client: add optional daemon JSON socket gateway

Add positive-only service flags to enable the daemon HTTP/JSON grpc-gateway socket and persist its service configuration. Support unix and tcp listener addresses while keeping the gateway disabled by default and preserving live Unix sockets during stale cleanup.

Add gateway/socket coverage and a Docker smoke test script for validating Status over TCP and Unix JSON sockets.

client/cmd/service.go

@@ -5,6 +5,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"runtime"
 	"strings"
 	"sync"
@@ -22,15 +23,21 @@ var serviceCmd = &cobra.Command{
 	Short: "Manage the NetBird daemon service",
 }
 
+const defaultJSONSocket = "unix:///var/run/netbird-http.sock"
+
 var (
-	serviceName    string
-	serviceEnvVars []string
+	serviceName      string
+	serviceEnvVars   []string
+	jsonSocket       string
+	enableJSONSocket bool
 )
 
 type program struct {
 	ctx              context.Context
 	cancel           context.CancelFunc
 	serv             *grpc.Server
+	jsonServ         *http.Server
+	jsonServMu       sync.Mutex
 	serverInstance   *server.Server
 	serverInstanceMu sync.Mutex
 }
@@ -46,6 +53,8 @@ func init() {
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 	serviceCmd.PersistentFlags().BoolVar(&captureEnabled, "enable-capture", false, "Enables packet capture via 'netbird debug capture'. To persist, use: netbird service install --enable-capture")
 	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
+	serviceCmd.PersistentFlags().BoolVar(&enableJSONSocket, "enable-json-socket", false, "Enables the HTTP/JSON API socket served by grpc-gateway. To persist, use: netbird service install --enable-json-socket")
+	serviceCmd.PersistentFlags().StringVar(&jsonSocket, "json-socket", defaultJSONSocket, "HTTP/JSON API socket address [unix|tcp]://[path|host:port]. Requires --enable-json-socket to serve. To persist, use: netbird service install --enable-json-socket --json-socket")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +

client/cmd/service_controller.go

@@ -5,9 +5,6 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"net"
-	"os"
-	"strings"
 	"time"
 
 	"github.com/kardianos/service"
@@ -22,41 +19,56 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
+func validateJSONSocketFlags() error {
+	if serviceCmd.PersistentFlags().Changed("json-socket") && !enableJSONSocket {
+		return fmt.Errorf("--json-socket requires --enable-json-socket to configure the daemon JSON gateway")
+	}
+	return nil
+}
+
 func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
 	log.Info("starting NetBird service") //nolint
 
+	if err := validateJSONSocketFlags(); err != nil {
+		return err
+	}
+
 	// Collect static system and platform information
 	system.UpdateStaticInfoAsync()
 
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
 
-	split := strings.Split(daemonAddr, "://")
-	switch split[0] {
-	case "unix":
-		// cleanup failed close
-		stat, err := os.Stat(split[1])
-		if err == nil && !stat.IsDir() {
-			if err := os.Remove(split[1]); err != nil {
-				log.Debugf("remove socket file: %v", err)
-			}
-		}
-	case "tcp":
-	default:
-		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
-	}
-
-	listen, err := net.Listen(split[0], split[1])
+	daemonListener, err := listenOnAddress(daemonAddr)
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
 	}
-	go func() {
-		defer listen.Close()
 
-		if split[0] == "unix" {
-			if err := os.Chmod(split[1], 0666); err != nil {
-				log.Errorf("failed setting daemon permissions: %v", split[1])
+	var jsonListener *socketListener
+	if enableJSONSocket {
+		jsonListener, err = listenOnAddress(jsonSocket)
+		if err != nil {
+			_ = daemonListener.Close()
+			return fmt.Errorf("listen daemon JSON interface: %w", err)
+		}
+	} else {
+		removeStaleUnixSocketForAddress(jsonSocket)
+	}
+
+	go func() {
+		defer daemonListener.Close()
+		if jsonListener != nil {
+			defer jsonListener.Close()
+		}
+
+		if err := daemonListener.chmodUnixSocket("daemon"); err != nil {
+			log.Error(err)
+			return
+		}
+		if jsonListener != nil {
+			if err := jsonListener.chmodUnixSocket("daemon JSON"); err != nil {
+				log.Error(err)
 				return
 			}
 		}
@@ -71,8 +83,16 @@ func (p *program) Start(svc service.Service) error {
 		p.serverInstance = serverInstance
 		p.serverInstanceMu.Unlock()
 
-		log.Printf("started daemon server: %v", split[1])
-		if err := p.serv.Serve(listen); err != nil {
+		if jsonListener != nil {
+			if err := p.startJSONGateway(jsonListener, daemonAddr); err != nil {
+				log.Fatalf("failed to start daemon JSON server: %v", err)
+			}
+		} else {
+			log.Debug("daemon JSON socket disabled")
+		}
+
+		log.Printf("started daemon server: %v", daemonListener.address)
+		if err := p.serv.Serve(daemonListener.Listener); err != nil {
 			log.Errorf("failed to serve daemon requests: %v", err)
 		}
 	}()
@@ -92,6 +112,20 @@ func (p *program) Stop(srv service.Service) error {
 
 	p.cancel()
 
+	p.jsonServMu.Lock()
+	jsonServ := p.jsonServ
+	p.jsonServMu.Unlock()
+	if jsonServ != nil {
+		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 2*time.Second)
+		if err := jsonServ.Shutdown(shutdownCtx); err != nil {
+			log.Errorf("failed to stop daemon JSON server gracefully: %v", err)
+			if err := jsonServ.Close(); err != nil {
+				log.Errorf("failed to close daemon JSON server: %v", err)
+			}
+		}
+		shutdownCancel()
+	}
+
 	if p.serv != nil {
 		p.serv.Stop()
 	}
@@ -148,6 +182,9 @@ var runCmd = &cobra.Command{
 		if err != nil {
 			return err
 		}
+		if err := validateJSONSocketFlags(); err != nil {
+			return err
+		}
 
 		return s.Run()
 	},
@@ -162,6 +199,9 @@ var startCmd = &cobra.Command{
 		if err != nil {
 			return err
 		}
+		if err := validateJSONSocketFlags(); err != nil {
+			return err
+		}
 
 		if err := s.Start(); err != nil {
 			return fmt.Errorf("start service: %w", err)
@@ -198,6 +238,9 @@ var restartCmd = &cobra.Command{
 		if err != nil {
 			return err
 		}
+		if err := validateJSONSocketFlags(); err != nil {
+			return err
+		}
 
 		if err := s.Restart(); err != nil {
 			return fmt.Errorf("restart service: %w", err)

client/cmd/service_installer.go

@@ -67,6 +67,10 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-networks")
 	}
 
+	if enableJSONSocket {
+		args = append(args, "--enable-json-socket", "--json-socket", jsonSocket)
+	}
+
 	return args
 }
 
@@ -106,6 +110,10 @@ func configurePlatformSpecificSettings(svcConfig *service.Config) error {
 
 // Create fully configured service config for install/reconfigure
 func createServiceConfigForInstall() (*service.Config, error) {
+	if err := validateJSONSocketFlags(); err != nil {
+		return nil, err
+	}
+
 	svcConfig, err := newSVCConfig()
 	if err != nil {
 		return nil, fmt.Errorf("create service config: %w", err)

client/cmd/service_json_gateway.go

@@ -0,0 +1,52 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+func grpcGatewayEndpoint(addr string) string {
+	return strings.TrimPrefix(addr, "tcp://")
+}
+
+func (p *program) startJSONGateway(jsonListener *socketListener, daemonEndpoint string) error {
+	mux := runtime.NewServeMux()
+	opts := []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
+	if err := proto.RegisterDaemonServiceHandlerFromEndpoint(p.ctx, mux, grpcGatewayEndpoint(daemonEndpoint), opts); err != nil {
+		return err
+	}
+
+	jsonServer := &http.Server{
+		Handler:           mux,
+		ReadHeaderTimeout: 5 * time.Second,
+		BaseContext: func(net.Listener) context.Context {
+			return p.ctx
+		},
+	}
+
+	p.jsonServMu.Lock()
+	p.jsonServ = jsonServer
+	p.jsonServMu.Unlock()
+
+	go func() {
+		log.Printf("started daemon JSON server: %v", jsonListener.address)
+		if err := jsonServer.Serve(jsonListener.Listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Errorf("failed to serve daemon JSON requests: %v", err)
+		}
+	}()
+
+	return nil
+}

