[misc] fix MSI generation add installer tests (#6031)

Add Windows installer build test workflow

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.2"
+  SIGN_PIPE_VER: "v0.1.4"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -114,7 +114,13 @@ jobs:
           retention-days: 30
 
   release:
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-24.04-8-core
+    outputs:
+      release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
+      linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
+      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
+      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
+      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
     env:
       flags: ""
     steps:
@@ -213,10 +219,13 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: Tag and push images (amd64 only)
+        id: tag_and_push_images
         if: |
           (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
           (github.event_name == 'push' && github.ref == 'refs/heads/main')
         run: |
+          set -euo pipefail
+
           resolve_tags() {
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               echo "pr-${{ github.event.pull_request.number }}"
@@ -225,6 +234,17 @@ jobs:
             fi
           }
 
+          ghcr_package_url() {
+            local image="$1" package encoded_package
+            package="${image#ghcr.io/}"
+            package="${package#*/}"
+            package="${package%%:*}"
+            encoded_package="${package//\//%2F}"
+            echo "https://github.com/orgs/netbirdio/packages/container/package/${encoded_package}"
+          }
+
+          image_refs=()
+
           tag_and_push() {
             local src="$1" img_name tag dst
             img_name="${src%%:*}"
@@ -233,35 +253,56 @@ jobs:
               echo "Tagging ${src} -> ${dst}"
               docker tag "$src" "$dst"
               docker push "$dst"
+              image_refs+=("$dst")
             done
           }
 
-          export -f tag_and_push resolve_tags
+          cat > /tmp/goreleaser-artifacts.json <<'JSON'
+          ${{ steps.goreleaser.outputs.artifacts }}
+          JSON
 
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              tag_and_push "$SRC"
-            done
+          mapfile -t src_images < <(
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name | select(startswith("ghcr.io/"))' /tmp/goreleaser-artifacts.json
+          )
+
+          for src in "${src_images[@]}"; do
+            tag_and_push "$src"
+          done
+
+          {
+            echo "images_markdown<<EOF"
+            if [[ ${#image_refs[@]} -eq 0 ]]; then
+              echo "_No GHCR images were pushed._"
+            else
+              printf '%s\n' "${image_refs[@]}" | sort -u | while read -r image; do
+                printf -- '- [`%s`](%s)\n' "$image" "$(ghcr_package_url "$image")"
+              done
+            fi
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
       - name: upload non tags for debug purposes
+        id: upload_release
         uses: actions/upload-artifact@v4
         with:
           name: release
           path: dist/
           retention-days: 7
       - name: upload linux packages
+        id: upload_linux_packages
         uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
           retention-days: 7
       - name: upload windows packages
+        id: upload_windows_packages
         uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
           retention-days: 7
       - name: upload macos packages
+        id: upload_macos_packages
         uses: actions/upload-artifact@v4
         with:
           name: macos-packages
@@ -270,6 +311,8 @@ jobs:
 
   release_ui:
     runs-on: ubuntu-latest
+    outputs:
+      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
       - name: Parse semver string
         id: semver_parser
@@ -360,6 +403,7 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: upload non tags for debug purposes
+        id: upload_release_ui
         uses: actions/upload-artifact@v4
         with:
           name: release-ui
@@ -368,6 +412,8 @@ jobs:
 
   release_ui_darwin:
     runs-on: macos-latest
+    outputs:
+      release_ui_darwin_artifact_url: ${{ steps.upload_release_ui_darwin.outputs.artifact-url }}
     steps:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -402,15 +448,258 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: upload non tags for debug purposes
+        id: upload_release_ui_darwin
         uses: actions/upload-artifact@v4
         with:
           name: release-ui-darwin
           path: dist/
           retention-days: 3
 
-  trigger_signer:
+  test_windows_installer:
+    name: "Windows Installer / Build Test"
+    runs-on: windows-2022
+    needs: [release, release_ui]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            wintun_arch: amd64
+          - arch: arm64
+            wintun_arch: arm64
+    defaults:
+      run:
+        shell: powershell
+    env:
+      PackageWorkdir: netbird_windows_${{ matrix.arch }}
+      downloadPath: '${{ github.workspace }}\temp'
+    steps:
+      - name: Parse semver string
+        id: semver_parser
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Add 7-Zip to PATH
+        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+      - name: Download release artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: release
+          path: release
+
+      - name: Download UI release artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: release-ui
+          path: release-ui
+
+      - name: Stage binaries into dist
+        run: |
+          $workdir = "dist\${{ env.PackageWorkdir }}"
+          New-Item -ItemType Directory -Force -Path $workdir | Out-Null
+          $client = Get-ChildItem -Recurse -Path release -Filter "netbird_*_windows_${{ matrix.arch }}.tar.gz" | Select-Object -First 1
+          $ui = Get-ChildItem -Recurse -Path release-ui -Filter "netbird-ui-windows_*_windows_${{ matrix.arch }}.tar.gz" | Select-Object -First 1
+          if (-not $client) { Write-Host "::error::client tarball not found for ${{ matrix.arch }}"; exit 1 }
+          if (-not $ui) { Write-Host "::error::ui tarball not found for ${{ matrix.arch }}"; exit 1 }
+          Write-Host "Client: $($client.FullName)"
+          Write-Host "UI:     $($ui.FullName)"
+          tar -zvxf $client.FullName -C $workdir
+          tar -zvxf $ui.FullName -C $workdir
+          Get-ChildItem $workdir
+
+      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
+        id: download-wintun
+        with:
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+
+      - name: Decompress wintun files
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+
+      - name: Move wintun.dll into dist
+        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
+
+      - name: Download Mesa3D (amd64 only)
+        uses: carlosperate/download-file-action@v2
+        id: download-mesa3d
+        if: matrix.arch == 'amd64'
+        with:
+          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
+          file-name: mesa3d.7z
+          location: ${{ env.downloadPath }}
+          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
+
+      - name: Extract Mesa3D driver (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: 7z x -o"${{ env.downloadPath }}" "${{ env.downloadPath }}/mesa3d.7z"
+
+      - name: Move opengl32.dll into dist (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
+
+      - name: Download EnVar plugin for NSIS
+        uses: carlosperate/download-file-action@v2
+        with:
+          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
+          file-name: envar_plugin.zip
+          location: ${{ github.workspace }}
+
+      - name: Extract EnVar plugin
+        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"
+
+      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
+        uses: carlosperate/download-file-action@v2
+        if: matrix.arch == 'amd64'
+        with:
+          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
+          file-name: ShellExecAsUser_amd64-Unicode.7z
+          location: ${{ github.workspace }}
+
+      - name: Extract ShellExecAsUser plugin (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"
+
+      - name: Build NSIS installer
+        uses: joncloud/makensis-action@v3.3
+        with:
+          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
+          script-file: client/installer.nsis
+          arguments: "/V4 /DARCH=${{ matrix.arch }}"
+        env:
+          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
+
+      - name: Rename NSIS installer
+        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
+
+      - name: Install WiX
+        run: |
+          dotnet tool install --global wix --version 6.0.2
+          wix extension add WixToolset.Util.wixext/6.0.2
+
+      - name: Build MSI installer
+        env:
+          NETBIRD_VERSION: "${{ steps.semver_parser.outputs.fullversion }}"
+        run: wix build -arch ${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }} -ext WixToolset.Util.wixext -o netbird_installer_test_windows_${{ matrix.arch }}.msi .\client\netbird.wxs -d ProcessorArchitecture=${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }} -d ArchSuffix=${{ matrix.arch }}
+
+      - name: Upload installer artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-installer-test-${{ matrix.arch }}
+          path: |
+            netbird_installer_test_windows_${{ matrix.arch }}.exe
+            netbird_installer_test_windows_${{ matrix.arch }}.msi
+          retention-days: 3
+
+  comment_release_artifacts:
+    name: Comment release artifacts
     runs-on: ubuntu-latest
     needs: [release, release_ui, release_ui_darwin]
+    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Create or update PR comment
+        uses: actions/github-script@v7
+        env:
+          RELEASE_RESULT: ${{ needs.release.result }}
+          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
+          RELEASE_UI_DARWIN_RESULT: ${{ needs.release_ui_darwin.result }}
+          RELEASE_ARTIFACT_URL: ${{ needs.release.outputs.release_artifact_url }}
+          LINUX_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.linux_packages_artifact_url }}
+          WINDOWS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.windows_packages_artifact_url }}
+          MACOS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.macos_packages_artifact_url }}
+          RELEASE_UI_ARTIFACT_URL: ${{ needs.release_ui.outputs.release_ui_artifact_url }}
+          RELEASE_UI_DARWIN_ARTIFACT_URL: ${{ needs.release_ui_darwin.outputs.release_ui_darwin_artifact_url }}
+          GHCR_IMAGES_MARKDOWN: ${{ needs.release.outputs.ghcr_images }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const marker = '<!-- netbird-release-artifacts -->';
+            const { owner, repo } = context.repo;
+            const issue_number = context.payload.pull_request.number;
+            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
+            const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
+
+            const artifactCell = (url, result) => {
+              if (url) return `[Download](${url})`;
+              return result && result !== 'success' ? `_Not available (${result})_` : '_Not available_';
+            };
+
+            const artifacts = [
+              ['All release artifacts', process.env.RELEASE_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['Linux packages', process.env.LINUX_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['Windows packages', process.env.WINDOWS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['macOS packages', process.env.MACOS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['UI artifacts', process.env.RELEASE_UI_ARTIFACT_URL, process.env.RELEASE_UI_RESULT],
+              ['UI macOS artifacts', process.env.RELEASE_UI_DARWIN_ARTIFACT_URL, process.env.RELEASE_UI_DARWIN_RESULT],
+            ];
+
+            const artifactRows = artifacts
+              .map(([name, url, result]) => `| ${name} | ${artifactCell(url, result)} |`)
+              .join('\n');
+
+            const ghcrImages = (process.env.GHCR_IMAGES_MARKDOWN || '').trim() || '_No GHCR images were pushed._';
+
+            const body = [
+              marker,
+              '## Release artifacts',
+              '',
+              `Built for PR head \`${shortSha}\` in [workflow run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}).`,
+              '',
+              '| Artifact | Link |',
+              '| --- | --- |',
+              artifactRows,
+              '',
+              '### GHCR images (amd64)',
+              ghcrImages,
+              '',
+              '_This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy._',
+            ].join('\n');
+
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner,
+              repo,
+              issue_number,
+              per_page: 100,
+            });
+
+            const previous = comments.find(comment =>
+              comment.user?.type === 'Bot' && comment.body?.includes(marker)
+            );
+
+            if (previous) {
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: previous.id,
+                body,
+              });
+              core.info(`Updated release artifacts comment ${previous.id}`);
+            } else {
+              const { data } = await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body,
+              });
+              core.info(`Created release artifacts comment ${data.id}`);
+            }
+
+  trigger_signer:
+    runs-on: ubuntu-latest
+    needs: [release, release_ui, release_ui_darwin, test_windows_installer]
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger binaries sign pipelines

.github/workflows/sync-tag.yml

@@ -9,6 +9,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
+# Receiving workflows (cloud sync-tag, mobile bump-netbird) expect the short
+# tag form (e.g. v0.30.0), not refs/tags/v0.30.0 — github.ref_name, not github.ref.
 jobs:
   trigger_sync_tag:
     runs-on: ubuntu-latest
@@ -20,4 +22,30 @@ jobs:
           ref: main
           repo: ${{ secrets.UPSTREAM_REPO }}
           token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
+
+  trigger_android_bump:
+    runs-on: ubuntu-latest
+    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
+    steps:
+      - name: Trigger android-client submodule bump
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: bump-netbird.yml
+          ref: main
+          repo: netbirdio/android-client
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
+
+  trigger_ios_bump:
+    runs-on: ubuntu-latest
+    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
+    steps:
+      - name: Trigger ios-client submodule bump
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: bump-netbird.yml
+          ref: main
+          repo: netbirdio/ios-client
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref_name }}" }'

client/cmd/testutil_test.go

@@ -135,7 +135,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/firewall/firewalld/firewalld.go

@@ -0,0 +1,11 @@
+// Package firewalld integrates with the firewalld daemon so NetBird can place
+// its wg interface into firewalld's "trusted" zone. This is required because
+// firewalld's nftables chains are created with NFT_CHAIN_OWNER on recent
+// versions, which returns EPERM to any other process that tries to insert
+// rules into them. The workaround mirrors what Tailscale does: let firewalld
+// itself add the accept rules to its own chains by trusting the interface.
+package firewalld
+
+// TrustedZone is the firewalld zone name used for interfaces whose traffic
+// should bypass firewalld filtering.
+const TrustedZone = "trusted"

client/firewall/firewalld/firewalld_linux.go

@@ -0,0 +1,260 @@
+//go:build linux
+
+package firewalld
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/godbus/dbus/v5"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	dbusDest      = "org.fedoraproject.FirewallD1"
+	dbusPath      = "/org/fedoraproject/FirewallD1"
+	dbusRootIface = "org.fedoraproject.FirewallD1"
+	dbusZoneIface = "org.fedoraproject.FirewallD1.zone"
+
+	errZoneAlreadySet = "ZONE_ALREADY_SET"
+	errAlreadyEnabled = "ALREADY_ENABLED"
+	errUnknownIface   = "UNKNOWN_INTERFACE"
+	errNotEnabled     = "NOT_ENABLED"
+
+	// callTimeout bounds each individual DBus or firewall-cmd invocation.
+	// A fresh context is created for each call so a slow DBus probe can't
+	// exhaust the deadline before the firewall-cmd fallback gets to run.
+	callTimeout = 3 * time.Second
+)
+
+var (
+	errDBusUnavailable = errors.New("firewalld dbus unavailable")
+
+	// trustLogOnce ensures the "added to trusted zone" message is logged at
+	// Info level only for the first successful add per process; repeat adds
+	// from other init paths are quieter.
+	trustLogOnce sync.Once
+
+	parentCtxMu sync.RWMutex
+	parentCtx   context.Context = context.Background()
+)
+
+// SetParentContext installs a parent context whose cancellation aborts any
+// in-flight TrustInterface call. It does not affect UntrustInterface, which
+// always uses a fresh Background-rooted timeout so cleanup can still run
+// during engine shutdown when the engine context is already cancelled.
+func SetParentContext(ctx context.Context) {
+	parentCtxMu.Lock()
+	parentCtx = ctx
+	parentCtxMu.Unlock()
+}
+
+func getParentContext() context.Context {
+	parentCtxMu.RLock()
+	defer parentCtxMu.RUnlock()
+	return parentCtx
+}
+
+// TrustInterface places iface into firewalld's trusted zone if firewalld is
+// running. It is idempotent and best-effort: errors are returned so callers
+// can log, but a non-running firewalld is not an error. Only the first
+// successful call per process logs at Info. Respects the parent context set
+// via SetParentContext so startup-time cancellation unblocks it.
+func TrustInterface(iface string) error {
+	parent := getParentContext()
+	if !isRunning(parent) {
+		return nil
+	}
+	if err := addTrusted(parent, iface); err != nil {
+		return fmt.Errorf("add %s to firewalld trusted zone: %w", iface, err)
+	}
+	trustLogOnce.Do(func() {
+		log.Infof("added %s to firewalld trusted zone", iface)
+	})
+	log.Debugf("firewalld: ensured %s is in trusted zone", iface)
+	return nil
+}
+
+// UntrustInterface removes iface from firewalld's trusted zone if firewalld
+// is running. Idempotent. Uses a Background-rooted timeout so it still runs
+// during shutdown after the engine context has been cancelled.
+func UntrustInterface(iface string) error {
+	if !isRunning(context.Background()) {
+		return nil
+	}
+	if err := removeTrusted(context.Background(), iface); err != nil {
+		return fmt.Errorf("remove %s from firewalld trusted zone: %w", iface, err)
+	}
+	return nil
+}
+
+func newCallContext(parent context.Context) (context.Context, context.CancelFunc) {
+	return context.WithTimeout(parent, callTimeout)
+}
+
+func isRunning(parent context.Context) bool {
+	ctx, cancel := newCallContext(parent)
+	ok, err := isRunningDBus(ctx)
+	cancel()
+	if err == nil {
+		return ok
+	}
+	if errors.Is(err, errDBusUnavailable) || errors.Is(err, context.DeadlineExceeded) {
+		ctx, cancel = newCallContext(parent)
+		defer cancel()
+		return isRunningCLI(ctx)
+	}
+	return false
+}
+
+func addTrusted(parent context.Context, iface string) error {
+	ctx, cancel := newCallContext(parent)
+	err := addDBus(ctx, iface)
+	cancel()
+	if err == nil {
+		return nil
+	}
+	if !errors.Is(err, errDBusUnavailable) {
+		log.Debugf("firewalld: dbus add failed, falling back to firewall-cmd: %v", err)
+	}
+	ctx, cancel = newCallContext(parent)
+	defer cancel()
+	return addCLI(ctx, iface)
+}
+
+func removeTrusted(parent context.Context, iface string) error {
+	ctx, cancel := newCallContext(parent)
+	err := removeDBus(ctx, iface)
+	cancel()
+	if err == nil {
+		return nil
+	}
+	if !errors.Is(err, errDBusUnavailable) {
+		log.Debugf("firewalld: dbus remove failed, falling back to firewall-cmd: %v", err)
+	}
+	ctx, cancel = newCallContext(parent)
+	defer cancel()
+	return removeCLI(ctx, iface)
+}
+
+func isRunningDBus(ctx context.Context) (bool, error) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return false, fmt.Errorf("%w: %v", errDBusUnavailable, err)
+	}
+	obj := conn.Object(dbusDest, dbusPath)
+
+	var zone string
+	if err := obj.CallWithContext(ctx, dbusRootIface+".getDefaultZone", 0).Store(&zone); err != nil {
+		return false, fmt.Errorf("firewalld getDefaultZone: %w", err)
+	}
+	return true, nil
+}
+
+func isRunningCLI(ctx context.Context) bool {
+	if _, err := exec.LookPath("firewall-cmd"); err != nil {
+		return false
+	}
+	return exec.CommandContext(ctx, "firewall-cmd", "--state").Run() == nil
+}
+
+func addDBus(ctx context.Context, iface string) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("%w: %v", errDBusUnavailable, err)
+	}
+	obj := conn.Object(dbusDest, dbusPath)
+
+	call := obj.CallWithContext(ctx, dbusZoneIface+".addInterface", 0, TrustedZone, iface)
+	if call.Err == nil {
+		return nil
+	}
+
+	if dbusErrContains(call.Err, errAlreadyEnabled) {
+		return nil
+	}
+
+	if dbusErrContains(call.Err, errZoneAlreadySet) {
+		move := obj.CallWithContext(ctx, dbusZoneIface+".changeZoneOfInterface", 0, TrustedZone, iface)
+		if move.Err != nil {
+			return fmt.Errorf("firewalld changeZoneOfInterface: %w", move.Err)
+		}
+		return nil
+	}
+
+	return fmt.Errorf("firewalld addInterface: %w", call.Err)
+}
+
+func removeDBus(ctx context.Context, iface string) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("%w: %v", errDBusUnavailable, err)
+	}
+	obj := conn.Object(dbusDest, dbusPath)
+
+	call := obj.CallWithContext(ctx, dbusZoneIface+".removeInterface", 0, TrustedZone, iface)
+	if call.Err == nil {
+		return nil
+	}
+
+	if dbusErrContains(call.Err, errUnknownIface) || dbusErrContains(call.Err, errNotEnabled) {
+		return nil
+	}
+
+	return fmt.Errorf("firewalld removeInterface: %w", call.Err)
+}
+
+func addCLI(ctx context.Context, iface string) error {
+	if _, err := exec.LookPath("firewall-cmd"); err != nil {
+		return fmt.Errorf("firewall-cmd not available: %w", err)
+	}
+
+	// --change-interface (no --permanent) binds the interface for the
+	// current runtime only; we do not want membership to persist across
+	// reboots because netbird re-asserts it on every startup.
+	out, err := exec.CommandContext(ctx,
+		"firewall-cmd", "--zone="+TrustedZone, "--change-interface="+iface,
+	).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("firewall-cmd change-interface: %w: %s", err, strings.TrimSpace(string(out)))
+	}
+	return nil
+}
+
+func removeCLI(ctx context.Context, iface string) error {
+	if _, err := exec.LookPath("firewall-cmd"); err != nil {
+		return fmt.Errorf("firewall-cmd not available: %w", err)
+	}
+
+	out, err := exec.CommandContext(ctx,
+		"firewall-cmd", "--zone="+TrustedZone, "--remove-interface="+iface,
+	).CombinedOutput()
+	if err != nil {
+		msg := strings.TrimSpace(string(out))
+		if strings.Contains(msg, errUnknownIface) || strings.Contains(msg, errNotEnabled) {
+			return nil
+		}
+		return fmt.Errorf("firewall-cmd remove-interface: %w: %s", err, msg)
+	}
+	return nil
+}
+
+func dbusErrContains(err error, code string) bool {
+	if err == nil {
+		return false
+	}
+	var de dbus.Error
+	if errors.As(err, &de) {
+		for _, b := range de.Body {
+			if s, ok := b.(string); ok && strings.Contains(s, code) {
+				return true
+			}
+		}
+	}
+	return strings.Contains(err.Error(), code)
+}

client/firewall/firewalld/firewalld_linux_test.go

@@ -0,0 +1,49 @@
+//go:build linux
+
+package firewalld
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/godbus/dbus/v5"
+)
+
+func TestDBusErrContains(t *testing.T) {
+	tests := []struct {
+		name string
+		err  error
+		code string
+		want bool
+	}{
+		{"nil error", nil, errZoneAlreadySet, false},
+		{"plain error match", errors.New("ZONE_ALREADY_SET: wt0"), errZoneAlreadySet, true},
+		{"plain error miss", errors.New("something else"), errZoneAlreadySet, false},
+		{
+			"dbus.Error body match",
+			dbus.Error{Name: "org.fedoraproject.FirewallD1.Exception", Body: []any{"ZONE_ALREADY_SET: wt0"}},
+			errZoneAlreadySet,
+			true,
+		},
+		{
+			"dbus.Error body miss",
+			dbus.Error{Name: "org.fedoraproject.FirewallD1.Exception", Body: []any{"INVALID_INTERFACE"}},
+			errAlreadyEnabled,
+			false,
+		},
+		{
+			"dbus.Error non-string body falls back to Error()",
+			dbus.Error{Name: "x", Body: []any{123}},
+			"x",
+			true,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := dbusErrContains(tc.err, tc.code)
+			if got != tc.want {
+				t.Fatalf("dbusErrContains(%v, %q) = %v; want %v", tc.err, tc.code, got, tc.want)
+			}
+		})
+	}
+}

client/firewall/firewalld/firewalld_other.go

@@ -0,0 +1,25 @@
+//go:build !linux
+
+package firewalld
+
+import "context"
+
+// SetParentContext is a no-op on non-Linux platforms because firewalld only
+// runs on Linux.
+func SetParentContext(context.Context) {
+	// intentionally empty: firewalld is a Linux-only daemon
+}
+
+// TrustInterface is a no-op on non-Linux platforms because firewalld only
+// runs on Linux.
+func TrustInterface(string) error {
+	// intentionally empty: firewalld is a Linux-only daemon
+	return nil
+}
+
+// UntrustInterface is a no-op on non-Linux platforms because firewalld only
+// runs on Linux.
+func UntrustInterface(string) error {
+	// intentionally empty: firewalld is a Linux-only daemon
+	return nil
+}

client/firewall/iptables/manager_linux.go

@@ -12,6 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -86,6 +87,12 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}
 
+	// Trust after all fatal init steps so a later failure doesn't leave the
+	// interface in firewalld's trusted zone without a corresponding Close.
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	// persist early to ensure cleanup of chains
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
@@ -191,6 +198,12 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 		merr = multierror.Append(merr, fmt.Errorf("reset router: %w", err))
 	}
 
+	// Appending to merr intentionally blocks DeleteState below so ShutdownState
+	// stays persisted and the crash-recovery path retries firewalld cleanup.
+	if err := firewalld.UntrustInterface(m.wgIface.Name()); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
 	// attempt to delete state only if all other operations succeeded
 	if merr == nil {
 		if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
@@ -217,6 +230,11 @@ func (m *Manager) AllowNetbird() error {
 	if err != nil {
 		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
+
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	return nil
 }
 

client/firewall/nftables/manager_linux.go

@@ -14,6 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -217,6 +218,10 @@ func (m *Manager) AllowNetbird() error {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
 
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	return nil
 }
 

client/firewall/nftables/router_linux.go

@@ -19,6 +19,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
@@ -40,6 +41,8 @@ const (
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"
 
+	firewalldTableName = "firewalld"
+
 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
 	userDataAcceptInputRule      = "inputaccept"
@@ -133,6 +136,10 @@ func (r *router) Reset() error {
 		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
 	}
 
+	if err := firewalld.UntrustInterface(r.wgIface.Name()); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
 	if err := r.removeNatPreroutingRules(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove filter prerouting rules: %w", err))
 	}
@@ -280,6 +287,10 @@ func (r *router) createContainers() error {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}
 
+	if err := firewalld.TrustInterface(r.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		log.Errorf("failed to refresh rules: %s", err)
 	}
@@ -1319,6 +1330,13 @@ func (r *router) isExternalChain(chain *nftables.Chain) bool {
 		return false
 	}
 
+	// Skip firewalld-owned chains. Firewalld creates its chains with the
+	// NFT_CHAIN_OWNER flag, so inserting rules into them returns EPERM.
+	// We delegate acceptance to firewalld by trusting the interface instead.
+	if chain.Table.Name == firewalldTableName {
+		return false
+	}
+
 	// Skip all iptables-managed tables in the ip family
 	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
 		return false

client/firewall/uspfilter/allow_netbird.go

@@ -3,6 +3,9 @@
 package uspfilter
 
 import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -16,6 +19,9 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
 	}
+	if err := firewalld.UntrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to untrust interface in firewalld: %v", err)
+	}
 	return nil
 }
 
@@ -24,5 +30,8 @@ func (m *Manager) AllowNetbird() error {
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.AllowNetbird()
 	}
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
 	return nil
 }

client/firewall/uspfilter/common/iface.go

@@ -9,6 +9,7 @@ import (
 
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
+	Name() string
 	SetFilter(device.PacketFilter) error
 	Address() wgaddr.Address
 	GetWGDevice() *wgdevice.Device

client/firewall/uspfilter/filter_test.go

@@ -31,12 +31,20 @@ var logger = log.NewFromLogrus(logrus.StandardLogger())
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
 
 type IFaceMock struct {
+	NameFunc        func() string
 	SetFilterFunc   func(device.PacketFilter) error
 	AddressFunc     func() wgaddr.Address
 	GetWGDeviceFunc func() *wgdevice.Device
 	GetDeviceFunc   func() *device.FilteredDevice
 }
 
+func (i *IFaceMock) Name() string {
+	if i.NameFunc == nil {
+		return "wgtest"
+	}
+	return i.NameFunc()
+}
+
 func (i *IFaceMock) GetWGDevice() *wgdevice.Device {
 	if i.GetWGDeviceFunc == nil {
 		return nil

client/iface/bind/ice_bind_test.go

@@ -239,8 +239,12 @@ func TestICEBind_HandlesConcurrentMixedTraffic(t *testing.T) {
 		ipv6Count++
 	}
 
-	assert.Equal(t, packetsPerFamily, ipv4Count)
-	assert.Equal(t, packetsPerFamily, ipv6Count)
+	// Allow some UDP packet loss under load (e.g. FreeBSD/QEMU runners). The
+	// routing-correctness checks above are the real assertions; the counts
+	// are a sanity bound to catch a totally silent path.
+	minDelivered := packetsPerFamily * 80 / 100
+	assert.GreaterOrEqual(t, ipv4Count, minDelivered, "IPv4 delivery below threshold")
+	assert.GreaterOrEqual(t, ipv6Count, minDelivered, "IPv6 delivery below threshold")
 }
 
 func TestICEBind_DetectsAddressFamilyFromConnection(t *testing.T) {

client/installer.nsis

@@ -201,7 +201,18 @@ Pop $0
 
 Function .onInit
 StrCpy $INSTDIR "${INSTALL_DIR}"
+; Default autostart to enabled so silent installs (/S) match the interactive default
+StrCpy $AutostartEnabled "1"
+
+; Pre-0.70.1 installers ran without SetRegView, so their uninstall keys live
+; in the 32-bit view. Fall back to it so upgrades still find them.
+SetRegView 64
 ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
+${If} $R0 == ""
+    SetRegView 32
+    ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
+    SetRegView 64
+${EndIf}
 ${If} $R0 != ""
     # if silent install jump to uninstall step
     IfSilent uninstall
@@ -214,6 +225,10 @@ ${If} $R0 != ""
 
 ${EndIf}
 FunctionEnd
+
+Function un.onInit
+SetRegView 64
+FunctionEnd
 ######################################################################
 Section -MainProgram
     ${INSTALL_TYPE}
@@ -228,6 +243,7 @@ Section -MainProgram
     !else
         File /r "..\\dist\\netbird_windows_amd64\\"
     !endif
+    File "..\\client\\ui\\assets\\netbird.png"
 SectionEnd
 ######################################################################
 
@@ -247,9 +263,11 @@ WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 ; Create autostart registry entry based on checkbox
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
-    WriteRegStr HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}" "$INSTDIR\${UI_APP_EXE}.exe"
+    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
+    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
     DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
@@ -283,6 +301,8 @@ ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
 ; Remove autostart registry entry
 DetailPrint "Removing autostart registry entry if exists..."
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
 
 ; Handle data deletion based on checkbox
@@ -321,6 +341,7 @@ DetailPrint "Removing registry keys..."
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
 DeleteRegKey ${REG_ROOT} "${UI_REG_APP_PATH}"
+DeleteRegKey HKCU "Software\Classes\AppUserModelId\${APP_NAME}"
 
 DetailPrint "Removing application directory from PATH..."
 EnVar::SetHKLM

client/internal/connect.go

@@ -333,6 +333,10 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.statusRecorder.MarkSignalConnected()
 
 		relayURLs, token := parseRelayInfo(loginResp)
+		if override, ok := peer.OverrideRelayURLs(); ok {
+			log.Infof("overriding relay URLs from %s: %v", peer.EnvKeyNBHomeRelayServers, override)
+			relayURLs = override
+		}
 		peerConfig := loginResp.GetPeerConfig()
 
 		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig, logPath)

client/internal/debug/upload_test.go

@@ -3,10 +3,12 @@ package debug
 import (
 	"context"
 	"errors"
+	"net"
 	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 
@@ -19,8 +21,10 @@ func TestUpload(t *testing.T) {
 		t.Skip("Skipping upload test on docker ci")
 	}
 	testDir := t.TempDir()
-	testURL := "http://localhost:8080"
+	addr := reserveLoopbackPort(t)
+	testURL := "http://" + addr
 	t.Setenv("SERVER_URL", testURL)
+	t.Setenv("SERVER_ADDRESS", addr)
 	t.Setenv("STORE_DIR", testDir)
 	srv := server.NewServer()
 	go func() {
@@ -33,6 +37,7 @@ func TestUpload(t *testing.T) {
 			t.Errorf("Failed to stop server: %v", err)
 		}
 	})
+	waitForServer(t, addr)
 
 	file := filepath.Join(t.TempDir(), "tmpfile")
 	fileContent := []byte("test file content")
@@ -47,3 +52,30 @@ func TestUpload(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, fileContent, createdFileContent)
 }
+
+// reserveLoopbackPort binds an ephemeral port on loopback to learn a free
+// address, then releases it so the server under test can rebind. The close/
+// rebind window is racy in theory; on loopback with a kernel-assigned port
+// it's essentially never contended in practice.
+func reserveLoopbackPort(t *testing.T) string {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	addr := l.Addr().String()
+	require.NoError(t, l.Close())
+	return addr
+}
+
+func waitForServer(t *testing.T, addr string) {
+	t.Helper()
+	deadline := time.Now().Add(5 * time.Second)
+	for time.Now().Before(deadline) {
+		c, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
+		if err == nil {
+			_ = c.Close()
+			return
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+	t.Fatalf("server did not start listening on %s in time", addr)
+}

client/internal/dns/file_parser_unix.go

@@ -13,6 +13,7 @@ import (
 
 const (
 	defaultResolvConfPath = "/etc/resolv.conf"
+	nsswitchConfPath      = "/etc/nsswitch.conf"
 )
 
 type resolvConf struct {

client/internal/dns/handler_chain.go

@@ -1,7 +1,10 @@
 package dns
 
 import (
+	"context"
 	"fmt"
+	"math"
+	"net"
 	"slices"
 	"strconv"
 	"strings"
@@ -192,6 +195,12 @@ func (c *HandlerChain) logHandlers() {
 }
 
 func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	c.dispatch(w, r, math.MaxInt)
+}
+
+// dispatch routes a DNS request through the chain, skipping handlers with
+// priority > maxPriority. Shared by ServeDNS and ResolveInternal.
+func (c *HandlerChain) dispatch(w dns.ResponseWriter, r *dns.Msg, maxPriority int) {
 	if len(r.Question) == 0 {
 		return
 	}
@@ -216,6 +225,9 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 	// Try handlers in priority order
 	for _, entry := range handlers {
+		if entry.Priority > maxPriority {
+			continue
+		}
 		if !c.isHandlerMatch(qname, entry) {
 			continue
 		}
@@ -273,6 +285,55 @@ func (c *HandlerChain) logResponse(logger *log.Entry, cw *ResponseWriterChain, q
 		cw.response.Len(), meta, time.Since(startTime))
 }
 
+// ResolveInternal runs an in-process DNS query against the chain, skipping any
+// handler with priority > maxPriority. Used by internal callers (e.g. the mgmt
+// cache refresher) that must bypass themselves to avoid loops. Honors ctx
+// cancellation; on ctx.Done the dispatch goroutine is left to drain on its own
+// (bounded by the invoked handler's internal timeout).
+func (c *HandlerChain) ResolveInternal(ctx context.Context, r *dns.Msg, maxPriority int) (*dns.Msg, error) {
+	if len(r.Question) == 0 {
+		return nil, fmt.Errorf("empty question")
+	}
+
+	base := &internalResponseWriter{}
+	done := make(chan struct{})
+	go func() {
+		c.dispatch(base, r, maxPriority)
+		close(done)
+	}()
+
+	select {
+	case <-done:
+	case <-ctx.Done():
+		// Prefer a completed response if dispatch finished concurrently with cancellation.
+		select {
+		case <-done:
+		default:
+			return nil, fmt.Errorf("resolve %s: %w", strings.ToLower(r.Question[0].Name), ctx.Err())
+		}
+	}
+
+	if base.response == nil || base.response.Rcode == dns.RcodeRefused {
+		return nil, fmt.Errorf("no handler resolved %s at priority ≤ %d",
+			strings.ToLower(r.Question[0].Name), maxPriority)
+	}
+	return base.response, nil
+}
+
+// HasRootHandlerAtOrBelow reports whether any "." handler is registered at
+// priority ≤ maxPriority.
+func (c *HandlerChain) HasRootHandlerAtOrBelow(maxPriority int) bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	for _, h := range c.handlers {
+		if h.Pattern == "." && h.Priority <= maxPriority {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	switch {
 	case entry.Pattern == ".":
@@ -291,3 +352,36 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 		}
 	}
 }
+
+// internalResponseWriter captures a dns.Msg for in-process chain queries.
+type internalResponseWriter struct {
+	response *dns.Msg
+}
+
+func (w *internalResponseWriter) WriteMsg(m *dns.Msg) error { w.response = m; return nil }
+func (w *internalResponseWriter) LocalAddr() net.Addr       { return nil }
+func (w *internalResponseWriter) RemoteAddr() net.Addr      { return nil }
+
+// Write unpacks raw DNS bytes so handlers that call Write instead of WriteMsg
+// still surface their answer to ResolveInternal.
+func (w *internalResponseWriter) Write(p []byte) (int, error) {
+	msg := new(dns.Msg)
+	if err := msg.Unpack(p); err != nil {
+		return 0, err
+	}
+	w.response = msg
+	return len(p), nil
+}
+
+func (w *internalResponseWriter) Close() error      { return nil }
+func (w *internalResponseWriter) TsigStatus() error { return nil }
+
+// TsigTimersOnly is part of dns.ResponseWriter.
+func (w *internalResponseWriter) TsigTimersOnly(bool) {
+	// no-op: in-process queries carry no TSIG state.
+}
+
+// Hijack is part of dns.ResponseWriter.
+func (w *internalResponseWriter) Hijack() {
+	// no-op: in-process queries have no underlying connection to hand off.
+}

client/internal/dns/handler_chain_test.go

@@ -1,11 +1,15 @@
 package dns_test
 
 import (
+	"context"
+	"net"
 	"testing"
+	"time"
 
