[management] Account-scoped ephemeral peer cleanup

Replace the per-peer linked list with a per-account map keyed by
accountID. Each entry holds only the latest disconnect timestamp we
have observed for that account and a single timer that fires the next
sweep. Sweeps query the database for the authoritative stale set,
batch the deletes through peers.Manager.DeletePeers, then drop the
account from the tracker when lastDisc + lifeTime <= now (else
re-arm at horizon + cleanupWindow).

The drop rule is the entire termination story: an account stays
tracked only while OnPeerDisconnected keeps refreshing the
timestamp. There is no internal feedback loop that can advance
lastDisc on its own, so once disconnects stop the account drops in
at most one sweep.

A timestamp beats the ref-counter alternative because the counter
drifts positive in three real situations the cleanup loop has no
signal for: peers deleted via the API while offline, peers that
reconnect within the lifetime window, and management restarts. The
timestamp design never claims to know the size of the stale set —
it only knows the latest disconnect we observed and uses that to
bound when it is safe to drop the account.

OnPeerConnected becomes a no-op. The sweep query already filters
reconnected peers at the database level (peer_status_connected =
false in the WHERE clause), so there is nothing the in-memory
tracker needs to do on reconnect. The interface method is preserved
for call-site compatibility.

LoadInitialPeers no longer runs the catch-up query synchronously.
It schedules a deferred load via time.AfterFunc at a random delay
between 8 and 10 minutes. Without the jitter, every management
replica in a fleet-wide deploy would issue the catch-up query
simultaneously. The catch-up itself is one GROUP BY against the
peers table:
```sql
  SELECT account_id, MAX(peer_status_last_seen)
  FROM peers
  WHERE ephemeral = true AND peer_status_connected = false
  GROUP BY account_id
```
For each row the tracker seeds an entry and arms a sweep at
max(now, last_seen + lifeTime) + cleanupWindow — so accounts whose
backlog is already stale get cleaned soon after the delay elapses,
and accounts that disconnected recently wait the remaining window.
OnPeerDisconnected calls that arrive during the delay window seed
the tracker live, and the catch-up query skips accounts that are
already tracked.

Stop() cancels both the deferred initial-load timer and every
per-account sweep timer, and flips a stopped flag so subsequent
OnPeerDisconnected calls are ignored. This makes restarts and test
teardown clean.

Two new store methods:
  GetStaleEphemeralPeerIDsForAccount(ctx, accountID, olderThan)
  GetEphemeralAccountsLastDisconnect(ctx)
Both are scoped, indexable queries that the existing peers table
supports without schema changes.

The pending metric is renamed from
management.ephemeral.peers.pending to
management.ephemeral.accounts.tracked to reflect the new semantics
(it now counts accounts on the cleanup list, not peers). Method
names on the metrics type are unchanged so no production call site
has to move. No new metric labels, no per-account cardinality.

The algorithm was validated against an in-memory SQLite peers
table through an 11-scenario prototype kept under proto/, including
pathological-churn and 4-hour randomized simulations. All scenarios
terminate; max observed per-account sweep rate stays bounded near
the lifeTime + cleanupWindow cadence even under sustained
disconnect churn.

Verification: go build, go vet, race-clean tests across the
ephemeral, store, and telemetry packages, plus a clean
golangci-lint pass on the touched packages.

.github/pull_request_template.md

@@ -12,7 +12,6 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
-- [ ] This change does **not** modify the public API, gRPC protocols, functionality behavior, CLI / service flags, or introduce a new feature — **OR** I have discussed it with the NetBird team beforehand (link the issue / Slack thread in the description). See [CONTRIBUTING.md](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTING.md#discuss-changes-with-the-netbird-team-first).
 
 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).
 

CONTRIBUTING.md

@@ -15,7 +15,6 @@ If you haven't already, join our slack workspace [here](https://docs.netbird.io/
 - [Contributing to NetBird](#contributing-to-netbird)
     - [Contents](#contents)
     - [Code of conduct](#code-of-conduct)
-    - [Discuss changes with the NetBird team first](#discuss-changes-with-the-netbird-team-first)
     - [Directory structure](#directory-structure)
     - [Development setup](#development-setup)
         - [Requirements](#requirements)
@@ -34,14 +33,6 @@ Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report
 unacceptable behavior to community@netbird.io.
 
-## Discuss changes with the NetBird team first
-
-Changes to the **public API**, **gRPC protocols**, **functionality behavior**, **CLI / service flags**, or **new features** should be discussed with the NetBird team before you start the work. These surfaces are part of NetBird's contract with operators, self-hosters, and downstream integrators, and changes to them have compatibility, security, and release-planning implications that benefit from an early conversation.
-
-Open an issue or reach out on [Slack](https://docs.netbird.io/slack-url) to talk through what you have in mind. We'll help shape the change, flag any constraints we know about, and confirm the direction so the PR review can focus on implementation rather than design.
-
-Typical bug fixes, internal refactors, documentation updates, and tests do not need pre-discussion — open the PR directly.
-
 ## Directory structure
 
 The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.

README.md

@@ -1,134 +1,147 @@
 
 <div align="center">
-  <p align="center">
-    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
-  </p>
-  <p align="center">
-    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
-      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
-    </a>
-    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
-    </a>
+<br/>
+  <br/>
+<p align="center">
+  <img width="234" src="docs/media/logo-full.png"/>
+</p>
+  <p>
+   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
+       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
+     </a> 
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+    <br>
     <a href="https://docs.netbird.io/slack-url">
-      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
-    </a>
+        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+     </a>
     <a href="https://forum.netbird.io">
-      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
-    </a>
+        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
+     </a>  
+     <br>
     <a href="https://gurubase.io/g/netbird">
-      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
-    </a>
+        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
+     </a>    
   </p>
 </div>
 
+
 <p align="center">
-  <strong>
-    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
-    <br/>
-    See <a href="https://netbird.io/docs/">Documentation</a>
-    <br/>
-    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  </strong>
+<strong>
+  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
   <br/>
+  See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-  <strong>
-    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-  </strong>
+   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  <br/>
+ 
+</strong>
+<br>
+<strong>
+  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+</strong>
+<br>
+<br>
+<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
+    New: NetBird terraform provider
+  </a> 
 </p>
 
+<br>
+
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
 
 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
 
 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
 
+### Open Source Network Security in a Single Platform
+
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
-### Self-host NetBird (video)
-
+### Self-Host NetBird (Video)
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
 
 ### Key features
 
-| Connectivity | Management | Security | Automation | Platforms |
-|---|---|---|---|---|
-| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
-| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
-| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
-| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
-| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
-| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
-| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
-| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
-| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
-| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
-| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
-| | | | | ✓ OpenWRT |
-| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
-| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
-| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
-| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
-| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
-| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |
+| Connectivity | Management | Security | Automation| Platforms |
+|----|----|----|----|----|
+| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
+| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
+| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
+| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
+| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
+||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
+||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
+||||| <ul><li>- \[x] Docker</ui></li> |
 
 ### Quickstart with NetBird Cloud
 
-- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
-- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
-- Check the NetBird [admin UI](https://app.netbird.io/).
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
+- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
+- Check NetBird [admin UI](https://app.netbird.io/).
+- Add more machines.
 
 ### Quickstart with self-hosted NetBird
 
-This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.
+> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
+Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
 
 **Infrastructure requirements:**
-- A Linux VM with at least **1 CPU** and **2 GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
-- A **public domain** name pointing to the VM.
+- A Linux VM with at least **1CPU** and **2GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
+- **Public domain** name pointing to the VM.
 
 **Software requirements:**
-- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- [jq](https://jqlang.github.io/jq/) installed. In most distributions
+  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
+- [curl](https://curl.se/) installed.
+  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
 
 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
+- Once finished, you can manage the resources via `docker-compose`
 
 ### A bit on NetBird internals
-- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
-- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
-- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
-- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
-- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
-- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.
+-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
+-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 
 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
 </p>
 
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
 
 ### Community projects
-- [NetBird installer script](https://github.com/physk/netbird-installer)
-- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
-- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks
+-  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
+-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
 
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
 
 ### Support acknowledgement
 
-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
 
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)
 
-### Acknowledgements
-We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
 
 ### Legal
-This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

client/firewall/iptables/dnat_refcount_linux_test.go

@@ -1,199 +0,0 @@
-package iptables
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func iptRefcountIfaceV4() *iFaceMock {
-	return &iFaceMock{
-		NameFunc: func() string { return "wt-refcount" },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
-			}
-		},
-	}
-}
-
-func iptRefcountIfaceDual() *iFaceMock {
-	return &iFaceMock{
-		NameFunc: func() string { return "wt-refcount" },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
-				IPv6:    netip.MustParseAddr("fd00::1"),
-				IPv6Net: netip.MustParsePrefix("fd00::/64"),
-			}
-		},
-	}
-}
-
-func newIptRefcountManager(t *testing.T, dual bool) *Manager {
-	t.Helper()
-	var ifMock *iFaceMock
-	if dual {
-		ifMock = iptRefcountIfaceDual()
-	} else {
-		ifMock = iptRefcountIfaceV4()
-	}
-	m, err := Create(ifMock, iface.DefaultMTU)
-	require.NoError(t, err, "create manager")
-	require.NoError(t, m.Init(nil), "init manager")
-	t.Cleanup(func() {
-		require.NoError(t, m.Close(nil), "close manager")
-	})
-	return m
-}
-
-func iptDnatV4(port uint16) fw.ForwardRule {
-	return fw.ForwardRule{
-		Protocol:          fw.ProtocolTCP,
-		DestinationPort:   fw.Port{Values: []uint16{port}},
-		TranslatedAddress: netip.MustParseAddr("10.20.0.2"),
-		TranslatedPort:    fw.Port{Values: []uint16{80}},
-	}
-}
-
-func iptDnatV6(port uint16) fw.ForwardRule {
-	return fw.ForwardRule{
-		Protocol:          fw.ProtocolTCP,
-		DestinationPort:   fw.Port{Values: []uint16{port}},
-		TranslatedAddress: netip.MustParseAddr("fd00::2"),
-		TranslatedPort:    fw.Port{Values: []uint16{80}},
-	}
-}
-
-// TestIptablesDNAT_RefcountBalancedV4 covers a Balanced Add/Delete pair on v4.
-func TestIptablesDNAT_RefcountBalancedV4(t *testing.T) {
-	m := newIptRefcountManager(t, false)
-	state := m.router.ipFwdState
-
-	r1, err := m.AddDNATRule(iptDnatV4(7081))
-	require.NoError(t, err, "add v4 dnat 1")
-	v4, v6 := state.Counts()
-	require.Equal(t, 1, v4, "v4 refcount after first add")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-
-	r2, err := m.AddDNATRule(iptDnatV4(7082))
-	require.NoError(t, err, "add v4 dnat 2")
-	v4, v6 = state.Counts()
-	require.Equal(t, 2, v4, "v4 refcount after second add")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-
-	require.NoError(t, m.DeleteDNATRule(r1))
-	v4, v6 = state.Counts()
-	require.Equal(t, 1, v4, "v4 refcount after first delete")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-
-	require.NoError(t, m.DeleteDNATRule(r2))
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount after second delete")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-}
-
-// TestIptablesDNAT_RefcountBalancedV6 checks the v6 path increments v6 only and
-// decrements back to zero.
-func TestIptablesDNAT_RefcountBalancedV6(t *testing.T) {
-	m := newIptRefcountManager(t, true)
-	require.NotNil(t, m.router6, "v6 router")
-	require.Same(t, m.router.ipFwdState, m.router6.ipFwdState, "shared state")
-	state := m.router.ipFwdState
-
-	r1, err := m.AddDNATRule(iptDnatV6(9081))
-	require.NoError(t, err, "add v6 dnat 1")
-	v4, v6 := state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 1, v6, "v6 refcount after first add")
-
-	r2, err := m.AddDNATRule(iptDnatV6(9082))
-	require.NoError(t, err, "add v6 dnat 2")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount unchanged")
-	require.Equal(t, 2, v6, "v6 refcount after second add")
-
-	require.NoError(t, m.DeleteDNATRule(r1))
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount unchanged")
-	require.Equal(t, 1, v6, "v6 refcount after first delete")
-
-	require.NoError(t, m.DeleteDNATRule(r2))
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 0, v6, "v6 refcount after second delete")
-}
-
-// TestIptablesDNAT_DuplicateAddNoLeak verifies the duplicate-rule path returns
-// without bumping the refcount.
-func TestIptablesDNAT_DuplicateAddNoLeak(t *testing.T) {
-	m := newIptRefcountManager(t, true)
-	state := m.router.ipFwdState
-
-	rule := iptDnatV4(7083)
-	r1, err := m.AddDNATRule(rule)
-	require.NoError(t, err)
-	v4, _ := state.Counts()
-	require.Equal(t, 1, v4)
-
-	_, err = m.AddDNATRule(rule)
-	require.NoError(t, err, "duplicate add")
-	v4, _ = state.Counts()
-	require.Equal(t, 1, v4, "duplicate add must not increment")
-
-	require.NoError(t, m.DeleteDNATRule(r1))
-	v4, _ = state.Counts()
-	require.Equal(t, 0, v4, "single delete must drop to zero")
-}
-
-// TestIptablesDNAT_DeleteMissingNoUnderflow verifies Delete on an unknown rule
-// neither errors nor releases the refcount.
-func TestIptablesDNAT_DeleteMissingNoUnderflow(t *testing.T) {
-	m := newIptRefcountManager(t, true)
-	state := m.router.ipFwdState
-
-	phantom := iptDnatV4(7099)
-	require.NoError(t, m.DeleteDNATRule(&phantom), "delete missing v4")
-	v4, v6 := state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 0, v6)
-
-	phantom6 := iptDnatV6(9099)
-	require.NoError(t, m.DeleteDNATRule(&phantom6), "delete missing v6")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 0, v6)
-
-	r1, err := m.AddDNATRule(iptDnatV4(7100))
-	require.NoError(t, err)
-	v4, _ = state.Counts()
-	require.Equal(t, 1, v4, "real add still increments after phantom delete")
-	require.NoError(t, m.DeleteDNATRule(r1))
-}
-
-// TestIptablesDNAT_DoubleDeleteNoUnderflow verifies a second Delete on the same
-// rule is a no-op.
-func TestIptablesDNAT_DoubleDeleteNoUnderflow(t *testing.T) {
-	m := newIptRefcountManager(t, true)
-	state := m.router.ipFwdState
-
-	r1, err := m.AddDNATRule(iptDnatV6(9083))
-	require.NoError(t, err)
-	_, v6 := state.Counts()
-	require.Equal(t, 1, v6)
-
-	require.NoError(t, m.DeleteDNATRule(r1), "first delete")
-	_, v6 = state.Counts()
-	require.Equal(t, 0, v6)
-
-	require.NoError(t, m.DeleteDNATRule(r1), "second delete must be no-op")
-	_, v6 = state.Counts()
-	require.Equal(t, 0, v6, "double delete must not underflow")
-}

client/firewall/iptables/manager_linux.go

@@ -89,7 +89,7 @@ func (m *Manager) createIPv6Components(wgIface iFaceMapper, mtu uint16) error {
 	}
 
 	// Share the same IP forwarding state with the v4 router, since
-	// Forwarding refcounter is per-family but shared between v4 and v6 routers.
+	// EnableIPForwarding controls both v4 and v6 sysctls.
 	m.router6.ipFwdState = m.router.ipFwdState
 
 	m.aclMgr6, err = newAclManager(ip6Client, wgIface)
@@ -402,33 +402,17 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(false); err != nil {
-		return fmt.Errorf("enable IPv4 forwarding: %w", err)
-	}
-	// v6 only when the overlay actually has v6.
-	if m.router6 == nil {
-		return nil
-	}
-	if err := m.router.ipFwdState.RequestForwarding(true); err != nil {
-		if rerr := m.router.ipFwdState.ReleaseForwarding(false); rerr != nil {
-			log.Warnf("rollback v4 forwarding: %v", rerr)
-		}
-		return fmt.Errorf("enable IPv6 forwarding: %w", err)
+	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
+		return fmt.Errorf("enable IP forwarding: %w", err)
 	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	var merr *multierror.Error
-	if err := m.router.ipFwdState.ReleaseForwarding(false); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("disable IPv4 forwarding: %w", err))
+	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
+		return fmt.Errorf("disable IP forwarding: %w", err)
 	}
-	if m.router6 != nil {
-		if err := m.router.ipFwdState.ReleaseForwarding(true); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("disable IPv6 forwarding: %w", err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }
 
 // AddDNATRule adds a DNAT rule

client/firewall/iptables/router_linux.go

@@ -101,7 +101,7 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint1
 		wgIface:        wgIface,
 		mtu:            mtu,
 		v6:             iptablesClient.Proto() == iptables.ProtocolIPv6,
-		ipFwdState:     ipfwdstate.NewIPForwardingState(wgIface.Name()),
+		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
 
 	r.ipsetCounter = refcounter.New(
@@ -763,6 +763,10 @@ func (r *router) updateState() {
 }
 
 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return nil, err
+	}
+
 	ruleKey := rule.ID()
 	if _, exists := r.rules[ruleKey+dnatSuffix]; exists {
 		return rule, nil
@@ -837,16 +841,6 @@ func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 		r.rules[key] = ruleInfo.rule
 	}
 
-	if err := r.ipFwdState.RequestForwarding(r.v6); err != nil {
-		if rollbackErr := r.rollbackRules(rules); rollbackErr != nil {
-			log.Errorf("rollback failed: %v", rollbackErr)
-		}
-		for key := range rules {
-			delete(r.rules, key)
-		}
-		return nil, fmt.Errorf("enable forwarding: %w", err)
-	}
-
 	r.updateState()
 	return rule, nil
 }
@@ -867,15 +861,12 @@ func (r *router) rollbackRules(rules map[string]ruleInfo) error {
 }
 
 func (r *router) DeleteDNATRule(rule firewall.Rule) error {
-	ruleKey := rule.ID()
-
-	_, hadDNAT := r.rules[ruleKey+dnatSuffix]
-	_, hadSNAT := r.rules[ruleKey+snatSuffix]
-	_, hadFWD := r.rules[ruleKey+fwdSuffix]
-	if !hadDNAT && !hadSNAT && !hadFWD {
-		return nil
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
 	}
 
+	ruleKey := rule.ID()
+
 	var merr *multierror.Error
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
 		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
@@ -898,10 +889,6 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 		delete(r.rules, ruleKey+fwdSuffix)
 	}
 
-	if err := r.ipFwdState.ReleaseForwarding(r.v6); err != nil {
-		log.Errorf("%v", err)
-	}
-
 	r.updateState()
 	return nberrors.FormatErrorOrNil(merr)
 }

client/firewall/nftables/dnat_refcount_linux_test.go

@@ -1,208 +0,0 @@
-package nftables
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func nftRefcountIfaceV4() *iFaceMock {
-	return &iFaceMock{
-		NameFunc: func() string { return "wt-refcount" },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: netip.MustParsePrefix("100.96.0.0/16"),
-			}
-		},
-	}
-}
-
-func nftRefcountIfaceDual() *iFaceMock {
-	return &iFaceMock{
-		NameFunc: func() string { return "wt-refcount" },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: netip.MustParsePrefix("100.96.0.0/16"),
-				IPv6:    netip.MustParseAddr("fd00::1"),
-				IPv6Net: netip.MustParsePrefix("fd00::/64"),
-			}
-		},
-	}
-}
-
-func newNftRefcountManager(t *testing.T, dual bool) *Manager {
-	t.Helper()
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-	var ifMock *iFaceMock
-	if dual {
-		ifMock = nftRefcountIfaceDual()
-	} else {
-		ifMock = nftRefcountIfaceV4()
-	}
-	m, err := Create(ifMock, iface.DefaultMTU)
-	require.NoError(t, err, "create manager")
-	require.NoError(t, m.Init(nil), "init manager")
-	t.Cleanup(func() {
-		require.NoError(t, m.Close(nil), "close manager")
-	})
-	return m
-}
-
-func dnatV4(port uint16) fw.ForwardRule {
-	return fw.ForwardRule{
-		Protocol:          fw.ProtocolTCP,
-		DestinationPort:   fw.Port{Values: []uint16{port}},
-		TranslatedAddress: netip.MustParseAddr("100.96.0.2"),
-		TranslatedPort:    fw.Port{Values: []uint16{80}},
-	}
-}
-
-func dnatV6(port uint16) fw.ForwardRule {
-	return fw.ForwardRule{
-		Protocol:          fw.ProtocolTCP,
-		DestinationPort:   fw.Port{Values: []uint16{port}},
-		TranslatedAddress: netip.MustParseAddr("fd00::2"),
-		TranslatedPort:    fw.Port{Values: []uint16{80}},
-	}
-}
-
-// TestNftablesDNAT_RefcountBalancedV4 verifies that Add/Delete pairs leave the
-// v4 refcount at zero.
-func TestNftablesDNAT_RefcountBalancedV4(t *testing.T) {
-	m := newNftRefcountManager(t, false)
-	state := m.router.ipFwdState
-
-	r1, err := m.AddDNATRule(dnatV4(8081))
-	require.NoError(t, err, "add v4 dnat 1")
-	v4, v6 := state.Counts()
-	require.Equal(t, 1, v4, "v4 refcount after first add")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-
-	r2, err := m.AddDNATRule(dnatV4(8082))
-	require.NoError(t, err, "add v4 dnat 2")
-	v4, v6 = state.Counts()
-	require.Equal(t, 2, v4, "v4 refcount after second add")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-
-	require.NoError(t, m.DeleteDNATRule(r1), "delete v4 dnat 1")
-	v4, v6 = state.Counts()
-	require.Equal(t, 1, v4, "v4 refcount after first delete")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-
-	require.NoError(t, m.DeleteDNATRule(r2), "delete v4 dnat 2")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount after second delete")
-	require.Equal(t, 0, v6, "v6 refcount unchanged")
-}
-
-// TestNftablesDNAT_RefcountBalancedV6 verifies the v6 path increments v6 only
-// and decrements back to zero on Delete.
-func TestNftablesDNAT_RefcountBalancedV6(t *testing.T) {
-	m := newNftRefcountManager(t, true)
-	require.NotNil(t, m.router6, "v6 router")
-	require.Same(t, m.router.ipFwdState, m.router6.ipFwdState, "shared state")
-	state := m.router.ipFwdState
-
-	r1, err := m.AddDNATRule(dnatV6(9091))
-	require.NoError(t, err, "add v6 dnat 1")
-	v4, v6 := state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount unchanged")
-	require.Equal(t, 1, v6, "v6 refcount after first add")
-
-	r2, err := m.AddDNATRule(dnatV6(9092))
-	require.NoError(t, err, "add v6 dnat 2")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 2, v6, "v6 refcount after second add")
-
-	require.NoError(t, m.DeleteDNATRule(r1), "delete v6 dnat 1")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount unchanged")
-	require.Equal(t, 1, v6, "v6 refcount after first delete")
-
-	require.NoError(t, m.DeleteDNATRule(r2), "delete v6 dnat 2")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 0, v6, "v6 refcount after second delete")
-}
-
-// TestNftablesDNAT_DuplicateAddNoLeak verifies that a duplicate Add (same
-// ForwardRule) does not double-increment the refcount.
-func TestNftablesDNAT_DuplicateAddNoLeak(t *testing.T) {
-	m := newNftRefcountManager(t, true)
-	state := m.router.ipFwdState
-
-	rule := dnatV4(8083)
-	r1, err := m.AddDNATRule(rule)
-	require.NoError(t, err, "add v4 dnat")
-	v4, _ := state.Counts()
-	require.Equal(t, 1, v4)
-
-	// duplicate add: same rule ID, must be a no-op for the refcount.
-	_, err = m.AddDNATRule(rule)
-	require.NoError(t, err, "duplicate add")
-	v4, _ = state.Counts()
-	require.Equal(t, 1, v4, "duplicate add must not increment")
-
-	require.NoError(t, m.DeleteDNATRule(r1), "delete v4 dnat")
-	v4, _ = state.Counts()
-	require.Equal(t, 0, v4, "single delete must drop to zero")
-}
-
-// TestNftablesDNAT_DeleteMissingNoUnderflow verifies deleting a rule that was
-// never added does not underflow the refcount.
-func TestNftablesDNAT_DeleteMissingNoUnderflow(t *testing.T) {
-	m := newNftRefcountManager(t, true)
-	state := m.router.ipFwdState
-
-	// Construct a Rule reference for something never added. The router stores
-	// rules by ID(), and DeleteDNATRule looks them up in r.rules; a missing
-	// entry must be a no-op rather than calling Release.
-	phantom := dnatV4(8099)
-	require.NoError(t, m.DeleteDNATRule(&phantom), "delete missing v4 dnat")
-	v4, v6 := state.Counts()
-	require.Equal(t, 0, v4, "v4 refcount unaffected by missing delete")
-	require.Equal(t, 0, v6, "v6 refcount unaffected")
-
-	phantom6 := dnatV6(9099)
-	require.NoError(t, m.DeleteDNATRule(&phantom6), "delete missing v6 dnat")
-	v4, v6 = state.Counts()
-	require.Equal(t, 0, v4)
-	require.Equal(t, 0, v6, "v6 refcount unaffected by missing delete")
-
-	// And after a phantom delete, a real add still results in count=1.
-	r1, err := m.AddDNATRule(dnatV4(8100))
-	require.NoError(t, err, "add v4 dnat after phantom delete")
-	v4, _ = state.Counts()
-	require.Equal(t, 1, v4, "real add still increments after phantom delete")
-	require.NoError(t, m.DeleteDNATRule(r1))
-}
-
-// TestNftablesDNAT_DoubleDeleteNoUnderflow verifies that deleting the same rule
-// twice does not underflow the refcount (the second delete is a no-op).
-func TestNftablesDNAT_DoubleDeleteNoUnderflow(t *testing.T) {
-	m := newNftRefcountManager(t, true)
-	state := m.router.ipFwdState
-
-	r1, err := m.AddDNATRule(dnatV6(9093))
-	require.NoError(t, err)
-	_, v6 := state.Counts()
-	require.Equal(t, 1, v6)
-
-	require.NoError(t, m.DeleteDNATRule(r1), "first delete")
-	_, v6 = state.Counts()
-	require.Equal(t, 0, v6)
-
-	require.NoError(t, m.DeleteDNATRule(r1), "second delete must be no-op")
-	_, v6 = state.Counts()
-	require.Equal(t, 0, v6, "double delete must not underflow")
-}

client/firewall/nftables/external_chain_monitor_linux.go

@@ -52,10 +52,9 @@ func (m *externalChainMonitor) start() {
 
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	done := make(chan struct{})
-	m.done = done
+	m.done = make(chan struct{})
 
-	go m.run(ctx, done)
+	go m.run(ctx)
 }
 
 func (m *externalChainMonitor) stop() {
@@ -73,8 +72,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }
 
-func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
-	defer close(done)
+func (m *externalChainMonitor) run(ctx context.Context) {
+	defer close(m.done)
 
 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,

client/firewall/nftables/manager_linux.go

@@ -105,8 +105,8 @@ func (m *Manager) createIPv6Components(tableName string, wgIface iFaceMapper, mt
 		return fmt.Errorf("create v6 router: %w", err)
 	}
 
-	// Share the per-family forwarding refcounter with the v4 router so a v4
-	// rule and a v6 rule against the same state machine cooperate cleanly.
+	// Share the same IP forwarding state with the v4 router, since
+	// EnableIPForwarding controls both v4 and v6 sysctls.
 	m.router6.ipFwdState = m.router.ipFwdState
 
 	m.aclManager6, err = newAclManager(workTable6, wgIface, chainNameRoutingFw)
@@ -530,33 +530,17 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(false); err != nil {
-		return fmt.Errorf("enable IPv4 forwarding: %w", err)
-	}
-	// v6 only when the overlay actually has v6.
-	if m.router6 == nil {
-		return nil
-	}
-	if err := m.router.ipFwdState.RequestForwarding(true); err != nil {
-		if rerr := m.router.ipFwdState.ReleaseForwarding(false); rerr != nil {
-			log.Warnf("rollback v4 forwarding: %v", rerr)
-		}
-		return fmt.Errorf("enable IPv6 forwarding: %w", err)
+	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
+		return fmt.Errorf("enable IP forwarding: %w", err)
 	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	var merr *multierror.Error
-	if err := m.router.ipFwdState.ReleaseForwarding(false); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("disable IPv4 forwarding: %w", err))
+	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
+		return fmt.Errorf("disable IP forwarding: %w", err)
 	}
-	if m.router6 != nil {
-		if err := m.router.ipFwdState.ReleaseForwarding(true); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("disable IPv6 forwarding: %w", err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }
 
 // Flush rule/chain/set operations from the buffer

client/firewall/nftables/router_linux.go

@@ -93,7 +93,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 		rules:      make(map[string]*nftables.Rule),
 		af:         familyForAddr(workTable.Family == nftables.TableFamilyIPv4),
 		wgIface:    wgIface,
-		ipFwdState: ipfwdstate.NewIPForwardingState(wgIface.Name()),
+		ipFwdState: ipfwdstate.NewIPForwardingState(),
 		mtu:        mtu,
 	}
 
@@ -1550,6 +1550,10 @@ func (r *router) refreshRulesMap() error {
 }
 
 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return nil, err
+	}
+
 	ruleKey := rule.ID()
 	if _, exists := r.rules[ruleKey+dnatSuffix]; exists {
 		return rule, nil
@@ -1560,18 +1564,7 @@ func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 		return nil, fmt.Errorf("convert protocol to number: %w", err)
 	}
 
-	// Request forwarding before queueing rules: addDnatRedirect/addDnatMasq
-	// buffer netlink messages on r.conn that the next caller's Flush would
-	// commit if we returned without flushing them ourselves.
-	v6 := r.af.tableFamily == nftables.TableFamilyIPv6
-	if err := r.ipFwdState.RequestForwarding(v6); err != nil {
-		return nil, fmt.Errorf("enable forwarding: %w", err)
-	}
-
 	if err := r.addDnatRedirect(rule, protoNum, ruleKey); err != nil {
-		if rerr := r.ipFwdState.ReleaseForwarding(v6); rerr != nil {
-			log.Warnf("rollback forwarding refcount: %v", rerr)
-		}
 		return nil, err
 	}
 
@@ -1583,11 +1576,6 @@ func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 	// TODO: find chains with drop policies and add rules there
 
 	if err := r.conn.Flush(); err != nil {
-		if rerr := r.ipFwdState.ReleaseForwarding(v6); rerr != nil {
-			log.Warnf("rollback forwarding refcount: %v", rerr)
-		}
-		delete(r.rules, ruleKey+dnatSuffix)
-		delete(r.rules, ruleKey+snatSuffix)
 		return nil, fmt.Errorf("flush rules: %w", err)
 	}
 
@@ -1790,18 +1778,16 @@ func (r *router) addDnatMasq(rule firewall.ForwardRule, protoNum uint8, ruleKey
 }
 
 func (r *router) DeleteDNATRule(rule firewall.Rule) error {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
+
 	ruleKey := rule.ID()
 
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
-	_, hadDNAT := r.rules[ruleKey+dnatSuffix]
-	_, hadSNAT := r.rules[ruleKey+snatSuffix]
-	if !hadDNAT && !hadSNAT {
-		return nil
-	}
-
 	var merr *multierror.Error
 	var needsFlush bool
 
@@ -1838,10 +1824,6 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 		delete(r.rules, ruleKey+snatSuffix)
 	}
 
-	if err := r.ipFwdState.ReleaseForwarding(r.af.tableFamily == nftables.TableFamilyIPv6); err != nil {
-		log.Errorf("%v", err)
-	}
-
 	return nberrors.FormatErrorOrNil(merr)
 }
 

client/installer.nsis

@@ -260,15 +260,23 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
 
 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 
-; Create autostart registry entry based on checkbox
+; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
+; or HKCU by legacy installers.
+DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
+DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
+
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
     WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
     DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
-    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
 
@@ -299,11 +307,16 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
-; Remove autostart registry entry
+; Remove autostart entries from every view a previous installer may have used.
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
 
 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."

