Use BindListener for all userspace bind in lazyconn activity

[misc] Add comment automation on release workflow for PRs (#6016 )
* feat: add comment automation on release workflow for PRs * update action permissions
2026-04-29 13:46:41 +00:00 · 2026-04-29 12:57:14 +02:00 · 2026-04-29 11:28:55 +02:00 · 2026-04-29 11:01:07 +02:00 · 2026-04-29 08:09:55 +02:00 · 2026-04-28 20:54:06 +02:00
53 changed files with 2399 additions and 6682 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.2"
+  SIGN_PIPE_VER: "v0.1.4"
  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -115,6 +115,12 @@ jobs:

  release:
    runs-on: ubuntu-latest-m
+    outputs:
+      release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
+      linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
+      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
+      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
+      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
    env:
      flags: ""
    steps:
@@ -213,10 +219,13 @@ jobs:
        if: always()
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: Tag and push images (amd64 only)
+        id: tag_and_push_images
        if: |
          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
          (github.event_name == 'push' && github.ref == 'refs/heads/main')
        run: |
+          set -euo pipefail
+
          resolve_tags() {
            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
              echo "pr-${{ github.event.pull_request.number }}"
@@ -225,6 +234,17 @@ jobs:
            fi
          }

+          ghcr_package_url() {
+            local image="$1" package encoded_package
+            package="${image#ghcr.io/}"
+            package="${package#*/}"
+            package="${package%%:*}"
+            encoded_package="${package//\//%2F}"
+            echo "https://github.com/orgs/netbirdio/packages/container/package/${encoded_package}"
+          }
+
+          image_refs=()
+
          tag_and_push() {
            local src="$1" img_name tag dst
            img_name="${src%%:*}"
@@ -233,35 +253,56 @@ jobs:
              echo "Tagging ${src} -> ${dst}"
              docker tag "$src" "$dst"
              docker push "$dst"
+              image_refs+=("$dst")
            done
          }

-          export -f tag_and_push resolve_tags
+          cat > /tmp/goreleaser-artifacts.json <<'JSON'
+          ${{ steps.goreleaser.outputs.artifacts }}
+          JSON

-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              tag_and_push "$SRC"
-            done
+          mapfile -t src_images < <(
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name | select(startswith("ghcr.io/"))' /tmp/goreleaser-artifacts.json
+          )
+
+          for src in "${src_images[@]}"; do
+            tag_and_push "$src"
+          done
+
+          {
+            echo "images_markdown<<EOF"
+            if [[ ${#image_refs[@]} -eq 0 ]]; then
+              echo "_No GHCR images were pushed._"
+            else
+              printf '%s\n' "${image_refs[@]}" | sort -u | while read -r image; do
+                printf -- '- [`%s`](%s)\n' "$image" "$(ghcr_package_url "$image")"
+              done
+            fi
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
      - name: upload non tags for debug purposes
+        id: upload_release
        uses: actions/upload-artifact@v4
        with:
          name: release
          path: dist/
          retention-days: 7
      - name: upload linux packages
+        id: upload_linux_packages
        uses: actions/upload-artifact@v4
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 7
      - name: upload windows packages
+        id: upload_windows_packages
        uses: actions/upload-artifact@v4
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 7
      - name: upload macos packages
+        id: upload_macos_packages
        uses: actions/upload-artifact@v4
        with:
          name: macos-packages
@@ -270,6 +311,8 @@ jobs:

  release_ui:
    runs-on: ubuntu-latest
+    outputs:
+      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
      - name: Parse semver string
        id: semver_parser
@@ -360,6 +403,7 @@ jobs:
        if: always()
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
+        id: upload_release_ui
        uses: actions/upload-artifact@v4
        with:
          name: release-ui
@@ -368,6 +412,8 @@ jobs:

  release_ui_darwin:
    runs-on: macos-latest
+    outputs:
+      release_ui_darwin_artifact_url: ${{ steps.upload_release_ui_darwin.outputs.artifact-url }}
    steps:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -402,12 +448,110 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: upload non tags for debug purposes
+        id: upload_release_ui_darwin
        uses: actions/upload-artifact@v4
        with:
          name: release-ui-darwin
          path: dist/
          retention-days: 3

+  comment_release_artifacts:
+    name: Comment release artifacts
+    runs-on: ubuntu-latest
+    needs: [release, release_ui, release_ui_darwin]
+    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Create or update PR comment
+        uses: actions/github-script@v7
+        env:
+          RELEASE_RESULT: ${{ needs.release.result }}
+          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
+          RELEASE_UI_DARWIN_RESULT: ${{ needs.release_ui_darwin.result }}
+          RELEASE_ARTIFACT_URL: ${{ needs.release.outputs.release_artifact_url }}
+          LINUX_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.linux_packages_artifact_url }}
+          WINDOWS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.windows_packages_artifact_url }}
+          MACOS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.macos_packages_artifact_url }}
+          RELEASE_UI_ARTIFACT_URL: ${{ needs.release_ui.outputs.release_ui_artifact_url }}
+          RELEASE_UI_DARWIN_ARTIFACT_URL: ${{ needs.release_ui_darwin.outputs.release_ui_darwin_artifact_url }}
+          GHCR_IMAGES_MARKDOWN: ${{ needs.release.outputs.ghcr_images }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const marker = '<!-- netbird-release-artifacts -->';
+            const { owner, repo } = context.repo;
+            const issue_number = context.payload.pull_request.number;
+            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
+            const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
+
+            const artifactCell = (url, result) => {
+              if (url) return `[Download](${url})`;
+              return result && result !== 'success' ? `_Not available (${result})_` : '_Not available_';
+            };
+
+            const artifacts = [
+              ['All release artifacts', process.env.RELEASE_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['Linux packages', process.env.LINUX_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['Windows packages', process.env.WINDOWS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['macOS packages', process.env.MACOS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['UI artifacts', process.env.RELEASE_UI_ARTIFACT_URL, process.env.RELEASE_UI_RESULT],
+              ['UI macOS artifacts', process.env.RELEASE_UI_DARWIN_ARTIFACT_URL, process.env.RELEASE_UI_DARWIN_RESULT],
+            ];
+
+            const artifactRows = artifacts
+              .map(([name, url, result]) => `| ${name} | ${artifactCell(url, result)} |`)
+              .join('\n');
+
+            const ghcrImages = (process.env.GHCR_IMAGES_MARKDOWN || '').trim() || '_No GHCR images were pushed._';
+
+            const body = [
+              marker,
+              '## Release artifacts',
+              '',
+              `Built for PR head \`${shortSha}\` in [workflow run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}).`,
+              '',
+              '| Artifact | Link |',
+              '| --- | --- |',
+              artifactRows,
+              '',
+              '### GHCR images (amd64)',
+              ghcrImages,
+              '',
+              '_This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy._',
+            ].join('\n');
+
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner,
+              repo,
+              issue_number,
+              per_page: 100,
+            });
+
+            const previous = comments.find(comment =>
+              comment.user?.type === 'Bot' && comment.body?.includes(marker)
+            );
+
+            if (previous) {
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: previous.id,
+                body,
+              });
+              core.info(`Updated release artifacts comment ${previous.id}`);
+            } else {
+              const { data } = await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body,
+              });
+              core.info(`Created release artifacts comment ${data.id}`);
+            }
+
  trigger_signer:
    runs-on: ubuntu-latest
    needs: [release, release_ui, release_ui_darwin]
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -201,7 +201,16 @@ Pop $0

 Function .onInit
 StrCpy $INSTDIR "${INSTALL_DIR}"
+
+; Pre-0.70.1 installers ran without SetRegView, so their uninstall keys live
+; in the 32-bit view. Fall back to it so upgrades still find them.
+SetRegView 64
 ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
+${If} $R0 == ""
+    SetRegView 32
+    ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
+    SetRegView 64
+${EndIf}
 ${If} $R0 != ""
    # if silent install jump to uninstall step
    IfSilent uninstall
@@ -214,6 +223,10 @@ ${If} $R0 != ""

 ${EndIf}
 FunctionEnd
+
+Function un.onInit
+SetRegView 64
+FunctionEnd
 ######################################################################
 Section -MainProgram
    ${INSTALL_TYPE}
@@ -228,6 +241,7 @@ Section -MainProgram
    !else
        File /r "..\\dist\\netbird_windows_amd64\\"
    !endif
+    File "..\\client\\ui\\assets\\netbird.png"
 SectionEnd
 ######################################################################

