require On-Premise EULA acceptance before install

client/ui/client_ui.go

@@ -418,14 +418,7 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 	case args.showProfiles:
 		s.showProfilesUI()
 	case args.showQuickActions:
-		// Suppress the on-boot Quick Actions popup when the daemon
-		// reports DisableAutoConnect=true — that flag carries both the
-		// user's "Connect on Startup = off" preference AND any MDM-
-		// enforced override (applyMDMPolicy writes the policy value
-		// into the same Config field). See netbirdio/netbird#5744.
-		if !s.disableAutoConnectFromDaemon() {
-			s.showQuickActionsUI()
-		}
+		s.showQuickActionsUI()
 	case args.showUpdate:
 		s.showUpdateProgress(ctx, args.showUpdateVersion)
 	}
@@ -1345,40 +1338,6 @@ func (s *serviceClient) getFeatures() (*proto.GetFeaturesResponse, error) {
 	return features, nil
 }
 
-// disableAutoConnectFromDaemon returns true when the daemon reports
-// the active profile has DisableAutoConnect=true. Used by the
-// --quick-actions startup path to suppress the on-boot popup when the
-// user (or an MDM admin) opted out of auto-connecting; both cases
-// converge on the same Config field because applyMDMPolicy writes the
-// policy value into it. Returns false on any RPC / lookup failure so a
-// daemon hiccup does not silently swallow the popup.
-func (s *serviceClient) disableAutoConnectFromDaemon() bool {
-	activeProf, err := s.profileManager.GetActiveProfile()
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: get active profile: %v", err)
-		return false
-	}
-	currUser, err := user.Current()
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: get current user: %v", err)
-		return false
-	}
-	conn, err := s.getSrvClient(failFastTimeout)
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: get daemon client: %v", err)
-		return false
-	}
-	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.ID.String(),
-		Username:    currUser.Username,
-	})
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: GetConfig RPC: %v", err)
-		return false
-	}
-	return srvCfg.GetDisableAutoConnect()
-}
-
 // getSrvConfig from the service to show it in the settings window.
 func (s *serviceClient) getSrvConfig() {
 	s.managementURL = profilemanager.DefaultManagementURL

infrastructure_files/getting-started-enterprise.sh

@@ -9,6 +9,8 @@ set -o pipefail
 
 SED_STRIP_PADDING='s/=//g'
 
+NETBIRD_EULA_URL="https://trust.netbird.io/?tab=reports-and-documents"
+
 check_docker_compose() {
   if command -v docker-compose &> /dev/null; then
     echo "docker-compose"
@@ -139,6 +141,43 @@ read_yes_no() {
   esac
 }
 
+# Gate the install on explicit acceptance of the NetBird On-Premise EULA.
+require_eula_acceptance() {
+  cat > /dev/stderr <<EOF
+
+  ──────────────────────────────────────────────────────────────────────
+   NetBird On-Premise End User License Agreement
+  ──────────────────────────────────────────────────────────────────────
+  NetBird's on-premise software is commercial software, licensed and not
+  sold. Your installation, deployment and use are governed by the NetBird
+  On-Premise End User License Agreement (the "EULA"). Please read it in
+  full before continuing — open the "On-Premise EULA" document here:
+
+      ${NETBIRD_EULA_URL}
+
+  By typing "accept" and continuing the installation, you confirm that you
+  have read and agree to the EULA, that you are authorized to accept it on
+  behalf of your organization (the "Customer"), and that the Software is
+  used for business purposes only.
+  ──────────────────────────────────────────────────────────────────────
+EOF
+
+  if [[ "${NB_ACCEPT_EULA:-}" == "yes" ]]; then
+    echo "EULA accepted via NB_ACCEPT_EULA=yes." > /dev/stderr
+    return 0
+  fi
+
+  local ans=""
+  echo -n 'Type "accept" to agree, or anything else to abort: ' > /dev/stderr
+  read -r ans < /dev/tty
+  if [[ "$ans" != "accept" ]]; then
+    echo "" > /dev/stderr
+    echo "EULA not accepted. Aborting installation." > /dev/stderr
+    exit 1
+  fi
+  echo "" > /dev/stderr
+}
+
 wait_postgres() {
   set +e
   echo -n "Waiting for postgres to become ready"
@@ -174,6 +213,9 @@ init_environment() {
     exit 1
   fi
 
+  require_eula_acceptance
+  NETBIRD_EULA_ACCEPTED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
   echo "NetBird Enterprise bootstrap"
   echo ""
   echo "Traffic flow:"
@@ -260,6 +302,11 @@ render_env() {
 # Generated by getting-started-enterprise.sh
 # Holds all configuration and secrets for the stack. Mode 600.
 
+# NetBird On-Premise EULA acceptance
+NETBIRD_EULA_ACCEPTED=yes
+NETBIRD_EULA_ACCEPTED_AT=${NETBIRD_EULA_ACCEPTED_AT}
+NETBIRD_EULA_URL=${NETBIRD_EULA_URL}
+
 # Features (set by the script; don't edit without re-running)
 NETBIRD_TRAFFIC_FLOW_ENABLED=${NETBIRD_TRAFFIC_FLOW}
 

infrastructure_files/migrate-to-enterprise.sh

@@ -25,6 +25,8 @@ set -o pipefail
 OVERRIDE_FILE="docker-compose.override.yml"
 ENTERPRISE_CONFIG_FILE="config.yaml.enterprise"
 
+NETBIRD_EULA_URL="https://trust.netbird.io/?tab=reports-and-documents"
+
 check_docker_compose() {
   if command -v docker-compose &> /dev/null; then
     echo "docker-compose"
@@ -115,6 +117,43 @@ read_yes_no() {
   esac
 }
 
+# Gate the migration on explicit acceptance of the NetBird On-Premise EULA.
+require_eula_acceptance() {
+  cat > /dev/stderr <<EOF
+
+  ──────────────────────────────────────────────────────────────────────
+   NetBird On-Premise End User License Agreement
+  ──────────────────────────────────────────────────────────────────────
+  NetBird's on-premise software is commercial software, licensed and not
+  sold. Your installation, deployment and use are governed by the NetBird
+  On-Premise End User License Agreement (the "EULA"). Please read it in
+  full before continuing — open the "On-Premise EULA" document here:
+
+      ${NETBIRD_EULA_URL}
+
+  By typing "accept" and continuing the installation, you confirm that you
+  have read and agree to the EULA, that you are authorized to accept it on
+  behalf of your organization (the "Customer"), and that the Software is
+  used for business purposes only.
+  ──────────────────────────────────────────────────────────────────────
+EOF
+
+  if [[ "${NB_ACCEPT_EULA:-}" == "yes" ]]; then
+    echo "EULA accepted via NB_ACCEPT_EULA=yes." > /dev/stderr
+    return 0
+  fi
+
+  local ans=""
+  echo -n 'Type "accept" to agree, or anything else to abort: ' > /dev/stderr
+  read -r ans < /dev/tty
+  if [[ "$ans" != "accept" ]]; then
+    echo "" > /dev/stderr
+    echo "EULA not accepted. Aborting migration." > /dev/stderr
+    exit 1
+  fi
+  echo "" > /dev/stderr
+}
+
 # ---------------------------------------------------------------------------
 # Detection — read the operator's existing compose to find service names and
 # paths we need to override. Bail loudly if shape isn't recognised.
@@ -384,6 +423,9 @@ init_migration() {
   check_yq
   check_openssl
 
+  require_eula_acceptance
+  NETBIRD_EULA_ACCEPTED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
   COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
 
   if [[ ! -f "$COMPOSE_FILE" ]]; then
@@ -529,6 +571,10 @@ apply_changes() {
   {
     echo ""
     echo "# Added by migrate-to-enterprise.sh on $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+    echo "# NetBird On-Premise EULA accepted at install time"
+    echo "NETBIRD_EULA_ACCEPTED=yes"
+    echo "NETBIRD_EULA_ACCEPTED_AT=${NETBIRD_EULA_ACCEPTED_AT}"
+    echo "NETBIRD_EULA_URL=${NETBIRD_EULA_URL}"
     echo "NB_LICENSE_KEY=${NB_LICENSE_KEY}"
     if [[ -n "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
       echo "NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}"

management/internals/controllers/network_map/controller/controller.go

@@ -497,7 +497,7 @@ func (c *Controller) BufferUpdateAffectedPeers(ctx context.Context, accountID st
 		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
 	}
 
-	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s with reason %s/%s", len(peerIDs), accountID, util.GetCallerName(), reason.Operation, reason.Resource)
+	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s", len(peerIDs), accountID, util.GetCallerName())
 
 	bufUpd, _ := c.affectedPeerUpdateLocks.LoadOrStore(accountID, &bufferAffectedUpdate{
 		peerIDs: make(map[string]struct{}),

management/server/affected_peers_coverage_test.go

@@ -41,7 +41,7 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 				_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
 				require.NoError(t, err)
 				return affectedpeers.Change{ChangedPeerIDs: []string{s.routerPeerID}},
-					[]string{s.sourcePeerID, s.routerPeerID}, []string{s.unrelatedPeerID}
+					[]string{s.sourcePeerID}, []string{s.unrelatedPeerID}
 			},
 		},
 		{
@@ -106,9 +106,11 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 			change, mustContain, mustExclude := r.build(t, s, ctx)
 			affected := resolveAffected(t, s.manager.Store, s.accountID, change)
 
-			assert.ElementsMatch(t, affected, mustContain, "expected peer to be affected")
-			for _, peerID := range mustExclude {
-				assert.NotContains(t, affected, peerID, "peer must not be affected")
+			for _, id := range mustContain {
+				assert.Contains(t, affected, id, "expected peer to be affected")
+			}
+			for _, id := range mustExclude {
+				assert.NotContains(t, affected, id, "peer must not be affected")
 			}
 		})
 	}

management/server/affected_peers_router_paths_test.go

@@ -251,9 +251,7 @@ func TestAffectedPeers_E2E_UpdateResource_DestinationResourcePolicy_RefreshesSou
 	}
 }
 
-// A disabled sibling router routes to nobody, so updating a resource on its network
-// must NOT refresh its peer (the enabled router carries the bridge instead).
-func TestAffectedPeers_E2E_UpdateResource_DisabledSiblingRouterNotBridged(t *testing.T) {
+func TestAffectedPeers_E2E_UpdateResource_DisabledSiblingRouter_StillBridged(t *testing.T) {
 	s := setupRouterScenario(t, true)
 	ctx := context.Background()
 
