diff --git a/agent/go.mod b/agent/go.mod
index 2b72a9460..b2992f75f 100644
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -11,7 +11,10 @@ require (
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	golang.org/x/sys v0.44.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/agent/go.sum b/agent/go.sum
index c52e4a833..eb90792f7 100644
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -1,18 +1,27 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
 github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/backend/internal/api/handlers/proxy_group_handler.go b/backend/internal/api/handlers/proxy_group_handler.go
new file mode 100644
index 000000000..da6a5fd7c
--- /dev/null
+++ b/backend/internal/api/handlers/proxy_group_handler.go
@@ -0,0 +1,146 @@
+package handlers
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+
+	"github.com/Wikid82/charon/backend/internal/models"
+	"github.com/Wikid82/charon/backend/internal/services"
+)
+
+// ProxyGroupHandler handles CRUD operations for proxy groups.
+type ProxyGroupHandler struct {
+	service *services.ProxyGroupService
+	db      *gorm.DB
+}
+
+// NewProxyGroupHandler creates a new ProxyGroupHandler.
+func NewProxyGroupHandler(db *gorm.DB) *ProxyGroupHandler {
+	return &ProxyGroupHandler{
+		service: services.NewProxyGroupService(db),
+		db:      db,
+	}
+}
+
+// RegisterRoutes registers proxy group routes on the given router group.
+func (h *ProxyGroupHandler) RegisterRoutes(router *gin.RouterGroup) {
+	router.GET("/proxy-groups", h.List)
+	router.POST("/proxy-groups", h.Create)
+	router.GET("/proxy-groups/:uuid", h.Get)
+	router.PUT("/proxy-groups/:uuid", h.Update)
+	router.DELETE("/proxy-groups/:uuid", h.Delete)
+}
+
+// List returns all proxy groups ordered by name.
+func (h *ProxyGroupHandler) List(c *gin.Context) {
+	groups, err := h.service.List()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, groups)
+}
+
+// Create creates a new proxy group.
+func (h *ProxyGroupHandler) Create(c *gin.Context) {
+	var payload struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+		Color       string `json:"color"`
+	}
+	if err := c.ShouldBindJSON(&payload); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	group := models.ProxyGroup{
+		Name:        strings.TrimSpace(payload.Name),
+		Description: payload.Description,
+		Color:       payload.Color,
+	}
+	if group.Color == "" {
+		group.Color = "#6366f1"
+	}
+
+	if err := h.service.Create(&group); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusCreated, group)
+}
+
+// Get returns a single proxy group by UUID, including host count.
+func (h *ProxyGroupHandler) Get(c *gin.Context) {
+	group, err := h.service.GetByUUID(c.Param("uuid"))
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "proxy group not found"})
+		return
+	}
+	count, _ := h.service.GetHostCount(group.ID)
+	c.JSON(http.StatusOK, gin.H{
+		"uuid":        group.UUID,
+		"name":        group.Name,
+		"description": group.Description,
+		"color":       group.Color,
+		"host_count":  count,
+		"created_at":  group.CreatedAt,
+		"updated_at":  group.UpdatedAt,
+	})
+}
+
+// Update updates an existing proxy group by UUID.
+func (h *ProxyGroupHandler) Update(c *gin.Context) {
+	group, err := h.service.GetByUUID(c.Param("uuid"))
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "proxy group not found"})
+		return
+	}
+
+	var payload struct {
+		Name        *string `json:"name"`
+		Description *string `json:"description"`
+		Color       *string `json:"color"`
+	}
+	if err := c.ShouldBindJSON(&payload); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if payload.Name != nil {
+		trimmed := strings.TrimSpace(*payload.Name)
+		if trimmed == "" {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "name cannot be empty"})
+			return
+		}
+		group.Name = trimmed
+	}
+	if payload.Description != nil {
+		group.Description = *payload.Description
+	}
+	if payload.Color != nil {
+		group.Color = *payload.Color
+	}
+
+	if err := h.service.Update(group); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, group)
+}
+
+// Delete removes a proxy group by UUID, clearing host assignments.
+func (h *ProxyGroupHandler) Delete(c *gin.Context) {
+	group, err := h.service.GetByUUID(c.Param("uuid"))
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "proxy group not found"})
+		return
+	}
+	if err := h.service.Delete(group.ID); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
diff --git a/backend/internal/api/handlers/proxy_group_handler_test.go b/backend/internal/api/handlers/proxy_group_handler_test.go
new file mode 100644
index 000000000..f1a5eb77b
--- /dev/null
+++ b/backend/internal/api/handlers/proxy_group_handler_test.go
@@ -0,0 +1,155 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/Wikid82/charon/backend/internal/models"
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupProxyGroupHandlerRouter(t *testing.T) (*gin.Engine, *gorm.DB) {
+	t.Helper()
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	require.NoError(t, err)
+	require.NoError(t, db.AutoMigrate(&models.ProxyGroup{}, &models.ProxyHost{}))
+
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	h := NewProxyGroupHandler(db)
+	grp := router.Group("/")
+	h.RegisterRoutes(grp)
+	return router, db
+}
+
+func doRequest(router *gin.Engine, method, path string, body any) *httptest.ResponseRecorder {
+	var b []byte
+	if body != nil {
+		b, _ = json.Marshal(body)
+	}
+	req, _ := http.NewRequest(method, path, bytes.NewBuffer(b))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	return w
+}
+
+func TestProxyGroupHandler_List_Empty(t *testing.T) {
+	router, _ := setupProxyGroupHandlerRouter(t)
+	w := doRequest(router, http.MethodGet, "/proxy-groups", nil)
+	assert.Equal(t, http.StatusOK, w.Code)
+	var result []any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &result))
+	assert.Empty(t, result)
+}
+
+func TestProxyGroupHandler_List_WithGroups(t *testing.T) {
+	router, db := setupProxyGroupHandlerRouter(t)
+	require.NoError(t, db.Create(&models.ProxyGroup{Name: "Beta"}).Error)
+	require.NoError(t, db.Create(&models.ProxyGroup{Name: "Alpha"}).Error)
+
+	w := doRequest(router, http.MethodGet, "/proxy-groups", nil)
+	assert.Equal(t, http.StatusOK, w.Code)
+	var result []map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &result))
+	assert.Len(t, result, 2)
+	assert.Equal(t, "Alpha", result[0]["name"])
+}
+
+func TestProxyGroupHandler_Create_Valid(t *testing.T) {
+	router, _ := setupProxyGroupHandlerRouter(t)
+	w := doRequest(router, http.MethodPost, "/proxy-groups", map[string]any{
+		"name":        "Production",
+		"description": "Prod services",
+		"color":       "#ff0000",
+	})
+	assert.Equal(t, http.StatusCreated, w.Code)
+	var result map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &result))
+	assert.Equal(t, "Production", result["name"])
+	assert.NotEmpty(t, result["uuid"])
+}
+
+func TestProxyGroupHandler_Create_EmptyName_400(t *testing.T) {
+	router, _ := setupProxyGroupHandlerRouter(t)
+	w := doRequest(router, http.MethodPost, "/proxy-groups", map[string]any{"name": ""})
+	assert.Equal(t, http.StatusBadRequest, w.Code)
+}
+
+func TestProxyGroupHandler_Create_DefaultColor(t *testing.T) {
+	router, _ := setupProxyGroupHandlerRouter(t)
+	w := doRequest(router, http.MethodPost, "/proxy-groups", map[string]any{"name": "NoColor"})
+	assert.Equal(t, http.StatusCreated, w.Code)
+	var result map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &result))
+	assert.Equal(t, "#6366f1", result["color"])
+}
+
+func TestProxyGroupHandler_Get_Found(t *testing.T) {
+	router, db := setupProxyGroupHandlerRouter(t)
+	group := &models.ProxyGroup{Name: "Find Me", Color: "#abc"}
+	require.NoError(t, db.Create(group).Error)
+
+	w := doRequest(router, http.MethodGet, "/proxy-groups/"+group.UUID, nil)
+	assert.Equal(t, http.StatusOK, w.Code)
+	var result map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &result))
+	assert.Equal(t, "Find Me", result["name"])
+	assert.Equal(t, float64(0), result["host_count"])
+}
+
+func TestProxyGroupHandler_Get_NotFound_404(t *testing.T) {
+	router, _ := setupProxyGroupHandlerRouter(t)
+	w := doRequest(router, http.MethodGet, "/proxy-groups/nonexistent-uuid", nil)
+	assert.Equal(t, http.StatusNotFound, w.Code)
+}
+
+func TestProxyGroupHandler_Update_PartialFields(t *testing.T) {
+	router, db := setupProxyGroupHandlerRouter(t)
+	group := &models.ProxyGroup{Name: "Old Name", Color: "#111"}
+	require.NoError(t, db.Create(group).Error)
+
+	newName := "New Name"
+	w := doRequest(router, http.MethodPut, "/proxy-groups/"+group.UUID, map[string]any{
+		"name": newName,
+	})
+	assert.Equal(t, http.StatusOK, w.Code)
+	var result map[string]any
+	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &result))
+	assert.Equal(t, "New Name", result["name"])
+}
+
+func TestProxyGroupHandler_Update_EmptyName_400(t *testing.T) {
+	router, db := setupProxyGroupHandlerRouter(t)
+	group := &models.ProxyGroup{Name: "Valid"}
+	require.NoError(t, db.Create(group).Error)
+
+	w := doRequest(router, http.MethodPut, "/proxy-groups/"+group.UUID, map[string]any{"name": "  "})
+	assert.Equal(t, http.StatusBadRequest, w.Code)
+}
+
+func TestProxyGroupHandler_Delete_204(t *testing.T) {
+	router, db := setupProxyGroupHandlerRouter(t)
+	group := &models.ProxyGroup{Name: "Delete Me"}
+	require.NoError(t, db.Create(group).Error)
+
+	w := doRequest(router, http.MethodDelete, "/proxy-groups/"+group.UUID, nil)
+	assert.Equal(t, http.StatusNoContent, w.Code)
+
+	var count int64
+	db.Model(&models.ProxyGroup{}).Count(&count)
+	assert.Equal(t, int64(0), count)
+}
+
+func TestProxyGroupHandler_Delete_NotFound_404(t *testing.T) {
+	router, _ := setupProxyGroupHandlerRouter(t)
+	w := doRequest(router, http.MethodDelete, "/proxy-groups/nonexistent-uuid", nil)
+	assert.Equal(t, http.StatusNotFound, w.Code)
+}
diff --git a/backend/internal/api/handlers/proxy_host_handler.go b/backend/internal/api/handlers/proxy_host_handler.go
index 95b42dd21..9eb435bde 100644
--- a/backend/internal/api/handlers/proxy_host_handler.go
+++ b/backend/internal/api/handlers/proxy_host_handler.go
@@ -63,6 +63,8 @@ type ProxyHostResponse struct {
 	DNSProviderID           *uint                         `json:"dns_provider_id,omitempty"`
 	DNSProvider             *models.DNSProvider           `json:"dns_provider,omitempty"`
 	UseDNSChallenge         bool                          `json:"use_dns_challenge"`
+	ProxyGroupID            *uint                         `json:"proxy_group_id,omitempty"`
+	ProxyGroup              *models.ProxyGroup            `json:"proxy_group,omitempty"`
 	CreatedAt               time.Time                     `json:"created_at"`
 	UpdatedAt               time.Time                     `json:"updated_at"`
 	Warnings                []ProxyHostWarning            `json:"warnings,omitempty"`
@@ -102,6 +104,8 @@ func NewProxyHostResponse(host *models.ProxyHost, warnings []ProxyHostWarning) P
 		DNSProviderID:           host.DNSProviderID,
 		DNSProvider:             host.DNSProvider,
 		UseDNSChallenge:         host.UseDNSChallenge,
+		ProxyGroupID:            host.ProxyGroupID,
+		ProxyGroup:              host.ProxyGroup,
 		CreatedAt:               host.CreatedAt,
 		UpdatedAt:               host.UpdatedAt,
 		Warnings:                warnings,
@@ -248,6 +252,38 @@ func (h *ProxyHostHandler) resolveSecurityHeaderProfileReference(value any) (*ui
 	return &id, nil
 }
 
+func (h *ProxyHostHandler) resolveProxyGroupReference(value any) (*uint, error) {
+	if value == nil {
+		return nil, nil
+	}
+
+	parsedID, parseErr := parseNullableUintField(value, "proxy_group_id")
+	if parseErr == nil {
+		return parsedID, nil
+	}
+
+	uuidValue, isString := value.(string)
+	if !isString {
+		return nil, parseErr
+	}
+
+	trimmed := strings.TrimSpace(uuidValue)
+	if trimmed == "" {
+		return nil, nil
+	}
+
+	var pg models.ProxyGroup
+	if err := h.db.Select("id").Where("uuid = ?", trimmed).First(&pg).Error; err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, fmt.Errorf("proxy group not found")
+		}
+		return nil, fmt.Errorf("failed to resolve proxy group")
+	}
+
+	id := pg.ID
+	return &id, nil
+}
+
 func (h *ProxyHostHandler) resolveCertificateReference(value any) (*uint, error) {
 	if value == nil {
 		return nil, nil
@@ -374,6 +410,15 @@ func (h *ProxyHostHandler) Create(c *gin.Context) {
 		payload["security_header_profile_id"] = resolvedSecurityHeaderID
 	}
 
+	if rawGroupRef, ok := payload["proxy_group_id"]; ok {
+		resolvedGroupID, resolveErr := h.resolveProxyGroupReference(rawGroupRef)
+		if resolveErr != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": resolveErr.Error()})
+			return
+		}
+		payload["proxy_group_id"] = resolvedGroupID
+	}
+
 	if rawCertRef, ok := payload["certificate_id"]; ok {
 		resolvedCertID, resolveErr := h.resolveCertificateReference(rawCertRef)
 		if resolveErr != nil {
@@ -580,6 +625,15 @@ func (h *ProxyHostHandler) Update(c *gin.Context) {
 		host.AccessListID = resolvedAccessListID
 	}
 
+	if v, ok := payload["proxy_group_id"]; ok {
+		resolvedGroupID, resolveErr := h.resolveProxyGroupReference(v)
+		if resolveErr != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": resolveErr.Error()})
+			return
+		}
+		host.ProxyGroupID = resolvedGroupID
+	}
+
 	if v, ok := payload["dns_provider_id"]; ok {
 		parsedID, parseErr := parseNullableUintField(v, "dns_provider_id")
 		if parseErr != nil {
diff --git a/backend/internal/api/routes/routes.go b/backend/internal/api/routes/routes.go
index 1ed53775b..19335ed42 100644
--- a/backend/internal/api/routes/routes.go
+++ b/backend/internal/api/routes/routes.go
@@ -98,6 +98,7 @@ func RegisterWithDeps(ctx context.Context, router *gin.Engine, db *gorm.DB, cfg
 
 	// AutoMigrate all models for Issue #5 persistence layer
 	if err := db.AutoMigrate(
+		&models.ProxyGroup{},  // must precede ProxyHost (FK dependency)
 		&models.ProxyHost{},
 		&models.Location{},
 		&models.CaddyConfig{},
@@ -759,6 +760,9 @@ func RegisterWithDeps(ctx context.Context, router *gin.Engine, db *gorm.DB, cfg
 		proxyHostHandler := handlers.NewProxyHostHandler(db, caddyManager, notificationService, uptimeService)
 		proxyHostHandler.RegisterRoutes(management)
 
+		proxyGroupHandler := handlers.NewProxyGroupHandler(db)
+		proxyGroupHandler.RegisterRoutes(management)
+
 		remoteServerHandler := handlers.NewRemoteServerHandler(remoteServerService, notificationService)
 		remoteServerHandler.RegisterRoutes(management)
 	}
diff --git a/backend/internal/models/proxy_group.go b/backend/internal/models/proxy_group.go
new file mode 100644
index 000000000..803a88182
--- /dev/null
+++ b/backend/internal/models/proxy_group.go
@@ -0,0 +1,27 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+// ProxyGroup represents a named group for organizing proxy hosts.
+type ProxyGroup struct {
+	ID          uint      `json:"-" gorm:"primaryKey"`
+	UUID        string    `json:"uuid" gorm:"uniqueIndex;not null"`
+	Name        string    `json:"name" gorm:"not null;index"`
+	Description string    `json:"description" gorm:"type:text"`
+	Color       string    `json:"color" gorm:"default:#6366f1"`
+	CreatedAt   time.Time `json:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at"`
+}
+
+// BeforeCreate assigns a UUID if one has not been set.
+func (g *ProxyGroup) BeforeCreate(tx *gorm.DB) (err error) {
+	if g.UUID == "" {
+		g.UUID = uuid.New().String()
+	}
+	return
+}
diff --git a/backend/internal/models/proxy_host.go b/backend/internal/models/proxy_host.go
index d31bfe0b4..c82b1eda3 100644
--- a/backend/internal/models/proxy_host.go
+++ b/backend/internal/models/proxy_host.go
@@ -58,6 +58,10 @@ type ProxyHost struct {
 	DNSProvider     *DNSProvider `json:"dns_provider,omitempty" gorm:"foreignKey:DNSProviderID"`
 	UseDNSChallenge bool         `json:"use_dns_challenge" gorm:"default:false"`
 
