader>
+      ),
+      cell: ({ row }) => <StatusBadge cert={row.original} />,
+    },
+    {
+      id: "actions",
+      header: "",
+      cell: ({ row }) => (
+        <ActionsCell cert={row.original} onRenew={onRenew} />
+      ),
+    },
+  ];
+}
+
+export default function DevicesTable() {
+  const { devices, devicesLoading, renewDevice } = useDeviceSecurity();
+  const { mutate } = useSWRConfig();
+  const path = usePathname();
+
+  const [sorting, setSorting] = useLocalStorage<SortingState>(
+    "netbird-table-sort" + path,
+    [{ id: "not_after", desc: true }],
+  );
+
+  const handleRenew = useCallback(
+    async (id: string) => {
+      await renewDevice(id);
+    },
+    [renewDevice],
+  );
+
+  const columns = React.useMemo(
+    () => buildColumns(handleRenew),
+    [handleRenew],
+  );
+
+  if (!devicesLoading && (!devices || devices.length === 0)) {
+    return (
+      <NoResults
+        title="No device certificates issued"
+        description="No device certificates issued."
+        icon={<ShieldIcon size={20} />}
+      />
+    );
+  }
+
+  return (
+    <DataTable
+      text="Devices"
+      sorting={sorting}
+      setSorting={setSorting}
+      columns={columns}
+      data={devices}
+      isLoading={devicesLoading}
+      searchPlaceholder="Search by key or serial..."
+    >
+      {() => (
+        <DataTableRefreshButton
+          isDisabled={!devices || devices.length === 0}
+          onClick={() => {
+            mutate("/device-auth/devices");
+          }}
+        />
+      )}
+    </DataTable>
+  );
+}
diff --git a/src/modules/device-security/RevokeDeviceModal.tsx b/src/modules/device-security/RevokeDeviceModal.tsx
new file mode 100644
index 00000000..4d83d634
--- /dev/null
+++ b/src/modules/device-security/RevokeDeviceModal.tsx
@@ -0,0 +1,93 @@
+"use client";
+
+import Button from "@components/Button";
+import {
+  Modal,
+  ModalClose,
+  ModalContent,
+  ModalFooter,
+  ModalTrigger,
+} from "@components/modal/Modal";
+import ModalHeader from "@components/modal/ModalHeader";
+import { notify } from "@components/Notification";
+import Separator from "@components/Separator";
+import { ShieldOffIcon } from "lucide-react";
+import React, { useState } from "react";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import type { DeviceCert } from "@/interfaces/DeviceSecurity";
+
+type Props = {
+  device: DeviceCert;
+  children: React.ReactNode;
+};
+
+function truncate(value: string, length = 20): string {
+  if (value.length <= length) return value;
+  return `${value.slice(0, length)}...`;
+}
+
+export default function RevokeDeviceModal({ device, children }: Readonly<Props>) {
+  const [open, setOpen] = useState(false);
+  const { revokeDevice } = useDeviceSecurity();
+
+  const handleRevoke = async () => {
+    notify({
+      title: "Revoking device certificate",
+      description: "Device certificate was successfully revoked",
+      promise: revokeDevice(device.id).then(() => {
+        setOpen(false);
+      }),
+      loadingMessage: "Revoking device certificate...",
+    });
+  };
+
+  return (
+    <Modal open={open} onOpenChange={setOpen}>
+      <ModalTrigger asChild>{children}</ModalTrigger>
+      <ModalContent maxWidthClass="max-w-md">
+        <ModalHeader
+          icon={<ShieldOffIcon />}
+          title="Revoke Device Certificate"
+          description="This action cannot be undone. The device will no longer be able to authenticate using this certificate."
+          color="red"
+        />
+        <Separator />
+        <div className="px-8 py-6 flex flex-col gap-4">
+          <div className="flex flex-col gap-1">
+            <span className="text-xs text-nb-gray-400 uppercase tracking-wide">
+              WireGuard Public Key
+            </span>
+            <span
+              className="font-mono text-sm text-nb-gray-200"
+              title={device.wg_public_key}
+            >
+              {truncate(device.wg_public_key, 32)}
+            </span>
+          </div>
+          <div className="flex flex-col gap-1">
+            <span className="text-xs text-nb-gray-400 uppercase tracking-wide">
+              Serial Number
+            </span>
+            <span
+              className="font-mono text-sm text-nb-gray-200"
+              title={device.serial}
+            >
+              {truncate(device.serial, 32)}
+            </span>
+          </div>
+        </div>
+        <ModalFooter className="items-center">
+          <div className="flex gap-3 w-full justify-end">
+            <ModalClose asChild>
+              <Button variant="secondary">Cancel</Button>
+            </ModalClose>
+            <Button variant="danger" onClick={handleRevoke}>
+              <ShieldOffIcon size={16} />
+              Revoke
+            </Button>
+          </div>
+        </ModalFooter>
+      </ModalContent>
+    </Modal>
+  );
+}
diff --git a/src/modules/device-security/TrustedCAsTable.tsx b/src/modules/device-security/TrustedCAsTable.tsx
new file mode 100644
index 00000000..50bf66c3
--- /dev/null
+++ b/src/modules/device-security/TrustedCAsTable.tsx
@@ -0,0 +1,152 @@
+"use client";
+
+import Button from "@components/Button";
+import { DataTable } from "@components/table/DataTable";
+import DataTableHeader from "@components/table/DataTableHeader";
+import { notify } from "@components/Notification";
+import NoResults from "@components/ui/NoResults";
+import { ColumnDef, SortingState } from "@tanstack/react-table";
+import dayjs from "dayjs";
+import { PlusCircle, ShieldCheckIcon, Trash2 } from "lucide-react";
+import { usePathname } from "next/navigation";
+import React, { useCallback, useMemo } from "react";
+import { useDialog } from "@/contexts/DialogProvider";
+import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useLocalStorage } from "@/hooks/useLocalStorage";
+import type { TrustedCA } from "@/interfaces/DeviceSecurity";
+import AddTrustedCAModal from "@/modules/device-security/AddTrustedCAModal";
+
+function formatDate(iso: string): string {
+  return dayjs(iso).format("MMM D, YYYY HH:mm");
+}
+
+type DeleteCellProps = {
+  ca: TrustedCA;
+  onDelete: (id: string) => void;
+};
+
+function DeleteCell({ ca, onDelete }: Readonly<DeleteCellProps>) {
+  return (
+    <div className="flex justify-end pr-4">
+      <Button
+        variant="danger-outline"
+        size="sm"
+        onClick={() => onDelete(ca.id)}
+      >
+        <Trash2 size={16} />
+        Delete
+      </Button>
+    </div>
+  );
+}
+
+function buildColumns(
+  onDelete: (id: string) => void,
+): ColumnDef<TrustedCA>[] {
+  return [
+    {
+      accessorKey: "name",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Name</DataTableHeader>
+      ),
+      sortingFn: "text",
+      cell: ({ row }) => (
+        <span className="font-medium">{row.original.name}</span>
+      ),
+    },
+    {
+      accessorKey: "created_at",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Created</DataTableHeader>
+      ),
+      sortingFn: "datetime",
+      cell: ({ row }) => (
+        <span className="text-nb-gray-400">
+          {formatDate(row.original.created_at)}
+        </span>
+      ),
+    },
+    {
+      id: "actions",
+      header: "",
+      cell: ({ row }) => (
+        <DeleteCell ca={row.original} onDelete={onDelete} />
+      ),
+    },
+  ];
+}
+
+export default function TrustedCAsTable() {
+  const { trustedCAs, trustedCAsLoading, deleteTrustedCA } = useDeviceSecurity();
+  const { confirm } = useDialog();
+  const path = usePathname();
+
+  const [sorting, setSorting] = useLocalStorage<SortingState>(
+    "netbird-table-sort" + path,
+    [{ id: "created_at", desc: true }],
+  );
+
+  const handleDelete = useCallback(
+    async (id: string) => {
+      const ca = trustedCAs?.find((c) => c.id === id);
+      const label = ca?.name ?? id;
+
+      const choice = await confirm({
+        title: `Delete '${label}'?`,
+        description:
+          "Are you sure you want to delete this trusted CA? Devices authenticated with this CA may lose access.",
+        confirmText: "Delete",
+        cancelText: "Cancel",
+        type: "danger",
+      });
+
+      if (!choice) return;
+
+      notify({
+        title: label,
+        description: "Trusted CA was successfully deleted",
+        promise: deleteTrustedCA(id),
+        loadingMessage: "Deleting trusted CA...",
+      });
+    },
+    [trustedCAs, confirm, deleteTrustedCA],
+  );
+
+  const columns = useMemo(() => buildColumns(handleDelete), [handleDelete]);
+
+  const addButton = (
+    <AddTrustedCAModal>
+      <Button variant="primary" size="sm">
+        <PlusCircle size={16} />
+        Add CA
+      </Button>
+    </AddTrustedCAModal>
+  );
+
+  if (!trustedCAsLoading && (!trustedCAs || trustedCAs.length === 0)) {
+    return (
+      <div>
+        <div className="flex justify-end mb-4">{addButton}</div>
+        <NoResults
+          title="No trusted CAs added."
+          description="Add a trusted Certificate Authority to enable device certificate authentication."
+          icon={<ShieldCheckIcon size={20} />}
+        />
+      </div>
+    );
+  }
+
+  return (
+    <DataTable
+      text="Trusted CAs"
+      sorting={sorting}
+      setSorting={setSorting}
+      columns={columns}
+      data={trustedCAs ?? []}
+      isLoading={trustedCAsLoading}
+      searchPlaceholder="Search by name..."
+    >
+      {() => addButton}
+    </DataTable>
+  );
+}

From dd937de65601f616c2e57b78f3136fe1ea947202 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 17:58:15 +0300
Subject: [PATCH 05/37] fix: add type guards, inventory_type passthrough, error
 handling in device security UI

---
 .../DeviceSecuritySettings.tsx                | 22 ++++++++++++++++---
 .../device-security/EnrollmentsTable.tsx      | 12 ++++++++--
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index e907e50d..e9d3bf22 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -32,6 +32,20 @@ import type {
 } from "@/interfaces/DeviceSecurity";
 import PageContainer from "@/layouts/PageContainer";
 
+const DEVICE_AUTH_MODES: DeviceAuthMode[] = ["disabled", "optional", "cert-only", "cert-and-sso"];
+const ENROLLMENT_MODES: EnrollmentMode[] = ["manual", "attestation", "both"];
+const CA_TYPES: CAType[] = ["builtin", "external"];
+
+function isDeviceAuthMode(v: string): v is DeviceAuthMode {
+  return DEVICE_AUTH_MODES.includes(v as DeviceAuthMode);
+}
+function isEnrollmentMode(v: string): v is EnrollmentMode {
+  return ENROLLMENT_MODES.includes(v as EnrollmentMode);
+}
+function isCAType(v: string): v is CAType {
+  return CA_TYPES.includes(v as CAType);
+}
+
 const MODE_LABELS: Record<DeviceAuthMode, string> = {
   disabled: "Disabled",
   optional: "Optional",
@@ -104,6 +118,7 @@ export default function DeviceSecuritySettings() {
         cert_validity_days: certValidityDays,
         ocsp_enabled: ocspEnabled,
         fail_open_on_ocsp_unavailable: failOpenOnOcsp,
+        inventory_type: settings?.inventory_type ?? "",
       }).then(() => {
         updateRef([
           mode,
@@ -123,6 +138,7 @@ export default function DeviceSecuritySettings() {
     certValidityDays,
     ocspEnabled,
     failOpenOnOcsp,
+    settings,
     updateSettings,
     updateRef,
   ]);
@@ -187,7 +203,7 @@ export default function DeviceSecuritySettings() {
             label="Authentication Mode"
             help="Controls how device certificates are used for authentication"
           >
-            <Select value={mode} onValueChange={(v) => setMode(v as DeviceAuthMode)}>
+            <Select value={mode} onValueChange={(v) => { if (isDeviceAuthMode(v)) setMode(v); }}>
               <SelectTrigger>
                 <SelectValue />
               </SelectTrigger>
@@ -219,7 +235,7 @@ export default function DeviceSecuritySettings() {
           >
             <Select
               value={enrollmentMode}
-              onValueChange={(v) => setEnrollmentMode(v as EnrollmentMode)}
+              onValueChange={(v) => { if (isEnrollmentMode(v)) setEnrollmentMode(v); }}
             >
               <SelectTrigger>
                 <SelectValue />
@@ -241,7 +257,7 @@ export default function DeviceSecuritySettings() {
           >
             <Select
               value={caType}
-              onValueChange={(v) => setCaType(v as CAType)}
+              onValueChange={(v) => { if (isCAType(v)) setCaType(v); }}
             >
               <SelectTrigger>
                 <SelectValue />
diff --git a/src/modules/device-security/EnrollmentsTable.tsx b/src/modules/device-security/EnrollmentsTable.tsx
index fb3bb80d..7301465b 100644
--- a/src/modules/device-security/EnrollmentsTable.tsx
+++ b/src/modules/device-security/EnrollmentsTable.tsx
@@ -167,14 +167,22 @@ export default function EnrollmentsTable() {
 
   const handleApprove = useCallback(
     async (id: string) => {
-      await approveEnrollment(id);
+      try {
+        await approveEnrollment(id);
+      } catch {
+        // Error is handled by the API error boundary in the provider
+      }
     },
     [approveEnrollment],
   );
 
   const handleReject = useCallback(
     async (id: string) => {
-      await rejectEnrollment(id);
+      try {
+        await rejectEnrollment(id);
+      } catch {
+        // Error is handled by the API error boundary in the provider
+      }
     },
     [rejectEnrollment],
   );

From 4d5c329e547d4db010dc03f140648d01265dc092 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 17:59:11 +0300
Subject: [PATCH 06/37] fix: add error handling for renewDevice in DevicesTable

---
 src/modules/device-security/DevicesTable.tsx | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/modules/device-security/DevicesTable.tsx b/src/modules/device-security/DevicesTable.tsx
index e1e59a54..461f3fca 100644
--- a/src/modules/device-security/DevicesTable.tsx
+++ b/src/modules/device-security/DevicesTable.tsx
@@ -12,6 +12,7 @@ import { RefreshCwIcon, ShieldIcon, ShieldOffIcon } from "lucide-react";
 import { usePathname } from "next/navigation";
 import React, { useCallback } from "react";
 import { useSWRConfig } from "swr";
+import { notify } from "@components/Notification";
 import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
 import { useLocalStorage } from "@/hooks/useLocalStorage";
 import type { DeviceCert } from "@/interfaces/DeviceSecurity";
@@ -161,8 +162,13 @@ export default function DevicesTable() {
   );
 
   const handleRenew = useCallback(
-    async (id: string) => {
-      await renewDevice(id);
+    (id: string) => {
+      notify({
+        title: "Renewing certificate",
+        description: "Device certificate was successfully renewed",
+        promise: renewDevice(id),
+        loadingMessage: "Renewing device certificate...",
+      });
     },
     [renewDevice],
   );

From 860c7ce9e403f5bee974218fbbfbe11f4ea50af4 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:01:49 +0300
Subject: [PATCH 07/37] feat: add device security navigation and layout

---
 .../(dashboard)/device-security/layout.tsx    |  8 +++++
 src/assets/icons/DeviceSecurityIcon.tsx       | 19 ++++++++++
 src/layouts/Navigation.tsx                    | 36 +++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 src/app/(dashboard)/device-security/layout.tsx
 create mode 100644 src/assets/icons/DeviceSecurityIcon.tsx

diff --git a/src/app/(dashboard)/device-security/layout.tsx b/src/app/(dashboard)/device-security/layout.tsx
new file mode 100644
index 00000000..fabc27ac
--- /dev/null
+++ b/src/app/(dashboard)/device-security/layout.tsx
@@ -0,0 +1,8 @@
+import { globalMetaTitle } from "@utils/meta";
+import type { Metadata } from "next";
+import BlankLayout from "@/layouts/BlankLayout";
+
+export const metadata: Metadata = {
+  title: `Device Security - ${globalMetaTitle}`,
+};
+export default BlankLayout;
diff --git a/src/assets/icons/DeviceSecurityIcon.tsx b/src/assets/icons/DeviceSecurityIcon.tsx
new file mode 100644
index 00000000..1e1905e9
--- /dev/null
+++ b/src/assets/icons/DeviceSecurityIcon.tsx
@@ -0,0 +1,19 @@
+import { iconProperties, IconProps } from "@/assets/icons/IconProperties";
+
+export default function DeviceSecurityIcon(props: IconProps) {
+  return (
+    <svg
+      width="16"
+      height="16"
+      viewBox="0 0 24 24"
+      xmlns="http://www.w3.org/2000/svg"
+      {...iconProperties(props)}
+    >
+      <path
+        fillRule="evenodd"
+        clipRule="evenodd"
+        d="M12 1L2 5.5V11c0 6.08 4.26 11.74 10 13.16C17.74 22.74 22 17.08 22 11V5.5L12 1zm0 2.28l8 3.74V11c0 5.07-3.44 9.79-8 11.12C7.44 20.79 4 16.07 4 11V7.02l8-3.74zM16.5 9.5l-5.17 5.17-2.83-2.84-1.41 1.41 4.24 4.25 6.58-6.58L16.5 9.5z"
+      />
+    </svg>
+  );
+}
diff --git a/src/layouts/Navigation.tsx b/src/layouts/Navigation.tsx
index 4f14c695..4db42cb1 100644
--- a/src/layouts/Navigation.tsx
+++ b/src/layouts/Navigation.tsx
@@ -5,6 +5,7 @@ import { cn } from "@utils/helpers";
 import AccessControlIcon from "@/assets/icons/AccessControlIcon";
 import ControlCenterIcon from "@/assets/icons/ControlCenterIcon";
 import DNSIcon from "@/assets/icons/DNSIcon";
+import DeviceSecurityIcon from "@/assets/icons/DeviceSecurityIcon";
 import DocsIcon from "@/assets/icons/DocsIcon";
 import PeerIcon from "@/assets/icons/PeerIcon";
 import SettingsIcon from "@/assets/icons/SettingsIcon";
@@ -193,6 +194,41 @@ export default function Navigation({
                     visible={permission.dns.read}
                   />
                 </SidebarItem>
+                <SidebarItem
+                  icon={<DeviceSecurityIcon size={16} />}
+                  label="Device Security"
+                  collapsible
+                  visible={true}
+                >
+                  <SidebarItem
+                    label="Settings"
+                    href="/device-security/settings"
+                    isChild
+                    exactPathMatch={true}
+                    visible={true}
+                  />
+                  <SidebarItem
+                    label="Enrollments"
+                    href="/device-security/enrollments"
+                    isChild
+                    exactPathMatch={true}
+                    visible={true}
+                  />
+                  <SidebarItem
+                    label="Devices"
+                    href="/device-security/devices"
+                    isChild
+                    exactPathMatch={true}
+                    visible={true}
+                  />
+                  <SidebarItem
+                    label="Trusted CAs"
+                    href="/device-security/trusted-cas"
+                    isChild
+                    exactPathMatch={true}
+                    visible={true}
+                  />
+                </SidebarItem>
                 <SidebarItem
                   icon={<TeamIcon />}
                   label="Team"

From d177e0424959da4038efd247d59afe7ea2387518 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:05:15 +0300
Subject: [PATCH 08/37] fix: gate device security navigation by isRestricted
 permission

---
 src/layouts/Navigation.tsx | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/layouts/Navigation.tsx b/src/layouts/Navigation.tsx
index 4db42cb1..c202ca81 100644
--- a/src/layouts/Navigation.tsx
+++ b/src/layouts/Navigation.tsx
@@ -198,35 +198,35 @@ export default function Navigation({
                   icon={<DeviceSecurityIcon size={16} />}
                   label="Device Security"
                   collapsible
-                  visible={true}
+                  visible={!isRestricted}
                 >
                   <SidebarItem
                     label="Settings"
                     href="/device-security/settings"
                     isChild
                     exactPathMatch={true}
-                    visible={true}
+                    visible={!isRestricted}
                   />
                   <SidebarItem
                     label="Enrollments"
                     href="/device-security/enrollments"
                     isChild
                     exactPathMatch={true}
-                    visible={true}
+                    visible={!isRestricted}
                   />
                   <SidebarItem
                     label="Devices"
                     href="/device-security/devices"
                     isChild
                     exactPathMatch={true}
-                    visible={true}
+                    visible={!isRestricted}
                   />
                   <SidebarItem
                     label="Trusted CAs"
                     href="/device-security/trusted-cas"
                     isChild
                     exactPathMatch={true}
-                    visible={true}
+                    visible={!isRestricted}
                   />
                 </SidebarItem>
                 <SidebarItem

From 81fda0d15f2701d532a7027637fc7ca9a1b605ab Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:25:45 +0300
Subject: [PATCH 09/37] fix: add error state, extend cert-and-sso lockout
 warning, clamp validity days

---
 .../DeviceSecuritySettings.tsx                | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index e9d3bf22..bedf6c3f 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -105,7 +105,7 @@ export default function DeviceSecuritySettings() {
     devices?.filter((d) => !d.revoked).length ?? 0;
 
   const showCertOnlyWarning =
-    mode === "cert-only" && activeCertCount === 0;
+    (mode === "cert-only" || mode === "cert-and-sso") && activeCertCount === 0;
 
   const handleSave = useCallback(async () => {
     notify({
@@ -163,6 +163,18 @@ export default function DeviceSecuritySettings() {
     );
   }
 
+  if (!settingsLoading && !settings) {
+    return (
+      <PageContainer>
+        <div className={"p-default py-6 max-w-2xl"}>
+          <Callout variant={"error"} title={"Failed to load settings"}>
+            Could not load device security settings. Please refresh the page and try again.
+          </Callout>
+        </div>
+      </PageContainer>
+    );
+  }
+
   return (
     <PageContainer>
       <div className={"p-default py-6 max-w-2xl"}>
@@ -282,9 +294,11 @@ export default function DeviceSecuritySettings() {
               min={1}
               max={3650}
               value={certValidityDays}
-              onChange={(e) =>
-                setCertValidityDays(parseInt(e.target.value, 10) || 0)
-              }
+              onChange={(e) => {
+                const parsed = parseInt(e.target.value, 10);
+                if (Number.isNaN(parsed)) return;
+                setCertValidityDays(Math.max(1, Math.min(3650, parsed)));
+              }}
               data-cy={"cert-validity-days"}
             />
           </SettingRow>

From 5932bff808156c92044ff7626b791d715403ede3 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:25:47 +0300
Subject: [PATCH 10/37] fix: add PEM END certificate marker validation in
 AddTrustedCAModal

---
 src/modules/device-security/AddTrustedCAModal.tsx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/modules/device-security/AddTrustedCAModal.tsx b/src/modules/device-security/AddTrustedCAModal.tsx
index d9915151..8fa4f765 100644
--- a/src/modules/device-security/AddTrustedCAModal.tsx
+++ b/src/modules/device-security/AddTrustedCAModal.tsx
@@ -20,6 +20,7 @@ import React, { useMemo, useState } from "react";
 import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
 
 const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
+const PEM_FOOTER = "-----END CERTIFICATE-----";
 
 type Props = {
   children: React.ReactNode;
@@ -50,7 +51,10 @@ function AddTrustedCAModalContent({ onSuccess }: Readonly<ContentProps>) {
     const trimmed = pem.trim();
     if (trimmed.length === 0) return undefined;
     if (!trimmed.startsWith(PEM_HEADER)) {
-      return `PEM certificate must start with "${PEM_HEADER}"`;
+      return `Must start with "${PEM_HEADER}"`;
+    }
+    if (!trimmed.endsWith(PEM_FOOTER)) {
+      return `Must end with "${PEM_FOOTER}"`;
     }
     return undefined;
   }, [pem]);

From 32e7cb99c6902588a81c11b02b97b0756b432c1d Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:26:06 +0300
Subject: [PATCH 11/37] fix: fix empty state text, add reason column, add error
 feedback in enrollments