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
@@ -1042,3 +1046,163 @@ func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
 		})
 	}
 }
+
+// answeringHandler writes a fixed A record to ack the query. Used to verify
+// which handler ResolveInternal dispatches to.
+type answeringHandler struct {
+	name string
+	ip   string
+}
+
+func (h *answeringHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	resp.Answer = []dns.RR{&dns.A{
+		Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+		A:   net.ParseIP(h.ip).To4(),
+	}}
+	_ = w.WriteMsg(resp)
+}
+
+func (h *answeringHandler) String() string { return h.name }
+
+func TestHandlerChain_ResolveInternal_SkipsAboveMaxPriority(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+
+	high := &answeringHandler{name: "high", ip: "10.0.0.1"}
+	low := &answeringHandler{name: "low", ip: "10.0.0.2"}
+
+	chain.AddHandler("example.com.", high, nbdns.PriorityMgmtCache)
+	chain.AddHandler("example.com.", low, nbdns.PriorityUpstream)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	resp, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp)
+	assert.Equal(t, 1, len(resp.Answer))
+	a, ok := resp.Answer[0].(*dns.A)
+	assert.True(t, ok)
+	assert.Equal(t, "10.0.0.2", a.A.String(), "should skip mgmtCache handler and resolve via upstream")
+}
+
+func TestHandlerChain_ResolveInternal_ErrorWhenNoMatch(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	high := &answeringHandler{name: "high", ip: "10.0.0.1"}
+	chain.AddHandler("example.com.", high, nbdns.PriorityMgmtCache)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	_, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
+	assert.Error(t, err, "no handler at or below maxPriority should error")
+}
+
+// rawWriteHandler packs a response and calls ResponseWriter.Write directly
+// (instead of WriteMsg), exercising the internalResponseWriter.Write path.
+type rawWriteHandler struct {
+	ip string
+}
+
+func (h *rawWriteHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	resp.Answer = []dns.RR{&dns.A{
+		Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+		A:   net.ParseIP(h.ip).To4(),
+	}}
+	packed, err := resp.Pack()
+	if err != nil {
+		return
+	}
+	_, _ = w.Write(packed)
+}
+
+func TestHandlerChain_ResolveInternal_CapturesRawWrite(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	chain.AddHandler("example.com.", &rawWriteHandler{ip: "10.0.0.3"}, nbdns.PriorityUpstream)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	resp, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
+	assert.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Len(t, resp.Answer, 1)
+	a, ok := resp.Answer[0].(*dns.A)
+	require.True(t, ok)
+	assert.Equal(t, "10.0.0.3", a.A.String(), "handlers calling Write(packed) must still surface their answer")
+}
+
+func TestHandlerChain_ResolveInternal_EmptyQuestion(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	_, err := chain.ResolveInternal(context.Background(), new(dns.Msg), nbdns.PriorityUpstream)
+	assert.Error(t, err)
+}
+
+// hangingHandler blocks indefinitely until closed, simulating a wedged upstream.
+type hangingHandler struct {
+	block chan struct{}
+}
+
+func (h *hangingHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	<-h.block
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	_ = w.WriteMsg(resp)
+}
+
+func (h *hangingHandler) String() string { return "hangingHandler" }
+
+func TestHandlerChain_ResolveInternal_HonorsContextTimeout(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	h := &hangingHandler{block: make(chan struct{})}
+	defer close(h.block)
+
+	chain.AddHandler("example.com.", h, nbdns.PriorityUpstream)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+
+	start := time.Now()
+	_, err := chain.ResolveInternal(ctx, r, nbdns.PriorityUpstream)
+	elapsed := time.Since(start)
+
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, context.DeadlineExceeded)
+	assert.Less(t, elapsed, 500*time.Millisecond, "ResolveInternal must return shortly after ctx deadline")
+}
+
+func TestHandlerChain_HasRootHandlerAtOrBelow(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	h := &answeringHandler{name: "h", ip: "10.0.0.1"}
+
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "empty chain")
+
+	chain.AddHandler("example.com.", h, nbdns.PriorityUpstream)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "non-root handler does not count")
+
+	chain.AddHandler(".", h, nbdns.PriorityMgmtCache)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root handler above threshold excluded")
+
+	chain.AddHandler(".", h, nbdns.PriorityDefault)
+	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root handler at PriorityDefault included")
+
+	chain.RemoveHandler(".", nbdns.PriorityDefault)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream))
+
+	// Primary nsgroup case: root handler lands at PriorityUpstream.
+	chain.AddHandler(".", h, nbdns.PriorityUpstream)
+	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root at PriorityUpstream included")
+	chain.RemoveHandler(".", nbdns.PriorityUpstream)
+
+	// Fallback case: original /etc/resolv.conf entries land at PriorityFallback.
+	chain.AddHandler(".", h, nbdns.PriorityFallback)
+	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root at PriorityFallback included")
+	chain.RemoveHandler(".", nbdns.PriorityFallback)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream))
+}

client/internal/dns/host_unix.go

@@ -46,12 +46,12 @@ type restoreHostManager interface {
 }
 
 func newHostManager(wgInterface string) (hostManager, error) {
-	osManager, err := getOSDNSManagerType()
+	osManager, reason, err := getOSDNSManagerType()
 	if err != nil {
 		return nil, fmt.Errorf("get os dns manager type: %w", err)
 	}
 
-	log.Infof("System DNS manager discovered: %s", osManager)
+	log.Infof("System DNS manager discovered: %s (%s)", osManager, reason)
 	mgr, err := newHostManagerFromType(wgInterface, osManager)
 	// need to explicitly return nil mgr on error to avoid returning a non-nil interface containing a nil value
 	if err != nil {
@@ -74,17 +74,49 @@ func newHostManagerFromType(wgInterface string, osManager osManagerType) (restor
 	}
 }
 
-func getOSDNSManagerType() (osManagerType, error) {
+func getOSDNSManagerType() (osManagerType, string, error) {
+	resolved := isSystemdResolvedRunning()
+	nss := isLibnssResolveUsed()
+	stub := checkStub()
+
+	// Prefer systemd-resolved whenever it owns libc resolution, regardless of
+	// who wrote /etc/resolv.conf. File-mode rewrites do not affect lookups
+	// that go through nss-resolve, and in foreign mode they can loop back
+	// through resolved as an upstream.
+	if resolved && (nss || stub) {
+		return systemdManager, fmt.Sprintf("systemd-resolved active (nss-resolve=%t, stub=%t)", nss, stub), nil
+	}
+
+	mgr, reason, rejected, err := scanResolvConfHeader()
+	if err != nil {
+		return 0, "", err
+	}
+	if reason != "" {
+		return mgr, reason, nil
+	}
+
+	fallback := fmt.Sprintf("no manager matched (resolved=%t, nss-resolve=%t, stub=%t)", resolved, nss, stub)
+	if len(rejected) > 0 {
+		fallback += "; rejected: " + strings.Join(rejected, ", ")
+	}
+	return fileManager, fallback, nil
+}
+
+// scanResolvConfHeader walks /etc/resolv.conf header comments and returns the
+// matching manager. If reason is empty the caller should pick file mode and
+// use rejected for diagnostics.
+func scanResolvConfHeader() (osManagerType, string, []string, error) {
 	file, err := os.Open(defaultResolvConfPath)
 	if err != nil {
-		return 0, fmt.Errorf("unable to open %s for checking owner, got error: %w", defaultResolvConfPath, err)
+		return 0, "", nil, fmt.Errorf("unable to open %s for checking owner, got error: %w", defaultResolvConfPath, err)
 	}
 	defer func() {
-		if err := file.Close(); err != nil {
-			log.Errorf("close file %s: %s", defaultResolvConfPath, err)
+		if cerr := file.Close(); cerr != nil {
+			log.Errorf("close file %s: %s", defaultResolvConfPath, cerr)
 		}
 	}()
 
+	var rejected []string
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
 		text := scanner.Text()
@@ -92,41 +124,48 @@ func getOSDNSManagerType() (osManagerType, error) {
 			continue
 		}
 		if text[0] != '#' {
-			return fileManager, nil
+			break
 		}
-		if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
-			return netbirdManager, nil
-		}
-		if strings.Contains(text, "NetworkManager") && isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
-			return networkManager, nil
-		}
-		if strings.Contains(text, "systemd-resolved") && isSystemdResolvedRunning() {
-			if checkStub() {
-				return systemdManager, nil
-			} else {
-				return fileManager, nil
-			}
-		}
-		if strings.Contains(text, "resolvconf") {
-			if isSystemdResolveConfMode() {
-				return systemdManager, nil
-			}
-
-			return resolvConfManager, nil
+		if mgr, reason, rej := matchResolvConfHeader(text); reason != "" {
+			return mgr, reason, nil, nil
+		} else if rej != "" {
+			rejected = append(rejected, rej)
 		}
 	}
 	if err := scanner.Err(); err != nil && err != io.EOF {
-		return 0, fmt.Errorf("scan: %w", err)
+		return 0, "", nil, fmt.Errorf("scan: %w", err)
 	}
-
-	return fileManager, nil
+	return 0, "", rejected, nil
 }
 
-// checkStub checks if the stub resolver is disabled in systemd-resolved. If it is disabled, we fall back to file manager.
+// matchResolvConfHeader inspects a single comment line. Returns either a
+// definitive (manager, reason) or a non-empty rejected diagnostic.
+func matchResolvConfHeader(text string) (osManagerType, string, string) {
+	if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
+		return netbirdManager, "netbird-managed resolv.conf header detected", ""
+	}
+	if strings.Contains(text, "NetworkManager") {
+		if isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
+			return networkManager, "NetworkManager header + supported version on dbus", ""
+		}
+		return 0, "", "NetworkManager header (no dbus or unsupported version)"
+	}
+	if strings.Contains(text, "resolvconf") {
+		if isSystemdResolveConfMode() {
+			return systemdManager, "resolvconf header in systemd-resolved compatibility mode", ""
+		}
+		return resolvConfManager, "resolvconf header detected", ""
+	}
+	return 0, "", ""
+}
+
+// checkStub reports whether systemd-resolved's stub (127.0.0.53) is listed
+// in /etc/resolv.conf. On parse failure we assume it is, to avoid dropping
+// into file mode while resolved is active.
 func checkStub() bool {
 	rConf, err := parseDefaultResolvConf()
 	if err != nil {
-		log.Warnf("failed to parse resolv conf: %s", err)
+		log.Warnf("failed to parse resolv conf, assuming stub is active: %s", err)
 		return true
 	}
 
@@ -139,3 +178,36 @@ func checkStub() bool {
 
 	return false
 }
+
+// isLibnssResolveUsed reports whether nss-resolve is listed before dns on
+// the hosts: line of /etc/nsswitch.conf. When it is, libc lookups are
+// delegated to systemd-resolved regardless of /etc/resolv.conf.
+func isLibnssResolveUsed() bool {
+	bs, err := os.ReadFile(nsswitchConfPath)
+	if err != nil {
+		log.Debugf("read %s: %v", nsswitchConfPath, err)
+		return false
+	}
+	return parseNsswitchResolveAhead(bs)
+}
+
+func parseNsswitchResolveAhead(data []byte) bool {
+	for _, line := range strings.Split(string(data), "\n") {
+		if i := strings.IndexByte(line, '#'); i >= 0 {
+			line = line[:i]
+		}
+		fields := strings.Fields(line)
+		if len(fields) < 2 || fields[0] != "hosts:" {
+			continue
+		}
+		for _, module := range fields[1:] {
+			switch module {
+			case "dns":
+				return false
+			case "resolve":
+				return true
+			}
+		}
+	}
+	return false
+}

client/internal/dns/host_unix_test.go

@@ -0,0 +1,76 @@
+//go:build (linux && !android) || freebsd
+
+package dns
+
+import "testing"
+
+func TestParseNsswitchResolveAhead(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want bool
+	}{
+		{
+			name: "resolve before dns with action token",
+			in:   "hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n",
+			want: true,
+		},
+		{
+			name: "dns before resolve",
+			in:   "hosts: files mdns4_minimal [NOTFOUND=return] dns resolve\n",
+			want: false,
+		},
+		{
+			name: "debian default with only dns",
+			in:   "hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines\n",
+			want: false,
+		},
+		{
+			name: "neither resolve nor dns",
+			in:   "hosts: files myhostname\n",
+			want: false,
+		},
+		{
+			name: "no hosts line",
+			in:   "passwd: files systemd\ngroup: files systemd\n",
+			want: false,
+		},
+		{
+			name: "empty",
+			in:   "",
+			want: false,
+		},
+		{
+			name: "comments and blank lines ignored",
+			in:   "# comment\n\n# another\nhosts: resolve dns\n",
+			want: true,
+		},
+		{
+			name: "trailing inline comment",
+			in:   "hosts: resolve [!UNAVAIL=return] dns # fallback\n",
+			want: true,
+		},
+		{
+			name: "hosts token must be the first field",
+			in:   "  hosts: resolve dns\n",
+			want: true,
+		},
+		{
+			name: "other db line mentioning resolve is ignored",
+			in:   "networks: resolve\nhosts: dns\n",
+			want: false,
+		},
+		{
+			name: "only resolve, no dns",
+			in:   "hosts: files resolve\n",
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := parseNsswitchResolveAhead([]byte(tt.in)); got != tt.want {
+				t.Errorf("parseNsswitchResolveAhead() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

client/internal/dns/mgmt/mgmt.go

@@ -2,40 +2,83 @@ package mgmt
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
-	"net/netip"
 	"net/url"
+	"os"
+	"slices"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/singleflight"
 
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
-const dnsTimeout = 5 * time.Second
+const (
+	dnsTimeout     = 5 * time.Second
+	defaultTTL     = 300 * time.Second
+	refreshBackoff = 30 * time.Second
 
-// Resolver caches critical NetBird infrastructure domains
+	// envMgmtCacheTTL overrides defaultTTL for integration/dev testing.
+	envMgmtCacheTTL = "NB_MGMT_CACHE_TTL"
+)
+
+// ChainResolver lets the cache refresh stale entries through the DNS handler
+// chain instead of net.DefaultResolver, avoiding loopback when NetBird is the
+// system resolver.
+type ChainResolver interface {
+	ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriority int) (*dns.Msg, error)
+	HasRootHandlerAtOrBelow(maxPriority int) bool
+}
+
+// cachedRecord holds DNS records plus timestamps used for TTL refresh.
+// records and cachedAt are set at construction and treated as immutable;
+// lastFailedRefresh and consecFailures are mutable and must be accessed under
+// Resolver.mutex.
+type cachedRecord struct {
+	records           []dns.RR
+	cachedAt          time.Time
+	lastFailedRefresh time.Time
+	consecFailures    int
+}
+
+// Resolver caches critical NetBird infrastructure domains.
+// records, refreshing, mgmtDomain and serverDomains are all guarded by mutex.
 type Resolver struct {
-	records       map[dns.Question][]dns.RR
+	records       map[dns.Question]*cachedRecord
 	mgmtDomain    *domain.Domain
 	serverDomains *dnsconfig.ServerDomains
 	mutex         sync.RWMutex
-}
 
-type ipsResponse struct {
-	ips []netip.Addr
-	err error
+	chain            ChainResolver
+	chainMaxPriority int
+	refreshGroup     singleflight.Group
+
+	// refreshing tracks questions whose refresh is running via the OS
+	// fallback path. A ServeDNS hit for a question in this map indicates
+	// the OS resolver routed the recursive query back to us (loop). Only
+	// the OS path arms this so chain-path refreshes don't produce false
+	// positives. The atomic bool is CAS-flipped once per refresh to
+	// throttle the warning log.
+	refreshing map[dns.Question]*atomic.Bool
+
+	cacheTTL time.Duration
 }
 
 // NewResolver creates a new management domains cache resolver.
 func NewResolver() *Resolver {
 	return &Resolver{
-		records: make(map[dns.Question][]dns.RR),
+		records:    make(map[dns.Question]*cachedRecord),
+		refreshing: make(map[dns.Question]*atomic.Bool),
+		cacheTTL:   resolveCacheTTL(),
 	}
 }
 
@@ -44,7 +87,19 @@ func (m *Resolver) String() string {
 	return "MgmtCacheResolver"
 }
 
-// ServeDNS implements dns.Handler interface.
+// SetChainResolver wires the handler chain used to refresh stale cache entries.
+// maxPriority caps which handlers may answer refresh queries (typically
+// PriorityUpstream, so upstream/default/fallback handlers are consulted and
+// mgmt/route/local handlers are skipped).
+func (m *Resolver) SetChainResolver(chain ChainResolver, maxPriority int) {
+	m.mutex.Lock()
+	m.chain = chain
+	m.chainMaxPriority = maxPriority
+	m.mutex.Unlock()
+}
+
+// ServeDNS serves cached A/AAAA records. Stale entries are returned
+// immediately and refreshed asynchronously (stale-while-revalidate).
 func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) == 0 {
 		m.continueToNext(w, r)
@@ -60,7 +115,14 @@ func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 
 	m.mutex.RLock()
-	records, found := m.records[question]
+	cached, found := m.records[question]
+	inflight := m.refreshing[question]
+	var shouldRefresh bool
+	if found {
+		stale := time.Since(cached.cachedAt) > m.cacheTTL
+		inBackoff := !cached.lastFailedRefresh.IsZero() && time.Since(cached.lastFailedRefresh) < refreshBackoff
+		shouldRefresh = stale && !inBackoff
+	}
 	m.mutex.RUnlock()
 
 	if !found {
@@ -68,12 +130,23 @@ func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 
+	if inflight != nil && inflight.CompareAndSwap(false, true) {
+		log.Warnf("mgmt cache: possible resolver loop for domain=%s: served stale while an OS-fallback refresh was inflight (if NetBird is the system resolver, the OS-path predicate is wrong)",
+			question.Name)
+	}
+
+	// Skip scheduling a refresh goroutine if one is already inflight for
+	// this question; singleflight would dedup anyway but skipping avoids
+	// a parked goroutine per stale hit under bursty load.
+	if shouldRefresh && inflight == nil {
+		m.scheduleRefresh(question, cached)
+	}
+
 	resp := &dns.Msg{}
 	resp.SetReply(r)
 	resp.Authoritative = false
 	resp.RecursionAvailable = true
-
-	resp.Answer = append(resp.Answer, records...)
+	resp.Answer = cloneRecordsWithTTL(cached.records, m.responseTTL(cached.cachedAt))
 
 	log.Debugf("serving %d cached records for domain=%s", len(resp.Answer), question.Name)
 
@@ -98,101 +171,260 @@ func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }
 
-// AddDomain manually adds a domain to cache by resolving it.
+// AddDomain resolves a domain and stores its A/AAAA records in the cache.
+// A family that resolves NODATA (nil err, zero records) evicts any stale
+// entry for that qtype.
 func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
 
 	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
 	defer cancel()
 
-	ips, err := lookupIPWithExtraTimeout(ctx, d)
-	if err != nil {
-		return err
+	aRecords, aaaaRecords, errA, errAAAA := m.lookupBoth(ctx, d, dnsName)
+
+	if errA != nil && errAAAA != nil {
+		return fmt.Errorf("resolve %s: %w", d.SafeString(), errors.Join(errA, errAAAA))
 	}
 
-	var aRecords, aaaaRecords []dns.RR
-	for _, ip := range ips {
-		if ip.Is4() {
-			rr := &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   dnsName,
-					Rrtype: dns.TypeA,
-					Class:  dns.ClassINET,
-					Ttl:    300,
-				},
-				A: ip.AsSlice(),
-			}
-			aRecords = append(aRecords, rr)
-		} else if ip.Is6() {
-			rr := &dns.AAAA{
-				Hdr: dns.RR_Header{
-					Name:   dnsName,
-					Rrtype: dns.TypeAAAA,
-					Class:  dns.ClassINET,
-					Ttl:    300,
-				},
-				AAAA: ip.AsSlice(),
-			}
-			aaaaRecords = append(aaaaRecords, rr)
+	if len(aRecords) == 0 && len(aaaaRecords) == 0 {
+		if err := errors.Join(errA, errAAAA); err != nil {
+			return fmt.Errorf("resolve %s: no A/AAAA records: %w", d.SafeString(), err)
 		}
+		return fmt.Errorf("resolve %s: no A/AAAA records", d.SafeString())
 	}
 
+	now := time.Now()
 	m.mutex.Lock()
+	defer m.mutex.Unlock()
 
-	if len(aRecords) > 0 {
-		aQuestion := dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}
-		m.records[aQuestion] = aRecords
-	}
+	m.applyFamilyRecords(dnsName, dns.TypeA, aRecords, errA, now)
+	m.applyFamilyRecords(dnsName, dns.TypeAAAA, aaaaRecords, errAAAA, now)
 
-	if len(aaaaRecords) > 0 {
-		aaaaQuestion := dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}
-		m.records[aaaaQuestion] = aaaaRecords
-	}
-
-	m.mutex.Unlock()
-
-	log.Debugf("added domain=%s with %d A records and %d AAAA records",
+	log.Debugf("added/updated domain=%s with %d A records and %d AAAA records",
 		d.SafeString(), len(aRecords), len(aaaaRecords))
 
 	return nil
 }
 
-func lookupIPWithExtraTimeout(ctx context.Context, d domain.Domain) ([]netip.Addr, error) {
-	log.Infof("looking up IP for mgmt domain=%s", d.SafeString())
-	defer log.Infof("done looking up IP for mgmt domain=%s", d.SafeString())
-	resultChan := make(chan *ipsResponse, 1)
+// applyFamilyRecords writes records, evicts on NODATA, leaves the cache
+// untouched on error. Caller holds m.mutex.
+func (m *Resolver) applyFamilyRecords(dnsName string, qtype uint16, records []dns.RR, err error, now time.Time) {
+	q := dns.Question{Name: dnsName, Qtype: qtype, Qclass: dns.ClassINET}
+	switch {
+	case len(records) > 0:
+		m.records[q] = &cachedRecord{records: records, cachedAt: now}
+	case err == nil:
+		delete(m.records, q)
+	}
+}
 
-	go func() {
-		ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", d.PunycodeString())
-		resultChan <- &ipsResponse{
-			err: err,
-			ips: ips,
+// scheduleRefresh kicks off an async refresh. DoChan spawns one goroutine per
+// unique in-flight key; bursty stale hits share its channel. expected is the
+// cachedRecord pointer observed by the caller; the refresh only mutates the
+// cache if that pointer is still the one stored, so a stale in-flight refresh
+// can't clobber a newer entry written by AddDomain or a competing refresh.
+func (m *Resolver) scheduleRefresh(question dns.Question, expected *cachedRecord) {
+	key := question.Name + "|" + dns.TypeToString[question.Qtype]
+	_ = m.refreshGroup.DoChan(key, func() (any, error) {
+		return nil, m.refreshQuestion(question, expected)
+	})
+}
+
+// refreshQuestion replaces the cached records on success, or marks the entry
+// failed (arming the backoff) on failure. While this runs, ServeDNS can detect
+// a resolver loop by spotting a query for this same question arriving on us.
+// expected pins the cache entry observed at schedule time; mutations only apply
+// if m.records[question] still points at it.
+func (m *Resolver) refreshQuestion(question dns.Question, expected *cachedRecord) error {
+	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
+	defer cancel()
+
+	d, err := domain.FromString(strings.TrimSuffix(question.Name, "."))
+	if err != nil {
+		m.markRefreshFailed(question, expected)
+		return fmt.Errorf("parse domain: %w", err)
+	}
+
+	records, err := m.lookupRecords(ctx, d, question)
+	if err != nil {
+		fails := m.markRefreshFailed(question, expected)
+		logf := log.Warnf
+		if fails == 0 || fails > 1 {
+			logf = log.Debugf
 		}
-	}()
-
-	var resp *ipsResponse
-
-	select {
-	case <-time.After(dnsTimeout + time.Millisecond*500):
-		log.Warnf("timed out waiting for IP for mgmt domain=%s", d.SafeString())
-		return nil, fmt.Errorf("timed out waiting for ips to be available for domain %s", d.SafeString())
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	case resp = <-resultChan:
+		logf("refresh mgmt cache domain=%s type=%s: %v (consecutive failures=%d)",
+			d.SafeString(), dns.TypeToString[question.Qtype], err, fails)
+		return err
 	}
 
-	if resp.err != nil {
-		return nil, fmt.Errorf("resolve domain %s: %w", d.SafeString(), resp.err)
+	// NOERROR/NODATA: family gone upstream, evict so we stop serving stale.
+	if len(records) == 0 {
+		m.mutex.Lock()
+		if m.records[question] == expected {
+			delete(m.records, question)
+			m.mutex.Unlock()
+			log.Infof("removed mgmt cache domain=%s type=%s: no records returned",
+				d.SafeString(), dns.TypeToString[question.Qtype])
+			return nil
+		}
+		m.mutex.Unlock()
+		log.Debugf("skipping refresh evict for domain=%s type=%s: entry changed during refresh",
+			d.SafeString(), dns.TypeToString[question.Qtype])
+		return nil
 	}
-	return resp.ips, nil
+
+	now := time.Now()
+	m.mutex.Lock()
+	if m.records[question] != expected {
+		m.mutex.Unlock()
+		log.Debugf("skipping refresh write for domain=%s type=%s: entry changed during refresh",
+			d.SafeString(), dns.TypeToString[question.Qtype])
+		return nil
+	}
+	m.records[question] = &cachedRecord{records: records, cachedAt: now}
+	m.mutex.Unlock()
+
+	log.Infof("refreshed mgmt cache domain=%s type=%s",
+		d.SafeString(), dns.TypeToString[question.Qtype])
+	return nil
+}
+
+func (m *Resolver) markRefreshing(question dns.Question) {
+	m.mutex.Lock()
+	m.refreshing[question] = &atomic.Bool{}
+	m.mutex.Unlock()
+}
+
+func (m *Resolver) clearRefreshing(question dns.Question) {
+	m.mutex.Lock()
+	delete(m.refreshing, question)
+	m.mutex.Unlock()
+}
+
+// markRefreshFailed arms the backoff and returns the new consecutive-failure
+// count so callers can downgrade subsequent failure logs to debug.
+func (m *Resolver) markRefreshFailed(question dns.Question, expected *cachedRecord) int {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	c, ok := m.records[question]
+	if !ok || c != expected {
+		return 0
+	}
+	c.lastFailedRefresh = time.Now()
+	c.consecFailures++
+	return c.consecFailures
+}
+
+// lookupBoth resolves A and AAAA via chain or OS. Per-family errors let
+// callers tell records, NODATA (nil err, no records), and failure apart.
+func (m *Resolver) lookupBoth(ctx context.Context, d domain.Domain, dnsName string) (aRecords, aaaaRecords []dns.RR, errA, errAAAA error) {
+	m.mutex.RLock()
+	chain := m.chain
+	maxPriority := m.chainMaxPriority
+	m.mutex.RUnlock()
+
+	if chain != nil && chain.HasRootHandlerAtOrBelow(maxPriority) {
+		aRecords, errA = m.lookupViaChain(ctx, chain, maxPriority, dnsName, dns.TypeA)
+		aaaaRecords, errAAAA = m.lookupViaChain(ctx, chain, maxPriority, dnsName, dns.TypeAAAA)
+		return
+	}
+
+	// TODO: drop once every supported OS registers a fallback resolver. Safe
+	// today: no root handler at priority ≤ PriorityUpstream means NetBird is
+	// not the system resolver, so net.DefaultResolver will not loop back.
+	aRecords, errA = m.osLookup(ctx, d, dnsName, dns.TypeA)
+	aaaaRecords, errAAAA = m.osLookup(ctx, d, dnsName, dns.TypeAAAA)
+	return
+}
+
+// lookupRecords resolves a single record type via chain or OS. The OS branch
+// arms the loop detector for the duration of its call so that ServeDNS can
+// spot the OS resolver routing the recursive query back to us.
+func (m *Resolver) lookupRecords(ctx context.Context, d domain.Domain, q dns.Question) ([]dns.RR, error) {
+	m.mutex.RLock()
+	chain := m.chain
+	maxPriority := m.chainMaxPriority
+	m.mutex.RUnlock()
+
+	if chain != nil && chain.HasRootHandlerAtOrBelow(maxPriority) {
+		return m.lookupViaChain(ctx, chain, maxPriority, q.Name, q.Qtype)
+	}
+
+	// TODO: drop once every supported OS registers a fallback resolver.
+	m.markRefreshing(q)
+	defer m.clearRefreshing(q)
+
+	return m.osLookup(ctx, d, q.Name, q.Qtype)
+}
+
+// lookupViaChain resolves via the handler chain and rewrites each RR to use
+// dnsName as owner and m.cacheTTL as TTL, so CNAME-backed domains don't cache
+// target-owned records or upstream TTLs. NODATA returns (nil, nil).
+func (m *Resolver) lookupViaChain(ctx context.Context, chain ChainResolver, maxPriority int, dnsName string, qtype uint16) ([]dns.RR, error) {
+	msg := &dns.Msg{}
+	msg.SetQuestion(dnsName, qtype)
+	msg.RecursionDesired = true
+
+	resp, err := chain.ResolveInternal(ctx, msg, maxPriority)
+	if err != nil {
+		return nil, fmt.Errorf("chain resolve: %w", err)
+	}
+	if resp == nil {
+		return nil, fmt.Errorf("chain resolve returned nil response")
+	}
+	if resp.Rcode != dns.RcodeSuccess {
+		return nil, fmt.Errorf("chain resolve rcode=%s", dns.RcodeToString[resp.Rcode])
+	}
+
+	ttl := uint32(m.cacheTTL.Seconds())
+	owners := cnameOwners(dnsName, resp.Answer)
+	var filtered []dns.RR
+	for _, rr := range resp.Answer {
+		h := rr.Header()
+		if h.Class != dns.ClassINET || h.Rrtype != qtype {
+			continue
+		}
+		if !owners[strings.ToLower(dns.Fqdn(h.Name))] {
+			continue
+		}
+		if cp := cloneIPRecord(rr, dnsName, ttl); cp != nil {
+			filtered = append(filtered, cp)
+		}
+	}
+	return filtered, nil
+}
+
+// osLookup resolves a single family via net.DefaultResolver using resutil,
+// which disambiguates NODATA from NXDOMAIN and Unmaps v4-mapped-v6. NODATA
+// returns (nil, nil).
+func (m *Resolver) osLookup(ctx context.Context, d domain.Domain, dnsName string, qtype uint16) ([]dns.RR, error) {
+	network := resutil.NetworkForQtype(qtype)
+	if network == "" {
+		return nil, fmt.Errorf("unsupported qtype %s", dns.TypeToString[qtype])
+	}
+
+	log.Infof("looking up IP for mgmt domain=%s type=%s", d.SafeString(), dns.TypeToString[qtype])
+	defer log.Infof("done looking up IP for mgmt domain=%s type=%s", d.SafeString(), dns.TypeToString[qtype])
+
+	result := resutil.LookupIP(ctx, net.DefaultResolver, network, d.PunycodeString(), qtype)
+	if result.Rcode == dns.RcodeSuccess {
+		return resutil.IPsToRRs(dnsName, result.IPs, uint32(m.cacheTTL.Seconds())), nil
+	}
+
+	if result.Err != nil {
+		return nil, fmt.Errorf("resolve %s type=%s: %w", d.SafeString(), dns.TypeToString[qtype], result.Err)
+	}
+	return nil, fmt.Errorf("resolve %s type=%s: rcode=%s", d.SafeString(), dns.TypeToString[qtype], dns.RcodeToString[result.Rcode])
+}
+
+// responseTTL returns the remaining cache lifetime in seconds (rounded up),
+// so downstream resolvers don't cache an answer for longer than we will.
+func (m *Resolver) responseTTL(cachedAt time.Time) uint32 {
+	remaining := m.cacheTTL - time.Since(cachedAt)
+	if remaining <= 0 {
+		return 0
+	}
+	return uint32((remaining + time.Second - 1) / time.Second)
 }
 
 // PopulateFromConfig extracts and caches domains from the client configuration.
@@ -224,19 +456,12 @@ func (m *Resolver) RemoveDomain(d domain.Domain) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	aQuestion := dns.Question{
-		Name:   dnsName,
-		Qtype:  dns.TypeA,
-		Qclass: dns.ClassINET,
-	}
-	delete(m.records, aQuestion)
-
-	aaaaQuestion := dns.Question{
-		Name:   dnsName,
-		Qtype:  dns.TypeAAAA,
-		Qclass: dns.ClassINET,
-	}
-	delete(m.records, aaaaQuestion)
+	qA := dns.Question{Name: dnsName, Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	qAAAA := dns.Question{Name: dnsName, Qtype: dns.TypeAAAA, Qclass: dns.ClassINET}
+	delete(m.records, qA)
+	delete(m.records, qAAAA)
+	delete(m.refreshing, qA)
+	delete(m.refreshing, qAAAA)
 
 	log.Debugf("removed domain=%s from cache", d.SafeString())
 	return nil
@@ -394,3 +619,73 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve
 
 	return domains
 }
+
+// cloneIPRecord returns a deep copy of rr retargeted to owner with ttl. Non
+// A/AAAA records return nil.
+func cloneIPRecord(rr dns.RR, owner string, ttl uint32) dns.RR {
+	switch r := rr.(type) {
+	case *dns.A:
+		cp := *r
+		cp.Hdr.Name = owner
+		cp.Hdr.Ttl = ttl
+		cp.A = slices.Clone(r.A)
+		return &cp
+	case *dns.AAAA:
+		cp := *r
+		cp.Hdr.Name = owner
+		cp.Hdr.Ttl = ttl
+		cp.AAAA = slices.Clone(r.AAAA)
+		return &cp
+	}
+	return nil
+}
+
+// cloneRecordsWithTTL clones A/AAAA records preserving their owner and
+// stamping ttl so the response shares no memory with the cached slice.
+func cloneRecordsWithTTL(records []dns.RR, ttl uint32) []dns.RR {
+	out := make([]dns.RR, 0, len(records))
+	for _, rr := range records {
+		if cp := cloneIPRecord(rr, rr.Header().Name, ttl); cp != nil {
+			out = append(out, cp)
+		}
+	}
+	return out
+}
+
+// cnameOwners returns dnsName plus every target reachable by following CNAMEs
+// in answer, iterating until fixed point so out-of-order chains resolve.
+func cnameOwners(dnsName string, answer []dns.RR) map[string]bool {
+	owners := map[string]bool{dnsName: true}
+	for {
+		added := false
+		for _, rr := range answer {
+			cname, ok := rr.(*dns.CNAME)
+			if !ok {
+				continue
+			}
+			name := strings.ToLower(dns.Fqdn(cname.Hdr.Name))
+			if !owners[name] {
+				continue
+			}
+			target := strings.ToLower(dns.Fqdn(cname.Target))
+			if !owners[target] {
+				owners[target] = true
+				added = true
+			}
+		}
+		if !added {
+			return owners
+		}
+	}
+}
+
+// resolveCacheTTL reads the cache TTL override env var; invalid or empty
+// values fall back to defaultTTL. Called once per Resolver from NewResolver.
+func resolveCacheTTL() time.Duration {
+	if v := os.Getenv(envMgmtCacheTTL); v != "" {
+		if d, err := time.ParseDuration(v); err == nil && d > 0 {
+			return d
+		}
+	}
+	return defaultTTL
+}

client/internal/dns/mgmt/mgmt_refresh_test.go

@@ -0,0 +1,408 @@
+package mgmt
+
+import (
+	"context"
+	"errors"
+	"net"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/dns/test"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+type fakeChain struct {
+	mu       sync.Mutex
+	calls    map[string]int
+	answers  map[string][]dns.RR
+	err      error
+	hasRoot  bool
+	onLookup func()
+}
+
+func newFakeChain() *fakeChain {
+	return &fakeChain{
+		calls:   map[string]int{},
+		answers: map[string][]dns.RR{},
+		hasRoot: true,
+	}
+}
+
+func (f *fakeChain) HasRootHandlerAtOrBelow(maxPriority int) bool {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return f.hasRoot
+}
+
+func (f *fakeChain) ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriority int) (*dns.Msg, error) {
+	f.mu.Lock()
+	q := msg.Question[0]
+	key := q.Name + "|" + dns.TypeToString[q.Qtype]
+	f.calls[key]++
+	answers := f.answers[key]
+	err := f.err
+	onLookup := f.onLookup
+	f.mu.Unlock()
+
+	if onLookup != nil {
+		onLookup()
+	}
+	if err != nil {
+		return nil, err
+	}
+	resp := &dns.Msg{}
+	resp.SetReply(msg)
+	resp.Answer = answers
+	return resp, nil
+}
+
+func (f *fakeChain) setAnswer(name string, qtype uint16, ip string) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	key := name + "|" + dns.TypeToString[qtype]
+	hdr := dns.RR_Header{Name: name, Rrtype: qtype, Class: dns.ClassINET, Ttl: 60}
+	switch qtype {
+	case dns.TypeA:
+		f.answers[key] = []dns.RR{&dns.A{Hdr: hdr, A: net.ParseIP(ip).To4()}}
+	case dns.TypeAAAA:
+		f.answers[key] = []dns.RR{&dns.AAAA{Hdr: hdr, AAAA: net.ParseIP(ip).To16()}}
+	}
+}
+
+func (f *fakeChain) callCount(name string, qtype uint16) int {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return f.calls[name+"|"+dns.TypeToString[qtype]]
+}
+
+// waitFor polls the predicate until it returns true or the deadline passes.
+func waitFor(t *testing.T, d time.Duration, fn func() bool) {
+	t.Helper()
+	deadline := time.Now().Add(d)
+	for time.Now().Before(deadline) {
+		if fn() {
+			return
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	t.Fatalf("condition not met within %s", d)
+}
+
+func queryA(t *testing.T, r *Resolver, name string) *dns.Msg {
+	t.Helper()
+	msg := new(dns.Msg)
+	msg.SetQuestion(name, dns.TypeA)
+	w := &test.MockResponseWriter{}
+	r.ServeDNS(w, msg)
+	return w.GetLastResponse()
+}
+
+func firstA(t *testing.T, resp *dns.Msg) string {
+	t.Helper()
+	require.NotNil(t, resp)
+	require.Greater(t, len(resp.Answer), 0, "expected at least one answer")
+	a, ok := resp.Answer[0].(*dns.A)
+	require.True(t, ok, "expected A record")
+	return a.A.String()
+}
+
+func TestResolver_CacheTTLGatesRefresh(t *testing.T) {
+	// Same cached entry age, different cacheTTL values: the shorter TTL must
+	// trigger a background refresh, the longer one must not. Proves that the
+	// per-Resolver cacheTTL field actually drives the stale decision.
+	cachedAt := time.Now().Add(-100 * time.Millisecond)
+
+	newRec := func() *cachedRecord {
+		return &cachedRecord{
+			records: []dns.RR{&dns.A{
+				Hdr: dns.RR_Header{Name: "mgmt.example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+				A:   net.ParseIP("10.0.0.1").To4(),
+			}},
+			cachedAt: cachedAt,
+		}
+	}
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+
+	t.Run("short TTL treats entry as stale and refreshes", func(t *testing.T) {
+		r := NewResolver()
+		r.cacheTTL = 10 * time.Millisecond
+		chain := newFakeChain()
+		chain.setAnswer(q.Name, dns.TypeA, "10.0.0.2")
+		r.SetChainResolver(chain, 50)
+		r.records[q] = newRec()
+
+		resp := queryA(t, r, q.Name)
+		assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must be served while refresh runs")
+
+		waitFor(t, time.Second, func() bool {
+			return chain.callCount(q.Name, dns.TypeA) >= 1
+		})
+	})
+
+	t.Run("long TTL keeps entry fresh and skips refresh", func(t *testing.T) {
+		r := NewResolver()
+		r.cacheTTL = time.Hour
+		chain := newFakeChain()
+		chain.setAnswer(q.Name, dns.TypeA, "10.0.0.2")
+		r.SetChainResolver(chain, 50)
+		r.records[q] = newRec()
+
+		resp := queryA(t, r, q.Name)
+		assert.Equal(t, "10.0.0.1", firstA(t, resp))
+
+		time.Sleep(50 * time.Millisecond)
+		assert.Equal(t, 0, chain.callCount(q.Name, dns.TypeA), "fresh entry must not trigger refresh")
+	})
+}
+
+func TestResolver_ServeFresh_NoRefresh(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	r.records[dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: "mgmt.example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(), // fresh
+	}
+
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp))
+
+	time.Sleep(20 * time.Millisecond)
+	assert.Equal(t, 0, chain.callCount("mgmt.example.com.", dns.TypeA), "fresh entry must not trigger refresh")
+}
+
+func TestResolver_StaleTriggersAsyncRefresh(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now().Add(-2 * defaultTTL), // stale
+	}
+
+	// First query: serves stale immediately.
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must be served while refresh runs")
+
+	waitFor(t, time.Second, func() bool {
+		return chain.callCount("mgmt.example.com.", dns.TypeA) >= 1
+	})
+
+	// Next query should now return the refreshed IP.
+	waitFor(t, time.Second, func() bool {
+		resp := queryA(t, r, "mgmt.example.com.")
+		return resp != nil && len(resp.Answer) > 0 && firstA(t, resp) == "10.0.0.2"
+	})
+}
+
+func TestResolver_ConcurrentStaleHitsCollapseRefresh(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+
+	var inflight atomic.Int32
+	var maxInflight atomic.Int32
+	chain.onLookup = func() {
+		cur := inflight.Add(1)
+		defer inflight.Add(-1)
+		for {
+			prev := maxInflight.Load()
+			if cur <= prev || maxInflight.CompareAndSwap(prev, cur) {
+				break
+			}
+		}
+		time.Sleep(50 * time.Millisecond) // hold inflight long enough to collide
+	}
+
+	r.SetChainResolver(chain, 50)
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now().Add(-2 * defaultTTL),
+	}
+
+	var wg sync.WaitGroup
+	for i := 0; i < 50; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			queryA(t, r, "mgmt.example.com.")
+		}()
+	}
+	wg.Wait()
+
+	waitFor(t, 2*time.Second, func() bool {
+		return inflight.Load() == 0
+	})
+
+	calls := chain.callCount("mgmt.example.com.", dns.TypeA)
+	assert.LessOrEqual(t, calls, 2, "singleflight must collapse concurrent refreshes (got %d)", calls)
+	assert.Equal(t, int32(1), maxInflight.Load(), "only one refresh should run concurrently")
+}
+
+func TestResolver_RefreshFailureArmsBackoff(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.err = errors.New("boom")
+	r.SetChainResolver(chain, 50)
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now().Add(-2 * defaultTTL),
+	}
+
+	// First stale hit triggers a refresh attempt that fails.
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry served while refresh fails")
+
+	waitFor(t, time.Second, func() bool {
+		return chain.callCount("mgmt.example.com.", dns.TypeA) == 1
+	})
+	waitFor(t, time.Second, func() bool {
+		r.mutex.RLock()
+		defer r.mutex.RUnlock()
+		c, ok := r.records[q]
+		return ok && !c.lastFailedRefresh.IsZero()
+	})
+
+	// Subsequent stale hits within backoff window should not schedule more refreshes.
+	for i := 0; i < 10; i++ {
+		queryA(t, r, "mgmt.example.com.")
+	}
+	time.Sleep(50 * time.Millisecond)
+	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeA), "backoff must suppress further refreshes")
+}
+
+func TestResolver_NoRootHandler_SkipsChain(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.hasRoot = false
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	// With hasRoot=false the chain must not be consulted. Use a short
+	// deadline so the OS fallback returns quickly without waiting on a
+	// real network call in CI.
+	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
+	defer cancel()
+	_, _, _, _ = r.lookupBoth(ctx, domain.Domain("mgmt.example.com"), "mgmt.example.com.")
+
+	assert.Equal(t, 0, chain.callCount("mgmt.example.com.", dns.TypeA),
+		"chain must not be used when no root handler is registered at the bound priority")
+}
+
+func TestResolver_ServeDuringRefreshSetsLoopFlag(t *testing.T) {
+	// ServeDNS being invoked for a question while a refresh for that question
+	// is inflight indicates a resolver loop (OS resolver sent the recursive
+	// query back to us). The inflightRefresh.loopLoggedOnce flag must be set.
+	r := NewResolver()
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(),
+	}
+
+	// Simulate an inflight refresh.
+	r.markRefreshing(q)
+	defer r.clearRefreshing(q)
+
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must still be served to avoid breaking external queries")
+
+	r.mutex.RLock()
+	inflight := r.refreshing[q]
+	r.mutex.RUnlock()
+	require.NotNil(t, inflight)
+	assert.True(t, inflight.Load(), "loop flag must be set once a ServeDNS during refresh was observed")
+}
+
+func TestResolver_LoopFlagOnlyTrippedOncePerRefresh(t *testing.T) {
+	r := NewResolver()
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(),
+	}
+
+	r.markRefreshing(q)
+	defer r.clearRefreshing(q)
+
+	// Multiple ServeDNS calls during the same refresh must not re-set the flag
+	// (CompareAndSwap from false -> true returns true only on the first call).
+	for range 5 {
+		queryA(t, r, "mgmt.example.com.")
+	}
+
+	r.mutex.RLock()
+	inflight := r.refreshing[q]
+	r.mutex.RUnlock()
+	assert.True(t, inflight.Load())
+}
+
+func TestResolver_NoLoopFlagWhenNotRefreshing(t *testing.T) {
+	r := NewResolver()
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(),
+	}
+
+	queryA(t, r, "mgmt.example.com.")
+
+	r.mutex.RLock()
+	_, ok := r.refreshing[q]
+	r.mutex.RUnlock()
+	assert.False(t, ok, "no refresh inflight means no loop tracking")
+}
+
+func TestResolver_AddDomain_UsesChainWhenRootRegistered(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	chain.setAnswer("mgmt.example.com.", dns.TypeAAAA, "fd00::2")
+	r.SetChainResolver(chain, 50)
+
+	require.NoError(t, r.AddDomain(context.Background(), domain.Domain("mgmt.example.com")))
+
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.2", firstA(t, resp))
+	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeA))
+	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeAAAA))
+}

client/internal/dns/mgmt/mgmt_test.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
@@ -23,6 +24,60 @@ func TestResolver_NewResolver(t *testing.T) {
 	assert.False(t, resolver.MatchSubdomains())
 }
 