+	// Proxy Group assignment
+	ProxyGroupID *uint        `json:"proxy_group_id,omitempty" gorm:"index"`
+	ProxyGroup   *ProxyGroup  `json:"proxy_group,omitempty" gorm:"foreignKey:ProxyGroupID"`
+
 	CreatedAt time.Time `json:"created_at"`
 	UpdatedAt time.Time `json:"updated_at"`
 }
diff --git a/backend/internal/services/proxy_group_service.go b/backend/internal/services/proxy_group_service.go
new file mode 100644
index 000000000..ec299e232
--- /dev/null
+++ b/backend/internal/services/proxy_group_service.go
@@ -0,0 +1,79 @@
+package services
+
+import (
+	"errors"
+	"fmt"
+
+	"gorm.io/gorm"
+
+	"github.com/Wikid82/charon/backend/internal/models"
+)
+
+var (
+	ErrProxyGroupNotFound  = errors.New("proxy group not found")
+	ErrProxyGroupNameEmpty = errors.New("proxy group name cannot be empty")
+)
+
+// ProxyGroupService handles CRUD operations for proxy groups.
+type ProxyGroupService struct {
+	db *gorm.DB
+}
+
+// NewProxyGroupService creates a new ProxyGroupService.
+func NewProxyGroupService(db *gorm.DB) *ProxyGroupService {
+	return &ProxyGroupService{db: db}
+}
+
+// Create persists a new proxy group.
+func (s *ProxyGroupService) Create(group *models.ProxyGroup) error {
+	if group.Name == "" {
+		return ErrProxyGroupNameEmpty
+	}
+	return s.db.Create(group).Error
+}
+
+// List returns all proxy groups ordered by name ascending.
+func (s *ProxyGroupService) List() ([]models.ProxyGroup, error) {
+	var groups []models.ProxyGroup
+	if err := s.db.Order("name asc").Find(&groups).Error; err != nil {
+		return nil, err
+	}
+	return groups, nil
+}
+
+// GetByUUID returns the proxy group with the given UUID.
+func (s *ProxyGroupService) GetByUUID(uuidStr string) (*models.ProxyGroup, error) {
+	var group models.ProxyGroup
+	result := s.db.Where("uuid = ?", uuidStr).Limit(1).Find(&group)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	if result.RowsAffected == 0 {
+		return nil, ErrProxyGroupNotFound
+	}
+	return &group, nil
+}
+
+// Update saves changes to an existing proxy group.
+func (s *ProxyGroupService) Update(group *models.ProxyGroup) error {
+	return s.db.Save(group).Error
+}
+
+// Delete removes the proxy group and unassigns any hosts that belonged to it.
+func (s *ProxyGroupService) Delete(id uint) error {
+	return s.db.Transaction(func(tx *gorm.DB) error {
+		if err := tx.Model(&models.ProxyHost{}).
+			Where("proxy_group_id = ?", id).
+			Update("proxy_group_id", nil).Error; err != nil {
+			return fmt.Errorf("failed to unassign proxy hosts: %w", err)
+		}
+		return tx.Delete(&models.ProxyGroup{}, id).Error
+	})
+}
+
+// GetHostCount returns the number of proxy hosts assigned to the given group.
+func (s *ProxyGroupService) GetHostCount(id uint) (int64, error) {
+	var count int64
+	err := s.db.Model(&models.ProxyHost{}).Where("proxy_group_id = ?", id).Count(&count).Error
+	return count, err
+}
diff --git a/backend/internal/services/proxy_group_service_test.go b/backend/internal/services/proxy_group_service_test.go
new file mode 100644
index 000000000..f984e8c88
--- /dev/null
+++ b/backend/internal/services/proxy_group_service_test.go
@@ -0,0 +1,142 @@
+package services
+
+import (
+	"testing"
+
+	"github.com/Wikid82/charon/backend/internal/models"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupProxyGroupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	require.NoError(t, err)
+	require.NoError(t, db.AutoMigrate(&models.ProxyGroup{}, &models.ProxyHost{}))
+	return db
+}
+
+func TestProxyGroupService_Create(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	group := &models.ProxyGroup{Name: "Production", Color: "#ff0000"}
+	err := svc.Create(group)
+	require.NoError(t, err)
+	assert.NotEmpty(t, group.UUID)
+	assert.NotZero(t, group.ID)
+}
+
+func TestProxyGroupService_Create_EmptyName(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	err := svc.Create(&models.ProxyGroup{Name: ""})
+	assert.ErrorIs(t, err, ErrProxyGroupNameEmpty)
+}
+
+func TestProxyGroupService_List(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	require.NoError(t, svc.Create(&models.ProxyGroup{Name: "Zebra"}))
+	require.NoError(t, svc.Create(&models.ProxyGroup{Name: "Alpha"}))
+
+	groups, err := svc.List()
+	require.NoError(t, err)
+	require.Len(t, groups, 2)
+	assert.Equal(t, "Alpha", groups[0].Name)
+	assert.Equal(t, "Zebra", groups[1].Name)
+}
+
+func TestProxyGroupService_GetByUUID(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	created := &models.ProxyGroup{Name: "Test Group"}
+	require.NoError(t, svc.Create(created))
+
+	t.Run("found", func(t *testing.T) {
+		got, err := svc.GetByUUID(created.UUID)
+		require.NoError(t, err)
+		assert.Equal(t, created.Name, got.Name)
+	})
+
+	t.Run("not found", func(t *testing.T) {
+		_, err := svc.GetByUUID("non-existent-uuid")
+		assert.ErrorIs(t, err, ErrProxyGroupNotFound)
+	})
+}
+
+func TestProxyGroupService_Update(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	group := &models.ProxyGroup{Name: "Original", Color: "#111111"}
+	require.NoError(t, svc.Create(group))
+
+	group.Name = "Updated"
+	group.Description = "New description"
+	group.Color = "#222222"
+	require.NoError(t, svc.Update(group))
+
+	got, err := svc.GetByUUID(group.UUID)
+	require.NoError(t, err)
+	assert.Equal(t, "Updated", got.Name)
+	assert.Equal(t, "New description", got.Description)
+	assert.Equal(t, "#222222", got.Color)
+}
+
+func TestProxyGroupService_Delete_ClearsHostAssignments(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	group := &models.ProxyGroup{Name: "ToDelete"}
+	require.NoError(t, svc.Create(group))
+
+	host := &models.ProxyHost{
+		UUID:          "test-host-uuid",
+		DomainNames:   "example.com",
+		ForwardScheme: "http",
+		ForwardHost:   "localhost",
+		ForwardPort:   80,
+		ProxyGroupID:  &group.ID,
+	}
+	require.NoError(t, db.Create(host).Error)
+
+	require.NoError(t, svc.Delete(group.ID))
+
+	var updated models.ProxyHost
+	require.NoError(t, db.First(&updated, host.ID).Error)
+	assert.Nil(t, updated.ProxyGroupID)
+
+	var count int64
+	db.Model(&models.ProxyGroup{}).Count(&count)
+	assert.Equal(t, int64(0), count)
+}
+
+func TestProxyGroupService_GetHostCount(t *testing.T) {
+	db := setupProxyGroupTestDB(t)
+	svc := NewProxyGroupService(db)
+
+	group := &models.ProxyGroup{Name: "Counted"}
+	require.NoError(t, svc.Create(group))
+
+	for i := range 3 {
+		h := &models.ProxyHost{
+			UUID:          "host-uuid-" + string(rune('a'+i)),
+			DomainNames:   "test.com",
+			ForwardScheme: "http",
+			ForwardHost:   "localhost",
+			ForwardPort:   80 + i,
+			ProxyGroupID:  &group.ID,
+		}
+		require.NoError(t, db.Create(h).Error)
+	}
+
+	count, err := svc.GetHostCount(group.ID)
+	require.NoError(t, err)
+	assert.Equal(t, int64(3), count)
+}
diff --git a/backend/internal/services/proxyhost_service.go b/backend/internal/services/proxyhost_service.go
index ded58f089..a104e00d8 100644
--- a/backend/internal/services/proxyhost_service.go
+++ b/backend/internal/services/proxyhost_service.go
@@ -227,7 +227,7 @@ func (s *ProxyHostService) GetByID(id uint) (*models.ProxyHost, error) {
 // GetByUUID finds a proxy host by UUID.
 func (s *ProxyHostService) GetByUUID(uuidStr string) (*models.ProxyHost, error) {
 	var host models.ProxyHost
-	if err := s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Preload("SecurityHeaderProfile").Where("uuid = ?", uuidStr).First(&host).Error; err != nil {
+	if err := s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Preload("SecurityHeaderProfile").Preload("ProxyGroup").Where("uuid = ?", uuidStr).First(&host).Error; err != nil {
 		return nil, err
 	}
 	return &host, nil
@@ -236,7 +236,7 @@ func (s *ProxyHostService) GetByUUID(uuidStr string) (*models.ProxyHost, error)
 // List returns all proxy hosts.
 func (s *ProxyHostService) List() ([]models.ProxyHost, error) {
 	var hosts []models.ProxyHost
-	if err := s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Preload("SecurityHeaderProfile").Order("updated_at desc").Find(&hosts).Error; err != nil {
+	if err := s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Preload("SecurityHeaderProfile").Preload("ProxyGroup").Order("updated_at desc").Find(&hosts).Error; err != nil {
 		return nil, err
 	}
 	return hosts, nil
diff --git a/backend/internal/services/proxyhost_service_group_test.go b/backend/internal/services/proxyhost_service_group_test.go
new file mode 100644
index 000000000..a495b8cd3
--- /dev/null
+++ b/backend/internal/services/proxyhost_service_group_test.go
@@ -0,0 +1,74 @@
+package services
+
+import (
+	"testing"
+
+	"github.com/Wikid82/charon/backend/internal/models"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupProxyHostGroupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	require.NoError(t, err)
+	require.NoError(t, db.AutoMigrate(
+		&models.ProxyGroup{},
+		&models.ProxyHost{},
+		&models.Location{},
+		&models.SSLCertificate{},
+		&models.AccessList{},
+		&models.SecurityHeaderProfile{},
+		&models.DNSProvider{},
+	))
+	return db
+}
+
+func TestProxyHostService_List_PreloadsGroup(t *testing.T) {
+	db := setupProxyHostGroupTestDB(t)
+	svc := NewProxyHostService(db)
+
+	group := &models.ProxyGroup{Name: "Web Services", Color: "#00ff00"}
+	require.NoError(t, db.Create(group).Error)
+
+	host := &models.ProxyHost{
+		UUID:          "host-list-uuid",
+		DomainNames:   "example.com",
+		ForwardScheme: "http",
+		ForwardHost:   "localhost",
+		ForwardPort:   80,
+		ProxyGroupID:  &group.ID,
+	}
+	require.NoError(t, db.Create(host).Error)
+
+	hosts, err := svc.List()
+	require.NoError(t, err)
+	require.Len(t, hosts, 1)
+	require.NotNil(t, hosts[0].ProxyGroup)
+	assert.Equal(t, "Web Services", hosts[0].ProxyGroup.Name)
+}
+
+func TestProxyHostService_GetByUUID_PreloadsGroup(t *testing.T) {
+	db := setupProxyHostGroupTestDB(t)
+	svc := NewProxyHostService(db)
+
+	group := &models.ProxyGroup{Name: "API Services", Color: "#0000ff"}
+	require.NoError(t, db.Create(group).Error)
+
+	host := &models.ProxyHost{
+		UUID:          "host-getbyuuid-uuid",
+		DomainNames:   "api.example.com",
+		ForwardScheme: "https",
+		ForwardHost:   "localhost",
+		ForwardPort:   443,
+		ProxyGroupID:  &group.ID,
+	}
+	require.NoError(t, db.Create(host).Error)
+
+	got, err := svc.GetByUUID("host-getbyuuid-uuid")
+	require.NoError(t, err)
+	require.NotNil(t, got.ProxyGroup)
+	assert.Equal(t, "API Services", got.ProxyGroup.Name)
+}
diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md
index 9816b8cbc..acf10fd88 100644
--- a/docs/plans/current_spec.md
+++ b/docs/plans/current_spec.md
@@ -1,722 +1,1073 @@
-# CI Fix — ESLint + Backend Test Failures
+# Proxy Groups for Better Organization — Implementation Specification
 
-**Branch**: `fix/ci-eslint-backend-test`
-**PR**: Targets `development`
-**Date**: 2026-05-29
+**Feature**: Issue #254 — Proxy Groups
+**Branch**: `feature/proxy_groups`
+**Status**: Planning
+**Complexity**: Medium
 
 ---
 
-> **Archived**: The previous spec (CI Fix — Vitest `invites a new user` Failure) has been
-> superseded. This document covers the active CI failures.
+## 1. Executive Summary
+
+Proxy Groups allows users to organize their proxy hosts into named, color-coded groups (folders). A group is a lightweight container that holds zero or more proxy hosts. Groups appear in the Proxy Hosts page as collapsible sections, letting users manage large sets of hosts without losing them in a flat list.
+
+**Goals:**
+- Create, rename, recolor, and delete groups via the UI
+- Assign proxy hosts to groups (one group per host, optional)
+- Display hosts grouped on the Proxy Hosts page (ungrouped hosts shown last)
+- Full CRUD API for groups
+- Bulk-assign hosts to a group (multi-select in table → assign to group)
+
+**Non-Goals (explicitly out of scope):**
+- Nested/hierarchical groups
+- Group-level enable/disable toggle (hosts retain individual control)
+- Group-level certificate or access list assignment
+- Sorting/reordering groups beyond alphabetical (future)
+- Tags or multi-group membership
 
 ---
 
-## 1. Introduction
+## 2. Research Findings
 
-### Overview
+### 2.1 Backend Architecture
 
-Multiple CI jobs in `quality-checks.yml` are failing. The failures split across two domains:
+**Module**: `github.com/Wikid82/charon/backend`
 
-1. **Frontend ESLint** — Blocking job; 7 distinct lint violations across 5 source files and 1
-   test file.
-2. **Backend test suite** — Blocking job (via `scripts/go-test-coverage.sh`);
-   `TestSecurityHandler_UpsertRuleSet_XSSInContent` fails when the full handler package test suite
-   runs in parallel.
+**GORM Pattern** (confirmed from `models/domain.go`, `models/access_list.go`):
+- Internal `ID uint` hidden with `json:"-"`
+- External `UUID string` with `json:"uuid" gorm:"uniqueIndex;not null"`
+- `BeforeCreate` hook for UUID generation
+- No soft delete for this type of model (same pattern as AccessList)
 
-Backend **lint** violations exist but are configured with `continue-on-error: true` and are
-therefore non-blocking. They are explicitly excluded from this plan.
+**Routes Registration** (`backend/internal/api/routes/routes.go`):
+- AutoMigrate list at ~line 110 — needs `&models.ProxyGroup{}` added
+- Handler registration pattern at ~line 760-762 (after ProxyHostHandler):
+  ```go
+  proxyHostHandler := handlers.NewProxyHostHandler(db, caddyManager, notificationService, uptimeService)
+  proxyHostHandler.RegisterRoutes(management)
+  ```
+- Complex handlers use `RegisterRoutes(management *gin.RouterGroup)` pattern
 
-### Objectives
+**ProxyHost FK Pattern** (confirmed from `models/uptime.go`, `models/proxy_host.go`):
+```go
+ProxyGroupID *uint        `json:"proxy_group_id,omitempty" gorm:"index"`
+ProxyGroup   *ProxyGroup  `json:"proxy_group,omitempty" gorm:"foreignKey:ProxyGroupID"`
+```
 
-- Restore all CI jobs to green in a single PR composed of 6 ordered, reviewable commits.
-- No feature changes; this is a pure fix/refactor to make the test suite and linter pass.
+**ProxyHostService.List** (`services/proxyhost_service.go` line 237):
+```go
+s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Preload("SecurityHeaderProfile").Order("updated_at desc").Find(&hosts)
+```
+Must add `Preload("ProxyGroup")`.
 
----
+**ProxyHostService.GetByUUID** (line 228):
+```go
+s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").Preload("SecurityHeaderProfile").Where("uuid = ?", uuidStr).First(&host)
+```
+Must add `Preload("ProxyGroup")`.
 
-## 2. Research Findings
+**No existing proxy group code** — zero references in backend or frontend confirmed via search.
 
-### 2.1 CI Workflow
+### 2.2 Frontend Architecture
 
-**File**: `.github/workflows/quality-checks.yml`
+**React Query pattern** (`hooks/useProxyHosts.ts`):
+```ts
+const query = useQuery({ queryKey: QUERY_KEY, queryFn: getProxyHosts });
+const mutation = useMutation({ mutationFn: ..., onSuccess: () => queryClient.invalidateQueries(...) });
+```
 
-| Job | Script / Command | Blocking? |
-|-----|-----------------|-----------|
-| Backend tests + coverage | `scripts/go-test-coverage.sh` | **Yes** |
-| Backend lint | `golangci/golangci-lint-action@v9.2.0` with `continue-on-error: true` | No |
-| Frontend ESLint | `npm run lint` | **Yes** |
-| Frontend type-check | `npm run type-check` | Yes |
-| Frontend unit tests | `scripts/frontend-test-coverage.sh` | Yes |
+**API client pattern** (`api/accessLists.ts`):
+```ts
+export const accessListsApi = {
+  async list(): Promise<AccessList[]> { ... },
+  async get(uuid: string): Promise<AccessList> { ... },
+  async create(data: CreateRequest): Promise<AccessList> { ... },
+  async update(uuid: string, data: Partial<CreateRequest>): Promise<AccessList> { ... },
+  async delete(uuid: string): Promise<void> { ... },
+};
+```
 
-`scripts/go-test-coverage.sh` captures `GO_TEST_STATUS` from the test run, applies the coverage
-gate, and at the end bubbles up any non-zero test exit code (script lines 290-295). A single
-failing test therefore causes the job to exit non-zero.
+**Routing** (`App.tsx`): No new top-level route needed — proxy groups are managed from within the Proxy Hosts page via modals.
 
-### 2.2 Frontend ESLint — Root Causes
+**Navigation** (`components/Layout.tsx`): No nav change needed — groups are a sub-feature of Proxy Hosts.
 
-**ESLint plugins in use** (`frontend/eslint.config.js`):
-`jsx-a11y`, `security`, `react-refresh`, `@vitest/eslint-plugin` (aliased as `vitest`)
+**UI Components available**: `Dialog`, `Button`, `Badge`, `Input`, `Textarea`, `DataTable`, `EmptyState`, `Card`
 
-#### Failure 1 — Duplicate devDependencies
+---
 
-`frontend/package.json` contains three devDependency keys that each appear twice:
+## 3. Database Schema Changes
 
-| Duplicate key | Affected lines |
-|---|---|
-| `@typescript-eslint/eslint-plugin` | first occurrence + second set ~lines 74-76 |
-| `@typescript-eslint/parser` | same |
-| `@typescript-eslint/utils` | same |
+### 3.1 New Table: `proxy_groups`
 
-npm treats a duplicate key as a parse-time error that prevents consistent lock-file resolution,
-causing the ESLint run to fail with a dependency error.
+| Column        | Type     | Constraints              | Notes                      |
+|--------------|----------|--------------------------|----------------------------|
+| `id`         | INTEGER  | PRIMARY KEY AUTOINCREMENT | Internal, never serialized |
+| `uuid`       | TEXT     | UNIQUE NOT NULL           | External identifier        |
+| `name`       | TEXT     | NOT NULL, INDEX           | Display name               |
+| `description`| TEXT     |                           | Optional                   |
+| `color`      | TEXT     | DEFAULT `#6366f1`         | Hex color for badge        |
+| `created_at` | DATETIME |                           |                            |
+| `updated_at` | DATETIME |                           |                            |
 
-#### Failure 2 — Unsafe regex (`security/detect-unsafe-regex`)
+### 3.2 Modified Table: `proxy_hosts`
 
-**File**: `frontend/src/components/CredentialManager.tsx`
+Add one new nullable column:
 
-`validateZoneFilter` uses a regex with nested quantifiers. The rule flags it as a potential ReDoS
-vector. The regex is intentional; the risk is acceptable for this context.
+| Column           | Type    | Constraints               | Notes               |
+|-----------------|---------|---------------------------|---------------------|
+| `proxy_group_id` | INTEGER | INDEX, FK → proxy_groups(id) | NULL = ungrouped |
 
-**Fix**: Add an inline `// eslint-disable-next-line security/detect-unsafe-regex` with a
-justification comment immediately before the regex literal.
+GORM `foreignKey:ProxyGroupID` wires the association. SQLite `ON DELETE SET NULL` is **not** used via GORM tag — the `ProxyGroupService.Delete` method explicitly clears host associations before deleting the group for consistent cross-database behavior.
 
