Filter DNS fallback upstreams matching our server IP to prevent loops

.github/pull_request_template.md

@@ -12,7 +12,6 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
-- [ ] This change does **not** modify the public API, gRPC protocols, functionality behavior, CLI / service flags, or introduce a new feature — **OR** I have discussed it with the NetBird team beforehand (link the issue / Slack thread in the description). See [CONTRIBUTING.md](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTING.md#discuss-changes-with-the-netbird-team-first).
 
 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).
 

CONTRIBUTING.md

@@ -15,7 +15,6 @@ If you haven't already, join our slack workspace [here](https://docs.netbird.io/
 - [Contributing to NetBird](#contributing-to-netbird)
     - [Contents](#contents)
     - [Code of conduct](#code-of-conduct)
-    - [Discuss changes with the NetBird team first](#discuss-changes-with-the-netbird-team-first)
     - [Directory structure](#directory-structure)
     - [Development setup](#development-setup)
         - [Requirements](#requirements)
@@ -34,14 +33,6 @@ Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report
 unacceptable behavior to community@netbird.io.
 
-## Discuss changes with the NetBird team first
-
-Changes to the **public API**, **gRPC protocols**, **functionality behavior**, **CLI / service flags**, or **new features** should be discussed with the NetBird team before you start the work. These surfaces are part of NetBird's contract with operators, self-hosters, and downstream integrators, and changes to them have compatibility, security, and release-planning implications that benefit from an early conversation.
-
-Open an issue or reach out on [Slack](https://docs.netbird.io/slack-url) to talk through what you have in mind. We'll help shape the change, flag any constraints we know about, and confirm the direction so the PR review can focus on implementation rather than design.
-
-Typical bug fixes, internal refactors, documentation updates, and tests do not need pre-discussion — open the PR directly.
-
 ## Directory structure
 
 The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.

README.md

@@ -1,134 +1,147 @@
 
 <div align="center">
-  <p align="center">
-    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
-  </p>
-  <p align="center">
-    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
-      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
-    </a>
-    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
-    </a>
+<br/>
+  <br/>
+<p align="center">
+  <img width="234" src="docs/media/logo-full.png"/>
+</p>
+  <p>
+   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
+       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
+     </a> 
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+    <br>
     <a href="https://docs.netbird.io/slack-url">
-      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
-    </a>
+        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+     </a>
     <a href="https://forum.netbird.io">
-      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
-    </a>
+        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
+     </a>  
+     <br>
     <a href="https://gurubase.io/g/netbird">
-      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
-    </a>
+        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
+     </a>    
   </p>
 </div>
 
+
 <p align="center">
-  <strong>
-    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
-    <br/>
-    See <a href="https://netbird.io/docs/">Documentation</a>
-    <br/>
-    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  </strong>
+<strong>
+  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
   <br/>
+  See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-  <strong>
-    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-  </strong>
+   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  <br/>
+ 
+</strong>
+<br>
+<strong>
+  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+</strong>
+<br>
+<br>
+<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
+    New: NetBird terraform provider
+  </a> 
 </p>
 
+<br>
+
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
 
 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
 
 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
 
+### Open Source Network Security in a Single Platform
+
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
-### Self-host NetBird (video)
-
+### Self-Host NetBird (Video)
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
 
 ### Key features
 
-| Connectivity | Management | Security | Automation | Platforms |
-|---|---|---|---|---|
-| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
-| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
-| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
-| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
-| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
-| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
-| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
-| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
-| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
-| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
-| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
-| | | | | ✓ OpenWRT |
-| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
-| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
-| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
-| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
-| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
-| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |
+| Connectivity | Management | Security | Automation| Platforms |
+|----|----|----|----|----|
+| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
+| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
+| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
+| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
+| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
+||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
+||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
+||||| <ul><li>- \[x] Docker</ui></li> |
 
 ### Quickstart with NetBird Cloud
 
-- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
-- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
-- Check the NetBird [admin UI](https://app.netbird.io/).
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
+- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
+- Check NetBird [admin UI](https://app.netbird.io/).
+- Add more machines.
 
 ### Quickstart with self-hosted NetBird
 
-This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.
+> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
+Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
 
 **Infrastructure requirements:**
-- A Linux VM with at least **1 CPU** and **2 GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
-- A **public domain** name pointing to the VM.
+- A Linux VM with at least **1CPU** and **2GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
+- **Public domain** name pointing to the VM.
 
 **Software requirements:**
-- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- [jq](https://jqlang.github.io/jq/) installed. In most distributions
+  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
+- [curl](https://curl.se/) installed.
+  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
 
 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
+- Once finished, you can manage the resources via `docker-compose`
 
 ### A bit on NetBird internals
-- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
-- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
-- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
-- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
-- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
-- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.
+-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
+-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 
 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
 </p>
 
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
 
 ### Community projects
-- [NetBird installer script](https://github.com/physk/netbird-installer)
-- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
-- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks
+-  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
+-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
 
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
 
 ### Support acknowledgement
 
-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
 
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)
 
-### Acknowledgements
-We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
 
 ### Legal
-This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

client/firewall/nftables/external_chain_monitor_linux.go

@@ -52,10 +52,9 @@ func (m *externalChainMonitor) start() {
 
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	done := make(chan struct{})
-	m.done = done
+	m.done = make(chan struct{})
 
-	go m.run(ctx, done)
+	go m.run(ctx)
 }
 
 func (m *externalChainMonitor) stop() {
@@ -73,8 +72,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }
 
-func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
-	defer close(done)
+func (m *externalChainMonitor) run(ctx context.Context) {
+	defer close(m.done)
 
 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,

client/installer.nsis

@@ -260,15 +260,23 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
 
 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 
-; Create autostart registry entry based on checkbox
+; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
+; or HKCU by legacy installers.
+DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
+DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
+
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
     WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
     DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
-    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
 
@@ -299,11 +307,16 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
-; Remove autostart registry entry
+; Remove autostart entries from every view a previous installer may have used.
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
 
 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."

client/internal/dns/server.go

@@ -772,13 +772,24 @@ func (s *DefaultServer) applyHostConfig() {
 // context is released rather than leaked until GC.
 func (s *DefaultServer) registerFallback() {
 	originalNameservers := s.hostManager.getOriginalNameservers()
-	if len(originalNameservers) == 0 {
+
+	serverIP := s.service.RuntimeIP()
+	var servers []netip.AddrPort
+	for _, ns := range originalNameservers {
+		if ns == serverIP {
+			log.Debugf("skipping original nameserver %s as it is the same as the server IP %s", ns, serverIP)
+			continue
+		}
+		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
+	}
+
+	if len(servers) == 0 {
 		log.Debugf("no fallback upstreams to register; clearing PriorityFallback handler")
 		s.clearFallback()
 		return
 	}
 
-	log.Infof("registering original nameservers %v as upstream handlers with priority %d", originalNameservers, PriorityFallback)
+	log.Infof("registering original nameservers %v as upstream handlers with priority %d", servers, PriorityFallback)
 
 	handler, err := newUpstreamResolver(
 		s.ctx,
@@ -792,11 +803,6 @@ func (s *DefaultServer) registerFallback() {
 		return
 	}
 	handler.selectedRoutes = s.selectedRoutes
-
-	var servers []netip.AddrPort
-	for _, ns := range originalNameservers {
-		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
-	}
 	handler.addRace(servers)
 
 	prev := s.fallbackHandler

client/internal/sleep/detector_darwin.go

@@ -188,9 +188,7 @@ func (d *Detector) triggerCallback(event EventType, cb func(event EventType), do
 	}
 
 	doneChan := make(chan struct{})
-	// macOS forces sleep ~30s after kIOMessageSystemWillSleep, so block long
-	// enough for teardown to finish while staying under that deadline.
-	timeout := time.NewTimer(20 * time.Second)
+	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
 	go func() {

client/netbird.wxs

@@ -64,6 +64,13 @@
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
 				</RegistryKey>
 			</Component>
+			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
+			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
+				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
+					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
+				<RemoveRegistryValue Root="HKCU"
+					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			</Component>
 		</StandardDirectory>
 
 		<StandardDirectory Id="CommonAppDataFolder">
@@ -76,10 +83,28 @@
 			</Directory>
 		</StandardDirectory>
 
+		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
+		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
+		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
+			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
+			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
+				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
+			<RemoveRegistryValue Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
+		</Component>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
+			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
+			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

management/internals/modules/peers/ephemeral/manager/ephemeral.go

@@ -11,7 +11,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 
 	"github.com/netbirdio/netbird/management/server/store"
 )
@@ -48,11 +47,6 @@ type EphemeralManager struct {
 
 	lifeTime      time.Duration
 	cleanupWindow time.Duration
-
-	// metrics is nil-safe; methods on telemetry.EphemeralPeersMetrics
-	// no-op when the receiver is nil so deployments without an app
-	// metrics provider work unchanged.
-	metrics *telemetry.EphemeralPeersMetrics
 }
 
 // NewEphemeralManager instantiate new EphemeralManager
@@ -66,15 +60,6 @@ func NewEphemeralManager(store store.Store, peersManager peers.Manager) *Ephemer
 	}
 }
 
-// SetMetrics attaches a metrics collector. Safe to call once before
-// LoadInitialPeers; later attachment is fine but earlier loads won't be
-// reflected in the gauge. Pass nil to detach.
-func (e *EphemeralManager) SetMetrics(m *telemetry.EphemeralPeersMetrics) {
-	e.peersLock.Lock()
-	e.metrics = m
-	e.peersLock.Unlock()
-}
-
 // LoadInitialPeers load from the database the ephemeral type of peers and schedule a cleanup procedure to the head
 // of the linked list (to the most deprecated peer). At the end of cleanup it schedules the next cleanup to the new
 // head.
@@ -112,9 +97,7 @@ func (e *EphemeralManager) OnPeerConnected(ctx context.Context, peer *nbpeer.Pee
 	e.peersLock.Lock()
 	defer e.peersLock.Unlock()
 
-	if e.removePeer(peer.ID) {
-		e.metrics.DecPending(1)
-	}
+	e.removePeer(peer.ID)
 
 	// stop the unnecessary timer
 	if e.headPeer == nil && e.timer != nil {
@@ -140,7 +123,6 @@ func (e *EphemeralManager) OnPeerDisconnected(ctx context.Context, peer *nbpeer.
 	}
 
 	e.addPeer(peer.AccountID, peer.ID, e.newDeadLine())
-	e.metrics.IncPending()
 	if e.timer == nil {
 		delay := e.headPeer.deadline.Sub(timeNow()) + e.cleanupWindow
 		if delay < 0 {
@@ -163,7 +145,6 @@ func (e *EphemeralManager) loadEphemeralPeers(ctx context.Context) {
 	for _, p := range peers {
 		e.addPeer(p.AccountID, p.ID, t)
 	}
-	e.metrics.AddPending(int64(len(peers)))
 
 	log.WithContext(ctx).Debugf("loaded ephemeral peer(s): %d", len(peers))
 }
@@ -200,15 +181,6 @@ func (e *EphemeralManager) cleanup(ctx context.Context) {
 
 	e.peersLock.Unlock()
 
-	// Drop the gauge by the number of entries we just took off the list,
-	// regardless of whether the subsequent DeletePeers call succeeds. The
-	// list invariant is what the gauge tracks; failed delete batches are
-	// counted separately via CountCleanupError so we can still see them.
-	if len(deletePeers) > 0 {
-		e.metrics.CountCleanupRun()
-		e.metrics.DecPending(int64(len(deletePeers)))
-	}
-
 	peerIDsPerAccount := make(map[string][]string)
 	for id, p := range deletePeers {
 		peerIDsPerAccount[p.accountID] = append(peerIDsPerAccount[p.accountID], id)
@@ -219,10 +191,7 @@ func (e *EphemeralManager) cleanup(ctx context.Context) {
 		err := e.peersManager.DeletePeers(ctx, accountID, peerIDs, activity.SystemInitiator, true)
 		if err != nil {
 			log.WithContext(ctx).Errorf("failed to delete ephemeral peers: %s", err)
-			e.metrics.CountCleanupError()
-			continue
 		}
-		e.metrics.CountPeersCleaned(int64(len(peerIDs)))
 	}
 }
 
@@ -242,12 +211,9 @@ func (e *EphemeralManager) addPeer(accountID string, peerID string, deadline tim
 	e.tailPeer = ep
 }
 
-// removePeer drops the entry from the linked list. Returns true if a
-// matching entry was found and removed so callers can keep the pending
-// metric gauge in sync.
-func (e *EphemeralManager) removePeer(id string) bool {
+func (e *EphemeralManager) removePeer(id string) {
 	if e.headPeer == nil {
-		return false
+		return
 	}
 
 	if e.headPeer.id == id {
@@ -255,7 +221,7 @@ func (e *EphemeralManager) removePeer(id string) bool {
 		if e.tailPeer.id == id {
 			e.tailPeer = nil
 		}
-		return true
+		return
 	}
 
 	for p := e.headPeer; p.next != nil; p = p.next {
@@ -265,10 +231,9 @@ func (e *EphemeralManager) removePeer(id string) bool {
 				e.tailPeer = p
 			}
 			p.next = p.next.next
-			return true
+			return
 		}
 	}
-	return false
 }
 
 func (e *EphemeralManager) isPeerOnList(id string) bool {

management/internals/modules/reverseproxy/proxy/manager/manager.go

@@ -17,7 +17,7 @@ type store interface {
 	UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error
 	GetActiveProxyClusterAddresses(ctx context.Context) ([]string, error)
 	GetActiveProxyClusterAddressesForAccount(ctx context.Context, accountID string) ([]string, error)
-	GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
+	GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
 	GetClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	GetClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	GetClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool

management/internals/modules/reverseproxy/proxy/manager/manager_test.go

@@ -57,7 +57,7 @@ func (m *mockStore) GetActiveProxyClusterAddressesForAccount(ctx context.Context
 	}
 	return nil, nil
 }
-func (m *mockStore) GetProxyClusters(_ context.Context, _ string) ([]proxy.Cluster, error) {
+func (m *mockStore) GetActiveProxyClusters(_ context.Context, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 func (m *mockStore) CleanupStaleProxies(ctx context.Context, d time.Duration) error {

management/internals/modules/reverseproxy/proxy/proxy.go

@@ -42,35 +42,10 @@ func (Proxy) TableName() string {
 	return "proxies"
 }
 
-// ClusterType is the source of a proxy cluster.
-type ClusterType string
-
-const (
-	// ClusterTypeAccount is a cluster operated by the account itself (BYOP) —
-	// at least one proxy row in the cluster carries a non-NULL account_id.
-	ClusterTypeAccount ClusterType = "account"
-	// ClusterTypeShared is a cluster operated by NetBird and shared across
-	// accounts — all proxy rows in the cluster have account_id IS NULL.
-	ClusterTypeShared ClusterType = "shared"
-)
-
 // Cluster represents a group of proxy nodes serving the same address.
-//
-// Online and ConnectedProxies derive from the same 2-min active window
-// the rest of the module uses, but Cluster rows are not gated on it —
-// the cluster listing surfaces offline clusters too so operators can
-// see and clean them up. The 1-hour heartbeat reaper still bounds the
-// table eventually.
 type Cluster struct {
 	ID               string
 	Address          string
-	Type             ClusterType
-	Online           bool
 	ConnectedProxies int
-	// Capability flags. *bool because nil means "no proxy reported a
-	// capability for this cluster" — the dashboard renders these as
-	// unknown rather than false.
-	SupportsCustomPorts *bool
-	RequireSubdomain    *bool
-	SupportsCrowdSec    *bool
+	SelfHosted       bool
 }

management/internals/modules/reverseproxy/service/interface.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Manager interface {
-	GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error)
+	GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error)
 	DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error
 	GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error)
 	GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error)

management/internals/modules/reverseproxy/service/interface_mock.go

@@ -65,20 +65,6 @@ func (mr *MockManagerMockRecorder) CreateServiceFromPeer(ctx, accountID, peerID,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateServiceFromPeer", reflect.TypeOf((*MockManager)(nil).CreateServiceFromPeer), ctx, accountID, peerID, req)
 }
 
-// DeleteAccountCluster mocks base method.
-func (m *MockManager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, accountID, userID, clusterAddress)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
-func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, accountID, userID, clusterAddress interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster), ctx, accountID, userID, clusterAddress)
-}
-
 // DeleteAllServices mocks base method.
 func (m *MockManager) DeleteAllServices(ctx context.Context, accountID, userID string) error {
 	m.ctrl.T.Helper()
@@ -93,6 +79,20 @@ func (mr *MockManagerMockRecorder) DeleteAllServices(ctx, accountID, userID inte
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAllServices", reflect.TypeOf((*MockManager)(nil).DeleteAllServices), ctx, accountID, userID)
 }
 
+// DeleteAccountCluster mocks base method.
+func (m *MockManager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, accountID, userID, clusterAddress)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
+func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, accountID, userID, clusterAddress interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster), ctx, accountID, userID, clusterAddress)
+}
+
 // DeleteService mocks base method.
 func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
 	m.ctrl.T.Helper()
@@ -122,6 +122,21 @@ func (mr *MockManagerMockRecorder) GetAccountServices(ctx, accountID interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAccountServices", reflect.TypeOf((*MockManager)(nil).GetAccountServices), ctx, accountID)
 }
 
+// GetActiveClusters mocks base method.
+func (m *MockManager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetActiveClusters", ctx, accountID, userID)
+	ret0, _ := ret[0].([]proxy.Cluster)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetActiveClusters indicates an expected call of GetActiveClusters.
+func (mr *MockManagerMockRecorder) GetActiveClusters(ctx, accountID, userID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveClusters", reflect.TypeOf((*MockManager)(nil).GetActiveClusters), ctx, accountID, userID)
+}
+
 // GetAllServices mocks base method.
 func (m *MockManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error) {
 	m.ctrl.T.Helper()
@@ -137,19 +152,19 @@ func (mr *MockManagerMockRecorder) GetAllServices(ctx, accountID, userID interfa
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllServices", reflect.TypeOf((*MockManager)(nil).GetAllServices), ctx, accountID, userID)
 }
 
-// GetClusters mocks base method.
-func (m *MockManager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+// GetServiceByDomain mocks base method.
+func (m *MockManager) GetServiceByDomain(ctx context.Context, domain string) (*Service, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetClusters", ctx, accountID, userID)
-	ret0, _ := ret[0].([]proxy.Cluster)
+	ret := m.ctrl.Call(m, "GetServiceByDomain", ctx, domain)
+	ret0, _ := ret[0].(*Service)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// GetClusters indicates an expected call of GetClusters.
-func (mr *MockManagerMockRecorder) GetClusters(ctx, accountID, userID interface{}) *gomock.Call {
+// GetServiceByDomain indicates an expected call of GetServiceByDomain.
+func (mr *MockManagerMockRecorder) GetServiceByDomain(ctx, domain interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClusters", reflect.TypeOf((*MockManager)(nil).GetClusters), ctx, accountID, userID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByDomain", reflect.TypeOf((*MockManager)(nil).GetServiceByDomain), ctx, domain)
 }
 
 // GetGlobalServices mocks base method.
@@ -182,21 +197,6 @@ func (mr *MockManagerMockRecorder) GetService(ctx, accountID, userID, serviceID
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetService", reflect.TypeOf((*MockManager)(nil).GetService), ctx, accountID, userID, serviceID)
 }
 
-// GetServiceByDomain mocks base method.
-func (m *MockManager) GetServiceByDomain(ctx context.Context, domain string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceByDomain", ctx, domain)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceByDomain indicates an expected call of GetServiceByDomain.
-func (mr *MockManagerMockRecorder) GetServiceByDomain(ctx, domain interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByDomain", reflect.TypeOf((*MockManager)(nil).GetServiceByDomain), ctx, domain)
-}
-
 // GetServiceByID mocks base method.
 func (m *MockManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error) {
 	m.ctrl.T.Helper()

management/internals/modules/reverseproxy/service/manager/api.go

@@ -187,7 +187,7 @@ func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	clusters, err := h.manager.GetClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
+	clusters, err := h.manager.GetActiveClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -196,14 +196,10 @@ func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
 	apiClusters := make([]api.ProxyCluster, 0, len(clusters))
 	for _, c := range clusters {
 		apiClusters = append(apiClusters, api.ProxyCluster{
-			Id:                  c.ID,
-			Address:             c.Address,
-			Type:                api.ProxyClusterType(c.Type),
-			Online:              c.Online,
-			ConnectedProxies:    c.ConnectedProxies,
-			SupportsCustomPorts: c.SupportsCustomPorts,
-			RequireSubdomain:    c.RequireSubdomain,
-			SupportsCrowdsec:    c.SupportsCrowdSec,
+			Id:               c.ID,
+			Address:          c.Address,
+			ConnectedProxies: c.ConnectedProxies,
+			SelfHosted:       c.SelfHosted,
 		})
 	}
 

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -81,7 +81,6 @@ type ClusterDeriver interface {
 type CapabilityProvider interface {
 	ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
-	ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
 }
 
 type Manager struct {
@@ -113,12 +112,8 @@ func (m *Manager) StartExposeReaper(ctx context.Context) {
 	m.exposeReaper.StartExposeReaper(ctx)
 }
 
-// GetClusters returns every proxy cluster visible to the account
-// (shared + its own BYOP), regardless of whether any proxy in the
-// cluster is currently heartbeating. Each cluster is enriched with the
-// capability flags reported by its active proxies so the dashboard can
-// render feature support without a second round-trip.
-func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+// GetActiveClusters returns all active proxy clusters with their connected proxy count.
+func (m *Manager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -127,18 +122,7 @@ func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	clusters, err := m.store.GetProxyClusters(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	for i := range clusters {
-		clusters[i].SupportsCustomPorts = m.capabilities.ClusterSupportsCustomPorts(ctx, clusters[i].Address)
-		clusters[i].RequireSubdomain = m.capabilities.ClusterRequireSubdomain(ctx, clusters[i].Address)
-		clusters[i].SupportsCrowdSec = m.capabilities.ClusterSupportsCrowdSec(ctx, clusters[i].Address)
-	}
-
-	return clusters, nil
+	return m.store.GetActiveProxyClusters(ctx, accountID)
 }
 
 // DeleteAccountCluster removes all proxy registrations for the given cluster address

management/internals/server/controllers.go

@@ -112,11 +112,7 @@ func (s *BaseServer) AuthManager() auth.Manager {
 
 func (s *BaseServer) EphemeralManager() ephemeral.Manager {
 	return Create(s, func() ephemeral.Manager {
-		em := manager.NewEphemeralManager(s.Store(), s.PeersManager())
-		if metrics := s.Metrics(); metrics != nil {
-			em.SetMetrics(metrics.EphemeralPeersMetrics())
-		}
-		return em
+		return manager.NewEphemeralManager(s.Store(), s.PeersManager())
 	})
 }
 

management/internals/shared/grpc/proxy.go

@@ -9,7 +9,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -137,12 +136,9 @@ type proxyConnection struct {
 	tokenID      string
 	capabilities *proto.ProxyCapabilities
 	stream       proto.ProxyService_GetMappingUpdateServer
-	// syncStream is set when the proxy connected via SyncMappings.
-	// When non-nil, the sender goroutine uses this instead of stream.
-	syncStream proto.ProxyService_SyncMappingsServer
-	sendChan   chan *proto.GetMappingUpdateResponse
-	ctx        context.Context
-	cancel     context.CancelFunc
+	sendChan     chan *proto.GetMappingUpdateResponse
+	ctx          context.Context
+	cancel       context.CancelFunc
 }
 
 func enforceAccountScope(ctx context.Context, requestAccountID string) error {
@@ -210,322 +206,145 @@ func (s *ProxyServiceServer) SetProxyController(proxyController proxy.Controller
 	s.proxyController = proxyController
 }
 
-// proxyConnectParams holds the validated parameters extracted from either
-// a GetMappingUpdateRequest or a SyncMappingsInit message.
-type proxyConnectParams struct {
-	proxyID      string
-	address      string
-	capabilities *proto.ProxyCapabilities
-}
-
 // GetMappingUpdate handles the control stream with proxy clients
 func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
-	params, err := s.validateProxyConnect(req.GetProxyId(), req.GetAddress(), stream.Context())
-	if err != nil {
-		return err
-	}
-	params.capabilities = req.GetCapabilities()
+	ctx := stream.Context()
 