@@ -276,18 +274,13 @@ func TestAffectedPeers_E2E_UpdateResource_DisabledSiblingRouterNotBridged(t *tes
 	require.NoError(t, err)
 
 	disabledCh := s.updateManager.CreateChannel(ctx, disabledRouterPeer.ID)
-	enabledCh := s.updateManager.CreateChannel(ctx, s.routerPeerID)
-	t.Cleanup(func() {
-		s.updateManager.CloseChannel(ctx, disabledRouterPeer.ID)
-		s.updateManager.CloseChannel(ctx, s.routerPeerID)
-	})
+	t.Cleanup(func() { s.updateManager.CloseChannel(ctx, disabledRouterPeer.ID) })
 
-	settleAffectedUpdates(disabledCh, enabledCh)
+	settleAffectedUpdates(disabledCh)
 
 	done := make(chan struct{})
 	go func() {
-		peerShouldReceiveUpdate(t, enabledCh)
-		peerShouldNotReceiveUpdate(t, disabledCh)
+		peerShouldReceiveUpdate(t, disabledCh)
 		close(done)
 	}()
 
@@ -305,7 +298,7 @@ func TestAffectedPeers_E2E_UpdateResource_DisabledSiblingRouterNotBridged(t *tes
 	select {
 	case <-done:
 	case <-time.After(peerUpdateTimeout):
-		t.Error("timeout")
+		t.Error("timeout: resource update did not refresh the disabled sibling router's peer")
 	}
 }
 

management/server/affected_peers_router_test.go

@@ -682,9 +682,6 @@ func TestAffectedPeers_AllRoutingPeers_Network(t *testing.T) {
 	assert.Contains(t, affected, secondRouterPeer.ID, "second routing peer on the same network must also be affected")
 }
 
-// A disabled router in the snapshot routes to nobody, so it is skipped when the
-// walk scans existing account data: a policy edit still folds the literal source
-// group, but not the disabled router's peer.
 func TestAffectedPeers_DisabledRouter(t *testing.T) {
 	s := setupRouterScenario(t, true)
 	ctx := context.Background()
@@ -697,13 +694,11 @@ func TestAffectedPeers_DisabledRouter(t *testing.T) {
 
 	affected := s.resolvePolicyAffected(ctx, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID))
 
-	assert.Contains(t, affected, s.sourcePeerID, "source peer (literal policy source group) must be affected")
-	assert.NotContains(t, affected, s.routerPeerID,
-		"a disabled router routes to nobody, so its peer must not be folded from snapshot data")
+	assert.Contains(t, affected, s.sourcePeerID, "source peer must be affected")
+	assert.Contains(t, affected, s.routerPeerID,
+		"disabled router's peer must still be affected: Enabled must not gate affected-peers")
 }
 
-// A disabled resource in the snapshot is skipped: the policy edit still folds the
-// literal source group, but the resource no longer bridges to its network's router.
 func TestAffectedPeers_DisabledResource(t *testing.T) {
 	s := setupRouterScenario(t, true)
 	ctx := context.Background()
@@ -715,9 +710,9 @@ func TestAffectedPeers_DisabledResource(t *testing.T) {
 
 	affected := s.resolvePolicyAffected(ctx, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID))
 
-	assert.Contains(t, affected, s.sourcePeerID, "source peer (literal policy source group) must be affected")
-	assert.NotContains(t, affected, s.routerPeerID,
-		"a disabled resource routes to nobody, so its network's router must not be folded from snapshot data")
+	assert.Contains(t, affected, s.sourcePeerID, "source peer must be affected")
+	assert.Contains(t, affected, s.routerPeerID,
+		"disabled resource must still resolve the routing peer: Enabled must not gate affected-peers")
 }
 
 func TestAffectedPeers_DisabledRule(t *testing.T) {

management/server/affected_peers_test.go

@@ -96,54 +96,33 @@ func affectedGroupID(i int) string   { return fmt.Sprintf("affected-grp-%d", i)
 func affectedGroupName(i int) string { return fmt.Sprintf("AffectedGroup%d", i) }
 
 func TestCollectGroupChange_PolicyLinked(t *testing.T) {
-	manager, s, accountID, peerIDs, groupIDs := setupAffectedPeersTest(t)
+	manager, s, accountID, _, groupIDs := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
 	_, err := manager.SavePolicy(ctx, accountID, userID, &types.Policy{
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: peerIDs[0], Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: peerIDs[1], Type: types.ResourceTypePeer},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
-				DestinationResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypeHost},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
+				Enabled:       true,
+				Sources:       []string{groupIDs[0]},
+				Destinations:  []string{groupIDs[1]},
+				Bidirectional: true,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
-	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[1]})
+	groups, _ := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[0]})
+	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
+	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
 	assert.Empty(t, groups)
-	assert.Empty(t, directPeers)
 }
 
 func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
@@ -154,44 +133,20 @@ func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: peerIDs[4], Type: types.ResourceTypePeer},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: peerIDs[1], Type: types.ResourceTypeHost},
-				DestinationResource: types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
+				Enabled:        true,
+				Sources:        []string{groupIDs[0]},
+				SourceResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
+				Destinations:   []string{groupIDs[1]},
+				Action:         types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[4]})
-
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[3]})
-
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
-	assert.Empty(t, groups)
-	assert.Empty(t, directPeers)
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
+	assert.Contains(t, directPeers, peerIDs[3])
 }
 
 func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T) {
@@ -213,7 +168,8 @@ func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 	assert.Empty(t, directPeers, "non-peer resources should not produce direct peer IDs")
 }
 
@@ -338,7 +294,6 @@ func TestCollectGroupChange_NetworkRouterLinked(t *testing.T) {
 		AccountID:  accountID,
 		PeerGroups: []string{groupIDs[0]},
 		Peer:       peerIDs[3],
-		Enabled:    true,
 	})
 	require.NoError(t, err)
 
@@ -369,7 +324,6 @@ func TestCollectGroupChange_NetworkRouterPeerOnlyNoGroups(t *testing.T) {
 		NetworkID: net1.ID,
 		AccountID: accountID,
 		Peer:      peerIDs[4],
-		Enabled:   true,
 	})
 	require.NoError(t, err)
 
@@ -419,11 +373,17 @@ func TestCollectGroupChange_MultipleEntities(t *testing.T) {
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
+	assert.NotContains(t, groups, groupIDs[2])
+	assert.NotContains(t, groups, groupIDs[3])
 	assert.Empty(t, directPeers)
 
 	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[3]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[2], groupIDs[3]})
+	assert.Contains(t, groups, groupIDs[2])
+	assert.Contains(t, groups, groupIDs[3])
+	assert.NotContains(t, groups, groupIDs[0])
+	assert.NotContains(t, groups, groupIDs[1])
 	assert.Empty(t, directPeers)
 }
 
@@ -492,9 +452,8 @@ func TestResolveAffectedPeers_PolicyBetweenTwoGroups(t *testing.T) {
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[1]})
 	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1]}, result)
 
-	// peerIDs[2] is unrelated to the route; only its own map can change.
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[2]}, result)
+	assert.Empty(t, result)
 }
 
 func TestResolveAffectedPeers_PolicyThreeGroups(t *testing.T) {
@@ -515,7 +474,7 @@ func TestResolveAffectedPeers_PolicyThreeGroups(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2]}, result)
 }
 
 func TestResolveAffectedPeers_RoutePeerGroups(t *testing.T) {
@@ -547,9 +506,8 @@ func TestResolveAffectedPeers_RoutePeerGroups(t *testing.T) {
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[1]})
 	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1]}, result)
 
-	// peerIDs[2] is in no policy; only its own map can change, so it refreshes itself.
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[2]}, result)
+	assert.Empty(t, result)
 }
 
 func TestResolveAffectedPeers_RouteWithDirectPeer(t *testing.T) {
@@ -606,9 +564,9 @@ func TestResolveAffectedPeers_RouteWithAccessControlGroups(t *testing.T) {
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[2]})
 	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2]}, result)
 
-	// peer3 is unrelated to the route; only its own map can change.
+	// peer3 is unrelated
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[3]})
-	assert.ElementsMatch(t, []string{peerIDs[3]}, result)
+	assert.Empty(t, result)
 }
 
 func TestResolveAffectedPeers_NetworkRouter(t *testing.T) {
@@ -629,7 +587,6 @@ func TestResolveAffectedPeers_NetworkRouter(t *testing.T) {
 		AccountID:  accountID,
 		PeerGroups: []string{groupIDs[0]},
 		Peer:       peerIDs[3],
-		Enabled:    true,
 	})
 	require.NoError(t, err)
 
@@ -702,13 +659,9 @@ func TestResolveAffectedPeers_PeerInMultipleGroups(t *testing.T) {
 	}, true)
 	require.NoError(t, err)
 
-	// peer0 is in group0 AND group1, so both policies apply. A peer change folds
-	// only the changed peer plus the opposite side of each rule: group2 (peer2) via
-	// the group0 policy and group3 (peer3) via the group1 policy. peer1, a co-member
-	// of group1, is a sibling of the changed peer and must NOT refresh.
+	// peer0 is in group0 AND group1, so both policies apply
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[3]}, result)
-	assert.NotContains(t, result, peerIDs[1], "co-member of the changed peer's group must not refresh")
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
@@ -744,7 +697,7 @@ func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0], peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[1], peerIDs[3]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_SharedGroupAcrossPolicyAndRoute(t *testing.T) {
@@ -901,9 +854,8 @@ func TestAffectedPeers_IsolatedPolicies(t *testing.T) {
 	assert.NotContains(t, result, peerIDs[0])
 	assert.NotContains(t, result, peerIDs[1])
 
-	// peerIDs[4] is in neither isolated policy; only its own map can change.
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[4]})
-	assert.ElementsMatch(t, []string{peerIDs[4]}, result)
+	assert.Empty(t, result)
 }
 
 func TestAffectedPeers_IsolatedRouteAndPolicy(t *testing.T) {
@@ -1025,13 +977,12 @@ func TestAffectedPeers_GroupUpdateOnlyAffectsLinkedPeers(t *testing.T) {
 	})
 }
 
