Add ios bindings for profile manager

client/ios/NetBirdSDK/profile_manager.go

@@ -0,0 +1,294 @@
+//go:build ios
+
+package NetBirdSDK
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+)
+
+// iOS profile storage layout (mirrors the Android layout so the shared
+// profilemanager.ServiceManager behaves identically on both platforms):
+//
+//	<container>/                                  ← configDir parameter (App Group root)
+//	├── netbird.cfg                               ← default profile config
+//	├── state.json                                ← default profile state
+//	├── active_profile.json                       ← active profile tracker {"name": <id>, "username": "ios"}
+//	└── profiles/                                 ← non-default profiles
+//	    ├── <id>.json                             ← profile config (holds the display "Name")
+//	    └── <id>.state.json                       ← profile state
+//
+// The ProfileLayoutMigration in NetbirdKit moves the legacy directory-per-name
+// layout into this shape before NewProfileManager ever runs.
+
+const (
+	// iosDefaultConfigFilename is the default profile config name. Must match
+	// GlobalConstants.configFileName on the Swift side ("netbird.cfg").
+	iosDefaultConfigFilename = "netbird.cfg"
+	// iosDefaultStateFilename is the default profile state name. Must match
+	// GlobalConstants.stateFileName on the Swift side ("state.json").
+	iosDefaultStateFilename = "state.json"
+	// iosProfilesSubdir holds non-default profile files.
+	iosProfilesSubdir = "profiles"
+	// iosUsername is the single user context the app runs under. The value is
+	// written into active_profile.json's "username" field and is required to be
+	// non-empty for non-default profiles by ServiceManager.SetActiveProfileState.
+	// Must match the value the migration writes ("ios").
+	iosUsername = "ios"
+)
+
+// Profile represents a profile for gomobile. gomobile exposes the exported
+// fields as id_/name/isActive on the Swift side.
+type Profile struct {
+	ID       string
+	Name     string
+	IsActive bool
+}
+
+// ProfileArray wraps a profile slice for gomobile (which cannot bind Go slices
+// directly; callers iterate with Length()/Get()).
+type ProfileArray struct {
+	items []*Profile
+}
+
+// Length returns the number of profiles.
+func (p *ProfileArray) Length() int {
+	return len(p.items)
+}
+
+// Get returns the profile at index i, or nil if i is out of range.
+func (p *ProfileArray) Get(i int) *Profile {
+	if i < 0 || i >= len(p.items) {
+		return nil
+	}
+	return p.items[i]
+}
+
+// ProfileManager manages profiles for iOS. It wraps the internal
+// profilemanager.ServiceManager, which owns all profile identity (the on-disk
+// filename is the ID, the display name lives inside the config JSON).
+type ProfileManager struct {
+	configDir  string
+	serviceMgr *profilemanager.ServiceManager
+}
+
+// NewProfileManager creates a profile manager rooted at configDir (the App
+// Group shared container). gomobile maps this to a nullable Swift initializer.
+func NewProfileManager(configDir string) *ProfileManager {
+	defaultConfigPath := filepath.Join(configDir, iosDefaultConfigFilename)
+
+	// Point the package-level paths at the iOS container. The default profile
+	// lives in the root configDir (not under profiles/).
+	profilemanager.DefaultConfigPathDir = configDir
+	profilemanager.DefaultConfigPath = defaultConfigPath
+	profilemanager.ActiveProfileStatePath = filepath.Join(configDir, "active_profile.json")
+
+	// A fixed profiles directory avoids mutating the global ConfigDirOverride;
+	// the ServiceManager then ignores the username when resolving the directory.
+	profilesDir := filepath.Join(configDir, iosProfilesSubdir)
+	serviceMgr := profilemanager.NewServiceManagerWithProfilesDir(defaultConfigPath, profilesDir)
+
+	return &ProfileManager{
+		configDir:  configDir,
+		serviceMgr: serviceMgr,
+	}
+}
+
+// ListProfiles returns all available profiles, including the default, with
+// their active status and resolved display names.
+func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
+	internalProfiles, err := pm.serviceMgr.ListProfiles(iosUsername)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list profiles: %w", err)
+	}
+
+	var profiles []*Profile
+	for _, p := range internalProfiles {
+		profiles = append(profiles, &Profile{
+			ID:       p.ID.String(),
+			Name:     p.Name,
+			IsActive: p.IsActive,
+		})
+	}
+
+	return &ProfileArray{items: profiles}, nil
+}
+
+// GetActiveProfile returns the currently active profile with its display name
+// resolved. ActiveProfileState only records the ID, so the ID is resolved to a
+// full profile to recover the Name.
+func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
+	activeState, err := pm.serviceMgr.GetActiveProfileState()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get active profile: %w", err)
+	}
+
+	prof, err := pm.serviceMgr.ResolveProfile(activeState.ID.String(), iosUsername)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve active profile %q: %w", activeState.ID, err)
+	}
+
+	return &Profile{ID: prof.ID.String(), Name: prof.Name, IsActive: true}, nil
+}
+
+// AddProfile creates a new profile with displayName and returns it. The
+// returned profile carries the freshly generated ID, which callers must use
+// for all follow-up operations (the ID is NOT the display name).
+func (pm *ProfileManager) AddProfile(displayName string) (*Profile, error) {
+	prof, err := pm.serviceMgr.AddProfile(displayName, iosUsername)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add profile: %w", err)
+	}
+
+	log.Infof("created new profile: %s", prof.ID)
+	return &Profile{ID: prof.ID.String(), Name: prof.Name, IsActive: false}, nil
+}
+
+// SwitchProfile records the given profile ID as the active profile. Callers
+// must stop the VPN before switching.
+func (pm *ProfileManager) SwitchProfile(id string) error {
+	if err := pm.serviceMgr.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		ID:       profilemanager.ID(id),
+		Username: iosUsername,
+	}); err != nil {
+		return fmt.Errorf("failed to switch profile: %w", err)
+	}
+
+	log.Infof("switched to profile: %s", id)
+	return nil
+}
+
+// RenameProfile changes a profile's display name. The on-disk ID (filename) is
+// unchanged. There is no ServiceManager rename, so this edits the Name field of
+// the config JSON in place.
+func (pm *ProfileManager) RenameProfile(id, newName string) error {
+	if id == profilemanager.DefaultProfileName {
+		return fmt.Errorf("cannot rename the default profile")
+	}
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return fmt.Errorf("invalid profile ID: %q", id)
+	}
+
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return fmt.Errorf("profile name must not be empty")
+	}
+	if newName == profilemanager.DefaultProfileName {
+		return fmt.Errorf("cannot use reserved profile name: %s", profilemanager.DefaultProfileName)
+	}
+
+	configPath, err := pm.getProfileConfigPath(id)
+	if err != nil {
+		return err
+	}
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		return fmt.Errorf("profile %q does not exist", id)
+	}
+
+	config, err := profilemanager.ReadConfig(configPath)
+	if err != nil {
+		return fmt.Errorf("failed to read profile config: %w", err)
+	}
+
+	config.Name = newName
+
+	if err := profilemanager.WriteOutConfig(configPath, config); err != nil {
+		return fmt.Errorf("failed to write profile config: %w", err)
+	}
+
+	log.Infof("renamed profile %q to %q", id, newName)
+	return nil
+}
+
+// RemoveProfile deletes a profile. The default and the active profile cannot be
+// removed.
+func (pm *ProfileManager) RemoveProfile(id string) error {
+	if err := pm.serviceMgr.RemoveProfile(profilemanager.ID(id), iosUsername); err != nil {
+		return fmt.Errorf("failed to remove profile: %w", err)
+	}
+
+	log.Infof("removed profile: %s", id)
+	return nil
+}
+
+// LogoutProfile clears a profile's authentication (private key and SSH key),
+// forcing re-login. The management URL is preserved in the config.
+func (pm *ProfileManager) LogoutProfile(id string) error {
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return fmt.Errorf("invalid profile ID: %q", id)
+	}
+
+	configPath, err := pm.getProfileConfigPath(id)
+	if err != nil {
+		return err
+	}
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		return fmt.Errorf("profile %q does not exist", id)
+	}
+
+	config, err := profilemanager.ReadConfig(configPath)
+	if err != nil {
+		return fmt.Errorf("failed to read profile config: %w", err)
+	}
+
+	config.PrivateKey = ""
+	config.SSHKey = ""
+
+	if err := profilemanager.WriteOutConfig(configPath, config); err != nil {
+		return fmt.Errorf("failed to save config: %w", err)
+	}
+
+	log.Infof("logged out from profile: %s", id)
+	return nil
+}
+
+// GetConfigPath returns the config file path for a given profile ID.
+func (pm *ProfileManager) GetConfigPath(id string) (string, error) {
+	return pm.getProfileConfigPath(id)
+}
+
+// GetStateFilePath returns the state file path for a given profile ID.
+func (pm *ProfileManager) GetStateFilePath(id string) (string, error) {
+	if id == "" || id == profilemanager.DefaultProfileName {
+		return filepath.Join(pm.configDir, iosDefaultStateFilename), nil
+	}
+
+	profilesDir := filepath.Join(pm.configDir, iosProfilesSubdir)
+	return filepath.Join(profilesDir, id+".state.json"), nil
+}
+
+// GetActiveConfigPath returns the config file path for the active profile.
+func (pm *ProfileManager) GetActiveConfigPath() (string, error) {
+	activeProfile, err := pm.GetActiveProfile()
+	if err != nil {
+		return "", fmt.Errorf("failed to get active profile: %w", err)
+	}
+	return pm.GetConfigPath(activeProfile.ID)
+}
+
+// GetActiveStateFilePath returns the state file path for the active profile.
+func (pm *ProfileManager) GetActiveStateFilePath() (string, error) {
+	activeProfile, err := pm.GetActiveProfile()
+	if err != nil {
+		return "", fmt.Errorf("failed to get active profile: %w", err)
+	}
+	return pm.GetStateFilePath(activeProfile.ID)
+}
+
+// getProfileConfigPath returns the config file path for a profile ID. The
+// default profile lives in the root configDir as netbird.cfg; everything else
+// lives under profiles/ as <id>.json.
+func (pm *ProfileManager) getProfileConfigPath(id string) (string, error) {
+	if id == "" || id == profilemanager.DefaultProfileName {
+		return filepath.Join(pm.configDir, iosDefaultConfigFilename), nil
+	}
+
+	profilesDir := filepath.Join(pm.configDir, iosProfilesSubdir)
+	return filepath.Join(profilesDir, id+".json"), nil
+}