client/internal/debug/debug_linux.go

@@ -844,10 +844,6 @@ func collectSysctls() string {
 		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
 		listInterfaceSysctls("ipv4", "src_valid_mark")...,
 	))
-	writeSysctlGroup(&builder, "accept_ra", append(
-		[]string{"net.ipv6.conf.all.accept_ra", "net.ipv6.conf.default.accept_ra"},
-		listInterfaceSysctls("ipv6", "accept_ra")...,
-	))
 	writeSysctlGroup(&builder, "conntrack", []string{
 		"net.netfilter.nf_conntrack_acct",
 		"net.netfilter.nf_conntrack_tcp_loose",

client/internal/routemanager/ipfwdstate/ipfwdstate.go

@@ -2,109 +2,54 @@ package ipfwdstate
 
 import (
 	"fmt"
-	"sync"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
-// IPForwardingState tracks v4 and v6 IP-forwarding sysctl enables with
-// independent refcounts so a v4-only routing setup doesn't flip v6 sysctls.
+// IPForwardingState is a struct that keeps track of the IP forwarding state.
+// todo: read initial state of the IP forwarding from the system and reset the state based on it.
+// todo: separate v4/v6 forwarding state, since the sysctls are independent
+// (net.ipv4.ip_forward vs net.ipv6.conf.all.forwarding). Currently the nftables
+// manager shares one instance between both routers, which works only because
+// EnableIPForwarding enables both sysctls in a single call.
 type IPForwardingState struct {
-	mu sync.Mutex
-
-	v4Count int
-	v6Count int
-
-	wgIfaceName string
-	v6Saved     map[string]int
+	enabledCounter int
 }
 
-func NewIPForwardingState(wgIfaceName string) *IPForwardingState {
-	return &IPForwardingState{wgIfaceName: wgIfaceName}
+func NewIPForwardingState() *IPForwardingState {
+	return &IPForwardingState{}
 }
 
-// Counts returns the current v4 and v6 refcounts. Intended for diagnostics
-// and tests.
-func (f *IPForwardingState) Counts() (v4, v6 int) {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	return f.v4Count, f.v6Count
-}
-
-// RequestForwarding enables the family's forwarding sysctl on first request.
-func (f *IPForwardingState) RequestForwarding(v6 bool) error {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-
-	if v6 {
-		return f.requestV6()
-	}
-	return f.requestV4()
-}
-
-// ReleaseForwarding decrements the family counter. The last v6 release restores
-// what enable captured. v4 stays on: net.ipv4.ip_forward is co-owned by other
-// tooling (docker, k8s, libvirt).
-func (f *IPForwardingState) ReleaseForwarding(v6 bool) error {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-
-	if v6 {
-		return f.releaseV6()
-	}
-	f.releaseV4()
-	return nil
-}
-
-func (f *IPForwardingState) requestV4() error {
-	if f.v4Count == 0 {
-		if err := systemops.EnableV4IPForwarding(); err != nil {
-			return fmt.Errorf("enable IPv4 forwarding: %w", err)
-		}
-		log.Info("IPv4 forwarding enabled")
-	}
-	f.v4Count++
-	return nil
-}
-
-func (f *IPForwardingState) releaseV4() {
-	if f.v4Count > 0 {
-		f.v4Count--
-	}
-}
-
-func (f *IPForwardingState) requestV6() error {
-	if f.v6Count == 0 {
-		saved, err := systemops.EnableV6IPForwarding(f.wgIfaceName)
-		if err != nil {
-			if rerr := systemops.DisableV6IPForwarding(saved); rerr != nil {
-				log.Warnf("rollback partial v6 sysctls: %v", rerr)
-			}
-			return fmt.Errorf("enable IPv6 forwarding: %w", err)
-		}
-		f.v6Saved = saved
-		log.Info("IPv6 forwarding enabled")
-	}
-	f.v6Count++
-	return nil
-}
-
-func (f *IPForwardingState) releaseV6() error {
-	if f.v6Count == 0 {
-		return nil
-	}
-	f.v6Count--
-	if f.v6Count > 0 {
+func (f *IPForwardingState) RequestForwarding() error {
+	if f.enabledCounter != 0 {
+		f.enabledCounter++
 		return nil
 	}
 
-	saved := f.v6Saved
-	f.v6Saved = nil
-	if err := systemops.DisableV6IPForwarding(saved); err != nil {
-		return fmt.Errorf("disable IPv6 forwarding: %w", err)
+	if err := systemops.EnableIPForwarding(); err != nil {
+		return fmt.Errorf("failed to enable IP forwarding with sysctl: %w", err)
 	}
-	log.Info("IPv6 forwarding disabled")
+	f.enabledCounter = 1
+	log.Info("IP forwarding enabled")
+
+	return nil
+}
+
+func (f *IPForwardingState) ReleaseForwarding() error {
+	if f.enabledCounter == 0 {
+		return nil
+	}
+
+	if f.enabledCounter > 1 {
+		f.enabledCounter--
+		return nil
+	}
+
+	// if failed to disable IP forwarding we anyway decrement the counter
+	f.enabledCounter = 0
+
+	// todo call systemops.DisableIPForwarding()
 	return nil
 }

client/internal/routemanager/systemops/systemops_android.go

@@ -32,17 +32,8 @@ func (r *SysOps) removeFromRouteTable(netip.Prefix, Nexthop) error {
 	return nil
 }
 
-func EnableV4IPForwarding() error {
-	log.Infof("Enable IPv4 forwarding is not implemented on %s", runtime.GOOS)
-	return nil
-}
-
-func EnableV6IPForwarding(string) (map[string]int, error) {
-	log.Infof("Enable IPv6 forwarding is not implemented on %s", runtime.GOOS)
-	return map[string]int{}, nil
-}
-
-func DisableV6IPForwarding(map[string]int) error {
+func EnableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
 	return nil
 }
 

client/internal/routemanager/systemops/systemops_ios.go

@@ -58,17 +58,8 @@ func (r *SysOps) removeFromRouteTable(netip.Prefix, Nexthop) error {
 	return nil
 }
 
-func EnableV4IPForwarding() error {
-	log.Infof("Enable IPv4 forwarding is not implemented on %s", runtime.GOOS)
-	return nil
-}
-
-func EnableV6IPForwarding(string) (map[string]int, error) {
-	log.Infof("Enable IPv6 forwarding is not implemented on %s", runtime.GOOS)
-	return map[string]int{}, nil
-}
-
-func DisableV6IPForwarding(map[string]int) error {
+func EnableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
 	return nil
 }
 

client/internal/routemanager/systemops/systemops_linux.go

@@ -763,10 +763,13 @@ func flushRoutes(tableID, family int) error {
 	return nberrors.FormatErrorOrNil(result)
 }
 
-func EnableV4IPForwarding() error {
+func EnableIPForwarding() error {
 	if _, err := sysctl.Set(ipv4ForwardingPath, 1, false); err != nil {
 		return err
 	}
+	if _, err := sysctl.Set(ipv6ForwardingPath, 1, false); err != nil {
+		log.Warnf("failed to enable IPv6 forwarding: %v", err)
+	}
 	return nil
 }
 

client/internal/routemanager/systemops/systemops_nonlinux.go

@@ -43,17 +43,8 @@ func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error
 	return r.genericRemoveVPNRoute(prefix, intf)
 }
 
-func EnableV4IPForwarding() error {
-	log.Infof("Enable IPv4 forwarding is not implemented on %s", runtime.GOOS)
-	return nil
-}
-
-func EnableV6IPForwarding(string) (map[string]int, error) {
-	log.Infof("Enable IPv6 forwarding is not implemented on %s", runtime.GOOS)
-	return map[string]int{}, nil
-}
-
-func DisableV6IPForwarding(map[string]int) error {
+func EnableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
 	return nil
 }
 

client/internal/routemanager/systemops/v6forwarding_linux.go

@@ -1,82 +0,0 @@
-//go:build !android
-
-package systemops
-
-import (
-	"fmt"
-	"net"
-	"os"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/internal/routemanager/sysctl"
-)
-
-const (
-	// 1 (default) accepts RAs only while forwarding is off; 2 keeps RA
-	// acceptance on regardless, so RA-installed host defaults survive our
-	// v6 forwarding flip.
-	acceptRAInterfacePath  = "net.ipv6.conf.%s.accept_ra"
-	acceptRAProcPathFormat = "/proc/sys/net/ipv6/conf/%s/accept_ra"
-)
-
-// EnableV6IPForwarding bumps accept_ra=2 on host v6 interfaces before flipping
-// forwarding=1, so RA-installed host defaults survive. Returns the prior values
-// of sysctls we actually changed; entries already at the target are omitted.
-func EnableV6IPForwarding(wgIfaceName string) (map[string]int, error) {
-	saved := map[string]int{}
-	bumpAcceptRA(saved, wgIfaceName)
-
-	oldVal, err := sysctl.Set(ipv6ForwardingPath, 1, false)
-	if err != nil {
-		return saved, err
-	}
-	if oldVal != 1 {
-		saved[ipv6ForwardingPath] = oldVal
-	}
-	return saved, nil
-}
-
-// DisableV6IPForwarding restores what EnableV6IPForwarding captured.
-func DisableV6IPForwarding(saved map[string]int) error {
-	var result *multierror.Error
-	for key, value := range saved {
-		if _, err := sysctl.Set(key, value, false); err != nil {
-			result = multierror.Append(result, fmt.Errorf("restore %s: %w", key, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-func bumpAcceptRA(saved map[string]int, wgIfaceName string) {
-	interfaces, err := net.Interfaces()
-	if err != nil {
-		log.Warnf("list interfaces for accept_ra: %v", err)
-		return
-	}
-	for _, intf := range interfaces {
-		if intf.Name == "lo" || intf.Name == wgIfaceName {
-			continue
-		}
-		bumpAcceptRAForInterface(saved, intf.Name)
-	}
-}
-
-func bumpAcceptRAForInterface(saved map[string]int, name string) {
-	key := fmt.Sprintf(acceptRAInterfacePath, name)
-	// Build procfs path from name, not the dotted key: VLAN names like eth0.100.
-	if _, err := os.Stat(fmt.Sprintf(acceptRAProcPathFormat, name)); err != nil {
-		return
-	}
-	// onlyIfOne=true: leave admin overrides (0, 2) alone.
-	oldVal, err := sysctl.Set(key, 2, true)
-	if err != nil {
-		log.Warnf("bump %s: %v", key, err)
-		return
-	}
-	if oldVal != 2 {
-		saved[key] = oldVal
-	}
-}

client/internal/sleep/detector_darwin.go

@@ -188,9 +188,7 @@ func (d *Detector) triggerCallback(event EventType, cb func(event EventType), do
 	}
 
 	doneChan := make(chan struct{})
-	// macOS forces sleep ~30s after kIOMessageSystemWillSleep, so block long
-	// enough for teardown to finish while staying under that deadline.
-	timeout := time.NewTimer(20 * time.Second)
+	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
 	go func() {

client/netbird.wxs

@@ -64,6 +64,13 @@
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
 				</RegistryKey>
 			</Component>
+			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
+			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
+				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
+					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
+				<RemoveRegistryValue Root="HKCU"
+					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			</Component>
 		</StandardDirectory>
 
 		<StandardDirectory Id="CommonAppDataFolder">
@@ -76,10 +83,28 @@
 			</Directory>
 		</StandardDirectory>
 
+		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
+		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
+		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
+			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
+			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
+				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
+			<RemoveRegistryValue Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
+		</Component>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
+			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
+			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

management/internals/modules/peers/ephemeral/manager/ephemeral.go

@@ -2,6 +2,7 @@ package manager
 
 import (
 	"context"
+	"math/rand"
 	"sync"
 	"time"
 
@@ -11,44 +12,76 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-
 	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/telemetry"
 )
 
 const (
-	// cleanupWindow is the time window to wait after nearest peer deadline to start the cleanup procedure.
+	// cleanupWindow is the small grace period added on top of the
+	// staleness horizon before a sweep fires. It absorbs minor clock
+	// skew between the management server and the database and avoids
+	// firing a sweep right at the boundary where last_seen could still
+	// be one tick under the threshold.
 	cleanupWindow = 1 * time.Minute
+
+	// initialLoadMinDelay and initialLoadMaxDelay bracket the random
+	// delay applied before the post-restart catch-up query runs. Spread
+	// across replicas this prevents a thundering herd of catch-up
+	// queries hitting the database simultaneously after a deploy.
+	initialLoadMinDelay = 8 * time.Minute
+	initialLoadMaxDelay = 10 * time.Minute
 )
 
 var (
 	timeNow = time.Now
 )
 
-type ephemeralPeer struct {
-	id        string
-	accountID string
-	deadline  time.Time
-	next      *ephemeralPeer
+// accountEntry is the per-account state held by the cleanup tracker.
+// We don't track which peers are pending — the sweep query gets the
+// authoritative list straight from the database every time. We only
+// need to know the latest disconnect we've observed for this account
+// (so we can decide when it's safe to drop the entry) and the timer
+// that will fire the next sweep.
+type accountEntry struct {
+	lastDisconnectedAt time.Time
+	timer              *time.Timer
 }
 
-// todo: consider to remove peer from ephemeral list when the peer has been deleted via API. If we do not do it
-// in worst case we will get invalid error message in this manager.
-
-// EphemeralManager keep a list of ephemeral peers. After EphemeralLifeTime inactivity the peer will be deleted
-// automatically. Inactivity means the peer disconnected from the Management server.
+// EphemeralManager tracks accounts that may have ephemeral peers in
+// need of cleanup and runs a per-account sweep at the appropriate
+// time. State is in-memory and account-scoped: a sweep deletes any
+// ephemeral peer in the account that has been disconnected for at
+// least lifeTime, then either drops the account from the tracker
+// (when no recent disconnects have arrived) or re-arms the timer.
 type EphemeralManager struct {
 	store        store.Store
 	peersManager peers.Manager
 
-	headPeer  *ephemeralPeer
-	tailPeer  *ephemeralPeer
-	peersLock sync.Mutex
-	timer     *time.Timer
+	accountsLock sync.Mutex
+	accounts     map[string]*accountEntry
+
+	// initialLoadTimer is the one-shot timer used to defer the
+	// post-restart catch-up query; held so Stop() can cancel it.
+	initialLoadTimer *time.Timer
+	// stopped is flipped by Stop() so any timer that fires after
+	// teardown becomes a no-op instead of touching a half-dismantled
+	// store.
+	stopped bool
 
 	lifeTime      time.Duration
 	cleanupWindow time.Duration
 
+	// initialLoadDelay returns the wall-clock delay to wait before
+	// running the post-restart catch-up query. Pluggable so tests can
+	// fire the load immediately.
+	initialLoadDelay func() time.Duration
+
+	// bgCtx is the long-lived context captured at LoadInitialPeers
+	// time. Timer-driven sweeps use it because they fire long after
+	// the original gRPC handler ctx that produced an OnPeerDisconnected
+	// call has been cancelled.
+	bgCtx context.Context
+
 	// metrics is nil-safe; methods on telemetry.EphemeralPeersMetrics
 	// no-op when the receiver is nil so deployments without an app
 	// metrics provider work unchanged.
@@ -58,228 +91,265 @@ type EphemeralManager struct {
 // NewEphemeralManager instantiate new EphemeralManager
 func NewEphemeralManager(store store.Store, peersManager peers.Manager) *EphemeralManager {
 	return &EphemeralManager{
-		store:        store,
-		peersManager: peersManager,
-
-		lifeTime:      ephemeral.EphemeralLifeTime,
-		cleanupWindow: cleanupWindow,
+		store:            store,
+		peersManager:     peersManager,
+		accounts:         make(map[string]*accountEntry),
+		lifeTime:         ephemeral.EphemeralLifeTime,
+		cleanupWindow:    cleanupWindow,
+		initialLoadDelay: defaultInitialLoadDelay,
 	}
 }
 
-// SetMetrics attaches a metrics collector. Safe to call once before
-// LoadInitialPeers; later attachment is fine but earlier loads won't be
-// reflected in the gauge. Pass nil to detach.
+// SetMetrics attaches a metrics collector. Pass nil to detach.
 func (e *EphemeralManager) SetMetrics(m *telemetry.EphemeralPeersMetrics) {
-	e.peersLock.Lock()
+	e.accountsLock.Lock()
 	e.metrics = m
-	e.peersLock.Unlock()
+	e.accountsLock.Unlock()
 }
 
-// LoadInitialPeers load from the database the ephemeral type of peers and schedule a cleanup procedure to the head
-// of the linked list (to the most deprecated peer). At the end of cleanup it schedules the next cleanup to the new
-// head.
+// LoadInitialPeers schedules the post-restart catch-up query for a
+// random moment 8-10 minutes from now. Returns immediately. The
+// catch-up populates the per-account tracker from the database so any
+// peers that disconnected before the restart still get cleaned up.
+//
+// The random delay is critical: without it, every management replica
+// hitting the same Postgres instance after a deploy would issue the
+// catch-up query simultaneously.
 func (e *EphemeralManager) LoadInitialPeers(ctx context.Context) {
-	e.peersLock.Lock()
-	defer e.peersLock.Unlock()
-
-	e.loadEphemeralPeers(ctx)
-	if e.headPeer != nil {
-		e.timer = time.AfterFunc(e.lifeTime, func() {
-			e.cleanup(ctx)
-		})
-	}
-}
-
-// Stop timer
-func (e *EphemeralManager) Stop() {
-	e.peersLock.Lock()
-	defer e.peersLock.Unlock()
-
-	if e.timer != nil {
-		e.timer.Stop()
-	}
-}
-
-// OnPeerConnected remove the peer from the linked list of ephemeral peers. Because it has been called when the peer
-// is active the manager will not delete it while it is active.
-func (e *EphemeralManager) OnPeerConnected(ctx context.Context, peer *nbpeer.Peer) {
-	if !peer.Ephemeral {
+	e.accountsLock.Lock()
+	defer e.accountsLock.Unlock()
+	if e.stopped {
 		return
 	}
 
-	log.WithContext(ctx).Tracef("remove peer from ephemeral list: %s", peer.ID)
+	e.bgCtx = ctx
 
-	e.peersLock.Lock()
-	defer e.peersLock.Unlock()
-
-	if e.removePeer(peer.ID) {
-		e.metrics.DecPending(1)
-	}
-
-	// stop the unnecessary timer
-	if e.headPeer == nil && e.timer != nil {
-		e.timer.Stop()
-		e.timer = nil
-	}
+	delay := e.initialLoadDelay()
+	log.WithContext(ctx).Infof("ephemeral peer initial load scheduled in %s", delay)
+	e.initialLoadTimer = time.AfterFunc(delay, func() {
+		e.loadInitialAccounts(e.bgCtx)
+	})
 }
 
-// OnPeerDisconnected add the peer to the linked list of ephemeral peers. Because of the peer
-// is inactive it will be deleted after the EphemeralLifeTime period.
+// Stop cancels the deferred initial load and any per-account timers.
+func (e *EphemeralManager) Stop() {
+	e.accountsLock.Lock()
+	defer e.accountsLock.Unlock()
+
+	e.stopped = true
+	if e.initialLoadTimer != nil {
+		e.initialLoadTimer.Stop()
+		e.initialLoadTimer = nil
+	}
+	for _, entry := range e.accounts {
+		if entry.timer != nil {
+			entry.timer.Stop()
+		}
+	}
+	e.accounts = make(map[string]*accountEntry)
+}
+
+// OnPeerConnected is a no-op in the account-scoped design. The sweep
+// query filters out connected peers at the database level, so we don't
+// need an explicit "remove from list" signal when a peer reconnects.
+// Kept on the interface to preserve the existing call sites.
+func (e *EphemeralManager) OnPeerConnected(_ context.Context, _ *nbpeer.Peer) {
+}
+
+// OnPeerDisconnected registers a disconnect for the peer's account and
+// arms a sweep if one isn't already scheduled. Non-ephemeral peers are
+// ignored.
 func (e *EphemeralManager) OnPeerDisconnected(ctx context.Context, peer *nbpeer.Peer) {
 	if !peer.Ephemeral {
 		return
 	}
 
-	log.WithContext(ctx).Tracef("add peer to ephemeral list: %s", peer.ID)
-
-	e.peersLock.Lock()
-	defer e.peersLock.Unlock()
-
-	if e.isPeerOnList(peer.ID) {
-		return
-	}
-
-	e.addPeer(peer.AccountID, peer.ID, e.newDeadLine())
-	e.metrics.IncPending()
-	if e.timer == nil {
-		delay := e.headPeer.deadline.Sub(timeNow()) + e.cleanupWindow
-		if delay < 0 {
-			delay = 0
-		}
-		e.timer = time.AfterFunc(delay, func() {
-			e.cleanup(ctx)
-		})
-	}
-}
-
-func (e *EphemeralManager) loadEphemeralPeers(ctx context.Context) {
-	peers, err := e.store.GetAllEphemeralPeers(ctx, store.LockingStrengthNone)
-	if err != nil {
-		log.WithContext(ctx).Debugf("failed to load ephemeral peers: %s", err)
-		return
-	}
-
-	t := e.newDeadLine()
-	for _, p := range peers {
-		e.addPeer(p.AccountID, p.ID, t)
-	}
-	e.metrics.AddPending(int64(len(peers)))
-
-	log.WithContext(ctx).Debugf("loaded ephemeral peer(s): %d", len(peers))
-}
-
-func (e *EphemeralManager) cleanup(ctx context.Context) {
-	log.Tracef("on ephemeral cleanup")
-	deletePeers := make(map[string]*ephemeralPeer)
-
-	e.peersLock.Lock()
 	now := timeNow()
-	for p := e.headPeer; p != nil; p = p.next {
-		if now.Before(p.deadline) {
-			break
-		}
 
-		deletePeers[p.id] = p
-		e.headPeer = p.next
-		if p.next == nil {
-			e.tailPeer = nil
-		}
+	e.accountsLock.Lock()
+	defer e.accountsLock.Unlock()
+	if e.stopped {
+		return
 	}
 
-	if e.headPeer != nil {
-		delay := e.headPeer.deadline.Sub(timeNow()) + e.cleanupWindow
-		if delay < 0 {
-			delay = 0
-		}
-		e.timer = time.AfterFunc(delay, func() {
-			e.cleanup(ctx)
+	entry, existed := e.accounts[peer.AccountID]
+	if !existed {
+		entry = &accountEntry{}
+		e.accounts[peer.AccountID] = entry
+		e.metrics.IncPending()
+	}
+	entry.lastDisconnectedAt = now
+
+	if entry.timer == nil {
+		delay := e.lifeTime + e.cleanupWindow
+		log.WithContext(ctx).Tracef("ephemeral: scheduling sweep for account %s in %s", peer.AccountID, delay)
+		accountID := peer.AccountID
+		entry.timer = time.AfterFunc(delay, func() {
+			e.sweep(e.bgCtxOrFallback(ctx), accountID)
 		})
-	} else {
-		e.timer = nil
+	}
+}
+
+// bgCtxOrFallback returns the long-lived background context captured at
+// LoadInitialPeers time, falling back to the supplied ctx when the
+// manager hasn't been started through LoadInitialPeers (e.g. in tests
+// that drive the manager directly). Must be called with the lock held
+// or before the timer is armed.
+func (e *EphemeralManager) bgCtxOrFallback(ctx context.Context) context.Context {
+	if e.bgCtx != nil {
+		return e.bgCtx
+	}
+	return ctx
+}
+
+// loadInitialAccounts runs the post-restart catch-up query and seeds
+// the tracker with one entry per account that has at least one
+// disconnected ephemeral peer.
+func (e *EphemeralManager) loadInitialAccounts(ctx context.Context) {
+	accounts, err := e.store.GetEphemeralAccountsLastDisconnect(ctx)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to load ephemeral accounts on startup: %v", err)
+		return
 	}
 
-	e.peersLock.Unlock()
+	now := timeNow()
+	added := 0
 
-	// Drop the gauge by the number of entries we just took off the list,
-	// regardless of whether the subsequent DeletePeers call succeeds. The
-	// list invariant is what the gauge tracks; failed delete batches are
-	// counted separately via CountCleanupError so we can still see them.
-	if len(deletePeers) > 0 {
-		e.metrics.CountCleanupRun()
-		e.metrics.DecPending(int64(len(deletePeers)))
+	e.accountsLock.Lock()
+	defer e.accountsLock.Unlock()
+	if e.stopped {
+		return
 	}
 
-	peerIDsPerAccount := make(map[string][]string)
-	for id, p := range deletePeers {
-		peerIDsPerAccount[p.accountID] = append(peerIDsPerAccount[p.accountID], id)
-	}
-
-	for accountID, peerIDs := range peerIDsPerAccount {
-		log.WithContext(ctx).Tracef("cleanup: deleting %d ephemeral peers for account %s", len(peerIDs), accountID)
-		err := e.peersManager.DeletePeers(ctx, accountID, peerIDs, activity.SystemInitiator, true)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to delete ephemeral peers: %s", err)
-			e.metrics.CountCleanupError()
+	for accountID, lastDisc := range accounts {
+		// If we already learned about this account via an
+		// OnPeerDisconnected that arrived during the random delay
+		// window, prefer the live timestamp.
+		if _, alreadyTracked := e.accounts[accountID]; alreadyTracked {
 			continue
 		}
-		e.metrics.CountPeersCleaned(int64(len(peerIDs)))
-	}
-}
 
-func (e *EphemeralManager) addPeer(accountID string, peerID string, deadline time.Time) {
-	ep := &ephemeralPeer{
-		id:        peerID,
-		accountID: accountID,
-		deadline:  deadline,
-	}
+		entry := &accountEntry{lastDisconnectedAt: lastDisc}
+		horizon := lastDisc.Add(e.lifeTime)
 
-	if e.headPeer == nil {
-		e.headPeer = ep
-	}
-	if e.tailPeer != nil {
-		e.tailPeer.next = ep
-	}
-	e.tailPeer = ep
-}
-
-// removePeer drops the entry from the linked list. Returns true if a
-// matching entry was found and removed so callers can keep the pending
-// metric gauge in sync.
-func (e *EphemeralManager) removePeer(id string) bool {
-	if e.headPeer == nil {
-		return false
-	}
-
-	if e.headPeer.id == id {
-		e.headPeer = e.headPeer.next
-		if e.tailPeer.id == id {
-			e.tailPeer = nil
+		var delay time.Duration
+		if horizon.After(now) {
+			delay = horizon.Sub(now) + e.cleanupWindow
+		} else {
+			// Already past the staleness window — sweep right away
+			// (one cleanupWindow later, to keep startup load smooth
+			// when many accounts qualify at once).
+			delay = e.cleanupWindow
 		}
-		return true
+		idForClosure := accountID
+		entry.timer = time.AfterFunc(delay, func() {
+			e.sweep(ctx, idForClosure)
+		})
+		e.accounts[accountID] = entry
+		added++
 	}
 
-	for p := e.headPeer; p.next != nil; p = p.next {
-		if p.next.id == id {
-			// if we remove the last element from the chain then set the last-1 as tail
-			if e.tailPeer.id == id {
-				e.tailPeer = p
-			}
-			p.next = p.next.next
-			return true
+	e.metrics.AddPending(int64(added))
+	log.WithContext(ctx).Debugf("ephemeral: loaded %d account(s) for cleanup tracking", added)
+}
+
+// sweep runs the cleanup pass for a single account. It queries the
+// database for disconnected ephemeral peers that have crossed the
+// staleness window, deletes them via peers.Manager, and then decides
+// whether to drop the account from the tracker or re-arm the timer.
+func (e *EphemeralManager) sweep(ctx context.Context, accountID string) {
+	now := timeNow()
+
+	e.accountsLock.Lock()
+	entry, ok := e.accounts[accountID]
+	if !ok || e.stopped {
+		e.accountsLock.Unlock()
+		return
+	}
+	lastDisc := entry.lastDisconnectedAt
+	entry.timer = nil
+	e.accountsLock.Unlock()
+
+	threshold := now.Add(-e.lifeTime)
+	stalePeerIDs, err := e.store.GetStaleEphemeralPeerIDsForAccount(ctx, accountID, threshold)
+	if err != nil {
+		log.WithContext(ctx).Errorf("ephemeral: failed to query stale peers for account %s: %v", accountID, err)
+		e.metrics.CountCleanupError()
+		e.rearm(ctx, accountID, e.cleanupWindow)
+		return
+	}
+
+	if len(stalePeerIDs) > 0 {
+		log.WithContext(ctx).Tracef("ephemeral: deleting %d peer(s) for account %s", len(stalePeerIDs), accountID)
+		if err := e.peersManager.DeletePeers(ctx, accountID, stalePeerIDs, activity.SystemInitiator, true); err != nil {
+			log.WithContext(ctx).Errorf("ephemeral: failed to delete peers for account %s: %v", accountID, err)
+			e.metrics.CountCleanupError()
+			e.rearm(ctx, accountID, e.cleanupWindow)
+			return
 		}
+		e.metrics.CountCleanupRun()
+		e.metrics.CountPeersCleaned(int64(len(stalePeerIDs)))
 	}
-	return false
+
+	e.accountsLock.Lock()
+	defer e.accountsLock.Unlock()
+	if e.stopped {
+		return
+	}
+	entry, ok = e.accounts[accountID]
+	if !ok {
+		return
+	}
+
+	// Drop rule: if every disconnect we've observed has now crossed
+	// the staleness window, the sweep we just ran saw everything that
+	// could possibly need cleaning. Dropping is safe — a future
+	// disconnect will recreate the entry. The check uses the latest
+	// lastDisc, which may have advanced (concurrently with the sweep
+	// itself) due to a new OnPeerDisconnected, in which case we
+	// correctly re-arm.
+	horizon := entry.lastDisconnectedAt.Add(e.lifeTime)
+	if !horizon.After(now) {
+		delete(e.accounts, accountID)
+		e.metrics.DecPending(1)
+		log.WithContext(ctx).Tracef("ephemeral: dropping account %s (lastDisc=%s, horizon=%s, now=%s)",
+			accountID, lastDisc, horizon, now)
+		return
+	}
+
+	delay := horizon.Sub(now) + e.cleanupWindow
+	idForClosure := accountID
+	entry.timer = time.AfterFunc(delay, func() {
+		e.sweep(ctx, idForClosure)
+	})
 }
 
-func (e *EphemeralManager) isPeerOnList(id string) bool {
-	for p := e.headPeer; p != nil; p = p.next {
-		if p.id == id {
-			return true
-		}
+// rearm reschedules a sweep `delay` from now. Used after a recoverable
+// error in the sweep path so the account doesn't get stuck.
+func (e *EphemeralManager) rearm(ctx context.Context, accountID string, delay time.Duration) {
+	e.accountsLock.Lock()
+	defer e.accountsLock.Unlock()
+	if e.stopped {
+		return
 	}
-	return false
+	entry, ok := e.accounts[accountID]
+	if !ok {
+		return
+	}
+	idForClosure := accountID
+	entry.timer = time.AfterFunc(delay, func() {
+		e.sweep(ctx, idForClosure)
+	})
 }
 
-func (e *EphemeralManager) newDeadLine() time.Time {
-	return timeNow().Add(e.lifeTime)
+// defaultInitialLoadDelay returns a random duration in
+// [initialLoadMinDelay, initialLoadMaxDelay). Process-wide
+// math/rand is acceptable here — the delay is purely a smoothing
+// jitter, not a security primitive.
+func defaultInitialLoadDelay() time.Duration {
+	span := int64(initialLoadMaxDelay - initialLoadMinDelay)
+	if span <= 0 {
+		return initialLoadMinDelay
+	}
+	return initialLoadMinDelay + time.Duration(rand.Int63n(span))
 }

management/internals/modules/peers/ephemeral/manager/ephemeral_test.go

@@ -2,299 +2,544 @@ package manager
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
 	"github.com/golang/mock/gomock"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
-	nbAccount "github.com/netbirdio/netbird/management/server/account"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/route"
 )
 
+// MockStore is a thin in-memory stand-in that implements only the two
+// methods the EphemeralManager uses. It honors the account / ephemeral
+// / connected / lastSeen attributes of each peer so the cleanup logic
+// can be exercised end-to-end without bringing up sqlite or Postgres.
 type MockStore struct {
 	store.Store
+	mu      sync.Mutex
 	account *types.Account
 }
 
-func (s *MockStore) GetAllEphemeralPeers(_ context.Context, _ store.LockingStrength) ([]*nbpeer.Peer, error) {
-	var peers []*nbpeer.Peer
-	for _, v := range s.account.Peers {
-		if v.Ephemeral {
-			peers = append(peers, v)
+func (s *MockStore) GetStaleEphemeralPeerIDsForAccount(_ context.Context, accountID string, olderThan time.Time) ([]string, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.account == nil || s.account.Id != accountID {
+		return nil, nil
+	}
+	var ids []string
+	for _, p := range s.account.Peers {
+		if !p.Ephemeral {
+			continue
+		}
+		if p.Status == nil || p.Status.Connected {
+			continue
+		}
+		if p.Status.LastSeen.Before(olderThan) {
+			ids = append(ids, p.ID)
 		}
 	}
-	return peers, nil
+	return ids, nil
 }
 