+func TestResolveCacheTTL(t *testing.T) {
+	tests := []struct {
+		name  string
+		value string
+		want  time.Duration
+	}{
+		{"unset falls back to default", "", defaultTTL},
+		{"valid duration", "45s", 45 * time.Second},
+		{"valid minutes", "2m", 2 * time.Minute},
+		{"malformed falls back to default", "not-a-duration", defaultTTL},
+		{"zero falls back to default", "0s", defaultTTL},
+		{"negative falls back to default", "-5s", defaultTTL},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(envMgmtCacheTTL, tc.value)
+			got := resolveCacheTTL()
+			assert.Equal(t, tc.want, got, "parsed TTL should match")
+		})
+	}
+}
+
+func TestNewResolver_CacheTTLFromEnv(t *testing.T) {
+	t.Setenv(envMgmtCacheTTL, "7s")
+	r := NewResolver()
+	assert.Equal(t, 7*time.Second, r.cacheTTL, "NewResolver should evaluate cacheTTL once from env")
+}
+
+func TestResolver_ResponseTTL(t *testing.T) {
+	now := time.Now()
+	tests := []struct {
+		name     string
+		cacheTTL time.Duration
+		cachedAt time.Time
+		wantMin  uint32
+		wantMax  uint32
+	}{
+		{"fresh entry returns full TTL", 60 * time.Second, now, 59, 60},
+		{"half-aged entry returns half TTL", 60 * time.Second, now.Add(-30 * time.Second), 29, 31},
+		{"expired entry returns zero", 60 * time.Second, now.Add(-61 * time.Second), 0, 0},
+		{"exactly expired returns zero", 10 * time.Second, now.Add(-10 * time.Second), 0, 0},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			r := &Resolver{cacheTTL: tc.cacheTTL}
+			got := r.responseTTL(tc.cachedAt)
+			assert.GreaterOrEqual(t, got, tc.wantMin, "remaining TTL should be >= wantMin")
+			assert.LessOrEqual(t, got, tc.wantMax, "remaining TTL should be <= wantMax")
+		})
+	}
+}
+
 func TestResolver_ExtractDomainFromURL(t *testing.T) {
 	tests := []struct {
 		name        string

client/internal/dns/server.go

@@ -212,6 +212,7 @@ func newDefaultServer(
 	ctx, stop := context.WithCancel(ctx)
 
 	mgmtCacheResolver := mgmt.NewResolver()
+	mgmtCacheResolver.SetChainResolver(handlerChain, PriorityUpstream)
 
 	defaultServer := &DefaultServer{
 		ctx:               ctx,

client/internal/engine.go

@@ -26,6 +26,7 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -604,6 +605,8 @@ func (e *Engine) createFirewall() error {
 		return nil
 	}
 
+	firewalld.SetParentContext(e.ctx)
+
 	var err error
 	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
 	if err != nil {
@@ -941,7 +944,12 @@ func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 			return fmt.Errorf("update relay token: %w", err)
 		}
 
-		e.relayManager.UpdateServerURLs(update.Urls)
+		urls := update.Urls
+		if override, ok := peer.OverrideRelayURLs(); ok {
+			log.Infof("overriding relay URLs from %s: %v", peer.EnvKeyNBHomeRelayServers, override)
+			urls = override
+		}
+		e.relayManager.UpdateServerURLs(urls)
 
 		// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
 		// We can ignore all errors because the guard will manage the reconnection retries.

client/internal/engine_test.go

@@ -1671,7 +1671,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/lazyconn/activity/listener_bind_test.go

@@ -3,7 +3,6 @@ package activity
 import (
 	"net"
 	"net/netip"
-	"runtime"
 	"testing"
 	"time"
 
@@ -18,10 +17,6 @@ import (
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
-func isBindListenerPlatform() bool {
-	return runtime.GOOS == "windows" || runtime.GOOS == "js"
-}
-
 // mockEndpointManager implements device.EndpointManager for testing
 type mockEndpointManager struct {
 	endpoints map[netip.Addr]net.Conn
@@ -181,10 +176,6 @@ func TestBindListener_Close(t *testing.T) {
 }
 
 func TestManager_BindMode(t *testing.T) {
-	if !isBindListenerPlatform() {
-		t.Skip("BindListener only used on Windows/JS platforms")
-	}
-
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 
@@ -226,10 +217,6 @@ func TestManager_BindMode(t *testing.T) {
 }
 
 func TestManager_BindMode_MultiplePeers(t *testing.T) {
-	if !isBindListenerPlatform() {
-		t.Skip("BindListener only used on Windows/JS platforms")
-	}
-
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 

client/internal/lazyconn/activity/manager.go

@@ -4,14 +4,12 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"runtime"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -75,16 +73,6 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 
-	// BindListener is used on Windows, JS, and netstack platforms:
-	// - JS: Cannot listen to UDP sockets
-	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
-	//   gateway points to, preventing them from reaching the loopback interface.
-	// - Netstack: Allows multiple instances on the same host without port conflicts.
-	// BindListener bypasses these issues by passing data directly through the bind.
-	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
-		return NewUDPListener(m.wgIface, peerCfg)
-	}
-
 	provider, ok := m.wgIface.(bindProvider)
 	if !ok {
 		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")

client/internal/peer/env.go

@@ -7,7 +7,8 @@ import (
 )
 
 const (
-	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
+	EnvKeyNBForceRelay       = "NB_FORCE_RELAY"
+	EnvKeyNBHomeRelayServers = "NB_HOME_RELAY_SERVERS"
 )
 
 func IsForceRelayed() bool {
@@ -16,3 +17,28 @@ func IsForceRelayed() bool {
 	}
 	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
 }
+
+// OverrideRelayURLs returns the relay server URL list set in
+// NB_HOME_RELAY_SERVERS (comma-separated) and a boolean indicating whether
+// the override is active. When the env var is unset, the boolean is false
+// and the caller should keep the list received from the management server.
+// Intended for lab/debug scenarios where a peer must pin to a specific home
+// relay regardless of what management offers.
+func OverrideRelayURLs() ([]string, bool) {
+	raw := os.Getenv(EnvKeyNBHomeRelayServers)
+	if raw == "" {
+		return nil, false
+	}
+	parts := strings.Split(raw, ",")
+	urls := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			urls = append(urls, p)
+		}
+	}
+	if len(urls) == 0 {
+		return nil, false
+	}
+	return urls, true
+}

client/internal/routemanager/systemops/systemops_darwin.go

@@ -89,8 +89,16 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 		return false, fmt.Errorf("unusable default nexthop for %s (no interface)", unspec)
 	}
 
+	reused := false
 	if err := r.addScopedDefault(unspec, nexthop); err != nil {
-		return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
+		if !errors.Is(err, unix.EEXIST) {
+			return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
+		}
+		// macOS installs its own RTF_IFSCOPE defaults for primary service
+		// selection on multi-NIC setups, so a route on this ifindex can
+		// already exist before we try. Binding to it via IP[V6]_BOUND_IF
+		// still produces the scoped lookup we need.
+		reused = true
 	}
 
 	af := unix.AF_INET
@@ -102,7 +110,11 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 	if nexthop.IP.IsValid() {
 		via = nexthop.IP.String()
 	}
-	log.Infof("installed scoped default route via %s on %s for %s", via, nexthop.Intf.Name, afOf(unspec))
+	verb := "installed"
+	if reused {
+		verb = "reused existing"
+	}
+	log.Infof("%s scoped default route via %s on %s for %s", verb, via, nexthop.Intf.Name, afOf(unspec))
 	return true, nil
 }
 

client/internal/sleep/detector_darwin.go

@@ -2,217 +2,358 @@
 
 package sleep
 
-/*
-#cgo LDFLAGS: -framework IOKit -framework CoreFoundation
-#include <IOKit/pwr_mgt/IOPMLib.h>
-#include <IOKit/IOMessage.h>
-#include <CoreFoundation/CoreFoundation.h>
-
-extern void sleepCallbackBridge();
-extern void poweredOnCallbackBridge();
-extern void suspendedCallbackBridge();
-extern void resumedCallbackBridge();
-
-
-// C global variables for IOKit state
-static IONotificationPortRef g_notifyPortRef = NULL;
-static io_object_t g_notifierObject = 0;
-static io_object_t g_generalInterestNotifier = 0;
-static io_connect_t g_rootPort = 0;
-static CFRunLoopRef g_runLoop = NULL;
-
-static void sleepCallback(void* refCon, io_service_t service, natural_t messageType, void* messageArgument) {
-	switch (messageType) {
-		case kIOMessageSystemWillSleep:
-			sleepCallbackBridge();
-			IOAllowPowerChange(g_rootPort, (long)messageArgument);
-			break;
-        case kIOMessageSystemHasPoweredOn:
-          	poweredOnCallbackBridge();
-          	break;
-        case kIOMessageServiceIsSuspended:
-			suspendedCallbackBridge();
-			break;
-		case kIOMessageServiceIsResumed:
-			resumedCallbackBridge();
-			break;
-		default:
-			break;
-	}
-}
-
-static void registerNotifications() {
-	g_rootPort = IORegisterForSystemPower(
-		NULL,
-		&g_notifyPortRef,
-		(IOServiceInterestCallback)sleepCallback,
-		&g_notifierObject
-	);
-
-	if (g_rootPort == 0) {
-		return;
-	}
-
-	CFRunLoopAddSource(CFRunLoopGetCurrent(),
-		IONotificationPortGetRunLoopSource(g_notifyPortRef),
-		kCFRunLoopCommonModes);
-
-	g_runLoop = CFRunLoopGetCurrent();
-	CFRunLoopRun();
-}
-
-static void unregisterNotifications() {
-	CFRunLoopRemoveSource(g_runLoop,
-		IONotificationPortGetRunLoopSource(g_notifyPortRef),
-		kCFRunLoopCommonModes);
-
-	IODeregisterForSystemPower(&g_notifierObject);
-	IOServiceClose(g_rootPort);
-	IONotificationPortDestroy(g_notifyPortRef);
-	CFRunLoopStop(g_runLoop);
-
-	g_notifyPortRef = NULL;
-	g_notifierObject = 0;
-	g_rootPort = 0;
-	g_runLoop = NULL;
-}
-
-*/
-import "C"
-
 import (
-	"context"
 	"fmt"
 	"runtime"
 	"sync"
 	"time"
+	"unsafe"
 
+	"github.com/ebitengine/purego"
 	log "github.com/sirupsen/logrus"
 )
 
-var (
-	serviceRegistry   = make(map[*Detector]struct{})
-	serviceRegistryMu sync.Mutex
+// IOKit message types from IOKit/IOMessage.h.
+const (
+	kIOMessageCanSystemSleep     uintptr = 0xe0000270
+	kIOMessageSystemWillSleep    uintptr = 0xe0000280
+	kIOMessageSystemHasPoweredOn uintptr = 0xe0000300
 )
 
-//export sleepCallbackBridge
-func sleepCallbackBridge() {
-	log.Info("sleepCallbackBridge event triggered")
+var (
+	ioKit         iokitFuncs
+	cf            cfFuncs
+	cfCommonModes uintptr
 
-	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
+	libInitOnce sync.Once
+	libInitErr  error
 
-	for svc := range serviceRegistry {
-		svc.triggerCallback(EventTypeSleep)
-	}
+	// callbackThunk is the single C-callable trampoline registered with IOKit.
+	callbackThunk uintptr
+
+	serviceRegistry   = make(map[*Detector]struct{})
+	serviceRegistryMu sync.Mutex
+	session           *runLoopSession
+
+	// lifecycleMu serializes Register/Deregister so a new registration can't
+	// start a second runloop while a previous teardown is still pending.
+	lifecycleMu sync.Mutex
+)
+
+// iokitFuncs holds IOKit symbols resolved once at init.
+type iokitFuncs struct {
+	IORegisterForSystemPower           func(refcon uintptr, portRef *uintptr, callback uintptr, notifier *uintptr) uintptr
+	IODeregisterForSystemPower         func(notifier *uintptr) int32
+	IOAllowPowerChange                 func(kernelPort uintptr, notificationID uintptr) int32
+	IOServiceClose                     func(connect uintptr) int32
+	IONotificationPortGetRunLoopSource func(port uintptr) uintptr
+	IONotificationPortDestroy          func(port uintptr)
 }
 
-//export resumedCallbackBridge
-func resumedCallbackBridge() {
-	log.Info("resumedCallbackBridge event triggered")
+// cfFuncs holds CoreFoundation symbols resolved once at init.
+type cfFuncs struct {
+	CFRunLoopGetCurrent   func() uintptr
+	CFRunLoopRun          func()
+	CFRunLoopStop         func(rl uintptr)
+	CFRunLoopAddSource    func(rl, source, mode uintptr)
+	CFRunLoopRemoveSource func(rl, source, mode uintptr)
 }
 
-//export suspendedCallbackBridge
-func suspendedCallbackBridge() {
-	log.Info("suspendedCallbackBridge event triggered")
+// runLoopSession bundles the handles owned by one CFRunLoop lifetime. A nil
+// session means no runloop is active and the next Register must start one.
+type runLoopSession struct {
+	rl       uintptr
+	port     uintptr
+	notifier uintptr
+	rp       uintptr
 }
 
-//export poweredOnCallbackBridge
-func poweredOnCallbackBridge() {
-	log.Info("poweredOnCallbackBridge event triggered")
-	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
-
-	for svc := range serviceRegistry {
-		svc.triggerCallback(EventTypeWakeUp)
-	}
+// detectorSnapshot pins a detector's callback and done channel so dispatch
+// runs with values valid at snapshot time, even if a concurrent
+// Deregister/Register rewrites the detector's fields.
+type detectorSnapshot struct {
+	detector *Detector
+	callback func(event EventType)
+	done     <-chan struct{}
 }
 
+// Detector delivers sleep and wake events to a registered callback.
 type Detector struct {
 	callback func(event EventType)
-	ctx      context.Context
-	cancel   context.CancelFunc
-}
-
-func NewDetector() (*Detector, error) {
-	return &Detector{}, nil
+	done     chan struct{}
 }
 
+// Register installs callback for power events. The first registration starts
+// the CFRunLoop on a dedicated OS-locked thread and blocks until IOKit
+// registration succeeds or fails; subsequent registrations just add to the
+// dispatch set.
 func (d *Detector) Register(callback func(event EventType)) error {
-	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
+	lifecycleMu.Lock()
+	defer lifecycleMu.Unlock()
 
+	serviceRegistryMu.Lock()
 	if _, exists := serviceRegistry[d]; exists {
+		serviceRegistryMu.Unlock()
 		return fmt.Errorf("detector service already registered")
 	}
-
 	d.callback = callback
+	d.done = make(chan struct{})
+	serviceRegistry[d] = struct{}{}
+	needSetup := session == nil
+	serviceRegistryMu.Unlock()
 
-	d.ctx, d.cancel = context.WithCancel(context.Background())
-
-	if len(serviceRegistry) > 0 {
-		serviceRegistry[d] = struct{}{}
+	if !needSetup {
 		return nil
 	}
 
-	serviceRegistry[d] = struct{}{}
-
-	// CFRunLoop must run on a single fixed OS thread
-	go func() {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-
-		C.registerNotifications()
-	}()
+	errCh := make(chan error, 1)
+	go runRunLoop(errCh)
+	if err := <-errCh; err != nil {
+		serviceRegistryMu.Lock()
+		delete(serviceRegistry, d)
+		close(d.done)
+		d.done = nil
+		serviceRegistryMu.Unlock()
+		return err
+	}
 
 	log.Info("sleep detection service started on macOS")
 	return nil
 }
 
-// Deregister removes the detector. When the last detector is removed, IOKit registration is torn down
-// and the runloop is stopped and cleaned up.
+// Deregister removes the detector. When the last detector leaves, IOKit
+// notifications are torn down and the runloop is stopped.
 func (d *Detector) Deregister() error {
+	lifecycleMu.Lock()
+	defer lifecycleMu.Unlock()
+
 	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
-	_, exists := serviceRegistry[d]
-	if !exists {
+	if _, exists := serviceRegistry[d]; !exists {
+		serviceRegistryMu.Unlock()
 		return nil
 	}
-
-	// cancel and remove this detector
-	d.cancel()
+	close(d.done)
 	delete(serviceRegistry, d)
 
-	// If other Detectors still exist, leave IOKit running
 	if len(serviceRegistry) > 0 {
+		serviceRegistryMu.Unlock()
 		return nil
 	}
+	sess := session
+	serviceRegistryMu.Unlock()
 
 	log.Info("sleep detection service stopping (deregister)")
 
-	// Deregister IOKit notifications, stop runloop, and free resources
-	C.unregisterNotifications()
+	if sess == nil {
+		return nil
+	}
+
+	if sess.rl != 0 && sess.port != 0 {
+		source := ioKit.IONotificationPortGetRunLoopSource(sess.port)
+		cf.CFRunLoopRemoveSource(sess.rl, source, cfCommonModes)
+	}
+	if sess.notifier != 0 {
+		n := sess.notifier
+		ioKit.IODeregisterForSystemPower(&n)
+	}
+
+	// Clear session only after IODeregisterForSystemPower returns so any
+	// in-flight powerCallback can still look up session.rp to ack sleep.
+	serviceRegistryMu.Lock()
+	session = nil
+	serviceRegistryMu.Unlock()
+
+	if sess.rp != 0 {
+		ioKit.IOServiceClose(sess.rp)
+	}
+	if sess.port != 0 {
+		ioKit.IONotificationPortDestroy(sess.port)
+	}
+	if sess.rl != 0 {
+		cf.CFRunLoopStop(sess.rl)
+	}
 
 	return nil
 }
 
-func (d *Detector) triggerCallback(event EventType) {
-	doneChan := make(chan struct{})
+func (d *Detector) triggerCallback(event EventType, cb func(event EventType), done <-chan struct{}) {
+	if cb == nil || done == nil {
+		return
+	}
 
+	select {
+	case <-done:
+		return
+	default:
+	}
+
+	doneChan := make(chan struct{})
 	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
-	cb := d.callback
-	go func(callback func(event EventType)) {
+	go func() {
+		defer close(doneChan)
+		defer func() {
+			if r := recover(); r != nil {
+				log.Errorf("panic in sleep callback: %v", r)
+			}
+		}()
 		log.Info("sleep detection event fired")
-		callback(event)
-		close(doneChan)
-	}(cb)
+		cb(event)
+	}()
 
 	select {
 	case <-doneChan:
-	case <-d.ctx.Done():
+	case <-done:
 	case <-timeout.C:
-		log.Warnf("sleep callback timed out")
+		log.Warn("sleep callback timed out")
 	}
 }
+
+// NewDetector initializes IOKit/CoreFoundation bindings and returns a Detector.
+func NewDetector() (*Detector, error) {
+	if err := initLibs(); err != nil {
+		return nil, err
+	}
+	return &Detector{}, nil
+}
+
+func initLibs() error {
+	libInitOnce.Do(func() {
+		iokit, err := purego.Dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			libInitErr = fmt.Errorf("dlopen IOKit: %w", err)
+			return
+		}
+		cfLib, err := purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			libInitErr = fmt.Errorf("dlopen CoreFoundation: %w", err)
+			return
+		}
+
+		purego.RegisterLibFunc(&ioKit.IORegisterForSystemPower, iokit, "IORegisterForSystemPower")
+		purego.RegisterLibFunc(&ioKit.IODeregisterForSystemPower, iokit, "IODeregisterForSystemPower")
+		purego.RegisterLibFunc(&ioKit.IOAllowPowerChange, iokit, "IOAllowPowerChange")
+		purego.RegisterLibFunc(&ioKit.IOServiceClose, iokit, "IOServiceClose")
+		purego.RegisterLibFunc(&ioKit.IONotificationPortGetRunLoopSource, iokit, "IONotificationPortGetRunLoopSource")
+		purego.RegisterLibFunc(&ioKit.IONotificationPortDestroy, iokit, "IONotificationPortDestroy")
+
+		purego.RegisterLibFunc(&cf.CFRunLoopGetCurrent, cfLib, "CFRunLoopGetCurrent")
+		purego.RegisterLibFunc(&cf.CFRunLoopRun, cfLib, "CFRunLoopRun")
+		purego.RegisterLibFunc(&cf.CFRunLoopStop, cfLib, "CFRunLoopStop")
+		purego.RegisterLibFunc(&cf.CFRunLoopAddSource, cfLib, "CFRunLoopAddSource")
+		purego.RegisterLibFunc(&cf.CFRunLoopRemoveSource, cfLib, "CFRunLoopRemoveSource")
+
+		modeAddr, err := purego.Dlsym(cfLib, "kCFRunLoopCommonModes")
+		if err != nil {
+			libInitErr = fmt.Errorf("dlsym kCFRunLoopCommonModes: %w", err)
+			return
+		}
+		// Launder the uintptr-to-pointer conversion through a Go variable so
+		// go vet's unsafeptr analyzer doesn't flag a system-library global.
+		cfCommonModes = **(**uintptr)(unsafe.Pointer(&modeAddr))
+
+		// NewCallback slots are a finite, non-reclaimable resource, so register
+		// a single thunk that dispatches to the current Detector set.
+		callbackThunk = purego.NewCallback(powerCallback)
+	})
+	return libInitErr
+}
+
+// powerCallback is the IOServiceInterestCallback trampoline, invoked on the
+// runloop thread. A Go panic crossing the purego boundary has undefined
+// behavior, so contain it here.
+func powerCallback(refcon, service, messageType, messageArgument uintptr) uintptr {
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("panic in sleep powerCallback: %v", r)
+		}
+	}()
+	switch messageType {
+	case kIOMessageCanSystemSleep:
+		// Not acknowledging forces a 30s IOKit timeout before idle sleep.
+		allowPowerChange(messageArgument)
+	case kIOMessageSystemWillSleep:
+		dispatchEvent(EventTypeSleep)
+		allowPowerChange(messageArgument)
+	case kIOMessageSystemHasPoweredOn:
+		dispatchEvent(EventTypeWakeUp)
+	}
+	return 0
+}
+
+func allowPowerChange(messageArgument uintptr) {
+	serviceRegistryMu.Lock()
+	var port uintptr
+	if session != nil {
+		port = session.rp
+	}
+	serviceRegistryMu.Unlock()
+	if port != 0 {
+		ioKit.IOAllowPowerChange(port, messageArgument)
+	}
+}
+
+func dispatchEvent(event EventType) {
+	serviceRegistryMu.Lock()
+	snaps := make([]detectorSnapshot, 0, len(serviceRegistry))
+	for d := range serviceRegistry {
+		snaps = append(snaps, detectorSnapshot{
+			detector: d,
+			callback: d.callback,
+			done:     d.done,
+		})
+	}
+	serviceRegistryMu.Unlock()
+
+	for _, s := range snaps {
+		s.detector.triggerCallback(event, s.callback, s.done)
+	}
+}
+
+// runRunLoop owns the OS-locked thread that CFRunLoop is pinned to. Setup
+// result is reported on errCh so Register can surface failures synchronously.
+func runRunLoop(errCh chan<- error) {
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	sess, err := setupSession()
+	if err == nil {
+		serviceRegistryMu.Lock()
+		session = sess
+		serviceRegistryMu.Unlock()
+	}
+	errCh <- err
+	if err != nil {
+		return
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("panic in sleep runloop: %v", r)
+		}
+	}()
+	cf.CFRunLoopRun()
+}
+
+// setupSession performs the IOKit registration on the current thread. Panics
+// are converted to errors so runRunLoop never leaves errCh unsent.
+func setupSession() (s *runLoopSession, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic during runloop setup: %v", r)
+		}
+	}()
+
+	var portRef, notifier uintptr
+	rp := ioKit.IORegisterForSystemPower(0, &portRef, callbackThunk, &notifier)
+	if rp == 0 {
+		return nil, fmt.Errorf("IORegisterForSystemPower returned zero")
+	}
+
+	rl := cf.CFRunLoopGetCurrent()
+	source := ioKit.IONotificationPortGetRunLoopSource(portRef)
+	cf.CFRunLoopAddSource(rl, source, cfCommonModes)
+
+	return &runLoopSession{rl: rl, port: portRef, notifier: notifier, rp: rp}, nil
+}

client/netbird.wxs

@@ -13,15 +13,25 @@
 
 		<MajorUpgrade AllowSameVersionUpgrades='yes' DowngradeErrorMessage="A newer version of [ProductName] is already installed. Setup will now exit."/>
 
+		<!-- Autostart: enabled by default, disable with AUTOSTART=0 on the msiexec command line -->
+		<Property Id="AUTOSTART" Value="1" />
+
 		<StandardDirectory Id="ProgramFiles64Folder">
 			<Directory Id="NetbirdInstallDir" Name="Netbird">
 				<Component Id="NetbirdFiles" Guid="db3165de-cc6e-4922-8396-9d892950e23e" Bitness="always64">
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird.exe" KeyPath="yes" />
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird-ui.exe">
-						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
-						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
+						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
+							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
+							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
+						</Shortcut>
+						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
+							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
+							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
+						</Shortcut>
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
+					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
 					<?if $(var.ArchSuffix) = "amd64" ?>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
 					<?endif ?>
@@ -46,8 +56,30 @@
 			</Directory>
 		</StandardDirectory>
 
+		<!-- Per-user component: HKCU keypath (auto GUID via "*"), separate from
+		     the per-machine NetbirdFiles component to satisfy ICE57. -->
+		<StandardDirectory Id="ProgramMenuFolder">
+			<Component Id="NetbirdAumidRegistry" Guid="*">
+				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
+					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
+				</RegistryKey>
+			</Component>
+		</StandardDirectory>
+
+		<StandardDirectory Id="CommonAppDataFolder">
+			<Directory Id="NetbirdAutoStartDir" Name="Netbird">
+				<Component Id="NetbirdAutoStart" Guid="b199eaca-b0dd-4032-af19-679cfad48eb3" Bitness="always64" Condition='AUTOSTART = "1"'>
+					<RegistryValue Root="HKLM" Key="Software\Microsoft\Windows\CurrentVersion\Run"
+						Name="Netbird" Value="&quot;[NetbirdInstallDir]netbird-ui.exe&quot;"
+						Type="string" KeyPath="yes" />
+				</Component>
+			</Directory>
+		</StandardDirectory>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
+			<ComponentRef Id="NetbirdAumidRegistry" />
+			<ComponentRef Id="NetbirdAutoStart" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

client/proto/daemon.proto

@@ -104,8 +104,6 @@ service DaemonService {
   // StopCPUProfile stops CPU profiling in the daemon
   rpc StopCPUProfile(StopCPUProfileRequest) returns (StopCPUProfileResponse) {}
 
-  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}
-
   rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
 
   // ExposeService exposes a local port via the NetBird reverse proxy
@@ -114,20 +112,6 @@ service DaemonService {
 
 
 
-message OSLifecycleRequest {
-  // avoid collision with loglevel enum
-  enum CycleType {
-    UNKNOWN = 0;
-    SLEEP = 1;
-    WAKEUP = 2;
-  }
-
-  CycleType type = 1;
-}
-
-message OSLifecycleResponse {}
-
-
 message LoginRequest {
   // setupKey netbird setup key.
   string setupKey = 1;

client/server/server.go

@@ -120,6 +120,7 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
+	s.startSleepDetector()
 
 	return s
 }

client/server/server_test.go

@@ -335,7 +335,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/server/sleep.go

@@ -2,13 +2,18 @@ package server
 
 import (
 	"context"
+	"os"
+	"strconv"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 )
 
+const envDisableSleepDetector = "NB_DISABLE_SLEEP_DETECTOR"
+
 // serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
 type serverAgent struct {
 	s *Server
@@ -28,19 +33,61 @@ func (a *serverAgent) Status() (internal.StatusType, error) {
 	return internal.CtxGetState(a.s.rootCtx).Status()
 }
 
-// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
-func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
-	switch req.GetType() {
-	case proto.OSLifecycleRequest_WAKEUP:
-		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	case proto.OSLifecycleRequest_SLEEP:
-		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	default:
-		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
+// startSleepDetector starts the OS sleep/wake detector and forwards events to
+// the sleep handler. On platforms without a supported detector the attempt
+// logs a warning and returns. Setting NB_DISABLE_SLEEP_DETECTOR=true skips
+// registration entirely.
+func (s *Server) startSleepDetector() {
+	if sleepDetectorDisabled() {
+		log.Info("sleep detection disabled via " + envDisableSleepDetector)
+		return
 	}
-	return &proto.OSLifecycleResponse{}, nil
+
+	svc, err := sleep.New()
+	if err != nil {
+		log.Warnf("failed to initialize sleep detection: %v", err)
+		return
+	}
+
+	err = svc.Register(func(event sleep.EventType) {
+		switch event {
+		case sleep.EventTypeSleep:
+			log.Info("handling sleep event")
+			if err := s.sleepHandler.HandleSleep(s.rootCtx); err != nil {
+				log.Errorf("failed to handle sleep event: %v", err)
+			}
+		case sleep.EventTypeWakeUp:
+			log.Info("handling wakeup event")
+			if err := s.sleepHandler.HandleWakeUp(s.rootCtx); err != nil {
+				log.Errorf("failed to handle wakeup event: %v", err)
+			}
+		}
+	})
+	if err != nil {
+		log.Errorf("failed to register sleep detector: %v", err)
+		return
+	}
+
+	log.Info("sleep detection service initialized")
+
+	go func() {
+		<-s.rootCtx.Done()
+		log.Info("stopping sleep event listener")
+		if err := svc.Deregister(); err != nil {
+			log.Errorf("failed to deregister sleep detector: %v", err)
+		}
+	}()
+}
+
+func sleepDetectorDisabled() bool {
+	val := os.Getenv(envDisableSleepDetector)
+	if val == "" {
+		return false
+	}
+	disabled, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s=%q: %v", envDisableSleepDetector, val, err)
+		return false
+	}
+	return disabled
 }

client/ui/client_ui.go

@@ -38,10 +38,10 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/desktop"
 	"github.com/netbirdio/netbird/client/ui/event"
+	"github.com/netbirdio/netbird/client/ui/notifier"
 	"github.com/netbirdio/netbird/client/ui/process"
 	"github.com/netbirdio/netbird/util"
 
@@ -260,6 +260,7 @@ type serviceClient struct {
 
 	// application with main windows.
 	app                  fyne.App
+	notifier             notifier.Notifier
 	wSettings            fyne.Window
 	showAdvancedSettings bool
 	sendNotification     bool
@@ -364,6 +365,7 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 		cancel:           cancel,
 		addr:             args.addr,
 		app:              args.app,
+		notifier:         notifier.New(args.app),
 		logFile:          args.logFile,
 		sendNotification: false,
 
@@ -892,7 +894,7 @@ func (s *serviceClient) updateStatus() error {
 		if err != nil {
 			log.Errorf("get service status: %v", err)
 			if s.connected {
-				s.app.SendNotification(fyne.NewNotification("Error", "Connection to service lost"))
+				s.notifier.Send("Error", "Connection to service lost")
 			}
 			s.setDisconnectedStatus()
 			return err
@@ -1109,7 +1111,7 @@ func (s *serviceClient) onTrayReady() {
 		}
 	}()
 
-	s.eventManager = event.NewManager(s.app, s.addr)
+	s.eventManager = event.NewManager(s.notifier, s.addr)
 	s.eventManager.SetNotificationsEnabled(s.mNotifications.Checked())
 	s.eventManager.AddHandler(func(event *proto.SystemEvent) {
 		if event.Category == proto.SystemEvent_SYSTEM {
@@ -1146,9 +1148,6 @@ func (s *serviceClient) onTrayReady() {
 
 	go s.eventManager.Start(s.ctx)
 	go s.eventHandler.listen(s.ctx)
-
-	// Start sleep detection listener
-	go s.startSleepListener()
 }
 
 func (s *serviceClient) attachOutput(cmd *exec.Cmd) *os.File {
@@ -1209,62 +1208,6 @@ func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonService
 	return s.conn, nil
 }
 
-// startSleepListener initializes the sleep detection service and listens for sleep events
-func (s *serviceClient) startSleepListener() {
-	sleepService, err := sleep.New()
-	if err != nil {
-		log.Warnf("%v", err)
-		return
-	}
-
-	if err := sleepService.Register(s.handleSleepEvents); err != nil {
-		log.Errorf("failed to start sleep detection: %v", err)
-		return
-	}
-
-	log.Info("sleep detection service initialized")
-
-	// Cleanup on context cancellation
-	go func() {
-		<-s.ctx.Done()
-		log.Info("stopping sleep event listener")
-		if err := sleepService.Deregister(); err != nil {
-			log.Errorf("failed to deregister sleep detection: %v", err)
-		}
-	}()
-}
-
-// handleSleepEvents sends a sleep notification to the daemon via gRPC
-func (s *serviceClient) handleSleepEvents(event sleep.EventType) {
-	conn, err := s.getSrvClient(0)
-	if err != nil {
-		log.Errorf("failed to get daemon client for sleep notification: %v", err)
-		return
-	}
-
-	req := &proto.OSLifecycleRequest{}
-
-	switch event {
-	case sleep.EventTypeWakeUp:
-		log.Infof("handle wakeup event: %v", event)
-		req.Type = proto.OSLifecycleRequest_WAKEUP
-	case sleep.EventTypeSleep:
-		log.Infof("handle sleep event: %v", event)
-		req.Type = proto.OSLifecycleRequest_SLEEP
-	default:
-		log.Infof("unknown event: %v", event)
-		return
-	}
-
-	_, err = conn.NotifyOSLifecycle(s.ctx, req)
-	if err != nil {
-		log.Errorf("failed to notify daemon about os lifecycle notification: %v", err)
-		return
-	}
-
-	log.Info("successfully notified daemon about os lifecycle")
-}
-
 // setSettingsEnabled enables or disables the settings menu based on the provided state
 func (s *serviceClient) setSettingsEnabled(enabled bool) {
 	if s.mSettings != nil {
@@ -1548,7 +1491,7 @@ func (s *serviceClient) onUpdateAvailable(newVersion string, enforced bool) {
 
 	if enforced && s.lastNotifiedVersion != newVersion {
 		s.lastNotifiedVersion = newVersion
-		s.app.SendNotification(fyne.NewNotification("Update available", "A new version "+newVersion+" is ready to install"))
+		s.notifier.Send("Update available", "A new version "+newVersion+" is ready to install")
 	}
 }
 

client/ui/event/event.go

@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 
-	"fyne.io/fyne/v2"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -18,11 +17,17 @@ import (
 	"github.com/netbirdio/netbird/client/ui/desktop"
 )
 