management/server/account_test.go

@@ -1916,117 +1916,6 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	}
 }
 
-func TestDefaultAccountManager_MarkPeerDisconnected_SchedulesInactivityExpiration(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to create an account")
-
-	key, err := wgtypes.GenerateKey()
-	require.NoError(t, err, "unable to generate WireGuard key")
-	peerPubKey := key.PublicKey().String()
-
-	_, _, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:                         peerPubKey,
-		Meta:                        nbpeer.PeerSystemMeta{Hostname: "test-peer"},
-		InactivityExpirationEnabled: true,
-	}, false)
-	require.NoError(t, err, "unable to add peer")
-
-	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
-		PeerLoginExpiration:             time.Hour,
-		PeerLoginExpirationEnabled:      true,
-		PeerInactivityExpiration:        time.Hour,
-		PeerInactivityExpirationEnabled: true,
-		Extra:                           &types.ExtraSettings{},
-	})
-	require.NoError(t, err, "expecting to update account settings successfully but got error")
-
-	// Establish a session so the matching-token disconnect is actually applied.
-	streamStartTime := time.Now().UTC()
-	err = manager.MarkPeerConnected(context.Background(), peerPubKey, accountID, streamStartTime.UnixNano(), nil)
-	require.NoError(t, err, "unable to mark peer connected")
-
-	// Install the mock only now, so the assertion observes the disconnect, not
-	// the earlier connect.
-	scheduled := make(chan struct{}, 1)
-	manager.peerInactivityExpiry = &MockScheduler{
-		CancelFunc: func(ctx context.Context, IDs []string) {},
-		ScheduleFunc: func(ctx context.Context, in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
-			select {
-			case scheduled <- struct{}{}:
-			default:
-			}
-		},
-	}
-
-	err = manager.MarkPeerDisconnected(context.Background(), peerPubKey, accountID, streamStartTime.UnixNano())
-	require.NoError(t, err, "unable to mark peer disconnected")
-
-	select {
-	case <-scheduled:
-		// expected: disconnect re-armed the inactivity expiry timer
-	case <-time.After(time.Second):
-		t.Fatal("expected inactivity expiration to be rescheduled when an eligible peer disconnects")
-	}
-}
-
-func TestDefaultAccountManager_MarkPeerDisconnected_SkipsInactivityExpirationWhenDisabled(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to create an account")
-
-	key, err := wgtypes.GenerateKey()
-	require.NoError(t, err, "unable to generate WireGuard key")
-	peerPubKey := key.PublicKey().String()
-
-	_, _, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:                         peerPubKey,
-		Meta:                        nbpeer.PeerSystemMeta{Hostname: "test-peer"},
-		InactivityExpirationEnabled: true,
-	}, false)
-	require.NoError(t, err, "unable to add peer")
-
-	// Peer is eligible (SSO + inactivity enabled) but the account-level setting
-	// stays disabled, so disconnect must not schedule anything.
-	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
-		PeerLoginExpiration:             time.Hour,
-		PeerLoginExpirationEnabled:      true,
-		PeerInactivityExpiration:        time.Hour,
-		PeerInactivityExpirationEnabled: false,
-		Extra:                           &types.ExtraSettings{},
-	})
-	require.NoError(t, err, "expecting to update account settings successfully but got error")
-
-	streamStartTime := time.Now().UTC()
-	err = manager.MarkPeerConnected(context.Background(), peerPubKey, accountID, streamStartTime.UnixNano(), nil)
-	require.NoError(t, err, "unable to mark peer connected")
-
-	scheduled := make(chan struct{}, 1)
-	manager.peerInactivityExpiry = &MockScheduler{
-		CancelFunc: func(ctx context.Context, IDs []string) {},
-		ScheduleFunc: func(ctx context.Context, in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
-			select {
-			case scheduled <- struct{}{}:
-			default:
-			}
-		},
-	}
-
-	err = manager.MarkPeerDisconnected(context.Background(), peerPubKey, accountID, streamStartTime.UnixNano())
-	require.NoError(t, err, "unable to mark peer disconnected")
-
-	select {
-	case <-scheduled:
-		t.Fatal("inactivity expiration must not be scheduled while the account-level setting is disabled")
-	case <-time.After(200 * time.Millisecond):
-		// expected: nothing scheduled
-	}
-}
-
 func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
 	manager, _, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")

management/server/affected_peers_coverage_test.go

@@ -41,7 +41,7 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 				_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
 				require.NoError(t, err)
 				return affectedpeers.Change{ChangedPeerIDs: []string{s.routerPeerID}},
-					[]string{s.sourcePeerID, s.routerPeerID}, []string{s.unrelatedPeerID}
+					[]string{s.sourcePeerID}, []string{s.unrelatedPeerID}
 			},
 		},
 		{
@@ -106,8 +106,12 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 			change, mustContain, mustExclude := r.build(t, s, ctx)
 			affected := resolveAffected(t, s.manager.Store, s.accountID, change)
 
-			assert.ElementsMatch(t, affected, mustContain, "expected peer to be affected")
-			assert.NotContains(t, affected, mustExclude, "peer must not be affected")
+			for _, id := range mustContain {
+				assert.Contains(t, affected, id, "expected peer to be affected")
+			}
+			for _, id := range mustExclude {
+				assert.NotContains(t, affected, id, "peer must not be affected")
+			}
 		})
 	}
 }

management/server/affected_peers_test.go

@@ -96,54 +96,33 @@ func affectedGroupID(i int) string   { return fmt.Sprintf("affected-grp-%d", i)
 func affectedGroupName(i int) string { return fmt.Sprintf("AffectedGroup%d", i) }
 
 func TestCollectGroupChange_PolicyLinked(t *testing.T) {
-	manager, s, accountID, peerIDs, groupIDs := setupAffectedPeersTest(t)
+	manager, s, accountID, _, groupIDs := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
 	_, err := manager.SavePolicy(ctx, accountID, userID, &types.Policy{
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: peerIDs[0], Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: peerIDs[1], Type: types.ResourceTypePeer},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
-				DestinationResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypeHost},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				Destinations:        []string{groupIDs[1]},
-				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
-				Bidirectional:       true,
-				Action:              types.PolicyTrafficActionAccept,
+				Enabled:       true,
+				Sources:       []string{groupIDs[0]},
+				Destinations:  []string{groupIDs[1]},
+				Bidirectional: true,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
-	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[1]})
+	groups, _ := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[0]})
+	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
+	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
 	assert.Empty(t, groups)
-	assert.Empty(t, directPeers)
 }
 
 func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
@@ -154,44 +133,20 @@ func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: peerIDs[4], Type: types.ResourceTypePeer},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: peerIDs[1], Type: types.ResourceTypeHost},
-				DestinationResource: types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
-			},
-			{
-				Enabled:             true,
-				Sources:             []string{groupIDs[0]},
-				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
-				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
-				Destinations:        []string{groupIDs[1]},
-				Action:              types.PolicyTrafficActionAccept,
+				Enabled:        true,
+				Sources:        []string{groupIDs[0]},
+				SourceResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
+				Destinations:   []string{groupIDs[1]},
+				Action:         types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[4]})
-
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
-	assert.ElementsMatch(t, directPeers, []string{peerIDs[3]})
-
-	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
-	assert.Empty(t, groups)
-	assert.Empty(t, directPeers)
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
+	assert.Contains(t, directPeers, peerIDs[3])
 }
 
 func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T) {
@@ -213,7 +168,8 @@ func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
 	assert.Empty(t, directPeers, "non-peer resources should not produce direct peer IDs")
 }
 
