diff --git a/.ci/image/Dockerfile b/.ci/image/Dockerfile index 817ffaaa..2336f1d9 100644 --- a/.ci/image/Dockerfile +++ b/.ci/image/Dockerfile @@ -13,12 +13,13 @@ RUN apt-get update && \ python3-pip \ python3-setuptools \ python3-venv \ - # libmsi and libgcab are libraries the wixl binary depends on. - libmsi-dev \ - libgcab-dev \ - # deb and rpm build tools - rubygem-fpm \ + # tool to create msi packages + wixl \ + # install ruby and rpm which are required to install fpm package builder rpm \ + ruby \ + ruby-dev \ + rubygems \ # create deb and rpm repository files reprepro \ createrepo-c \ @@ -26,9 +27,13 @@ RUN apt-get update && \ gcc-aarch64-linux-gnu \ libc6-dev-arm64-cross && \ rm -rf /var/lib/apt/lists/* && \ - # Install wixl - curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \ - chmod a+x /usr/local/bin/wixl && \ + # Install fpm gem + gem install fpm --no-document && \ + # Initialize rpm repository, SQL Lite DB + mkdir -p /var/lib/rpm && \ + rpm --initdb && \ + chmod -R 777 /var/lib/rpm && \ + # Create work directory mkdir -p opt WORKDIR /opt diff --git a/.ci/scripts/component-tests.sh b/.ci/scripts/component-tests.sh index 68abbf1d..1a54a02b 100755 --- a/.ci/scripts/component-tests.sh +++ b/.ci/scripts/component-tests.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -e -o pipefail +set -e -u -o pipefail # Fetch cloudflared from the artifacts folder mv ./artifacts/cloudflared ./cloudflared diff --git a/.ci/scripts/fmt-check.sh b/.ci/scripts/fmt-check.sh index 4c1cbad0..3776ec4f 100755 --- a/.ci/scripts/fmt-check.sh +++ b/.ci/scripts/fmt-check.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -e -o pipefail +set -e -u -o pipefail OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc)) diff --git a/.ci/scripts/github-push.sh b/.ci/scripts/github-push.sh index b9859e12..12312dd2 100755 --- a/.ci/scripts/github-push.sh 
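Review bot: `chmod -R 777 /var/lib/rpm` in the second Dockerfile hunk leaves the RPM database world-writable in the CI image. That database is typically also where `rpm --import` stores trusted signing keys, so any process in a build container could alter the keyring used to verify packages. Prefer handing the directory to the account that runs the packaging step, e.g. `chown -R <ci-user>:<ci-group> /var/lib/rpm && chmod -R u+rwX,go+rX /var/lib/rpm` (placeholder user and group, since the build user is not visible in this hunk). In the same RUN chain, `gem install fpm --no-document` installs whatever version is current when the image is built; pin it with `gem install fpm -v <FPM_VERSION> --no-document` so the packaging tool cannot change underneath a release.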
+++ b/.ci/scripts/github-push.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -e -o pipefail +set -e -u -o pipefail BRANCH="master" TMP_PATH="$PWD/tmp" diff --git a/.ci/scripts/linux/build-packages-fips.sh b/.ci/scripts/linux/build-packages-fips.sh index e1b6e791..4fec3bc5 100755 --- a/.ci/scripts/linux/build-packages-fips.sh +++ b/.ci/scripts/linux/build-packages-fips.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -e -u -o pipefail VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*") echo $VERSION diff --git a/.ci/scripts/linux/build-packages.sh b/.ci/scripts/linux/build-packages.sh index a6ca2037..842b030b 100755 --- a/.ci/scripts/linux/build-packages.sh +++ b/.ci/scripts/linux/build-packages.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -e -u -o pipefail # Check if architecture argument is provided if [ $# -eq 0 ]; then diff --git a/.ci/scripts/package-windows.sh b/.ci/scripts/package-windows.sh index d0020f03..98d7b032 100755 --- a/.ci/scripts/package-windows.sh +++ b/.ci/scripts/package-windows.sh @@ -1,4 +1,6 @@ #!/bin/bash +set -e -u -o pipefail + python3 -m venv env . env/bin/activate pip install pynacl==1.4.0 pygithub==1.55 diff --git a/.ci/scripts/release-target.sh b/.ci/scripts/release-target.sh index 8c998310..8eaeca73 100755 --- a/.ci/scripts/release-target.sh +++ b/.ci/scripts/release-target.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -e -o pipefail +set -e -u -o pipefail # Check if a make target is provided as an argument if [ $# -eq 0 ]; then @@ -14,5 +14,5 @@ python3 -m venv venv source venv/bin/activate # Our release scripts are written in python, so we should install their dependecies here. -pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9 +pip install pynacl==1.4.0 pygithub==1.55 boto3==1.42.30 python-gnupg==0.4.9 make $MAKE_TARGET diff --git a/.ci/scripts/vuln-check.sh b/.ci/scripts/vuln-check.sh index 4c4e1d0c..a4a82e0e 100755 --- a/.ci/scripts/vuln-check.sh +++ b/.ci/scripts/vuln-check.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -set -e +set -e -u # Define the file to store the list of vulnerabilities to ignore. IGNORE_FILE=".vulnignore" diff --git a/.gitignore b/.gitignore index 2af7a1ed..46e818f1 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ ssh_server_tests/.env /.cover built_artifacts/ component-tests/.venv +/artifacts diff --git a/RELEASE_NOTES b/RELEASE_NOTES index a891a998..a6e8807e 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -1,3 +1,16 @@ +2026.1.1 +- 2026-01-19 fix: Update boto3 to run on trixie +- 2026-01-19 fix: Fix wixl bundling tool for windows msi packages +- 2026-01-19 fix: rpm bundling and rpm key import + +2026.1.0 +- 2026-01-13 TUN-10162: Update go to 1.24.11 and Debian distroless to debian13 +- 2025-11-21 Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go +- 2025-11-19 TUN-9863: Update pipelines to use cloudflared EV Certificate +- 2025-11-07 TUN-9800: Migrate apt internal builds to Gitlab +- 2025-11-04 TUN-9998: Don't need to read origin cert to determine if the endpoint is fedramp +- 2025-10-13 TUN-9910: Make the metadata key to carry HTTP status over QUIC transport a constant + 2025.11.1 - 2025-11-07 TUN-9800: Fix docker hub push step diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go index 925333a4..4bd08dc2 100644 --- a/cmd/cloudflared/tunnel/cmd.go +++ b/cmd/cloudflared/tunnel/cmd.go 
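Review bot: vuln-check.sh gets `set -e -u`, while the other CI scripts touched in this commit get `set -e -u -o pipefail`. Without `pipefail`, a scanner that fails on the left side of a pipe is masked by the exit status of the last command, which for a vulnerability gate means a broken scan can look like a clean one. Unless something later in the script relies on a pipeline stage failing (the body continues outside the hunk), use `set -e -u -o pipefail` here too.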
@@ -427,15 +427,16 @@ func StartServer( return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log) } + if namedTunnel == nil { + return fmt.Errorf("namedTunnel is nil outside of DNS proxy stand-alone mode") + } + logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog) observer := connection.NewObserver(log, logTransport) // Send Quick Tunnel URL to UI if applicable - var quickTunnelURL string - if namedTunnel != nil { - quickTunnelURL = namedTunnel.QuickTunnelUrl - } + quickTunnelURL := namedTunnel.QuickTunnelUrl if quickTunnelURL != "" { observer.SendURL(quickTunnelURL) } @@ -459,14 +460,7 @@ func StartServer( } } - userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log) - var isFEDEndpoint bool - if err != nil { - isFEDEndpoint = false - } else { - isFEDEndpoint = userCreds.IsFEDEndpoint() - } - + isFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint var managementHostname string if isFEDEndpoint { managementHostname = credentials.FedRampHostname diff --git a/cmd/cloudflared/tunnel/credential_finder.go b/cmd/cloudflared/tunnel/credential_finder.go index c50ff457..1d7129a8 100644 --- a/cmd/cloudflared/tunnel/credential_finder.go +++ b/cmd/cloudflared/tunnel/credential_finder.go 
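Review bot: `isFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint` makes the choice of management hostname depend on an exact match against one field of the tunnel credentials. A value with the field absent, or spelled with different casing, therefore falls through to the non-FedRAMP hostname without any log line. Whether such credentials can exist is not visible in this hunk; if they can, state the fallback explicitly with a comment such as `// An empty or unrecognised Endpoint is treated as non-FedRAMP; only the tunnel credentials are consulted, not the origin cert.` and consider logging the selected management hostname at debug level. The dereference is only safe because of the `namedTunnel == nil` guard added in the previous hunk; StartServer's body starts and ends outside both hunks.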
@@ -63,12 +63,14 @@ func (s searchByID) Path() (string, error) { Str("originCertPath", originCertPath). Logger() - // Fallback to look for tunnel credentials in the origin cert directory - if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil { - originCertDir := filepath.Dir(originCertPath) - if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil { - if s.fs.validFilePath(filePath) { - return filePath, nil + if originCertPath != "" { + // Look for tunnel credentials in the origin cert directory if the flag is provided + if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil { + originCertDir := filepath.Dir(originCertPath) + if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil { + if s.fs.validFilePath(filePath) { + return filePath, nil + } } } }
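Review bot: Inside the new `if originCertPath != ""` guard, the initializer `if originCertPath, err := credentials.FindOriginCert(...)` shadows the variable the guard just tested. The errors from it and from `tunnelFilePath` are also dropped, so unless FindOriginCert logs the failure itself, a mistyped origin cert path falls through with no trace. Give the resolved path its own name, e.g. `certPath, err := credentials.FindOriginCert(originCertPath, &originCertLog)` followed by `originCertDir := filepath.Dir(certPath)`, and consider a debug line on `originCertLog` when the lookup fails. Path's body starts and ends outside the hunk, so what happens after the fall-through is not visible here.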