-#### Failure 3 — Non-component exports (`react-refresh/only-export-components`)
+---
 
-**File**: `frontend/src/components/CertificateList.tsx` — lines 20 and 24
+## 4. Backend Implementation Plan
 
-```tsx
-export function isInUse(cert: Certificate): boolean { ... }    // line 20
-export function isDeletable(cert: Certificate): boolean { ... } // line 24
-```
+### 4.1 New File: `backend/internal/models/proxy_group.go`
 
-`react-refresh` requires component files export **only React components**. Exporting plain utility
-functions breaks HMR and triggers this rule.
+```go
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+type ProxyGroup struct {
+	ID          uint      `json:"-" gorm:"primaryKey"`
+	UUID        string    `json:"uuid" gorm:"uniqueIndex;not null"`
+	Name        string    `json:"name" gorm:"not null;index"`
+	Description string    `json:"description" gorm:"type:text"`
+	Color       string    `json:"color" gorm:"default:#6366f1"`
+	CreatedAt   time.Time `json:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at"`
+}
 
-**Known import sites** (must be updated after move):
-- `frontend/src/components/__tests__/CertificateList.test.tsx` line 8
+func (g *ProxyGroup) BeforeCreate(tx *gorm.DB) (err error) {
+	if g.UUID == "" {
+		g.UUID = uuid.New().String()
+	}
+	return
+}
+```
 
-**Fix**: Move both functions to a new `frontend/src/utils/certificateUtils.ts`; update all import
-sites; keep internal calls in `CertificateList.tsx` via the new import.
+**Notes:**
+- No `gorm.DeletedAt` — groups are hard-deleted (same as AccessList model)
+- Color defaults to indigo (`#6366f1`) matching the project's design system
+- No `ProxyHosts []ProxyHost` back-reference to avoid N+1 on group list
 
-#### Failure 4 — Label on non-labelable elements (`jsx-a11y/label-has-associated-control`)
+### 4.2 Modify: `backend/internal/models/proxy_host.go`
 
-5 violations across 3 files:
+Add after the `DNSProvider *DNSProvider` field, before the next section:
 
-| File | Line | Element | Problem |
-|---|---|---|---|
-| `frontend/src/components/CSPBuilder.tsx` | ~326 | `<label>` wrapping `<pre>` | `<pre>` is not a labelable element |
-| `frontend/src/components/AccessListSelector.tsx` | ~128 | `<label>` with no `htmlFor` before custom `<Select>` | custom component not natively labelable |
-| `frontend/src/components/AccessListForm.tsx` | ~385 | `<label id="access-list-enabled-label">` | no `htmlFor`; paired with `<Switch aria-labelledby="...">` |
-| `frontend/src/components/AccessListForm.tsx` | ~401 | `<label id="access-list-local-network-label">` | same pattern |
-| `frontend/src/components/AccessListForm.tsx` | ~422 | `<label>` | no `id`, no `htmlFor` |
+```go
+ProxyGroupID *uint        `json:"proxy_group_id,omitempty" gorm:"index"`
+ProxyGroup   *ProxyGroup  `json:"proxy_group,omitempty" gorm:"foreignKey:ProxyGroupID"`
+```
 
-**Fix for AccessListForm lines 385 & 401**: Replace `<label id="...">` → `<span id="...">` to
-preserve the `id` referenced by `aria-labelledby` on the paired `<Switch>` components.
+### 4.3 New File: `backend/internal/services/proxy_group_service.go`
 
-**Fix for all others**: Replace `<label>` → `<span>` (no `id` or `aria-*` changes needed).
+```go
+package services
 
-> **Accessibility note**: `<span id="...">` with `aria-labelledby` on the control is the
-> WCAG 2.2-compliant approach when the control is a custom component that does not expose a native
-> labelable element.
+import (
+	"errors"
+	"fmt"
 
-#### Failure 5 — Skipped tests (`vitest/prefer-todo` / `vitest/no-disabled-tests`)
+	"gorm.io/gorm"
 
-**File**: `frontend/src/api/__tests__/logs-websocket.test.ts` — lines 134 and 151
+	"github.com/Wikid82/charon/backend/internal/models"
+)
 
-Both use `it.skip('description', () => { ... })` with full test bodies. The rule requires either
-a passing test or `it.todo('description')` (no body) for placeholder tests.
+var (
+	ErrProxyGroupNotFound  = errors.New("proxy group not found")
+	ErrProxyGroupNameEmpty = errors.New("proxy group name cannot be empty")
+)
 
-**Fix**: Replace both with `it.todo('description')` and remove the test bodies.
+type ProxyGroupService struct {
+	db *gorm.DB
+}
 
-### 2.3 Backend Test Failure — Root Cause
+func NewProxyGroupService(db *gorm.DB) *ProxyGroupService {
+	return &ProxyGroupService{db: db}
+}
 
-#### Failing test
+func (s *ProxyGroupService) Create(group *models.ProxyGroup) error {
+	if group.Name == "" {
+		return ErrProxyGroupNameEmpty
+	}
+	return s.db.Create(group).Error
+}
 
-**File**: `backend/internal/api/handlers/security_handler_audit_test.go`
-**Test**: `TestSecurityHandler_UpsertRuleSet_XSSInContent` (line ~395)
+func (s *ProxyGroupService) List() ([]models.ProxyGroup, error) {
+	var groups []models.ProxyGroup
+	if err := s.db.Order("name asc").Find(&groups).Error; err != nil {
+		return nil, err
+	}
+	return groups, nil
+}
 
-**Observed failures** (full suite run only; passes in isolation):
-```
-Error: Not equal:
-    expected: 200
-    actual  : 500
-Error: "{\"error\":\"failed to list rule sets\"}" does not contain "\\u003cscript\\u003e"
-```
+func (s *ProxyGroupService) GetByUUID(uuidStr string) (*models.ProxyGroup, error) {
+	var group models.ProxyGroup
+	result := s.db.Where("uuid = ?", uuidStr).Limit(1).Find(&group)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	if result.RowsAffected == 0 {
+		return nil, ErrProxyGroupNotFound
+	}
+	return &group, nil
+}
 
-Documented as pre-existing failure PE-001 in
-`docs/reports/qa_report_import_save_regression.md`.
+func (s *ProxyGroupService) Update(group *models.ProxyGroup) error {
+	return s.db.Save(group).Error
+}
 
-#### Code path to failure
+// Delete removes a group and unassigns all its proxy hosts (sets proxy_group_id = NULL).
+// Hosts are not deleted. Both operations are wrapped in a transaction for atomicity.
+func (s *ProxyGroupService) Delete(id uint) error {
+	return s.db.Transaction(func(tx *gorm.DB) error {
+		if err := tx.Model(&models.ProxyHost{}).
+			Where("proxy_group_id = ?", id).
+			Update("proxy_group_id", nil).Error; err != nil {
+			return fmt.Errorf("failed to unassign proxy hosts: %w", err)
+		}
+		return tx.Delete(&models.ProxyGroup{}, id).Error
+	})
+}
 
-1. `UpsertRuleSet` handler (lines 401-435 of `security_handler.go`) calls
-   `h.svc.UpsertRuleSet(&payload)`. On any error it returns HTTP 500.
-2. `UpsertRuleSet` service method (lines 413-455 of `security_service.go`) executes
-   `s.db.Where("name = ?", r.Name).First(&existing)`. If this returns **any error other than**
-   `ErrRecordNotFound`, it returns that error immediately. Under SQLite busy-lock conditions the
-   query returns `SQLITE_BUSY`, which is returned to the handler, causing HTTP 500.
-3. The subsequent GET `ListRuleSets` call also fails (DB connection in a broken state), producing
-   the `"failed to list rule sets"` response.
+// GetHostCount returns the number of proxy hosts assigned to a group.
+func (s *ProxyGroupService) GetHostCount(id uint) (int64, error) {
+	var count int64
+	err := s.db.Model(&models.ProxyHost{}).Where("proxy_group_id = ?", id).Count(&count).Error
+	return count, err
+}
+```
 
-#### Why parallel tests cause locking
+### 4.4 New File: `backend/internal/api/handlers/proxy_group_handler.go`
 
-`setupAuditTestDB` creates a **file-based** SQLite database:
 ```go
-dsn := filepath.Join(t.TempDir(), "security_handler_audit_test.db") +
-    "?_busy_timeout=5000&_journal_mode=WAL"
-db.SetMaxOpenConns(1)
-db.SetMaxIdleConns(1)
-```
+package handlers
 
-Many other handler test files use `t.Parallel()` (confirmed: `auth_handler_test.go`,
-`proxy_host_handler_test.go`, `proxy_host_handler_update_test.go`). These tests execute
-concurrently with the audit tests in a full package run.
+import (
+	"net/http"
+	"strings"
 
-`NewSecurityHandler` calls `services.NewSecurityService(db)` which immediately starts a
-`processAuditEvents()` background goroutine. Because `SecurityHandler.svc` is an **unexported
-field**, callers cannot invoke `svc.Close()` directly. All 14 `NewSecurityHandler` call sites in
-`security_handler_audit_test.go` register **no cleanup** for the service goroutine — unlike
-`security_service_test.go` which always registers `t.Cleanup(func() { svc.Close() })`.
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
 
-Under parallel load: accumulated open goroutines each holding WAL-mode file-based SQLite
-connections cause `SQLITE_BUSY` errors despite the 5-second busy-timeout.
+	"github.com/Wikid82/charon/backend/internal/models"
+	"github.com/Wikid82/charon/backend/internal/services"
+)
 
-#### Fix strategy (two complementary changes)
+type ProxyGroupHandler struct {
+	service *services.ProxyGroupService
+	db      *gorm.DB
+}
 
-**A — Add `Close()` to `SecurityHandler` + register cleanup at all 14 call sites**
+func NewProxyGroupHandler(db *gorm.DB) *ProxyGroupHandler {
+	return &ProxyGroupHandler{
+		service: services.NewProxyGroupService(db),
+		db:      db,
+	}
+}
 
-Stops goroutine accumulation. An exported `Close()` method is required because `svc` is
-unexported.
+func (h *ProxyGroupHandler) RegisterRoutes(router *gin.RouterGroup) {
+	router.GET("/proxy-groups", h.List)
+	router.POST("/proxy-groups", h.Create)
+	router.GET("/proxy-groups/:uuid", h.Get)
+	router.PUT("/proxy-groups/:uuid", h.Update)
+	router.DELETE("/proxy-groups/:uuid", h.Delete)
+}
 
-**B — Convert `setupAuditTestDB` from file-based to in-memory SQLite**
+func (h *ProxyGroupHandler) List(c *gin.Context) {
+	groups, err := h.service.List()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, groups)
+}
 
-`OpenTestDB(t)` (defined in `testdb.go`) creates a uniquely-named in-memory SQLite with
-`mode=memory&cache=shared` and auto-registered cleanup. This eliminates WAL file-lock as a
-failure vector, matching the pattern used by all working handler tests.
+func (h *ProxyGroupHandler) Create(c *gin.Context) {
+	var payload struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+		Color       string `json:"color"`
+	}
+	if err := c.ShouldBindJSON(&payload); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	group := models.ProxyGroup{
+		Name:        strings.TrimSpace(payload.Name),
+		Description: payload.Description,
+		Color:       payload.Color,
+	}
+	if group.Color == "" {
+		group.Color = "#6366f1"
+	}
+	if err := h.service.Create(&group); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusCreated, group)
+}
 
-Both changes together provide defense in depth: goroutine lifecycle is clean AND the DB is not
-susceptible to file-locking under concurrent load.
+func (h *ProxyGroupHandler) Get(c *gin.Context) {
+	group, err := h.service.GetByUUID(c.Param("uuid"))
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "proxy group not found"})
+		return
+	}
+	count, _ := h.service.GetHostCount(group.ID)
+	c.JSON(http.StatusOK, gin.H{
+		"uuid":        group.UUID,
+		"name":        group.Name,
+		"description": group.Description,
+		"color":       group.Color,
+		"host_count":  count,
+		"created_at":  group.CreatedAt,
+		"updated_at":  group.UpdatedAt,
+	})
+}
 
----
+func (h *ProxyGroupHandler) Update(c *gin.Context) {
+	group, err := h.service.GetByUUID(c.Param("uuid"))
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "proxy group not found"})
+		return
+	}
+	var payload struct {
+		Name        *string `json:"name"`
+		Description *string `json:"description"`
+		Color       *string `json:"color"`
+	}
+	if err := c.ShouldBindJSON(&payload); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	if payload.Name != nil {
+		trimmed := strings.TrimSpace(*payload.Name)
+		if trimmed == "" {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "name cannot be empty"})
+			return
+		}
+		group.Name = trimmed
+	}
+	if payload.Description != nil {
+		group.Description = *payload.Description
+	}
+	if payload.Color != nil {
+		group.Color = *payload.Color
+	}
+	if err := h.service.Update(group); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, group)
+}
 
-## 3. Technical Specifications
+func (h *ProxyGroupHandler) Delete(c *gin.Context) {
+	group, err := h.service.GetByUUID(c.Param("uuid"))
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "proxy group not found"})
+		return
+	}
+	if err := h.service.Delete(group.ID); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.Status(http.StatusNoContent)
+}
+```
 
-### 3.1 Files Modified / Created
+### 4.5 Modify: `backend/internal/api/handlers/proxy_host_handler.go`
 
-| File | Action | Commit |
-|---|---|---|
-| `frontend/package.json` | Remove 3 duplicate devDependency keys | 1 |
-| `frontend/src/components/CredentialManager.tsx` | Add inline eslint-disable comment | 2 |
-| `frontend/src/utils/certificateUtils.ts` | **New file** — export `isInUse`, `isDeletable` | 3 |
-| `frontend/src/components/CertificateList.tsx` | Remove exports; add import from utils | 3 |
-| `frontend/src/components/__tests__/CertificateList.test.tsx` | Update import path | 3 |
-| `frontend/src/components/CSPBuilder.tsx` | 1× `<label>` → `<span>` | 4 |
-| `frontend/src/components/AccessListSelector.tsx` | 1× `<label>` → `<span>` | 4 |
-| `frontend/src/components/AccessListForm.tsx` | 3× `<label>` → `<span>` (2 preserve `id`) | 4 |
-| `frontend/src/api/__tests__/logs-websocket.test.ts` | 2× `it.skip` → `it.todo` | 5 |
-| `backend/internal/api/handlers/security_handler.go` | Add exported `Close()` method | 6 |
-| `backend/internal/api/handlers/security_handler_audit_test.go` | Add cleanup; convert to in-memory DB | 6 |
+**`ProxyHostResponse` struct** — add after `SecurityHeaderProfile` fields:
+```go
+ProxyGroup   *models.ProxyGroup  `json:"proxy_group,omitempty"`
+```
 
-### 3.2 Detailed Change Specifications
+> **Note**: Internal numeric IDs are never exposed in response bodies per GORM security scanner policy.
 
-#### Commit 1 — `frontend/package.json`
+**`NewProxyHostResponse` function** — add to the return literal:
+```go
+ProxyGroup:   host.ProxyGroup,
+```
+
+**New private method** `resolveProxyGroupReference`:
+```go
+func (h *ProxyHostHandler) resolveProxyGroupReference(value any) (*uint, error) {
+	if value == nil {
+		return nil, nil
+	}
+	parsedID, parseErr := parseNullableUintField(value, "proxy_group_id")
+	if parseErr == nil {
+		return parsedID, nil
+	}
+	uuidValue, isString := value.(string)
+	if !isString {
+		return nil, parseErr
+	}
+	trimmed := strings.TrimSpace(uuidValue)
+	if trimmed == "" {
+		return nil, nil
+	}
+	var pg models.ProxyGroup
+	if err := h.db.Select("id").Where("uuid = ?", trimmed).First(&pg).Error; err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, fmt.Errorf("proxy group not found")
+		}
+		return nil, fmt.Errorf("failed to resolve proxy group")
+	}
+	id := pg.ID
+	return &id, nil
+}
+```
 
-Remove the **second** occurrence of these three devDependency keys (approximately lines 74-76):
+**`Create` handler** — add FK resolution before the `json.Unmarshal` block (after existing `resolveAccessListReference`, etc.):
+```go
+if rawGroupRef, ok := payload["proxy_group_id"]; ok {
+	resolvedGroupID, resolveErr := h.resolveProxyGroupReference(rawGroupRef)
+	if resolveErr != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": resolveErr.Error()})
+		return
+	}
+	payload["proxy_group_id"] = resolvedGroupID
+}
 ```
-"@typescript-eslint/eslint-plugin": "...",
-"@typescript-eslint/parser": "...",
-"@typescript-eslint/utils": "...",
+
+**`Update` handler** — add to the payload field processing block (after the existing access_list_id block):
+```go
+if rawGroupRef, ok := payload["proxy_group_id"]; ok {
+	resolvedGroupID, resolveErr := h.resolveProxyGroupReference(rawGroupRef)
+	if resolveErr != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": resolveErr.Error()})
+		return
+	}
+	host.ProxyGroupID = resolvedGroupID
+}
 ```
 
-After the change, each key appears exactly once in `devDependencies`.
+### 4.6 Modify: `backend/internal/services/proxyhost_service.go`
 
-**Validation**: `cd frontend && npm install --dry-run` must complete without duplicate key
-warnings.
+**`List` method** (line ~239) — add `Preload("ProxyGroup")`:
+```go
+if err := s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").
+	Preload("SecurityHeaderProfile").Preload("ProxyGroup").
+	Order("updated_at desc").Find(&hosts).Error; err != nil {
+```
 
-#### Commit 2 — `CredentialManager.tsx`
+**`GetByUUID` method** (line ~229) — add `Preload("ProxyGroup")`:
+```go
+if err := s.db.Preload("Locations").Preload("Certificate").Preload("AccessList").
+	Preload("SecurityHeaderProfile").Preload("ProxyGroup").
+	Where("uuid = ?", uuidStr).First(&host).Error; err != nil {
+```
 
-Locate `validateZoneFilter` and the regex literal it contains. Add two lines immediately before
-the regex:
+### 4.7 Modify: `backend/internal/api/routes/routes.go`
 
-```ts
-// eslint-disable-next-line security/detect-unsafe-regex
-// Runs client-side only; ReDoS risk is confined to the user's own browser session
+**AutoMigrate list** — insert `&models.ProxyGroup{}` before `&models.ProxyHost{}` so the FK constraint resolves correctly:
+```go
+// Within the db.AutoMigrate(...) call, add:
+&models.ProxyGroup{},
+// ProxyHost must come after ProxyGroup due to FK dependency
+&models.ProxyHost{},  // (already exists)
+```
+
+**Handler registration** — add after `proxyHostHandler.RegisterRoutes(management)`:
+```go
+proxyGroupHandler := handlers.NewProxyGroupHandler(db)
+proxyGroupHandler.RegisterRoutes(management)
 ```
 
-**Validation**: `npm run lint` on the file shows no `security/detect-unsafe-regex` errors.
+---
 
-#### Commit 3 — Extract certificate utilities
+## 5. API Contract
 
-**New file**: `frontend/src/utils/certificateUtils.ts`
+All endpoints are under the authenticated `management` router group → `/api/v1/`.
 