@@ -247,9 +261,11 @@ WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 ; Create autostart registry entry based on checkbox
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
-    WriteRegStr HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}" "$INSTDIR\${UI_APP_EXE}.exe"
+    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
    DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
+    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
    DetailPrint "Autostart not enabled by user"
 ${EndIf}
@@ -283,6 +299,8 @@ ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`

 ; Remove autostart registry entry
 DetailPrint "Removing autostart registry entry if exists..."
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"

 ; Handle data deletion based on checkbox
@@ -321,6 +339,7 @@ DetailPrint "Removing registry keys..."
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
 DeleteRegKey ${REG_ROOT} "${UI_REG_APP_PATH}"
+DeleteRegKey HKCU "Software\Classes\AppUserModelId\${APP_NAME}"

 DetailPrint "Removing application directory from PATH..."
 EnVar::SetHKLM
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -333,6 +333,10 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.statusRecorder.MarkSignalConnected()

 		relayURLs, token := parseRelayInfo(loginResp)
+		if override, ok := peer.OverrideRelayURLs(); ok {
+			log.Infof("overriding relay URLs from %s: %v", peer.EnvKeyNBHomeRelayServers, override)
+			relayURLs = override
+		}
 		peerConfig := loginResp.GetPeerConfig()

 		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig, logPath)
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -944,7 +944,12 @@ func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 			return fmt.Errorf("update relay token: %w", err)
 		}

-		e.relayManager.UpdateServerURLs(update.Urls)
+		urls := update.Urls
+		if override, ok := peer.OverrideRelayURLs(); ok {
+			log.Infof("overriding relay URLs from %s: %v", peer.EnvKeyNBHomeRelayServers, override)
+			urls = override
+		}
+		e.relayManager.UpdateServerURLs(urls)

 		// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
 		// We can ignore all errors because the guard will manage the reconnection retries.
--- a/client/internal/lazyconn/activity/listener_bind_test.go
+++ b/client/internal/lazyconn/activity/listener_bind_test.go
@@ -3,7 +3,6 @@ package activity
 import (
 	"net"
 	"net/netip"
-	"runtime"
 	"testing"
 	"time"

@@ -18,10 +17,6 @@ import (
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )

-func isBindListenerPlatform() bool {
-	return runtime.GOOS == "windows" || runtime.GOOS == "js"
-}
-
 // mockEndpointManager implements device.EndpointManager for testing
 type mockEndpointManager struct {
 	endpoints map[netip.Addr]net.Conn
@@ -181,10 +176,6 @@ func TestBindListener_Close(t *testing.T) {
 }

 func TestManager_BindMode(t *testing.T) {
-	if !isBindListenerPlatform() {
-		t.Skip("BindListener only used on Windows/JS platforms")
-	}
-
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}

@@ -226,10 +217,6 @@ func TestManager_BindMode(t *testing.T) {
 }

 func TestManager_BindMode_MultiplePeers(t *testing.T) {
-	if !isBindListenerPlatform() {
-		t.Skip("BindListener only used on Windows/JS platforms")
-	}
-
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}

--- a/client/internal/lazyconn/activity/manager.go
+++ b/client/internal/lazyconn/activity/manager.go
@@ -4,14 +4,12 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"runtime"
 	"sync"
 	"time"

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -75,16 +73,6 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}

-	// BindListener is used on Windows, JS, and netstack platforms:
-	// - JS: Cannot listen to UDP sockets
-	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
-	//   gateway points to, preventing them from reaching the loopback interface.
-	// - Netstack: Allows multiple instances on the same host without port conflicts.
-	// BindListener bypasses these issues by passing data directly through the bind.
-	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
-		return NewUDPListener(m.wgIface, peerCfg)
-	}
-
 	provider, ok := m.wgIface.(bindProvider)
 	if !ok {
 		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")
--- a/client/internal/peer/env.go
+++ b/client/internal/peer/env.go
@@ -7,7 +7,8 @@ import (
 )

 const (
-	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
+	EnvKeyNBForceRelay       = "NB_FORCE_RELAY"
+	EnvKeyNBHomeRelayServers = "NB_HOME_RELAY_SERVERS"
 )

 func IsForceRelayed() bool {
@@ -16,3 +17,28 @@ func IsForceRelayed() bool {
 	}
 	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
 }
+
+// OverrideRelayURLs returns the relay server URL list set in
+// NB_HOME_RELAY_SERVERS (comma-separated) and a boolean indicating whether
+// the override is active. When the env var is unset, the boolean is false
+// and the caller should keep the list received from the management server.
+// Intended for lab/debug scenarios where a peer must pin to a specific home
+// relay regardless of what management offers.
+func OverrideRelayURLs() ([]string, bool) {
+	raw := os.Getenv(EnvKeyNBHomeRelayServers)
+	if raw == "" {
+		return nil, false
+	}
+	parts := strings.Split(raw, ",")
+	urls := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			urls = append(urls, p)
+		}
+	}
+	if len(urls) == 0 {
+		return nil, false
+	}
+	return urls, true
+}
--- a/client/internal/sleep/detector_darwin.go
+++ b/client/internal/sleep/detector_darwin.go
@@ -2,217 +2,358 @@

 package sleep

-/*
-#cgo LDFLAGS: -framework IOKit -framework CoreFoundation
-#include <IOKit/pwr_mgt/IOPMLib.h>
-#include <IOKit/IOMessage.h>
-#include <CoreFoundation/CoreFoundation.h>
-
-extern void sleepCallbackBridge();
-extern void poweredOnCallbackBridge();
-extern void suspendedCallbackBridge();
-extern void resumedCallbackBridge();
-
-
-// C global variables for IOKit state
-static IONotificationPortRef g_notifyPortRef = NULL;
-static io_object_t g_notifierObject = 0;
-static io_object_t g_generalInterestNotifier = 0;
-static io_connect_t g_rootPort = 0;
-static CFRunLoopRef g_runLoop = NULL;
-
-static void sleepCallback(void* refCon, io_service_t service, natural_t messageType, void* messageArgument) {
-	switch (messageType) {
-		case kIOMessageSystemWillSleep:
-			sleepCallbackBridge();
-			IOAllowPowerChange(g_rootPort, (long)messageArgument);
-			break;
-        case kIOMessageSystemHasPoweredOn:
-          	poweredOnCallbackBridge();
-          	break;
-        case kIOMessageServiceIsSuspended:
-			suspendedCallbackBridge();
-			break;
-		case kIOMessageServiceIsResumed:
-			resumedCallbackBridge();
-			break;
-		default:
-			break;
-	}
-}
-
-static void registerNotifications() {
-	g_rootPort = IORegisterForSystemPower(
-		NULL,
-		&g_notifyPortRef,
-		(IOServiceInterestCallback)sleepCallback,
-		&g_notifierObject
-	);
-
-	if (g_rootPort == 0) {
-		return;
-	}
-
-	CFRunLoopAddSource(CFRunLoopGetCurrent(),
-		IONotificationPortGetRunLoopSource(g_notifyPortRef),
-		kCFRunLoopCommonModes);
-
-	g_runLoop = CFRunLoopGetCurrent();
-	CFRunLoopRun();
-}
-
-static void unregisterNotifications() {
-	CFRunLoopRemoveSource(g_runLoop,
-		IONotificationPortGetRunLoopSource(g_notifyPortRef),
-		kCFRunLoopCommonModes);
-
-	IODeregisterForSystemPower(&g_notifierObject);
-	IOServiceClose(g_rootPort);
-	IONotificationPortDestroy(g_notifyPortRef);
-	CFRunLoopStop(g_runLoop);
-
-	g_notifyPortRef = NULL;
-	g_notifierObject = 0;
-	g_rootPort = 0;
-	g_runLoop = NULL;
-}
-
-*/
-import "C"
-
 import (
-	"context"
 	"fmt"
 	"runtime"
 	"sync"
 	"time"
+	"unsafe"

+	"github.com/ebitengine/purego"
 	log "github.com/sirupsen/logrus"
 )

-var (
-	serviceRegistry   = make(map[*Detector]struct{})
-	serviceRegistryMu sync.Mutex
+// IOKit message types from IOKit/IOMessage.h.
+const (
+	kIOMessageCanSystemSleep     uintptr = 0xe0000270
+	kIOMessageSystemWillSleep    uintptr = 0xe0000280
+	kIOMessageSystemHasPoweredOn uintptr = 0xe0000300
 )

-//export sleepCallbackBridge
-func sleepCallbackBridge() {
-	log.Info("sleepCallbackBridge event triggered")
+var (
+	ioKit         iokitFuncs
+	cf            cfFuncs
+	cfCommonModes uintptr