-// A peer in no policy/route refreshes only itself — no other peer is affected.
-func TestAffectedPeers_UnlinkedPeerChange_RefreshesSelfOnly(t *testing.T) {
+func TestAffectedPeers_UnlinkedGroupChange_NoUpdates(t *testing.T) {
 	manager, s, accountID, peerIDs, _ := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0]}, result)
+	assert.Empty(t, result)
 }
 
 // TestAffectedPeers_PolicyChange_UnrelatedPeerNoUpdate verifies that creating/deleting a
@@ -1381,7 +1332,6 @@ func TestAffectedPeers_NetworkRouterUnlinkedPeerNoUpdate(t *testing.T) {
 		NetworkID:  net1.ID,
 		AccountID:  accountID,
 		PeerGroups: []string{"nr-grpA"},
-		Enabled:    true,
 	})
 	require.NoError(t, err)
 
@@ -1805,9 +1755,7 @@ func TestCollectAffectedFromProxyServices_GroupContainingTargetPeerChanged(t *te
 	assert.Contains(t, directPeers, peerIDs[1], "target peer must be refreshed")
 }
 
-// A disabled service in the snapshot proxies nothing, so it is skipped: a changed
-// target peer does not pull in the service's proxy peer.
-func TestCollectAffectedFromProxyServices_DisabledServiceSkipped(t *testing.T) {
+func TestCollectAffectedFromProxyServices_DisabledServiceStillMatches(t *testing.T) {
 	manager, s, accountID, peerIDs, _ := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
@@ -1833,7 +1781,8 @@ func TestCollectAffectedFromProxyServices_DisabledServiceSkipped(t *testing.T) {
 	require.NoError(t, s.CreateService(ctx, svc))
 
 	_, directPeers := collectPeerChangeAffectedGroups(ctx, manager.Store, accountID, nil, []string{peerIDs[1]})
-	assert.NotContains(t, directPeers, peerIDs[0], "a disabled service proxies nothing, so its proxy peer must not be folded")
+	assert.Contains(t, directPeers, peerIDs[0], "disabled service should still trigger a refresh so peers are ready when re-enabled")
+	assert.Contains(t, directPeers, peerIDs[1], "disabled target should still trigger a refresh")
 }
 
 func TestCollectAffectedFromProxyServices_NonPeerTargetType(t *testing.T) {

management/server/affectedpeers/resolver.go

@@ -6,12 +6,7 @@
 //     and before a delete/removal severs the old state).
 //   - Snapshot.Expand: in-memory walk, no store access. Run AFTER the tx commits.
 //
-// Enabled handling differs by source. Disabled objects in the SNAPSHOT (existing
-// account policies/resources/routers/routes/proxy services and their rules/targets)
-// route to nobody and are skipped — they cannot affect any peer's map. Objects in
-// the CHANGE itself are processed regardless of Enabled, so disabling one still
-// refreshes the peers that lose access (the toggle is the observable change, and the
-// update carries the old∪new state).
+// Enabled is never consulted: toggling it is itself an observable change.
 package affectedpeers
 
 import (
@@ -66,8 +61,7 @@ func Load(ctx context.Context, s store.Store, accountID string, c Change) (*Snap
 // loadCollections reads the policy/route/nameserver/dns/router/resource/proxy
 // collections a Change can touch, gated to what the walk needs.
 func (snap *Snapshot) loadCollections(ctx context.Context, s store.Store, accountID string, c Change) error {
-	// LinkGroups drive the same policy/route/dns walk as a changed group or peer.
-	hasGroupOrPeerChange := len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 || len(c.LinkGroups) > 0 || len(c.Resources) > 0
+	hasGroupOrPeerChange := len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 || len(c.Resources) > 0
 	hasNetworkObject := len(c.Routers) > 0 || len(c.Resources) > 0 || len(c.Networks) > 0
 	// the resource<->router bridge can fire for any of these
 	needsRoutersResources := hasGroupOrPeerChange || len(c.PostureCheckIDs) > 0 || len(c.Policies) > 0 || hasNetworkObject
@@ -82,7 +76,7 @@ func (snap *Snapshot) loadCollections(ctx context.Context, s store.Store, accoun
 			return err
 		}
 	}
-	if len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 || len(c.LinkGroups) > 0 {
+	if len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 {
 		if err := snap.loadDNS(ctx, s, accountID); err != nil {
 			return err
 		}
@@ -180,24 +174,6 @@ type Change struct {
 	// folded in — but only when the group is linked (an unlinked group has no map
 	// impact), matching how current members are handled.
 	RemovedPeersByGroup map[string][]string
-
-	// OutputPeerIDs are peers folded straight into the result without seeding their
-	// group memberships into the walk. Use for the peer whose group membership changed:
-	// the peer itself must refresh, but its OTHER groups did not change, so they must
-	// not be walked. Contrast ChangedPeerIDs, which seeds ALL of the peer's groups
-	// (correct when the peer's own attributes changed, e.g. IP/status).
-	OutputPeerIDs []string
-
-	// LinkGroups are groups used ONLY to match policies/routes/routers and walk to the
-	// OPPOSITE side — they are never expanded to their own members. Use this when a
-	// peer's group membership changed: pass the peer in ChangedPeerIDs and its
-	// group(s) here. The opposite side of the policies the group participates in
-	// refreshes, but the group's other members (siblings) do not — nothing changed for
-	// them. For an intra-group policy (A→A) the opposite side IS the group, so its
-	// members still refresh via the opposite-side fold, exactly when they genuinely
-	// gain/lose the changed peer. Unlike ChangedGroupIDs, a LinkGroup is not added to
-	// the output, so a one-sided membership change never wakes the whole group.
-	LinkGroups []string
 }
 
 func (c Change) isEmpty() bool {
@@ -210,9 +186,7 @@ func (c Change) isEmpty() bool {
 		len(c.Networks) == 0 &&
 		len(c.PostureCheckIDs) == 0 &&
 		len(c.DistributionGroupIDs) == 0 &&
-		len(c.RemovedPeersByGroup) == 0 &&
-		len(c.LinkGroups) == 0 &&
-		len(c.OutputPeerIDs) == 0
+		len(c.RemovedPeersByGroup) == 0
 }
 
 // Expand returns the deduplicated affected peer IDs from the preloaded Snapshot,
@@ -223,8 +197,8 @@ func (snap *Snapshot) Expand(ctx context.Context, accountID string, c Change) []
 		return nil
 	}
 	r := newResolver(ctx, snap, accountID, c)
-	log.WithContext(ctx).Tracef("affectedpeers expand start: account=%s changedGroups=%v changedPeers=%v linkGroups=%v policies=%d routes=%d routers=%d resources=%d networks=%d postureChecks=%v distributionGroups=%v",
-		accountID, c.ChangedGroupIDs, c.ChangedPeerIDs, c.LinkGroups, len(c.Policies), len(c.Routes), len(c.Routers), len(c.Resources), len(c.Networks), c.PostureCheckIDs, c.DistributionGroupIDs)
+	log.WithContext(ctx).Tracef("affectedpeers expand start: account=%s changedGroups=%v changedPeers=%v policies=%d routes=%d routers=%d resources=%d networks=%d postureChecks=%v distributionGroups=%v",
+		accountID, c.ChangedGroupIDs, c.ChangedPeerIDs, len(c.Policies), len(c.Routes), len(c.Routers), len(c.Resources), len(c.Networks), c.PostureCheckIDs, c.DistributionGroupIDs)
 	r.walk()
 	return r.expand()
 }
@@ -242,84 +216,57 @@ func Collect(ctx context.Context, s store.Store, accountID string, c Change) (gr
 	}
 	r := newResolver(ctx, snap, accountID, c)
 	r.walk()
-	return setToSlice(r.affectedGroups), setToSlice(r.affectedPeers)
+	return setToSlice(r.groupSet), setToSlice(r.peerSet)
 }
 
 func newResolver(ctx context.Context, snap *Snapshot, accountID string, c Change) *resolver {
 	r := &resolver{
-		ctx:            ctx,
-		snap:           snap,
-		accountID:      accountID,
-		change:         c,
-		linkGroups:     toSet(c.ChangedGroupIDs),
-		outputGroups:   toSet(c.ChangedGroupIDs),
-		changedPeers:   toSet(c.ChangedPeerIDs),
-		affectedGroups: make(map[string]struct{}),
-		affectedPeers:  make(map[string]struct{}),
+		ctx:             ctx,
+		snap:            snap,
+		accountID:       accountID,
+		change:          c,
+		changedGroupSet: toSet(c.ChangedGroupIDs),
+		changedPeerSet:  toSet(c.ChangedPeerIDs),
+		groupSet:        make(map[string]struct{}),
+		peerSet:         make(map[string]struct{}),
+		networkIDs:      make(map[string]struct{}),
 	}
-	// LinkGroups match policies/routes to find the opposite side but are NOT output:
-	// they go into linkGroups only, never outputGroups, so their members never fold in.
-	addAll(r.linkGroups, c.LinkGroups)
 	// Resolve each changed peer to its groups here so callers pass only ChangedPeerIDs.
 	r.seedChangedGroupsFromPeers()
+	r.matchedPolicies = append(r.matchedPolicies, c.Policies...)
 	return r
 }
 
-// seedChangedGroupsFromPeers adds each changed peer's groups to linkGroups so
+// seedChangedGroupsFromPeers adds each changed peer's groups to changedGroupSet so
 // the group-driven walkers fire for memberships, not just direct peer references.
-// These seeded groups are for MATCHING only — folding the changed entity's own
-// side is gated on outputGroups (the caller-reported groups), so a seeded group
-// never folds its whole membership; only the changed peer itself folds in.
 func (r *resolver) seedChangedGroupsFromPeers() {
-	if len(r.changedPeers) == 0 {
+	if len(r.changedPeerSet) == 0 {
 		return
 	}
 	for groupID, members := range r.snap.groupPeers {
-		for pID := range r.changedPeers {
+		for pID := range r.changedPeerSet {
 			if _, ok := members[pID]; ok {
-				r.linkGroups[groupID] = struct{}{}
+				r.changedGroupSet[groupID] = struct{}{}
 				break
 			}
 		}
 	}
 }
 