+// Notifier sends desktop notifications. Defined here so the event package
+// does not depend on fyne or the platform-specific notifier implementation.
+type Notifier interface {
+	Send(title, body string)
+}
+
 type Handler func(*proto.SystemEvent)
 
 type Manager struct {
-	app  fyne.App
-	addr string
+	notifier Notifier
+	addr     string
 
 	mu       sync.Mutex
 	ctx      context.Context
@@ -31,10 +36,10 @@ type Manager struct {
 	handlers []Handler
 }
 
-func NewManager(app fyne.App, addr string) *Manager {
+func NewManager(notifier Notifier, addr string) *Manager {
 	return &Manager{
-		app:  app,
-		addr: addr,
+		notifier: notifier,
+		addr:     addr,
 	}
 }
 
@@ -114,7 +119,7 @@ func (e *Manager) handleEvent(event *proto.SystemEvent) {
 		if id != "" {
 			body += fmt.Sprintf(" ID: %s", id)
 		}
-		e.app.SendNotification(fyne.NewNotification(title, body))
+		e.notifier.Send(title, body)
 	}
 
 	for _, handler := range handlers {

client/ui/event_handler.go

@@ -9,7 +9,6 @@ import (
 	"os"
 	"os/exec"
 
-	"fyne.io/fyne/v2"
 	"fyne.io/systray"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
@@ -87,7 +86,7 @@ func (h *eventHandler) handleConnectClick() {
 			if errors.Is(err, context.Canceled) || (ok && st.Code() == codes.Canceled) {
 				log.Debugf("connect operation cancelled by user")
 			} else {
-				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to connect"))
+				h.client.notifier.Send("Error", "Failed to connect")
 				log.Errorf("connect failed: %v", err)
 			}
 		}
@@ -112,7 +111,7 @@ func (h *eventHandler) handleDisconnectClick() {
 		if err := h.client.menuDownClick(); err != nil {
 			st, ok := status.FromError(err)
 			if !errors.Is(err, context.Canceled) && !(ok && st.Code() == codes.Canceled) {
-				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to disconnect"))
+				h.client.notifier.Send("Error", "Failed to disconnect")
 				log.Errorf("disconnect failed: %v", err)
 			} else {
 				log.Debugf("disconnect cancelled or already disconnecting")
@@ -130,7 +129,7 @@ func (h *eventHandler) handleAllowSSHClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAllowSSH) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update SSH settings"))
+		h.client.notifier.Send("Error", "Failed to update SSH settings")
 	}
 
 }
@@ -140,7 +139,7 @@ func (h *eventHandler) handleAutoConnectClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAutoConnect) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update auto-connect settings"))
+		h.client.notifier.Send("Error", "Failed to update auto-connect settings")
 	}
 }
 
@@ -149,7 +148,7 @@ func (h *eventHandler) handleRosenpassClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mEnableRosenpass) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update Rosenpass settings"))
+		h.client.notifier.Send("Error", "Failed to update Rosenpass settings")
 	}
 }
 
@@ -158,7 +157,7 @@ func (h *eventHandler) handleLazyConnectionClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mLazyConnEnabled) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update lazy connection settings"))
+		h.client.notifier.Send("Error", "Failed to update lazy connection settings")
 	}
 }
 
@@ -167,7 +166,7 @@ func (h *eventHandler) handleBlockInboundClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mBlockInbound) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update block inbound settings"))
+		h.client.notifier.Send("Error", "Failed to update block inbound settings")
 	}
 }
 
@@ -176,7 +175,7 @@ func (h *eventHandler) handleNotificationsClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mNotifications) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update notifications settings"))
+		h.client.notifier.Send("Error", "Failed to update notifications settings")
 	} else if h.client.eventManager != nil {
 		h.client.eventManager.SetNotificationsEnabled(h.client.mNotifications.Checked())
 	}

client/ui/notifier/notifier.go

@@ -0,0 +1,27 @@
+// Package notifier sends desktop notifications. On Windows it uses the WinRT
+// COM API directly via go-toast/v2 to avoid the PowerShell window flash that
+// fyne's default implementation produces. On other platforms it delegates to
+// fyne.
+package notifier
+
+import "fyne.io/fyne/v2"
+
+// Notifier sends desktop notifications.
+type Notifier interface {
+	Send(title, body string)
+}
+
+// New returns a platform-specific Notifier. The fyne app is used as the
+// fallback notifier on platforms where no native implementation is wired up,
+// and on Windows when the COM path fails to initialize.
+func New(app fyne.App) Notifier {
+	return newNotifier(app)
+}
+
+type fyneNotifier struct {
+	app fyne.App
+}
+
+func (f *fyneNotifier) Send(title, body string) {
+	f.app.SendNotification(fyne.NewNotification(title, body))
+}

client/ui/notifier/notifier_other.go

@@ -0,0 +1,9 @@
+//go:build !windows
+
+package notifier
+
+import "fyne.io/fyne/v2"
+
+func newNotifier(app fyne.App) Notifier {
+	return &fyneNotifier{app: app}
+}

client/ui/notifier/notifier_windows.go

@@ -0,0 +1,88 @@
+package notifier
+
+import (
+	"os"
+	"path/filepath"
+	"sync"
+
+	"fyne.io/fyne/v2"
+	toast "git.sr.ht/~jackmordaunt/go-toast/v2"
+	"git.sr.ht/~jackmordaunt/go-toast/v2/wintoast"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// appID is the AppUserModelID shown in the Windows Action Center. It
+	// must match the System.AppUserModel.ID property set on the Start Menu
+	// shortcut by the MSI (see client/netbird.wxs); otherwise Windows
+	// groups toasts under a separate, unbranded entry.
+	appID = "NetBird"
+
+	// appGUID identifies the COM activation callback class. Generated once
+	// for NetBird; do not change without coordinating an installer bump,
+	// since old registry entries pointing at the previous GUID would orphan.
+	appGUID = "{0E1B4DE7-E148-432B-9814-544F941826EC}"
+)
+
+type comNotifier struct {
+	fallback *fyneNotifier
+	ready    bool
+	iconPath string
+}
+
+var (
+	initOnce sync.Once
+	initErr  error
+)
+
+func newNotifier(app fyne.App) Notifier {
+	n := &comNotifier{
+		fallback: &fyneNotifier{app: app},
+		iconPath: resolveIcon(),
+	}
+	initOnce.Do(func() {
+		initErr = wintoast.SetAppData(wintoast.AppData{
+			AppID:    appID,
+			GUID:     appGUID,
+			IconPath: n.iconPath,
+		})
+	})
+	if initErr != nil {
+		log.Warnf("toast: register app data failed, falling back to fyne notifications: %v", initErr)
+		return n.fallback
+	}
+	n.ready = true
+	return n
+}
+
+func (n *comNotifier) Send(title, body string) {
+	if !n.ready {
+		n.fallback.Send(title, body)
+		return
+	}
+	notification := toast.Notification{
+		AppID: appID,
+		Title: title,
+		Body:  body,
+		Icon:  n.iconPath,
+	}
+	if err := notification.Push(); err != nil {
+		log.Warnf("toast: push failed, using fyne fallback: %v", err)
+		n.fallback.Send(title, body)
+	}
+}
+
+// resolveIcon returns an absolute path to the toast icon, or an empty string
+// when no icon can be located. Windows requires a PNG/JPG for the
+// AppUserModelId IconUri registry value; .ico is silently ignored.
+func resolveIcon() string {
+	exe, err := os.Executable()
+	if err != nil {
+		return ""
+	}
+	candidate := filepath.Join(filepath.Dir(exe), "netbird.png")
+	if _, err := os.Stat(candidate); err == nil {
+		return candidate
+	}
+	return ""
+}

client/ui/profile.go

@@ -548,7 +548,7 @@ func (p *profileMenu) refresh() {
 					if err != nil {
 						log.Errorf("failed to switch profile: %v", err)
 						// show  notification dialog
-						p.app.SendNotification(fyne.NewNotification("Error", "Failed to switch profile"))
+						p.serviceClient.notifier.Send("Error", "Failed to switch profile")
 						return
 					}
 
@@ -628,9 +628,9 @@ func (p *profileMenu) refresh() {
 				}
 				if err := p.eventHandler.logout(p.ctx); err != nil {
 					log.Errorf("logout failed: %v", err)
-					p.app.SendNotification(fyne.NewNotification("Error", "Failed to deregister"))
+					p.serviceClient.notifier.Send("Error", "Failed to deregister")
 				} else {
-					p.app.SendNotification(fyne.NewNotification("Success", "Deregistered successfully"))
+					p.serviceClient.notifier.Send("Success", "Deregistered successfully")
 				}
 			}
 		}

flow/client/client_test.go

@@ -457,6 +457,18 @@ func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {
 
 	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
 	require.NoError(t, err)
+
+	// Cleanups run LIFO: the goroutine-drain registered here runs after Close below,
+	// which is when Receive has actually returned. Without this, the Receive goroutine
+	// can outlive the test and call t.Logf after teardown, panicking.
+	receiveDone := make(chan struct{})
+	t.Cleanup(func() {
+		select {
+		case <-receiveDone:
+		case <-time.After(2 * time.Second):
+			t.Error("Receive goroutine did not exit after Close")
+		}
+	})
 	t.Cleanup(func() {
 		err := client.Close()
 		assert.NoError(t, err, "failed to close flow")
@@ -468,6 +480,7 @@ func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {
 	receivedAfterReconnect := make(chan struct{})
 
 	go func() {
+		defer close(receiveDone)
 		err := client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
 			if msg.IsInitiator || len(msg.EventId) == 0 {
 				return nil

go.mod

@@ -30,6 +30,7 @@ require (
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
+	git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.6
@@ -46,6 +47,7 @@ require (
 	github.com/crowdsecurity/go-cs-bouncer v0.0.21
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
+	github.com/ebitengine/purego v0.8.4
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
@@ -178,7 +180,6 @@ require (
 	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect

go.sum

@@ -15,6 +15,8 @@ fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
 fyne.io/fyne/v2 v2.7.0/go.mod h1:xClVlrhxl7D+LT+BWYmcrW4Nf+dJTvkhnPgji7spAwE=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9 h1:829+77I4TaMrcg9B3wf+gHhdSgoCVEgH2czlPXPbfj4=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs=
+git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3 h1:N3IGoHHp9pb6mj1cbXbuaSXV/UMKwmbKLf53nQmtqMA=
+git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3/go.mod h1:QtOLZGz8olr4qH2vWK0QH0w0O4T9fEIjMuWpKUsH7nc=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk=

idp/dex/config.go

@@ -193,7 +193,7 @@ func (c *Connector) ToStorageConnector() (storage.Connector, error) {
 // are stored with types that Dex can open.
 func mapConnectorToDex(connType string, config map[string]interface{}) (string, map[string]interface{}) {
 	switch connType {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak", "adfs":
 		return "oidc", applyOIDCDefaults(connType, config)
 	default:
 		return connType, config
@@ -218,6 +218,8 @@ func applyOIDCDefaults(connType string, config map[string]interface{}) map[strin
 		setDefault(augmented, "claimMapping", map[string]string{"email": "preferred_username"})
 	case "okta", "pocketid":
 		augmented["scopes"] = []string{"openid", "profile", "email", "groups"}
+	case "adfs":
+		augmented["scopes"] = []string{"openid", "profile", "email", "allatclaims"}
 	}
 
 	return augmented

idp/dex/connector.go

@@ -168,7 +168,7 @@ func (p *Provider) buildStorageConnector(cfg *ConnectorConfig) (storage.Connecto
 	var err error
 
 	switch cfg.Type {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak", "adfs":
 		dexType = "oidc"
 		configData, err = buildOIDCConnectorConfig(cfg, redirectURI)
 	case "google":
@@ -220,6 +220,8 @@ func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte,
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
 	case "pocketid":
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
+	case "adfs":
+		oidcConfig["scopes"] = []string{"openid", "profile", "email", "allatclaims"}
 	}
 	return encodeConnectorConfig(oidcConfig)
 }
@@ -283,7 +285,7 @@ func inferIdentityProviderType(dexType, connectorID string, _ map[string]interfa
 // inferOIDCProviderType infers the specific OIDC provider from connector ID
 func inferOIDCProviderType(connectorID string) string {
 	connectorIDLower := strings.ToLower(connectorID)
-	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak"} {
+	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak", "adfs"} {
 		if strings.Contains(connectorIDLower, provider) {
 			return provider
 		}

infrastructure_files/getting-started.sh

@@ -231,7 +231,20 @@ get_upstream_host() {
 
 wait_management_proxy() {
   local proxy_container="${1:-traefik}"
+  local use_docker_logs=false
   set +e
+
+  if [[ "$proxy_container" == "detect-traefik" ]]; then
+    proxy_container=$(docker ps --format "{{.ID}}\t{{.Image}}\t{{.Ports}}" \
+    | awk -F'\t' '$2 ~ /traefik/ && $3 ~ /:(80|443)->/ {print $1; exit}')
+
+    if [[ -z "$proxy_container" ]]; then
+      echo "Warning: could not auto-detect Traefik container, log output will be skipped on timeout." > /dev/stderr
+    else
+      use_docker_logs=true
+    fi
+  fi
+
   echo -n "Waiting for NetBird server to become ready"
   counter=1
   while true; do
@@ -242,7 +255,13 @@ wait_management_proxy() {
     if [[ $counter -eq 60 ]]; then
       echo ""
       echo "Taking too long. Checking logs..."
-      $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
+      if [[ -n "$proxy_container" ]]; then
+        if [[ "$use_docker_logs" == "true" ]]; then
+          docker logs --tail=20 "$proxy_container"
+        else
+          $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
+        fi
+      fi
       $DOCKER_COMPOSE_COMMAND logs --tail=20 netbird-server
     fi
     echo -n " ."
@@ -472,7 +491,7 @@ start_services_and_show_instructions() {
       if [[ "$ENABLE_CROWDSEC" == "true" ]]; then
         echo "Registering CrowdSec bouncer..."
         local cs_retries=0
-        while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli capi status >/dev/null 2>&1; do
+        while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli lapi status >/dev/null 2>&1; do
           cs_retries=$((cs_retries + 1))
           if [[ $cs_retries -ge 30 ]]; then
             echo "WARNING: CrowdSec did not become ready. Skipping CrowdSec setup." > /dev/stderr
@@ -518,7 +537,7 @@ start_services_and_show_instructions() {
     $DOCKER_COMPOSE_COMMAND up -d
 
     sleep 3
-    wait_management_direct
+    wait_management_proxy detect-traefik
 
     echo -e "$MSG_DONE"
     print_post_setup_instructions

management/internals/controllers/network_map/controller/controller.go

@@ -7,7 +7,6 @@ import (
 	"os"
 	"slices"
 	"strconv"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -16,11 +15,9 @@ import (
 	"golang.org/x/exp/maps"
 	"golang.org/x/mod/semver"
 
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
-	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/account"
@@ -58,13 +55,6 @@ type Controller struct {
 	proxyController port_forwarding.Controller
 
 	integratedPeerValidator integrated_validator.IntegratedValidator
-
-	holder *types.Holder
-
-	expNewNetworkMap     bool
-	expNewNetworkMapAIDs map[string]struct{}
-
-	compactedNetworkMap bool
 }
 
 type bufferUpdate struct {
@@ -81,29 +71,6 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		log.Fatal(fmt.Errorf("error creating metrics: %w", err))
 	}
 
-	newNetworkMapBuilder, err := strconv.ParseBool(os.Getenv(network_map.EnvNewNetworkMapBuilder))
-	if err != nil {
-		log.WithContext(ctx).Warnf("failed to parse %s, using default value false: %v", network_map.EnvNewNetworkMapBuilder, err)
-		newNetworkMapBuilder = false
-	}
-
-	compactedNetworkMap := true
-	compactedEnv := os.Getenv(types.EnvNewNetworkMapCompacted)
-	parsedCompactedNmap, err := strconv.ParseBool(compactedEnv)
-	if err != nil && len(compactedEnv) > 0 {
-		log.WithContext(ctx).Warnf("failed to parse %s, using default value true: %v", types.EnvNewNetworkMapCompacted, err)
-	}
-	if err == nil && !parsedCompactedNmap {
-		log.WithContext(ctx).Info("disabling compacted mode")
-		compactedNetworkMap = false
-	}
-
-	ids := strings.Split(os.Getenv(network_map.EnvNewNetworkMapAccounts), ",")
-	expIDs := make(map[string]struct{}, len(ids))
-	for _, id := range ids {
-		expIDs[id] = struct{}{}
-	}
-
 	return &Controller{
 		repo:                    newRepository(store),
 		metrics:                 nMetrics,
@@ -117,12 +84,6 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 
 		proxyController:       proxyController,
 		EphemeralPeersManager: ephemeralPeersManager,
-
-		holder:               types.NewHolder(),
-		expNewNetworkMap:     newNetworkMapBuilder,
-		expNewNetworkMapAIDs: expIDs,
-
-		compactedNetworkMap: compactedNetworkMap,
 	}
 }
 
@@ -153,17 +114,9 @@ func (c *Controller) CountStreams() int {
 
 func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID string) error {
 	log.WithContext(ctx).Tracef("updating peers for account %s from %s", accountID, util.GetCallerName())
-	var (
-		account *types.Account
-		err     error
-	)
-	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(ctx, accountID)
-	} else {
-		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-		if err != nil {
-			return fmt.Errorf("failed to get account: %v", err)
-		}
+	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get account: %v", err)
 	}
 
 	globalStart := time.Now()
@@ -197,10 +150,6 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	routers := account.GetResourceRoutersMap()
 	groupIDToUserIDs := account.GetActiveGroupUsers()
 
-	if c.experimentalNetworkMap(accountID) {
-		c.initNetworkMapBuilderIfNeeded(account, approvedPeersMap)
-	}
-
 	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
@@ -243,16 +192,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
 			start = time.Now()
 
-			var remotePeerNetworkMap *types.NetworkMap
-
-			switch {
-			case c.experimentalNetworkMap(accountID):
-				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-			case c.compactedNetworkMap:
-				remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-			default:
-				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-			}
+			remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 
 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
 
@@ -318,10 +258,6 @@ func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID
 // UpdatePeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
 func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string) error {
-	if err := c.RecalculateNetworkMapCache(ctx, accountID); err != nil {
-		return fmt.Errorf("recalculate network map cache: %v", err)
-	}
-
 	return c.sendUpdateAccountPeers(ctx, accountID)
 }
 
@@ -371,16 +307,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return err
 	}
 
-	var remotePeerNetworkMap *types.NetworkMap
-
-	switch {
-	case c.experimentalNetworkMap(accountId):
-		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-	case c.compactedNetworkMap:
-		remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-	default:
-		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-	}
+	remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -451,17 +378,9 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		return peer, emptyMap, nil, 0, nil
 	}
 
-	var (
-		account *types.Account
-		err     error
-	)
-	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(ctx, accountID)
-	} else {
-		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-		if err != nil {
-			return nil, nil, nil, 0, err
-		}
+	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return nil, nil, nil, 0, err
 	}
 
 	account.InjectProxyPolicies(ctx)
@@ -493,20 +412,10 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		return nil, nil, nil, 0, err
 	}
 
-	var networkMap *types.NetworkMap
-
-	if c.experimentalNetworkMap(accountID) {
-		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-	} else {
-		resourcePolicies := account.GetResourcePoliciesMap()
-		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-		if c.compactedNetworkMap {
-			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-		} else {
-			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-		}
-	}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -518,108 +427,6 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	return peer, networkMap, postureChecks, dnsFwdPort, nil
 }
 
-func (c *Controller) initNetworkMapBuilderIfNeeded(account *types.Account, validatedPeers map[string]struct{}) {
-	c.enrichAccountFromHolder(account)
-	account.InitNetworkMapBuilderIfNeeded(validatedPeers)
-}
-
-func (c *Controller) getPeerNetworkMapExp(
-	ctx context.Context,
-	accountId string,
-	peerId string,
-	validatedPeers map[string]struct{},
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	metrics *telemetry.AccountManagerMetrics,
-) *types.NetworkMap {
-	account := c.getAccountFromHolderOrInit(ctx, accountId)
-	if account == nil {
-		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
-		return &types.NetworkMap{
-			Network: &types.Network{},
-		}
-	}
-
-	return account.GetPeerNetworkMapExp(ctx, peerId, peersCustomZone, accountZones, validatedPeers, metrics)
-}
-
-func (c *Controller) onPeersAddedUpdNetworkMapCache(account *types.Account, peerIds ...string) {
-	c.enrichAccountFromHolder(account)
-	account.OnPeersAddedUpdNetworkMapCache(peerIds...)
-}
-
-func (c *Controller) onPeerDeletedUpdNetworkMapCache(account *types.Account, peerId string) error {
-	c.enrichAccountFromHolder(account)
-	return account.OnPeerDeletedUpdNetworkMapCache(peerId)
-}
-
-func (c *Controller) UpdatePeerInNetworkMapCache(accountId string, peer *nbpeer.Peer) {
-	account := c.getAccountFromHolder(accountId)
-	if account == nil {
-		return
-	}
-	account.UpdatePeerInNetworkMapCache(peer)
-}
-
-func (c *Controller) recalculateNetworkMapCache(account *types.Account, validatedPeers map[string]struct{}) {
-	account.RecalculateNetworkMapCache(validatedPeers)
-	c.updateAccountInHolder(account)
-}
-
-func (c *Controller) RecalculateNetworkMapCache(ctx context.Context, accountId string) error {
-	if c.experimentalNetworkMap(accountId) {
-		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountId)
-		if err != nil {
-			return err
-		}
-		validatedPeers, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to get validate peers: %v", err)
-			return err
-		}
-		c.recalculateNetworkMapCache(account, validatedPeers)
-	}
-	return nil
-}
-
-func (c *Controller) experimentalNetworkMap(accountId string) bool {
-	_, ok := c.expNewNetworkMapAIDs[accountId]
-	return c.expNewNetworkMap || ok
-}
-
-func (c *Controller) enrichAccountFromHolder(account *types.Account) {
-	a := c.holder.GetAccount(account.Id)
-	if a == nil {
-		c.holder.AddAccount(account)
-		return
-	}
-	account.NetworkMapCache = a.NetworkMapCache
-	if account.NetworkMapCache == nil {
-		return
-	}
-	c.holder.AddAccount(account)
-}
-
-func (c *Controller) getAccountFromHolder(accountID string) *types.Account {
-	return c.holder.GetAccount(accountID)
-}
-
-func (c *Controller) getAccountFromHolderOrInit(ctx context.Context, accountID string) *types.Account {
-	a := c.holder.GetAccount(accountID)
-	if a != nil {
-		return a
-	}
-	account, err := c.holder.LoadOrStoreFunc(ctx, accountID, c.requestBuffer.GetAccountWithBackpressure)
-	if err != nil {
-		return nil
-	}
-	return account
-}
-
-func (c *Controller) updateAccountInHolder(account *types.Account) {
-	c.holder.AddAccount(account)
-}
-
 // GetDNSDomain returns the configured dnsDomain
 func (c *Controller) GetDNSDomain(settings *types.Settings) string {
 	if settings == nil {
@@ -756,16 +563,7 @@ func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *t
 }
 
 func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string) error {
-	peers, err := c.repo.GetPeersByIDs(ctx, accountID, peerIDs)
-	if err != nil {
-		return fmt.Errorf("failed to get peers by ids: %w", err)
-	}
-
-	for _, peer := range peers {
-		c.UpdatePeerInNetworkMapCache(accountID, peer)
-	}
-
-	err = c.bufferSendUpdateAccountPeers(ctx, accountID)
+	err := c.bufferSendUpdateAccountPeers(ctx, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to buffer update account peers for peer update in account %s: %v", accountID, err)
 	}
@@ -775,14 +573,6 @@ func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerI
 
 func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
 	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
-	if c.experimentalNetworkMap(accountID) {
-		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-		if err != nil {
-			return err
-		}
-		log.WithContext(ctx).Debugf("peers are ready to be added to networkmap cache: %v", peerIDs)
-		c.onPeersAddedUpdNetworkMapCache(account, peerIDs...)
-	}
 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
 }
 
@@ -817,19 +607,6 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 			MessageType: network_map.MessageTypeNetworkMap,
 		})
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
-
-		if c.experimentalNetworkMap(accountID) {
-			account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-			if err != nil {
-				log.WithContext(ctx).Errorf("failed to get account %s: %v", accountID, err)
-				continue
-			}
-			err = c.onPeerDeletedUpdNetworkMapCache(account, peerID)
-			if err != nil {
-				log.WithContext(ctx).Errorf("failed to update network map cache for deleted peer %s in account %s: %v", peerID, accountID, err)
-				continue
-			}
-		}
 	}
 
 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
@@ -872,21 +649,11 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 		return nil, err
 	}
 
-	var networkMap *types.NetworkMap
-
-	if c.experimentalNetworkMap(peer.AccountID) {
-		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
-	} else {
-		account.InjectProxyPolicies(ctx)
-		resourcePolicies := account.GetResourcePoliciesMap()
-		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-		if c.compactedNetworkMap {
-			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		} else {
-			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		}
-	}
+	account.InjectProxyPolicies(ctx)
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {

management/internals/controllers/network_map/interface.go

@@ -12,9 +12,6 @@ import (
 )
 
 const (
-	EnvNewNetworkMapBuilder  = "NB_EXPERIMENT_NETWORK_MAP"
-	EnvNewNetworkMapAccounts = "NB_EXPERIMENT_NETWORK_MAP_ACCOUNTS"
-
 	DnsForwarderPort           = nbdns.ForwarderServerPort
 	OldForwarderPort           = nbdns.ForwarderClientPort
 	DnsForwarderPortMinVersion = "v0.59.0"

management/internals/server/boot.go

@@ -30,6 +30,7 @@ import (
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
 	nbhttp "github.com/netbirdio/netbird/management/server/http"
+	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
@@ -109,7 +110,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies)
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -117,6 +118,15 @@ func (s *BaseServer) APIHandler() http.Handler {
 	})
 }
 
+func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {
+	return Create(s, func() *middleware.APIRateLimiter {
+		cfg, enabled := middleware.RateLimiterConfigFromEnv()
+		limiter := middleware.NewAPIRateLimiter(cfg)
+		limiter.SetEnabled(enabled)
+		return limiter
+	})
+}
+
 func (s *BaseServer) GRPCServer() *grpc.Server {
 	return Create(s, func() *grpc.Server {
 		trustedPeers := s.Config.ReverseProxy.TrustedPeers
@@ -163,7 +173,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 		}
 
 		gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider())
+		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider(), s.SessionStore())
 		if err != nil {
 			log.Fatalf("failed to create management server: %v", err)
 		}

management/internals/server/controllers.go

@@ -6,6 +6,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/management-integrations/integrations"
+
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	proxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy/manager"
 
@@ -66,6 +67,12 @@ func (s *BaseServer) SecretsManager() grpc.SecretsManager {
 	})
 }
 
+func (s *BaseServer) SessionStore() *auth.SessionStore {
+	return Create(s, func() *auth.SessionStore {
+		return auth.NewSessionStore(s.CacheStore())
+	})
+}
+
 func (s *BaseServer) AuthManager() auth.Manager {
 	audiences := s.Config.GetAuthAudiences()
 	audience := s.Config.HttpConfig.AuthAudience

management/internals/shared/grpc/server.go

@@ -14,6 +14,7 @@ import (
 	"sync/atomic"
 	"time"
 
+	jwtv5 "github.com/golang-jwt/jwt/v5"
 	pb "github.com/golang/protobuf/proto" // nolint
 	"github.com/golang/protobuf/ptypes/timestamp"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
@@ -67,6 +68,7 @@ type Server struct {
 	appMetrics     telemetry.AppMetrics
 	peerLocks      sync.Map
 	authManager    auth.Manager
+	sessionStore   *auth.SessionStore
 
 	logBlockedPeers          bool
 	blockPeersWithSameConfig bool
@@ -98,6 +100,7 @@ func NewServer(
 	integratedPeerValidator integrated_validator.IntegratedValidator,
 	networkMapController network_map.Controller,
 	oAuthConfigProvider idp.OAuthConfigProvider,
+	sessionStore *auth.SessionStore,
 ) (*Server, error) {
 	if appMetrics != nil {
 		// update gauge based on number of connected peers which is equal to open gRPC streams
@@ -140,6 +143,7 @@ func NewServer(
 		integratedPeerValidator:  integratedPeerValidator,
 		networkMapController:     networkMapController,
 		oAuthConfigProvider:      oAuthConfigProvider,
+		sessionStore:             sessionStore,
 
 		loginFilter: newLoginFilter(),
 
@@ -535,7 +539,7 @@ func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID st
 	log.WithContext(ctx).Debugf("peer %s has been disconnected", peer.Key)
 }
 
-func (s *Server) validateToken(ctx context.Context, jwtToken string) (string, error) {
+func (s *Server) validateToken(ctx context.Context, peerKey, jwtToken string) (string, error) {
 	if s.authManager == nil {
 		return "", status.Errorf(codes.Internal, "missing auth manager")
 	}
@@ -545,6 +549,10 @@ func (s *Server) validateToken(ctx context.Context, jwtToken string) (string, er
 		return "", status.Errorf(codes.InvalidArgument, "invalid jwt token, err: %v", err)
 	}
 
+	if err := s.claimLoginToken(ctx, peerKey, jwtToken, token); err != nil {
+		return "", err
+	}
+
 	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
 	accountId, _, err := s.accountManager.GetAccountIDFromUserAuth(ctx, userAuth)
 	if err != nil {
@@ -828,6 +836,31 @@ func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, ne
 	return loginResp, nil
 }
 
+func (s *Server) claimLoginToken(ctx context.Context, peerKey, jwtToken string, token *jwtv5.Token) error {
+	if s.sessionStore == nil || token == nil {
+		return nil
+	}
+
+	exp, err := token.Claims.GetExpirationTime()
+	if err != nil || exp == nil {
+		log.WithContext(ctx).Warnf("JWT has no usable exp claim for peer %s", peerKey)
+		return status.Error(codes.Unauthenticated, "jwt token has no expiration")
+	}
+
+	err = s.sessionStore.RegisterToken(ctx, jwtToken, exp.Time)
+	if err == nil {
+		return nil
+	}
+
+	if errors.Is(err, auth.ErrTokenAlreadyUsed) || errors.Is(err, auth.ErrTokenExpired) {
+		log.WithContext(ctx).Warnf("%v for peer %s", err, peerKey)
+		return status.Error(codes.Unauthenticated, err.Error())
+	}
+
+	log.WithContext(ctx).Warnf("failed to claim JWT for peer %s: %v", peerKey, err)
+	return status.Error(codes.Unavailable, "failed to claim jwt token")
+}
+
 // processJwtToken validates the existence of a JWT token in the login request, and returns the corresponding user ID if
 // the token is valid.
 //
@@ -838,7 +871,7 @@ func (s *Server) processJwtToken(ctx context.Context, loginReq *proto.LoginReque
 	if loginReq.GetJwtToken() != "" {
 		var err error
 		for i := 0; i < 3; i++ {
-			userID, err = s.validateToken(ctx, loginReq.GetJwtToken())
+			userID, err = s.validateToken(ctx, peerKey.String(), loginReq.GetJwtToken())
 			if err == nil {
 				break
 			}

management/server/account_test.go

@@ -408,7 +408,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		}
 
 		customZone := account.GetPeersCustomZone(context.Background(), "netbird.io")
-		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, nil, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+		networkMap := account.GetPeerNetworkMapFromComponents(context.Background(), testCase.peerID, customZone, nil, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
@@ -1171,11 +1171,6 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 	assert.Equal(t, peer.IP.String(), fmt.Sprint(ev.Meta["ip"]))
 }
 
-func TestAccountManager_NetworkUpdates_SaveGroup_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_SaveGroup(t)
-}
-
 func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	testAccountManager_NetworkUpdates_SaveGroup(t)
 }
@@ -1231,11 +1226,6 @@ func testAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	wg.Wait()
 }
 
-func TestAccountManager_NetworkUpdates_DeletePolicy_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_DeletePolicy(t)
-}
-
 func TestAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeletePolicy(t)
 }
@@ -1274,11 +1264,6 @@ func testAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	wg.Wait()
 }
 
-func TestAccountManager_NetworkUpdates_SavePolicy_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_SavePolicy(t)
-}
-
 func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	testAccountManager_NetworkUpdates_SavePolicy(t)
 }
@@ -1332,11 +1317,6 @@ func testAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	wg.Wait()
 }
 
-func TestAccountManager_NetworkUpdates_DeletePeer_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_DeletePeer(t)
-}
-
 func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeletePeer(t)
 }
@@ -1397,11 +1377,6 @@ func testAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	wg.Wait()
 }
 
-func TestAccountManager_NetworkUpdates_DeleteGroup_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_DeleteGroup(t)
-}
-
 func TestAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeleteGroup(t)
 }
@@ -1633,75 +1608,6 @@ func TestFileStore_GetRoutesByPrefix(t *testing.T) {
 	assert.Contains(t, routeIDs, route.ID("route-2"))
 }
 
-func TestAccount_GetRoutesToSync(t *testing.T) {
-	_, prefix, err := route.ParseNetwork("192.168.64.0/24")
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, prefix2, err := route.ParseNetwork("192.168.0.0/24")
-	if err != nil {
-		t.Fatal(err)
-	}
-	account := &types.Account{
-		Peers: map[string]*nbpeer.Peer{
-			"peer-1": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}},
-		},
-		Groups: map[string]*types.Group{"group1": {ID: "group1", Peers: []string{"peer-1", "peer-2"}}},
-		Routes: map[route.ID]*route.Route{
-			"route-1": {
-				ID:          "route-1",
-				Network:     prefix,
-				NetID:       "network-1",
-				Description: "network-1",
-				Peer:        "peer-1",
-				NetworkType: 0,
-				Masquerade:  false,
-				Metric:      999,
-				Enabled:     true,
-				Groups:      []string{"group1"},
-			},
-			"route-2": {
-				ID:          "route-2",
-				Network:     prefix2,
-				NetID:       "network-2",
-				Description: "network-2",
-				Peer:        "peer-2",
-				NetworkType: 0,
-				Masquerade:  false,
-				Metric:      999,
-				Enabled:     true,
-				Groups:      []string{"group1"},
-			},
-			"route-3": {
-				ID:          "route-3",
-				Network:     prefix,
-				NetID:       "network-1",
-				Description: "network-1",
-				Peer:        "peer-2",
-				NetworkType: 0,
-				Masquerade:  false,
-				Metric:      999,
-				Enabled:     true,
-				Groups:      []string{"group1"},
-			},
-		},
-	}
-
-	routes := account.GetRoutesToSync(context.Background(), "peer-2", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-3"}}, account.GetPeerGroups("peer-2"))
-
-	assert.Len(t, routes, 2)
-	routeIDs := make(map[route.ID]struct{}, 2)
-	for _, r := range routes {
-		routeIDs[r.ID] = struct{}{}
-	}
-	assert.Contains(t, routeIDs, route.ID("route-2"))
-	assert.Contains(t, routeIDs, route.ID("route-3"))
-
-	emptyRoutes := account.GetRoutesToSync(context.Background(), "peer-3", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-2"}}, account.GetPeerGroups("peer-3"))
-
-	assert.Len(t, emptyRoutes, 0)
-}
-
 func TestAccount_Copy(t *testing.T) {
 	account := &types.Account{
 		Id:                     "account1",
@@ -1824,9 +1730,7 @@ func TestAccount_Copy(t *testing.T) {
 				AccountID: "account1",
 			},
 		},
-		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
-	account.InitOnce()
 	err := hasNilField(account)
 	if err != nil {
 		t.Fatal(err)
@@ -2311,6 +2215,29 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 	}
 }
 
+func TestGetExpiredPeers_SkipsAlreadyExpired(t *testing.T) {
+	ctx := context.Background()
+
+	testStore, cleanUp, err := store.NewTestStoreFromSQL(ctx, "testdata/store_with_expired_peers.sql", t.TempDir())
+	t.Cleanup(cleanUp)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+
+	// Verify the already-expired peer is excluded at the store level
+	peers, err := testStore.GetAccountPeersWithExpiration(ctx, store.LockingStrengthNone, accountID)
+	require.NoError(t, err)
+
+	for _, peer := range peers {
+		assert.NotEqual(t, "cg05lnblo1hkg2j514p0", peer.ID, "already expired peer should be excluded by the store query")
+		assert.False(t, peer.Status.LoginExpired, "returned peers should not already be marked as login expired")
+	}
+
+	// Only the non-expired peer with expiration enabled should be returned
+	require.Len(t, peers, 1)
+	assert.Equal(t, "notexpired01", peers[0].ID)
+}
+
 func TestAccount_GetInactivePeers(t *testing.T) {
 	type test struct {
 		name          string
@@ -3230,6 +3157,13 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *update_channel.
 	return manager, updateManager, account, peer1, peer2, peer3
 }
 