-	conn, proxyRecord, err := s.registerProxyConnection(stream.Context(), params, &proxyConnection{
-		stream: stream,
-	})
-	if err != nil {
-		return err
-	}
-
-	if err := s.sendSnapshot(stream.Context(), conn); err != nil {
-		s.cleanupFailedSnapshot(stream.Context(), conn)
-		return fmt.Errorf("send snapshot to proxy %s: %w", params.proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-
-	return s.serveProxyConnection(conn, proxyRecord, errChan, false)
-}
-
-// SyncMappings implements the bidirectional SyncMappings RPC.
-// It mirrors GetMappingUpdate but provides application-level back-pressure:
-// management waits for an ack from the proxy before sending the next batch.
-func (s *ProxyServiceServer) SyncMappings(stream proto.ProxyService_SyncMappingsServer) error {
-	init, err := recvSyncInit(stream)
-	if err != nil {
-		return err
-	}
-
-	params, err := s.validateProxyConnect(init.GetProxyId(), init.GetAddress(), stream.Context())
-	if err != nil {
-		return err
-	}
-	params.capabilities = init.GetCapabilities()
-
-	conn, proxyRecord, err := s.registerProxyConnection(stream.Context(), params, &proxyConnection{
-		syncStream: stream,
-	})
-	if err != nil {
-		return err
-	}
-
-	if err := s.sendSnapshotSync(stream.Context(), conn, stream); err != nil {
-		s.cleanupFailedSnapshot(stream.Context(), conn)
-		return fmt.Errorf("send snapshot to proxy %s: %w", params.proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-	go s.drainRecv(stream, errChan)
-
-	return s.serveProxyConnection(conn, proxyRecord, errChan, true)
-}
-
-// recvSyncInit receives and validates the first message on a SyncMappings stream.
-func recvSyncInit(stream proto.ProxyService_SyncMappingsServer) (*proto.SyncMappingsInit, error) {
-	firstMsg, err := stream.Recv()
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "receive init: %v", err)
-	}
-	init := firstMsg.GetInit()
-	if init == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "first message must be init")
-	}
-	return init, nil
-}
-
-// validateProxyConnect validates the proxy ID and address, and checks cluster
-// address availability for account-scoped tokens.
-func (s *ProxyServiceServer) validateProxyConnect(proxyID, address string, ctx context.Context) (proxyConnectParams, error) {
-	if proxyID == "" {
-		return proxyConnectParams{}, status.Errorf(codes.InvalidArgument, "proxy_id is required")
-	}
-	if !isProxyAddressValid(address) {
-		return proxyConnectParams{}, status.Errorf(codes.InvalidArgument, "proxy address is invalid")
-	}
-
-	token := GetProxyTokenFromContext(ctx)
-	if token != nil && token.AccountID != nil {
-		available, err := s.proxyManager.IsClusterAddressAvailable(ctx, address, *token.AccountID)
-		if err != nil {
-			return proxyConnectParams{}, status.Errorf(codes.Internal, "check cluster address: %v", err)
-		}
-		if !available {
-			return proxyConnectParams{}, status.Errorf(codes.AlreadyExists, "cluster address %s is already in use", address)
-		}
-	}
-
-	return proxyConnectParams{proxyID: proxyID, address: address}, nil
-}
-
-// registerProxyConnection creates a proxyConnection, registers it with the
-// proxy manager and cluster, and stores it in connectedProxies. The caller
-// provides a partially initialised connSeed with stream-specific fields set;
-// the remaining fields are filled in here.
-func (s *ProxyServiceServer) registerProxyConnection(ctx context.Context, params proxyConnectParams, connSeed *proxyConnection) (*proxyConnection, *proxy.Proxy, error) {
 	peerInfo := PeerIPFromContext(ctx)
+	log.Infof("New proxy connection from %s", peerInfo)
+
+	proxyID := req.GetProxyId()
+	if proxyID == "" {
+		return status.Errorf(codes.InvalidArgument, "proxy_id is required")
+	}
+
+	proxyAddress := req.GetAddress()
+	if !isProxyAddressValid(proxyAddress) {
+		return status.Errorf(codes.InvalidArgument, "proxy address is invalid")
+	}
 
 	var accountID *string
-	var tokenID string
-	if token := GetProxyTokenFromContext(ctx); token != nil {
-		if token.AccountID != nil {
-			accountID = token.AccountID
+	token := GetProxyTokenFromContext(ctx)
+	if token != nil && token.AccountID != nil {
+		accountID = token.AccountID
+
+		available, err := s.proxyManager.IsClusterAddressAvailable(ctx, proxyAddress, *accountID)
+		if err != nil {
+			return status.Errorf(codes.Internal, "check cluster address: %v", err)
 		}
+		if !available {
+			return status.Errorf(codes.AlreadyExists, "cluster address %s is already in use", proxyAddress)
+		}
+	}
+
+	var tokenID string
+	if token != nil {
 		tokenID = token.ID
 	}
 
 	sessionID := uuid.NewString()
-	s.supersedePriorConnection(params.proxyID, sessionID)
+
+	if old, loaded := s.connectedProxies.Load(proxyID); loaded {
+		oldConn := old.(*proxyConnection)
+		log.WithFields(log.Fields{
+			"proxy_id":       proxyID,
+			"old_session_id": oldConn.sessionID,
+			"new_session_id": sessionID,
+		}).Info("Superseding existing proxy connection")
+		oldConn.cancel()
+	}
 
 	connCtx, cancel := context.WithCancel(ctx)
-	connSeed.proxyID = params.proxyID
-	connSeed.sessionID = sessionID
-	connSeed.address = params.address
-	connSeed.accountID = accountID
-	connSeed.tokenID = tokenID
-	connSeed.capabilities = params.capabilities
-	connSeed.sendChan = make(chan *proto.GetMappingUpdateResponse, 100)
-	connSeed.ctx = connCtx
-	connSeed.cancel = cancel
+	conn := &proxyConnection{
+		proxyID:      proxyID,
+		sessionID:    sessionID,
+		address:      proxyAddress,
+		accountID:    accountID,
+		tokenID:      tokenID,
+		capabilities: req.GetCapabilities(),
+		stream:       stream,
+		sendChan:     make(chan *proto.GetMappingUpdateResponse, 100),
+		ctx:          connCtx,
+		cancel:       cancel,
+	}
 
 	var caps *proxy.Capabilities
-	if c := params.capabilities; c != nil {
+	if c := req.GetCapabilities(); c != nil {
 		caps = &proxy.Capabilities{
 			SupportsCustomPorts: c.SupportsCustomPorts,
 			RequireSubdomain:    c.RequireSubdomain,
 			SupportsCrowdsec:    c.SupportsCrowdsec,
 		}
 	}
-
-	proxyRecord, err := s.proxyManager.Connect(ctx, params.proxyID, sessionID, params.address, peerInfo, accountID, caps)
+	proxyRecord, err := s.proxyManager.Connect(ctx, proxyID, sessionID, proxyAddress, peerInfo, accountID, caps)
 	if err != nil {
 		cancel()
 		if accountID != nil {
-			return nil, nil, status.Errorf(codes.Internal, "failed to register BYOP proxy: %v", err)
+			return status.Errorf(codes.Internal, "failed to register BYOP proxy: %v", err)
 		}
-		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", params.proxyID, err)
-		return nil, nil, status.Errorf(codes.Internal, "register proxy in database: %v", err)
+		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", proxyID, err)
+		return status.Errorf(codes.Internal, "register proxy in database: %v", err)
 	}
 
-	s.connectedProxies.Store(params.proxyID, connSeed)
-	if err := s.proxyController.RegisterProxyToCluster(ctx, params.address, params.proxyID); err != nil {
-		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", params.proxyID, err)
+	s.connectedProxies.Store(proxyID, conn)
+	if err := s.proxyController.RegisterProxyToCluster(ctx, conn.address, proxyID); err != nil {
+		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", proxyID, err)
 	}
 
-	return connSeed, proxyRecord, nil
-}
-
-// supersedePriorConnection cancels any existing connection for the given proxy.
-func (s *ProxyServiceServer) supersedePriorConnection(proxyID, newSessionID string) {
-	if old, loaded := s.connectedProxies.Load(proxyID); loaded {
-		oldConn := old.(*proxyConnection)
-		log.WithFields(log.Fields{
-			"proxy_id":       proxyID,
-			"old_session_id": oldConn.sessionID,
-			"new_session_id": newSessionID,
-		}).Info("Superseding existing proxy connection")
-		oldConn.cancel()
-	}
-}
-
-// cleanupFailedSnapshot removes the connection from the cluster and store
-// after a snapshot send failure.
-func (s *ProxyServiceServer) cleanupFailedSnapshot(ctx context.Context, conn *proxyConnection) {
-	if s.connectedProxies.CompareAndDelete(conn.proxyID, conn) {
-		if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, conn.proxyID); err != nil {
-			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", conn.proxyID, err)
+	if err := s.sendSnapshot(ctx, conn); err != nil {
+		if s.connectedProxies.CompareAndDelete(proxyID, conn) {
+			if unregErr := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); unregErr != nil {
+				log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, unregErr)
+			}
 		}
-	}
-	conn.cancel()
-	if err := s.proxyManager.Disconnect(context.Background(), conn.proxyID, conn.sessionID); err != nil {
-		log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", conn.proxyID, err)
-	}
-}
-
-// drainRecv consumes and discards messages from a bidirectional stream.
-// The proxy sends an ack for every incremental update; we don't need them
-// after the snapshot phase. Recv errors are forwarded to errChan.
-func (s *ProxyServiceServer) drainRecv(stream proto.ProxyService_SyncMappingsServer, errChan chan<- error) {
-	for {
-		if _, err := stream.Recv(); err != nil {
-			errChan <- err
-			return
+		cancel()
+		if disconnErr := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); disconnErr != nil {
+			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, disconnErr)
 		}
+		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
 	}
-}
 
-// serveProxyConnection runs the post-snapshot lifecycle: heartbeat, sender,
-// and wait for termination. When bidi is true, normal stream closure (EOF,
-// canceled) is treated as a clean disconnect rather than an error.
-func (s *ProxyServiceServer) serveProxyConnection(conn *proxyConnection, proxyRecord *proxy.Proxy, errChan <-chan error, bidi bool) error {
+	errChan := make(chan error, 2)
+	go s.sender(conn, errChan)
+
 	log.WithFields(log.Fields{
-		"proxy_id":      conn.proxyID,
-		"session_id":    conn.sessionID,
-		"address":       conn.address,
-		"cluster_addr":  conn.address,
-		"account_id":    conn.accountID,
+		"proxy_id":      proxyID,
+		"session_id":    sessionID,
+		"address":       proxyAddress,
+		"cluster_addr":  proxyAddress,
+		"account_id":    accountID,
 		"total_proxies": len(s.GetConnectedProxies()),
 	}).Info("Proxy registered in cluster")
+	defer func() {
+		if !s.connectedProxies.CompareAndDelete(proxyID, conn) {
+			log.Infof("Proxy %s session %s: skipping cleanup, superseded by new connection", proxyID, sessionID)
+			cancel()
+			return
+		}
 
-	defer s.disconnectProxy(conn)
-	go s.heartbeat(conn.ctx, conn, proxyRecord)
+		if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); err != nil {
+			log.Warnf("Failed to unregister proxy %s from cluster: %v", proxyID, err)
+		}
+		if err := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); err != nil {
+			log.Warnf("Failed to mark proxy %s as disconnected: %v", proxyID, err)
+		}
+
+		cancel()
+		log.Infof("Proxy %s session %s disconnected", proxyID, sessionID)
+	}()
+
+	go s.heartbeat(connCtx, conn, proxyRecord)
 
 	select {
 	case err := <-errChan:
-		if bidi && isStreamClosed(err) {
-			log.Infof("Proxy %s stream closed", conn.proxyID)
-			return nil
-		}
-		log.Warnf("Failed to send update: %v", err)
-		return fmt.Errorf("send update to proxy %s: %w", conn.proxyID, err)
-	case <-conn.ctx.Done():
-		log.Infof("Proxy %s context canceled", conn.proxyID)
-		return conn.ctx.Err()
+		log.WithContext(ctx).Warnf("Failed to send update: %v", err)
+		return fmt.Errorf("send update to proxy %s: %w", proxyID, err)
+	case <-connCtx.Done():
+		log.WithContext(ctx).Infof("Proxy %s context canceled", proxyID)
+		return connCtx.Err()
 	}
 }
 
-// disconnectProxy removes the connection from cluster and store, unless it
-// has already been superseded by a newer connection.
-func (s *ProxyServiceServer) disconnectProxy(conn *proxyConnection) {
-	if !s.connectedProxies.CompareAndDelete(conn.proxyID, conn) {
-		log.Infof("Proxy %s session %s: skipping cleanup, superseded by new connection", conn.proxyID, conn.sessionID)
-		conn.cancel()
-		return
-	}
-
-	if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, conn.proxyID); err != nil {
-		log.Warnf("Failed to unregister proxy %s from cluster: %v", conn.proxyID, err)
-	}
-	if err := s.proxyManager.Disconnect(context.Background(), conn.proxyID, conn.sessionID); err != nil {
-		log.Warnf("Failed to mark proxy %s as disconnected: %v", conn.proxyID, err)
-	}
-
-	conn.cancel()
-	log.Infof("Proxy %s session %s disconnected", conn.proxyID, conn.sessionID)
-}
-
-// sendSnapshotSync sends the initial snapshot with back-pressure: it sends
-// one batch, then waits for the proxy to ack before sending the next.
-func (s *ProxyServiceServer) sendSnapshotSync(ctx context.Context, conn *proxyConnection, stream proto.ProxyService_SyncMappingsServer) error {
-	if !isProxyAddressValid(conn.address) {
-		return fmt.Errorf("proxy address is invalid")
-	}
-	if s.snapshotBatchSize <= 0 {
-		return fmt.Errorf("invalid snapshot batch size: %d", s.snapshotBatchSize)
-	}
-
-	mappings, err := s.snapshotServiceMappings(ctx, conn)
-	if err != nil {
-		return err
-	}
-
-	for i := 0; i < len(mappings); i += s.snapshotBatchSize {
-		end := i + s.snapshotBatchSize
-		if end > len(mappings) {
-			end = len(mappings)
-		}
-		for _, m := range mappings[i:end] {
-			token, err := s.tokenStore.GenerateToken(m.AccountId, m.Id, s.proxyTokenTTL())
-			if err != nil {
-				return fmt.Errorf("generate auth token for service %s: %w", m.Id, err)
-			}
-			m.AuthToken = token
-		}
-		if err := stream.Send(&proto.SyncMappingsResponse{
-			Mapping:             mappings[i:end],
-			InitialSyncComplete: end == len(mappings),
-		}); err != nil {
-			return fmt.Errorf("send snapshot batch: %w", err)
-		}
-
-		if err := waitForAck(stream); err != nil {
-			return err
-		}
-	}
-
-	if len(mappings) == 0 {
-		if err := stream.Send(&proto.SyncMappingsResponse{
-			InitialSyncComplete: true,
-		}); err != nil {
-			return fmt.Errorf("send snapshot completion: %w", err)
-		}
-
-		if err := waitForAck(stream); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func waitForAck(stream proto.ProxyService_SyncMappingsServer) error {
-	msg, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive ack: %w", err)
-	}
-	if msg.GetAck() == nil {
-		return fmt.Errorf("expected ack, got %T", msg.GetMsg())
-	}
-	return nil
-}
-
 // heartbeat updates the proxy's last_seen timestamp every minute and
 // disconnects the proxy if its access token has been revoked.
 func (s *ProxyServiceServer) heartbeat(ctx context.Context, conn *proxyConnection, p *proxy.Proxy) {
@@ -562,9 +381,6 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 	if !isProxyAddressValid(conn.address) {
 		return fmt.Errorf("proxy address is invalid")
 	}
-	if s.snapshotBatchSize <= 0 {
-		return fmt.Errorf("invalid snapshot batch size: %d", s.snapshotBatchSize)
-	}
 
 	mappings, err := s.snapshotServiceMappings(ctx, conn)
 	if err != nil {
@@ -644,26 +460,12 @@ func isProxyAddressValid(addr string) bool {
 	return err == nil
 }
 
-// isStreamClosed returns true for errors that indicate normal stream
-// termination: io.EOF, context cancellation, or gRPC Canceled.
-func isStreamClosed(err error) bool {
-	if err == nil {
-		return false
-	}
-	if errors.Is(err, io.EOF) || errors.Is(err, context.Canceled) {
-		return true
-	}
-	return status.Code(err) == codes.Canceled
-}
-
-// sender handles sending messages to proxy.
-// When conn.syncStream is set the message is sent as SyncMappingsResponse;
-// otherwise the legacy GetMappingUpdateResponse stream is used.
+// sender handles sending messages to proxy
 func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error) {
 	for {
 		select {
 		case resp := <-conn.sendChan:
-			if err := conn.sendResponse(resp); err != nil {
+			if err := conn.stream.Send(resp); err != nil {
 				errChan <- err
 				return
 			}
@@ -673,17 +475,6 @@ func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error)
 	}
 }
 
-// sendResponse sends a mapping update on whichever stream the proxy connected with.
-func (conn *proxyConnection) sendResponse(resp *proto.GetMappingUpdateResponse) error {
-	if conn.syncStream != nil {
-		return conn.syncStream.Send(&proto.SyncMappingsResponse{
-			Mapping:             resp.Mapping,
-			InitialSyncComplete: resp.InitialSyncComplete,
-		})
-	}
-	return conn.stream.Send(resp)
-}
-
 // SendAccessLog processes access log from proxy
 func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendAccessLogRequest) (*proto.SendAccessLogResponse, error) {
 	accessLog := req.GetLog()
@@ -750,8 +541,8 @@ func (s *ProxyServiceServer) SendServiceUpdate(update *proto.GetMappingUpdateRes
 				return true
 			}
 			connUpdate = &proto.GetMappingUpdateResponse{
-				Mapping:             filtered,
-				InitialSyncComplete: update.InitialSyncComplete,
+				Mapping:              filtered,
+				InitialSyncComplete:  update.InitialSyncComplete,
 			}
 		}
 		resp := s.perProxyMessage(connUpdate, conn.proxyID)

management/internals/shared/grpc/proxy_group_access_test.go

@@ -109,7 +109,7 @@ func (m *mockReverseProxyManager) GetServiceByDomain(_ context.Context, domain s
 	return nil, errors.New("service not found for domain: " + domain)
 }
 
-func (m *mockReverseProxyManager) GetClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
+func (m *mockReverseProxyManager) GetActiveClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 

management/internals/shared/grpc/sync_mappings_test.go

@@ -1,411 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/metadata"
-
-	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// syncRecordingStream is a mock ProxyService_SyncMappingsServer that records
-// sent messages and returns pre-loaded ack responses from Recv.
-type syncRecordingStream struct {
-	grpc.ServerStream
-
-	mu       sync.Mutex
-	sent     []*proto.SyncMappingsResponse
-	recvMsgs []*proto.SyncMappingsRequest
-	recvIdx  int
-}
-
-func (s *syncRecordingStream) Send(m *proto.SyncMappingsResponse) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	s.sent = append(s.sent, m)
-	return nil
-}
-
-func (s *syncRecordingStream) Recv() (*proto.SyncMappingsRequest, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.recvIdx >= len(s.recvMsgs) {
-		return nil, fmt.Errorf("no more recv messages")
-	}
-	msg := s.recvMsgs[s.recvIdx]
-	s.recvIdx++
-	return msg, nil
-}
-
-func (s *syncRecordingStream) Context() context.Context     { return context.Background() }
-func (s *syncRecordingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *syncRecordingStream) SendHeader(metadata.MD) error { return nil }
-func (s *syncRecordingStream) SetTrailer(metadata.MD)       {}
-func (s *syncRecordingStream) SendMsg(any) error            { return nil }
-func (s *syncRecordingStream) RecvMsg(any) error            { return nil }
-
-func ackMsg() *proto.SyncMappingsRequest {
-	return &proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-	}
-}
-
-func TestSendSnapshotSync_BatchesWithAcks(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 3
-	const totalServices = 7 // 3 + 3 + 1 → 3 batches, 3 acks (one per batch, including final)
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg(), ackMsg(), ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 3, "should send ceil(7/3) = 3 batches")
-
-	assert.Len(t, stream.sent[0].Mapping, 3)
-	assert.False(t, stream.sent[0].InitialSyncComplete)
-
-	assert.Len(t, stream.sent[1].Mapping, 3)
-	assert.False(t, stream.sent[1].InitialSyncComplete)
-
-	assert.Len(t, stream.sent[2].Mapping, 1)
-	assert.True(t, stream.sent[2].InitialSyncComplete)
-
-	// All 3 acks consumed — including the final batch.
-	assert.Equal(t, 3, stream.recvIdx)
-}
-
-func TestSendSnapshotSync_SingleBatchWaitsForAck(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 100
-	const totalServices = 5
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1)
-	assert.Len(t, stream.sent[0].Mapping, totalServices)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-	assert.Equal(t, 1, stream.recvIdx, "final batch ack must be consumed")
-}
-
-func TestSendSnapshotSync_EmptySnapshot(t *testing.T) {
-	const cluster = "cluster.example.com"
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(nil, nil)
-
-	s := newSnapshotTestServer(t, 500)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1, "empty snapshot must still send sync-complete")
-	assert.Empty(t, stream.sent[0].Mapping)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-	assert.Equal(t, 1, stream.recvIdx, "empty snapshot ack must be consumed")
-}
-
-func TestSendSnapshotSync_MissingAckReturnsError(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4 // 2 batches → 1 ack needed, but we provide none
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	// No acks available — Recv will return error.
-	stream := &syncRecordingStream{}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "receive ack")
-	// First batch should have been sent before the error.
-	require.Len(t, stream.sent, 1)
-}
-
-func TestSendSnapshotSync_WrongMessageInsteadOfAck(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	// Send an init message instead of an ack.
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{
-			{Msg: &proto.SyncMappingsRequest_Init{Init: &proto.SyncMappingsInit{ProxyId: "bad"}}},
-		},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "expected ack")
-}
-
-func TestSendSnapshotSync_BackPressureOrdering(t *testing.T) {
-	// Verify batches are sent strictly sequentially — batch N+1 is not sent
-	// until the ack for batch N is received, including the final batch.
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 6 // 3 batches, 3 acks
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	var mu sync.Mutex
-	var events []string
-
-	// Build a stream that logs send/recv events so we can verify ordering.
-	ackCh := make(chan struct{}, 3)
-	stream := &orderTrackingStream{
-		mu:     &mu,
-		events: &events,
-		ackCh:  ackCh,
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	// Feed acks asynchronously after a short delay to simulate real proxy.
-	go func() {
-		for range 3 {
-			time.Sleep(10 * time.Millisecond)
-			ackCh <- struct{}{}
-		}
-	}()
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	mu.Lock()
-	defer mu.Unlock()
-
-	// Expected: send, recv-ack, send, recv-ack, send, recv-ack.
-	require.Len(t, events, 6)
-	assert.Equal(t, "send", events[0])
-	assert.Equal(t, "recv", events[1])
-	assert.Equal(t, "send", events[2])
-	assert.Equal(t, "recv", events[3])
-	assert.Equal(t, "send", events[4])
-	assert.Equal(t, "recv", events[5])
-}
-
-// orderTrackingStream logs "send" and "recv" events and blocks Recv until
-// an ack is signaled via ackCh.
-type orderTrackingStream struct {
-	grpc.ServerStream
-	mu     *sync.Mutex
-	events *[]string
-	ackCh  chan struct{}
-}
-
-func (s *orderTrackingStream) Send(_ *proto.SyncMappingsResponse) error {
-	s.mu.Lock()
-	*s.events = append(*s.events, "send")
-	s.mu.Unlock()
-	return nil
-}
-
-func (s *orderTrackingStream) Recv() (*proto.SyncMappingsRequest, error) {
-	<-s.ackCh
-	s.mu.Lock()
-	*s.events = append(*s.events, "recv")
-	s.mu.Unlock()
-	return ackMsg(), nil
-}
-
-func (s *orderTrackingStream) Context() context.Context     { return context.Background() }
-func (s *orderTrackingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *orderTrackingStream) SendHeader(metadata.MD) error { return nil }
-func (s *orderTrackingStream) SetTrailer(metadata.MD)       {}
-func (s *orderTrackingStream) SendMsg(any) error            { return nil }
-func (s *orderTrackingStream) RecvMsg(any) error            { return nil }
-
-func TestSendSnapshotSync_TokensGeneratedPerBatch(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4
-	const ttl = 100 * time.Millisecond
-	const ackDelay = 200 * time.Millisecond
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-	s.tokenTTL = ttl
-
-	// Build a stream that validates tokens immediately on Send, then
-	// delays the ack to ensure the next batch's tokens are generated fresh.
-	var validateErrs []error
-	ackCh := make(chan struct{}, 2)
-	stream := &tokenValidatingSyncStream{
-		tokenStore:   s.tokenStore,
-		validateErrs: &validateErrs,
-		ackCh:        ackCh,
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	go func() {
-		// Delay first ack so that if tokens were all generated upfront they'd expire.
-		time.Sleep(ackDelay)
-		ackCh <- struct{}{}
-		// Final batch ack — immediate.
-		ackCh <- struct{}{}
-	}()
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-	require.Empty(t, validateErrs,
-		"tokens must remain valid: per-batch generation guarantees freshness")
-}
-
-type tokenValidatingSyncStream struct {
-	grpc.ServerStream
-	tokenStore   *OneTimeTokenStore
-	validateErrs *[]error
-	ackCh        chan struct{}
-}
-
-func (s *tokenValidatingSyncStream) Send(m *proto.SyncMappingsResponse) error {
-	for _, mapping := range m.Mapping {
-		if err := s.tokenStore.ValidateAndConsume(mapping.AuthToken, mapping.AccountId, mapping.Id); err != nil {
-			*s.validateErrs = append(*s.validateErrs, fmt.Errorf("svc %s: %w", mapping.Id, err))
-		}
-	}
-	return nil
-}
-
-func (s *tokenValidatingSyncStream) Recv() (*proto.SyncMappingsRequest, error) {
-	<-s.ackCh
-	return ackMsg(), nil
-}
-
-func (s *tokenValidatingSyncStream) Context() context.Context     { return context.Background() }
-func (s *tokenValidatingSyncStream) SetHeader(metadata.MD) error  { return nil }
-func (s *tokenValidatingSyncStream) SendHeader(metadata.MD) error { return nil }
-func (s *tokenValidatingSyncStream) SetTrailer(metadata.MD)       {}
-func (s *tokenValidatingSyncStream) SendMsg(any) error            { return nil }
-func (s *tokenValidatingSyncStream) RecvMsg(any) error            { return nil }
-
-func TestConnectionSendResponse_RoutesToSyncStream(t *testing.T) {
-	stream := &syncRecordingStream{}
-	conn := &proxyConnection{
-		syncStream: stream,
-	}
-
-	resp := &proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{
-			{Id: "svc-1", AccountId: "acct-1", Domain: "example.com"},
-		},
-		InitialSyncComplete: true,
-	}
-
-	err := conn.sendResponse(resp)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1)
-	assert.Len(t, stream.sent[0].Mapping, 1)
-	assert.Equal(t, "svc-1", stream.sent[0].Mapping[0].Id)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-}
-
-func TestConnectionSendResponse_RoutesToLegacyStream(t *testing.T) {
-	stream := &recordingStream{}
-	conn := &proxyConnection{
-		stream: stream,
-	}
-
-	resp := &proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{
-			{Id: "svc-2", AccountId: "acct-2"},
-		},
-	}
-
-	err := conn.sendResponse(resp)
-	require.NoError(t, err)
-
-	require.Len(t, stream.messages, 1)
-	assert.Equal(t, "svc-2", stream.messages[0].Mapping[0].Id)
-}

management/internals/shared/grpc/validate_session_test.go

@@ -322,7 +322,7 @@ func (m *testValidateSessionServiceManager) GetServiceByDomain(ctx context.Conte
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *testValidateSessionServiceManager) GetClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
+func (m *testValidateSessionServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 

management/server/account.go

@@ -1868,32 +1868,35 @@ func domainIsUpToDate(domain string, domainCategory string, userAuth auth.UserAu
 	return domainCategory == types.PrivateCategory || userAuth.DomainCategory != types.PrivateCategory || domain != userAuth.Domain
 }
 
-// SyncAndMarkPeer is the per-Sync entry point: it refreshes the peer's
-// network map and then marks the peer connected with a session token
-// derived from syncTime (the moment the gRPC stream opened). Any
-// concurrent stream that started earlier loses the optimistic-lock race
-// in MarkPeerConnected and bails without writing.
 func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	peer, netMap, postureChecks, dnsfwdPort, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, 0, fmt.Errorf("error syncing peer: %w", err)
 	}
 