-// policySide selects which side of a policy rule to walk.
-type policySide int
-
-const (
-	sideSource policySide = iota
-	sideDestination
-)
-
-func (s policySide) opposite() policySide {
-	if s == sideSource {
-		return sideDestination
-	}
-	return sideSource
-}
-
-// walk resolves affected peers in two buckets, by how far each change propagates.
-//
-// BOTH-SIDES — the rule itself changed (an explicit policy edit, or a policy whose
-// posture check changed). Source AND destination refresh, so each such policy is
-// walked on both sides.
-//
-// OPPOSITE-SIDE — an endpoint moved but no rule changed. For each policy the change
-// touches we fold only the side AWAY from the change:
-//   - a changed peer/group sits ON a policy side -> fold the opposite side;
-//   - a changed router/resource/network sits on a NETWORK -> fold the SOURCE side of
-//     the policies whose destination reaches it (and the routers it implies).
-//
-// Routes, nameserver groups, DNS and embedded-proxy services distribute to their own
-// member peers, outside the policy graph, and are folded here too.
 func (r *resolver) walk() {
-	for _, policy := range r.bothSidesPolicies() {
-		r.foldPolicySide(policy, sideSource)
-		r.foldPolicySide(policy, sideDestination)
-	}
+	r.collectFromExplicitPolicies()
+	r.collectFromExplicitRoutes(r.change.Routes)
+	r.collectFromExplicitRouters(r.change.Routers)
+	r.collectFromExplicitResources(r.change.Resources)
+	r.collectFromExplicitNetworks(r.change.Networks)
+	r.collectFromPostureChecks(r.change.PostureCheckIDs)
 
-	if len(r.linkGroups) > 0 || len(r.changedPeers) > 0 {
+	// Distribution groups (nameserver/DNS) affect only their member peers: fold them
+	// straight into groupSet so expand() maps them to members, without the policy/
+	// route walk that changedGroupSet would trigger.
+	addAll(r.groupSet, r.change.DistributionGroupIDs)
+
+	if len(r.changedGroupSet) > 0 || len(r.changedPeerSet) > 0 {
 		r.collectFromPolicies()
 		r.collectFromRoutes()
 		r.collectFromNameServers()
@@ -328,31 +275,7 @@ func (r *resolver) walk() {
 		r.collectFromProxyServices()
 	}
 
-	r.collectFromChangedRoutes(r.change.Routes)
-	r.collectFromChangedRouters(r.change.Routers)
-	r.collectFromChangedResources(r.change.Resources)
-	r.collectFromChangedNetworks(r.change.Networks)
-
-	// The explicitly changed peers always refresh their own maps. OnPeersUpdated only
-	// refreshes the resolver's output (it ignores the separately-passed changed peers),
-	// so the changed peer reaches its own new map only via here. An offline/deleted
-	// peer in the set is filtered downstream (filterConnectedAffectedPeers).
-	addAll(r.affectedPeers, setToSlice(r.changedPeers))
-	// OutputPeerIDs refresh themselves too, but unlike changedPeers their group
-	// memberships were not seeded into the walk (only the changed group was).
-	addAll(r.affectedPeers, r.change.OutputPeerIDs)
-
-	// Distribution groups (nameserver/DNS) affect only their member peers: fold them
-	// straight into affectedGroups so expand() maps them to members, without the
-	// policy/route walk that linkGroups would trigger.
-	addAll(r.affectedGroups, r.change.DistributionGroupIDs)
-}
-
-// bothSidesPolicies are the policies whose rule changed: the explicitly edited ones
-// plus those gated by a changed posture check. walk folds both their sides.
-func (r *resolver) bothSidesPolicies() []*types.Policy {
-	policies := append([]*types.Policy(nil), r.change.Policies...)
-	return r.appendPoliciesForPostureChecks(policies, r.change.PostureCheckIDs)
+	r.collectResourceRouterBridge()
 }
 
 type resolver struct {
@@ -361,71 +284,27 @@ type resolver struct {
 	accountID string
 	change    Change
 
-	// Inputs — what changed. Set once at construction, read-only during the walk
-	// (except linkGroups, which collectFromExplicitResources also seeds).
-	//
-	// linkGroups is the MATCH set: caller-changed groups ∪ the groups of changed
-	// peers ∪ changed-resource groups. A rule/route/router matches the change when
-	// one of its groups is here — used only to find the opposite side to fold.
-	//
-	// outputGroups is the FOLD-WHOLE-GROUP set: ONLY Change.ChangedGroupIDs. When a
-	// matched group is here, its whole membership is affected. A peer-seeded group
-	// is in linkGroups but NOT outputGroups, so it folds only the changed peer
-	// (changedPeers), never its siblings.
-	linkGroups   map[string]struct{}
-	outputGroups map[string]struct{}
-	changedPeers map[string]struct{}
+	changedGroupSet map[string]struct{}
+	changedPeerSet  map[string]struct{}
 
-	// Outputs — the answer. The only sets the walk accumulates into. affectedGroups
-	// is expanded to its member peers in expand().
-	affectedGroups map[string]struct{}
-	affectedPeers  map[string]struct{}
+	groupSet map[string]struct{}
+	peerSet  map[string]struct{}
+
+	matchedPolicies []*types.Policy
+	networkIDs      map[string]struct{}
 }
 
-// policies returns the account's ENABLED policies from the snapshot. Disabled
-// policies grant no access, so the walk skips them when scanning existing account
-// data. Explicitly changed policies (Change.Policies, via bothSidesPolicies) are
-// processed regardless of Enabled, so disabling one still refreshes its peers.
-func (r *resolver) policies() []*types.Policy {
-	enabled := make([]*types.Policy, 0, len(r.snap.policies))
-	for _, policy := range r.snap.policies {
-		if policy != nil && policy.Enabled {
-			enabled = append(enabled, policy)
-		}
-	}
-	return enabled
-}
+func (r *resolver) policies() []*types.Policy { return r.snap.policies }
 
-// networkResources / networkRouters return the account's ENABLED resources/routers
-// from the snapshot. Disabled objects route to nobody, so the walk skips them when
-// it scans existing account data. The explicitly changed objects in the Change are
-// processed regardless of Enabled (collectFromChanged*), so disabling one still
-// refreshes the peers that lose access.
-func (r *resolver) networkResources() []*resourceTypes.NetworkResource {
-	enabled := make([]*resourceTypes.NetworkResource, 0, len(r.snap.resources))
-	for _, resource := range r.snap.resources {
-		if resource.Enabled {
-			enabled = append(enabled, resource)
-		}
-	}
-	return enabled
-}
+func (r *resolver) networkResources() []*resourceTypes.NetworkResource { return r.snap.resources }
 
-func (r *resolver) networkRouters() []*routerTypes.NetworkRouter {
-	enabled := make([]*routerTypes.NetworkRouter, 0, len(r.snap.routers))
-	for _, router := range r.snap.routers {
-		if router.Enabled {
-			enabled = append(enabled, router)
-		}
-	}
-	return enabled
-}
+func (r *resolver) networkRouters() []*routerTypes.NetworkRouter { return r.snap.routers }
 
 // peerIDsForGroups maps a group set to its member peer IDs via the preloaded index.
-func (r *resolver) peerIDsForGroups(groups map[string]struct{}) []string {
+func (r *resolver) peerIDsForGroups(groupSet map[string]struct{}) []string {
 	seen := make(map[string]struct{})
 	var ids []string
-	for gID := range groups {
+	for gID := range groupSet {
 		for pID := range r.snap.groupPeers[gID] {
 			if _, ok := seen[pID]; ok {
 				continue
@@ -438,25 +317,25 @@ func (r *resolver) peerIDsForGroups(groups map[string]struct{}) []string {
 }
 
 func (r *resolver) expand() []string {
-	peerIDs := r.peerIDsForGroups(r.affectedGroups)
+	peerIDs := r.peerIDsForGroups(r.groupSet)
 
 	log.WithContext(r.ctx).Tracef("affectedpeers expand: account=%s affectedGroups=%v -> %d group-member peers; direct peers=%v",
-		r.accountID, setToSlice(r.affectedGroups), len(peerIDs), setToSlice(r.affectedPeers))
+		r.accountID, setToSlice(r.groupSet), len(peerIDs), setToSlice(r.peerSet))
 
 	seen := make(map[string]struct{}, len(peerIDs))
 	for _, id := range peerIDs {
 		seen[id] = struct{}{}
 	}
-	for id := range r.affectedPeers {
+	for id := range r.peerSet {
 		if _, ok := seen[id]; !ok {
 			peerIDs = append(peerIDs, id)
 			seen[id] = struct{}{}
 		}
 	}
 
-	// Fold in removed peers only when their group is linked (in affectedGroups).
+	// Fold in removed peers only when their group is linked (in groupSet).
 	for groupID, removed := range r.change.RemovedPeersByGroup {
-		if _, linked := r.affectedGroups[groupID]; !linked {
+		if _, linked := r.groupSet[groupID]; !linked {
 			continue
 		}
 		for _, id := range removed {
@@ -472,349 +351,169 @@ func (r *resolver) expand() []string {
 	return peerIDs
 }
 
-// ruleSideGroups / ruleSideResource return the groups and the resource on the given
-// side of a rule.
-func ruleSideGroups(rule *types.PolicyRule, side policySide) []string {
-	if side == sideDestination {
-		return rule.Destinations
-	}
-	return rule.Sources
-}
-
-func ruleSideResource(rule *types.PolicyRule, side policySide) types.Resource {
-	if side == sideDestination {
-		return rule.DestinationResource
-	}
-	return rule.SourceResource
-}
-
-// foldPolicySide folds one side of a policy down to affected peers: its groups
-// (resolved to members in expand) and its direct peer. When the side is the
-// DESTINATION and references a network resource (directly or via a destination
-// group's resources), it also folds the routers that serve that resource's network
-// — a destination resource is reached through its routers. A resource on the SOURCE
-// side routes to nobody (GetPoliciesForNetworkResource matches destinations only),
-// so the router hop is destination-only.
-func (r *resolver) foldPolicySide(policy *types.Policy, side policySide) {
-	if policy == nil {
-		return
-	}
-	for _, rule := range policy.Rules {
-		addAll(r.affectedGroups, ruleSideGroups(rule, side))
-		res := ruleSideResource(rule, side)
-		if res.Type == types.ResourceTypePeer && res.ID != "" {
-			r.affectedPeers[res.ID] = struct{}{}
-		}
-	}
-	if side == sideDestination {
-		r.foldRoutersForResources(r.policyDestinationResourceIDs(policy))
-	}
-}
-
-// appendPoliciesForPostureChecks appends every policy that references a changed
-// posture check (a rule change, so walk both sides).
-func (r *resolver) appendPoliciesForPostureChecks(policies []*types.Policy, postureCheckIDs []string) []*types.Policy {
-	if len(postureCheckIDs) == 0 {
-		return policies
-	}
-	ids := toSet(postureCheckIDs)
-	for _, policy := range r.policies() {
-		if !policyReferencesPostureChecks(policy, ids) || !policy.Enabled {
+func (r *resolver) collectFromExplicitPolicies() {
+	for _, policy := range r.matchedPolicies {
+		if policy == nil {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("appendPoliciesForPostureChecks: policy %s (%s) references changed posture checks %v -> both-sides policy",
-			policy.ID, policy.Name, postureCheckIDs)
-		policies = append(policies, policy)
-	}
-	return policies
-}
-
-// collectFromPolicies folds, for every policy whose rule a changed group or peer
-// touches, only the OPPOSITE side (down to peers, incl. destination routers), plus
-// the changed entity's own side: the changed group's whole membership when the
-// group itself changed (outputGroups), or the changed peer alone when matched via a
-// peer-seeded group (never its co-members).
-func (r *resolver) collectFromPolicies() {
-	for _, policy := range r.policies() {
-		for _, rule := range policy.Rules {
-			if !rule.Enabled {
-				continue // a disabled rule grants no access
-			}
-			r.foldRuleSideIfChanged(policy, rule, sideSource)
-			r.foldRuleSideIfChanged(policy, rule, sideDestination)
-		}
+		log.WithContext(r.ctx).Tracef("collectFromExplicitPolicies: changed policy %s (%s) -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
 	}
 }
 