-type MockAccountManager struct {
-	mu sync.Mutex
-	nbAccount.Manager
-	store             *MockStore
-	deletePeerCalls   int
-	bufferUpdateCalls map[string]int
-	wg                *sync.WaitGroup
-}
-
-func (a *MockAccountManager) DeletePeer(_ context.Context, accountID, peerID, userID string) error {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.deletePeerCalls++
-	delete(a.store.account.Peers, peerID)
-	if a.wg != nil {
-		a.wg.Done()
+func (s *MockStore) GetEphemeralAccountsLastDisconnect(_ context.Context) (map[string]time.Time, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	out := map[string]time.Time{}
+	if s.account == nil {
+		return out, nil
 	}
-	return nil
-}
-
-func (a *MockAccountManager) GetDeletePeerCalls() int {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	return a.deletePeerCalls
-}
-
-func (a *MockAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.bufferUpdateCalls == nil {
-		a.bufferUpdateCalls = make(map[string]int)
+	var latest time.Time
+	hasAny := false
+	for _, p := range s.account.Peers {
+		if !p.Ephemeral || p.Status == nil || p.Status.Connected {
+			continue
+		}
+		if !hasAny || p.Status.LastSeen.After(latest) {
+			latest = p.Status.LastSeen
+			hasAny = true
+		}
 	}
-	a.bufferUpdateCalls[accountID]++
-}
-
-func (a *MockAccountManager) GetBufferUpdateCalls(accountID string) int {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.bufferUpdateCalls == nil {
-		return 0
+	if hasAny {
+		out[s.account.Id] = latest
 	}
-	return a.bufferUpdateCalls[accountID]
+	return out, nil
 }
 
-func (a *MockAccountManager) GetStore() store.Store {
-	return a.store
-}
-
-func TestNewManager(t *testing.T) {
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
-	startTime := time.Now()
+// withFakeClock pins timeNow to a settable value for the duration of t.
+// Returns a getter and a setter so subtests can advance virtual time.
+func withFakeClock(t *testing.T, start time.Time) (get func() time.Time, set func(time.Time)) {
+	t.Helper()
+	var mu sync.Mutex
+	now := start
 	timeNow = func() time.Time {
-		return startTime
+		mu.Lock()
+		defer mu.Unlock()
+		return now
 	}
+	t.Cleanup(func() { timeNow = time.Now })
 
-	store := &MockStore{}
-	ctrl := gomock.NewController(t)
-	peersManager := peers.NewMockManager(ctrl)
-
-	numberOfPeers := 5
-	numberOfEphemeralPeers := 3
-	seedPeers(store, numberOfPeers, numberOfEphemeralPeers)
-
-	// Expect DeletePeers to be called for ephemeral peers
-	peersManager.EXPECT().
-		DeletePeers(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), true).
-		DoAndReturn(func(ctx context.Context, accountID string, peerIDs []string, userID string, checkConnected bool) error {
-			for _, peerID := range peerIDs {
-				delete(store.account.Peers, peerID)
-			}
-			return nil
-		}).
-		AnyTimes()
-
-	mgr := NewEphemeralManager(store, peersManager)
-	mgr.loadEphemeralPeers(context.Background())
-	startTime = startTime.Add(ephemeral.EphemeralLifeTime + 1)
-	mgr.cleanup(context.Background())
-
-	if len(store.account.Peers) != numberOfPeers {
-		t.Errorf("failed to cleanup ephemeral peers, expected: %d, result: %d", numberOfPeers, len(store.account.Peers))
-	}
+	return func() time.Time {
+			mu.Lock()
+			defer mu.Unlock()
+			return now
+		}, func(v time.Time) {
+			mu.Lock()
+			defer mu.Unlock()
+			now = v
+		}
 }
 
-func TestNewManagerPeerConnected(t *testing.T) {
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
-	startTime := time.Now()
-	timeNow = func() time.Time {
-		return startTime
-	}
-
-	store := &MockStore{}
-	ctrl := gomock.NewController(t)
-	peersManager := peers.NewMockManager(ctrl)
-
-	numberOfPeers := 5
-	numberOfEphemeralPeers := 3
-	seedPeers(store, numberOfPeers, numberOfEphemeralPeers)
-
-	// Expect DeletePeers to be called for ephemeral peers (except the connected one)
-	peersManager.EXPECT().
-		DeletePeers(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), true).
-		DoAndReturn(func(ctx context.Context, accountID string, peerIDs []string, userID string, checkConnected bool) error {
-			for _, peerID := range peerIDs {
-				delete(store.account.Peers, peerID)
-			}
-			return nil
-		}).
-		AnyTimes()
-
-	mgr := NewEphemeralManager(store, peersManager)
-	mgr.loadEphemeralPeers(context.Background())
-	mgr.OnPeerConnected(context.Background(), store.account.Peers["ephemeral_peer_0"])
-
-	startTime = startTime.Add(ephemeral.EphemeralLifeTime + 1)
-	mgr.cleanup(context.Background())
-
-	expected := numberOfPeers + 1
-	if len(store.account.Peers) != expected {
-		t.Errorf("failed to cleanup ephemeral peers, expected: %d, result: %d", expected, len(store.account.Peers))
-	}
+// newManagerForTest builds a manager with short timers and no random
+// initial-load delay so tests run instantly.
+func newManagerForTest(t *testing.T, st store.Store, peersMgr peers.Manager) *EphemeralManager {
+	t.Helper()
+	mgr := NewEphemeralManager(st, peersMgr)
+	mgr.lifeTime = 100 * time.Millisecond
+	mgr.cleanupWindow = 10 * time.Millisecond
+	mgr.initialLoadDelay = func() time.Duration { return 0 }
+	t.Cleanup(mgr.Stop)
+	return mgr
 }
 
-func TestNewManagerPeerDisconnected(t *testing.T) {
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
-	startTime := time.Now()
-	timeNow = func() time.Time {
-		return startTime
-	}
+// TestOnPeerDisconnected_RegistersAndSweeps drives the OnPeerDisconnected
+// path with a fake clock: a single ephemeral peer disconnects, we
+// advance past the staleness window, and the sweep deletes it.
+func TestOnPeerDisconnected_RegistersAndSweeps(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
 
-	store := &MockStore{}
-	ctrl := gomock.NewController(t)
-	peersManager := peers.NewMockManager(ctrl)
-
-	numberOfPeers := 5
-	numberOfEphemeralPeers := 3
-	seedPeers(store, numberOfPeers, numberOfEphemeralPeers)
-
-	// Expect DeletePeers to be called for the one disconnected peer
-	peersManager.EXPECT().
-		DeletePeers(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), true).
-		DoAndReturn(func(ctx context.Context, accountID string, peerIDs []string, userID string, checkConnected bool) error {
-			for _, peerID := range peerIDs {
-				delete(store.account.Peers, peerID)
-			}
-			return nil
-		}).
-		AnyTimes()
-
-	mgr := NewEphemeralManager(store, peersManager)
-	mgr.loadEphemeralPeers(context.Background())
-	for _, v := range store.account.Peers {
-		mgr.OnPeerConnected(context.Background(), v)
-
-	}
-	mgr.OnPeerDisconnected(context.Background(), store.account.Peers["ephemeral_peer_0"])
-
-	startTime = startTime.Add(ephemeral.EphemeralLifeTime + 1)
-	mgr.cleanup(context.Background())
-
-	expected := numberOfPeers + numberOfEphemeralPeers - 1
-	if len(store.account.Peers) != expected {
-		t.Errorf("failed to cleanup ephemeral peers, expected: %d, result: %d", expected, len(store.account.Peers))
-	}
-}
-
-func TestCleanupSchedulingBehaviorIsBatched(t *testing.T) {
-	const (
-		ephemeralPeers    = 10
-		testLifeTime      = 1 * time.Second
-		testCleanupWindow = 100 * time.Millisecond
-	)
-
-	t.Cleanup(func() {
-		timeNow = time.Now
-	})
-	startTime := time.Now()
-	timeNow = func() time.Time {
-		return startTime
-	}
-
-	mockStore := &MockStore{}
-	account := newAccountWithId(context.Background(), "account", "", "", false)
-	mockStore.account = account
-
-	wg := &sync.WaitGroup{}
-	wg.Add(ephemeralPeers)
-	mockAM := &MockAccountManager{
-		store: mockStore,
-		wg:    wg,
-	}
+	getNow, setNow := withFakeClock(t, time.Now())
 
 	ctrl := gomock.NewController(t)
-	peersManager := peers.NewMockManager(ctrl)
+	peersMgr := peers.NewMockManager(ctrl)
 
-	// Set up expectation that DeletePeers will be called once with all peer IDs
-	peersManager.EXPECT().
-		DeletePeers(gomock.Any(), account.Id, gomock.Any(), gomock.Any(), true).
-		DoAndReturn(func(ctx context.Context, accountID string, peerIDs []string, userID string, checkConnected bool) error {
-			// Simulate the actual deletion behavior
-			for _, peerID := range peerIDs {
-				err := mockAM.DeletePeer(ctx, accountID, peerID, userID)
-				if err != nil {
-					return err
-				}
+	var deletedMu sync.Mutex
+	var deleted []string
+	var deleteCalls atomic.Int32
+	peersMgr.EXPECT().
+		DeletePeers(gomock.Any(), "acc-1", gomock.Any(), gomock.Any(), true).
+		DoAndReturn(func(_ context.Context, accountID string, peerIDs []string, _ string, _ bool) error {
+			deleteCalls.Add(1)
+			mockStore.mu.Lock()
+			for _, id := range peerIDs {
+				delete(mockStore.account.Peers, id)
 			}
-			mockAM.BufferUpdateAccountPeers(ctx, accountID, types.UpdateReason{})
+			mockStore.mu.Unlock()
+			deletedMu.Lock()
+			deleted = append(deleted, peerIDs...)
+			deletedMu.Unlock()
 			return nil
-		}).
-		Times(1)
+		}).AnyTimes()
 
-	mgr := NewEphemeralManager(mockStore, peersManager)
-	mgr.lifeTime = testLifeTime
-	mgr.cleanupWindow = testCleanupWindow
+	mgr := newManagerForTest(t, mockStore, peersMgr)
 
-	// Add peers and disconnect them at slightly different times (within cleanup window)
-	for i := range ephemeralPeers {
-		p := &nbpeer.Peer{ID: fmt.Sprintf("peer-%d", i), AccountID: account.Id, Ephemeral: true}
-		mockStore.account.Peers[p.ID] = p
+	// One ephemeral peer that disconnected "now".
+	now := getNow()
+	p := &nbpeer.Peer{
+		ID:        "p1",
+		AccountID: "acc-1",
+		Ephemeral: true,
+		Status:    &nbpeer.PeerStatus{Connected: false, LastSeen: now},
+	}
+	mockStore.account.Peers[p.ID] = p
+	mgr.OnPeerDisconnected(context.Background(), p)
+
+	// Advance past lifeTime + cleanupWindow so the timer-driven sweep fires.
+	setNow(now.Add(mgr.lifeTime + 5*mgr.cleanupWindow))
+	require.Eventually(t, func() bool { return deleteCalls.Load() >= 1 }, 2*time.Second, 5*time.Millisecond,
+		"sweep should fire and delete the stale peer")
+
+	deletedMu.Lock()
+	deletedCopy := append([]string(nil), deleted...)
+	deletedMu.Unlock()
+	require.Equal(t, []string{"p1"}, deletedCopy, "only the one ephemeral peer should be deleted")
+}
+
+// TestOnPeerDisconnected_NonEphemeralIgnored: a non-ephemeral disconnect
+// must not register the account or arm any timer.
+func TestOnPeerDisconnected_NonEphemeralIgnored(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+	// No DeletePeers expectation — must not be called.
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+	mgr.OnPeerDisconnected(context.Background(), &nbpeer.Peer{
+		ID:        "p1",
+		AccountID: "acc-1",
+		Ephemeral: false,
+		Status:    &nbpeer.PeerStatus{Connected: false, LastSeen: timeNow()},
+	})
+
+	mgr.accountsLock.Lock()
+	require.Empty(t, mgr.accounts, "non-ephemeral disconnect must not register an account")
+	mgr.accountsLock.Unlock()
+}
+
+// TestSweep_DropsAccountWhenIdle: after a sweep cleans the stale peers,
+// if no more disconnects have arrived the account must be dropped from
+// the in-memory tracker.
+func TestSweep_DropsAccountWhenIdle(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	getNow, setNow := withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+	peersMgr.EXPECT().
+		DeletePeers(gomock.Any(), "acc-1", gomock.Any(), gomock.Any(), true).
+		DoAndReturn(func(_ context.Context, _ string, peerIDs []string, _ string, _ bool) error {
+			mockStore.mu.Lock()
+			for _, id := range peerIDs {
+				delete(mockStore.account.Peers, id)
+			}
+			mockStore.mu.Unlock()
+			return nil
+		}).AnyTimes()
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+
+	now := getNow()
+	p := &nbpeer.Peer{ID: "p1", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: now}}
+	mockStore.account.Peers[p.ID] = p
+	mgr.OnPeerDisconnected(context.Background(), p)
+
+	setNow(now.Add(mgr.lifeTime + 5*mgr.cleanupWindow))
+
+	require.Eventually(t, func() bool {
+		mgr.accountsLock.Lock()
+		defer mgr.accountsLock.Unlock()
+		return len(mgr.accounts) == 0
+	}, 2*time.Second, 5*time.Millisecond, "account should be dropped after sweep with no new disconnects")
+}
+
+// TestSweep_ReArmsWhenNewDisconnectArrived: simulate the race where a
+// fresh disconnect arrives just before the sweep fires. The sweep must
+// observe the updated lastDisc and re-arm rather than drop.
+func TestSweep_ReArmsWhenNewDisconnectArrived(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	getNow, setNow := withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+	peersMgr.EXPECT().
+		DeletePeers(gomock.Any(), "acc-1", gomock.Any(), gomock.Any(), true).
+		DoAndReturn(func(_ context.Context, _ string, peerIDs []string, _ string, _ bool) error {
+			mockStore.mu.Lock()
+			for _, id := range peerIDs {
+				delete(mockStore.account.Peers, id)
+			}
+			mockStore.mu.Unlock()
+			return nil
+		}).AnyTimes()
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+
+	now := getNow()
+	p1 := &nbpeer.Peer{ID: "p1", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: now}}
+	mockStore.account.Peers[p1.ID] = p1
+	mgr.OnPeerDisconnected(context.Background(), p1)
+
+	// Advance most of the way toward the first sweep, then introduce
+	// a fresh disconnect that resets lastDisc.
+	setNow(now.Add(mgr.lifeTime - 10*time.Millisecond))
+	p2 := &nbpeer.Peer{ID: "p2", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: getNow()}}
+	mockStore.account.Peers[p2.ID] = p2
+	mgr.OnPeerDisconnected(context.Background(), p2)
+
+	// Push past p1's staleness so the first sweep runs and cleans p1
+	// but observes p2 already on the account entry. It must re-arm.
+	setNow(now.Add(mgr.lifeTime + 5*mgr.cleanupWindow))
+
+	require.Eventually(t, func() bool {
+		mockStore.mu.Lock()
+		defer mockStore.mu.Unlock()
+		_, gone := mockStore.account.Peers["p1"]
+		return !gone
+	}, 2*time.Second, 5*time.Millisecond, "p1 should be cleaned at the first sweep")
+
+	// The account should still be tracked because p2 is younger than lifeTime
+	// from the sweep's vantage point at this moment.
+	mgr.accountsLock.Lock()
+	_, stillTracked := mgr.accounts["acc-1"]
+	mgr.accountsLock.Unlock()
+	require.True(t, stillTracked, "account should remain tracked because p2's disconnect kept it active")
+
+	// Push past p2's staleness; second sweep cleans p2 and drops the account.
+	setNow(getNow().Add(mgr.lifeTime + 5*mgr.cleanupWindow))
+	require.Eventually(t, func() bool {
+		mgr.accountsLock.Lock()
+		defer mgr.accountsLock.Unlock()
+		return len(mgr.accounts) == 0
+	}, 2*time.Second, 5*time.Millisecond, "account should drop after the final sweep")
+}
+
+// TestSweep_BatchesPeersPerAccount: many ephemeral peers disconnect on
+// the same account; a single sweep must delete them all in one
+// DeletePeers call.
+func TestSweep_BatchesPeersPerAccount(t *testing.T) {
+	const ephemeralPeers = 8
+
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	getNow, setNow := withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+
+	deleteBatches := make(chan []string, 4)
+	peersMgr.EXPECT().
+		DeletePeers(gomock.Any(), "acc-1", gomock.Any(), gomock.Any(), true).
+		DoAndReturn(func(_ context.Context, _ string, peerIDs []string, _ string, _ bool) error {
+			cp := append([]string(nil), peerIDs...)
+			mockStore.mu.Lock()
+			for _, id := range peerIDs {
+				delete(mockStore.account.Peers, id)
+			}
+			mockStore.mu.Unlock()
+			deleteBatches <- cp
+			return nil
+		}).Times(1)
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+
+	now := getNow()
+	for i := 0; i < ephemeralPeers; i++ {
+		id := fmt.Sprintf("p-%d", i)
+		// Stagger by a fraction of cleanupWindow so they all fall on
+		// the same sweep tick.
+		when := now.Add(time.Duration(i) * time.Millisecond)
+		p := &nbpeer.Peer{ID: id, AccountID: "acc-1", Ephemeral: true,
+			Status: &nbpeer.PeerStatus{Connected: false, LastSeen: when}}
+		mockStore.account.Peers[id] = p
 		mgr.OnPeerDisconnected(context.Background(), p)
-		startTime = startTime.Add(testCleanupWindow / (ephemeralPeers * 2))
 	}
 
-	// Advance time past the lifetime to trigger cleanup
-	startTime = startTime.Add(testLifeTime + testCleanupWindow)
+	setNow(now.Add(mgr.lifeTime + 5*mgr.cleanupWindow))
 
-	// Wait for all deletions to complete
-	wg.Wait()
-
-	assert.Len(t, mockStore.account.Peers, 0, "all ephemeral peers should be cleaned up after the lifetime")
-	assert.Equal(t, 1, mockAM.GetBufferUpdateCalls(account.Id), "buffer update should be called once")
-	assert.Equal(t, ephemeralPeers, mockAM.GetDeletePeerCalls(), "should have deleted all peers")
+	select {
+	case batch := <-deleteBatches:
+		require.Len(t, batch, ephemeralPeers, "all peers should be deleted in a single batch")
+	case <-time.After(2 * time.Second):
+		t.Fatal("expected one batched DeletePeers call")
+	}
 }
 
-func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int) {
-	store.account = newAccountWithId(context.Background(), "my account", "", "", false)
+// TestLoadInitialAccounts_SeedsFromStore exercises the post-restart
+// catch-up path: pre-populate the store, point the manager at it, and
+// confirm both already-stale and not-yet-stale peers get cleaned at
+// their proper times.
+func TestLoadInitialAccounts_SeedsFromStore(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	getNow, setNow := withFakeClock(t, time.Now())
 
-	for i := 0; i < numberOfPeers; i++ {
-		peerId := fmt.Sprintf("peer_%d", i)
-		p := &nbpeer.Peer{
-			ID:        peerId,
-			Ephemeral: false,
-		}
-		store.account.Peers[p.ID] = p
+	now := getNow()
+	// p-stale: already past the staleness window when load runs.
+	mockStore.account.Peers["p-stale"] = &nbpeer.Peer{
+		ID: "p-stale", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: now.Add(-time.Hour)},
+	}
+	// p-fresh: disconnected but not yet stale.
+	mockStore.account.Peers["p-fresh"] = &nbpeer.Peer{
+		ID: "p-fresh", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: now},
 	}
 
-	for i := 0; i < numberOfEphemeralPeers; i++ {
-		peerId := fmt.Sprintf("ephemeral_peer_%d", i)
-		p := &nbpeer.Peer{
-			ID:        peerId,
-			Ephemeral: true,
-		}
-		store.account.Peers[p.ID] = p
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+	peersMgr.EXPECT().
+		DeletePeers(gomock.Any(), "acc-1", gomock.Any(), gomock.Any(), true).
+		DoAndReturn(func(_ context.Context, _ string, peerIDs []string, _ string, _ bool) error {
+			mockStore.mu.Lock()
+			for _, id := range peerIDs {
+				delete(mockStore.account.Peers, id)
+			}
+			mockStore.mu.Unlock()
+			return nil
+		}).AnyTimes()
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+	// Drive loadInitialAccounts directly with the fake-clock-aware now.
+	mgr.loadInitialAccounts(context.Background())
+
+	// First sweep should fire shortly (cleanupWindow) for the stale peer.
+	setNow(now.Add(5 * mgr.cleanupWindow))
+	require.Eventually(t, func() bool {
+		mockStore.mu.Lock()
+		defer mockStore.mu.Unlock()
+		_, gone := mockStore.account.Peers["p-stale"]
+		return !gone
+	}, 2*time.Second, 5*time.Millisecond, "p-stale should be deleted on the first sweep")
+
+	// p-fresh is not yet stale; advance past its window.
+	setNow(now.Add(mgr.lifeTime + 5*mgr.cleanupWindow))
+	require.Eventually(t, func() bool {
+		mockStore.mu.Lock()
+		defer mockStore.mu.Unlock()
+		_, gone := mockStore.account.Peers["p-fresh"]
+		return !gone
+	}, 2*time.Second, 5*time.Millisecond, "p-fresh should be deleted once it crosses the staleness window")
+}
+
+// TestStop_CancelsPendingWork verifies that Stop() cancels both the
+// deferred initial load and per-account sweep timers and that
+// subsequent OnPeerDisconnected calls are ignored.
+func TestStop_CancelsPendingWork(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+	// DeletePeers must NOT be called after Stop.
+
+	mgr := NewEphemeralManager(mockStore, peersMgr)
+	mgr.lifeTime = 100 * time.Millisecond
+	mgr.cleanupWindow = 10 * time.Millisecond
+	// Use a long delay so the initial-load timer is still pending.
+	mgr.initialLoadDelay = func() time.Duration { return time.Hour }
+
+	mgr.LoadInitialPeers(context.Background())
+	mgr.OnPeerDisconnected(context.Background(), &nbpeer.Peer{
+		ID: "p1", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: timeNow()},
+	})
+
+	mgr.accountsLock.Lock()
+	require.NotNil(t, mgr.initialLoadTimer, "initial-load timer should be armed")
+	require.Len(t, mgr.accounts, 1, "account should be tracked after disconnect")
+	mgr.accountsLock.Unlock()
+
+	mgr.Stop()
+
+	mgr.accountsLock.Lock()
+	require.Empty(t, mgr.accounts, "Stop should clear tracked accounts")
+	require.True(t, mgr.stopped, "stopped flag must be set")
+	mgr.accountsLock.Unlock()
+
+	// Post-stop disconnect must be ignored.
+	mgr.OnPeerDisconnected(context.Background(), &nbpeer.Peer{
+		ID: "p2", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: timeNow()},
+	})
+	mgr.accountsLock.Lock()
+	require.Empty(t, mgr.accounts, "disconnects after Stop must be ignored")
+	mgr.accountsLock.Unlock()
+}
+
+// TestOnPeerConnected_IsNoop: the OnPeerConnected hook is preserved on
+// the interface but does nothing in the per-account model — the sweep
+// query filters connected peers at the DB level.
+func TestOnPeerConnected_IsNoop(t *testing.T) {
+	mockStore := &MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)}
+	withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+	mgr.OnPeerDisconnected(context.Background(), &nbpeer.Peer{
+		ID: "p1", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: timeNow()},
+	})
+	mgr.accountsLock.Lock()
+	require.Len(t, mgr.accounts, 1, "disconnect should track the account")
+	mgr.accountsLock.Unlock()
+
+	mgr.OnPeerConnected(context.Background(), &nbpeer.Peer{ID: "p1", AccountID: "acc-1", Ephemeral: true})
+	mgr.accountsLock.Lock()
+	require.Len(t, mgr.accounts, 1, "OnPeerConnected must be a no-op")
+	mgr.accountsLock.Unlock()
+}
+
+// TestSweep_StoreErrorReArms: if the stale-peer query fails, the
+// account must remain tracked and a follow-up sweep gets scheduled.
+func TestSweep_StoreErrorReArms(t *testing.T) {
+	mockStore := &erroringStore{
+		MockStore: MockStore{account: newAccountWithId(context.Background(), "acc-1", "", "", false)},
+	}
+	getNow, setNow := withFakeClock(t, time.Now())
+
+	ctrl := gomock.NewController(t)
+	peersMgr := peers.NewMockManager(ctrl)
+
+	mgr := newManagerForTest(t, mockStore, peersMgr)
+
+	p := &nbpeer.Peer{ID: "p1", AccountID: "acc-1", Ephemeral: true,
+		Status: &nbpeer.PeerStatus{Connected: false, LastSeen: getNow()}}
+	mockStore.account.Peers[p.ID] = p
+	mgr.OnPeerDisconnected(context.Background(), p)
+
+	mockStore.fail.Store(true)
+	setNow(getNow().Add(mgr.lifeTime + 5*mgr.cleanupWindow))
+
+	// Wait until the failing sweep has run at least once.
+	require.Eventually(t, func() bool { return mockStore.failedCalls.Load() >= 1 },
+		2*time.Second, 5*time.Millisecond, "expected at least one failing sweep")
+
+	mgr.accountsLock.Lock()
+	_, stillTracked := mgr.accounts["acc-1"]
+	mgr.accountsLock.Unlock()
+	require.True(t, stillTracked, "account must remain tracked after a sweep error")
+
+	// Recover and ensure the rearmed sweep cleans up.
+	peersMgr.EXPECT().
+		DeletePeers(gomock.Any(), "acc-1", gomock.Any(), gomock.Any(), true).
+		DoAndReturn(func(_ context.Context, _ string, peerIDs []string, _ string, _ bool) error {
+			mockStore.mu.Lock()
+			for _, id := range peerIDs {
+				delete(mockStore.account.Peers, id)
+			}
+			mockStore.mu.Unlock()
+			return nil
+		}).AnyTimes()
+	mockStore.fail.Store(false)
+
+	require.Eventually(t, func() bool {
+		mockStore.mu.Lock()
+		defer mockStore.mu.Unlock()
+		_, gone := mockStore.account.Peers["p1"]
+		return !gone
+	}, 2*time.Second, 5*time.Millisecond, "rearmed sweep should clean up after the store recovers")
+}
+
+// erroringStore is a MockStore that can be flipped into a failing mode
+// to exercise the sweep's error-rearm path.
+type erroringStore struct {
+	MockStore
+	fail        atomic.Bool
+	failedCalls atomic.Int32
+}
+
+func (s *erroringStore) GetStaleEphemeralPeerIDsForAccount(ctx context.Context, accountID string, olderThan time.Time) ([]string, error) {
+	if s.fail.Load() {
+		s.failedCalls.Add(1)
+		return nil, errors.New("synthetic store error")
+	}
+	return s.MockStore.GetStaleEphemeralPeerIDsForAccount(ctx, accountID, olderThan)
+}
+
+// TestDefaultInitialLoadDelay confirms the jitter falls inside the
+// documented [8m, 10m) range — sanity check for the production timer.
+func TestDefaultInitialLoadDelay(t *testing.T) {
+	for i := 0; i < 1000; i++ {
+		d := defaultInitialLoadDelay()
+		assert.GreaterOrEqual(t, d, initialLoadMinDelay)
+		assert.Less(t, d, initialLoadMaxDelay)
 	}
 }
 
@@ -351,3 +596,7 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string, dis
 	}
 	return acc
 }
+
+// silence the import "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
+// (still needed indirectly for ephemeral.EphemeralLifeTime in production paths).
+var _ = ephemeral.EphemeralLifeTime

management/internals/modules/reverseproxy/proxy/manager/manager.go

@@ -17,7 +17,7 @@ type store interface {
 	UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error
 	GetActiveProxyClusterAddresses(ctx context.Context) ([]string, error)
 	GetActiveProxyClusterAddressesForAccount(ctx context.Context, accountID string) ([]string, error)
-	GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
+	GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
 	GetClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	GetClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	GetClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool

management/internals/modules/reverseproxy/proxy/manager/manager_test.go

@@ -57,7 +57,7 @@ func (m *mockStore) GetActiveProxyClusterAddressesForAccount(ctx context.Context
 	}
 	return nil, nil
 }
-func (m *mockStore) GetProxyClusters(_ context.Context, _ string) ([]proxy.Cluster, error) {
+func (m *mockStore) GetActiveProxyClusters(_ context.Context, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 func (m *mockStore) CleanupStaleProxies(ctx context.Context, d time.Duration) error {

management/internals/modules/reverseproxy/proxy/proxy.go

@@ -42,35 +42,10 @@ func (Proxy) TableName() string {
 	return "proxies"
 }
 
-// ClusterType is the source of a proxy cluster.
-type ClusterType string
-
-const (
-	// ClusterTypeAccount is a cluster operated by the account itself (BYOP) —
-	// at least one proxy row in the cluster carries a non-NULL account_id.
-	ClusterTypeAccount ClusterType = "account"
-	// ClusterTypeShared is a cluster operated by NetBird and shared across
-	// accounts — all proxy rows in the cluster have account_id IS NULL.
-	ClusterTypeShared ClusterType = "shared"
-)
-
 // Cluster represents a group of proxy nodes serving the same address.
-//
-// Online and ConnectedProxies derive from the same 2-min active window
-// the rest of the module uses, but Cluster rows are not gated on it —
-// the cluster listing surfaces offline clusters too so operators can
-// see and clean them up. The 1-hour heartbeat reaper still bounds the
-// table eventually.
 type Cluster struct {
 	ID               string
 	Address          string
-	Type             ClusterType
-	Online           bool
 	ConnectedProxies int
-	// Capability flags. *bool because nil means "no proxy reported a
-	// capability for this cluster" — the dashboard renders these as
-	// unknown rather than false.
-	SupportsCustomPorts *bool
-	RequireSubdomain    *bool
-	SupportsCrowdSec    *bool
+	SelfHosted       bool
 }

management/internals/modules/reverseproxy/service/interface.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Manager interface {
-	GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error)
+	GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error)
 	DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error
 	GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error)
 	GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error)

management/internals/modules/reverseproxy/service/interface_mock.go

@@ -65,20 +65,6 @@ func (mr *MockManagerMockRecorder) CreateServiceFromPeer(ctx, accountID, peerID,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateServiceFromPeer", reflect.TypeOf((*MockManager)(nil).CreateServiceFromPeer), ctx, accountID, peerID, req)
 }
 
-// DeleteAccountCluster mocks base method.
-func (m *MockManager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, accountID, userID, clusterAddress)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
-func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, accountID, userID, clusterAddress interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster), ctx, accountID, userID, clusterAddress)
-}
-
 // DeleteAllServices mocks base method.
 func (m *MockManager) DeleteAllServices(ctx context.Context, accountID, userID string) error {
 	m.ctrl.T.Helper()
@@ -93,6 +79,20 @@ func (mr *MockManagerMockRecorder) DeleteAllServices(ctx, accountID, userID inte
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAllServices", reflect.TypeOf((*MockManager)(nil).DeleteAllServices), ctx, accountID, userID)
 }
 
+// DeleteAccountCluster mocks base method.
+func (m *MockManager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, accountID, userID, clusterAddress)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
+func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, accountID, userID, clusterAddress interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster), ctx, accountID, userID, clusterAddress)
+}
+
 // DeleteService mocks base method.
 func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
 	m.ctrl.T.Helper()
@@ -122,6 +122,21 @@ func (mr *MockManagerMockRecorder) GetAccountServices(ctx, accountID interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAccountServices", reflect.TypeOf((*MockManager)(nil).GetAccountServices), ctx, accountID)
 }
 
+// GetActiveClusters mocks base method.
+func (m *MockManager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetActiveClusters", ctx, accountID, userID)
+	ret0, _ := ret[0].([]proxy.Cluster)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetActiveClusters indicates an expected call of GetActiveClusters.
+func (mr *MockManagerMockRecorder) GetActiveClusters(ctx, accountID, userID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveClusters", reflect.TypeOf((*MockManager)(nil).GetActiveClusters), ctx, accountID, userID)
+}
+
 // GetAllServices mocks base method.
 func (m *MockManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error) {
 	m.ctrl.T.Helper()
@@ -137,19 +152,19 @@ func (mr *MockManagerMockRecorder) GetAllServices(ctx, accountID, userID interfa
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllServices", reflect.TypeOf((*MockManager)(nil).GetAllServices), ctx, accountID, userID)
 }
 