+// peerUpdateTimeout bounds how long peerShouldReceiveUpdate and its outer
+// wrappers wait for an expected update message. Sized for slow CI runners
+// (MySQL, FreeBSD, loaded sqlite) where the channel publish can take
+// seconds. Only runs down on failure; passing tests return immediately
+// when the channel delivers.
+const peerUpdateTimeout = 5 * time.Second
+
 func peerShouldNotReceiveUpdate(t *testing.T, updateMessage <-chan *network_map.UpdateMessage) {
 	t.Helper()
 	select {
@@ -3248,7 +3182,7 @@ func peerShouldReceiveUpdate(t *testing.T, updateMessage <-chan *network_map.Upd
 		if msg == nil {
 			t.Errorf("Received nil update message, expected valid message")
 		}
-	case <-time.After(500 * time.Millisecond):
+	case <-time.After(peerUpdateTimeout):
 		t.Error("Timed out waiting for update message")
 	}
 }

management/server/auth/session.go

@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/eko/gocache/lib/v4/cache"
+	"github.com/eko/gocache/lib/v4/store"
+)
+
+const (
+	usedTokenKeyPrefix = "jwt-used:"
+	usedTokenMarker    = "1"
+)
+
+var (
+	ErrTokenAlreadyUsed = errors.New("JWT already used")
+	ErrTokenExpired     = errors.New("JWT expired")
+)
+
+type SessionStore struct {
+	cache *cache.Cache[string]
+}
+
+func NewSessionStore(cacheStore store.StoreInterface) *SessionStore {
+	return &SessionStore{cache: cache.New[string](cacheStore)}
+}
+
+// RegisterToken records a JWT until its exp time and rejects reuse.
+func (s *SessionStore) RegisterToken(ctx context.Context, token string, expiresAt time.Time) error {
+	ttl := time.Until(expiresAt)
+	if ttl <= 0 {
+		return ErrTokenExpired
+	}
+
+	key := usedTokenKeyPrefix + hashToken(token)
+	_, err := s.cache.Get(ctx, key)
+	if err == nil {
+		return ErrTokenAlreadyUsed
+	}
+
+	var notFound *store.NotFound
+	if !errors.As(err, &notFound) {
+		return fmt.Errorf("failed to lookup used token entry: %w", err)
+	}
+
+	if err := s.cache.Set(ctx, key, usedTokenMarker, store.WithExpiration(ttl)); err != nil {
+		return fmt.Errorf("failed to store used token entry: %w", err)
+	}
+
+	return nil
+}
+
+func hashToken(token string) string {
+	sum := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(sum[:])
+}

management/server/auth/session_test.go

@@ -0,0 +1,82 @@
+package auth
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbcache "github.com/netbirdio/netbird/management/server/cache"
+)
+
+func newTestSessionStore(t *testing.T) *SessionStore {
+	t.Helper()
+	cacheStore, err := nbcache.NewStore(context.Background(), time.Hour, time.Hour, 100)
+	require.NoError(t, err)
+	return NewSessionStore(cacheStore)
+}
+
+func TestSessionStore_FirstRegisterSucceeds(t *testing.T) {
+	s := newTestSessionStore(t)
+	ctx := context.Background()
+
+	require.NoError(t, s.RegisterToken(ctx, "token", time.Now().Add(time.Hour)))
+}
+
+func TestSessionStore_RegisterSameTokenTwiceIsRejected(t *testing.T) {
+	s := newTestSessionStore(t)
+	ctx := context.Background()
+	token := "token"
+	exp := time.Now().Add(time.Hour)
+
+	require.NoError(t, s.RegisterToken(ctx, token, exp))
+
+	err := s.RegisterToken(ctx, token, exp)
+	require.Error(t, err)
+	assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
+}
+
+func TestSessionStore_RegisterDifferentTokensAreIndependent(t *testing.T) {
+	s := newTestSessionStore(t)
+	ctx := context.Background()
+	exp := time.Now().Add(time.Hour)
+
+	require.NoError(t, s.RegisterToken(ctx, "tokenA", exp))
+	require.NoError(t, s.RegisterToken(ctx, "tokenB", exp))
+}
+
+func TestSessionStore_RegisterWithPastExpiryIsRejected(t *testing.T) {
+	s := newTestSessionStore(t)
+	ctx := context.Background()
+	token := "token"
+
+	err := s.RegisterToken(ctx, token, time.Now().Add(-time.Second))
+	require.Error(t, err)
+	assert.ErrorIs(t, err, ErrTokenExpired)
+}
+
+func TestSessionStore_EntryEvictsAtTTLAndAllowsReRegistration(t *testing.T) {
+	s := newTestSessionStore(t)
+	ctx := context.Background()
+	token := "token"
+
+	require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond)))
+
+	err := s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond))
+	assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
+
+	time.Sleep(120 * time.Millisecond)
+
+	require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(time.Hour)))
+}
+
+func TestHashToken_StableAndDoesNotLeak(t *testing.T) {
+	a := hashToken("tokenA")
+	b := hashToken("tokenB")
+	assert.Equal(t, a, hashToken("tokenA"), "hash must be deterministic")
+	assert.NotEqual(t, a, b, "different tokens must hash differently")
+	assert.Len(t, a, 64, "sha256 hex must be 64 chars")
+	assert.NotContains(t, a, "tokenA", "raw token must not appear in hash")
+}

management/server/dns_test.go

@@ -458,7 +458,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -478,7 +478,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -518,7 +518,7 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

management/server/group_test.go

@@ -620,7 +620,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -638,7 +638,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -656,7 +656,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -689,7 +689,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -730,7 +730,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -757,7 +757,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -804,7 +804,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

management/server/http/handler.go

@@ -5,9 +5,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"os"
-	"strconv"
-	"time"
 
 	"github.com/gorilla/mux"
 	"github.com/rs/cors"
@@ -66,14 +63,11 @@ import (
 )
 
 const (
-	apiPrefix              = "/api"
-	rateLimitingEnabledKey = "NB_API_RATE_LIMITING_ENABLED"
-	rateLimitingBurstKey   = "NB_API_RATE_LIMITING_BURST"
-	rateLimitingRPMKey     = "NB_API_RATE_LIMITING_RPM"
+	apiPrefix = "/api"
 )
 
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter) (http.Handler, error) {
 
 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -94,34 +88,10 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}
 
-	var rateLimitingConfig *middleware.RateLimiterConfig
-	if os.Getenv(rateLimitingEnabledKey) == "true" {
-		rpm := 6
-		if v := os.Getenv(rateLimitingRPMKey); v != "" {
-			value, err := strconv.Atoi(v)
-			if err != nil {
-				log.Warnf("parsing %s env var: %v, using default %d", rateLimitingRPMKey, err, rpm)
-			} else {
-				rpm = value
-			}
-		}
-
-		burst := 500
-		if v := os.Getenv(rateLimitingBurstKey); v != "" {
-			value, err := strconv.Atoi(v)
-			if err != nil {
-				log.Warnf("parsing %s env var: %v, using default %d", rateLimitingBurstKey, err, burst)
-			} else {
-				burst = value
-			}
-		}
-
-		rateLimitingConfig = &middleware.RateLimiterConfig{
-			RequestsPerMinute: float64(rpm),
-			Burst:             burst,
-			CleanupInterval:   6 * time.Hour,
-			LimiterTTL:        24 * time.Hour,
-		}
+	if rateLimiter == nil {
+		log.Warn("NewAPIHandler: nil rate limiter, rate limiting disabled")
+		rateLimiter = middleware.NewAPIRateLimiter(nil)
+		rateLimiter.SetEnabled(false)
 	}
 
 	authMiddleware := middleware.NewAuthMiddleware(
@@ -129,7 +99,7 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		accountManager.GetAccountIDFromUserAuth,
 		accountManager.SyncUserJWTGroups,
 		accountManager.GetUserFromUserAuth,
-		rateLimitingConfig,
+		rateLimiter,
 		appMetrics.GetMeter(),
 	)
 

management/server/http/handlers/peers/peers_handler.go

@@ -417,7 +417,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 
 	dnsDomain := h.networkMapController.GetDNSDomain(account.Settings)
 
-	netMap := account.GetPeerNetworkMap(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+	netMap := account.GetPeerNetworkMapFromComponents(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
 
 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }

management/server/http/middleware/auth_middleware.go

@@ -12,6 +12,7 @@ import (
 	"go.opentelemetry.io/otel/metric"
 
 	"github.com/netbirdio/management-integrations/integrations"
+
 	serverauth "github.com/netbirdio/netbird/management/server/auth"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
@@ -42,14 +43,9 @@ func NewAuthMiddleware(
 	ensureAccount EnsureAccountFunc,
 	syncUserJWTGroups SyncUserJWTGroupsFunc,
 	getUserFromUserAuth GetUserFromUserAuthFunc,
-	rateLimiterConfig *RateLimiterConfig,
+	rateLimiter *APIRateLimiter,
 	meter metric.Meter,
 ) *AuthMiddleware {
-	var rateLimiter *APIRateLimiter
-	if rateLimiterConfig != nil {
-		rateLimiter = NewAPIRateLimiter(rateLimiterConfig)
-	}
-
 	var patUsageTracker *PATUsageTracker
 	if meter != nil {
 		var err error
@@ -87,17 +83,14 @@ func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
 
 		switch authType {
 		case "bearer":
-			request, err := m.checkJWTFromRequest(r, authHeader)
-			if err != nil {
+			if err := m.checkJWTFromRequest(r, authHeader); err != nil {
 				log.WithContext(r.Context()).Errorf("Error when validating JWT: %s", err.Error())
 				util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "token invalid"), w)
 				return
 			}
-
-			h.ServeHTTP(w, request)
+			h.ServeHTTP(w, r)
 		case "token":
-			request, err := m.checkPATFromRequest(r, authHeader)
-			if err != nil {
+			if err := m.checkPATFromRequest(r, authHeader); err != nil {
 				log.WithContext(r.Context()).Debugf("Error when validating PAT: %s", err.Error())
 				// Check if it's a status error, otherwise default to Unauthorized
 				if _, ok := status.FromError(err); !ok {
@@ -106,7 +99,7 @@ func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
 				util.WriteError(r.Context(), err, w)
 				return
 			}
-			h.ServeHTTP(w, request)
+			h.ServeHTTP(w, r)
 		default:
 			util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "no valid authentication provided"), w)
 			return
@@ -115,19 +108,19 @@ func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
 }
 
 // CheckJWTFromRequest checks if the JWT is valid
-func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []string) (*http.Request, error) {
+func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []string) error {
 	token, err := getTokenFromJWTRequest(authHeaderParts)
 
 	// If an error occurs, call the error handler and return an error
 	if err != nil {
-		return r, fmt.Errorf("error extracting token: %w", err)
+		return fmt.Errorf("error extracting token: %w", err)
 	}
 
 	ctx := r.Context()
 
 	userAuth, validatedToken, err := m.authManager.ValidateAndParseToken(ctx, token)
 	if err != nil {
-		return r, err
+		return err
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
@@ -143,7 +136,7 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
 	accountId, _, err := m.ensureAccount(ctx, userAuth)
 	if err != nil {
-		return r, err
+		return err
 	}
 
 	if userAuth.AccountId != accountId {
@@ -153,7 +146,7 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 
 	userAuth, err = m.authManager.EnsureUserAccessByJWTGroups(ctx, userAuth, validatedToken)
 	if err != nil {
-		return r, err
+		return err
 	}
 
 	err = m.syncUserJWTGroups(ctx, userAuth)
@@ -164,41 +157,41 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	_, err = m.getUserFromUserAuth(ctx, userAuth)
 	if err != nil {
 		log.WithContext(ctx).Errorf("HTTP server failed to update user from user auth: %s", err)
-		return r, err
+		return err
 	}
 
-	return nbcontext.SetUserAuthInRequest(r, userAuth), nil
+	// propagates ctx change to upstream middleware
+	*r = *nbcontext.SetUserAuthInRequest(r, userAuth)
+	return nil
 }
 
 // CheckPATFromRequest checks if the PAT is valid
-func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []string) (*http.Request, error) {
+func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []string) error {
 	token, err := getTokenFromPATRequest(authHeaderParts)
 	if err != nil {
-		return r, fmt.Errorf("error extracting token: %w", err)
+		return fmt.Errorf("error extracting token: %w", err)
 	}
 
 	if m.patUsageTracker != nil {
 		m.patUsageTracker.IncrementUsage(token)
 	}
 
-	if m.rateLimiter != nil && !isTerraformRequest(r) {
-		if !m.rateLimiter.Allow(token) {
-			return r, status.Errorf(status.TooManyRequests, "too many requests")
-		}
+	if !isTerraformRequest(r) && !m.rateLimiter.Allow(token) {
+		return status.Errorf(status.TooManyRequests, "too many requests")
 	}
 
 	ctx := r.Context()
 	user, pat, accDomain, accCategory, err := m.authManager.GetPATInfo(ctx, token)
 	if err != nil {
-		return r, fmt.Errorf("invalid Token: %w", err)
+		return fmt.Errorf("invalid Token: %w", err)
 	}
 	if time.Now().After(pat.GetExpirationDate()) {
-		return r, fmt.Errorf("token expired")
+		return fmt.Errorf("token expired")
 	}
 
 	err = m.authManager.MarkPATUsed(ctx, pat.ID)
 	if err != nil {
-		return r, err
+		return err
 	}
 
 	userAuth := auth.UserAuth{
@@ -216,7 +209,9 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 		}
 	}
 
-	return nbcontext.SetUserAuthInRequest(r, userAuth), nil
+	// propagates ctx change to upstream middleware
+	*r = *nbcontext.SetUserAuthInRequest(r, userAuth)
+	return nil
 }
 
 func isTerraformRequest(r *http.Request) bool {

management/server/http/middleware/auth_middleware_test.go

@@ -196,6 +196,8 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 		GetPATInfoFunc:                  mockGetAccountInfoFromPAT,
 	}
 
+	disabledLimiter := NewAPIRateLimiter(nil)
+	disabledLimiter.SetEnabled(false)
 	authMiddleware := NewAuthMiddleware(
 		mockAuth,
 		func(ctx context.Context, userAuth nbauth.UserAuth) (string, string, error) {
@@ -207,7 +209,7 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 		func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 			return &types.User{}, nil
 		},
-		nil,
+		disabledLimiter,
 		nil,
 	)
 
@@ -266,7 +268,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -318,7 +320,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -361,7 +363,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -405,7 +407,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -469,7 +471,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -528,7 +530,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -583,7 +585,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 				return &types.User{}, nil
 			},
-			rateLimitConfig,
+			NewAPIRateLimiter(rateLimitConfig),
 			nil,
 		)
 
@@ -670,6 +672,8 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		GetPATInfoFunc:                  mockGetAccountInfoFromPAT,
 	}
 
+	disabledLimiter := NewAPIRateLimiter(nil)
+	disabledLimiter.SetEnabled(false)
 	authMiddleware := NewAuthMiddleware(
 		mockAuth,
 		func(ctx context.Context, userAuth nbauth.UserAuth) (string, string, error) {
@@ -681,7 +685,7 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		func(ctx context.Context, userAuth nbauth.UserAuth) (*types.User, error) {
 			return &types.User{}, nil
 		},
-		nil,
+		disabledLimiter,
 		nil,
 	)
 

management/server/http/middleware/rate_limiter.go

@@ -4,14 +4,27 @@ import (
 	"context"
 	"net"
 	"net/http"
+	"os"
+	"strconv"
 	"sync"
+	"sync/atomic"
 	"time"
 
+	log "github.com/sirupsen/logrus"
 	"golang.org/x/time/rate"
 
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
 
+const (
+	RateLimitingEnabledEnv = "NB_API_RATE_LIMITING_ENABLED"
+	RateLimitingBurstEnv   = "NB_API_RATE_LIMITING_BURST"
+	RateLimitingRPMEnv     = "NB_API_RATE_LIMITING_RPM"
+
+	defaultAPIRPM   = 6
+	defaultAPIBurst = 500
+)
+
 // RateLimiterConfig holds configuration for the API rate limiter
 type RateLimiterConfig struct {
 	// RequestsPerMinute defines the rate at which tokens are replenished
@@ -34,6 +47,43 @@ func DefaultRateLimiterConfig() *RateLimiterConfig {
 	}
 }
 
+func RateLimiterConfigFromEnv() (cfg *RateLimiterConfig, enabled bool) {
+	rpm := defaultAPIRPM
+	if v := os.Getenv(RateLimitingRPMEnv); v != "" {
+		value, err := strconv.Atoi(v)
+		if err != nil {
+			log.Warnf("parsing %s env var: %v, using default %d", RateLimitingRPMEnv, err, rpm)
+		} else {
+			rpm = value
+		}
+	}
+	if rpm <= 0 {
+		log.Warnf("%s=%d is non-positive, using default %d", RateLimitingRPMEnv, rpm, defaultAPIRPM)
+		rpm = defaultAPIRPM
+	}
+
+	burst := defaultAPIBurst
+	if v := os.Getenv(RateLimitingBurstEnv); v != "" {
+		value, err := strconv.Atoi(v)
+		if err != nil {
+			log.Warnf("parsing %s env var: %v, using default %d", RateLimitingBurstEnv, err, burst)
+		} else {
+			burst = value
+		}
+	}
+	if burst <= 0 {
+		log.Warnf("%s=%d is non-positive, using default %d", RateLimitingBurstEnv, burst, defaultAPIBurst)
+		burst = defaultAPIBurst
+	}
+
+	return &RateLimiterConfig{
+		RequestsPerMinute: float64(rpm),
+		Burst:             burst,
+		CleanupInterval:   6 * time.Hour,
+		LimiterTTL:        24 * time.Hour,
+	}, os.Getenv(RateLimitingEnabledEnv) == "true"
+}
+
 // limiterEntry holds a rate limiter and its last access time
 type limiterEntry struct {
 	limiter    *rate.Limiter
@@ -46,6 +96,7 @@ type APIRateLimiter struct {
 	limiters map[string]*limiterEntry
 	mu       sync.RWMutex
 	stopChan chan struct{}
+	enabled  atomic.Bool
 }
 
 // NewAPIRateLimiter creates a new API rate limiter with the given configuration
@@ -59,14 +110,53 @@ func NewAPIRateLimiter(config *RateLimiterConfig) *APIRateLimiter {
 		limiters: make(map[string]*limiterEntry),
 		stopChan: make(chan struct{}),
 	}
+	rl.enabled.Store(true)
 
 	go rl.cleanupLoop()
 
 	return rl
 }
 
+func (rl *APIRateLimiter) SetEnabled(enabled bool) {
+	rl.enabled.Store(enabled)
+}
+
+func (rl *APIRateLimiter) Enabled() bool {
+	return rl.enabled.Load()
+}
+
+func (rl *APIRateLimiter) UpdateConfig(config *RateLimiterConfig) {
+	if config == nil {
+		return
+	}
+	if config.RequestsPerMinute <= 0 || config.Burst <= 0 {
+		log.Warnf("UpdateConfig: ignoring invalid rpm=%v burst=%d", config.RequestsPerMinute, config.Burst)
+		return
+	}
+
+	newRPS := rate.Limit(config.RequestsPerMinute / 60.0)
+	newBurst := config.Burst
+
+	rl.mu.Lock()
+	rl.config.RequestsPerMinute = config.RequestsPerMinute
+	rl.config.Burst = newBurst
+	snapshot := make([]*rate.Limiter, 0, len(rl.limiters))
+	for _, entry := range rl.limiters {
+		snapshot = append(snapshot, entry.limiter)
+	}
+	rl.mu.Unlock()
+
+	for _, l := range snapshot {
+		l.SetLimit(newRPS)
+		l.SetBurst(newBurst)
+	}
+}
+
 // Allow checks if a request for the given key (token) is allowed
 func (rl *APIRateLimiter) Allow(key string) bool {
+	if !rl.enabled.Load() {
+		return true
+	}
 	limiter := rl.getLimiter(key)
 	return limiter.Allow()
 }
@@ -74,6 +164,9 @@ func (rl *APIRateLimiter) Allow(key string) bool {
 // Wait blocks until the rate limiter allows another request for the given key
 // Returns an error if the context is canceled
 func (rl *APIRateLimiter) Wait(ctx context.Context, key string) error {
+	if !rl.enabled.Load() {
+		return nil
+	}
 	limiter := rl.getLimiter(key)
 	return limiter.Wait(ctx)
 }
@@ -153,6 +246,10 @@ func (rl *APIRateLimiter) Reset(key string) {
 // Returns 429 Too Many Requests if the rate limit is exceeded.
 func (rl *APIRateLimiter) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !rl.enabled.Load() {
+			next.ServeHTTP(w, r)
+			return
+		}
 		clientIP := getClientIP(r)
 		if !rl.Allow(clientIP) {
 			util.WriteErrorResponse("rate limit exceeded, please try again later", http.StatusTooManyRequests, w)

management/server/http/middleware/rate_limiter_test.go

@@ -1,8 +1,10 @@
 package middleware
 
 import (
+	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"sync"
 	"testing"
 	"time"
 
@@ -156,3 +158,172 @@ func TestAPIRateLimiter_Reset(t *testing.T) {
 	// Should be allowed again
 	assert.True(t, rl.Allow("test-key"))
 }
+
+func TestAPIRateLimiter_SetEnabled(t *testing.T) {
+	rl := NewAPIRateLimiter(&RateLimiterConfig{
+		RequestsPerMinute: 60,
+		Burst:             1,
+		CleanupInterval:   time.Minute,
+		LimiterTTL:        time.Minute,
+	})
+	defer rl.Stop()
+
+	assert.True(t, rl.Allow("key"))
+	assert.False(t, rl.Allow("key"), "burst exhausted while enabled")
+
+	rl.SetEnabled(false)
+	assert.False(t, rl.Enabled())
+	for i := 0; i < 5; i++ {
+		assert.True(t, rl.Allow("key"), "disabled limiter must always allow")
+	}
+
+	rl.SetEnabled(true)
+	assert.True(t, rl.Enabled())
+	assert.False(t, rl.Allow("key"), "re-enabled limiter retains prior bucket state")
+}
+
+func TestAPIRateLimiter_UpdateConfig(t *testing.T) {
+	rl := NewAPIRateLimiter(&RateLimiterConfig{
+		RequestsPerMinute: 60,
+		Burst:             2,
+		CleanupInterval:   time.Minute,
+		LimiterTTL:        time.Minute,
+	})
+	defer rl.Stop()
+
+	assert.True(t, rl.Allow("k1"))
+	assert.True(t, rl.Allow("k1"))
+	assert.False(t, rl.Allow("k1"), "burst=2 exhausted")
+
+	rl.UpdateConfig(&RateLimiterConfig{
+		RequestsPerMinute: 60,
+		Burst:             10,
+		CleanupInterval:   time.Minute,
+		LimiterTTL:        time.Minute,
+	})
+
+	// New burst applies to existing keys in place; bucket refills up to new burst over time,
+	// but importantly newly-added keys use the updated config immediately.
+	assert.True(t, rl.Allow("k2"))
+	for i := 0; i < 9; i++ {
+		assert.True(t, rl.Allow("k2"))
+	}
+	assert.False(t, rl.Allow("k2"), "new burst=10 exhausted")
+}
+
+func TestAPIRateLimiter_UpdateConfig_NilIgnored(t *testing.T) {
+	rl := NewAPIRateLimiter(&RateLimiterConfig{
+		RequestsPerMinute: 60,
+		Burst:             1,
+		CleanupInterval:   time.Minute,
+		LimiterTTL:        time.Minute,
+	})
+	defer rl.Stop()
+
+	rl.UpdateConfig(nil) // must not panic or zero the config
+
+	assert.True(t, rl.Allow("k"))
+	assert.False(t, rl.Allow("k"))
+}
+
+func TestAPIRateLimiter_UpdateConfig_NonPositiveIgnored(t *testing.T) {
+	rl := NewAPIRateLimiter(&RateLimiterConfig{
+		RequestsPerMinute: 60,
+		Burst:             1,
+		CleanupInterval:   time.Minute,
+		LimiterTTL:        time.Minute,
+	})
+	defer rl.Stop()
+
+	assert.True(t, rl.Allow("k"))
+	assert.False(t, rl.Allow("k"))
+
+	rl.UpdateConfig(&RateLimiterConfig{RequestsPerMinute: 0, Burst: 0, CleanupInterval: time.Minute, LimiterTTL: time.Minute})
+	rl.UpdateConfig(&RateLimiterConfig{RequestsPerMinute: -1, Burst: 5, CleanupInterval: time.Minute, LimiterTTL: time.Minute})
+	rl.UpdateConfig(&RateLimiterConfig{RequestsPerMinute: 60, Burst: -1, CleanupInterval: time.Minute, LimiterTTL: time.Minute})
+
+	rl.Reset("k")
+	assert.True(t, rl.Allow("k"))
+	assert.False(t, rl.Allow("k"), "burst should still be 1 — invalid UpdateConfig calls were ignored")
+}
+
+func TestAPIRateLimiter_ConcurrentAllowAndUpdate(t *testing.T) {
+	rl := NewAPIRateLimiter(&RateLimiterConfig{
+		RequestsPerMinute: 600,
+		Burst:             10,
+		CleanupInterval:   time.Minute,
+		LimiterTTL:        time.Minute,
+	})
+	defer rl.Stop()
+
+	var wg sync.WaitGroup
+	stop := make(chan struct{})
+
+	for i := 0; i < 8; i++ {
+		wg.Add(1)
+		go func(id int) {
+			defer wg.Done()
+			key := fmt.Sprintf("k%d", id)
+			for {
+				select {
+				case <-stop:
+					return
+				default:
+					rl.Allow(key)
+				}
+			}
+		}(i)
+	}
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < 200; i++ {
+			select {
+			case <-stop:
+				return
+			default:
+				rl.UpdateConfig(&RateLimiterConfig{
+					RequestsPerMinute: float64(30 + (i % 90)),
+					Burst:             1 + (i % 20),
+					CleanupInterval:   time.Minute,
+					LimiterTTL:        time.Minute,
+				})
+				rl.SetEnabled(i%2 == 0)
+			}
+		}
+	}()
+
+	time.Sleep(100 * time.Millisecond)
+	close(stop)
+	wg.Wait()
+}
+
+func TestRateLimiterConfigFromEnv(t *testing.T) {
+	t.Setenv(RateLimitingEnabledEnv, "true")
+	t.Setenv(RateLimitingRPMEnv, "42")
+	t.Setenv(RateLimitingBurstEnv, "7")
+
+	cfg, enabled := RateLimiterConfigFromEnv()
+	assert.True(t, enabled)
+	assert.Equal(t, float64(42), cfg.RequestsPerMinute)
+	assert.Equal(t, 7, cfg.Burst)
+
+	t.Setenv(RateLimitingEnabledEnv, "false")
+	_, enabled = RateLimiterConfigFromEnv()
+	assert.False(t, enabled)
+
+	t.Setenv(RateLimitingEnabledEnv, "")
+	t.Setenv(RateLimitingRPMEnv, "")
+	t.Setenv(RateLimitingBurstEnv, "")
+	cfg, enabled = RateLimiterConfigFromEnv()
+	assert.False(t, enabled)
+	assert.Equal(t, float64(defaultAPIRPM), cfg.RequestsPerMinute)
+	assert.Equal(t, defaultAPIBurst, cfg.Burst)
+
+	t.Setenv(RateLimitingRPMEnv, "0")
+	t.Setenv(RateLimitingBurstEnv, "-5")
+	cfg, _ = RateLimiterConfigFromEnv()
+	assert.Equal(t, float64(defaultAPIRPM), cfg.RequestsPerMinute, "non-positive rpm must fall back to default")
+	assert.Equal(t, defaultAPIBurst, cfg.Burst, "non-positive burst must fall back to default")
+}

management/server/http/testing/testing_tools/channel/channel.go

@@ -135,7 +135,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)
 
-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
@@ -264,7 +264,7 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)
 
-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}

management/server/identity_provider.go

@@ -274,7 +274,7 @@ func identityProviderToConnectorConfig(idpConfig *types.IdentityProvider) *dex.C
 }
 
 // generateIdentityProviderID generates a unique ID for an identity provider.
-// For specific provider types (okta, zitadel, entra, google, pocketid, microsoft),
+// For specific provider types (okta, zitadel, entra, google, pocketid, microsoft, adfs),
 // the ID is prefixed with the type name. Generic OIDC providers get no prefix.
 func generateIdentityProviderID(idpType types.IdentityProviderType) string {
 	id := xid.New().String()
@@ -296,6 +296,8 @@ func generateIdentityProviderID(idpType types.IdentityProviderType) string {
 		return "authentik-" + id
 	case types.IdentityProviderTypeKeycloak:
 		return "keycloak-" + id
+	case types.IdentityProviderTypeADFS:
+		return "adfs-" + id
 	default:
 		// Generic OIDC - no prefix
 		return id

management/server/management_proto_test.go

@@ -267,8 +267,8 @@ func Test_SyncProtocol(t *testing.T) {
 	}
 
 	// expired peers come separately.
-	if len(networkMap.GetOfflinePeers()) != 1 {
-		t.Fatal("expecting SyncResponse to have NetworkMap with 1 offline peer")
+	if len(networkMap.GetOfflinePeers()) != 2 {
+		t.Fatal("expecting SyncResponse to have NetworkMap with 2 offline peer")
 	}
 
 	expiredPeerPubKey := "RlSy2vzoG2HyMBTUImXOiVhCBiiBa5qD5xzMxkiFDW4="
@@ -391,7 +391,7 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
 		return nil, nil, "", cleanup, err
 	}
 
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil, nil)
 	if err != nil {
 		return nil, nil, "", cleanup, err
 	}

management/server/management_test.go

@@ -256,6 +256,7 @@ func startServer(
 		server.MockIntegratedValidator{},
 		networkMapController,
 		nil,
+		nil,
 	)
 	if err != nil {
 		t.Fatalf("failed creating management server: %v", err)

management/server/nameserver_test.go

@@ -1087,7 +1087,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1105,7 +1105,7 @@ func TestNameServerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

management/server/peer.go

@@ -33,8 +33,8 @@ import (
 
 const remoteJobsMinVer = "0.64.0"
 
-// GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
-// the current user is not an admin.
+// GetPeers returns peers visible to the user within an account.
+// Users with "peers:read" see all peers. Otherwise, users see only their own peers, or none if restricted by account settings.
 func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
 	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 	if err != nil {
@@ -46,14 +46,8 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return nil, status.NewPermissionValidationError(err)
 	}
 
-	accountPeers, err := am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
-	if err != nil {
-		return nil, err
-	}
-
-	// @note if the user has permission to read peers it shows all account peers
 	if allowed {
-		return accountPeers, nil
+		return am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
 	}
 
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
@@ -65,41 +59,7 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return []*nbpeer.Peer{}, nil
 	}
 
-	// @note if it does not have permission read peers then only display it's own peers
-	peers := make([]*nbpeer.Peer, 0)
-	peersMap := make(map[string]*nbpeer.Peer)
-
-	for _, peer := range accountPeers {
-		if user.Id != peer.UserID {
-			continue
-		}
-		peers = append(peers, peer)
-		peersMap[peer.ID] = peer
-	}
-
-	return am.getUserAccessiblePeers(ctx, accountID, peersMap, peers)
-}
-
-func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, accountID string, peersMap map[string]*nbpeer.Peer, peers []*nbpeer.Peer) ([]*nbpeer.Peer, error) {
-	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-	if err != nil {
-		return nil, err
-	}
-
-	// fetch all the peers that have access to the user's peers
-	for _, peer := range peers {
-		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, peer, approvedPeersMap, account.GetActiveGroupUsers())
-		for _, p := range aclPeers {
-			peersMap[p.ID] = p
-		}
-	}
-
-	return maps.Values(peersMap), nil
+	return am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
 }
 
 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
@@ -1230,7 +1190,8 @@ func peerLoginExpired(ctx context.Context, peer *nbpeer.Peer, settings *types.Se
 	return false
 }
 
-// GetPeer for a given accountID, peerID and userID error if not found.
+// GetPeer returns a peer visible to the user within an account.
+// Users with "peers:read" permission can access any peer. Otherwise, users can access only their own peer.
 func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	peer, err := am.Store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 	if err != nil {
@@ -1255,36 +1216,6 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 		return peer, nil
 	}
 
-	return am.checkIfUserOwnsPeer(ctx, accountID, userID, peer)
-}
-
-func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error) {
-	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-	if err != nil {
-		return nil, err
-	}
-
-	// it is also possible that user doesn't own the peer but some of his peers have access to it,
-	// this is a valid case, show the peer as well.
-	userPeers, err := am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, p := range userPeers {
-		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, p, approvedPeersMap, account.GetActiveGroupUsers())
-		for _, aclPeer := range aclPeers {
-			if aclPeer.ID == peer.ID {
-				return peer, nil
-			}
-		}
-	}
-
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peer.ID, accountID)
 }
 
@@ -1405,6 +1336,10 @@ func (am *DefaultAccountManager) getExpiredPeers(ctx context.Context, accountID
 
 	var peers []*nbpeer.Peer
 	for _, peer := range peersWithExpiry {
+		if peer.Status.LoginExpired {
+			continue
+		}
+
 		expired, _ := peer.LoginExpired(settings.PeerLoginExpiration)
 		if expired {
 			peers = append(peers, peer)

management/server/peer_test.go

@@ -179,11 +179,6 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 	testGetNetworkMapGeneral(t)
 }
 
-func TestAccountManager_GetNetworkMap_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testGetNetworkMapGeneral(t)
-}
-
 func testGetNetworkMapGeneral(t *testing.T) {
 	manager, _, err := createManager(t)
 	if err != nil {
@@ -564,25 +559,9 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	}
 	assert.NotNil(t, peer)
 
-	// the user can see peer2 because peer1 of the user has access to peer2 due to the All group and the default rule 0 all-to-all access
-	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
-	if err != nil {
-		t.Fatal(err)
-		return
-	}
-	assert.NotNil(t, peer)
-
-	// delete the all-to-all policy so that user's peer1 has no access to peer2
-	for _, policy := range account.Policies {
-		err = manager.DeletePolicy(context.Background(), accountID, policy.ID, adminUser)
-		if err != nil {
-			t.Fatal(err)
-			return
-		}
-	}
-
-	// at this point the user can't see the details of peer2
-	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser) //nolint
+	// the user can NOT see peer2 because it is not owned by them.
+	// Regular users only see peers they directly own.
+	_, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
 	assert.Error(t, err)
 
 	// admin users can always access all the peers
@@ -1016,11 +995,6 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {
 	}
 }
 
-func TestUpdateAccountPeers_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testUpdateAccountPeers(t)
-}
-
 func TestUpdateAccountPeers(t *testing.T) {
 	testUpdateAccountPeers(t)
 }
@@ -1600,7 +1574,6 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
 }
 
 func Test_LoginPeer(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
 	if runtime.GOOS == "windows" {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}
@@ -1907,7 +1880,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1929,7 +1902,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1994,7 +1967,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2012,7 +1985,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2058,7 +2031,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2076,7 +2049,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2113,7 +2086,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2131,7 +2104,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

management/server/policy.go

@@ -5,6 +5,7 @@ import (
 	_ "embed"
 
 	"github.com/rs/xid"
+	"github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
@@ -46,25 +47,40 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	var isUpdate = policy.ID != ""
 	var updateAccountPeers bool
 	var action = activity.PolicyAdded
+	var unchanged bool
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		if err = validatePolicy(ctx, transaction, accountID, policy); err != nil {
-			return err
-		}
-
-		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, accountID, policy, isUpdate)
+		existingPolicy, err := validatePolicy(ctx, transaction, accountID, policy)
 		if err != nil {
 			return err
 		}
 
-		saveFunc := transaction.CreatePolicy
 		if isUpdate {
-			action = activity.PolicyUpdated
-			saveFunc = transaction.SavePolicy
-		}
+			if policy.Equal(existingPolicy) {
+				logrus.WithContext(ctx).Tracef("policy update skipped because equal to stored one - policy id %s", policy.ID)
+				unchanged = true
+				return nil
+			}
 
-		if err = saveFunc(ctx, policy); err != nil {
-			return err
+			action = activity.PolicyUpdated
+
+			updateAccountPeers, err = arePolicyChangesAffectPeersWithExisting(ctx, transaction, policy, existingPolicy)
+			if err != nil {
+				return err
+			}
+
+			if err = transaction.SavePolicy(ctx, policy); err != nil {
+				return err
+			}
+		} else {
+			updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
+			if err != nil {
+				return err
+			}
+
+			if err = transaction.CreatePolicy(ctx, policy); err != nil {
+				return err
+			}
 		}
 
 		return transaction.IncrementNetworkSerial(ctx, accountID)
@@ -73,6 +89,10 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 		return nil, err
 	}
 
+	if unchanged {
+		return policy, nil
+	}
+
 	am.StoreEvent(ctx, userID, policy.ID, accountID, action, policy.EventMeta())
 
 	if updateAccountPeers {
@@ -101,7 +121,7 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 			return err
 		}
 
-		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, accountID, policy, false)
+		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
 		if err != nil {
 			return err
 		}
@@ -138,34 +158,37 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
 	return am.Store.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
 }
 
-// arePolicyChangesAffectPeers checks if changes to a policy will affect any associated peers.
-func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy, isUpdate bool) (bool, error) {
-	if isUpdate {
-		existingPolicy, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
-		if err != nil {
-			return false, err
-		}
-
-		if !policy.Enabled && !existingPolicy.Enabled {
-			return false, nil
-		}
-
-		for _, rule := range existingPolicy.Rules {
-			if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
-				return true, nil
-			}
-		}
-
-		hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, existingPolicy.RuleGroups())
-		if err != nil {
-			return false, err
-		}
-
-		if hasPeers {
+// arePolicyChangesAffectPeers checks if a policy (being created or deleted) will affect any associated peers.
+func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, policy *types.Policy) (bool, error) {
+	for _, rule := range policy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
 			return true, nil
 		}
 	}
 
+	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
+}
+
+func arePolicyChangesAffectPeersWithExisting(ctx context.Context, transaction store.Store, policy *types.Policy, existingPolicy *types.Policy) (bool, error) {
+	if !policy.Enabled && !existingPolicy.Enabled {
+		return false, nil
+	}
+
+	for _, rule := range existingPolicy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
+			return true, nil
+		}
+	}
+
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, existingPolicy.RuleGroups())
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
 	for _, rule := range policy.Rules {
 		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
 			return true, nil
@@ -175,12 +198,15 @@ func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, a
 	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
 }
 
-// validatePolicy validates the policy and its rules.
-func validatePolicy(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy) error {
+// validatePolicy validates the policy and its rules. For updates it returns
+// the existing policy loaded from the store so callers can avoid a second read.
+func validatePolicy(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy) (*types.Policy, error) {
+	var existingPolicy *types.Policy
 	if policy.ID != "" {
-		existingPolicy, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
+		var err error
+		existingPolicy, err = transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
 		if err != nil {
-			return err
+			return nil, err
 		}
 
 		// TODO: Refactor to support multiple rules per policy
@@ -191,7 +217,7 @@ func validatePolicy(ctx context.Context, transaction store.Store, accountID stri
 
 		for _, rule := range policy.Rules {
 			if rule.ID != "" && !existingRuleIDs[rule.ID] {
-				return status.Errorf(status.InvalidArgument, "invalid rule ID: %s", rule.ID)
+				return nil, status.Errorf(status.InvalidArgument, "invalid rule ID: %s", rule.ID)
 			}
 		}
 	} else {
@@ -201,12 +227,12 @@ func validatePolicy(ctx context.Context, transaction store.Store, accountID stri
 
 	groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthNone, accountID, policy.RuleGroups())
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	postureChecks, err := transaction.GetPostureChecksByIDs(ctx, store.LockingStrengthNone, accountID, policy.SourcePostureChecks)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	for i, rule := range policy.Rules {
@@ -225,7 +251,7 @@ func validatePolicy(ctx context.Context, transaction store.Store, accountID stri
 		policy.SourcePostureChecks = getValidPostureCheckIDs(postureChecks, policy.SourcePostureChecks)
 	}
 
-	return nil
+	return existingPolicy, nil
 }
 
 // getValidPostureCheckIDs filters and returns only the valid posture check IDs from the provided list.

management/server/policy_test.go

@@ -1231,7 +1231,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1263,7 +1263,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1294,7 +1294,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1314,7 +1314,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1355,7 +1355,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1373,7 +1373,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 
@@ -1393,7 +1393,7 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

management/server/posture_checks_test.go

@@ -244,7 +244,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -273,7 +273,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -292,7 +292,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -395,7 +395,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -438,7 +438,7 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

management/server/route_test.go

@@ -2,10 +2,8 @@ package server
 
 import (
 	"context"
-	"fmt"
 	"net"
 	"net/netip"
-	"sort"
 	"testing"
 	"time"
 
@@ -1840,11 +1838,6 @@ func TestAccount_getPeersRoutesFirewall(t *testing.T) {
 		},
 	}
 