client/cmd/service_json_socket_test.go

@@ -0,0 +1,176 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func preserveJSONSocketTestState(t *testing.T) {
+	t.Helper()
+
+	origJSONSocket := jsonSocket
+	origEnableJSONSocket := enableJSONSocket
+	origChanged := map[string]bool{}
+	serviceCmd.PersistentFlags().VisitAll(func(flag *pflag.Flag) {
+		origChanged[flag.Name] = flag.Changed
+	})
+
+	t.Cleanup(func() {
+		jsonSocket = origJSONSocket
+		enableJSONSocket = origEnableJSONSocket
+		serviceCmd.PersistentFlags().VisitAll(func(flag *pflag.Flag) {
+			flag.Changed = origChanged[flag.Name]
+		})
+	})
+}
+
+func TestJSONSocketFlagsArePositiveEnableOnly(t *testing.T) {
+	assert.NotNil(t, serviceCmd.PersistentFlags().Lookup("enable-json-socket"))
+	assert.NotNil(t, serviceCmd.PersistentFlags().Lookup("json-socket"))
+	assert.Nil(t, serviceCmd.PersistentFlags().Lookup("disable-json-socket"))
+	assert.Equal(t, "false", serviceCmd.PersistentFlags().Lookup("enable-json-socket").DefValue)
+}
+
+func TestBuildServiceArgumentsDefaultDisablesJSONSocket(t *testing.T) {
+	preserveJSONSocketTestState(t)
+
+	enableJSONSocket = false
+	jsonSocket = "tcp://127.0.0.1:8080"
+
+	args := buildServiceArguments()
+
+	assert.NotContains(t, args, "--enable-json-socket")
+	assert.NotContains(t, args, "--json-socket")
+}
+
+func TestBuildServiceArgumentsIncludesJSONSocketWhenEnabled(t *testing.T) {
+	preserveJSONSocketTestState(t)
+
+	enableJSONSocket = true
+	jsonSocket = "tcp://127.0.0.1:8080"
+
+	args := buildServiceArguments()
+
+	enableIndex := indexOfArg(args, "--enable-json-socket")
+	jsonIndex := indexOfArg(args, "--json-socket")
+	require.NotEqual(t, -1, enableIndex)
+	require.NotEqual(t, -1, jsonIndex)
+	require.Less(t, enableIndex, jsonIndex)
+	require.Less(t, jsonIndex+1, len(args))
+	assert.Equal(t, "tcp://127.0.0.1:8080", args[jsonIndex+1])
+}
+
+func TestJSONSocketWithoutEnableValidation(t *testing.T) {
+	preserveJSONSocketTestState(t)
+
+	enableJSONSocket = false
+	require.NoError(t, serviceCmd.PersistentFlags().Set("json-socket", "tcp://127.0.0.1:8080"))
+
+	err := validateJSONSocketFlags()
+
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "--enable-json-socket")
+}
+
+func TestJSONSocketWithEnableValidation(t *testing.T) {
+	preserveJSONSocketTestState(t)
+
+	require.NoError(t, serviceCmd.PersistentFlags().Set("enable-json-socket", "true"))
+	require.NoError(t, serviceCmd.PersistentFlags().Set("json-socket", "tcp://127.0.0.1:8080"))
+
+	assert.NoError(t, validateJSONSocketFlags())
+}
+
+func TestJSONSocketServiceParamsPersistEnableAndAddress(t *testing.T) {
+	preserveJSONSocketTestState(t)
+	serviceCmd.PersistentFlags().VisitAll(func(flag *pflag.Flag) {
+		flag.Changed = false
+	})
+
+	enableJSONSocket = true
+	jsonSocket = "tcp://127.0.0.1:8080"
+
+	params := currentServiceParams()
+	require.True(t, params.EnableJSONSocket)
+	require.Equal(t, "tcp://127.0.0.1:8080", params.JSONSocket)
+
+	enableJSONSocket = false
+	jsonSocket = defaultJSONSocket
+	applyServiceParams(testServiceEnvCommand(), params)
+
+	assert.True(t, enableJSONSocket)
+	assert.Equal(t, "tcp://127.0.0.1:8080", jsonSocket)
+}
+
+func TestRemoveStaleUnixSocketDoesNotRemoveRegularFile(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "netbird-http.sock")
+	require.NoError(t, os.WriteFile(path, []byte("not a socket"), 0600))
+
+	removeStaleUnixSocket(path)
+
+	data, err := os.ReadFile(path)
+	require.NoError(t, err)
+	assert.Equal(t, []byte("not a socket"), data)
+}
+
+func TestRemoveStaleUnixSocketRemovesSocket(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("unix sockets are not available on Windows")
+	}
+
+	path := filepath.Join(t.TempDir(), "netbird-http.sock")
+	addr := &net.UnixAddr{Name: path, Net: "unix"}
+	listener, err := net.ListenUnix("unix", addr)
+	require.NoError(t, err)
+	listener.SetUnlinkOnClose(false)
+	require.NoError(t, listener.Close())
+
+	_, err = os.Lstat(path)
+	require.NoError(t, err, "test setup must leave a stale Unix socket path")
+
+	removeStaleUnixSocket(path)
+
+	_, err = os.Lstat(path)
+	assert.True(t, os.IsNotExist(err), "expected stale Unix socket to be removed, got %v", err)
+}
+
+func TestRemoveStaleUnixSocketDoesNotRemoveLiveSocket(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("unix sockets are not available on Windows")
+	}
+
+	path := filepath.Join(t.TempDir(), "netbird-http.sock")
+	listener, err := net.Listen("unix", path)
+	require.NoError(t, err)
+	defer listener.Close()
+
+	removeStaleUnixSocket(path)
+
+	_, err = os.Lstat(path)
+	assert.NoError(t, err, "expected live Unix socket to be preserved")
+}
+
+func testServiceEnvCommand() *cobra.Command {
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	return cmd
+}
+
+func indexOfArg(args []string, arg string) int {
+	for i, candidate := range args {
+		if candidate == arg {
+			return i
+		}
+	}
+	return -1
+}

client/cmd/service_params.go

@@ -23,6 +23,7 @@ const serviceParamsFile = "service.json"
 type serviceParams struct {
 	LogLevel              string            `json:"log_level"`
 	DaemonAddr            string            `json:"daemon_addr"`
+	JSONSocket            string            `json:"json_socket"`
 	ManagementURL         string            `json:"management_url,omitempty"`
 	ConfigPath            string            `json:"config_path,omitempty"`
 	LogFiles              []string          `json:"log_files,omitempty"`
@@ -30,6 +31,7 @@ type serviceParams struct {
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
 	EnableCapture         bool              `json:"enable_capture,omitempty"`
 	DisableNetworks       bool              `json:"disable_networks,omitempty"`
+	EnableJSONSocket      bool              `json:"enable_json_socket,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 
@@ -75,6 +77,7 @@ func currentServiceParams() *serviceParams {
 	params := &serviceParams{
 		LogLevel:              logLevel,
 		DaemonAddr:            daemonAddr,
+		JSONSocket:            jsonSocket,
 		ManagementURL:         managementURL,
 		ConfigPath:            configPath,
 		LogFiles:              logFiles,
@@ -82,6 +85,7 @@ func currentServiceParams() *serviceParams {
 		DisableUpdateSettings: updateSettingsDisabled,
 		EnableCapture:         captureEnabled,
 		DisableNetworks:       networksDisabled,
+		EnableJSONSocket:      enableJSONSocket,
 	}
 
 	if len(serviceEnvVars) > 0 {
@@ -113,9 +117,8 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		return
 	}
 
-	// For fields with non-empty defaults (log-level, daemon-addr), keep the
-	// != "" guard so that an older service.json missing the field doesn't
-	// clobber the default with an empty string.
+	// For fields with non-empty defaults, keep the != "" guard so that an older
+	// service.json missing the field doesn't clobber the default with an empty string.
 	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
 		logLevel = params.LogLevel
 	}
@@ -124,6 +127,14 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		daemonAddr = params.DaemonAddr
 	}
 