-	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
+	libInitOnce sync.Once
+	libInitErr  error

-	for svc := range serviceRegistry {
-		svc.triggerCallback(EventTypeSleep)
-	}
+	// callbackThunk is the single C-callable trampoline registered with IOKit.
+	callbackThunk uintptr
+
+	serviceRegistry   = make(map[*Detector]struct{})
+	serviceRegistryMu sync.Mutex
+	session           *runLoopSession
+
+	// lifecycleMu serializes Register/Deregister so a new registration can't
+	// start a second runloop while a previous teardown is still pending.
+	lifecycleMu sync.Mutex
+)
+
+// iokitFuncs holds IOKit symbols resolved once at init.
+type iokitFuncs struct {
+	IORegisterForSystemPower           func(refcon uintptr, portRef *uintptr, callback uintptr, notifier *uintptr) uintptr
+	IODeregisterForSystemPower         func(notifier *uintptr) int32
+	IOAllowPowerChange                 func(kernelPort uintptr, notificationID uintptr) int32
+	IOServiceClose                     func(connect uintptr) int32
+	IONotificationPortGetRunLoopSource func(port uintptr) uintptr
+	IONotificationPortDestroy          func(port uintptr)
 }

-//export resumedCallbackBridge
-func resumedCallbackBridge() {
-	log.Info("resumedCallbackBridge event triggered")
+// cfFuncs holds CoreFoundation symbols resolved once at init.
+type cfFuncs struct {
+	CFRunLoopGetCurrent   func() uintptr
+	CFRunLoopRun          func()
+	CFRunLoopStop         func(rl uintptr)
+	CFRunLoopAddSource    func(rl, source, mode uintptr)
+	CFRunLoopRemoveSource func(rl, source, mode uintptr)
 }

-//export suspendedCallbackBridge
-func suspendedCallbackBridge() {
-	log.Info("suspendedCallbackBridge event triggered")
+// runLoopSession bundles the handles owned by one CFRunLoop lifetime. A nil
+// session means no runloop is active and the next Register must start one.
+type runLoopSession struct {
+	rl       uintptr
+	port     uintptr
+	notifier uintptr
+	rp       uintptr
 }

-//export poweredOnCallbackBridge
-func poweredOnCallbackBridge() {
-	log.Info("poweredOnCallbackBridge event triggered")
-	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
-
-	for svc := range serviceRegistry {
-		svc.triggerCallback(EventTypeWakeUp)
-	}
+// detectorSnapshot pins a detector's callback and done channel so dispatch
+// runs with values valid at snapshot time, even if a concurrent
+// Deregister/Register rewrites the detector's fields.
+type detectorSnapshot struct {
+	detector *Detector
+	callback func(event EventType)
+	done     <-chan struct{}
 }

+// Detector delivers sleep and wake events to a registered callback.
 type Detector struct {
 	callback func(event EventType)
-	ctx      context.Context
-	cancel   context.CancelFunc
-}
-
-func NewDetector() (*Detector, error) {
-	return &Detector{}, nil
+	done     chan struct{}
 }

+// Register installs callback for power events. The first registration starts
+// the CFRunLoop on a dedicated OS-locked thread and blocks until IOKit
+// registration succeeds or fails; subsequent registrations just add to the
+// dispatch set.
 func (d *Detector) Register(callback func(event EventType)) error {
-	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
+	lifecycleMu.Lock()
+	defer lifecycleMu.Unlock()

+	serviceRegistryMu.Lock()
 	if _, exists := serviceRegistry[d]; exists {
+		serviceRegistryMu.Unlock()
 		return fmt.Errorf("detector service already registered")
 	}
-
 	d.callback = callback
+	d.done = make(chan struct{})
+	serviceRegistry[d] = struct{}{}
+	needSetup := session == nil
+	serviceRegistryMu.Unlock()

-	d.ctx, d.cancel = context.WithCancel(context.Background())
-
-	if len(serviceRegistry) > 0 {
-		serviceRegistry[d] = struct{}{}
+	if !needSetup {
 		return nil
 	}

-	serviceRegistry[d] = struct{}{}
-
-	// CFRunLoop must run on a single fixed OS thread
-	go func() {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-
-		C.registerNotifications()
-	}()
+	errCh := make(chan error, 1)
+	go runRunLoop(errCh)
+	if err := <-errCh; err != nil {
+		serviceRegistryMu.Lock()
+		delete(serviceRegistry, d)
+		close(d.done)
+		d.done = nil
+		serviceRegistryMu.Unlock()
+		return err
+	}

 	log.Info("sleep detection service started on macOS")
 	return nil
 }

-// Deregister removes the detector. When the last detector is removed, IOKit registration is torn down
-// and the runloop is stopped and cleaned up.
+// Deregister removes the detector. When the last detector leaves, IOKit
+// notifications are torn down and the runloop is stopped.
 func (d *Detector) Deregister() error {
+	lifecycleMu.Lock()
+	defer lifecycleMu.Unlock()
+
 	serviceRegistryMu.Lock()
-	defer serviceRegistryMu.Unlock()
-	_, exists := serviceRegistry[d]
-	if !exists {
+	if _, exists := serviceRegistry[d]; !exists {
+		serviceRegistryMu.Unlock()
 		return nil
 	}
-
-	// cancel and remove this detector
-	d.cancel()
+	close(d.done)
 	delete(serviceRegistry, d)

-	// If other Detectors still exist, leave IOKit running
 	if len(serviceRegistry) > 0 {
+		serviceRegistryMu.Unlock()
 		return nil
 	}
+	sess := session
+	serviceRegistryMu.Unlock()

 	log.Info("sleep detection service stopping (deregister)")

-	// Deregister IOKit notifications, stop runloop, and free resources
-	C.unregisterNotifications()
+	if sess == nil {
+		return nil
+	}
+
+	if sess.rl != 0 && sess.port != 0 {
+		source := ioKit.IONotificationPortGetRunLoopSource(sess.port)
+		cf.CFRunLoopRemoveSource(sess.rl, source, cfCommonModes)
+	}
+	if sess.notifier != 0 {
+		n := sess.notifier
+		ioKit.IODeregisterForSystemPower(&n)
+	}
+
+	// Clear session only after IODeregisterForSystemPower returns so any
+	// in-flight powerCallback can still look up session.rp to ack sleep.
+	serviceRegistryMu.Lock()
+	session = nil
+	serviceRegistryMu.Unlock()
+
+	if sess.rp != 0 {
+		ioKit.IOServiceClose(sess.rp)
+	}
+	if sess.port != 0 {
+		ioKit.IONotificationPortDestroy(sess.port)
+	}
+	if sess.rl != 0 {
+		cf.CFRunLoopStop(sess.rl)
+	}

 	return nil
 }

-func (d *Detector) triggerCallback(event EventType) {
-	doneChan := make(chan struct{})
+func (d *Detector) triggerCallback(event EventType, cb func(event EventType), done <-chan struct{}) {
+	if cb == nil || done == nil {
+		return
+	}

+	select {
+	case <-done:
+		return
+	default:
+	}
+
+	doneChan := make(chan struct{})
 	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()

-	cb := d.callback
-	go func(callback func(event EventType)) {
+	go func() {
+		defer close(doneChan)
+		defer func() {
+			if r := recover(); r != nil {
+				log.Errorf("panic in sleep callback: %v", r)
+			}
+		}()
 		log.Info("sleep detection event fired")
-		callback(event)
-		close(doneChan)
-	}(cb)
+		cb(event)
+	}()