-// foldRuleSideIfChanged: when a changed group or direct peer sits on `side` of the
-// rule, fold the opposite side fully (groups/peers + destination routers) and fold
-// the changed entity's own side (the whole changed group, or the changed peer alone).
-func (r *resolver) foldRuleSideIfChanged(policy *types.Policy, rule *types.PolicyRule, side policySide) {
-	nearGroups := ruleSideGroups(rule, side)
-	nearResource := ruleSideResource(rule, side)
-
-	matchedByGroup := anyInSet(nearGroups, r.linkGroups)
-	matchedByPeer := isDirectPeerInSet(nearResource, r.changedPeers)
-	if !matchedByGroup && !matchedByPeer {
-		return
-	}
-
-	// Opposite side, fully down to peers (a destination opposite also folds routers).
-	r.foldPolicySideForRule(policy, rule, side.opposite())
-
-	// Own side: fold the whole changed group's members only when the group itself
-	// changed (outputGroups). A peer-seeded or link-only group is not folded here —
-	// its siblings never refresh. The changed peers themselves are folded once, after
-	// the walk (see walk()).
-	for _, gID := range nearGroups {
-		if _, ok := r.outputGroups[gID]; ok {
-			r.affectedGroups[gID] = struct{}{}
-		}
-	}
-
-	// When the changed side IS a destination, the resources it targets are reached
-	// through their network's routers, so those routers refresh too (e.g. attaching a
-	// resource to a destination group, or a changed destination group/resource).
-	if side == sideDestination {
-		r.foldRoutersForResources(r.ruleDestinationResourceIDs(rule))
-	}
-}
-
-// foldPolicySideForRule folds one side of a single rule (groups + direct peer), and
-// for a destination side the routers of that rule's destination resources.
-func (r *resolver) foldPolicySideForRule(policy *types.Policy, rule *types.PolicyRule, side policySide) {
-	addAll(r.affectedGroups, ruleSideGroups(rule, side))
-	res := ruleSideResource(rule, side)
-	if res.Type == types.ResourceTypePeer && res.ID != "" {
-		r.affectedPeers[res.ID] = struct{}{}
-	}
-	if side == sideDestination {
-		r.foldRoutersForResources(r.ruleDestinationResourceIDs(rule))
-	}
-}
-
-// collectFromChangedRoutes folds an explicitly changed route's own groups and peer.
-func (r *resolver) collectFromChangedRoutes(routes []*route.Route) {
+func (r *resolver) collectFromExplicitRoutes(routes []*route.Route) {
 	for _, rt := range routes {
 		if rt == nil {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedRoutes: changed route %s -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
+		log.WithContext(r.ctx).Tracef("collectFromExplicitRoutes: changed route %s -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
 			rt.ID, rt.Groups, rt.PeerGroups, rt.AccessControlGroups, rt.Peer)
-		addAll(r.affectedGroups, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
+		addAll(r.groupSet, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
 		if rt.Peer != "" {
-			r.affectedPeers[rt.Peer] = struct{}{}
+			r.peerSet[rt.Peer] = struct{}{}
 		}
 	}
 }
 
-// collectFromChangedRouters: a changed router refreshes its OWN backing peer/groups
-// (the changed entity) and the SOURCE side of every policy reaching a resource on
-// its network (the router serves the whole network). Sibling routers on the network
-// are independent and are NOT folded. Passing the old router state keeps a repointed
-// router's previous backing affected without a post-commit read.
-func (r *resolver) collectFromChangedRouters(routers []*routerTypes.NetworkRouter) {
+// collectFromExplicitRouters folds changed routers' peers and marks their networks
+// for the bridge. Passing the old router keeps a repointed router's previous peers
+// affected without a post-commit read.
+func (r *resolver) collectFromExplicitRouters(routers []*routerTypes.NetworkRouter) {
 	for _, router := range routers {
 		if router == nil {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedRouters: changed router %s on network %s -> folding its own peerGroups=%v peer=%q + sources reaching network resources",
+		log.WithContext(r.ctx).Tracef("collectFromExplicitRouters: changed router %s on network %s -> folding peerGroups=%v peer=%q and marking network for source bridge",
 			router.ID, router.NetworkID, router.PeerGroups, router.Peer)
-		addAll(r.affectedGroups, router.PeerGroups)
+		addAll(r.groupSet, router.PeerGroups)
 		if router.Peer != "" {
-			r.affectedPeers[router.Peer] = struct{}{}
+			r.peerSet[router.Peer] = struct{}{}
 		}
 		if router.NetworkID != "" {
-			r.foldPolicySourcesForResources(r.networkResourceIDs(router.NetworkID))
+			r.networkIDs[router.NetworkID] = struct{}{}
 		}
 	}
 }
 
-// collectFromChangedResources: a changed resource refreshes the SOURCE side of the
-// policies targeting EXACTLY that resource — directly, or via one of the resource's
-// own groups (old∪new across the change, so a now-detached group's sources still
-// refresh) — plus the routers serving its network (the resource is reached through
-// them). It does not touch sibling resources on the same network.
-func (r *resolver) collectFromChangedResources(resources []*resourceTypes.NetworkResource) {
+// collectFromExplicitResources marks changed resources' networks for the bridge and
+// treats their group IDs as changed, so policies targeting the resource via a
+// now-detached (old) group still refresh.
+func (r *resolver) collectFromExplicitResources(resources []*resourceTypes.NetworkResource) {
 	for _, resource := range resources {
 		if resource == nil {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedResources: changed resource %s on network %s (groups %v) -> folding sources of policies targeting it + its network's routers",
+		log.WithContext(r.ctx).Tracef("collectFromExplicitResources: changed resource %s on network %s -> marking network for bridge and treating groups %v as changed",
 			resource.ID, resource.NetworkID, resource.GroupIDs)
-		r.foldPolicySourcesForResource(resource.ID, resource.GroupIDs)
+		addAll(r.changedGroupSet, resource.GroupIDs)
 		if resource.NetworkID != "" {
-			r.foldRoutersOnNetworks(map[string]struct{}{resource.NetworkID: {}})
+			r.networkIDs[resource.NetworkID] = struct{}{}
 		}
 	}
 }
 
-// foldPolicySourcesForResource folds the source side of every policy whose
-// destination is the given resource — referenced directly, or via any of the given
-// groups (the resource's own old∪new groups, which captures a detached group).
-func (r *resolver) foldPolicySourcesForResource(resourceID string, groupIDs []string) {
-	groups := toSet(groupIDs)
-	for _, policy := range r.policies() {
-		if !policyTargetsResourceOrGroups(policy, resourceID, groups) {
-			continue
-		}
-		log.WithContext(r.ctx).Tracef("foldPolicySourcesForResource: policy %s (%s) targets changed resource %s -> folding its source groups/peers", policy.ID, policy.Name, resourceID)
-		collectPolicySources(policy, r.affectedGroups, r.affectedPeers)
-	}
-}
-
-// policyTargetsResourceOrGroups reports whether a policy's destination is the given
-// resource directly, or one of the given destination groups.
-func policyTargetsResourceOrGroups(policy *types.Policy, resourceID string, groups map[string]struct{}) bool {
-	if policy == nil {
-		return false
-	}
-	for _, rule := range policy.Rules {
-		if !rule.Enabled {
-			continue
-		}
-		if rule.DestinationResource.Type != types.ResourceTypePeer && rule.DestinationResource.ID == resourceID && resourceID != "" {
-			return true
-		}
-		if anyInSet(rule.Destinations, groups) {
-			return true
-		}
-	}
-	return false
-}
-
-// collectFromChangedNetworks: a changed network refreshes the SOURCE side of the
-// policies reaching any of its resources, plus its routers. A network has no
-// groups/peers of its own.
-func (r *resolver) collectFromChangedNetworks(networks []*networkTypes.Network) {
+// collectFromExplicitNetworks marks changed networks for the bridge. A network has
+// no groups/peers of its own.
+func (r *resolver) collectFromExplicitNetworks(networks []*networkTypes.Network) {
 	for _, network := range networks {
-		if network == nil || network.ID == "" {
+		if network == nil {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedNetworks: changed network %s -> folding sources reaching its resources + its routers", network.ID)
-		resourceIDs := r.networkResourceIDs(network.ID)
-		r.foldPolicySourcesForResources(resourceIDs)
-		r.foldRoutersOnNetworks(map[string]struct{}{network.ID: {}})
+		log.WithContext(r.ctx).Tracef("collectFromExplicitNetworks: changed network %s -> marking for bridge", network.ID)
+		if network.ID != "" {
+			r.networkIDs[network.ID] = struct{}{}
+		}
 	}
 }
 