@@ -417,11 +373,17 @@ func TestCollectGroupChange_MultipleEntities(t *testing.T) {
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.Contains(t, groups, groupIDs[0])
+	assert.Contains(t, groups, groupIDs[1])
+	assert.NotContains(t, groups, groupIDs[2])
+	assert.NotContains(t, groups, groupIDs[3])
 	assert.Empty(t, directPeers)
 
 	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[3]})
-	assert.ElementsMatch(t, groups, []string{groupIDs[2], groupIDs[3]})
+	assert.Contains(t, groups, groupIDs[2])
+	assert.Contains(t, groups, groupIDs[3])
+	assert.NotContains(t, groups, groupIDs[0])
+	assert.NotContains(t, groups, groupIDs[1])
 	assert.Empty(t, directPeers)
 }
 
@@ -490,9 +452,8 @@ func TestResolveAffectedPeers_PolicyBetweenTwoGroups(t *testing.T) {
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[1]})
 	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1]}, result)
 
-	// peerIDs[2] is unrelated to the route; only its own map can change.
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[2]}, result)
+	assert.Empty(t, result)
 }
 
 func TestResolveAffectedPeers_PolicyThreeGroups(t *testing.T) {
@@ -513,7 +474,7 @@ func TestResolveAffectedPeers_PolicyThreeGroups(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2]}, result)
 }
 
 func TestResolveAffectedPeers_RoutePeerGroups(t *testing.T) {
@@ -545,9 +506,8 @@ func TestResolveAffectedPeers_RoutePeerGroups(t *testing.T) {
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[1]})
 	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1]}, result)
 
-	// peerIDs[2] is in no policy; only its own map can change, so it refreshes itself.
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[2]}, result)
+	assert.Empty(t, result)
 }
 
 func TestResolveAffectedPeers_RouteWithDirectPeer(t *testing.T) {
@@ -604,9 +564,9 @@ func TestResolveAffectedPeers_RouteWithAccessControlGroups(t *testing.T) {
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[2]})
 	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2]}, result)
 
-	// peer3 is unrelated to the route; only its own map can change.
+	// peer3 is unrelated
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[3]})
-	assert.ElementsMatch(t, []string{peerIDs[3]}, result)
+	assert.Empty(t, result)
 }
 
 func TestResolveAffectedPeers_NetworkRouter(t *testing.T) {
@@ -699,13 +659,9 @@ func TestResolveAffectedPeers_PeerInMultipleGroups(t *testing.T) {
 	}, true)
 	require.NoError(t, err)
 
-	// peer0 is in group0 AND group1, so both policies apply. A peer change folds
-	// only the changed peer plus the opposite side of each rule: group2 (peer2) via
-	// the group0 policy and group3 (peer3) via the group1 policy. peer1, a co-member
-	// of group1, is a sibling of the changed peer and must NOT refresh.
+	// peer0 is in group0 AND group1, so both policies apply
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[3]}, result)
-	assert.NotContains(t, result, peerIDs[1], "co-member of the changed peer's group must not refresh")
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
@@ -741,7 +697,7 @@ func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0], peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[1], peerIDs[3]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_SharedGroupAcrossPolicyAndRoute(t *testing.T) {
@@ -898,9 +854,8 @@ func TestAffectedPeers_IsolatedPolicies(t *testing.T) {
 	assert.NotContains(t, result, peerIDs[0])
 	assert.NotContains(t, result, peerIDs[1])
 
-	// peerIDs[4] is in neither isolated policy; only its own map can change.
 	result = manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[4]})
-	assert.ElementsMatch(t, []string{peerIDs[4]}, result)
+	assert.Empty(t, result)
 }
 
 func TestAffectedPeers_IsolatedRouteAndPolicy(t *testing.T) {
@@ -1022,13 +977,12 @@ func TestAffectedPeers_GroupUpdateOnlyAffectsLinkedPeers(t *testing.T) {
 	})
 }
 
-// A peer in no policy/route refreshes only itself — no other peer is affected.
-func TestAffectedPeers_UnlinkedPeerChange_RefreshesSelfOnly(t *testing.T) {
+func TestAffectedPeers_UnlinkedGroupChange_NoUpdates(t *testing.T) {
 	manager, s, accountID, peerIDs, _ := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0]}, result)
+	assert.Empty(t, result)
 }
 
 // TestAffectedPeers_PolicyChange_UnrelatedPeerNoUpdate verifies that creating/deleting a

management/server/affectedpeers/resolver.go

@@ -61,8 +61,7 @@ func Load(ctx context.Context, s store.Store, accountID string, c Change) (*Snap
 // loadCollections reads the policy/route/nameserver/dns/router/resource/proxy
 // collections a Change can touch, gated to what the walk needs.
 func (snap *Snapshot) loadCollections(ctx context.Context, s store.Store, accountID string, c Change) error {
-	// LinkGroups drive the same policy/route/dns walk as a changed group or peer.
-	hasGroupOrPeerChange := len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 || len(c.LinkGroups) > 0 || len(c.Resources) > 0
+	hasGroupOrPeerChange := len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 || len(c.Resources) > 0
 	hasNetworkObject := len(c.Routers) > 0 || len(c.Resources) > 0 || len(c.Networks) > 0
 	// the resource<->router bridge can fire for any of these
 	needsRoutersResources := hasGroupOrPeerChange || len(c.PostureCheckIDs) > 0 || len(c.Policies) > 0 || hasNetworkObject
@@ -77,7 +76,7 @@ func (snap *Snapshot) loadCollections(ctx context.Context, s store.Store, accoun
 			return err
 		}
 	}
-	if len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 || len(c.LinkGroups) > 0 {
+	if len(c.ChangedGroupIDs) > 0 || len(c.ChangedPeerIDs) > 0 {
 		if err := snap.loadDNS(ctx, s, accountID); err != nil {
 			return err
 		}
@@ -175,24 +174,6 @@ type Change struct {
 	// folded in — but only when the group is linked (an unlinked group has no map
 	// impact), matching how current members are handled.
 	RemovedPeersByGroup map[string][]string
-
-	// OutputPeerIDs are peers folded straight into the result without seeding their
-	// group memberships into the walk. Use for the peer whose group membership changed:
-	// the peer itself must refresh, but its OTHER groups did not change, so they must
-	// not be walked. Contrast ChangedPeerIDs, which seeds ALL of the peer's groups
-	// (correct when the peer's own attributes changed, e.g. IP/status).
-	OutputPeerIDs []string
-
-	// LinkGroups are groups used ONLY to match policies/routes/routers and walk to the
-	// OPPOSITE side — they are never expanded to their own members. Use this when a
-	// peer's group membership changed: pass the peer in ChangedPeerIDs and its
-	// group(s) here. The opposite side of the policies the group participates in
-	// refreshes, but the group's other members (siblings) do not — nothing changed for
-	// them. For an intra-group policy (A→A) the opposite side IS the group, so its
-	// members still refresh via the opposite-side fold, exactly when they genuinely
-	// gain/lose the changed peer. Unlike ChangedGroupIDs, a LinkGroup is not added to
-	// the output, so a one-sided membership change never wakes the whole group.
-	LinkGroups []string
 }
 
 func (c Change) isEmpty() bool {
@@ -205,9 +186,7 @@ func (c Change) isEmpty() bool {
 		len(c.Networks) == 0 &&
 		len(c.PostureCheckIDs) == 0 &&
 		len(c.DistributionGroupIDs) == 0 &&
-		len(c.RemovedPeersByGroup) == 0 &&
-		len(c.LinkGroups) == 0 &&
-		len(c.OutputPeerIDs) == 0
+		len(c.RemovedPeersByGroup) == 0
 }
 