---
 .../device-security/EnrollmentsTable.tsx      | 35 +++++++++++++++++--
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/src/modules/device-security/EnrollmentsTable.tsx b/src/modules/device-security/EnrollmentsTable.tsx
index 7301465b..9c63a944 100644
--- a/src/modules/device-security/EnrollmentsTable.tsx
+++ b/src/modules/device-security/EnrollmentsTable.tsx
@@ -5,6 +5,7 @@ import Button from "@components/Button";
 import { DataTable } from "@components/table/DataTable";
 import DataTableHeader from "@components/table/DataTableHeader";
 import DataTableRefreshButton from "@components/table/DataTableRefreshButton";
+import { notify } from "@components/Notification";
 import NoResults from "@components/ui/NoResults";
 import { ColumnDef, SortingState } from "@tanstack/react-table";
 import dayjs from "dayjs";
@@ -128,6 +129,28 @@ function buildColumns(
       ),
       cell: ({ row }) => <StatusBadge status={row.original.status} />,
     },
+    {
+      id: "reason",
+      accessorKey: "reason",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Reason</DataTableHeader>
+      ),
+      cell: ({ row }) => {
+        const reason = row.original.reason;
+        return (
+          <span
+            className={"text-nb-gray-400 text-sm"}
+            title={reason}
+          >
+            {reason ? (
+              <span className={"text-nb-gray-100"}>{reason}</span>
+            ) : (
+              <span className={"text-nb-gray-500"}>—</span>
+            )}
+          </span>
+        );
+      },
+    },
     {
       accessorKey: "created_at",
       header: ({ column }) => (
@@ -170,7 +193,10 @@ export default function EnrollmentsTable() {
       try {
         await approveEnrollment(id);
       } catch {
-        // Error is handled by the API error boundary in the provider
+        notify({
+          title: "Failed to approve enrollment",
+          description: "Please try again.",
+        });
       }
     },
     [approveEnrollment],
@@ -181,7 +207,10 @@ export default function EnrollmentsTable() {
       try {
         await rejectEnrollment(id);
       } catch {
-        // Error is handled by the API error boundary in the provider
+        notify({
+          title: "Failed to reject enrollment",
+          description: "Please try again.",
+        });
       }
     },
     [rejectEnrollment],
@@ -195,7 +224,7 @@ export default function EnrollmentsTable() {
   if (!enrollmentsLoading && (!enrollments || enrollments.length === 0)) {
     return (
       <NoResults
-        title="No pending enrollment requests"
+        title="No enrollment requests"
         description="There are no device enrollment requests at this time."
         icon={<ShieldAlertIcon size={20} />}
       />

From af9c7f309ebb3c391d193105912b53edd3d7dd10 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:26:32 +0300
Subject: [PATCH 12/37] fix: move DeviceSecurityProvider to layout, add
 /device-security redirect

---
 src/app/(dashboard)/device-security/devices/page.tsx |  7 +------
 .../(dashboard)/device-security/enrollments/page.tsx |  3 ---
 src/app/(dashboard)/device-security/layout.tsx       | 12 ++++++++++--
 src/app/(dashboard)/device-security/page.tsx         |  5 +++++
 .../(dashboard)/device-security/settings/page.tsx    |  7 +------
 .../(dashboard)/device-security/trusted-cas/page.tsx |  7 +------
 6 files changed, 18 insertions(+), 23 deletions(-)
 create mode 100644 src/app/(dashboard)/device-security/page.tsx

diff --git a/src/app/(dashboard)/device-security/devices/page.tsx b/src/app/(dashboard)/device-security/devices/page.tsx
index 4757659a..957b0584 100644
--- a/src/app/(dashboard)/device-security/devices/page.tsx
+++ b/src/app/(dashboard)/device-security/devices/page.tsx
@@ -1,12 +1,7 @@
 "use client";
 
-import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
 import DevicesTable from "@/modules/device-security/DevicesTable";
 
 export default function DevicesPage() {
-  return (
-    <DeviceSecurityProvider>
-      <DevicesTable />
-    </DeviceSecurityProvider>
-  );
+  return <DevicesTable />;
 }
diff --git a/src/app/(dashboard)/device-security/enrollments/page.tsx b/src/app/(dashboard)/device-security/enrollments/page.tsx
index 5e9d7297..ab928a6a 100644
--- a/src/app/(dashboard)/device-security/enrollments/page.tsx
+++ b/src/app/(dashboard)/device-security/enrollments/page.tsx
@@ -5,7 +5,6 @@ import Paragraph from "@components/Paragraph";
 import SkeletonTable from "@components/skeletons/SkeletonTable";
 import { ShieldCheckIcon } from "lucide-react";
 import React, { lazy, Suspense } from "react";
-import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
 import PageContainer from "@/layouts/PageContainer";
 
 const EnrollmentsTable = lazy(
@@ -15,7 +14,6 @@ const EnrollmentsTable = lazy(
 export default function EnrollmentsPage() {
   return (
     <PageContainer>
-      <DeviceSecurityProvider>
         <div className="p-default py-6">
           <Breadcrumbs>
             <Breadcrumbs.Item
@@ -39,7 +37,6 @@ export default function EnrollmentsPage() {
         <Suspense fallback={<SkeletonTable />}>
           <EnrollmentsTable />
         </Suspense>
-      </DeviceSecurityProvider>
     </PageContainer>
   );
 }
diff --git a/src/app/(dashboard)/device-security/layout.tsx b/src/app/(dashboard)/device-security/layout.tsx
index fabc27ac..6ad601b6 100644
--- a/src/app/(dashboard)/device-security/layout.tsx
+++ b/src/app/(dashboard)/device-security/layout.tsx
@@ -1,8 +1,16 @@
 import { globalMetaTitle } from "@utils/meta";
 import type { Metadata } from "next";
-import BlankLayout from "@/layouts/BlankLayout";
+import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
+import React from "react";
 
 export const metadata: Metadata = {
   title: `Device Security - ${globalMetaTitle}`,
 };
-export default BlankLayout;
+
+export default function DeviceSecurityLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return <DeviceSecurityProvider>{children}</DeviceSecurityProvider>;
+}
diff --git a/src/app/(dashboard)/device-security/page.tsx b/src/app/(dashboard)/device-security/page.tsx
new file mode 100644
index 00000000..7ce120ef
--- /dev/null
+++ b/src/app/(dashboard)/device-security/page.tsx
@@ -0,0 +1,5 @@
+import { redirect } from "next/navigation";
+
+export default function DeviceSecurityPage() {
+  redirect("/device-security/settings");
+}
diff --git a/src/app/(dashboard)/device-security/settings/page.tsx b/src/app/(dashboard)/device-security/settings/page.tsx
index 3917d8c8..012b1181 100644
--- a/src/app/(dashboard)/device-security/settings/page.tsx
+++ b/src/app/(dashboard)/device-security/settings/page.tsx
@@ -1,12 +1,7 @@
 "use client";
 
 import DeviceSecuritySettings from "@/modules/device-security/DeviceSecuritySettings";
-import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
 
 export default function SettingsPage() {
-  return (
-    <DeviceSecurityProvider>
-      <DeviceSecuritySettings />
-    </DeviceSecurityProvider>
-  );
+  return <DeviceSecuritySettings />;
 }
diff --git a/src/app/(dashboard)/device-security/trusted-cas/page.tsx b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
index d18ef565..c426fa12 100644
--- a/src/app/(dashboard)/device-security/trusted-cas/page.tsx
+++ b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
@@ -1,12 +1,7 @@
 "use client";
 
-import { DeviceSecurityProvider } from "@/contexts/DeviceSecurityProvider";
 import TrustedCAsTable from "@/modules/device-security/TrustedCAsTable";
 
 export default function TrustedCAsPage() {
-  return (
-    <DeviceSecurityProvider>
-      <TrustedCAsTable />
-    </DeviceSecurityProvider>
-  );
+  return <TrustedCAsTable />;
 }

From f89fe657ed0d56736812a4929286dffdbb07124d Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:27:40 +0300
Subject: [PATCH 13/37] fix: remove unsupported title prop from Callout in
 settings error state

---
 src/modules/device-security/DeviceSecuritySettings.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index bedf6c3f..6842b2df 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -167,8 +167,8 @@ export default function DeviceSecuritySettings() {
     return (
       <PageContainer>
         <div className={"p-default py-6 max-w-2xl"}>
-          <Callout variant={"error"} title={"Failed to load settings"}>
-            Could not load device security settings. Please refresh the page and try again.
+          <Callout variant={"error"}>
+            Failed to load device security settings. Please refresh the page and try again.
           </Callout>
         </div>
       </PageContainer>

From 9f57b5170baaf83448cc5b3555620a3b042085fb Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Fri, 10 Apr 2026 18:30:35 +0300
Subject: [PATCH 14/37] fix: align CAType values with backend
 (builtin/vault/smallstep/scep, not external)

---
 src/interfaces/DeviceSecurity.ts                       | 2 +-
 src/modules/device-security/DeviceSecuritySettings.tsx | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index a79de97d..4eddc5b1 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -4,7 +4,7 @@ export type DeviceAuthMode =
   | "cert-only"
   | "cert-and-sso";
 export type EnrollmentMode = "manual" | "attestation" | "both";
-export type CAType = "builtin" | "external";
+export type CAType = "builtin" | "vault" | "smallstep" | "scep";
 
 export interface DeviceAuthSettings {
   mode: DeviceAuthMode;
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index 6842b2df..ebbd4ec0 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -34,7 +34,7 @@ import PageContainer from "@/layouts/PageContainer";
 
 const DEVICE_AUTH_MODES: DeviceAuthMode[] = ["disabled", "optional", "cert-only", "cert-and-sso"];
 const ENROLLMENT_MODES: EnrollmentMode[] = ["manual", "attestation", "both"];
-const CA_TYPES: CAType[] = ["builtin", "external"];
+const CA_TYPES: CAType[] = ["builtin", "vault", "smallstep", "scep"];
 
 function isDeviceAuthMode(v: string): v is DeviceAuthMode {
   return DEVICE_AUTH_MODES.includes(v as DeviceAuthMode);
@@ -68,7 +68,9 @@ const ENROLLMENT_LABELS: Record<EnrollmentMode, string> = {
 
 const CA_TYPE_LABELS: Record<CAType, string> = {
   builtin: "Built-in CA",
-  external: "External CA",
+  vault: "HashiCorp Vault",
+  smallstep: "Smallstep CA",
+  scep: "SCEP",
 };
 
 export default function DeviceSecuritySettings() {

From 44f00372238798185f37b3bb7ae53e20d5b4538e Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 13:02:33 +0300
Subject: [PATCH 15/37] feat(device-security): add CA config and inventory
 types and provider methods

---
 src/contexts/DeviceSecurityProvider.tsx | 66 +++++++++++++++++++
 src/interfaces/DeviceSecurity.ts        | 88 +++++++++++++++++++++++++
 2 files changed, 154 insertions(+)

diff --git a/src/contexts/DeviceSecurityProvider.tsx b/src/contexts/DeviceSecurityProvider.tsx
index 6fe765e7..416517eb 100644
--- a/src/contexts/DeviceSecurityProvider.tsx
+++ b/src/contexts/DeviceSecurityProvider.tsx
@@ -4,9 +4,12 @@ import useFetchApi, { useApiCall } from "@utils/api";
 import React, { useCallback, useMemo } from "react";
 import { useSWRConfig } from "swr";
 import type {
+  CAConfig,
+  CATestResult,
   DeviceAuthSettings,
   DeviceCert,
   DeviceEnrollment,
+  InventoryConfig,
   TrustedCA,
 } from "@/interfaces/DeviceSecurity";
 
@@ -33,6 +36,17 @@ type DeviceSecurityContextValue = {
   trustedCAsLoading: boolean;
   addTrustedCA: (name: string, pem: string) => Promise<TrustedCA>;
   deleteTrustedCA: (id: string) => Promise<void>;
+
+  // CA Config
+  caConfig: CAConfig | undefined;
+  caConfigLoading: boolean;
+  updateCAConfig: (config: CAConfig) => Promise<CAConfig>;
+  testCAConnection: (config: CAConfig) => Promise<CATestResult>;
+
+  // Inventory Config
+  inventoryConfig: InventoryConfig | undefined;
+  inventoryConfigLoading: boolean;
+  updateInventoryConfig: (config: InventoryConfig) => Promise<InventoryConfig>;
 };
 
 const DeviceSecurityContext = React.createContext(
@@ -64,12 +78,23 @@ export function DeviceSecurityProvider({
   const { data: trustedCAs, isLoading: trustedCAsLoading } =
     useFetchApi<TrustedCA[]>("/device-auth/trusted-cas");
 
+  const { data: caConfig, isLoading: caConfigLoading } =
+    useFetchApi<CAConfig>("/device-auth/ca/config");
+
+  const { data: inventoryConfig, isLoading: inventoryConfigLoading } =
+    useFetchApi<InventoryConfig>("/device-auth/inventory/config");
+
   const settingsRequest = useApiCall<DeviceAuthSettings>(
     "/device-auth/settings",
   );
   const enrollmentRequest = useApiCall<void>("/device-auth/enrollments");
   const deviceRequest = useApiCall<void>("/device-auth/devices");
   const caRequest = useApiCall<TrustedCA>("/device-auth/trusted-cas");
+  const caConfigRequest = useApiCall<CAConfig>("/device-auth/ca/config");
+  const caTestRequest = useApiCall<CATestResult>("/device-auth/ca/test");
+  const inventoryConfigRequest = useApiCall<InventoryConfig>(
+    "/device-auth/inventory/config",
+  );
 
   const updateSettings = useCallback(
     async (s: Partial<DeviceAuthSettings>) => {
@@ -129,6 +154,31 @@ export function DeviceSecurityProvider({
     [caRequest, mutate],
   );
 
+  const updateCAConfig = useCallback(
+    async (config: CAConfig) => {
+      const updated = await caConfigRequest.put(config);
+      await mutate("/device-auth/ca/config");
+      return updated;
+    },
+    [caConfigRequest, mutate],
+  );
+
+  const testCAConnection = useCallback(
+    async (config: CAConfig) => {
+      return await caTestRequest.post(config);
+    },
+    [caTestRequest],
+  );
+
+  const updateInventoryConfig = useCallback(
+    async (config: InventoryConfig) => {
+      const updated = await inventoryConfigRequest.put(config);
+      await mutate("/device-auth/inventory/config");
+      return updated;
+    },
+    [inventoryConfigRequest, mutate],
+  );
+
   const value = useMemo(
     () => ({
       settings,
@@ -146,6 +196,13 @@ export function DeviceSecurityProvider({
       trustedCAsLoading,
       addTrustedCA,
       deleteTrustedCA,
+      caConfig,
+      caConfigLoading,
+      updateCAConfig,
+      testCAConnection,
+      inventoryConfig,
+      inventoryConfigLoading,
+      updateInventoryConfig,
     }),
     [
       settings,
@@ -163,6 +220,13 @@ export function DeviceSecurityProvider({
       trustedCAsLoading,
       addTrustedCA,
       deleteTrustedCA,
+      caConfig,
+      caConfigLoading,
+      updateCAConfig,
+      testCAConnection,
+      inventoryConfig,
+      inventoryConfigLoading,
+      updateInventoryConfig,
     ],
   );
 
@@ -174,3 +238,5 @@ export function DeviceSecurityProvider({
 }
 
 export const useDeviceSecurity = () => React.useContext(DeviceSecurityContext);
+export const useDeviceSecurityContext = () =>
+  React.useContext(DeviceSecurityContext);
diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index 4eddc5b1..0b0c8f05 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -41,3 +41,91 @@ export interface TrustedCA {
   name: string;
   created_at: string;
 }
+
+// CA config types — for /device-auth/ca/config endpoints
+
+export interface VaultCAConfig {
+  address: string;
+  token: string; // empty in GET response (redacted)
+  has_token: boolean;
+  mount: string;
+  role: string;
+  namespace: string;
+  timeout_seconds: number;
+}
+
+export interface SmallstepCAConfig {
+  url: string;
+  provisioner_token: string; // empty in GET response
+  has_provisioner_token: boolean;
+  fingerprint: string;
+  timeout_seconds: number;
+}
+
+export interface SCEPCAConfig {
+  url: string;
+  challenge: string; // empty in GET response
+  has_challenge: boolean;
+  timeout_seconds: number;
+}
+
+export interface CAConfig {
+  ca_type: CAType;
+  vault?: VaultCAConfig;
+  smallstep?: SmallstepCAConfig;
+  scep?: SCEPCAConfig;
+}
+
+// CA test result types — for /device-auth/ca/test endpoint
+
+export type CATestStepStatus = "ok" | "error" | "skipped";
+
+export interface CATestStep {
+  name: string;
+  status: CATestStepStatus;
+  detail: string;
+  fix_hint?: string;
+  elapsed_ms: number;
+}
+
+export interface CATestResult {
+  success: boolean;
+  steps: CATestStep[];
+}
+
+// Inventory config types — for /device-auth/inventory/config endpoints
+
+export type InventoryType =
+  | "static"
+  | "intune"
+  | "jamf"
+  | "fleetdm"
+  | "webhook";
+
+export interface StaticInventoryConfig {
+  peers: string[];
+  serial_count: number;
+}
+
+export interface IntuneInventoryConfig {
+  tenant_id: string;
+  client_id: string;
+  client_secret: string; // empty in GET response
+  has_client_secret: boolean;
+  require_compliance: boolean;
+}
+
+export interface JamfInventoryConfig {
+  jamf_url: string;
+  username: string;
+  password: string; // empty in GET response
+  has_password: boolean;
+  require_management: boolean;
+}
+
+export interface InventoryConfig {
+  inventory_type: InventoryType;
+  static?: StaticInventoryConfig;
+  intune?: IntuneInventoryConfig;
+  jamf?: JamfInventoryConfig;
+}

From f046ee4521e029921abcd5db0dbe72c059f7f1aa Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 13:48:23 +0300
Subject: [PATCH 16/37] feat(device-security): add Inventory nav item and
 update Trusted CAs callout

---
 .../device-security/trusted-cas/page.tsx      | 51 ++++++++++++++++++-
 src/layouts/Navigation.tsx                    |  7 +++
 2 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/src/app/(dashboard)/device-security/trusted-cas/page.tsx b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
index c426fa12..86551983 100644
--- a/src/app/(dashboard)/device-security/trusted-cas/page.tsx
+++ b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
@@ -1,7 +1,54 @@
 "use client";
 
-import TrustedCAsTable from "@/modules/device-security/TrustedCAsTable";
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { usePortalElement } from "@hooks/usePortalElement";
+import { InfoIcon, ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const TrustedCAsTable = lazy(
+  () => import("@/modules/device-security/TrustedCAsTable"),
+);
 
 export default function TrustedCAsPage() {
-  return <TrustedCAsTable />;
+  const { ref: headingRef, portalTarget } =
+    usePortalElement<HTMLHeadingElement>();
+
+  return (
+    <PageContainer>
+      <div className={"p-default py-6"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security/trusted-cas"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/trusted-cas"}
+            label={"Trusted CAs"}
+            active
+          />
+        </Breadcrumbs>
+        <h1 ref={headingRef}>Trusted CAs</h1>
+        <Paragraph>
+          Certificate Authorities trusted for device authentication. Upload CA
+          certificates when devices bring their own certificates signed by
+          external authorities.
+        </Paragraph>
+        <div className="mt-3 flex items-start gap-2 rounded-lg border border-blue-200 bg-blue-50 p-3 dark:border-blue-800 dark:bg-blue-950">
+          <InfoIcon className="mt-0.5 h-4 w-4 shrink-0 text-blue-500" />
+          <p className="text-sm text-blue-700 dark:text-blue-300">
+            Trusted CAs are used when devices present certificates signed by an
+            external CA. This is different from the built-in CA used for
+            certificate issuance.
+          </p>
+        </div>
+      </div>
+      <Suspense fallback={<SkeletonTable />}>
+        <TrustedCAsTable headingTarget={portalTarget} />
+      </Suspense>
+    </PageContainer>
+  );
 }
diff --git a/src/layouts/Navigation.tsx b/src/layouts/Navigation.tsx
index c202ca81..058710cd 100644
--- a/src/layouts/Navigation.tsx
+++ b/src/layouts/Navigation.tsx
@@ -207,6 +207,13 @@ export default function Navigation({
                     exactPathMatch={true}
                     visible={!isRestricted}
                   />
+                  <SidebarItem
+                    label="Inventory"
+                    href="/device-security/inventory"
+                    isChild
+                    exactPathMatch={true}
+                    visible={!isRestricted}
+                  />
                   <SidebarItem
                     label="Enrollments"
                     href="/device-security/enrollments"

From 285a409180be541a0b806debc2d6582bf0e8c044 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 14:44:21 +0300
Subject: [PATCH 17/37] feat(device-security): redesign settings page with CA
 config, enrollment hints, and CRL section

---
 .../device-security/CAConfigSection.tsx       | 191 +++++++++++++++
 src/modules/device-security/CATestPanel.tsx   |  86 +++++++
 .../DeviceSecuritySettings.tsx                | 226 ++++++++++++------
 3 files changed, 424 insertions(+), 79 deletions(-)
 create mode 100644 src/modules/device-security/CAConfigSection.tsx
 create mode 100644 src/modules/device-security/CATestPanel.tsx