 	select {
 	case <-doneChan:
-	case <-d.ctx.Done():
+	case <-done:
 	case <-timeout.C:
-		log.Warnf("sleep callback timed out")
+		log.Warn("sleep callback timed out")
 	}
 }
+
+// NewDetector initializes IOKit/CoreFoundation bindings and returns a Detector.
+func NewDetector() (*Detector, error) {
+	if err := initLibs(); err != nil {
+		return nil, err
+	}
+	return &Detector{}, nil
+}
+
+func initLibs() error {
+	libInitOnce.Do(func() {
+		iokit, err := purego.Dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			libInitErr = fmt.Errorf("dlopen IOKit: %w", err)
+			return
+		}
+		cfLib, err := purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			libInitErr = fmt.Errorf("dlopen CoreFoundation: %w", err)
+			return
+		}
+
+		purego.RegisterLibFunc(&ioKit.IORegisterForSystemPower, iokit, "IORegisterForSystemPower")
+		purego.RegisterLibFunc(&ioKit.IODeregisterForSystemPower, iokit, "IODeregisterForSystemPower")
+		purego.RegisterLibFunc(&ioKit.IOAllowPowerChange, iokit, "IOAllowPowerChange")
+		purego.RegisterLibFunc(&ioKit.IOServiceClose, iokit, "IOServiceClose")
+		purego.RegisterLibFunc(&ioKit.IONotificationPortGetRunLoopSource, iokit, "IONotificationPortGetRunLoopSource")
+		purego.RegisterLibFunc(&ioKit.IONotificationPortDestroy, iokit, "IONotificationPortDestroy")
+
+		purego.RegisterLibFunc(&cf.CFRunLoopGetCurrent, cfLib, "CFRunLoopGetCurrent")
+		purego.RegisterLibFunc(&cf.CFRunLoopRun, cfLib, "CFRunLoopRun")
+		purego.RegisterLibFunc(&cf.CFRunLoopStop, cfLib, "CFRunLoopStop")
+		purego.RegisterLibFunc(&cf.CFRunLoopAddSource, cfLib, "CFRunLoopAddSource")
+		purego.RegisterLibFunc(&cf.CFRunLoopRemoveSource, cfLib, "CFRunLoopRemoveSource")
+
+		modeAddr, err := purego.Dlsym(cfLib, "kCFRunLoopCommonModes")
+		if err != nil {
+			libInitErr = fmt.Errorf("dlsym kCFRunLoopCommonModes: %w", err)
+			return
+		}
+		// Launder the uintptr-to-pointer conversion through a Go variable so
+		// go vet's unsafeptr analyzer doesn't flag a system-library global.
+		cfCommonModes = **(**uintptr)(unsafe.Pointer(&modeAddr))
+
+		// NewCallback slots are a finite, non-reclaimable resource, so register
+		// a single thunk that dispatches to the current Detector set.
+		callbackThunk = purego.NewCallback(powerCallback)
+	})
+	return libInitErr
+}
+
+// powerCallback is the IOServiceInterestCallback trampoline, invoked on the
+// runloop thread. A Go panic crossing the purego boundary has undefined
+// behavior, so contain it here.
+func powerCallback(refcon, service, messageType, messageArgument uintptr) uintptr {
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("panic in sleep powerCallback: %v", r)
+		}
+	}()
+	switch messageType {
+	case kIOMessageCanSystemSleep:
+		// Not acknowledging forces a 30s IOKit timeout before idle sleep.
+		allowPowerChange(messageArgument)
+	case kIOMessageSystemWillSleep:
+		dispatchEvent(EventTypeSleep)
+		allowPowerChange(messageArgument)
+	case kIOMessageSystemHasPoweredOn:
+		dispatchEvent(EventTypeWakeUp)
+	}
+	return 0
+}
+
+func allowPowerChange(messageArgument uintptr) {
+	serviceRegistryMu.Lock()
+	var port uintptr
+	if session != nil {
+		port = session.rp
+	}
+	serviceRegistryMu.Unlock()
+	if port != 0 {
+		ioKit.IOAllowPowerChange(port, messageArgument)
+	}
+}
+
+func dispatchEvent(event EventType) {
+	serviceRegistryMu.Lock()
+	snaps := make([]detectorSnapshot, 0, len(serviceRegistry))
+	for d := range serviceRegistry {
+		snaps = append(snaps, detectorSnapshot{
+			detector: d,
+			callback: d.callback,
+			done:     d.done,
+		})
+	}
+	serviceRegistryMu.Unlock()
+
+	for _, s := range snaps {
+		s.detector.triggerCallback(event, s.callback, s.done)
+	}
+}
+
+// runRunLoop owns the OS-locked thread that CFRunLoop is pinned to. Setup
+// result is reported on errCh so Register can surface failures synchronously.
+func runRunLoop(errCh chan<- error) {
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	sess, err := setupSession()
+	if err == nil {
+		serviceRegistryMu.Lock()
+		session = sess
+		serviceRegistryMu.Unlock()
+	}
+	errCh <- err
+	if err != nil {
+		return
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("panic in sleep runloop: %v", r)
+		}
+	}()
+	cf.CFRunLoopRun()
+}
+
+// setupSession performs the IOKit registration on the current thread. Panics
+// are converted to errors so runRunLoop never leaves errCh unsent.
+func setupSession() (s *runLoopSession, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic during runloop setup: %v", r)
+		}
+	}()
+
+	var portRef, notifier uintptr
+	rp := ioKit.IORegisterForSystemPower(0, &portRef, callbackThunk, &notifier)
+	if rp == 0 {
+		return nil, fmt.Errorf("IORegisterForSystemPower returned zero")
+	}
+
+	rl := cf.CFRunLoopGetCurrent()
+	source := ioKit.IONotificationPortGetRunLoopSource(portRef)
+	cf.CFRunLoopAddSource(rl, source, cfCommonModes)
+
+	return &runLoopSession{rl: rl, port: portRef, notifier: notifier, rp: rp}, nil
+}
--- a/client/netbird.wxs
+++ b/client/netbird.wxs
@@ -18,10 +18,17 @@
 				<Component Id="NetbirdFiles" Guid="db3165de-cc6e-4922-8396-9d892950e23e" Bitness="always64">
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird.exe" KeyPath="yes" />
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird-ui.exe">
-						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
-						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
+						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
+							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
+							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
+						</Shortcut>
+						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
+							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
+							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
+						</Shortcut>
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
+					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
 					<?if $(var.ArchSuffix) = "amd64" ?>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
 					<?endif ?>
@@ -46,8 +53,19 @@
 			</Directory>
 		</StandardDirectory>

+		<!-- Per-user component: HKCU keypath (auto GUID via "*"), separate from
+		     the per-machine NetbirdFiles component to satisfy ICE57. -->
+		<StandardDirectory Id="ProgramMenuFolder">
+			<Component Id="NetbirdAumidRegistry" Guid="*">
+				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
+					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
+				</RegistryKey>
+			</Component>
+		</StandardDirectory>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
+			<ComponentRef Id="NetbirdAumidRegistry" />
 		</ComponentGroup>

 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -104,8 +104,6 @@ service DaemonService {
  // StopCPUProfile stops CPU profiling in the daemon
  rpc StopCPUProfile(StopCPUProfileRequest) returns (StopCPUProfileResponse) {}

-  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}
-
  rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}

  // ExposeService exposes a local port via the NetBird reverse proxy
@@ -114,20 +112,6 @@ service DaemonService {



-message OSLifecycleRequest {
-  // avoid collision with loglevel enum
-  enum CycleType {
-    UNKNOWN = 0;
-    SLEEP = 1;
-    WAKEUP = 2;
-  }
-
-  CycleType type = 1;
-}
-
-message OSLifecycleResponse {}
-
-
 message LoginRequest {
  // setupKey netbird setup key.
  string setupKey = 1;
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -120,6 +120,7 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
+	s.startSleepDetector()

 	return s
 }
--- a/client/server/sleep.go
+++ b/client/server/sleep.go
@@ -2,13 +2,18 @@ package server

 import (
 	"context"
+	"os"
+	"strconv"

 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 )

+const envDisableSleepDetector = "NB_DISABLE_SLEEP_DETECTOR"
+
 // serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
 type serverAgent struct {
 	s *Server
@@ -28,19 +33,61 @@ func (a *serverAgent) Status() (internal.StatusType, error) {
 	return internal.CtxGetState(a.s.rootCtx).Status()
 }

-// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
-func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
-	switch req.GetType() {
-	case proto.OSLifecycleRequest_WAKEUP:
-		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	case proto.OSLifecycleRequest_SLEEP:
-		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	default:
-		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
+// startSleepDetector starts the OS sleep/wake detector and forwards events to
+// the sleep handler. On platforms without a supported detector the attempt
+// logs a warning and returns. Setting NB_DISABLE_SLEEP_DETECTOR=true skips
+// registration entirely.
+func (s *Server) startSleepDetector() {
+	if sleepDetectorDisabled() {
+		log.Info("sleep detection disabled via " + envDisableSleepDetector)
+		return
 	}
-	return &proto.OSLifecycleResponse{}, nil
+
+	svc, err := sleep.New()
+	if err != nil {
+		log.Warnf("failed to initialize sleep detection: %v", err)
+		return
+	}
+
+	err = svc.Register(func(event sleep.EventType) {
+		switch event {
+		case sleep.EventTypeSleep:
+			log.Info("handling sleep event")
+			if err := s.sleepHandler.HandleSleep(s.rootCtx); err != nil {
+				log.Errorf("failed to handle sleep event: %v", err)
+			}
+		case sleep.EventTypeWakeUp:
+			log.Info("handling wakeup event")
+			if err := s.sleepHandler.HandleWakeUp(s.rootCtx); err != nil {
+				log.Errorf("failed to handle wakeup event: %v", err)
+			}
+		}
+	})
+	if err != nil {
+		log.Errorf("failed to register sleep detector: %v", err)
+		return
+	}
+
+	log.Info("sleep detection service initialized")
+
+	go func() {
+		<-s.rootCtx.Done()
+		log.Info("stopping sleep event listener")
+		if err := svc.Deregister(); err != nil {
+			log.Errorf("failed to deregister sleep detector: %v", err)
+		}
+	}()
+}
+
+func sleepDetectorDisabled() bool {
+	val := os.Getenv(envDisableSleepDetector)
+	if val == "" {
+		return false
+	}
+	disabled, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s=%q: %v", envDisableSleepDetector, val, err)
+		return false
+	}
+	return disabled
 }
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -38,10 +38,10 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/desktop"
 	"github.com/netbirdio/netbird/client/ui/event"
+	"github.com/netbirdio/netbird/client/ui/notifier"
 	"github.com/netbirdio/netbird/client/ui/process"
 	"github.com/netbirdio/netbird/util"