-	if err := am.MarkPeerConnected(ctx, peerPubKey, realIP, accountID, syncTime.UnixNano()); err != nil {
+	err = am.MarkPeerConnected(ctx, peerPubKey, true, realIP, accountID, syncTime)
+	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as connected %s %v", peerPubKey, err)
 	}
 
 	return peer, netMap, postureChecks, dnsfwdPort, nil
 }
 
-// OnPeerDisconnected is invoked when a sync stream ends. It marks the
-// peer disconnected only when the stored SessionStartedAt matches the
-// nanosecond token derived from streamStartTime — i.e. only when this
-// is the stream that currently owns the peer's session. A mismatch
-// means a newer stream has already replaced us, so the disconnect is
-// dropped.
 func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
-	if err := am.MarkPeerDisconnected(ctx, peerPubKey, accountID, streamStartTime.UnixNano()); err != nil {
+	peer, err := am.Store.GetPeerByPeerPubKey(ctx, store.LockingStrengthNone, peerPubKey)
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to get peer %s for disconnect check: %v", peerPubKey, err)
+		return nil
+	}
+
+	if peer.Status.LastSeen.After(streamStartTime) {
+		log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s > streamStart=%s), skipping disconnect",
+			peerPubKey, peer.Status.LastSeen.Format(time.RFC3339), streamStartTime.Format(time.RFC3339))
+		return nil
+	}
+
+	err = am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID, time.Now().UTC())
+	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as disconnected %s %v", peerPubKey, err)
 	}
 	return nil

management/server/account/manager.go

@@ -61,8 +61,7 @@ type Manager interface {
 	GetUserFromUserAuth(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsers(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnected(ctx context.Context, peerKey string, realIP net.IP, accountID string, sessionStartedAt int64) error
-	MarkPeerDisconnected(ctx context.Context, peerKey string, accountID string, sessionStartedAt int64) error
+	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error
 	DeletePeer(ctx context.Context, accountID, peerID, userID string) error
 	UpdatePeer(ctx context.Context, accountID, userID string, p *nbpeer.Peer) (*nbpeer.Peer, error)
 	UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error

management/server/account/manager_mock.go

@@ -1305,31 +1305,17 @@ func (mr *MockManagerMockRecorder) LoginPeer(ctx, login interface{}) *gomock.Cal
 }
 
 // MarkPeerConnected mocks base method.
-func (m *MockManager) MarkPeerConnected(ctx context.Context, peerKey string, realIP net.IP, accountID string, sessionStartedAt int64) error {
+func (m *MockManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerConnected", ctx, peerKey, realIP, accountID, sessionStartedAt)
+	ret := m.ctrl.Call(m, "MarkPeerConnected", ctx, peerKey, connected, realIP, accountID, syncTime)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
 // MarkPeerConnected indicates an expected call of MarkPeerConnected.
-func (mr *MockManagerMockRecorder) MarkPeerConnected(ctx, peerKey, realIP, accountID, sessionStartedAt interface{}) *gomock.Call {
+func (mr *MockManagerMockRecorder) MarkPeerConnected(ctx, peerKey, connected, realIP, accountID, syncTime interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnected", reflect.TypeOf((*MockManager)(nil).MarkPeerConnected), ctx, peerKey, realIP, accountID, sessionStartedAt)
-}
-
-// MarkPeerDisconnected mocks base method.
-func (m *MockManager) MarkPeerDisconnected(ctx context.Context, peerKey string, accountID string, sessionStartedAt int64) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerDisconnected", ctx, peerKey, accountID, sessionStartedAt)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// MarkPeerDisconnected indicates an expected call of MarkPeerDisconnected.
-func (mr *MockManagerMockRecorder) MarkPeerDisconnected(ctx, peerKey, accountID, sessionStartedAt interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerDisconnected", reflect.TypeOf((*MockManager)(nil).MarkPeerDisconnected), ctx, peerKey, accountID, sessionStartedAt)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnected", reflect.TypeOf((*MockManager)(nil).MarkPeerConnected), ctx, peerKey, connected, realIP, accountID, syncTime)
 }
 
 // OnPeerDisconnected mocks base method.

management/server/account_test.go

@@ -1813,7 +1813,7 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
 	require.NoError(t, err, "unable to get the account")
 
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), nil, accountID, time.Now().UTC().UnixNano())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
@@ -1884,7 +1884,7 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	require.NoError(t, err, "unable to get the account")
 
 	// when we mark peer as connected, the peer login expiration routine should trigger
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), nil, accountID, time.Now().UTC().UnixNano())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	failed := waitTimeout(wg, time.Second)
@@ -1910,16 +1910,15 @@ func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
 	}, false)
 	require.NoError(t, err, "unable to add peer")
 
-	t.Run("disconnect peer when session token matches", func(t *testing.T) {
-		streamStartTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, streamStartTime.UnixNano())
+	t.Run("disconnect peer when streamStartTime is after LastSeen", func(t *testing.T) {
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
 		require.NoError(t, err, "unable to mark peer connected")
 
 		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err, "unable to get peer")
 		require.True(t, peer.Status.Connected, "peer should be connected")
-		require.Equal(t, streamStartTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should equal the token we passed in")
+
+		streamStartTime := time.Now().UTC()
 
 		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
 		require.NoError(t, err)
@@ -1927,127 +1926,49 @@ func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
 		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.False(t, peer.Status.Connected, "peer should be disconnected")
-		require.Equal(t, int64(0), peer.Status.SessionStartedAt, "SessionStartedAt should be reset to 0")
 	})
 
-	t.Run("skip disconnect when stored session is newer (zombie stream protection)", func(t *testing.T) {
-		// Newer stream wins on connect (sets SessionStartedAt = now ns).
-		streamStartTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, streamStartTime.UnixNano())
+	t.Run("skip disconnect when LastSeen is after streamStartTime (zombie stream protection)", func(t *testing.T) {
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
 		require.NoError(t, err, "unable to mark peer connected")
 
 		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected, "peer should be connected")
 
-		// Older stream tries to mark disconnect with its own (older) session token —
-		// fencing kicks in and the write is dropped.
-		staleStreamStartTime := streamStartTime.Add(-1 * time.Hour)
+		streamStartTime := peer.Status.LastSeen.Add(-1 * time.Hour)
 
-		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, staleStreamStartTime)
+		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
 		require.NoError(t, err)
 
 		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected,
-			"peer should remain connected because the stored session is newer than the disconnect token")
-		require.Equal(t, streamStartTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should still hold the winning stream's token")
+			"peer should remain connected because LastSeen > streamStartTime (zombie stream protection)")
 	})
 
-	t.Run("skip stale connect when stored session is newer (blocked goroutine protection)", func(t *testing.T) {
+	t.Run("skip stale connect when peer already has newer LastSeen (blocked goroutine protection)", func(t *testing.T) {
 		node2SyncTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, node2SyncTime.UnixNano())
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node2SyncTime)
 		require.NoError(t, err, "node 2 should connect peer")
 
 		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected, "peer should be connected")
-		require.Equal(t, node2SyncTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should equal node2SyncTime token")
+		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(), "LastSeen should be node2SyncTime")
 
 		node1StaleSyncTime := node2SyncTime.Add(-1 * time.Minute)
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, node1StaleSyncTime.UnixNano())
+		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node1StaleSyncTime)
 		require.NoError(t, err, "stale connect should not return error")
 
 		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
 		require.NoError(t, err)
 		require.True(t, peer.Status.Connected, "peer should still be connected")
-		require.Equal(t, node2SyncTime.UnixNano(), peer.Status.SessionStartedAt,
-			"SessionStartedAt should NOT be overwritten by stale token from blocked goroutine")
+		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(),
+			"LastSeen should NOT be overwritten by stale syncTime from blocked goroutine")
 	})
 }
 
-// TestDefaultAccountManager_MarkPeerConnected_ConcurrentRace exercises the
-// fencing protocol under contention: many goroutines race to mark the
-// same peer connected with distinct session tokens at the same time.
-// The contract is that the highest token always wins and is what remains
-// in the store, regardless of execution order.
-func TestDefaultAccountManager_MarkPeerConnected_ConcurrentRace(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to get account")
-
-	key, err := wgtypes.GenerateKey()
-	require.NoError(t, err, "unable to generate WireGuard key")
-	peerPubKey := key.PublicKey().String()
-
-	_, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  peerPubKey,
-		Meta: nbpeer.PeerSystemMeta{Hostname: "race-peer"},
-	}, false)
-	require.NoError(t, err, "unable to add peer")
-
-	const workers = 16
-	base := time.Now().UTC().UnixNano()
-	tokens := make([]int64, workers)
-	for i := range tokens {
-		// Spread tokens by 1ms so the comparison is unambiguous; the
-		// largest is index workers-1.
-		tokens[i] = base + int64(i)*int64(time.Millisecond)
-	}
-	expected := tokens[workers-1]
-
-	var ready sync.WaitGroup
-	ready.Add(workers)
-	var start sync.WaitGroup
-	start.Add(1)
-	var done sync.WaitGroup
-	done.Add(workers)
-
-	// require.* calls t.FailNow which is documented as unsafe from
-	// non-test goroutines (it calls runtime.Goexit on the wrong stack and
-	// races with the WaitGroup). Collect errors here and assert from the
-	// main goroutine after done.Wait().
-	errs := make(chan error, workers)
-
-	for i := 0; i < workers; i++ {
-		token := tokens[i]
-		go func() {
-			defer done.Done()
-			ready.Done()
-			start.Wait()
-			errs <- manager.MarkPeerConnected(context.Background(), peerPubKey, nil, accountID, token)
-		}()
-	}
-
-	ready.Wait()
-	start.Done()
-	done.Wait()
-	close(errs)
-	for err := range errs {
-		require.NoError(t, err, "MarkPeerConnected must not error under contention")
-	}
-
-	peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-	require.NoError(t, err)
-	require.True(t, peer.Status.Connected, "peer should be connected after the race")
-	require.Equal(t, expected, peer.Status.SessionStartedAt,
-		"the largest token must win regardless of execution order")
-}
-
 func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *testing.T) {
 	manager, _, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
@@ -2070,7 +1991,7 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 	account, err := manager.Store.GetAccount(context.Background(), accountID)
 	require.NoError(t, err, "unable to get the account")
 
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), nil, accountID, time.Now().UTC().UnixNano())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
 	require.NoError(t, err, "unable to mark peer connected")
 
 	wg := &sync.WaitGroup{}

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -444,7 +444,7 @@ func (m *testServiceManager) GetServiceByDomain(ctx context.Context, domain stri
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *testServiceManager) GetClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
+func (m *testServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
 	return nil, nil
 }
 

management/server/http/testing/integration/networks_handler_integration_test.go

@@ -1319,7 +1319,7 @@ func Test_NetworkRouters_Update(t *testing.T) {
 			},
 		},
 		{
-			name:      "Update non-existing router returns not found",
+			name:      "Update non-existing router creates it",
 			networkId: "testNetworkId",
 			routerId:  "nonExistingRouterId",
 			requestBody: &api.NetworkRouterRequest{
@@ -1328,7 +1328,11 @@ func Test_NetworkRouters_Update(t *testing.T) {
 				Metric:     100,
 				Enabled:    true,
 			},
-			expectedStatus: http.StatusNotFound,
+			expectedStatus: http.StatusOK,
+			verifyResponse: func(t *testing.T, router *api.NetworkRouter) {
+				t.Helper()
+				assert.Equal(t, "nonExistingRouterId", router.Id)
+			},
 		},
 		{
 			name:      "Update router with both peer and peer_groups",

management/server/idp/embedded.go

@@ -6,9 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
 	"os"
-	"path"
 	"strings"
 
 	"github.com/dexidp/dex/storage"
@@ -140,13 +138,10 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 		return nil, fmt.Errorf("invalid IdP storage config: %w", err)
 	}
 
-	// Build CLI redirect URIs including the device callback. Dex uses the issuer-relative
-	// path (for example, /oauth2/device/callback) when completing the device flow, so
-	// include it explicitly in addition to the legacy bare path and absolute URL.
+	// Build CLI redirect URIs including the device callback (both relative and absolute)
 	cliRedirectURIs := c.CLIRedirectURIs
 	cliRedirectURIs = append(cliRedirectURIs, "/device/callback")
-	cliRedirectURIs = append(cliRedirectURIs, issuerRelativeDeviceCallback(c.Issuer))
-	cliRedirectURIs = append(cliRedirectURIs, strings.TrimSuffix(c.Issuer, "/")+"/device/callback")
+	cliRedirectURIs = append(cliRedirectURIs, c.Issuer+"/device/callback")
 
 	// Build dashboard redirect URIs including the OAuth callback for proxy authentication
 	dashboardRedirectURIs := c.DashboardRedirectURIs
@@ -159,10 +154,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	// MGMT api and the dashboard, adding baseURL means less configuration for the instance admin
 	dashboardPostLogoutRedirectURIs = append(dashboardPostLogoutRedirectURIs, baseURL)
 
-	redirectURIs := make([]string, 0)
-	redirectURIs = append(redirectURIs, cliRedirectURIs...)
-	redirectURIs = append(redirectURIs, dashboardRedirectURIs...)
-
 	cfg := &dex.YAMLConfig{
 		Issuer: c.Issuer,
 		Storage: dex.Storage{
@@ -188,14 +179,14 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 				ID:                     staticClientDashboard,
 				Name:                   "NetBird Dashboard",
 				Public:                 true,
-				RedirectURIs:           redirectURIs,
+				RedirectURIs:           dashboardRedirectURIs,
 				PostLogoutRedirectURIs: sanitizePostLogoutRedirectURIs(dashboardPostLogoutRedirectURIs),
 			},
 			{
 				ID:           staticClientCLI,
 				Name:         "NetBird CLI",
 				Public:       true,
-				RedirectURIs: redirectURIs,
+				RedirectURIs: cliRedirectURIs,
 			},
 		},
 		StaticConnectors: c.StaticConnectors,
@@ -226,14 +217,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	return cfg, nil
 }
 
-func issuerRelativeDeviceCallback(issuer string) string {
-	u, err := url.Parse(issuer)
-	if err != nil || u.Path == "" {
-		return "/device/callback"
-	}
-	return path.Join(u.Path, "/device/callback")
-}
-
 // Due to how the frontend generates the logout, sometimes it appends a trailing slash
 // and because Dex only allows exact matches, we need to make sure we always have both
 // versions of each provided uri
@@ -316,7 +299,7 @@ func resolveSessionCookieEncryptionKey(configuredKey string) (string, error) {
 		}
 	}
 
-	return "", fmt.Errorf("invalid embedded IdP session cookie encryption key:%s (or sessionCookieEncryptionKey) must be 16, 24, or 32 bytes as a raw string or base64-encoded to one of those lengths; got %d raw bytes", sessionCookieEncryptionKeyEnv, len([]byte(key)))
+	return "", fmt.Errorf("invalid embedded IdP session cookie encryption key: %s (or sessionCookieEncryptionKey) must be 16, 24, or 32 bytes as a raw string or base64-encoded to one of those lengths; got %d raw bytes", sessionCookieEncryptionKeyEnv, len([]byte(key)))
 }
 
 func validSessionCookieEncryptionKeyLength(length int) bool {

management/server/idp/embedded_test.go

@@ -314,34 +314,6 @@ func TestEmbeddedIdPManager_UpdateUserPassword(t *testing.T) {
 	})
 }
 
-func TestEmbeddedIdPConfig_ToYAMLConfig_IncludesDeviceCallbackRedirectURI(t *testing.T) {
-	config := &EmbeddedIdPConfig{
-		Enabled: true,
-		Issuer:  "https://example.com/oauth2",
-		Storage: EmbeddedStorageConfig{
-			Type: "sqlite3",
-			Config: EmbeddedStorageTypeConfig{
-				File: filepath.Join(t.TempDir(), "dex.db"),
-			},
-		},
-	}
-
-	yamlConfig, err := config.ToYAMLConfig()
-	require.NoError(t, err)
-
-	var cliRedirectURIs []string
-	for _, client := range yamlConfig.StaticClients {
-		if client.ID == staticClientCLI {
-			cliRedirectURIs = client.RedirectURIs
-			break
-		}
-	}
-	require.NotEmpty(t, cliRedirectURIs)
-	assert.Contains(t, cliRedirectURIs, "/device/callback")
-	assert.Contains(t, cliRedirectURIs, "/oauth2/device/callback")
-	assert.Contains(t, cliRedirectURIs, "https://example.com/oauth2/device/callback")
-}
-
 func TestEmbeddedIdPConfig_ToYAMLConfig_SessionCookieEncryptionKey(t *testing.T) {
 	t.Setenv(sessionCookieEncryptionKeyEnv, "")
 

management/server/migration/migration_test.go

@@ -198,11 +198,7 @@ func TestMigrateNetIPFieldFromBlobToJSON_WithJSONData(t *testing.T) {
 	require.NoError(t, err, "Failed to insert account")
 
 	account.PeersG = []nbpeer.Peer{
-		{
-			AccountID: "1234",
-			Location:  nbpeer.Location{ConnectionIP: net.IP{10, 0, 0, 1}},
-			Status:    &nbpeer.PeerStatus{LastSeen: time.Now()},
-		},
+		{AccountID: "1234", Location: nbpeer.Location{ConnectionIP: net.IP{10, 0, 0, 1}}},
 	}
 
 	err = db.Save(account).Error

management/server/mock_server/account_mock.go

@@ -38,8 +38,7 @@ type MockAccountManager struct {
 	GetUserFromUserAuthFunc               func(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsersFunc                         func(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeersFunc                          func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, realIP net.IP, accountID string, sessionStartedAt int64) error
-	MarkPeerDisconnectedFunc              func(ctx context.Context, peerKey string, accountID string, sessionStartedAt int64) error
+	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP, syncTime time.Time) error
 	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
 	DeletePeerFunc                        func(ctx context.Context, accountID, peerKey, userID string) error
 	GetNetworkMapFunc                     func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
@@ -228,14 +227,7 @@ func (am *MockAccountManager) SyncAndMarkPeer(ctx context.Context, accountID str
 	return nil, nil, nil, 0, status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }
 
-func (am *MockAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
-	// Mirror DefaultAccountManager.OnPeerDisconnected: drive the fencing
-	// hook so tests that inject MarkPeerDisconnectedFunc actually observe
-	// disconnect events. Falls through to nil when no hook is set, which
-	// is the original behaviour.
-	if am.MarkPeerDisconnectedFunc != nil {
-		return am.MarkPeerDisconnectedFunc(ctx, peerPubKey, accountID, streamStartTime.UnixNano())
-	}
+func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
 	return nil
 }
 
@@ -336,21 +328,13 @@ func (am *MockAccountManager) GetAccountIDByUserID(ctx context.Context, userAuth
 }
 
 // MarkPeerConnected mock implementation of MarkPeerConnected from server.AccountManager interface
-func (am *MockAccountManager) MarkPeerConnected(ctx context.Context, peerKey string, realIP net.IP, accountID string, sessionStartedAt int64) error {
+func (am *MockAccountManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
 	if am.MarkPeerConnectedFunc != nil {
-		return am.MarkPeerConnectedFunc(ctx, peerKey, realIP, accountID, sessionStartedAt)
+		return am.MarkPeerConnectedFunc(ctx, peerKey, connected, realIP, syncTime)
 	}
 	return status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }
 
-// MarkPeerDisconnected mock implementation of MarkPeerDisconnected from server.AccountManager interface
-func (am *MockAccountManager) MarkPeerDisconnected(ctx context.Context, peerKey string, accountID string, sessionStartedAt int64) error {
-	if am.MarkPeerDisconnectedFunc != nil {
-		return am.MarkPeerDisconnectedFunc(ctx, peerKey, accountID, sessionStartedAt)
-	}
-	return status.Errorf(codes.Unimplemented, "method MarkPeerDisconnected is not implemented")
-}
-
 // DeleteAccount mock implementation of DeleteAccount from server.AccountManager interface
 func (am *MockAccountManager) DeleteAccount(ctx context.Context, accountID, userID string) error {
 	if am.DeleteAccountFunc != nil {

management/server/networks/manager_test.go

@@ -34,11 +34,8 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 
 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
 	require.NoError(t, err)
-	ids := make([]string, 0, len(networks))
-	for _, n := range networks {
-		ids = append(ids, n.ID)
-	}
-	require.ElementsMatch(t, []string{"testNetworkId", "secondNetworkId"}, ids)
+	require.Len(t, networks, 1)
+	require.Equal(t, "testNetworkId", networks[0].ID)
 }
 
 func Test_GetAllNetworksReturnsPermissionDenied(t *testing.T) {

management/server/networks/routers/manager.go

@@ -102,7 +102,7 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 
 		router.ID = xid.New().String()
 
-		err = transaction.CreateNetworkRouter(ctx, router)
+		err = transaction.SaveNetworkRouter(ctx, router)
 		if err != nil {
 			return fmt.Errorf("failed to create network router: %w", err)
 		}
@@ -162,20 +162,11 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t
 			return fmt.Errorf("failed to get network: %w", err)
 		}
 
-		existing, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, router.AccountID, router.ID)
-		if err != nil {
-			return fmt.Errorf("failed to get network router: %w", err)
-		}
-
-		if existing.AccountID != router.AccountID {
-			return status.NewNetworkRouterNotFoundError(router.ID)
-		}
-
-		if existing.NetworkID != router.NetworkID {
+		if network.ID != router.NetworkID {
 			return status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
 		}
 
-		err = transaction.UpdateNetworkRouter(ctx, router)
+		err = transaction.SaveNetworkRouter(ctx, router)
 		if err != nil {
 			return fmt.Errorf("failed to update network router: %w", err)
 		}

management/server/networks/routers/manager_test.go

@@ -195,7 +195,6 @@ func Test_UpdateRouterSuccessfully(t *testing.T) {
 	if err != nil {
 		require.NoError(t, err)
 	}
-	router.ID = "testRouterId"
 
 	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
 	if err != nil {
@@ -211,102 +210,6 @@ func Test_UpdateRouterSuccessfully(t *testing.T) {
 	require.Equal(t, router.Metric, updatedRouter.Metric)
 }
 
-func Test_UpdateRouterRejectsCrossAccountID(t *testing.T) {
-	ctx := context.Background()
-	userID := "testAdminId"
-
-	// Admin of testAccountId tries to update a router that belongs to otherAccountId
-	// by passing the other account's router ID through the URL.
-	router, err := types.NewNetworkRouter("testAccountId", "testNetworkId", "testPeerId", []string{}, false, 1, true)
-	if err != nil {
-		require.NoError(t, err)
-	}
-	router.ID = "otherRouterId"
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(cleanUp)
-	permissionsManager := permissions.NewManager(s)
-	am := mock_server.MockAccountManager{}
-	manager := NewManager(s, permissionsManager, &am)
-
-	updatedRouter, err := manager.UpdateRouter(ctx, userID, router)
-	require.Error(t, err)
-	require.Nil(t, updatedRouter)
-
-	// The other account's router must be untouched.
-	stored, err := s.GetNetworkRouterByID(ctx, store.LockingStrengthNone, "otherAccountId", "otherRouterId")
-	require.NoError(t, err)
-	require.Equal(t, "otherAccountId", stored.AccountID)
-	require.Equal(t, "otherNetworkId", stored.NetworkID)
-	require.Equal(t, "otherPeer", stored.Peer)
-	require.Equal(t, 1, stored.Metric)
-}
-
-func Test_CreateRouterRejectsCrossAccountID(t *testing.T) {
-	ctx := context.Background()
-	userID := "testAdminId"
-
-	// Admin of testAccountId tries to create a router in otherAccountId's network.
-	// The permission check is on router.AccountID (their own), but the network
-	// lookup must fail because (testAccountId, otherNetworkId) does not exist.
-	router, err := types.NewNetworkRouter("testAccountId", "otherNetworkId", "testPeerId", []string{}, false, 1, true)
-	if err != nil {
-		require.NoError(t, err)
-	}
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(cleanUp)
-	permissionsManager := permissions.NewManager(s)
-	am := mock_server.MockAccountManager{}
-	manager := NewManager(s, permissionsManager, &am)
-
-	createdRouter, err := manager.CreateRouter(ctx, userID, router)
-	require.Error(t, err)
-	require.Nil(t, createdRouter)
-
-	// No router should have been created in either account's scope under otherNetworkId.
-	routersInOther, err := s.GetNetworkRoutersByNetID(ctx, store.LockingStrengthNone, "otherAccountId", "otherNetworkId")
-	require.NoError(t, err)
-	require.Len(t, routersInOther, 1)
-	require.Equal(t, "otherRouterId", routersInOther[0].ID)
-}
-
-func Test_UpdateRouterRejectsNetworkMismatch(t *testing.T) {
-	ctx := context.Background()
-	userID := "testAdminId"
-
-	// The router exists in testNetworkId, but the caller submits secondNetworkId
-	// (a different network in the same account). The update must be refused.
-	router, err := types.NewNetworkRouter("testAccountId", "secondNetworkId", "testPeerId", []string{}, false, 1, true)
-	if err != nil {
-		require.NoError(t, err)
-	}
-	router.ID = "testRouterId"
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(cleanUp)
-	permissionsManager := permissions.NewManager(s)
-	am := mock_server.MockAccountManager{}
-	manager := NewManager(s, permissionsManager, &am)
-
-	updatedRouter, err := manager.UpdateRouter(ctx, userID, router)
-	require.Error(t, err)
-	require.Nil(t, updatedRouter)
-
-	stored, err := s.GetNetworkRouterByID(ctx, store.LockingStrengthNone, "testAccountId", "testRouterId")
-	require.NoError(t, err)
-	require.Equal(t, "testNetworkId", stored.NetworkID)
-}
-
 func Test_UpdateRouterFailsWithPermissionDenied(t *testing.T) {
 	ctx := context.Background()
 	userID := "testUserId"

management/server/peer.go

@@ -16,6 +16,7 @@ import (
 	"golang.org/x/exp/maps"
 
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/idp"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
@@ -28,7 +29,6 @@ import (
 
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -63,64 +63,56 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 	return am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
 }
 
-// MarkPeerConnected marks a peer as connected with optimistic-locked
-// fencing on PeerStatus.SessionStartedAt. The sessionStartedAt argument
-// is the start time of the gRPC sync stream that owns this update,
-// expressed as Unix nanoseconds — only the call whose token is greater
-// than what's stored wins. LastSeen is written by the database itself;
-// we never pass it down.
-//
-// Disconnects use MarkPeerDisconnected and require the session to match
-// exactly; see PeerStatus.SessionStartedAt for the protocol.
-func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubKey string, realIP net.IP, accountID string, sessionStartedAt int64) error {
-	start := time.Now()
-	defer func() {
-		am.metrics.AccountManagerMetrics().RecordPeerStatusUpdateDuration(telemetry.PeerStatusConnect, time.Since(start))
-	}()
+// MarkPeerConnected marks peer as connected (true) or disconnected (false)
+// syncTime is used as the LastSeen timestamp and for stale request detection
+func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
+	var peer *nbpeer.Peer
+	var settings *types.Settings
+	var expired bool
+	var err error
+	var skipped bool
 