-```ts
-import { type Certificate } from '../api/certificates'
+### `GET /api/v1/proxy-groups`
+
+**Description**: List all proxy groups, ordered alphabetically by name.
+
+**Response `200 OK`**:
+```json
+[
+  {
+    "uuid": "3f2a1b4c-...",
+    "name": "Production",
+    "description": "Production services",
+    "color": "#6366f1",
+    "created_at": "2025-01-01T00:00:00Z",
+    "updated_at": "2025-01-01T00:00:00Z"
+  }
+]
+```
 
-export function isInUse(cert: Certificate): boolean {
-  return cert.in_use
+> **`host_count` is NOT returned by the list endpoint.** Frontend computes host counts client-side from the proxies list using the `groupedHosts.byGroupUUID[uuid].length` memo pattern. The detail endpoint (`GET /proxy-groups/:uuid`) optionally includes it via `GetHostCount`.
+
+> **Optional enhancement**: compute counts server-side via subquery:
+> ```go
+> // Optional enhancement: compute counts server-side
+> s.db.Select("proxy_groups.*, COUNT(ph.id) as host_count").
+>     Joins("LEFT JOIN proxy_hosts ph ON ph.proxy_group_id = proxy_groups.id").
+>     Group("proxy_groups.id").
+>     Find(&groups)
+> ```
+
+### `POST /api/v1/proxy-groups`
+
+**Request Body**:
+```json
+{
+  "name": "Production",
+  "description": "Production-facing services",
+  "color": "#ef4444"
 }
+```
 
-export function isDeletable(cert: Certificate): boolean {
-  if (cert.in_use) return false
-  return (
-    cert.provider === 'custom' ||
-    cert.provider === 'letsencrypt-staging' ||
-    cert.status === 'expired' ||
-    cert.status === 'expiring'
-  )
+| Field         | Type   | Required | Notes                  |
+|--------------|--------|----------|------------------------|
+| `name`       | string | Yes      | Non-empty after trim   |
+| `description`| string | No       | Defaults to `""`       |
+| `color`      | string | No       | Defaults to `#6366f1`  |
+
+**Response `201 Created`**: Full ProxyGroup object.
+**Response `400 Bad Request`**: `{ "error": "proxy group name cannot be empty" }`
+
+### `GET /api/v1/proxy-groups/:uuid`
+
+**Response `200 OK`**:
+```json
+{
+  "uuid": "3f2a1b4c-...",
+  "name": "Production",
+  "description": "Production services",
+  "color": "#6366f1",
+  "host_count": 5,
+  "created_at": "2025-01-01T00:00:00Z",
+  "updated_at": "2025-01-01T00:00:00Z"
 }
 ```
 
-**`frontend/src/components/CertificateList.tsx`** changes:
-- Remove the two `export function` declarations at lines 20-31.
-- Add to the import block: `import { isInUse, isDeletable } from '../utils/certificateUtils'`
-- Internal call sites (lines 103, 225, 226) are unchanged — they reference the same function
-  names now satisfied by the import.
+**Response `404 Not Found`**: `{ "error": "proxy group not found" }`
 
-**`frontend/src/components/__tests__/CertificateList.test.tsx`** line 8:
-```ts
-// Before:
-import CertificateList, { isDeletable, isInUse } from '../CertificateList'
+### `PUT /api/v1/proxy-groups/:uuid`
+
+Partial update — only provided fields are mutated.
 
-// After:
-import CertificateList from '../CertificateList'
-import { isDeletable, isInUse } from '../../utils/certificateUtils'
+**Request Body** (all optional):
+```json
+{ "name": "Staging", "description": "Staging environment", "color": "#f59e0b" }
 ```
 
-**Validation**: `npm run lint` — no `react-refresh/only-export-components` errors.
-`npm run test -- CertificateList` — all existing tests pass.
+**Response `200 OK`**: Updated ProxyGroup object.
 
-#### Commit 4 — Replace `<label>` on non-labelable elements
+### `DELETE /api/v1/proxy-groups/:uuid`
 
-| File | Change |
-|---|---|
-| `CSPBuilder.tsx` ~line 326 | `<label` → `<span` and `</label>` → `</span>` |
-| `AccessListSelector.tsx` ~line 128 | `<label` → `<span` and `</label>` → `</span>` |
-| `AccessListForm.tsx` ~line 385 | `<label id="access-list-enabled-label">` → `<span id="access-list-enabled-label">` and `</label>` → `</span>` |
-| `AccessListForm.tsx` ~line 401 | `<label id="access-list-local-network-label">` → `<span id="access-list-local-network-label">` and `</label>` → `</span>` |
-| `AccessListForm.tsx` ~line 422 | `<label` → `<span` and `</label>` → `</span>` |
+**Description**: Delete a group. Assigned proxy hosts have `proxy_group_id` set to `NULL` (hosts are not deleted).
 
-**Critical constraint for lines 385 & 401**: The `id` attribute **must be preserved** — `<Switch>`
-components reference it via `aria-labelledby`. Removing the `id` would break the programmatic
-label association for screen readers.
+**Response `204 No Content`**: Empty.
 
-**Validation**: `npm run lint` — no `jsx-a11y/label-has-associated-control` errors.
+### Proxy Host Group Assignment
 
-#### Commit 5 — `logs-websocket.test.ts`
+Hosts are assigned/unassigned via the existing `PUT /api/v1/proxy-hosts/:uuid` endpoint:
 
-Replace both `it.skip(...)` blocks at lines 134 and 151 with `it.todo(...)`, removing the
-callback bodies entirely:
+```json
+{ "proxy_group_id": "3f2a1b4c-..." }
+```
 
-```ts
-// Before:
-// These tests are skipped because ...
-it.skip('should do X', () => {
-  // ... test body ...
-})
+Accepts `null` (unassign), a numeric ID, or a UUID string.
 
-// After:
-// These tests are skipped because ...
-it.todo('should do X')
+The proxy host response now includes:
+```json
+{
+  "proxy_group": {
+    "uuid": "3f2a1b4c-...",
+    "name": "Production",
+    "color": "#6366f1"
+  }
+}
 ```
 
-Apply to both occurrences. **Preserve the explanatory comment** that appears immediately above
-each `it.skip` call — it must remain above the resulting `it.todo` line.
-
-**Test bodies are deleted outright** — do not preserve them as commented-out code. The prior
-implementations are retained in git history and can be recovered from there if needed.
+---
 
-**Validation**: `npm run lint` — no disabled-test rule violations. `npm run test` shows both as
-`todo`.
+## 6. Frontend Implementation Plan
 
-#### Commit 6 — Backend test fix
+### 6.1 New File: `frontend/src/api/proxyGroups.ts`
 
-##### Part A: Add `Close()` to `security_handler.go`
+```typescript
+import client from './client';
 
-After `NewSecurityHandler` (or `NewSecurityHandlerWithDeps`), add:
+export interface ProxyGroup {
+  uuid: string;
+  name: string;
+  description: string;
+  color: string;
+  host_count?: number;
+  created_at: string;
+  updated_at: string;
+}
 
-```go
-// Close stops the background audit goroutine. Required for test cleanup.
-func (h *SecurityHandler) Close() {
-	h.svc.Close()
+export interface CreateProxyGroupRequest {
+  name: string;
+  description?: string;
+  color?: string;
 }
+
+export const proxyGroupsApi = {
+  async list(): Promise<ProxyGroup[]> {
+    const response = await client.get<ProxyGroup[]>('/proxy-groups');
+    return response.data;
+  },
+
+  async get(uuid: string): Promise<ProxyGroup> {
+    const response = await client.get<ProxyGroup>(`/proxy-groups/${uuid}`);
+    return response.data;
+  },
+
+  async create(data: CreateProxyGroupRequest): Promise<ProxyGroup> {
+    const response = await client.post<ProxyGroup>('/proxy-groups', data);
+    return response.data;
+  },
+
+  async update(uuid: string, data: Partial<CreateProxyGroupRequest>): Promise<ProxyGroup> {
+    const response = await client.put<ProxyGroup>(`/proxy-groups/${uuid}`, data);
+    return response.data;
+  },
+
+  async delete(uuid: string): Promise<void> {
+    await client.delete(`/proxy-groups/${uuid}`);
+  },
+};
 ```
 
-`svc` is unexported; this method is the only way for test code to call `svc.Close()`.
+### 6.2 New File: `frontend/src/hooks/useProxyGroups.ts`
 
-##### Part B1: Replace `setupAuditTestDB` in `security_handler_audit_test.go`
+Export the following named hooks (multi-hook pattern, same as `useAccessLists.ts`):
 
-Replace the entire function body with:
+```typescript
+export const PROXY_GROUPS_QUERY_KEY = ['proxy-groups'];
 
-```go
-func setupAuditTestDB(t *testing.T) *gorm.DB {
-	t.Helper()
-	db := OpenTestDB(t)
-	if err := db.AutoMigrate(
-		&models.SecurityRuleSet{},
-		&models.SecurityConfig{},
-		&models.SecurityDecision{},   // ← required, not AccessListRule
-		&models.SecurityAudit{},
-		&models.Setting{},
-	); err != nil {
-		t.Fatalf("setupAuditTestDB migrate: %v", err)
-	}
-	return db
-}
+export function useProxyGroups(): UseQueryResult<ProxyGroup[]>
+export function useCreateProxyGroup(): UseMutationResult<...>
+export function useUpdateProxyGroup(): UseMutationResult<...>
+export function useDeleteProxyGroup(): UseMutationResult<...>
 ```
 
-`OpenTestDB(t)` creates a uniquely-named in-memory SQLite with auto-registered cleanup. This
-eliminates WAL file-locking entirely.
-
-> The model list (`SecurityRuleSet`, `SecurityConfig`, `SecurityDecision`, `SecurityAudit`,
-> `Setting`) must match this specification exactly. `SecurityDecision` is required because
-> `TestSecurityHandler_CreateDecision_SQLInjection` and
-> `TestSecurityHandler_CreateDecision_EmptyFields` both query the `security_decisions` table.
-> `AccessListRule` is **not** in this list.
+- `useCreateProxyGroup`: on success → `toast.success('Group created')` + invalidate `PROXY_GROUPS_QUERY_KEY`; on error → `toast.error(\`Failed to create group: ${error.message}\`)`
+- `useUpdateProxyGroup`: mutation fn takes `{ uuid: string; data: Partial<CreateProxyGroupRequest> }` → `toast.success('Group updated')`; on error → `toast.error(\`Failed to update group: ${error.message}\`)`
+- `useDeleteProxyGroup`: on success → `toast.success('Group deleted — hosts moved to Ungrouped')` + invalidate both `PROXY_GROUPS_QUERY_KEY` and `['proxy-hosts']`; on error → `toast.error(\`Failed to delete group: ${error.message}\`)`
 
-##### Part B2: Add `t.Cleanup(func() { h.Close() })` at all 14 call sites
+### 6.3 Modify: `frontend/src/api/proxyHosts.ts`
 
-Every `h := NewSecurityHandler(cfg, db, nil)` call must be immediately followed by:
-```go
-t.Cleanup(func() { h.Close() })
+Add to the `ProxyHost` interface:
+```typescript
+proxy_group_id?: number | string | null;
+proxy_group?: {
+  uuid: string;
+  name: string;
+  color: string;
+} | null;
 ```
 
-The 14 call site line numbers (approximate — verify before applying):
-`76, 98, 144, 179, 210, 280, 325, 355, 399, 447, 508, 536, 562, 597`
-
-##### Part B3: Add diagnostic logging to the failing test
+### 6.4 New File: `frontend/src/components/ProxyGroupBadge.tsx`
 
-In `TestSecurityHandler_UpsertRuleSet_XSSInContent`, immediately before the first
-`assert.Equal(t, http.StatusOK, w.Code)`, add:
-```go
-t.Logf("UpsertRuleSet response body: %s", w.Body.String())
+```typescript
+interface ProxyGroupBadgeProps {
+  group: { name: string; color: string };
+  className?: string;
+}
 ```
 
-This surfaces the real GORM error message if the test regresses in future.
+Renders a colored circle dot followed by the group name. Uses inline `style={{ backgroundColor: group.color }}` for the dot. Falls back to `—` when group is undefined (caller decides).
 
-**Validation**:
-```bash
-# Isolated run must pass
-go test -v -count=1 -run TestSecurityHandler_UpsertRuleSet_XSSInContent ./backend/internal/api/handlers/
+### 6.5 New File: `frontend/src/components/ProxyGroupForm.tsx`
 
-# Full package with race detector must pass
-go test -race -count=1 ./backend/internal/api/handlers/
+Create/edit dialog for a proxy group.
 
-# Coverage gate must pass
-bash scripts/go-test-coverage.sh
+**Props**:
+```typescript
+interface ProxyGroupFormProps {
+  open: boolean;
+  onClose: () => void;
+  group?: ProxyGroup; // undefined = create mode
+}
 ```
 
----
-
-## 4. Implementation Plan
+**Fields**:
+- `name` — `Input` (required, validates non-empty)
+- `description` — `Textarea` (optional)
+- `color` — 8 preset color swatches (clickable circles) + hex text input
 
-### Phase 1 — Playwright Tests
+**Color presets**: `['#6366f1', '#ef4444', '#f59e0b', '#10b981', '#3b82f6', '#8b5cf6', '#ec4899', '#6b7280']`
 
-No UI/UX behaviour changes are introduced. Playwright E2E tests are not required for this plan.
-Changes are limited to build config, utility extraction, HTML element type changes (visually
-identical), and test-only changes. A smoke run of the standard suite is optional.
+**Behavior**:
+- Create mode: calls `useCreateProxyGroup().mutateAsync(data)` then `onClose()`
+- Edit mode: calls `useUpdateProxyGroup().mutateAsync({ uuid: group.uuid, data })` then `onClose()`
+- Submit button disabled when `name.trim() === ''`
+- Uses `Dialog`, `Input`, `Textarea`, `Button` from `components/ui`
 
-### Phase 2 — Backend Implementation (Commit 6)
+### 6.6 Modify: `frontend/src/pages/ProxyHosts.tsx`
 
-1. Edit `security_handler.go` — add `Close()` method.
-2. Edit `security_handler_audit_test.go`:
-   a. Replace `setupAuditTestDB` body.
-   b. Add `t.Cleanup` at all 14 call sites.
-   c. Add `t.Logf` diagnostic.
-3. Run: `go test -race -count=1 ./backend/internal/api/handlers/` — confirm exit 0.
-4. Run: `bash scripts/go-test-coverage.sh` — confirm coverage gate passes.
+**New imports**:
+```typescript
+import { useProxyGroups, useDeleteProxyGroup, useUpdateProxyGroup } from '../hooks/useProxyGroups';
+import ProxyGroupForm from '../components/ProxyGroupForm';
+import ProxyGroupBadge from '../components/ProxyGroupBadge';
+```
 
-### Phase 3 — Frontend Implementation (Commits 1-5)
+**New state**:
+```typescript
+const [showGroupForm, setShowGroupForm] = useState(false);
+const [editingGroup, setEditingGroup] = useState<ProxyGroup | undefined>();
+const [groupToDelete, setGroupToDelete] = useState<ProxyGroup | null>(null);
+const [showAssignGroupModal, setShowAssignGroupModal] = useState(false);
+const [assignTargetGroupUUID, setAssignTargetGroupUUID] = useState<string | null>(null);
+```
 
-Execute commits 1-5 in order. After each commit, run `npm run lint` to verify no new errors.
-After all five: run `npm run type-check` and `npm run test` to confirm no regressions.
+**New data hooks**:
+```typescript
+const { data: groups = [] } = useProxyGroups();
+const deleteGroupMutation = useDeleteProxyGroup();
+const updateProxyHostMutation = /* existing update from useProxyHosts */;
+```
 
-### Phase 4 — Integration Verification
+**Grouped hosts memo** (replaces or supplements `sortedHosts`):
+```typescript
+const groupedHosts = useMemo(() => {
+  const byGroupUUID: Record<string, ProxyHost[]> = {};
+  const ungrouped: ProxyHost[] = [];
+  for (const host of sortedHosts) {
+    if (host.proxy_group?.uuid) {
+      if (!byGroupUUID[host.proxy_group.uuid]) byGroupUUID[host.proxy_group.uuid] = [];
+      byGroupUUID[host.proxy_group.uuid].push(host);
+    } else {
+      ungrouped.push(host);
+    }
+  }
+  return { byGroupUUID, ungrouped };
+}, [sortedHosts]);
+```
 
-Final checklist before opening PR:
-- [ ] `go test -race ./backend/...` exits 0
-- [ ] `bash scripts/go-test-coverage.sh` exits 0
-- [ ] `npm run lint` exits 0 (zero errors)
-- [ ] `npm run type-check` exits 0
-- [ ] `npm run test` exits 0
+**Page header addition** — "Manage Groups" button (next to "Add Proxy Host" button):
+```tsx
+<Button variant="outline" onClick={() => { setEditingGroup(undefined); setShowGroupForm(true); }}>
+  {t('proxyGroups.manageGroups')}
+</Button>
+```
 
-### Phase 5 — Documentation
+**Table column addition** — `Group` column in the DataTable column definitions:
+```typescript
+{
+  key: 'proxy_group',
+  header: t('proxyGroups.group'),
+  render: (host: ProxyHost) =>
+    host.proxy_group
+      ? <ProxyGroupBadge group={host.proxy_group} />
+      : <span className="text-muted-foreground text-sm">—</span>,
+}
+```
 