diff --git a/src/modules/device-security/CAConfigSection.tsx b/src/modules/device-security/CAConfigSection.tsx
new file mode 100644
index 00000000..1ed13139
--- /dev/null
+++ b/src/modules/device-security/CAConfigSection.tsx
@@ -0,0 +1,191 @@
+"use client";
+
+import { Eye, EyeOff } from "lucide-react";
+import React, { useState } from "react";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import type {
+  CAConfig,
+  CAType,
+  SCEPCAConfig,
+  SmallstepCAConfig,
+  VaultCAConfig,
+} from "@/interfaces/DeviceSecurity";
+
+interface PasswordFieldProps {
+  id: string;
+  label: string;
+  value: string;
+  hasExisting?: boolean;
+  onChange: (value: string) => void;
+}
+
+function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFieldProps) {
+  const [show, setShow] = useState(false);
+  return (
+    <div className="flex flex-col gap-1">
+      <Label htmlFor={id}>{label}</Label>
+      <div className="relative">
+        <Input
+          id={id}
+          type={show ? "text" : "password"}
+          value={value}
+          placeholder={hasExisting && !value ? "••••••••" : undefined}
+          onChange={(e) => onChange(e.target.value)}
+          className="pr-10"
+        />
+        <button
+          type="button"
+          className="absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+          onClick={() => setShow((s) => !s)}
+          aria-label={show ? "Hide" : "Show"}
+        >
+          {show ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+        </button>
+      </div>
+    </div>
+  );
+}
+
+const DEFAULT_VAULT: VaultCAConfig = {
+  address: "",
+  token: "",
+  has_token: false,
+  mount: "pki",
+  role: "netbird",
+  namespace: "",
+  timeout_seconds: 30,
+};
+
+const DEFAULT_SMALLSTEP: SmallstepCAConfig = {
+  url: "",
+  provisioner_token: "",
+  has_provisioner_token: false,
+  fingerprint: "",
+  timeout_seconds: 30,
+};
+
+const DEFAULT_SCEP: SCEPCAConfig = {
+  url: "",
+  challenge: "",
+  has_challenge: false,
+  timeout_seconds: 30,
+};
+
+interface CAConfigSectionProps {
+  caType: CAType;
+  config: CAConfig;
+  onChange: (config: CAConfig) => void;
+}
+
+export function CAConfigSection({ caType, config, onChange }: CAConfigSectionProps) {
+  const updateVault = (updates: Partial<VaultCAConfig>) =>
+    onChange({ ...config, ca_type: caType, vault: { ...(config.vault ?? DEFAULT_VAULT), ...updates } });
+
+  const updateSmallstep = (updates: Partial<SmallstepCAConfig>) =>
+    onChange({ ...config, ca_type: caType, smallstep: { ...(config.smallstep ?? DEFAULT_SMALLSTEP), ...updates } });
+
+  const updateSCEP = (updates: Partial<SCEPCAConfig>) =>
+    onChange({ ...config, ca_type: caType, scep: { ...(config.scep ?? DEFAULT_SCEP), ...updates } });
+
+  if (caType === "builtin") return null;
+
+  const title =
+    caType === "vault"
+      ? "HashiCorp Vault Configuration"
+      : caType === "smallstep"
+        ? "Smallstep CA Configuration"
+        : "SCEP Configuration";
+
+  return (
+    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
+      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">{title}</p>
+
+      {caType === "vault" && (
+        <div className="flex flex-col gap-3">
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="vault-address">Vault Address</Label>
+            <Input
+              id="vault-address"
+              type="url"
+              placeholder="https://vault.example.com:8200"
+              value={config.vault?.address ?? ""}
+              onChange={(e) => updateVault({ address: e.target.value })}
+            />
+          </div>
+          <PasswordField
+            id="vault-token"
+            label="Token"
+            value={config.vault?.token ?? ""}
+            hasExisting={config.vault?.has_token}
+            onChange={(v) => updateVault({ token: v })}
+          />
+          <div className="grid grid-cols-2 gap-3">
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-mount">Mount</Label>
+              <Input id="vault-mount" placeholder="pki" value={config.vault?.mount ?? ""} onChange={(e) => updateVault({ mount: e.target.value })} />
+            </div>
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-role">Role</Label>
+              <Input id="vault-role" placeholder="netbird" value={config.vault?.role ?? ""} onChange={(e) => updateVault({ role: e.target.value })} />
+            </div>
+          </div>
+          <div className="grid grid-cols-2 gap-3">
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-namespace">Namespace (optional)</Label>
+              <Input id="vault-namespace" value={config.vault?.namespace ?? ""} onChange={(e) => updateVault({ namespace: e.target.value })} />
+            </div>
+            <div className="flex flex-col gap-1">
+              <Label htmlFor="vault-timeout">Timeout (seconds)</Label>
+              <Input id="vault-timeout" type="number" min={1} max={300} value={config.vault?.timeout_seconds ?? 30} onChange={(e) => updateVault({ timeout_seconds: parseInt(e.target.value, 10) || 30 })} />
+            </div>
+          </div>
+        </div>
+      )}
+
+      {caType === "smallstep" && (
+        <div className="flex flex-col gap-3">
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="step-url">Smallstep CA URL</Label>
+            <Input id="step-url" type="url" placeholder="https://ca.example.com" value={config.smallstep?.url ?? ""} onChange={(e) => updateSmallstep({ url: e.target.value })} />
+          </div>
+          <PasswordField
+            id="step-token"
+            label="Provisioner Token"
+            value={config.smallstep?.provisioner_token ?? ""}
+            hasExisting={config.smallstep?.has_provisioner_token}
+            onChange={(v) => updateSmallstep({ provisioner_token: v })}
+          />
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="step-fingerprint">Root CA Fingerprint</Label>
+            <Input id="step-fingerprint" placeholder="sha256:abc123..." value={config.smallstep?.fingerprint ?? ""} onChange={(e) => updateSmallstep({ fingerprint: e.target.value })} />
+          </div>
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="step-timeout">Timeout (seconds)</Label>
+            <Input id="step-timeout" type="number" min={1} max={300} value={config.smallstep?.timeout_seconds ?? 30} onChange={(e) => updateSmallstep({ timeout_seconds: parseInt(e.target.value, 10) || 30 })} />
+          </div>
+        </div>
+      )}
+
+      {caType === "scep" && (
+        <div className="flex flex-col gap-3">
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="scep-url">SCEP URL</Label>
+            <Input id="scep-url" type="url" placeholder="https://scep.example.com/scep" value={config.scep?.url ?? ""} onChange={(e) => updateSCEP({ url: e.target.value })} />
+          </div>
+          <PasswordField
+            id="scep-challenge"
+            label="Challenge (optional)"
+            value={config.scep?.challenge ?? ""}
+            hasExisting={config.scep?.has_challenge}
+            onChange={(v) => updateSCEP({ challenge: v })}
+          />
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="scep-timeout">Timeout (seconds)</Label>
+            <Input id="scep-timeout" type="number" min={1} max={300} value={config.scep?.timeout_seconds ?? 30} onChange={(e) => updateSCEP({ timeout_seconds: parseInt(e.target.value, 10) || 30 })} />
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/src/modules/device-security/CATestPanel.tsx b/src/modules/device-security/CATestPanel.tsx
new file mode 100644
index 00000000..7a79c7fa
--- /dev/null
+++ b/src/modules/device-security/CATestPanel.tsx
@@ -0,0 +1,86 @@
+"use client";
+
+import { CheckCircle, ChevronDown, ChevronUp, MinusCircle, XCircle } from "lucide-react";
+import React, { useState } from "react";
+import type { CATestResult, CATestStep } from "@/interfaces/DeviceSecurity";
+
+const STEP_LABELS: Record<string, string> = {
+  generate_csr: "Generate CSR",
+  sign_certificate: "Sign Certificate",
+  verify_certificate: "Verify Certificate",
+  revoke_certificate: "Revoke Certificate",
+  verify_crl: "Verify CRL",
+};
+
+function StepRow({ step }: { step: CATestStep }) {
+  const [expanded, setExpanded] = useState(step.status === "error");
+  const hasDetails = Boolean(step.detail || step.fix_hint);
+
+  const icon =
+    step.status === "ok" ? (
+      <CheckCircle className="h-4 w-4 shrink-0 text-green-500" />
+    ) : step.status === "error" ? (
+      <XCircle className="h-4 w-4 shrink-0 text-red-500" />
+    ) : (
+      <MinusCircle className="h-4 w-4 shrink-0 text-gray-400" />
+    );
+
+  return (
+    <div className="flex flex-col gap-1">
+      <div className="flex items-center justify-between gap-2">
+        <div className="flex items-center gap-2">
+          {icon}
+          <span className="text-sm font-medium">{STEP_LABELS[step.name] ?? step.name}</span>
+          {step.elapsed_ms > 0 && (
+            <span className="text-xs text-gray-400">{step.elapsed_ms}ms</span>
+          )}
+        </div>
+        {hasDetails && (
+          <button
+            type="button"
+            onClick={() => setExpanded((e) => !e)}
+            className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+          >
+            {expanded ? <ChevronUp className="h-3 w-3" /> : <ChevronDown className="h-3 w-3" />}
+          </button>
+        )}
+      </div>
+      {expanded && step.detail && (
+        <p className="ml-6 text-xs text-gray-500 dark:text-gray-400">{step.detail}</p>
+      )}
+      {expanded && step.fix_hint && (
+        <div className="ml-6 rounded bg-red-50 p-2 text-xs text-red-700 dark:bg-red-950 dark:text-red-300">
+          <span className="font-medium">How to fix: </span>
+          {step.fix_hint}
+        </div>
+      )}
+    </div>
+  );
+}
+
+export function CATestPanel({ result }: { result: CATestResult }) {
+  return (
+    <div
+      className={`flex flex-col gap-3 rounded-lg border p-4 ${
+        result.success
+          ? "border-green-200 bg-green-50 dark:border-green-800 dark:bg-green-950"
+          : "border-red-200 bg-red-50 dark:border-red-800 dark:bg-red-950"
+      }`}
+    >
+      <p
+        className={`text-sm font-semibold ${
+          result.success
+            ? "text-green-700 dark:text-green-300"
+            : "text-red-700 dark:text-red-300"
+        }`}
+      >
+        {result.success ? "All tests passed" : "Test failed"}
+      </p>
+      <div className="flex flex-col gap-2">
+        {result.steps.map((step) => (
+          <StepRow key={step.name} step={step} />
+        ))}
+      </div>
+    </div>
+  );
+}
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index ebbd4ec0..0d1aaa81 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -3,7 +3,6 @@
 import Breadcrumbs from "@components/Breadcrumbs";
 import Button from "@components/Button";
 import { Callout } from "@components/Callout";
-import FancyToggleSwitch from "@components/FancyToggleSwitch";
 import HelpText from "@components/HelpText";
 import { Input } from "@components/Input";
 import { Label } from "@components/Label";
@@ -19,18 +18,24 @@ import {
 import { useHasChanges } from "@hooks/useHasChanges";
 import {
   AlertTriangleIcon,
+  InfoIcon,
   KeyIcon,
   ShieldCheckIcon,
 } from "lucide-react";
+import Link from "next/link";
 import React, { useCallback, useEffect, useState } from "react";
 import Skeleton from "react-loading-skeleton";
-import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
+import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
 import type {
+  CAConfig,
+  CATestResult,
   CAType,
   DeviceAuthMode,
   EnrollmentMode,
 } from "@/interfaces/DeviceSecurity";
 import PageContainer from "@/layouts/PageContainer";
+import { CAConfigSection } from "./CAConfigSection";
+import { CATestPanel } from "./CATestPanel";
 
 const DEVICE_AUTH_MODES: DeviceAuthMode[] = ["disabled", "optional", "cert-only", "cert-and-sso"];
 const ENROLLMENT_MODES: EnrollmentMode[] = ["manual", "attestation", "both"];
@@ -66,6 +71,12 @@ const ENROLLMENT_LABELS: Record<EnrollmentMode, string> = {
   both: "Both",
 };
 
+const ENROLLMENT_DESCRIPTIONS: Record<EnrollmentMode, string> = {
+  manual: "You approve each device. New devices wait in the Enrollments queue until an admin clicks Approve",
+  attestation: "Managed devices are approved automatically. Requires MDM (Intune or Jamf) or a static device allow-list",
+  both: "Managed devices get in automatically; unmanaged devices wait for manual approval",
+};
+
 const CA_TYPE_LABELS: Record<CAType, string> = {
   builtin: "Built-in CA",
   vault: "HashiCorp Vault",
@@ -74,15 +85,23 @@ const CA_TYPE_LABELS: Record<CAType, string> = {
 };
 
 export default function DeviceSecuritySettings() {
-  const { settings, settingsLoading, updateSettings, devices } =
-    useDeviceSecurity();
+  const {
+    settings,
+    settingsLoading,
+    updateSettings,
+    devices,
+    caConfig,
+    updateCAConfig,
+    testCAConnection,
+  } = useDeviceSecurityContext();
 
   const [mode, setMode] = useState<DeviceAuthMode>("disabled");
   const [enrollmentMode, setEnrollmentMode] = useState<EnrollmentMode>("manual");
   const [caType, setCaType] = useState<CAType>("builtin");
   const [certValidityDays, setCertValidityDays] = useState(365);
-  const [ocspEnabled, setOcspEnabled] = useState(false);
-  const [failOpenOnOcsp, setFailOpenOnOcsp] = useState(false);
+  const [localCAConfig, setLocalCAConfig] = useState<CAConfig>({ ca_type: "builtin" });
+  const [testResult, setTestResult] = useState<CATestResult | null>(null);
+  const [testing, setTesting] = useState(false);
 
   useEffect(() => {
     if (!settings) return;
@@ -90,22 +109,21 @@ export default function DeviceSecuritySettings() {
     setEnrollmentMode(settings.enrollment_mode);
     setCaType(settings.ca_type);
     setCertValidityDays(settings.cert_validity_days);
-    setOcspEnabled(settings.ocsp_enabled);
-    setFailOpenOnOcsp(settings.fail_open_on_ocsp_unavailable);
   }, [settings]);
 
+  useEffect(() => {
+    if (caConfig) setLocalCAConfig(caConfig);
+  }, [caConfig]);
+
   const { hasChanges, updateRef } = useHasChanges([
     mode,
     enrollmentMode,
     caType,
     certValidityDays,
-    ocspEnabled,
-    failOpenOnOcsp,
+    localCAConfig,
   ]);
 
-  const activeCertCount =
-    devices?.filter((d) => !d.revoked).length ?? 0;
-
+  const activeCertCount = devices?.filter((d) => !d.revoked).length ?? 0;
   const showCertOnlyWarning =
     (mode === "cert-only" || mode === "cert-and-sso") && activeCertCount === 0;
 
@@ -113,24 +131,19 @@ export default function DeviceSecuritySettings() {
     notify({
       title: "Device Security Settings",
       description: "Settings saved successfully.",
-      promise: updateSettings({
-        mode,
-        enrollment_mode: enrollmentMode,
-        ca_type: caType,
-        cert_validity_days: certValidityDays,
-        ocsp_enabled: ocspEnabled,
-        fail_open_on_ocsp_unavailable: failOpenOnOcsp,
-        inventory_type: settings?.inventory_type ?? "",
-      }).then(() => {
-        updateRef([
+      promise: (async () => {
+        await updateSettings({
           mode,
-          enrollmentMode,
-          caType,
-          certValidityDays,
-          ocspEnabled,
-          failOpenOnOcsp,
-        ]);
-      }),
+          enrollment_mode: enrollmentMode,
+          ca_type: caType,
+          cert_validity_days: certValidityDays,
+          inventory_type: settings?.inventory_type ?? "",
+        });
+        if (caType !== "builtin") {
+          await updateCAConfig(localCAConfig);
+        }
+        updateRef([mode, enrollmentMode, caType, certValidityDays, localCAConfig]);
+      })(),
       loadingMessage: "Saving device security settings...",
     });
   }, [
@@ -138,13 +151,24 @@ export default function DeviceSecuritySettings() {
     enrollmentMode,
     caType,
     certValidityDays,
-    ocspEnabled,
-    failOpenOnOcsp,
+    localCAConfig,
     settings,
     updateSettings,
+    updateCAConfig,
     updateRef,
   ]);
 
+  const handleTestCA = useCallback(async () => {
+    setTesting(true);
+    setTestResult(null);
+    try {
+      const result = await testCAConnection(localCAConfig);
+      setTestResult(result);
+    } finally {
+      setTesting(false);
+    }
+  }, [localCAConfig, testCAConnection]);
+
   if (settingsLoading) {
     return (
       <PageContainer>
@@ -217,7 +241,12 @@ export default function DeviceSecuritySettings() {
             label="Authentication Mode"
             help="Controls how device certificates are used for authentication"
           >
-            <Select value={mode} onValueChange={(v) => { if (isDeviceAuthMode(v)) setMode(v); }}>
+            <Select
+              value={mode}
+              onValueChange={(v) => {
+                if (isDeviceAuthMode(v)) setMode(v);
+              }}
+            >
               <SelectTrigger>
                 <SelectValue />
               </SelectTrigger>
@@ -249,14 +278,20 @@ export default function DeviceSecuritySettings() {
           >
             <Select
               value={enrollmentMode}
-              onValueChange={(v) => { if (isEnrollmentMode(v)) setEnrollmentMode(v); }}
+              onValueChange={(v) => {
+                if (isEnrollmentMode(v)) setEnrollmentMode(v);
+              }}
             >
               <SelectTrigger>
                 <SelectValue />
               </SelectTrigger>
               <SelectContent>
                 {Object.entries(ENROLLMENT_LABELS).map(([value, label]) => (
-                  <SelectItem key={value} value={value}>
+                  <SelectItem
+                    key={value}
+                    value={value}
+                    description={ENROLLMENT_DESCRIPTIONS[value as EnrollmentMode]}
+                  >
                     {label}
                   </SelectItem>
                 ))}
@@ -264,14 +299,34 @@ export default function DeviceSecuritySettings() {
             </Select>
           </SettingRow>
 
-          {/* CA Type */}
+          {/* Attestation callout */}
+          {(enrollmentMode === "attestation" || enrollmentMode === "both") && (
+            <div className="flex items-start gap-3 rounded-lg border border-blue-200 bg-blue-50 p-3 dark:border-blue-800 dark:bg-blue-950">
+              <InfoIcon className="mt-0.5 h-4 w-4 shrink-0 text-blue-500" />
+              <div className="flex-1">
+                <p className="text-sm text-blue-700 dark:text-blue-300">
+                  Attestation requires inventory configuration. Configure your MDM (Intune, Jamf) or a static device allow-list.
+                </p>
+              </div>
+              <Link
+                href="/device-security/inventory"
+                className="shrink-0 text-sm font-medium text-blue-600 hover:underline dark:text-blue-400"
+              >
+                Go to Inventory →
+              </Link>
+            </div>
+          )}
+
+          {/* Certificate Authority */}
           <SettingRow
             label="Certificate Authority"
             help="Choose between the built-in CA or an external CA for signing device certificates"
           >
             <Select
               value={caType}
-              onValueChange={(v) => { if (isCAType(v)) setCaType(v); }}
+              onValueChange={(v) => {
+                if (isCAType(v)) setCaType(v);
+              }}
             >
               <SelectTrigger>
                 <SelectValue />
@@ -286,51 +341,64 @@ export default function DeviceSecuritySettings() {
             </Select>
           </SettingRow>
 
-          {/* Certificate Validity */}
-          <SettingRow
-            label="Certificate Validity (days)"
-            help="Number of days a device certificate remains valid after issuance"
-          >
-            <Input
-              type={"number"}
-              min={1}
-              max={3650}
-              value={certValidityDays}
-              onChange={(e) => {
-                const parsed = parseInt(e.target.value, 10);
-                if (Number.isNaN(parsed)) return;
-                setCertValidityDays(Math.max(1, Math.min(3650, parsed)));
-              }}
-              data-cy={"cert-validity-days"}
+          {/* CA-specific config section */}
+          {caType !== "builtin" && (
+            <CAConfigSection
+              caType={caType}
+              config={localCAConfig}
+              onChange={setLocalCAConfig}
             />
-          </SettingRow>
+          )}
 
-          {/* OCSP Enabled */}
-          <FancyToggleSwitch
-            value={ocspEnabled}
-            onChange={setOcspEnabled}
-            label={
-              <>
-                <ShieldCheckIcon size={15} />
-                Enable OCSP
-              </>
-            }
-            helpText={
-              "Enable Online Certificate Status Protocol for real-time certificate revocation checking"
-            }
-          />
+          {/* Test Connection */}
+          {caType !== "builtin" && (
+            <div className="flex items-center gap-3">
+              <Button
+                variant={"secondary"}
+                disabled={testing}
+                onClick={handleTestCA}
+              >
+                {testing ? "Testing..." : "Test Connection"}
+              </Button>
+              {testing && (
+                <span className="text-sm text-gray-500">Running CA test...</span>
+              )}
+            </div>
+          )}
 
-          {/* Fail Open on OCSP Unavailable */}
-          {ocspEnabled && (
-            <FancyToggleSwitch
-              value={failOpenOnOcsp}
-              onChange={setFailOpenOnOcsp}
-              label={"Fail open on OCSP unavailable"}
-              helpText={
-                "Allow connections when the OCSP responder is unreachable. Disabling this may cause connectivity issues if the OCSP service goes down."
-              }
-            />
+          {/* CA test results */}
+          {testResult && <CATestPanel result={testResult} />}
+
+          {/* Certificate Validity — only for built-in CA */}
+          {caType === "builtin" && (
+            <SettingRow
+              label="Certificate Validity (days)"
+              help="Number of days a device certificate remains valid after issuance"
+            >
+              <Input
+                type={"number"}
+                min={1}
+                max={3650}
+                value={certValidityDays}
+                onChange={(e) => {
+                  const parsed = parseInt(e.target.value, 10);
+                  if (Number.isNaN(parsed)) return;
+                  setCertValidityDays(Math.max(1, Math.min(3650, parsed)));
+                }}
+                data-cy={"cert-validity-days"}
+              />
+            </SettingRow>
           )}
+
+          {/* Certificate Revocation */}
+          <SettingRow
+            label="Certificate Revocation"
+            help="Revocation uses CRL (Certificate Revocation List), published every 12 hours."
+          >
+            <p className="font-mono text-sm text-gray-500 dark:text-gray-400">
+              {"GET /api/v1/device-auth/crl?account=<id>"}
+            </p>
+          </SettingRow>
         </div>
       </div>
     </PageContainer>
@@ -349,7 +417,7 @@ function SettingRow({
   return (
     <div
       className={
-        "flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-center"
+        "flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-start"
       }
     >
       <div className={"min-w-[330px]"}>

From 69dc5e0463b87a2af18bb83aa100d5c29a3c9257 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:21:34 +0300
Subject: [PATCH 18/37] fix: spec compliance corrections for settings page

---
 .../device-security/DeviceSecuritySettings.tsx | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index 0d1aaa81..71346c67 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -18,7 +18,6 @@ import {
 import { useHasChanges } from "@hooks/useHasChanges";
 import {
   AlertTriangleIcon,
-  InfoIcon,
   KeyIcon,
   ShieldCheckIcon,
 } from "lucide-react";
@@ -73,7 +72,7 @@ const ENROLLMENT_LABELS: Record<EnrollmentMode, string> = {
 
 const ENROLLMENT_DESCRIPTIONS: Record<EnrollmentMode, string> = {
   manual: "You approve each device. New devices wait in the Enrollments queue until an admin clicks Approve",
-  attestation: "Managed devices are approved automatically. Requires MDM (Intune or Jamf) or a static device allow-list",
+  attestation: "Managed devices are approved automatically. Requires your MDM (Intune or Jamf) or a static device allow-list to be configured.",
   both: "Managed devices get in automatically; unmanaged devices wait for manual approval",
 };
 
@@ -301,20 +300,15 @@ export default function DeviceSecuritySettings() {
 
           {/* Attestation callout */}
           {(enrollmentMode === "attestation" || enrollmentMode === "both") && (
-            <div className="flex items-start gap-3 rounded-lg border border-blue-200 bg-blue-50 p-3 dark:border-blue-800 dark:bg-blue-950">
-              <InfoIcon className="mt-0.5 h-4 w-4 shrink-0 text-blue-500" />
-              <div className="flex-1">
-                <p className="text-sm text-blue-700 dark:text-blue-300">
-                  Attestation requires inventory configuration. Configure your MDM (Intune, Jamf) or a static device allow-list.
-                </p>
-              </div>
+            <Callout variant="info">
+              Attestation requires inventory configuration. Configure your MDM (Intune, Jamf) or a static device allow-list.{" "}
               <Link
                 href="/device-security/inventory"
-                className="shrink-0 text-sm font-medium text-blue-600 hover:underline dark:text-blue-400"
+                className="font-medium underline"
               >
                 Go to Inventory →
               </Link>
-            </div>
+            </Callout>
           )}
 
           {/* Certificate Authority */}
@@ -396,7 +390,7 @@ export default function DeviceSecuritySettings() {
             help="Revocation uses CRL (Certificate Revocation List), published every 12 hours."
           >
             <p className="font-mono text-sm text-gray-500 dark:text-gray-400">
-              {"GET /api/v1/device-auth/crl?account=<id>"}
+              {"GET /api/v1/device-auth/crl?account_id=<id>"}
             </p>
           </SettingRow>
         </div>

From 976eaad9131bf7626832223b5bbf663b935f139a Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:23:20 +0300
Subject: [PATCH 19/37] fix: improve accessibility in CA test panel and
 settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add descriptive aria-label to the expand/collapse button in CATestPanel
StepRow, including the step name for screen reader context.