-	peer, err := am.Store.GetPeerByPeerPubKey(ctx, store.LockingStrengthNone, peerPubKey)
-	if err != nil {
-		outcome := telemetry.PeerStatusError
-		if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
-			outcome = telemetry.PeerStatusPeerNotFound
-		}
-		am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusConnect, outcome)
-		return err
-	}
-
-	updated, err := am.Store.MarkPeerConnectedIfNewerSession(ctx, accountID, peer.ID, sessionStartedAt)
-	if err != nil {
-		am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusConnect, telemetry.PeerStatusError)
-		return err
-	}
-	if !updated {
-		am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusConnect, telemetry.PeerStatusStale)
-		log.WithContext(ctx).Tracef("peer %s already has a newer session in store, skipping connect", peer.ID)
-		return nil
-	}
-	am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusConnect, telemetry.PeerStatusApplied)
-
-	if am.geo != nil && realIP != nil {
-		am.updatePeerLocationIfChanged(ctx, accountID, peer, realIP)
-	}
-
-	expired := peer.Status != nil && peer.Status.LoginExpired
-
-	if peer.AddedWithSSOLogin() {
-		settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		peer, err = transaction.GetPeerByPeerPubKey(ctx, store.LockingStrengthUpdate, peerPubKey)
 		if err != nil {
 			return err
 		}
+
+		if connected && !syncTime.After(peer.Status.LastSeen) {
+			log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s >= syncTime=%s), skipping connect",
+				peer.ID, peer.Status.LastSeen.Format(time.RFC3339), syncTime.Format(time.RFC3339))
+			skipped = true
+			return nil
+		}
+
+		expired, err = updatePeerStatusAndLocation(ctx, am.geo, transaction, peer, connected, realIP, accountID, syncTime)
+		return err
+	})
+	if skipped {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	if peer.AddedWithSSOLogin() {
+		settings, err = am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
+		if err != nil {
+			return err
+		}
+
 		if peer.LoginExpirationEnabled && settings.PeerLoginExpirationEnabled {
 			am.schedulePeerLoginExpiration(ctx, accountID)
 		}
+
 		if peer.InactivityExpirationEnabled && settings.PeerInactivityExpirationEnabled {
 			am.checkAndSchedulePeerInactivityExpiration(ctx, accountID)
 		}
 	}
 
 	if expired {
-		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID}); err != nil {
+		err = am.networkMapController.OnPeersUpdated(ctx, accountID, []string{peer.ID})
+		if err != nil {
 			return fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
 	}
@@ -128,60 +120,41 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 	return nil
 }
 
-// MarkPeerDisconnected marks a peer as disconnected, but only when the
-// stored session token matches the one passed in. A mismatch means a
-// newer stream has already taken ownership of the peer — disconnects from
-// the older stream are ignored. LastSeen is written by the database.
-func (am *DefaultAccountManager) MarkPeerDisconnected(ctx context.Context, peerPubKey string, accountID string, sessionStartedAt int64) error {
-	start := time.Now()
-	defer func() {
-		am.metrics.AccountManagerMetrics().RecordPeerStatusUpdateDuration(telemetry.PeerStatusDisconnect, time.Since(start))
-	}()
+func updatePeerStatusAndLocation(ctx context.Context, geo geolocation.Geolocation, transaction store.Store, peer *nbpeer.Peer, connected bool, realIP net.IP, accountID string, syncTime time.Time) (bool, error) {
+	oldStatus := peer.Status.Copy()
+	newStatus := oldStatus
+	newStatus.LastSeen = syncTime
+	newStatus.Connected = connected
+	// whenever peer got connected that means that it logged in successfully
+	if newStatus.Connected {
+		newStatus.LoginExpired = false
+	}
+	peer.Status = newStatus
 
-	peer, err := am.Store.GetPeerByPeerPubKey(ctx, store.LockingStrengthNone, peerPubKey)
-	if err != nil {
-		outcome := telemetry.PeerStatusError
-		if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
-			outcome = telemetry.PeerStatusPeerNotFound
+	if geo != nil && realIP != nil {
+		location, err := geo.Lookup(realIP)
+		if err != nil {
+			log.WithContext(ctx).Warnf("failed to get location for peer %s realip: [%s]: %v", peer.ID, realIP.String(), err)
+		} else {
+			peer.Location.ConnectionIP = realIP
+			peer.Location.CountryCode = location.Country.ISOCode
+			peer.Location.CityName = location.City.Names.En
+			peer.Location.GeoNameID = location.City.GeonameID
+			err = transaction.SavePeerLocation(ctx, accountID, peer)
+			if err != nil {
+				log.WithContext(ctx).Warnf("could not store location for peer %s: %s", peer.ID, err)
+			}
 		}
-		am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusDisconnect, outcome)
-		return err
 	}
 
-	updated, err := am.Store.MarkPeerDisconnectedIfSameSession(ctx, accountID, peer.ID, sessionStartedAt)
-	if err != nil {
-		am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusDisconnect, telemetry.PeerStatusError)
-		return err
-	}
-	if !updated {
-		am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusDisconnect, telemetry.PeerStatusStale)
-		log.WithContext(ctx).Tracef("peer %s session token mismatch on disconnect (token=%d), skipping",
-			peer.ID, sessionStartedAt)
-		return nil
-	}
-	am.metrics.AccountManagerMetrics().CountPeerStatusUpdate(telemetry.PeerStatusDisconnect, telemetry.PeerStatusApplied)
-	return nil
-}
+	log.WithContext(ctx).Debugf("saving peer status for peer %s is connected: %t", peer.ID, connected)
 
-// updatePeerLocationIfChanged refreshes the geolocation on a separate
-// row update, only when the connection IP actually changed. Geo lookups
-// are expensive so we skip same-IP reconnects.
-func (am *DefaultAccountManager) updatePeerLocationIfChanged(ctx context.Context, accountID string, peer *nbpeer.Peer, realIP net.IP) {
-	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) {
-		return
-	}
-	location, err := am.geo.Lookup(realIP)
+	err := transaction.SavePeerStatus(ctx, accountID, peer.ID, *newStatus)
 	if err != nil {
-		log.WithContext(ctx).Warnf("failed to get location for peer %s realip: [%s]: %v", peer.ID, realIP.String(), err)
-		return
-	}
-	peer.Location.ConnectionIP = realIP
-	peer.Location.CountryCode = location.Country.ISOCode
-	peer.Location.CityName = location.City.Names.En
-	peer.Location.GeoNameID = location.City.GeonameID
-	if err := am.Store.SavePeerLocation(ctx, accountID, peer); err != nil {
-		log.WithContext(ctx).Warnf("could not store location for peer %s: %s", peer.ID, err)
+		return false, err
 	}
+
+	return oldStatus.LoginExpired, nil
 }
 
 // UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, Peer.LoginExpirationEnabled and Peer.InactivityExpirationEnabled can be updated.

management/server/peer/peer.go

@@ -74,19 +74,8 @@ type ProxyMeta struct {
 }
 
 type PeerStatus struct { //nolint:revive
-	// LastSeen is the last time the peer status was updated (i.e. the last
-	// time we observed the peer being alive on a sync stream). Written by
-	// the database (CURRENT_TIMESTAMP) — callers do not supply it.
+	// LastSeen is the last time peer was connected to the management service
 	LastSeen time.Time
-	// SessionStartedAt records when the currently-active sync stream began,
-	// stored as Unix nanoseconds. It acts as the optimistic-locking token
-	// for status updates: a stream is only allowed to mutate the peer's
-	// status when its own token strictly exceeds the stored token (when connecting)
-	// or matches it exactly (for disconnects). Zero means "no
-	// active session". Integer nanoseconds are used so equality is
-	// precision-safe across drivers, and so the predicates compose to a
-	// single bigint comparison.
-	SessionStartedAt int64 `gorm:"not null;default:0"`
 	// Connected indicates whether peer is connected to the management service or not
 	Connected bool
 	// LoginExpired
@@ -386,14 +375,10 @@ func (p *Peer) EventMeta(dnsDomain string) map[string]any {
 	return meta
 }
 
-// Copy PeerStatus. SessionStartedAt must be propagated so clone-based
-// callers (Peer.Copy, MarkLoginExpired, UpdateLastLogin) don't silently
-// reset the fencing token to zero — that would let any subsequent
-// SavePeerStatus write reopen the optimistic-lock window.
+// Copy PeerStatus
 func (p *PeerStatus) Copy() *PeerStatus {
 	return &PeerStatus{
 		LastSeen:         p.LastSeen,
-		SessionStartedAt: p.SessionStartedAt,
 		Connected:        p.Connected,
 		LoginExpired:     p.LoginExpired,
 		RequiresApproval: p.RequiresApproval,

management/server/peer_test.go

@@ -2218,9 +2218,6 @@ func Test_IsUniqueConstraintError(t *testing.T) {
 		ID:        "test-peer-id",
 		AccountID: "bf1c8084-ba50-4ce7-9439-34653001fc3b",
 		DNSLabel:  "test-peer-dns-label",
-		Status: &nbpeer.PeerStatus{
-			LastSeen: time.Now(),
-		},
 	}
 
 	for _, tt := range tests {

management/server/store/sql_store.go

@@ -498,9 +498,8 @@ func (s *SqlStore) SavePeerStatus(ctx context.Context, accountID, peerID string,
 	peerCopy.Status = &peerStatus
 
 	fieldsToUpdate := []string{
-		"peer_status_last_seen", "peer_status_session_started_at",
-		"peer_status_connected", "peer_status_login_expired",
-		"peer_status_requires_approval",
+		"peer_status_last_seen", "peer_status_connected",
+		"peer_status_login_expired", "peer_status_required_approval",
 	}
 	result := s.db.Model(&nbpeer.Peer{}).
 		Select(fieldsToUpdate).
@@ -517,69 +516,6 @@ func (s *SqlStore) SavePeerStatus(ctx context.Context, accountID, peerID string,
 	return nil
 }
 
-// MarkPeerConnectedIfNewerSession is an atomic optimistic-locked update.
-// The peer is marked connected with the given session token only when
-// the stored SessionStartedAt is strictly smaller than the incoming
-// one — equivalently, when no newer stream has already taken ownership.
-// The sentinel zero (set on peer creation or after a disconnect) counts
-// as the smallest possible token. This is the write half of the
-// fencing protocol described on PeerStatus.SessionStartedAt.
-//
-// The post-write side effects in the caller — geo lookup,
-// schedulePeerLoginExpiration, checkAndSchedulePeerInactivityExpiration,
-// OnPeersUpdated — all run AFTER this method returns and are deliberately
-// outside the database write so they cannot extend the row-lock window.
-//
-// LastSeen is set to the database's clock (CURRENT_TIMESTAMP) at the
-// moment the row is written. The caller never supplies LastSeen because
-// the value would otherwise drift under lock contention — a Go-side
-// time.Now() taken before the write can land minutes later than the
-// actual UPDATE under load, which previously caused real ordering bugs.
-func (s *SqlStore) MarkPeerConnectedIfNewerSession(ctx context.Context, accountID, peerID string, newSessionStartedAt int64) (bool, error) {
-	result := s.db.WithContext(ctx).
-		Model(&nbpeer.Peer{}).
-		Where(accountAndIDQueryCondition, accountID, peerID).
-		Where("peer_status_session_started_at < ?", newSessionStartedAt).
-		Updates(map[string]any{
-			"peer_status_connected":          true,
-			"peer_status_last_seen":          gorm.Expr("CURRENT_TIMESTAMP"),
-			"peer_status_session_started_at": newSessionStartedAt,
-			"peer_status_login_expired":      false,
-		})
-	if result.Error != nil {
-		return false, status.Errorf(status.Internal, "mark peer connected: %v", result.Error)
-	}
-	return result.RowsAffected > 0, nil
-}
-
-// MarkPeerDisconnectedIfSameSession is an atomic optimistic-locked update.
-// The peer is marked disconnected only when the stored SessionStartedAt
-// matches the incoming token — meaning the stream that owns the current
-// session is the one ending. If a newer stream has already replaced the
-// session, the update is skipped. LastSeen is set to CURRENT_TIMESTAMP at
-// write time; see MarkPeerConnectedIfNewerSession for the rationale.
-//
-// A zero sessionStartedAt is rejected at the call site; the underlying
-// WHERE on equality would otherwise match every never-connected peer.
-func (s *SqlStore) MarkPeerDisconnectedIfSameSession(ctx context.Context, accountID, peerID string, sessionStartedAt int64) (bool, error) {
-	if sessionStartedAt == 0 {
-		return false, nil
-	}
-	result := s.db.WithContext(ctx).
-		Model(&nbpeer.Peer{}).
-		Where(accountAndIDQueryCondition, accountID, peerID).
-		Where("peer_status_session_started_at = ?", sessionStartedAt).
-		Updates(map[string]any{
-			"peer_status_connected":          false,
-			"peer_status_last_seen":          gorm.Expr("CURRENT_TIMESTAMP"),
-			"peer_status_session_started_at": int64(0),
-		})
-	if result.Error != nil {
-		return false, status.Errorf(status.Internal, "mark peer disconnected: %v", result.Error)
-	}
-	return result.RowsAffected > 0, nil
-}
-
 func (s *SqlStore) SavePeerLocation(ctx context.Context, accountID string, peerWithLocation *nbpeer.Peer) error {
 	// To maintain data integrity, we create a copy of the peer's location to prevent unintended updates to other fields.
 	var peerCopy nbpeer.Peer
@@ -1787,10 +1723,9 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 	inactivity_expiration_enabled, last_login, created_at, ephemeral, extra_dns_labels, allow_extra_dns_labels, meta_hostname,
 	meta_go_os, meta_kernel, meta_core, meta_platform, meta_os, meta_os_version, meta_wt_version, meta_ui_version,
 	meta_kernel_version, meta_network_addresses, meta_system_serial_number, meta_system_product_name, meta_system_manufacturer,
-	meta_environment, meta_flags, meta_files, meta_capabilities, peer_status_last_seen, peer_status_session_started_at,
-	peer_status_connected, peer_status_login_expired, peer_status_requires_approval, location_connection_ip,
-	location_country_code, location_city_name, location_geo_name_id, proxy_meta_embedded, proxy_meta_cluster, ipv6
-	FROM peers WHERE account_id = $1`
+	meta_environment, meta_flags, meta_files, meta_capabilities, peer_status_last_seen, peer_status_connected, peer_status_login_expired,
+	peer_status_requires_approval, location_connection_ip, location_country_code, location_city_name,
+	location_geo_name_id, proxy_meta_embedded, proxy_meta_cluster, ipv6 FROM peers WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -1803,7 +1738,6 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			lastLogin, createdAt                                                                            sql.NullTime
 			sshEnabled, loginExpirationEnabled, inactivityExpirationEnabled, ephemeral, allowExtraDNSLabels sql.NullBool
 			peerStatusLastSeen                                                                              sql.NullTime
-			peerStatusSessionStartedAt                                                                      sql.NullInt64
 			peerStatusConnected, peerStatusLoginExpired, peerStatusRequiresApproval, proxyEmbedded          sql.NullBool
 			ip, extraDNS, netAddr, env, flags, files, capabilities, connIP, ipv6                            []byte
 			metaHostname, metaGoOS, metaKernel, metaCore, metaPlatform                                      sql.NullString
@@ -1818,9 +1752,8 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			&allowExtraDNSLabels, &metaHostname, &metaGoOS, &metaKernel, &metaCore, &metaPlatform,
 			&metaOS, &metaOSVersion, &metaWtVersion, &metaUIVersion, &metaKernelVersion, &netAddr,
 			&metaSystemSerialNumber, &metaSystemProductName, &metaSystemManufacturer, &env, &flags, &files, &capabilities,
-			&peerStatusLastSeen, &peerStatusSessionStartedAt, &peerStatusConnected, &peerStatusLoginExpired,
-			&peerStatusRequiresApproval, &connIP, &locationCountryCode, &locationCityName, &locationGeoNameID,
-			&proxyEmbedded, &proxyCluster, &ipv6)
+			&peerStatusLastSeen, &peerStatusConnected, &peerStatusLoginExpired, &peerStatusRequiresApproval, &connIP,
+			&locationCountryCode, &locationCityName, &locationGeoNameID, &proxyEmbedded, &proxyCluster, &ipv6)
 
 		if err == nil {
 			if lastLogin.Valid {
@@ -1847,9 +1780,6 @@ func (s *SqlStore) getPeers(ctx context.Context, accountID string) ([]nbpeer.Pee
 			if peerStatusLastSeen.Valid {
 				p.Status.LastSeen = peerStatusLastSeen.Time
 			}
-			if peerStatusSessionStartedAt.Valid {
-				p.Status.SessionStartedAt = peerStatusSessionStartedAt.Int64
-			}
 			if peerStatusConnected.Valid {
 				p.Status.Connected = peerStatusConnected.Bool
 			}
@@ -4315,27 +4245,11 @@ func (s *SqlStore) GetNetworkRouterByID(ctx context.Context, lockStrength Lockin
 	return netRouter, nil
 }
 
-func (s *SqlStore) CreateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error {
-	if err := s.db.Create(router).Error; err != nil {
-		log.WithContext(ctx).Errorf("failed to create network router in store: %v", err)
-		return status.Errorf(status.Internal, "failed to create network router in store")
-	}
-
-	return nil
-}
-
-func (s *SqlStore) UpdateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error {
-	result := s.db.
-		Select("*").
-		Where(accountAndIDQueryCondition, router.AccountID, router.ID).
-		Updates(router)
+func (s *SqlStore) SaveNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error {
+	result := s.db.Save(router)
 	if result.Error != nil {
-		log.WithContext(ctx).Errorf("failed to update network router in store: %v", result.Error)
-		return status.Errorf(status.Internal, "failed to update network router in store")
-	}
-
-	if result.RowsAffected == 0 {
-		return status.NewNetworkRouterNotFoundError(router.ID)
+		log.WithContext(ctx).Errorf("failed to save network router to store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to save network router to store")
 	}
 
 	return nil
@@ -5752,67 +5666,19 @@ func (s *SqlStore) DeleteAccountCluster(ctx context.Context, clusterAddress, acc
 	return nil
 }
 
-// GetProxyClusters returns every cluster the account can see (shared
-// plus its own BYOP), regardless of whether any proxy in the cluster
-// is currently heartbeating. Online and ConnectedProxies are derived
-// from the 2-min active window so the dashboard can render offline
-// clusters distinctly; the 1-hour heartbeat reaper still removes rows
-// that go quiet for too long.
-//
-// AccountOwned is determined by whether any proxy row in the group
-// carries a non-NULL account_id; the caller maps that to Cluster.Type.
-// Capability flags are NOT filled here — the handler enriches them via
-// the per-cluster capability lookups.
-func (s *SqlStore) GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
-	activeCutoff := time.Now().Add(-proxyActiveThreshold)
+func (s *SqlStore) GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
+	var clusters []proxy.Cluster
 
-	type clusterRow struct {
-		ID               string
-		Address          string
-		ConnectedProxies int
-		Online           bool
-		AccountOwned     bool
-	}
-
-	var rows []clusterRow
 	result := s.db.Model(&proxy.Proxy{}).
-		Select(
-			"MIN(id) AS id, "+
-				"cluster_address AS address, "+
-				// COUNT(CASE WHEN ... THEN 1 END) counts only non-NULL — i.e. only
-				// rows that satisfy the predicate — so it works portably across
-				// sqlite/postgres/mysql without dialect-specific FILTER syntax.
-				"COUNT(CASE WHEN status = ? AND last_seen > ? THEN 1 END) AS connected_proxies, "+
-				// MAX(CASE …) > 0 expresses BOOL_OR in a way Postgres tolerates
-				// (Postgres can't MAX a boolean column).
-				"MAX(CASE WHEN status = ? AND last_seen > ? THEN 1 ELSE 0 END) > 0 AS online, "+
-				"MAX(CASE WHEN account_id IS NOT NULL THEN 1 ELSE 0 END) > 0 AS account_owned",
-			proxy.StatusConnected, activeCutoff,
-			proxy.StatusConnected, activeCutoff,
-		).
-		Where("account_id IS NULL OR account_id = ?", accountID).
+		Select("MIN(id) as id, cluster_address as address, COUNT(*) as connected_proxies, COUNT(account_id) > 0 as self_hosted").
+		Where("status = ? AND last_seen > ? AND (account_id IS NULL OR account_id = ?)",
+			proxy.StatusConnected, time.Now().Add(-proxyActiveThreshold), accountID).
 		Group("cluster_address").
-		Scan(&rows)
+		Scan(&clusters)
 
 	if result.Error != nil {
-		log.WithContext(ctx).Errorf("failed to get proxy clusters: %v", result.Error)
-		return nil, status.Errorf(status.Internal, "get proxy clusters")
-	}
-
-	clusters := make([]proxy.Cluster, 0, len(rows))
-	for _, r := range rows {
-		c := proxy.Cluster{
-			ID:               r.ID,
-			Address:          r.Address,
-			Online:           r.Online,
-			ConnectedProxies: r.ConnectedProxies,
-		}
-		if r.AccountOwned {
-			c.Type = proxy.ClusterTypeAccount
-		} else {
-			c.Type = proxy.ClusterTypeShared
-		}
-		clusters = append(clusters, c)
+		log.WithContext(ctx).Errorf("failed to get active proxy clusters: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "get active proxy clusters")
 	}
 
 	return clusters, nil

management/server/store/sql_store_proxy_clusters_test.go

@@ -1,109 +0,0 @@
-package store
-
-import (
-	"context"
-	"os"
-	"runtime"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	rpproxy "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
-)
-
-// TestSqlStore_GetProxyClusters_DerivesOnlineAndType guards the
-// account-visible cluster list against silent regressions in two
-// dimensions:
-//
-//  1. Online derivation: a cluster with one stale and one fresh proxy
-//     is online and counts only the fresh proxy; a cluster whose
-//     proxies all heartbeated outside the 2-min window appears offline
-//     with connected_proxies = 0 (rather than disappearing, which is
-//     what the old query did).
-//  2. Type derivation: a cluster scoped to the calling account is
-//     reported as `account`; a cluster with account_id IS NULL is
-//     reported as `shared`. Clusters scoped to other accounts must not
-//     leak into the result.
-//
-// Capability flags are intentionally not asserted here — they're filled
-// by the manager (handler) layer from the per-cluster capability
-// lookups, not by the store query.
-func TestSqlStore_GetProxyClusters_DerivesOnlineAndType(t *testing.T) {
-	if (os.Getenv("CI") == "true" && runtime.GOOS == "darwin") || runtime.GOOS == "windows" {
-		t.Skip("skip CI tests on darwin and windows")
-	}
-
-	runTestForAllEngines(t, "", func(t *testing.T, store Store) {
-		ctx := context.Background()
-		accountID := "acct-clusters"
-		require.NoError(t, store.SaveAccount(ctx, newAccountWithId(ctx, accountID, "user-1", "")))
-
-		otherAccountID := "acct-other"
-		require.NoError(t, store.SaveAccount(ctx, newAccountWithId(ctx, otherAccountID, "user-2", "")))
-
-		acctID := accountID
-		otherID := otherAccountID
-
-		fresh := time.Now().Add(-30 * time.Second)
-		stale := time.Now().Add(-30 * time.Minute)
-
-		mustSave := func(id, cluster string, accID *string, status string, lastSeen time.Time) {
-			require.NoError(t, store.SaveProxy(ctx, &rpproxy.Proxy{
-				ID:             id,
-				SessionID:      id + "-sess",
-				ClusterAddress: cluster,
-				IPAddress:      "10.0.0.1",
-				AccountID:      accID,
-				LastSeen:       lastSeen,
-				Status:         status,
-			}))
-		}
-
-		// shared-mixed: one fresh + one stale proxy → online, connected=1
-		mustSave("p-shared-fresh", "shared-mixed.netbird.io", nil, rpproxy.StatusConnected, fresh)
-		mustSave("p-shared-stale", "shared-mixed.netbird.io", nil, rpproxy.StatusConnected, stale)
-
-		// shared-offline: only stale proxies → offline, connected=0,
-		// but row must still appear (this is the new semantic — old
-		// query would have dropped it entirely).
-		mustSave("p-shared-off", "shared-offline.netbird.io", nil, rpproxy.StatusConnected, stale)
-
-		// account-online: BYOP cluster owned by acctID, fresh
-		mustSave("p-acct-fresh", "byop.acct.example", &acctID, rpproxy.StatusConnected, fresh)
-
-		// other-account: must not surface for acctID
-		mustSave("p-other", "byop.other.example", &otherID, rpproxy.StatusConnected, fresh)
-
-		clusters, err := store.GetProxyClusters(ctx, accountID)
-		require.NoError(t, err)
-
-		byAddr := map[string]rpproxy.Cluster{}
-		for _, c := range clusters {
-			byAddr[c.Address] = c
-		}
-
-		assert.NotContains(t, byAddr, "byop.other.example",
-			"another account's BYOP cluster must not leak into this account's listing")
-
-		require.Contains(t, byAddr, "shared-mixed.netbird.io")
-		mixed := byAddr["shared-mixed.netbird.io"]
-		assert.Equal(t, rpproxy.ClusterTypeShared, mixed.Type, "shared cluster (account_id IS NULL) must be reported as Type=shared")
-		assert.True(t, mixed.Online, "cluster with a fresh proxy must be online")
-		assert.Equal(t, 1, mixed.ConnectedProxies, "connected_proxies must count only fresh proxies; the stale one should not bump the count")
-
-		require.Contains(t, byAddr, "shared-offline.netbird.io",
-			"offline clusters must still appear so the dashboard can render them — the old GetActiveProxyClusters would have dropped this row, which is the regression this test guards against")
-		offline := byAddr["shared-offline.netbird.io"]
-		assert.Equal(t, rpproxy.ClusterTypeShared, offline.Type)
-		assert.False(t, offline.Online, "no fresh heartbeat → offline")
-		assert.Equal(t, 0, offline.ConnectedProxies, "no fresh proxies → connected_proxies=0")
-
-		require.Contains(t, byAddr, "byop.acct.example")
-		acct := byAddr["byop.acct.example"]
-		assert.Equal(t, rpproxy.ClusterTypeAccount, acct.Type, "BYOP cluster owned by the account must be reported as Type=account")
-		assert.True(t, acct.Online)
-		assert.Equal(t, 1, acct.ConnectedProxies)
-	})
-}

management/server/store/sql_store_test.go

@@ -2399,7 +2399,7 @@ func TestSqlStore_GetNetworkRouterByID(t *testing.T) {
 	}
 }
 
-func TestSqlStore_CreateNetworkRouter(t *testing.T) {
+func TestSqlStore_SaveNetworkRouter(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
 	t.Cleanup(cleanup)
 	require.NoError(t, err)
@@ -2410,7 +2410,7 @@ func TestSqlStore_CreateNetworkRouter(t *testing.T) {
 	netRouter, err := routerTypes.NewNetworkRouter(accountID, networkID, "", []string{"net-router-grp"}, true, 0, true)
 	require.NoError(t, err)
 
-	err = store.CreateNetworkRouter(context.Background(), netRouter)
+	err = store.SaveNetworkRouter(context.Background(), netRouter)
 	require.NoError(t, err)
 
 	savedNetRouter, err := store.GetNetworkRouterByID(context.Background(), LockingStrengthNone, accountID, netRouter.ID)
@@ -2418,39 +2418,6 @@ func TestSqlStore_CreateNetworkRouter(t *testing.T) {
 	require.Equal(t, netRouter, savedNetRouter)
 }
 