-	validatedPeers := make(map[string]struct{})
-	for p := range account.Peers {
-		validatedPeers[p] = struct{}{}
-	}
-
 	t.Run("check applied policies for the route", func(t *testing.T) {
 		route1 := account.Routes["route1"]
 		policies := types.GetAllRoutePoliciesFromGroups(account, route1.AccessControlGroups)
@@ -1858,116 +1851,6 @@ func TestAccount_getPeersRoutesFirewall(t *testing.T) {
 		policies = types.GetAllRoutePoliciesFromGroups(account, route3.AccessControlGroups)
 		assert.Len(t, policies, 0)
 	})
-
-	t.Run("check peer routes firewall rules", func(t *testing.T) {
-		routesFirewallRules := account.GetPeerRoutesFirewallRules(context.Background(), "peerA", validatedPeers)
-		assert.Len(t, routesFirewallRules, 4)
-
-		expectedRoutesFirewallRules := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        80,
-				RouteID:     "route1:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        320,
-				RouteID:     "route1:peerA",
-			},
-		}
-		additionalFirewallRule := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerJIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.10.0/16",
-				Protocol:    "tcp",
-				Port:        80,
-				RouteID:     "route4:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerKIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.10.0/16",
-				Protocol:    "all",
-				RouteID:     "route4:peerA",
-			},
-		}
-
-		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(append(expectedRoutesFirewallRules, additionalFirewallRule...)))
-
-		// peerD is also the routing peer for route1, should contain same routes firewall rules as peerA
-		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerD", validatedPeers)
-		assert.Len(t, routesFirewallRules, 2)
-		for _, rule := range expectedRoutesFirewallRules {
-			rule.RouteID = "route1:peerD"
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(expectedRoutesFirewallRules))
-
-		// peerE is a single routing peer for route 2 and route 3
-		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerE", validatedPeers)
-		assert.Len(t, routesFirewallRules, 3)
-
-		expectedRoutesFirewallRules = []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
-				Action:       "accept",
-				Destination:  existingNetwork.String(),
-				Protocol:     "tcp",
-				PortRange:    types.RulePortRange{Start: 80, End: 350},
-				RouteID:      "route2",
-			},
-			{
-				SourceRanges: []string{"0.0.0.0/0"},
-				Action:       "accept",
-				Destination:  "192.0.2.0/32",
-				Protocol:     "all",
-				Domains:      domain.List{"example.com"},
-				IsDynamic:    true,
-				RouteID:      "route3",
-			},
-			{
-				SourceRanges: []string{"::/0"},
-				Action:       "accept",
-				Destination:  "192.0.2.0/32",
-				Protocol:     "all",
-				Domains:      domain.List{"example.com"},
-				IsDynamic:    true,
-				RouteID:      "route3",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(expectedRoutesFirewallRules))
-
-		// peerC is part of route1 distribution groups but should not receive the routes firewall rules
-		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
-		assert.Len(t, routesFirewallRules, 0)
-	})
-
-}
-
-// orderList is a helper function to sort a list of strings
-func orderRuleSourceRanges(ruleList []*types.RouteFirewallRule) []*types.RouteFirewallRule {
-	for _, rule := range ruleList {
-		sort.Strings(rule.SourceRanges)
-	}
-	return ruleList
 }
 
 func TestRouteAccountPeersUpdate(t *testing.T) {
@@ -2070,7 +1953,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 
@@ -2107,7 +1990,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2127,7 +2010,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2145,7 +2028,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2185,7 +2068,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2225,7 +2108,7 @@ func TestRouteAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -2665,11 +2548,6 @@ func TestAccount_GetPeerNetworkResourceFirewallRules(t *testing.T) {
 		},
 	}
 
-	validatedPeers := make(map[string]struct{})
-	for p := range account.Peers {
-		validatedPeers[p] = struct{}{}
-	}
-
 	t.Run("validate applied policies for different network resources", func(t *testing.T) {
 		// Test case: Resource1 is directly applied to the policy (policyResource1)
 		policies := account.GetPoliciesForNetworkResource("resource1")
@@ -2693,127 +2571,4 @@ func TestAccount_GetPeerNetworkResourceFirewallRules(t *testing.T) {
 		policies = account.GetPoliciesForNetworkResource("resource6")
 		assert.Len(t, policies, 1, "resource6 should have exactly 1 policy applied via access control groups")
 	})
-
-	t.Run("validate routing peer firewall rules for network resources", func(t *testing.T) {
-		resourcePoliciesMap := account.GetResourcePoliciesMap()
-		resourceRoutersMap := account.GetResourceRoutersMap()
-		_, routes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), "peerA", resourcePoliciesMap, resourceRoutersMap)
-		firewallRules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerA"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 4)
-		assert.Len(t, sourcePeers, 5)
-
-		expectedFirewallRules := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        80,
-				RouteID:     "resource2:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        320,
-				RouteID:     "resource2:peerA",
-			},
-		}
-
-		additionalFirewallRules := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerJIp),
-				},
-				Action:      "accept",
-				Destination: "192.0.2.0/32",
-				Protocol:    "tcp",
-				Port:        80,
-				Domains:     domain.List{"example.com"},
-				IsDynamic:   true,
-				RouteID:     "resource4:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerKIp),
-				},
-				Action:      "accept",
-				Destination: "192.0.2.0/32",
-				Protocol:    "all",
-				Domains:     domain.List{"example.com"},
-				IsDynamic:   true,
-				RouteID:     "resource4:peerA",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(append(expectedFirewallRules, additionalFirewallRules...)))
-
-		// peerD is also the routing peer for resource2
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerD", resourcePoliciesMap, resourceRoutersMap)
-		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerD"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 2)
-		for _, rule := range expectedFirewallRules {
-			rule.RouteID = "resource2:peerD"
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
-		assert.Len(t, sourcePeers, 3)
-
-		// peerE is a single routing peer for resource1 and resource3
-		// PeerE should only receive rules for resource1 since resource3 has no applied policy
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerE", resourcePoliciesMap, resourceRoutersMap)
-		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerE"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 1)
-		assert.Len(t, sourcePeers, 2)
-
-		expectedFirewallRules = []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
-				Action:       "accept",
-				Destination:  "10.10.10.0/24",
-				Protocol:     "tcp",
-				PortRange:    types.RulePortRange{Start: 80, End: 350},
-				RouteID:      "resource1:peerE",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
-
-		// peerC is part of distribution groups for resource2 but should not receive the firewall rules
-		firewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
-		assert.Len(t, firewallRules, 0)
-
-		// peerL is the single routing peer for resource5
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerL", resourcePoliciesMap, resourceRoutersMap)
-		assert.Len(t, routes, 1)
-		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerL"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 1)
-		assert.Len(t, sourcePeers, 1)
-
-		expectedFirewallRules = []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{"100.65.29.67/32"},
-				Action:       "accept",
-				Destination:  "10.12.12.1/32",
-				Protocol:     "tcp",
-				Port:         8080,
-				RouteID:      "resource5:peerL",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
-
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerM", resourcePoliciesMap, resourceRoutersMap)
-		assert.Len(t, routes, 1)
-		assert.Len(t, sourcePeers, 0)
-
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerN", resourcePoliciesMap, resourceRoutersMap)
-		assert.Len(t, routes, 1)
-		assert.Len(t, sourcePeers, 2)
-	})
 }

management/server/store/sql_store.go

@@ -1196,7 +1196,6 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		account.NameServerGroups[ns.ID] = &ns
 	}
 	account.NameServerGroupsG = nil
-	account.InitOnce()
 	return &account, nil
 }
 
@@ -1635,7 +1634,6 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 	if sExtraIntegratedValidatorGroups.Valid {
 		_ = json.Unmarshal([]byte(sExtraIntegratedValidatorGroups.String), &account.Settings.Extra.IntegratedValidatorGroups)
 	}
-	account.InitOnce()
 	return &account, nil
 }
 
@@ -3310,7 +3308,7 @@ func (s *SqlStore) GetAccountPeersWithExpiration(ctx context.Context, lockStreng
 
 	var peers []*nbpeer.Peer
 	result := tx.
-		Where("login_expiration_enabled = ? AND user_id IS NOT NULL AND user_id != ''", true).
+		Where("login_expiration_enabled = ? AND peer_status_login_expired != ? AND user_id IS NOT NULL AND user_id != ''", true, true).
 		Find(&peers, accountIDCondition, accountID)
 	if err := result.Error; err != nil {
 		log.WithContext(ctx).Errorf("failed to get peers with expiration from the store: %s", result.Error)

management/server/store/sql_store_test.go

@@ -2729,7 +2729,7 @@ func TestSqlStore_GetAccountPeers(t *testing.T) {
 		{
 			name:          "should retrieve peers for an existing account ID",
 			accountID:     "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-			expectedCount: 4,
+			expectedCount: 5,
 		},
 		{
 			name:          "should return no peers for a non-existing account ID",
@@ -2751,7 +2751,7 @@ func TestSqlStore_GetAccountPeers(t *testing.T) {
 			name:          "should filter peers by partial name",
 			accountID:     "bf1c8084-ba50-4ce7-9439-34653001fc3b",
 			nameFilter:    "host",
-			expectedCount: 3,
+			expectedCount: 4,
 		},
 		{
 			name:          "should filter peers by ip",
@@ -2777,14 +2777,16 @@ func TestSqlStore_GetAccountPeersWithExpiration(t *testing.T) {
 	require.NoError(t, err)
 
 	tests := []struct {
-		name          string
-		accountID     string
-		expectedCount int
+		name            string
+		accountID       string
+		expectedCount   int
+		expectedPeerIDs []string
 	}{
 		{
-			name:          "should retrieve peers with expiration for an existing account ID",
-			accountID:     "bf1c8084-ba50-4ce7-9439-34653001fc3b",
-			expectedCount: 1,
+			name:            "should retrieve only non-expired peers with expiration enabled",
+			accountID:       "bf1c8084-ba50-4ce7-9439-34653001fc3b",
+			expectedCount:   1,
+			expectedPeerIDs: []string{"notexpired01"},
 		},
 		{
 			name:          "should return no peers with expiration for a non-existing account ID",
@@ -2803,10 +2805,30 @@ func TestSqlStore_GetAccountPeersWithExpiration(t *testing.T) {
 			peers, err := store.GetAccountPeersWithExpiration(context.Background(), LockingStrengthNone, tt.accountID)
 			require.NoError(t, err)
 			require.Len(t, peers, tt.expectedCount)
+			for i, peer := range peers {
+				assert.Equal(t, tt.expectedPeerIDs[i], peer.ID)
+			}
 		})
 	}
 }
 
+func TestSqlStore_GetAccountPeersWithExpiration_ExcludesAlreadyExpired(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store_with_expired_peers.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+
+	peers, err := store.GetAccountPeersWithExpiration(context.Background(), LockingStrengthNone, accountID)
+	require.NoError(t, err)
+
+	// Verify the already-expired peer (cg05lnblo1hkg2j514p0) is not returned
+	for _, peer := range peers {
+		assert.NotEqual(t, "cg05lnblo1hkg2j514p0", peer.ID, "already expired peer should not be returned")
+		assert.False(t, peer.Status.LoginExpired, "returned peers should not have LoginExpired set")
+	}
+}
+
 func TestSqlStore_GetAccountPeersWithInactivity(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store_with_expired_peers.sql", t.TempDir())
 	t.Cleanup(cleanup)
@@ -2887,7 +2909,7 @@ func TestSqlStore_GetUserPeers(t *testing.T) {
 			name:          "should retrieve peers for another valid account ID and user ID",
 			accountID:     "bf1c8084-ba50-4ce7-9439-34653001fc3b",
 			userID:        "edafee4e-63fb-11ec-90d6-0242ac120003",
-			expectedCount: 2,
+			expectedCount: 3,
 		},
 		{
 			name:          "should return no peers for existing account ID with empty user ID",

management/server/telemetry/http_api_metrics.go

@@ -193,20 +193,12 @@ func (m *HTTPMiddleware) Handler(h http.Handler) http.Handler {
 			}
 		})
 
-		h.ServeHTTP(w, r.WithContext(ctx))
+		// Hold on to req so auth's in-place ctx update is visible after ServeHTTP.
+		req := r.WithContext(ctx)
+		h.ServeHTTP(w, req)
 		close(handlerDone)
 
-		userAuth, err := nbContext.GetUserAuthFromContext(r.Context())
-		if err == nil {
-			if userAuth.AccountId != "" {
-				//nolint
-				ctx = context.WithValue(ctx, nbContext.AccountIDKey, userAuth.AccountId)
-			}
-			if userAuth.UserId != "" {
-				//nolint
-				ctx = context.WithValue(ctx, nbContext.UserIDKey, userAuth.UserId)
-			}
-		}
+		ctx = req.Context()
 
 		if w.Status() > 399 {
 			log.WithContext(ctx).Errorf("HTTP response %v: %v %v status %v", reqID, r.Method, r.URL, w.Status())

management/server/testdata/store_with_expired_peers.sql

@@ -31,6 +31,7 @@ INSERT INTO peers VALUES('cfvprsrlo1hqoo49ohog','bf1c8084-ba50-4ce7-9439-3465300
 INSERT INTO peers VALUES('cg05lnblo1hkg2j514p0','bf1c8084-ba50-4ce7-9439-34653001fc3b','RlSy2vzoG2HyMBTUImXOiVhCBiiBa5qD5xzMxkiFDW4=','','"100.64.39.54"','expiredhost','linux','Linux','22.04','x86_64','Ubuntu','','development','','',NULL,'','','','{"Cloud":"","Platform":""}',NULL,'expiredhost','expiredhost','2023-03-02 09:19:57.276717255+01:00',0,1,0,'edafee4e-63fb-11ec-90d6-0242ac120003','ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMbK5ZXJsGOOWoBT4OmkPtgdPZe2Q7bDuS/zjn2CZxhK',0,1,0,'2023-03-02 09:14:21.791679181+01:00','2024-10-02 17:00:32.527947+02:00',0,'""','','',0);
 INSERT INTO peers VALUES('cg3161rlo1hs9cq94gdg','bf1c8084-ba50-4ce7-9439-34653001fc3b','mVABSKj28gv+JRsf7e0NEGKgSOGTfU/nPB2cpuG56HU=','','"100.64.117.96"','testhost','linux','Linux','22.04','x86_64','Ubuntu','','development','','',NULL,'','','','{"Cloud":"","Platform":""}',NULL,'testhost','testhost','2023-03-06 18:21:27.252010027+01:00',0,0,0,'edafee4e-63fb-11ec-90d6-0242ac120003','ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWvvUkFFcrj48CWTkNUb/do/n52i1L5dH4DhGu+4ZuM',0,0,0,'2023-03-07 09:02:47.442857106+01:00','2024-10-02 17:00:32.527947+02:00',0,'""','','',0);
 INSERT INTO peers VALUES('csrnkiq7qv9d8aitqd50','bf1c8084-ba50-4ce7-9439-34653001fc3b','nVABSKj28gv+JRsf7e0NEGKgSOGTfU/nPB2cpuG56HX=','','"100.64.117.97"','testhost','linux','Linux','22.04','x86_64','Ubuntu','','development','','',NULL,'','','','{"Cloud":"","Platform":""}',NULL,'testhost','testhost-1','2023-03-06 18:21:27.252010027+01:00',0,0,0,'f4f6d672-63fb-11ec-90d6-0242ac120003','ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWvvUkFFcrj48CWTkNUb/do/n52i1L5dH4DhGu+4ZuM',0,0,1,'2023-03-07 09:02:47.442857106+01:00','2024-10-02 17:00:32.527947+02:00',0,'""','','',0);
+INSERT INTO peers VALUES('notexpired01','bf1c8084-ba50-4ce7-9439-34653001fc3b','oVABSKj28gv+JRsf7e0NEGKgSOGTfU/nPB2cpuG56HY=','','"100.64.117.98"','activehost','linux','Linux','22.04','x86_64','Ubuntu','','development','','',NULL,'','','','{"Cloud":"","Platform":""}',NULL,'activehost','activehost','2023-03-06 18:21:27.252010027+01:00',0,0,0,'edafee4e-63fb-11ec-90d6-0242ac120003','ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWvvUkFFcrj48CWTkNUb/do/n52i1L5dH4DhGu+4ZuM',0,1,0,'2023-03-07 09:02:47.442857106+01:00','2024-10-02 17:00:32.527947+02:00',0,'""','','',0);
 INSERT INTO users VALUES('f4f6d672-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','user',0,0,'','[]',0,NULL,'2024-10-02 17:00:32.528196+02:00','api',0,'');
 INSERT INTO users VALUES('edafee4e-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','admin',0,0,'','[]',0,NULL,'2024-10-02 17:00:32.528196+02:00','api',0,'');
 INSERT INTO installations VALUES(1,'');

management/server/types/account.go

@@ -8,7 +8,6 @@ import (
 	"slices"
 	"strconv"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/hashicorp/go-multierror"
@@ -27,7 +26,6 @@ import (
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -110,16 +108,9 @@ type Account struct {
 	NetworkResources []*resourceTypes.NetworkResource `gorm:"foreignKey:AccountID;references:id"`
 	Onboarding       AccountOnboarding                `gorm:"foreignKey:AccountID;references:id;constraint:OnDelete:CASCADE"`
 
-	NetworkMapCache *NetworkMapBuilder `gorm:"-"`
-	nmapInitOnce    *sync.Once         `gorm:"-"`
-
 	ReverseProxyFreeDomainNonce string
 }
 
-func (a *Account) InitOnce() {
-	a.nmapInitOnce = &sync.Once{}
-}
-
 // this class is used by gorm only
 type PrimaryAccountInfo struct {
 	IsDomainPrimaryAccount bool
@@ -155,108 +146,6 @@ func (o AccountOnboarding) IsEqual(onboarding AccountOnboarding) bool {
 		o.SignupFormPending == onboarding.SignupFormPending
 }
 
-// GetRoutesToSync returns the enabled routes for the peer ID and the routes
-// from the ACL peers that have distribution groups associated with the peer ID.
-// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-func (a *Account) GetRoutesToSync(ctx context.Context, peerID string, aclPeers []*nbpeer.Peer, peerGroups LookupMap) []*route.Route {
-	routes, peerDisabledRoutes := a.getRoutingPeerRoutes(ctx, peerID)
-	peerRoutesMembership := make(LookupMap)
-	for _, r := range append(routes, peerDisabledRoutes...) {
-		peerRoutesMembership[string(r.GetHAUniqueID())] = struct{}{}
-	}
-
-	for _, peer := range aclPeers {
-		activeRoutes, _ := a.getRoutingPeerRoutes(ctx, peer.ID)
-		groupFilteredRoutes := a.filterRoutesByGroups(activeRoutes, peerGroups)
-		filteredRoutes := a.filterRoutesFromPeersOfSameHAGroup(groupFilteredRoutes, peerRoutesMembership)
-		routes = append(routes, filteredRoutes...)
-	}
-
-	return routes
-}
-
-// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
-func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships LookupMap) []*route.Route {
-	var filteredRoutes []*route.Route
-	for _, r := range routes {
-		_, found := peerMemberships[string(r.GetHAUniqueID())]
-		if !found {
-			filteredRoutes = append(filteredRoutes, r)
-		}
-	}
-	return filteredRoutes
-}
-
-// filterRoutesByGroups returns a list with routes that have distribution groups in the group's map
-func (a *Account) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
-	var filteredRoutes []*route.Route
-	for _, r := range routes {
-		for _, groupID := range r.Groups {
-			_, found := groupListMap[groupID]
-			if found {
-				filteredRoutes = append(filteredRoutes, r)
-				break
-			}
-		}
-	}
-	return filteredRoutes
-}
-
-// getRoutingPeerRoutes returns the enabled and disabled lists of routes that the given routing peer serves
-// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-// If the given is not a routing peer, then the lists are empty.
-func (a *Account) getRoutingPeerRoutes(ctx context.Context, peerID string) (enabledRoutes []*route.Route, disabledRoutes []*route.Route) {
-
-	peer := a.GetPeer(peerID)
-	if peer == nil {
-		log.WithContext(ctx).Errorf("peer %s that doesn't exist under account %s", peerID, a.Id)
-		return enabledRoutes, disabledRoutes
-	}
-
-	seenRoute := make(map[route.ID]struct{})
-
-	takeRoute := func(r *route.Route, id string) {
-		if _, ok := seenRoute[r.ID]; ok {
-			return
-		}
-		seenRoute[r.ID] = struct{}{}
-
-		if r.Enabled {
-			r.Peer = peer.Key
-			enabledRoutes = append(enabledRoutes, r)
-			return
-		}
-		disabledRoutes = append(disabledRoutes, r)
-	}
-
-	for _, r := range a.Routes {
-		for _, groupID := range r.PeerGroups {
-			group := a.GetGroup(groupID)
-			if group == nil {
-				log.WithContext(ctx).Errorf("route %s has peers group %s that doesn't exist under account %s", r.ID, groupID, a.Id)
-				continue
-			}
-			for _, id := range group.Peers {
-				if id != peerID {
-					continue
-				}
-
-				newPeerRoute := r.Copy()
-				newPeerRoute.Peer = id
-				newPeerRoute.PeerGroups = nil
-				newPeerRoute.ID = route.ID(string(r.ID) + ":" + id) // we have to provide unique route id when distribute network map
-				takeRoute(newPeerRoute, id)
-				break
-			}
-		}
-		if r.Peer == peerID {
-			takeRoute(r.Copy(), peerID)
-		}
-	}
-
-	return enabledRoutes, disabledRoutes
-}
-
 // GetRoutesByPrefixOrDomains return list of routes by account and route prefix
 func (a *Account) GetRoutesByPrefixOrDomains(prefix netip.Prefix, domains domain.List) []*route.Route {
 	var routes []*route.Route
@@ -276,106 +165,6 @@ func (a *Account) GetGroup(groupID string) *Group {
 	return a.Groups[groupID]
 }
 
-// GetPeerNetworkMap returns the networkmap for the given peer ID.
-func (a *Account) GetPeerNetworkMap(
-	ctx context.Context,
-	peerID string,
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	validatedPeersMap map[string]struct{},
-	resourcePolicies map[string][]*Policy,
-	routers map[string]map[string]*routerTypes.NetworkRouter,
-	metrics *telemetry.AccountManagerMetrics,
-	groupIDToUserIDs map[string][]string,
-) *NetworkMap {
-	start := time.Now()
-	peer := a.Peers[peerID]
-	if peer == nil {
-		return &NetworkMap{
-			Network: a.Network.Copy(),
-		}
-	}
-
-	if _, ok := validatedPeersMap[peerID]; !ok {
-		return &NetworkMap{
-			Network: a.Network.Copy(),
-		}
-	}
-
-	peerGroups := a.GetPeerGroups(peerID)
-
-	aclPeers, firewallRules, authorizedUsers, enableSSH := a.GetPeerConnectionResources(ctx, peer, validatedPeersMap, groupIDToUserIDs)
-	// exclude expired peers
-	var peersToConnect []*nbpeer.Peer
-	var expiredPeers []*nbpeer.Peer
-	for _, p := range aclPeers {
-		expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
-		if a.Settings.PeerLoginExpirationEnabled && expired {
-			expiredPeers = append(expiredPeers, p)
-			continue
-		}
-		peersToConnect = append(peersToConnect, p)
-	}
-
-	routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect, peerGroups)
-	routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
-	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
-	var networkResourcesFirewallRules []*RouteFirewallRule
-	if isRouter {
-		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
-	}
-	peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
-
-	dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
-	dnsUpdate := nbdns.Config{
-		ServiceEnable: dnsManagementStatus,
-	}
-
-	if dnsManagementStatus {
-		var zones []nbdns.CustomZone
-
-		if peersCustomZone.Domain != "" {
-			records := filterZoneRecordsForPeers(peer, peersCustomZone, peersToConnectIncludingRouters, expiredPeers)
-			zones = append(zones, nbdns.CustomZone{
-				Domain:  peersCustomZone.Domain,
-				Records: records,
-			})
-		}
-
-		filteredAccountZones := filterPeerAppliedZones(ctx, accountZones, peerGroups)
-		zones = append(zones, filteredAccountZones...)
-
-		dnsUpdate.CustomZones = zones
-		dnsUpdate.NameServerGroups = getPeerNSGroups(a, peerID)
-	}
-
-	nm := &NetworkMap{
-		Peers:               peersToConnectIncludingRouters,
-		Network:             a.Network.Copy(),
-		Routes:              slices.Concat(networkResourcesRoutes, routesUpdate),
-		DNSConfig:           dnsUpdate,
-		OfflinePeers:        expiredPeers,
-		FirewallRules:       firewallRules,
-		RoutesFirewallRules: slices.Concat(networkResourcesFirewallRules, routesFirewallRules),
-		AuthorizedUsers:     authorizedUsers,
-		EnableSSH:           enableSSH,
-	}
-
-	if metrics != nil {
-		objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routesUpdate) + len(networkResourcesRoutes) + len(firewallRules) + +len(networkResourcesFirewallRules) + len(routesFirewallRules))
-		metrics.CountNetworkMapObjects(objectCount)
-		metrics.CountGetPeerNetworkMapDuration(time.Since(start))
-
-		if objectCount > 5000 {
-			log.WithContext(ctx).Tracef("account: %s has a total resource count of %d objects, "+
-				"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, network resources routes: %d, network resources firewall rules: %d, routes firewall rules: %d",
-				a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routesUpdate), len(firewallRules), len(networkResourcesRoutes), len(networkResourcesFirewallRules), len(routesFirewallRules))
-		}
-	}
-
-	return nm
-}
-
 func (a *Account) addNetworksRoutingPeers(
 	networkResourcesRoutes []*route.Route,
 	peer *nbpeer.Peer,
@@ -421,39 +210,6 @@ func (a *Account) addNetworksRoutingPeers(
 	return peersToConnect
 }
 
-func getPeerNSGroups(account *Account, peerID string) []*nbdns.NameServerGroup {
-	groupList := account.GetPeerGroups(peerID)
-
-	var peerNSGroups []*nbdns.NameServerGroup
-
-	for _, nsGroup := range account.NameServerGroups {
-		if !nsGroup.Enabled {
-			continue
-		}
-		for _, gID := range nsGroup.Groups {
-			_, found := groupList[gID]
-			if found {
-				if !peerIsNameserver(account.GetPeer(peerID), nsGroup) {
-					peerNSGroups = append(peerNSGroups, nsGroup.Copy())
-					break
-				}
-			}
-		}
-	}
-
-	return peerNSGroups
-}
-
-// peerIsNameserver returns true if the peer is a nameserver for a nsGroup
-func peerIsNameserver(peer *nbpeer.Peer, nsGroup *nbdns.NameServerGroup) bool {
-	for _, ns := range nsGroup.NameServers {
-		if peer.IP.Equal(ns.IP.AsSlice()) {
-			return true
-		}
-	}
-	return false
-}
-
 func AddPeerLabelsToAccount(ctx context.Context, account *Account, peerLabels LookupMap) {
 	for _, peer := range account.Peers {
 		label, err := GetPeerHostLabel(peer.Name, peerLabels)
@@ -800,19 +556,6 @@ func (a *Account) GetPeerGroupsList(peerID string) []string {
 	return grps
 }
 
-func (a *Account) getPeerDNSManagementStatus(peerID string) bool {
-	peerGroups := a.GetPeerGroups(peerID)
-	enabled := true
-	for _, groupID := range a.DNSSettings.DisabledManagementGroups {
-		_, found := peerGroups[groupID]
-		if found {
-			enabled = false
-			break
-		}
-	}
-	return enabled
-}
-
 func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	groupList := make(LookupMap)
 	for groupID, group := range a.Groups {
@@ -941,8 +684,6 @@ func (a *Account) Copy() *Account {
 		NetworkResources:       networkResources,
 		Services:               services,
 		Onboarding:             a.Onboarding,
-		NetworkMapCache:        a.NetworkMapCache,
-		nmapInitOnce:           a.nmapInitOnce,
 		Domains:                domains,
 	}
 }
@@ -1304,31 +1045,6 @@ func (a *Account) GetPostureChecks(postureChecksID string) *posture.Checks {
 	return nil
 }
 
-// GetPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
-func (a *Account) GetPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
-	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
-
-	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
-	for _, route := range enabledRoutes {
-		// If no access control groups are specified, accept all traffic.
-		if len(route.AccessControlGroups) == 0 {
-			defaultPermit := getDefaultPermit(route)
-			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
-			continue
-		}
-
-		distributionPeers := a.getDistributionGroupsPeers(route)
-
-		for _, accessGroup := range route.AccessControlGroups {
-			policies := GetAllRoutePoliciesFromGroups(a, []string{accessGroup})
-			rules := a.getRouteFirewallRules(ctx, peerID, policies, route, validatedPeersMap, distributionPeers)
-			routesFirewallRules = append(routesFirewallRules, rules...)
-		}
-	}
-
-	return routesFirewallRules
-}
-
 func (a *Account) getRouteFirewallRules(ctx context.Context, peerID string, policies []*Policy, route *route.Route, validatedPeersMap map[string]struct{}, distributionPeers map[string]struct{}) []*RouteFirewallRule {
 	var fwRules []*RouteFirewallRule
 	for _, policy := range policies {
@@ -1387,50 +1103,6 @@ func (a *Account) getRulePeers(rule *PolicyRule, postureChecks []string, peerID
 	return distributionGroupPeers
 }
 
-func (a *Account) getDistributionGroupsPeers(route *route.Route) map[string]struct{} {
-	distPeers := make(map[string]struct{})
-	for _, id := range route.Groups {
-		group := a.Groups[id]
-		if group == nil {
-			continue
-		}
-
-		for _, pID := range group.Peers {
-			distPeers[pID] = struct{}{}
-		}
-	}
-	return distPeers
-}
-
-func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
-	var rules []*RouteFirewallRule
-
-	sources := []string{"0.0.0.0/0"}
-	if route.Network.Addr().Is6() {
-		sources = []string{"::/0"}
-	}
-	rule := RouteFirewallRule{
-		SourceRanges: sources,
-		Action:       string(PolicyTrafficActionAccept),
-		Destination:  route.Network.String(),
-		Protocol:     string(PolicyRuleProtocolALL),
-		Domains:      route.Domains,
-		IsDynamic:    route.IsDynamic(),
-		RouteID:      route.ID,
-	}
-
-	rules = append(rules, &rule)
-
-	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
-	if route.IsDynamic() {
-		ruleV6 := rule
-		ruleV6.SourceRanges = []string{"::/0"}
-		rules = append(rules, &ruleV6)
-	}
-
-	return rules
-}
-
 // GetAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
 // and returns a list of policies that have rules with destinations matching the specified groups.
 func GetAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
@@ -1508,65 +1180,6 @@ func (a *Account) GetResourcePoliciesMap() map[string][]*Policy {
 	return resourcePolicies
 }
 
-// GetNetworkResourcesRoutesToSync returns network routes for syncing with a specific peer and its ACL peers.
-func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
-	var isRoutingPeer bool
-	var routes []*route.Route
-	allSourcePeers := make(map[string]struct{}, len(a.Peers))
-
-	for _, resource := range a.NetworkResources {
-		if !resource.Enabled {
-			continue
-		}
-
-		var addSourcePeers bool
-
-		networkRoutingPeers, exists := routers[resource.NetworkID]
-		if exists {
-			if router, ok := networkRoutingPeers[peerID]; ok {
-				isRoutingPeer, addSourcePeers = true, true
-				routes = append(routes, a.getNetworkResourcesRoutes(resource, peerID, router, resourcePolicies)...)
-			}
-		}
-
-		addedResourceRoute := false
-		for _, policy := range resourcePolicies[resource.ID] {
-			var peers []string
-			if policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "" {
-				peers = []string{policy.Rules[0].SourceResource.ID}
-			} else {
-				peers = a.getUniquePeerIDsFromGroupsIDs(ctx, policy.SourceGroups())
-			}
-			if addSourcePeers {
-				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
-					allSourcePeers[pID] = struct{}{}
-				}
-			} else if slices.Contains(peers, peerID) && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
-				// add routes for the resource if the peer is in the distribution group
-				for peerId, router := range networkRoutingPeers {
-					routes = append(routes, a.getNetworkResourcesRoutes(resource, peerId, router, resourcePolicies)...)
-				}
-				addedResourceRoute = true
-			}
-			if addedResourceRoute {
-				break
-			}
-		}
-	}
-
-	return isRoutingPeer, routes, allSourcePeers
-}
-
-func (a *Account) getPostureValidPeers(inputPeers []string, postureChecksIDs []string) []string {
-	var dest []string
-	for _, peerID := range inputPeers {
-		if a.validatePostureChecksOnPeer(context.Background(), postureChecksIDs, peerID) {
-			dest = append(dest, peerID)
-		}
-	}
-	return dest
-}
-
 func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) []string {
 	peerIDs := make(map[string]struct{}, len(groups)) // we expect at least one peer per group as initial capacity
 	for _, groupID := range groups {
@@ -1658,22 +1271,6 @@ func (a *Account) GetPoliciesAppliedInNetwork(networkID string) []string {
 	return result
 }
 
-// getNetworkResourcesRoutes convert the network resources list to routes list.
-func (a *Account) getNetworkResourcesRoutes(resource *resourceTypes.NetworkResource, peerId string, router *routerTypes.NetworkRouter, resourcePolicies map[string][]*Policy) []*route.Route {
-	resourceAppliedPolicies := resourcePolicies[resource.ID]
-
-	var routes []*route.Route
-	// distribute the resource routes only if there is policy applied to it
-	if len(resourceAppliedPolicies) > 0 {
-		peer := a.GetPeer(peerId)
-		if peer != nil {
-			routes = append(routes, resource.ToRoute(peer, router))
-		}
-	}
-
-	return routes
-}
-
 func (a *Account) GetResourceRoutersMap() map[string]map[string]*routerTypes.NetworkRouter {
 	routers := make(map[string]map[string]*routerTypes.NetworkRouter)
 

management/server/types/account_test.go

@@ -4,8 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
-	"slices"
 	"testing"
 
 	"github.com/miekg/dns"
@@ -19,7 +17,6 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/route"
 )
 
@@ -451,402 +448,6 @@ func Test_AddNetworksRoutingPeersHandlesNoMissingPeers(t *testing.T) {
 	require.Len(t, result, 0)
 }
 
-const (
-	accID                                = "accountID"
-	network1ID                           = "network1ID"
-	group1ID                             = "group1"
-	accNetResourcePeer1ID                = "peer1"
-	accNetResourcePeer2ID                = "peer2"
-	accNetResourceRouter1ID              = "router1"
-	accNetResource1ID                    = "resource1ID"
-	accNetResourceRestrictPostureCheckID = "restrictPostureCheck"
-	accNetResourceRelaxedPostureCheckID  = "relaxedPostureCheck"
-	accNetResourceLockedPostureCheckID   = "lockedPostureCheck"
-	accNetResourceLinuxPostureCheckID    = "linuxPostureCheck"
-)
-
-var (
-	accNetResourcePeer1IP    = net.IP{192, 168, 1, 1}
-	accNetResourcePeer2IP    = net.IP{192, 168, 1, 2}
-	accNetResourceRouter1IP  = net.IP{192, 168, 1, 3}
-	accNetResourceValidPeers = map[string]struct{}{accNetResourcePeer1ID: {}, accNetResourcePeer2ID: {}}
-)
-
-func getBasicAccountsWithResource() *Account {
-	return &Account{
-		Id: accID,
-		Peers: map[string]*nbpeer.Peer{
-			accNetResourcePeer1ID: {
-				ID:        accNetResourcePeer1ID,
-				AccountID: accID,
-				Key:       "peer1Key",
-				IP:        accNetResourcePeer1IP,
-				Meta: nbpeer.PeerSystemMeta{
-					GoOS:          "linux",
-					WtVersion:     "0.35.1",
-					KernelVersion: "4.4.0",
-				},
-			},
-			accNetResourcePeer2ID: {
-				ID:        accNetResourcePeer2ID,
-				AccountID: accID,
-				Key:       "peer2Key",
-				IP:        accNetResourcePeer2IP,
-				Meta: nbpeer.PeerSystemMeta{
-					GoOS:          "windows",
-					WtVersion:     "0.34.1",
-					KernelVersion: "4.4.0",
-				},
-			},
-			accNetResourceRouter1ID: {
-				ID:        accNetResourceRouter1ID,
-				AccountID: accID,
-				Key:       "router1Key",
-				IP:        accNetResourceRouter1IP,
-				Meta: nbpeer.PeerSystemMeta{
-					GoOS:          "linux",
-					WtVersion:     "0.35.1",
-					KernelVersion: "4.4.0",
-				},
-			},
-		},
-		Groups: map[string]*Group{
-			group1ID: {
-				ID:    group1ID,
-				Peers: []string{accNetResourcePeer1ID, accNetResourcePeer2ID},
-			},
-		},
-		Networks: []*networkTypes.Network{
-			{
-				ID:        network1ID,
-				AccountID: accID,
-				Name:      "network1",
-			},
-		},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{
-				ID:         accNetResourceRouter1ID,
-				NetworkID:  network1ID,
-				AccountID:  accID,
-				Peer:       accNetResourceRouter1ID,
-				PeerGroups: []string{},
-				Masquerade: false,
-				Metric:     100,
-				Enabled:    true,
-			},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{
-				ID:        accNetResource1ID,
-				AccountID: accID,
-				NetworkID: network1ID,
-				Address:   "10.10.10.0/24",
-				Prefix:    netip.MustParsePrefix("10.10.10.0/24"),
-				Type:      resourceTypes.NetworkResourceType("subnet"),
-				Enabled:   true,
-			},
-		},
-		Policies: []*Policy{
-			{
-				ID:        "policy1ID",
-				AccountID: accID,
-				Enabled:   true,
-				Rules: []*PolicyRule{
-					{
-						ID:      "rule1ID",
-						Enabled: true,
-						Sources: []string{group1ID},
-						DestinationResource: Resource{
-							ID:   accNetResource1ID,
-							Type: "Host",
-						},
-						Protocol: PolicyRuleProtocolTCP,
-						Ports:    []string{"80"},
-						Action:   PolicyTrafficActionAccept,
-					},
-				},
-				SourcePostureChecks: nil,
-			},
-		},
-		PostureChecks: []*posture.Checks{
-			{
-				ID:   accNetResourceRestrictPostureCheckID,
-				Name: accNetResourceRestrictPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{
-						MinVersion: "0.35.0",
-					},
-				},
-			},
-			{
-				ID:   accNetResourceRelaxedPostureCheckID,
-				Name: accNetResourceRelaxedPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{
-						MinVersion: "0.0.1",
-					},
-				},
-			},
-			{
-				ID:   accNetResourceLockedPostureCheckID,
-				Name: accNetResourceLockedPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{
-						MinVersion: "7.7.7",
-					},
-				},
-			},
-			{
-				ID:   accNetResourceLinuxPostureCheckID,
-				Name: accNetResourceLinuxPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					OSVersionCheck: &posture.OSVersionCheck{
-						Linux: &posture.MinKernelVersionCheck{
-							MinKernelVersion: "0.0.0"},
-					},
-				},
-			},
-		},
-	}
-}
-
-func Test_NetworksNetMapGenWithNoPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// all peers should match the policy
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer2ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 1, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenWithPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// should allow peer1 to match the policy
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceRestrictPostureCheckID}
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 1, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 1, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenWithNoMatchedPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// should not match any peer
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceLockedPostureCheckID}
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 0, "expected rules count don't match")
-}
-
-func Test_NetworksNetMapGenWithTwoPoliciesAndPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// should allow peer1 to match the policy
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceRestrictPostureCheckID}
-
-	// should allow peer1 and peer2 to match the policy
-	newPolicy := &Policy{
-		ID:        "policy2ID",
-		AccountID: accID,
-		Enabled:   true,
-		Rules: []*PolicyRule{
-			{
-				ID:      "policy2ID",
-				Enabled: true,
-				Sources: []string{group1ID},
-				DestinationResource: Resource{
-					ID:   accNetResource1ID,
-					Type: "Host",
-				},
-				Protocol: PolicyRuleProtocolTCP,
-				Ports:    []string{"22"},
-				Action:   PolicyTrafficActionAccept,
-			},
-		},
-		SourcePostureChecks: []string{accNetResourceRelaxedPostureCheckID},
-	}
-
-	account.Policies = append(account.Policies, newPolicy)
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer2ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 2, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-
-	assert.Equal(t, uint16(22), rules[1].Port, "should have port 22")
-	assert.Equal(t, "tcp", rules[1].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[1].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[1].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if !slices.Contains(rules[1].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer2 %s", rules[1].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenWithTwoPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// two posture checks should match only the peers that match both checks
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceRelaxedPostureCheckID, accNetResourceLinuxPostureCheckID}
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 1, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 1, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenShouldExcludeOtherRouters(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	account.Peers["router2Id"] = &nbpeer.Peer{Key: "router2Key", ID: "router2Id", AccountID: accID, IP: net.IP{192, 168, 1, 4}}
-	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
-		ID:        "router2Id",
-		NetworkID: network1ID,
-		AccountID: accID,
-		Peer:      "router2Id",
-	})
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
-}
-
 func Test_ExpandPortsAndRanges_SSHRuleExpansion(t *testing.T) {
 	tests := []struct {
 		name          string

management/server/types/holder.go

@@ -1,47 +0,0 @@
-package types
-
-import (
-	"context"
-	"sync"
-)
-
-type Holder struct {
-	mu       sync.RWMutex
-	accounts map[string]*Account
-}
-
-func NewHolder() *Holder {
-	return &Holder{
-		accounts: make(map[string]*Account),
-	}
-}
-
-func (h *Holder) GetAccount(id string) *Account {
-	h.mu.RLock()
-	defer h.mu.RUnlock()
-	return h.accounts[id]
-}
-
-func (h *Holder) AddAccount(account *Account) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	a := h.accounts[account.Id]
-	if a != nil && a.Network.CurrentSerial() >= account.Network.CurrentSerial() {
-		return
-	}
-	h.accounts[account.Id] = account
-}
-
-func (h *Holder) LoadOrStoreFunc(ctx context.Context, id string, accGetter func(context.Context, string) (*Account, error)) (*Account, error) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	if acc, ok := h.accounts[id]; ok {
-		return acc, nil
-	}
-	account, err := accGetter(ctx, id)
-	if err != nil {
-		return nil, err
-	}
-	h.accounts[id] = account
-	return account, nil
-}

management/server/types/identity_provider.go

@@ -39,6 +39,8 @@ const (
 	IdentityProviderTypeAuthentik IdentityProviderType = "authentik"
 	// IdentityProviderTypeKeycloak is the Keycloak identity provider
 	IdentityProviderTypeKeycloak IdentityProviderType = "keycloak"
+	// IdentityProviderTypeADFS is the Microsoft AD FS identity provider
+	IdentityProviderTypeADFS IdentityProviderType = "adfs"
 )
 