+	if !serviceCmd.PersistentFlags().Changed("json-socket") && params.JSONSocket != "" {
+		jsonSocket = params.JSONSocket
+	}
+
+	if !serviceCmd.PersistentFlags().Changed("enable-json-socket") {
+		enableJSONSocket = params.EnableJSONSocket
+	}
+
 	// For optional fields where empty means "use default", always apply so
 	// that an explicit clear (--management-url "") persists across reinstalls.
 	if !rootCmd.PersistentFlags().Changed("management-url") {

client/cmd/service_params_test.go

@@ -41,6 +41,8 @@ func TestSaveAndLoadServiceParams(t *testing.T) {
 	params := &serviceParams{
 		LogLevel:              "debug",
 		DaemonAddr:            "unix:///var/run/netbird.sock",
+		JSONSocket:            "tcp://127.0.0.1:8080",
+		EnableJSONSocket:      true,
 		ManagementURL:         "https://my.server.com",
 		ConfigPath:            "/etc/netbird/config.json",
 		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
@@ -63,6 +65,8 @@ func TestSaveAndLoadServiceParams(t *testing.T) {
 
 	assert.Equal(t, params.LogLevel, loaded.LogLevel)
 	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
+	assert.Equal(t, params.JSONSocket, loaded.JSONSocket)
+	assert.Equal(t, params.EnableJSONSocket, loaded.EnableJSONSocket)
 	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
 	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
 	assert.Equal(t, params.LogFiles, loaded.LogFiles)
@@ -101,6 +105,8 @@ func TestLoadServiceParams_InvalidJSON(t *testing.T) {
 func TestCurrentServiceParams(t *testing.T) {
 	origLogLevel := logLevel
 	origDaemonAddr := daemonAddr
+	origJSONSocket := jsonSocket
+	origEnableJSONSocket := enableJSONSocket
 	origManagementURL := managementURL
 	origConfigPath := configPath
 	origLogFiles := logFiles
@@ -110,6 +116,8 @@ func TestCurrentServiceParams(t *testing.T) {
 	t.Cleanup(func() {
 		logLevel = origLogLevel
 		daemonAddr = origDaemonAddr
+		jsonSocket = origJSONSocket
+		enableJSONSocket = origEnableJSONSocket
 		managementURL = origManagementURL
 		configPath = origConfigPath
 		logFiles = origLogFiles
@@ -120,6 +128,8 @@ func TestCurrentServiceParams(t *testing.T) {
 
 	logLevel = "trace"
 	daemonAddr = "tcp://127.0.0.1:9999"
+	jsonSocket = "tcp://127.0.0.1:8080"
+	enableJSONSocket = true
 	managementURL = "https://mgmt.example.com"
 	configPath = "/tmp/test-config.json"
 	logFiles = []string{"/tmp/test.log"}
@@ -131,6 +141,8 @@ func TestCurrentServiceParams(t *testing.T) {
 
 	assert.Equal(t, "trace", params.LogLevel)
 	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
+	assert.Equal(t, "tcp://127.0.0.1:8080", params.JSONSocket)
+	assert.True(t, params.EnableJSONSocket)
 	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
 	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
 	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
@@ -142,6 +154,8 @@ func TestCurrentServiceParams(t *testing.T) {
 func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 	origLogLevel := logLevel
 	origDaemonAddr := daemonAddr
+	origJSONSocket := jsonSocket
+	origEnableJSONSocket := enableJSONSocket
 	origManagementURL := managementURL
 	origConfigPath := configPath
 	origLogFiles := logFiles
@@ -151,6 +165,8 @@ func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 	t.Cleanup(func() {
 		logLevel = origLogLevel
 		daemonAddr = origDaemonAddr
+		jsonSocket = origJSONSocket
+		enableJSONSocket = origEnableJSONSocket
 		managementURL = origManagementURL
 		configPath = origConfigPath
 		logFiles = origLogFiles
@@ -162,6 +178,8 @@ func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 	// Reset all flags to defaults.
 	logLevel = "info"
 	daemonAddr = "unix:///var/run/netbird.sock"
+	jsonSocket = defaultJSONSocket
+	enableJSONSocket = false
 	managementURL = ""
 	configPath = "/etc/netbird/config.json"
 	logFiles = []string{"/var/log/netbird/client.log"}
@@ -184,6 +202,8 @@ func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 	saved := &serviceParams{
 		LogLevel:              "debug",
 		DaemonAddr:            "tcp://127.0.0.1:5555",
+		JSONSocket:            "tcp://127.0.0.1:8080",
+		EnableJSONSocket:      true,
 		ManagementURL:         "https://saved.example.com",
 		ConfigPath:            "/saved/config.json",
 		LogFiles:              []string{"/saved/client.log"},
@@ -201,6 +221,8 @@ func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 
 	// All other fields were not Changed, so they should use saved values.
 	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
+	assert.Equal(t, "tcp://127.0.0.1:8080", jsonSocket)
+	assert.True(t, enableJSONSocket)
 	assert.Equal(t, "https://saved.example.com", managementURL)
 	assert.Equal(t, "/saved/config.json", configPath)
 	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
@@ -212,14 +234,17 @@ func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
+	origEnableJSONSocket := enableJSONSocket
 	t.Cleanup(func() {
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
+		enableJSONSocket = origEnableJSONSocket
 	})
 
 	// Simulate current state where booleans are true (e.g. set by previous install).
 	profilesDisabled = true
 	updateSettingsDisabled = true
+	enableJSONSocket = true
 
 	// Reset Changed state so flags appear unset.
 	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
@@ -238,6 +263,7 @@ func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
 
 	assert.False(t, profilesDisabled, "saved false should override current true")
 	assert.False(t, updateSettingsDisabled, "saved false should override current true")
+	assert.False(t, enableJSONSocket, "saved false should override current true")
 }
 
 func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
@@ -530,6 +556,7 @@ func fieldToGlobalVar(field string) string {
 	m := map[string]string{
 		"LogLevel":              "logLevel",
 		"DaemonAddr":            "daemonAddr",
+		"JSONSocket":            "jsonSocket",
 		"ManagementURL":         "managementURL",
 		"ConfigPath":            "configPath",
 		"LogFiles":              "logFiles",
@@ -537,6 +564,7 @@ func fieldToGlobalVar(field string) string {
 		"DisableUpdateSettings": "updateSettingsDisabled",
 		"EnableCapture":         "captureEnabled",
 		"DisableNetworks":       "networksDisabled",
+		"EnableJSONSocket":      "enableJSONSocket",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {

client/cmd/service_socket.go

@@ -0,0 +1,111 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+	"syscall"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type socketListener struct {
+	net.Listener
+	network string
+	address string
+}
+
+func listenOnAddress(addr string) (*socketListener, error) {
+	network, address, err := parseListenAddress(addr)
+	if err != nil {
+		return nil, err
+	}
+
+	if network == "unix" {
+		removeStaleUnixSocket(address)
+	}
+
+	listener, err := net.Listen(network, address)
+	if err != nil {
+		return nil, err
+	}
+
+	return &socketListener{Listener: listener, network: network, address: address}, nil
+}
+
+func parseListenAddress(addr string) (string, string, error) {
+	network, address, ok := strings.Cut(addr, "://")
+	if !ok || network == "" || address == "" {
+		return "", "", fmt.Errorf("address must be in [unix|tcp]://[path|host:port] format: %q", addr)
+	}
+
+	switch network {
+	case "unix", "tcp":
+		return network, address, nil
+	default:
+		return "", "", fmt.Errorf("unsupported daemon address protocol: %v", network)
+	}
+}
+
+func removeStaleUnixSocket(path string) {
+	stat, err := os.Lstat(path)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			log.Debugf("stat socket file: %v", err)
+		}
+		return
+	}
+
+	if stat.Mode()&os.ModeSocket == 0 {
+		return
+	}
+
+	if !isStaleUnixSocket(path) {
+		return
+	}
+
+	if err := os.Remove(path); err != nil {
+		log.Debugf("remove socket file: %v", err)
+	}
+}
+
+func isStaleUnixSocket(path string) bool {
+	conn, err := net.DialTimeout("unix", path, 100*time.Millisecond)
+	if err == nil {
+		if closeErr := conn.Close(); closeErr != nil {
+			log.Debugf("close unix socket probe: %v", closeErr)
+		}
+		return false
+	}
+
+	if os.IsNotExist(err) || os.IsPermission(err) || os.IsTimeout(err) {
+		log.Debugf("not removing unix socket %s after probe error: %v", path, err)
+		return false
+	}
+
+	return errors.Is(err, syscall.ECONNREFUSED)
+}
+
+func removeStaleUnixSocketForAddress(addr string) {
+	network, address, err := parseListenAddress(addr)
+	if err != nil || network != "unix" {
+		return
+	}
+	removeStaleUnixSocket(address)
+}
+
+func (l *socketListener) chmodUnixSocket(description string) error {
+	if l == nil || l.network != "unix" {
+		return nil
+	}
+
+	if err := os.Chmod(l.address, 0666); err != nil {
+		return fmt.Errorf("failed setting %s permissions for %s: %w", description, l.address, err)
+	}
+	return nil
+}

client/internal/dns/mgmt/mgmt.go

@@ -51,13 +51,20 @@ type cachedRecord struct {
 }
 
 // Resolver caches critical NetBird infrastructure domains.
-// records, refreshing, mgmtDomain and serverDomains are all guarded by mutex.
+// records, refreshing, failedResolves, mgmtDomain and serverDomains are all
+// guarded by mutex.
 type Resolver struct {
 	records       map[dns.Question]*cachedRecord
 	mgmtDomain    *domain.Domain
 	serverDomains *dnsconfig.ServerDomains
 	mutex         sync.RWMutex
 