-func TestSqlStore_UpdateNetworkRouter(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-	networkID := "ct286bi7qv930dsrrug0"
-	routerID := "ctc20ji7qv9ck2sebc80"
-
-	netRouter := &routerTypes.NetworkRouter{
-		ID:         routerID,
-		AccountID:  accountID,
-		NetworkID:  networkID,
-		Peer:       "",
-		PeerGroups: []string{"net-router-grp"},
-		Masquerade: true,
-		Metric:     42,
-		Enabled:    true,
-	}
-
-	err = store.UpdateNetworkRouter(context.Background(), netRouter)
-	require.NoError(t, err)
-
-	savedNetRouter, err := store.GetNetworkRouterByID(context.Background(), LockingStrengthNone, accountID, routerID)
-	require.NoError(t, err)
-	require.Equal(t, netRouter, savedNetRouter)
-
-	// Updating a router under a different account must not match any row.
-	netRouter.AccountID = "non-existent-account"
-	err = store.UpdateNetworkRouter(context.Background(), netRouter)
-	require.Error(t, err)
-}
-
 func TestSqlStore_DeleteNetworkRouter(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
 	t.Cleanup(cleanup)

management/server/store/store.go

@@ -167,21 +167,6 @@ type Store interface {
 	GetAllEphemeralPeers(ctx context.Context, lockStrength LockingStrength) ([]*nbpeer.Peer, error)
 	SavePeer(ctx context.Context, accountID string, peer *nbpeer.Peer) error
 	SavePeerStatus(ctx context.Context, accountID, peerID string, status nbpeer.PeerStatus) error
-	// MarkPeerConnectedIfNewerSession sets the peer to connected with the
-	// given session token, but only when the stored SessionStartedAt is
-	// strictly less than newSessionStartedAt (the sentinel zero counts as
-	// "older"). LastSeen is recorded by the database at the moment the
-	// row is updated — never by the caller — so it always reflects the
-	// real write time even under lock contention.
-	// Returns true when the update happened, false when this stream lost
-	// the race against a newer session.
-	MarkPeerConnectedIfNewerSession(ctx context.Context, accountID, peerID string, newSessionStartedAt int64) (bool, error)
-	// MarkPeerDisconnectedIfSameSession sets the peer to disconnected and
-	// resets SessionStartedAt to zero, but only when the stored
-	// SessionStartedAt equals the given sessionStartedAt. LastSeen is
-	// recorded by the database. Returns true when the update happened,
-	// false when a newer session has taken over.
-	MarkPeerDisconnectedIfSameSession(ctx context.Context, accountID, peerID string, sessionStartedAt int64) (bool, error)
 	SavePeerLocation(ctx context.Context, accountID string, peer *nbpeer.Peer) error
 	ApproveAccountPeers(ctx context.Context, accountID string) (int, error)
 	DeletePeer(ctx context.Context, accountID string, peerID string) error
@@ -228,8 +213,7 @@ type Store interface {
 	GetNetworkRoutersByNetID(ctx context.Context, lockStrength LockingStrength, accountID, netID string) ([]*routerTypes.NetworkRouter, error)
 	GetNetworkRoutersByAccountID(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*routerTypes.NetworkRouter, error)
 	GetNetworkRouterByID(ctx context.Context, lockStrength LockingStrength, accountID, routerID string) (*routerTypes.NetworkRouter, error)
-	CreateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error
-	UpdateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error
+	SaveNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error
 	DeleteNetworkRouter(ctx context.Context, accountID, routerID string) error
 
 	GetNetworkResourcesByNetID(ctx context.Context, lockStrength LockingStrength, accountID, netID string) ([]*resourceTypes.NetworkResource, error)
@@ -308,7 +292,7 @@ type Store interface {
 	UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error
 	GetActiveProxyClusterAddresses(ctx context.Context) ([]string, error)
 	GetActiveProxyClusterAddressesForAccount(ctx context.Context, accountID string) ([]string, error)
-	GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
+	GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
 	GetClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	GetClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	GetClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
@@ -472,9 +456,6 @@ func getMigrationsPreAuto(ctx context.Context) []migrationFunc {
 		func(db *gorm.DB) error {
 			return migration.MigrateNewField[types.User](ctx, db, "email", "")
 		},
-		func(db *gorm.DB) error {
-			return migration.MigrateNewField[nbpeer.Peer](ctx, db, "peer_status_session_started_at", int64(0))
-		},
 		func(db *gorm.DB) error {
 			return migration.RemoveDuplicatePeerKeys(ctx, db)
 		},

management/server/store/store_mock.go

@@ -310,20 +310,6 @@ func (mr *MockStoreMockRecorder) CreateGroups(ctx, accountID, groups interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateGroups", reflect.TypeOf((*MockStore)(nil).CreateGroups), ctx, accountID, groups)
 }
 
-// CreateNetworkRouter mocks base method.
-func (m *MockStore) CreateNetworkRouter(ctx context.Context, router *types0.NetworkRouter) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateNetworkRouter", ctx, router)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CreateNetworkRouter indicates an expected call of CreateNetworkRouter.
-func (mr *MockStoreMockRecorder) CreateNetworkRouter(ctx, router interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateNetworkRouter", reflect.TypeOf((*MockStore)(nil).CreateNetworkRouter), ctx, router)
-}
-
 // CreatePeerJob mocks base method.
 func (m *MockStore) CreatePeerJob(ctx context.Context, job *types2.Job) error {
 	m.ctrl.T.Helper()
@@ -394,20 +380,6 @@ func (mr *MockStoreMockRecorder) DeleteAccount(ctx, account interface{}) *gomock
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccount", reflect.TypeOf((*MockStore)(nil).DeleteAccount), ctx, account)
 }
 
-// DeleteAccountCluster mocks base method.
-func (m *MockStore) DeleteAccountCluster(ctx context.Context, clusterAddress, accountID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, clusterAddress, accountID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
-func (mr *MockStoreMockRecorder) DeleteAccountCluster(ctx, clusterAddress, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockStore)(nil).DeleteAccountCluster), ctx, clusterAddress, accountID)
-}
-
 // DeleteCustomDomain mocks base method.
 func (m *MockStore) DeleteCustomDomain(ctx context.Context, accountID, domainID string) error {
 	m.ctrl.T.Helper()
@@ -605,6 +577,20 @@ func (mr *MockStoreMockRecorder) DeletePostureChecks(ctx, accountID, postureChec
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePostureChecks", reflect.TypeOf((*MockStore)(nil).DeletePostureChecks), ctx, accountID, postureChecksID)
 }
 
+// DeleteAccountCluster mocks base method.
+func (m *MockStore) DeleteAccountCluster(ctx context.Context, clusterAddress, accountID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, clusterAddress, accountID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
+func (mr *MockStoreMockRecorder) DeleteAccountCluster(ctx, clusterAddress, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockStore)(nil).DeleteAccountCluster), ctx, clusterAddress, accountID)
+}
+
 // DeleteRoute mocks base method.
 func (m *MockStore) DeleteRoute(ctx context.Context, accountID, routeID string) error {
 	m.ctrl.T.Helper()
@@ -745,20 +731,6 @@ func (mr *MockStoreMockRecorder) DeleteZoneDNSRecords(ctx, accountID, zoneID int
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteZoneDNSRecords", reflect.TypeOf((*MockStore)(nil).DeleteZoneDNSRecords), ctx, accountID, zoneID)
 }
 
-// DisconnectProxy mocks base method.
-func (m *MockStore) DisconnectProxy(ctx context.Context, proxyID, sessionID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DisconnectProxy", ctx, proxyID, sessionID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DisconnectProxy indicates an expected call of DisconnectProxy.
-func (mr *MockStoreMockRecorder) DisconnectProxy(ctx, proxyID, sessionID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisconnectProxy", reflect.TypeOf((*MockStore)(nil).DisconnectProxy), ctx, proxyID, sessionID)
-}
-
 // EphemeralServiceExists mocks base method.
 func (m *MockStore) EphemeralServiceExists(ctx context.Context, lockStrength LockingStrength, accountID, peerID, domain string) (bool, error) {
 	m.ctrl.T.Helper()
@@ -1360,6 +1332,21 @@ func (mr *MockStoreMockRecorder) GetActiveProxyClusterAddressesForAccount(ctx, a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveProxyClusterAddressesForAccount", reflect.TypeOf((*MockStore)(nil).GetActiveProxyClusterAddressesForAccount), ctx, accountID)
 }
 
+// GetActiveProxyClusters mocks base method.
+func (m *MockStore) GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetActiveProxyClusters", ctx, accountID)
+	ret0, _ := ret[0].([]proxy.Cluster)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetActiveProxyClusters indicates an expected call of GetActiveProxyClusters.
+func (mr *MockStoreMockRecorder) GetActiveProxyClusters(ctx, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveProxyClusters", reflect.TypeOf((*MockStore)(nil).GetActiveProxyClusters), ctx, accountID)
+}
+
 // GetAllAccounts mocks base method.
 func (m *MockStore) GetAllAccounts(ctx context.Context) []*types2.Account {
 	m.ctrl.T.Helper()
@@ -2061,21 +2048,6 @@ func (mr *MockStoreMockRecorder) GetProxyByAccountID(ctx, accountID interface{})
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxyByAccountID", reflect.TypeOf((*MockStore)(nil).GetProxyByAccountID), ctx, accountID)
 }
 
-// GetProxyClusters mocks base method.
-func (m *MockStore) GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetProxyClusters", ctx, accountID)
-	ret0, _ := ret[0].([]proxy.Cluster)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetProxyClusters indicates an expected call of GetProxyClusters.
-func (mr *MockStoreMockRecorder) GetProxyClusters(ctx, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxyClusters", reflect.TypeOf((*MockStore)(nil).GetProxyClusters), ctx, accountID)
-}
-
 // GetResourceGroups mocks base method.
 func (m *MockStore) GetResourceGroups(ctx context.Context, lockStrength LockingStrength, accountID, resourceID string) ([]*types2.Group, error) {
 	m.ctrl.T.Helper()
@@ -2626,36 +2598,6 @@ func (mr *MockStoreMockRecorder) MarkPATUsed(ctx, patID interface{}) *gomock.Cal
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPATUsed", reflect.TypeOf((*MockStore)(nil).MarkPATUsed), ctx, patID)
 }
 
-// MarkPeerConnectedIfNewerSession mocks base method.
-func (m *MockStore) MarkPeerConnectedIfNewerSession(ctx context.Context, accountID, peerID string, newSessionStartedAt int64) (bool, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerConnectedIfNewerSession", ctx, accountID, peerID, newSessionStartedAt)
-	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// MarkPeerConnectedIfNewerSession indicates an expected call of MarkPeerConnectedIfNewerSession.
-func (mr *MockStoreMockRecorder) MarkPeerConnectedIfNewerSession(ctx, accountID, peerID, newSessionStartedAt interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnectedIfNewerSession", reflect.TypeOf((*MockStore)(nil).MarkPeerConnectedIfNewerSession), ctx, accountID, peerID, newSessionStartedAt)
-}
-
-// MarkPeerDisconnectedIfSameSession mocks base method.
-func (m *MockStore) MarkPeerDisconnectedIfSameSession(ctx context.Context, accountID, peerID string, sessionStartedAt int64) (bool, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerDisconnectedIfSameSession", ctx, accountID, peerID, sessionStartedAt)
-	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// MarkPeerDisconnectedIfSameSession indicates an expected call of MarkPeerDisconnectedIfSameSession.
-func (mr *MockStoreMockRecorder) MarkPeerDisconnectedIfSameSession(ctx, accountID, peerID, sessionStartedAt interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerDisconnectedIfSameSession", reflect.TypeOf((*MockStore)(nil).MarkPeerDisconnectedIfSameSession), ctx, accountID, peerID, sessionStartedAt)
-}
-
 // MarkPendingJobsAsFailed mocks base method.
 func (m *MockStore) MarkPendingJobsAsFailed(ctx context.Context, accountID, peerID, jobID, reason string) error {
 	m.ctrl.T.Helper()
@@ -2866,6 +2808,20 @@ func (mr *MockStoreMockRecorder) SaveNetworkResource(ctx, resource interface{})
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveNetworkResource", reflect.TypeOf((*MockStore)(nil).SaveNetworkResource), ctx, resource)
 }
 
+// SaveNetworkRouter mocks base method.
+func (m *MockStore) SaveNetworkRouter(ctx context.Context, router *types0.NetworkRouter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SaveNetworkRouter", ctx, router)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SaveNetworkRouter indicates an expected call of SaveNetworkRouter.
+func (mr *MockStoreMockRecorder) SaveNetworkRouter(ctx, router interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveNetworkRouter", reflect.TypeOf((*MockStore)(nil).SaveNetworkRouter), ctx, router)
+}
+
 // SavePAT mocks base method.
 func (m *MockStore) SavePAT(ctx context.Context, pat *types2.PersonalAccessToken) error {
 	m.ctrl.T.Helper()
@@ -2964,6 +2920,20 @@ func (mr *MockStoreMockRecorder) SaveProxy(ctx, proxy interface{}) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveProxy", reflect.TypeOf((*MockStore)(nil).SaveProxy), ctx, proxy)
 }
 
+// DisconnectProxy mocks base method.
+func (m *MockStore) DisconnectProxy(ctx context.Context, proxyID, sessionID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DisconnectProxy", ctx, proxyID, sessionID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DisconnectProxy indicates an expected call of DisconnectProxy.
+func (mr *MockStoreMockRecorder) DisconnectProxy(ctx, proxyID, sessionID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisconnectProxy", reflect.TypeOf((*MockStore)(nil).DisconnectProxy), ctx, proxyID, sessionID)
+}
+
 // SaveProxyAccessToken mocks base method.
 func (m *MockStore) SaveProxyAccessToken(ctx context.Context, token *types2.ProxyAccessToken) error {
 	m.ctrl.T.Helper()
@@ -3173,20 +3143,6 @@ func (mr *MockStoreMockRecorder) UpdateGroups(ctx, accountID, groups interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateGroups", reflect.TypeOf((*MockStore)(nil).UpdateGroups), ctx, accountID, groups)
 }
 
-// UpdateNetworkRouter mocks base method.
-func (m *MockStore) UpdateNetworkRouter(ctx context.Context, router *types0.NetworkRouter) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateNetworkRouter", ctx, router)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateNetworkRouter indicates an expected call of UpdateNetworkRouter.
-func (mr *MockStoreMockRecorder) UpdateNetworkRouter(ctx, router interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateNetworkRouter", reflect.TypeOf((*MockStore)(nil).UpdateNetworkRouter), ctx, router)
-}
-
 // UpdateProxyHeartbeat mocks base method.
 func (m *MockStore) UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error {
 	m.ctrl.T.Helper()

management/server/telemetry/accountmanager_metrics.go

@@ -16,8 +16,6 @@ type AccountManagerMetrics struct {
 	getPeerNetworkMapDurationMs  metric.Float64Histogram
 	networkMapObjectCount        metric.Int64Histogram
 	peerMetaUpdateCount          metric.Int64Counter
-	peerStatusUpdateCounter      metric.Int64Counter
-	peerStatusUpdateDurationMs   metric.Float64Histogram
 }
 
 // NewAccountManagerMetrics creates an instance of AccountManagerMetrics
@@ -66,24 +64,6 @@ func NewAccountManagerMetrics(ctx context.Context, meter metric.Meter) (*Account
 		return nil, err
 	}
 
-	// peerStatusUpdateCounter records every attempt to mark a peer as connected or disconnected
-	peerStatusUpdateCounter, err := meter.Int64Counter("management.account.peer.status.update.counter",
-		metric.WithUnit("1"),
-		metric.WithDescription("Number of peer status update attempts, labeled by operation (connect|disconnect) and outcome (applied|stale|error|peer_not_found)"))
-	if err != nil {
-		return nil, err
-	}
-
-	peerStatusUpdateDurationMs, err := meter.Float64Histogram("management.account.peer.status.update.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithExplicitBucketBoundaries(
-			1, 5, 15, 25, 50, 100, 250, 500, 1000, 2000, 5000,
-		),
-		metric.WithDescription("Duration of a peer status update (fence UPDATE + post-write side effects), labeled by operation"))
-	if err != nil {
-		return nil, err
-	}
-
 	return &AccountManagerMetrics{
 		ctx:                          ctx,
 		getPeerNetworkMapDurationMs:  getPeerNetworkMapDurationMs,
@@ -91,35 +71,10 @@ func NewAccountManagerMetrics(ctx context.Context, meter metric.Meter) (*Account
 		updateAccountPeersCounter:    updateAccountPeersCounter,
 		networkMapObjectCount:        networkMapObjectCount,
 		peerMetaUpdateCount:          peerMetaUpdateCount,
-		peerStatusUpdateCounter:      peerStatusUpdateCounter,
-		peerStatusUpdateDurationMs:   peerStatusUpdateDurationMs,
 	}, nil
 
 }
 
-// PeerStatusOperation labels the kind of fence-locked peer status write.
-type PeerStatusOperation string
-
-// PeerStatusOutcome labels how a fence-locked peer status write resolved.
-type PeerStatusOutcome string
-
-const (
-	PeerStatusConnect    PeerStatusOperation = "connect"
-	PeerStatusDisconnect PeerStatusOperation = "disconnect"
-
-	// PeerStatusApplied — the fence WHERE matched and the UPDATE landed.
-	PeerStatusApplied PeerStatusOutcome = "applied"
-	// PeerStatusStale — the fence WHERE rejected the write because a
-	// newer session has already taken ownership (connect: stored token
-	// >= incoming; disconnect: stored token != incoming).
-	PeerStatusStale PeerStatusOutcome = "stale"
-	// PeerStatusError — the store returned a non-NotFound error.
-	PeerStatusError PeerStatusOutcome = "error"
-	// PeerStatusPeerNotFound — the peer lookup failed (the peer was
-	// deleted between the gRPC sync handshake and the status write).
-	PeerStatusPeerNotFound PeerStatusOutcome = "peer_not_found"
-)
-
 // CountUpdateAccountPeersDuration counts the duration of updating account peers
 func (metrics *AccountManagerMetrics) CountUpdateAccountPeersDuration(duration time.Duration) {
 	metrics.updateAccountPeersDurationMs.Record(metrics.ctx, float64(duration.Nanoseconds())/1e6)
@@ -149,23 +104,3 @@ func (metrics *AccountManagerMetrics) CountUpdateAccountPeersTriggered(resource,
 func (metrics *AccountManagerMetrics) CountPeerMetUpdate() {
 	metrics.peerMetaUpdateCount.Add(metrics.ctx, 1)
 }
-
-// CountPeerStatusUpdate increments the connect/disconnect counter,
-// labeled by operation and outcome. Both labels are bounded enums.
-func (metrics *AccountManagerMetrics) CountPeerStatusUpdate(op PeerStatusOperation, outcome PeerStatusOutcome) {
-	metrics.peerStatusUpdateCounter.Add(metrics.ctx, 1,
-		metric.WithAttributes(
-			attribute.String("operation", string(op)),
-			attribute.String("outcome", string(outcome)),
-		),
-	)
-}
-
-// RecordPeerStatusUpdateDuration records the wall-clock time spent
-// running a peer status update (including post-write side effects),
-// labeled by operation.
-func (metrics *AccountManagerMetrics) RecordPeerStatusUpdateDuration(op PeerStatusOperation, d time.Duration) {
-	metrics.peerStatusUpdateDurationMs.Record(metrics.ctx, float64(d.Nanoseconds())/1e6,
-		metric.WithAttributes(attribute.String("operation", string(op))),
-	)
-}

management/server/telemetry/app_metrics.go

@@ -29,7 +29,6 @@ type MockAppMetrics struct {
 	StoreMetricsFunc             func() *StoreMetrics
 	UpdateChannelMetricsFunc     func() *UpdateChannelMetrics
 	AddAccountManagerMetricsFunc func() *AccountManagerMetrics
-	EphemeralPeersMetricsFunc    func() *EphemeralPeersMetrics
 }
 
 // GetMeter mocks the GetMeter function of the AppMetrics interface
@@ -104,14 +103,6 @@ func (mock *MockAppMetrics) AccountManagerMetrics() *AccountManagerMetrics {
 	return nil
 }
 
-// EphemeralPeersMetrics mocks the MockAppMetrics function of the EphemeralPeersMetrics interface
-func (mock *MockAppMetrics) EphemeralPeersMetrics() *EphemeralPeersMetrics {
-	if mock.EphemeralPeersMetricsFunc != nil {
-		return mock.EphemeralPeersMetricsFunc()
-	}
-	return nil
-}
-
 // AppMetrics is metrics interface
 type AppMetrics interface {
 	GetMeter() metric2.Meter
@@ -123,7 +114,6 @@ type AppMetrics interface {
 	StoreMetrics() *StoreMetrics
 	UpdateChannelMetrics() *UpdateChannelMetrics
 	AccountManagerMetrics() *AccountManagerMetrics
-	EphemeralPeersMetrics() *EphemeralPeersMetrics
 }
 
 // defaultAppMetrics are core application metrics based on OpenTelemetry https://opentelemetry.io/
@@ -139,7 +129,6 @@ type defaultAppMetrics struct {
 	storeMetrics          *StoreMetrics
 	updateChannelMetrics  *UpdateChannelMetrics
 	accountManagerMetrics *AccountManagerMetrics
-	ephemeralMetrics      *EphemeralPeersMetrics
 }
 
 // IDPMetrics returns metrics for the idp package
@@ -172,11 +161,6 @@ func (appMetrics *defaultAppMetrics) AccountManagerMetrics() *AccountManagerMetr
 	return appMetrics.accountManagerMetrics
 }
 
-// EphemeralPeersMetrics returns metrics for the ephemeral peer cleanup loop
-func (appMetrics *defaultAppMetrics) EphemeralPeersMetrics() *EphemeralPeersMetrics {
-	return appMetrics.ephemeralMetrics
-}
-
 // Close stop application metrics HTTP handler and closes listener.
 func (appMetrics *defaultAppMetrics) Close() error {
 	if appMetrics.listener == nil {
@@ -261,11 +245,6 @@ func NewDefaultAppMetrics(ctx context.Context) (AppMetrics, error) {
 		return nil, fmt.Errorf("failed to initialize account manager metrics: %w", err)
 	}
 
-	ephemeralMetrics, err := NewEphemeralPeersMetrics(ctx, meter)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize ephemeral peers metrics: %w", err)
-	}
-
 	return &defaultAppMetrics{
 		Meter:                 meter,
 		ctx:                   ctx,
@@ -275,7 +254,6 @@ func NewDefaultAppMetrics(ctx context.Context) (AppMetrics, error) {
 		storeMetrics:          storeMetrics,
 		updateChannelMetrics:  updateChannelMetrics,
 		accountManagerMetrics: accountManagerMetrics,
-		ephemeralMetrics:      ephemeralMetrics,
 	}, nil
 }
 
@@ -312,11 +290,6 @@ func NewAppMetricsWithMeter(ctx context.Context, meter metric2.Meter) (AppMetric
 		return nil, fmt.Errorf("failed to initialize account manager metrics: %w", err)
 	}
 
-	ephemeralMetrics, err := NewEphemeralPeersMetrics(ctx, meter)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize ephemeral peers metrics: %w", err)
-	}
-
 	return &defaultAppMetrics{
 		Meter:                 meter,
 		ctx:                   ctx,
@@ -327,6 +300,5 @@ func NewAppMetricsWithMeter(ctx context.Context, meter metric2.Meter) (AppMetric
 		storeMetrics:          storeMetrics,
 		updateChannelMetrics:  updateChannelMetrics,
 		accountManagerMetrics: accountManagerMetrics,
-		ephemeralMetrics:      ephemeralMetrics,
 	}, nil
 }

management/server/telemetry/ephemeral_metrics.go

@@ -1,115 +0,0 @@
-package telemetry
-
-import (
-	"context"
-
-	"go.opentelemetry.io/otel/metric"
-)
-
-// EphemeralPeersMetrics tracks the ephemeral peer cleanup pipeline: how
-// many peers are currently scheduled for deletion, how many tick runs
-// the cleaner has performed, how many peers it has removed, and how
-// many delete batches failed.
-type EphemeralPeersMetrics struct {
-	ctx context.Context
-
-	pending      metric.Int64UpDownCounter
-	cleanupRuns  metric.Int64Counter
-	peersCleaned metric.Int64Counter
-	errors       metric.Int64Counter
-}
-
-// NewEphemeralPeersMetrics constructs the ephemeral cleanup counters.
-func NewEphemeralPeersMetrics(ctx context.Context, meter metric.Meter) (*EphemeralPeersMetrics, error) {
-	pending, err := meter.Int64UpDownCounter("management.ephemeral.peers.pending",
-		metric.WithUnit("1"),
-		metric.WithDescription("Number of ephemeral peers currently waiting to be cleaned up"))
-	if err != nil {
-		return nil, err
-	}
-
-	cleanupRuns, err := meter.Int64Counter("management.ephemeral.cleanup.runs.counter",
-		metric.WithUnit("1"),
-		metric.WithDescription("Number of ephemeral cleanup ticks that processed at least one peer"))
-	if err != nil {
-		return nil, err
-	}
-
-	peersCleaned, err := meter.Int64Counter("management.ephemeral.peers.cleaned.counter",
-		metric.WithUnit("1"),
-		metric.WithDescription("Total number of ephemeral peers deleted by the cleanup loop"))
-	if err != nil {
-		return nil, err
-	}
-
-	errors, err := meter.Int64Counter("management.ephemeral.cleanup.errors.counter",
-		metric.WithUnit("1"),
-		metric.WithDescription("Number of ephemeral cleanup batches (per account) that failed to delete"))
-	if err != nil {
-		return nil, err
-	}
-
-	return &EphemeralPeersMetrics{
-		ctx:          ctx,
-		pending:      pending,
-		cleanupRuns:  cleanupRuns,
-		peersCleaned: peersCleaned,
-		errors:       errors,
-	}, nil
-}
-
-// All methods are nil-receiver safe so callers that haven't wired metrics
-// (tests, self-hosted with metrics off) can invoke them unconditionally.
-
-// IncPending bumps the pending gauge when a peer is added to the cleanup list.
-func (m *EphemeralPeersMetrics) IncPending() {
-	if m == nil {
-		return
-	}
-	m.pending.Add(m.ctx, 1)
-}
-
-// AddPending bumps the pending gauge by n — used at startup when the
-// initial set of ephemeral peers is loaded from the store.
-func (m *EphemeralPeersMetrics) AddPending(n int64) {
-	if m == nil || n <= 0 {
-		return
-	}
-	m.pending.Add(m.ctx, n)
-}
-
-// DecPending decreases the pending gauge — used both when a peer reconnects
-// before its deadline (removed from the list) and when a cleanup tick
-// actually deletes it.
-func (m *EphemeralPeersMetrics) DecPending(n int64) {
-	if m == nil || n <= 0 {
-		return
-	}
-	m.pending.Add(m.ctx, -n)
-}
-
-// CountCleanupRun records one cleanup pass that processed >0 peers. Idle
-// ticks (nothing to do) deliberately don't increment so the rate
-// reflects useful work.
-func (m *EphemeralPeersMetrics) CountCleanupRun() {
-	if m == nil {
-		return
-	}
-	m.cleanupRuns.Add(m.ctx, 1)
-}
-
-// CountPeersCleaned records the number of peers a single tick deleted.
-func (m *EphemeralPeersMetrics) CountPeersCleaned(n int64) {
-	if m == nil || n <= 0 {
-		return
-	}
-	m.peersCleaned.Add(m.ctx, n)
-}
-
-// CountCleanupError records a failed delete batch.
-func (m *EphemeralPeersMetrics) CountCleanupError() {
-	if m == nil {
-		return
-	}
-	m.errors.Add(m.ctx, 1)
-}

management/server/testdata/networks.sql

@@ -9,13 +9,9 @@ INSERT INTO peers VALUES('testPeerId','testAccountId','5rvhvriKJZ3S9oxYToVj5TzDM
 