@@ -260,6 +260,7 @@ type serviceClient struct {

 	// application with main windows.
 	app                  fyne.App
+	notifier             notifier.Notifier
 	wSettings            fyne.Window
 	showAdvancedSettings bool
 	sendNotification     bool
@@ -364,6 +365,7 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 		cancel:           cancel,
 		addr:             args.addr,
 		app:              args.app,
+		notifier:         notifier.New(args.app),
 		logFile:          args.logFile,
 		sendNotification: false,

@@ -892,7 +894,7 @@ func (s *serviceClient) updateStatus() error {
 		if err != nil {
 			log.Errorf("get service status: %v", err)
 			if s.connected {
-				s.app.SendNotification(fyne.NewNotification("Error", "Connection to service lost"))
+				s.notifier.Send("Error", "Connection to service lost")
 			}
 			s.setDisconnectedStatus()
 			return err
@@ -1109,7 +1111,7 @@ func (s *serviceClient) onTrayReady() {
 		}
 	}()

-	s.eventManager = event.NewManager(s.app, s.addr)
+	s.eventManager = event.NewManager(s.notifier, s.addr)
 	s.eventManager.SetNotificationsEnabled(s.mNotifications.Checked())
 	s.eventManager.AddHandler(func(event *proto.SystemEvent) {
 		if event.Category == proto.SystemEvent_SYSTEM {
@@ -1146,9 +1148,6 @@ func (s *serviceClient) onTrayReady() {

 	go s.eventManager.Start(s.ctx)
 	go s.eventHandler.listen(s.ctx)
-
-	// Start sleep detection listener
-	go s.startSleepListener()
 }

 func (s *serviceClient) attachOutput(cmd *exec.Cmd) *os.File {
@@ -1209,62 +1208,6 @@ func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonService
 	return s.conn, nil
 }

-// startSleepListener initializes the sleep detection service and listens for sleep events
-func (s *serviceClient) startSleepListener() {
-	sleepService, err := sleep.New()
-	if err != nil {
-		log.Warnf("%v", err)
-		return
-	}
-
-	if err := sleepService.Register(s.handleSleepEvents); err != nil {
-		log.Errorf("failed to start sleep detection: %v", err)
-		return
-	}
-
-	log.Info("sleep detection service initialized")
-
-	// Cleanup on context cancellation
-	go func() {
-		<-s.ctx.Done()
-		log.Info("stopping sleep event listener")
-		if err := sleepService.Deregister(); err != nil {
-			log.Errorf("failed to deregister sleep detection: %v", err)
-		}
-	}()
-}
-
-// handleSleepEvents sends a sleep notification to the daemon via gRPC
-func (s *serviceClient) handleSleepEvents(event sleep.EventType) {
-	conn, err := s.getSrvClient(0)
-	if err != nil {
-		log.Errorf("failed to get daemon client for sleep notification: %v", err)
-		return
-	}
-
-	req := &proto.OSLifecycleRequest{}
-
-	switch event {
-	case sleep.EventTypeWakeUp:
-		log.Infof("handle wakeup event: %v", event)
-		req.Type = proto.OSLifecycleRequest_WAKEUP
-	case sleep.EventTypeSleep:
-		log.Infof("handle sleep event: %v", event)
-		req.Type = proto.OSLifecycleRequest_SLEEP
-	default:
-		log.Infof("unknown event: %v", event)
-		return
-	}
-
-	_, err = conn.NotifyOSLifecycle(s.ctx, req)
-	if err != nil {
-		log.Errorf("failed to notify daemon about os lifecycle notification: %v", err)
-		return
-	}
-
-	log.Info("successfully notified daemon about os lifecycle")
-}
-
 // setSettingsEnabled enables or disables the settings menu based on the provided state
 func (s *serviceClient) setSettingsEnabled(enabled bool) {
 	if s.mSettings != nil {
@@ -1548,7 +1491,7 @@ func (s *serviceClient) onUpdateAvailable(newVersion string, enforced bool) {

 	if enforced && s.lastNotifiedVersion != newVersion {
 		s.lastNotifiedVersion = newVersion
-		s.app.SendNotification(fyne.NewNotification("Update available", "A new version "+newVersion+" is ready to install"))
+		s.notifier.Send("Update available", "A new version "+newVersion+" is ready to install")
 	}
 }

--- a/client/ui/event/event.go
+++ b/client/ui/event/event.go
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"

-	"fyne.io/fyne/v2"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -18,11 +17,17 @@ import (
 	"github.com/netbirdio/netbird/client/ui/desktop"
 )

+// Notifier sends desktop notifications. Defined here so the event package
+// does not depend on fyne or the platform-specific notifier implementation.
+type Notifier interface {
+	Send(title, body string)
+}
+
 type Handler func(*proto.SystemEvent)

 type Manager struct {
-	app  fyne.App
-	addr string
+	notifier Notifier
+	addr     string

 	mu       sync.Mutex
 	ctx      context.Context
@@ -31,10 +36,10 @@ type Manager struct {
 	handlers []Handler
 }

-func NewManager(app fyne.App, addr string) *Manager {
+func NewManager(notifier Notifier, addr string) *Manager {
 	return &Manager{
-		app:  app,
-		addr: addr,
+		notifier: notifier,
+		addr:     addr,
 	}
 }

@@ -114,7 +119,7 @@ func (e *Manager) handleEvent(event *proto.SystemEvent) {
 		if id != "" {
 			body += fmt.Sprintf(" ID: %s", id)
 		}
-		e.app.SendNotification(fyne.NewNotification(title, body))
+		e.notifier.Send(title, body)
 	}

 	for _, handler := range handlers {
--- a/client/ui/event_handler.go
+++ b/client/ui/event_handler.go
@@ -9,7 +9,6 @@ import (
 	"os"
 	"os/exec"

-	"fyne.io/fyne/v2"
 	"fyne.io/systray"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
@@ -87,7 +86,7 @@ func (h *eventHandler) handleConnectClick() {
 			if errors.Is(err, context.Canceled) || (ok && st.Code() == codes.Canceled) {
 				log.Debugf("connect operation cancelled by user")
 			} else {
-				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to connect"))
+				h.client.notifier.Send("Error", "Failed to connect")
 				log.Errorf("connect failed: %v", err)
 			}
 		}
@@ -112,7 +111,7 @@ func (h *eventHandler) handleDisconnectClick() {
 		if err := h.client.menuDownClick(); err != nil {
 			st, ok := status.FromError(err)
 			if !errors.Is(err, context.Canceled) && !(ok && st.Code() == codes.Canceled) {
-				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to disconnect"))
+				h.client.notifier.Send("Error", "Failed to disconnect")
 				log.Errorf("disconnect failed: %v", err)
 			} else {
 				log.Debugf("disconnect cancelled or already disconnecting")
@@ -130,7 +129,7 @@ func (h *eventHandler) handleAllowSSHClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAllowSSH) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update SSH settings"))
+		h.client.notifier.Send("Error", "Failed to update SSH settings")
 	}

 }
@@ -140,7 +139,7 @@ func (h *eventHandler) handleAutoConnectClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAutoConnect) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update auto-connect settings"))
+		h.client.notifier.Send("Error", "Failed to update auto-connect settings")
 	}
 }

@@ -149,7 +148,7 @@ func (h *eventHandler) handleRosenpassClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mEnableRosenpass) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update Rosenpass settings"))
+		h.client.notifier.Send("Error", "Failed to update Rosenpass settings")
 	}
 }