+	// failedResolves records the last failed initial resolve per domain so a
+	// domain that never resolves isn't retried on every server-domains update
+	// until refreshBackoff elapses. Entries are cleared on success and pruned
+	// to the current server-domains set.
+	failedResolves map[domain.Domain]time.Time
+
 	chain            ChainResolver
 	chainMaxPriority int
 	refreshGroup     singleflight.Group
@@ -76,9 +83,10 @@ type Resolver struct {
 // NewResolver creates a new management domains cache resolver.
 func NewResolver() *Resolver {
 	return &Resolver{
-		records:    make(map[dns.Question]*cachedRecord),
-		refreshing: make(map[dns.Question]*atomic.Bool),
-		cacheTTL:   resolveCacheTTL(),
+		records:        make(map[dns.Question]*cachedRecord),
+		refreshing:     make(map[dns.Question]*atomic.Bool),
+		failedResolves: make(map[domain.Domain]time.Time),
+		cacheTTL:       resolveCacheTTL(),
 	}
 }
 
@@ -173,7 +181,9 @@ func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
 
 // AddDomain resolves a domain and stores its A/AAAA records in the cache.
 // A family that resolves NODATA (nil err, zero records) evicts any stale
-// entry for that qtype.
+// entry for that qtype. When one family hard-errors while the other succeeds,
+// the resolved family is still cached but AddDomain returns an error so the
+// caller retries the incomplete resolve rather than treating it as complete.
 func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
 
@@ -203,6 +213,10 @@ func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	log.Debugf("added/updated domain=%s with %d A records and %d AAAA records",
 		d.SafeString(), len(aRecords), len(aaaaRecords))
 
+	if errA != nil || errAAAA != nil {
+		return fmt.Errorf("resolve %s: incomplete, a family failed: %w", d.SafeString(), errors.Join(errA, errAAAA))
+	}
+
 	return nil
 }
 
@@ -462,6 +476,7 @@ func (m *Resolver) RemoveDomain(d domain.Domain) error {
 	delete(m.records, qAAAA)
 	delete(m.refreshing, qA)
 	delete(m.refreshing, qAAAA)
+	delete(m.failedResolves, d)
 
 	log.Debugf("removed domain=%s from cache", d.SafeString())
 	return nil
@@ -505,6 +520,7 @@ func (m *Resolver) UpdateFromServerDomains(ctx context.Context, serverDomains dn
 		allDomains := m.extractDomainsFromServerDomains(updatedServerDomains)
 		currentDomains := m.GetCachedDomains()
 		removedDomains = m.removeStaleDomains(currentDomains, allDomains)
+		m.pruneFailedResolves(allDomains)
 	}
 
 	m.addNewDomains(ctx, newDomains)
@@ -577,13 +593,85 @@ func (m *Resolver) isManagementDomain(domain domain.Domain) bool {
 	return m.mgmtDomain != nil && domain == *m.mgmtDomain
 }
 
-// addNewDomains resolves and caches all domains from the update
+// addNewDomains resolves and caches domains that are not yet in the cache,
+// running the lookups concurrently. Domains already cached are skipped and left
+// to the stale-while-revalidate refresh path, so a sync never re-resolves them
+// synchronously: once NetBird owns the OS resolver the resolve runs through the
+// handler chain and would otherwise dial the managed upstreams under the engine
+// sync lock on every update.
 func (m *Resolver) addNewDomains(ctx context.Context, newDomains domain.List) {
+	var wg sync.WaitGroup
+	seen := make(map[domain.Domain]struct{}, len(newDomains))
 	for _, newDomain := range newDomains {
-		if err := m.AddDomain(ctx, newDomain); err != nil {
-			log.Warnf("failed to add/update domain=%s: %v", newDomain.SafeString(), err)
-		} else {
-			log.Debugf("added/updated management cache domain=%s", newDomain.SafeString())
+		if _, dup := seen[newDomain]; dup {
+			continue
+		}
+		seen[newDomain] = struct{}{}
+
+		if !m.needsResolve(newDomain) {
+			continue
+		}
+
+		wg.Add(1)
+		go func(d domain.Domain) {
+			defer wg.Done()
+			if err := m.AddDomain(ctx, d); err != nil {
+				m.markResolveFailed(d)
+				log.Warnf("failed to add/update domain=%s: %v", d.SafeString(), err)
+				return
+			}
+			m.clearResolveFailed(d)
+			log.Debugf("added/updated management cache domain=%s", d.SafeString())
+		}(newDomain)
+	}
+	wg.Wait()
+}
+
+// needsResolve reports whether d should be resolved now. A recent failed or
+// incomplete resolve gates retries on the backoff even when one family is
+// already cached, so a transiently-failed family is retried instead of being
+// treated as fully resolved. Otherwise a domain with any cached record is left
+// to the stale-while-revalidate refresh path.
+func (m *Resolver) needsResolve(d domain.Domain) bool {
+	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
+
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	if failedAt, ok := m.failedResolves[d]; ok {
+		return time.Since(failedAt) >= refreshBackoff
+	}
+
+	for _, qtype := range []uint16{dns.TypeA, dns.TypeAAAA} {
+		q := dns.Question{Name: dnsName, Qtype: qtype, Qclass: dns.ClassINET}
+		if _, ok := m.records[q]; ok {
+			return false
+		}
+	}
+	return true
+}
+
+func (m *Resolver) markResolveFailed(d domain.Domain) {
+	m.mutex.Lock()
+	m.failedResolves[d] = time.Now()
+	m.mutex.Unlock()
+}
+
+func (m *Resolver) clearResolveFailed(d domain.Domain) {
+	m.mutex.Lock()
+	delete(m.failedResolves, d)
+	m.mutex.Unlock()
+}
+
+// pruneFailedResolves drops failure markers for domains no longer present in
+// the server-domains set, keeping the map bounded to the current set (a
+// failed-only domain has no cached record, so RemoveDomain never sees it).
+func (m *Resolver) pruneFailedResolves(domains domain.List) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	for d := range m.failedResolves {
+		if !slices.Contains(domains, d) {
+			delete(m.failedResolves, d)
 		}
 	}
 }

client/internal/dns/mgmt/mgmt_refresh_test.go

@@ -21,6 +21,7 @@ type fakeChain struct {
 	mu       sync.Mutex
 	calls    map[string]int
 	answers  map[string][]dns.RR
+	qErr     map[string]error
 	err      error
 	hasRoot  bool
 	onLookup func()
@@ -30,6 +31,7 @@ func newFakeChain() *fakeChain {
 	return &fakeChain{
 		calls:   map[string]int{},
 		answers: map[string][]dns.RR{},
+		qErr:    map[string]error{},
 		hasRoot: true,
 	}
 }
@@ -47,6 +49,9 @@ func (f *fakeChain) ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriori
 	f.calls[key]++
 	answers := f.answers[key]
 	err := f.err
+	if err == nil {
+		err = f.qErr[key]
+	}
 	onLookup := f.onLookup
 	f.mu.Unlock()
 
@@ -75,6 +80,12 @@ func (f *fakeChain) setAnswer(name string, qtype uint16, ip string) {
 	}
 }
 