 CREATE TABLE `networks` (`id` text,`account_id` text,`name` text,`description` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_networks` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 INSERT INTO networks VALUES('testNetworkId','testAccountId','some-name','some-description');
-INSERT INTO networks VALUES('secondNetworkId','testAccountId','second-name','second-description');
 
 CREATE TABLE `network_routers` (`id` text,`network_id` text,`account_id` text,`peer` text,`peer_groups` text,`masquerade` numeric,`metric` integer,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_network_routers` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 INSERT INTO network_routers VALUES('testRouterId','testNetworkId','testAccountId','','["csquuo4jcko732k1ag00"]',0,9999);
-INSERT INTO accounts VALUES('otherAccountId','','2024-10-02 16:01:38.000000000+00:00','other.com','private',1,'otherNetworkIdentifier','{"IP":"100.65.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
-INSERT INTO networks VALUES('otherNetworkId','otherAccountId','other-net','other-description');
-INSERT INTO network_routers VALUES('otherRouterId','otherNetworkId','otherAccountId','otherPeer',NULL,0,1);
 
 CREATE TABLE `network_resources` (`id` text,`network_id` text,`account_id` text,`name` text,`description` text,`type` text,`address` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_network_resources` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 INSERT INTO network_resources VALUES('testResourceId','testNetworkId','testAccountId','some-name','some-description','host','3.3.3.3/32');

proxy/handle_mapping_stream_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"io"
 	"testing"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -60,7 +59,7 @@ func TestHandleMappingStream_SyncCompleteFlag(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.True(t, syncDone, "initial sync should be marked done when flag is set")
 }
@@ -80,7 +79,7 @@ func TestHandleMappingStream_NoSyncFlagDoesNotMarkDone(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.False(t, syncDone, "initial sync should not be marked done without flag")
 }
@@ -98,7 +97,7 @@ func TestHandleMappingStream_NilHealthChecker(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.True(t, syncDone, "sync done flag should be set even without health checker")
 }

proxy/internal/metrics/metrics.go

@@ -25,11 +25,6 @@ type Metrics struct {
 	backendDuration          metric.Int64Histogram
 	certificateIssueDuration metric.Int64Histogram
 
-	// Management sync metrics.
-	snapshotSyncDuration  metric.Int64Histogram
-	snapshotBatchDuration metric.Int64Histogram
-	addPeerDuration       metric.Int64Histogram
-
 	// L4 service-level metrics.
 	l4Services metric.Int64UpDownCounter
 
@@ -59,9 +54,6 @@ func New(ctx context.Context, meter metric.Meter) (*Metrics, error) {
 	if err := m.initHTTPMetrics(meter); err != nil {
 		return nil, err
 	}
-	if err := m.initSyncMetrics(meter); err != nil {
-		return nil, err
-	}
 	if err := m.initL4Metrics(meter); err != nil {
 		return nil, err
 	}
@@ -134,59 +126,6 @@ func (m *Metrics) initHTTPMetrics(meter metric.Meter) error {
 	return err
 }
 
-func (m *Metrics) initSyncMetrics(meter metric.Meter) error {
-	var err error
-
-	m.snapshotSyncDuration, err = meter.Int64Histogram(
-		"proxy.sync.snapshot.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithDescription("Duration from management connect until the initial snapshot sync is complete"),
-		metric.WithExplicitBucketBoundaries(100, 250, 500, 1000, 2500, 5000, 10000, 30000, 60000, 120000, 300000),
-	)
-	if err != nil {
-		return err
-	}
-
-	m.snapshotBatchDuration, err = meter.Int64Histogram(
-		"proxy.sync.batch.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithDescription("Duration to process a single mapping batch during initial snapshot sync"),
-		metric.WithExplicitBucketBoundaries(100, 250, 500, 1000, 2500, 5000, 10000, 30000, 60000, 120000, 300000),
-	)
-	if err != nil {
-		return err
-	}
-
-	m.addPeerDuration, err = meter.Int64Histogram(
-		"proxy.peer.add.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithDescription("Duration to add a peer for an account (keygen + gRPC CreateProxyPeer + embed.New)"),
-		metric.WithExplicitBucketBoundaries(10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10000),
-	)
-	return err
-}
-
-// RecordSnapshotSyncDuration records the total time from connect to sync-complete.
-func (m *Metrics) RecordSnapshotSyncDuration(d time.Duration) {
-	m.snapshotSyncDuration.Record(m.ctx, d.Milliseconds())
-}
-
-// RecordSnapshotBatchDuration records the time to process one mapping batch during initial sync.
-func (m *Metrics) RecordSnapshotBatchDuration(d time.Duration) {
-	m.snapshotBatchDuration.Record(m.ctx, d.Milliseconds())
-}
-
-// RecordAddPeerDuration records the time to create a new peer for an account.
-func (m *Metrics) RecordAddPeerDuration(d time.Duration, err error) {
-	result := "success"
-	if err != nil {
-		result = "error"
-	}
-	m.addPeerDuration.Record(m.ctx, d.Milliseconds(), metric.WithAttributes(
-		attribute.String("result", result),
-	))
-}
-
 func (m *Metrics) initL4Metrics(meter metric.Meter) error {
 	var err error
 

proxy/internal/roundtrip/netbird.go

@@ -76,11 +76,6 @@ type clientEntry struct {
 	services          map[ServiceKey]serviceInfo
 	createdAt         time.Time
 	started           bool
-	// ready is closed once the client has been fully initialized.
-	// Callers that find a pending entry wait on this channel before
-	// accessing the client. A nil initErr means success.
-	ready   chan struct{}
-	initErr error
 	// Per-backend in-flight limiting keyed by target host:port.
 	// TODO: clean up stale entries when backend targets change.
 	inflightMu  sync.Mutex
@@ -142,11 +137,6 @@ type NetBird struct {
 	clients        map[types.AccountID]*clientEntry
 	initLogOnce    sync.Once
 	statusNotifier statusNotifier
-
-	// OnAddPeer, when set, is called after AddPeer completes for a new account
-	// (i.e. when a new client was actually created, not when an existing one
-	// was reused). The duration covers keygen + gRPC CreateProxyPeer + embed.New.
-	OnAddPeer func(d time.Duration, err error)
 }
 
 // ClientDebugInfo contains debug information about a client.
@@ -167,9 +157,6 @@ type skipTLSVerifyContextKey struct{}
 // AddPeer registers a service for an account. If the account doesn't have a client yet,
 // one is created by authenticating with the management server using the provided token.
 // Multiple services can share the same client.
-//
-// Client creation (WG keygen, gRPC, embed.New) runs without holding clientsMux
-// so that concurrent AddPeer calls for different accounts execute in parallel.
 func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, serviceID types.ServiceID) error {
 	si := serviceInfo{serviceID: serviceID}
 
@@ -177,23 +164,10 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 
 	entry, exists := n.clients[accountID]
 	if exists {
-		ready := entry.ready
 		entry.services[key] = si
 		started := entry.started
 		n.clientsMux.Unlock()
 
-		// If the entry is still being initialized by another goroutine, wait.
-		if ready != nil {
-			select {
-			case <-ready:
-			case <-ctx.Done():
-				return ctx.Err()
-			}
-			if entry.initErr != nil {
-				return fmt.Errorf("peer initialization failed: %w", entry.initErr)
-			}
-		}
-
 		n.logger.WithFields(log.Fields{
 			"account_id":  accountID,
 			"service_key": key,
@@ -210,43 +184,15 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 		return nil
 	}
 
-	// Insert a placeholder so other goroutines calling AddPeer for the same
-	// account will wait on the ready channel instead of starting a second
-	// client creation.
-	entry = &clientEntry{
-		services: map[ServiceKey]serviceInfo{key: si},
-		ready:    make(chan struct{}),
-	}
-	n.clients[accountID] = entry
-	n.clientsMux.Unlock()
-
-	createStart := time.Now()
-	created, err := n.createClientEntry(ctx, accountID, key, authToken, si)
-	if n.OnAddPeer != nil {
-		n.OnAddPeer(time.Since(createStart), err)
-	}
+	entry, err := n.createClientEntry(ctx, accountID, key, authToken, si)
 	if err != nil {
-		entry.initErr = err
-		close(entry.ready)
-
-		n.clientsMux.Lock()
-		delete(n.clients, accountID)
 		n.clientsMux.Unlock()
 		return err
 	}
 
-	// Transfer any services that were registered by concurrent AddPeer calls
-	// while we were creating the client.
-	n.clientsMux.Lock()
-	for k, v := range entry.services {
-		created.services[k] = v
-	}
-	created.ready = nil
-	n.clients[accountID] = created
+	n.clients[accountID] = entry
 	n.clientsMux.Unlock()
 
-	close(entry.ready)
-
 	n.logger.WithFields(log.Fields{
 		"account_id":  accountID,
 		"service_key": key,
@@ -254,13 +200,13 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 
 	// Attempt to start the client in the background; if this fails we will
 	// retry on the first request via RoundTrip.
-	go n.runClientStartup(ctx, accountID, created.client)
+	go n.runClientStartup(ctx, accountID, entry.client)
 
 	return nil
 }
 
 // createClientEntry generates a WireGuard keypair, authenticates with management,
-// and creates an embedded NetBird client.
+// and creates an embedded NetBird client. Must be called with clientsMux held.
 func (n *NetBird) createClientEntry(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, si serviceInfo) (*clientEntry, error) {
 	serviceID := si.serviceID
 	n.logger.WithFields(log.Fields{

proxy/management_integration_test.go

@@ -366,7 +366,7 @@ func (m *storeBackedServiceManager) GetServiceByDomain(ctx context.Context, doma
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *storeBackedServiceManager) GetClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
+func (m *storeBackedServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
 	return nil, nil
 }
 

proxy/process_mappings_bench_test.go

@@ -1,300 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"testing"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/proxy/internal/auth"
-	"github.com/netbirdio/netbird/proxy/internal/conntrack"
-	"github.com/netbirdio/netbird/proxy/internal/crowdsec"
-	proxymetrics "github.com/netbirdio/netbird/proxy/internal/metrics"
-	"github.com/netbirdio/netbird/proxy/internal/proxy"
-	"github.com/netbirdio/netbird/proxy/internal/roundtrip"
-	nbtcp "github.com/netbirdio/netbird/proxy/internal/tcp"
-	"github.com/netbirdio/netbird/proxy/internal/types"
-	udprelay "github.com/netbirdio/netbird/proxy/internal/udp"
-	"github.com/netbirdio/netbird/shared/management/proto"
-
-	"go.opentelemetry.io/otel/metric/noop"
-)
-
-// latencyMockClient simulates realistic gRPC latency for management calls.
-type latencyMockClient struct {
-	proto.ProxyServiceClient
-	createPeerDelay   time.Duration
-	statusUpdateDelay time.Duration
-}
-
-func (m *latencyMockClient) SendStatusUpdate(ctx context.Context, _ *proto.SendStatusUpdateRequest, _ ...grpc.CallOption) (*proto.SendStatusUpdateResponse, error) {
-	if m.statusUpdateDelay > 0 {
-		select {
-		case <-time.After(m.statusUpdateDelay):
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		}
-	}
-	return &proto.SendStatusUpdateResponse{}, nil
-}
-
-func (m *latencyMockClient) CreateProxyPeer(ctx context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
-	if m.createPeerDelay > 0 {
-		select {
-		case <-time.After(m.createPeerDelay):
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		}
-	}
-	return &proto.CreateProxyPeerResponse{Success: true}, nil
-}
-
-type discardWriter struct{}
-
-func (discardWriter) Write(p []byte) (int, error) { return len(p), nil }
-
-func benchServerWithLatency(b *testing.B, createPeerDelay, statusDelay time.Duration) *Server {
-	b.Helper()
-	logger := log.New()
-	logger.SetLevel(log.FatalLevel)
-	logger.SetOutput(&discardWriter{})
-
-	meter, err := proxymetrics.New(context.Background(), noop.Meter{})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	mgmtClient := &latencyMockClient{
-		createPeerDelay:   createPeerDelay,
-		statusUpdateDelay: statusDelay,
-	}
-
-	nb := roundtrip.NewNetBird("bench-proxy", "bench.test",
-		roundtrip.ClientConfig{MgmtAddr: "http://bench.test:9999"},
-		logger, nil, mgmtClient)
-
-	mainRouter := nbtcp.NewRouter(logger, func(accountID types.AccountID) (types.DialContextFunc, error) {
-		return (&net.Dialer{}).DialContext, nil
-	}, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 443})
-
-	return &Server{
-		Logger:           logger,
-		mgmtClient:       mgmtClient,
-		netbird:          nb,
-		proxy:            proxy.NewReverseProxy(nil, "auto", nil, logger),
-		auth:             auth.NewMiddleware(logger, nil, nil),
-		mainRouter:       mainRouter,
-		mainPort:         443,
-		meter:            meter,
-		hijackTracker:    conntrack.HijackTracker{},
-		crowdsecRegistry: crowdsec.NewRegistry("", "", log.NewEntry(logger)),
-		crowdsecServices: make(map[types.ServiceID]bool),
-		lastMappings:     make(map[types.ServiceID]*proto.ProxyMapping),
-		portRouters:      make(map[uint16]*portRouter),
-		svcPorts:         make(map[types.ServiceID][]uint16),
-		udpRelays:        make(map[types.ServiceID]*udprelay.Relay),
-	}
-}
-
-// generateHTTPMappings creates N HTTP-mode mappings with the given update type.
-// All belong to a single account to share the embedded client.
-func generateHTTPMappings(n int, updateType proto.ProxyMappingUpdateType) []*proto.ProxyMapping {
-	mappings := make([]*proto.ProxyMapping, n)
-	for i := range n {
-		mappings[i] = &proto.ProxyMapping{
-			Type:      updateType,
-			Id:        fmt.Sprintf("svc-%d", i),
-			AccountId: "account-1",
-			Domain:    fmt.Sprintf("svc-%d.bench.example.com", i),
-			Mode:      "http",
-			Path: []*proto.PathMapping{
-				{
-					Path:   "/",
-					Target: fmt.Sprintf("http://10.0.%d.%d:8080", (i/256)%256, i%256),
-				},
-			},
-			Auth: &proto.Authentication{},
-		}
-	}
-	return mappings
-}
-
-// generateMultiAccountHTTPMappings creates N HTTP-mode CREATED mappings spread
-// across the given number of accounts. This stresses the AddPeer new-account
-// path which calls CreateProxyPeer + embed.New per unique account.
-func generateMultiAccountHTTPMappings(n, accounts int) []*proto.ProxyMapping {
-	mappings := make([]*proto.ProxyMapping, n)
-	for i := range n {
-		mappings[i] = &proto.ProxyMapping{
-			Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-			Id:        fmt.Sprintf("svc-%d", i),
-			AccountId: fmt.Sprintf("account-%d", i%accounts),
-			Domain:    fmt.Sprintf("svc-%d.bench.example.com", i),
-			Mode:      "http",
-			Path: []*proto.PathMapping{
-				{
-					Path:   "/",
-					Target: fmt.Sprintf("http://10.0.%d.%d:8080", (i/256)%256, i%256),
-				},
-			},
-			Auth: &proto.Authentication{},
-		}
-	}
-	return mappings
-}
-
-// generateMixedMappings creates mappings with a realistic distribution:
-// 70% HTTP create, 15% modify existing, 10% TLS on main port, 5% remove.
-// All use a single account to avoid embed.New dialing.
-func generateMixedMappings(n int) []*proto.ProxyMapping {
-	mappings := make([]*proto.ProxyMapping, n)
-	for i := range n {
-		var m *proto.ProxyMapping
-		switch {
-		case i%20 < 14: // 70% HTTP create
-			m = &proto.ProxyMapping{
-				Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-				Id:        fmt.Sprintf("svc-http-%d", i),
-				AccountId: "account-1",
-				Domain:    fmt.Sprintf("svc-%d.bench.example.com", i),
-				Mode:      "http",
-				Path: []*proto.PathMapping{
-					{Path: "/", Target: fmt.Sprintf("http://10.0.%d.%d:8080", (i/256)%256, i%256)},
-					{Path: "/api", Target: fmt.Sprintf("http://10.0.%d.%d:8081", (i/256)%256, i%256)},
-				},
-				Auth: &proto.Authentication{},
-			}
-		case i%20 < 17: // 15% modify
-			m = &proto.ProxyMapping{
-				Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED,
-				Id:        fmt.Sprintf("svc-http-%d", i%100),
-				AccountId: "account-1",
-				Domain:    fmt.Sprintf("svc-%d.bench.example.com", i%100),
-				Mode:      "http",
-				Path: []*proto.PathMapping{
-					{Path: "/", Target: fmt.Sprintf("http://10.1.%d.%d:8080", (i/256)%256, i%256)},
-				},
-				Auth: &proto.Authentication{},
-			}
-		case i%20 < 19: // 10% TLS passthrough on main port
-			m = &proto.ProxyMapping{
-				Type:       proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-				Id:         fmt.Sprintf("svc-tls-%d", i),
-				AccountId:  "account-1",
-				Domain:     fmt.Sprintf("tls-%d.bench.example.com", i),
-				Mode:       "tls",
-				ListenPort: 443,
-				Path: []*proto.PathMapping{
-					{Path: "/", Target: fmt.Sprintf("10.2.%d.%d:443", (i/256)%256, i%256)},
-				},
-			}
-		default: // 5% remove
-			m = &proto.ProxyMapping{
-				Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-				Id:        fmt.Sprintf("svc-http-%d", i%50),
-				AccountId: "account-1",
-				Domain:    fmt.Sprintf("svc-%d.bench.example.com", i%50),
-				Mode:      "http",
-			}
-		}
-		mappings[i] = m
-	}
-	return mappings
-}
-
-const (
-	createPeerLatency   = 100 * time.Millisecond
-	statusUpdateLatency = 50 * time.Millisecond
-)
-
-// BenchmarkProcessMappings_HTTPCreate_SingleAccount benchmarks the initial sync
-// scenario: N HTTP mappings all on a single account. Only the first mapping
-// triggers CreateProxyPeer (100ms gRPC). The rest just register with the
-// existing client. This is the "best case" production path.
-func BenchmarkProcessMappings_HTTPCreate_SingleAccount(b *testing.B) {
-	for _, n := range []int{100, 1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			mappings := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_HTTPCreate_MultiAccount benchmarks the worst-case
-// initial sync: every mapping belongs to a different account, so each one
-// triggers a full CreateProxyPeer gRPC round-trip (100ms) + embed.New.
-// With 500 accounts this serializes to ~50s of blocking I/O.
-func BenchmarkProcessMappings_HTTPCreate_MultiAccount(b *testing.B) {
-	for _, tc := range []struct {
-		mappings int
-		accounts int
-	}{
-		{100, 10},
-		{100, 50},
-		{1000, 50},
-		{1000, 200},
-		{3000, 500},
-	} {
-		b.Run(fmt.Sprintf("mappings=%d/accounts=%d", tc.mappings, tc.accounts), func(b *testing.B) {
-			mappings := generateMultiAccountHTTPMappings(tc.mappings, tc.accounts)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_Mixed benchmarks a realistic mixed workload
-// of creates, modifies, TLS, and removes with production-like latency.
-// TLS mappings call SendStatusUpdate (50ms each), serialized.
-func BenchmarkProcessMappings_Mixed(b *testing.B) {
-	for _, n := range []int{100, 1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			mappings := generateMixedMappings(n)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				creates := generateHTTPMappings(100, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-				s.processMappings(b.Context(), creates)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_ModifyOnly benchmarks bulk modification of
-// already-registered mappings (no new peers needed, no gRPC).
-func BenchmarkProcessMappings_ModifyOnly(b *testing.B) {
-	for _, n := range []int{100, 1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			creates := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-			modifies := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				s.processMappings(b.Context(), creates)
-				s.processMappings(b.Context(), modifies)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_NoLatency measures pure CPU/allocation overhead
-// with zero I/O latency for profiling purposes.
-func BenchmarkProcessMappings_NoLatency(b *testing.B) {
-	for _, n := range []int{1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			mappings := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-			for range b.N {
-				s := benchServerWithLatency(b, 0, 0)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}

proxy/server.go

@@ -32,11 +32,9 @@ import (
 	"go.opentelemetry.io/otel/sdk/metric"
 	"golang.org/x/exp/maps"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
-	grpcstatus "google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/netbirdio/netbird/proxy/internal/accesslog"
@@ -284,7 +282,6 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 		WGPort:       s.WireguardPort,
 		PreSharedKey: s.PreSharedKey,
 	}, s.Logger, s, s.mgmtClient)
-	s.netbird.OnAddPeer = s.meter.RecordAddPeerDuration
 
 	// Create health checker before the mapping worker so it can track
 	// management connectivity from the first stream connection.
@@ -941,9 +938,6 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 		Clock:               backoff.SystemClock,
 	}
 
-	// syncSupported tracks whether management supports SyncMappings.
-	// Starts true; set to false on first Unimplemented error.
-	syncSupported := true
 	initialSyncDone := false
 
 	operation := func() error {
@@ -955,25 +949,36 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 			s.healthChecker.SetManagementConnected(false)
 		}
 
-		var streamErr error
-		if syncSupported {
-			streamErr = s.trySyncMappings(ctx, client, &initialSyncDone)
-			if isSyncUnimplemented(streamErr) {
-				syncSupported = false
-				s.Logger.Info("management does not support SyncMappings, falling back to GetMappingUpdate")
-				streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone)
-			}
-		} else {
-			streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone)
+		supportsCrowdSec := s.crowdsecRegistry.Available()
+		mappingClient, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
+			ProxyId:   s.ID,
+			Version:   s.Version,
+			StartedAt: timestamppb.New(s.startTime),
+			Address:   s.ProxyURL,
+			Capabilities: &proto.ProxyCapabilities{
+				SupportsCustomPorts: &s.SupportsCustomPorts,
+				RequireSubdomain:    &s.RequireSubdomain,
+				SupportsCrowdsec:    &supportsCrowdSec,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("create mapping stream: %w", err)
 		}
 
+		if s.healthChecker != nil {
+			s.healthChecker.SetManagementConnected(true)
+		}
+		s.Logger.Debug("management mapping stream established")
+
+		// Stream established — reset backoff so the next failure retries quickly.
+		bo.Reset()
+
+		streamErr := s.handleMappingStream(ctx, mappingClient, &initialSyncDone)
+
 		if s.healthChecker != nil {
 			s.healthChecker.SetManagementConnected(false)
 		}
 
-		// Stream established — reset backoff so the next failure retries quickly.
-		bo.Reset()
-
 		if streamErr == nil {
 			return fmt.Errorf("stream closed by server")
 		}
@@ -990,187 +995,56 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 	}
 }
 
-func (s *Server) proxyCapabilities() *proto.ProxyCapabilities {
-	supportsCrowdSec := s.crowdsecRegistry.Available()
-	return &proto.ProxyCapabilities{
-		SupportsCustomPorts: &s.SupportsCustomPorts,
-		RequireSubdomain:    &s.RequireSubdomain,
-		SupportsCrowdsec:    &supportsCrowdSec,
-	}
-}
-
-func (s *Server) tryGetMappingUpdate(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool) error {
-	connectTime := time.Now()
-	mappingClient, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
-		ProxyId:      s.ID,
-		Version:      s.Version,
-		StartedAt:    timestamppb.New(s.startTime),
-		Address:      s.ProxyURL,
-		Capabilities: s.proxyCapabilities(),
-	})
-	if err != nil {
-		return fmt.Errorf("create mapping stream: %w", err)
-	}
-
-	if s.healthChecker != nil {
-		s.healthChecker.SetManagementConnected(true)
-	}
-	s.Logger.Debug("management mapping stream established (GetMappingUpdate)")
-
-	return s.handleMappingStream(ctx, mappingClient, initialSyncDone, connectTime)
-}
-
-func (s *Server) trySyncMappings(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool) error {
-	connectTime := time.Now()
-	stream, err := client.SyncMappings(ctx)
-	if err != nil {
-		return fmt.Errorf("create sync stream: %w", err)
-	}
-
-	// Send init message.
-	if err := stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId:      s.ID,
-				Version:      s.Version,
-				StartedAt:    timestamppb.New(s.startTime),
-				Address:      s.ProxyURL,
-				Capabilities: s.proxyCapabilities(),
-			},
-		},
-	}); err != nil {
-		return fmt.Errorf("send sync init: %w", err)
-	}
-
-	if s.healthChecker != nil {
-		s.healthChecker.SetManagementConnected(true)
-	}
-	s.Logger.Debug("management mapping stream established (SyncMappings)")
-
-	return s.handleSyncMappingsStream(ctx, stream, initialSyncDone, connectTime)
-}
-
-func isSyncUnimplemented(err error) bool {
-	if err == nil {
-		return false
-	}
-	st, ok := grpcstatus.FromError(err)
-	return ok && st.Code() == codes.Unimplemented
-}
-
-func (s *Server) handleSyncMappingsStream(ctx context.Context, stream proto.ProxyService_SyncMappingsClient, initialSyncDone *bool, connectTime time.Time) error {
+func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.ProxyService_GetMappingUpdateClient, initialSyncDone *bool) error {
 	select {
 	case <-s.routerReady:
 	case <-ctx.Done():
 		return ctx.Err()
 	}
 
-	tracker := s.newSnapshotTracker(initialSyncDone, connectTime)
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			msg, err := stream.Recv()
-			switch {
-			case errors.Is(err, io.EOF):
-				return nil
-			case err != nil:
-				return fmt.Errorf("receive msg: %w", err)
-			}
-
-			batchStart := time.Now()
-			s.Logger.Debug("Received mapping update, starting processing")
-			s.processMappings(ctx, msg.GetMapping())
-			s.Logger.Debug("Processing mapping update completed")
-			tracker.recordBatch(ctx, s, msg.GetMapping(), msg.GetInitialSyncComplete(), batchStart)
-
-			if err := stream.Send(&proto.SyncMappingsRequest{
-				Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-			}); err != nil {
-				return fmt.Errorf("send ack: %w", err)
-			}
-		}
-	}
-}
-
-func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.ProxyService_GetMappingUpdateClient, initialSyncDone *bool, connectTime time.Time) error {
-	select {
-	case <-s.routerReady:
-	case <-ctx.Done():
-		return ctx.Err()
+	var snapshotIDs map[types.ServiceID]struct{}
+	if !*initialSyncDone {
+		snapshotIDs = make(map[types.ServiceID]struct{})
 	}
 