-No documentation changes required.
+**Grouped rendering** — replace the flat `sortedHosts` table with grouped sections:
+- For each group in `groups`: render a section header (`<Card>` with group color swatch, name, host count, edit/delete icon buttons) followed by a `DataTable` scoped to `groupedHosts.byGroupUUID[group.uuid] ?? []`
+- After all named groups: render an "Ungrouped" section with `groupedHosts.ungrouped`
+- If `groups.length === 0`: render the existing flat table (no regression for users with no groups)
+
+**Bulk assign** — when `selectedHosts.length > 0`, show "Assign to Group" in bulk actions bar:
+- Opens a `Dialog` with a radio list of groups + "None (Ungrouped)"
+- On confirm: loops over `selectedHosts`, calls `updateHost(uuid, { proxy_group_id: assignTargetGroupUUID ?? null })`
+- Uses existing `applyProgress` / loading pattern if available, otherwise sequential mutations
+
+**Dialogs to add**:
+1. `ProxyGroupForm` (create/edit) — controlled by `showGroupForm` + `editingGroup`
+2. Delete group confirmation — `groupToDelete` drives a `Dialog` that calls `deleteGroupMutation.mutate(groupToDelete.uuid)`
+3. Assign to group modal — `showAssignGroupModal`
+
+### 6.7 i18n Keys
+
+Add to all locale files (`frontend/src/locales/en/translation.json`, `frontend/src/locales/es/translation.json`, `frontend/src/locales/fr/translation.json`, `frontend/src/locales/de/translation.json`, `frontend/src/locales/zh/translation.json`):
+
+```json
+{
+  "proxyGroups": {
+    "group": "Group",
+    "manageGroups": "Manage Groups",
+    "createGroup": "Create Group",
+    "editGroup": "Edit Group",
+    "deleteGroup": "Delete Group",
+    "deleteGroupConfirm": "Delete this group? All hosts will be moved to Ungrouped.",
+    "groupName": "Group Name",
+    "groupDescription": "Description",
+    "groupColor": "Color",
+    "noGroups": "No groups yet",
+    "ungrouped": "Ungrouped",
+    "assignToGroup": "Assign to Group",
+    "hostCount_one": "{{count}} host",
+    "hostCount_other": "{{count}} hosts"
+  }
+}
+```
 
 ---
 
-## 5. Acceptance Criteria
+## 7. Testing Strategy
 
-| # | Criterion | Verification |
-|---|---|---|
-| AC-1 | `TestSecurityHandler_UpsertRuleSet_XSSInContent` passes in full package run | `go test -race -count=1 ./backend/internal/api/handlers/` exits 0 |
-| AC-2 | `scripts/go-test-coverage.sh` exits 0 | Coverage gate and test status both pass |
-| AC-3 | `npm run lint` exits 0 | No ESLint errors; `react-refresh`, `jsx-a11y`, `security`, `vitest` rules all pass |
-| AC-4 | `npm run type-check` exits 0 | No TypeScript errors after utility extraction |
-| AC-5 | All existing Vitest tests continue to pass | `npm run test` exits 0; `CertificateList.test.tsx` passes |
-| AC-6 | `<Switch>` components retain ARIA labels | `aria-labelledby` on Switch components resolves to matching `id` on adjacent `<span>` |
-| AC-7 | No backend lint regressions | Backend lint (non-blocking) gains no new CRITICAL/HIGH findings |
+### Phase 1 — Playwright E2E Tests (write before implementation)
 
----
+**File**: `tests/proxy-groups.spec.ts`
 
-## 6. Commit Slicing Strategy
+Imports:
+```typescript
+import { test, expect } from './fixtures/test';
+import { waitForAPIHealth } from './utils/api-helpers';
+import { getToastLocator } from './utils/ui-helpers';
+import { waitForAPIResponse, waitForDialog, waitForLoadingComplete } from './utils/wait-helpers';
+```
 
-**Decision**: Single PR with 6 ordered logical commits.
+Test scenarios:
+```
+test.describe('Proxy Groups', () => {
+  test.beforeEach(async ({ page }) => {
+    await waitForAPIHealth(page);
+    await page.goto('/proxy-hosts');
+    await waitForLoadingComplete(page);
+  });
+
+  test.describe('Group Management', () => {
+    test('should create a proxy group with name and color')
+    test('should display created group as a section header on Proxy Hosts page')
+    test('should edit a group name and color')
+    test('should delete a group — hosts become ungrouped')
+    test('should prevent creating a group with empty name — submit disabled')
+  })
+
+  test.describe('Host Assignment', () => {
+    test('should assign a proxy host to a group via host edit form')
+    test('should unassign a proxy host from a group')
+    test('should bulk-assign selected hosts to a group')
+    test('should display host under correct group section')
+  })
+
+  test.describe('Grouped Display', () => {
+    test('should show group header with correct name, color, and host count')
+    test('should show ungrouped section for unassigned hosts')
+    test('should show flat list when no groups exist')
+  })
+})
+```
 
-**Trigger reasons**: Cross-domain changes (frontend/backend); logical independence of each fix;
-reviewability of each concern in isolation.
+Use role-based locators: `getByRole('button', { name: /manage groups/i })`, `getByRole('heading', { name: groupName })`.
+
+### Phase 2 — Backend Unit Tests
+
+**`backend/internal/services/proxy_group_service_test.go`**:
+- `TestProxyGroupService_Create` — happy path, UUID assigned
+- `TestProxyGroupService_Create_EmptyName` — returns `ErrProxyGroupNameEmpty`
+- `TestProxyGroupService_List` — returns sorted by name
+- `TestProxyGroupService_GetByUUID` — found and not found
+- `TestProxyGroupService_Update` — patches Name/Description/Color
+- `TestProxyGroupService_Delete_ClearsHostAssignments` — host `proxy_group_id` set to NULL, group deleted
+- `TestProxyGroupService_GetHostCount` — correct count
+
+**`backend/internal/api/handlers/proxy_group_handler_test.go`**:
+- `TestProxyGroupHandler_List_Empty`
+- `TestProxyGroupHandler_List_WithGroups`
+- `TestProxyGroupHandler_Create_Valid`
+- `TestProxyGroupHandler_Create_EmptyName_400`
+- `TestProxyGroupHandler_Get_Found`
+- `TestProxyGroupHandler_Get_NotFound_404`
+- `TestProxyGroupHandler_Update_PartialFields`
+- `TestProxyGroupHandler_Update_EmptyName_400`
+- `TestProxyGroupHandler_Delete_204`
+- `TestProxyGroupHandler_Delete_NotFound_404`
+
+**`backend/internal/services/proxyhost_service_group_test.go`**:
+- `TestProxyHostService_List_PreloadsGroup`
+- `TestProxyHostService_GetByUUID_PreloadsGroup`
+
+Follow `access_list_service_test.go` pattern: in-memory SQLite (`gorm.Open(sqlite.Open(":memory:"))`), table-driven cases.
+
+### Phase 3 — Frontend Unit Tests
+
+**`frontend/src/components/__tests__/ProxyGroupForm.test.tsx`**:
+- Renders create form when no `group` prop
+- Renders edit form with pre-filled values when `group` prop provided
+- Disables submit when name is empty
+- Calls create mutation on submit in create mode
+- Calls update mutation on submit in edit mode
+
+**`frontend/src/components/__tests__/ProxyGroupBadge.test.tsx`**:
+- Renders group name
+- Renders color dot with correct background color
+
+### GORM Security Scanner (mandatory gate)
+
+After implementing models, run:
+```bash
+./scripts/scan-gorm-security.sh --check
+```
 
-### Commit Order
+Expected: `proxy_group.go` passes all checks (no `json:"id"` exposure, no DTO embedding in response structs).
 
-| # | Commit message | Files | Dependencies | Validation gate |
-|---|---|---|---|---|
-| 1 | `fix(frontend): remove duplicate devDependencies from package.json` | `frontend/package.json` | None | `npm install` no warnings |
-| 2 | `fix(frontend): suppress unsafe-regex lint in zone filter validation` | `CredentialManager.tsx` | None | `npm run lint` clean on file |
-| 3 | `refactor(frontend): extract certificate utility functions to utils module` | `certificateUtils.ts` (new), `CertificateList.tsx`, `CertificateList.test.tsx` | None | `npm run lint` + `npm run test -- CertificateList` |
-| 4 | `fix(frontend/a11y): replace label with span for non-labelable controls` | `CSPBuilder.tsx`, `AccessListSelector.tsx`, `AccessListForm.tsx` | None | `npm run lint` clean on all 3 |
-| 5 | `fix(tests): convert skipped tests to todo in logs-websocket` | `logs-websocket.test.ts` | None | `npm run lint` clean on file |
-| 6 | `fix(backend/test): resolve UpsertRuleSet XSS test isolation failure` | `security_handler.go`, `security_handler_audit_test.go` | None | `go test -race ./backend/internal/api/handlers/` exits 0 |
+---
 
-Commits 1-6 are fully independent and may be cherry-picked or reordered safely.
+## 8. Commit Slicing Strategy
 
-### Rollback Notes
+**Decision**: Single PR with 6 ordered commits. One feature = one PR.
 
-Each commit is self-contained. Reverting any one commit has no cross-domain impact.
-Commit 6 revert returns the CI failure but affects no production behaviour.
+**Rationale**: Commits are strongly ordered by dependency (model → service → handler → routes → frontend types → frontend UI). Each commit is individually testable. The backend/frontend split allows parallel code review.
 
 ---
 
-## 7. Risk Register
+### Commit 1 — `feat(models): add ProxyGroup model and ProxyHost FK`
 
-| Risk | Likelihood | Impact | Mitigation |
-|---|---|---|---|
-| `AccessListForm` `<Switch>` `aria-labelledby` broken after label → span | Low | Medium | Spec explicitly preserves `id` on converted `<span>` elements |
-| `CertificateList.test.tsx` import path wrong after utility extraction | Low | Low | Test suite catches immediately; path is `../../utils/certificateUtils` |
-| `setupAuditTestDB` model list wrong | Low | High | Spec now explicitly requires `SecurityDecision` (not `AccessListRule`); required by `TestSecurityHandler_CreateDecision_*` tests |
-| One or more of the 14 `t.Cleanup` call sites missed | Low | Low | In-memory DB (B1) already eliminates the locking failure; goroutine cleanup is defence-in-depth |
-| `it.todo` removal of test body causes compile error | None | — | `it.todo` takes only a string argument; no compilation issues |
+**Scope**: Backend model layer
+**Files**:
+- `backend/internal/models/proxy_group.go` ← **new**
+- `backend/internal/models/proxy_host.go` ← add `ProxyGroupID *uint` + `ProxyGroup *ProxyGroup`
 
----
-
-## Commit 7 — Fix Cloudflare provider stdout capture race condition
-
-**Branch addition**: `fix/ci-eslint-backend-test` (same PR)
-**CI failure**: `TestStart_CapturesStdoutOutput` — 1.01 s timeout, ring buffer empty
-**PR**: <https://github.com/Wikid82/Charon/actions/runs/25817001017/job/75848015026?pr=1013>
+**Dependencies**: None
+**Validation gate**: `go build ./...` passes; GORM scanner passes with zero CRITICAL/HIGH
+**Rollback**: Revert 2 files
 
 ---
 
-### 7.1 Root Cause Analysis
-
-#### Failing test
-
-**File**: `backend/internal/hecate/providers/cloudflare/coverage_test.go`
-**Test**: `TestStart_CapturesStdoutOutput` (~line 113)
-**Error** (line 143):
-```
-Error: Should NOT be empty, but was []
-Messages: stdout scanner goroutine must have written output to the ring buffer
-```
-
-The test starts the `echo` binary via `p.Start()`, waits for the process to exit via `<-done`,
-polls `p.buf.ReadAll()` for up to 1 second, then asserts it is non-empty. It consistently returns
-empty on CI.
+### Commit 2 — `feat(services): add ProxyGroupService and update ProxyHostService preloads`
 
-#### The race
+**Scope**: Service layer
+**Files**:
+- `backend/internal/services/proxy_group_service.go` ← **new**
+- `backend/internal/services/proxyhost_service.go` ← add `Preload("ProxyGroup")` in `List` and `GetByUUID`
 
-`Start()` launches three goroutines in this order:
+**Dependencies**: Commit 1
+**Validation gate**: `go test ./backend/internal/services/...` (all existing tests pass)
+**Rollback**: Delete `proxy_group_service.go`; revert preload lines in `proxyhost_service.go`
 
-| Goroutine | Role |
-|---|---|
-| stdout scanner | `bufio.Scanner` reads `stdoutPipe`; calls `p.buf.Write(s.Text())` for each line |
-| stderr scanner | same but for `stderrPipe` |
-| monitor | calls `cmd.Wait()`; in its **deferred** cleanup calls `p.buf.Close()` then `close(p.done)` |
+---
 
-The critical ordering defect in the monitor goroutine's deferred function
-(`backend/internal/hecate/providers/cloudflare/provider.go`, lines ~175–184):
+### Commit 3 — `feat(handlers): add ProxyGroupHandler and update ProxyHostHandler`
 
-```go
-// BEFORE (buggy)
-go func() {
-    defer func() {
-        p.mu.Lock()
-        p.cmd = nil
-        if p.state != hecate.TunnelStateStopped {
-            p.state = hecate.TunnelStateError
-        }
-        p.mu.Unlock()
-        p.buf.Close()   // ← (1) closes the buffer
-        close(p.done)   // ← (2) signals test
-    }()
-    _ = cmd.Wait()
-}()
-```
-
-Once `cmd.Wait()` returns (process exited), the monitor deferred function runs and calls
-`p.buf.Close()`. This sets `rb.closed = true` inside `RingBuffer`
-(`backend/internal/hecate/ring_buffer.go`, line ~95).
-
-Concurrently, the stdout scanner goroutine may not yet have been scheduled. When it eventually
-runs and calls `p.buf.Write(s.Text())`, the guard at `ring_buffer.go` line ~31 fires:
+**Scope**: Handler layer + routes registration
+**Files**:
+- `backend/internal/api/handlers/proxy_group_handler.go` ← **new**
+- `backend/internal/api/handlers/proxy_host_handler.go` ← add response fields + `resolveProxyGroupReference` + Update/Create FK handling
+- `backend/internal/api/routes/routes.go` ← add `ProxyGroup` to AutoMigrate + register handler
 
+**AutoMigrate change** (exact lines in `backend/internal/api/routes/routes.go`):
 ```go
-func (rb *RingBuffer) Write(line string) {
-    rb.mu.Lock()
-    defer rb.mu.Unlock()
-    if rb.closed {
-        return  // ← silently drops the write
-    }
-    // ...
-}
+// backend/internal/api/routes/routes.go — AutoMigrate block
+db.AutoMigrate(
+    &models.ProxyGroup{},  // NEW — must precede ProxyHost (FK dependency)
+    &models.ProxyHost{},
+    // ... existing models
+)
 ```
 
-The write is silently dropped. The ring buffer remains empty. The test's 1-second polling loop
-exhausts without finding any data. `ReadAll()` returns `nil` and the assertion fails.
+**Dependencies**: Commits 1 + 2
+**Validation gate**: `go build ./...`; Docker E2E container rebuilds and health check passes; existing E2E proxy-host tests still pass
+**Rollback**: Revert 3 files
+
+---
 
-#### Why it is non-deterministic
+### Commit 4 — `test(backend): proxy group service and handler unit tests`
 
-The race window is the interval between `cmd.Wait()` returning and the scanner goroutine calling
-`p.buf.Write()`. On a lightly-loaded machine the Go scheduler tends to run the scanner goroutines
-first because they are I/O-bound and already have data waiting in the pipe. On a loaded CI runner
-the monitor goroutine is more likely to win the scheduler lottery, close the buffer, and leave the
-scanner goroutine with nowhere to write.
+**Scope**: Backend test files only
+**Files**:
+- `backend/internal/services/proxy_group_service_test.go` ← **new**
+- `backend/internal/api/handlers/proxy_group_handler_test.go` ← **new**
+- `backend/internal/services/proxyhost_service_group_test.go` ← **new**
 
-`echo` exits in < 1 ms; the entire race window is sub-millisecond — too short for `time.Sleep`-
-based workarounds but reliably closed by a `sync.WaitGroup`.
+**Dependencies**: Commit 3
+**Validation gate**: `go test ./backend/internal/...` all pass; line coverage ≥ 85% for new service and handler files
+**Rollback**: Delete test files (no functional regression)
 
 ---
 
-### 7.2 File Locations and Exact Lines
+### Commit 5 — `feat(frontend): proxy group API client, hooks, and type updates`
 
-| File | Lines of interest |
-|---|---|
-| `backend/internal/hecate/providers/cloudflare/provider.go` | ~153–185 (`Start()` goroutine block) |
-| `backend/internal/hecate/ring_buffer.go` | ~29–31 (`Write` closed guard), ~93–101 (`Close`) |
-| `backend/internal/hecate/providers/cloudflare/coverage_test.go` | ~113–143 (`TestStart_CapturesStdoutOutput`) |
+**Scope**: Frontend new files + ProxyHost type extension
+**Files**:
+- `frontend/src/api/proxyGroups.ts` ← **new**
+- `frontend/src/hooks/useProxyGroups.ts` ← **new**
+- `frontend/src/components/ProxyGroupForm.tsx` ← **new**
+- `frontend/src/components/ProxyGroupBadge.tsx` ← **new**
+- `frontend/src/api/proxyHosts.ts` ← add `proxy_group_id` + `proxy_group` to `ProxyHost` interface
 
----
+**Dependencies**: Commit 3 (API endpoints must exist)
+**Validation gate**: `npm run build` passes; `npm run lint` clean
+**Rollback**: Delete new files; revert 2 lines in `proxyHosts.ts`
 
-### 7.3 Fix Specification
+---
 
-**Single change**: add a `sync.WaitGroup` (`scanWg`) that tracks both scanner goroutines.
-The monitor goroutine calls `scanWg.Wait()` inside its deferred function, **before**
-`p.buf.Close()`, so the buffer is never closed until all writes have completed.
+### Commit 6 — `feat(ui): integrate proxy groups into ProxyHosts page`
 
-No changes to the test or `RingBuffer` are required.
+**Scope**: Page integration + i18n
+**Files**:
+- `frontend/src/pages/ProxyHosts.tsx` ← grouped display, manage groups button, assign modal, Group column
+- `frontend/src/locales/en/translation.json` (and `es`, `fr`, `de`, `zh` equivalents) ← add `proxyGroups.*` keys
 
-#### Before (`provider.go` — Start(), goroutine block)
+**Dependencies**: Commit 5
+**Validation gate**: All Playwright E2E tests pass (Firefox, Chromium, WebKit); existing proxy-hosts tests pass; new `proxy-groups.spec.ts` passes
+**Rollback**: Revert `ProxyHosts.tsx` and i18n changes
 
-```go
-// Stream stdout to the ring buffer.
-go func() {
-    s := bufio.NewScanner(stdoutPipe)
-    for s.Scan() {
-        p.buf.Write(s.Text())
-    }
-}()
+---
 
-// Stream stderr to the ring buffer.
-go func() {
-    s := bufio.NewScanner(stderrPipe)
-    for s.Scan() {
-        p.buf.Write(s.Text())
-    }
-}()
-
-// Monitor process exit and update state accordingly.
-go func() {
-    defer func() {
-        p.mu.Lock()
-        p.cmd = nil
-        if p.state != hecate.TunnelStateStopped {
-            p.state = hecate.TunnelStateError
-        }
-        p.mu.Unlock()
-        p.buf.Close()
-        close(p.done)
-    }()
-    _ = cmd.Wait()
-}()
-```
-
-#### After (`provider.go` — Start(), goroutine block)
+### Contingency Notes
 
-```go
-var scanWg sync.WaitGroup
-
-// Stream stdout to the ring buffer.
-scanWg.Add(1)
-go func() {
-    defer scanWg.Done()
-    s := bufio.NewScanner(stdoutPipe)
-    for s.Scan() {
-        p.buf.Write(s.Text())
-    }
-}()
-
-// Stream stderr to the ring buffer.
-scanWg.Add(1)
-go func() {
-    defer scanWg.Done()
-    s := bufio.NewScanner(stderrPipe)
-    for s.Scan() {
-        p.buf.Write(s.Text())
-    }
-}()
-
-// Monitor process exit and update state accordingly.
-go func() {
-    defer func() {
-        p.mu.Lock()
-        p.cmd = nil
-        if p.state != hecate.TunnelStateStopped {
-            p.state = hecate.TunnelStateError
-        }
-        p.mu.Unlock()
-        scanWg.Wait() // drain scanner goroutines before closing the buffer
-        p.buf.Close()
-        close(p.done)
-    }()
-    _ = cmd.Wait()
-}()
-```
-
-**Why this is safe:**
-- `cmd.Wait()` returns only after the process exits and the pipe write-ends are closed by the OS.
-  At that point `s.Scan()` will return `false` (EOF) on the next iteration, so both scanner
-  goroutines will reach `scanWg.Done()` promptly.
-- `scanWg.Wait()` blocks for at most the time it takes the scanner goroutines to drain the pipe
-  buffer — microseconds in practice.
-- `p.buf.Close()` and `close(p.done)` are still called in the same relative order; only
-  `scanWg.Wait()` is inserted between the state unlock and `p.buf.Close()`.
-- `sync` is already imported in `provider.go` (used by `sync.RWMutex`); no new import is needed.
+- **SQLite FK constraint during AutoMigrate**: `ProxyGroup` is registered before `ProxyHost` to ensure the FK resolves. If ordering causes a regression, SQLite's deferred FK enforcement makes this a non-issue in practice, but the ordering is correct.
+- **Bulk assign performance**: If >20 hosts selected, consider adding a `PUT /api/v1/proxy-hosts/bulk-update-group` endpoint (same shape as existing `bulk-update-acl`) in a follow-up PR. For v1, sequential mutations are acceptable.
+- **Color validation**: No server-side hex validation for v1. The frontend color picker enforces valid hex. If invalid values appear in the database, the UI renders them as-is (no crash risk).
+- **Groups with no hosts**: Rendered as empty section with a "No hosts in this group" placeholder. Not hidden to allow users to manage the group structure independently.
 