The SettingRow Label in DeviceSecuritySettings.tsx is intentionally left
without htmlFor — it is a visual label wrapping Radix Select components
that manage their own accessibility internally.
---
 src/modules/device-security/CATestPanel.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/modules/device-security/CATestPanel.tsx b/src/modules/device-security/CATestPanel.tsx
index 7a79c7fa..abf35d60 100644
--- a/src/modules/device-security/CATestPanel.tsx
+++ b/src/modules/device-security/CATestPanel.tsx
@@ -38,6 +38,7 @@ function StepRow({ step }: { step: CATestStep }) {
         {hasDetails && (
           <button
             type="button"
+            aria-label={expanded ? `Hide ${STEP_LABELS[step.name] ?? step.name} details` : `Show ${STEP_LABELS[step.name] ?? step.name} details`}
             onClick={() => setExpanded((e) => !e)}
             className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
           >

From 5af0b2ac119dfdffaa36d8780674304d6208a0e0 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:26:00 +0300
Subject: [PATCH 20/37] feat: add inventory configuration page

---
 .../device-security/inventory/page.tsx        |   2 +
 src/modules/device-security/InventoryPage.tsx | 415 ++++++++++++++++++
 2 files changed, 417 insertions(+)
 create mode 100644 src/app/(dashboard)/device-security/inventory/page.tsx
 create mode 100644 src/modules/device-security/InventoryPage.tsx

diff --git a/src/app/(dashboard)/device-security/inventory/page.tsx b/src/app/(dashboard)/device-security/inventory/page.tsx
new file mode 100644
index 00000000..52191cd9
--- /dev/null
+++ b/src/app/(dashboard)/device-security/inventory/page.tsx
@@ -0,0 +1,2 @@
+import InventoryPage from "@/modules/device-security/InventoryPage";
+export default InventoryPage;
diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
new file mode 100644
index 00000000..e7172dbe
--- /dev/null
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -0,0 +1,415 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Button from "@components/Button";
+import { Callout } from "@components/Callout";
+import HelpText from "@components/HelpText";
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import { notify } from "@components/Notification";
+import Paragraph from "@components/Paragraph";
+import { Eye, EyeOff, LayoutListIcon, ShieldCheckIcon } from "lucide-react";
+import React, { useCallback, useEffect, useState } from "react";
+import Skeleton from "react-loading-skeleton";
+import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
+import type {
+  InventoryConfig,
+  InventoryType,
+  IntuneInventoryConfig,
+  JamfInventoryConfig,
+  StaticInventoryConfig,
+} from "@/interfaces/DeviceSecurity";
+import PageContainer from "@/layouts/PageContainer";
+
+// ---- PasswordField local component ----
+
+interface PasswordFieldProps {
+  id: string;
+  label: string;
+  value: string;
+  hasExisting?: boolean;
+  onChange: (value: string) => void;
+}
+
+function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFieldProps) {
+  const [show, setShow] = useState(false);
+  return (
+    <div className="flex flex-col gap-1">
+      <Label htmlFor={id}>{label}</Label>
+      <div className="relative">
+        <Input
+          id={id}
+          type={show ? "text" : "password"}
+          value={value}
+          placeholder={hasExisting && !value ? "••••••••" : undefined}
+          onChange={(e) => onChange(e.target.value)}
+          className="pr-10"
+        />
+        <button
+          type="button"
+          className="absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+          onClick={() => setShow((s) => !s)}
+          aria-label={show ? "Hide" : "Show"}
+        >
+          {show ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+        </button>
+      </div>
+    </div>
+  );
+}
+
+// ---- Default configs ----
+
+const DEFAULT_STATIC: StaticInventoryConfig = {
+  peers: [],
+  serial_count: 0,
+};
+
+const DEFAULT_INTUNE: IntuneInventoryConfig = {
+  tenant_id: "",
+  client_id: "",
+  client_secret: "",
+  has_client_secret: false,
+  require_compliance: false,
+};
+
+const DEFAULT_JAMF: JamfInventoryConfig = {
+  jamf_url: "",
+  username: "",
+  password: "",
+  has_password: false,
+  require_management: false,
+};
+
+// ---- Inventory type options ----
+
+const INVENTORY_TYPE_OPTIONS: Array<{ value: InventoryType; label: string; description: string }> = [
+  { value: "static", label: "Static List", description: "Manually maintained list of allowed peer IDs" },
+  { value: "intune", label: "Microsoft Intune", description: "Sync managed devices from Microsoft Intune" },
+  { value: "jamf", label: "Jamf Pro", description: "Sync managed devices from Jamf Pro MDM" },
+];
+
+// ---- Sub-forms ----
+
+interface StaticFormProps {
+  config: StaticInventoryConfig;
+  onChange: (config: StaticInventoryConfig) => void;
+}
+
+function StaticForm({ config, onChange }: StaticFormProps) {
+  const value = config.peers.join("\n");
+
+  const handleChange = (raw: string) => {
+    const peers = raw
+      .split(/[\n,]+/)
+      .map((s) => s.trim())
+      .filter(Boolean);
+    onChange({ ...config, peers });
+  };
+
+  return (
+    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
+      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">Static Device List</p>
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="static-peers">Peer IDs</Label>
+        <textarea
+          id="static-peers"
+          rows={6}
+          value={value}
+          onChange={(e) => handleChange(e.target.value)}
+          placeholder={"Enter one peer ID per line, or comma-separated"}
+          className={
+            "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
+            "font-mono text-gray-900 placeholder:text-gray-400 " +
+            "focus:outline-none focus:ring-2 focus:ring-nb-gray-900 " +
+            "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
+          }
+        />
+        <HelpText>
+          {config.peers.length > 0
+            ? `${config.peers.length} peer ID${config.peers.length !== 1 ? "s" : ""} in list`
+            : "No peers configured"}
+        </HelpText>
+      </div>
+    </div>
+  );
+}
+
+interface IntuneFormProps {
+  config: IntuneInventoryConfig;
+  onChange: (config: IntuneInventoryConfig) => void;
+}
+
+function IntuneForm({ config, onChange }: IntuneFormProps) {
+  const update = (patch: Partial<IntuneInventoryConfig>) =>
+    onChange({ ...config, ...patch });
+
+  return (
+    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
+      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">Microsoft Intune Configuration</p>
+      <div className="flex flex-col gap-3">
+        <div className="flex flex-col gap-1">
+          <Label htmlFor="intune-tenant-id">Tenant ID</Label>
+          <Input
+            id="intune-tenant-id"
+            placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+            value={config.tenant_id}
+            onChange={(e) => update({ tenant_id: e.target.value })}
+          />
+        </div>
+        <div className="flex flex-col gap-1">
+          <Label htmlFor="intune-client-id">Client ID</Label>
+          <Input
+            id="intune-client-id"
+            placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+            value={config.client_id}
+            onChange={(e) => update({ client_id: e.target.value })}
+          />
+        </div>
+        <PasswordField
+          id="intune-client-secret"
+          label="Client Secret"
+          value={config.client_secret}
+          hasExisting={config.has_client_secret}
+          onChange={(v) => update({ client_secret: v })}
+        />
+        <div className="flex items-center gap-2">
+          <input
+            id="intune-require-compliance"
+            type="checkbox"
+            checked={config.require_compliance}
+            onChange={(e) => update({ require_compliance: e.target.checked })}
+            className="h-4 w-4 rounded border-gray-300 text-nb-gray-900 focus:ring-nb-gray-900"
+          />
+          <Label htmlFor="intune-require-compliance" className="cursor-pointer">
+            Require compliance
+          </Label>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+interface JamfFormProps {
+  config: JamfInventoryConfig;
+  onChange: (config: JamfInventoryConfig) => void;
+}
+
+function JamfForm({ config, onChange }: JamfFormProps) {
+  const update = (patch: Partial<JamfInventoryConfig>) =>
+    onChange({ ...config, ...patch });
+
+  return (
+    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
+      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">Jamf Pro Configuration</p>
+      <div className="flex flex-col gap-3">
+        <div className="flex flex-col gap-1">
+          <Label htmlFor="jamf-server-url">Server URL</Label>
+          <Input
+            id="jamf-server-url"
+            type="url"
+            placeholder="https://yourorg.jamfcloud.com"
+            value={config.jamf_url}
+            onChange={(e) => update({ jamf_url: e.target.value })}
+          />
+        </div>
+        <div className="flex flex-col gap-1">
+          <Label htmlFor="jamf-username">Username</Label>
+          <Input
+            id="jamf-username"
+            placeholder="api-user"
+            value={config.username}
+            onChange={(e) => update({ username: e.target.value })}
+          />
+        </div>
+        <PasswordField
+          id="jamf-password"
+          label="Password"
+          value={config.password}
+          hasExisting={config.has_password}
+          onChange={(v) => update({ password: v })}
+        />
+        <div className="flex items-center gap-2">
+          <input
+            id="jamf-require-management"
+            type="checkbox"
+            checked={config.require_management}
+            onChange={(e) => update({ require_management: e.target.checked })}
+            className="h-4 w-4 rounded border-gray-300 text-nb-gray-900 focus:ring-nb-gray-900"
+          />
+          <Label htmlFor="jamf-require-management" className="cursor-pointer">
+            Require management
+          </Label>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+// ---- Main page ----
+
+const DEFAULT_CONFIG: InventoryConfig = {
+  inventory_type: "static",
+  static: DEFAULT_STATIC,
+};
+
+export default function InventoryPage() {
+  const { inventoryConfig, inventoryConfigLoading, updateInventoryConfig } =
+    useDeviceSecurityContext();
+
+  const [localConfig, setLocalConfig] = useState<InventoryConfig>(DEFAULT_CONFIG);
+
+  useEffect(() => {
+    if (inventoryConfig) setLocalConfig(inventoryConfig);
+  }, [inventoryConfig]);
+
+  const handleTypeChange = (type: InventoryType) => {
+    setLocalConfig((prev) => ({
+      ...prev,
+      inventory_type: type,
+      static: prev.static ?? DEFAULT_STATIC,
+      intune: prev.intune ?? DEFAULT_INTUNE,
+      jamf: prev.jamf ?? DEFAULT_JAMF,
+    }));
+  };
+
+  const handleStaticChange = (config: StaticInventoryConfig) =>
+    setLocalConfig((prev) => ({ ...prev, static: config }));
+
+  const handleIntuneChange = (config: IntuneInventoryConfig) =>
+    setLocalConfig((prev) => ({ ...prev, intune: config }));
+
+  const handleJamfChange = (config: JamfInventoryConfig) =>
+    setLocalConfig((prev) => ({ ...prev, jamf: config }));
+
+  const handleSave = useCallback(() => {
+    notify({
+      title: "Device Inventory",
+      description: "Inventory configuration saved successfully.",
+      promise: updateInventoryConfig(localConfig),
+      loadingMessage: "Saving inventory configuration...",
+    });
+  }, [localConfig, updateInventoryConfig]);
+
+  if (inventoryConfigLoading) {
+    return (
+      <PageContainer>
+        <div className="p-default py-6 max-w-2xl">
+          <Skeleton height={24} width={200} className="mb-6" />
+          <Skeleton height={32} width={160} className="mb-10" />
+          <div className="mb-8">
+            <Skeleton height={17} width={200} className="mb-2" />
+            <Skeleton height={80} width="100%" />
+          </div>
+          <Skeleton height={120} width="100%" />
+        </div>
+      </PageContainer>
+    );
+  }
+
+  if (!inventoryConfigLoading && !inventoryConfig) {
+    return (
+      <PageContainer>
+        <div className="p-default py-6 max-w-2xl">
+          <Callout variant="error">
+            Failed to load inventory configuration. Please refresh the page and try again.
+          </Callout>
+        </div>
+      </PageContainer>
+    );
+  }
+
+  return (
+    <PageContainer>
+      <div className="p-default py-6 max-w-2xl">
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href="/device-security"
+            label="Device Security"
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href="/device-security/inventory"
+            label="Inventory"
+            active
+            icon={<LayoutListIcon size={14} />}
+          />
+        </Breadcrumbs>
+
+        <div className="flex items-start justify-between">
+          <div>
+            <h1>Device Inventory</h1>
+            <Paragraph>
+              Configure the device allow-list or MDM integration used for attestation-mode enrollment.
+            </Paragraph>
+          </div>
+          <Button
+            variant="primary"
+            onClick={handleSave}
+            data-cy="save-inventory"
+          >
+            Save Changes
+          </Button>
+        </div>
+
+        <div className="flex flex-col gap-6 w-full mt-8">
+          {/* Inventory type selector */}
+          <div className="flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-start">
+            <div className="min-w-[330px]">
+              <Label>Inventory Source</Label>
+              <HelpText>
+                Choose how NetBird determines which devices are allowed to enroll via attestation
+              </HelpText>
+            </div>
+            <div className="w-full flex flex-col gap-2">
+              {INVENTORY_TYPE_OPTIONS.map(({ value, label, description }) => (
+                <label
+                  key={value}
+                  className={
+                    "flex items-start gap-3 rounded-lg border p-3 cursor-pointer transition-colors " +
+                    (localConfig.inventory_type === value
+                      ? "border-nb-gray-900 bg-gray-50 dark:border-zinc-500 dark:bg-zinc-800"
+                      : "border-gray-200 hover:border-gray-300 dark:border-zinc-700 dark:hover:border-zinc-600")
+                  }
+                >
+                  <input
+                    type="radio"
+                    name="inventory-type"
+                    value={value}
+                    checked={localConfig.inventory_type === value}
+                    onChange={() => handleTypeChange(value)}
+                    className="mt-0.5 h-4 w-4 text-nb-gray-900 border-gray-300 focus:ring-nb-gray-900"
+                  />
+                  <div>
+                    <p className="text-sm font-medium text-gray-900 dark:text-gray-100">{label}</p>
+                    <p className="text-xs text-gray-500 dark:text-gray-400">{description}</p>
+                  </div>
+                </label>
+              ))}
+            </div>
+          </div>
+
+          {/* Type-specific config form */}
+          {localConfig.inventory_type === "static" && (
+            <StaticForm
+              config={localConfig.static ?? DEFAULT_STATIC}
+              onChange={handleStaticChange}
+            />
+          )}
+          {localConfig.inventory_type === "intune" && (
+            <IntuneForm
+              config={localConfig.intune ?? DEFAULT_INTUNE}
+              onChange={handleIntuneChange}
+            />
+          )}
+          {localConfig.inventory_type === "jamf" && (
+            <JamfForm
+              config={localConfig.jamf ?? DEFAULT_JAMF}
+              onChange={handleJamfChange}
+            />
+          )}
+        </div>
+      </div>
+    </PageContainer>
+  );
+}

From 329940e4928a308350024935597d898e51ee2ad7 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:30:10 +0300
Subject: [PATCH 21/37] fix: add validation and accessibility improvements to
 inventory page

- Add pre-save validation in handleSave for intune (tenant_id, client_id) and jamf (jamf_url) required fields using notify.error
- Add aria-describedby="static-peers-help" on static peer IDs textarea and id="static-peers-help" on its HelpText
- Extract PEER_SEPARATOR_RE regex constant and use it in the split call
- Add notify.error helper to Notification component
- Add id prop to HelpText component
---
 src/components/HelpText.tsx                   |  3 +++
 src/components/Notification.tsx               |  8 +++++++
 src/modules/device-security/InventoryPage.tsx | 23 +++++++++++++++++--
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/components/HelpText.tsx b/src/components/HelpText.tsx
index 87555949..1e8448a1 100644
--- a/src/components/HelpText.tsx
+++ b/src/components/HelpText.tsx
@@ -5,14 +5,17 @@ type Props = {
   children?: React.ReactNode;
   margin?: boolean;
   className?: string;
+  id?: string;
 };
 export default function HelpText({
   children,
   margin = true,
   className,
+  id,
 }: Props) {
   return (
     <span
+      id={id}
       className={cn(
         "text-[.8rem] dark:text-nb-gray-300 block font-light tracking-wide",
         margin && "mb-2",
diff --git a/src/components/Notification.tsx b/src/components/Notification.tsx
index 045d5117..e0409059 100644
--- a/src/components/Notification.tsx
+++ b/src/components/Notification.tsx
@@ -214,3 +214,11 @@ export function notify<T>(props: NotifyProps<T>) {
     duration: Infinity,
   });
 }
+
+notify.error = function notifyError(message: string) {
+  return notify({
+    title: "Error",
+    description: message,
+    promise: Promise.reject(new Error(message)),
+  });
+};
diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
index e7172dbe..def80059 100644
--- a/src/modules/device-security/InventoryPage.tsx
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -58,6 +58,10 @@ function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFiel
   );
 }
 
+// ---- Constants ----
+
+const PEER_SEPARATOR_RE = /[\n,]+/;
+
 // ---- Default configs ----
 
 const DEFAULT_STATIC: StaticInventoryConfig = {
@@ -101,7 +105,7 @@ function StaticForm({ config, onChange }: StaticFormProps) {
 
   const handleChange = (raw: string) => {
     const peers = raw
-      .split(/[\n,]+/)
+      .split(PEER_SEPARATOR_RE)
       .map((s) => s.trim())
       .filter(Boolean);
     onChange({ ...config, peers });
@@ -118,6 +122,7 @@ function StaticForm({ config, onChange }: StaticFormProps) {
           value={value}
           onChange={(e) => handleChange(e.target.value)}
           placeholder={"Enter one peer ID per line, or comma-separated"}
+          aria-describedby="static-peers-help"
           className={
             "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
             "font-mono text-gray-900 placeholder:text-gray-400 " +
@@ -125,7 +130,7 @@ function StaticForm({ config, onChange }: StaticFormProps) {
             "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
           }
         />
-        <HelpText>
+        <HelpText id="static-peers-help">
           {config.peers.length > 0
             ? `${config.peers.length} peer ID${config.peers.length !== 1 ? "s" : ""} in list`
             : "No peers configured"}
@@ -283,6 +288,20 @@ export default function InventoryPage() {
     setLocalConfig((prev) => ({ ...prev, jamf: config }));
 
   const handleSave = useCallback(() => {
+    if (localConfig.inventory_type === "intune") {
+      const intune = localConfig.intune ?? DEFAULT_INTUNE;
+      if (!intune.tenant_id || !intune.client_id) {
+        notify.error("Tenant ID and Client ID are required for Intune");
+        return;
+      }
+    }
+    if (localConfig.inventory_type === "jamf") {
+      const jamf = localConfig.jamf ?? DEFAULT_JAMF;
+      if (!jamf.jamf_url) {
+        notify.error("Server URL is required for Jamf");
+        return;
+      }
+    }
     notify({
       title: "Device Inventory",
       description: "Inventory configuration saved successfully.",

From 81f4f38d30aed03904f123b4dd5248589300ec51 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:47:36 +0300
Subject: [PATCH 22/37] fix: remove OCSP fields, fix handleSave error handling,
 fix handleTestCA, fix updateRef drift

- Remove ocsp_enabled and fail_open_on_ocsp_unavailable from DeviceAuthSettings interface
- Fix handleSave to call updateSettings and updateCAConfig as independent notify calls,
  aborting CA config save if settings save fails
- Fix handleTestCA to handle null result and caught errors, always setting testResult
  so the user gets feedback even on network failure
- Fix updateRef drift by calling updateRef after hydrating state from settings/caConfig
  so hasChanges starts false on fresh load
- Extract shared PasswordField into its own file, removing duplicate copies from
  CAConfigSection.tsx and InventoryPage.tsx
---
 src/interfaces/DeviceSecurity.ts              |  2 -
 .../device-security/CAConfigSection.tsx       | 39 +-------
 .../DeviceSecuritySettings.tsx                | 96 +++++++++++++------
 src/modules/device-security/InventoryPage.tsx | 40 +-------
 src/modules/device-security/PasswordField.tsx | 41 ++++++++
 5 files changed, 114 insertions(+), 104 deletions(-)
 create mode 100644 src/modules/device-security/PasswordField.tsx

diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index 0b0c8f05..2db34c27 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -11,8 +11,6 @@ export interface DeviceAuthSettings {
   enrollment_mode: EnrollmentMode;
   ca_type: CAType;
   cert_validity_days: number;
-  ocsp_enabled: boolean;
-  fail_open_on_ocsp_unavailable: boolean;
   inventory_type: string;
 }
 
diff --git a/src/modules/device-security/CAConfigSection.tsx b/src/modules/device-security/CAConfigSection.tsx
index 1ed13139..9d6a8d38 100644
--- a/src/modules/device-security/CAConfigSection.tsx
+++ b/src/modules/device-security/CAConfigSection.tsx
@@ -1,7 +1,6 @@
 "use client";
 
-import { Eye, EyeOff } from "lucide-react";
-import React, { useState } from "react";
+import React from "react";
 import { Input } from "@components/Input";
 import { Label } from "@components/Label";
 import type {
@@ -11,41 +10,7 @@ import type {
   SmallstepCAConfig,
   VaultCAConfig,
 } from "@/interfaces/DeviceSecurity";
-
-interface PasswordFieldProps {
-  id: string;
-  label: string;
-  value: string;
-  hasExisting?: boolean;
-  onChange: (value: string) => void;
-}
-
-function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFieldProps) {
-  const [show, setShow] = useState(false);
-  return (
-    <div className="flex flex-col gap-1">
-      <Label htmlFor={id}>{label}</Label>
-      <div className="relative">
-        <Input
-          id={id}
-          type={show ? "text" : "password"}
-          value={value}
-          placeholder={hasExisting && !value ? "••••••••" : undefined}
-          onChange={(e) => onChange(e.target.value)}
-          className="pr-10"
-        />
-        <button
-          type="button"
-          className="absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
-          onClick={() => setShow((s) => !s)}
-          aria-label={show ? "Hide" : "Show"}
-        >
-          {show ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
-        </button>
-      </div>
-    </div>
-  );
-}
+import { PasswordField } from "./PasswordField";
 
 const DEFAULT_VAULT: VaultCAConfig = {
   address: "",
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index 71346c67..49c69332 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -102,18 +102,6 @@ export default function DeviceSecuritySettings() {
   const [testResult, setTestResult] = useState<CATestResult | null>(null);
   const [testing, setTesting] = useState(false);
 
-  useEffect(() => {
-    if (!settings) return;
-    setMode(settings.mode);
-    setEnrollmentMode(settings.enrollment_mode);
-    setCaType(settings.ca_type);
-    setCertValidityDays(settings.cert_validity_days);
-  }, [settings]);
-
-  useEffect(() => {
-    if (caConfig) setLocalCAConfig(caConfig);
-  }, [caConfig]);
-
   const { hasChanges, updateRef } = useHasChanges([
     mode,
     enrollmentMode,
@@ -122,29 +110,65 @@ export default function DeviceSecuritySettings() {
     localCAConfig,
   ]);
 
+  useEffect(() => {
+    if (!settings) return;
+    const newMode = settings.mode;
+    const newEnrollment = settings.enrollment_mode;
+    const newCAType = settings.ca_type;
+    const newCertValidity = settings.cert_validity_days;
+    setMode(newMode);
+    setEnrollmentMode(newEnrollment);
+    setCaType(newCAType);
+    setCertValidityDays(newCertValidity);
+    updateRef([newMode, newEnrollment, newCAType, newCertValidity, localCAConfig]);
+  }, [settings]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  useEffect(() => {
+    if (!caConfig) return;
+    setLocalCAConfig(caConfig);
+    updateRef([mode, enrollmentMode, caType, certValidityDays, caConfig]);
+  }, [caConfig]); // eslint-disable-line react-hooks/exhaustive-deps
+
   const activeCertCount = devices?.filter((d) => !d.revoked).length ?? 0;
   const showCertOnlyWarning =
     (mode === "cert-only" || mode === "cert-and-sso") && activeCertCount === 0;
 
   const handleSave = useCallback(async () => {
+    const settingsPromise = updateSettings({
+      mode,
+      enrollment_mode: enrollmentMode,
+      ca_type: caType,
+      cert_validity_days: certValidityDays,
+      inventory_type: settings?.inventory_type ?? "",
+    });
     notify({
       title: "Device Security Settings",
       description: "Settings saved successfully.",
-      promise: (async () => {
-        await updateSettings({
-          mode,
-          enrollment_mode: enrollmentMode,
-          ca_type: caType,
-          cert_validity_days: certValidityDays,
-          inventory_type: settings?.inventory_type ?? "",
-        });
-        if (caType !== "builtin") {
-          await updateCAConfig(localCAConfig);
-        }
-        updateRef([mode, enrollmentMode, caType, certValidityDays, localCAConfig]);
-      })(),
-      loadingMessage: "Saving device security settings...",
+      promise: settingsPromise,
+      loadingMessage: "Saving settings...",
     });
+    try {
+      await settingsPromise;
+    } catch {
+      return;
+    }
+
+    if (caType !== "builtin") {
+      const caPromise = updateCAConfig(localCAConfig);
+      notify({
+        title: "CA Configuration",
+        description: "CA configuration saved successfully.",
+        promise: caPromise,
+        loadingMessage: "Saving CA configuration...",
+      });
+      try {
+        await caPromise;
+      } catch {
+        return;
+      }
+    }
+
+    updateRef([mode, enrollmentMode, caType, certValidityDays, localCAConfig]);
   }, [
     mode,
     enrollmentMode,
@@ -162,7 +186,25 @@ export default function DeviceSecuritySettings() {
     setTestResult(null);
     try {
       const result = await testCAConnection(localCAConfig);
-      setTestResult(result);
+      setTestResult(result ?? {
+        success: false,
+        steps: [{
+          name: "generate_csr",
+          status: "error" as const,
+          detail: "Request failed. Check network connection and try again.",
+          elapsed_ms: 0,
+        }],
+      });
+    } catch (e) {
+      setTestResult({
+        success: false,
+        steps: [{
+          name: "generate_csr",
+          status: "error" as const,
+          detail: e instanceof Error ? e.message : "Unexpected error",
+          elapsed_ms: 0,
+        }],
+      });
     } finally {
       setTesting(false);
     }
diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
index def80059..b989c2f0 100644
--- a/src/modules/device-security/InventoryPage.tsx
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -8,7 +8,7 @@ import { Input } from "@components/Input";
 import { Label } from "@components/Label";
 import { notify } from "@components/Notification";
 import Paragraph from "@components/Paragraph";
-import { Eye, EyeOff, LayoutListIcon, ShieldCheckIcon } from "lucide-react";
+import { LayoutListIcon, ShieldCheckIcon } from "lucide-react";
 import React, { useCallback, useEffect, useState } from "react";
 import Skeleton from "react-loading-skeleton";
 import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
@@ -20,43 +20,7 @@ import type {
   StaticInventoryConfig,
 } from "@/interfaces/DeviceSecurity";
 import PageContainer from "@/layouts/PageContainer";
-
-// ---- PasswordField local component ----
-
-interface PasswordFieldProps {
-  id: string;
-  label: string;
-  value: string;
-  hasExisting?: boolean;
-  onChange: (value: string) => void;
-}
-
-function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFieldProps) {
-  const [show, setShow] = useState(false);
-  return (
-    <div className="flex flex-col gap-1">
-      <Label htmlFor={id}>{label}</Label>
-      <div className="relative">
-        <Input
-          id={id}
-          type={show ? "text" : "password"}
-          value={value}
-          placeholder={hasExisting && !value ? "••••••••" : undefined}
-          onChange={(e) => onChange(e.target.value)}
-          className="pr-10"
-        />
-        <button
-          type="button"
-          className="absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
-          onClick={() => setShow((s) => !s)}
-          aria-label={show ? "Hide" : "Show"}
-        >
-          {show ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
-        </button>
-      </div>
-    </div>
-  );
-}
+import { PasswordField } from "./PasswordField";
 
 // ---- Constants ----
 
diff --git a/src/modules/device-security/PasswordField.tsx b/src/modules/device-security/PasswordField.tsx
new file mode 100644
index 00000000..97076f33
--- /dev/null
+++ b/src/modules/device-security/PasswordField.tsx
@@ -0,0 +1,41 @@
+"use client";
+
+import { Input } from "@components/Input";
+import { Label } from "@components/Label";
+import { Eye, EyeOff } from "lucide-react";
+import React, { useState } from "react";
+
+export interface PasswordFieldProps {
+  id: string;
+  label: string;
+  value: string;
+  hasExisting?: boolean;
+  onChange: (value: string) => void;
+}
+
+export function PasswordField({ id, label, value, hasExisting, onChange }: PasswordFieldProps) {
+  const [show, setShow] = useState(false);
+  return (
+    <div className="flex flex-col gap-1">
+      <Label htmlFor={id}>{label}</Label>
+      <div className="relative">
+        <Input
+          id={id}
+          type={show ? "text" : "password"}
+          value={value}
+          placeholder={hasExisting && !value ? "••••••••" : undefined}
+          onChange={(e) => onChange(e.target.value)}
+          className="pr-10"
+        />
+        <button
+          type="button"
+          className="absolute inset-y-0 right-0 flex items-center pr-3 text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+          onClick={() => setShow((s) => !s)}
+          aria-label={show ? "Hide" : "Show"}
+        >
+          {show ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+        </button>
+      </div>
+    </div>
+  );
+}