-// GetClusters mocks base method.
-func (m *MockManager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+// GetServiceByDomain mocks base method.
+func (m *MockManager) GetServiceByDomain(ctx context.Context, domain string) (*Service, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetClusters", ctx, accountID, userID)
-	ret0, _ := ret[0].([]proxy.Cluster)
+	ret := m.ctrl.Call(m, "GetServiceByDomain", ctx, domain)
+	ret0, _ := ret[0].(*Service)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// GetClusters indicates an expected call of GetClusters.
-func (mr *MockManagerMockRecorder) GetClusters(ctx, accountID, userID interface{}) *gomock.Call {
+// GetServiceByDomain indicates an expected call of GetServiceByDomain.
+func (mr *MockManagerMockRecorder) GetServiceByDomain(ctx, domain interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClusters", reflect.TypeOf((*MockManager)(nil).GetClusters), ctx, accountID, userID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByDomain", reflect.TypeOf((*MockManager)(nil).GetServiceByDomain), ctx, domain)
 }
 
 // GetGlobalServices mocks base method.
@@ -182,21 +197,6 @@ func (mr *MockManagerMockRecorder) GetService(ctx, accountID, userID, serviceID
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetService", reflect.TypeOf((*MockManager)(nil).GetService), ctx, accountID, userID, serviceID)
 }
 
-// GetServiceByDomain mocks base method.
-func (m *MockManager) GetServiceByDomain(ctx context.Context, domain string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceByDomain", ctx, domain)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceByDomain indicates an expected call of GetServiceByDomain.
-func (mr *MockManagerMockRecorder) GetServiceByDomain(ctx, domain interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByDomain", reflect.TypeOf((*MockManager)(nil).GetServiceByDomain), ctx, domain)
-}
-
 // GetServiceByID mocks base method.
 func (m *MockManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error) {
 	m.ctrl.T.Helper()

management/internals/modules/reverseproxy/service/manager/api.go

@@ -187,7 +187,7 @@ func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	clusters, err := h.manager.GetClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
+	clusters, err := h.manager.GetActiveClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -196,14 +196,10 @@ func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
 	apiClusters := make([]api.ProxyCluster, 0, len(clusters))
 	for _, c := range clusters {
 		apiClusters = append(apiClusters, api.ProxyCluster{
-			Id:                  c.ID,
-			Address:             c.Address,
-			Type:                api.ProxyClusterType(c.Type),
-			Online:              c.Online,
-			ConnectedProxies:    c.ConnectedProxies,
-			SupportsCustomPorts: c.SupportsCustomPorts,
-			RequireSubdomain:    c.RequireSubdomain,
-			SupportsCrowdsec:    c.SupportsCrowdSec,
+			Id:               c.ID,
+			Address:          c.Address,
+			ConnectedProxies: c.ConnectedProxies,
+			SelfHosted:       c.SelfHosted,
 		})
 	}
 

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -81,7 +81,6 @@ type ClusterDeriver interface {
 type CapabilityProvider interface {
 	ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
-	ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
 }
 
 type Manager struct {
@@ -113,12 +112,8 @@ func (m *Manager) StartExposeReaper(ctx context.Context) {
 	m.exposeReaper.StartExposeReaper(ctx)
 }
 
-// GetClusters returns every proxy cluster visible to the account
-// (shared + its own BYOP), regardless of whether any proxy in the
-// cluster is currently heartbeating. Each cluster is enriched with the
-// capability flags reported by its active proxies so the dashboard can
-// render feature support without a second round-trip.
-func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+// GetActiveClusters returns all active proxy clusters with their connected proxy count.
+func (m *Manager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -127,18 +122,7 @@ func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	clusters, err := m.store.GetProxyClusters(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	for i := range clusters {
-		clusters[i].SupportsCustomPorts = m.capabilities.ClusterSupportsCustomPorts(ctx, clusters[i].Address)
-		clusters[i].RequireSubdomain = m.capabilities.ClusterRequireSubdomain(ctx, clusters[i].Address)
-		clusters[i].SupportsCrowdSec = m.capabilities.ClusterSupportsCrowdSec(ctx, clusters[i].Address)
-	}
-
-	return clusters, nil
+	return m.store.GetActiveProxyClusters(ctx, accountID)
 }
 
 // DeleteAccountCluster removes all proxy registrations for the given cluster address

management/internals/shared/grpc/proxy.go

@@ -9,7 +9,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -137,12 +136,9 @@ type proxyConnection struct {
 	tokenID      string
 	capabilities *proto.ProxyCapabilities
 	stream       proto.ProxyService_GetMappingUpdateServer
-	// syncStream is set when the proxy connected via SyncMappings.
-	// When non-nil, the sender goroutine uses this instead of stream.
-	syncStream proto.ProxyService_SyncMappingsServer
-	sendChan   chan *proto.GetMappingUpdateResponse
-	ctx        context.Context
-	cancel     context.CancelFunc
+	sendChan     chan *proto.GetMappingUpdateResponse
+	ctx          context.Context
+	cancel       context.CancelFunc
 }
 
 func enforceAccountScope(ctx context.Context, requestAccountID string) error {
@@ -210,322 +206,145 @@ func (s *ProxyServiceServer) SetProxyController(proxyController proxy.Controller
 	s.proxyController = proxyController
 }
 
-// proxyConnectParams holds the validated parameters extracted from either
-// a GetMappingUpdateRequest or a SyncMappingsInit message.
-type proxyConnectParams struct {
-	proxyID      string
-	address      string
-	capabilities *proto.ProxyCapabilities
-}
-
 // GetMappingUpdate handles the control stream with proxy clients
 func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
-	params, err := s.validateProxyConnect(req.GetProxyId(), req.GetAddress(), stream.Context())
-	if err != nil {
-		return err
-	}
-	params.capabilities = req.GetCapabilities()
+	ctx := stream.Context()
 
-	conn, proxyRecord, err := s.registerProxyConnection(stream.Context(), params, &proxyConnection{
-		stream: stream,
-	})
-	if err != nil {
-		return err
-	}
-
-	if err := s.sendSnapshot(stream.Context(), conn); err != nil {
-		s.cleanupFailedSnapshot(stream.Context(), conn)
-		return fmt.Errorf("send snapshot to proxy %s: %w", params.proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-
-	return s.serveProxyConnection(conn, proxyRecord, errChan, false)
-}
-
-// SyncMappings implements the bidirectional SyncMappings RPC.
-// It mirrors GetMappingUpdate but provides application-level back-pressure:
-// management waits for an ack from the proxy before sending the next batch.
-func (s *ProxyServiceServer) SyncMappings(stream proto.ProxyService_SyncMappingsServer) error {
-	init, err := recvSyncInit(stream)
-	if err != nil {
-		return err
-	}
-
-	params, err := s.validateProxyConnect(init.GetProxyId(), init.GetAddress(), stream.Context())
-	if err != nil {
-		return err
-	}
-	params.capabilities = init.GetCapabilities()
-
-	conn, proxyRecord, err := s.registerProxyConnection(stream.Context(), params, &proxyConnection{
-		syncStream: stream,
-	})
-	if err != nil {
-		return err
-	}
-
-	if err := s.sendSnapshotSync(stream.Context(), conn, stream); err != nil {
-		s.cleanupFailedSnapshot(stream.Context(), conn)
-		return fmt.Errorf("send snapshot to proxy %s: %w", params.proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-	go s.drainRecv(stream, errChan)
-
-	return s.serveProxyConnection(conn, proxyRecord, errChan, true)
-}
-
-// recvSyncInit receives and validates the first message on a SyncMappings stream.
-func recvSyncInit(stream proto.ProxyService_SyncMappingsServer) (*proto.SyncMappingsInit, error) {
-	firstMsg, err := stream.Recv()
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "receive init: %v", err)
-	}
-	init := firstMsg.GetInit()
-	if init == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "first message must be init")
-	}
-	return init, nil
-}
-
-// validateProxyConnect validates the proxy ID and address, and checks cluster
-// address availability for account-scoped tokens.
-func (s *ProxyServiceServer) validateProxyConnect(proxyID, address string, ctx context.Context) (proxyConnectParams, error) {
-	if proxyID == "" {
-		return proxyConnectParams{}, status.Errorf(codes.InvalidArgument, "proxy_id is required")
-	}
-	if !isProxyAddressValid(address) {
-		return proxyConnectParams{}, status.Errorf(codes.InvalidArgument, "proxy address is invalid")
-	}
-
-	token := GetProxyTokenFromContext(ctx)
-	if token != nil && token.AccountID != nil {
-		available, err := s.proxyManager.IsClusterAddressAvailable(ctx, address, *token.AccountID)
-		if err != nil {
-			return proxyConnectParams{}, status.Errorf(codes.Internal, "check cluster address: %v", err)
-		}
-		if !available {
-			return proxyConnectParams{}, status.Errorf(codes.AlreadyExists, "cluster address %s is already in use", address)
-		}
-	}
-
-	return proxyConnectParams{proxyID: proxyID, address: address}, nil
-}
-
-// registerProxyConnection creates a proxyConnection, registers it with the
-// proxy manager and cluster, and stores it in connectedProxies. The caller
-// provides a partially initialised connSeed with stream-specific fields set;
-// the remaining fields are filled in here.
-func (s *ProxyServiceServer) registerProxyConnection(ctx context.Context, params proxyConnectParams, connSeed *proxyConnection) (*proxyConnection, *proxy.Proxy, error) {
 	peerInfo := PeerIPFromContext(ctx)
+	log.Infof("New proxy connection from %s", peerInfo)
+
+	proxyID := req.GetProxyId()
+	if proxyID == "" {
+		return status.Errorf(codes.InvalidArgument, "proxy_id is required")
+	}
+
+	proxyAddress := req.GetAddress()
+	if !isProxyAddressValid(proxyAddress) {
+		return status.Errorf(codes.InvalidArgument, "proxy address is invalid")
+	}
 
 	var accountID *string
-	var tokenID string
-	if token := GetProxyTokenFromContext(ctx); token != nil {
-		if token.AccountID != nil {
-			accountID = token.AccountID
+	token := GetProxyTokenFromContext(ctx)
+	if token != nil && token.AccountID != nil {
+		accountID = token.AccountID
+
+		available, err := s.proxyManager.IsClusterAddressAvailable(ctx, proxyAddress, *accountID)
+		if err != nil {
+			return status.Errorf(codes.Internal, "check cluster address: %v", err)
 		}
+		if !available {
+			return status.Errorf(codes.AlreadyExists, "cluster address %s is already in use", proxyAddress)
+		}
+	}
+
+	var tokenID string
+	if token != nil {
 		tokenID = token.ID
 	}
 
 	sessionID := uuid.NewString()
-	s.supersedePriorConnection(params.proxyID, sessionID)
+
+	if old, loaded := s.connectedProxies.Load(proxyID); loaded {
+		oldConn := old.(*proxyConnection)
+		log.WithFields(log.Fields{
+			"proxy_id":       proxyID,
+			"old_session_id": oldConn.sessionID,
+			"new_session_id": sessionID,
+		}).Info("Superseding existing proxy connection")
+		oldConn.cancel()
+	}
 
 	connCtx, cancel := context.WithCancel(ctx)
-	connSeed.proxyID = params.proxyID
-	connSeed.sessionID = sessionID
-	connSeed.address = params.address
-	connSeed.accountID = accountID
-	connSeed.tokenID = tokenID
-	connSeed.capabilities = params.capabilities
-	connSeed.sendChan = make(chan *proto.GetMappingUpdateResponse, 100)
-	connSeed.ctx = connCtx
-	connSeed.cancel = cancel
+	conn := &proxyConnection{
+		proxyID:      proxyID,
+		sessionID:    sessionID,
+		address:      proxyAddress,
+		accountID:    accountID,
+		tokenID:      tokenID,
+		capabilities: req.GetCapabilities(),
+		stream:       stream,
+		sendChan:     make(chan *proto.GetMappingUpdateResponse, 100),
+		ctx:          connCtx,
+		cancel:       cancel,
+	}
 
 	var caps *proxy.Capabilities
-	if c := params.capabilities; c != nil {
+	if c := req.GetCapabilities(); c != nil {
 		caps = &proxy.Capabilities{
 			SupportsCustomPorts: c.SupportsCustomPorts,
 			RequireSubdomain:    c.RequireSubdomain,
 			SupportsCrowdsec:    c.SupportsCrowdsec,
 		}
 	}
-
-	proxyRecord, err := s.proxyManager.Connect(ctx, params.proxyID, sessionID, params.address, peerInfo, accountID, caps)
+	proxyRecord, err := s.proxyManager.Connect(ctx, proxyID, sessionID, proxyAddress, peerInfo, accountID, caps)
 	if err != nil {
 		cancel()
 		if accountID != nil {
-			return nil, nil, status.Errorf(codes.Internal, "failed to register BYOP proxy: %v", err)
+			return status.Errorf(codes.Internal, "failed to register BYOP proxy: %v", err)
 		}
-		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", params.proxyID, err)
-		return nil, nil, status.Errorf(codes.Internal, "register proxy in database: %v", err)
+		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", proxyID, err)
+		return status.Errorf(codes.Internal, "register proxy in database: %v", err)
 	}
 
-	s.connectedProxies.Store(params.proxyID, connSeed)
-	if err := s.proxyController.RegisterProxyToCluster(ctx, params.address, params.proxyID); err != nil {
-		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", params.proxyID, err)
+	s.connectedProxies.Store(proxyID, conn)
+	if err := s.proxyController.RegisterProxyToCluster(ctx, conn.address, proxyID); err != nil {
+		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", proxyID, err)
 	}
 
-	return connSeed, proxyRecord, nil
-}
-
-// supersedePriorConnection cancels any existing connection for the given proxy.
-func (s *ProxyServiceServer) supersedePriorConnection(proxyID, newSessionID string) {
-	if old, loaded := s.connectedProxies.Load(proxyID); loaded {
-		oldConn := old.(*proxyConnection)
-		log.WithFields(log.Fields{
-			"proxy_id":       proxyID,
-			"old_session_id": oldConn.sessionID,
-			"new_session_id": newSessionID,
-		}).Info("Superseding existing proxy connection")
-		oldConn.cancel()
-	}
-}
-
-// cleanupFailedSnapshot removes the connection from the cluster and store
-// after a snapshot send failure.
-func (s *ProxyServiceServer) cleanupFailedSnapshot(ctx context.Context, conn *proxyConnection) {
-	if s.connectedProxies.CompareAndDelete(conn.proxyID, conn) {
-		if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, conn.proxyID); err != nil {
-			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", conn.proxyID, err)
+	if err := s.sendSnapshot(ctx, conn); err != nil {
+		if s.connectedProxies.CompareAndDelete(proxyID, conn) {
+			if unregErr := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); unregErr != nil {
+				log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, unregErr)
+			}
 		}
-	}
-	conn.cancel()
-	if err := s.proxyManager.Disconnect(context.Background(), conn.proxyID, conn.sessionID); err != nil {
-		log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", conn.proxyID, err)
-	}
-}
-
-// drainRecv consumes and discards messages from a bidirectional stream.
-// The proxy sends an ack for every incremental update; we don't need them
-// after the snapshot phase. Recv errors are forwarded to errChan.
-func (s *ProxyServiceServer) drainRecv(stream proto.ProxyService_SyncMappingsServer, errChan chan<- error) {
-	for {
-		if _, err := stream.Recv(); err != nil {
-			errChan <- err
-			return
+		cancel()
+		if disconnErr := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); disconnErr != nil {
+			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, disconnErr)
 		}
+		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
 	}
-}
 
-// serveProxyConnection runs the post-snapshot lifecycle: heartbeat, sender,
-// and wait for termination. When bidi is true, normal stream closure (EOF,
-// canceled) is treated as a clean disconnect rather than an error.
-func (s *ProxyServiceServer) serveProxyConnection(conn *proxyConnection, proxyRecord *proxy.Proxy, errChan <-chan error, bidi bool) error {
+	errChan := make(chan error, 2)
+	go s.sender(conn, errChan)
+
 	log.WithFields(log.Fields{
-		"proxy_id":      conn.proxyID,
-		"session_id":    conn.sessionID,
-		"address":       conn.address,
-		"cluster_addr":  conn.address,
-		"account_id":    conn.accountID,
+		"proxy_id":      proxyID,
+		"session_id":    sessionID,
+		"address":       proxyAddress,
+		"cluster_addr":  proxyAddress,
+		"account_id":    accountID,
 		"total_proxies": len(s.GetConnectedProxies()),
 	}).Info("Proxy registered in cluster")
+	defer func() {
+		if !s.connectedProxies.CompareAndDelete(proxyID, conn) {
+			log.Infof("Proxy %s session %s: skipping cleanup, superseded by new connection", proxyID, sessionID)
+			cancel()
+			return
+		}
 
-	defer s.disconnectProxy(conn)
-	go s.heartbeat(conn.ctx, conn, proxyRecord)
+		if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); err != nil {
+			log.Warnf("Failed to unregister proxy %s from cluster: %v", proxyID, err)
+		}
+		if err := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); err != nil {
+			log.Warnf("Failed to mark proxy %s as disconnected: %v", proxyID, err)
+		}
+
+		cancel()
+		log.Infof("Proxy %s session %s disconnected", proxyID, sessionID)
+	}()
+
+	go s.heartbeat(connCtx, conn, proxyRecord)
 
 	select {
 	case err := <-errChan:
-		if bidi && isStreamClosed(err) {
-			log.Infof("Proxy %s stream closed", conn.proxyID)
-			return nil
-		}
-		log.Warnf("Failed to send update: %v", err)
-		return fmt.Errorf("send update to proxy %s: %w", conn.proxyID, err)
-	case <-conn.ctx.Done():
-		log.Infof("Proxy %s context canceled", conn.proxyID)
-		return conn.ctx.Err()
+		log.WithContext(ctx).Warnf("Failed to send update: %v", err)
+		return fmt.Errorf("send update to proxy %s: %w", proxyID, err)
+	case <-connCtx.Done():
+		log.WithContext(ctx).Infof("Proxy %s context canceled", proxyID)
+		return connCtx.Err()
 	}
 }
 
-// disconnectProxy removes the connection from cluster and store, unless it
-// has already been superseded by a newer connection.
-func (s *ProxyServiceServer) disconnectProxy(conn *proxyConnection) {
-	if !s.connectedProxies.CompareAndDelete(conn.proxyID, conn) {
-		log.Infof("Proxy %s session %s: skipping cleanup, superseded by new connection", conn.proxyID, conn.sessionID)
-		conn.cancel()
-		return
-	}
-
-	if err := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, conn.proxyID); err != nil {
-		log.Warnf("Failed to unregister proxy %s from cluster: %v", conn.proxyID, err)
-	}
-	if err := s.proxyManager.Disconnect(context.Background(), conn.proxyID, conn.sessionID); err != nil {
-		log.Warnf("Failed to mark proxy %s as disconnected: %v", conn.proxyID, err)
-	}
-
-	conn.cancel()
-	log.Infof("Proxy %s session %s disconnected", conn.proxyID, conn.sessionID)
-}
-
-// sendSnapshotSync sends the initial snapshot with back-pressure: it sends
-// one batch, then waits for the proxy to ack before sending the next.
-func (s *ProxyServiceServer) sendSnapshotSync(ctx context.Context, conn *proxyConnection, stream proto.ProxyService_SyncMappingsServer) error {
-	if !isProxyAddressValid(conn.address) {
-		return fmt.Errorf("proxy address is invalid")
-	}
-	if s.snapshotBatchSize <= 0 {
-		return fmt.Errorf("invalid snapshot batch size: %d", s.snapshotBatchSize)
-	}
-
-	mappings, err := s.snapshotServiceMappings(ctx, conn)
-	if err != nil {
-		return err
-	}
-
-	for i := 0; i < len(mappings); i += s.snapshotBatchSize {
-		end := i + s.snapshotBatchSize
-		if end > len(mappings) {
-			end = len(mappings)
-		}
-		for _, m := range mappings[i:end] {
-			token, err := s.tokenStore.GenerateToken(m.AccountId, m.Id, s.proxyTokenTTL())
-			if err != nil {
-				return fmt.Errorf("generate auth token for service %s: %w", m.Id, err)
-			}
-			m.AuthToken = token
-		}
-		if err := stream.Send(&proto.SyncMappingsResponse{
-			Mapping:             mappings[i:end],
-			InitialSyncComplete: end == len(mappings),
-		}); err != nil {
-			return fmt.Errorf("send snapshot batch: %w", err)
-		}
-
-		if err := waitForAck(stream); err != nil {
-			return err
-		}
-	}
-
-	if len(mappings) == 0 {
-		if err := stream.Send(&proto.SyncMappingsResponse{
-			InitialSyncComplete: true,
-		}); err != nil {
-			return fmt.Errorf("send snapshot completion: %w", err)
-		}
-
-		if err := waitForAck(stream); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func waitForAck(stream proto.ProxyService_SyncMappingsServer) error {
-	msg, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive ack: %w", err)
-	}
-	if msg.GetAck() == nil {
-		return fmt.Errorf("expected ack, got %T", msg.GetMsg())
-	}
-	return nil
-}
-
 // heartbeat updates the proxy's last_seen timestamp every minute and
 // disconnects the proxy if its access token has been revoked.
 func (s *ProxyServiceServer) heartbeat(ctx context.Context, conn *proxyConnection, p *proxy.Proxy) {
@@ -562,9 +381,6 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 	if !isProxyAddressValid(conn.address) {
 		return fmt.Errorf("proxy address is invalid")
 	}
-	if s.snapshotBatchSize <= 0 {
-		return fmt.Errorf("invalid snapshot batch size: %d", s.snapshotBatchSize)
-	}
 
 	mappings, err := s.snapshotServiceMappings(ctx, conn)
 	if err != nil {
@@ -644,26 +460,12 @@ func isProxyAddressValid(addr string) bool {
 	return err == nil
 }
 
-// isStreamClosed returns true for errors that indicate normal stream
-// termination: io.EOF, context cancellation, or gRPC Canceled.
-func isStreamClosed(err error) bool {
-	if err == nil {
-		return false
-	}
-	if errors.Is(err, io.EOF) || errors.Is(err, context.Canceled) {
-		return true
-	}
-	return status.Code(err) == codes.Canceled
-}
-
-// sender handles sending messages to proxy.
-// When conn.syncStream is set the message is sent as SyncMappingsResponse;
-// otherwise the legacy GetMappingUpdateResponse stream is used.
+// sender handles sending messages to proxy
 func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error) {
 	for {
 		select {
 		case resp := <-conn.sendChan:
-			if err := conn.sendResponse(resp); err != nil {
+			if err := conn.stream.Send(resp); err != nil {
 				errChan <- err
 				return
 			}
@@ -673,17 +475,6 @@ func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error)
 	}
 }
 
-// sendResponse sends a mapping update on whichever stream the proxy connected with.
-func (conn *proxyConnection) sendResponse(resp *proto.GetMappingUpdateResponse) error {
-	if conn.syncStream != nil {
-		return conn.syncStream.Send(&proto.SyncMappingsResponse{
-			Mapping:             resp.Mapping,
-			InitialSyncComplete: resp.InitialSyncComplete,
-		})
-	}
-	return conn.stream.Send(resp)
-}
-
 // SendAccessLog processes access log from proxy
 func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendAccessLogRequest) (*proto.SendAccessLogResponse, error) {
 	accessLog := req.GetLog()
@@ -750,8 +541,8 @@ func (s *ProxyServiceServer) SendServiceUpdate(update *proto.GetMappingUpdateRes
 				return true
 			}
 			connUpdate = &proto.GetMappingUpdateResponse{
-				Mapping:             filtered,
-				InitialSyncComplete: update.InitialSyncComplete,
+				Mapping:              filtered,
+				InitialSyncComplete:  update.InitialSyncComplete,
 			}
 		}
 		resp := s.perProxyMessage(connUpdate, conn.proxyID)

management/internals/shared/grpc/proxy_group_access_test.go

@@ -109,7 +109,7 @@ func (m *mockReverseProxyManager) GetServiceByDomain(_ context.Context, domain s
 	return nil, errors.New("service not found for domain: " + domain)
 }
 
-func (m *mockReverseProxyManager) GetClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
+func (m *mockReverseProxyManager) GetActiveClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 

management/internals/shared/grpc/sync_mappings_test.go

@@ -1,411 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/metadata"
-
-	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// syncRecordingStream is a mock ProxyService_SyncMappingsServer that records
-// sent messages and returns pre-loaded ack responses from Recv.
-type syncRecordingStream struct {
-	grpc.ServerStream
-
-	mu       sync.Mutex
-	sent     []*proto.SyncMappingsResponse
-	recvMsgs []*proto.SyncMappingsRequest
-	recvIdx  int
-}
-
-func (s *syncRecordingStream) Send(m *proto.SyncMappingsResponse) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	s.sent = append(s.sent, m)
-	return nil
-}
-
-func (s *syncRecordingStream) Recv() (*proto.SyncMappingsRequest, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.recvIdx >= len(s.recvMsgs) {
-		return nil, fmt.Errorf("no more recv messages")
-	}
-	msg := s.recvMsgs[s.recvIdx]
-	s.recvIdx++
-	return msg, nil
-}
-
-func (s *syncRecordingStream) Context() context.Context     { return context.Background() }
-func (s *syncRecordingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *syncRecordingStream) SendHeader(metadata.MD) error { return nil }
-func (s *syncRecordingStream) SetTrailer(metadata.MD)       {}
-func (s *syncRecordingStream) SendMsg(any) error            { return nil }
-func (s *syncRecordingStream) RecvMsg(any) error            { return nil }
-
-func ackMsg() *proto.SyncMappingsRequest {
-	return &proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-	}
-}
-
-func TestSendSnapshotSync_BatchesWithAcks(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 3
-	const totalServices = 7 // 3 + 3 + 1 → 3 batches, 3 acks (one per batch, including final)
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg(), ackMsg(), ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 3, "should send ceil(7/3) = 3 batches")
-
-	assert.Len(t, stream.sent[0].Mapping, 3)
-	assert.False(t, stream.sent[0].InitialSyncComplete)
-
-	assert.Len(t, stream.sent[1].Mapping, 3)
-	assert.False(t, stream.sent[1].InitialSyncComplete)
-
-	assert.Len(t, stream.sent[2].Mapping, 1)
-	assert.True(t, stream.sent[2].InitialSyncComplete)
-
-	// All 3 acks consumed — including the final batch.
-	assert.Equal(t, 3, stream.recvIdx)
-}
-
-func TestSendSnapshotSync_SingleBatchWaitsForAck(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 100
-	const totalServices = 5
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1)
-	assert.Len(t, stream.sent[0].Mapping, totalServices)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-	assert.Equal(t, 1, stream.recvIdx, "final batch ack must be consumed")
-}
-
-func TestSendSnapshotSync_EmptySnapshot(t *testing.T) {
-	const cluster = "cluster.example.com"
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(nil, nil)
-
-	s := newSnapshotTestServer(t, 500)
-	s.serviceManager = mgr
-
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{ackMsg()},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1, "empty snapshot must still send sync-complete")
-	assert.Empty(t, stream.sent[0].Mapping)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-	assert.Equal(t, 1, stream.recvIdx, "empty snapshot ack must be consumed")
-}
-
-func TestSendSnapshotSync_MissingAckReturnsError(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4 // 2 batches → 1 ack needed, but we provide none
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	// No acks available — Recv will return error.
-	stream := &syncRecordingStream{}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "receive ack")
-	// First batch should have been sent before the error.
-	require.Len(t, stream.sent, 1)
-}
-
-func TestSendSnapshotSync_WrongMessageInsteadOfAck(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	// Send an init message instead of an ack.
-	stream := &syncRecordingStream{
-		recvMsgs: []*proto.SyncMappingsRequest{
-			{Msg: &proto.SyncMappingsRequest_Init{Init: &proto.SyncMappingsInit{ProxyId: "bad"}}},
-		},
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "expected ack")
-}
-
-func TestSendSnapshotSync_BackPressureOrdering(t *testing.T) {
-	// Verify batches are sent strictly sequentially — batch N+1 is not sent
-	// until the ack for batch N is received, including the final batch.
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 6 // 3 batches, 3 acks
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	var mu sync.Mutex
-	var events []string
-
-	// Build a stream that logs send/recv events so we can verify ordering.
-	ackCh := make(chan struct{}, 3)
-	stream := &orderTrackingStream{
-		mu:     &mu,
-		events: &events,
-		ackCh:  ackCh,
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	// Feed acks asynchronously after a short delay to simulate real proxy.
-	go func() {
-		for range 3 {
-			time.Sleep(10 * time.Millisecond)
-			ackCh <- struct{}{}
-		}
-	}()
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-
-	mu.Lock()
-	defer mu.Unlock()
-
-	// Expected: send, recv-ack, send, recv-ack, send, recv-ack.
-	require.Len(t, events, 6)
-	assert.Equal(t, "send", events[0])
-	assert.Equal(t, "recv", events[1])
-	assert.Equal(t, "send", events[2])
-	assert.Equal(t, "recv", events[3])
-	assert.Equal(t, "send", events[4])
-	assert.Equal(t, "recv", events[5])
-}
-
-// orderTrackingStream logs "send" and "recv" events and blocks Recv until
-// an ack is signaled via ackCh.
-type orderTrackingStream struct {
-	grpc.ServerStream
-	mu     *sync.Mutex
-	events *[]string
-	ackCh  chan struct{}
-}
-
-func (s *orderTrackingStream) Send(_ *proto.SyncMappingsResponse) error {
-	s.mu.Lock()
-	*s.events = append(*s.events, "send")
-	s.mu.Unlock()
-	return nil
-}
-
-func (s *orderTrackingStream) Recv() (*proto.SyncMappingsRequest, error) {
-	<-s.ackCh
-	s.mu.Lock()
-	*s.events = append(*s.events, "recv")
-	s.mu.Unlock()
-	return ackMsg(), nil
-}
-
-func (s *orderTrackingStream) Context() context.Context     { return context.Background() }
-func (s *orderTrackingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *orderTrackingStream) SendHeader(metadata.MD) error { return nil }
-func (s *orderTrackingStream) SetTrailer(metadata.MD)       {}
-func (s *orderTrackingStream) SendMsg(any) error            { return nil }
-func (s *orderTrackingStream) RecvMsg(any) error            { return nil }
-
-func TestSendSnapshotSync_TokensGeneratedPerBatch(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 2
-	const totalServices = 4
-	const ttl = 100 * time.Millisecond
-	const ackDelay = 200 * time.Millisecond
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-	s.tokenTTL = ttl
-
-	// Build a stream that validates tokens immediately on Send, then
-	// delays the ack to ensure the next batch's tokens are generated fresh.
-	var validateErrs []error
-	ackCh := make(chan struct{}, 2)
-	stream := &tokenValidatingSyncStream{
-		tokenStore:   s.tokenStore,
-		validateErrs: &validateErrs,
-		ackCh:        ackCh,
-	}
-	conn := &proxyConnection{
-		proxyID:    "proxy-a",
-		address:    cluster,
-		syncStream: stream,
-	}
-
-	go func() {
-		// Delay first ack so that if tokens were all generated upfront they'd expire.
-		time.Sleep(ackDelay)
-		ackCh <- struct{}{}
-		// Final batch ack — immediate.
-		ackCh <- struct{}{}
-	}()
-
-	err := s.sendSnapshotSync(context.Background(), conn, stream)
-	require.NoError(t, err)
-	require.Empty(t, validateErrs,
-		"tokens must remain valid: per-batch generation guarantees freshness")
-}
-
-type tokenValidatingSyncStream struct {
-	grpc.ServerStream
-	tokenStore   *OneTimeTokenStore
-	validateErrs *[]error
-	ackCh        chan struct{}
-}
-
-func (s *tokenValidatingSyncStream) Send(m *proto.SyncMappingsResponse) error {
-	for _, mapping := range m.Mapping {
-		if err := s.tokenStore.ValidateAndConsume(mapping.AuthToken, mapping.AccountId, mapping.Id); err != nil {
-			*s.validateErrs = append(*s.validateErrs, fmt.Errorf("svc %s: %w", mapping.Id, err))
-		}
-	}
-	return nil
-}
-
-func (s *tokenValidatingSyncStream) Recv() (*proto.SyncMappingsRequest, error) {
-	<-s.ackCh
-	return ackMsg(), nil
-}
-
-func (s *tokenValidatingSyncStream) Context() context.Context     { return context.Background() }
-func (s *tokenValidatingSyncStream) SetHeader(metadata.MD) error  { return nil }
-func (s *tokenValidatingSyncStream) SendHeader(metadata.MD) error { return nil }
-func (s *tokenValidatingSyncStream) SetTrailer(metadata.MD)       {}
-func (s *tokenValidatingSyncStream) SendMsg(any) error            { return nil }
-func (s *tokenValidatingSyncStream) RecvMsg(any) error            { return nil }
-
-func TestConnectionSendResponse_RoutesToSyncStream(t *testing.T) {
-	stream := &syncRecordingStream{}
-	conn := &proxyConnection{
-		syncStream: stream,
-	}
-
-	resp := &proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{
-			{Id: "svc-1", AccountId: "acct-1", Domain: "example.com"},
-		},
-		InitialSyncComplete: true,
-	}
-
-	err := conn.sendResponse(resp)
-	require.NoError(t, err)
-
-	require.Len(t, stream.sent, 1)
-	assert.Len(t, stream.sent[0].Mapping, 1)
-	assert.Equal(t, "svc-1", stream.sent[0].Mapping[0].Id)
-	assert.True(t, stream.sent[0].InitialSyncComplete)
-}
-
-func TestConnectionSendResponse_RoutesToLegacyStream(t *testing.T) {
-	stream := &recordingStream{}
-	conn := &proxyConnection{
-		stream: stream,
-	}
-
-	resp := &proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{
-			{Id: "svc-2", AccountId: "acct-2"},
-		},
-	}
-
-	err := conn.sendResponse(resp)
-	require.NoError(t, err)
-
-	require.Len(t, stream.messages, 1)
-	assert.Equal(t, "svc-2", stream.messages[0].Mapping[0].Id)
-}

management/internals/shared/grpc/validate_session_test.go

@@ -322,7 +322,7 @@ func (m *testValidateSessionServiceManager) GetServiceByDomain(ctx context.Conte
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *testValidateSessionServiceManager) GetClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
+func (m *testValidateSessionServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]proxy.Cluster, error) {
 	return nil, nil
 }
 