+func (f *fakeChain) setErr(name string, qtype uint16, err error) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.qErr[name+"|"+dns.TypeToString[qtype]] = err
+}
+
 func (f *fakeChain) callCount(name string, qtype uint16) int {
 	f.mu.Lock()
 	defer f.mu.Unlock()

client/internal/dns/mgmt/mgmt_resolve_test.go

@@ -0,0 +1,183 @@
+package mgmt
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+// A domain already in the cache must not be re-resolved on a subsequent server
+// domains update; it is left to the stale-while-revalidate refresh path.
+func TestResolver_UpdateFromServerDomains_SkipsCached(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("signal.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	sd := dnsconfig.ServerDomains{Signal: domain.Domain("signal.example.com")}
+
+	_, err := r.UpdateFromServerDomains(context.Background(), sd)
+	require.NoError(t, err)
+	require.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
+		"first update must resolve the domain")
+
+	_, err = r.UpdateFromServerDomains(context.Background(), sd)
+	require.NoError(t, err)
+	assert.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
+		"cached domain must not be re-resolved on a subsequent update")
+}
+
+// New domains in a single update must resolve concurrently rather than serially.
+func TestResolver_AddNewDomains_ResolvesConcurrently(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+
+	var inflight, maxInflight atomic.Int32
+	chain.onLookup = func() {
+		n := inflight.Add(1)
+		for {
+			old := maxInflight.Load()
+			if n <= old || maxInflight.CompareAndSwap(old, n) {
+				break
+			}
+		}
+		time.Sleep(50 * time.Millisecond)
+		inflight.Add(-1)
+	}
+
+	relays := []domain.Domain{"a.example.com", "b.example.com", "c.example.com", "d.example.com"}
+	for _, d := range relays {
+		chain.setAnswer(dns.Fqdn(string(d)), dns.TypeA, "10.0.0.2")
+	}
+	r.SetChainResolver(chain, 50)
+
+	start := time.Now()
+	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Relay: relays})
+	require.NoError(t, err)
+	elapsed := time.Since(start)
+
+	assert.GreaterOrEqual(t, int(maxInflight.Load()), 2, "domains must resolve concurrently")
+	// Serial resolution of 4 domains would take at least 4*50ms; concurrent is far less.
+	assert.Less(t, elapsed, 300*time.Millisecond, "resolution should not be serial")
+}
+
+// A domain that fails to resolve must not be retried on every update; the
+// failure backoff suppresses re-resolution until it expires.
+func TestResolver_UpdateFromServerDomains_BacksOffFailures(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.err = errors.New("resolve boom")
+	r.SetChainResolver(chain, 50)
+
+	sd := dnsconfig.ServerDomains{Signal: domain.Domain("signal.example.com")}
+
+	_, err := r.UpdateFromServerDomains(context.Background(), sd)
+	require.NoError(t, err)
+	require.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
+		"first update must attempt the resolve")
+
+	_, err = r.UpdateFromServerDomains(context.Background(), sd)
+	require.NoError(t, err)
+	assert.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
+		"failed resolve must back off and not retry on the next update")
+}
+
+// A domain listed under more than one server-domain type (e.g. STUN and TURN on
+// the same host) must be resolved once per update, not once per occurrence.
+func TestResolver_AddNewDomains_DedupesDuplicateDomains(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("dup.example.com.", dns.TypeA, "10.0.0.9")
+	r.SetChainResolver(chain, 50)
+
+	sd := dnsconfig.ServerDomains{
+		Stuns: []domain.Domain{"dup.example.com"},
+		Turns: []domain.Domain{"dup.example.com"},
+	}
+
+	_, err := r.UpdateFromServerDomains(context.Background(), sd)
+	require.NoError(t, err)
+	assert.Equal(t, 1, chain.callCount("dup.example.com.", dns.TypeA),
+		"a domain appearing under multiple server-domain types must resolve once")
+}
+
+// A failure marker must be dropped once its domain leaves the server-domains set
+// so the map stays bounded to the current set.
+func TestResolver_UpdateFromServerDomains_PrunesFailedResolves(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.err = errors.New("resolve boom")
+	r.SetChainResolver(chain, 50)
+
+	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Signal: domain.Domain("gone.example.com")})
+	require.NoError(t, err)
+	r.mutex.RLock()
+	_, marked := r.failedResolves[domain.Domain("gone.example.com")]
+	r.mutex.RUnlock()
+	require.True(t, marked, "failed resolve must be recorded")
+
+	_, err = r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Signal: domain.Domain("other.example.com")})
+	require.NoError(t, err)
+	r.mutex.RLock()
+	_, stillMarked := r.failedResolves[domain.Domain("gone.example.com")]
+	r.mutex.RUnlock()
+	assert.False(t, stillMarked, "failure marker for a domain no longer in the set must be pruned")
+}
+
+// When one family hard-errors while the other resolves, the domain is cached
+// for the working family but recorded as incomplete so the failed family is
+// retried under backoff instead of being treated as fully resolved forever.
+func TestResolver_AddNewDomains_RetriesPartialFamilyFailure(t *testing.T) {
+	d := domain.Domain("relay.example.com")
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("relay.example.com.", dns.TypeA, "10.0.0.2")
+	chain.setErr("relay.example.com.", dns.TypeAAAA, errors.New("servfail"))
+	r.SetChainResolver(chain, 50)
+
+	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Relay: []domain.Domain{d}})
+	require.NoError(t, err)
+
+	r.mutex.RLock()
+	_, aCached := r.records[dns.Question{Name: "relay.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}]
+	_, marked := r.failedResolves[d]
+	r.mutex.RUnlock()
+	require.True(t, aCached, "the working family must still be cached")
+	require.True(t, marked, "a partial failure must be recorded so the failed family is retried")
+
+	assert.False(t, r.needsResolve(d), "within the backoff window the domain is not retried")
+
+	r.mutex.Lock()
+	r.failedResolves[d] = time.Now().Add(-2 * refreshBackoff)
+	r.mutex.Unlock()
+	assert.True(t, r.needsResolve(d), "after the backoff elapses the domain is retried to pick up the missing family")
+}
+
+// A family that returns NODATA (legitimately absent, e.g. an IPv4-only host) is
+// not a failure: the domain must not be marked for retry, otherwise it would be
+// re-resolved on every sync.
+func TestResolver_AddNewDomains_NodataIsNotFailure(t *testing.T) {
+	d := domain.Domain("v4only.example.com")
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("v4only.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Relay: []domain.Domain{d}})
+	require.NoError(t, err)
+
+	r.mutex.RLock()
+	_, marked := r.failedResolves[d]
+	r.mutex.RUnlock()
+	assert.False(t, marked, "a NODATA family must not be recorded as a failure")
+	assert.False(t, r.needsResolve(d), "an IPv4-only host must not be re-resolved on later syncs")
+}

client/proto/daemon_gateway_test.go

@@ -0,0 +1,80 @@
+package proto
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	gatewayruntime "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+func TestGatewayServerRoutesCoverDaemonRPCs(t *testing.T) {
+	mux := gatewayruntime.NewServeMux()
+	if err := RegisterDaemonServiceHandlerServer(context.Background(), mux, UnimplementedDaemonServiceServer{}); err != nil {
+		t.Fatalf("register daemon gateway server handlers: %v", err)
+	}
+
+	assertAllDaemonGatewayRoutesRegistered(t, mux)
+}
+
+func TestGatewayClientRoutesCoverDaemonRPCs(t *testing.T) {
+	listener := bufconn.Listen(1024 * 1024)
+	server := grpc.NewServer()
+	RegisterDaemonServiceServer(server, UnimplementedDaemonServiceServer{})
+	go func() {
+		if err := server.Serve(listener); err != nil && err != grpc.ErrServerStopped {
+			t.Errorf("serve bufconn gRPC server: %v", err)
+		}
+	}()
+	t.Cleanup(func() {
+		server.Stop()
+		_ = listener.Close()
+	})
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	mux := gatewayruntime.NewServeMux()
+	opts := []grpc.DialOption{
+		grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+			return listener.Dial()
+		}),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	}
+	if err := RegisterDaemonServiceHandlerFromEndpoint(ctx, mux, "passthrough:///bufnet", opts); err != nil {
+		t.Fatalf("register daemon gateway client handlers: %v", err)
+	}
+
+	assertAllDaemonGatewayRoutesRegistered(t, mux)
+}
+
+func assertAllDaemonGatewayRoutesRegistered(t *testing.T, mux http.Handler) {
+	t.Helper()
+	for _, method := range DaemonService_ServiceDesc.Methods {
+		assertGatewayRouteRegistered(t, mux, method.MethodName)
+	}
+	for _, stream := range DaemonService_ServiceDesc.Streams {
+		assertGatewayRouteRegistered(t, mux, stream.StreamName)
+	}
+}
+
+func assertGatewayRouteRegistered(t *testing.T, mux http.Handler, methodName string) {
+	t.Helper()
+
+	path := "/daemon.DaemonService/" + methodName
+	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader("{}"))
+	req.Header.Set("Content-Type", "application/json")
+	res := httptest.NewRecorder()
+
+	mux.ServeHTTP(res, req)
+
+	if res.Code == http.StatusNotFound {
+		t.Fatalf("gateway route for %s is not registered", methodName)
+	}
+}