 // IdentityProvider represents an identity provider configuration
@@ -112,7 +114,8 @@ func (t IdentityProviderType) IsValid() bool {
 	switch t {
 	case IdentityProviderTypeOIDC, IdentityProviderTypeZitadel, IdentityProviderTypeEntra,
 		IdentityProviderTypeGoogle, IdentityProviderTypeOkta, IdentityProviderTypePocketID,
-		IdentityProviderTypeMicrosoft, IdentityProviderTypeAuthentik, IdentityProviderTypeKeycloak:
+		IdentityProviderTypeMicrosoft, IdentityProviderTypeAuthentik, IdentityProviderTypeKeycloak,
+		IdentityProviderTypeADFS:
 		return true
 	}
 	return false

management/server/types/networkmap.go

@@ -1,67 +0,0 @@
-package types
-
-import (
-	"context"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/zones"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-)
-
-func (a *Account) initNetworkMapBuilder(validatedPeers map[string]struct{}) {
-	if a.NetworkMapCache != nil {
-		return
-	}
-	a.nmapInitOnce.Do(func() {
-		a.NetworkMapCache = NewNetworkMapBuilder(a, validatedPeers)
-	})
-}
-
-func (a *Account) InitNetworkMapBuilderIfNeeded(validatedPeers map[string]struct{}) {
-	a.initNetworkMapBuilder(validatedPeers)
-}
-
-func (a *Account) GetPeerNetworkMapExp(
-	ctx context.Context,
-	peerID string,
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	validatedPeers map[string]struct{},
-	metrics *telemetry.AccountManagerMetrics,
-) *NetworkMap {
-	a.initNetworkMapBuilder(validatedPeers)
-	return a.NetworkMapCache.GetPeerNetworkMap(ctx, peerID, peersCustomZone, accountZones, validatedPeers, metrics)
-}
-
-func (a *Account) OnPeerAddedUpdNetworkMapCache(peerId string) error {
-	if a.NetworkMapCache == nil {
-		return nil
-	}
-	return a.NetworkMapCache.OnPeerAddedIncremental(a, peerId)
-}
-
-func (a *Account) OnPeersAddedUpdNetworkMapCache(peerIds ...string) {
-	if a.NetworkMapCache == nil {
-		return
-	}
-	a.NetworkMapCache.EnqueuePeersForIncrementalAdd(a, peerIds...)
-}
-
-func (a *Account) OnPeerDeletedUpdNetworkMapCache(peerId string) error {
-	if a.NetworkMapCache == nil {
-		return nil
-	}
-	return a.NetworkMapCache.OnPeerDeleted(a, peerId)
-}
-
-func (a *Account) UpdatePeerInNetworkMapCache(peer *nbpeer.Peer) {
-	if a.NetworkMapCache == nil {
-		return
-	}
-	a.NetworkMapCache.UpdatePeer(peer)
-}
-
-func (a *Account) RecalculateNetworkMapCache(validatedPeers map[string]struct{}) {
-	a.initNetworkMapBuilder(validatedPeers)
-}

management/server/types/networkmap_comparison_test.go

@@ -1,592 +0,0 @@
-package types
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"sort"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/route"
-)
-
-func TestNetworkMapComponents_CompareWithLegacy(t *testing.T) {
-	account := createTestAccount()
-	ctx := context.Background()
-
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[pid] = struct{}{}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	components := account.GetPeerNetworkMapComponents(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		groupIDToUserIDs,
-	)
-
-	if components == nil {
-		t.Fatal("GetPeerNetworkMapComponents returned nil")
-	}
-
-	newNetworkMap := CalculateNetworkMapFromComponents(ctx, components)
-
-	if newNetworkMap == nil {
-		t.Fatal("CalculateNetworkMapFromComponents returned nil")
-	}
-
-	compareNetworkMaps(t, legacyNetworkMap, newNetworkMap)
-}
-
-func TestNetworkMapComponents_GoldenFileComparison(t *testing.T) {
-	account := createTestAccount()
-	ctx := context.Background()
-
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[pid] = struct{}{}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	components := account.GetPeerNetworkMapComponents(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		groupIDToUserIDs,
-	)
-
-	require.NotNil(t, components, "GetPeerNetworkMapComponents returned nil")
-
-	newNetworkMap := CalculateNetworkMapFromComponents(ctx, components)
-	require.NotNil(t, newNetworkMap, "CalculateNetworkMapFromComponents returned nil")
-
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	normalizeAndSortNetworkMap(newNetworkMap)
-
-	componentsJSON, err := json.MarshalIndent(components, "", "  ")
-	require.NoError(t, err, "error marshaling components to JSON")
-
-	legacyJSON, err := json.MarshalIndent(legacyNetworkMap, "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	newJSON, err := json.MarshalIndent(newNetworkMap, "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	goldenDir := filepath.Join("testdata", "comparison")
-	err = os.MkdirAll(goldenDir, 0755)
-	require.NoError(t, err)
-
-	legacyGoldenPath := filepath.Join(goldenDir, "legacy_networkmap.json")
-	err = os.WriteFile(legacyGoldenPath, legacyJSON, 0644)
-	require.NoError(t, err, "error writing legacy golden file")
-
-	newGoldenPath := filepath.Join(goldenDir, "components_networkmap.json")
-	err = os.WriteFile(newGoldenPath, newJSON, 0644)
-	require.NoError(t, err, "error writing components golden file")
-
-	componentsPath := filepath.Join(goldenDir, "components.json")
-	err = os.WriteFile(componentsPath, componentsJSON, 0644)
-	require.NoError(t, err, "error writing components golden file")
-
-	require.JSONEq(t, string(legacyJSON), string(newJSON),
-		"NetworkMaps from legacy and components approaches do not match.\n"+
-			"Legacy JSON saved to: %s\n"+
-			"Components JSON saved to: %s",
-		legacyGoldenPath, newGoldenPath)
-
-	t.Logf("✅ NetworkMaps are identical")
-	t.Logf("   Legacy NetworkMap: %s", legacyGoldenPath)
-	t.Logf("   Components NetworkMap: %s", newGoldenPath)
-}
-
-func normalizeAndSortNetworkMap(nm *NetworkMap) {
-	if nm == nil {
-		return
-	}
-
-	sort.Slice(nm.Peers, func(i, j int) bool {
-		return nm.Peers[i].ID < nm.Peers[j].ID
-	})
-
-	sort.Slice(nm.OfflinePeers, func(i, j int) bool {
-		return nm.OfflinePeers[i].ID < nm.OfflinePeers[j].ID
-	})
-
-	sort.Slice(nm.Routes, func(i, j int) bool {
-		return string(nm.Routes[i].ID) < string(nm.Routes[j].ID)
-	})
-
-	sort.Slice(nm.FirewallRules, func(i, j int) bool {
-		if nm.FirewallRules[i].PeerIP != nm.FirewallRules[j].PeerIP {
-			return nm.FirewallRules[i].PeerIP < nm.FirewallRules[j].PeerIP
-		}
-		if nm.FirewallRules[i].Direction != nm.FirewallRules[j].Direction {
-			return nm.FirewallRules[i].Direction < nm.FirewallRules[j].Direction
-		}
-		if nm.FirewallRules[i].Protocol != nm.FirewallRules[j].Protocol {
-			return nm.FirewallRules[i].Protocol < nm.FirewallRules[j].Protocol
-		}
-		if nm.FirewallRules[i].Port != nm.FirewallRules[j].Port {
-			return nm.FirewallRules[i].Port < nm.FirewallRules[j].Port
-		}
-		return nm.FirewallRules[i].PolicyID < nm.FirewallRules[j].PolicyID
-	})
-
-	for i := range nm.RoutesFirewallRules {
-		sort.Strings(nm.RoutesFirewallRules[i].SourceRanges)
-	}
-
-	sort.Slice(nm.RoutesFirewallRules, func(i, j int) bool {
-		if nm.RoutesFirewallRules[i].Destination != nm.RoutesFirewallRules[j].Destination {
-			return nm.RoutesFirewallRules[i].Destination < nm.RoutesFirewallRules[j].Destination
-		}
-
-		minLen := len(nm.RoutesFirewallRules[i].SourceRanges)
-		if len(nm.RoutesFirewallRules[j].SourceRanges) < minLen {
-			minLen = len(nm.RoutesFirewallRules[j].SourceRanges)
-		}
-		for k := 0; k < minLen; k++ {
-			if nm.RoutesFirewallRules[i].SourceRanges[k] != nm.RoutesFirewallRules[j].SourceRanges[k] {
-				return nm.RoutesFirewallRules[i].SourceRanges[k] < nm.RoutesFirewallRules[j].SourceRanges[k]
-			}
-		}
-		if len(nm.RoutesFirewallRules[i].SourceRanges) != len(nm.RoutesFirewallRules[j].SourceRanges) {
-			return len(nm.RoutesFirewallRules[i].SourceRanges) < len(nm.RoutesFirewallRules[j].SourceRanges)
-		}
-
-		if string(nm.RoutesFirewallRules[i].RouteID) != string(nm.RoutesFirewallRules[j].RouteID) {
-			return string(nm.RoutesFirewallRules[i].RouteID) < string(nm.RoutesFirewallRules[j].RouteID)
-		}
-
-		if nm.RoutesFirewallRules[i].PolicyID != nm.RoutesFirewallRules[j].PolicyID {
-			return nm.RoutesFirewallRules[i].PolicyID < nm.RoutesFirewallRules[j].PolicyID
-		}
-
-		if nm.RoutesFirewallRules[i].Port != nm.RoutesFirewallRules[j].Port {
-			return nm.RoutesFirewallRules[i].Port < nm.RoutesFirewallRules[j].Port
-		}
-
-		return nm.RoutesFirewallRules[i].Protocol < nm.RoutesFirewallRules[j].Protocol
-	})
-
-	if nm.DNSConfig.CustomZones != nil {
-		for i := range nm.DNSConfig.CustomZones {
-			sort.Slice(nm.DNSConfig.CustomZones[i].Records, func(a, b int) bool {
-				return nm.DNSConfig.CustomZones[i].Records[a].Name < nm.DNSConfig.CustomZones[i].Records[b].Name
-			})
-		}
-	}
-
-	if len(nm.DNSConfig.NameServerGroups) != 0 {
-		sort.Slice(nm.DNSConfig.NameServerGroups, func(a, b int) bool {
-			return nm.DNSConfig.NameServerGroups[a].Name < nm.DNSConfig.NameServerGroups[b].Name
-		})
-	}
-}
-
-func compareNetworkMaps(t *testing.T, legacy, current *NetworkMap) {
-	t.Helper()
-
-	if legacy.Network.Serial != current.Network.Serial {
-		t.Errorf("Network Serial mismatch: legacy=%d, current=%d", legacy.Network.Serial, current.Network.Serial)
-	}
-
-	if len(legacy.Peers) != len(current.Peers) {
-		t.Errorf("Peers count mismatch: legacy=%d, current=%d", len(legacy.Peers), len(current.Peers))
-	}
-
-	legacyPeerIDs := make(map[string]bool)
-	for _, p := range legacy.Peers {
-		legacyPeerIDs[p.ID] = true
-	}
-
-	for _, p := range current.Peers {
-		if !legacyPeerIDs[p.ID] {
-			t.Errorf("Current NetworkMap contains peer %s not in legacy", p.ID)
-		}
-	}
-
-	if len(legacy.OfflinePeers) != len(current.OfflinePeers) {
-		t.Errorf("OfflinePeers count mismatch: legacy=%d, current=%d", len(legacy.OfflinePeers), len(current.OfflinePeers))
-	}
-
-	if len(legacy.FirewallRules) != len(current.FirewallRules) {
-		t.Logf("FirewallRules count mismatch: legacy=%d, current=%d", len(legacy.FirewallRules), len(current.FirewallRules))
-	}
-
-	if len(legacy.Routes) != len(current.Routes) {
-		t.Logf("Routes count mismatch: legacy=%d, current=%d", len(legacy.Routes), len(current.Routes))
-	}
-
-	if len(legacy.RoutesFirewallRules) != len(current.RoutesFirewallRules) {
-		t.Logf("RoutesFirewallRules count mismatch: legacy=%d, current=%d", len(legacy.RoutesFirewallRules), len(current.RoutesFirewallRules))
-	}
-
-	if legacy.DNSConfig.ServiceEnable != current.DNSConfig.ServiceEnable {
-		t.Errorf("DNSConfig.ServiceEnable mismatch: legacy=%v, current=%v", legacy.DNSConfig.ServiceEnable, current.DNSConfig.ServiceEnable)
-	}
-}
-
-const (
-	numPeers          = 100
-	devGroupID        = "group-dev"
-	opsGroupID        = "group-ops"
-	allGroupID        = "group-all"
-	routeID           = route.ID("route-main")
-	routeHA1ID        = route.ID("route-ha-1")
-	routeHA2ID        = route.ID("route-ha-2")
-	policyIDDevOps    = "policy-dev-ops"
-	policyIDAll       = "policy-all"
-	policyIDPosture   = "policy-posture"
-	policyIDDrop      = "policy-drop"
-	postureCheckID    = "posture-check-ver"
-	networkResourceID = "res-database"
-	networkID         = "net-database"
-	networkRouterID   = "router-database"
-	nameserverGroupID = "ns-group-main"
-	testingPeerID     = "peer-60"
-	expiredPeerID     = "peer-98"
-	offlinePeerID     = "peer-99"
-	routingPeerID     = "peer-95"
-	testAccountID     = "account-comparison-test"
-)
-
-func createTestAccount() *Account {
-	peers := make(map[string]*nbpeer.Peer)
-	devGroupPeers, opsGroupPeers, allGroupPeers := []string{}, []string{}, []string{}
-
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		ip := net.IP{100, 64, 0, byte(i + 1)}
-		wtVersion := "0.25.0"
-		if i%2 == 0 {
-			wtVersion = "0.40.0"
-		}
-
-		p := &nbpeer.Peer{
-			ID: peerID, IP: ip, Key: fmt.Sprintf("key-%s", peerID), DNSLabel: fmt.Sprintf("peer%d", i+1),
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-			UserID: "user-admin", Meta: nbpeer.PeerSystemMeta{WtVersion: wtVersion, GoOS: "linux"},
-		}
-
-		if peerID == expiredPeerID {
-			p.LoginExpirationEnabled = true
-			pastTimestamp := time.Now().Add(-2 * time.Hour)
-			p.LastLogin = &pastTimestamp
-		}
-
-		peers[peerID] = p
-		allGroupPeers = append(allGroupPeers, peerID)
-		if i < numPeers/2 {
-			devGroupPeers = append(devGroupPeers, peerID)
-		} else {
-			opsGroupPeers = append(opsGroupPeers, peerID)
-		}
-	}
-
-	groups := map[string]*Group{
-		allGroupID: {ID: allGroupID, Name: "All", Peers: allGroupPeers},
-		devGroupID: {ID: devGroupID, Name: "Developers", Peers: devGroupPeers},
-		opsGroupID: {ID: opsGroupID, Name: "Operations", Peers: opsGroupPeers},
-	}
-
-	policies := []*Policy{
-		{
-			ID: policyIDAll, Name: "Default-Allow", Enabled: true,
-			Rules: []*PolicyRule{{
-				ID: policyIDAll, Name: "Allow All", Enabled: true, Action: PolicyTrafficActionAccept,
-				Protocol: PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{allGroupID}, Destinations: []string{allGroupID},
-			}},
-		},
-		{
-			ID: policyIDDevOps, Name: "Dev to Ops Web Access", Enabled: true,
-			Rules: []*PolicyRule{{
-				ID: policyIDDevOps, Name: "Dev -> Ops (HTTP Range)", Enabled: true, Action: PolicyTrafficActionAccept,
-				Protocol: PolicyRuleProtocolTCP, Bidirectional: false,
-				PortRanges: []RulePortRange{{Start: 8080, End: 8090}},
-				Sources:    []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDDrop, Name: "Drop DB traffic", Enabled: true,
-			Rules: []*PolicyRule{{
-				ID: policyIDDrop, Name: "Drop DB", Enabled: true, Action: PolicyTrafficActionDrop,
-				Protocol: PolicyRuleProtocolTCP, Ports: []string{"5432"}, Bidirectional: true,
-				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDPosture, Name: "Posture Check for DB Resource", Enabled: true,
-			SourcePostureChecks: []string{postureCheckID},
-			Rules: []*PolicyRule{{
-				ID: policyIDPosture, Name: "Allow DB Access", Enabled: true, Action: PolicyTrafficActionAccept,
-				Protocol: PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{opsGroupID}, DestinationResource: Resource{ID: networkResourceID},
-			}},
-		},
-	}
-
-	routes := map[route.ID]*route.Route{
-		routeID: {
-			ID: routeID, Network: netip.MustParsePrefix("192.168.10.0/24"),
-			Peer:        peers["peer-75"].Key,
-			PeerID:      "peer-75",
-			Description: "Route to internal resource", Enabled: true,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{devGroupID},
-		},
-		routeHA1ID: {
-			ID: routeHA1ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-80"].Key,
-			PeerID:      "peer-80",
-			Description: "HA Route 1", Enabled: true, Metric: 1000,
-			PeerGroups:          []string{allGroupID},
-			Groups:              []string{allGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-		routeHA2ID: {
-			ID: routeHA2ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-90"].Key,
-			PeerID:      "peer-90",
-			Description: "HA Route 2", Enabled: true, Metric: 900,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-	}
-
-	account := &Account{
-		Id: testAccountID, Peers: peers, Groups: groups, Policies: policies, Routes: routes,
-		Network: &Network{
-			Identifier: "net-comparison-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
-		},
-		DNSSettings: DNSSettings{DisabledManagementGroups: []string{opsGroupID}},
-		NameServerGroups: map[string]*nbdns.NameServerGroup{
-			nameserverGroupID: {
-				ID: nameserverGroupID, Name: "Main NS", Enabled: true, Groups: []string{devGroupID},
-				NameServers: []nbdns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53}},
-			},
-		},
-		PostureChecks: []*posture.Checks{
-			{ID: postureCheckID, Name: "Check version", Checks: posture.ChecksDefinition{
-				NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-			}},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{ID: networkResourceID, NetworkID: networkID, AccountID: testAccountID, Enabled: true, Address: "db.netbird.cloud"},
-		},
-		Networks: []*networkTypes.Network{{ID: networkID, Name: "DB Network", AccountID: testAccountID}},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{ID: networkRouterID, NetworkID: networkID, Peer: routingPeerID, Enabled: true, AccountID: testAccountID},
-		},
-		Settings: &Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: 1 * time.Hour},
-	}
-
-	for _, p := range account.Policies {
-		p.AccountID = account.Id
-	}
-	for _, r := range account.Routes {
-		r.AccountID = account.Id
-	}
-
-	return account
-}
-
-func BenchmarkLegacyNetworkMap(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = account.GetPeerNetworkMap(
-			ctx,
-			peerID,
-			peersCustomZone,
-			nil,
-			validatedPeersMap,
-			resourcePolicies,
-			routers,
-			nil,
-			groupIDToUserIDs,
-		)
-	}
-}
-
-func BenchmarkComponentsNetworkMap(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		components := account.GetPeerNetworkMapComponents(
-			ctx,
-			peerID,
-			peersCustomZone,
-			nil,
-			validatedPeersMap,
-			resourcePolicies,
-			routers,
-			groupIDToUserIDs,
-		)
-		_ = CalculateNetworkMapFromComponents(ctx, components)
-	}
-}
-
-func BenchmarkComponentsCreation(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = account.GetPeerNetworkMapComponents(
-			ctx,
-			peerID,
-			peersCustomZone,
-			nil,
-			validatedPeersMap,
-			resourcePolicies,
-			routers,
-			groupIDToUserIDs,
-		)
-	}
-}
-
-func BenchmarkCalculationFromComponents(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	components := account.GetPeerNetworkMapComponents(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		groupIDToUserIDs,
-	)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = CalculateNetworkMapFromComponents(ctx, components)
-	}
-}

management/server/types/networkmap_components.go

@@ -19,8 +19,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
-const EnvNewNetworkMapCompacted = "NB_NETWORK_MAP_COMPACTED"
-
 type NetworkMapComponents struct {
 	PeerID string
 

management/server/types/networkmap_components_test.go

@@ -0,0 +1,787 @@
+package types_test
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/route"
+)
+
+func networkMapFromComponents(t *testing.T, account *types.Account, peerID string, validatedPeers map[string]struct{}) *types.NetworkMap {
+	t.Helper()
+	return account.GetPeerNetworkMapFromComponents(
+		context.Background(),
+		peerID,
+		account.GetPeersCustomZone(context.Background(), "netbird.io"),
+		nil,
+		validatedPeers,
+		account.GetResourcePoliciesMap(),
+		account.GetResourceRoutersMap(),
+		nil,
+		account.GetActiveGroupUsers(),
+	)
+}
+
+func allPeersValidated(account *types.Account, excludePeerIDs ...string) map[string]struct{} {
+	excludeSet := make(map[string]struct{}, len(excludePeerIDs))
+	for _, id := range excludePeerIDs {
+		excludeSet[id] = struct{}{}
+	}
+	validated := make(map[string]struct{}, len(account.Peers))
+	for id := range account.Peers {
+		if _, excluded := excludeSet[id]; !excluded {
+			validated[id] = struct{}{}
+		}
+	}
+	return validated
+}
+
+func peerIDs(peers []*nbpeer.Peer) []string {
+	ids := make([]string, len(peers))
+	for i, p := range peers {
+		ids[i] = p.ID
+	}
+	return ids
+}
+
+func TestNetworkMapComponents_RegularPeerConnectivity(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.NotNil(t, nm)
+	assert.Contains(t, peerIDs(nm.Peers), "peer-dst-1", "should see peer from destination group via bidirectional policy")
+	assert.Contains(t, peerIDs(nm.Peers), "peer-router-1", "should see router peer via resource policy")
+	assert.NotContains(t, peerIDs(nm.Peers), "peer-src-1", "should not see itself")
+	assert.Empty(t, nm.OfflinePeers, "no expired peers expected")
+}
+
+func TestNetworkMapComponents_IntraGroupConnectivity(t *testing.T) {
+	account := createComponentTestAccount()
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-intra-src", Name: "Intra-source connectivity", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-intra-src", Name: "src <-> src", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Bidirectional: true,
+			Sources:       []string{"group-src"}, Destinations: []string{"group-src"},
+		}},
+	})
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.Contains(t, peerIDs(nm.Peers), "peer-src-2", "should see peer from same group with intra-group policy")
+}
+
+func TestNetworkMapComponents_FirewallRules(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	require.NotEmpty(t, nm.FirewallRules, "firewall rules should be generated")
+
+	var hasAcceptAll bool
+	for _, rule := range nm.FirewallRules {
+		if rule.Protocol == string(types.PolicyRuleProtocolALL) && rule.Action == string(types.PolicyTrafficActionAccept) {
+			hasAcceptAll = true
+		}
+	}
+	assert.True(t, hasAcceptAll, "should have an accept-all firewall rule from the base policy")
+}
+
+func TestNetworkMapComponents_LoginExpiration(t *testing.T) {
+	account := createComponentTestAccount()
+	account.Settings.PeerLoginExpirationEnabled = true
+	account.Settings.PeerLoginExpiration = 1 * time.Hour
+
+	expiredTime := time.Now().Add(-2 * time.Hour)
+	account.Peers["peer-dst-1"].LoginExpirationEnabled = true
+	account.Peers["peer-dst-1"].LastLogin = &expiredTime
+
+	validated := allPeersValidated(account)
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.Contains(t, peerIDs(nm.OfflinePeers), "peer-dst-1", "expired peer should be in OfflinePeers")
+	assert.NotContains(t, peerIDs(nm.Peers), "peer-dst-1", "expired peer should NOT be in active Peers")
+}
+
+func TestNetworkMapComponents_InvalidatedPeerExcluded(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account, "peer-dst-1")
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.NotContains(t, peerIDs(nm.Peers), "peer-dst-1", "non-validated peer should be excluded")
+	assert.NotContains(t, peerIDs(nm.OfflinePeers), "peer-dst-1", "non-validated peer should not be in offline peers either")
+}
+
+func TestNetworkMapComponents_NonValidatedTargetPeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account, "peer-src-1")
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.Empty(t, nm.Peers, "non-validated target peer should get empty network map")
+	assert.Empty(t, nm.FirewallRules)
+}
+
+func TestNetworkMapComponents_NetworkResourceRoutes_SourcePeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasResourceRoute bool
+	for _, r := range nm.Routes {
+		if r.Network.String() == "10.200.0.1/32" {
+			hasResourceRoute = true
+			break
+		}
+	}
+	assert.True(t, hasResourceRoute, "source peer should receive route to network resource via router")
+	assert.Contains(t, peerIDs(nm.Peers), "peer-router-1", "source peer should see the routing peer")
+}
+
+func TestNetworkMapComponents_NetworkResourceRoutes_RouterPeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	var hasResourceRoute bool
+	for _, r := range nm.Routes {
+		if r.Network.String() == "10.200.0.1/32" {
+			hasResourceRoute = true
+			break
+		}
+	}
+	assert.True(t, hasResourceRoute, "router peer should receive network resource route")
+	assert.NotEmpty(t, nm.RoutesFirewallRules, "router peer should have route firewall rules for the resource")
+}
+
+func TestNetworkMapComponents_NetworkResourceRoutes_UnrelatedPeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
+
+	for _, r := range nm.Routes {
+		assert.NotEqual(t, "10.200.0.1/32", r.Network.String(), "unrelated peer should not receive network resource route")
+	}
+}
+
+func TestNetworkMapComponents_NetworkResource_WithPostureCheck(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.PostureChecks = []*posture.Checks{
+		{ID: "pc-version", Name: "Version check", Checks: posture.ChecksDefinition{
+			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.30.0"},
+		}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-posture-resource", Name: "Posture resource access", Enabled: true, AccountID: account.Id,
+		SourcePostureChecks: []string{"pc-version"},
+		Rules: []*types.PolicyRule{{
+			ID: "rule-posture-resource", Name: "Posture -> Resource", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-guarded"},
+		}},
+	})
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-guarded", NetworkID: "net-guarded", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.1.1/32"), Address: "10.200.1.1/32",
+	})
+	account.Networks = append(account.Networks, &networkTypes.Network{
+		ID: "net-guarded", Name: "Guarded Net", AccountID: account.Id,
+	})
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID: "router-guarded", NetworkID: "net-guarded", Peer: "peer-router-1", Enabled: true, AccountID: account.Id,
+	})
+
+	t.Run("peer passes posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		var hasGuardedRoute bool
+		for _, r := range nm.Routes {
+			if r.Network.String() == "10.200.1.1/32" {
+				hasGuardedRoute = true
+			}
+		}
+		assert.True(t, hasGuardedRoute, "peer passing posture check should get guarded resource route")
+	})
+
+	t.Run("peer fails posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.20.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		for _, r := range nm.Routes {
+			assert.NotEqual(t, "10.200.1.1/32", r.Network.String(), "peer failing posture check should NOT get guarded resource route")
+		}
+	})
+}
+
+func TestNetworkMapComponents_NetworkResource_MultiplePostureChecks(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.PostureChecks = []*posture.Checks{
+		{ID: "pc-version", Name: "Version", Checks: posture.ChecksDefinition{
+			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.30.0"},
+		}},
+		{ID: "pc-os", Name: "OS check", Checks: posture.ChecksDefinition{
+			OSVersionCheck: &posture.OSVersionCheck{Linux: &posture.MinKernelVersionCheck{MinKernelVersion: "5.0"}},
+		}},
+	}
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-multi-posture", Name: "Multi posture", Enabled: true, AccountID: account.Id,
+		SourcePostureChecks: []string{"pc-version", "pc-os"},
+		Rules: []*types.PolicyRule{{
+			ID: "rule-multi-posture", Name: "Multi posture rule", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-strict"},
+		}},
+	})
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-strict", NetworkID: "net-strict", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.2.1/32"), Address: "10.200.2.1/32",
+	})
+	account.Networks = append(account.Networks, &networkTypes.Network{
+		ID: "net-strict", Name: "Strict Net", AccountID: account.Id,
+	})
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID: "router-strict", NetworkID: "net-strict", Peer: "peer-router-1", Enabled: true, AccountID: account.Id,
+	})
+
+	t.Run("passes both posture checks", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
+		account.Peers["peer-src-1"].Meta.GoOS = "linux"
+		account.Peers["peer-src-1"].Meta.KernelVersion = "6.1.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		var found bool
+		for _, r := range nm.Routes {
+			if r.Network.String() == "10.200.2.1/32" {
+				found = true
+			}
+		}
+		assert.True(t, found, "peer passing both checks should get resource route")
+	})
+
+	t.Run("fails version posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.20.0"
+		account.Peers["peer-src-1"].Meta.KernelVersion = "6.1.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		for _, r := range nm.Routes {
+			assert.NotEqual(t, "10.200.2.1/32", r.Network.String(), "peer failing version check should NOT get resource route")
+		}
+	})
+
+	t.Run("fails OS posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
+		account.Peers["peer-src-1"].Meta.KernelVersion = "4.0.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		for _, r := range nm.Routes {
+			assert.NotEqual(t, "10.200.2.1/32", r.Network.String(), "peer failing OS check should NOT get resource route")
+		}
+	})
+}
+
+func TestNetworkMapComponents_RouterPeerFirewallRules(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	var resourceFWRules []*types.RouteFirewallRule
+	for _, rule := range nm.RoutesFirewallRules {
+		if rule.Destination == "10.200.0.1/32" {
+			resourceFWRules = append(resourceFWRules, rule)
+		}
+	}
+	assert.NotEmpty(t, resourceFWRules, "router should have firewall rules for the network resource")
+
+	var hasSourcePeerIP bool
+	for _, rule := range resourceFWRules {
+		for _, sr := range rule.SourceRanges {
+			if sr == account.Peers["peer-src-1"].IP.String()+"/32" || sr == account.Peers["peer-src-2"].IP.String()+"/32" {
+				hasSourcePeerIP = true
+			}
+		}
+	}
+	assert.True(t, hasSourcePeerIP, "resource firewall rules should include source peer IPs")
+}
+
+func TestNetworkMapComponents_DNSManagement(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	t.Run("peer in DNS-enabled group", func(t *testing.T) {
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+		assert.True(t, nm.DNSConfig.ServiceEnable, "peer in non-disabled group should have DNS enabled")
+	})
+
+	t.Run("peer in DNS-disabled group", func(t *testing.T) {
+		nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
+		assert.False(t, nm.DNSConfig.ServiceEnable, "peer in DNS-disabled group should have DNS disabled")
+	})
+}
+
+func TestNetworkMapComponents_NameServerGroups(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.True(t, nm.DNSConfig.ServiceEnable)
+
+	var hasNSGroup bool
+	for _, ns := range nm.DNSConfig.NameServerGroups {
+		if ns.ID == "ns-main" {
+			hasNSGroup = true
+		}
+	}
+	assert.True(t, hasNSGroup, "peer in NS group should receive nameserver configuration")
+}
+
+func TestNetworkMapComponents_RoutesWithHADeduplication(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Routes["route-ha-1"] = &route.Route{
+		ID: "route-ha-1", Network: netip.MustParsePrefix("172.16.0.0/16"),
+		Peer: account.Peers["peer-dst-1"].Key, PeerID: "peer-dst-1",
+		Enabled: true, Metric: 100, AccountID: account.Id,
+		Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-dst"},
+	}
+	account.Routes["route-ha-2"] = &route.Route{
+		ID: "route-ha-2", Network: netip.MustParsePrefix("172.16.0.0/16"),
+		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
+		Enabled: true, Metric: 200, AccountID: account.Id,
+		Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-src"},
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	haCount := 0
+	for _, r := range nm.Routes {
+		if r.Network.String() == "172.16.0.0/16" {
+			haCount++
+		}
+	}
+	assert.Equal(t, 1, haCount, "peer should only receive one route from HA group (not both, since it's a member of one)")
+}
+
+func TestNetworkMapComponents_RoutesFirewallRulesForAccessControl(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Routes["route-acl"] = &route.Route{
+		ID: "route-acl", Network: netip.MustParsePrefix("192.168.100.0/24"),
+		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
+		Enabled: true, Metric: 100, AccountID: account.Id,
+		Groups:              []string{"group-dst"},
+		PeerGroups:          []string{"group-src"},
+		AccessControlGroups: []string{"group-dst"},
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasFWRule bool
+	for _, rule := range nm.RoutesFirewallRules {
+		if rule.Destination == "192.168.100.0/24" {
+			hasFWRule = true
+		}
+	}
+	assert.True(t, hasFWRule, "routing peer should have firewall rules for route with access control groups")
+}
+
+func TestNetworkMapComponents_RoutesDefaultPermit(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Routes["route-open"] = &route.Route{
+		ID: "route-open", Network: netip.MustParsePrefix("10.99.0.0/16"),
+		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
+		Enabled: true, Metric: 100, AccountID: account.Id,
+		Groups:     []string{"group-src"},
+		PeerGroups: []string{"group-src"},
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasFWRule bool
+	for _, rule := range nm.RoutesFirewallRules {
+		if rule.Destination == "10.99.0.0/16" {
+			hasFWRule = true
+		}
+	}
+	assert.True(t, hasFWRule, "route without access control groups should have default permit firewall rules")
+}
+
+func TestNetworkMapComponents_SSHAuthorizedUsers(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Peers["peer-dst-1"].SSHEnabled = true
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-ssh", Name: "SSH Access", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-ssh", Name: "SSH to dst", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Bidirectional: true,
+			Sources:       []string{"group-src"}, Destinations: []string{"group-dst"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
+	assert.True(t, nm.EnableSSH, "SSH-enabled peer with matching policy should have EnableSSH")
+}
+
+func TestNetworkMapComponents_DisabledPolicyIgnored(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	for _, p := range account.Policies {
+		p.Enabled = false
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.Empty(t, nm.Peers, "with all policies disabled, peer should see no other peers")
+	assert.Empty(t, nm.FirewallRules)
+}
+
+func TestNetworkMapComponents_DisabledRouteIgnored(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	for _, r := range account.Routes {
+		r.Enabled = false
+	}
+	for _, r := range account.NetworkResources {
+		r.Enabled = false
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.Empty(t, nm.Routes, "disabled routes should not appear in network map")
+}
+
+func TestNetworkMapComponents_DisabledNetworkResourceIgnored(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	for _, r := range account.NetworkResources {
+		r.Enabled = false
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	for _, r := range nm.Routes {
+		assert.NotEqual(t, "10.200.0.1/32", r.Network.String(), "disabled resource should not generate routes")
+	}
+}
+
+func TestNetworkMapComponents_BidirectionalPolicy(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nmSrc := networkMapFromComponents(t, account, "peer-src-1", validated)
+	nmDst := networkMapFromComponents(t, account, "peer-dst-1", validated)
+
+	assert.Contains(t, peerIDs(nmSrc.Peers), "peer-dst-1", "src should see dst via bidirectional policy")
+	assert.Contains(t, peerIDs(nmDst.Peers), "peer-src-1", "dst should see src via bidirectional policy")
+}
+
+func TestNetworkMapComponents_DropPolicy(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-drop", Name: "Drop traffic", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-drop", Name: "Drop src->dst", Enabled: true,
+			Action: types.PolicyTrafficActionDrop, Protocol: types.PolicyRuleProtocolTCP,
+			Ports:   []string{"5432"},
+			Sources: []string{"group-src"}, Destinations: []string{"group-dst"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasDropRule bool
+	for _, rule := range nm.FirewallRules {
+		if rule.Action == string(types.PolicyTrafficActionDrop) && rule.Port == "5432" {
+			hasDropRule = true
+		}
+	}
+	assert.True(t, hasDropRule, "drop policy should generate drop firewall rule")
+}
+
+func TestNetworkMapComponents_PortRangePolicy(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Peers["peer-src-1"].Meta.WtVersion = "0.50.0"
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-range", Name: "Port range", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-range", Name: "Range rule", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolTCP,
+			PortRanges: []types.RulePortRange{{Start: 8080, End: 8090}},
+			Sources:    []string{"group-src"}, Destinations: []string{"group-dst"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasRangeRule bool
+	for _, rule := range nm.FirewallRules {
+		if rule.PortRange.Start == 8080 && rule.PortRange.End == 8090 {
+			hasRangeRule = true
+		}
+	}
+	assert.True(t, hasRangeRule, "port range policy should generate corresponding firewall rule")
+}
+
+func TestNetworkMapComponents_MultipleNetworkResources(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-2", NetworkID: "net-1", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.0.2/32"), Address: "10.200.0.2/32",
+	})
+	account.Groups["group-res2"] = &types.Group{ID: "group-res2", Name: "Resource 2 Group", Peers: []string{"peer-src-1", "peer-src-2"},
+		Resources: []types.Resource{{ID: "resource-2"}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-res2", Name: "Resource 2 Policy", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-res2", Name: "Access Resource 2", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-2"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	resourceRouteCount := 0
+	for _, r := range nm.Routes {
+		if r.Network.String() == "10.200.0.1/32" || r.Network.String() == "10.200.0.2/32" {
+			resourceRouteCount++
+		}
+	}
+	assert.Equal(t, 2, resourceRouteCount, "router should have routes for both network resources")
+}
+
+func TestNetworkMapComponents_DomainNetworkResource(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-domain", NetworkID: "net-1", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Domain, Domain: "api.example.com", Address: "api.example.com",
+	})
+	account.Groups["group-res-domain"] = &types.Group{
+		ID: "group-res-domain", Name: "Domain Resource Group",
+		Resources: []types.Resource{{ID: "resource-domain"}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-domain", Name: "Domain resource policy", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-domain", Name: "Access domain resource", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-domain"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasDomainRoute bool
+	for _, r := range nm.Routes {
+		if r.NetworkType == route.DomainNetwork && len(r.Domains) > 0 && r.Domains[0].SafeString() == "api.example.com" {
+			hasDomainRoute = true
+		}
+	}
+	assert.True(t, hasDomainRoute, "source peer should receive domain route for domain network resource")
+}
+
+func TestNetworkMapComponents_NetworkEmpty(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "nonexistent-peer", validated)
+
+	assert.NotNil(t, nm)
+	assert.Empty(t, nm.Peers)
+	assert.Empty(t, nm.FirewallRules)
+	assert.NotNil(t, nm.Network)
+}
+
+func TestNetworkMapComponents_RouterExcludesOtherNetworkRoutes(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-other", NetworkID: "net-other", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.99.1/32"), Address: "10.200.99.1/32",
+	})
+	account.Networks = append(account.Networks, &networkTypes.Network{
+		ID: "net-other", Name: "Other Net", AccountID: account.Id,
+	})
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID: "router-other", NetworkID: "net-other", Peer: "peer-dst-1", Enabled: true, AccountID: account.Id,
+	})
+	account.Groups["group-res-other"] = &types.Group{ID: "group-res-other", Name: "Other resource group",
+		Resources: []types.Resource{{ID: "resource-other"}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-other-resource", Name: "Other resource policy", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-other", Name: "Other resource access", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-other"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	for _, r := range nm.Routes {
+		assert.NotEqual(t, "10.200.99.1/32", r.Network.String(), "router-1 should NOT get routes for other network's resources")
+	}
+}
+
+func createComponentTestAccount() *types.Account {
+	peers := map[string]*nbpeer.Peer{
+		"peer-src-1": {
+			ID: "peer-src-1", IP: net.IP{100, 64, 0, 1}, Key: "key-src-1", DNSLabel: "src1",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+		"peer-src-2": {
+			ID: "peer-src-2", IP: net.IP{100, 64, 0, 2}, Key: "key-src-2", DNSLabel: "src2",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+		"peer-dst-1": {
+			ID: "peer-dst-1", IP: net.IP{100, 64, 0, 3}, Key: "key-dst-1", DNSLabel: "dst1",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-2",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+		"peer-router-1": {
+			ID: "peer-router-1", IP: net.IP{100, 64, 0, 10}, Key: "key-router-1", DNSLabel: "router1",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+	}
+
+	groups := map[string]*types.Group{
+		"group-src": {ID: "group-src", Name: "Sources", Peers: []string{"peer-src-1", "peer-src-2"}},
+		"group-dst": {ID: "group-dst", Name: "Destinations", Peers: []string{"peer-dst-1"}},
+		"group-all": {ID: "group-all", Name: "All", Peers: []string{"peer-src-1", "peer-src-2", "peer-dst-1", "peer-router-1"}},
+		"group-res": {
+			ID: "group-res", Name: "Resource Group",
+			Resources: []types.Resource{{ID: "resource-1"}},
+		},
+	}
+
+	policies := []*types.Policy{
+		{
+			ID: "policy-base", Name: "Base connectivity", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: "rule-base", Name: "Allow src <-> dst", Enabled: true,
+				Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+				Bidirectional: true,
+				Sources:       []string{"group-src"}, Destinations: []string{"group-dst"},
+			}},
+		},
+		{
+			ID: "policy-resource", Name: "Network resource access", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: "rule-resource", Name: "Source -> Resource", Enabled: true,
+				Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+				Sources:             []string{"group-src"},
+				DestinationResource: types.Resource{ID: "resource-1"},
+			}},
+		},
+	}
+
+	routes := map[route.ID]*route.Route{
+		"route-main": {
+			ID: "route-main", Network: netip.MustParsePrefix("192.168.10.0/24"),
+			Peer: peers["peer-dst-1"].Key, PeerID: "peer-dst-1",
+			Enabled: true, Metric: 100,
+			Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-dst"},
+		},
+	}
+
+	users := map[string]*types.User{
+		"user-1": {Id: "user-1", Role: types.UserRoleAdmin, IsServiceUser: false, AutoGroups: []string{"group-all"}},
+		"user-2": {Id: "user-2", Role: types.UserRoleUser, IsServiceUser: false, AutoGroups: []string{"group-all"}},
+	}
+
+	account := &types.Account{
+		Id: "account-components-test", Peers: peers, Groups: groups, Policies: policies, Routes: routes,
+		Users: users,
+		Network: &types.Network{
+			Identifier: "net-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
+		},
+		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{"group-dst"}},
+		NameServerGroups: map[string]*nbdns.NameServerGroup{
+			"ns-main": {
+				ID: "ns-main", Name: "Main NS", Enabled: true, Groups: []string{"group-src"},
+				NameServers: []nbdns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53}},
+			},
+		},
+		PostureChecks: []*posture.Checks{},
+		NetworkResources: []*resourceTypes.NetworkResource{
+			{
+				ID: "resource-1", NetworkID: "net-1", AccountID: "account-components-test", Enabled: true,
+				Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.0.1/32"), Address: "10.200.0.1/32",
+			},
+		},
+		Networks: []*networkTypes.Network{
+			{ID: "net-1", Name: "Resource Net", AccountID: "account-components-test"},
+		},
+		NetworkRouters: []*routerTypes.NetworkRouter{
+			{ID: "router-1", NetworkID: "net-1", Peer: "peer-router-1", Enabled: true, AccountID: "account-components-test"},
+		},
+		Settings: &types.Settings{PeerLoginExpirationEnabled: false, PeerLoginExpiration: 24 * time.Hour},
+	}
+
+	for _, p := range account.Policies {
+		p.AccountID = account.Id
+	}
+	for _, r := range account.Routes {
+		r.AccountID = account.Id
+	}
+
+	return account
+}

