cleanup route handling for local backend

internal/app/wireguard/wireguard_interfaces.go

@@ -462,12 +462,17 @@ func (m Manager) DeleteInterface(ctx context.Context, id domain.InterfaceIdentif
 		return fmt.Errorf("deletion not allowed: %w", err)
 	}
 
+	m.bus.Publish(app.TopicRouteRemove, domain.RoutingTableInfo{
+		Interface:  *existingInterface,
+		AllowedIps: existingInterface.GetAllowedIPs(existingPeers),
+		FwMark:     existingInterface.FirewallMark,
+		Table:      existingInterface.GetRoutingTable(),
+	})
+
 	now := time.Now()
 	existingInterface.Disabled = &now // simulate a disabled interface
 	existingInterface.DisabledReason = domain.DisabledReasonDeleted
 
-	physicalInterface, _ := m.wg.GetController(*existingInterface).GetInterface(ctx, id)
-
 	if err := m.handleInterfacePreSaveHooks(ctx, existingInterface, !existingInterface.IsDisabled(),
 		false); err != nil {
 		return fmt.Errorf("pre-delete hooks failed: %w", err)
@@ -489,17 +494,6 @@ func (m Manager) DeleteInterface(ctx context.Context, id domain.InterfaceIdentif
 		return fmt.Errorf("deletion failure: %w", err)
 	}
 
-	fwMark := existingInterface.FirewallMark
-	if physicalInterface != nil && fwMark == 0 {
-		fwMark = physicalInterface.FirewallMark
-	}
-	m.bus.Publish(app.TopicRouteRemove, domain.RoutingTableInfo{
-		Interface:  *existingInterface,
-		AllowedIps: existingInterface.GetAllowedIPs(existingPeers),
-		FwMark:     fwMark,
-		Table:      existingInterface.GetRoutingTable(),
-	})
-
 	if err := m.handleInterfacePostSaveHooks(
 		ctx,
 		existingInterface,
@@ -577,15 +571,10 @@ func (m Manager) saveInterface(ctx context.Context, iface *domain.Interface) (
 	}
 
 	if iface.IsDisabled() {
-		physicalInterface, _ := m.wg.GetController(*iface).GetInterface(ctx, iface.Identifier)
-		fwMark := iface.FirewallMark
-		if physicalInterface != nil && fwMark == 0 {
-			fwMark = physicalInterface.FirewallMark
-		}
 		m.bus.Publish(app.TopicRouteRemove, domain.RoutingTableInfo{
 			Interface:  *iface,
 			AllowedIps: iface.GetAllowedIPs(peers),
-			FwMark:     fwMark,
+			FwMark:     iface.FirewallMark,
 			Table:      iface.GetRoutingTable(),
 		})
 	} else {

internal/app/wireguard/wireguard_peers.go

@@ -449,7 +449,6 @@ func (m Manager) GetUserPeerStats(ctx context.Context, id domain.UserIdentifier)
 
 func (m Manager) savePeers(ctx context.Context, peers ...*domain.Peer) error {
 	interfaces := make(map[domain.InterfaceIdentifier]domain.Interface)
-	interfacePeers := make(map[domain.InterfaceIdentifier][]domain.Peer)
 
 	for _, peer := range peers {
 		// get interface from db if it is not yet in the map
@@ -462,7 +461,6 @@ func (m Manager) savePeers(ctx context.Context, peers ...*domain.Peer) error {
 		}
 
 		iface := interfaces[peer.InterfaceIdentifier]
-		interfacePeers[iface.Identifier] = append(interfacePeers[iface.Identifier], *peer)
 
 		// Always save the peer to the backend, regardless of disabled/expired state
 		// The backend will handle the disabled state appropriately
@@ -497,9 +495,14 @@ func (m Manager) savePeers(ctx context.Context, peers ...*domain.Peer) error {
 
 	// Update routes after peers have changed
 	for id, iface := range interfaces {
+		interfacePeers, err := m.db.GetInterfacePeers(ctx, id)
+		if err != nil {
+			return fmt.Errorf("failed to re-load peers for interface %s: %w", id, err)
+		}
+
 		m.bus.Publish(app.TopicRouteUpdate, domain.RoutingTableInfo{
 			Interface:  iface,
-			AllowedIps: iface.GetAllowedIPs(interfacePeers[id]),
+			AllowedIps: iface.GetAllowedIPs(interfacePeers),
 			FwMark:     iface.FirewallMark,
 			Table:      iface.GetRoutingTable(),
 		})