client/proto/generate.sh

@@ -12,5 +12,11 @@ script_path=$(dirname "$(realpath "$0")")
 cd "$script_path"
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.6
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.6.1
-protoc -I ./ ./daemon.proto --go_out=../ --go-grpc_out=../ --experimental_allow_proto3_optional
+go install github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway@v2.26.3
+protoc -I ./ ./daemon.proto \
+  --go_out=../ \
+  --go-grpc_out=../ \
+  --grpc-gateway_out=../ \
+  --grpc-gateway_opt=generate_unbound_methods=true \
+  --experimental_allow_proto3_optional
 cd "$old_pwd"

client/test/json-socket-docker.sh

@@ -0,0 +1,223 @@
+#!/usr/bin/env bash
+set -eEuo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: client/test/json-socket-docker.sh [tcp|unix|both]
+
+Builds the NetBird client Docker image from the local source tree, starts
+`netbird service run` in a container with --enable-json-socket, and verifies
+that the HTTP/JSON daemon gateway responds to Status requests.
+
+Modes:
+  tcp   Validate tcp://0.0.0.0:8080 via a published localhost port (default)
+  unix  Validate unix:///sock/netbird-http.sock via a bind-mounted socket dir
+  both  Run both validations
+
+Environment:
+  CONTAINER_RUNTIME  docker or podman. Auto-detected if unset.
+  IMAGE              Image tag to build. Default: netbird-json-socket-test:local
+  TARGETARCH         Go/Docker target arch. Default: `go env GOARCH`
+  PLATFORM           Docker platform. Default: linux/$TARGETARCH
+  WAIT_TIMEOUT       Seconds to wait for the JSON socket. Default: 30
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+  usage
+  exit 0
+fi
+
+MODE="${1:-tcp}"
+case "${MODE}" in
+  tcp|unix|both) ;;
+  *)
+    usage >&2
+    echo "invalid mode: ${MODE}" >&2
+    exit 2
+    ;;
+esac
+
+RUNTIME="${CONTAINER_RUNTIME:-}"
+if [[ -z "${RUNTIME}" ]]; then
+  if command -v docker >/dev/null 2>&1; then
+    RUNTIME=docker
+  elif command -v podman >/dev/null 2>&1; then
+    RUNTIME=podman
+  else
+    echo "docker or podman is required" >&2
+    exit 127
+  fi
+fi
+if ! command -v "${RUNTIME}" >/dev/null 2>&1; then
+  echo "container runtime not found: ${RUNTIME}" >&2
+  exit 127
+fi
+
+if ! command -v curl >/dev/null 2>&1; then
+  echo "curl is required" >&2
+  exit 127
+fi
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+IMAGE="${IMAGE:-netbird-json-socket-test:local}"
+TARGETARCH="${TARGETARCH:-$(go env GOARCH)}"
+PLATFORM="${PLATFORM:-linux/${TARGETARCH}}"
+WAIT_TIMEOUT="${WAIT_TIMEOUT:-30}"
+TMP_DIR="$(mktemp -d)"
+CONTAINERS=()
+
+cleanup() {
+  local status=$?
+  for container in "${CONTAINERS[@]:-}"; do
+    "${RUNTIME}" rm -f "${container}" >/dev/null 2>&1 || true
+  done
+  rm -rf "${TMP_DIR}"
+  exit "${status}"
+}
+trap cleanup EXIT
+
+build_image() {
+  echo "==> Building Linux ${TARGETARCH} netbird binary"
+  mkdir -p "${TMP_DIR}/context/client"
+  cp "${ROOT_DIR}/client/Dockerfile" "${TMP_DIR}/context/Dockerfile"
+  cp "${ROOT_DIR}/client/netbird-entrypoint.sh" "${TMP_DIR}/context/client/netbird-entrypoint.sh"
+
+  (cd "${ROOT_DIR}" && CGO_ENABLED=0 GOOS=linux GOARCH="${TARGETARCH}" go build -o "${TMP_DIR}/context/netbird" ./client)
+
+  echo "==> Building ${IMAGE} for ${PLATFORM}"
+  "${RUNTIME}" build \
+    --platform "${PLATFORM}" \
+    --build-arg NETBIRD_BINARY=netbird \
+    -t "${IMAGE}" \
+    -f "${TMP_DIR}/context/Dockerfile" \
+    "${TMP_DIR}/context"
+}
+
+pick_port() {
+  python3 - <<'PY'
+import socket
+sock = socket.socket()
+sock.bind(("127.0.0.1", 0))
+print(sock.getsockname()[1])
+sock.close()
+PY
+}
+
+assert_status_json() {
+  local response_file="$1"
+  if command -v python3 >/dev/null 2>&1; then
+    python3 - "${response_file}" <<'PY'
+import json
+import sys
+with open(sys.argv[1], encoding="utf-8") as fh:
+    data = json.load(fh)
+if not data.get("status"):
+    raise SystemExit("missing non-empty status field")
+if "daemonVersion" not in data:
+    raise SystemExit("missing daemonVersion field")
+print(f"status={data['status']} daemonVersion={data['daemonVersion']}")
+PY
+  else
+    grep -q '"status"' "${response_file}"
+    grep -q '"daemonVersion"' "${response_file}"
+    cat "${response_file}"
+  fi
+}
+
+container_logs() {
+  local container="$1"
+  echo "---- ${container} logs ----" >&2
+  "${RUNTIME}" logs "${container}" >&2 || true
+  echo "--------------------------" >&2
+}
+
+wait_for_http_status() {
+  local container="$1"
+  local response="${TMP_DIR}/${container}.json"
+  local curl_err="${TMP_DIR}/${container}.curl.err"
+  shift
+  local deadline=$((SECONDS + WAIT_TIMEOUT))
+
+  while (( SECONDS < deadline )); do
+    if curl -fsS "$@" \
+      -X POST \
+      -H 'Content-Type: application/json' \
+      -d '{}' \
+      -o "${response}" \
+      2>"${curl_err}"; then
+      assert_status_json "${response}"
+      return 0
+    fi
+
+    if ! "${RUNTIME}" ps --format '{{.Names}}' | grep -Fxq "${container}"; then
+      echo "container exited before JSON socket became ready" >&2
+      container_logs "${container}"
+      return 1
+    fi
+    sleep 1
+  done
+
+  echo "timed out waiting for JSON socket after ${WAIT_TIMEOUT}s" >&2
+  cat "${curl_err}" >&2 || true
+  container_logs "${container}"
+  return 1
+}
+
+run_netbird_container() {
+  local container="$1"
+  local json_socket="$2"
+  shift 2
+
+  CONTAINERS+=("${container}")
+  "${RUNTIME}" run --rm -d \
+    --name "${container}" \
+    -e NB_STATE_DIR=/tmp/netbird-state \
+    --entrypoint /usr/local/bin/netbird \
+    "$@" \
+    "${IMAGE}" \
+    --log-file console \
+    --daemon-addr unix:///tmp/netbird.sock \
+    service run \
+    --enable-json-socket \
+    --json-socket "${json_socket}" >/dev/null
+}
+
+run_tcp_test() {
+  local port container
+  port="$(pick_port)"
+  container="nb-json-socket-tcp-$RANDOM-$RANDOM"
+
+  echo "==> Validating TCP JSON socket on 127.0.0.1:${port}"
+  run_netbird_container "${container}" "tcp://0.0.0.0:8080" -p "127.0.0.1:${port}:8080"
+  wait_for_http_status "${container}" "http://127.0.0.1:${port}/daemon.DaemonService/Status"
+}
+
+run_unix_test() {
+  local sock_dir sock_path container
+  sock_dir="${TMP_DIR}/sock"
+  sock_path="${sock_dir}/netbird-http.sock"
+  container="nb-json-socket-unix-$RANDOM-$RANDOM"
+  mkdir -p "${sock_dir}"
+
+  echo "==> Validating Unix JSON socket at ${sock_path}"
+  run_netbird_container "${container}" "unix:///sock/netbird-http.sock" -v "${sock_dir}:/sock"
+  wait_for_http_status "${container}" --unix-socket "${sock_path}" "http://unix/daemon.DaemonService/Status"
+}
+
+build_image
+
+case "${MODE}" in
+  tcp)
+    run_tcp_test
+    ;;
+  unix)
+    run_unix_test
+    ;;
+  both)
+    run_tcp_test
+    run_unix_test
+    ;;
+esac
+
+echo "==> Docker JSON socket validation passed (${MODE})"