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -444,7 +444,7 @@ func (m *testServiceManager) GetServiceByDomain(ctx context.Context, domain stri
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *testServiceManager) GetClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
+func (m *testServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
 	return nil, nil
 }
 

management/server/http/testing/integration/networks_handler_integration_test.go

@@ -1319,7 +1319,7 @@ func Test_NetworkRouters_Update(t *testing.T) {
 			},
 		},
 		{
-			name:      "Update non-existing router returns not found",
+			name:      "Update non-existing router creates it",
 			networkId: "testNetworkId",
 			routerId:  "nonExistingRouterId",
 			requestBody: &api.NetworkRouterRequest{
@@ -1328,7 +1328,11 @@ func Test_NetworkRouters_Update(t *testing.T) {
 				Metric:     100,
 				Enabled:    true,
 			},
-			expectedStatus: http.StatusNotFound,
+			expectedStatus: http.StatusOK,
+			verifyResponse: func(t *testing.T, router *api.NetworkRouter) {
+				t.Helper()
+				assert.Equal(t, "nonExistingRouterId", router.Id)
+			},
 		},
 		{
 			name:      "Update router with both peer and peer_groups",

management/server/migration/migration_test.go

@@ -198,11 +198,7 @@ func TestMigrateNetIPFieldFromBlobToJSON_WithJSONData(t *testing.T) {
 	require.NoError(t, err, "Failed to insert account")
 
 	account.PeersG = []nbpeer.Peer{
-		{
-			AccountID: "1234",
-			Location:  nbpeer.Location{ConnectionIP: net.IP{10, 0, 0, 1}},
-			Status:    &nbpeer.PeerStatus{LastSeen: time.Now()},
-		},
+		{AccountID: "1234", Location: nbpeer.Location{ConnectionIP: net.IP{10, 0, 0, 1}}},
 	}
 
 	err = db.Save(account).Error

management/server/networks/manager_test.go

@@ -34,11 +34,8 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 
 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
 	require.NoError(t, err)
-	ids := make([]string, 0, len(networks))
-	for _, n := range networks {
-		ids = append(ids, n.ID)
-	}
-	require.ElementsMatch(t, []string{"testNetworkId", "secondNetworkId"}, ids)
+	require.Len(t, networks, 1)
+	require.Equal(t, "testNetworkId", networks[0].ID)
 }
 
 func Test_GetAllNetworksReturnsPermissionDenied(t *testing.T) {

management/server/networks/routers/manager.go

@@ -102,7 +102,7 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 
 		router.ID = xid.New().String()
 
-		err = transaction.CreateNetworkRouter(ctx, router)
+		err = transaction.SaveNetworkRouter(ctx, router)
 		if err != nil {
 			return fmt.Errorf("failed to create network router: %w", err)
 		}
@@ -162,20 +162,11 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t
 			return fmt.Errorf("failed to get network: %w", err)
 		}
 
-		existing, err := transaction.GetNetworkRouterByID(ctx, store.LockingStrengthUpdate, router.AccountID, router.ID)
-		if err != nil {
-			return fmt.Errorf("failed to get network router: %w", err)
-		}
-
-		if existing.AccountID != router.AccountID {
-			return status.NewNetworkRouterNotFoundError(router.ID)
-		}
-
-		if existing.NetworkID != router.NetworkID {
+		if network.ID != router.NetworkID {
 			return status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
 		}
 
-		err = transaction.UpdateNetworkRouter(ctx, router)
+		err = transaction.SaveNetworkRouter(ctx, router)
 		if err != nil {
 			return fmt.Errorf("failed to update network router: %w", err)
 		}

management/server/networks/routers/manager_test.go

@@ -195,7 +195,6 @@ func Test_UpdateRouterSuccessfully(t *testing.T) {
 	if err != nil {
 		require.NoError(t, err)
 	}
-	router.ID = "testRouterId"
 
 	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
 	if err != nil {
@@ -211,102 +210,6 @@ func Test_UpdateRouterSuccessfully(t *testing.T) {
 	require.Equal(t, router.Metric, updatedRouter.Metric)
 }
 
-func Test_UpdateRouterRejectsCrossAccountID(t *testing.T) {
-	ctx := context.Background()
-	userID := "testAdminId"
-
-	// Admin of testAccountId tries to update a router that belongs to otherAccountId
-	// by passing the other account's router ID through the URL.
-	router, err := types.NewNetworkRouter("testAccountId", "testNetworkId", "testPeerId", []string{}, false, 1, true)
-	if err != nil {
-		require.NoError(t, err)
-	}
-	router.ID = "otherRouterId"
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(cleanUp)
-	permissionsManager := permissions.NewManager(s)
-	am := mock_server.MockAccountManager{}
-	manager := NewManager(s, permissionsManager, &am)
-
-	updatedRouter, err := manager.UpdateRouter(ctx, userID, router)
-	require.Error(t, err)
-	require.Nil(t, updatedRouter)
-
-	// The other account's router must be untouched.
-	stored, err := s.GetNetworkRouterByID(ctx, store.LockingStrengthNone, "otherAccountId", "otherRouterId")
-	require.NoError(t, err)
-	require.Equal(t, "otherAccountId", stored.AccountID)
-	require.Equal(t, "otherNetworkId", stored.NetworkID)
-	require.Equal(t, "otherPeer", stored.Peer)
-	require.Equal(t, 1, stored.Metric)
-}
-
-func Test_CreateRouterRejectsCrossAccountID(t *testing.T) {
-	ctx := context.Background()
-	userID := "testAdminId"
-
-	// Admin of testAccountId tries to create a router in otherAccountId's network.
-	// The permission check is on router.AccountID (their own), but the network
-	// lookup must fail because (testAccountId, otherNetworkId) does not exist.
-	router, err := types.NewNetworkRouter("testAccountId", "otherNetworkId", "testPeerId", []string{}, false, 1, true)
-	if err != nil {
-		require.NoError(t, err)
-	}
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(cleanUp)
-	permissionsManager := permissions.NewManager(s)
-	am := mock_server.MockAccountManager{}
-	manager := NewManager(s, permissionsManager, &am)
-
-	createdRouter, err := manager.CreateRouter(ctx, userID, router)
-	require.Error(t, err)
-	require.Nil(t, createdRouter)
-
-	// No router should have been created in either account's scope under otherNetworkId.
-	routersInOther, err := s.GetNetworkRoutersByNetID(ctx, store.LockingStrengthNone, "otherAccountId", "otherNetworkId")
-	require.NoError(t, err)
-	require.Len(t, routersInOther, 1)
-	require.Equal(t, "otherRouterId", routersInOther[0].ID)
-}
-
-func Test_UpdateRouterRejectsNetworkMismatch(t *testing.T) {
-	ctx := context.Background()
-	userID := "testAdminId"
-
-	// The router exists in testNetworkId, but the caller submits secondNetworkId
-	// (a different network in the same account). The update must be refused.
-	router, err := types.NewNetworkRouter("testAccountId", "secondNetworkId", "testPeerId", []string{}, false, 1, true)
-	if err != nil {
-		require.NoError(t, err)
-	}
-	router.ID = "testRouterId"
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../../testdata/networks.sql", t.TempDir())
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(cleanUp)
-	permissionsManager := permissions.NewManager(s)
-	am := mock_server.MockAccountManager{}
-	manager := NewManager(s, permissionsManager, &am)
-
-	updatedRouter, err := manager.UpdateRouter(ctx, userID, router)
-	require.Error(t, err)
-	require.Nil(t, updatedRouter)
-
-	stored, err := s.GetNetworkRouterByID(ctx, store.LockingStrengthNone, "testAccountId", "testRouterId")
-	require.NoError(t, err)
-	require.Equal(t, "testNetworkId", stored.NetworkID)
-}
-
 func Test_UpdateRouterFailsWithPermissionDenied(t *testing.T) {
 	ctx := context.Background()
 	userID := "testUserId"

management/server/peer/peer.go

@@ -86,7 +86,7 @@ type PeerStatus struct { //nolint:revive
 	// active session". Integer nanoseconds are used so equality is
 	// precision-safe across drivers, and so the predicates compose to a
 	// single bigint comparison.
-	SessionStartedAt int64 `gorm:"not null;default:0"`
+	SessionStartedAt int64
 	// Connected indicates whether peer is connected to the management service or not
 	Connected bool
 	// LoginExpired

management/server/peer_test.go

@@ -2218,9 +2218,6 @@ func Test_IsUniqueConstraintError(t *testing.T) {
 		ID:        "test-peer-id",
 		AccountID: "bf1c8084-ba50-4ce7-9439-34653001fc3b",
 		DNSLabel:  "test-peer-dns-label",
-		Status: &nbpeer.PeerStatus{
-			LastSeen: time.Now(),
-		},
 	}
 
 	for _, tt := range tests {

management/server/store/sql_store.go

@@ -3463,6 +3463,49 @@ func (s *SqlStore) GetAllEphemeralPeers(ctx context.Context, lockStrength Lockin
 	return allEphemeralPeers, nil
 }
 
+// GetStaleEphemeralPeerIDsForAccount returns IDs of disconnected
+// ephemeral peers in the given account whose last_seen is strictly
+// older than olderThan.
+func (s *SqlStore) GetStaleEphemeralPeerIDsForAccount(ctx context.Context, accountID string, olderThan time.Time) ([]string, error) {
+	var ids []string
+	err := s.db.WithContext(ctx).
+		Model(&nbpeer.Peer{}).
+		Where("account_id = ? AND ephemeral = ? AND peer_status_connected = ? AND peer_status_last_seen < ?",
+			accountID, true, false, olderThan).
+		Pluck("id", &ids).Error
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to query stale ephemeral peers for account %s: %v", accountID, err)
+		return nil, status.Errorf(status.Internal, "query stale ephemeral peers")
+	}
+	return ids, nil
+}
+
+// GetEphemeralAccountsLastDisconnect returns the latest peer_status_last_seen
+// per account across disconnected ephemeral peers. Returns one entry per
+// account that has at least one such peer.
+func (s *SqlStore) GetEphemeralAccountsLastDisconnect(ctx context.Context) (map[string]time.Time, error) {
+	type row struct {
+		AccountID string
+		LastSeen  time.Time
+	}
+	var rows []row
+	err := s.db.WithContext(ctx).
+		Model(&nbpeer.Peer{}).
+		Select("account_id, MAX(peer_status_last_seen) AS last_seen").
+		Where("ephemeral = ? AND peer_status_connected = ?", true, false).
+		Group("account_id").
+		Scan(&rows).Error
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to load ephemeral-account last disconnect map: %v", err)
+		return nil, status.Errorf(status.Internal, "load ephemeral accounts")
+	}
+	out := make(map[string]time.Time, len(rows))
+	for _, r := range rows {
+		out[r.AccountID] = r.LastSeen
+	}
+	return out, nil
+}
+
 // DeletePeer removes a peer from the store.
 func (s *SqlStore) DeletePeer(ctx context.Context, accountID string, peerID string) error {
 	result := s.db.Delete(&nbpeer.Peer{}, accountAndIDQueryCondition, accountID, peerID)
@@ -4315,27 +4358,11 @@ func (s *SqlStore) GetNetworkRouterByID(ctx context.Context, lockStrength Lockin
 	return netRouter, nil
 }
 
-func (s *SqlStore) CreateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error {
-	if err := s.db.Create(router).Error; err != nil {
-		log.WithContext(ctx).Errorf("failed to create network router in store: %v", err)
-		return status.Errorf(status.Internal, "failed to create network router in store")
-	}
-
-	return nil
-}
-
-func (s *SqlStore) UpdateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error {
-	result := s.db.
-		Select("*").
-		Where(accountAndIDQueryCondition, router.AccountID, router.ID).
-		Updates(router)
+func (s *SqlStore) SaveNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error {
+	result := s.db.Save(router)
 	if result.Error != nil {
-		log.WithContext(ctx).Errorf("failed to update network router in store: %v", result.Error)
-		return status.Errorf(status.Internal, "failed to update network router in store")
-	}
-
-	if result.RowsAffected == 0 {
-		return status.NewNetworkRouterNotFoundError(router.ID)
+		log.WithContext(ctx).Errorf("failed to save network router to store: %v", result.Error)
+		return status.Errorf(status.Internal, "failed to save network router to store")
 	}
 
 	return nil
@@ -5752,67 +5779,19 @@ func (s *SqlStore) DeleteAccountCluster(ctx context.Context, clusterAddress, acc
 	return nil
 }
 
-// GetProxyClusters returns every cluster the account can see (shared
-// plus its own BYOP), regardless of whether any proxy in the cluster
-// is currently heartbeating. Online and ConnectedProxies are derived
-// from the 2-min active window so the dashboard can render offline
-// clusters distinctly; the 1-hour heartbeat reaper still removes rows
-// that go quiet for too long.
-//
-// AccountOwned is determined by whether any proxy row in the group
-// carries a non-NULL account_id; the caller maps that to Cluster.Type.
-// Capability flags are NOT filled here — the handler enriches them via
-// the per-cluster capability lookups.
-func (s *SqlStore) GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
-	activeCutoff := time.Now().Add(-proxyActiveThreshold)
+func (s *SqlStore) GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
+	var clusters []proxy.Cluster
 
-	type clusterRow struct {
-		ID               string
-		Address          string
-		ConnectedProxies int
-		Online           bool
-		AccountOwned     bool
-	}
-
-	var rows []clusterRow
 	result := s.db.Model(&proxy.Proxy{}).
-		Select(
-			"MIN(id) AS id, "+
-				"cluster_address AS address, "+
-				// COUNT(CASE WHEN ... THEN 1 END) counts only non-NULL — i.e. only
-				// rows that satisfy the predicate — so it works portably across
-				// sqlite/postgres/mysql without dialect-specific FILTER syntax.
-				"COUNT(CASE WHEN status = ? AND last_seen > ? THEN 1 END) AS connected_proxies, "+
-				// MAX(CASE …) > 0 expresses BOOL_OR in a way Postgres tolerates
-				// (Postgres can't MAX a boolean column).
-				"MAX(CASE WHEN status = ? AND last_seen > ? THEN 1 ELSE 0 END) > 0 AS online, "+
-				"MAX(CASE WHEN account_id IS NOT NULL THEN 1 ELSE 0 END) > 0 AS account_owned",
-			proxy.StatusConnected, activeCutoff,
-			proxy.StatusConnected, activeCutoff,
-		).
-		Where("account_id IS NULL OR account_id = ?", accountID).
+		Select("MIN(id) as id, cluster_address as address, COUNT(*) as connected_proxies, COUNT(account_id) > 0 as self_hosted").
+		Where("status = ? AND last_seen > ? AND (account_id IS NULL OR account_id = ?)",
+			proxy.StatusConnected, time.Now().Add(-proxyActiveThreshold), accountID).
 		Group("cluster_address").
-		Scan(&rows)
+		Scan(&clusters)
 
 	if result.Error != nil {
-		log.WithContext(ctx).Errorf("failed to get proxy clusters: %v", result.Error)
-		return nil, status.Errorf(status.Internal, "get proxy clusters")
-	}
-
-	clusters := make([]proxy.Cluster, 0, len(rows))
-	for _, r := range rows {
-		c := proxy.Cluster{
-			ID:               r.ID,
-			Address:          r.Address,
-			Online:           r.Online,
-			ConnectedProxies: r.ConnectedProxies,
-		}
-		if r.AccountOwned {
-			c.Type = proxy.ClusterTypeAccount
-		} else {
-			c.Type = proxy.ClusterTypeShared
-		}
-		clusters = append(clusters, c)
+		log.WithContext(ctx).Errorf("failed to get active proxy clusters: %v", result.Error)
+		return nil, status.Errorf(status.Internal, "get active proxy clusters")
 	}
 
 	return clusters, nil

management/server/store/sql_store_proxy_clusters_test.go

@@ -1,109 +0,0 @@
-package store
-
-import (
-	"context"
-	"os"
-	"runtime"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	rpproxy "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
-)
-
-// TestSqlStore_GetProxyClusters_DerivesOnlineAndType guards the
-// account-visible cluster list against silent regressions in two
-// dimensions:
-//
-//  1. Online derivation: a cluster with one stale and one fresh proxy
-//     is online and counts only the fresh proxy; a cluster whose
-//     proxies all heartbeated outside the 2-min window appears offline
-//     with connected_proxies = 0 (rather than disappearing, which is
-//     what the old query did).
-//  2. Type derivation: a cluster scoped to the calling account is
-//     reported as `account`; a cluster with account_id IS NULL is
-//     reported as `shared`. Clusters scoped to other accounts must not
-//     leak into the result.
-//
-// Capability flags are intentionally not asserted here — they're filled
-// by the manager (handler) layer from the per-cluster capability
-// lookups, not by the store query.
-func TestSqlStore_GetProxyClusters_DerivesOnlineAndType(t *testing.T) {
-	if (os.Getenv("CI") == "true" && runtime.GOOS == "darwin") || runtime.GOOS == "windows" {
-		t.Skip("skip CI tests on darwin and windows")
-	}
-
-	runTestForAllEngines(t, "", func(t *testing.T, store Store) {
-		ctx := context.Background()
-		accountID := "acct-clusters"
-		require.NoError(t, store.SaveAccount(ctx, newAccountWithId(ctx, accountID, "user-1", "")))
-
-		otherAccountID := "acct-other"
-		require.NoError(t, store.SaveAccount(ctx, newAccountWithId(ctx, otherAccountID, "user-2", "")))
-
-		acctID := accountID
-		otherID := otherAccountID
-
-		fresh := time.Now().Add(-30 * time.Second)
-		stale := time.Now().Add(-30 * time.Minute)
-
-		mustSave := func(id, cluster string, accID *string, status string, lastSeen time.Time) {
-			require.NoError(t, store.SaveProxy(ctx, &rpproxy.Proxy{
-				ID:             id,
-				SessionID:      id + "-sess",
-				ClusterAddress: cluster,
-				IPAddress:      "10.0.0.1",
-				AccountID:      accID,
-				LastSeen:       lastSeen,
-				Status:         status,
-			}))
-		}
-
-		// shared-mixed: one fresh + one stale proxy → online, connected=1
-		mustSave("p-shared-fresh", "shared-mixed.netbird.io", nil, rpproxy.StatusConnected, fresh)
-		mustSave("p-shared-stale", "shared-mixed.netbird.io", nil, rpproxy.StatusConnected, stale)
-
-		// shared-offline: only stale proxies → offline, connected=0,
-		// but row must still appear (this is the new semantic — old
-		// query would have dropped it entirely).
-		mustSave("p-shared-off", "shared-offline.netbird.io", nil, rpproxy.StatusConnected, stale)
-
-		// account-online: BYOP cluster owned by acctID, fresh
-		mustSave("p-acct-fresh", "byop.acct.example", &acctID, rpproxy.StatusConnected, fresh)
-
-		// other-account: must not surface for acctID
-		mustSave("p-other", "byop.other.example", &otherID, rpproxy.StatusConnected, fresh)
-
-		clusters, err := store.GetProxyClusters(ctx, accountID)
-		require.NoError(t, err)
-
-		byAddr := map[string]rpproxy.Cluster{}
-		for _, c := range clusters {
-			byAddr[c.Address] = c
-		}
-
-		assert.NotContains(t, byAddr, "byop.other.example",
-			"another account's BYOP cluster must not leak into this account's listing")
-
-		require.Contains(t, byAddr, "shared-mixed.netbird.io")
-		mixed := byAddr["shared-mixed.netbird.io"]
-		assert.Equal(t, rpproxy.ClusterTypeShared, mixed.Type, "shared cluster (account_id IS NULL) must be reported as Type=shared")
-		assert.True(t, mixed.Online, "cluster with a fresh proxy must be online")
-		assert.Equal(t, 1, mixed.ConnectedProxies, "connected_proxies must count only fresh proxies; the stale one should not bump the count")
-
-		require.Contains(t, byAddr, "shared-offline.netbird.io",
-			"offline clusters must still appear so the dashboard can render them — the old GetActiveProxyClusters would have dropped this row, which is the regression this test guards against")
-		offline := byAddr["shared-offline.netbird.io"]
-		assert.Equal(t, rpproxy.ClusterTypeShared, offline.Type)
-		assert.False(t, offline.Online, "no fresh heartbeat → offline")
-		assert.Equal(t, 0, offline.ConnectedProxies, "no fresh proxies → connected_proxies=0")
-
-		require.Contains(t, byAddr, "byop.acct.example")
-		acct := byAddr["byop.acct.example"]
-		assert.Equal(t, rpproxy.ClusterTypeAccount, acct.Type, "BYOP cluster owned by the account must be reported as Type=account")
-		assert.True(t, acct.Online)
-		assert.Equal(t, 1, acct.ConnectedProxies)
-	})
-}

management/server/store/sql_store_test.go

@@ -2399,7 +2399,7 @@ func TestSqlStore_GetNetworkRouterByID(t *testing.T) {
 	}
 }
 
-func TestSqlStore_CreateNetworkRouter(t *testing.T) {
+func TestSqlStore_SaveNetworkRouter(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
 	t.Cleanup(cleanup)
 	require.NoError(t, err)
@@ -2410,7 +2410,7 @@ func TestSqlStore_CreateNetworkRouter(t *testing.T) {
 	netRouter, err := routerTypes.NewNetworkRouter(accountID, networkID, "", []string{"net-router-grp"}, true, 0, true)
 	require.NoError(t, err)
 
-	err = store.CreateNetworkRouter(context.Background(), netRouter)
+	err = store.SaveNetworkRouter(context.Background(), netRouter)
 	require.NoError(t, err)
 
 	savedNetRouter, err := store.GetNetworkRouterByID(context.Background(), LockingStrengthNone, accountID, netRouter.ID)
@@ -2418,39 +2418,6 @@ func TestSqlStore_CreateNetworkRouter(t *testing.T) {
 	require.Equal(t, netRouter, savedNetRouter)
 }
 
-func TestSqlStore_UpdateNetworkRouter(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-	networkID := "ct286bi7qv930dsrrug0"
-	routerID := "ctc20ji7qv9ck2sebc80"
-
-	netRouter := &routerTypes.NetworkRouter{
-		ID:         routerID,
-		AccountID:  accountID,
-		NetworkID:  networkID,
-		Peer:       "",
-		PeerGroups: []string{"net-router-grp"},
-		Masquerade: true,
-		Metric:     42,
-		Enabled:    true,
-	}
-
-	err = store.UpdateNetworkRouter(context.Background(), netRouter)
-	require.NoError(t, err)
-
-	savedNetRouter, err := store.GetNetworkRouterByID(context.Background(), LockingStrengthNone, accountID, routerID)
-	require.NoError(t, err)
-	require.Equal(t, netRouter, savedNetRouter)
-
-	// Updating a router under a different account must not match any row.
-	netRouter.AccountID = "non-existent-account"
-	err = store.UpdateNetworkRouter(context.Background(), netRouter)
-	require.Error(t, err)
-}
-
 func TestSqlStore_DeleteNetworkRouter(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
 	t.Cleanup(cleanup)

management/server/store/store.go

@@ -165,6 +165,15 @@ type Store interface {
 	GetAccountPeersWithExpiration(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*nbpeer.Peer, error)
 	GetAccountPeersWithInactivity(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*nbpeer.Peer, error)
 	GetAllEphemeralPeers(ctx context.Context, lockStrength LockingStrength) ([]*nbpeer.Peer, error)
+	// GetStaleEphemeralPeerIDsForAccount returns the IDs of disconnected
+	// ephemeral peers whose last_seen is strictly older than olderThan,
+	// scoped to a single account. Used by the per-account cleanup sweep.
+	GetStaleEphemeralPeerIDsForAccount(ctx context.Context, accountID string, olderThan time.Time) ([]string, error)
+	// GetEphemeralAccountsLastDisconnect returns, for every account that
+	// has at least one disconnected ephemeral peer, the most recent
+	// last_seen across that account's disconnected ephemeral peers. Used
+	// to reconstruct the per-account cleanup tracker after a restart.
+	GetEphemeralAccountsLastDisconnect(ctx context.Context) (map[string]time.Time, error)
 	SavePeer(ctx context.Context, accountID string, peer *nbpeer.Peer) error
 	SavePeerStatus(ctx context.Context, accountID, peerID string, status nbpeer.PeerStatus) error
 	// MarkPeerConnectedIfNewerSession sets the peer to connected with the
@@ -228,8 +237,7 @@ type Store interface {
 	GetNetworkRoutersByNetID(ctx context.Context, lockStrength LockingStrength, accountID, netID string) ([]*routerTypes.NetworkRouter, error)
 	GetNetworkRoutersByAccountID(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*routerTypes.NetworkRouter, error)
 	GetNetworkRouterByID(ctx context.Context, lockStrength LockingStrength, accountID, routerID string) (*routerTypes.NetworkRouter, error)
-	CreateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error
-	UpdateNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error
+	SaveNetworkRouter(ctx context.Context, router *routerTypes.NetworkRouter) error
 	DeleteNetworkRouter(ctx context.Context, accountID, routerID string) error
 
 	GetNetworkResourcesByNetID(ctx context.Context, lockStrength LockingStrength, accountID, netID string) ([]*resourceTypes.NetworkResource, error)
@@ -308,7 +316,7 @@ type Store interface {
 	UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error
 	GetActiveProxyClusterAddresses(ctx context.Context) ([]string, error)
 	GetActiveProxyClusterAddressesForAccount(ctx context.Context, accountID string) ([]string, error)
-	GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
+	GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error)
 	GetClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
 	GetClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
 	GetClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool
@@ -472,9 +480,6 @@ func getMigrationsPreAuto(ctx context.Context) []migrationFunc {
 		func(db *gorm.DB) error {
 			return migration.MigrateNewField[types.User](ctx, db, "email", "")
 		},
-		func(db *gorm.DB) error {
-			return migration.MigrateNewField[nbpeer.Peer](ctx, db, "peer_status_session_started_at", int64(0))
-		},
 		func(db *gorm.DB) error {
 			return migration.RemoveDuplicatePeerKeys(ctx, db)
 		},

management/server/store/store_mock.go

@@ -310,20 +310,6 @@ func (mr *MockStoreMockRecorder) CreateGroups(ctx, accountID, groups interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateGroups", reflect.TypeOf((*MockStore)(nil).CreateGroups), ctx, accountID, groups)
 }
 
-// CreateNetworkRouter mocks base method.
-func (m *MockStore) CreateNetworkRouter(ctx context.Context, router *types0.NetworkRouter) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateNetworkRouter", ctx, router)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CreateNetworkRouter indicates an expected call of CreateNetworkRouter.
-func (mr *MockStoreMockRecorder) CreateNetworkRouter(ctx, router interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateNetworkRouter", reflect.TypeOf((*MockStore)(nil).CreateNetworkRouter), ctx, router)
-}
-
 // CreatePeerJob mocks base method.
 func (m *MockStore) CreatePeerJob(ctx context.Context, job *types2.Job) error {
 	m.ctrl.T.Helper()
@@ -394,20 +380,6 @@ func (mr *MockStoreMockRecorder) DeleteAccount(ctx, account interface{}) *gomock
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccount", reflect.TypeOf((*MockStore)(nil).DeleteAccount), ctx, account)
 }
 
-// DeleteAccountCluster mocks base method.
-func (m *MockStore) DeleteAccountCluster(ctx context.Context, clusterAddress, accountID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, clusterAddress, accountID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
-func (mr *MockStoreMockRecorder) DeleteAccountCluster(ctx, clusterAddress, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockStore)(nil).DeleteAccountCluster), ctx, clusterAddress, accountID)
-}
-
 // DeleteCustomDomain mocks base method.
 func (m *MockStore) DeleteCustomDomain(ctx context.Context, accountID, domainID string) error {
 	m.ctrl.T.Helper()
@@ -605,6 +577,20 @@ func (mr *MockStoreMockRecorder) DeletePostureChecks(ctx, accountID, postureChec
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePostureChecks", reflect.TypeOf((*MockStore)(nil).DeletePostureChecks), ctx, accountID, postureChecksID)
 }
 
+// DeleteAccountCluster mocks base method.
+func (m *MockStore) DeleteAccountCluster(ctx context.Context, clusterAddress, accountID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteAccountCluster", ctx, clusterAddress, accountID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
+func (mr *MockStoreMockRecorder) DeleteAccountCluster(ctx, clusterAddress, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", reflect.TypeOf((*MockStore)(nil).DeleteAccountCluster), ctx, clusterAddress, accountID)
+}
+
 // DeleteRoute mocks base method.
 func (m *MockStore) DeleteRoute(ctx context.Context, accountID, routeID string) error {
 	m.ctrl.T.Helper()
@@ -745,20 +731,6 @@ func (mr *MockStoreMockRecorder) DeleteZoneDNSRecords(ctx, accountID, zoneID int
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteZoneDNSRecords", reflect.TypeOf((*MockStore)(nil).DeleteZoneDNSRecords), ctx, accountID, zoneID)
 }
 
-// DisconnectProxy mocks base method.
-func (m *MockStore) DisconnectProxy(ctx context.Context, proxyID, sessionID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DisconnectProxy", ctx, proxyID, sessionID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DisconnectProxy indicates an expected call of DisconnectProxy.
-func (mr *MockStoreMockRecorder) DisconnectProxy(ctx, proxyID, sessionID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisconnectProxy", reflect.TypeOf((*MockStore)(nil).DisconnectProxy), ctx, proxyID, sessionID)
-}
-
 // EphemeralServiceExists mocks base method.
 func (m *MockStore) EphemeralServiceExists(ctx context.Context, lockStrength LockingStrength, accountID, peerID, domain string) (bool, error) {
 	m.ctrl.T.Helper()
@@ -1360,6 +1332,21 @@ func (mr *MockStoreMockRecorder) GetActiveProxyClusterAddressesForAccount(ctx, a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveProxyClusterAddressesForAccount", reflect.TypeOf((*MockStore)(nil).GetActiveProxyClusterAddressesForAccount), ctx, accountID)
 }
 
+// GetActiveProxyClusters mocks base method.
+func (m *MockStore) GetActiveProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetActiveProxyClusters", ctx, accountID)
+	ret0, _ := ret[0].([]proxy.Cluster)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetActiveProxyClusters indicates an expected call of GetActiveProxyClusters.
+func (mr *MockStoreMockRecorder) GetActiveProxyClusters(ctx, accountID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveProxyClusters", reflect.TypeOf((*MockStore)(nil).GetActiveProxyClusters), ctx, accountID)
+}
+
 // GetAllAccounts mocks base method.
 func (m *MockStore) GetAllAccounts(ctx context.Context) []*types2.Account {
 	m.ctrl.T.Helper()
@@ -1389,6 +1376,36 @@ func (mr *MockStoreMockRecorder) GetAllEphemeralPeers(ctx, lockStrength interfac
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllEphemeralPeers", reflect.TypeOf((*MockStore)(nil).GetAllEphemeralPeers), ctx, lockStrength)
 }
 