@@ -158,7 +157,7 @@ func (h *eventHandler) handleLazyConnectionClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mLazyConnEnabled) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update lazy connection settings"))
+		h.client.notifier.Send("Error", "Failed to update lazy connection settings")
 	}
 }

@@ -167,7 +166,7 @@ func (h *eventHandler) handleBlockInboundClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mBlockInbound) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update block inbound settings"))
+		h.client.notifier.Send("Error", "Failed to update block inbound settings")
 	}
 }

@@ -176,7 +175,7 @@ func (h *eventHandler) handleNotificationsClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mNotifications) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update notifications settings"))
+		h.client.notifier.Send("Error", "Failed to update notifications settings")
 	} else if h.client.eventManager != nil {
 		h.client.eventManager.SetNotificationsEnabled(h.client.mNotifications.Checked())
 	}
--- a/client/ui/notifier/notifier.go
+++ b/client/ui/notifier/notifier.go
@@ -0,0 +1,27 @@
+// Package notifier sends desktop notifications. On Windows it uses the WinRT
+// COM API directly via go-toast/v2 to avoid the PowerShell window flash that
+// fyne's default implementation produces. On other platforms it delegates to
+// fyne.
+package notifier
+
+import "fyne.io/fyne/v2"
+
+// Notifier sends desktop notifications.
+type Notifier interface {
+	Send(title, body string)
+}
+
+// New returns a platform-specific Notifier. The fyne app is used as the
+// fallback notifier on platforms where no native implementation is wired up,
+// and on Windows when the COM path fails to initialize.
+func New(app fyne.App) Notifier {
+	return newNotifier(app)
+}
+
+type fyneNotifier struct {
+	app fyne.App
+}
+
+func (f *fyneNotifier) Send(title, body string) {
+	f.app.SendNotification(fyne.NewNotification(title, body))
+}
--- a/client/ui/notifier/notifier_other.go
+++ b/client/ui/notifier/notifier_other.go
@@ -0,0 +1,9 @@
+//go:build !windows
+
+package notifier
+
+import "fyne.io/fyne/v2"
+
+func newNotifier(app fyne.App) Notifier {
+	return &fyneNotifier{app: app}
+}
--- a/client/ui/notifier/notifier_windows.go
+++ b/client/ui/notifier/notifier_windows.go
@@ -0,0 +1,88 @@
+package notifier
+
+import (
+	"os"
+	"path/filepath"
+	"sync"
+
+	"fyne.io/fyne/v2"
+	toast "git.sr.ht/~jackmordaunt/go-toast/v2"
+	"git.sr.ht/~jackmordaunt/go-toast/v2/wintoast"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// appID is the AppUserModelID shown in the Windows Action Center. It
+	// must match the System.AppUserModel.ID property set on the Start Menu
+	// shortcut by the MSI (see client/netbird.wxs); otherwise Windows
+	// groups toasts under a separate, unbranded entry.
+	appID = "NetBird"
+
+	// appGUID identifies the COM activation callback class. Generated once
+	// for NetBird; do not change without coordinating an installer bump,
+	// since old registry entries pointing at the previous GUID would orphan.
+	appGUID = "{0E1B4DE7-E148-432B-9814-544F941826EC}"
+)
+
+type comNotifier struct {
+	fallback *fyneNotifier
+	ready    bool
+	iconPath string
+}
+
+var (
+	initOnce sync.Once
+	initErr  error
+)
+
+func newNotifier(app fyne.App) Notifier {
+	n := &comNotifier{
+		fallback: &fyneNotifier{app: app},
+		iconPath: resolveIcon(),
+	}
+	initOnce.Do(func() {
+		initErr = wintoast.SetAppData(wintoast.AppData{
+			AppID:    appID,
+			GUID:     appGUID,
+			IconPath: n.iconPath,
+		})
+	})
+	if initErr != nil {
+		log.Warnf("toast: register app data failed, falling back to fyne notifications: %v", initErr)
+		return n.fallback
+	}
+	n.ready = true
+	return n
+}
+
+func (n *comNotifier) Send(title, body string) {
+	if !n.ready {
+		n.fallback.Send(title, body)
+		return
+	}
+	notification := toast.Notification{
+		AppID: appID,
+		Title: title,
+		Body:  body,
+		Icon:  n.iconPath,
+	}
+	if err := notification.Push(); err != nil {
+		log.Warnf("toast: push failed, using fyne fallback: %v", err)
+		n.fallback.Send(title, body)
+	}
+}
+
+// resolveIcon returns an absolute path to the toast icon, or an empty string
+// when no icon can be located. Windows requires a PNG/JPG for the
+// AppUserModelId IconUri registry value; .ico is silently ignored.
+func resolveIcon() string {
+	exe, err := os.Executable()
+	if err != nil {
+		return ""
+	}
+	candidate := filepath.Join(filepath.Dir(exe), "netbird.png")
+	if _, err := os.Stat(candidate); err == nil {
+		return candidate
+	}
+	return ""
+}
--- a/client/ui/profile.go
+++ b/client/ui/profile.go
@@ -548,7 +548,7 @@ func (p *profileMenu) refresh() {
 					if err != nil {
 						log.Errorf("failed to switch profile: %v", err)
 						// show  notification dialog
-						p.app.SendNotification(fyne.NewNotification("Error", "Failed to switch profile"))
+						p.serviceClient.notifier.Send("Error", "Failed to switch profile")
 						return
 					}

@@ -628,9 +628,9 @@ func (p *profileMenu) refresh() {
 				}
 				if err := p.eventHandler.logout(p.ctx); err != nil {
 					log.Errorf("logout failed: %v", err)
-					p.app.SendNotification(fyne.NewNotification("Error", "Failed to deregister"))
+					p.serviceClient.notifier.Send("Error", "Failed to deregister")
 				} else {
-					p.app.SendNotification(fyne.NewNotification("Success", "Deregistered successfully"))
+					p.serviceClient.notifier.Send("Success", "Deregistered successfully")
 				}
 			}
 		}
--- a/go.mod
+++ b/go.mod
@@ -30,6 +30,7 @@ require (
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
+	git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.6
@@ -46,6 +47,7 @@ require (
 	github.com/crowdsecurity/go-cs-bouncer v0.0.21
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
+	github.com/ebitengine/purego v0.8.4
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
@@ -178,7 +180,6 @@ require (
 	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -15,6 +15,8 @@ fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
 fyne.io/fyne/v2 v2.7.0/go.mod h1:xClVlrhxl7D+LT+BWYmcrW4Nf+dJTvkhnPgji7spAwE=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9 h1:829+77I4TaMrcg9B3wf+gHhdSgoCVEgH2czlPXPbfj4=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs=
+git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3 h1:N3IGoHHp9pb6mj1cbXbuaSXV/UMKwmbKLf53nQmtqMA=
+git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3/go.mod h1:QtOLZGz8olr4qH2vWK0QH0w0O4T9fEIjMuWpKUsH7nc=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk=
--- a/idp/dex/config.go
+++ b/idp/dex/config.go
@@ -193,7 +193,7 @@ func (c *Connector) ToStorageConnector() (storage.Connector, error) {
 // are stored with types that Dex can open.
 func mapConnectorToDex(connType string, config map[string]interface{}) (string, map[string]interface{}) {
 	switch connType {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak", "adfs":
 		return "oidc", applyOIDCDefaults(connType, config)
 	default:
 		return connType, config
@@ -218,6 +218,8 @@ func applyOIDCDefaults(connType string, config map[string]interface{}) map[strin
 		setDefault(augmented, "claimMapping", map[string]string{"email": "preferred_username"})
 	case "okta", "pocketid":
 		augmented["scopes"] = []string{"openid", "profile", "email", "groups"}
+	case "adfs":
+		augmented["scopes"] = []string{"openid", "profile", "email", "allatclaims"}
 	}

 	return augmented
--- a/idp/dex/connector.go
+++ b/idp/dex/connector.go
@@ -168,7 +168,7 @@ func (p *Provider) buildStorageConnector(cfg *ConnectorConfig) (storage.Connecto
 	var err error