 ---
 
-### 7.4 Commit Details
+## 9. Acceptance Criteria / Definition of Done
 
-| Field | Value |
-|---|---|
-| **Commit message** | `fix(hecate/cloudflare): drain scanner goroutines before closing ring buffer` |
-| **Files changed** | `backend/internal/hecate/providers/cloudflare/provider.go` |
-| **Lines changed** | ~6 lines added (WaitGroup declaration + 2×Add + 2×Done + 1×Wait) |
-| **Dependencies** | None; Commits 1-6 are independent |
+### Functional
 
-### 7.5 Validation Gate
+- [ ] User can create a proxy group with name, optional description, and optional color
+- [ ] User can edit a group's name, description, or color
+- [ ] User can delete a group; all affected proxy hosts become ungrouped (not deleted)
+- [ ] User can assign a single proxy host to a group via the host edit form
+- [ ] User can unassign a proxy host from a group (set to ungrouped)
+- [ ] User can bulk-assign multiple selected hosts to a group
+- [ ] Proxy Hosts page displays hosts in grouped sections with group header (name + color + host count)
+- [ ] Ungrouped hosts appear in an "Ungrouped" section
+- [ ] All existing proxy host functionality is unaffected (Caddy config, SSL, enable/disable)
 
-```bash
-# Target test — must pass deterministically
-go test ./backend/internal/hecate/providers/cloudflare/... \
-    -v -count=5 -race -run TestStart_CapturesStdoutOutput
+### Technical
 
-# Full cloudflare package — must pass
-go test -race -count=1 ./backend/internal/hecate/providers/cloudflare/...
+- [ ] `proxy_groups` table created by GORM AutoMigrate on server start
+- [ ] `proxy_hosts.proxy_group_id` column created by GORM AutoMigrate on server start
+- [ ] All API endpoints return correct HTTP status codes
+- [ ] GORM security scanner: zero CRITICAL/HIGH findings for `proxy_group.go`
+- [ ] Go unit test coverage ≥ 85% for new files (via local patch report)
+- [ ] TypeScript builds without errors (`npm run build`)
+- [ ] No ESLint errors (`npm run lint`)
+- [ ] No existing Playwright E2E tests regress
+- [ ] New Playwright E2E tests in `proxy-groups.spec.ts` pass in Firefox, Chromium, WebKit
+- [ ] `go build ./...` passes on clean checkout
+- [ ] `golangci-lint run` passes
 
-# Coverage gate — must not regress
-bash scripts/go-test-coverage.sh
-```
+### Documentation
 
-`-count=5` runs the test five times in a single invocation to exercise the scheduler across
-multiple scheduling decisions, providing high confidence the race is closed.
+- [ ] i18n keys added for all new UI text (English locale minimum)
+- [ ] Plan archived to `docs/implementation/proxy_groups_COMPLETE.md` on merge
 