+// GetStaleEphemeralPeerIDsForAccount mocks base method.
+func (m *MockStore) GetStaleEphemeralPeerIDsForAccount(ctx context.Context, accountID string, olderThan time.Time) ([]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetStaleEphemeralPeerIDsForAccount", ctx, accountID, olderThan)
+	ret0, _ := ret[0].([]string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetStaleEphemeralPeerIDsForAccount indicates an expected call of GetStaleEphemeralPeerIDsForAccount.
+func (mr *MockStoreMockRecorder) GetStaleEphemeralPeerIDsForAccount(ctx, accountID, olderThan interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetStaleEphemeralPeerIDsForAccount", reflect.TypeOf((*MockStore)(nil).GetStaleEphemeralPeerIDsForAccount), ctx, accountID, olderThan)
+}
+
+// GetEphemeralAccountsLastDisconnect mocks base method.
+func (m *MockStore) GetEphemeralAccountsLastDisconnect(ctx context.Context) (map[string]time.Time, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetEphemeralAccountsLastDisconnect", ctx)
+	ret0, _ := ret[0].(map[string]time.Time)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetEphemeralAccountsLastDisconnect indicates an expected call of GetEphemeralAccountsLastDisconnect.
+func (mr *MockStoreMockRecorder) GetEphemeralAccountsLastDisconnect(ctx interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetEphemeralAccountsLastDisconnect", reflect.TypeOf((*MockStore)(nil).GetEphemeralAccountsLastDisconnect), ctx)
+}
+
 // GetAllProxyAccessTokens mocks base method.
 func (m *MockStore) GetAllProxyAccessTokens(ctx context.Context, lockStrength LockingStrength) ([]*types2.ProxyAccessToken, error) {
 	m.ctrl.T.Helper()
@@ -2061,21 +2078,6 @@ func (mr *MockStoreMockRecorder) GetProxyByAccountID(ctx, accountID interface{})
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxyByAccountID", reflect.TypeOf((*MockStore)(nil).GetProxyByAccountID), ctx, accountID)
 }
 
-// GetProxyClusters mocks base method.
-func (m *MockStore) GetProxyClusters(ctx context.Context, accountID string) ([]proxy.Cluster, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetProxyClusters", ctx, accountID)
-	ret0, _ := ret[0].([]proxy.Cluster)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetProxyClusters indicates an expected call of GetProxyClusters.
-func (mr *MockStoreMockRecorder) GetProxyClusters(ctx, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxyClusters", reflect.TypeOf((*MockStore)(nil).GetProxyClusters), ctx, accountID)
-}
-
 // GetResourceGroups mocks base method.
 func (m *MockStore) GetResourceGroups(ctx context.Context, lockStrength LockingStrength, accountID, resourceID string) ([]*types2.Group, error) {
 	m.ctrl.T.Helper()
@@ -2626,36 +2628,6 @@ func (mr *MockStoreMockRecorder) MarkPATUsed(ctx, patID interface{}) *gomock.Cal
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPATUsed", reflect.TypeOf((*MockStore)(nil).MarkPATUsed), ctx, patID)
 }
 
-// MarkPeerConnectedIfNewerSession mocks base method.
-func (m *MockStore) MarkPeerConnectedIfNewerSession(ctx context.Context, accountID, peerID string, newSessionStartedAt int64) (bool, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerConnectedIfNewerSession", ctx, accountID, peerID, newSessionStartedAt)
-	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// MarkPeerConnectedIfNewerSession indicates an expected call of MarkPeerConnectedIfNewerSession.
-func (mr *MockStoreMockRecorder) MarkPeerConnectedIfNewerSession(ctx, accountID, peerID, newSessionStartedAt interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnectedIfNewerSession", reflect.TypeOf((*MockStore)(nil).MarkPeerConnectedIfNewerSession), ctx, accountID, peerID, newSessionStartedAt)
-}
-
-// MarkPeerDisconnectedIfSameSession mocks base method.
-func (m *MockStore) MarkPeerDisconnectedIfSameSession(ctx context.Context, accountID, peerID string, sessionStartedAt int64) (bool, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MarkPeerDisconnectedIfSameSession", ctx, accountID, peerID, sessionStartedAt)
-	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// MarkPeerDisconnectedIfSameSession indicates an expected call of MarkPeerDisconnectedIfSameSession.
-func (mr *MockStoreMockRecorder) MarkPeerDisconnectedIfSameSession(ctx, accountID, peerID, sessionStartedAt interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerDisconnectedIfSameSession", reflect.TypeOf((*MockStore)(nil).MarkPeerDisconnectedIfSameSession), ctx, accountID, peerID, sessionStartedAt)
-}
-
 // MarkPendingJobsAsFailed mocks base method.
 func (m *MockStore) MarkPendingJobsAsFailed(ctx context.Context, accountID, peerID, jobID, reason string) error {
 	m.ctrl.T.Helper()
@@ -2866,6 +2838,20 @@ func (mr *MockStoreMockRecorder) SaveNetworkResource(ctx, resource interface{})
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveNetworkResource", reflect.TypeOf((*MockStore)(nil).SaveNetworkResource), ctx, resource)
 }
 
+// SaveNetworkRouter mocks base method.
+func (m *MockStore) SaveNetworkRouter(ctx context.Context, router *types0.NetworkRouter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SaveNetworkRouter", ctx, router)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SaveNetworkRouter indicates an expected call of SaveNetworkRouter.
+func (mr *MockStoreMockRecorder) SaveNetworkRouter(ctx, router interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveNetworkRouter", reflect.TypeOf((*MockStore)(nil).SaveNetworkRouter), ctx, router)
+}
+
 // SavePAT mocks base method.
 func (m *MockStore) SavePAT(ctx context.Context, pat *types2.PersonalAccessToken) error {
 	m.ctrl.T.Helper()
@@ -2922,6 +2908,36 @@ func (mr *MockStoreMockRecorder) SavePeerStatus(ctx, accountID, peerID, status i
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SavePeerStatus", reflect.TypeOf((*MockStore)(nil).SavePeerStatus), ctx, accountID, peerID, status)
 }
 
+// MarkPeerConnectedIfNewerSession mocks base method.
+func (m *MockStore) MarkPeerConnectedIfNewerSession(ctx context.Context, accountID, peerID string, newSessionStartedAt int64) (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MarkPeerConnectedIfNewerSession", ctx, accountID, peerID, newSessionStartedAt)
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MarkPeerConnectedIfNewerSession indicates an expected call of MarkPeerConnectedIfNewerSession.
+func (mr *MockStoreMockRecorder) MarkPeerConnectedIfNewerSession(ctx, accountID, peerID, newSessionStartedAt interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerConnectedIfNewerSession", reflect.TypeOf((*MockStore)(nil).MarkPeerConnectedIfNewerSession), ctx, accountID, peerID, newSessionStartedAt)
+}
+
+// MarkPeerDisconnectedIfSameSession mocks base method.
+func (m *MockStore) MarkPeerDisconnectedIfSameSession(ctx context.Context, accountID, peerID string, sessionStartedAt int64) (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MarkPeerDisconnectedIfSameSession", ctx, accountID, peerID, sessionStartedAt)
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MarkPeerDisconnectedIfSameSession indicates an expected call of MarkPeerDisconnectedIfSameSession.
+func (mr *MockStoreMockRecorder) MarkPeerDisconnectedIfSameSession(ctx, accountID, peerID, sessionStartedAt interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MarkPeerDisconnectedIfSameSession", reflect.TypeOf((*MockStore)(nil).MarkPeerDisconnectedIfSameSession), ctx, accountID, peerID, sessionStartedAt)
+}
+
 // SavePolicy mocks base method.
 func (m *MockStore) SavePolicy(ctx context.Context, policy *types2.Policy) error {
 	m.ctrl.T.Helper()
@@ -2964,6 +2980,20 @@ func (mr *MockStoreMockRecorder) SaveProxy(ctx, proxy interface{}) *gomock.Call
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveProxy", reflect.TypeOf((*MockStore)(nil).SaveProxy), ctx, proxy)
 }
 
+// DisconnectProxy mocks base method.
+func (m *MockStore) DisconnectProxy(ctx context.Context, proxyID, sessionID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DisconnectProxy", ctx, proxyID, sessionID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DisconnectProxy indicates an expected call of DisconnectProxy.
+func (mr *MockStoreMockRecorder) DisconnectProxy(ctx, proxyID, sessionID interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisconnectProxy", reflect.TypeOf((*MockStore)(nil).DisconnectProxy), ctx, proxyID, sessionID)
+}
+
 // SaveProxyAccessToken mocks base method.
 func (m *MockStore) SaveProxyAccessToken(ctx context.Context, token *types2.ProxyAccessToken) error {
 	m.ctrl.T.Helper()
@@ -3173,20 +3203,6 @@ func (mr *MockStoreMockRecorder) UpdateGroups(ctx, accountID, groups interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateGroups", reflect.TypeOf((*MockStore)(nil).UpdateGroups), ctx, accountID, groups)
 }
 
-// UpdateNetworkRouter mocks base method.
-func (m *MockStore) UpdateNetworkRouter(ctx context.Context, router *types0.NetworkRouter) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateNetworkRouter", ctx, router)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateNetworkRouter indicates an expected call of UpdateNetworkRouter.
-func (mr *MockStoreMockRecorder) UpdateNetworkRouter(ctx, router interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateNetworkRouter", reflect.TypeOf((*MockStore)(nil).UpdateNetworkRouter), ctx, router)
-}
-
 // UpdateProxyHeartbeat mocks base method.
 func (m *MockStore) UpdateProxyHeartbeat(ctx context.Context, p *proxy.Proxy) error {
 	m.ctrl.T.Helper()

management/server/telemetry/ephemeral_metrics.go

@@ -7,9 +7,9 @@ import (
 )
 
 // EphemeralPeersMetrics tracks the ephemeral peer cleanup pipeline: how
-// many peers are currently scheduled for deletion, how many tick runs
-// the cleaner has performed, how many peers it has removed, and how
-// many delete batches failed.
+// many accounts are currently being tracked for cleanup, how many sweep
+// runs deleted at least one peer, how many peers have been removed, and
+// how many delete batches failed.
 type EphemeralPeersMetrics struct {
 	ctx context.Context
 
@@ -21,16 +21,16 @@ type EphemeralPeersMetrics struct {
 
 // NewEphemeralPeersMetrics constructs the ephemeral cleanup counters.
 func NewEphemeralPeersMetrics(ctx context.Context, meter metric.Meter) (*EphemeralPeersMetrics, error) {
-	pending, err := meter.Int64UpDownCounter("management.ephemeral.peers.pending",
+	pending, err := meter.Int64UpDownCounter("management.ephemeral.accounts.tracked",
 		metric.WithUnit("1"),
-		metric.WithDescription("Number of ephemeral peers currently waiting to be cleaned up"))
+		metric.WithDescription("Number of accounts currently tracked for ephemeral peer cleanup"))
 	if err != nil {
 		return nil, err
 	}
 
 	cleanupRuns, err := meter.Int64Counter("management.ephemeral.cleanup.runs.counter",
 		metric.WithUnit("1"),
-		metric.WithDescription("Number of ephemeral cleanup ticks that processed at least one peer"))
+		metric.WithDescription("Number of ephemeral cleanup sweeps that deleted at least one peer"))
 	if err != nil {
 		return nil, err
 	}
@@ -61,7 +61,8 @@ func NewEphemeralPeersMetrics(ctx context.Context, meter metric.Meter) (*Ephemer
 // All methods are nil-receiver safe so callers that haven't wired metrics
 // (tests, self-hosted with metrics off) can invoke them unconditionally.
 
-// IncPending bumps the pending gauge when a peer is added to the cleanup list.
+// IncPending bumps the tracked-accounts gauge when a new account
+// becomes eligible for ephemeral cleanup tracking.
 func (m *EphemeralPeersMetrics) IncPending() {
 	if m == nil {
 		return
@@ -69,8 +70,8 @@ func (m *EphemeralPeersMetrics) IncPending() {
 	m.pending.Add(m.ctx, 1)
 }
 
-// AddPending bumps the pending gauge by n — used at startup when the
-// initial set of ephemeral peers is loaded from the store.
+// AddPending bumps the tracked-accounts gauge by n — used at startup
+// when the catch-up query seeds the tracker.
 func (m *EphemeralPeersMetrics) AddPending(n int64) {
 	if m == nil || n <= 0 {
 		return
@@ -78,9 +79,8 @@ func (m *EphemeralPeersMetrics) AddPending(n int64) {
 	m.pending.Add(m.ctx, n)
 }
 
-// DecPending decreases the pending gauge — used both when a peer reconnects
-// before its deadline (removed from the list) and when a cleanup tick
-// actually deletes it.
+// DecPending decreases the tracked-accounts gauge when an account is
+// dropped from the tracker (no more disconnects to chase).
 func (m *EphemeralPeersMetrics) DecPending(n int64) {
 	if m == nil || n <= 0 {
 		return

management/server/testdata/networks.sql

@@ -9,13 +9,9 @@ INSERT INTO peers VALUES('testPeerId','testAccountId','5rvhvriKJZ3S9oxYToVj5TzDM
 
 CREATE TABLE `networks` (`id` text,`account_id` text,`name` text,`description` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_networks` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 INSERT INTO networks VALUES('testNetworkId','testAccountId','some-name','some-description');
-INSERT INTO networks VALUES('secondNetworkId','testAccountId','second-name','second-description');
 
 CREATE TABLE `network_routers` (`id` text,`network_id` text,`account_id` text,`peer` text,`peer_groups` text,`masquerade` numeric,`metric` integer,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_network_routers` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 INSERT INTO network_routers VALUES('testRouterId','testNetworkId','testAccountId','','["csquuo4jcko732k1ag00"]',0,9999);
-INSERT INTO accounts VALUES('otherAccountId','','2024-10-02 16:01:38.000000000+00:00','other.com','private',1,'otherNetworkIdentifier','{"IP":"100.65.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
-INSERT INTO networks VALUES('otherNetworkId','otherAccountId','other-net','other-description');
-INSERT INTO network_routers VALUES('otherRouterId','otherNetworkId','otherAccountId','otherPeer',NULL,0,1);
 
 CREATE TABLE `network_resources` (`id` text,`network_id` text,`account_id` text,`name` text,`description` text,`type` text,`address` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_network_resources` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 INSERT INTO network_resources VALUES('testResourceId','testNetworkId','testAccountId','some-name','some-description','host','3.3.3.3/32');

proxy/handle_mapping_stream_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"io"
 	"testing"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -60,7 +59,7 @@ func TestHandleMappingStream_SyncCompleteFlag(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.True(t, syncDone, "initial sync should be marked done when flag is set")
 }
@@ -80,7 +79,7 @@ func TestHandleMappingStream_NoSyncFlagDoesNotMarkDone(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.False(t, syncDone, "initial sync should not be marked done without flag")
 }
@@ -98,7 +97,7 @@ func TestHandleMappingStream_NilHealthChecker(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.True(t, syncDone, "sync done flag should be set even without health checker")
 }

proxy/internal/metrics/metrics.go

@@ -25,11 +25,6 @@ type Metrics struct {
 	backendDuration          metric.Int64Histogram
 	certificateIssueDuration metric.Int64Histogram
 
-	// Management sync metrics.
-	snapshotSyncDuration  metric.Int64Histogram
-	snapshotBatchDuration metric.Int64Histogram
-	addPeerDuration       metric.Int64Histogram
-
 	// L4 service-level metrics.
 	l4Services metric.Int64UpDownCounter
 
@@ -59,9 +54,6 @@ func New(ctx context.Context, meter metric.Meter) (*Metrics, error) {
 	if err := m.initHTTPMetrics(meter); err != nil {
 		return nil, err
 	}
-	if err := m.initSyncMetrics(meter); err != nil {
-		return nil, err
-	}
 	if err := m.initL4Metrics(meter); err != nil {
 		return nil, err
 	}
@@ -134,59 +126,6 @@ func (m *Metrics) initHTTPMetrics(meter metric.Meter) error {
 	return err
 }
 
-func (m *Metrics) initSyncMetrics(meter metric.Meter) error {
-	var err error
-
-	m.snapshotSyncDuration, err = meter.Int64Histogram(
-		"proxy.sync.snapshot.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithDescription("Duration from management connect until the initial snapshot sync is complete"),
-		metric.WithExplicitBucketBoundaries(100, 250, 500, 1000, 2500, 5000, 10000, 30000, 60000, 120000, 300000),
-	)
-	if err != nil {
-		return err
-	}
-
-	m.snapshotBatchDuration, err = meter.Int64Histogram(
-		"proxy.sync.batch.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithDescription("Duration to process a single mapping batch during initial snapshot sync"),
-		metric.WithExplicitBucketBoundaries(100, 250, 500, 1000, 2500, 5000, 10000, 30000, 60000, 120000, 300000),
-	)
-	if err != nil {
-		return err
-	}
-
-	m.addPeerDuration, err = meter.Int64Histogram(
-		"proxy.peer.add.duration.ms",
-		metric.WithUnit("milliseconds"),
-		metric.WithDescription("Duration to add a peer for an account (keygen + gRPC CreateProxyPeer + embed.New)"),
-		metric.WithExplicitBucketBoundaries(10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10000),
-	)
-	return err
-}
-
-// RecordSnapshotSyncDuration records the total time from connect to sync-complete.
-func (m *Metrics) RecordSnapshotSyncDuration(d time.Duration) {
-	m.snapshotSyncDuration.Record(m.ctx, d.Milliseconds())
-}
-
-// RecordSnapshotBatchDuration records the time to process one mapping batch during initial sync.
-func (m *Metrics) RecordSnapshotBatchDuration(d time.Duration) {
-	m.snapshotBatchDuration.Record(m.ctx, d.Milliseconds())
-}
-
-// RecordAddPeerDuration records the time to create a new peer for an account.
-func (m *Metrics) RecordAddPeerDuration(d time.Duration, err error) {
-	result := "success"
-	if err != nil {
-		result = "error"
-	}
-	m.addPeerDuration.Record(m.ctx, d.Milliseconds(), metric.WithAttributes(
-		attribute.String("result", result),
-	))
-}
-
 func (m *Metrics) initL4Metrics(meter metric.Meter) error {
 	var err error
 

proxy/internal/roundtrip/netbird.go

@@ -76,11 +76,6 @@ type clientEntry struct {
 	services          map[ServiceKey]serviceInfo
 	createdAt         time.Time
 	started           bool
-	// ready is closed once the client has been fully initialized.
-	// Callers that find a pending entry wait on this channel before
-	// accessing the client. A nil initErr means success.
-	ready   chan struct{}
-	initErr error
 	// Per-backend in-flight limiting keyed by target host:port.
 	// TODO: clean up stale entries when backend targets change.
 	inflightMu  sync.Mutex
@@ -142,11 +137,6 @@ type NetBird struct {
 	clients        map[types.AccountID]*clientEntry
 	initLogOnce    sync.Once
 	statusNotifier statusNotifier
-
-	// OnAddPeer, when set, is called after AddPeer completes for a new account
-	// (i.e. when a new client was actually created, not when an existing one
-	// was reused). The duration covers keygen + gRPC CreateProxyPeer + embed.New.
-	OnAddPeer func(d time.Duration, err error)
 }
 
 // ClientDebugInfo contains debug information about a client.
@@ -167,9 +157,6 @@ type skipTLSVerifyContextKey struct{}
 // AddPeer registers a service for an account. If the account doesn't have a client yet,
 // one is created by authenticating with the management server using the provided token.
 // Multiple services can share the same client.
-//
-// Client creation (WG keygen, gRPC, embed.New) runs without holding clientsMux
-// so that concurrent AddPeer calls for different accounts execute in parallel.
 func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, serviceID types.ServiceID) error {
 	si := serviceInfo{serviceID: serviceID}
 
@@ -177,23 +164,10 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 
 	entry, exists := n.clients[accountID]
 	if exists {
-		ready := entry.ready
 		entry.services[key] = si
 		started := entry.started
 		n.clientsMux.Unlock()
 
-		// If the entry is still being initialized by another goroutine, wait.
-		if ready != nil {
-			select {
-			case <-ready:
-			case <-ctx.Done():
-				return ctx.Err()
-			}
-			if entry.initErr != nil {
-				return fmt.Errorf("peer initialization failed: %w", entry.initErr)
-			}
-		}
-
 		n.logger.WithFields(log.Fields{
 			"account_id":  accountID,
 			"service_key": key,
@@ -210,43 +184,15 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 		return nil
 	}
 
-	// Insert a placeholder so other goroutines calling AddPeer for the same
-	// account will wait on the ready channel instead of starting a second
-	// client creation.
-	entry = &clientEntry{
-		services: map[ServiceKey]serviceInfo{key: si},
-		ready:    make(chan struct{}),
-	}
-	n.clients[accountID] = entry
-	n.clientsMux.Unlock()
-
-	createStart := time.Now()
-	created, err := n.createClientEntry(ctx, accountID, key, authToken, si)
-	if n.OnAddPeer != nil {
-		n.OnAddPeer(time.Since(createStart), err)
-	}
+	entry, err := n.createClientEntry(ctx, accountID, key, authToken, si)
 	if err != nil {
-		entry.initErr = err
-		close(entry.ready)
-
-		n.clientsMux.Lock()
-		delete(n.clients, accountID)
 		n.clientsMux.Unlock()
 		return err
 	}
 
-	// Transfer any services that were registered by concurrent AddPeer calls
-	// while we were creating the client.
-	n.clientsMux.Lock()
-	for k, v := range entry.services {
-		created.services[k] = v
-	}
-	created.ready = nil
-	n.clients[accountID] = created
+	n.clients[accountID] = entry
 	n.clientsMux.Unlock()
 
-	close(entry.ready)
-
 	n.logger.WithFields(log.Fields{
 		"account_id":  accountID,
 		"service_key": key,
@@ -254,13 +200,13 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 
 	// Attempt to start the client in the background; if this fails we will
 	// retry on the first request via RoundTrip.
-	go n.runClientStartup(ctx, accountID, created.client)
+	go n.runClientStartup(ctx, accountID, entry.client)
 
 	return nil
 }
 
 // createClientEntry generates a WireGuard keypair, authenticates with management,
-// and creates an embedded NetBird client.
+// and creates an embedded NetBird client. Must be called with clientsMux held.
 func (n *NetBird) createClientEntry(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, si serviceInfo) (*clientEntry, error) {
 	serviceID := si.serviceID
 	n.logger.WithFields(log.Fields{

proxy/management_integration_test.go

@@ -366,7 +366,7 @@ func (m *storeBackedServiceManager) GetServiceByDomain(ctx context.Context, doma
 	return m.store.GetServiceByDomain(ctx, domain)
 }
 
-func (m *storeBackedServiceManager) GetClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
+func (m *storeBackedServiceManager) GetActiveClusters(_ context.Context, _, _ string) ([]nbproxy.Cluster, error) {
 	return nil, nil
 }
 

proxy/process_mappings_bench_test.go

@@ -1,300 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"testing"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/proxy/internal/auth"
-	"github.com/netbirdio/netbird/proxy/internal/conntrack"
-	"github.com/netbirdio/netbird/proxy/internal/crowdsec"
-	proxymetrics "github.com/netbirdio/netbird/proxy/internal/metrics"
-	"github.com/netbirdio/netbird/proxy/internal/proxy"
-	"github.com/netbirdio/netbird/proxy/internal/roundtrip"
-	nbtcp "github.com/netbirdio/netbird/proxy/internal/tcp"
-	"github.com/netbirdio/netbird/proxy/internal/types"
-	udprelay "github.com/netbirdio/netbird/proxy/internal/udp"
-	"github.com/netbirdio/netbird/shared/management/proto"
-
-	"go.opentelemetry.io/otel/metric/noop"
-)
-
-// latencyMockClient simulates realistic gRPC latency for management calls.
-type latencyMockClient struct {
-	proto.ProxyServiceClient
-	createPeerDelay   time.Duration
-	statusUpdateDelay time.Duration
-}
-
-func (m *latencyMockClient) SendStatusUpdate(ctx context.Context, _ *proto.SendStatusUpdateRequest, _ ...grpc.CallOption) (*proto.SendStatusUpdateResponse, error) {
-	if m.statusUpdateDelay > 0 {
-		select {
-		case <-time.After(m.statusUpdateDelay):
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		}
-	}
-	return &proto.SendStatusUpdateResponse{}, nil
-}
-
-func (m *latencyMockClient) CreateProxyPeer(ctx context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
-	if m.createPeerDelay > 0 {
-		select {
-		case <-time.After(m.createPeerDelay):
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		}
-	}
-	return &proto.CreateProxyPeerResponse{Success: true}, nil
-}
-
-type discardWriter struct{}
-
-func (discardWriter) Write(p []byte) (int, error) { return len(p), nil }
-
-func benchServerWithLatency(b *testing.B, createPeerDelay, statusDelay time.Duration) *Server {
-	b.Helper()
-	logger := log.New()
-	logger.SetLevel(log.FatalLevel)
-	logger.SetOutput(&discardWriter{})
-
-	meter, err := proxymetrics.New(context.Background(), noop.Meter{})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	mgmtClient := &latencyMockClient{
-		createPeerDelay:   createPeerDelay,
-		statusUpdateDelay: statusDelay,
-	}
-
-	nb := roundtrip.NewNetBird("bench-proxy", "bench.test",
-		roundtrip.ClientConfig{MgmtAddr: "http://bench.test:9999"},
-		logger, nil, mgmtClient)
-
-	mainRouter := nbtcp.NewRouter(logger, func(accountID types.AccountID) (types.DialContextFunc, error) {
-		return (&net.Dialer{}).DialContext, nil
-	}, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 443})
-
-	return &Server{
-		Logger:           logger,
-		mgmtClient:       mgmtClient,
-		netbird:          nb,
-		proxy:            proxy.NewReverseProxy(nil, "auto", nil, logger),
-		auth:             auth.NewMiddleware(logger, nil, nil),
-		mainRouter:       mainRouter,
-		mainPort:         443,
-		meter:            meter,
-		hijackTracker:    conntrack.HijackTracker{},
-		crowdsecRegistry: crowdsec.NewRegistry("", "", log.NewEntry(logger)),
-		crowdsecServices: make(map[types.ServiceID]bool),
-		lastMappings:     make(map[types.ServiceID]*proto.ProxyMapping),
-		portRouters:      make(map[uint16]*portRouter),
-		svcPorts:         make(map[types.ServiceID][]uint16),
-		udpRelays:        make(map[types.ServiceID]*udprelay.Relay),
-	}
-}
-
-// generateHTTPMappings creates N HTTP-mode mappings with the given update type.
-// All belong to a single account to share the embedded client.
-func generateHTTPMappings(n int, updateType proto.ProxyMappingUpdateType) []*proto.ProxyMapping {
-	mappings := make([]*proto.ProxyMapping, n)
-	for i := range n {
-		mappings[i] = &proto.ProxyMapping{
-			Type:      updateType,
-			Id:        fmt.Sprintf("svc-%d", i),
-			AccountId: "account-1",
-			Domain:    fmt.Sprintf("svc-%d.bench.example.com", i),
-			Mode:      "http",
-			Path: []*proto.PathMapping{
-				{
-					Path:   "/",
-					Target: fmt.Sprintf("http://10.0.%d.%d:8080", (i/256)%256, i%256),
-				},
-			},
-			Auth: &proto.Authentication{},
-		}
-	}
-	return mappings
-}
-
-// generateMultiAccountHTTPMappings creates N HTTP-mode CREATED mappings spread
-// across the given number of accounts. This stresses the AddPeer new-account
-// path which calls CreateProxyPeer + embed.New per unique account.
-func generateMultiAccountHTTPMappings(n, accounts int) []*proto.ProxyMapping {
-	mappings := make([]*proto.ProxyMapping, n)
-	for i := range n {
-		mappings[i] = &proto.ProxyMapping{
-			Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-			Id:        fmt.Sprintf("svc-%d", i),
-			AccountId: fmt.Sprintf("account-%d", i%accounts),
-			Domain:    fmt.Sprintf("svc-%d.bench.example.com", i),
-			Mode:      "http",
-			Path: []*proto.PathMapping{
-				{
-					Path:   "/",
-					Target: fmt.Sprintf("http://10.0.%d.%d:8080", (i/256)%256, i%256),
-				},
-			},
-			Auth: &proto.Authentication{},
-		}
-	}
-	return mappings
-}
-
-// generateMixedMappings creates mappings with a realistic distribution:
-// 70% HTTP create, 15% modify existing, 10% TLS on main port, 5% remove.
-// All use a single account to avoid embed.New dialing.
-func generateMixedMappings(n int) []*proto.ProxyMapping {
-	mappings := make([]*proto.ProxyMapping, n)
-	for i := range n {
-		var m *proto.ProxyMapping
-		switch {
-		case i%20 < 14: // 70% HTTP create
-			m = &proto.ProxyMapping{
-				Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-				Id:        fmt.Sprintf("svc-http-%d", i),
-				AccountId: "account-1",
-				Domain:    fmt.Sprintf("svc-%d.bench.example.com", i),
-				Mode:      "http",
-				Path: []*proto.PathMapping{
-					{Path: "/", Target: fmt.Sprintf("http://10.0.%d.%d:8080", (i/256)%256, i%256)},
-					{Path: "/api", Target: fmt.Sprintf("http://10.0.%d.%d:8081", (i/256)%256, i%256)},
-				},
-				Auth: &proto.Authentication{},
-			}
-		case i%20 < 17: // 15% modify
-			m = &proto.ProxyMapping{
-				Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED,
-				Id:        fmt.Sprintf("svc-http-%d", i%100),
-				AccountId: "account-1",
-				Domain:    fmt.Sprintf("svc-%d.bench.example.com", i%100),
-				Mode:      "http",
-				Path: []*proto.PathMapping{
-					{Path: "/", Target: fmt.Sprintf("http://10.1.%d.%d:8080", (i/256)%256, i%256)},
-				},
-				Auth: &proto.Authentication{},
-			}
-		case i%20 < 19: // 10% TLS passthrough on main port
-			m = &proto.ProxyMapping{
-				Type:       proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-				Id:         fmt.Sprintf("svc-tls-%d", i),
-				AccountId:  "account-1",
-				Domain:     fmt.Sprintf("tls-%d.bench.example.com", i),
-				Mode:       "tls",
-				ListenPort: 443,
-				Path: []*proto.PathMapping{
-					{Path: "/", Target: fmt.Sprintf("10.2.%d.%d:443", (i/256)%256, i%256)},
-				},
-			}
-		default: // 5% remove
-			m = &proto.ProxyMapping{
-				Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-				Id:        fmt.Sprintf("svc-http-%d", i%50),
-				AccountId: "account-1",
-				Domain:    fmt.Sprintf("svc-%d.bench.example.com", i%50),
-				Mode:      "http",
-			}
-		}
-		mappings[i] = m
-	}
-	return mappings
-}
-
-const (
-	createPeerLatency   = 100 * time.Millisecond
-	statusUpdateLatency = 50 * time.Millisecond
-)
-
-// BenchmarkProcessMappings_HTTPCreate_SingleAccount benchmarks the initial sync
-// scenario: N HTTP mappings all on a single account. Only the first mapping
-// triggers CreateProxyPeer (100ms gRPC). The rest just register with the
-// existing client. This is the "best case" production path.
-func BenchmarkProcessMappings_HTTPCreate_SingleAccount(b *testing.B) {
-	for _, n := range []int{100, 1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			mappings := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_HTTPCreate_MultiAccount benchmarks the worst-case
-// initial sync: every mapping belongs to a different account, so each one
-// triggers a full CreateProxyPeer gRPC round-trip (100ms) + embed.New.
-// With 500 accounts this serializes to ~50s of blocking I/O.
-func BenchmarkProcessMappings_HTTPCreate_MultiAccount(b *testing.B) {
-	for _, tc := range []struct {
-		mappings int
-		accounts int
-	}{
-		{100, 10},
-		{100, 50},
-		{1000, 50},
-		{1000, 200},
-		{3000, 500},
-	} {
-		b.Run(fmt.Sprintf("mappings=%d/accounts=%d", tc.mappings, tc.accounts), func(b *testing.B) {
-			mappings := generateMultiAccountHTTPMappings(tc.mappings, tc.accounts)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_Mixed benchmarks a realistic mixed workload
-// of creates, modifies, TLS, and removes with production-like latency.
-// TLS mappings call SendStatusUpdate (50ms each), serialized.
-func BenchmarkProcessMappings_Mixed(b *testing.B) {
-	for _, n := range []int{100, 1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			mappings := generateMixedMappings(n)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				creates := generateHTTPMappings(100, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-				s.processMappings(b.Context(), creates)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_ModifyOnly benchmarks bulk modification of
-// already-registered mappings (no new peers needed, no gRPC).
-func BenchmarkProcessMappings_ModifyOnly(b *testing.B) {
-	for _, n := range []int{100, 1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			creates := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-			modifies := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED)
-			for range b.N {
-				s := benchServerWithLatency(b, createPeerLatency, statusUpdateLatency)
-				s.processMappings(b.Context(), creates)
-				s.processMappings(b.Context(), modifies)
-			}
-		})
-	}
-}
-
-// BenchmarkProcessMappings_NoLatency measures pure CPU/allocation overhead
-// with zero I/O latency for profiling purposes.
-func BenchmarkProcessMappings_NoLatency(b *testing.B) {
-	for _, n := range []int{1000, 5000} {
-		b.Run(fmt.Sprintf("n=%d", n), func(b *testing.B) {
-			mappings := generateHTTPMappings(n, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED)
-			for range b.N {
-				s := benchServerWithLatency(b, 0, 0)
-				s.processMappings(b.Context(), mappings)
-			}
-		})
-	}
-}

proxy/server.go

@@ -32,11 +32,9 @@ import (
 	"go.opentelemetry.io/otel/sdk/metric"
 	"golang.org/x/exp/maps"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
-	grpcstatus "google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/netbirdio/netbird/proxy/internal/accesslog"
@@ -284,7 +282,6 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 		WGPort:       s.WireguardPort,
 		PreSharedKey: s.PreSharedKey,
 	}, s.Logger, s, s.mgmtClient)
-	s.netbird.OnAddPeer = s.meter.RecordAddPeerDuration
 