 	switch cfg.Type {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak", "adfs":
 		dexType = "oidc"
 		configData, err = buildOIDCConnectorConfig(cfg, redirectURI)
 	case "google":
@@ -220,6 +220,8 @@ func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte,
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
 	case "pocketid":
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
+	case "adfs":
+		oidcConfig["scopes"] = []string{"openid", "profile", "email", "allatclaims"}
 	}
 	return encodeConnectorConfig(oidcConfig)
 }
@@ -283,7 +285,7 @@ func inferIdentityProviderType(dexType, connectorID string, _ map[string]interfa
 // inferOIDCProviderType infers the specific OIDC provider from connector ID
 func inferOIDCProviderType(connectorID string) string {
 	connectorIDLower := strings.ToLower(connectorID)
-	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak"} {
+	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak", "adfs"} {
 		if strings.Contains(connectorIDLower, provider) {
 			return provider
 		}
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -231,7 +231,20 @@ get_upstream_host() {

 wait_management_proxy() {
  local proxy_container="${1:-traefik}"
+  local use_docker_logs=false
  set +e
+
+  if [[ "$proxy_container" == "detect-traefik" ]]; then
+    proxy_container=$(docker ps --format "{{.ID}}\t{{.Image}}\t{{.Ports}}" \
+    | awk -F'\t' '$2 ~ /traefik/ && $3 ~ /:(80|443)->/ {print $1; exit}')
+
+    if [[ -z "$proxy_container" ]]; then
+      echo "Warning: could not auto-detect Traefik container, log output will be skipped on timeout." > /dev/stderr
+    else
+      use_docker_logs=true
+    fi
+  fi
+
  echo -n "Waiting for NetBird server to become ready"
  counter=1
  while true; do
@@ -242,7 +255,13 @@ wait_management_proxy() {
    if [[ $counter -eq 60 ]]; then
      echo ""
      echo "Taking too long. Checking logs..."
-      $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
+      if [[ -n "$proxy_container" ]]; then
+        if [[ "$use_docker_logs" == "true" ]]; then
+          docker logs --tail=20 "$proxy_container"
+        else
+          $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
+        fi
+      fi
      $DOCKER_COMPOSE_COMMAND logs --tail=20 netbird-server
    fi
    echo -n " ."
@@ -518,7 +537,7 @@ start_services_and_show_instructions() {
    $DOCKER_COMPOSE_COMMAND up -d

    sleep 3
-    wait_management_direct
+    wait_management_proxy detect-traefik

    echo -e "$MSG_DONE"
    print_post_setup_instructions
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -7,7 +7,6 @@ import (
 	"os"
 	"slices"
 	"strconv"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -16,11 +15,9 @@ import (
 	"golang.org/x/exp/maps"
 	"golang.org/x/mod/semver"

-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
-	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/account"
@@ -58,13 +55,6 @@ type Controller struct {
 	proxyController port_forwarding.Controller

 	integratedPeerValidator integrated_validator.IntegratedValidator
-
-	holder *types.Holder
-
-	expNewNetworkMap     bool
-	expNewNetworkMapAIDs map[string]struct{}
-
-	compactedNetworkMap bool
 }

 type bufferUpdate struct {
@@ -81,29 +71,6 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		log.Fatal(fmt.Errorf("error creating metrics: %w", err))
 	}

-	newNetworkMapBuilder, err := strconv.ParseBool(os.Getenv(network_map.EnvNewNetworkMapBuilder))
-	if err != nil {
-		log.WithContext(ctx).Warnf("failed to parse %s, using default value false: %v", network_map.EnvNewNetworkMapBuilder, err)
-		newNetworkMapBuilder = false
-	}
-
-	compactedNetworkMap := true
-	compactedEnv := os.Getenv(types.EnvNewNetworkMapCompacted)
-	parsedCompactedNmap, err := strconv.ParseBool(compactedEnv)
-	if err != nil && len(compactedEnv) > 0 {
-		log.WithContext(ctx).Warnf("failed to parse %s, using default value true: %v", types.EnvNewNetworkMapCompacted, err)
-	}
-	if err == nil && !parsedCompactedNmap {
-		log.WithContext(ctx).Info("disabling compacted mode")
-		compactedNetworkMap = false
-	}
-
-	ids := strings.Split(os.Getenv(network_map.EnvNewNetworkMapAccounts), ",")
-	expIDs := make(map[string]struct{}, len(ids))
-	for _, id := range ids {
-		expIDs[id] = struct{}{}
-	}
-
 	return &Controller{
 		repo:                    newRepository(store),
 		metrics:                 nMetrics,
@@ -117,12 +84,6 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App

 		proxyController:       proxyController,
 		EphemeralPeersManager: ephemeralPeersManager,
-
-		holder:               types.NewHolder(),
-		expNewNetworkMap:     newNetworkMapBuilder,
-		expNewNetworkMapAIDs: expIDs,
-
-		compactedNetworkMap: compactedNetworkMap,
 	}
 }

@@ -153,17 +114,9 @@ func (c *Controller) CountStreams() int {

 func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID string) error {
 	log.WithContext(ctx).Tracef("updating peers for account %s from %s", accountID, util.GetCallerName())
-	var (
-		account *types.Account
-		err     error
-	)
-	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(ctx, accountID)
-	} else {
-		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-		if err != nil {
-			return fmt.Errorf("failed to get account: %v", err)
-		}
+	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get account: %v", err)
 	}

 	globalStart := time.Now()
@@ -197,10 +150,6 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	routers := account.GetResourceRoutersMap()
 	groupIDToUserIDs := account.GetActiveGroupUsers()

-	if c.experimentalNetworkMap(accountID) {
-		c.initNetworkMapBuilderIfNeeded(account, approvedPeersMap)
-	}
-
 	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
@@ -243,16 +192,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
 			start = time.Now()

-			var remotePeerNetworkMap *types.NetworkMap
-
-			switch {
-			case c.experimentalNetworkMap(accountID):
-				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-			case c.compactedNetworkMap:
-				remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-			default:
-				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-			}
+			remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)

 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))

@@ -318,10 +258,6 @@ func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID
 // UpdatePeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
 func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string) error {
-	if err := c.RecalculateNetworkMapCache(ctx, accountID); err != nil {
-		return fmt.Errorf("recalculate network map cache: %v", err)
-	}
-
 	return c.sendUpdateAccountPeers(ctx, accountID)
 }

@@ -371,16 +307,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return err
 	}

-	var remotePeerNetworkMap *types.NetworkMap
-
-	switch {
-	case c.experimentalNetworkMap(accountId):
-		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-	case c.compactedNetworkMap:
-		remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-	default:
-		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-	}
+	remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -451,17 +378,9 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		return peer, emptyMap, nil, 0, nil
 	}

-	var (
-		account *types.Account
-		err     error
-	)
-	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(ctx, accountID)
-	} else {
-		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-		if err != nil {
-			return nil, nil, nil, 0, err
-		}
+	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return nil, nil, nil, 0, err
 	}

 	account.InjectProxyPolicies(ctx)
@@ -493,20 +412,10 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		return nil, nil, nil, 0, err
 	}

-	var networkMap *types.NetworkMap
-
-	if c.experimentalNetworkMap(accountID) {
-		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-	} else {
-		resourcePolicies := account.GetResourcePoliciesMap()
-		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-		if c.compactedNetworkMap {
-			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-		} else {
-			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-		}
-	}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -518,108 +427,6 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	return peer, networkMap, postureChecks, dnsFwdPort, nil
 }