From 50c7516dc050e627f8ec286cf51a3bbed4f1eb93 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:48:56 +0300
Subject: [PATCH 23/37] feat: inventory page - two-tab static list, status
 callout, coming-soon providers, hasChanges

- Replace single textarea with two-tab UI (NetBird Peers / Serial Numbers)
  - Peers tab: WireGuard public keys textarea with description
  - Serials tab: warning callout + serial numbers textarea, stored with serial: prefix
- Add status callout at top of page driven by settings.enrollment_mode
  - success variant when attestation/both is active
  - warning variant when attestation is not enabled
- Add fleetdm (Fleet) and webhook providers to type selector, disabled with Coming soon badge
- Wire useHasChanges: Save button disabled until form has unsaved changes, updateRef called after successful save
---
 src/modules/device-security/InventoryPage.tsx | 221 ++++++++++++++----
 1 file changed, 180 insertions(+), 41 deletions(-)

diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
index b989c2f0..17983481 100644
--- a/src/modules/device-security/InventoryPage.tsx
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -8,7 +8,9 @@ import { Input } from "@components/Input";
 import { Label } from "@components/Label";
 import { notify } from "@components/Notification";
 import Paragraph from "@components/Paragraph";
+import { useHasChanges } from "@hooks/useHasChanges";
 import { LayoutListIcon, ShieldCheckIcon } from "lucide-react";
+import Link from "next/link";
 import React, { useCallback, useEffect, useState } from "react";
 import Skeleton from "react-loading-skeleton";
 import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
@@ -24,7 +26,7 @@ import { PasswordField } from "./PasswordField";
 
 // ---- Constants ----
 
-const PEER_SEPARATOR_RE = /[\n,]+/;
+const SERIAL_SEPARATOR_RE = /[\n,]+/;
 
 // ---- Default configs ----
 
@@ -51,13 +53,25 @@ const DEFAULT_JAMF: JamfInventoryConfig = {
 
 // ---- Inventory type options ----
 
-const INVENTORY_TYPE_OPTIONS: Array<{ value: InventoryType; label: string; description: string }> = [
+interface InventoryTypeOption {
+  value: InventoryType;
+  label: string;
+  description: string;
+  disabled?: boolean;
+  comingSoon?: boolean;
+}
+
+const INVENTORY_TYPE_OPTIONS: InventoryTypeOption[] = [
   { value: "static", label: "Static List", description: "Manually maintained list of allowed peer IDs" },
   { value: "intune", label: "Microsoft Intune", description: "Sync managed devices from Microsoft Intune" },
   { value: "jamf", label: "Jamf Pro", description: "Sync managed devices from Jamf Pro MDM" },
+  { value: "fleetdm", label: "Fleet", description: "Sync managed devices from FleetDM / osquery", disabled: true, comingSoon: true },
+  { value: "webhook", label: "Webhook", description: "Approve devices via a custom webhook", disabled: true, comingSoon: true },
 ];
 
-// ---- Sub-forms ----
+// ---- Static form with two-tab UI ----
+
+type StaticTab = "peers" | "serials";
 
 interface StaticFormProps {
   config: StaticInventoryConfig;
@@ -65,41 +79,125 @@ interface StaticFormProps {
 }
 
 function StaticForm({ config, onChange }: StaticFormProps) {
-  const value = config.peers.join("\n");
+  const [activeTab, setActiveTab] = useState<StaticTab>("peers");
+
+  const wgKeys = config.peers.filter((p) => !p.startsWith("serial:"));
+  const peersValue = wgKeys.join("\n");
 
-  const handleChange = (raw: string) => {
-    const peers = raw
-      .split(PEER_SEPARATOR_RE)
+  const handlePeersChange = (raw: string) => {
+    const newKeys = raw
+      .split(/[\n,]+/)
       .map((s) => s.trim())
       .filter(Boolean);
-    onChange({ ...config, peers });
+    const serials = config.peers.filter((p) => p.startsWith("serial:"));
+    onChange({ ...config, peers: [...newKeys, ...serials] });
+  };
+
+  const serialsValue = config.peers
+    .filter((p) => p.startsWith("serial:"))
+    .map((p) => p.replace(/^serial:/, ""))
+    .join("\n");
+
+  const handleSerialsChange = (raw: string) => {
+    const newSerials = raw
+      .split(SERIAL_SEPARATOR_RE)
+      .map((s) => s.trim())
+      .filter(Boolean)
+      .map((s) => (s.startsWith("serial:") ? s : `serial:${s}`));
+    onChange({ ...config, peers: [...wgKeys, ...newSerials] });
   };
 
   return (
     <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
-      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">Static Device List</p>
-      <div className="flex flex-col gap-1">
-        <Label htmlFor="static-peers">Peer IDs</Label>
-        <textarea
-          id="static-peers"
-          rows={6}
-          value={value}
-          onChange={(e) => handleChange(e.target.value)}
-          placeholder={"Enter one peer ID per line, or comma-separated"}
-          aria-describedby="static-peers-help"
+      {/* Tab buttons */}
+      <div className="flex gap-0 border-b border-gray-200 dark:border-zinc-700">
+        <button
+          type="button"
+          onClick={() => setActiveTab("peers")}
           className={
-            "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
-            "font-mono text-gray-900 placeholder:text-gray-400 " +
-            "focus:outline-none focus:ring-2 focus:ring-nb-gray-900 " +
-            "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
+            "px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors " +
+            (activeTab === "peers"
+              ? "border-nb-gray-900 text-gray-900 dark:border-zinc-400 dark:text-gray-100"
+              : "border-transparent text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200")
           }
-        />
-        <HelpText id="static-peers-help">
-          {config.peers.length > 0
-            ? `${config.peers.length} peer ID${config.peers.length !== 1 ? "s" : ""} in list`
-            : "No peers configured"}
-        </HelpText>
+        >
+          NetBird Peers
+        </button>
+        <button
+          type="button"
+          onClick={() => setActiveTab("serials")}
+          className={
+            "px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors " +
+            (activeTab === "serials"
+              ? "border-nb-gray-900 text-gray-900 dark:border-zinc-400 dark:text-gray-100"
+              : "border-transparent text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200")
+          }
+        >
+          Serial Numbers
+        </button>
       </div>
+
+      {/* Tab: NetBird Peers */}
+      {activeTab === "peers" && (
+        <div className="flex flex-col gap-3">
+          <p className="text-sm text-gray-600 dark:text-gray-400">
+            Select NetBird peers that are allowed to enroll. The device&apos;s WireGuard public key is matched during attestation.
+          </p>
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="static-wg-keys">WireGuard Public Keys</Label>
+            <textarea
+              id="static-wg-keys"
+              rows={6}
+              value={peersValue}
+              onChange={(e) => handlePeersChange(e.target.value)}
+              placeholder={"Enter one WireGuard public key per line"}
+              aria-describedby="static-wg-keys-help"
+              className={
+                "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
+                "font-mono text-gray-900 placeholder:text-gray-400 " +
+                "focus:outline-none focus:ring-2 focus:ring-nb-gray-900 " +
+                "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
+              }
+            />
+            <HelpText id="static-wg-keys-help">
+              {wgKeys.length > 0
+                ? `${wgKeys.length} WireGuard key${wgKeys.length !== 1 ? "s" : ""} in list`
+                : "No peers configured"}
+            </HelpText>
+          </div>
+        </div>
+      )}
+
+      {/* Tab: Serial Numbers */}
+      {activeTab === "serials" && (
+        <div className="flex flex-col gap-3">
+          <Callout variant="warning">
+            Serial numbers are less secure than WireGuard keys. Use only if your MDM enforces serial uniqueness.
+          </Callout>
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="static-serials">Serial Numbers</Label>
+            <textarea
+              id="static-serials"
+              rows={6}
+              value={serialsValue}
+              onChange={(e) => handleSerialsChange(e.target.value)}
+              placeholder={"Enter one serial number per line"}
+              aria-describedby="static-serials-help"
+              className={
+                "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
+                "font-mono text-gray-900 placeholder:text-gray-400 " +
+                "focus:outline-none focus:ring-2 focus:ring-nb-gray-900 " +
+                "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
+              }
+            />
+            <HelpText id="static-serials-help">
+              {config.serial_count > 0
+                ? `${config.serial_count} serial number${config.serial_count !== 1 ? "s" : ""} stored`
+                : "No serial numbers configured"}
+            </HelpText>
+          </div>
+        </div>
+      )}
     </div>
   );
 }
@@ -223,14 +321,18 @@ const DEFAULT_CONFIG: InventoryConfig = {
 };
 
 export default function InventoryPage() {
-  const { inventoryConfig, inventoryConfigLoading, updateInventoryConfig } =
+  const { inventoryConfig, inventoryConfigLoading, updateInventoryConfig, settings } =
     useDeviceSecurityContext();
 
   const [localConfig, setLocalConfig] = useState<InventoryConfig>(DEFAULT_CONFIG);
 
+  const { hasChanges, updateRef } = useHasChanges([localConfig]);
+
   useEffect(() => {
-    if (inventoryConfig) setLocalConfig(inventoryConfig);
-  }, [inventoryConfig]);
+    if (!inventoryConfig) return;
+    setLocalConfig(inventoryConfig);
+    updateRef([inventoryConfig]);
+  }, [inventoryConfig, updateRef]);
 
   const handleTypeChange = (type: InventoryType) => {
     setLocalConfig((prev) => ({
@@ -269,10 +371,16 @@ export default function InventoryPage() {
     notify({
       title: "Device Inventory",
       description: "Inventory configuration saved successfully.",
-      promise: updateInventoryConfig(localConfig),
+      promise: updateInventoryConfig(localConfig).then((saved) => {
+        updateRef([saved]);
+      }),
       loadingMessage: "Saving inventory configuration...",
     });
-  }, [localConfig, updateInventoryConfig]);
+  }, [localConfig, updateInventoryConfig, updateRef]);
+
+  const enrollmentMode = settings?.enrollment_mode;
+  const attestationActive =
+    enrollmentMode === "attestation" || enrollmentMode === "both";
 
   if (inventoryConfigLoading) {
     return (
@@ -329,12 +437,32 @@ export default function InventoryPage() {
           <Button
             variant="primary"
             onClick={handleSave}
+            disabled={!hasChanges}
             data-cy="save-inventory"
           >
             Save Changes
           </Button>
         </div>
 
+        {/* Status callout */}
+        <div className="mt-6">
+          {attestationActive ? (
+            <Callout variant="success">
+              Inventory is active. Managed devices are automatically approved during enrollment.{" "}
+              <Link href="/device-security/settings" className="underline font-medium">
+                View Settings →
+              </Link>
+            </Callout>
+          ) : (
+            <Callout variant="warning">
+              Attestation is not enabled. To use inventory-based enrollment, enable Attestation mode in{" "}
+              <Link href="/device-security/settings" className="underline font-medium">
+                Settings →
+              </Link>
+            </Callout>
+          )}
+        </div>
+
         <div className="flex flex-col gap-6 w-full mt-8">
           {/* Inventory type selector */}
           <div className="flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-start">
@@ -345,14 +473,17 @@ export default function InventoryPage() {
               </HelpText>
             </div>
             <div className="w-full flex flex-col gap-2">
-              {INVENTORY_TYPE_OPTIONS.map(({ value, label, description }) => (
+              {INVENTORY_TYPE_OPTIONS.map(({ value, label, description, disabled, comingSoon }) => (
                 <label
                   key={value}
                   className={
-                    "flex items-start gap-3 rounded-lg border p-3 cursor-pointer transition-colors " +
-                    (localConfig.inventory_type === value
-                      ? "border-nb-gray-900 bg-gray-50 dark:border-zinc-500 dark:bg-zinc-800"
-                      : "border-gray-200 hover:border-gray-300 dark:border-zinc-700 dark:hover:border-zinc-600")
+                    "flex items-start gap-3 rounded-lg border p-3 transition-colors " +
+                    (disabled
+                      ? "opacity-50 cursor-not-allowed border-gray-200 dark:border-zinc-700"
+                      : "cursor-pointer " +
+                        (localConfig.inventory_type === value
+                          ? "border-nb-gray-900 bg-gray-50 dark:border-zinc-500 dark:bg-zinc-800"
+                          : "border-gray-200 hover:border-gray-300 dark:border-zinc-700 dark:hover:border-zinc-600"))
                   }
                 >
                   <input
@@ -360,11 +491,19 @@ export default function InventoryPage() {
                     name="inventory-type"
                     value={value}
                     checked={localConfig.inventory_type === value}
-                    onChange={() => handleTypeChange(value)}
+                    onChange={() => !disabled && handleTypeChange(value)}
+                    disabled={disabled}
                     className="mt-0.5 h-4 w-4 text-nb-gray-900 border-gray-300 focus:ring-nb-gray-900"
                   />
-                  <div>
-                    <p className="text-sm font-medium text-gray-900 dark:text-gray-100">{label}</p>
+                  <div className="flex-1">
+                    <div className="flex items-center gap-2">
+                      <p className="text-sm font-medium text-gray-900 dark:text-gray-100">{label}</p>
+                      {comingSoon && (
+                        <span className="inline-flex items-center rounded-full bg-gray-100 px-2 py-0.5 text-xs font-medium text-gray-500 dark:bg-zinc-700 dark:text-gray-400">
+                          Coming soon
+                        </span>
+                      )}
+                    </div>
                     <p className="text-xs text-gray-500 dark:text-gray-400">{description}</p>
                   </div>
                 </label>

From e43239ff7737dd9cd78d1daca8f9703aced4f2b9 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 15:57:54 +0300
Subject: [PATCH 24/37] fix: prevent race in inventory save, guard disabled
 provider types

- handleSave now awaits the save promise sequentially before calling
  updateRef, matching the pattern in DeviceSecuritySettings.tsx to
  ensure ref is only updated on confirmed success (no .then() race)
- handleTypeChange gains an early-return guard for "fleetdm" and
  "webhook" types that are disabled/coming-soon, preventing state
  mutations from disabled radio inputs
---
 src/modules/device-security/InventoryPage.tsx | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
index 17983481..a45ac3f2 100644
--- a/src/modules/device-security/InventoryPage.tsx
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -334,7 +334,8 @@ export default function InventoryPage() {
     updateRef([inventoryConfig]);
   }, [inventoryConfig, updateRef]);
 
-  const handleTypeChange = (type: InventoryType) => {
+  const handleTypeChange = useCallback((type: InventoryType) => {
+    if (type === "fleetdm" || type === "webhook") return;
     setLocalConfig((prev) => ({
       ...prev,
       inventory_type: type,
@@ -342,7 +343,7 @@ export default function InventoryPage() {
       intune: prev.intune ?? DEFAULT_INTUNE,
       jamf: prev.jamf ?? DEFAULT_JAMF,
     }));
-  };
+  }, []);
 
   const handleStaticChange = (config: StaticInventoryConfig) =>
     setLocalConfig((prev) => ({ ...prev, static: config }));
@@ -353,7 +354,7 @@ export default function InventoryPage() {
   const handleJamfChange = (config: JamfInventoryConfig) =>
     setLocalConfig((prev) => ({ ...prev, jamf: config }));
 
-  const handleSave = useCallback(() => {
+  const handleSave = useCallback(async () => {
     if (localConfig.inventory_type === "intune") {
       const intune = localConfig.intune ?? DEFAULT_INTUNE;
       if (!intune.tenant_id || !intune.client_id) {
@@ -368,14 +369,19 @@ export default function InventoryPage() {
         return;
       }
     }
+    const savePromise = updateInventoryConfig(localConfig);
     notify({
       title: "Device Inventory",
       description: "Inventory configuration saved successfully.",
-      promise: updateInventoryConfig(localConfig).then((saved) => {
-        updateRef([saved]);
-      }),
+      promise: savePromise,
       loadingMessage: "Saving inventory configuration...",
     });
+    try {
+      const saved = await savePromise;
+      updateRef([saved ?? localConfig]);
+    } catch {
+      return;
+    }
   }, [localConfig, updateInventoryConfig, updateRef]);
 
   const enrollmentMode = settings?.enrollment_mode;

From 7d0bb313d6699d273531d340d4d5f811dcf69768 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 17:05:59 +0300
Subject: [PATCH 25/37] fix: update Dockerfile to nginx:alpine, fix stand for
 reviewers

- Replace EOL alpine:3.14 base with nginx:alpine (stable, maintained)
- Remove supervisor/certbot/apk install - nginx:alpine has everything needed
- Convert init_react_envs.sh from bash to POSIX sh (no bash dep needed)
- Fix nginx include path: http.d -> conf.d (matches nginx:alpine layout)
- Use /docker-entrypoint.d/ hook for runtime env var substitution
---
 docker/Dockerfile         | 28 +++++++-----------
 docker/init_react_envs.sh | 60 +++++++++++++++++++--------------------
 docker/nginx.conf         |  2 +-
 3 files changed, 41 insertions(+), 49 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 360da5e0..9a14b340 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,24 +1,16 @@
-FROM alpine:3.14
+FROM nginx:alpine
 
-RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
-    nginx curl supervisor certbot-nginx && \
-    rm -rf /var/cache/apk/* && mkdir -p /run/nginx
-
-STOPSIGNAL SIGINT
 EXPOSE 80
-EXPOSE 443
-ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]
 
 WORKDIR /usr/share/nginx/html
-# copy configuration files
-COPY docker/default.conf /etc/nginx/http.d/default.conf
+
+# Copy nginx configs
 COPY docker/nginx.conf /etc/nginx/nginx.conf
-COPY docker/init_cert.sh /usr/local/init_cert.sh
-COPY docker/init_react_envs.sh /usr/local/init_react_envs.sh
-RUN chmod +x /usr/local/init_cert.sh && rm /etc/crontabs/root
-RUN chmod +x /usr/local/init_react_envs.sh
+COPY docker/default.conf /etc/nginx/conf.d/default.conf
+
+# Copy init script as an entrypoint hook (runs before nginx starts)
+COPY docker/init_react_envs.sh /docker-entrypoint.d/40-init-react-envs.sh
+RUN chmod +x /docker-entrypoint.d/40-init-react-envs.sh
 
-# configure supervisor
-COPY docker/supervisord.conf /etc/supervisord.conf
-# copy build files
-COPY out/ /usr/share/nginx/html/
\ No newline at end of file
+# Copy static build output
+COPY out/ /usr/share/nginx/html/
diff --git a/docker/init_react_envs.sh b/docker/init_react_envs.sh
index d1c5a182..4324c1e5 100644
--- a/docker/init_react_envs.sh
+++ b/docker/init_react_envs.sh
@@ -1,67 +1,67 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 
-if [[ -z "${AUTH_AUTHORITY}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${AUTH_AUTHORITY}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "AUTH_AUTHORITY or AUTH0_DOMAIN environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${AUTH_CLIENT_ID}" ]]; then
-    if [[ -z "${AUTH0_CLIENT_ID}" ]]; then
+if [ -z "${AUTH_CLIENT_ID}" ]; then
+    if [ -z "${AUTH0_CLIENT_ID}" ]; then
         echo "AUTH_CLIENT_ID or AUTH0_CLIENT_ID environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${AUTH_AUDIENCE}" ]]; then
-    if [[ -z "${AUTH0_AUDIENCE}" ]]; then
+if [ -z "${AUTH_AUDIENCE}" ]; then
+    if [ -z "${AUTH0_AUDIENCE}" ]; then
         echo "AUTH_AUDIENCE or AUTH0_AUDIENCE environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ "${AUTH_AUDIENCE}" == "none" ]]; then
+if [ "${AUTH_AUDIENCE}" = "none" ]; then
     unset AUTH_AUDIENCE
 fi
 
-if [[ -z "${AUTH_SUPPORTED_SCOPES}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${AUTH_SUPPORTED_SCOPES}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "AUTH_SUPPORTED_SCOPES environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${USE_AUTH0}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${USE_AUTH0}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "USE_AUTH0 environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${NETBIRD_MGMT_API_ENDPOINT}" ]]; then
+if [ -z "${NETBIRD_MGMT_API_ENDPOINT}" ]; then
     echo "NETBIRD_MGMT_API_ENDPOINT environment variable must be set"
     exit 1
 fi
 
-export AUTH_AUTHORITY=${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
-export AUTH_CLIENT_ID=${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
-export AUTH_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
-export AUTH_AUDIENCE=${AUTH_AUDIENCE:-$AUTH0_AUDIENCE}
-export AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
-export AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
-export USE_AUTH0=${USE_AUTH0:-true}
-export AUTH_SUPPORTED_SCOPES=${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
+export AUTH_AUTHORITY="${AUTH_AUTHORITY:-https://${AUTH0_DOMAIN}}"
+export AUTH_CLIENT_ID="${AUTH_CLIENT_ID:-${AUTH0_CLIENT_ID}}"
+export AUTH_CLIENT_SECRET="${AUTH_CLIENT_SECRET}"
+export AUTH_AUDIENCE="${AUTH_AUDIENCE:-${AUTH0_AUDIENCE}}"
+export AUTH_REDIRECT_URI="${AUTH_REDIRECT_URI}"
+export AUTH_SILENT_REDIRECT_URI="${AUTH_SILENT_REDIRECT_URI}"
+export USE_AUTH0="${USE_AUTH0:-true}"
+export AUTH_SUPPORTED_SCOPES="${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}"
 
-export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
-export NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_MGMT_GRPC_API_ENDPOINT}
-export NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
-export NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
-export NETBIRD_GOOGLE_TAG_MANAGER_ID=${NETBIRD_GOOGLE_TAG_MANAGER_ID}
-export NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
-export NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
-export NETBIRD_WASM_PATH=${NETBIRD_WASM_PATH}
+export NETBIRD_MGMT_API_ENDPOINT="$(echo "$NETBIRD_MGMT_API_ENDPOINT" | sed -E 's/(:80|:443)$//')"
+export NETBIRD_MGMT_GRPC_API_ENDPOINT="${NETBIRD_MGMT_GRPC_API_ENDPOINT}"
+export NETBIRD_HOTJAR_TRACK_ID="${NETBIRD_HOTJAR_TRACK_ID}"
+export NETBIRD_GOOGLE_ANALYTICS_ID="${NETBIRD_GOOGLE_ANALYTICS_ID}"
+export NETBIRD_GOOGLE_TAG_MANAGER_ID="${NETBIRD_GOOGLE_TAG_MANAGER_ID}"
+export NETBIRD_TOKEN_SOURCE="${NETBIRD_TOKEN_SOURCE:-accessToken}"
+export NETBIRD_DRAG_QUERY_PARAMS="${NETBIRD_DRAG_QUERY_PARAMS:-false}"
+export NETBIRD_WASM_PATH="${NETBIRD_WASM_PATH}"
 
 echo "NetBird latest version: ${NETBIRD_LATEST_VERSION}"
 
@@ -74,4 +74,4 @@ for f in $(grep -R -l AUTH_SUPPORTED_SCOPES /usr/share/nginx/html); do
     cp "$f" "$f".copy
     envsubst "$ENV_STR" < "$f".copy > "$f"
     rm "$f".copy
-done
\ No newline at end of file
+done
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 94024677..8b16d578 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -136,7 +136,7 @@ http {
 
 
 	# Includes virtual hosts configs.
-	include /etc/nginx/http.d/*.conf;
+	include /etc/nginx/conf.d/*.conf;
 }
 
 # TIP: Uncomment if you use stream module.

From a6dab03b185c4a4f918b6adb31db37fc5a9eca2c Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 17:11:35 +0300
Subject: [PATCH 26/37] fix: remove duplicate daemon directive in nginx.conf

---
 docker/nginx.conf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/docker/nginx.conf b/docker/nginx.conf
index 8b16d578..5b04b0cf 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -1,6 +1,4 @@
 # /etc/nginx/nginx.conf
-daemon off;
-
 user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.