 	// Create health checker before the mapping worker so it can track
 	// management connectivity from the first stream connection.
@@ -941,9 +938,6 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 		Clock:               backoff.SystemClock,
 	}
 
-	// syncSupported tracks whether management supports SyncMappings.
-	// Starts true; set to false on first Unimplemented error.
-	syncSupported := true
 	initialSyncDone := false
 
 	operation := func() error {
@@ -955,25 +949,36 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 			s.healthChecker.SetManagementConnected(false)
 		}
 
-		var streamErr error
-		if syncSupported {
-			streamErr = s.trySyncMappings(ctx, client, &initialSyncDone)
-			if isSyncUnimplemented(streamErr) {
-				syncSupported = false
-				s.Logger.Info("management does not support SyncMappings, falling back to GetMappingUpdate")
-				streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone)
-			}
-		} else {
-			streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone)
+		supportsCrowdSec := s.crowdsecRegistry.Available()
+		mappingClient, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
+			ProxyId:   s.ID,
+			Version:   s.Version,
+			StartedAt: timestamppb.New(s.startTime),
+			Address:   s.ProxyURL,
+			Capabilities: &proto.ProxyCapabilities{
+				SupportsCustomPorts: &s.SupportsCustomPorts,
+				RequireSubdomain:    &s.RequireSubdomain,
+				SupportsCrowdsec:    &supportsCrowdSec,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("create mapping stream: %w", err)
 		}
 
+		if s.healthChecker != nil {
+			s.healthChecker.SetManagementConnected(true)
+		}
+		s.Logger.Debug("management mapping stream established")
+
+		// Stream established — reset backoff so the next failure retries quickly.
+		bo.Reset()
+
+		streamErr := s.handleMappingStream(ctx, mappingClient, &initialSyncDone)
+
 		if s.healthChecker != nil {
 			s.healthChecker.SetManagementConnected(false)
 		}
 
-		// Stream established — reset backoff so the next failure retries quickly.
-		bo.Reset()
-
 		if streamErr == nil {
 			return fmt.Errorf("stream closed by server")
 		}
@@ -990,187 +995,56 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 	}
 }
 
-func (s *Server) proxyCapabilities() *proto.ProxyCapabilities {
-	supportsCrowdSec := s.crowdsecRegistry.Available()
-	return &proto.ProxyCapabilities{
-		SupportsCustomPorts: &s.SupportsCustomPorts,
-		RequireSubdomain:    &s.RequireSubdomain,
-		SupportsCrowdsec:    &supportsCrowdSec,
-	}
-}
-
-func (s *Server) tryGetMappingUpdate(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool) error {
-	connectTime := time.Now()
-	mappingClient, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
-		ProxyId:      s.ID,
-		Version:      s.Version,
-		StartedAt:    timestamppb.New(s.startTime),
-		Address:      s.ProxyURL,
-		Capabilities: s.proxyCapabilities(),
-	})
-	if err != nil {
-		return fmt.Errorf("create mapping stream: %w", err)
-	}
-
-	if s.healthChecker != nil {
-		s.healthChecker.SetManagementConnected(true)
-	}
-	s.Logger.Debug("management mapping stream established (GetMappingUpdate)")
-
-	return s.handleMappingStream(ctx, mappingClient, initialSyncDone, connectTime)
-}
-
-func (s *Server) trySyncMappings(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool) error {
-	connectTime := time.Now()
-	stream, err := client.SyncMappings(ctx)
-	if err != nil {
-		return fmt.Errorf("create sync stream: %w", err)
-	}
-
-	// Send init message.
-	if err := stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId:      s.ID,
-				Version:      s.Version,
-				StartedAt:    timestamppb.New(s.startTime),
-				Address:      s.ProxyURL,
-				Capabilities: s.proxyCapabilities(),
-			},
-		},
-	}); err != nil {
-		return fmt.Errorf("send sync init: %w", err)
-	}
-
-	if s.healthChecker != nil {
-		s.healthChecker.SetManagementConnected(true)
-	}
-	s.Logger.Debug("management mapping stream established (SyncMappings)")
-
-	return s.handleSyncMappingsStream(ctx, stream, initialSyncDone, connectTime)
-}
-
-func isSyncUnimplemented(err error) bool {
-	if err == nil {
-		return false
-	}
-	st, ok := grpcstatus.FromError(err)
-	return ok && st.Code() == codes.Unimplemented
-}
-
-func (s *Server) handleSyncMappingsStream(ctx context.Context, stream proto.ProxyService_SyncMappingsClient, initialSyncDone *bool, connectTime time.Time) error {
+func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.ProxyService_GetMappingUpdateClient, initialSyncDone *bool) error {
 	select {
 	case <-s.routerReady:
 	case <-ctx.Done():
 		return ctx.Err()
 	}
 
-	tracker := s.newSnapshotTracker(initialSyncDone, connectTime)
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			msg, err := stream.Recv()
-			switch {
-			case errors.Is(err, io.EOF):
-				return nil
-			case err != nil:
-				return fmt.Errorf("receive msg: %w", err)
-			}
-
-			batchStart := time.Now()
-			s.Logger.Debug("Received mapping update, starting processing")
-			s.processMappings(ctx, msg.GetMapping())
-			s.Logger.Debug("Processing mapping update completed")
-			tracker.recordBatch(ctx, s, msg.GetMapping(), msg.GetInitialSyncComplete(), batchStart)
-
-			if err := stream.Send(&proto.SyncMappingsRequest{
-				Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-			}); err != nil {
-				return fmt.Errorf("send ack: %w", err)
-			}
-		}
-	}
-}
-
-func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.ProxyService_GetMappingUpdateClient, initialSyncDone *bool, connectTime time.Time) error {
-	select {
-	case <-s.routerReady:
-	case <-ctx.Done():
-		return ctx.Err()
+	var snapshotIDs map[types.ServiceID]struct{}
+	if !*initialSyncDone {
+		snapshotIDs = make(map[types.ServiceID]struct{})
 	}
 
-	tracker := s.newSnapshotTracker(initialSyncDone, connectTime)
-
 	for {
+		// Check for context completion to gracefully shutdown.
 		select {
 		case <-ctx.Done():
+			// Shutting down.
 			return ctx.Err()
 		default:
 			msg, err := mappingClient.Recv()
 			switch {
 			case errors.Is(err, io.EOF):
+				// Mapping connection gracefully terminated by server.
 				return nil
 			case err != nil:
+				// Something has gone horribly wrong, return and hope the parent retries the connection.
 				return fmt.Errorf("receive msg: %w", err)
 			}
-
-			batchStart := time.Now()
 			s.Logger.Debug("Received mapping update, starting processing")
 			s.processMappings(ctx, msg.GetMapping())
 			s.Logger.Debug("Processing mapping update completed")
-			tracker.recordBatch(ctx, s, msg.GetMapping(), msg.GetInitialSyncComplete(), batchStart)
+
+			if !*initialSyncDone {
+				for _, m := range msg.GetMapping() {
+					snapshotIDs[types.ServiceID(m.GetId())] = struct{}{}
+				}
+				if msg.GetInitialSyncComplete() {
+					s.reconcileSnapshot(ctx, snapshotIDs)
+					snapshotIDs = nil
+					if s.healthChecker != nil {
+						s.healthChecker.SetInitialSyncComplete()
+					}
+					*initialSyncDone = true
+					s.Logger.Info("Initial mapping sync complete")
+				}
+			}
 		}
 	}
 }
 
-// snapshotTracker accumulates service IDs during the initial snapshot and
-// finalises sync state when the complete flag arrives.
-type snapshotTracker struct {
-	done        *bool
-	connectTime time.Time
-	snapshotIDs map[types.ServiceID]struct{}
-}
-
-func (s *Server) newSnapshotTracker(done *bool, connectTime time.Time) *snapshotTracker {
-	var ids map[types.ServiceID]struct{}
-	if !*done {
-		ids = make(map[types.ServiceID]struct{})
-	}
-	return &snapshotTracker{done: done, connectTime: connectTime, snapshotIDs: ids}
-}
-
-func (t *snapshotTracker) recordBatch(ctx context.Context, s *Server, mappings []*proto.ProxyMapping, syncComplete bool, batchStart time.Time) {
-	if *t.done {
-		return
-	}
-
-	if s.meter != nil {
-		s.meter.RecordSnapshotBatchDuration(time.Since(batchStart))
-	}
-
-	for _, m := range mappings {
-		t.snapshotIDs[types.ServiceID(m.GetId())] = struct{}{}
-	}
-
-	if !syncComplete {
-		return
-	}
-
-	s.reconcileSnapshot(ctx, t.snapshotIDs)
-	t.snapshotIDs = nil
-	if s.healthChecker != nil {
-		s.healthChecker.SetInitialSyncComplete()
-	}
-	*t.done = true
-	if s.meter != nil {
-		s.meter.RecordSnapshotSyncDuration(time.Since(t.connectTime))
-	}
-	s.Logger.Info("Initial mapping sync complete")
-}
-
 // reconcileSnapshot removes local mappings that are absent from the snapshot.
 // This ensures services deleted while the proxy was disconnected get cleaned up.
 func (s *Server) reconcileSnapshot(ctx context.Context, snapshotIDs map[types.ServiceID]struct{}) {
@@ -1193,8 +1067,6 @@ func (s *Server) reconcileSnapshot(ctx context.Context, snapshotIDs map[types.Se
 }
 
 func (s *Server) processMappings(ctx context.Context, mappings []*proto.ProxyMapping) {
-	s.ensurePeers(ctx, mappings)
-
 	for _, mapping := range mappings {
 		s.Logger.WithFields(log.Fields{
 			"type":   mapping.GetType(),
@@ -1228,60 +1100,6 @@ func (s *Server) processMappings(ctx context.Context, mappings []*proto.ProxyMap
 	}
 }
 
-// ensurePeers pre-creates NetBird peers for all unique accounts referenced by
-// CREATED mappings. Peers for different accounts are created concurrently,
-// which avoids serializing N×100ms gRPC round-trips during large initial syncs.
-func (s *Server) ensurePeers(ctx context.Context, mappings []*proto.ProxyMapping) {
-	// Collect one representative mapping per account that needs a new peer.
-	type peerReq struct {
-		accountID types.AccountID
-		svcKey    roundtrip.ServiceKey
-		authToken string
-		svcID     types.ServiceID
-	}
-	seen := make(map[types.AccountID]struct{})
-	var reqs []peerReq
-	for _, m := range mappings {
-		if m.GetType() != proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED {
-			continue
-		}
-		accountID := types.AccountID(m.GetAccountId())
-		if _, ok := seen[accountID]; ok {
-			continue
-		}
-		seen[accountID] = struct{}{}
-		if s.netbird.HasClient(accountID) {
-			continue
-		}
-		reqs = append(reqs, peerReq{
-			accountID: accountID,
-			svcKey:    s.serviceKeyForMapping(m),
-			authToken: m.GetAuthToken(),
-			svcID:     types.ServiceID(m.GetId()),
-		})
-	}
-
-	if len(reqs) <= 1 {
-		return
-	}
-
-	var wg sync.WaitGroup
-	wg.Add(len(reqs))
-	for _, r := range reqs {
-		go func() {
-			defer wg.Done()
-			if err := s.netbird.AddPeer(ctx, r.accountID, r.svcKey, r.authToken, r.svcID); err != nil {
-				s.Logger.WithFields(log.Fields{
-					"account_id": r.accountID,
-					"service_id": r.svcID,
-					"error":      err,
-				}).Warn("failed to pre-create peer for account")
-			}
-		}()
-	}
-	wg.Wait()
-}
-
 // addMapping registers a service mapping and starts the appropriate relay or routes.
 func (s *Server) addMapping(ctx context.Context, mapping *proto.ProxyMapping) error {
 	accountID := types.AccountID(mapping.GetAccountId())

proxy/snapshot_reconcile_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"io"
 	"testing"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -140,7 +139,7 @@ func TestHandleMappingStream_BatchedSnapshotSyncComplete(t *testing.T) {
 	}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.True(t, syncDone, "sync should be marked done after final batch")
 }
@@ -165,7 +164,7 @@ func TestHandleMappingStream_PostSyncDoesNotReconcile(t *testing.T) {
 	}
 
 	syncDone := true // sync already completed in a previous stream
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	require.NoError(t, err)
 
 	assert.Len(t, s.lastMappings, 2,
@@ -186,7 +185,7 @@ func TestHandleMappingStream_ImmediateEOF_NoReconciliation(t *testing.T) {
 	stream := &mockMappingStream{} // no messages → immediate EOF
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), stream, &syncDone)
 	assert.NoError(t, err)
 	assert.False(t, syncDone, "sync should not be marked done on immediate EOF")
 
@@ -219,7 +218,7 @@ func TestHandleMappingStream_ErrorMidSync_NoReconciliation(t *testing.T) {
 	s.lastMappings["svc-stale"] = &proto.ProxyMapping{Id: "svc-stale", AccountId: "acct-1"}
 
 	syncDone := false
-	err := s.handleMappingStream(context.Background(), &mockErrRecvStream{}, &syncDone, time.Time{})
+	err := s.handleMappingStream(context.Background(), &mockErrRecvStream{}, &syncDone)
 	assert.Error(t, err)
 	assert.False(t, syncDone)
 

proxy/sync_mappings_test.go

@@ -1,525 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials/insecure"
-	grpcstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-func TestIntegration_SyncMappings_HappyPath(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	// Send init.
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "sync-proxy-1",
-				Version: "test-v1",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	mappingsByID := make(map[string]*proto.ProxyMapping)
-	for {
-		msg, err := stream.Recv()
-		require.NoError(t, err)
-		for _, m := range msg.GetMapping() {
-			mappingsByID[m.GetId()] = m
-		}
-
-		// Ack every batch.
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	assert.Len(t, mappingsByID, 2, "Should receive 2 mappings")
-
-	rp1 := mappingsByID["rp-1"]
-	require.NotNil(t, rp1)
-	assert.Equal(t, "app1.test.proxy.io", rp1.GetDomain())
-	assert.Equal(t, "test-account-1", rp1.GetAccountId())
-	assert.Equal(t, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED, rp1.GetType())
-	assert.NotEmpty(t, rp1.GetAuthToken(), "Should have auth token")
-
-	rp2 := mappingsByID["rp-2"]
-	require.NotNil(t, rp2)
-	assert.Equal(t, "app2.test.proxy.io", rp2.GetDomain())
-}
-
-func TestIntegration_SyncMappings_BackPressure(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	// Add enough services to guarantee multiple batches (default batch size 500).
-	addServicesToStore(t, setup, 600, "test.proxy.io")
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "sync-proxy-backpressure",
-				Version: "test-v1",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	// Strategy: receive batch 1, then hold for a significant delay before
-	// acking. If back-pressure works, batch 2 cannot arrive until after
-	// the ack is sent — so its receive timestamp must be >= the ack
-	// timestamp. If management were fire-and-forget, all batches would
-	// already be buffered in the gRPC transport and batch 2 would arrive
-	// well before the ack time.
-	const ackDelay = 300 * time.Millisecond
-
-	type batchEvent struct {
-		recvAt time.Time
-		ackAt  time.Time
-		count  int
-	}
-	var batches []batchEvent
-	var totalMappings int
-
-	for {
-		msg, err := stream.Recv()
-		require.NoError(t, err)
-
-		recvAt := time.Now()
-		totalMappings += len(msg.GetMapping())
-
-		// Delay the ack on non-final batches to create a measurable gap.
-		if !msg.GetInitialSyncComplete() {
-			time.Sleep(ackDelay)
-		}
-
-		ackAt := time.Now()
-		batches = append(batches, batchEvent{
-			recvAt: recvAt,
-			ackAt:  ackAt,
-			count:  len(msg.GetMapping()),
-		})
-
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// 2 original + 600 added = 602 services total.
-	assert.Equal(t, 602, totalMappings, "should receive all 602 mappings")
-	require.GreaterOrEqual(t, len(batches), 2, "need at least 2 batches to verify back-pressure")
-
-	// For every batch after the first, its receive time must be after the
-	// previous batch's ack time. This proves management waited for the ack
-	// before sending the next batch.
-	for i := 1; i < len(batches); i++ {
-		prevAckAt := batches[i-1].ackAt
-		thisRecvAt := batches[i].recvAt
-		assert.True(t, !thisRecvAt.Before(prevAckAt),
-			"batch %d received at %v, but batch %d was acked at %v — "+
-				"management sent the next batch before receiving the ack",
-			i, thisRecvAt, i-1, prevAckAt)
-	}
-}
-
-func TestIntegration_SyncMappings_IncrementalUpdate(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "sync-proxy-incremental",
-				Version: "test-v1",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	// Drain initial snapshot.
-	for {
-		msg, err := stream.Recv()
-		require.NoError(t, err)
-
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// Now send an incremental update via the management server.
-	setup.proxyService.SendServiceUpdate(&proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{{
-			Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-			Id:        "rp-1",
-			AccountId: "test-account-1",
-			Domain:    "app1.test.proxy.io",
-		}},
-	})
-
-	// Receive the incremental update on the sync stream.
-	msg, err := stream.Recv()
-	require.NoError(t, err)
-	require.NotEmpty(t, msg.GetMapping())
-	assert.Equal(t, "rp-1", msg.GetMapping()[0].GetId())
-	assert.Equal(t, proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED, msg.GetMapping()[0].GetType())
-}
-
-func TestIntegration_SyncMappings_MixedProxyVersions(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	// Old proxy uses GetMappingUpdate.
-	legacyStream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
-		ProxyId: "legacy-proxy",
-		Version: "old-v1",
-		Address: "test.proxy.io",
-	})
-	require.NoError(t, err)
-
-	var legacyMappings []*proto.ProxyMapping
-	for {
-		msg, err := legacyStream.Recv()
-		require.NoError(t, err)
-		legacyMappings = append(legacyMappings, msg.GetMapping()...)
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// New proxy uses SyncMappings.
-	syncStream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = syncStream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "new-proxy",
-				Version: "new-v2",
-				Address: "test.proxy.io",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	var syncMappings []*proto.ProxyMapping
-	for {
-		msg, err := syncStream.Recv()
-		require.NoError(t, err)
-		syncMappings = append(syncMappings, msg.GetMapping()...)
-
-		err = syncStream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-		})
-		require.NoError(t, err)
-
-		if msg.GetInitialSyncComplete() {
-			break
-		}
-	}
-
-	// Both should receive the same set of mappings.
-	assert.Equal(t, len(legacyMappings), len(syncMappings),
-		"legacy and sync proxies should receive the same number of mappings")
-
-	legacyIDs := make(map[string]bool)
-	for _, m := range legacyMappings {
-		legacyIDs[m.GetId()] = true
-	}
-	for _, m := range syncMappings {
-		assert.True(t, legacyIDs[m.GetId()],
-			"mapping %s should be present in both streams", m.GetId())
-	}
-
-	// Both proxies should be connected.
-	proxies := setup.proxyService.GetConnectedProxies()
-	assert.Contains(t, proxies, "legacy-proxy")
-	assert.Contains(t, proxies, "new-proxy")
-
-	// Both should receive incremental updates.
-	setup.proxyService.SendServiceUpdate(&proto.GetMappingUpdateResponse{
-		Mapping: []*proto.ProxyMapping{{
-			Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-			Id:        "rp-1",
-			AccountId: "test-account-1",
-			Domain:    "app1.test.proxy.io",
-		}},
-	})
-
-	// Legacy proxy receives via GetMappingUpdateResponse.
-	legacyMsg, err := legacyStream.Recv()
-	require.NoError(t, err)
-	assert.Equal(t, "rp-1", legacyMsg.GetMapping()[0].GetId())
-
-	// Sync proxy receives via SyncMappingsResponse.
-	syncMsg, err := syncStream.Recv()
-	require.NoError(t, err)
-	assert.Equal(t, "rp-1", syncMsg.GetMapping()[0].GetId())
-}
-
-func TestIntegration_SyncMappings_Reconnect(t *testing.T) {
-	setup := setupIntegrationTest(t)
-	defer setup.cleanup()
-
-	conn, err := grpc.NewClient(setup.grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-	proxyID := "sync-proxy-reconnect"
-
-	receiveMappings := func() []*proto.ProxyMapping {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-
-		stream, err := client.SyncMappings(ctx)
-		require.NoError(t, err)
-
-		err = stream.Send(&proto.SyncMappingsRequest{
-			Msg: &proto.SyncMappingsRequest_Init{
-				Init: &proto.SyncMappingsInit{
-					ProxyId: proxyID,
-					Version: "test-v1",
-					Address: "test.proxy.io",
-				},
-			},
-		})
-		require.NoError(t, err)
-
-		var mappings []*proto.ProxyMapping
-		for {
-			msg, err := stream.Recv()
-			require.NoError(t, err)
-			mappings = append(mappings, msg.GetMapping()...)
-
-			err = stream.Send(&proto.SyncMappingsRequest{
-				Msg: &proto.SyncMappingsRequest_Ack{Ack: &proto.SyncMappingsAck{}},
-			})
-			require.NoError(t, err)
-
-			if msg.GetInitialSyncComplete() {
-				break
-			}
-		}
-		return mappings
-	}
-
-	first := receiveMappings()
-	time.Sleep(100 * time.Millisecond)
-	second := receiveMappings()
-
-	assert.Equal(t, len(first), len(second),
-		"should receive same mappings on reconnect")
-
-	firstIDs := make(map[string]bool)
-	for _, m := range first {
-		firstIDs[m.GetId()] = true
-	}
-	for _, m := range second {
-		assert.True(t, firstIDs[m.GetId()],
-			"mapping %s should be present in both connections", m.GetId())
-	}
-}
-
-// --- Fallback tests: old management returns Unimplemented ---
-
-// unimplementedProxyServer embeds UnimplementedProxyServiceServer so
-// SyncMappings returns codes.Unimplemented while GetMappingUpdate works.
-type unimplementedSyncServer struct {
-	proto.UnimplementedProxyServiceServer
-	getMappingCalls atomic.Int32
-}
-
-func (s *unimplementedSyncServer) GetMappingUpdate(_ *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
-	s.getMappingCalls.Add(1)
-	return stream.Send(&proto.GetMappingUpdateResponse{
-		Mapping:             []*proto.ProxyMapping{{Id: "svc-1", AccountId: "acct-1", Domain: "example.com"}},
-		InitialSyncComplete: true,
-	})
-}
-
-func TestIntegration_FallbackToGetMappingUpdate(t *testing.T) {
-	// Start a gRPC server that does NOT implement SyncMappings.
-	lis, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-
-	srv := &unimplementedSyncServer{}
-	grpcServer := grpc.NewServer()
-	proto.RegisterProxyServiceServer(grpcServer, srv)
-	go func() { _ = grpcServer.Serve(lis) }()
-	defer grpcServer.GracefulStop()
-
-	conn, err := grpc.NewClient(lis.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()))
-	require.NoError(t, err)
-	defer conn.Close()
-
-	client := proto.NewProxyServiceClient(conn)
-
-	// Try SyncMappings — should get Unimplemented.
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	stream, err := client.SyncMappings(ctx)
-	require.NoError(t, err)
-
-	err = stream.Send(&proto.SyncMappingsRequest{
-		Msg: &proto.SyncMappingsRequest_Init{
-			Init: &proto.SyncMappingsInit{
-				ProxyId: "test-proxy",
-				Address: "test.example.com",
-			},
-		},
-	})
-	require.NoError(t, err)
-
-	_, err = stream.Recv()
-	require.Error(t, err)
-	st, ok := grpcstatus.FromError(err)
-	require.True(t, ok)
-	assert.Equal(t, codes.Unimplemented, st.Code(),
-		"unimplemented SyncMappings should return Unimplemented code")
-
-	// isSyncUnimplemented should detect this.
-	assert.True(t, isSyncUnimplemented(err))
-
-	// The actual fallback: GetMappingUpdate should work.
-	legacyStream, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
-		ProxyId: "test-proxy",
-		Address: "test.example.com",
-	})
-	require.NoError(t, err)
-
-	msg, err := legacyStream.Recv()
-	require.NoError(t, err)
-	assert.True(t, msg.GetInitialSyncComplete())
-	assert.Len(t, msg.GetMapping(), 1)
-	assert.Equal(t, int32(1), srv.getMappingCalls.Load())
-}
-
-func TestIsSyncUnimplemented(t *testing.T) {
-	tests := []struct {
-		name string
-		err  error
-		want bool
-	}{
-		{"nil error", nil, false},
-		{"non-grpc error", errors.New("random"), false},
-		{"grpc internal", grpcstatus.Error(codes.Internal, "fail"), false},
-		{"grpc unavailable", grpcstatus.Error(codes.Unavailable, "fail"), false},
-		{"grpc unimplemented", grpcstatus.Error(codes.Unimplemented, "method not found"), true},
-		{
-			"wrapped unimplemented",
-			fmt.Errorf("create sync stream: %w", grpcstatus.Error(codes.Unimplemented, "nope")),
-			// grpc/status.FromError unwraps in recent versions of grpc-go.
-			true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equal(t, tt.want, isSyncUnimplemented(tt.err))
-		})
-	}
-}
-
-// addServicesToStore adds n extra services to the test store for the given cluster.
-func addServicesToStore(t *testing.T, setup *integrationTestSetup, n int, cluster string) {
-	t.Helper()
-	ctx := context.Background()
-	for i := 0; i < n; i++ {
-		svc := &service.Service{
-			ID:           fmt.Sprintf("extra-svc-%d", i),
-			AccountID:    "test-account-1",
-			Name:         fmt.Sprintf("Extra Service %d", i),
-			Domain:       fmt.Sprintf("extra-%d.test.proxy.io", i),
-			ProxyCluster: cluster,
-			Enabled:      true,
-			Targets: []*service.Target{{
-				Path:       strPtr("/"),
-				Host:       fmt.Sprintf("10.0.1.%d", i%256),
-				Port:       8080,
-				Protocol:   "http",
-				TargetId:   fmt.Sprintf("peer-extra-%d", i),
-				TargetType: "peer",
-				Enabled:    true,
-			}},
-		}
-		require.NoError(t, setup.store.CreateService(ctx, svc))
-	}
-}

shared/management/http/api/openapi.yml

@@ -3417,43 +3417,19 @@ components:
           type: string
           description: Cluster address used for CNAME targets
           example: "eu.proxy.netbird.io"
-        type:
-          $ref: '#/components/schemas/ProxyClusterType'
-        online:
-          type: boolean
-          description: Whether at least one proxy in the cluster has heartbeated within the active window
-          example: true
         connected_proxies:
           type: integer
-          description: Number of proxy nodes currently connected (heartbeat within the active window)
+          description: Number of proxy nodes connected in this cluster
           example: 3
-        supports_custom_ports:
+        self_hosted:
           type: boolean
-          description: Whether the cluster supports binding arbitrary TCP/UDP ports
-          example: true
-        require_subdomain:
-          type: boolean
-          description: Whether services on this cluster must include a subdomain label
-          example: false
-        supports_crowdsec:
-          type: boolean
-          description: Whether all active proxies in the cluster have CrowdSec configured
+          description: Whether this cluster is a self-hosted (BYOP) proxy managed by the account owner
           example: false
       required:
         - id
         - address
-        - type
-        - online
         - connected_proxies
-    ProxyClusterType:
-      type: string
-      description: |
-        Source of the proxy cluster. `account` clusters are owned and operated by the account (BYOP);
-        `shared` clusters are operated by NetBird and shared across accounts.
-      enum:
-        - account
-        - shared
-      example: shared
+        - self_hosted
     ReverseProxyDomainType:
       type: string
       description: Type of Reverse Proxy Domain

shared/management/http/api/types.gen.go

@@ -1,6 +1,6 @@
 // Package api provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version v2.7.0 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version v2.6.0 DO NOT EDIT.
 package api
 
 import (
@@ -13,8 +13,8 @@ import (
 )
 
 const (
-	BearerAuthScopes bearerAuthContextKey = "BearerAuth.Scopes"
-	TokenAuthScopes  tokenAuthContextKey  = "TokenAuth.Scopes"
+	BearerAuthScopes = "BearerAuth.Scopes"
+	TokenAuthScopes  = "TokenAuth.Scopes"
 )
 
 // Defines values for AccessRestrictionsCrowdsecMode.
@@ -511,7 +511,6 @@ func (e GroupMinimumIssued) Valid() bool {
 
 // Defines values for IdentityProviderType.
 const (
-	IdentityProviderTypeAdfs      IdentityProviderType = "adfs"
 	IdentityProviderTypeEntra     IdentityProviderType = "entra"
 	IdentityProviderTypeGoogle    IdentityProviderType = "google"
 	IdentityProviderTypeMicrosoft IdentityProviderType = "microsoft"
@@ -519,13 +518,12 @@ const (
 	IdentityProviderTypeOkta      IdentityProviderType = "okta"
 	IdentityProviderTypePocketid  IdentityProviderType = "pocketid"
 	IdentityProviderTypeZitadel   IdentityProviderType = "zitadel"
+	IdentityProviderTypeAdfs      IdentityProviderType = "adfs"
 )
 
 // Valid indicates whether the value is a known member of the IdentityProviderType enum.
 func (e IdentityProviderType) Valid() bool {
 	switch e {
-	case IdentityProviderTypeAdfs:
-		return true
 	case IdentityProviderTypeEntra:
 		return true
 	case IdentityProviderTypeGoogle:
@@ -540,6 +538,8 @@ func (e IdentityProviderType) Valid() bool {
 		return true
 	case IdentityProviderTypeZitadel:
 		return true
+	case IdentityProviderTypeAdfs:
+		return true
 	default:
 		return false
 	}
@@ -878,24 +878,6 @@ func (e PolicyRuleUpdateProtocol) Valid() bool {
 	}
 }
 
-// Defines values for ProxyClusterType.
-const (
-	ProxyClusterTypeAccount ProxyClusterType = "account"
-	ProxyClusterTypeShared  ProxyClusterType = "shared"
-)
-
-// Valid indicates whether the value is a known member of the ProxyClusterType enum.
-func (e ProxyClusterType) Valid() bool {
-	switch e {
-	case ProxyClusterTypeAccount:
-		return true
-	case ProxyClusterTypeShared:
-		return true
-	default:
-		return false
-	}
-}
-
 // Defines values for ResourceType.
 const (
 	ResourceTypeDomain ResourceType = "domain"
@@ -1656,9 +1638,7 @@ type Checks struct {
 	// OsVersionCheck Posture check for the version of operating system
 	OsVersionCheck *OSVersionCheck `json:"os_version_check,omitempty"`
 