 ---
 
-*Plan written by GitHub Copilot in Planning mode. Ready for implementation agent handoff.*
+## 10. Risk Register
+
+| Risk | Likelihood | Impact | Mitigation |
+|------|-----------|--------|------------|
+| GORM AutoMigrate FK order causes constraint error | Low | Medium | Register `ProxyGroup` before `ProxyHost` in AutoMigrate list (specified above) |
+| SQLite `ON DELETE` not triggered through GORM | Medium | High | Explicitly clear `proxy_group_id` in `Delete()` before deleting group (implemented in spec) |
+| Frontend `DataTable` doesn't support grouped/sectioned rows | Medium | Medium | Use separate `DataTable` instance per group instead of one grouped table |
+| Existing Playwright tests depend on flat host list ordering | Low | Medium | Ungrouped section preserves behavior for hosts with no group |
+| Bulk assign with >20 hosts creates noticeable UI lag | Low | Low | Acceptable for v1; `bulk-update-group` endpoint is a documented follow-up |
+| Color value persisted as invalid hex breaks UI rendering | Low | Low | Frontend enforces valid hex; worst case is an unstyled badge |
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index d7d0a5cff..5a916d93a 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -5896,9 +5896,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.355",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.355.tgz",
-      "integrity": "sha512-LUPZhKzZPYSPme1jEYohpkA+ybYCJztr1quAdBd7E7h3+VOBVcKkwwtBJu41nrjawrRzfb8mtMfzWozoaK0ZIQ==",
+      "version": "1.5.356",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.356.tgz",
+      "integrity": "sha512-9NgFd7m5t5MCJ5rUSjJITUXAH9mEGlrlofnMf4YEr+pz6JlP7cWmTAH+JFmbPnaSW8koVTkuW7pacORWAnA5Yw==",
       "dev": true,
       "license": "ISC"
     },
diff --git a/frontend/src/api/__tests__/proxyGroups.test.ts b/frontend/src/api/__tests__/proxyGroups.test.ts
new file mode 100644
index 000000000..27c2f04ad
--- /dev/null
+++ b/frontend/src/api/__tests__/proxyGroups.test.ts
@@ -0,0 +1,65 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+import client from '../client';
+import { proxyGroupsApi, type ProxyGroup } from '../proxyGroups';
+
+vi.mock('../client', () => ({
+  default: {
+    get: vi.fn(),
+    post: vi.fn(),
+    put: vi.fn(),
+    delete: vi.fn(),
+  },
+}));
+
+describe('proxyGroupsApi', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  const mockGroup: ProxyGroup = {
+    uuid: 'abc-123',
+    name: 'Test Group',
+    description: 'A test group',
+    color: '#ff0000',
+    host_count: 2,
+    created_at: '2026-01-01T00:00:00Z',
+    updated_at: '2026-01-01T00:00:00Z',
+  };
+
+  it('list calls client.get /proxy-groups', async () => {
+    vi.mocked(client.get).mockResolvedValue({ data: [mockGroup] });
+    const result = await proxyGroupsApi.list();
+    expect(client.get).toHaveBeenCalledWith('/proxy-groups');
+    expect(result).toEqual([mockGroup]);
+  });
+
+  it('get calls client.get with uuid', async () => {
+    vi.mocked(client.get).mockResolvedValue({ data: mockGroup });
+    const result = await proxyGroupsApi.get('abc-123');
+    expect(client.get).toHaveBeenCalledWith('/proxy-groups/abc-123');
+    expect(result).toEqual(mockGroup);
+  });
+
+  it('create calls client.post with payload', async () => {
+    vi.mocked(client.post).mockResolvedValue({ data: mockGroup });
+    const payload = { name: 'Test Group', description: 'A test group', color: '#ff0000' };
+    const result = await proxyGroupsApi.create(payload);
+    expect(client.post).toHaveBeenCalledWith('/proxy-groups', payload);
+    expect(result).toEqual(mockGroup);
+  });
+
+  it('update calls client.put with uuid and payload', async () => {
+    vi.mocked(client.put).mockResolvedValue({ data: mockGroup });
+    const payload = { name: 'Updated Group' };
+    const result = await proxyGroupsApi.update('abc-123', payload);
+    expect(client.put).toHaveBeenCalledWith('/proxy-groups/abc-123', payload);
+    expect(result).toEqual(mockGroup);
+  });
+
+  it('delete calls client.delete with uuid', async () => {
+    vi.mocked(client.delete).mockResolvedValue({ data: undefined });
+    await proxyGroupsApi.delete('abc-123');
+    expect(client.delete).toHaveBeenCalledWith('/proxy-groups/abc-123');
+  });
+});
diff --git a/frontend/src/api/proxyGroups.ts b/frontend/src/api/proxyGroups.ts
new file mode 100644
index 000000000..1a50e291e
--- /dev/null
+++ b/frontend/src/api/proxyGroups.ts
@@ -0,0 +1,43 @@
+import client from './client';
+
+export interface ProxyGroup {
+  uuid: string;
+  name: string;
+  description?: string;
+  color?: string;
+  host_count?: number;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface CreateProxyGroupRequest {
+  name: string;
+  description?: string;
+  color?: string;
+}
+
+export const proxyGroupsApi = {
+  list: async (): Promise<ProxyGroup[]> => {
+    const { data } = await client.get<ProxyGroup[]>('/proxy-groups');
+    return data;
+  },
+
+  get: async (uuid: string): Promise<ProxyGroup> => {
+    const { data } = await client.get<ProxyGroup>(`/proxy-groups/${uuid}`);
+    return data;
+  },
+
+  create: async (payload: CreateProxyGroupRequest): Promise<ProxyGroup> => {
+    const { data } = await client.post<ProxyGroup>('/proxy-groups', payload);
+    return data;
+  },
+
+  update: async (uuid: string, payload: Partial<CreateProxyGroupRequest>): Promise<ProxyGroup> => {
+    const { data } = await client.put<ProxyGroup>(`/proxy-groups/${uuid}`, payload);
+    return data;
+  },
+
+  delete: async (uuid: string): Promise<void> => {
+    await client.delete(`/proxy-groups/${uuid}`);
+  },
+};
diff --git a/frontend/src/api/proxyHosts.ts b/frontend/src/api/proxyHosts.ts
index d00461b0c..595078e26 100644
--- a/frontend/src/api/proxyHosts.ts
+++ b/frontend/src/api/proxyHosts.ts
@@ -49,6 +49,12 @@ export interface ProxyHost {
     description: string;
     type: string;
   } | null;
+  proxy_group_id?: number | string | null;
+  proxy_group?: {
+    uuid: string;
+    name: string;
+    color: string;
+  } | null;
   security_header_profile_id?: number | string | null;
   dns_provider_id?: number | null;
   security_header_profile?: {
diff --git a/frontend/src/components/ProxyGroupBadge.tsx b/frontend/src/components/ProxyGroupBadge.tsx
new file mode 100644
index 000000000..6bbbc20b2
--- /dev/null
+++ b/frontend/src/components/ProxyGroupBadge.tsx
@@ -0,0 +1,22 @@
+import { cn } from '../utils/cn';
+
+interface ProxyGroupBadgeProps {
+  group: {
+    name: string;
+    color: string;
+  };
+  className?: string;
+}
+
+export function ProxyGroupBadge({ group, className }: ProxyGroupBadgeProps) {
+  return (
+    <span className={cn('inline-flex items-center gap-1.5 text-sm', className)}>
+      <span
+        className="inline-block w-2.5 h-2.5 rounded-full shrink-0"
+        style={{ backgroundColor: group.color }}
+        aria-hidden="true"
+      />
+      <span>{group.name}</span>
+    </span>
+  );
+}
diff --git a/frontend/src/components/ProxyGroupForm.tsx b/frontend/src/components/ProxyGroupForm.tsx
new file mode 100644
index 000000000..436b3bae3
--- /dev/null
+++ b/frontend/src/components/ProxyGroupForm.tsx
@@ -0,0 +1,174 @@
+import { useState, useEffect } from 'react';
+
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  Button,
+  Input,
+  Textarea,
+} from './ui';
+import { useCreateProxyGroup, useUpdateProxyGroup } from '../hooks/useProxyGroups';
+
+import type { ProxyGroup } from '../api/proxyGroups';
+
+const COLOR_PRESETS = [
+  '#6366f1',
+  '#ef4444',
+  '#f59e0b',
+  '#10b981',
+  '#3b82f6',
+  '#8b5cf6',
+  '#ec4899',
+  '#6b7280',
+];
+
+interface ProxyGroupFormProps {
+  open: boolean;
+  onClose: () => void;
+  group?: ProxyGroup;
+}
+
+export function ProxyGroupForm({ open, onClose, group }: ProxyGroupFormProps) {
+  const [name, setName] = useState('');
+  const [description, setDescription] = useState('');
+  const [color, setColor] = useState(COLOR_PRESETS[0]);
+
+  const createGroup = useCreateProxyGroup();
+  const updateGroup = useUpdateProxyGroup();
+
+  const isEdit = !!group;
+  const isPending = createGroup.isPending || updateGroup.isPending;
+
+  useEffect(() => {
+    if (open) {
+      setName(group?.name ?? '');
+      setDescription(group?.description ?? '');
+      setColor(group?.color ?? COLOR_PRESETS[0]);
+    }
+  }, [open, group]);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!name.trim()) return;
+
+    const payload = {
+      name: name.trim(),
+      description: description.trim() || undefined,
+      color,
+    };
+
+    try {
+      if (isEdit) {
+        await updateGroup.mutateAsync({ uuid: group.uuid, data: payload });
+      } else {
+        await createGroup.mutateAsync(payload);
+      }
+      onClose();
+    } catch {
+      // errors handled by hook toast
+    }
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={(isOpen) => !isOpen && onClose()}>
+      <DialogContent className="max-w-md">
+        <DialogHeader>
+          <DialogTitle>{isEdit ? 'Edit Group' : 'Create Group'}</DialogTitle>
+          <DialogDescription>
+            {isEdit
+              ? 'Update this proxy group.'
+              : 'Create a new proxy group to organize hosts.'}
+          </DialogDescription>
+        </DialogHeader>
+
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <div>
+            <label
+              htmlFor="group-name"
+              className="block text-sm font-medium text-content-primary mb-1.5"
+            >
+              Group Name{' '}
+              <span aria-hidden="true" className="text-error">
+                *
+              </span>
+            </label>
+            <Input
+              id="group-name"
+              value={name}
+              onChange={(e) => setName(e.target.value)}
+              placeholder="e.g. Production"
+              required
+              aria-required="true"
+            />
+          </div>
+
+          <div>
+            <label
+              htmlFor="group-description"
+              className="block text-sm font-medium text-content-primary mb-1.5"
+            >
+              Description
+            </label>
+            <Textarea
+              id="group-description"
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              placeholder="Optional description"
+              rows={2}
+            />
+          </div>
+
+          <div>
+            <span
+              id="color-label"
+              className="block text-sm font-medium text-content-primary mb-1.5"
+            >
+              Color
+            </span>
+            <div
+              className="flex flex-wrap items-center gap-2"
+              role="group"
+              aria-labelledby="color-label"
+            >
+              {COLOR_PRESETS.map((preset) => (
+                <button
+                  key={preset}
+                  type="button"
+                  aria-label={`Color ${preset}`}
+                  aria-pressed={color === preset}
+                  className="w-7 h-7 rounded-full border-2 transition-all focus:outline-none focus-visible:ring-2 focus-visible:ring-brand-500"
+                  style={{
+                    backgroundColor: preset,
+                    borderColor: color === preset ? 'white' : 'transparent',
+                    boxShadow: color === preset ? `0 0 0 2px ${preset}` : undefined,
+                  }}
+                  onClick={() => setColor(preset)}
+                />
+              ))}
+              <input
+                type="color"
+                value={color}
+                onChange={(e) => setColor(e.target.value)}
+                aria-label="Custom color"
+                className="w-7 h-7 rounded cursor-pointer border border-border bg-transparent"
+              />
+            </div>
+          </div>
+
+          <DialogFooter>
+            <Button type="button" variant="ghost" onClick={onClose} disabled={isPending}>
+              Cancel
+            </Button>
+            <Button type="submit" disabled={!name.trim() || isPending} isLoading={isPending}>
+              {isEdit ? 'Update' : 'Create'}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/frontend/src/components/__tests__/ProxyGroupBadge.test.tsx b/frontend/src/components/__tests__/ProxyGroupBadge.test.tsx
new file mode 100644
index 000000000..6db22c391
--- /dev/null
+++ b/frontend/src/components/__tests__/ProxyGroupBadge.test.tsx
@@ -0,0 +1,36 @@
+import { render, screen } from '@testing-library/react';
+import { describe, it, expect } from 'vitest';
+
+import { ProxyGroupBadge } from '../ProxyGroupBadge';
+
+describe('ProxyGroupBadge', () => {
+  it('renders group name', () => {
+    render(<ProxyGroupBadge group={{ name: 'Production', color: '#6366f1' }} />);
+    expect(screen.getByText('Production')).toBeInTheDocument();
+  });
+
+  it('renders color dot with correct background color', () => {
+    const { container } = render(
+      <ProxyGroupBadge group={{ name: 'Staging', color: '#ef4444' }} />,
+    );
+    const dot = container.querySelector('[aria-hidden="true"]');
+    expect(dot).toBeInTheDocument();
+    expect((dot as HTMLElement).style.backgroundColor).toBe('rgb(239, 68, 68)');
+  });
+
+  it('applies aria-hidden to the color dot', () => {
+    const { container } = render(
+      <ProxyGroupBadge group={{ name: 'Dev', color: '#10b981' }} />,
+    );
+    const dot = container.querySelector('[aria-hidden="true"]');
+    expect(dot).toHaveAttribute('aria-hidden', 'true');
+  });
+
+  it('applies className prop to the wrapper', () => {
+    const { container } = render(
+      <ProxyGroupBadge group={{ name: 'Test', color: '#6b7280' }} className="custom-class" />,
+    );
+    const wrapper = container.firstChild as HTMLElement;
+    expect(wrapper).toHaveClass('custom-class');
+  });
+});
diff --git a/frontend/src/components/__tests__/ProxyGroupForm.test.tsx b/frontend/src/components/__tests__/ProxyGroupForm.test.tsx
new file mode 100644
index 000000000..757de469d
--- /dev/null
+++ b/frontend/src/components/__tests__/ProxyGroupForm.test.tsx
@@ -0,0 +1,128 @@
+import { QueryClientProvider } from '@tanstack/react-query';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi, describe, it, expect, beforeEach } from 'vitest';
+
+import { createTestQueryClient } from '../../test/createTestQueryClient';
+import { ProxyGroupForm } from '../ProxyGroupForm';
+
+const mockMutateAsync = vi.fn();
+
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useCreateProxyGroup: vi.fn(() => ({
+    mutateAsync: mockMutateAsync,
+    isPending: false,
+  })),
+  useUpdateProxyGroup: vi.fn(() => ({
+    mutateAsync: mockMutateAsync,
+    isPending: false,
+  })),
+}));
+
+vi.mock('react-i18next', () => ({
+  useTranslation: () => ({
+    t: (key: string) => key,
+  }),
+}));
+
+function renderForm(props: Partial<React.ComponentProps<typeof ProxyGroupForm>> = {}) {
+  const qc = createTestQueryClient();
+  const mockClose = vi.fn();
+  const utils = render(
+    <QueryClientProvider client={qc}>
+      <ProxyGroupForm open={true} onClose={mockClose} {...props} />
+    </QueryClientProvider>,
+  );
+  return { ...utils, mockClose };
+}
+
+describe('ProxyGroupForm', () => {
+  const user = userEvent.setup();
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('renders create form when no group prop', () => {
+    renderForm();
+    expect(screen.getByText('Create Group')).toBeInTheDocument();
+    expect(screen.getByLabelText(/group name/i)).toBeInTheDocument();
+    expect(screen.getByLabelText(/description/i)).toBeInTheDocument();
+    expect(screen.getByRole('button', { name: /create/i })).toBeInTheDocument();
+  });
+
+  it('renders edit form with pre-filled values when group prop is provided', () => {
+    const group = {
+      uuid: 'test-uuid',
+      name: 'Production',
+      description: 'Prod env',
+      color: '#ef4444',
+      created_at: '2024-01-01T00:00:00Z',
+      updated_at: '2024-01-01T00:00:00Z',
+    };
+    renderForm({ group });
+    expect(screen.getByText('Edit Group')).toBeInTheDocument();
+    expect(screen.getByLabelText(/group name/i)).toHaveValue('Production');
+    expect(screen.getByLabelText(/description/i)).toHaveValue('Prod env');
+    expect(screen.getByRole('button', { name: /update/i })).toBeInTheDocument();
+  });
+
+  it('disables submit when name is empty', () => {
+    renderForm();
+    const submitBtn = screen.getByRole('button', { name: /create/i });
+    expect(submitBtn).toBeDisabled();
+  });
+
+  it('enables submit when name is filled', async () => {
+    renderForm();
+    await user.type(screen.getByLabelText(/group name/i), 'My Group');
+    const submitBtn = screen.getByRole('button', { name: /create/i });
+    expect(submitBtn).toBeEnabled();
+  });
+
+  it('calls create mutation on submit in create mode', async () => {
+    mockMutateAsync.mockResolvedValueOnce({});
+    const { mockClose } = renderForm();
+
+    await user.type(screen.getByLabelText(/group name/i), 'New Group');
+    await user.click(screen.getByRole('button', { name: /create/i }));
+
+    await waitFor(() => {
+      expect(mockMutateAsync).toHaveBeenCalledWith(
+        expect.objectContaining({ name: 'New Group' }),
+      );
+    });
+    await waitFor(() => expect(mockClose).toHaveBeenCalled());
+  });
+
+  it('calls update mutation on submit in edit mode', async () => {
+    mockMutateAsync.mockResolvedValueOnce({});
+    const group = {
+      uuid: 'edit-uuid',
+      name: 'Old Name',
+      description: '',
+      color: '#6366f1',
+      created_at: '2024-01-01T00:00:00Z',
+      updated_at: '2024-01-01T00:00:00Z',
+    };
+    const { mockClose } = renderForm({ group });
+
+    const nameInput = screen.getByLabelText(/group name/i);
+    await user.clear(nameInput);
+    await user.type(nameInput, 'New Name');
+    await user.click(screen.getByRole('button', { name: /update/i }));
+
+    await waitFor(() => {
+      expect(mockMutateAsync).toHaveBeenCalledWith(
+        expect.objectContaining({ uuid: 'edit-uuid', data: expect.objectContaining({ name: 'New Name' }) }),
+      );
+    });
+    await waitFor(() => expect(mockClose).toHaveBeenCalled());
+  });
+
+  it('closes when cancel is clicked', async () => {
+    const { mockClose } = renderForm();
+    await user.click(screen.getByRole('button', { name: /cancel/i }));
+    expect(mockClose).toHaveBeenCalled();
+  });
+});
diff --git a/frontend/src/hooks/useProxyGroups.ts b/frontend/src/hooks/useProxyGroups.ts
new file mode 100644
index 000000000..ee894298e
--- /dev/null
+++ b/frontend/src/hooks/useProxyGroups.ts
@@ -0,0 +1,60 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import toast from 'react-hot-toast';
+
+import { proxyGroupsApi, type CreateProxyGroupRequest } from '../api/proxyGroups';
+
+export const PROXY_GROUPS_QUERY_KEY = ['proxy-groups'];
+
+export function useProxyGroups() {
+  return useQuery({
+    queryKey: PROXY_GROUPS_QUERY_KEY,
+    queryFn: proxyGroupsApi.list,
+  });
+}
+
+export function useCreateProxyGroup() {
+  const queryClient = useQueryClient();
+
+  return useMutation({
+    mutationFn: (data: CreateProxyGroupRequest) => proxyGroupsApi.create(data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: PROXY_GROUPS_QUERY_KEY });
+      toast.success('Group created');
+    },
+    onError: (error: Error) => {
+      toast.error(`Failed to create group: ${error.message}`);
+    },
+  });
+}
+
+export function useUpdateProxyGroup() {
+  const queryClient = useQueryClient();
+
+  return useMutation({
+    mutationFn: ({ uuid, data }: { uuid: string; data: Partial<CreateProxyGroupRequest> }) =>
+      proxyGroupsApi.update(uuid, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: PROXY_GROUPS_QUERY_KEY });
+      toast.success('Group updated');
+    },
+    onError: (error: Error) => {
+      toast.error(`Failed to update group: ${error.message}`);
+    },
+  });
+}
+
+export function useDeleteProxyGroup() {
+  const queryClient = useQueryClient();
+
+  return useMutation({
+    mutationFn: (uuid: string) => proxyGroupsApi.delete(uuid),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: PROXY_GROUPS_QUERY_KEY });
+      queryClient.invalidateQueries({ queryKey: ['proxy-hosts'] });
+      toast.success('Group deleted — hosts moved to Ungrouped');
+    },
+    onError: (error: Error) => {
+      toast.error(`Failed to delete group: ${error.message}`);
+    },
+  });
+}
diff --git a/frontend/src/locales/de/translation.json b/frontend/src/locales/de/translation.json
index cd2d05d40..45250b2ff 100644
--- a/frontend/src/locales/de/translation.json
+++ b/frontend/src/locales/de/translation.json
@@ -156,6 +156,23 @@
     "noSecurityProfile": "Keine (Profil entfernen)",
     "removeSecurityHeadersWarning": "Dies entfernt das Sicherheitsheader-Profil von allen ausgewählten Hosts und kann deren Sicherheitslage verringern."
   },
+  "proxyGroups": {
+    "group": "Gruppe",
+    "manageGroups": "Gruppen verwalten",
+    "createGroup": "Gruppe erstellen",
+    "editGroup": "Gruppe bearbeiten",
+    "deleteGroup": "Gruppe löschen",
+    "deleteGroupConfirm": "Gruppe löschen? Alle Hosts werden in Nicht gruppiert verschoben.",
+    "groupName": "Gruppenname",
+    "groupDescription": "Beschreibung",
+    "groupColor": "Farbe",
+    "noGroups": "Noch keine Gruppen",
+    "ungrouped": "Nicht gruppiert",
+    "assignToGroup": "Gruppe zuweisen",
+    "hostCount_one": "{{count}} Host",
+    "hostCount_other": "{{count}} Hosts",
+    "hostCount": "{{count}} Hosts"
+  },
   "certificates": {
     "title": "SSL-Zertifikate",
     "description": "SSL/TLS-Zertifikate für Ihre Proxy-Hosts verwalten",
diff --git a/frontend/src/locales/en/translation.json b/frontend/src/locales/en/translation.json
index 726add412..2912f0150 100644
--- a/frontend/src/locales/en/translation.json
+++ b/frontend/src/locales/en/translation.json
@@ -170,6 +170,23 @@
     "noSecurityProfile": "None (Remove Profile)",
     "removeSecurityHeadersWarning": "This will remove the security header profile from all selected hosts, potentially reducing their security posture."
   },
+  "proxyGroups": {
+    "group": "Group",
+    "manageGroups": "Manage Groups",
+    "createGroup": "Create Group",
+    "editGroup": "Edit Group",
+    "deleteGroup": "Delete Group",
+    "deleteGroupConfirm": "Delete this group? All hosts will be moved to Ungrouped.",
+    "groupName": "Group Name",
+    "groupDescription": "Description",
+    "groupColor": "Color",
+    "noGroups": "No groups yet",
+    "ungrouped": "Ungrouped",
+    "assignToGroup": "Assign to Group",
+    "hostCount_one": "{{count}} host",
+    "hostCount_other": "{{count}} hosts",
+    "hostCount": "{{count}} hosts"
+  },
   "certificates": {
     "title": "SSL Certificates",
     "description": "Manage SSL/TLS certificates for your proxy hosts",
diff --git a/frontend/src/locales/es/translation.json b/frontend/src/locales/es/translation.json
index 760a6ca3b..ba9bc357b 100644
--- a/frontend/src/locales/es/translation.json
+++ b/frontend/src/locales/es/translation.json
@@ -156,6 +156,23 @@
     "noSecurityProfile": "Ninguno (Eliminar Perfil)",
     "removeSecurityHeadersWarning": "Esto eliminará el perfil de cabeceras de seguridad de todos los hosts seleccionados, lo que podría reducir su postura de seguridad."
   },
+  "proxyGroups": {
+    "group": "Grupo",
+    "manageGroups": "Gestionar Grupos",
+    "createGroup": "Crear Grupo",
+    "editGroup": "Editar Grupo",
+    "deleteGroup": "Eliminar Grupo",
+    "deleteGroupConfirm": "¿Eliminar este grupo? Todos los hosts se moverán a Sin Grupo.",
+    "groupName": "Nombre del Grupo",
+    "groupDescription": "Descripción",
+    "groupColor": "Color",
+    "noGroups": "Aún no hay grupos",
+    "ungrouped": "Sin Grupo",
+    "assignToGroup": "Asignar a Grupo",
+    "hostCount_one": "{{count}} host",
+    "hostCount_other": "{{count}} hosts",
+    "hostCount": "{{count}} hosts"
+  },
   "certificates": {
     "title": "Certificados SSL",
     "description": "Gestiona certificados SSL/TLS para tus hosts proxy",
diff --git a/frontend/src/locales/fr/translation.json b/frontend/src/locales/fr/translation.json
index f1a96e35f..1379030d6 100644
--- a/frontend/src/locales/fr/translation.json
+++ b/frontend/src/locales/fr/translation.json
@@ -156,6 +156,23 @@
     "noSecurityProfile": "Aucun (Supprimer le Profil)",
     "removeSecurityHeadersWarning": "Cela supprimera le profil d'en-têtes de sécurité de tous les hôtes sélectionnés, ce qui pourrait réduire leur posture de sécurité."
   },
+  "proxyGroups": {
+    "group": "Groupe",
+    "manageGroups": "Gérer les Groupes",
+    "createGroup": "Créer un Groupe",
+    "editGroup": "Modifier le Groupe",
+    "deleteGroup": "Supprimer le Groupe",
+    "deleteGroupConfirm": "Supprimer ce groupe ? Tous les hôtes seront déplacés dans Non groupé.",
+    "groupName": "Nom du Groupe",
+    "groupDescription": "Description",
+    "groupColor": "Couleur",
+    "noGroups": "Aucun groupe pour l'instant",
+    "ungrouped": "Non groupé",
+    "assignToGroup": "Assigner à un Groupe",
+    "hostCount_one": "{{count}} hôte",
+    "hostCount_other": "{{count}} hôtes",
+    "hostCount": "{{count}} hôtes"
+  },
   "certificates": {
     "title": "Certificats SSL",
     "description": "Gérer les certificats SSL/TLS pour vos hôtes proxy",
diff --git a/frontend/src/locales/zh/translation.json b/frontend/src/locales/zh/translation.json
index 93e4141f8..f5fddbd0e 100644
--- a/frontend/src/locales/zh/translation.json
+++ b/frontend/src/locales/zh/translation.json
@@ -156,6 +156,23 @@
     "noSecurityProfile": "无（移除配置文件）",
     "removeSecurityHeadersWarning": "这将从所有选定的主机中移除安全标头配置文件，可能降低其安全态势。"
   },
+  "proxyGroups": {
+    "group": "分组",
+    "manageGroups": "管理分组",
+    "createGroup": "创建分组",
+    "editGroup": "编辑分组",
+    "deleteGroup": "删除分组",
+    "deleteGroupConfirm": "删除此分组？所有主机将移至未分组。",
+    "groupName": "分组名称",
+    "groupDescription": "描述",
+    "groupColor": "颜色",
+    "noGroups": "暂无分组",
+    "ungrouped": "未分组",
+    "assignToGroup": "分配到分组",
+    "hostCount_one": "{{count}} 个主机",
+    "hostCount_other": "{{count}} 个主机",
+    "hostCount": "{{count}} 个主机"
+  },
   "certificates": {
     "title": "SSL证书",
     "description": "管理代理主机的SSL/TLS证书",
diff --git a/frontend/src/pages/ProxyHosts.tsx b/frontend/src/pages/ProxyHosts.tsx
index 386455f44..13e354a29 100644
--- a/frontend/src/pages/ProxyHosts.tsx
+++ b/frontend/src/pages/ProxyHosts.tsx
@@ -1,5 +1,5 @@
 import { useQuery } from '@tanstack/react-query'
-import { Loader2, ExternalLink, AlertTriangle, Trash2, Globe, Settings } from 'lucide-react'
+import { Loader2, ExternalLink, AlertTriangle, Trash2, Globe, Settings, FolderOpen } from 'lucide-react'
 import { useState, useMemo } from 'react'
 import { toast } from 'react-hot-toast'
 import { useTranslation } from 'react-i18next'
@@ -32,11 +32,15 @@ import {
 import { useAccessLists } from '../hooks/useAccessLists'
 import { useCertificates } from '../hooks/useCertificates'
 import { useProxyHosts } from '../hooks/useProxyHosts'
+import { useDeleteProxyGroup, useProxyGroups } from '../hooks/useProxyGroups'
 import { useSecurityHeaderProfiles } from '../hooks/useSecurityHeaders'
+import { ProxyGroupBadge } from '../components/ProxyGroupBadge'
+import { ProxyGroupForm } from '../components/ProxyGroupForm'
 import compareHosts from '../utils/compareHosts'
 import { formatSettingLabel, settingHelpText, applyBulkSettingsToHosts } from '../utils/proxyHostsHelpers'
 
 import type { AccessList } from '../api/accessLists'
+import type { ProxyGroup } from '../api/proxyGroups'
 import type { ProxyHost } from '../api/proxyHosts'
 
 
@@ -77,6 +81,13 @@ export default function ProxyHosts() {
     profileId: number | null;
   }>({ apply: false, profileId: null })
   const [hostToDelete, setHostToDelete] = useState<ProxyHost | null>(null)
+  const [showGroupForm, setShowGroupForm] = useState(false)
+  const [editingGroup, setEditingGroup] = useState<ProxyGroup | undefined>()
+  const [groupToDelete, setGroupToDelete] = useState<ProxyGroup | null>(null)
+  const [showAssignGroupModal, setShowAssignGroupModal] = useState(false)
+  const [assignTargetGroupUUID, setAssignTargetGroupUUID] = useState<string | null>(null)
+  const { data: groups = [] } = useProxyGroups()
+  const deleteGroup = useDeleteProxyGroup()
 
   const { data: settings } = useQuery({
     queryKey: ['settings'],
@@ -116,6 +127,21 @@ export default function ProxyHosts() {
   // Sort hosts alphabetically by name for display
   const sortedHosts = useMemo(() => [...hosts].sort((a, b) => compareHosts(a, b, 'name', 'asc')), [hosts])
 