From 6471257ff3c5d814a67a9f40953cd4bec5d38f40 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sat, 11 Apr 2026 20:51:43 +0300
Subject: [PATCH 27/37] feat: multi-source inventory, fix defaults and styling

- Inventory page redesigned: three independent sources (Static/Intune/Jamf)
  each with FancyToggleSwitch toggle, enabled simultaneously (e.g. Intune
  for Windows + Jamf for Mac)
- JamfForm updated to OAuth fields (client_id/client_secret) matching backend
- Settings page: fix ca_type/mode/enrollment_mode fallback to defaults when
  backend returns empty strings; remove inventory_type from save payload
- TrustedCAs: fix two Add buttons by using rightSide prop instead of children
- CAConfigSection: replace gray-*/zinc-* palette with nb-gray-* tokens
- trusted-cas/page: replace raw info callout with Callout variant='info'
- DeviceAuthSettings interface: remove inventory_type field (removed from API)
---
 .../device-security/trusted-cas/page.tsx      |  10 +-
 src/interfaces/DeviceSecurity.ts              |  31 +-
 .../device-security/CAConfigSection.tsx       |   4 +-
 .../DeviceSecuritySettings.tsx                |  13 +-
 src/modules/device-security/InventoryPage.tsx | 605 +++++++++---------
 .../device-security/TrustedCAsTable.tsx       |  36 +-
 6 files changed, 354 insertions(+), 345 deletions(-)

diff --git a/src/app/(dashboard)/device-security/trusted-cas/page.tsx b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
index 86551983..1f201ad3 100644
--- a/src/app/(dashboard)/device-security/trusted-cas/page.tsx
+++ b/src/app/(dashboard)/device-security/trusted-cas/page.tsx
@@ -1,10 +1,11 @@
 "use client";
 
 import Breadcrumbs from "@components/Breadcrumbs";
+import { Callout } from "@components/Callout";
 import Paragraph from "@components/Paragraph";
 import SkeletonTable from "@components/skeletons/SkeletonTable";
 import { usePortalElement } from "@hooks/usePortalElement";
-import { InfoIcon, ShieldCheckIcon } from "lucide-react";
+import { ShieldCheckIcon } from "lucide-react";
 import React, { lazy, Suspense } from "react";
 import PageContainer from "@/layouts/PageContainer";
 
@@ -37,13 +38,12 @@ export default function TrustedCAsPage() {
           certificates when devices bring their own certificates signed by
           external authorities.
         </Paragraph>
-        <div className="mt-3 flex items-start gap-2 rounded-lg border border-blue-200 bg-blue-50 p-3 dark:border-blue-800 dark:bg-blue-950">
-          <InfoIcon className="mt-0.5 h-4 w-4 shrink-0 text-blue-500" />
-          <p className="text-sm text-blue-700 dark:text-blue-300">
+        <div className="mt-3">
+          <Callout variant="info">
             Trusted CAs are used when devices present certificates signed by an
             external CA. This is different from the built-in CA used for
             certificate issuance.
-          </p>
+          </Callout>
         </div>
       </div>
       <Suspense fallback={<SkeletonTable />}>
diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index 2db34c27..ee10c438 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -11,7 +11,6 @@ export interface DeviceAuthSettings {
   enrollment_mode: EnrollmentMode;
   ca_type: CAType;
   cert_validity_days: number;
-  inventory_type: string;
 }
 
 export interface DeviceEnrollment {
@@ -92,38 +91,34 @@ export interface CATestResult {
 }
 
 // Inventory config types — for /device-auth/inventory/config endpoints
-
-export type InventoryType =
-  | "static"
-  | "intune"
-  | "jamf"
-  | "fleetdm"
-  | "webhook";
+// Multiple sources can be enabled simultaneously (e.g., Intune for Windows + Jamf for Mac).
 
 export interface StaticInventoryConfig {
-  peers: string[];
-  serial_count: number;
+  enabled: boolean;
+  peers: string[];        // WireGuard public keys
+  serial_count: number;   // read-only in GET; serials are managed by upload
 }
 
 export interface IntuneInventoryConfig {
+  enabled: boolean;
   tenant_id: string;
   client_id: string;
-  client_secret: string; // empty in GET response
+  client_secret: string;    // empty in GET response
   has_client_secret: boolean;
   require_compliance: boolean;
 }
 
 export interface JamfInventoryConfig {
+  enabled: boolean;
   jamf_url: string;
-  username: string;
-  password: string; // empty in GET response
-  has_password: boolean;
+  client_id: string;
+  client_secret: string;    // empty in GET response
+  has_client_secret: boolean;
   require_management: boolean;
 }
 
 export interface InventoryConfig {
-  inventory_type: InventoryType;
-  static?: StaticInventoryConfig;
-  intune?: IntuneInventoryConfig;
-  jamf?: JamfInventoryConfig;
+  static: StaticInventoryConfig;
+  intune: IntuneInventoryConfig;
+  jamf: JamfInventoryConfig;
 }
diff --git a/src/modules/device-security/CAConfigSection.tsx b/src/modules/device-security/CAConfigSection.tsx
index 9d6a8d38..2a798d2f 100644
--- a/src/modules/device-security/CAConfigSection.tsx
+++ b/src/modules/device-security/CAConfigSection.tsx
@@ -63,8 +63,8 @@ export function CAConfigSection({ caType, config, onChange }: CAConfigSectionPro
         : "SCEP Configuration";
 
   return (
-    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
-      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">{title}</p>
+    <div className="flex flex-col gap-4 rounded-md border border-nb-gray-900 bg-nb-gray-940 p-4">
+      <p className="text-sm font-medium text-nb-gray-300">{title}</p>
 
       {caType === "vault" && (
         <div className="flex flex-col gap-3">
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index 49c69332..53e3fc7a 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -112,10 +112,10 @@ export default function DeviceSecuritySettings() {
 
   useEffect(() => {
     if (!settings) return;
-    const newMode = settings.mode;
-    const newEnrollment = settings.enrollment_mode;
-    const newCAType = settings.ca_type;
-    const newCertValidity = settings.cert_validity_days;
+    const newMode = isDeviceAuthMode(settings.mode) ? settings.mode : "disabled";
+    const newEnrollment = isEnrollmentMode(settings.enrollment_mode) ? settings.enrollment_mode : "manual";
+    const newCAType = isCAType(settings.ca_type) ? settings.ca_type : "builtin";
+    const newCertValidity = settings.cert_validity_days > 0 ? settings.cert_validity_days : 365;
     setMode(newMode);
     setEnrollmentMode(newEnrollment);
     setCaType(newCAType);
@@ -139,7 +139,6 @@ export default function DeviceSecuritySettings() {
       enrollment_mode: enrollmentMode,
       ca_type: caType,
       cert_validity_days: certValidityDays,
-      inventory_type: settings?.inventory_type ?? "",
     });
     notify({
       title: "Device Security Settings",
@@ -397,7 +396,7 @@ export default function DeviceSecuritySettings() {
                 {testing ? "Testing..." : "Test Connection"}
               </Button>
               {testing && (
-                <span className="text-sm text-gray-500">Running CA test...</span>
+                <span className="text-sm text-nb-gray-400">Running CA test...</span>
               )}
             </div>
           )}
@@ -431,7 +430,7 @@ export default function DeviceSecuritySettings() {
             label="Certificate Revocation"
             help="Revocation uses CRL (Certificate Revocation List), published every 12 hours."
           >
-            <p className="font-mono text-sm text-gray-500 dark:text-gray-400">
+            <p className="font-mono text-sm text-nb-gray-400">
               {"GET /api/v1/device-auth/crl?account_id=<id>"}
             </p>
           </SettingRow>
diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
index a45ac3f2..c3dc12ca 100644
--- a/src/modules/device-security/InventoryPage.tsx
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -3,20 +3,28 @@
 import Breadcrumbs from "@components/Breadcrumbs";
 import Button from "@components/Button";
 import { Callout } from "@components/Callout";
+import { Checkbox } from "@components/Checkbox";
+import FancyToggleSwitch from "@components/FancyToggleSwitch";
 import HelpText from "@components/HelpText";
 import { Input } from "@components/Input";
 import { Label } from "@components/Label";
 import { notify } from "@components/Notification";
 import Paragraph from "@components/Paragraph";
+import { cn } from "@utils/helpers";
 import { useHasChanges } from "@hooks/useHasChanges";
-import { LayoutListIcon, ShieldCheckIcon } from "lucide-react";
+import {
+  DatabaseIcon,
+  LayoutListIcon,
+  MonitorSmartphoneIcon,
+  ShieldCheckIcon,
+  SmartphoneIcon,
+} from "lucide-react";
 import Link from "next/link";
 import React, { useCallback, useEffect, useState } from "react";
 import Skeleton from "react-loading-skeleton";
 import { useDeviceSecurityContext } from "@/contexts/DeviceSecurityProvider";
 import type {
   InventoryConfig,
-  InventoryType,
   IntuneInventoryConfig,
   JamfInventoryConfig,
   StaticInventoryConfig,
@@ -24,18 +32,16 @@ import type {
 import PageContainer from "@/layouts/PageContainer";
 import { PasswordField } from "./PasswordField";
 
-// ---- Constants ----
-
-const SERIAL_SEPARATOR_RE = /[\n,]+/;
-
-// ---- Default configs ----
+// ── Defaults ──────────────────────────────────────────────────────────────────
 
 const DEFAULT_STATIC: StaticInventoryConfig = {
+  enabled: false,
   peers: [],
   serial_count: 0,
 };
 
 const DEFAULT_INTUNE: IntuneInventoryConfig = {
+  enabled: false,
   tenant_id: "",
   client_id: "",
   client_secret: "",
@@ -44,32 +50,21 @@ const DEFAULT_INTUNE: IntuneInventoryConfig = {
 };
 
 const DEFAULT_JAMF: JamfInventoryConfig = {
+  enabled: false,
   jamf_url: "",
-  username: "",
-  password: "",
-  has_password: false,
+  client_id: "",
+  client_secret: "",
+  has_client_secret: false,
   require_management: false,
 };
 
-// ---- Inventory type options ----
-
-interface InventoryTypeOption {
-  value: InventoryType;
-  label: string;
-  description: string;
-  disabled?: boolean;
-  comingSoon?: boolean;
-}
-
-const INVENTORY_TYPE_OPTIONS: InventoryTypeOption[] = [
-  { value: "static", label: "Static List", description: "Manually maintained list of allowed peer IDs" },
-  { value: "intune", label: "Microsoft Intune", description: "Sync managed devices from Microsoft Intune" },
-  { value: "jamf", label: "Jamf Pro", description: "Sync managed devices from Jamf Pro MDM" },
-  { value: "fleetdm", label: "Fleet", description: "Sync managed devices from FleetDM / osquery", disabled: true, comingSoon: true },
-  { value: "webhook", label: "Webhook", description: "Approve devices via a custom webhook", disabled: true, comingSoon: true },
-];
+const DEFAULT_CONFIG: InventoryConfig = {
+  static: DEFAULT_STATIC,
+  intune: DEFAULT_INTUNE,
+  jamf: DEFAULT_JAMF,
+};
 
-// ---- Static form with two-tab UI ----
+// ── Static source form ────────────────────────────────────────────────────────
 
 type StaticTab = "peers" | "serials";
 
@@ -80,128 +75,100 @@ interface StaticFormProps {
 
 function StaticForm({ config, onChange }: StaticFormProps) {
   const [activeTab, setActiveTab] = useState<StaticTab>("peers");
-
-  const wgKeys = config.peers.filter((p) => !p.startsWith("serial:"));
-  const peersValue = wgKeys.join("\n");
+  const peersValue = config.peers.join("\n");
 
   const handlePeersChange = (raw: string) => {
-    const newKeys = raw
+    const newPeers = raw
       .split(/[\n,]+/)
       .map((s) => s.trim())
       .filter(Boolean);
-    const serials = config.peers.filter((p) => p.startsWith("serial:"));
-    onChange({ ...config, peers: [...newKeys, ...serials] });
-  };
-
-  const serialsValue = config.peers
-    .filter((p) => p.startsWith("serial:"))
-    .map((p) => p.replace(/^serial:/, ""))
-    .join("\n");
-
-  const handleSerialsChange = (raw: string) => {
-    const newSerials = raw
-      .split(SERIAL_SEPARATOR_RE)
-      .map((s) => s.trim())
-      .filter(Boolean)
-      .map((s) => (s.startsWith("serial:") ? s : `serial:${s}`));
-    onChange({ ...config, peers: [...wgKeys, ...newSerials] });
+    onChange({ ...config, peers: newPeers });
   };
 
   return (
-    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
-      {/* Tab buttons */}
-      <div className="flex gap-0 border-b border-gray-200 dark:border-zinc-700">
-        <button
-          type="button"
-          onClick={() => setActiveTab("peers")}
-          className={
-            "px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors " +
-            (activeTab === "peers"
-              ? "border-nb-gray-900 text-gray-900 dark:border-zinc-400 dark:text-gray-100"
-              : "border-transparent text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200")
-          }
-        >
-          NetBird Peers
-        </button>
-        <button
-          type="button"
-          onClick={() => setActiveTab("serials")}
-          className={
-            "px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors " +
-            (activeTab === "serials"
-              ? "border-nb-gray-900 text-gray-900 dark:border-zinc-400 dark:text-gray-100"
-              : "border-transparent text-gray-500 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-200")
-          }
-        >
-          Serial Numbers
-        </button>
+    <div
+      className={cn(
+        "border border-nb-gray-900 border-t-0 rounded-b-md bg-nb-gray-940",
+        "px-5 pt-3 pb-5 mx-[0.25rem]",
+      )}
+    >
+      {/* Sub-tabs */}
+      <div className="flex border-b border-nb-gray-900 mb-4">
+        {(["peers", "serials"] as StaticTab[]).map((tab) => (
+          <button
+            key={tab}
+            type="button"
+            onClick={() => setActiveTab(tab)}
+            className={cn(
+              "px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors",
+              activeTab === tab
+                ? "border-netbird text-netbird"
+                : "border-transparent text-nb-gray-400 hover:text-nb-gray-200",
+            )}
+          >
+            {tab === "peers" ? "WireGuard Keys" : "Serial Numbers"}
+          </button>
+        ))}
       </div>
 
-      {/* Tab: NetBird Peers */}
       {activeTab === "peers" && (
-        <div className="flex flex-col gap-3">
-          <p className="text-sm text-gray-600 dark:text-gray-400">
-            Select NetBird peers that are allowed to enroll. The device&apos;s WireGuard public key is matched during attestation.
-          </p>
-          <div className="flex flex-col gap-1">
-            <Label htmlFor="static-wg-keys">WireGuard Public Keys</Label>
-            <textarea
-              id="static-wg-keys"
-              rows={6}
-              value={peersValue}
-              onChange={(e) => handlePeersChange(e.target.value)}
-              placeholder={"Enter one WireGuard public key per line"}
-              aria-describedby="static-wg-keys-help"
-              className={
-                "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
-                "font-mono text-gray-900 placeholder:text-gray-400 " +
-                "focus:outline-none focus:ring-2 focus:ring-nb-gray-900 " +
-                "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
-              }
-            />
-            <HelpText id="static-wg-keys-help">
-              {wgKeys.length > 0
-                ? `${wgKeys.length} WireGuard key${wgKeys.length !== 1 ? "s" : ""} in list`
-                : "No peers configured"}
-            </HelpText>
-          </div>
+        <div className="flex flex-col gap-2">
+          <HelpText>
+            WireGuard public keys of NetBird peers allowed to enroll automatically.
+            The key is matched against the peer&apos;s WireGuard identity during attestation.
+          </HelpText>
+          <textarea
+            rows={6}
+            value={peersValue}
+            onChange={(e) => handlePeersChange(e.target.value)}
+            placeholder={"Paste one WireGuard public key per line"}
+            spellCheck={false}
+            className={cn(
+              "w-full rounded-md border border-nb-gray-900 bg-nb-gray-950",
+              "px-3 py-2 text-sm font-mono text-nb-gray-100",
+              "placeholder:text-nb-gray-600",
+              "focus:outline-none focus:ring-1 focus:ring-netbird focus:border-netbird",
+              "resize-y min-h-[120px]",
+            )}
+          />
+          <HelpText>
+            {config.peers.length > 0
+              ? `${config.peers.length} key${config.peers.length !== 1 ? "s" : ""} in list`
+              : "No keys configured"}
+          </HelpText>
         </div>
       )}
 
-      {/* Tab: Serial Numbers */}
       {activeTab === "serials" && (
-        <div className="flex flex-col gap-3">
+        <div className="flex flex-col gap-2">
           <Callout variant="warning">
-            Serial numbers are less secure than WireGuard keys. Use only if your MDM enforces serial uniqueness.
+            Serial numbers are less secure than WireGuard keys. Use only if your
+            MDM enforces serial uniqueness.
           </Callout>
-          <div className="flex flex-col gap-1">
-            <Label htmlFor="static-serials">Serial Numbers</Label>
-            <textarea
-              id="static-serials"
-              rows={6}
-              value={serialsValue}
-              onChange={(e) => handleSerialsChange(e.target.value)}
-              placeholder={"Enter one serial number per line"}
-              aria-describedby="static-serials-help"
-              className={
-                "w-full rounded-md border border-gray-200 bg-white px-3 py-2 text-sm " +
-                "font-mono text-gray-900 placeholder:text-gray-400 " +
-                "focus:outline-none focus:ring-2 focus:ring-nb-gray-900 " +
-                "dark:border-zinc-700 dark:bg-zinc-950 dark:text-gray-100 dark:placeholder:text-gray-600"
-              }
-            />
-            <HelpText id="static-serials-help">
-              {config.serial_count > 0
-                ? `${config.serial_count} serial number${config.serial_count !== 1 ? "s" : ""} stored`
-                : "No serial numbers configured"}
-            </HelpText>
+          <HelpText>
+            TPM EK serial numbers (decimal format) allowed to enroll automatically.
+            One serial per line. For large fleets, consider using an MDM integration instead.
+          </HelpText>
+          <div className="flex items-center justify-between">
+            <Label>Serial Numbers</Label>
+            {config.serial_count > 0 && (
+              <span className="text-xs text-nb-gray-400">
+                {config.serial_count} stored
+              </span>
+            )}
           </div>
+          <p className="text-xs text-nb-gray-400">
+            Serial numbers are write-only. Existing entries are preserved unless you upload a new list.
+            Contact support or use the API to manage large serial lists.
+          </p>
         </div>
       )}
     </div>
   );
 }
 
+// ── Intune source form ─────────────────────────────────────────────────────────
+
 interface IntuneFormProps {
   config: IntuneInventoryConfig;
   onChange: (config: IntuneInventoryConfig) => void;
@@ -212,51 +179,60 @@ function IntuneForm({ config, onChange }: IntuneFormProps) {
     onChange({ ...config, ...patch });
 
   return (
-    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
-      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">Microsoft Intune Configuration</p>
-      <div className="flex flex-col gap-3">
-        <div className="flex flex-col gap-1">
-          <Label htmlFor="intune-tenant-id">Tenant ID</Label>
-          <Input
-            id="intune-tenant-id"
-            placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-            value={config.tenant_id}
-            onChange={(e) => update({ tenant_id: e.target.value })}
-          />
-        </div>
-        <div className="flex flex-col gap-1">
-          <Label htmlFor="intune-client-id">Client ID</Label>
-          <Input
-            id="intune-client-id"
-            placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-            value={config.client_id}
-            onChange={(e) => update({ client_id: e.target.value })}
-          />
-        </div>
-        <PasswordField
-          id="intune-client-secret"
-          label="Client Secret"
-          value={config.client_secret}
-          hasExisting={config.has_client_secret}
-          onChange={(v) => update({ client_secret: v })}
+    <div
+      className={cn(
+        "border border-nb-gray-900 border-t-0 rounded-b-md bg-nb-gray-940",
+        "px-5 pt-4 pb-5 flex flex-col gap-4 mx-[0.25rem]",
+      )}
+    >
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="intune-tenant-id">Tenant ID</Label>
+        <Input
+          id="intune-tenant-id"
+          placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+          value={config.tenant_id}
+          onChange={(e) => update({ tenant_id: e.target.value })}
         />
-        <div className="flex items-center gap-2">
-          <input
-            id="intune-require-compliance"
-            type="checkbox"
-            checked={config.require_compliance}
-            onChange={(e) => update({ require_compliance: e.target.checked })}
-            className="h-4 w-4 rounded border-gray-300 text-nb-gray-900 focus:ring-nb-gray-900"
-          />
+      </div>
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="intune-client-id">Client ID (Application ID)</Label>
+        <Input
+          id="intune-client-id"
+          placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+          value={config.client_id}
+          onChange={(e) => update({ client_id: e.target.value })}
+        />
+      </div>
+      <PasswordField
+        id="intune-client-secret"
+        label="Client Secret"
+        value={config.client_secret}
+        hasExisting={config.has_client_secret}
+        onChange={(v) => update({ client_secret: v })}
+      />
+      <div className="flex items-center gap-3">
+        <Checkbox
+          id="intune-require-compliance"
+          checked={config.require_compliance}
+          onCheckedChange={(checked) =>
+            update({ require_compliance: checked === true })
+          }
+        />
+        <div>
           <Label htmlFor="intune-require-compliance" className="cursor-pointer">
-            Require compliance
+            Require device compliance
           </Label>
+          <HelpText>
+            Only enroll devices that are marked as compliant in Intune.
+          </HelpText>
         </div>
       </div>
     </div>
   );
 }
 
+// ── Jamf source form ──────────────────────────────────────────────────────────
+
 interface JamfFormProps {
   config: JamfInventoryConfig;
   onChange: (config: JamfInventoryConfig) => void;
@@ -267,58 +243,87 @@ function JamfForm({ config, onChange }: JamfFormProps) {
     onChange({ ...config, ...patch });
 
   return (
-    <div className="flex flex-col gap-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-zinc-700 dark:bg-zinc-900">
-      <p className="text-sm font-medium text-gray-700 dark:text-gray-300">Jamf Pro Configuration</p>
-      <div className="flex flex-col gap-3">
-        <div className="flex flex-col gap-1">
-          <Label htmlFor="jamf-server-url">Server URL</Label>
-          <Input
-            id="jamf-server-url"
-            type="url"
-            placeholder="https://yourorg.jamfcloud.com"
-            value={config.jamf_url}
-            onChange={(e) => update({ jamf_url: e.target.value })}
-          />
-        </div>
-        <div className="flex flex-col gap-1">
-          <Label htmlFor="jamf-username">Username</Label>
-          <Input
-            id="jamf-username"
-            placeholder="api-user"
-            value={config.username}
-            onChange={(e) => update({ username: e.target.value })}
-          />
-        </div>
-        <PasswordField
-          id="jamf-password"
-          label="Password"
-          value={config.password}
-          hasExisting={config.has_password}
-          onChange={(v) => update({ password: v })}
+    <div
+      className={cn(
+        "border border-nb-gray-900 border-t-0 rounded-b-md bg-nb-gray-940",
+        "px-5 pt-4 pb-5 flex flex-col gap-4 mx-[0.25rem]",
+      )}
+    >
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="jamf-server-url">Server URL</Label>
+        <Input
+          id="jamf-server-url"
+          type="url"
+          placeholder="https://yourorg.jamfcloud.com"
+          value={config.jamf_url}
+          onChange={(e) => update({ jamf_url: e.target.value })}
         />
-        <div className="flex items-center gap-2">
-          <input
-            id="jamf-require-management"
-            type="checkbox"
-            checked={config.require_management}
-            onChange={(e) => update({ require_management: e.target.checked })}
-            className="h-4 w-4 rounded border-gray-300 text-nb-gray-900 focus:ring-nb-gray-900"
-          />
+      </div>
+      <div className="flex flex-col gap-1">
+        <Label htmlFor="jamf-client-id">Client ID (API Role)</Label>
+        <Input
+          id="jamf-client-id"
+          placeholder="netbird-integration"
+          value={config.client_id}
+          onChange={(e) => update({ client_id: e.target.value })}
+        />
+      </div>
+      <PasswordField
+        id="jamf-client-secret"
+        label="Client Secret"
+        value={config.client_secret}
+        hasExisting={config.has_client_secret}
+        onChange={(v) => update({ client_secret: v })}
+      />
+      <div className="flex items-center gap-3">
+        <Checkbox
+          id="jamf-require-management"
+          checked={config.require_management}
+          onCheckedChange={(checked) =>
+            update({ require_management: checked === true })
+          }
+        />
+        <div>
           <Label htmlFor="jamf-require-management" className="cursor-pointer">
-            Require management
+            Require device management
           </Label>
+          <HelpText>
+            Only enroll devices that are actively managed in Jamf Pro.
+          </HelpText>
         </div>
       </div>
     </div>
   );
 }
 
-// ---- Main page ----
+// ── Coming soon placeholder ───────────────────────────────────────────────────
 