-	// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it
-	// contains any of the peer's local network interface IPs or its public connection (NAT egress) IP,
-	// so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
+	// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it contains any of the peer's local network interface IPs or its public connection (NAT egress) IP, so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
 	PeerNetworkRangeCheck *PeerNetworkRangeCheck `json:"peer_network_range_check,omitempty"`
 
 	// ProcessCheck Posture Check for binaries exist and are running in the peer’s system
@@ -3350,9 +3330,7 @@ type PeerMinimum struct {
 	Name string `json:"name"`
 }
 
-// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it
-// contains any of the peer's local network interface IPs or its public connection (NAT egress) IP,
-// so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
+// PeerNetworkRangeCheck Posture check for allow or deny access based on the peer's IP addresses. A range matches when it contains any of the peer's local network interface IPs or its public connection (NAT egress) IP, so ranges may target private subnets, public CIDRs, or single hosts via a /32 or /128.
 type PeerNetworkRangeCheck struct {
 	// Action Action to take upon policy match
 	Action PeerNetworkRangeCheckAction `json:"action"`
@@ -3807,36 +3785,19 @@ type ProxyAccessLogsResponse struct {
 
 // ProxyCluster A proxy cluster represents a group of proxy nodes serving the same address
 type ProxyCluster struct {
-	// Address Cluster address used for CNAME targets
-	Address string `json:"address"`
-
-	// ConnectedProxies Number of proxy nodes currently connected (heartbeat within the active window)
-	ConnectedProxies int `json:"connected_proxies"`
-
 	// Id Unique identifier of a proxy in this cluster
 	Id string `json:"id"`
 
-	// Online Whether at least one proxy in the cluster has heartbeated within the active window
-	Online bool `json:"online"`
+	// Address Cluster address used for CNAME targets
+	Address string `json:"address"`
 
-	// RequireSubdomain Whether services on this cluster must include a subdomain label
-	RequireSubdomain *bool `json:"require_subdomain,omitempty"`
+	// ConnectedProxies Number of proxy nodes connected in this cluster
+	ConnectedProxies int `json:"connected_proxies"`
 
-	// SupportsCrowdsec Whether all active proxies in the cluster have CrowdSec configured
-	SupportsCrowdsec *bool `json:"supports_crowdsec,omitempty"`
-
-	// SupportsCustomPorts Whether the cluster supports binding arbitrary TCP/UDP ports
-	SupportsCustomPorts *bool `json:"supports_custom_ports,omitempty"`
-
-	// Type Source of the proxy cluster. `account` clusters are owned and operated by the account (BYOP);
-	// `shared` clusters are operated by NetBird and shared across accounts.
-	Type ProxyClusterType `json:"type"`
+	// SelfHosted Whether this cluster is a self-hosted (BYOP) proxy managed by the account owner
+	SelfHosted bool `json:"self_hosted"`
 }
 
-// ProxyClusterType Source of the proxy cluster. `account` clusters are owned and operated by the account (BYOP);
-// `shared` clusters are operated by NetBird and shared across accounts.
-type ProxyClusterType string
-
 // ProxyToken defines model for ProxyToken.
 type ProxyToken struct {
 	CreatedAt time.Time  `json:"created_at"`
@@ -4859,12 +4820,6 @@ type ZoneRequest struct {
 // Conflict Standard error response. Note: The exact structure of this error response is inferred from `util.WriteErrorResponse` and `util.WriteError` usage in the provided Go code, as a specific Go struct for errors was not provided.
 type Conflict = ErrorResponse
 
-// bearerAuthContextKey is the context key for BearerAuth security scheme
-type bearerAuthContextKey string
-
-// tokenAuthContextKey is the context key for TokenAuth security scheme
-type tokenAuthContextKey string
-
 // GetApiEventsNetworkTrafficParams defines parameters for GetApiEventsNetworkTraffic.
 type GetApiEventsNetworkTrafficParams struct {
 	// Page Page number

shared/management/proto/proxy_service.pb.go

@@ -1970,269 +1970,6 @@ func (x *ValidateSessionResponse) GetDeniedReason() string {
 	return ""
 }
 
-// SyncMappingsRequest is sent by the proxy on the bidirectional SyncMappings
-// stream. The first message MUST be an init; all subsequent messages MUST be
-// acks.
-type SyncMappingsRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Types that are assignable to Msg:
-	//
-	//	*SyncMappingsRequest_Init
-	//	*SyncMappingsRequest_Ack
-	Msg isSyncMappingsRequest_Msg `protobuf_oneof:"msg"`
-}
-
-func (x *SyncMappingsRequest) Reset() {
-	*x = SyncMappingsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[25]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsRequest) ProtoMessage() {}
-
-func (x *SyncMappingsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[25]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsRequest.ProtoReflect.Descriptor instead.
-func (*SyncMappingsRequest) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{25}
-}
-
-func (m *SyncMappingsRequest) GetMsg() isSyncMappingsRequest_Msg {
-	if m != nil {
-		return m.Msg
-	}
-	return nil
-}
-
-func (x *SyncMappingsRequest) GetInit() *SyncMappingsInit {
-	if x, ok := x.GetMsg().(*SyncMappingsRequest_Init); ok {
-		return x.Init
-	}
-	return nil
-}
-
-func (x *SyncMappingsRequest) GetAck() *SyncMappingsAck {
-	if x, ok := x.GetMsg().(*SyncMappingsRequest_Ack); ok {
-		return x.Ack
-	}
-	return nil
-}
-
-type isSyncMappingsRequest_Msg interface {
-	isSyncMappingsRequest_Msg()
-}
-
-type SyncMappingsRequest_Init struct {
-	Init *SyncMappingsInit `protobuf:"bytes,1,opt,name=init,proto3,oneof"`
-}
-
-type SyncMappingsRequest_Ack struct {
-	Ack *SyncMappingsAck `protobuf:"bytes,2,opt,name=ack,proto3,oneof"`
-}
-
-func (*SyncMappingsRequest_Init) isSyncMappingsRequest_Msg() {}
-
-func (*SyncMappingsRequest_Ack) isSyncMappingsRequest_Msg() {}
-
-// SyncMappingsInit is the first message on the stream, carrying the same
-// identification fields as GetMappingUpdateRequest.
-type SyncMappingsInit struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	ProxyId      string                 `protobuf:"bytes,1,opt,name=proxy_id,json=proxyId,proto3" json:"proxy_id,omitempty"`
-	Version      string                 `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`
-	StartedAt    *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=started_at,json=startedAt,proto3" json:"started_at,omitempty"`
-	Address      string                 `protobuf:"bytes,4,opt,name=address,proto3" json:"address,omitempty"`
-	Capabilities *ProxyCapabilities     `protobuf:"bytes,5,opt,name=capabilities,proto3" json:"capabilities,omitempty"`
-}
-
-func (x *SyncMappingsInit) Reset() {
-	*x = SyncMappingsInit{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[26]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsInit) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsInit) ProtoMessage() {}
-
-func (x *SyncMappingsInit) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[26]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsInit.ProtoReflect.Descriptor instead.
-func (*SyncMappingsInit) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{26}
-}
-
-func (x *SyncMappingsInit) GetProxyId() string {
-	if x != nil {
-		return x.ProxyId
-	}
-	return ""
-}
-
-func (x *SyncMappingsInit) GetVersion() string {
-	if x != nil {
-		return x.Version
-	}
-	return ""
-}
-
-func (x *SyncMappingsInit) GetStartedAt() *timestamppb.Timestamp {
-	if x != nil {
-		return x.StartedAt
-	}
-	return nil
-}
-
-func (x *SyncMappingsInit) GetAddress() string {
-	if x != nil {
-		return x.Address
-	}
-	return ""
-}
-
-func (x *SyncMappingsInit) GetCapabilities() *ProxyCapabilities {
-	if x != nil {
-		return x.Capabilities
-	}
-	return nil
-}
-
-// SyncMappingsAck is sent by the proxy after it has fully processed a batch.
-// Management waits for this before sending the next batch.
-type SyncMappingsAck struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-}
-
-func (x *SyncMappingsAck) Reset() {
-	*x = SyncMappingsAck{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[27]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsAck) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsAck) ProtoMessage() {}
-
-func (x *SyncMappingsAck) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[27]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsAck.ProtoReflect.Descriptor instead.
-func (*SyncMappingsAck) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{27}
-}
-
-// SyncMappingsResponse is a batch of mappings sent by management.
-// Identical semantics to GetMappingUpdateResponse.
-type SyncMappingsResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Mapping []*ProxyMapping `protobuf:"bytes,1,rep,name=mapping,proto3" json:"mapping,omitempty"`
-	// initial_sync_complete is set on the last message of the initial snapshot.
-	InitialSyncComplete bool `protobuf:"varint,2,opt,name=initial_sync_complete,json=initialSyncComplete,proto3" json:"initial_sync_complete,omitempty"`
-}
-
-func (x *SyncMappingsResponse) Reset() {
-	*x = SyncMappingsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_proxy_service_proto_msgTypes[28]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *SyncMappingsResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*SyncMappingsResponse) ProtoMessage() {}
-
-func (x *SyncMappingsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_proxy_service_proto_msgTypes[28]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use SyncMappingsResponse.ProtoReflect.Descriptor instead.
-func (*SyncMappingsResponse) Descriptor() ([]byte, []int) {
-	return file_proxy_service_proto_rawDescGZIP(), []int{28}
-}
-
-func (x *SyncMappingsResponse) GetMapping() []*ProxyMapping {
-	if x != nil {
-		return x.Mapping
-	}
-	return nil
-}
-
-func (x *SyncMappingsResponse) GetInitialSyncComplete() bool {
-	if x != nil {
-		return x.InitialSyncComplete
-	}
-	return false
-}
-
 var File_proxy_service_proto protoreflect.FileDescriptor
 
 var file_proxy_service_proto_rawDesc = []byte{
@@ -2517,74 +2254,37 @@ var file_proxy_service_proto_rawDesc = []byte{
 	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, 0x72, 0x45, 0x6d, 0x61, 0x69,
 	0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x61, 0x73,
 	0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x6e, 0x69, 0x65, 0x64,
-	0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x22, 0x81, 0x01, 0x0a, 0x13, 0x53, 0x79, 0x6e, 0x63, 0x4d,
-	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x32,
-	0x0a, 0x04, 0x69, 0x6e, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61,
-	0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x49, 0x6e, 0x69, 0x74, 0x48, 0x00, 0x52, 0x04, 0x69, 0x6e,
-	0x69, 0x74, 0x12, 0x2f, 0x0a, 0x03, 0x61, 0x63, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e,
-	0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x41, 0x63, 0x6b, 0x48, 0x00, 0x52, 0x03,
-	0x61, 0x63, 0x6b, 0x42, 0x05, 0x0a, 0x03, 0x6d, 0x73, 0x67, 0x22, 0xdf, 0x01, 0x0a, 0x10, 0x53,
-	0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x49, 0x6e, 0x69, 0x74, 0x12,
-	0x19, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x49, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65,
-	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72,
-	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x39, 0x0a, 0x0a, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x5f,
-	0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12,
-	0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x41, 0x0a, 0x0c, 0x63, 0x61, 0x70,
-	0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x0c,
-	0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x11, 0x0a, 0x0f,
-	0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x41, 0x63, 0x6b, 0x22,
-	0x7e, 0x0a, 0x14, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69,
-	0x6e, 0x67, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69,
-	0x6e, 0x67, 0x52, 0x07, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x0a, 0x15, 0x69,
-	0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x73, 0x79, 0x6e, 0x63, 0x5f, 0x63, 0x6f, 0x6d, 0x70,
-	0x6c, 0x65, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x69, 0x6e, 0x69, 0x74,
-	0x69, 0x61, 0x6c, 0x53, 0x79, 0x6e, 0x63, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x2a,
-	0x64, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55,
-	0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44,
-	0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44,
-	0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50,
-	0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13,
-	0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f,
-	0x56, 0x45, 0x44, 0x10, 0x02, 0x2a, 0x46, 0x0a, 0x0f, 0x50, 0x61, 0x74, 0x68, 0x52, 0x65, 0x77,
-	0x72, 0x69, 0x74, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x50, 0x41, 0x54, 0x48,
-	0x5f, 0x52, 0x45, 0x57, 0x52, 0x49, 0x54, 0x45, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54,
-	0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x50, 0x41, 0x54, 0x48, 0x5f, 0x52, 0x45, 0x57, 0x52, 0x49,
-	0x54, 0x45, 0x5f, 0x50, 0x52, 0x45, 0x53, 0x45, 0x52, 0x56, 0x45, 0x10, 0x01, 0x2a, 0xc8, 0x01,
-	0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a,
-	0x14, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45,
-	0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x17, 0x0a, 0x13, 0x50, 0x52, 0x4f, 0x58, 0x59,
-	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01,
-	0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
-	0x5f, 0x54, 0x55, 0x4e, 0x4e, 0x45, 0x4c, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x43, 0x52, 0x45, 0x41,
-	0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x24, 0x0a, 0x20, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53,
-	0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54,
-	0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x50,
-	0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54,
-	0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04,
-	0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53,
-	0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x05, 0x32, 0xd3, 0x05, 0x0a, 0x0c, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x10, 0x47, 0x65, 0x74,
-	0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61,
-	0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x12, 0x55, 0x0a, 0x0c, 0x53, 0x79,
-	0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x1f, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70, 0x70,
-	0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x61, 0x70,
-	0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x28, 0x01, 0x30,
+	0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x2a, 0x64, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d,
+	0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65,
+	0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
+	0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x55, 0x50, 0x44,
+	0x41, 0x54, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x49, 0x46, 0x49, 0x45,
+	0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x55, 0x50, 0x44, 0x41, 0x54, 0x45, 0x5f, 0x54, 0x59,
+	0x50, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x56, 0x45, 0x44, 0x10, 0x02, 0x2a, 0x46, 0x0a, 0x0f,
+	0x50, 0x61, 0x74, 0x68, 0x52, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12,
+	0x18, 0x0a, 0x14, 0x50, 0x41, 0x54, 0x48, 0x5f, 0x52, 0x45, 0x57, 0x52, 0x49, 0x54, 0x45, 0x5f,
+	0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x50, 0x41, 0x54,
+	0x48, 0x5f, 0x52, 0x45, 0x57, 0x52, 0x49, 0x54, 0x45, 0x5f, 0x50, 0x52, 0x45, 0x53, 0x45, 0x52,
+	0x56, 0x45, 0x10, 0x01, 0x2a, 0xc8, 0x01, 0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a, 0x14, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54,
+	0x41, 0x54, 0x55, 0x53, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x17,
+	0x0a, 0x13, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41,
+	0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59,
+	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x55, 0x4e, 0x4e, 0x45, 0x4c, 0x5f, 0x4e,
+	0x4f, 0x54, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x24, 0x0a, 0x20,
+	0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x43, 0x45, 0x52,
+	0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47,
+	0x10, 0x03, 0x12, 0x23, 0x0a, 0x1f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54,
+	0x55, 0x53, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x46,
+	0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x04, 0x12, 0x16, 0x0a, 0x12, 0x50, 0x52, 0x4f, 0x58, 0x59,
+	0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x05, 0x32,
+	0xfc, 0x04, 0x0a, 0x0c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
+	0x12, 0x5f, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70,
+	0x64, 0x61, 0x74, 0x65, 0x12, 0x23, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61,
+	0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
+	0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30,
 	0x01, 0x12, 0x54, 0x0a, 0x0d, 0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c,
 	0x6f, 0x67, 0x12, 0x20, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
 	0x53, 0x65, 0x6e, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71,
@@ -2634,7 +2334,7 @@ func file_proxy_service_proto_rawDescGZIP() []byte {
 }
 
 var file_proxy_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_proxy_service_proto_msgTypes = make([]protoimpl.MessageInfo, 31)
+var file_proxy_service_proto_msgTypes = make([]protoimpl.MessageInfo, 27)
 var file_proxy_service_proto_goTypes = []interface{}{
 	(ProxyMappingUpdateType)(0),      // 0: management.ProxyMappingUpdateType
 	(PathRewriteMode)(0),             // 1: management.PathRewriteMode
@@ -2664,23 +2364,19 @@ var file_proxy_service_proto_goTypes = []interface{}{
 	(*GetOIDCURLResponse)(nil),       // 25: management.GetOIDCURLResponse
 	(*ValidateSessionRequest)(nil),   // 26: management.ValidateSessionRequest
 	(*ValidateSessionResponse)(nil),  // 27: management.ValidateSessionResponse
-	(*SyncMappingsRequest)(nil),      // 28: management.SyncMappingsRequest
-	(*SyncMappingsInit)(nil),         // 29: management.SyncMappingsInit
-	(*SyncMappingsAck)(nil),          // 30: management.SyncMappingsAck
-	(*SyncMappingsResponse)(nil),     // 31: management.SyncMappingsResponse
-	nil,                              // 32: management.PathTargetOptions.CustomHeadersEntry
-	nil,                              // 33: management.AccessLog.MetadataEntry
-	(*timestamppb.Timestamp)(nil),    // 34: google.protobuf.Timestamp
-	(*durationpb.Duration)(nil),      // 35: google.protobuf.Duration
+	nil,                              // 28: management.PathTargetOptions.CustomHeadersEntry
+	nil,                              // 29: management.AccessLog.MetadataEntry
+	(*timestamppb.Timestamp)(nil),    // 30: google.protobuf.Timestamp
+	(*durationpb.Duration)(nil),      // 31: google.protobuf.Duration
 }
 var file_proxy_service_proto_depIdxs = []int32{
-	34, // 0: management.GetMappingUpdateRequest.started_at:type_name -> google.protobuf.Timestamp
+	30, // 0: management.GetMappingUpdateRequest.started_at:type_name -> google.protobuf.Timestamp
 	3,  // 1: management.GetMappingUpdateRequest.capabilities:type_name -> management.ProxyCapabilities
 	11, // 2: management.GetMappingUpdateResponse.mapping:type_name -> management.ProxyMapping
-	35, // 3: management.PathTargetOptions.request_timeout:type_name -> google.protobuf.Duration
+	31, // 3: management.PathTargetOptions.request_timeout:type_name -> google.protobuf.Duration
 	1,  // 4: management.PathTargetOptions.path_rewrite:type_name -> management.PathRewriteMode
-	32, // 5: management.PathTargetOptions.custom_headers:type_name -> management.PathTargetOptions.CustomHeadersEntry
-	35, // 6: management.PathTargetOptions.session_idle_timeout:type_name -> google.protobuf.Duration
+	28, // 5: management.PathTargetOptions.custom_headers:type_name -> management.PathTargetOptions.CustomHeadersEntry
+	31, // 6: management.PathTargetOptions.session_idle_timeout:type_name -> google.protobuf.Duration
 	6,  // 7: management.PathMapping.options:type_name -> management.PathTargetOptions
 	8,  // 8: management.Authentication.header_auths:type_name -> management.HeaderAuth
 	0,  // 9: management.ProxyMapping.type:type_name -> management.ProxyMappingUpdateType
@@ -2688,38 +2384,31 @@ var file_proxy_service_proto_depIdxs = []int32{
 	9,  // 11: management.ProxyMapping.auth:type_name -> management.Authentication
 	10, // 12: management.ProxyMapping.access_restrictions:type_name -> management.AccessRestrictions
 	14, // 13: management.SendAccessLogRequest.log:type_name -> management.AccessLog
-	34, // 14: management.AccessLog.timestamp:type_name -> google.protobuf.Timestamp
-	33, // 15: management.AccessLog.metadata:type_name -> management.AccessLog.MetadataEntry
+	30, // 14: management.AccessLog.timestamp:type_name -> google.protobuf.Timestamp
+	29, // 15: management.AccessLog.metadata:type_name -> management.AccessLog.MetadataEntry
 	17, // 16: management.AuthenticateRequest.password:type_name -> management.PasswordRequest
 	18, // 17: management.AuthenticateRequest.pin:type_name -> management.PinRequest
 	16, // 18: management.AuthenticateRequest.header_auth:type_name -> management.HeaderAuthRequest
 	2,  // 19: management.SendStatusUpdateRequest.status:type_name -> management.ProxyStatus
-	29, // 20: management.SyncMappingsRequest.init:type_name -> management.SyncMappingsInit
-	30, // 21: management.SyncMappingsRequest.ack:type_name -> management.SyncMappingsAck
-	34, // 22: management.SyncMappingsInit.started_at:type_name -> google.protobuf.Timestamp
-	3,  // 23: management.SyncMappingsInit.capabilities:type_name -> management.ProxyCapabilities
-	11, // 24: management.SyncMappingsResponse.mapping:type_name -> management.ProxyMapping
-	4,  // 25: management.ProxyService.GetMappingUpdate:input_type -> management.GetMappingUpdateRequest
-	28, // 26: management.ProxyService.SyncMappings:input_type -> management.SyncMappingsRequest
-	12, // 27: management.ProxyService.SendAccessLog:input_type -> management.SendAccessLogRequest
-	15, // 28: management.ProxyService.Authenticate:input_type -> management.AuthenticateRequest
-	20, // 29: management.ProxyService.SendStatusUpdate:input_type -> management.SendStatusUpdateRequest
-	22, // 30: management.ProxyService.CreateProxyPeer:input_type -> management.CreateProxyPeerRequest
-	24, // 31: management.ProxyService.GetOIDCURL:input_type -> management.GetOIDCURLRequest
-	26, // 32: management.ProxyService.ValidateSession:input_type -> management.ValidateSessionRequest
-	5,  // 33: management.ProxyService.GetMappingUpdate:output_type -> management.GetMappingUpdateResponse
-	31, // 34: management.ProxyService.SyncMappings:output_type -> management.SyncMappingsResponse
-	13, // 35: management.ProxyService.SendAccessLog:output_type -> management.SendAccessLogResponse
-	19, // 36: management.ProxyService.Authenticate:output_type -> management.AuthenticateResponse
-	21, // 37: management.ProxyService.SendStatusUpdate:output_type -> management.SendStatusUpdateResponse
-	23, // 38: management.ProxyService.CreateProxyPeer:output_type -> management.CreateProxyPeerResponse
-	25, // 39: management.ProxyService.GetOIDCURL:output_type -> management.GetOIDCURLResponse
-	27, // 40: management.ProxyService.ValidateSession:output_type -> management.ValidateSessionResponse
-	33, // [33:41] is the sub-list for method output_type
-	25, // [25:33] is the sub-list for method input_type
-	25, // [25:25] is the sub-list for extension type_name
-	25, // [25:25] is the sub-list for extension extendee
-	0,  // [0:25] is the sub-list for field type_name
+	4,  // 20: management.ProxyService.GetMappingUpdate:input_type -> management.GetMappingUpdateRequest
+	12, // 21: management.ProxyService.SendAccessLog:input_type -> management.SendAccessLogRequest
+	15, // 22: management.ProxyService.Authenticate:input_type -> management.AuthenticateRequest
+	20, // 23: management.ProxyService.SendStatusUpdate:input_type -> management.SendStatusUpdateRequest
+	22, // 24: management.ProxyService.CreateProxyPeer:input_type -> management.CreateProxyPeerRequest
+	24, // 25: management.ProxyService.GetOIDCURL:input_type -> management.GetOIDCURLRequest
+	26, // 26: management.ProxyService.ValidateSession:input_type -> management.ValidateSessionRequest
+	5,  // 27: management.ProxyService.GetMappingUpdate:output_type -> management.GetMappingUpdateResponse
+	13, // 28: management.ProxyService.SendAccessLog:output_type -> management.SendAccessLogResponse
+	19, // 29: management.ProxyService.Authenticate:output_type -> management.AuthenticateResponse
+	21, // 30: management.ProxyService.SendStatusUpdate:output_type -> management.SendStatusUpdateResponse
+	23, // 31: management.ProxyService.CreateProxyPeer:output_type -> management.CreateProxyPeerResponse
+	25, // 32: management.ProxyService.GetOIDCURL:output_type -> management.GetOIDCURLResponse
+	27, // 33: management.ProxyService.ValidateSession:output_type -> management.ValidateSessionResponse
+	27, // [27:34] is the sub-list for method output_type
+	20, // [20:27] is the sub-list for method input_type
+	20, // [20:20] is the sub-list for extension type_name
+	20, // [20:20] is the sub-list for extension extendee
+	0,  // [0:20] is the sub-list for field type_name
 }
 
 func init() { file_proxy_service_proto_init() }
@@ -3028,54 +2717,6 @@ func file_proxy_service_proto_init() {
 				return nil
 			}
 		}
-		file_proxy_service_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_proxy_service_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsInit); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_proxy_service_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsAck); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_proxy_service_proto_msgTypes[28].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SyncMappingsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
 	}
 	file_proxy_service_proto_msgTypes[0].OneofWrappers = []interface{}{}
 	file_proxy_service_proto_msgTypes[12].OneofWrappers = []interface{}{
@@ -3085,17 +2726,13 @@ func file_proxy_service_proto_init() {
 	}
 	file_proxy_service_proto_msgTypes[17].OneofWrappers = []interface{}{}
 	file_proxy_service_proto_msgTypes[20].OneofWrappers = []interface{}{}
-	file_proxy_service_proto_msgTypes[25].OneofWrappers = []interface{}{
-		(*SyncMappingsRequest_Init)(nil),
-		(*SyncMappingsRequest_Ack)(nil),
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_proxy_service_proto_rawDesc,
 			NumEnums:      3,
-			NumMessages:   31,
+			NumMessages:   27,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

shared/management/proto/proxy_service.proto

@@ -12,15 +12,6 @@ import "google/protobuf/timestamp.proto";
 service ProxyService {
   rpc GetMappingUpdate(GetMappingUpdateRequest) returns (stream GetMappingUpdateResponse);
 
-  // SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-  // new proxies. The proxy sends an initial SyncMappingsRequest to start the
-  // stream and then sends an ack after each batch is fully processed.
-  // Management waits for the ack before sending the next batch, providing
-  // application-level back-pressure during large initial syncs.
-  // Old proxies continue using GetMappingUpdate; old management servers
-  // return Unimplemented for this RPC and proxies fall back.
-  rpc SyncMappings(stream SyncMappingsRequest) returns (stream SyncMappingsResponse);
-
   rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);
 
   rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
@@ -255,35 +246,3 @@ message ValidateSessionResponse {
   string user_email = 3;
   string denied_reason = 4;
 }
-
-// SyncMappingsRequest is sent by the proxy on the bidirectional SyncMappings
-// stream. The first message MUST be an init; all subsequent messages MUST be
-// acks.
-message SyncMappingsRequest {
-  oneof msg {
-    SyncMappingsInit init = 1;
-    SyncMappingsAck ack = 2;
-  }
-}
-
-// SyncMappingsInit is the first message on the stream, carrying the same
-// identification fields as GetMappingUpdateRequest.
-message SyncMappingsInit {
-  string proxy_id = 1;
-  string version = 2;
-  google.protobuf.Timestamp started_at = 3;
-  string address = 4;
-  ProxyCapabilities capabilities = 5;
-}
-
-// SyncMappingsAck is sent by the proxy after it has fully processed a batch.
-// Management waits for this before sending the next batch.
-message SyncMappingsAck {}
-
-// SyncMappingsResponse is a batch of mappings sent by management.
-// Identical semantics to GetMappingUpdateResponse.
-message SyncMappingsResponse {
-  repeated ProxyMapping mapping = 1;
-  // initial_sync_complete is set on the last message of the initial snapshot.
-  bool initial_sync_complete = 2;
-}

shared/management/proto/proxy_service_grpc.pb.go

@@ -19,14 +19,6 @@ const _ = grpc.SupportPackageIsVersion7
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type ProxyServiceClient interface {
 	GetMappingUpdate(ctx context.Context, in *GetMappingUpdateRequest, opts ...grpc.CallOption) (ProxyService_GetMappingUpdateClient, error)
-	// SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-	// new proxies. The proxy sends an initial SyncMappingsRequest to start the
-	// stream and then sends an ack after each batch is fully processed.
-	// Management waits for the ack before sending the next batch, providing
-	// application-level back-pressure during large initial syncs.
-	// Old proxies continue using GetMappingUpdate; old management servers
-	// return Unimplemented for this RPC and proxies fall back.
-	SyncMappings(ctx context.Context, opts ...grpc.CallOption) (ProxyService_SyncMappingsClient, error)
 	SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error)
 	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
 	SendStatusUpdate(ctx context.Context, in *SendStatusUpdateRequest, opts ...grpc.CallOption) (*SendStatusUpdateResponse, error)
@@ -77,37 +69,6 @@ func (x *proxyServiceGetMappingUpdateClient) Recv() (*GetMappingUpdateResponse,
 	return m, nil
 }
 
-func (c *proxyServiceClient) SyncMappings(ctx context.Context, opts ...grpc.CallOption) (ProxyService_SyncMappingsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &ProxyService_ServiceDesc.Streams[1], "/management.ProxyService/SyncMappings", opts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &proxyServiceSyncMappingsClient{stream}
-	return x, nil
-}
-
-type ProxyService_SyncMappingsClient interface {
-	Send(*SyncMappingsRequest) error
-	Recv() (*SyncMappingsResponse, error)
-	grpc.ClientStream
-}
-
-type proxyServiceSyncMappingsClient struct {
-	grpc.ClientStream
-}
-
-func (x *proxyServiceSyncMappingsClient) Send(m *SyncMappingsRequest) error {
-	return x.ClientStream.SendMsg(m)
-}
-
-func (x *proxyServiceSyncMappingsClient) Recv() (*SyncMappingsResponse, error) {
-	m := new(SyncMappingsResponse)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 func (c *proxyServiceClient) SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error) {
 	out := new(SendAccessLogResponse)
 	err := c.cc.Invoke(ctx, "/management.ProxyService/SendAccessLog", in, out, opts...)
@@ -167,14 +128,6 @@ func (c *proxyServiceClient) ValidateSession(ctx context.Context, in *ValidateSe
 // for forward compatibility
 type ProxyServiceServer interface {
 	GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error
-	// SyncMappings is a bidirectional stream that replaces GetMappingUpdate for
-	// new proxies. The proxy sends an initial SyncMappingsRequest to start the
-	// stream and then sends an ack after each batch is fully processed.
-	// Management waits for the ack before sending the next batch, providing
-	// application-level back-pressure during large initial syncs.
-	// Old proxies continue using GetMappingUpdate; old management servers
-	// return Unimplemented for this RPC and proxies fall back.
-	SyncMappings(ProxyService_SyncMappingsServer) error
 	SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error)
 	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
 	SendStatusUpdate(context.Context, *SendStatusUpdateRequest) (*SendStatusUpdateResponse, error)
@@ -193,9 +146,6 @@ type UnimplementedProxyServiceServer struct {
 func (UnimplementedProxyServiceServer) GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error {
 	return status.Errorf(codes.Unimplemented, "method GetMappingUpdate not implemented")
 }
-func (UnimplementedProxyServiceServer) SyncMappings(ProxyService_SyncMappingsServer) error {
-	return status.Errorf(codes.Unimplemented, "method SyncMappings not implemented")
-}
 func (UnimplementedProxyServiceServer) SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SendAccessLog not implemented")
 }
@@ -248,32 +198,6 @@ func (x *proxyServiceGetMappingUpdateServer) Send(m *GetMappingUpdateResponse) e
 	return x.ServerStream.SendMsg(m)
 }
 
-func _ProxyService_SyncMappings_Handler(srv interface{}, stream grpc.ServerStream) error {
-	return srv.(ProxyServiceServer).SyncMappings(&proxyServiceSyncMappingsServer{stream})
-}
-
-type ProxyService_SyncMappingsServer interface {
-	Send(*SyncMappingsResponse) error
-	Recv() (*SyncMappingsRequest, error)
-	grpc.ServerStream
-}
-
-type proxyServiceSyncMappingsServer struct {
-	grpc.ServerStream
-}
-
-func (x *proxyServiceSyncMappingsServer) Send(m *SyncMappingsResponse) error {
-	return x.ServerStream.SendMsg(m)
-}
-
-func (x *proxyServiceSyncMappingsServer) Recv() (*SyncMappingsRequest, error) {
-	m := new(SyncMappingsRequest)
-	if err := x.ServerStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 func _ProxyService_SendAccessLog_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(SendAccessLogRequest)
 	if err := dec(in); err != nil {
@@ -420,12 +344,6 @@ var ProxyService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _ProxyService_GetMappingUpdate_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "SyncMappings",
-			Handler:       _ProxyService_SyncMappings_Handler,
-			ServerStreams: true,
-			ClientStreams: true,
-		},
 	},
 	Metadata: "proxy_service.proto",
 }