go.mod

@@ -66,6 +66,7 @@ require (
 	github.com/google/nftables v0.3.0
 	github.com/gopacket/gopacket v1.4.0
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.7.0
@@ -330,6 +331,7 @@ require (
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/tools v0.43.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect

management/server/affected_peers_coverage_test.go

@@ -41,7 +41,7 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 				_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
 				require.NoError(t, err)
 				return affectedpeers.Change{ChangedPeerIDs: []string{s.routerPeerID}},
-					[]string{s.sourcePeerID, s.routerPeerID}, []string{s.unrelatedPeerID}
+					[]string{s.sourcePeerID}, []string{s.unrelatedPeerID}
 			},
 		},
 		{
@@ -106,8 +106,12 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 			change, mustContain, mustExclude := r.build(t, s, ctx)
 			affected := resolveAffected(t, s.manager.Store, s.accountID, change)
 
-			assert.ElementsMatch(t, affected, mustContain, "expected peer to be affected")
-			assert.NotContains(t, affected, mustExclude, "peer must not be affected")
+			for _, id := range mustContain {
+				assert.Contains(t, affected, id, "expected peer to be affected")
+			}
+			for _, id := range mustExclude {
+				assert.NotContains(t, affected, id, "peer must not be affected")
+			}
 		})
 	}
 }

management/server/affected_peers_test.go

@@ -96,54 +96,33 @@ func affectedGroupID(i int) string   { return fmt.Sprintf("affected-grp-%d", i)
 func affectedGroupName(i int) string { return fmt.Sprintf("AffectedGroup%d", i) }
 
 func TestCollectGroupChange_PolicyLinked(t *testing.T) {
-	manager, s, accountID, peerIDs, groupIDs := setupAffectedPeersTest(t)
+	manager, s, accountID, _, groupIDs := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
 	_, err := manager.SavePolicy(ctx, accountID, userID, &types.Policy{
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: peerIDs[0], Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: peerIDs[1], Type: types.ResourceTypePeer},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
-				DestinationResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypeHost},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
+				Enabled:       true,
+				Sources:       []string{groupIDs[0]},
+				Destinations:  []string{groupIDs[1]},
+				Bidirectional: true,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
-	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[1]})
+	groups, _ := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[0]})
+	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
+	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
 	assert.Empty(t, groups)
-	assert.Empty(t, directPeers)
 }
 
 func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
@@ -154,44 +133,20 @@ func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: peerIDs[4], Type: types.ResourceTypePeer},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: peerIDs[1], Type: types.ResourceTypeHost},
-				DestinationResource: types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
+				Enabled:        true,
+				Sources:        []string{groupIDs[0]},
+				SourceResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
+				Destinations:   []string{groupIDs[1]},
+				Action:         types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[4]})
-
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[3]})
-
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
-	assert.Empty(t, groups)
-	assert.Empty(t, directPeers)
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
+	assert.Contains(t, directPeers, peerIDs[3])
 }
 
 func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T) {
@@ -213,7 +168,8 @@ func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 	assert.Empty(t, directPeers, "non-peer resources should not produce direct peer IDs")
 }
 
@@ -417,11 +373,17 @@ func TestCollectGroupChange_MultipleEntities(t *testing.T) {
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
+	assert.NotContains(t, groups, groupIDs[2])
+	assert.NotContains(t, groups, groupIDs[3])
 	assert.Empty(t, directPeers)
 
 	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[3]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[2], groupIDs[3]})
+	assert.Contains(t, groups, groupIDs[2])
+	assert.Contains(t, groups, groupIDs[3])
+	assert.NotContains(t, groups, groupIDs[0])
+	assert.NotContains(t, groups, groupIDs[1])
 	assert.Empty(t, directPeers)
 }
 
@@ -512,7 +474,7 @@ func TestResolveAffectedPeers_PolicyThreeGroups(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2]}, result)
 }
 
 func TestResolveAffectedPeers_RoutePeerGroups(t *testing.T) {
@@ -697,13 +659,9 @@ func TestResolveAffectedPeers_PeerInMultipleGroups(t *testing.T) {
 	}, true)
 	require.NoError(t, err)
 
-	// peer0 is in group0 AND group1, so both policies apply. A peer change folds
-	// only the changed peer plus the opposite side of each rule: group2 (peer2) via
-	// the group0 policy and group3 (peer3) via the group1 policy. peer1, a co-member
-	// of group1, is a sibling of the changed peer and must NOT refresh.
+	// peer0 is in group0 AND group1, so both policies apply
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[3]}, result)
-	assert.NotContains(t, result, peerIDs[1], "co-member of the changed peer's group must not refresh")
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
@@ -739,7 +697,7 @@ func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0], peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[1], peerIDs[3]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_SharedGroupAcrossPolicyAndRoute(t *testing.T) {

management/server/affectedpeers/resolver.go

@@ -221,17 +221,15 @@ func Collect(ctx context.Context, s store.Store, accountID string, c Change) (gr
 
 func newResolver(ctx context.Context, snap *Snapshot, accountID string, c Change) *resolver {
 	r := &resolver{
-		ctx:                        ctx,
-		snap:                       snap,
-		accountID:                  accountID,
-		change:                     c,
-		changedGroupSet:            toSet(c.ChangedGroupIDs),
-		changedPeerSet:             toSet(c.ChangedPeerIDs),
-		groupSet:                   make(map[string]struct{}),
-		peerSet:                    make(map[string]struct{}),
-		networkIDs:                 make(map[string]struct{}),
-		sourceOriginatedNetworkIDs: make(map[string]struct{}),
-		changedGroupIDs:            toSet(c.ChangedGroupIDs),
+		ctx:             ctx,
+		snap:            snap,
+		accountID:       accountID,
+		change:          c,
+		changedGroupSet: toSet(c.ChangedGroupIDs),
+		changedPeerSet:  toSet(c.ChangedPeerIDs),
+		groupSet:        make(map[string]struct{}),
+		peerSet:         make(map[string]struct{}),
+		networkIDs:      make(map[string]struct{}),
 	}
 	// Resolve each changed peer to its groups here so callers pass only ChangedPeerIDs.
 	r.seedChangedGroupsFromPeers()
@@ -241,9 +239,6 @@ func newResolver(ctx context.Context, snap *Snapshot, accountID string, c Change
 
 // seedChangedGroupsFromPeers adds each changed peer's groups to changedGroupSet so
 // the group-driven walkers fire for memberships, not just direct peer references.
-// These seeded groups are for MATCHING only — folding the changed entity's own
-// side is gated on changedGroupIDs (the caller-reported groups), so a seeded group
-// never folds its whole membership; only the changed peer itself folds in.
 func (r *resolver) seedChangedGroupsFromPeers() {
 	if len(r.changedPeerSet) == 0 {
 		return
@@ -297,18 +292,6 @@ type resolver struct {
 
 	matchedPolicies []*types.Policy
 	networkIDs      map[string]struct{}
-	// sourceOriginatedNetworkIDs are networks marked affected only because a
-	// source-side change targets a resource on them (bridgeSourceToRouters). Their
-	// routers must refresh, but the policy sources must not be folded back: a
-	// changed source propagates only to the opposite (router) side, never to its
-	// co-sources. Networks marked by a router/resource/network change are absent
-	// here and do fold sources, since the destination side itself changed.
-	sourceOriginatedNetworkIDs map[string]struct{}
-
-	// changedGroupIDs are the groups the caller reported as changed via
-	// Change.ChangedGroupIDs (NOT the peer-seeded ones in changedGroupSet). Only
-	// these fold their whole membership; a peer-seeded group folds the peer alone.
-	changedGroupIDs map[string]struct{}
 }
 
 func (r *resolver) policies() []*types.Policy { return r.snap.policies }
@@ -462,88 +445,21 @@ func (r *resolver) collectFromPostureChecks(postureCheckIDs []string) {
 	}
 }
 