 // Expand returns the deduplicated affected peer IDs from the preloaded Snapshot,
@@ -218,8 +197,8 @@ func (snap *Snapshot) Expand(ctx context.Context, accountID string, c Change) []
 		return nil
 	}
 	r := newResolver(ctx, snap, accountID, c)
-	log.WithContext(ctx).Tracef("affectedpeers expand start: account=%s changedGroups=%v changedPeers=%v linkGroups=%v policies=%d routes=%d routers=%d resources=%d networks=%d postureChecks=%v distributionGroups=%v",
-		accountID, c.ChangedGroupIDs, c.ChangedPeerIDs, c.LinkGroups, len(c.Policies), len(c.Routes), len(c.Routers), len(c.Resources), len(c.Networks), c.PostureCheckIDs, c.DistributionGroupIDs)
+	log.WithContext(ctx).Tracef("affectedpeers expand start: account=%s changedGroups=%v changedPeers=%v policies=%d routes=%d routers=%d resources=%d networks=%d postureChecks=%v distributionGroups=%v",
+		accountID, c.ChangedGroupIDs, c.ChangedPeerIDs, len(c.Policies), len(c.Routes), len(c.Routers), len(c.Resources), len(c.Networks), c.PostureCheckIDs, c.DistributionGroupIDs)
 	r.walk()
 	return r.expand()
 }
@@ -237,84 +216,57 @@ func Collect(ctx context.Context, s store.Store, accountID string, c Change) (gr
 	}
 	r := newResolver(ctx, snap, accountID, c)
 	r.walk()
-	return setToSlice(r.affectedGroups), setToSlice(r.affectedPeers)
+	return setToSlice(r.groupSet), setToSlice(r.peerSet)
 }
 
 func newResolver(ctx context.Context, snap *Snapshot, accountID string, c Change) *resolver {
 	r := &resolver{
-		ctx:            ctx,
-		snap:           snap,
-		accountID:      accountID,
-		change:         c,
-		linkGroups:     toSet(c.ChangedGroupIDs),
-		outputGroups:   toSet(c.ChangedGroupIDs),
-		changedPeers:   toSet(c.ChangedPeerIDs),
-		affectedGroups: make(map[string]struct{}),
-		affectedPeers:  make(map[string]struct{}),
+		ctx:             ctx,
+		snap:            snap,
+		accountID:       accountID,
+		change:          c,
+		changedGroupSet: toSet(c.ChangedGroupIDs),
+		changedPeerSet:  toSet(c.ChangedPeerIDs),
+		groupSet:        make(map[string]struct{}),
+		peerSet:         make(map[string]struct{}),
+		networkIDs:      make(map[string]struct{}),
 	}
-	// LinkGroups match policies/routes to find the opposite side but are NOT output:
-	// they go into linkGroups only, never outputGroups, so their members never fold in.
-	addAll(r.linkGroups, c.LinkGroups)
 	// Resolve each changed peer to its groups here so callers pass only ChangedPeerIDs.
 	r.seedChangedGroupsFromPeers()
+	r.matchedPolicies = append(r.matchedPolicies, c.Policies...)
 	return r
 }
 
-// seedChangedGroupsFromPeers adds each changed peer's groups to linkGroups so
+// seedChangedGroupsFromPeers adds each changed peer's groups to changedGroupSet so
 // the group-driven walkers fire for memberships, not just direct peer references.
-// These seeded groups are for MATCHING only — folding the changed entity's own
-// side is gated on outputGroups (the caller-reported groups), so a seeded group
-// never folds its whole membership; only the changed peer itself folds in.
 func (r *resolver) seedChangedGroupsFromPeers() {
-	if len(r.changedPeers) == 0 {
+	if len(r.changedPeerSet) == 0 {
 		return
 	}
 	for groupID, members := range r.snap.groupPeers {
-		for pID := range r.changedPeers {
+		for pID := range r.changedPeerSet {
 			if _, ok := members[pID]; ok {
-				r.linkGroups[groupID] = struct{}{}
+				r.changedGroupSet[groupID] = struct{}{}
 				break
 			}
 		}
 	}
 }
 
-// policySide selects which side of a policy rule to walk.
-type policySide int
-
-const (
-	sideSource policySide = iota
-	sideDestination
-)
-
-func (s policySide) opposite() policySide {
-	if s == sideSource {
-		return sideDestination
-	}
-	return sideSource
-}
-
-// walk resolves affected peers in two buckets, by how far each change propagates.
-//
-// BOTH-SIDES — the rule itself changed (an explicit policy edit, or a policy whose
-// posture check changed). Source AND destination refresh, so each such policy is
-// walked on both sides.
-//
-// OPPOSITE-SIDE — an endpoint moved but no rule changed. For each policy the change
-// touches we fold only the side AWAY from the change:
-//   - a changed peer/group sits ON a policy side -> fold the opposite side;
-//   - a changed router/resource/network sits on a NETWORK -> fold the SOURCE side of
-//     the policies whose destination reaches it (and the routers it implies).
-//
-// Routes, nameserver groups, DNS and embedded-proxy services distribute to their own
-// member peers, outside the policy graph, and are folded here too.
 func (r *resolver) walk() {
-	for _, policy := range r.bothSidesPolicies() {
-		r.foldPolicySide(policy, sideSource)
-		r.foldPolicySide(policy, sideDestination)
-	}
+	r.collectFromExplicitPolicies()
+	r.collectFromExplicitRoutes(r.change.Routes)
+	r.collectFromExplicitRouters(r.change.Routers)
+	r.collectFromExplicitResources(r.change.Resources)
+	r.collectFromExplicitNetworks(r.change.Networks)
+	r.collectFromPostureChecks(r.change.PostureCheckIDs)
 
-	if len(r.linkGroups) > 0 || len(r.changedPeers) > 0 {
+	// Distribution groups (nameserver/DNS) affect only their member peers: fold them
+	// straight into groupSet so expand() maps them to members, without the policy/
+	// route walk that changedGroupSet would trigger.
+	addAll(r.groupSet, r.change.DistributionGroupIDs)
+
+	if len(r.changedGroupSet) > 0 || len(r.changedPeerSet) > 0 {
 		r.collectFromPolicies()
 		r.collectFromRoutes()
 		r.collectFromNameServers()
@@ -323,31 +275,7 @@ func (r *resolver) walk() {
 		r.collectFromProxyServices()
 	}
 
-	r.collectFromChangedRoutes(r.change.Routes)
-	r.collectFromChangedRouters(r.change.Routers)
-	r.collectFromChangedResources(r.change.Resources)
-	r.collectFromChangedNetworks(r.change.Networks)
-
-	// The explicitly changed peers always refresh their own maps. OnPeersUpdated only
-	// refreshes the resolver's output (it ignores the separately-passed changed peers),
-	// so the changed peer reaches its own new map only via here. An offline/deleted
-	// peer in the set is filtered downstream (filterConnectedAffectedPeers).
-	addAll(r.affectedPeers, setToSlice(r.changedPeers))
-	// OutputPeerIDs refresh themselves too, but unlike changedPeers their group
-	// memberships were not seeded into the walk (only the changed group was).
-	addAll(r.affectedPeers, r.change.OutputPeerIDs)
-
-	// Distribution groups (nameserver/DNS) affect only their member peers: fold them
-	// straight into affectedGroups so expand() maps them to members, without the
-	// policy/route walk that linkGroups would trigger.
-	addAll(r.affectedGroups, r.change.DistributionGroupIDs)
-}
-
-// bothSidesPolicies are the policies whose rule changed: the explicitly edited ones
-// plus those gated by a changed posture check. walk folds both their sides.
-func (r *resolver) bothSidesPolicies() []*types.Policy {
-	policies := append([]*types.Policy(nil), r.change.Policies...)
-	return r.appendPoliciesForPostureChecks(policies, r.change.PostureCheckIDs)
+	r.collectResourceRouterBridge()
 }
 
 type resolver struct {
@@ -356,25 +284,14 @@ type resolver struct {
 	accountID string
 	change    Change
 