-// foldPolicySourcesForResources folds the source groups/peers of every policy whose
-// destination targets one of resourceIDs (directly or via a destination group).
-func (r *resolver) foldPolicySourcesForResources(resourceIDs map[string]struct{}) {
-	if len(resourceIDs) == 0 {
+func (r *resolver) collectFromPostureChecks(postureCheckIDs []string) {
+	if len(postureCheckIDs) == 0 {
 		return
 	}
+	ids := toSet(postureCheckIDs)
 	for _, policy := range r.policies() {
-		if r.policyTargetsResources(policy, resourceIDs) {
-			log.WithContext(r.ctx).Tracef("foldPolicySourcesForResources: policy %s (%s) targets a changed resource -> folding its source groups/peers", policy.ID, policy.Name)
-			collectPolicySources(policy, r.affectedGroups, r.affectedPeers)
+		if !policyReferencesPostureChecks(policy, ids) {
+			continue
 		}
+		log.WithContext(r.ctx).Tracef("collectFromPostureChecks: policy %s (%s) references changed posture checks %v -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, postureCheckIDs, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
+		r.matchedPolicies = append(r.matchedPolicies, policy)
+	}
+}
+
+func (r *resolver) collectFromPolicies() {
+	for _, policy := range r.policies() {
+		matchedByGroup := policyReferencesGroups(policy, r.changedGroupSet)
+		matchedByPeer := len(r.changedPeerSet) > 0 && policyReferencesDirectPeers(policy, r.changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
+			continue
+		}
+		log.WithContext(r.ctx).Tracef("collectFromPolicies: policy %s (%s) matched (byGroup=%t byPeer=%t) -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, matchedByGroup, matchedByPeer, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
+		r.matchedPolicies = append(r.matchedPolicies, policy)
 	}
 }
 
-// collectFromRoutes folds, per matched route, the OPPOSITE side(s) fully and the
-// matched side's own groups only on a whole-group change (outputGroups). A route has
-// three peer sides — routing (Peer/PeerGroups), consumer (Groups) and ACL
-// (AccessControlGroups) — that each refresh the others; the changed side's own group
-// folds its siblings only when the group itself changed, never on a one-peer move.
 func (r *resolver) collectFromRoutes() {
 	for _, rt := range r.snap.routes {
-		if !rt.Enabled {
-			continue // disabled routes route to nobody; skip existing account data
-		}
-		routing := anyInSet(rt.PeerGroups, r.linkGroups) || (rt.Peer != "" && isInSet(rt.Peer, r.changedPeers))
-		consumer := anyInSet(rt.Groups, r.linkGroups)
-		acl := anyInSet(rt.AccessControlGroups, r.linkGroups)
-		if !routing && !consumer && !acl {
+		matchedByGroup := anyInSet(rt.Groups, r.changedGroupSet) || anyInSet(rt.PeerGroups, r.changedGroupSet) || anyInSet(rt.AccessControlGroups, r.changedGroupSet)
+		matchedByPeer := rt.Peer != "" && len(r.changedPeerSet) > 0 && isInSet(rt.Peer, r.changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromRoutes: route %s matched (routing=%t consumer=%t acl=%t) -> folding opposite sides; own side gated on outputGroups",
-			rt.ID, routing, consumer, acl)
-		r.foldRouteSide(rt.PeerGroups, routing)
-		r.foldRouteSide(rt.Groups, consumer)
-		r.foldRouteSide(rt.AccessControlGroups, acl)
-		// The single routing Peer folds when the routing side is the OPPOSITE of the
-		// match (consumer/acl need it), or when that very peer is the change.
-		if rt.Peer != "" && (consumer || acl || isInSet(rt.Peer, r.changedPeers)) {
-			r.affectedPeers[rt.Peer] = struct{}{}
-		}
-	}
-}
-
-// foldRouteSide folds a route side: when this side is the one that matched, fold its
-// groups only on a whole-group change (outputGroups) so siblings of a single moved
-// peer stay put; otherwise it is an opposite side and folds fully.
-func (r *resolver) foldRouteSide(groups []string, matchedHere bool) {
-	if matchedHere {
-		r.foldOutputGroups(groups)
-		return
-	}
-	addAll(r.affectedGroups, groups)
-}
-
-// foldOutputGroups folds only the groups that the caller reported as wholly changed
-// (outputGroups). Used for a matched object's OWN side, where a peer-seeded or
-// link-only group must not pull in its siblings.
-func (r *resolver) foldOutputGroups(groups ...[]string) {
-	for _, gs := range groups {
-		for _, gID := range gs {
-			if _, ok := r.outputGroups[gID]; ok {
-				r.affectedGroups[gID] = struct{}{}
-			}
+		log.WithContext(r.ctx).Tracef("collectFromRoutes: route %s matched (byGroup=%t byPeer=%t) -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
+			rt.ID, matchedByGroup, matchedByPeer, rt.Groups, rt.PeerGroups, rt.AccessControlGroups, rt.Peer)
+		addAll(r.groupSet, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
+		if rt.Peer != "" {
+			r.peerSet[rt.Peer] = struct{}{}
 		}
 	}
 }
 
 func (r *resolver) collectFromNameServers() {
-	if len(r.linkGroups) == 0 {
+	if len(r.changedGroupSet) == 0 {
 		return
 	}
 	for _, ns := range r.snap.nsGroups {
-		if anyInSet(ns.Groups, r.linkGroups) {
-			// A nameserver group has no opposite side: a peer's DNS config depends only
-			// on its own membership, so a one-peer move refreshes that peer alone (folded
-			// elsewhere). Fold the referenced groups only on a whole-group change.
-			log.WithContext(r.ctx).Tracef("collectFromNameServers: nameserver group %s references a linked group -> folding its groups %v (outputGroups only)", ns.ID, ns.Groups)
-			r.foldOutputGroups(ns.Groups)
+		if anyInSet(ns.Groups, r.changedGroupSet) {
+			log.WithContext(r.ctx).Tracef("collectFromNameServers: nameserver group %s references a changed group -> folding its groups %v", ns.ID, ns.Groups)
+			addAll(r.groupSet, ns.Groups)
 		}
 	}
 }
 
 func (r *resolver) collectFromDNSSettings() {
-	if len(r.linkGroups) == 0 || r.snap.dnsSettings == nil {
+	if len(r.changedGroupSet) == 0 || r.snap.dnsSettings == nil {
 		return
 	}
 	for _, gID := range r.snap.dnsSettings.DisabledManagementGroups {
-		if _, ok := r.linkGroups[gID]; ok {
+		if _, ok := r.changedGroupSet[gID]; ok {
 			log.WithContext(r.ctx).Tracef("collectFromDNSSettings: changed group %s is in DisabledManagementGroups -> folding it", gID)
-			r.affectedGroups[gID] = struct{}{}
+			r.groupSet[gID] = struct{}{}
 		}
 	}
 }
 
-// collectFromNetworkRouters handles a changed group/peer that BACKS a router (the
-// routing peer set moved): the router's own peers refresh and so do the sources of
-// the policies reaching its network's resources. Sibling routers on the network are
-// independent and are not folded.
 func (r *resolver) collectFromNetworkRouters() {
 	for _, router := range r.networkRouters() {
-		matchedByGroup := anyInSet(router.PeerGroups, r.linkGroups)
-		matchedByPeer := router.Peer != "" && len(r.changedPeers) > 0 && isInSet(router.Peer, r.changedPeers)
+		matchedByGroup := anyInSet(router.PeerGroups, r.changedGroupSet)
+		matchedByPeer := router.Peer != "" && len(r.changedPeerSet) > 0 && isInSet(router.Peer, r.changedPeerSet)
 		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromNetworkRouters: router %s on network %s matched (byGroup=%t byPeer=%t) -> folding its peerGroups=%v peer=%q (own groups on outputGroups) + sources reaching network resources",
+		log.WithContext(r.ctx).Tracef("collectFromNetworkRouters: router %s on network %s matched (byGroup=%t byPeer=%t) -> folding peerGroups=%v peer=%q and marking network for source bridge",
 			router.ID, router.NetworkID, matchedByGroup, matchedByPeer, router.PeerGroups, router.Peer)
-		// The backing PeerGroups are the matched (own) side: fold them only on a
-		// whole-group change so a one-peer move does not wake sibling backing peers. The
-		// opposite side (policy sources reaching the network) is folded below.
-		r.foldOutputGroups(router.PeerGroups)
+		addAll(r.groupSet, router.PeerGroups)
 		if router.Peer != "" {
-			r.affectedPeers[router.Peer] = struct{}{}
-		}
-		if router.NetworkID != "" {
-			r.foldPolicySourcesForResources(r.networkResourceIDs(router.NetworkID))
+			r.peerSet[router.Peer] = struct{}{}
 		}
+		r.networkIDs[router.NetworkID] = struct{}{}
 	}
 }
 
@@ -827,48 +526,42 @@ func (r *resolver) collectFromProxyServices() {
 	expanded := r.expandChangedPeersWithGroups()
 
 	for _, svc := range services {
-		if svc == nil || !svc.Enabled {
-			continue // a disabled service proxies nothing; skip existing account data
+		if svc == nil {
+			continue
 		}
 		proxyPeers := proxyByCluster[svc.ProxyCluster]
 		if len(proxyPeers) == 0 {
 			continue
 		}
 		matchedByPeer := serviceMatchesChangedPeers(svc, proxyPeers, expanded)
-		matchedByAccessGroup := anyInSet(svc.AccessGroups, r.linkGroups)
+		matchedByAccessGroup := anyInSet(svc.AccessGroups, r.changedGroupSet)
 		if !matchedByPeer && !matchedByAccessGroup {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromProxyServices: service %s (cluster=%s) matched (byProxyOrTargetPeer=%t byAccessGroup=%t) -> folding %d proxy peers, peer targets; access groups %v on outputGroups only",
+		log.WithContext(r.ctx).Tracef("collectFromProxyServices: service %s (cluster=%s) matched (byProxyOrTargetPeer=%t byAccessGroup=%t) -> folding %d proxy peers, peer targets and access groups %v",
 			svc.ID, svc.ProxyCluster, matchedByPeer, matchedByAccessGroup, len(proxyPeers), svc.AccessGroups)
 		for _, pid := range proxyPeers {
-			r.affectedPeers[pid] = struct{}{}
+			r.peerSet[pid] = struct{}{}
 		}
 		for _, target := range svc.Targets {
-			if !target.Enabled {
-				continue // a disabled target forwards nothing
-			}
 			if target.TargetType == rpservice.TargetTypePeer && target.TargetId != "" {
-				r.affectedPeers[target.TargetId] = struct{}{}
+				r.peerSet[target.TargetId] = struct{}{}
 			}
 		}
-		// AccessGroups are the matched (own) side with no opposite to fold: a member's
-		// proxy access is self-contained, so a one-peer move refreshes that peer alone.
-		// Fold the groups only on a whole-group change.
-		r.foldOutputGroups(svc.AccessGroups)
+		addAll(r.groupSet, svc.AccessGroups)
 	}
 }
 
 func (r *resolver) expandChangedPeersWithGroups() map[string]struct{} {
-	if len(r.linkGroups) == 0 {
-		return r.changedPeers
+	if len(r.changedGroupSet) == 0 {
+		return r.changedPeerSet
 	}
-	ids := r.peerIDsForGroups(r.linkGroups)
+	ids := r.peerIDsForGroups(r.changedGroupSet)
 	if len(ids) == 0 {
-		return r.changedPeers
+		return r.changedPeerSet
 	}
-	merged := make(map[string]struct{}, len(r.changedPeers)+len(ids))
-	for id := range r.changedPeers {
+	merged := make(map[string]struct{}, len(r.changedPeerSet)+len(ids))
+	for id := range r.changedPeerSet {
 		merged[id] = struct{}{}
 	}
 	for _, id := range ids {
@@ -877,36 +570,54 @@ func (r *resolver) expandChangedPeersWithGroups() map[string]struct{} {
 	return merged
 }
 