-	tracker := s.newSnapshotTracker(initialSyncDone, connectTime)
-
 	for {
+		// Check for context completion to gracefully shutdown.
 		select {
 		case <-ctx.Done():
+			// Shutting down.
 			return ctx.Err()
 		default:
 			msg, err := mappingClient.Recv()
 			switch {
 			case errors.Is(err, io.EOF):
+				// Mapping connection gracefully terminated by server.
 				return nil
 			case err != nil:
+				// Something has gone horribly wrong, return and hope the parent retries the connection.
 				return fmt.Errorf("receive msg: %w", err)
 			}
-
-			batchStart := time.Now()
 			s.Logger.Debug("Received mapping update, starting processing")
 			s.processMappings(ctx, msg.GetMapping())
 			s.Logger.Debug("Processing mapping update completed")
-			tracker.recordBatch(ctx, s, msg.GetMapping(), msg.GetInitialSyncComplete(), batchStart)
+
+			if !*initialSyncDone {
+				for _, m := range msg.GetMapping() {
+					snapshotIDs[types.ServiceID(m.GetId())] = struct{}{}
+				}
+				if msg.GetInitialSyncComplete() {
+					s.reconcileSnapshot(ctx, snapshotIDs)
+					snapshotIDs = nil
+					if s.healthChecker != nil {
+						s.healthChecker.SetInitialSyncComplete()
+					}
+					*initialSyncDone = true
+					s.Logger.Info("Initial mapping sync complete")
+				}
+			}
 		}
 	}
 }
 
-// snapshotTracker accumulates service IDs during the initial snapshot and
-// finalises sync state when the complete flag arrives.
-type snapshotTracker struct {
-	done        *bool
-	connectTime time.Time
-	snapshotIDs map[types.ServiceID]struct{}
-}
-
-func (s *Server) newSnapshotTracker(done *bool, connectTime time.Time) *snapshotTracker {
-	var ids map[types.ServiceID]struct{}
-	if !*done {
-		ids = make(map[types.ServiceID]struct{})
-	}
-	return &snapshotTracker{done: done, connectTime: connectTime, snapshotIDs: ids}
-}
-
-func (t *snapshotTracker) recordBatch(ctx context.Context, s *Server, mappings []*proto.ProxyMapping, syncComplete bool, batchStart time.Time) {
-	if *t.done {
-		return
-	}
-
-	if s.meter != nil {
-		s.meter.RecordSnapshotBatchDuration(time.Since(batchStart))
-	}
-
-	for _, m := range mappings {
-		t.snapshotIDs[types.ServiceID(m.GetId())] = struct{}{}
-	}
-
-	if !syncComplete {
-		return
-	}
-
-	s.reconcileSnapshot(ctx, t.snapshotIDs)
-	t.snapshotIDs = nil
-	if s.healthChecker != nil {
-		s.healthChecker.SetInitialSyncComplete()
-	}
-	*t.done = true
-	if s.meter != nil {
-		s.meter.RecordSnapshotSyncDuration(time.Since(t.connectTime))
-	}
-	s.Logger.Info("Initial mapping sync complete")
-}
-
 // reconcileSnapshot removes local mappings that are absent from the snapshot.
 // This ensures services deleted while the proxy was disconnected get cleaned up.
 func (s *Server) reconcileSnapshot(ctx context.Context, snapshotIDs map[types.ServiceID]struct{}) {
@@ -1193,8 +1067,6 @@ func (s *Server) reconcileSnapshot(ctx context.Context, snapshotIDs map[types.Se
 }
 
 func (s *Server) processMappings(ctx context.Context, mappings []*proto.ProxyMapping) {
-	s.ensurePeers(ctx, mappings)
-
 	for _, mapping := range mappings {
 		s.Logger.WithFields(log.Fields{
 			"type":   mapping.GetType(),
@@ -1228,60 +1100,6 @@ func (s *Server) processMappings(ctx context.Context, mappings []*proto.ProxyMap
 	}
 }
 
-// ensurePeers pre-creates NetBird peers for all unique accounts referenced by
-// CREATED mappings. Peers for different accounts are created concurrently,
-// which avoids serializing N×100ms gRPC round-trips during large initial syncs.
-func (s *Server) ensurePeers(ctx context.Context, mappings []*proto.ProxyMapping) {
-	// Collect one representative mapping per account that needs a new peer.
-	type peerReq struct {
-		accountID types.AccountID
-		svcKey    roundtrip.ServiceKey
-		authToken string
-		svcID     types.ServiceID
-	}
-	seen := make(map[types.AccountID]struct{})
-	var reqs []peerReq
-	for _, m := range mappings {
-		if m.GetType() != proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED {
-			continue
-		}
-		accountID := types.AccountID(m.GetAccountId())
-		if _, ok := seen[accountID]; ok {
-			continue
-		}
-		seen[accountID] = struct{}{}
-		if s.netbird.HasClient(accountID) {
-			continue
-		}
-		reqs = append(reqs, peerReq{
-			accountID: accountID,
-			svcKey:    s.serviceKeyForMapping(m),
-			authToken: m.GetAuthToken(),
-			svcID:     types.ServiceID(m.GetId()),
-		})
-	}
-
-	if len(reqs) <= 1 {
-		return
-	}
-
-	var wg sync.WaitGroup
-	wg.Add(len(reqs))
-	for _, r := range reqs {
-		go func() {
-			defer wg.Done()
-			if err := s.netbird.AddPeer(ctx, r.accountID, r.svcKey, r.authToken, r.svcID); err != nil {
-				s.Logger.WithFields(log.Fields{
-					"account_id": r.accountID,
-					"service_id": r.svcID,
-					"error":      err,
-				}).Warn("failed to pre-create peer for account")
-			}
-		}()
-	}
-	wg.Wait()
-}
-
 // addMapping registers a service mapping and starts the appropriate relay or routes.
 func (s *Server) addMapping(ctx context.Context, mapping *proto.ProxyMapping) error {
 	accountID := types.AccountID(mapping.GetAccountId())

proxy/snapshot_reconcile_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"io"
 	"testing"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -140,7 +139,7 @@ func TestHandleMappingStream_BatchedSnapshotSyncComplete(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.True(t, syncDone, "sync should be marked done after final batch")
 }
@@ -165,7 +164,7 @@ func TestHandleMappingStream_PostSyncDoesNotReconcile(t *testing.T) {
 	}
 
 	syncDone := true // sync already completed in a previous stream
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	require.NoError(t, err)
 
 	assert.Len(t, s.lastMappings, 2,
@@ -186,7 +185,7 @@ func TestHandleMappingStream_ImmediateEOF_NoReconciliation(t *testing.T) {
 	stream := &mockMappingStream{} // no messages → immediate EOF
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.False(t, syncDone, "sync should not be marked done on immediate EOF")
 
@@ -219,7 +218,7 @@ func TestHandleMappingStream_ErrorMidSync_NoReconciliation(t *testing.T) {
 	s.lastMappings["svc-stale"] = &proto.ProxyMapping{Id: "svc-stale", AccountId: "acct-1"}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), &mockErrRecvStream{}, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), &mockErrRecvStream{}, &syncDone)
 	assert.Error(t, err)
 	assert.False(t, syncDone)
 

proxy/sync_mappings_test.go

@@ -1,525 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials/insecure"
-	grpcstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-func TestIntegration_SyncMappings_HappyPath(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	// Send init.
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "sync-proxy-1",
-				Version: "test-v1",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	mappingsByID := make(map[string]*proto.ProxyMapping)
-	for {
-		msg, err := stream.Recv()
-		require.NoError(t, err)
-		for _, m := range msg.GetMapping() {
-			mappingsByID[m.GetId()] = m
-		}
-
-		// Ack every batch.
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	assert.Len(t, mappingsByID, 2, "Should receive 2 mappings")
-
-	rp1 := mappingsByID["rp-1"]
-	require.NotNil(t, rp1)
-	assert.Equal(t, "app1.test.proxy.io", rp1.GetDomain())
-	assert.Equal(t, "test-account-1", rp1.GetAccountId())
-	assert.Equal(t, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED, rp1.GetType())
-	assert.NotEmpty(t, rp1.GetAuthToken(), "Should have auth token")
-
-	rp2 := mappingsByID["rp-2"]
-	require.NotNil(t, rp2)
-	assert.Equal(t, "app2.test.proxy.io", rp2.GetDomain())
-}
-
-func TestIntegration_SyncMappings_BackPressure(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	// Add enough services to guarantee multiple batches (default batch size 500).
-	addServicesToStore(t, setup, 600, "test.proxy.io")
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "sync-proxy-backpressure",
-				Version: "test-v1",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	// Strategy: receive batch 1, then hold for a significant delay before
-	// acking. If back-pressure works, batch 2 cannot arrive until after
-	// the ack is sent — so its receive timestamp must be >= the ack
-	// timestamp. If management were fire-and-forget, all batches would
-	// already be buffered in the gRPC transport and batch 2 would arrive
-	// well before the ack time.
-	const ackDelay = 300 * time.Millisecond
-
-	type batchEvent struct {
-		recvAt time.Time
-		ackAt  time.Time
-		count  int
-	}
-	var batches []batchEvent
-	var totalMappings int
-
-	for {
-		msg, err := stream.Recv()
-		require.NoError(t, err)
-
-		recvAt := time.Now()
-		totalMappings += len(msg.GetMapping())
-
-		// Delay the ack on non-final batches to create a measurable gap.
-		if !msg.GetInitialSyncComplete() {
-			time.Sleep(ackDelay)
-		}
-
-		ackAt := time.Now()
-		batches = append(batches, batchEvent{
-			recvAt: recvAt,
-			ackAt:  ackAt,
-			count:  len(msg.GetMapping()),
-		})
-
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// 2 original + 600 added = 602 services total.
-	assert.Equal(t, 602, totalMappings, "should receive all 602 mappings")
-	require.GreaterOrEqual(t, len(batches), 2, "need at least 2 batches to verify back-pressure")
-
-	// For every batch after the first, its receive time must be after the
-	// previous batch's ack time. This proves management waited for the ack
-	// before sending the next batch.
-	for i := 1; i < len(batches); i++ {
-		prevAckAt := batches[i-1].ackAt
-		thisRecvAt := batches[i].recvAt
-		assert.True(t, !thisRecvAt.Before(prevAckAt),
-			"batch %d received at %v, but batch %d was acked at %v — "+
-				"management sent the next batch before receiving the ack",
-			i, thisRecvAt, i-1, prevAckAt)
-	}
-}
-
-func TestIntegration_SyncMappings_IncrementalUpdate(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "sync-proxy-incremental",
-				Version: "test-v1",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	// Drain initial snapshot.
-	for {
-		msg, err := stream.Recv()
-		require.NoError(t, err)
-
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// Now send an incremental update via the management server.
-	setup.proxyService.SendServiceUpdate(&proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{{
-			Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-			Id:        "rp-1",
-			AccountId: "test-account-1",
-			Domain:    "app1.test.proxy.io",
-		}},
-	})
-
-	// Receive the incremental update on the sync stream.
-	msg, err := stream.Recv()
-	require.NoError(t, err)
-	require.NotEmpty(t, msg.GetMapping())
-	assert.Equal(t, "rp-1", msg.GetMapping()[0].GetId())
-	assert.Equal(t, proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED, msg.GetMapping()[0].GetType())
-}
-
-func TestIntegration_SyncMappings_MixedProxyVersions(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	// Old proxy uses GetMappingUpdate.
-	legacyStream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
-		ProxyId: "legacy-proxy",
-		Version: "old-v1",
-		Address: "test.proxy.io",
-	})
-	require.NoError(t, err)
-
-	var legacyMappings []*proto.ProxyMapping
-	for {
-		msg, err := legacyStream.Recv()
-		require.NoError(t, err)
-		legacyMappings = append(legacyMappings, msg.GetMapping()...)
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// New proxy uses SyncMappings.
-	syncStream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = syncStream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "new-proxy",
-				Version: "new-v2",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	var syncMappings []*proto.ProxyMapping
-	for {
-		msg, err := syncStream.Recv()
-		require.NoError(t, err)
-		syncMappings = append(syncMappings, msg.GetMapping()...)
-
-		err = syncStream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// Both should receive the same set of mappings.
-	assert.Equal(t, len(legacyMappings), len(syncMappings),
-		"legacy and sync proxies should receive the same number of mappings")
-
-	legacyIDs := make(map[string]bool)
-	for _, m := range legacyMappings {
-		legacyIDs[m.GetId()] = true
-	}
-	for _, m := range syncMappings {
-		assert.True(t, legacyIDs[m.GetId()],
-			"mapping %s should be present in both streams", m.GetId())
-	}
-
-	// Both proxies should be connected.
-	proxies := setup.proxyService.GetConnectedProxies()
-	assert.Contains(t, proxies, "legacy-proxy")
-	assert.Contains(t, proxies, "new-proxy")
-
-	// Both should receive incremental updates.
-	setup.proxyService.SendServiceUpdate(&proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{{
-			Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-			Id:        "rp-1",
-			AccountId: "test-account-1",
-			Domain:    "app1.test.proxy.io",
-		}},
-	})
-
-	// Legacy proxy receives via GetMappingUpdateResponse.
-	legacyMsg, err := legacyStream.Recv()
-	require.NoError(t, err)
-	assert.Equal(t, "rp-1", legacyMsg.GetMapping()[0].GetId())
-
-	// Sync proxy receives via SyncMappingsResponse.
-	syncMsg, err := syncStream.Recv()
-	require.NoError(t, err)
-	assert.Equal(t, "rp-1", syncMsg.GetMapping()[0].GetId())
-}
-
-func TestIntegration_SyncMappings_Reconnect(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-	proxyID := "sync-proxy-reconnect"
-
-	receiveMappings := func() []*proto.ProxyMapping {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-
-		stream, err := client.SyncMappings(ctx)
-		require.NoError(t, err)
-
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Init{
-				Init: &proto.SyncMappingsInit{
-					ProxyId: proxyID,
-					Version: "test-v1",
-					Address: "test.proxy.io",
-				},
-			},
-		})
-		require.NoError(t, err)
-
-		var mappings []*proto.ProxyMapping
-		for {
-			msg, err := stream.Recv()
-			require.NoError(t, err)
-			mappings = append(mappings, msg.GetMapping()...)
-
-			err = stream.Send(&proto.SyncMappingsRequest{
-				Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-			})
-			require.NoError(t, err)
-
-			if msg.GetInitialSyncComplete() {
-				break
-			}
-		}
-		return mappings
-	}
-
-	first := receiveMappings()
-	time.Sleep(100 * time.Millisecond)
-	second := receiveMappings()
-
-	assert.Equal(t, len(first), len(second),
-		"should receive same mappings on reconnect")
-
-	firstIDs := make(map[string]bool)
-	for _, m := range first {
-		firstIDs[m.GetId()] = true
-	}
-	for _, m := range second {
-		assert.True(t, firstIDs[m.GetId()],
-			"mapping %s should be present in both connections", m.GetId())
-	}
-}
-
-// --- Fallback tests: old management returns Unimplemented ---
-
-// unimplementedProxyServer embeds UnimplementedProxyServiceServer so
-// SyncMappings returns codes.Unimplemented while GetMappingUpdate works.
-type unimplementedSyncServer struct {
-	proto.UnimplementedProxyServiceServer
-	getMappingCalls atomic.Int32
-}
-
-func (s *unimplementedSyncServer) GetMappingUpdate(_ *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
-	s.getMappingCalls.Add(1)
-	return stream.Send(&proto.GetMappingUpdateResponse{
-		Mapping:             []*proto.ProxyMapping{{Id: "svc-1", AccountId: "acct-1", Domain: "example.com"}},
-		InitialSyncComplete: true,
-	})
-}
-
-func TestIntegration_FallbackToGetMappingUpdate(t *testing.T) {
-	// Start a gRPC server that does NOT implement SyncMappings.
-	lis, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-
-	srv := &unimplementedSyncServer{}
-	grpcServer := grpc.NewServer()
-	proto.RegisterProxyServiceServer(grpcServer, srv)
-	go func() { _ = grpcServer.Serve(lis) }()
-	defer grpcServer.GracefulStop()
-
-	conn, err := grpc.NewClient(lis.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	// Try SyncMappings — should get Unimplemented.
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "test-proxy",
-				Address: "test.example.com",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	_, err = stream.Recv()
-	require.Error(t, err)
-	st, ok := grpcstatus.FromError(err)
-	require.True(t, ok)
-	assert.Equal(t, codes.Unimplemented, st.Code(),
-		"unimplemented SyncMappings should return Unimplemented code")
-
-	// isSyncUnimplemented should detect this.
-	assert.True(t, isSyncUnimplemented(err))
-
-	// The actual fallback: GetMappingUpdate should work.
-	legacyStream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
-		ProxyId: "test-proxy",
-		Address: "test.example.com",
-	})
-	require.NoError(t, err)
-
-	msg, err := legacyStream.Recv()
-	require.NoError(t, err)
-	assert.True(t, msg.GetInitialSyncComplete())
-	assert.Len(t, msg.GetMapping(), 1)
-	assert.Equal(t, int32(1), srv.getMappingCalls.Load())
-}
-
-func TestIsSyncUnimplemented(t *testing.T) {
-	tests := []struct {
-		name string
-		err  error
-		want bool
-	}{
-		{"nil error", nil, false},
-		{"non-grpc error", errors.New("random"), false},
-		{"grpc internal", grpcstatus.Error(codes.Internal, "fail"), false},
-		{"grpc unavailable", grpcstatus.Error(codes.Unavailable, "fail"), false},
-		{"grpc unimplemented", grpcstatus.Error(codes.Unimplemented, "method not found"), true},
-		{
-			"wrapped unimplemented",
-			fmt.Errorf("create sync stream: %w", grpcstatus.Error(codes.Unimplemented, "nope")),
-			// grpc/status.FromError unwraps in recent versions of grpc-go.
-			true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equal(t, tt.want, isSyncUnimplemented(tt.err))
-		})
-	}
-}
-
-// addServicesToStore adds n extra services to the test store for the given cluster.
-func addServicesToStore(t *testing.T, setup *integrationTestSetup, n int, cluster string) {
-	t.Helper()
-	ctx := context.Background()
-	for i := 0; i < n; i++ {
-		svc := &service.Service{
-			ID:           fmt.Sprintf("extra-svc-%d", i),
-			AccountID:    "test-account-1",
-			Name:         fmt.Sprintf("Extra Service %d", i),
-			Domain:       fmt.Sprintf("extra-%d.test.proxy.io", i),
-			ProxyCluster: cluster,
-			Enabled:      true,
-			Targets: []*service.Target{{
-				Path:       strPtr("/"),
-				Host:       fmt.Sprintf("10.0.1.%d", i%256),
-				Port:       8080,
-				Protocol:   "http",
-				TargetId:   fmt.Sprintf("peer-extra-%d", i),
-				TargetType: "peer",
-				Enabled:    true,
-			}},
-		}
-		require.NoError(t, setup.store.CreateService(ctx, svc))
-	}
-}

shared/management/http/api/openapi.yml

@@ -3417,43 +3417,19 @@ components:
           type: string
           description: Cluster address used for CNAME targets
           example: "eu.proxy.netbird.io"
-        type:
-          $ref: '#/components/schemas/ProxyClusterType'
-        online:
-          type: boolean
-          description: Whether at least one proxy in the cluster has heartbeated within the active window
-          example: true
         connected_proxies:
           type: integer
-          description: Number of proxy nodes currently connected (heartbeat within the active window)
+          description: Number of proxy nodes connected in this cluster
           example: 3
-        supports_custom_ports:
+        self_hosted:
           type: boolean
-          description: Whether the cluster supports binding arbitrary TCP/UDP ports
-          example: true
-        require_subdomain:
-          type: boolean
-          description: Whether services on this cluster must include a subdomain label
-          example: false
-        supports_crowdsec:
-          type: boolean
-          description: Whether all active proxies in the cluster have CrowdSec configured
+          description: Whether this cluster is a self-hosted (BYOP) proxy managed by the account owner
           example: false
       required:
         - id
         - address
-        - type
-        - online
         - connected_proxies
-    ProxyClusterType:
-      type: string
-      description: |
-        Source of the proxy cluster. `account` clusters are owned and operated by the account (BYOP);
-        `shared` clusters are operated by NetBird and shared across accounts.
-      enum:
-        - account
-        - shared
-      example: shared
+        - self_hosted
     ReverseProxyDomainType:
       type: string
       description: Type of Reverse Proxy Domain

shared/management/http/api/types.gen.go

@@ -1,6 +1,6 @@
 // Package api provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version v2.7.0 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version v2.6.0 DO NOT EDIT.
 package api
 
 import (
@@ -13,8 +13,8 @@ import (
 )
 
 const (
-	BearerAuthScopes bearerAuthContextKey = "BearerAuth.Scopes"
-	TokenAuthScopes  tokenAuthContextKey  = "TokenAuth.Scopes"
+	BearerAuthScopes = "BearerAuth.Scopes"
+	TokenAuthScopes  = "TokenAuth.Scopes"
 )
 
 // Defines values for AccessRestrictionsCrowdsecMode.
@@ -511,7 +511,6 @@ func (e GroupMinimumIssued) Valid() bool {
 
 // Defines values for IdentityProviderType.
 const (
-	IdentityProviderTypeAdfs      IdentityProviderType = "adfs"
 	IdentityProviderTypeEntra     IdentityProviderType = "entra"
 	IdentityProviderTypeGoogle    IdentityProviderType = "google"
 	IdentityProviderTypeMicrosoft IdentityProviderType = "microsoft"
@@ -519,13 +518,12 @@ const (
 	IdentityProviderTypeOkta      IdentityProviderType = "okta"
 	IdentityProviderTypePocketid  IdentityProviderType = "pocketid"
 	IdentityProviderTypeZitadel   IdentityProviderType = "zitadel"
+	IdentityProviderTypeAdfs      IdentityProviderType = "adfs"
 )
 
 // Valid indicates whether the value is a known member of the IdentityProviderType enum.
 func (e IdentityProviderType) Valid() bool {
 	switch e {
-	case IdentityProviderTypeAdfs:
-		return true
 	case IdentityProviderTypeEntra:
 		return true
 	case IdentityProviderTypeGoogle:
@@ -540,6 +538,8 @@ func (e IdentityProviderType) Valid() bool {
 		return true
 	case IdentityProviderTypeZitadel:
 		return true
+	case IdentityProviderTypeAdfs:
+		return true
 	default:
 		return false
 	}
@@ -878,24 +878,6 @@ func (e PolicyRuleUpdateProtocol) Valid() bool {
 	}
 }
 
-// Defines values for ProxyClusterType.
-const (
-	ProxyClusterTypeAccount ProxyClusterType = "account"
-	ProxyClusterTypeShared  ProxyClusterType = "shared"
-)
-
-// Valid indicates whether the value is a known member of the ProxyClusterType enum.
-func (e ProxyClusterType) Valid() bool {
-	switch e {
-	case ProxyClusterTypeAccount:
-		return true
-	case ProxyClusterTypeShared:
-		return true
-	default:
-		return false
-	}
-}
-
 // Defines values for ResourceType.
 const (
 	ResourceTypeDomain ResourceType = "domain"
@@ -1656,9 +1638,7 @@ type Checks struct {
 	// OsVersionCheck Posture check for the version of operating system
 	OsVersionCheck *OSVersionCheck `json:"os_version_check,omitempty"`
 
-	// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it
-	// contains any of the peer's local network interface IPs or its public connection (NAT egress) IP,
-	// so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
+	// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it contains any of the peer's local network interface IPs or its public connection (NAT egress) IP, so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
 	PeerNetworkRangeCheck *PeerNetworkRangeCheck `json:"peer_network_range_check,omitempty"`
 
 	// ProcessCheck Posture Check for binaries exist and are running in the peer’s system
@@ -3350,9 +3330,7 @@ type PeerMinimum struct {
 	Name string `json:"name"`
 }
 
-// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it
-// contains any of the peer's local network interface IPs or its public connection (NAT egress) IP,
-// so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
+// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it contains any of the peer's local network interface IPs or its public connection (NAT egress) IP, so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
 type PeerNetworkRangeCheck struct {
 	// Action Action to take upon policy match
 	Action PeerNetworkRangeCheckAction `json:"action"`
@@ -3807,36 +3785,19 @@ type ProxyAccessLogsResponse struct {
 
 // ProxyCluster A proxy cluster represents a group of proxy nodes serving the same address
 type ProxyCluster struct {
-	// Address Cluster address used for CNAME targets
-	Address string `json:"address"`
-
-	// ConnectedProxies Number of proxy nodes currently connected (heartbeat within the active window)
-	ConnectedProxies int `json:"connected_proxies"`
-
 	// Id Unique identifier of a proxy in this cluster
 	Id string `json:"id"`
 
-	// Online Whether at least one proxy in the cluster has heartbeated within the active window
-	Online bool `json:"online"`
+	// Address Cluster address used for CNAME targets
+	Address string `json:"address"`
 
-	// RequireSubdomain Whether services on this cluster must include a subdomain label
-	RequireSubdomain *bool `json:"require_subdomain,omitempty"`
+	// ConnectedProxies Number of proxy nodes connected in this cluster
+	ConnectedProxies int `json:"connected_proxies"`
 
-	// SupportsCrowdsec Whether all active proxies in the cluster have CrowdSec configured
-	SupportsCrowdsec *bool `json:"supports_crowdsec,omitempty"`
-
-	// SupportsCustomPorts Whether the cluster supports binding arbitrary TCP/UDP ports
-	SupportsCustomPorts *bool `json:"supports_custom_ports,omitempty"`
-
-	// Type Source of the proxy cluster. `account` clusters are owned and operated by the account (BYOP);
-	// `shared` clusters are operated by NetBird and shared across accounts.
-	Type ProxyClusterType `json:"type"`
+	// SelfHosted Whether this cluster is a self-hosted (BYOP) proxy managed by the account owner
+	SelfHosted bool `json:"self_hosted"`
 }
 
-// ProxyClusterType Source of the proxy cluster. `account` clusters are owned and operated by the account (BYOP);
-// `shared` clusters are operated by NetBird and shared across accounts.
-type ProxyClusterType string
-
 // ProxyToken defines model for ProxyToken.
 type ProxyToken struct {
 	CreatedAt time.Time  `json:"created_at"`
@@ -4859,12 +4820,6 @@ type ZoneRequest struct {
 // Conflict Standard error response. Note: The exact structure of this error response is inferred from `util.WriteErrorResponse` and `util.WriteError` usage in the provided Go code, as a specific Go struct for errors was not provided.
 type Conflict = ErrorResponse
 
-// bearerAuthContextKey is the context key for BearerAuth security scheme
-type bearerAuthContextKey string
-
-// tokenAuthContextKey is the context key for TokenAuth security scheme
-type tokenAuthContextKey string
-
 // GetApiEventsNetworkTrafficParams defines parameters for GetApiEventsNetworkTraffic.
 type GetApiEventsNetworkTrafficParams struct {
 	// Page Page number

shared/management/proto/proxy_service.pb.go

@@ -1970,269 +1970,6 @@ func (x *ValidateSessionResponse) GetDeniedReason() string {
 	return ""
 }
 