-const DEFAULT_CONFIG: InventoryConfig = {
-  inventory_type: "static",
-  static: DEFAULT_STATIC,
-};
+function ComingSoonSource({
+  icon,
+  label,
+  description,
+}: {
+  icon: React.ReactNode;
+  label: string;
+  description: string;
+}) {
+  return (
+    <div className="flex items-center gap-4 px-5 py-4 rounded-md border border-nb-gray-910 bg-nb-gray-900/30 opacity-60">
+      <div className="text-nb-gray-400">{icon}</div>
+      <div className="flex-1">
+        <div className="flex items-center gap-2">
+          <span className="text-sm font-medium text-nb-gray-200">{label}</span>
+          <span className="inline-flex items-center rounded-full bg-nb-gray-800 px-2 py-0.5 text-xs font-medium text-nb-gray-400">
+            Coming soon
+          </span>
+        </div>
+        <p className="text-xs text-nb-gray-500">{description}</p>
+      </div>
+    </div>
+  );
+}
+
+// ── Main page ─────────────────────────────────────────────────────────────────
 
 export default function InventoryPage() {
   const { inventoryConfig, inventoryConfigLoading, updateInventoryConfig, settings } =
@@ -330,41 +335,41 @@ export default function InventoryPage() {
 
   useEffect(() => {
     if (!inventoryConfig) return;
-    setLocalConfig(inventoryConfig);
+    setLocalConfig({
+      static: inventoryConfig.static ?? DEFAULT_STATIC,
+      intune: inventoryConfig.intune ?? DEFAULT_INTUNE,
+      jamf: inventoryConfig.jamf ?? DEFAULT_JAMF,
+    });
     updateRef([inventoryConfig]);
   }, [inventoryConfig, updateRef]);
 
-  const handleTypeChange = useCallback((type: InventoryType) => {
-    if (type === "fleetdm" || type === "webhook") return;
-    setLocalConfig((prev) => ({
-      ...prev,
-      inventory_type: type,
-      static: prev.static ?? DEFAULT_STATIC,
-      intune: prev.intune ?? DEFAULT_INTUNE,
-      jamf: prev.jamf ?? DEFAULT_JAMF,
-    }));
-  }, []);
-
-  const handleStaticChange = (config: StaticInventoryConfig) =>
-    setLocalConfig((prev) => ({ ...prev, static: config }));
+  const updateStatic = useCallback(
+    (patch: Partial<StaticInventoryConfig>) =>
+      setLocalConfig((prev) => ({ ...prev, static: { ...prev.static, ...patch } })),
+    [],
+  );
 
-  const handleIntuneChange = (config: IntuneInventoryConfig) =>
-    setLocalConfig((prev) => ({ ...prev, intune: config }));
+  const updateIntune = useCallback(
+    (cfg: IntuneInventoryConfig) =>
+      setLocalConfig((prev) => ({ ...prev, intune: cfg })),
+    [],
+  );
 
-  const handleJamfChange = (config: JamfInventoryConfig) =>
-    setLocalConfig((prev) => ({ ...prev, jamf: config }));
+  const updateJamf = useCallback(
+    (cfg: JamfInventoryConfig) =>
+      setLocalConfig((prev) => ({ ...prev, jamf: cfg })),
+    [],
+  );
 
   const handleSave = useCallback(async () => {
-    if (localConfig.inventory_type === "intune") {
-      const intune = localConfig.intune ?? DEFAULT_INTUNE;
-      if (!intune.tenant_id || !intune.client_id) {
+    if (localConfig.intune.enabled) {
+      if (!localConfig.intune.tenant_id || !localConfig.intune.client_id) {
         notify.error("Tenant ID and Client ID are required for Intune");
         return;
       }
     }
-    if (localConfig.inventory_type === "jamf") {
-      const jamf = localConfig.jamf ?? DEFAULT_JAMF;
-      if (!jamf.jamf_url) {
+    if (localConfig.jamf.enabled) {
+      if (!localConfig.jamf.jamf_url) {
         notify.error("Server URL is required for Jamf");
         return;
       }
@@ -395,10 +400,10 @@ export default function InventoryPage() {
           <Skeleton height={24} width={200} className="mb-6" />
           <Skeleton height={32} width={160} className="mb-10" />
           <div className="mb-8">
-            <Skeleton height={17} width={200} className="mb-2" />
-            <Skeleton height={80} width="100%" />
+            <Skeleton height={60} width="100%" className="mb-3" />
+            <Skeleton height={60} width="100%" className="mb-3" />
+            <Skeleton height={60} width="100%" />
           </div>
-          <Skeleton height={120} width="100%" />
         </div>
       </PageContainer>
     );
@@ -437,7 +442,8 @@ export default function InventoryPage() {
           <div>
             <h1>Device Inventory</h1>
             <Paragraph>
-              Configure the device allow-list or MDM integration used for attestation-mode enrollment.
+              Configure device allow-lists or MDM integrations for attestation enrollment.
+              Multiple sources can be active simultaneously.
             </Paragraph>
           </div>
           <Button
@@ -451,7 +457,7 @@ export default function InventoryPage() {
         </div>
 
         {/* Status callout */}
-        <div className="mt-6">
+        <div className="mt-6 mb-8">
           {attestationActive ? (
             <Callout variant="success">
               Inventory is active. Managed devices are automatically approved during enrollment.{" "}
@@ -461,7 +467,8 @@ export default function InventoryPage() {
             </Callout>
           ) : (
             <Callout variant="warning">
-              Attestation is not enabled. To use inventory-based enrollment, enable Attestation mode in{" "}
+              Attestation is not enabled. To use inventory-based enrollment, enable Attestation
+              mode in{" "}
               <Link href="/device-security/settings" className="underline font-medium">
                 Settings →
               </Link>
@@ -469,73 +476,77 @@ export default function InventoryPage() {
           )}
         </div>
 
-        <div className="flex flex-col gap-6 w-full mt-8">
-          {/* Inventory type selector */}
-          <div className="flex flex-col gap-1 sm:flex-row w-full sm:gap-4 items-start">
-            <div className="min-w-[330px]">
-              <Label>Inventory Source</Label>
-              <HelpText>
-                Choose how NetBird determines which devices are allowed to enroll via attestation
-              </HelpText>
-            </div>
-            <div className="w-full flex flex-col gap-2">
-              {INVENTORY_TYPE_OPTIONS.map(({ value, label, description, disabled, comingSoon }) => (
-                <label
-                  key={value}
-                  className={
-                    "flex items-start gap-3 rounded-lg border p-3 transition-colors " +
-                    (disabled
-                      ? "opacity-50 cursor-not-allowed border-gray-200 dark:border-zinc-700"
-                      : "cursor-pointer " +
-                        (localConfig.inventory_type === value
-                          ? "border-nb-gray-900 bg-gray-50 dark:border-zinc-500 dark:bg-zinc-800"
-                          : "border-gray-200 hover:border-gray-300 dark:border-zinc-700 dark:hover:border-zinc-600"))
-                  }
-                >
-                  <input
-                    type="radio"
-                    name="inventory-type"
-                    value={value}
-                    checked={localConfig.inventory_type === value}
-                    onChange={() => !disabled && handleTypeChange(value)}
-                    disabled={disabled}
-                    className="mt-0.5 h-4 w-4 text-nb-gray-900 border-gray-300 focus:ring-nb-gray-900"
-                  />
-                  <div className="flex-1">
-                    <div className="flex items-center gap-2">
-                      <p className="text-sm font-medium text-gray-900 dark:text-gray-100">{label}</p>
-                      {comingSoon && (
-                        <span className="inline-flex items-center rounded-full bg-gray-100 px-2 py-0.5 text-xs font-medium text-gray-500 dark:bg-zinc-700 dark:text-gray-400">
-                          Coming soon
-                        </span>
-                      )}
-                    </div>
-                    <p className="text-xs text-gray-500 dark:text-gray-400">{description}</p>
-                  </div>
-                </label>
-              ))}
-            </div>
+        <div className="flex flex-col gap-4">
+          {/* Static allow-list */}
+          <div className="flex flex-col">
+            <FancyToggleSwitch
+              value={localConfig.static.enabled}
+              onChange={(v) => updateStatic({ enabled: v })}
+              label={
+                <>
+                  <DatabaseIcon size={15} />
+                  Static Allow-List
+                </>
+              }
+              helpText="Manually maintained list of WireGuard keys or serial numbers."
+            />
+            {localConfig.static.enabled && (
+              <StaticForm
+                config={localConfig.static}
+                onChange={(cfg) =>
+                  setLocalConfig((prev) => ({ ...prev, static: cfg }))
+                }
+              />
+            )}
           </div>
 
-          {/* Type-specific config form */}
-          {localConfig.inventory_type === "static" && (
-            <StaticForm
-              config={localConfig.static ?? DEFAULT_STATIC}
-              onChange={handleStaticChange}
-            />
-          )}
-          {localConfig.inventory_type === "intune" && (
-            <IntuneForm
-              config={localConfig.intune ?? DEFAULT_INTUNE}
-              onChange={handleIntuneChange}
+          {/* Microsoft Intune */}
+          <div className="flex flex-col">
+            <FancyToggleSwitch
+              value={localConfig.intune.enabled}
+              onChange={(v) => updateIntune({ ...localConfig.intune, enabled: v })}
+              label={
+                <>
+                  <MonitorSmartphoneIcon size={15} />
+                  Microsoft Intune
+                </>
+              }
+              helpText="Approve Windows and other managed devices from Microsoft Intune."
             />
-          )}
-          {localConfig.inventory_type === "jamf" && (
-            <JamfForm
-              config={localConfig.jamf ?? DEFAULT_JAMF}
-              onChange={handleJamfChange}
+            {localConfig.intune.enabled && (
+              <IntuneForm config={localConfig.intune} onChange={updateIntune} />
+            )}
+          </div>
+
+          {/* Jamf Pro */}
+          <div className="flex flex-col">
+            <FancyToggleSwitch
+              value={localConfig.jamf.enabled}
+              onChange={(v) => updateJamf({ ...localConfig.jamf, enabled: v })}
+              label={
+                <>
+                  <SmartphoneIcon size={15} />
+                  Jamf Pro
+                </>
+              }
+              helpText="Approve macOS and iOS devices managed by Jamf Pro."
             />
-          )}
+            {localConfig.jamf.enabled && (
+              <JamfForm config={localConfig.jamf} onChange={updateJamf} />
+            )}
+          </div>
+
+          {/* Coming soon */}
+          <ComingSoonSource
+            icon={<MonitorSmartphoneIcon size={18} />}
+            label="Fleet"
+            description="Sync managed devices from FleetDM / osquery"
+          />
+          <ComingSoonSource
+            icon={<ShieldCheckIcon size={18} />}
+            label="Webhook"
+            description="Approve devices via a custom webhook endpoint"
+          />
         </div>
       </div>
     </PageContainer>
diff --git a/src/modules/device-security/TrustedCAsTable.tsx b/src/modules/device-security/TrustedCAsTable.tsx
index 50bf66c3..9d206e05 100644
--- a/src/modules/device-security/TrustedCAsTable.tsx
+++ b/src/modules/device-security/TrustedCAsTable.tsx
@@ -76,7 +76,11 @@ function buildColumns(
   ];
 }
 
-export default function TrustedCAsTable() {
+type Props = {
+  headingTarget?: HTMLHeadingElement | null;
+};
+
+export default function TrustedCAsTable({ headingTarget }: Readonly<Props>) {
   const { trustedCAs, trustedCAsLoading, deleteTrustedCA } = useDeviceSecurity();
   const { confirm } = useDialog();
   const path = usePathname();
@@ -123,18 +127,15 @@ export default function TrustedCAsTable() {
     </AddTrustedCAModal>
   );
 
-  if (!trustedCAsLoading && (!trustedCAs || trustedCAs.length === 0)) {
-    return (
-      <div>
-        <div className="flex justify-end mb-4">{addButton}</div>
-        <NoResults
-          title="No trusted CAs added."
-          description="Add a trusted Certificate Authority to enable device certificate authentication."
-          icon={<ShieldCheckIcon size={20} />}
-        />
-      </div>
-    );
-  }
+  const emptyState = (
+    <NoResults
+      title="No trusted CAs added."
+      description="Add a trusted Certificate Authority to enable device certificate authentication."
+      icon={<ShieldCheckIcon size={20} />}
+    >
+      <div className={"mt-6"}>{addButton}</div>
+    </NoResults>
+  );
 
   return (
     <DataTable
@@ -145,8 +146,11 @@ export default function TrustedCAsTable() {
       data={trustedCAs ?? []}
       isLoading={trustedCAsLoading}
       searchPlaceholder="Search by name..."
-    >
-      {() => addButton}
-    </DataTable>
+      headingTarget={headingTarget}
+      getStartedCard={emptyState}
+      rightSide={() =>
+        trustedCAs && trustedCAs.length > 0 ? addButton : null
+      }
+    />
   );
 }

From 79577bdd7a6702c3e9ba36c154ccfd94bcc593f4 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sun, 12 Apr 2026 15:58:17 +0300
Subject: [PATCH 28/37] fix: prevent Bearer undefined requests when OIDC token
 not yet loaded

Guard isTokenExpired() against undefined token (OIDC loading race) that
caused API calls to fire with 'Authorization: Bearer undefined'.

Also improve devices page layout (breadcrumbs, description, empty state).
---
 cypress/support/commands.ts                   |  2 +-
 .../device-security/devices/page.tsx          | 38 ++++++++++++++++++-
 src/modules/device-security/DevicesTable.tsx  | 17 ++++-----
 src/utils/api.tsx                             |  1 +
 4 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/cypress/support/commands.ts b/cypress/support/commands.ts
index 698b01a4..95857aea 100644
--- a/cypress/support/commands.ts
+++ b/cypress/support/commands.ts
@@ -34,4 +34,4 @@
 //       visit(originalFn: CommandOriginalFn, url: string, options: Partial<VisitOptions>): Chainable<Element>
 //     }
 //   }
-// }
\ No newline at end of file
+// }
diff --git a/src/app/(dashboard)/device-security/devices/page.tsx b/src/app/(dashboard)/device-security/devices/page.tsx
index 957b0584..22a44885 100644
--- a/src/app/(dashboard)/device-security/devices/page.tsx
+++ b/src/app/(dashboard)/device-security/devices/page.tsx
@@ -1,7 +1,41 @@
 "use client";
 
-import DevicesTable from "@/modules/device-security/DevicesTable";
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const DevicesTable = lazy(
+  () => import("@/modules/device-security/DevicesTable"),
+);
 
 export default function DevicesPage() {
-  return <DevicesTable />;
+  return (
+    <PageContainer>
+      <div className={"p-default py-6"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security/devices"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/devices"}
+            label={"Devices"}
+            active
+          />
+        </Breadcrumbs>
+        <h1>Device Certificates</h1>
+        <Paragraph>
+          Certificates issued to devices in your network. Renew or revoke
+          certificates to control device access.
+        </Paragraph>
+      </div>
+      <Suspense fallback={<SkeletonTable />}>
+        <DevicesTable />
+      </Suspense>
+    </PageContainer>
+  );
 }
diff --git a/src/modules/device-security/DevicesTable.tsx b/src/modules/device-security/DevicesTable.tsx
index 461f3fca..b5aa57d2 100644
--- a/src/modules/device-security/DevicesTable.tsx
+++ b/src/modules/device-security/DevicesTable.tsx
@@ -178,15 +178,13 @@ export default function DevicesTable() {
     [handleRenew],
   );
 
-  if (!devicesLoading && (!devices || devices.length === 0)) {
-    return (
-      <NoResults
-        title="No device certificates issued"
-        description="No device certificates issued."
-        icon={<ShieldIcon size={20} />}
-      />
-    );
-  }
+  const emptyState = (
+    <NoResults
+      title="No device certificates issued"
+      description="Device certificates will appear here once devices enroll and are issued certificates."
+      icon={<ShieldIcon size={20} />}
+    />
+  );
 
   return (
     <DataTable
@@ -197,6 +195,7 @@ export default function DevicesTable() {
       data={devices}
       isLoading={devicesLoading}
       searchPlaceholder="Search by key or serial..."
+      getStartedCard={emptyState}
     >
       {() => (
         <DataTableRefreshButton
diff --git a/src/utils/api.tsx b/src/utils/api.tsx
index ddba852a..14d535b8 100644
--- a/src/utils/api.tsx
+++ b/src/utils/api.tsx
@@ -81,6 +81,7 @@ export function useNetBirdFetch(ignoreError: boolean = false): {
   const handleErrors = useApiErrorHandling(ignoreError);
 
   const isTokenExpired = async () => {
+    if (!token) return true;
     let attempts = 4;
     while (isExpired(token) && attempts > 0) {
       await sleep(500);

From b003023f4d3bd2c3c603218de04756cfec5223bd Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sun, 12 Apr 2026 18:58:25 +0300
Subject: [PATCH 29/37] feat: add require_inventory_check toggle and
 cert_approver role

Device Security Settings:
- Add require_inventory_check toggle (FancyToggleSwitch) for manual/both enrollment modes
- Syncs with backend via DeviceAuthSettings interface (new require_inventory_check field)
- Links to Inventory config page in helpText

Users / RBAC:
- Add CertApprover role to Role enum
- UserRoleSelector, UserRoleCell, UserInvitesTable, UsersProvider updated for cert_approver
- isCertApprover helper in useLoggedInUser()
---
 src/contexts/UsersProvider.tsx                |  4 +++
 src/interfaces/DeviceSecurity.ts              |  2 ++
 src/interfaces/User.ts                        |  1 +
 .../DeviceSecuritySettings.tsx                | 36 +++++++++++++++++--
 src/modules/users/UserInvitesTable.tsx        |  7 ++++
 src/modules/users/UserRoleSelector.tsx        |  6 ++++
 .../users/table-cells/UserRoleCell.tsx        |  8 ++++-
 7 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/src/contexts/UsersProvider.tsx b/src/contexts/UsersProvider.tsx
index 67a79f6a..c467e2ee 100644
--- a/src/contexts/UsersProvider.tsx
+++ b/src/contexts/UsersProvider.tsx
@@ -106,6 +106,9 @@ export const useLoggedInUser = () => {
   const { setGlobalApiParams } = useApplicationContext();
   const isOwner = loggedInUser ? loggedInUser?.role === Role.Owner : false;
   const isAdmin = loggedInUser ? loggedInUser?.role === Role.Admin : false;
+  const isCertApprover = loggedInUser
+    ? loggedInUser?.role === Role.CertApprover
+    : false;
 
   const isUser = !isOwner && !isAdmin;
   const isOwnerOrAdmin = isOwner || isAdmin;
@@ -120,6 +123,7 @@ export const useLoggedInUser = () => {
     loggedInUser,
     isOwner,
     isAdmin,
+    isCertApprover,
     isUser,
     isOwnerOrAdmin,
     logout,
diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index ee10c438..9c7cf014 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -11,6 +11,8 @@ export interface DeviceAuthSettings {
   enrollment_mode: EnrollmentMode;
   ca_type: CAType;
   cert_validity_days: number;
+  inventory_type: string;
+  require_inventory_check: boolean;
 }
 
 export interface DeviceEnrollment {
diff --git a/src/interfaces/User.ts b/src/interfaces/User.ts
index 9d6cf531..cb0adf1a 100644
--- a/src/interfaces/User.ts
+++ b/src/interfaces/User.ts
@@ -69,4 +69,5 @@ export enum Role {
   BillingAdmin = "billing_admin",
   Auditor = "auditor",
   NetworkAdmin = "network_admin",
+  CertApprover = "cert_approver",
 }
diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index 53e3fc7a..ea8426fc 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -3,6 +3,7 @@
 import Breadcrumbs from "@components/Breadcrumbs";
 import Button from "@components/Button";
 import { Callout } from "@components/Callout";
+import FancyToggleSwitch from "@components/FancyToggleSwitch";
 import HelpText from "@components/HelpText";
 import { Input } from "@components/Input";
 import { Label } from "@components/Label";
@@ -98,6 +99,7 @@ export default function DeviceSecuritySettings() {
   const [enrollmentMode, setEnrollmentMode] = useState<EnrollmentMode>("manual");
   const [caType, setCaType] = useState<CAType>("builtin");
   const [certValidityDays, setCertValidityDays] = useState(365);
+  const [requireInventoryCheck, setRequireInventoryCheck] = useState(false);
   const [localCAConfig, setLocalCAConfig] = useState<CAConfig>({ ca_type: "builtin" });
   const [testResult, setTestResult] = useState<CATestResult | null>(null);
   const [testing, setTesting] = useState(false);
@@ -107,6 +109,7 @@ export default function DeviceSecuritySettings() {
     enrollmentMode,
     caType,
     certValidityDays,
+    requireInventoryCheck,
     localCAConfig,
   ]);
 
@@ -116,17 +119,19 @@ export default function DeviceSecuritySettings() {
     const newEnrollment = isEnrollmentMode(settings.enrollment_mode) ? settings.enrollment_mode : "manual";
     const newCAType = isCAType(settings.ca_type) ? settings.ca_type : "builtin";
     const newCertValidity = settings.cert_validity_days > 0 ? settings.cert_validity_days : 365;
+    const newRequireInventoryCheck = settings.require_inventory_check ?? false;
     setMode(newMode);
     setEnrollmentMode(newEnrollment);
     setCaType(newCAType);
     setCertValidityDays(newCertValidity);
-    updateRef([newMode, newEnrollment, newCAType, newCertValidity, localCAConfig]);
+    setRequireInventoryCheck(newRequireInventoryCheck);
+    updateRef([newMode, newEnrollment, newCAType, newCertValidity, newRequireInventoryCheck, localCAConfig]);
   }, [settings]); // eslint-disable-line react-hooks/exhaustive-deps
 
   useEffect(() => {
     if (!caConfig) return;
     setLocalCAConfig(caConfig);
-    updateRef([mode, enrollmentMode, caType, certValidityDays, caConfig]);
+    updateRef([mode, enrollmentMode, caType, certValidityDays, requireInventoryCheck, caConfig]);
   }, [caConfig]); // eslint-disable-line react-hooks/exhaustive-deps
 
   const activeCertCount = devices?.filter((d) => !d.revoked).length ?? 0;
@@ -139,6 +144,7 @@ export default function DeviceSecuritySettings() {
       enrollment_mode: enrollmentMode,
       ca_type: caType,
       cert_validity_days: certValidityDays,
+      require_inventory_check: requireInventoryCheck,
     });
     notify({
       title: "Device Security Settings",
@@ -167,12 +173,13 @@ export default function DeviceSecuritySettings() {
       }
     }
 
-    updateRef([mode, enrollmentMode, caType, certValidityDays, localCAConfig]);
+    updateRef([mode, enrollmentMode, caType, certValidityDays, requireInventoryCheck, localCAConfig]);
   }, [
     mode,
     enrollmentMode,
     caType,
     certValidityDays,
+    requireInventoryCheck,
     localCAConfig,
     settings,
     updateSettings,
@@ -352,6 +359,29 @@ export default function DeviceSecuritySettings() {
             </Callout>
           )}
 
+          {/* Inventory check for manual enrollment */}
+          {(enrollmentMode === "manual" || enrollmentMode === "both") && (
+            <FancyToggleSwitch
+              value={requireInventoryCheck}
+              onChange={setRequireInventoryCheck}
+              label="Require inventory check before enrollment"
+              helpText={
+                <>
+                  When enabled, a device serial number must be found in your{" "}
+                  <Link
+                    href="/device-security/inventory"
+                    className="font-medium underline"
+                    onClick={(e) => e.stopPropagation()}
+                  >
+                    configured inventory
+                  </Link>{" "}
+                  before its enrollment request is accepted. Devices not in the inventory are silently rejected and never appear in the approval queue.
+                </>
+              }
+              data-cy={"require-inventory-check"}
+            />
+          )}
+
           {/* Certificate Authority */}
           <SettingRow
             label="Certificate Authority"
diff --git a/src/modules/users/UserInvitesTable.tsx b/src/modules/users/UserInvitesTable.tsx
index e898573f..857856eb 100644
--- a/src/modules/users/UserInvitesTable.tsx
+++ b/src/modules/users/UserInvitesTable.tsx
@@ -26,6 +26,7 @@ import {
   Link2,
   MailPlus,
   NetworkIcon,
+  ShieldCheckIcon,
   Trash2,
   User2,
 } from "lucide-react";
@@ -115,6 +116,12 @@ function InviteRoleCell({ invite }: { invite: UserInvite }) {
             Network Admin
           </>
         )}
+        {role === Role.CertApprover && (
+          <>
+            <ShieldCheckIcon size={14} />
+            Cert Approver
+          </>
+        )}
       </Badge>
     </div>
   );
diff --git a/src/modules/users/UserRoleSelector.tsx b/src/modules/users/UserRoleSelector.tsx
index 401d1883..180992e3 100644
--- a/src/modules/users/UserRoleSelector.tsx
+++ b/src/modules/users/UserRoleSelector.tsx
@@ -11,6 +11,7 @@ import {
   CreditCard,
   EyeIcon,
   NetworkIcon,
+  ShieldCheckIcon,
   User2,
 } from "lucide-react";
 import * as React from "react";
@@ -64,6 +65,11 @@ export const UserRoles = [
     value: Role.User,
     icon: User2,
   },
+  {
+    name: "Cert Approver",
+    value: Role.CertApprover,
+    icon: ShieldCheckIcon,
+  },
 ];
 
 export function UserRoleSelector({
diff --git a/src/modules/users/table-cells/UserRoleCell.tsx b/src/modules/users/table-cells/UserRoleCell.tsx
index 08fb7d8e..76a7ccf9 100644
--- a/src/modules/users/table-cells/UserRoleCell.tsx
+++ b/src/modules/users/table-cells/UserRoleCell.tsx
@@ -1,6 +1,6 @@
 import Badge from "@components/Badge";
 import { cn } from "@utils/helpers";
-import { Cog, CreditCardIcon, EyeIcon, NetworkIcon, User2 } from "lucide-react";
+import { Cog, CreditCardIcon, EyeIcon, NetworkIcon, ShieldCheckIcon, User2 } from "lucide-react";
 import React from "react";
 import NetBirdIcon from "@/assets/icons/NetBirdIcon";
 import { Role, User } from "@/interfaces/User";
@@ -51,6 +51,12 @@ export default function UserRoleCell({ user }: Readonly<Props>) {
             Network Admin
           </>
         )}
+        {role === Role.CertApprover && (
+          <>
+            <ShieldCheckIcon size={14} />
+            Cert Approver
+          </>
+        )}
       </Badge>
     </div>
   );