-// collectFromPolicies folds, for every policy a changed group or peer touches:
-// the opposite side of the matching rule, the changed entity's own side (the
-// changed group itself, or the changed peer alone — never the changed side's
-// sibling groups or co-members), and records the policy for the resource<->router
-// bridge. A changed peer is mapped to its groups in changedGroupSet up front (see
-// seedChangedGroupsFromPeers); changedGroupIDs holds only the caller-reported
-// groups, so a peer-seeded group does not fold its whole membership.
 func (r *resolver) collectFromPolicies() {
 	for _, policy := range r.policies() {
-		if !r.collectPolicyDirectional(policy) {
+		matchedByGroup := policyReferencesGroups(policy, r.changedGroupSet)
+		matchedByPeer := len(r.changedPeerSet) > 0 && policyReferencesDirectPeers(policy, r.changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromPolicies: policy %s (%s) matched directionally", policy.ID, policy.Name)
+		log.WithContext(r.ctx).Tracef("collectFromPolicies: policy %s (%s) matched (byGroup=%t byPeer=%t) -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, matchedByGroup, matchedByPeer, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
 		r.matchedPolicies = append(r.matchedPolicies, policy)
 	}
 }
 
-// collectPolicyDirectional folds one policy's affected groups/peers and reports
-// whether it matched a changed group or peer at all (so the caller can record it
-// for the bridge even when the opposite side is a resource, not a group).
-func (r *resolver) collectPolicyDirectional(policy *types.Policy) bool {
-	matched := false
-	for _, rule := range policy.Rules {
-		matched = r.foldRuleSide(rule.Sources, rule.Destinations, rule.DestinationResource) || matched
-		matched = r.foldRuleSide(rule.Destinations, rule.Sources, rule.SourceResource) || matched
-
-		if isDirectPeerInSet(rule.SourceResource, r.changedPeerSet) {
-			r.peerSet[rule.SourceResource.ID] = struct{}{}
-			addAll(r.groupSet, rule.Destinations)
-			if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-				r.peerSet[rule.DestinationResource.ID] = struct{}{}
-			}
-			matched = true
-		}
-		if isDirectPeerInSet(rule.DestinationResource, r.changedPeerSet) {
-			r.peerSet[rule.DestinationResource.ID] = struct{}{}
-			addAll(r.groupSet, rule.Sources)
-			if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-				r.peerSet[rule.SourceResource.ID] = struct{}{}
-			}
-			matched = true
-		}
-	}
-	return matched
-}
-
-// foldRuleSide handles a changed group on `near` (Sources or Destinations): it
-// folds the `far` (opposite) groups and far resource peer, the changed group(s)
-// themselves (caller-reported groups only — not seeded ones, so a changed peer's
-// group does not pull in its members), and the changed peers seeded from those
-// groups (the peer alone). Returns whether the side matched.
-func (r *resolver) foldRuleSide(near, far []string, farResource types.Resource) bool {
-	if !anyInSet(near, r.changedGroupSet) {
-		return false
-	}
-	addAll(r.groupSet, far)
-	if farResource.Type == types.ResourceTypePeer && farResource.ID != "" {
-		r.peerSet[farResource.ID] = struct{}{}
-	}
-	for _, gID := range near {
-		if _, ok := r.changedGroupIDs[gID]; ok {
-			r.groupSet[gID] = struct{}{} // changed group itself -> its members
-		}
-		r.foldChangedPeersInGroup(gID) // a changed peer in this group -> the peer alone
-	}
-	return true
-}
-
-// foldChangedPeersInGroup folds changed peers that belong to groupID directly into
-// peerSet (the peer only, never its co-members).
-func (r *resolver) foldChangedPeersInGroup(groupID string) {
-	if len(r.changedPeerSet) == 0 {
-		return
-	}
-	members := r.snap.groupPeers[groupID]
-	for pID := range r.changedPeerSet {
-		if _, ok := members[pID]; ok {
-			r.peerSet[pID] = struct{}{}
-		}
-	}
-}
-
 func (r *resolver) collectFromRoutes() {
 	for _, rt := range r.snap.routes {
 		matchedByGroup := anyInSet(rt.Groups, r.changedGroupSet) || anyInSet(rt.PeerGroups, r.changedGroupSet) || anyInSet(rt.AccessControlGroups, r.changedGroupSet)
@@ -672,11 +588,6 @@ func (r *resolver) bridgeSourceToRouters() {
 	log.WithContext(r.ctx).Tracef("bridgeSourceToRouters: targeted resources %v -> networks %v (their routers become affected via the router->source pass)",
 		setToSlice(resourceIDs), setToSlice(networkIDs))
 	for id := range networkIDs {
-		// Mark source-originated unless a router/resource/network change already
-		// marked this network directly (then it folds sources back).
-		if _, ok := r.networkIDs[id]; !ok {
-			r.sourceOriginatedNetworkIDs[id] = struct{}{}
-		}
 		r.networkIDs[id] = struct{}{}
 	}
 }
@@ -691,19 +602,11 @@ func (r *resolver) bridgeRoutersToSources() {
 
 	r.foldRoutersOnNetworks(r.networkIDs)
 
-	// Sources are folded back only for networks the destination side itself changed
-	// (router/resource/network change). Networks reached only because a source-side
-	// change targets their resource must not refresh the policy's sources — the
-	// changed source propagates to the router side, not back to its co-sources.
 	resourceIDs := make(map[string]struct{})
 	for _, resource := range r.networkResources() {
-		if _, ok := r.networkIDs[resource.NetworkID]; !ok {
-			continue
+		if _, ok := r.networkIDs[resource.NetworkID]; ok {
+			resourceIDs[resource.ID] = struct{}{}
 		}
-		if _, sourceOriginated := r.sourceOriginatedNetworkIDs[resource.NetworkID]; sourceOriginated {
-			continue
-		}
-		resourceIDs[resource.ID] = struct{}{}
 	}
 	if len(resourceIDs) == 0 {
 		return
@@ -831,6 +734,24 @@ func collectPolicySources(policy *types.Policy, groupSet, peerSet map[string]str
 	}
 }
 
+func policyReferencesGroups(policy *types.Policy, groupSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
+			return true
+		}
+	}
+	return false
+}
+
+func policyReferencesDirectPeers(policy *types.Policy, changedSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if isDirectPeerInSet(rule.SourceResource, changedSet) || isDirectPeerInSet(rule.DestinationResource, changedSet) {
+			return true
+		}
+	}
+	return false
+}
+
 func policyReferencesPostureChecks(policy *types.Policy, ids map[string]struct{}) bool {
 	for _, id := range policy.SourcePostureChecks {
 		if _, ok := ids[id]; ok {

management/server/affectedpeers/resolver_test.go

@@ -80,6 +80,26 @@ func TestChangeIsEmpty(t *testing.T) {
 	assert.False(t, Change{PostureCheckIDs: []string{"pc"}}.isEmpty())
 }
 
+func TestPolicyReferencesGroups(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{Sources: []string{"g1", "g2"}, Destinations: []string{"g3"}}}}
+
+	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g1": {}}))
+	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g3": {}}))
+	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{"g4": {}}))
+	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{}))
+}
+
+func TestPolicyReferencesDirectPeers(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{
+		SourceResource:      types.Resource{Type: types.ResourceTypePeer, ID: "p1"},
+		DestinationResource: types.Resource{Type: types.ResourceTypeHost, ID: "r1"},
+	}}}
+
+	assert.True(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p1": {}}))
+	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"r1": {}}))
+	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p2": {}}))
+}
+
 func TestPolicyReferencesPostureChecks(t *testing.T) {
 	policy := &types.Policy{SourcePostureChecks: []string{"pc1", "pc2"}}