-	// Inputs — what changed. Set once at construction, read-only during the walk
-	// (except linkGroups, which collectFromExplicitResources also seeds).
-	//
-	// linkGroups is the MATCH set: caller-changed groups ∪ the groups of changed
-	// peers ∪ changed-resource groups. A rule/route/router matches the change when
-	// one of its groups is here — used only to find the opposite side to fold.
-	//
-	// outputGroups is the FOLD-WHOLE-GROUP set: ONLY Change.ChangedGroupIDs. When a
-	// matched group is here, its whole membership is affected. A peer-seeded group
-	// is in linkGroups but NOT outputGroups, so it folds only the changed peer
-	// (changedPeers), never its siblings.
-	linkGroups   map[string]struct{}
-	outputGroups map[string]struct{}
-	changedPeers map[string]struct{}
+	changedGroupSet map[string]struct{}
+	changedPeerSet  map[string]struct{}
 
-	// Outputs — the answer. The only sets the walk accumulates into. affectedGroups
-	// is expanded to its member peers in expand().
-	affectedGroups map[string]struct{}
-	affectedPeers  map[string]struct{}
+	groupSet map[string]struct{}
+	peerSet  map[string]struct{}
+
+	matchedPolicies []*types.Policy
+	networkIDs      map[string]struct{}
 }
 
 func (r *resolver) policies() []*types.Policy { return r.snap.policies }
@@ -384,10 +301,10 @@ func (r *resolver) networkResources() []*resourceTypes.NetworkResource { return
 func (r *resolver) networkRouters() []*routerTypes.NetworkRouter { return r.snap.routers }
 
 // peerIDsForGroups maps a group set to its member peer IDs via the preloaded index.
-func (r *resolver) peerIDsForGroups(groups map[string]struct{}) []string {
+func (r *resolver) peerIDsForGroups(groupSet map[string]struct{}) []string {
 	seen := make(map[string]struct{})
 	var ids []string
-	for gID := range groups {
+	for gID := range groupSet {
 		for pID := range r.snap.groupPeers[gID] {
 			if _, ok := seen[pID]; ok {
 				continue
@@ -400,25 +317,25 @@ func (r *resolver) peerIDsForGroups(groups map[string]struct{}) []string {
 }
 
 func (r *resolver) expand() []string {
-	peerIDs := r.peerIDsForGroups(r.affectedGroups)
+	peerIDs := r.peerIDsForGroups(r.groupSet)
 
 	log.WithContext(r.ctx).Tracef("affectedpeers expand: account=%s affectedGroups=%v -> %d group-member peers; direct peers=%v",
-		r.accountID, setToSlice(r.affectedGroups), len(peerIDs), setToSlice(r.affectedPeers))
+		r.accountID, setToSlice(r.groupSet), len(peerIDs), setToSlice(r.peerSet))
 
 	seen := make(map[string]struct{}, len(peerIDs))
 	for _, id := range peerIDs {
 		seen[id] = struct{}{}
 	}
-	for id := range r.affectedPeers {
+	for id := range r.peerSet {
 		if _, ok := seen[id]; !ok {
 			peerIDs = append(peerIDs, id)
 			seen[id] = struct{}{}
 		}
 	}
 
-	// Fold in removed peers only when their group is linked (in affectedGroups).
+	// Fold in removed peers only when their group is linked (in groupSet).
 	for groupID, removed := range r.change.RemovedPeersByGroup {
-		if _, linked := r.affectedGroups[groupID]; !linked {
+		if _, linked := r.groupSet[groupID]; !linked {
 			continue
 		}
 		for _, id := range removed {
@@ -434,300 +351,169 @@ func (r *resolver) expand() []string {
 	return peerIDs
 }
 
-// ruleSideGroups / ruleSideResource return the groups and the resource on the given
-// side of a rule.
-func ruleSideGroups(rule *types.PolicyRule, side policySide) []string {
-	if side == sideDestination {
-		return rule.Destinations
+func (r *resolver) collectFromExplicitPolicies() {
+	for _, policy := range r.matchedPolicies {
+		if policy == nil {
+			continue
+		}
+		log.WithContext(r.ctx).Tracef("collectFromExplicitPolicies: changed policy %s (%s) -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
 	}
-	return rule.Sources
 }
 
-func ruleSideResource(rule *types.PolicyRule, side policySide) types.Resource {
-	if side == sideDestination {
-		return rule.DestinationResource
-	}
-	return rule.SourceResource
-}
-
-// foldPolicySide folds one side of a policy down to affected peers: its groups
-// (resolved to members in expand) and its direct peer. When the side is the
-// DESTINATION and references a network resource (directly or via a destination
-// group's resources), it also folds the routers that serve that resource's network
-// — a destination resource is reached through its routers. A resource on the SOURCE
-// side routes to nobody (GetPoliciesForNetworkResource matches destinations only),
-// so the router hop is destination-only.
-func (r *resolver) foldPolicySide(policy *types.Policy, side policySide) {
-	if policy == nil {
-		return
-	}
-	for _, rule := range policy.Rules {
-		addAll(r.affectedGroups, ruleSideGroups(rule, side))
-		res := ruleSideResource(rule, side)
-		if res.Type == types.ResourceTypePeer && res.ID != "" {
-			r.affectedPeers[res.ID] = struct{}{}
+func (r *resolver) collectFromExplicitRoutes(routes []*route.Route) {
+	for _, rt := range routes {
+		if rt == nil {
+			continue
+		}
+		log.WithContext(r.ctx).Tracef("collectFromExplicitRoutes: changed route %s -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
+			rt.ID, rt.Groups, rt.PeerGroups, rt.AccessControlGroups, rt.Peer)
+		addAll(r.groupSet, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
+		if rt.Peer != "" {
+			r.peerSet[rt.Peer] = struct{}{}
 		}
 	}
-	if side == sideDestination {
-		r.foldRoutersForResources(r.policyDestinationResourceIDs(policy))
+}
+
+// collectFromExplicitRouters folds changed routers' peers and marks their networks
+// for the bridge. Passing the old router keeps a repointed router's previous peers
+// affected without a post-commit read.
+func (r *resolver) collectFromExplicitRouters(routers []*routerTypes.NetworkRouter) {
+	for _, router := range routers {
+		if router == nil {
+			continue
+		}
+		log.WithContext(r.ctx).Tracef("collectFromExplicitRouters: changed router %s on network %s -> folding peerGroups=%v peer=%q and marking network for source bridge",
+			router.ID, router.NetworkID, router.PeerGroups, router.Peer)
+		addAll(r.groupSet, router.PeerGroups)
+		if router.Peer != "" {
+			r.peerSet[router.Peer] = struct{}{}
+		}
+		if router.NetworkID != "" {
+			r.networkIDs[router.NetworkID] = struct{}{}
+		}
 	}
 }
 
-// appendPoliciesForPostureChecks appends every policy that references a changed
-// posture check (a rule change, so walk both sides).
-func (r *resolver) appendPoliciesForPostureChecks(policies []*types.Policy, postureCheckIDs []string) []*types.Policy {
+// collectFromExplicitResources marks changed resources' networks for the bridge and
+// treats their group IDs as changed, so policies targeting the resource via a
+// now-detached (old) group still refresh.
+func (r *resolver) collectFromExplicitResources(resources []*resourceTypes.NetworkResource) {
+	for _, resource := range resources {
+		if resource == nil {
+			continue
+		}
+		log.WithContext(r.ctx).Tracef("collectFromExplicitResources: changed resource %s on network %s -> marking network for bridge and treating groups %v as changed",
+			resource.ID, resource.NetworkID, resource.GroupIDs)
+		addAll(r.changedGroupSet, resource.GroupIDs)
+		if resource.NetworkID != "" {
+			r.networkIDs[resource.NetworkID] = struct{}{}
+		}
+	}
+}
+
+// collectFromExplicitNetworks marks changed networks for the bridge. A network has
+// no groups/peers of its own.
+func (r *resolver) collectFromExplicitNetworks(networks []*networkTypes.Network) {
+	for _, network := range networks {
+		if network == nil {
+			continue
+		}
+		log.WithContext(r.ctx).Tracef("collectFromExplicitNetworks: changed network %s -> marking for bridge", network.ID)
+		if network.ID != "" {
+			r.networkIDs[network.ID] = struct{}{}
+		}
+	}
+}
+
+func (r *resolver) collectFromPostureChecks(postureCheckIDs []string) {
 	if len(postureCheckIDs) == 0 {
-		return policies
+		return
 	}
 	ids := toSet(postureCheckIDs)
 	for _, policy := range r.policies() {
 		if !policyReferencesPostureChecks(policy, ids) {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("appendPoliciesForPostureChecks: policy %s (%s) references changed posture checks %v -> both-sides policy",
-			policy.ID, policy.Name, postureCheckIDs)
-		policies = append(policies, policy)
+		log.WithContext(r.ctx).Tracef("collectFromPostureChecks: policy %s (%s) references changed posture checks %v -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, postureCheckIDs, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
+		r.matchedPolicies = append(r.matchedPolicies, policy)
 	}
-	return policies
 }
 