From daed6543af2a6ebf4b21f262b89ad52ac55b3313 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Sun, 12 Apr 2026 20:32:55 +0300
Subject: [PATCH 30/37] chore: update package-lock.json

---
 package-lock.json | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 00a5a540..1e03991b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -168,7 +168,6 @@
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -3031,7 +3030,6 @@
       "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.10.tgz",
       "integrity": "sha512-WPigyYuGhgZ/cTPRXB2EwUw+XvsRA3GqHlsP4qteqrnnjDrApbS7MxcGr/hke5iUoeB7E/gQtrs9I37zAJ0Vjw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "csstype": "^3.2.2"
       }
@@ -3041,7 +3039,6 @@
       "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-19.2.3.tgz",
       "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "@types/react": "^19.2.0"
       }
@@ -3100,7 +3097,6 @@
       "integrity": "sha512-BtE0k6cjwjLZoZixN0t5AKP0kSzlGu7FctRXYuPAm//aaiZhmfq1JwdYpYr1brzEspYyFeF+8XF5j2VK6oalrA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.54.0",
         "@typescript-eslint/types": "8.54.0",
@@ -3581,8 +3577,7 @@
       "version": "5.5.0",
       "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
       "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/@xyflow/react": {
       "version": "12.10.0",
@@ -3621,7 +3616,6 @@
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -4044,7 +4038,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.9.0",
         "caniuse-lite": "^1.0.30001759",
@@ -4667,7 +4660,6 @@
       "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
       "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
       "license": "ISC",
-      "peer": true,
       "engines": {
         "node": ">=12"
       }
@@ -5196,7 +5188,6 @@
       "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz",
       "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -5394,7 +5385,6 @@
       "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@rtsao/scc": "^1.1.0",
         "array-includes": "^3.1.9",
@@ -6688,7 +6678,6 @@
       "resolved": "https://registry.npmjs.org/jiti/-/jiti-1.21.7.tgz",
       "integrity": "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "jiti": "bin/jiti.js"
       }
@@ -7446,7 +7435,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -7654,7 +7642,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
       "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -7695,7 +7682,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
       "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "scheduler": "^0.27.0"
       },
@@ -8590,7 +8576,6 @@
       "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.19.tgz",
       "integrity": "sha512-3ofp+LL8E+pK/JuPLPggVAIaEuhvIz4qNcf3nA1Xn2o/7fb7s/TYpHhwGDv1ZU3PkBluUVaF8PyCHcm48cKLWQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@alloc/quick-lru": "^5.2.0",
         "arg": "^5.0.2",
@@ -8757,7 +8742,6 @@
       "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
       "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -8923,7 +8907,6 @@
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -9251,7 +9234,6 @@
       "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }

From 99b82b254ccaaa81c88080848a04071f581786e5 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 12:26:28 +0300
Subject: [PATCH 31/37] feat: add Beta badge to Device Security nav item

---
 src/layouts/Navigation.tsx | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/layouts/Navigation.tsx b/src/layouts/Navigation.tsx
index 058710cd..878bf6ac 100644
--- a/src/layouts/Navigation.tsx
+++ b/src/layouts/Navigation.tsx
@@ -196,7 +196,17 @@ export default function Navigation({
                 </SidebarItem>
                 <SidebarItem
                   icon={<DeviceSecurityIcon size={16} />}
-                  label="Device Security"
+                  label={
+                    <div className={"flex items-center gap-2"}>
+                      Device Security
+                      <SmallBadge
+                        text={"Beta"}
+                        variant={"sky"}
+                        className={"text-[8px] leading-none py-[3px] px-[5px]"}
+                        textClassName={"top-0"}
+                      />
+                    </div>
+                  }
                   collapsible
                   visible={!isRestricted}
                 >

From 4b61a0831f9937ff37a81f819bfe224219760ab8 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 12:28:14 +0300
Subject: [PATCH 32/37] fix: sync caType into localCAConfig so Test Connection
 sends correct ca_type

---
 src/modules/device-security/DeviceSecuritySettings.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index ea8426fc..04fe6b8e 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -390,7 +390,10 @@ export default function DeviceSecuritySettings() {
             <Select
               value={caType}
               onValueChange={(v) => {
-                if (isCAType(v)) setCaType(v);
+                if (isCAType(v)) {
+                  setCaType(v);
+                  setLocalCAConfig((prev) => ({ ...prev, ca_type: v }));
+                }
               }}
             >
               <SelectTrigger>

From 578c243ff44b3876ee3d688e6fd5c3f045b64bee Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 12:30:09 +0300
Subject: [PATCH 33/37] feat: show peer name as link in enrollments table

---
 .../device-security/EnrollmentsTable.tsx      | 46 +++++++++++++++----
 1 file changed, 38 insertions(+), 8 deletions(-)

diff --git a/src/modules/device-security/EnrollmentsTable.tsx b/src/modules/device-security/EnrollmentsTable.tsx
index 9c63a944..26eb7cb4 100644
--- a/src/modules/device-security/EnrollmentsTable.tsx
+++ b/src/modules/device-security/EnrollmentsTable.tsx
@@ -16,6 +16,9 @@ import { useSWRConfig } from "swr";
 import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
 import { useLocalStorage } from "@/hooks/useLocalStorage";
 import type { DeviceEnrollment } from "@/interfaces/DeviceSecurity";
+import type { Peer } from "@/interfaces/Peer";
+import useFetchApi from "@utils/api";
+import Link from "next/link";
 
 const STATUS_BADGE_VARIANT = {
   pending: "yellow",
@@ -86,6 +89,7 @@ function ActionsCell({
 function buildColumns(
   onApprove: (id: string) => void,
   onReject: (id: string) => void,
+  peerMap: Map<string, Peer>,
 ): ColumnDef<DeviceEnrollment>[] {
   return [
     {
@@ -101,14 +105,33 @@ function buildColumns(
     {
       accessorKey: "peer_id",
       header: ({ column }) => (
-        <DataTableHeader column={column}>Peer ID</DataTableHeader>
+        <DataTableHeader column={column}>Peer</DataTableHeader>
       ),
       sortingFn: "text",
-      cell: ({ row }) => (
-        <span title={row.original.peer_id}>
-          {truncate(row.original.peer_id)}
-        </span>
-      ),
+      cell: ({ row }) => {
+        const peer = peerMap.get(row.original.peer_id);
+        if (peer) {
+          return (
+            <Link
+              href={`/peer?id=${peer.id}`}
+              className="group flex flex-col"
+              onClick={(e) => e.stopPropagation()}
+            >
+              <span className="font-medium text-nb-gray-100 group-hover:text-netbird transition-colors">
+                {peer.name}
+              </span>
+              <span className="text-xs text-nb-gray-500" title={row.original.peer_id}>
+                {truncate(row.original.peer_id)}
+              </span>
+            </Link>
+          );
+        }
+        return (
+          <span className="text-nb-gray-400" title={row.original.peer_id}>
+            {truncate(row.original.peer_id)}
+          </span>
+        );
+      },
     },
     {
       accessorKey: "wg_public_key",
@@ -188,6 +211,13 @@ export default function EnrollmentsTable() {
     [{ id: "created_at", desc: true }],
   );
 
+  const { data: peers } = useFetchApi<Peer[]>("/peers");
+
+  const peerMap = React.useMemo(() => {
+    if (!peers) return new Map<string, Peer>();
+    return new Map(peers.map((p) => [p.id ?? "", p]));
+  }, [peers]);
+
   const handleApprove = useCallback(
     async (id: string) => {
       try {
@@ -217,8 +247,8 @@ export default function EnrollmentsTable() {
   );
 
   const columns = React.useMemo(
-    () => buildColumns(handleApprove, handleReject),
-    [handleApprove, handleReject],
+    () => buildColumns(handleApprove, handleReject, peerMap),
+    [handleApprove, handleReject, peerMap],
   );
 
   if (!enrollmentsLoading && (!enrollments || enrollments.length === 0)) {

From 193ce1aca15216fab2e7976b567f12ae986913b7 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 12:31:56 +0300
Subject: [PATCH 34/37] feat: show peer name as link in device certificates
 table

---
 src/modules/device-security/DevicesTable.tsx | 45 +++++++++++++++++++-
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/src/modules/device-security/DevicesTable.tsx b/src/modules/device-security/DevicesTable.tsx
index b5aa57d2..58dcac53 100644
--- a/src/modules/device-security/DevicesTable.tsx
+++ b/src/modules/device-security/DevicesTable.tsx
@@ -16,6 +16,9 @@ import { notify } from "@components/Notification";
 import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
 import { useLocalStorage } from "@/hooks/useLocalStorage";
 import type { DeviceCert } from "@/interfaces/DeviceSecurity";
+import type { Peer } from "@/interfaces/Peer";
+import useFetchApi from "@utils/api";
+import Link from "next/link";
 import RevokeDeviceModal from "./RevokeDeviceModal";
 
 function truncate(value: string, length = 16): string {
@@ -85,8 +88,39 @@ function ActionsCell({ cert, onRenew }: Readonly<ActionsCellProps>) {
 
 function buildColumns(
   onRenew: (id: string) => void,
+  peerMap: Map<string, Peer>,
 ): ColumnDef<DeviceCert>[] {
   return [
+    {
+      id: "peer",
+      header: ({ column }) => (
+        <DataTableHeader column={column}>Peer</DataTableHeader>
+      ),
+      cell: ({ row }) => {
+        const peer = peerMap.get(row.original.peer_id);
+        if (peer) {
+          return (
+            <Link
+              href={`/peer?id=${peer.id}`}
+              className="group flex flex-col"
+              onClick={(e) => e.stopPropagation()}
+            >
+              <span className="font-medium text-nb-gray-100 group-hover:text-netbird transition-colors">
+                {peer.name}
+              </span>
+              <span className="text-xs text-nb-gray-500">
+                {peer.ip}
+              </span>
+            </Link>
+          );
+        }
+        return (
+          <span className="text-nb-gray-400 text-sm" title={row.original.peer_id}>
+            {truncate(row.original.peer_id)}
+          </span>
+        );
+      },
+    },
     {
       accessorKey: "wg_public_key",
       header: ({ column }) => (
@@ -153,6 +187,13 @@ function buildColumns(
 
 export default function DevicesTable() {
   const { devices, devicesLoading, renewDevice } = useDeviceSecurity();
+  const { data: peers } = useFetchApi<Peer[]>("/peers");
+
+  const peerMap = React.useMemo(() => {
+    if (!peers) return new Map<string, Peer>();
+    return new Map(peers.map((p) => [p.id ?? "", p]));
+  }, [peers]);
+
   const { mutate } = useSWRConfig();
   const path = usePathname();
 
@@ -174,8 +215,8 @@ export default function DevicesTable() {
   );
 
   const columns = React.useMemo(
-    () => buildColumns(handleRenew),
-    [handleRenew],
+    () => buildColumns(handleRenew, peerMap),
+    [handleRenew, peerMap],
   );
 
   const emptyState = (

From c95455deb942c2f2dbc982c503970d71c3c27342 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 12:39:13 +0300
Subject: [PATCH 35/37] feat: add serial numbers CRUD in inventory static
 allow-list

---
 src/interfaces/DeviceSecurity.ts              |  4 +-
 src/modules/device-security/InventoryPage.tsx | 53 ++++++++++++-------
 2 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index 9c7cf014..2766173f 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -97,8 +97,8 @@ export interface CATestResult {
 
 export interface StaticInventoryConfig {
   enabled: boolean;
-  peers: string[];        // WireGuard public keys
-  serial_count: number;   // read-only in GET; serials are managed by upload
+  peers: string[];     // WireGuard public keys
+  serials: string[];   // hardware serial numbers (string format, e.g. "C02XL1YLJHD5")
 }
 
 export interface IntuneInventoryConfig {
diff --git a/src/modules/device-security/InventoryPage.tsx b/src/modules/device-security/InventoryPage.tsx
index c3dc12ca..8226157e 100644
--- a/src/modules/device-security/InventoryPage.tsx
+++ b/src/modules/device-security/InventoryPage.tsx
@@ -37,7 +37,7 @@ import { PasswordField } from "./PasswordField";
 const DEFAULT_STATIC: StaticInventoryConfig = {
   enabled: false,
   peers: [],
-  serial_count: 0,
+  serials: [],
 };
 
 const DEFAULT_INTUNE: IntuneInventoryConfig = {
@@ -141,26 +141,43 @@ function StaticForm({ config, onChange }: StaticFormProps) {
 
       {activeTab === "serials" && (
         <div className="flex flex-col gap-2">
-          <Callout variant="warning">
-            Serial numbers are less secure than WireGuard keys. Use only if your
-            MDM enforces serial uniqueness.
-          </Callout>
           <HelpText>
-            TPM EK serial numbers (decimal format) allowed to enroll automatically.
-            One serial per line. For large fleets, consider using an MDM integration instead.
+            Hardware serial numbers of devices allowed to enroll automatically.
+            Use the serial number reported by the OS — on macOS:{" "}
+            <code className="bg-nb-gray-900 px-1 rounded text-xs">
+              system_profiler SPHardwareDataType | grep Serial
+            </code>
+            , on Windows:{" "}
+            <code className="bg-nb-gray-900 px-1 rounded text-xs">
+              wmic bios get SerialNumber
+            </code>
+            . One serial per line.
           </HelpText>
-          <div className="flex items-center justify-between">
-            <Label>Serial Numbers</Label>
-            {config.serial_count > 0 && (
-              <span className="text-xs text-nb-gray-400">
-                {config.serial_count} stored
-              </span>
+          <textarea
+            rows={8}
+            value={config.serials.join("\n")}
+            onChange={(e) => {
+              const newSerials = e.target.value
+                .split(/[\n,]+/)
+                .map((s) => s.trim())
+                .filter(Boolean);
+              onChange({ ...config, serials: newSerials });
+            }}
+            placeholder={"Paste one serial number per line\nC02XL1YLJHD5\nPF2RJKAM\nR90VM1XXPK"}
+            spellCheck={false}
+            className={cn(
+              "w-full rounded-md border border-nb-gray-900 bg-nb-gray-950",
+              "px-3 py-2 text-sm font-mono text-nb-gray-100",
+              "placeholder:text-nb-gray-600",
+              "focus:outline-none focus:ring-1 focus:ring-netbird focus:border-netbird",
+              "resize-y min-h-[150px]",
             )}
-          </div>
-          <p className="text-xs text-nb-gray-400">
-            Serial numbers are write-only. Existing entries are preserved unless you upload a new list.
-            Contact support or use the API to manage large serial lists.
-          </p>
+          />
+          <HelpText>
+            {config.serials.length > 0
+              ? `${config.serials.length} serial${config.serials.length !== 1 ? "s" : ""} in list`
+              : "No serials configured"}
+          </HelpText>
         </div>
       )}
     </div>

From b00c705cb5c95b8934361653f9092afe8867a102 Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 12:40:14 +0300
Subject: [PATCH 36/37] feat: expandable certificate PEM viewer in trusted CAs
 table

---
 src/interfaces/DeviceSecurity.ts              |  1 +
 .../device-security/TrustedCAsTable.tsx       | 47 +++++++++++++++++--
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/src/interfaces/DeviceSecurity.ts b/src/interfaces/DeviceSecurity.ts
index 2766173f..743f5532 100644
--- a/src/interfaces/DeviceSecurity.ts
+++ b/src/interfaces/DeviceSecurity.ts
@@ -39,6 +39,7 @@ export interface TrustedCA {
   id: string;
   name: string;
   created_at: string;
+  pem?: string;
 }
 
 // CA config types — for /device-auth/ca/config endpoints
diff --git a/src/modules/device-security/TrustedCAsTable.tsx b/src/modules/device-security/TrustedCAsTable.tsx
index 9d206e05..bbaaff18 100644
--- a/src/modules/device-security/TrustedCAsTable.tsx
+++ b/src/modules/device-security/TrustedCAsTable.tsx
@@ -7,9 +7,9 @@ import { notify } from "@components/Notification";
 import NoResults from "@components/ui/NoResults";
 import { ColumnDef, SortingState } from "@tanstack/react-table";
 import dayjs from "dayjs";
-import { PlusCircle, ShieldCheckIcon, Trash2 } from "lucide-react";
+import { ChevronDown, ChevronUp, ClipboardCopyIcon, PlusCircle, ShieldCheckIcon, Trash2 } from "lucide-react";
 import { usePathname } from "next/navigation";
-import React, { useCallback, useMemo } from "react";
+import React, { useCallback, useMemo, useState } from "react";
 import { useDialog } from "@/contexts/DialogProvider";
 import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
 import { useLocalStorage } from "@/hooks/useLocalStorage";
@@ -40,6 +40,42 @@ function DeleteCell({ ca, onDelete }: Readonly<DeleteCellProps>) {
   );
 }
 
+function CertPEMViewer({ pem }: { pem: string }) {
+  const [expanded, setExpanded] = useState(false);
+
+  const handleCopy = () => {
+    navigator.clipboard.writeText(pem);
+  };
+
+  return (
+    <div className="flex flex-col">
+      <button
+        type="button"
+        onClick={() => setExpanded((v) => !v)}
+        className="flex items-center gap-1 text-xs text-nb-gray-400 hover:text-nb-gray-200 transition-colors w-fit"
+      >
+        {expanded ? <ChevronUp size={12} /> : <ChevronDown size={12} />}
+        {expanded ? "Hide certificate" : "View certificate"}
+      </button>
+      {expanded && (
+        <div className="relative mt-2">
+          <pre className="text-xs font-mono text-nb-gray-300 bg-nb-gray-950 border border-nb-gray-900 rounded-md p-3 overflow-x-auto whitespace-pre-wrap break-all max-h-48 overflow-y-auto">
+            {pem}
+          </pre>
+          <button
+            type="button"
+            onClick={handleCopy}
+            title="Copy PEM"
+            className="absolute top-2 right-2 text-nb-gray-400 hover:text-nb-gray-100 transition-colors"
+          >
+            <ClipboardCopyIcon size={14} />
+          </button>
+        </div>
+      )}
+    </div>
+  );
+}
+
 function buildColumns(
   onDelete: (id: string) => void,
 ): ColumnDef<TrustedCA>[] {
@@ -51,7 +87,12 @@ function buildColumns(
       ),
       sortingFn: "text",
       cell: ({ row }) => (
-        <span className="font-medium">{row.original.name}</span>
+        <div className="flex flex-col gap-1">
+          <span className="font-medium">{row.original.name}</span>
+          {row.original.pem && (
+            <CertPEMViewer pem={row.original.pem} />
+          )}
+        </div>
       ),
     },
     {

From 0cc8df8f00df571c70d9af50448456c4b586fbee Mon Sep 17 00:00:00 2001
From: beLIEai <beLIEai@example.local>
Date: Mon, 13 Apr 2026 14:38:09 +0300
Subject: [PATCH 37/37] security: confirmation dialogs for enrollment actions,
 strip inactive CA secrets

- Add buildCleanCAConfig() helper that strips sub-objects for inactive CA
  types before save/test, preventing credential leakage of unused providers
- Apply buildCleanCAConfig in handleSave and handleTestCA
- Add useDialog confirmation dialogs for Approve and Reject enrollment actions
- Pass explicit undefined for rejection reason with TODO for reason modal
---
 .../DeviceSecuritySettings.tsx                | 16 ++++++++--
 .../device-security/EnrollmentsTable.tsx      | 29 +++++++++++++++++--
 2 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/src/modules/device-security/DeviceSecuritySettings.tsx b/src/modules/device-security/DeviceSecuritySettings.tsx
index 04fe6b8e..0a154775 100644
--- a/src/modules/device-security/DeviceSecuritySettings.tsx
+++ b/src/modules/device-security/DeviceSecuritySettings.tsx
@@ -84,6 +84,18 @@ const CA_TYPE_LABELS: Record<CAType, string> = {
   scep: "SCEP",
 };
 
+/**
+ * Returns a copy of config that only includes the sub-object for the active
+ * caType. Strips credentials for inactive CA types before sending to the API.
+ */
+function buildCleanCAConfig(config: CAConfig, caType: CAType): CAConfig {
+  const clean: CAConfig = { ca_type: caType };
+  if (caType === "vault" && config.vault) clean.vault = config.vault;
+  else if (caType === "smallstep" && config.smallstep) clean.smallstep = config.smallstep;
+  else if (caType === "scep" && config.scep) clean.scep = config.scep;
+  return clean;
+}
+
 export default function DeviceSecuritySettings() {
   const {
     settings,
@@ -159,7 +171,7 @@ export default function DeviceSecuritySettings() {
     }
 
     if (caType !== "builtin") {
-      const caPromise = updateCAConfig(localCAConfig);
+      const caPromise = updateCAConfig(buildCleanCAConfig(localCAConfig, caType));
       notify({
         title: "CA Configuration",
         description: "CA configuration saved successfully.",
@@ -191,7 +203,7 @@ export default function DeviceSecuritySettings() {
     setTesting(true);
     setTestResult(null);
     try {
-      const result = await testCAConnection(localCAConfig);
+      const result = await testCAConnection(buildCleanCAConfig(localCAConfig, caType));
       setTestResult(result ?? {
         success: false,
         steps: [{
diff --git a/src/modules/device-security/EnrollmentsTable.tsx b/src/modules/device-security/EnrollmentsTable.tsx
index 26eb7cb4..3d8fde09 100644
--- a/src/modules/device-security/EnrollmentsTable.tsx
+++ b/src/modules/device-security/EnrollmentsTable.tsx
@@ -13,6 +13,7 @@ import { CheckCircleIcon, ShieldAlertIcon, XCircleIcon } from "lucide-react";
 import { usePathname } from "next/navigation";
 import React, { useCallback } from "react";
 import { useSWRConfig } from "swr";
+import { useDialog } from "@/contexts/DialogProvider";
 import { useDeviceSecurity } from "@/contexts/DeviceSecurityProvider";
 import { useLocalStorage } from "@/hooks/useLocalStorage";
 import type { DeviceEnrollment } from "@/interfaces/DeviceSecurity";
@@ -203,6 +204,7 @@ export default function EnrollmentsTable() {
     approveEnrollment,
     rejectEnrollment,
   } = useDeviceSecurity();
+  const { confirm } = useDialog();
   const { mutate } = useSWRConfig();
   const path = usePathname();
 
@@ -220,6 +222,16 @@ export default function EnrollmentsTable() {
 
   const handleApprove = useCallback(
     async (id: string) => {
+      const choice = await confirm({
+        title: "Approve enrollment?",
+        description: "This device will be issued a certificate and allowed to connect.",
+        confirmText: "Approve",
+        cancelText: "Cancel",
+        type: "default",
+      });
+
+      if (!choice) return;
+
       try {
         await approveEnrollment(id);
       } catch {
@@ -229,13 +241,24 @@ export default function EnrollmentsTable() {
         });
       }
     },
-    [approveEnrollment],
+    [approveEnrollment, confirm],
   );
 
   const handleReject = useCallback(
     async (id: string) => {
+      const choice = await confirm({
+        title: "Reject enrollment?",
+        description: "The device will be denied access. You can set a reason below.",
+        confirmText: "Reject",
+        cancelText: "Cancel",
+        type: "danger",
+      });
+
+      if (!choice) return;
+
+      // TODO: prompt for rejection reason via a dedicated modal
       try {
-        await rejectEnrollment(id);
+        await rejectEnrollment(id, undefined);
       } catch {
         notify({
           title: "Failed to reject enrollment",
@@ -243,7 +266,7 @@ export default function EnrollmentsTable() {
         });
       }
     },
-    [rejectEnrollment],
+    [rejectEnrollment, confirm],
   );
 
   const columns = React.useMemo(