-// foldRoutersForResources folds the routers serving the networks of the given
-// resources (a destination resource is reached through its network's routers). It is
-// the resource -> network -> router hop used by foldPolicySide for a destination.
-func (r *resolver) foldRoutersForResources(resourceIDs map[string]struct{}) {
+// collectResourceRouterBridge crosses between source peers and routing peers, which
+// are reachable only via resource -> network -> router, not through the policy's own
+// groups: source -> router (targeted resources' networks), then router -> source.
+func (r *resolver) collectResourceRouterBridge() {
+	r.bridgeSourceToRouters()
+	r.bridgeRoutersToSources()
+}
+
+func (r *resolver) bridgeSourceToRouters() {
+	resourceIDs := r.policyDestinationResourceIDs(r.matchedPolicies...)
 	if len(resourceIDs) == 0 {
 		return
 	}
-	r.foldRoutersOnNetworks(r.resourceNetworkIDs(resourceIDs))
-}
 
-// ruleDestinationResourceIDs returns the destination resource IDs of a single rule:
-// the direct DestinationResource plus the resources of its destination groups.
-func (r *resolver) ruleDestinationResourceIDs(rule *types.PolicyRule) map[string]struct{} {
-	resourceIDs := make(map[string]struct{})
-	if rule.DestinationResource.Type != types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-		resourceIDs[rule.DestinationResource.ID] = struct{}{}
+	networkIDs := r.resourceNetworkIDs(resourceIDs)
+	log.WithContext(r.ctx).Tracef("bridgeSourceToRouters: targeted resources %v -> networks %v (their routers become affected via the router->source pass)",
+		setToSlice(resourceIDs), setToSlice(networkIDs))
+	for id := range networkIDs {
+		r.networkIDs[id] = struct{}{}
 	}
-	r.addGroupResourceIDs(toSet(rule.Destinations), resourceIDs)
-	return resourceIDs
 }
 
-// networkResourceIDs returns the IDs of all resources on the given network.
-func (r *resolver) networkResourceIDs(networkID string) map[string]struct{} {
+func (r *resolver) bridgeRoutersToSources() {
+	if len(r.networkIDs) == 0 {
+		return
+	}
+
+	log.WithContext(r.ctx).Tracef("bridgeRoutersToSources: affected networks %v -> folding their routing peers and the source peers of policies targeting their resources",
+		setToSlice(r.networkIDs))
+
+	r.foldRoutersOnNetworks(r.networkIDs)
+
 	resourceIDs := make(map[string]struct{})
 	for _, resource := range r.networkResources() {
-		if resource.NetworkID == networkID {
+		if _, ok := r.networkIDs[resource.NetworkID]; ok {
 			resourceIDs[resource.ID] = struct{}{}
 		}
 	}
-	return resourceIDs
+	if len(resourceIDs) == 0 {
+		return
+	}
+
+	for _, policy := range r.policies() {
+		if r.policyTargetsResources(policy, resourceIDs) {
+			log.WithContext(r.ctx).Tracef("bridgeRoutersToSources: policy %s (%s) targets an affected-network resource -> folding its source groups/peers", policy.ID, policy.Name)
+			collectPolicySources(policy, r.groupSet, r.peerSet)
+		}
+	}
 }
 
 func (r *resolver) foldRoutersOnNetworks(networkIDs map[string]struct{}) {
@@ -916,9 +627,9 @@ func (r *resolver) foldRoutersOnNetworks(networkIDs map[string]struct{}) {
 		}
 		log.WithContext(r.ctx).Tracef("bridgeRoutersToSources: router %s serves affected network %s -> folding peerGroups=%v peer=%q",
 			router.ID, router.NetworkID, router.PeerGroups, router.Peer)
-		addAll(r.affectedGroups, router.PeerGroups)
+		addAll(r.groupSet, router.PeerGroups)
 		if router.Peer != "" {
-			r.affectedPeers[router.Peer] = struct{}{}
+			r.peerSet[router.Peer] = struct{}{}
 		}
 	}
 }
@@ -939,9 +650,6 @@ func (r *resolver) policyTargetsResources(policy *types.Policy, resourceIDs map[
 	}
 	destGroupSet := make(map[string]struct{})
 	for _, rule := range policy.Rules {
-		if !rule.Enabled {
-			continue
-		}
 		if rule.DestinationResource.Type != types.ResourceTypePeer && isInSet(rule.DestinationResource.ID, resourceIDs) {
 			return true
 		}
@@ -1006,20 +714,44 @@ func (r *resolver) addGroupResourceIDs(groupIDs map[string]struct{}, resourceIDs
 	}
 }
 
-// collectPolicySources folds the source groups/peers of a snapshot policy's enabled
-// rules (a disabled rule grants no access).
-func collectPolicySources(policy *types.Policy, groups, peers map[string]struct{}) {
+func collectPolicyDirectPeers(policy *types.Policy, peerSet map[string]struct{}) {
 	for _, rule := range policy.Rules {
-		if !rule.Enabled {
-			continue
-		}
-		addAll(groups, rule.Sources)
 		if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-			peers[rule.SourceResource.ID] = struct{}{}
+			peerSet[rule.SourceResource.ID] = struct{}{}
+		}
+		if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
+			peerSet[rule.DestinationResource.ID] = struct{}{}
 		}
 	}
 }
 
+func collectPolicySources(policy *types.Policy, groupSet, peerSet map[string]struct{}) {
+	for _, rule := range policy.Rules {
+		addAll(groupSet, rule.Sources)
+		if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
+			peerSet[rule.SourceResource.ID] = struct{}{}
+		}
+	}
+}
+
+func policyReferencesGroups(policy *types.Policy, groupSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
+			return true
+		}
+	}
+	return false
+}
+
+func policyReferencesDirectPeers(policy *types.Policy, changedSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if isDirectPeerInSet(rule.SourceResource, changedSet) || isDirectPeerInSet(rule.DestinationResource, changedSet) {
+			return true
+		}
+	}
+	return false
+}
+
 func policyReferencesPostureChecks(policy *types.Policy, ids map[string]struct{}) bool {
 	for _, id := range policy.SourcePostureChecks {
 		if _, ok := ids[id]; ok {
@@ -1044,7 +776,7 @@ func serviceMatchesChangedPeers(svc *rpservice.Service, proxyPeers []string, cha
 		}
 	}
 	for _, target := range svc.Targets {
-		if !target.Enabled || target.TargetType != rpservice.TargetTypePeer || target.TargetId == "" {
+		if target.TargetType != rpservice.TargetTypePeer || target.TargetId == "" {
 			continue
 		}
 		if _, ok := changedPeers[target.TargetId]; ok {

management/server/affectedpeers/resolver_test.go

@@ -10,8 +10,8 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 )
 
-// policyGroupsAndPeers mirrors the both-sides extraction (RuleGroups + direct peers)
-// the resolver folds in for a changed policy, for asserting the pure logic.
+// policyGroupsAndPeers mirrors the explicit-policy extraction (RuleGroups +
+// direct peers) the resolver folds in, for asserting the pure logic.
 func policyGroupsAndPeers(policies ...*types.Policy) (groups []string, peers []string) {
 	peerSet := map[string]struct{}{}
 	for _, p := range policies {
@@ -19,14 +19,7 @@ func policyGroupsAndPeers(policies ...*types.Policy) (groups []string, peers []s
 			continue
 		}
 		groups = append(groups, p.RuleGroups()...)
-		for _, rule := range p.Rules {
-			if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-				peerSet[rule.SourceResource.ID] = struct{}{}
-			}
-			if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-				peerSet[rule.DestinationResource.ID] = struct{}{}
-			}
-		}
+		collectPolicyDirectPeers(p, peerSet)
 	}
 	for id := range peerSet {
 		peers = append(peers, id)
@@ -87,6 +80,26 @@ func TestChangeIsEmpty(t *testing.T) {
 	assert.False(t, Change{PostureCheckIDs: []string{"pc"}}.isEmpty())
 }
 
+func TestPolicyReferencesGroups(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{Sources: []string{"g1", "g2"}, Destinations: []string{"g3"}}}}
+
+	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g1": {}}))
+	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g3": {}}))
+	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{"g4": {}}))
+	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{}))
+}
+
+func TestPolicyReferencesDirectPeers(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{
+		SourceResource:      types.Resource{Type: types.ResourceTypePeer, ID: "p1"},
+		DestinationResource: types.Resource{Type: types.ResourceTypeHost, ID: "r1"},
+	}}}
+
+	assert.True(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p1": {}}))
+	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"r1": {}}))
+	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p2": {}}))
+}
+
 func TestPolicyReferencesPostureChecks(t *testing.T) {
 	policy := &types.Policy{SourcePostureChecks: []string{"pc1", "pc2"}}
 
@@ -94,9 +107,24 @@ func TestPolicyReferencesPostureChecks(t *testing.T) {
 	assert.False(t, policyReferencesPostureChecks(policy, map[string]struct{}{"pc3": {}}))
 }
 