-// collectFromPolicies folds, for every policy whose rule a changed group or peer
-// touches, only the OPPOSITE side (down to peers, incl. destination routers), plus
-// the changed entity's own side: the changed group's whole membership when the
-// group itself changed (outputGroups), or the changed peer alone when matched via a
-// peer-seeded group (never its co-members).
 func (r *resolver) collectFromPolicies() {
 	for _, policy := range r.policies() {
-		for _, rule := range policy.Rules {
-			r.foldRuleSideIfChanged(policy, rule, sideSource)
-			r.foldRuleSideIfChanged(policy, rule, sideDestination)
-		}
-	}
-}
-
-// foldRuleSideIfChanged: when a changed group or direct peer sits on `side` of the
-// rule, fold the opposite side fully (groups/peers + destination routers) and fold
-// the changed entity's own side (the whole changed group, or the changed peer alone).
-func (r *resolver) foldRuleSideIfChanged(policy *types.Policy, rule *types.PolicyRule, side policySide) {
-	nearGroups := ruleSideGroups(rule, side)
-	nearResource := ruleSideResource(rule, side)
-
-	matchedByGroup := anyInSet(nearGroups, r.linkGroups)
-	matchedByPeer := isDirectPeerInSet(nearResource, r.changedPeers)
-	if !matchedByGroup && !matchedByPeer {
-		return
-	}
-
-	// Opposite side, fully down to peers (a destination opposite also folds routers).
-	r.foldPolicySideForRule(policy, rule, side.opposite())
-
-	// Own side: fold the whole changed group's members only when the group itself
-	// changed (outputGroups). A peer-seeded or link-only group is not folded here —
-	// its siblings never refresh. The changed peers themselves are folded once, after
-	// the walk (see walk()).
-	for _, gID := range nearGroups {
-		if _, ok := r.outputGroups[gID]; ok {
-			r.affectedGroups[gID] = struct{}{}
-		}
-	}
-
-	// When the changed side IS a destination, the resources it targets are reached
-	// through their network's routers, so those routers refresh too (e.g. attaching a
-	// resource to a destination group, or a changed destination group/resource).
-	if side == sideDestination {
-		r.foldRoutersForResources(r.ruleDestinationResourceIDs(rule))
-	}
-}
-
-// foldPolicySideForRule folds one side of a single rule (groups + direct peer), and
-// for a destination side the routers of that rule's destination resources.
-func (r *resolver) foldPolicySideForRule(policy *types.Policy, rule *types.PolicyRule, side policySide) {
-	addAll(r.affectedGroups, ruleSideGroups(rule, side))
-	res := ruleSideResource(rule, side)
-	if res.Type == types.ResourceTypePeer && res.ID != "" {
-		r.affectedPeers[res.ID] = struct{}{}
-	}
-	if side == sideDestination {
-		r.foldRoutersForResources(r.ruleDestinationResourceIDs(rule))
-	}
-}
-
-// collectFromChangedRoutes folds an explicitly changed route's own groups and peer.
-func (r *resolver) collectFromChangedRoutes(routes []*route.Route) {
-	for _, rt := range routes {
-		if rt == nil {
+		matchedByGroup := policyReferencesGroups(policy, r.changedGroupSet)
+		matchedByPeer := len(r.changedPeerSet) > 0 && policyReferencesDirectPeers(policy, r.changedPeerSet)
+		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedRoutes: changed route %s -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
-			rt.ID, rt.Groups, rt.PeerGroups, rt.AccessControlGroups, rt.Peer)
-		addAll(r.affectedGroups, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
-		if rt.Peer != "" {
-			r.affectedPeers[rt.Peer] = struct{}{}
-		}
-	}
-}
-
-// collectFromChangedRouters: a changed router refreshes its OWN backing peer/groups
-// (the changed entity) and the SOURCE side of every policy reaching a resource on
-// its network (the router serves the whole network). Sibling routers on the network
-// are independent and are NOT folded. Passing the old router state keeps a repointed
-// router's previous backing affected without a post-commit read.
-func (r *resolver) collectFromChangedRouters(routers []*routerTypes.NetworkRouter) {
-	for _, router := range routers {
-		if router == nil {
-			continue
-		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedRouters: changed router %s on network %s -> folding its own peerGroups=%v peer=%q + sources reaching network resources",
-			router.ID, router.NetworkID, router.PeerGroups, router.Peer)
-		addAll(r.affectedGroups, router.PeerGroups)
-		if router.Peer != "" {
-			r.affectedPeers[router.Peer] = struct{}{}
-		}
-		if router.NetworkID != "" {
-			r.foldPolicySourcesForResources(r.networkResourceIDs(router.NetworkID))
-		}
-	}
-}
-
-// collectFromChangedResources: a changed resource refreshes the SOURCE side of the
-// policies targeting EXACTLY that resource — directly, or via one of the resource's
-// own groups (old∪new across the change, so a now-detached group's sources still
-// refresh) — plus the routers serving its network (the resource is reached through
-// them). It does not touch sibling resources on the same network.
-func (r *resolver) collectFromChangedResources(resources []*resourceTypes.NetworkResource) {
-	for _, resource := range resources {
-		if resource == nil {
-			continue
-		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedResources: changed resource %s on network %s (groups %v) -> folding sources of policies targeting it + its network's routers",
-			resource.ID, resource.NetworkID, resource.GroupIDs)
-		r.foldPolicySourcesForResource(resource.ID, resource.GroupIDs)
-		if resource.NetworkID != "" {
-			r.foldRoutersOnNetworks(map[string]struct{}{resource.NetworkID: {}})
-		}
-	}
-}
-
-// foldPolicySourcesForResource folds the source side of every policy whose
-// destination is the given resource — referenced directly, or via any of the given
-// groups (the resource's own old∪new groups, which captures a detached group).
-func (r *resolver) foldPolicySourcesForResource(resourceID string, groupIDs []string) {
-	groups := toSet(groupIDs)
-	for _, policy := range r.policies() {
-		if !policyTargetsResourceOrGroups(policy, resourceID, groups) {
-			continue
-		}
-		log.WithContext(r.ctx).Tracef("foldPolicySourcesForResource: policy %s (%s) targets changed resource %s -> folding its source groups/peers", policy.ID, policy.Name, resourceID)
-		collectPolicySources(policy, r.affectedGroups, r.affectedPeers)
-	}
-}
-
-// policyTargetsResourceOrGroups reports whether a policy's destination is the given
-// resource directly, or one of the given destination groups.
-func policyTargetsResourceOrGroups(policy *types.Policy, resourceID string, groups map[string]struct{}) bool {
-	if policy == nil {
-		return false
-	}
-	for _, rule := range policy.Rules {
-		if rule.DestinationResource.Type != types.ResourceTypePeer && rule.DestinationResource.ID == resourceID && resourceID != "" {
-			return true
-		}
-		if anyInSet(rule.Destinations, groups) {
-			return true
-		}
-	}
-	return false
-}
-
-// collectFromChangedNetworks: a changed network refreshes the SOURCE side of the
-// policies reaching any of its resources, plus its routers. A network has no
-// groups/peers of its own.
-func (r *resolver) collectFromChangedNetworks(networks []*networkTypes.Network) {
-	for _, network := range networks {
-		if network == nil || network.ID == "" {
-			continue
-		}
-		log.WithContext(r.ctx).Tracef("collectFromChangedNetworks: changed network %s -> folding sources reaching its resources + its routers", network.ID)
-		resourceIDs := r.networkResourceIDs(network.ID)
-		r.foldPolicySourcesForResources(resourceIDs)
-		r.foldRoutersOnNetworks(map[string]struct{}{network.ID: {}})
-	}
-}
-
-// foldPolicySourcesForResources folds the source groups/peers of every policy whose
-// destination targets one of resourceIDs (directly or via a destination group).
-func (r *resolver) foldPolicySourcesForResources(resourceIDs map[string]struct{}) {
-	if len(resourceIDs) == 0 {
-		return
-	}
-	for _, policy := range r.policies() {
-		if r.policyTargetsResources(policy, resourceIDs) {
-			log.WithContext(r.ctx).Tracef("foldPolicySourcesForResources: policy %s (%s) targets a changed resource -> folding its source groups/peers", policy.ID, policy.Name)
-			collectPolicySources(policy, r.affectedGroups, r.affectedPeers)
-		}
+		log.WithContext(r.ctx).Tracef("collectFromPolicies: policy %s (%s) matched (byGroup=%t byPeer=%t) -> folding rule groups %v + direct peers",
+			policy.ID, policy.Name, matchedByGroup, matchedByPeer, policy.RuleGroups())
+		addAll(r.groupSet, policy.RuleGroups())
+		collectPolicyDirectPeers(policy, r.peerSet)
+		r.matchedPolicies = append(r.matchedPolicies, policy)
 	}
 }
 