+  const groupedHosts = useMemo(() => {
+    const byGroup: Record<string, ProxyHost[]> = {}
+    const ungrouped: ProxyHost[] = []
+    for (const host of sortedHosts) {
+      const gid = host.proxy_group?.uuid
+      if (gid) {
+        if (!byGroup[gid]) byGroup[gid] = []
+        byGroup[gid].push(host)
+      } else {
+        ungrouped.push(host)
+      }
+    }
+    return { byGroup, ungrouped }
+  }, [sortedHosts])
+
   const handleDomainClick = (e: React.MouseEvent, url: string) => {
     if (linkBehavior === 'new_window') {
       e.preventDefault()
@@ -495,6 +521,17 @@ export default function ProxyHosts() {
         </div>
       ),
     },
+    {
+      key: 'group',
+      header: t('proxyGroups.group'),
+      width: '12%',
+      cell: (host) =>
+        host.proxy_group ? (
+          <ProxyGroupBadge group={host.proxy_group} />
+        ) : (
+          <span className="text-content-muted text-sm">—</span>
+        ),
+    },
     {
       key: 'status',
       header: t('proxyHosts.columnStatus'),
@@ -557,6 +594,16 @@ export default function ProxyHosts() {
         actions={
           <div className="flex items-center gap-3">
             {isFetching && !loading && <Loader2 className="animate-spin text-brand-400" size={20} />}
+            <Button
+              variant="outline"
+              leftIcon={FolderOpen}
+              onClick={() => {
+                setEditingGroup(undefined)
+                setShowGroupForm(true)
+              }}
+            >
+              {t('proxyGroups.manageGroups')}
+            </Button>
             <Button onClick={handleAdd}>{t('proxyHosts.addHost')}</Button>
           </div>
         }
@@ -593,6 +640,18 @@ export default function ProxyHosts() {
               >
                 {t('proxyHosts.manageACL')}
               </Button>
+              {groups.length > 0 && (
+                <Button
+                  variant="outline"
+                  size="sm"
+                  onClick={() => {
+                    setAssignTargetGroupUUID(groups[0].uuid)
+                    setShowAssignGroupModal(true)
+                  }}
+                >
+                  {t('proxyGroups.assignToGroup')}
+                </Button>
+              )}
               <Button
                 variant="danger"
                 size="sm"
@@ -608,7 +667,7 @@ export default function ProxyHosts() {
         {/* Data Table */}
         {loading ? (
           <SkeletonTable rows={5} columns={7} />
-        ) : (
+        ) : groups.length === 0 ? (
           <DataTable
             data={sortedHosts}
             columns={columns}
@@ -629,6 +688,96 @@ export default function ProxyHosts() {
               />
             }
           />
+        ) : (
+          <div className="space-y-6">
+            {groups.map((group) => {
+              const groupHosts = groupedHosts.byGroup[group.uuid] ?? []
+              return (
+                <section key={group.uuid} aria-label={group.name}>
+                  <div className="flex items-center justify-between mb-2">
+                    <div className="flex items-center gap-2">
+                      <span
+                        className="inline-block w-3 h-3 rounded-full shrink-0"
+                        style={{ backgroundColor: group.color ?? '#6b7280' }}
+                        aria-hidden="true"
+                      />
+                      <h2 className="text-sm font-semibold text-content-primary">{group.name}</h2>
+                      <span className="text-xs text-content-muted">
+                        {t('proxyGroups.hostCount', { count: groupHosts.length })}
+                      </span>
+                    </div>
+                    <div className="flex items-center gap-1">
+                      <Button
+                        variant="ghost"
+                        size="sm"
+                        aria-label={`Edit group ${group.name}`}
+                        onClick={() => {
+                          setEditingGroup(group)
+                          setShowGroupForm(true)
+                        }}
+                      >
+                        {t('common.edit')}
+                      </Button>
+                      <Button
+                        variant="ghost"
+                        size="sm"
+                        className="text-error hover:text-error hover:bg-error/10"
+                        aria-label={`Delete group ${group.name}`}
+                        onClick={() => setGroupToDelete(group)}
+                      >
+                        {t('common.delete')}
+                      </Button>
+                    </div>
+                  </div>
+                  <DataTable
+                    data={groupHosts}
+                    columns={columns}
+                    rowKey={(row) => row.uuid}
+                    selectable
+                    selectedKeys={selectedHosts}
+                    onSelectionChange={setSelectedHosts}
+                    emptyState={
+                      <EmptyState
+                        icon={<Globe className="h-10 w-10" />}
+                        title={t('proxyHosts.noHosts')}
+                        description={t('proxyHosts.noHostsDescription')}
+                        action={{ label: t('proxyHosts.addHost'), onClick: handleAdd }}
+                      />
+                    }
+                  />
+                </section>
+              )
+            })}
+            {groupedHosts.ungrouped.length > 0 && (
+              <section aria-label={t('proxyGroups.ungrouped')}>
+                <div className="flex items-center gap-2 mb-2">
+                  <h2 className="text-sm font-semibold text-content-muted">
+                    {t('proxyGroups.ungrouped')}
+                  </h2>
+                  <span className="text-xs text-content-muted">
+                    {t('proxyGroups.hostCount', { count: groupedHosts.ungrouped.length })}
+                  </span>
+                </div>
+                <DataTable
+                  data={groupedHosts.ungrouped}
+                  columns={columns}
+                  rowKey={(row) => row.uuid}
+                  selectable
+                  selectedKeys={selectedHosts}
+                  onSelectionChange={setSelectedHosts}
+                  emptyState={null}
+                />
+              </section>
+            )}
+            {sortedHosts.length === 0 && (
+              <EmptyState
+                icon={<Globe className="h-12 w-12" />}
+                title={t('proxyHosts.noHosts')}
+                description={t('proxyHosts.noHostsDescription')}
+                action={{ label: t('proxyHosts.addHost'), onClick: handleAdd }}
+              />
+            )}
+          </div>
         )}
 
         {/* Add/Edit Form Dialog */}
@@ -1166,6 +1315,105 @@ export default function ProxyHosts() {
             isBulk={certCleanupData.isBulk}
           />
         )}
+
+        {/* Proxy Group Form Dialog */}
+        <ProxyGroupForm
+          open={showGroupForm}
+          onClose={() => {
+            setShowGroupForm(false)
+            setEditingGroup(undefined)
+          }}
+          group={editingGroup}
+        />
+
+        {/* Delete Group Confirmation Dialog */}
+        <Dialog open={!!groupToDelete} onOpenChange={(open) => !open && setGroupToDelete(null)}>
+          <DialogContent className="max-w-md">
+            <DialogHeader>
+              <DialogTitle>{t('proxyGroups.deleteGroup')}</DialogTitle>
+              <DialogDescription>{t('proxyGroups.deleteGroupConfirm')}</DialogDescription>
+            </DialogHeader>
+            <DialogFooter>
+              <Button variant="ghost" onClick={() => setGroupToDelete(null)}>
+                {t('common.cancel')}
+              </Button>
+              <Button
+                variant="danger"
+                onClick={async () => {
+                  if (!groupToDelete) return
+                  try {
+                    await deleteGroup.mutateAsync(groupToDelete.uuid)
+                  } catch {
+                    // errors handled by hook toast
+                  } finally {
+                    setGroupToDelete(null)
+                  }
+                }}
+                isLoading={deleteGroup.isPending}
+              >
+                {t('common.delete')}
+              </Button>
+            </DialogFooter>
+          </DialogContent>
+        </Dialog>
+
+        {/* Assign to Group Dialog */}
+        <Dialog open={showAssignGroupModal} onOpenChange={(open) => !open && setShowAssignGroupModal(false)}>
+          <DialogContent className="max-w-sm">
+            <DialogHeader>
+              <DialogTitle>{t('proxyGroups.assignToGroup')}</DialogTitle>
+              <DialogDescription>
+                {selectedHosts.size} host(s) selected
+              </DialogDescription>
+            </DialogHeader>
+            <div className="py-2">
+              <label htmlFor="assign-group-select" className="block text-sm font-medium text-content-primary mb-1.5">
+                {t('proxyGroups.group')}
+              </label>
+              <select
+                id="assign-group-select"
+                value={assignTargetGroupUUID ?? ''}
+                onChange={(e) => setAssignTargetGroupUUID(e.target.value || null)}
+                className="w-full rounded-md border border-border bg-surface-primary text-content-primary px-3 py-2 text-sm focus:outline-none focus:ring-2 focus:ring-brand-500"
+              >
+                <option value="">{t('proxyGroups.ungrouped')}</option>
+                {groups.map((g) => (
+                  <option key={g.uuid} value={g.uuid}>
+                    {g.name}
+                  </option>
+                ))}
+              </select>
+            </div>
+            <DialogFooter>
+              <Button variant="ghost" onClick={() => setShowAssignGroupModal(false)}>
+                {t('common.cancel')}
+              </Button>
+              <Button
+                onClick={async () => {
+                  const targetGroup = assignTargetGroupUUID
+                    ? groups.find((g) => g.uuid === assignTargetGroupUUID) ?? null
+                    : null
+                  const uuids = Array.from(selectedHosts)
+                  try {
+                    await Promise.all(
+                      uuids.map((uuid) =>
+                        updateHost(uuid, {
+                          proxy_group_id: targetGroup ? targetGroup.uuid : null,
+                        })
+                      )
+                    )
+                    setShowAssignGroupModal(false)
+                    setSelectedHosts(new Set())
+                  } catch {
+                    // errors handled individually
+                  }
+                }}
+              >
+                {t('common.save')}
+              </Button>
+            </DialogFooter>
+          </DialogContent>
+        </Dialog>
       </PageShell>
     </>
   )
diff --git a/frontend/src/pages/__tests__/ProxyHosts-bulk-acl.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-bulk-acl.test.tsx
index 9660716bc..4848e4938 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-bulk-acl.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-bulk-acl.test.tsx
@@ -62,6 +62,12 @@ vi.mock('../../api/settings', () => ({
 
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+}))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
 }));
 
 const mockProxyHosts = [
diff --git a/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-all-settings.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-all-settings.test.tsx
index 1b0a66601..42fd0a866 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-all-settings.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-all-settings.test.tsx
@@ -24,6 +24,12 @@ vi.mock('../../api/accessLists', () => ({ accessListsApi: { list: vi.fn() } }));
 vi.mock('../../api/settings', () => ({ getSettings: vi.fn() }));
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+}))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
 }));
 
 const hosts = [
diff --git a/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-progress.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-progress.test.tsx
index bc3230af5..2fd157a66 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-progress.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-bulk-apply-progress.test.tsx
@@ -23,6 +23,12 @@ vi.mock('../../api/settings', () => ({ getSettings: vi.fn() }))
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
 }))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+}))
 
 const hosts = [
   createMockProxyHost({ uuid: 'p1', name: 'Progress 1', domain_names: 'p1.example.com' }),
diff --git a/frontend/src/pages/__tests__/ProxyHosts-bulk-apply.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-bulk-apply.test.tsx
index 8d573ac08..a07028c5c 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-bulk-apply.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-bulk-apply.test.tsx
@@ -35,6 +35,12 @@ vi.mock('../../api/accessLists', () => ({ accessListsApi: { list: vi.fn() } }));
 vi.mock('../../api/settings', () => ({ getSettings: vi.fn() }));
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+}))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
 }));
 
 const mockProxyHosts = [
diff --git a/frontend/src/pages/__tests__/ProxyHosts-bulk-delete.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-bulk-delete.test.tsx
index f3ed58709..78067b5ca 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-bulk-delete.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-bulk-delete.test.tsx
@@ -63,6 +63,12 @@ vi.mock('../../api/settings', () => ({
 
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+}))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
 }));
 
 const mockProxyHosts = [
diff --git a/frontend/src/pages/__tests__/ProxyHosts-cert-cleanup.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-cert-cleanup.test.tsx
index 245d0fa4b..772e5e2c1 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-cert-cleanup.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-cert-cleanup.test.tsx
@@ -44,6 +44,12 @@ vi.mock('../../api/uptime', () => ({ getMonitors: vi.fn() }))
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
 }))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+}))
 
 const createQueryClient = () => new QueryClient({
   defaultOptions: {
diff --git a/frontend/src/pages/__tests__/ProxyHosts-coverage-isolated.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-coverage-isolated.test.tsx
index bf160e6cc..bf31bff1e 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-coverage-isolated.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-coverage-isolated.test.tsx
@@ -85,6 +85,13 @@ describe('ProxyHosts page - coverage targets (isolated)', () => {
       useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null }))
     }))
 
+    vi.doMock('../../hooks/useProxyGroups', () => ({
+      useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+      useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+      useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+      useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+    }))
+
     vi.doMock('../../api/settings', () => ({ getSettings: vi.fn(() => Promise.resolve({ 'ui.domain_link_behavior': 'new_window' })) }))
 
     // Import page after mocks are in place
diff --git a/frontend/src/pages/__tests__/ProxyHosts-coverage.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-coverage.test.tsx
index b25ed93ec..8a9f77dca 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-coverage.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-coverage.test.tsx
@@ -36,6 +36,12 @@ vi.mock('../../api/uptime', () => ({ getMonitors: vi.fn() }))
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
 }))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+}))
 
 const createQueryClient = () => new QueryClient({ defaultOptions: { queries: { retry: false, gcTime: 0 }, mutations: { retry: false } } })
 
diff --git a/frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx
index 386c89e2d..16f1efdf2 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx
@@ -21,6 +21,12 @@ vi.mock('../../hooks/useAccessLists', () => ({ useAccessLists: vi.fn() }))
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
 }))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+}))
 vi.mock('../../api/settings', () => ({ getSettings: vi.fn() }))
 vi.mock('../../api/uptime', () => ({ getMonitors: vi.fn() }))
 vi.mock('../../api/backups', () => ({ createBackup: vi.fn() }))
diff --git a/frontend/src/pages/__tests__/ProxyHosts-progress.test.tsx b/frontend/src/pages/__tests__/ProxyHosts-progress.test.tsx
index d166c77c6..8ca940234 100644
--- a/frontend/src/pages/__tests__/ProxyHosts-progress.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts-progress.test.tsx
@@ -33,6 +33,12 @@ vi.mock('../../api/settings', () => ({ getSettings: vi.fn() }))
 vi.mock('../../hooks/useSecurityHeaders', () => ({
   useSecurityHeaderProfiles: vi.fn(() => ({ data: [], isLoading: false, error: null })),
 }))
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+}))
 
 const createQueryClient = () => new QueryClient({ defaultOptions: { queries: { retry: false, gcTime: 0 }, mutations: { retry: false } } })
 const renderWithProviders = (ui: React.ReactNode) => {
diff --git a/frontend/src/pages/__tests__/ProxyHosts.bulkApplyHeaders.test.tsx b/frontend/src/pages/__tests__/ProxyHosts.bulkApplyHeaders.test.tsx
index 8cd7e7d7a..96068f901 100644
--- a/frontend/src/pages/__tests__/ProxyHosts.bulkApplyHeaders.test.tsx
+++ b/frontend/src/pages/__tests__/ProxyHosts.bulkApplyHeaders.test.tsx
@@ -41,6 +41,15 @@ vi.mock('../../api/securityHeaders', () => ({
     listProfiles: vi.fn(),
   },
 }));
+vi.mock('../../hooks/useProxyGroups', () => ({
+  useProxyGroups: vi.fn(() => ({ data: [], isLoading: false, error: null })),
+  useCreateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useUpdateProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+  useDeleteProxyGroup: vi.fn(() => ({ mutateAsync: vi.fn(), isPending: false })),
+}))
+vi.mock('../../hooks/useSecurityHeaders', () => ({
+  useSecurityHeaderProfiles: vi.fn(() => ({ data: mockSecurityProfiles, isLoading: false, error: null })),
+}));
 
 const mockProxyHosts = [
   createMockProxyHost({
diff --git a/frontend/vitest.config.ts b/frontend/vitest.config.ts
index ef779f924..362d8f415 100644
--- a/frontend/vitest.config.ts
+++ b/frontend/vitest.config.ts
@@ -35,6 +35,7 @@ export default defineConfig({
     coverage: {
       provider: 'v8',
       clean: false,
+      reportOnFailure: true,
       reportsDirectory: coverageReportsDirectory,
       reporter: ['text', 'json', 'html', 'lcov', 'json-summary'],
       exclude: [
diff --git a/go.work.sum b/go.work.sum
index 504d7802f..06a7d5d8f 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -127,6 +127,7 @@ golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
diff --git a/tests/proxy-groups.spec.ts b/tests/proxy-groups.spec.ts
new file mode 100644
index 000000000..435b4b783
--- /dev/null
+++ b/tests/proxy-groups.spec.ts
@@ -0,0 +1,101 @@
+import { test, expect } from './fixtures/test';
+import { waitForAPIHealth } from './utils/api-helpers';
+import { getToastLocator } from './utils/ui-helpers';
+import {
+  waitForAPIResponse,
+  waitForDialog,
+  waitForLoadingComplete,
+} from './utils/wait-helpers';
+
+test.describe('Proxy Groups', () => {
+  test.beforeEach(async ({ page }) => {
+    await waitForAPIHealth(page);
+    await page.goto('/proxy-hosts');
+    await waitForLoadingComplete(page);
+  });
+
+  test.describe('Group Management', () => {
+    test('should open Manage Groups dialog', async ({ page }) => {
+      await page.getByRole('button', { name: /manage groups/i }).click();
+      await waitForDialog(page);
+      await expect(page.getByRole('dialog')).toBeVisible();
+    });
+
+    test('should create a new proxy group', async ({ page }) => {
+      await page.getByRole('button', { name: /manage groups/i }).click();
+      await waitForDialog(page);
+
+      const responsePromise = waitForAPIResponse(page, '/api/proxy-groups');
+      await page.getByRole('button', { name: /create group/i }).click();
+
+      await page.getByRole('dialog').last().waitFor({ state: 'visible' });
+      await page.getByLabel(/group name/i).fill('Test Group');
+
+      const savePromise = waitForAPIResponse(page, '/api/proxy-groups');
+      await page.getByRole('button', { name: /save/i }).click();
+      await savePromise;
+
+      await expect(getToastLocator(page)).toBeVisible();
+      await responsePromise;
+    });
+
+    test('should show validation error when name is empty', async ({ page }) => {
+      await page.getByRole('button', { name: /manage groups/i }).click();
+      await waitForDialog(page);
+
+      await page.getByRole('button', { name: /create group/i }).click();
+      await page.getByRole('dialog').last().waitFor({ state: 'visible' });
+
+      await page.getByRole('button', { name: /save/i }).click();
+
+      const nameInput = page.getByLabel(/group name/i);
+      await expect(nameInput).toBeFocused();
+    });
+
+    test('should allow selecting a preset color', async ({ page }) => {
+      await page.getByRole('button', { name: /manage groups/i }).click();
+      await waitForDialog(page);
+
+      await page.getByRole('button', { name: /create group/i }).click();
+      await page.getByRole('dialog').last().waitFor({ state: 'visible' });
+
+      await page.getByLabel(/group name/i).fill('Colored Group');
+
+      const colorSwatches = page.locator('[data-testid="color-swatch"], button[title]').filter({ hasText: '' });
+      if (await colorSwatches.count() > 0) {
+        await colorSwatches.first().click();
+      }
+
+      await expect(page.getByLabel(/group name/i)).toHaveValue('Colored Group');
+    });
+  });
+
+  test.describe('Grouped Display', () => {
+    test('should show ungrouped section when groups exist', async ({ page }) => {
+      const hasGroups = await page.getByRole('button', { name: /manage groups/i }).isVisible();
+      expect(hasGroups).toBe(true);
+    });
+
+    test('should display flat table when no groups exist', async ({ page }) => {
+      const table = page.getByRole('table').first();
+      await expect(table).toBeVisible();
+    });
+  });
+
+  test.describe('Bulk Assignment', () => {
+    test('Assign to Group button is conditionally visible', async ({ page }) => {
+      const checkboxes = page.getByRole('checkbox');
+      const count = await checkboxes.count();
+
+      if (count > 1) {
+        await checkboxes.first().check();
+
+        const assignBtn = page.getByRole('button', { name: /assign to group/i });
+        const isVisible = await assignBtn.isVisible();
+        if (isVisible) {
+          await expect(assignBtn).toBeVisible();
+        }
+      }
+    });
+  });
+});