management/server/types/networkmap_golden_test.go

@@ -1,967 +0,0 @@
-package types_test
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"slices"
-	"sort"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/zones"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
-)
-
-const (
-	numPeers          = 100
-	devGroupID        = "group-dev"
-	opsGroupID        = "group-ops"
-	allGroupID        = "group-all"
-	sshUsersGroupID   = "group-ssh-users"
-	routeID           = route.ID("route-main")
-	routeHA1ID        = route.ID("route-ha-1")
-	routeHA2ID        = route.ID("route-ha-2")
-	policyIDDevOps    = "policy-dev-ops"
-	policyIDAll       = "policy-all"
-	policyIDPosture   = "policy-posture"
-	policyIDDrop      = "policy-drop"
-	policyIDSSH       = "policy-ssh"
-	postureCheckID    = "posture-check-ver"
-	networkResourceID = "res-database"
-	networkID         = "net-database"
-	networkRouterID   = "router-database"
-	nameserverGroupID = "ns-group-main"
-	testingPeerID     = "peer-60" // A peer from the "dev" group, should receive the most detailed map.
-	expiredPeerID     = "peer-98" // This peer will be online but with an expired session.
-	offlinePeerID     = "peer-99" // This peer will be completely offline.
-	routingPeerID     = "peer-95" // This peer is used for routing, it has a route to the network.
-	testAccountID     = "account-golden-test"
-	userAdminID       = "user-admin"
-	userDevID         = "user-dev"
-	userOpsID         = "user-ops"
-)
-
-func TestGetPeerNetworkMap_Golden(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-
-	b.ResetTimer()
-	b.Run("old builder", func(b *testing.B) {
-		for range b.N {
-			for _, peerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-	b.ResetTimer()
-	b.Run("new builder", func(b *testing.B) {
-		for range b.N {
-			builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-			for _, peerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func TestGetPeerNetworkMap_Golden_WithNewPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	newPeerID := "peer-new-101"
-	newPeerIP := net.IP{100, 64, 1, 1}
-	newPeer := &nbpeer.Peer{
-		ID:        newPeerID,
-		IP:        newPeerIP,
-		Key:       fmt.Sprintf("key-%s", newPeerID),
-		DNSLabel:  "peernew101",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newPeerID] = newPeer
-
-	if devGroup, exists := account.Groups[devGroupID]; exists {
-		devGroup.Peers = append(devGroup.Peers, newPeerID)
-	}
-
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newPeerID)
-	}
-
-	validatedPeersMap[newPeerID] = struct{}{}
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerAddedIncremental(account, newPeerID)
-	require.NoError(t, err, "error adding peer to cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_new_peer.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with new peer from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap_AfterPeerAdded(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-	newPeerID := "peer-new-101"
-	newPeer := &nbpeer.Peer{
-		ID:       newPeerID,
-		IP:       net.IP{100, 64, 1, 1},
-		Key:      fmt.Sprintf("key-%s", newPeerID),
-		DNSLabel: "peernew101",
-		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:   "user-admin",
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-	}
-
-	account.Peers[newPeerID] = newPeer
-	account.Groups[devGroupID].Peers = append(account.Groups[devGroupID].Peers, newPeerID)
-	account.Groups[allGroupID].Peers = append(account.Groups[allGroupID].Peers, newPeerID)
-	validatedPeersMap[newPeerID] = struct{}{}
-
-	b.ResetTimer()
-	b.Run("old builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-
-	b.ResetTimer()
-	b.Run("new builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = builder.OnPeerAddedIncremental(account, newPeerID)
-			for _, testingPeerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func TestGetPeerNetworkMap_Golden_WithNewRoutingPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	newRouterID := "peer-new-router-102"
-	newRouterIP := net.IP{100, 64, 1, 2}
-	newRouter := &nbpeer.Peer{
-		ID:        newRouterID,
-		IP:        newRouterIP,
-		Key:       fmt.Sprintf("key-%s", newRouterID),
-		DNSLabel:  "newrouter102",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newRouterID] = newRouter
-
-	if opsGroup, exists := account.Groups[opsGroupID]; exists {
-		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
-	}
-
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newRouterID)
-	}
-
-	newRoute := &route.Route{
-		ID:                  route.ID("route-new-router"),
-		Network:             netip.MustParsePrefix("172.16.0.0/24"),
-		Peer:                newRouter.Key,
-		PeerID:              newRouterID,
-		Description:         "Route from new router",
-		Enabled:             true,
-		PeerGroups:          []string{opsGroupID},
-		Groups:              []string{devGroupID, opsGroupID},
-		AccessControlGroups: []string{devGroupID},
-		AccountID:           account.Id,
-	}
-	account.Routes[newRoute.ID] = newRoute
-
-	validatedPeersMap[newRouterID] = struct{}{}
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerAddedIncremental(account, newRouterID)
-	require.NoError(t, err, "error adding router to cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_new_router.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded_router.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with new router from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap_AfterRouterPeerAdded(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-	newRouterID := "peer-new-router-102"
-	newRouterIP := net.IP{100, 64, 1, 2}
-	newRouter := &nbpeer.Peer{
-		ID:        newRouterID,
-		IP:        newRouterIP,
-		Key:       fmt.Sprintf("key-%s", newRouterID),
-		DNSLabel:  "newrouter102",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newRouterID] = newRouter
-
-	if opsGroup, exists := account.Groups[opsGroupID]; exists {
-		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
-	}
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newRouterID)
-	}
-
-	newRoute := &route.Route{
-		ID:                  route.ID("route-new-router"),
-		Network:             netip.MustParsePrefix("172.16.0.0/24"),
-		Peer:                newRouter.Key,
-		PeerID:              newRouterID,
-		Description:         "Route from new router",
-		Enabled:             true,
-		PeerGroups:          []string{opsGroupID},
-		Groups:              []string{devGroupID, opsGroupID},
-		AccessControlGroups: []string{devGroupID},
-		AccountID:           account.Id,
-	}
-	account.Routes[newRoute.ID] = newRoute
-
-	validatedPeersMap[newRouterID] = struct{}{}
-
-	b.ResetTimer()
-	b.Run("old builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-
-	b.ResetTimer()
-	b.Run("new builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = builder.OnPeerAddedIncremental(account, newRouterID)
-			for _, testingPeerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func TestGetPeerNetworkMap_Golden_WithDeletedPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	deletedPeerID := "peer-25"
-
-	delete(account.Peers, deletedPeerID)
-
-	if devGroup, exists := account.Groups[devGroupID]; exists {
-		devGroup.Peers = slices.DeleteFunc(devGroup.Peers, func(id string) bool {
-			return id == deletedPeerID
-		})
-	}
-
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = slices.DeleteFunc(allGroup.Peers, func(id string) bool {
-			return id == deletedPeerID
-		})
-	}
-
-	delete(validatedPeersMap, deletedPeerID)
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerDeleted(account, deletedPeerID)
-	require.NoError(t, err, "error deleting peer from cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_deleted_peer.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeerdeleted.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with deleted peer from legacy and new builder do not match")
-	}
-}
-
-func TestGetPeerNetworkMap_Golden_WithDeletedRouterPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	deletedRouterID := "peer-75"
-
-	var affectedRoute *route.Route
-	for _, r := range account.Routes {
-		if r.PeerID == deletedRouterID {
-			affectedRoute = r
-			break
-		}
-	}
-	require.NotNil(t, affectedRoute, "Router peer should have a route")
-
-	for _, group := range account.Groups {
-		group.Peers = slices.DeleteFunc(group.Peers, func(id string) bool {
-			return id == deletedRouterID
-		})
-	}
-
-	for routeID, r := range account.Routes {
-		if r.Peer == account.Peers[deletedRouterID].Key || r.PeerID == deletedRouterID {
-			delete(account.Routes, routeID)
-		}
-	}
-	delete(account.Peers, deletedRouterID)
-	delete(validatedPeersMap, deletedRouterID)
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerDeleted(account, deletedRouterID)
-	require.NoError(t, err, "error deleting routing peer from cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_deleted_router_peer.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_deleted_router.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with deleted router from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap_AfterPeerDeleted(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-
-	deletedPeerID := "peer-25"
-
-	delete(account.Peers, deletedPeerID)
-	account.Groups[devGroupID].Peers = slices.DeleteFunc(account.Groups[devGroupID].Peers, func(id string) bool {
-		return id == deletedPeerID
-	})
-	account.Groups[allGroupID].Peers = slices.DeleteFunc(account.Groups[allGroupID].Peers, func(id string) bool {
-		return id == deletedPeerID
-	})
-	delete(validatedPeersMap, deletedPeerID)
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	b.ResetTimer()
-	b.Run("old builder after delete", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-
-	b.ResetTimer()
-	b.Run("new builder after delete", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = builder.OnPeerDeleted(account, deletedPeerID)
-			for _, testingPeerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func normalizeAndSortNetworkMap(networkMap *types.NetworkMap) {
-	for _, peer := range networkMap.Peers {
-		if peer.Status != nil {
-			peer.Status.LastSeen = time.Time{}
-		}
-		peer.LastLogin = &time.Time{}
-	}
-	for _, peer := range networkMap.OfflinePeers {
-		if peer.Status != nil {
-			peer.Status.LastSeen = time.Time{}
-		}
-		peer.LastLogin = &time.Time{}
-	}
-
-	sort.Slice(networkMap.Peers, func(i, j int) bool { return networkMap.Peers[i].ID < networkMap.Peers[j].ID })
-	sort.Slice(networkMap.OfflinePeers, func(i, j int) bool { return networkMap.OfflinePeers[i].ID < networkMap.OfflinePeers[j].ID })
-	sort.Slice(networkMap.Routes, func(i, j int) bool { return networkMap.Routes[i].ID < networkMap.Routes[j].ID })
-
-	sort.Slice(networkMap.FirewallRules, func(i, j int) bool {
-		r1, r2 := networkMap.FirewallRules[i], networkMap.FirewallRules[j]
-		if r1.PeerIP != r2.PeerIP {
-			return r1.PeerIP < r2.PeerIP
-		}
-		if r1.Protocol != r2.Protocol {
-			return r1.Protocol < r2.Protocol
-		}
-		if r1.Direction != r2.Direction {
-			return r1.Direction < r2.Direction
-		}
-		if r1.Action != r2.Action {
-			return r1.Action < r2.Action
-		}
-		return r1.Port < r2.Port
-	})
-
-	sort.Slice(networkMap.RoutesFirewallRules, func(i, j int) bool {
-		r1, r2 := networkMap.RoutesFirewallRules[i], networkMap.RoutesFirewallRules[j]
-		if r1.RouteID != r2.RouteID {
-			return r1.RouteID < r2.RouteID
-		}
-		if r1.Action != r2.Action {
-			return r1.Action < r2.Action
-		}
-		if r1.Destination != r2.Destination {
-			return r1.Destination < r2.Destination
-		}
-		if len(r1.SourceRanges) > 0 && len(r2.SourceRanges) > 0 {
-			if r1.SourceRanges[0] != r2.SourceRanges[0] {
-				return r1.SourceRanges[0] < r2.SourceRanges[0]
-			}
-		}
-		return r1.Port < r2.Port
-	})
-
-	for _, ranges := range networkMap.RoutesFirewallRules {
-		sort.Slice(ranges.SourceRanges, func(i, j int) bool {
-			return ranges.SourceRanges[i] < ranges.SourceRanges[j]
-		})
-	}
-}
-
-type networkMapJSON struct {
-	Peers               []*nbpeer.Peer             `json:"Peers"`
-	Network             *types.Network             `json:"Network"`
-	Routes              []*route.Route             `json:"Routes"`
-	DNSConfig           dns.Config                 `json:"DNSConfig"`
-	OfflinePeers        []*nbpeer.Peer             `json:"OfflinePeers"`
-	FirewallRules       []*types.FirewallRule      `json:"FirewallRules"`
-	RoutesFirewallRules []*types.RouteFirewallRule `json:"RoutesFirewallRules"`
-	ForwardingRules     []*types.ForwardingRule    `json:"ForwardingRules"`
-	AuthorizedUsers     map[string][]string        `json:"AuthorizedUsers,omitempty"`
-	EnableSSH           bool                       `json:"EnableSSH"`
-}
-
-func toNetworkMapJSON(nm *types.NetworkMap) *networkMapJSON {
-	result := &networkMapJSON{
-		Peers:               nm.Peers,
-		Network:             nm.Network,
-		Routes:              nm.Routes,
-		DNSConfig:           nm.DNSConfig,
-		OfflinePeers:        nm.OfflinePeers,
-		FirewallRules:       nm.FirewallRules,
-		RoutesFirewallRules: nm.RoutesFirewallRules,
-		ForwardingRules:     nm.ForwardingRules,
-		EnableSSH:           nm.EnableSSH,
-	}
-
-	if len(nm.AuthorizedUsers) > 0 {
-		result.AuthorizedUsers = make(map[string][]string)
-		localUsers := make([]string, 0, len(nm.AuthorizedUsers))
-		for localUser := range nm.AuthorizedUsers {
-			localUsers = append(localUsers, localUser)
-		}
-		sort.Strings(localUsers)
-
-		for _, localUser := range localUsers {
-			userIDs := nm.AuthorizedUsers[localUser]
-			sortedUserIDs := make([]string, 0, len(userIDs))
-			for userID := range userIDs {
-				sortedUserIDs = append(sortedUserIDs, userID)
-			}
-			sort.Strings(sortedUserIDs)
-			result.AuthorizedUsers[localUser] = sortedUserIDs
-		}
-	}
-
-	return result
-}
-
-func createTestAccountWithEntities() *types.Account {
-	peers := make(map[string]*nbpeer.Peer)
-	devGroupPeers, opsGroupPeers, allGroupPeers := []string{}, []string{}, []string{}
-
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		ip := net.IP{100, 64, 0, byte(i + 1)}
-		wtVersion := "0.25.0"
-		if i%2 == 0 {
-			wtVersion = "0.40.0"
-		}
-
-		p := &nbpeer.Peer{
-			ID: peerID, IP: ip, Key: fmt.Sprintf("key-%s", peerID), DNSLabel: fmt.Sprintf("peer%d", i+1),
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-			UserID: "user-admin", Meta: nbpeer.PeerSystemMeta{WtVersion: wtVersion, GoOS: "linux"},
-		}
-
-		if peerID == expiredPeerID {
-			p.LoginExpirationEnabled = true
-			pastTimestamp := time.Now().Add(-2 * time.Hour)
-			p.LastLogin = &pastTimestamp
-		}
-
-		peers[peerID] = p
-		allGroupPeers = append(allGroupPeers, peerID)
-		if i < numPeers/2 {
-			devGroupPeers = append(devGroupPeers, peerID)
-		} else {
-			opsGroupPeers = append(opsGroupPeers, peerID)
-		}
-
-	}
-
-	groups := map[string]*types.Group{
-		allGroupID:      {ID: allGroupID, Name: "All", Peers: allGroupPeers},
-		devGroupID:      {ID: devGroupID, Name: "Developers", Peers: devGroupPeers},
-		opsGroupID:      {ID: opsGroupID, Name: "Operations", Peers: opsGroupPeers},
-		sshUsersGroupID: {ID: sshUsersGroupID, Name: "SSH Users", Peers: []string{}},
-	}
-
-	policies := []*types.Policy{
-		{
-			ID: policyIDAll, Name: "Default-Allow", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDAll, Name: "Allow All", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{allGroupID}, Destinations: []string{allGroupID},
-			}},
-		},
-		{
-			ID: policyIDDevOps, Name: "Dev to Ops Web Access", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDDevOps, Name: "Dev -> Ops (HTTP Range)", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolTCP, Bidirectional: false,
-				PortRanges: []types.RulePortRange{{Start: 8080, End: 8090}},
-				Sources:    []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDDrop, Name: "Drop DB traffic", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDDrop, Name: "Drop DB", Enabled: true, Action: types.PolicyTrafficActionDrop,
-				Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"5432"}, Bidirectional: true,
-				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDPosture, Name: "Posture Check for DB Resource", Enabled: true,
-			SourcePostureChecks: []string{postureCheckID},
-			Rules: []*types.PolicyRule{{
-				ID: policyIDPosture, Name: "Allow DB Access", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{opsGroupID}, DestinationResource: types.Resource{ID: networkResourceID},
-			}},
-		},
-		{
-			ID: policyIDSSH, Name: "SSH Access Policy", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDSSH, Name: "Allow SSH to Ops", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolNetbirdSSH, Bidirectional: false,
-				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
-				AuthorizedGroups: map[string][]string{sshUsersGroupID: {"root", "admin"}},
-			}},
-		},
-	}
-
-	routes := map[route.ID]*route.Route{
-		routeID: {
-			ID: routeID, Network: netip.MustParsePrefix("192.168.10.0/24"),
-			Peer:        peers["peer-75"].Key,
-			PeerID:      "peer-75",
-			Description: "Route to internal resource", Enabled: true,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{devGroupID},
-		},
-		routeHA1ID: {
-			ID: routeHA1ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-80"].Key,
-			PeerID:      "peer-80",
-			Description: "HA Route 1", Enabled: true, Metric: 1000,
-			PeerGroups:          []string{allGroupID},
-			Groups:              []string{allGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-		routeHA2ID: {
-			ID: routeHA2ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-90"].Key,
-			PeerID:      "peer-90",
-			Description: "HA Route 2", Enabled: true, Metric: 900,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-	}
-
-	users := map[string]*types.User{
-		userAdminID: {Id: userAdminID, Role: types.UserRoleAdmin, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{allGroupID}},
-		userDevID:   {Id: userDevID, Role: types.UserRoleUser, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{sshUsersGroupID, devGroupID}},
-		userOpsID:   {Id: userOpsID, Role: types.UserRoleUser, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{sshUsersGroupID, opsGroupID}},
-	}
-
-	account := &types.Account{
-		Id: testAccountID, Peers: peers, Groups: groups, Policies: policies, Routes: routes,
-		Users: users,
-		Network: &types.Network{
-			Identifier: "net-golden-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
-		},
-		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{opsGroupID}},
-		NameServerGroups: map[string]*dns.NameServerGroup{
-			nameserverGroupID: {
-				ID: nameserverGroupID, Name: "Main NS", Enabled: true, Groups: []string{devGroupID},
-				NameServers: []dns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: dns.UDPNameServerType, Port: 53}},
-			},
-		},
-		PostureChecks: []*posture.Checks{
-			{ID: postureCheckID, Name: "Check version", Checks: posture.ChecksDefinition{
-				NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-			}},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{ID: networkResourceID, NetworkID: networkID, AccountID: testAccountID, Enabled: true, Address: "db.netbird.cloud"},
-		},
-		Networks: []*networkTypes.Network{{ID: networkID, Name: "DB Network", AccountID: testAccountID}},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{ID: networkRouterID, NetworkID: networkID, Peer: routingPeerID, Enabled: true, AccountID: testAccountID},
-		},
-		Settings: &types.Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: 1 * time.Hour},
-	}
-
-	for _, p := range account.Policies {
-		p.AccountID = account.Id
-	}
-	for _, r := range account.Routes {
-		r.AccountID = account.Id
-	}
-
-	return account
-}
-
-func TestGetPeerNetworkMap_Golden_New_WithOnPeerAddedRouter_Batched(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	newRouterID := "peer-new-router-102"
-	newRouterIP := net.IP{100, 64, 1, 2}
-	newRouter := &nbpeer.Peer{
-		ID:        newRouterID,
-		IP:        newRouterIP,
-		Key:       fmt.Sprintf("key-%s", newRouterID),
-		DNSLabel:  "newrouter102",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newRouterID] = newRouter
-
-	if opsGroup, exists := account.Groups[opsGroupID]; exists {
-		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
-	}
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newRouterID)
-	}
-
-	newRoute := &route.Route{
-		ID:                  route.ID("route-new-router"),
-		Network:             netip.MustParsePrefix("172.16.0.0/24"),
-		Peer:                newRouter.Key,
-		PeerID:              newRouterID,
-		Description:         "Route from new router",
-		Enabled:             true,
-		PeerGroups:          []string{opsGroupID},
-		Groups:              []string{devGroupID, opsGroupID},
-		AccessControlGroups: []string{devGroupID},
-		AccountID:           account.Id,
-	}
-	account.Routes[newRoute.ID] = newRoute
-
-	validatedPeersMap[newRouterID] = struct{}{}
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	builder.EnqueuePeersForIncrementalAdd(account, newRouterID)
-
-	time.Sleep(100 * time.Millisecond)
-
-	networkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-
-	normalizeAndSortNetworkMap(networkMap)
-
-	jsonData, err := json.MarshalIndent(networkMap, "", "  ")
-	require.NoError(t, err, "error marshaling network map to JSON")
-
-	goldenFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded_router.json")
-
-	t.Log("Update golden file with OnPeerAdded router...")
-	err = os.MkdirAll(filepath.Dir(goldenFilePath), 0755)
-	require.NoError(t, err)
-	err = os.WriteFile(goldenFilePath, jsonData, 0644)
-	require.NoError(t, err)
-
-	expectedJSON, err := os.ReadFile(goldenFilePath)
-	require.NoError(t, err, "error reading golden file")
-
-	require.JSONEq(t, string(expectedJSON), string(jsonData), "network map from NEW builder with OnPeerAdded router does not match golden file")
-}

management/server/types/policy.go

@@ -93,6 +93,44 @@ func (p *Policy) Copy() *Policy {
 	return c
 }
 
+func (p *Policy) Equal(other *Policy) bool {
+	if p == nil || other == nil {
+		return p == other
+	}
+
+	if p.ID != other.ID ||
+		p.AccountID != other.AccountID ||
+		p.Name != other.Name ||
+		p.Description != other.Description ||
+		p.Enabled != other.Enabled {
+		return false
+	}
+
+	if !stringSlicesEqualUnordered(p.SourcePostureChecks, other.SourcePostureChecks) {
+		return false
+	}
+
+	if len(p.Rules) != len(other.Rules) {
+		return false
+	}
+
+	otherRules := make(map[string]*PolicyRule, len(other.Rules))
+	for _, r := range other.Rules {
+		otherRules[r.ID] = r
+	}
+	for _, r := range p.Rules {
+		otherRule, ok := otherRules[r.ID]
+		if !ok {
+			return false
+		}
+		if !r.Equal(otherRule) {
+			return false
+		}
+	}
+
+	return true
+}
+
 // EventMeta returns activity event meta related to this policy
 func (p *Policy) EventMeta() map[string]any {
 	return map[string]any{"name": p.Name}

management/server/types/policy_test.go

@@ -0,0 +1,193 @@
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPolicyEqual_SameRulesDifferentOrder(t *testing.T) {
+	a := &Policy{
+		ID:        "pol1",
+		AccountID: "acc1",
+		Name:      "test",
+		Enabled:   true,
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"80"}},
+			{ID: "r2", PolicyID: "pol1", Ports: []string{"443"}},
+		},
+	}
+	b := &Policy{
+		ID:        "pol1",
+		AccountID: "acc1",
+		Name:      "test",
+		Enabled:   true,
+		Rules: []*PolicyRule{
+			{ID: "r2", PolicyID: "pol1", Ports: []string{"443"}},
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"80"}},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentRules(t *testing.T) {
+	a := &Policy{
+		ID:      "pol1",
+		Enabled: true,
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"80"}},
+		},
+	}
+	b := &Policy{
+		ID:      "pol1",
+		Enabled: true,
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"443"}},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentRuleCount(t *testing.T) {
+	a := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1"},
+		},
+	}
+	b := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1"},
+			{ID: "r2", PolicyID: "pol1"},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_PostureChecksDifferentOrder(t *testing.T) {
+	a := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc3", "pc1", "pc2"},
+	}
+	b := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc1", "pc2", "pc3"},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentPostureChecks(t *testing.T) {
+	a := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc1", "pc2"},
+	}
+	b := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc1", "pc3"},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentScalarFields(t *testing.T) {
+	base := Policy{
+		ID:          "pol1",
+		AccountID:   "acc1",
+		Name:        "test",
+		Description: "desc",
+		Enabled:     true,
+	}
+
+	other := base
+	other.Name = "changed"
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Enabled = false
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Description = "changed"
+	assert.False(t, base.Equal(&other))
+}
+
+func TestPolicyEqual_NilCases(t *testing.T) {
+	var a *Policy
+	var b *Policy
+	assert.True(t, a.Equal(b))
+
+	a = &Policy{ID: "pol1"}
+	assert.False(t, a.Equal(nil))
+}
+
+func TestPolicyEqual_RulesMismatchByID(t *testing.T) {
+	a := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1"},
+		},
+	}
+	b := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r2", PolicyID: "pol1"},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_FullScenario(t *testing.T) {
+	a := &Policy{
+		ID:                  "pol1",
+		AccountID:           "acc1",
+		Name:                "Web Access",
+		Description:         "Allow web access",
+		Enabled:             true,
+		SourcePostureChecks: []string{"pc2", "pc1"},
+		Rules: []*PolicyRule{
+			{
+				ID:            "r1",
+				PolicyID:      "pol1",
+				Name:          "HTTP",
+				Enabled:       true,
+				Action:        PolicyTrafficActionAccept,
+				Protocol:      PolicyRuleProtocolTCP,
+				Bidirectional: true,
+				Sources:       []string{"g2", "g1"},
+				Destinations:  []string{"g4", "g3"},
+				Ports:         []string{"443", "80", "8080"},
+				PortRanges: []RulePortRange{
+					{Start: 8000, End: 9000},
+					{Start: 80, End: 80},
+				},
+			},
+		},
+	}
+	b := &Policy{
+		ID:                  "pol1",
+		AccountID:           "acc1",
+		Name:                "Web Access",
+		Description:         "Allow web access",
+		Enabled:             true,
+		SourcePostureChecks: []string{"pc1", "pc2"},
+		Rules: []*PolicyRule{
+			{
+				ID:            "r1",
+				PolicyID:      "pol1",
+				Name:          "HTTP",
+				Enabled:       true,
+				Action:        PolicyTrafficActionAccept,
+				Protocol:      PolicyRuleProtocolTCP,
+				Bidirectional: true,
+				Sources:       []string{"g1", "g2"},
+				Destinations:  []string{"g3", "g4"},
+				Ports:         []string{"80", "8080", "443"},
+				PortRanges: []RulePortRange{
+					{Start: 80, End: 80},
+					{Start: 8000, End: 9000},
+				},
+			},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}

management/server/types/policyrule.go

@@ -1,6 +1,8 @@
 package types
 
 import (
+	"slices"
+
 	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
@@ -118,3 +120,106 @@ func (pm *PolicyRule) Copy() *PolicyRule {
 	}
 	return rule
 }
+
+func (pm *PolicyRule) Equal(other *PolicyRule) bool {
+	if pm == nil || other == nil {
+		return pm == other
+	}
+
+	if pm.ID != other.ID ||
+		pm.PolicyID != other.PolicyID ||
+		pm.Name != other.Name ||
+		pm.Description != other.Description ||
+		pm.Enabled != other.Enabled ||
+		pm.Action != other.Action ||
+		pm.Bidirectional != other.Bidirectional ||
+		pm.Protocol != other.Protocol ||
+		pm.SourceResource != other.SourceResource ||
+		pm.DestinationResource != other.DestinationResource ||
+		pm.AuthorizedUser != other.AuthorizedUser {
+		return false
+	}
+
+	if !stringSlicesEqualUnordered(pm.Sources, other.Sources) {
+		return false
+	}
+	if !stringSlicesEqualUnordered(pm.Destinations, other.Destinations) {
+		return false
+	}
+	if !stringSlicesEqualUnordered(pm.Ports, other.Ports) {
+		return false
+	}
+	if !portRangeSlicesEqualUnordered(pm.PortRanges, other.PortRanges) {
+		return false
+	}
+	if !authorizedGroupsEqual(pm.AuthorizedGroups, other.AuthorizedGroups) {
+		return false
+	}
+
+	return true
+}
+
+func stringSlicesEqualUnordered(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if len(a) == 0 {
+		return true
+	}
+	sorted1 := make([]string, len(a))
+	sorted2 := make([]string, len(b))
+	copy(sorted1, a)
+	copy(sorted2, b)
+	slices.Sort(sorted1)
+	slices.Sort(sorted2)
+	return slices.Equal(sorted1, sorted2)
+}
+
+func portRangeSlicesEqualUnordered(a, b []RulePortRange) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if len(a) == 0 {
+		return true
+	}
+	cmp := func(x, y RulePortRange) int {
+		if x.Start != y.Start {
+			if x.Start < y.Start {
+				return -1
+			}
+			return 1
+		}
+		if x.End != y.End {
+			if x.End < y.End {
+				return -1
+			}
+			return 1
+		}
+		return 0
+	}
+	sorted1 := make([]RulePortRange, len(a))
+	sorted2 := make([]RulePortRange, len(b))
+	copy(sorted1, a)
+	copy(sorted2, b)
+	slices.SortFunc(sorted1, cmp)
+	slices.SortFunc(sorted2, cmp)
+	return slices.EqualFunc(sorted1, sorted2, func(x, y RulePortRange) bool {
+		return x.Start == y.Start && x.End == y.End
+	})
+}
+
+func authorizedGroupsEqual(a, b map[string][]string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for k, va := range a {
+		vb, ok := b[k]
+		if !ok {
+			return false
+		}
+		if !stringSlicesEqualUnordered(va, vb) {
+			return false
+		}
+	}
+	return true
+}

management/server/types/policyrule_test.go

@@ -0,0 +1,194 @@
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPolicyRuleEqual_SamePortsDifferentOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"443", "80", "22"},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"22", "443", "80"},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentPorts(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"443", "80"},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"443", "22"},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_SourcesDestinationsDifferentOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:           "rule1",
+		PolicyID:     "pol1",
+		Sources:      []string{"g1", "g2", "g3"},
+		Destinations: []string{"g4", "g5"},
+	}
+	b := &PolicyRule{
+		ID:           "rule1",
+		PolicyID:     "pol1",
+		Sources:      []string{"g3", "g1", "g2"},
+		Destinations: []string{"g5", "g4"},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentSources(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Sources:  []string{"g1", "g2"},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Sources:  []string{"g1", "g3"},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_PortRangesDifferentOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 8000, End: 9000},
+			{Start: 80, End: 80},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 80, End: 80},
+			{Start: 8000, End: 9000},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentPortRanges(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 80, End: 80},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 80, End: 443},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_AuthorizedGroupsDifferentValueOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g1": {"u1", "u2", "u3"},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g1": {"u3", "u1", "u2"},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentAuthorizedGroups(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g1": {"u1"},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g2": {"u1"},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentScalarFields(t *testing.T) {
+	base := PolicyRule{
+		ID:            "rule1",
+		PolicyID:      "pol1",
+		Name:          "test",
+		Description:   "desc",
+		Enabled:       true,
+		Action:        PolicyTrafficActionAccept,
+		Bidirectional: true,
+		Protocol:      PolicyRuleProtocolTCP,
+	}
+
+	other := base
+	other.Name = "changed"
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Enabled = false
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Action = PolicyTrafficActionDrop
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Protocol = PolicyRuleProtocolUDP
+	assert.False(t, base.Equal(&other))
+}
+
+func TestPolicyRuleEqual_NilCases(t *testing.T) {
+	var a *PolicyRule
+	var b *PolicyRule
+	assert.True(t, a.Equal(b))
+
+	a = &PolicyRule{ID: "rule1"}
+	assert.False(t, a.Equal(nil))
+}
+
+func TestPolicyRuleEqual_EmptySlices(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{},
+		Sources:  nil,
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    nil,
+		Sources:  []string{},
+	}
+	assert.True(t, a.Equal(b))
+}
+

management/server/user_test.go

@@ -1586,7 +1586,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})
@@ -1609,7 +1609,7 @@ func TestUserAccountPeersUpdate(t *testing.T) {
 
 		select {
 		case <-done:
-		case <-time.After(time.Second):
+		case <-time.After(peerUpdateTimeout):
 			t.Error("timeout waiting for peerShouldReceiveUpdate")
 		}
 	})

proxy/internal/auth/middleware.go

@@ -433,6 +433,7 @@ func setSessionCookie(w http.ResponseWriter, token string, expiration time.Durat
 	http.SetCookie(w, &http.Cookie{
 		Name:     auth.SessionCookieName,
 		Value:    token,
+		Path:     "/",
 		HttpOnly: true,
 		Secure:   true,
 		SameSite: http.SameSiteLaxMode,