 func (r *resolver) collectFromRoutes() {
 	for _, rt := range r.snap.routes {
-		matchedByGroup := anyInSet(rt.Groups, r.linkGroups) || anyInSet(rt.PeerGroups, r.linkGroups) || anyInSet(rt.AccessControlGroups, r.linkGroups)
-		matchedByPeer := rt.Peer != "" && len(r.changedPeers) > 0 && isInSet(rt.Peer, r.changedPeers)
+		matchedByGroup := anyInSet(rt.Groups, r.changedGroupSet) || anyInSet(rt.PeerGroups, r.changedGroupSet) || anyInSet(rt.AccessControlGroups, r.changedGroupSet)
+		matchedByPeer := rt.Peer != "" && len(r.changedPeerSet) > 0 && isInSet(rt.Peer, r.changedPeerSet)
 		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
 		log.WithContext(r.ctx).Tracef("collectFromRoutes: route %s matched (byGroup=%t byPeer=%t) -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
 			rt.ID, matchedByGroup, matchedByPeer, rt.Groups, rt.PeerGroups, rt.AccessControlGroups, rt.Peer)
-		addAll(r.affectedGroups, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
+		addAll(r.groupSet, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
 		if rt.Peer != "" {
-			r.affectedPeers[rt.Peer] = struct{}{}
+			r.peerSet[rt.Peer] = struct{}{}
 		}
 	}
 }
 
 func (r *resolver) collectFromNameServers() {
-	if len(r.linkGroups) == 0 {
+	if len(r.changedGroupSet) == 0 {
 		return
 	}
 	for _, ns := range r.snap.nsGroups {
-		if anyInSet(ns.Groups, r.linkGroups) {
+		if anyInSet(ns.Groups, r.changedGroupSet) {
 			log.WithContext(r.ctx).Tracef("collectFromNameServers: nameserver group %s references a changed group -> folding its groups %v", ns.ID, ns.Groups)
-			addAll(r.affectedGroups, ns.Groups)
+			addAll(r.groupSet, ns.Groups)
 		}
 	}
 }
 
 func (r *resolver) collectFromDNSSettings() {
-	if len(r.linkGroups) == 0 || r.snap.dnsSettings == nil {
+	if len(r.changedGroupSet) == 0 || r.snap.dnsSettings == nil {
 		return
 	}
 	for _, gID := range r.snap.dnsSettings.DisabledManagementGroups {
-		if _, ok := r.linkGroups[gID]; ok {
+		if _, ok := r.changedGroupSet[gID]; ok {
 			log.WithContext(r.ctx).Tracef("collectFromDNSSettings: changed group %s is in DisabledManagementGroups -> folding it", gID)
-			r.affectedGroups[gID] = struct{}{}
+			r.groupSet[gID] = struct{}{}
 		}
 	}
 }
 
-// collectFromNetworkRouters handles a changed group/peer that BACKS a router (the
-// routing peer set moved): the router's own peers refresh and so do the sources of
-// the policies reaching its network's resources. Sibling routers on the network are
-// independent and are not folded.
 func (r *resolver) collectFromNetworkRouters() {
 	for _, router := range r.networkRouters() {
-		matchedByGroup := anyInSet(router.PeerGroups, r.linkGroups)
-		matchedByPeer := router.Peer != "" && len(r.changedPeers) > 0 && isInSet(router.Peer, r.changedPeers)
+		matchedByGroup := anyInSet(router.PeerGroups, r.changedGroupSet)
+		matchedByPeer := router.Peer != "" && len(r.changedPeerSet) > 0 && isInSet(router.Peer, r.changedPeerSet)
 		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromNetworkRouters: router %s on network %s matched (byGroup=%t byPeer=%t) -> folding its peerGroups=%v peer=%q + sources reaching network resources",
+		log.WithContext(r.ctx).Tracef("collectFromNetworkRouters: router %s on network %s matched (byGroup=%t byPeer=%t) -> folding peerGroups=%v peer=%q and marking network for source bridge",
 			router.ID, router.NetworkID, matchedByGroup, matchedByPeer, router.PeerGroups, router.Peer)
-		addAll(r.affectedGroups, router.PeerGroups)
+		addAll(r.groupSet, router.PeerGroups)
 		if router.Peer != "" {
-			r.affectedPeers[router.Peer] = struct{}{}
-		}
-		if router.NetworkID != "" {
-			r.foldPolicySourcesForResources(r.networkResourceIDs(router.NetworkID))
+			r.peerSet[router.Peer] = struct{}{}
 		}
+		r.networkIDs[router.NetworkID] = struct{}{}
 	}
 }
 
@@ -748,34 +534,34 @@ func (r *resolver) collectFromProxyServices() {
 			continue
 		}
 		matchedByPeer := serviceMatchesChangedPeers(svc, proxyPeers, expanded)
-		matchedByAccessGroup := anyInSet(svc.AccessGroups, r.linkGroups)
+		matchedByAccessGroup := anyInSet(svc.AccessGroups, r.changedGroupSet)
 		if !matchedByPeer && !matchedByAccessGroup {
 			continue
 		}
 		log.WithContext(r.ctx).Tracef("collectFromProxyServices: service %s (cluster=%s) matched (byProxyOrTargetPeer=%t byAccessGroup=%t) -> folding %d proxy peers, peer targets and access groups %v",
 			svc.ID, svc.ProxyCluster, matchedByPeer, matchedByAccessGroup, len(proxyPeers), svc.AccessGroups)
 		for _, pid := range proxyPeers {
-			r.affectedPeers[pid] = struct{}{}
+			r.peerSet[pid] = struct{}{}
 		}
 		for _, target := range svc.Targets {
 			if target.TargetType == rpservice.TargetTypePeer && target.TargetId != "" {
-				r.affectedPeers[target.TargetId] = struct{}{}
+				r.peerSet[target.TargetId] = struct{}{}
 			}
 		}
-		addAll(r.affectedGroups, svc.AccessGroups)
+		addAll(r.groupSet, svc.AccessGroups)
 	}
 }
 
 func (r *resolver) expandChangedPeersWithGroups() map[string]struct{} {
-	if len(r.linkGroups) == 0 {
-		return r.changedPeers
+	if len(r.changedGroupSet) == 0 {
+		return r.changedPeerSet
 	}
-	ids := r.peerIDsForGroups(r.linkGroups)
+	ids := r.peerIDsForGroups(r.changedGroupSet)
 	if len(ids) == 0 {
-		return r.changedPeers
+		return r.changedPeerSet
 	}
-	merged := make(map[string]struct{}, len(r.changedPeers)+len(ids))
-	for id := range r.changedPeers {
+	merged := make(map[string]struct{}, len(r.changedPeerSet)+len(ids))
+	for id := range r.changedPeerSet {
 		merged[id] = struct{}{}
 	}
 	for _, id := range ids {
@@ -784,36 +570,54 @@ func (r *resolver) expandChangedPeersWithGroups() map[string]struct{} {
 	return merged
 }
 
-// foldRoutersForResources folds the routers serving the networks of the given
-// resources (a destination resource is reached through its network's routers). It is
-// the resource -> network -> router hop used by foldPolicySide for a destination.
-func (r *resolver) foldRoutersForResources(resourceIDs map[string]struct{}) {
+// collectResourceRouterBridge crosses between source peers and routing peers, which
+// are reachable only via resource -> network -> router, not through the policy's own
+// groups: source -> router (targeted resources' networks), then router -> source.
+func (r *resolver) collectResourceRouterBridge() {
+	r.bridgeSourceToRouters()
+	r.bridgeRoutersToSources()
+}
+
+func (r *resolver) bridgeSourceToRouters() {
+	resourceIDs := r.policyDestinationResourceIDs(r.matchedPolicies...)
 	if len(resourceIDs) == 0 {
 		return
 	}
-	r.foldRoutersOnNetworks(r.resourceNetworkIDs(resourceIDs))
-}
 