+func TestCollectPolicyDirectPeers(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{
+		SourceResource:      types.Resource{Type: types.ResourceTypePeer, ID: "p1"},
+		DestinationResource: types.Resource{Type: types.ResourceTypePeer, ID: "p2"},
+	}, {
+		DestinationResource: types.Resource{Type: types.ResourceTypeHost, ID: "r1"},
+	}}}
+
+	peerSet := map[string]struct{}{}
+	collectPolicyDirectPeers(policy, peerSet)
+
+	assert.Contains(t, peerSet, "p1")
+	assert.Contains(t, peerSet, "p2")
+	assert.NotContains(t, peerSet, "r1")
+}
+
 func TestCollectPolicySources(t *testing.T) {
 	policy := &types.Policy{Rules: []*types.PolicyRule{{
-		Enabled:        true,
 		Sources:        []string{"g1"},
 		SourceResource: types.Resource{Type: types.ResourceTypePeer, ID: "p1"},
 		Destinations:   []string{"g2"},

management/server/group.go

@@ -520,12 +520,7 @@ func collectDeletableGroups(ctx context.Context, transaction store.Store, accoun
 // GroupAddPeer appends peer to the group
 func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, groupID, peerID string) error {
 	var snap *affectedpeers.Snapshot
-	// A membership change affects only the peer itself and the opposite side of THIS
-	// group's policies — not the group's other members, and not the peer's other
-	// groups. LinkGroups walks only this group (matched, not expanded); OutputPeerIDs
-	// refreshes the peer without seeding its other group memberships. For an
-	// intra-group policy the opposite side is the group, so its members still refresh.
-	change := affectedpeers.Change{OutputPeerIDs: []string{peerID}, LinkGroups: []string{groupID}}
+	change := affectedpeers.Change{ChangedGroupIDs: []string{groupID}}
 
 	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := transaction.AddPeerToGroup(ctx, accountID, peerID, groupID); err != nil {
@@ -591,11 +586,10 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 // GroupDeletePeer removes peer from the group
 func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID, groupID, peerID string) error {
 	var snap *affectedpeers.Snapshot
-	// Same as GroupAddPeer: the removed peer and the opposite side of THIS group's
-	// policies refresh, not the group's other members or the peer's other groups. The
-	// peer is no longer in the group's index, but LinkGroups still drives the
-	// opposite-side walk, and OutputPeerIDs refreshes the removed peer itself.
-	change := affectedpeers.Change{OutputPeerIDs: []string{peerID}, LinkGroups: []string{groupID}}
+	change := affectedpeers.Change{
+		ChangedGroupIDs:     []string{groupID},
+		RemovedPeersByGroup: map[string][]string{groupID: {peerID}},
+	}
 
 	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := transaction.RemovePeerFromGroup(ctx, peerID, groupID); err != nil {
@@ -606,6 +600,8 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 			return err
 		}
 
+		// The removed peer is carried in change.RemovedPeersByGroup and folded in
+		// only when the group is linked, so loading post-removal is correct.
 		var err error
 		if snap, err = affectedpeers.Load(ctx, transaction, accountID, change); err != nil {
 			return err

management/server/peer.go

@@ -209,14 +209,14 @@ func (am *DefaultAccountManager) resolvePeerLocation(ctx context.Context, peer *
 	if am.geo == nil || realIP == nil {
 		return nil
 	}
+	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) {
+		return nil
+	}
 	location, err := am.geo.Lookup(realIP)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed to get location for peer %s realip: [%s]: %v", peer.ID, realIP.String(), err)
 		return nil
 	}
-	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) && peer.Location.GeoNameID == location.City.GeonameID {
-		return nil
-	}
 	return &nbpeer.Location{
 		ConnectionIP: realIP,
 		CountryCode:  location.Country.ISOCode,
@@ -1052,7 +1052,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	}
 
 	metaDiffAffectsPosture := posture.AffectsPosture(ctx, &metaDiff, resPostureChecks)
-	if requiresPeerUpdate(ctx, isStatusChanged, sync.UpdateAccountPeers, ipv6CapabilityChanged, metaDiffAffectsPosture, metaDiff.VersionChanged(), metaDiff.HostnameChanged()) {
+	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || metaDiffAffectsPosture || metaDiff.VersionChanged() || metaDiff.HostnameChanged() {
 		changedPeerIDs := []string{peer.ID}
 		affectedPeerIDs := am.syncPeerAffectedPeers(ctx, accountID, peer.ID, nmap, peerNotValid, metaDiffAffectsPosture)
 		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
@@ -1063,29 +1063,6 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	return peer, nmap, resPostureChecks, dnsFwdPort, nil
 }
 
-func requiresPeerUpdate(ctx context.Context, isStatusChanged, updateAccountPeers, ipv6CapabilityChanged, metaDiffAffectsPosture, versionChanged, hostname bool) bool {
-	var reason string
-	switch {
-	case isStatusChanged:
-		reason = "status changed"
-	case updateAccountPeers:
-		reason = "update account peers"
-	case ipv6CapabilityChanged:
-		reason = "ipv6 capability changed"
-	case metaDiffAffectsPosture:
-		reason = "meta diff affects posture"
-	case versionChanged:
-		reason = "version changed"
-	case hostname:
-		reason = "hostname changed"
-	default:
-		return false
-	}
-
-	log.WithContext(ctx).Tracef("peer update required: %s", reason)
-	return true
-}
-
 // syncPeerAffectedPeers resolves the peers affected by a SyncPeer change. The
 // peer's own validated network map is bidirectional for policy and routing
 // reachability, so when the peer stays valid and no source-posture gate is in

management/server/peer_test.go

@@ -49,7 +49,6 @@ import (
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/geolocation"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -2894,141 +2893,3 @@ func TestUpdatePeer_DnsLabelUniqueName(t *testing.T) {
 	require.NoError(t, err, "renaming to unique FQDN should succeed")
 	assert.Equal(t, "api-server", updated.DNSLabel, "DNS label should be first label of FQDN")
 }
-
-// fakeGeo is a configurable geolocation.Geolocation implementation for tests. It
-// returns a record built from the configured city geoname id, or an error when set.
-type fakeGeo struct {
-	geoNameID uint
-	isoCode   string
-	cityName  string
-	err       error
-}
-
-func (g *fakeGeo) Lookup(net.IP) (*geolocation.Record, error) {
-	if g.err != nil {
-		return nil, g.err
-	}
-	record := &geolocation.Record{}
-	record.City.GeonameID = g.geoNameID
-	record.City.Names.En = g.cityName
-	record.Country.ISOCode = g.isoCode
-	return record, nil
-}
-
-func (g *fakeGeo) GetAllCountries() ([]geolocation.Country, error) { return nil, nil }
-
-func (g *fakeGeo) GetCitiesByCountry(string) ([]geolocation.City, error) { return nil, nil }
-
-func (g *fakeGeo) Stop() error { return nil }
-
-func TestResolvePeerLocation(t *testing.T) {
-	realIP := net.ParseIP("203.0.113.10")
-
-	tests := []struct {
-		name    string
-		geo     geolocation.Geolocation
-		peer    *nbpeer.Peer
-		realIP  net.IP
-		want    *nbpeer.Location
-		wantNil bool
-	}{
-		{
-			name:    "no geo configured returns nil",
-			geo:     nil,
-			peer:    &nbpeer.Peer{ID: "p1"},
-			realIP:  realIP,
-			wantNil: true,
-		},
-		{
-			name:    "nil real IP returns nil",
-			geo:     &fakeGeo{geoNameID: 100},
-			peer:    &nbpeer.Peer{ID: "p1"},
-			realIP:  nil,
-			wantNil: true,
-		},
-		{
-			name:    "lookup error returns nil",
-			geo:     &fakeGeo{err: fmt.Errorf("lookup boom")},
-			peer:    &nbpeer.Peer{ID: "p1"},
-			realIP:  realIP,
-			wantNil: true,
-		},
-		{
-			name: "same IP and same geoname returns nil",
-			geo:  &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
-			peer: &nbpeer.Peer{
-				ID: "p1",
-				Location: nbpeer.Location{
-					ConnectionIP: realIP,
-					GeoNameID:    100,
-				},
-			},
-			realIP:  realIP,
-			wantNil: true,
-		},
-		{
-			name: "same IP but changed geoname returns location",
-			geo:  &fakeGeo{geoNameID: 200, isoCode: "US", cityName: "City B"},
-			peer: &nbpeer.Peer{
-				ID: "p1",
-				Location: nbpeer.Location{
-					ConnectionIP: realIP,
-					GeoNameID:    100,
-				},
-			},
-			realIP: realIP,
-			want: &nbpeer.Location{
-				ConnectionIP: realIP,
-				CountryCode:  "US",
-				CityName:     "City B",
-				GeoNameID:    200,
-			},
-		},
-		{
-			name: "different IP returns location",
-			geo:  &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
-			peer: &nbpeer.Peer{
-				ID: "p1",
-				Location: nbpeer.Location{
-					ConnectionIP: net.ParseIP("198.51.100.7"),
-					GeoNameID:    100,
-				},
-			},
-			realIP: realIP,
-			want: &nbpeer.Location{
-				ConnectionIP: realIP,
-				CountryCode:  "US",
-				CityName:     "City A",
-				GeoNameID:    100,
-			},
-		},
-		{
-			name:   "no prior location returns location",
-			geo:    &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
-			peer:   &nbpeer.Peer{ID: "p1"},
-			realIP: realIP,
-			want: &nbpeer.Location{
-				ConnectionIP: realIP,
-				CountryCode:  "US",
-				CityName:     "City A",
-				GeoNameID:    100,
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			am := &DefaultAccountManager{geo: tt.geo}
-			got := am.resolvePeerLocation(context.Background(), tt.peer, tt.realIP)
-			if tt.wantNil {
-				assert.Nil(t, got, "resolved location should be nil")
-				return
-			}
-			require.NotNil(t, got, "resolved location should not be nil")
-			assert.True(t, tt.want.ConnectionIP.Equal(got.ConnectionIP), "connection IP should match")
-			assert.Equal(t, tt.want.CountryCode, got.CountryCode, "country code should match")
-			assert.Equal(t, tt.want.CityName, got.CityName, "city name should match")
-			assert.Equal(t, tt.want.GeoNameID, got.GeoNameID, "geoname id should match")
-		})
-	}
-}

management/server/posture_checks_test.go

@@ -489,7 +489,6 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 
 	policy := &types.Policy{
 		AccountID: account.Id,
-		Enabled:   true,
 		Rules: []*types.PolicyRule{
 			{
 				Enabled:      true,