-// SyncMappingsRequest is sent by the proxy on the bidirectional SyncMappings
-// stream. The first message MUST be an init; all subsequent messages MUST be
-// acks.
-type SyncMappingsRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Types that are assignable to Msg:
-	//
-	//	*SyncMappingsRequest_Init
-	//	*SyncMappingsRequest_Ack
-	Msg isSyncMappingsRequest_Msg `protobuf_oneof:"msg"`
-}
-
-func (x *SyncMappingsRequest) Reset() {
-	*x = SyncMappingsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[25]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsRequest) ProtoMessage() {}
-
-func (x *SyncMappingsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[25]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsRequest.ProtoReflect.Descriptor instead.
-func (*SyncMappingsRequest) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{25}
-}
-
-func (m *SyncMappingsRequest) GetMsg() isSyncMappingsRequest_Msg {
-	if m != nil {
-		return m.Msg
-	}
-	return nil
-}
-
-func (x *SyncMappingsRequest) GetInit() *SyncMappingsInit {
-	if x, ok := x.GetMsg().(*SyncMappingsRequest_Init); ok {
-		return x.Init
-	}
-	return nil
-}
-
-func (x *SyncMappingsRequest) GetAck() *SyncMappingsAck {
-	if x, ok := x.GetMsg().(*SyncMappingsRequest_Ack); ok {
-		return x.Ack
-	}
-	return nil
-}
-
-type isSyncMappingsRequest_Msg interface {
-	isSyncMappingsRequest_Msg()
-}
-
-type SyncMappingsRequest_Init struct {
-	Init *SyncMappingsInit `protobuf:"bytes,1,opt,name=init,proto3,oneof"`
-}
-
-type SyncMappingsRequest_Ack struct {
-	Ack *SyncMappingsAck `protobuf:"bytes,2,opt,name=ack,proto3,oneof"`
-}
-
-func (*SyncMappingsRequest_Init) isSyncMappingsRequest_Msg() {}
-
-func (*SyncMappingsRequest_Ack) isSyncMappingsRequest_Msg() {}
-
-// SyncMappingsInit is the first message on the stream, carrying the same
-// identification fields as GetMappingUpdateRequest.
-type SyncMappingsInit struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	ProxyId      string                 `protobuf:"bytes,1,opt,name=proxy_id,json=proxyId,proto3" json:"proxy_id,omitempty"`
-	Version      string                 `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`
-	StartedAt    *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=started_at,json=startedAt,proto3" json:"started_at,omitempty"`
-	Address      string                 `protobuf:"bytes,4,opt,name=address,proto3" json:"address,omitempty"`
-	Capabilities *ProxyCapabilities     `protobuf:"bytes,5,opt,name=capabilities,proto3" json:"capabilities,omitempty"`
-}
-
-func (x *SyncMappingsInit) Reset() {
-	*x = SyncMappingsInit{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[26]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsInit) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsInit) ProtoMessage() {}
-
-func (x *SyncMappingsInit) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[26]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsInit.ProtoReflect.Descriptor instead.
-func (*SyncMappingsInit) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{26}
-}
-
-func (x *SyncMappingsInit) GetProxyId() string {
-	if x != nil {
-		return x.ProxyId
-	}
-	return ""
-}
-
-func (x *SyncMappingsInit) GetVersion() string {
-	if x != nil {
-		return x.Version
-	}
-	return ""
-}
-
-func (x *SyncMappingsInit) GetStartedAt() *timestamppb.Timestamp {
-	if x != nil {
-		return x.StartedAt
-	}
-	return nil
-}
-
-func (x *SyncMappingsInit) GetAddress() string {
-	if x != nil {
-		return x.Address
-	}
-	return ""
-}
-
-func (x *SyncMappingsInit) GetCapabilities() *ProxyCapabilities {
-	if x != nil {
-		return x.Capabilities
-	}
-	return nil
-}
-
-// SyncMappingsAck is sent by the proxy after it has fully processed a batch.
-// Management waits for this before sending the next batch.
-type SyncMappingsAck struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-}
-
-func (x *SyncMappingsAck) Reset() {
-	*x = SyncMappingsAck{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[27]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsAck) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsAck) ProtoMessage() {}
-
-func (x *SyncMappingsAck) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[27]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsAck.ProtoReflect.Descriptor instead.
-func (*SyncMappingsAck) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{27}
-}
-
-// SyncMappingsResponse is a batch of mappings sent by management.
-// Identical semantics to GetMappingUpdateResponse.
-type SyncMappingsResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Mapping []*ProxyMapping `protobuf:"bytes,1,rep,name=mapping,proto3" json:"mapping,omitempty"`
-	// initial_sync_complete is set on the last message of the initial snapshot.
-	InitialSyncComplete bool `protobuf:"varint,2,opt,name=initial_sync_complete,json=initialSyncComplete,proto3" json:"initial_sync_complete,omitempty"`
-}
-
-func (x *SyncMappingsResponse) Reset() {
-	*x = SyncMappingsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[28]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsResponse) ProtoMessage() {}
-
-func (x *SyncMappingsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[28]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsResponse.ProtoReflect.Descriptor instead.
-func (*SyncMappingsResponse) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{28}
-}
-
-func (x *SyncMappingsResponse) GetMapping() []*ProxyMapping {
-	if x != nil {
-		return x.Mapping
-	}
-	return nil
-}
-
-func (x *SyncMappingsResponse) GetInitialSyncComplete() bool {
-	if x != nil {
-		return x.InitialSyncComplete
-	}
-	return false
-}
-
 var File_proxy_service_proto protoreflect.FileDescriptor
 
 var file_proxy_service_proto_rawDesc = []byte{
@@ -2517,74 +2254,37 @@ var file_proxy_service_proto_rawDesc = []byte{
 	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, 0x72, 0x45, 0x6d, 0x61, 0x69,
 	0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x61, 0x73,
 	0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64,
-	0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x22, 0x81, 0x01, 0x0a, 0x13, 0x53, 0x79, 0x6e, 0x63, 0x4d,
-	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x32,
-	0x0a, 0x04, 0x69, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61,
-	0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x49, 0x6e, 0x69, 0x74, 0x48, 0x00, 0x52, 0x04, 0x69, 0x6e,
-	0x69, 0x74, 0x12, 0x2f, 0x0a, 0x03, 0x61, 0x63, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e,
-	0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x41, 0x63, 0x6b, 0x48, 0x00, 0x52, 0x03,
-	0x61, 0x63, 0x6b, 0x42, 0x05, 0x0a, 0x03, 0x6d, 0x73, 0x67, 0x22, 0xdf, 0x01, 0x0a, 0x10, 0x53,
-	0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x49, 0x6e, 0x69, 0x74, 0x12,
-	0x19, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x49, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65,
-	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72,
-	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x39, 0x0a, 0x0a, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x5f,
-	0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12,
-	0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x41, 0x0a, 0x0c, 0x63, 0x61, 0x70,
-	0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x0c,
-	0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x11, 0x0a, 0x0f,
-	0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x41, 0x63, 0x6b, 0x22,
-	0x7e, 0x0a, 0x14, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69,
-	0x6e, 0x67, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69,
-	0x6e, 0x67, 0x52, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x0a, 0x15, 0x69,
-	0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x73, 0x79, 0x6e, 0x63, 0x5f, 0x63, 0x6f, 0x6d, 0x70,
-	0x6c, 0x65, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x69, 0x6e, 0x69, 0x74,
-	0x69, 0x61, 0x6c, 0x53, 0x79, 0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x2a,
-	0x64, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55,
-	0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44,
-	0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44,
-	0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50,
-	0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13,
-	0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f,
-	0x56, 0x45, 0x44, 0x10, 0x02, 0x2a, 0x46, 0x0a, 0x0f, 0x50, 0x61, 0x74, 0x68, 0x52, 0x65, 0x77,
-	0x72, 0x69, 0x74, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x50, 0x41, 0x54, 0x48,
-	0x5f, 0x52, 0x45, 0x57, 0x52, 0x49, 0x54, 0x45, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54,
-	0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x50, 0x41, 0x54, 0x48, 0x5f, 0x52, 0x45, 0x57, 0x52, 0x49,
-	0x54, 0x45, 0x5f, 0x50, 0x52, 0x45, 0x53, 0x45, 0x52, 0x56, 0x45, 0x10, 0x01, 0x2a, 0xc8, 0x01,
-	0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a,
-	0x14, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45,
-	0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x17, 0x0a, 0x13, 0x50, 0x52, 0x4f, 0x58, 0x59,
-	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01,
-	0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
-	0x5f, 0x54, 0x55, 0x4e, 0x4e, 0x45, 0x4c, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x43, 0x52, 0x45, 0x41,
-	0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x24, 0x0a, 0x20, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53,
-	0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54,
-	0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x50,
-	0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54,
-	0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04,
-	0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
-	0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x05, 0x32, 0xd3, 0x05, 0x0a, 0x0c, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x10, 0x47, 0x65, 0x74,
-	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61,
-	0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x55, 0x0a, 0x0c, 0x53, 0x79,
-	0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x1f, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70,
-	0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70,
-	0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x28, 0x01, 0x30,
+	0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x2a, 0x64, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d,
+	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65,
+	0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
+	0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x44,
+	0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x49, 0x46, 0x49, 0x45,
+	0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59,
+	0x50, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x56, 0x45, 0x44, 0x10, 0x02, 0x2a, 0x46, 0x0a, 0x0f,
+	0x50, 0x61, 0x74, 0x68, 0x52, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12,
+	0x18, 0x0a, 0x14, 0x50, 0x41, 0x54, 0x48, 0x5f, 0x52, 0x45, 0x57, 0x52, 0x49, 0x54, 0x45, 0x5f,
+	0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x50, 0x41, 0x54,
+	0x48, 0x5f, 0x52, 0x45, 0x57, 0x52, 0x49, 0x54, 0x45, 0x5f, 0x50, 0x52, 0x45, 0x53, 0x45, 0x52,
+	0x56, 0x45, 0x10, 0x01, 0x2a, 0xc8, 0x01, 0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a, 0x14, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54,
+	0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x17,
+	0x0a, 0x13, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41,
+	0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59,
+	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x55, 0x4e, 0x4e, 0x45, 0x4c, 0x5f, 0x4e,
+	0x4f, 0x54, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x24, 0x0a, 0x20,
+	0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52,
+	0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47,
+	0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54,
+	0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x46,
+	0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x58, 0x59,
+	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x05, 0x32,
+	0xfc, 0x04, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
+	0x12, 0x5f, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70,
+	0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61,
+	0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
+	0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30,
 	0x01, 0x12, 0x54, 0x0a, 0x0d, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c,
 	0x6f, 0x67, 0x12, 0x20, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
 	0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71,
@@ -2634,7 +2334,7 @@ func file_proxy_service_proto_rawDescGZIP() []byte {
 }
 
 var file_proxy_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_proxy_service_proto_msgTypes = make([]protoimpl.MessageInfo, 31)
+var file_proxy_service_proto_msgTypes = make([]protoimpl.MessageInfo, 27)
 var file_proxy_service_proto_goTypes = []interface{}{
 	(ProxyMappingUpdateType)(0),      // 0: management.ProxyMappingUpdateType
 	(PathRewriteMode)(0),             // 1: management.PathRewriteMode
@@ -2664,23 +2364,19 @@ var file_proxy_service_proto_goTypes = []interface{}{
 	(*GetOIDCURLResponse)(nil),       // 25: management.GetOIDCURLResponse
 	(*ValidateSessionRequest)(nil),   // 26: management.ValidateSessionRequest
 	(*ValidateSessionResponse)(nil),  // 27: management.ValidateSessionResponse
-	(*SyncMappingsRequest)(nil),      // 28: management.SyncMappingsRequest
-	(*SyncMappingsInit)(nil),         // 29: management.SyncMappingsInit
-	(*SyncMappingsAck)(nil),          // 30: management.SyncMappingsAck
-	(*SyncMappingsResponse)(nil),     // 31: management.SyncMappingsResponse
-	nil,                              // 32: management.PathTargetOptions.CustomHeadersEntry
-	nil,                              // 33: management.AccessLog.MetadataEntry
-	(*timestamppb.Timestamp)(nil),    // 34: google.protobuf.Timestamp
-	(*durationpb.Duration)(nil),      // 35: google.protobuf.Duration
+	nil,                              // 28: management.PathTargetOptions.CustomHeadersEntry
+	nil,                              // 29: management.AccessLog.MetadataEntry
+	(*timestamppb.Timestamp)(nil),    // 30: google.protobuf.Timestamp
+	(*durationpb.Duration)(nil),      // 31: google.protobuf.Duration
 }
 var file_proxy_service_proto_depIdxs = []int32{
-	34, // 0: management.GetMappingUpdateRequest.started_at:type_name -> google.protobuf.Timestamp
+	30, // 0: management.GetMappingUpdateRequest.started_at:type_name -> google.protobuf.Timestamp
 	3,  // 1: management.GetMappingUpdateRequest.capabilities:type_name -> management.ProxyCapabilities
 	11, // 2: management.GetMappingUpdateResponse.mapping:type_name -> management.ProxyMapping
-	35, // 3: management.PathTargetOptions.request_timeout:type_name -> google.protobuf.Duration
+	31, // 3: management.PathTargetOptions.request_timeout:type_name -> google.protobuf.Duration
 	1,  // 4: management.PathTargetOptions.path_rewrite:type_name -> management.PathRewriteMode
-	32, // 5: management.PathTargetOptions.custom_headers:type_name -> management.PathTargetOptions.CustomHeadersEntry
-	35, // 6: management.PathTargetOptions.session_idle_timeout:type_name -> google.protobuf.Duration
+	28, // 5: management.PathTargetOptions.custom_headers:type_name -> management.PathTargetOptions.CustomHeadersEntry
+	31, // 6: management.PathTargetOptions.session_idle_timeout:type_name -> google.protobuf.Duration
 	6,  // 7: management.PathMapping.options:type_name -> management.PathTargetOptions
 	8,  // 8: management.Authentication.header_auths:type_name -> management.HeaderAuth
 	0,  // 9: management.ProxyMapping.type:type_name -> management.ProxyMappingUpdateType
@@ -2688,38 +2384,31 @@ var file_proxy_service_proto_depIdxs = []int32{
 	9,  // 11: management.ProxyMapping.auth:type_name -> management.Authentication
 	10, // 12: management.ProxyMapping.access_restrictions:type_name -> management.AccessRestrictions
 	14, // 13: management.SendAccessLogRequest.log:type_name -> management.AccessLog
-	34, // 14: management.AccessLog.timestamp:type_name -> google.protobuf.Timestamp
-	33, // 15: management.AccessLog.metadata:type_name -> management.AccessLog.MetadataEntry
+	30, // 14: management.AccessLog.timestamp:type_name -> google.protobuf.Timestamp
+	29, // 15: management.AccessLog.metadata:type_name -> management.AccessLog.MetadataEntry
 	17, // 16: management.AuthenticateRequest.password:type_name -> management.PasswordRequest
 	18, // 17: management.AuthenticateRequest.pin:type_name -> management.PinRequest
 	16, // 18: management.AuthenticateRequest.header_auth:type_name -> management.HeaderAuthRequest
 	2,  // 19: management.SendStatusUpdateRequest.status:type_name -> management.ProxyStatus
-	29, // 20: management.SyncMappingsRequest.init:type_name -> management.SyncMappingsInit
-	30, // 21: management.SyncMappingsRequest.ack:type_name -> management.SyncMappingsAck
-	34, // 22: management.SyncMappingsInit.started_at:type_name -> google.protobuf.Timestamp
-	3,  // 23: management.SyncMappingsInit.capabilities:type_name -> management.ProxyCapabilities
-	11, // 24: management.SyncMappingsResponse.mapping:type_name -> management.ProxyMapping
-	4,  // 25: management.ProxyService.GetMappingUpdate:input_type -> management.GetMappingUpdateRequest
-	28, // 26: management.ProxyService.SyncMappings:input_type -> management.SyncMappingsRequest
-	12, // 27: management.ProxyService.SendAccessLog:input_type -> management.SendAccessLogRequest
-	15, // 28: management.ProxyService.Authenticate:input_type -> management.AuthenticateRequest
-	20, // 29: management.ProxyService.SendStatusUpdate:input_type -> management.SendStatusUpdateRequest
-	22, // 30: management.ProxyService.CreateProxyPeer:input_type -> management.CreateProxyPeerRequest
-	24, // 31: management.ProxyService.GetOIDCURL:input_type -> management.GetOIDCURLRequest
-	26, // 32: management.ProxyService.ValidateSession:input_type -> management.ValidateSessionRequest
-	5,  // 33: management.ProxyService.GetMappingUpdate:output_type -> management.GetMappingUpdateResponse
-	31, // 34: management.ProxyService.SyncMappings:output_type -> management.SyncMappingsResponse
-	13, // 35: management.ProxyService.SendAccessLog:output_type -> management.SendAccessLogResponse
-	19, // 36: management.ProxyService.Authenticate:output_type -> management.AuthenticateResponse
-	21, // 37: management.ProxyService.SendStatusUpdate:output_type -> management.SendStatusUpdateResponse
-	23, // 38: management.ProxyService.CreateProxyPeer:output_type -> management.CreateProxyPeerResponse
-	25, // 39: management.ProxyService.GetOIDCURL:output_type -> management.GetOIDCURLResponse
-	27, // 40: management.ProxyService.ValidateSession:output_type -> management.ValidateSessionResponse
-	33, // [33:41] is the sub-list for method output_type
-	25, // [25:33] is the sub-list for method input_type
-	25, // [25:25] is the sub-list for extension type_name
-	25, // [25:25] is the sub-list for extension extendee
-	0,  // [0:25] is the sub-list for field type_name
+	4,  // 20: management.ProxyService.GetMappingUpdate:input_type -> management.GetMappingUpdateRequest
+	12, // 21: management.ProxyService.SendAccessLog:input_type -> management.SendAccessLogRequest
+	15, // 22: management.ProxyService.Authenticate:input_type -> management.AuthenticateRequest
+	20, // 23: management.ProxyService.SendStatusUpdate:input_type -> management.SendStatusUpdateRequest
+	22, // 24: management.ProxyService.CreateProxyPeer:input_type -> management.CreateProxyPeerRequest
+	24, // 25: management.ProxyService.GetOIDCURL:input_type -> management.GetOIDCURLRequest
+	26, // 26: management.ProxyService.ValidateSession:input_type -> management.ValidateSessionRequest
+	5,  // 27: management.ProxyService.GetMappingUpdate:output_type -> management.GetMappingUpdateResponse
+	13, // 28: management.ProxyService.SendAccessLog:output_type -> management.SendAccessLogResponse
+	19, // 29: management.ProxyService.Authenticate:output_type -> management.AuthenticateResponse
+	21, // 30: management.ProxyService.SendStatusUpdate:output_type -> management.SendStatusUpdateResponse
+	23, // 31: management.ProxyService.CreateProxyPeer:output_type -> management.CreateProxyPeerResponse
+	25, // 32: management.ProxyService.GetOIDCURL:output_type -> management.GetOIDCURLResponse
+	27, // 33: management.ProxyService.ValidateSession:output_type -> management.ValidateSessionResponse
+	27, // [27:34] is the sub-list for method output_type
+	20, // [20:27] is the sub-list for method input_type
+	20, // [20:20] is the sub-list for extension type_name
+	20, // [20:20] is the sub-list for extension extendee
+	0,  // [0:20] is the sub-list for field type_name
 }
 
 func init() { file_proxy_service_proto_init() }
@@ -3028,54 +2717,6 @@ func file_proxy_service_proto_init() {
 				return nil
 			}
 		}
-		file_proxy_service_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_proxy_service_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsInit); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_proxy_service_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsAck); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_proxy_service_proto_msgTypes[28].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
 	}
 	file_proxy_service_proto_msgTypes[0].OneofWrappers = []interface{}{}
 	file_proxy_service_proto_msgTypes[12].OneofWrappers = []interface{}{
@@ -3085,17 +2726,13 @@ func file_proxy_service_proto_init() {
 	}
 	file_proxy_service_proto_msgTypes[17].OneofWrappers = []interface{}{}
 	file_proxy_service_proto_msgTypes[20].OneofWrappers = []interface{}{}
-	file_proxy_service_proto_msgTypes[25].OneofWrappers = []interface{}{
-		(*SyncMappingsRequest_Init)(nil),
-		(*SyncMappingsRequest_Ack)(nil),
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_proxy_service_proto_rawDesc,
 			NumEnums:      3,
-			NumMessages:   31,
+			NumMessages:   27,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

shared/management/proto/proxy_service.proto

@@ -12,15 +12,6 @@ import "google/protobuf/timestamp.proto";
 service ProxyService {
   rpc GetMappingUpdate(GetMappingUpdateRequest) returns (stream GetMappingUpdateResponse);
 
-  // SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-  // new proxies. The proxy sends an initial SyncMappingsRequest to start the
-  // stream and then sends an ack after each batch is fully processed.
-  // Management waits for the ack before sending the next batch, providing
-  // application-level back-pressure during large initial syncs.
-  // Old proxies continue using GetMappingUpdate; old management servers
-  // return Unimplemented for this RPC and proxies fall back.
-  rpc SyncMappings(stream SyncMappingsRequest) returns (stream SyncMappingsResponse);
-
   rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);
 
   rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
@@ -255,35 +246,3 @@ message ValidateSessionResponse {
   string user_email = 3;
   string denied_reason = 4;
 }
-
-// SyncMappingsRequest is sent by the proxy on the bidirectional SyncMappings
-// stream. The first message MUST be an init; all subsequent messages MUST be
-// acks.
-message SyncMappingsRequest {
-  oneof msg {
-    SyncMappingsInit init = 1;
-    SyncMappingsAck ack = 2;
-  }
-}
-
-// SyncMappingsInit is the first message on the stream, carrying the same
-// identification fields as GetMappingUpdateRequest.
-message SyncMappingsInit {
-  string proxy_id = 1;
-  string version = 2;
-  google.protobuf.Timestamp started_at = 3;
-  string address = 4;
-  ProxyCapabilities capabilities = 5;
-}
-
-// SyncMappingsAck is sent by the proxy after it has fully processed a batch.
-// Management waits for this before sending the next batch.
-message SyncMappingsAck {}
-
-// SyncMappingsResponse is a batch of mappings sent by management.
-// Identical semantics to GetMappingUpdateResponse.
-message SyncMappingsResponse {
-  repeated ProxyMapping mapping = 1;
-  // initial_sync_complete is set on the last message of the initial snapshot.
-  bool initial_sync_complete = 2;
-}

shared/management/proto/proxy_service_grpc.pb.go

@@ -19,14 +19,6 @@ const _ = grpc.SupportPackageIsVersion7
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type ProxyServiceClient interface {
 	GetMappingUpdate(ctx context.Context, in *GetMappingUpdateRequest, opts ...grpc.CallOption) (ProxyService_GetMappingUpdateClient, error)
-	// SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-	// new proxies. The proxy sends an initial SyncMappingsRequest to start the
-	// stream and then sends an ack after each batch is fully processed.
-	// Management waits for the ack before sending the next batch, providing
-	// application-level back-pressure during large initial syncs.
-	// Old proxies continue using GetMappingUpdate; old management servers
-	// return Unimplemented for this RPC and proxies fall back.
-	SyncMappings(ctx context.Context, opts ...grpc.CallOption) (ProxyService_SyncMappingsClient, error)
 	SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error)
 	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
 	SendStatusUpdate(ctx context.Context, in *SendStatusUpdateRequest, opts ...grpc.CallOption) (*SendStatusUpdateResponse, error)
@@ -77,37 +69,6 @@ func (x *proxyServiceGetMappingUpdateClient) Recv() (*GetMappingUpdateResponse,
 	return m, nil
 }
 
-func (c *proxyServiceClient) SyncMappings(ctx context.Context, opts ...grpc.CallOption) (ProxyService_SyncMappingsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &ProxyService_ServiceDesc.Streams[1], "/management.ProxyService/SyncMappings", opts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &proxyServiceSyncMappingsClient{stream}
-	return x, nil
-}
-
-type ProxyService_SyncMappingsClient interface {
-	Send(*SyncMappingsRequest) error
-	Recv() (*SyncMappingsResponse, error)
-	grpc.ClientStream
-}
-
-type proxyServiceSyncMappingsClient struct {
-	grpc.ClientStream
-}
-
-func (x *proxyServiceSyncMappingsClient) Send(m *SyncMappingsRequest) error {
-	return x.ClientStream.SendMsg(m)
-}
-
-func (x *proxyServiceSyncMappingsClient) Recv() (*SyncMappingsResponse, error) {
-	m := new(SyncMappingsResponse)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 func (c *proxyServiceClient) SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error) {
 	out := new(SendAccessLogResponse)
 	err := c.cc.Invoke(ctx, "/management.ProxyService/SendAccessLog", in, out, opts...)
@@ -167,14 +128,6 @@ func (c *proxyServiceClient) ValidateSession(ctx context.Context, in *ValidateSe
 // for forward compatibility
 type ProxyServiceServer interface {
 	GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error
-	// SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-	// new proxies. The proxy sends an initial SyncMappingsRequest to start the
-	// stream and then sends an ack after each batch is fully processed.
-	// Management waits for the ack before sending the next batch, providing
-	// application-level back-pressure during large initial syncs.
-	// Old proxies continue using GetMappingUpdate; old management servers
-	// return Unimplemented for this RPC and proxies fall back.
-	SyncMappings(ProxyService_SyncMappingsServer) error
 	SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error)
 	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
 	SendStatusUpdate(context.Context, *SendStatusUpdateRequest) (*SendStatusUpdateResponse, error)
@@ -193,9 +146,6 @@ type UnimplementedProxyServiceServer struct {
 func (UnimplementedProxyServiceServer) GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error {
 	return status.Errorf(codes.Unimplemented, "method GetMappingUpdate not implemented")
 }
-func (UnimplementedProxyServiceServer) SyncMappings(ProxyService_SyncMappingsServer) error {
-	return status.Errorf(codes.Unimplemented, "method SyncMappings not implemented")
-}
 func (UnimplementedProxyServiceServer) SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SendAccessLog not implemented")
 }
@@ -248,32 +198,6 @@ func (x *proxyServiceGetMappingUpdateServer) Send(m *GetMappingUpdateResponse) e
 	return x.ServerStream.SendMsg(m)
 }
 
-func _ProxyService_SyncMappings_Handler(srv interface{}, stream grpc.ServerStream) error {
-	return srv.(ProxyServiceServer).SyncMappings(&proxyServiceSyncMappingsServer{stream})
-}
-
-type ProxyService_SyncMappingsServer interface {
-	Send(*SyncMappingsResponse) error
-	Recv() (*SyncMappingsRequest, error)
-	grpc.ServerStream
-}
-
-type proxyServiceSyncMappingsServer struct {
-	grpc.ServerStream
-}
-
-func (x *proxyServiceSyncMappingsServer) Send(m *SyncMappingsResponse) error {
-	return x.ServerStream.SendMsg(m)
-}
-
-func (x *proxyServiceSyncMappingsServer) Recv() (*SyncMappingsRequest, error) {
-	m := new(SyncMappingsRequest)
-	if err := x.ServerStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 func _ProxyService_SendAccessLog_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SendAccessLogRequest)
 	if err := dec(in); err != nil {
@@ -420,12 +344,6 @@ var ProxyService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _ProxyService_GetMappingUpdate_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "SyncMappings",
-			Handler:       _ProxyService_SyncMappings_Handler,
-			ServerStreams: true,
-			ClientStreams: true,
-		},
 	},
 	Metadata: "proxy_service.proto",
 }