-// ruleDestinationResourceIDs returns the destination resource IDs of a single rule:
-// the direct DestinationResource plus the resources of its destination groups.
-func (r *resolver) ruleDestinationResourceIDs(rule *types.PolicyRule) map[string]struct{} {
-	resourceIDs := make(map[string]struct{})
-	if rule.DestinationResource.Type != types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-		resourceIDs[rule.DestinationResource.ID] = struct{}{}
+	networkIDs := r.resourceNetworkIDs(resourceIDs)
+	log.WithContext(r.ctx).Tracef("bridgeSourceToRouters: targeted resources %v -> networks %v (their routers become affected via the router->source pass)",
+		setToSlice(resourceIDs), setToSlice(networkIDs))
+	for id := range networkIDs {
+		r.networkIDs[id] = struct{}{}
 	}
-	r.addGroupResourceIDs(toSet(rule.Destinations), resourceIDs)
-	return resourceIDs
 }
 
-// networkResourceIDs returns the IDs of all resources on the given network.
-func (r *resolver) networkResourceIDs(networkID string) map[string]struct{} {
+func (r *resolver) bridgeRoutersToSources() {
+	if len(r.networkIDs) == 0 {
+		return
+	}
+
+	log.WithContext(r.ctx).Tracef("bridgeRoutersToSources: affected networks %v -> folding their routing peers and the source peers of policies targeting their resources",
+		setToSlice(r.networkIDs))
+
+	r.foldRoutersOnNetworks(r.networkIDs)
+
 	resourceIDs := make(map[string]struct{})
 	for _, resource := range r.networkResources() {
-		if resource.NetworkID == networkID {
+		if _, ok := r.networkIDs[resource.NetworkID]; ok {
 			resourceIDs[resource.ID] = struct{}{}
 		}
 	}
-	return resourceIDs
+	if len(resourceIDs) == 0 {
+		return
+	}
+
+	for _, policy := range r.policies() {
+		if r.policyTargetsResources(policy, resourceIDs) {
+			log.WithContext(r.ctx).Tracef("bridgeRoutersToSources: policy %s (%s) targets an affected-network resource -> folding its source groups/peers", policy.ID, policy.Name)
+			collectPolicySources(policy, r.groupSet, r.peerSet)
+		}
+	}
 }
 
 func (r *resolver) foldRoutersOnNetworks(networkIDs map[string]struct{}) {
@@ -823,9 +627,9 @@ func (r *resolver) foldRoutersOnNetworks(networkIDs map[string]struct{}) {
 		}
 		log.WithContext(r.ctx).Tracef("bridgeRoutersToSources: router %s serves affected network %s -> folding peerGroups=%v peer=%q",
 			router.ID, router.NetworkID, router.PeerGroups, router.Peer)
-		addAll(r.affectedGroups, router.PeerGroups)
+		addAll(r.groupSet, router.PeerGroups)
 		if router.Peer != "" {
-			r.affectedPeers[router.Peer] = struct{}{}
+			r.peerSet[router.Peer] = struct{}{}
 		}
 	}
 }
@@ -910,26 +714,44 @@ func (r *resolver) addGroupResourceIDs(groupIDs map[string]struct{}, resourceIDs
 	}
 }
 
-func collectPolicyDirectPeers(policy *types.Policy, peers map[string]struct{}) {
+func collectPolicyDirectPeers(policy *types.Policy, peerSet map[string]struct{}) {
 	for _, rule := range policy.Rules {
 		if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-			peers[rule.SourceResource.ID] = struct{}{}
+			peerSet[rule.SourceResource.ID] = struct{}{}
 		}
 		if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-			peers[rule.DestinationResource.ID] = struct{}{}
+			peerSet[rule.DestinationResource.ID] = struct{}{}
 		}
 	}
 }
 
-func collectPolicySources(policy *types.Policy, groups, peers map[string]struct{}) {
+func collectPolicySources(policy *types.Policy, groupSet, peerSet map[string]struct{}) {
 	for _, rule := range policy.Rules {
-		addAll(groups, rule.Sources)
+		addAll(groupSet, rule.Sources)
 		if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
-			peers[rule.SourceResource.ID] = struct{}{}
+			peerSet[rule.SourceResource.ID] = struct{}{}
 		}
 	}
 }
 
+func policyReferencesGroups(policy *types.Policy, groupSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
+			return true
+		}
+	}
+	return false
+}
+
+func policyReferencesDirectPeers(policy *types.Policy, changedSet map[string]struct{}) bool {
+	for _, rule := range policy.Rules {
+		if isDirectPeerInSet(rule.SourceResource, changedSet) || isDirectPeerInSet(rule.DestinationResource, changedSet) {
+			return true
+		}
+	}
+	return false
+}
+
 func policyReferencesPostureChecks(policy *types.Policy, ids map[string]struct{}) bool {
 	for _, id := range policy.SourcePostureChecks {
 		if _, ok := ids[id]; ok {

management/server/affectedpeers/resolver_test.go

@@ -80,6 +80,26 @@ func TestChangeIsEmpty(t *testing.T) {
 	assert.False(t, Change{PostureCheckIDs: []string{"pc"}}.isEmpty())
 }
 
+func TestPolicyReferencesGroups(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{Sources: []string{"g1", "g2"}, Destinations: []string{"g3"}}}}
+
+	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g1": {}}))
+	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g3": {}}))
+	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{"g4": {}}))
+	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{}))
+}
+
+func TestPolicyReferencesDirectPeers(t *testing.T) {
+	policy := &types.Policy{Rules: []*types.PolicyRule{{
+		SourceResource:      types.Resource{Type: types.ResourceTypePeer, ID: "p1"},
+		DestinationResource: types.Resource{Type: types.ResourceTypeHost, ID: "r1"},
+	}}}
+
+	assert.True(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p1": {}}))
+	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"r1": {}}))
+	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p2": {}}))
+}
+
 func TestPolicyReferencesPostureChecks(t *testing.T) {
 	policy := &types.Policy{SourcePostureChecks: []string{"pc1", "pc2"}}
 

management/server/group.go

@@ -520,12 +520,7 @@ func collectDeletableGroups(ctx context.Context, transaction store.Store, accoun
 // GroupAddPeer appends peer to the group
 func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, groupID, peerID string) error {
 	var snap *affectedpeers.Snapshot
-	// A membership change affects only the peer itself and the opposite side of THIS
-	// group's policies — not the group's other members, and not the peer's other
-	// groups. LinkGroups walks only this group (matched, not expanded); OutputPeerIDs
-	// refreshes the peer without seeding its other group memberships. For an
-	// intra-group policy the opposite side is the group, so its members still refresh.
-	change := affectedpeers.Change{OutputPeerIDs: []string{peerID}, LinkGroups: []string{groupID}}
+	change := affectedpeers.Change{ChangedGroupIDs: []string{groupID}}
 
 	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := transaction.AddPeerToGroup(ctx, accountID, peerID, groupID); err != nil {
@@ -591,11 +586,10 @@ func (am *DefaultAccountManager) GroupAddResource(ctx context.Context, accountID
 // GroupDeletePeer removes peer from the group
 func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID, groupID, peerID string) error {
 	var snap *affectedpeers.Snapshot
-	// Same as GroupAddPeer: the removed peer and the opposite side of THIS group's
-	// policies refresh, not the group's other members or the peer's other groups. The
-	// peer is no longer in the group's index, but LinkGroups still drives the
-	// opposite-side walk, and OutputPeerIDs refreshes the removed peer itself.
-	change := affectedpeers.Change{OutputPeerIDs: []string{peerID}, LinkGroups: []string{groupID}}
+	change := affectedpeers.Change{
+		ChangedGroupIDs:     []string{groupID},
+		RemovedPeersByGroup: map[string][]string{groupID: {peerID}},
+	}
 
 	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := transaction.RemovePeerFromGroup(ctx, peerID, groupID); err != nil {
@@ -606,6 +600,8 @@ func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID,
 			return err
 		}
 
+		// The removed peer is carried in change.RemovedPeersByGroup and folded in
+		// only when the group is linked, so loading post-removal is correct.
 		var err error
 		if snap, err = affectedpeers.Load(ctx, transaction, accountID, change); err != nil {
 			return err

management/server/peer.go

@@ -188,15 +188,6 @@ func (am *DefaultAccountManager) MarkPeerDisconnected(ctx context.Context, peerP
 		}
 	}
 
-	if peer.AddedWithSSOLogin() && peer.InactivityExpirationEnabled {
-		settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
-		if err != nil {
-			log.WithContext(ctx).Warnf("failed getting account settings to schedule inactivity expiration for peer %s: %v", peer.ID, err)
-		} else if settings.PeerInactivityExpirationEnabled {
-			am.checkAndSchedulePeerInactivityExpiration(ctx, accountID)
-		}
-	}
-
 	return nil
 }