-func (c *Controller) initNetworkMapBuilderIfNeeded(account *types.Account, validatedPeers map[string]struct{}) {
-	c.enrichAccountFromHolder(account)
-	account.InitNetworkMapBuilderIfNeeded(validatedPeers)
-}
-
-func (c *Controller) getPeerNetworkMapExp(
-	ctx context.Context,
-	accountId string,
-	peerId string,
-	validatedPeers map[string]struct{},
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	metrics *telemetry.AccountManagerMetrics,
-) *types.NetworkMap {
-	account := c.getAccountFromHolderOrInit(ctx, accountId)
-	if account == nil {
-		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
-		return &types.NetworkMap{
-			Network: &types.Network{},
-		}
-	}
-
-	return account.GetPeerNetworkMapExp(ctx, peerId, peersCustomZone, accountZones, validatedPeers, metrics)
-}
-
-func (c *Controller) onPeersAddedUpdNetworkMapCache(account *types.Account, peerIds ...string) {
-	c.enrichAccountFromHolder(account)
-	account.OnPeersAddedUpdNetworkMapCache(peerIds...)
-}
-
-func (c *Controller) onPeerDeletedUpdNetworkMapCache(account *types.Account, peerId string) error {
-	c.enrichAccountFromHolder(account)
-	return account.OnPeerDeletedUpdNetworkMapCache(peerId)
-}
-
-func (c *Controller) UpdatePeerInNetworkMapCache(accountId string, peer *nbpeer.Peer) {
-	account := c.getAccountFromHolder(accountId)
-	if account == nil {
-		return
-	}
-	account.UpdatePeerInNetworkMapCache(peer)
-}
-
-func (c *Controller) recalculateNetworkMapCache(account *types.Account, validatedPeers map[string]struct{}) {
-	account.RecalculateNetworkMapCache(validatedPeers)
-	c.updateAccountInHolder(account)
-}
-
-func (c *Controller) RecalculateNetworkMapCache(ctx context.Context, accountId string) error {
-	if c.experimentalNetworkMap(accountId) {
-		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountId)
-		if err != nil {
-			return err
-		}
-		validatedPeers, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to get validate peers: %v", err)
-			return err
-		}
-		c.recalculateNetworkMapCache(account, validatedPeers)
-	}
-	return nil
-}
-
-func (c *Controller) experimentalNetworkMap(accountId string) bool {
-	_, ok := c.expNewNetworkMapAIDs[accountId]
-	return c.expNewNetworkMap || ok
-}
-
-func (c *Controller) enrichAccountFromHolder(account *types.Account) {
-	a := c.holder.GetAccount(account.Id)
-	if a == nil {
-		c.holder.AddAccount(account)
-		return
-	}
-	account.NetworkMapCache = a.NetworkMapCache
-	if account.NetworkMapCache == nil {
-		return
-	}
-	c.holder.AddAccount(account)
-}
-
-func (c *Controller) getAccountFromHolder(accountID string) *types.Account {
-	return c.holder.GetAccount(accountID)
-}
-
-func (c *Controller) getAccountFromHolderOrInit(ctx context.Context, accountID string) *types.Account {
-	a := c.holder.GetAccount(accountID)
-	if a != nil {
-		return a
-	}
-	account, err := c.holder.LoadOrStoreFunc(ctx, accountID, c.requestBuffer.GetAccountWithBackpressure)
-	if err != nil {
-		return nil
-	}
-	return account
-}
-
-func (c *Controller) updateAccountInHolder(account *types.Account) {
-	c.holder.AddAccount(account)
-}
-
 // GetDNSDomain returns the configured dnsDomain
 func (c *Controller) GetDNSDomain(settings *types.Settings) string {
 	if settings == nil {
@@ -756,16 +563,7 @@ func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *t
 }

 func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string) error {
-	peers, err := c.repo.GetPeersByIDs(ctx, accountID, peerIDs)
-	if err != nil {
-		return fmt.Errorf("failed to get peers by ids: %w", err)
-	}
-
-	for _, peer := range peers {
-		c.UpdatePeerInNetworkMapCache(accountID, peer)
-	}
-
-	err = c.bufferSendUpdateAccountPeers(ctx, accountID)
+	err := c.bufferSendUpdateAccountPeers(ctx, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to buffer update account peers for peer update in account %s: %v", accountID, err)
 	}
@@ -775,14 +573,6 @@ func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerI

 func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
 	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
-	if c.experimentalNetworkMap(accountID) {
-		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-		if err != nil {
-			return err
-		}
-		log.WithContext(ctx).Debugf("peers are ready to be added to networkmap cache: %v", peerIDs)
-		c.onPeersAddedUpdNetworkMapCache(account, peerIDs...)
-	}
 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
 }

@@ -817,19 +607,6 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 			MessageType: network_map.MessageTypeNetworkMap,
 		})
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
-
-		if c.experimentalNetworkMap(accountID) {
-			account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-			if err != nil {
-				log.WithContext(ctx).Errorf("failed to get account %s: %v", accountID, err)
-				continue
-			}
-			err = c.onPeerDeletedUpdNetworkMapCache(account, peerID)
-			if err != nil {
-				log.WithContext(ctx).Errorf("failed to update network map cache for deleted peer %s in account %s: %v", peerID, accountID, err)
-				continue
-			}
-		}
 	}

 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
@@ -872,21 +649,11 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 		return nil, err
 	}

-	var networkMap *types.NetworkMap
-
-	if c.experimentalNetworkMap(peer.AccountID) {
-		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
-	} else {
-		account.InjectProxyPolicies(ctx)
-		resourcePolicies := account.GetResourcePoliciesMap()
-		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-		if c.compactedNetworkMap {
-			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		} else {
-			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		}
-	}
+	account.InjectProxyPolicies(ctx)
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
--- a/management/internals/controllers/network_map/interface.go
+++ b/management/internals/controllers/network_map/interface.go
@@ -12,9 +12,6 @@ import (
 )

 const (
-	EnvNewNetworkMapBuilder  = "NB_EXPERIMENT_NETWORK_MAP"
-	EnvNewNetworkMapAccounts = "NB_EXPERIMENT_NETWORK_MAP_ACCOUNTS"
-
 	DnsForwarderPort           = nbdns.ForwarderServerPort
 	OldForwarderPort           = nbdns.ForwarderClientPort
 	DnsForwarderPortMinVersion = "v0.59.0"
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -408,7 +408,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		}

 		customZone := account.GetPeersCustomZone(context.Background(), "netbird.io")
-		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, nil, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+		networkMap := account.GetPeerNetworkMapFromComponents(context.Background(), testCase.peerID, customZone, nil, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
@@ -1171,11 +1171,6 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 	assert.Equal(t, peer.IP.String(), fmt.Sprint(ev.Meta["ip"]))
 }

-func TestAccountManager_NetworkUpdates_SaveGroup_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_SaveGroup(t)
-}
-
 func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	testAccountManager_NetworkUpdates_SaveGroup(t)
 }
@@ -1231,11 +1226,6 @@ func testAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	wg.Wait()
 }

-func TestAccountManager_NetworkUpdates_DeletePolicy_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_DeletePolicy(t)
-}
-
 func TestAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeletePolicy(t)
 }
@@ -1274,11 +1264,6 @@ func testAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	wg.Wait()
 }

-func TestAccountManager_NetworkUpdates_SavePolicy_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_SavePolicy(t)
-}
-
 func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	testAccountManager_NetworkUpdates_SavePolicy(t)
 }
@@ -1332,11 +1317,6 @@ func testAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	wg.Wait()
 }

-func TestAccountManager_NetworkUpdates_DeletePeer_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_DeletePeer(t)
-}
-
 func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeletePeer(t)
 }
@@ -1397,11 +1377,6 @@ func testAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	wg.Wait()
 }

-func TestAccountManager_NetworkUpdates_DeleteGroup_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testAccountManager_NetworkUpdates_DeleteGroup(t)
-}
-
 func TestAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeleteGroup(t)
 }
@@ -1633,75 +1608,6 @@ func TestFileStore_GetRoutesByPrefix(t *testing.T) {
 	assert.Contains(t, routeIDs, route.ID("route-2"))
 }

-func TestAccount_GetRoutesToSync(t *testing.T) {
-	_, prefix, err := route.ParseNetwork("192.168.64.0/24")
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, prefix2, err := route.ParseNetwork("192.168.0.0/24")
-	if err != nil {
-		t.Fatal(err)
-	}
-	account := &types.Account{
-		Peers: map[string]*nbpeer.Peer{
-			"peer-1": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}},
-		},
-		Groups: map[string]*types.Group{"group1": {ID: "group1", Peers: []string{"peer-1", "peer-2"}}},
-		Routes: map[route.ID]*route.Route{
-			"route-1": {
-				ID:          "route-1",
-				Network:     prefix,
-				NetID:       "network-1",
-				Description: "network-1",
-				Peer:        "peer-1",
-				NetworkType: 0,
-				Masquerade:  false,
-				Metric:      999,
-				Enabled:     true,
-				Groups:      []string{"group1"},
-			},
-			"route-2": {
-				ID:          "route-2",
-				Network:     prefix2,
-				NetID:       "network-2",
-				Description: "network-2",
-				Peer:        "peer-2",
-				NetworkType: 0,
-				Masquerade:  false,
-				Metric:      999,
-				Enabled:     true,
-				Groups:      []string{"group1"},
-			},
-			"route-3": {
-				ID:          "route-3",
-				Network:     prefix,
-				NetID:       "network-1",
-				Description: "network-1",
-				Peer:        "peer-2",
-				NetworkType: 0,
-				Masquerade:  false,
-				Metric:      999,
-				Enabled:     true,
-				Groups:      []string{"group1"},
-			},
-		},
-	}
-
-	routes := account.GetRoutesToSync(context.Background(), "peer-2", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-3"}}, account.GetPeerGroups("peer-2"))
-
-	assert.Len(t, routes, 2)
-	routeIDs := make(map[route.ID]struct{}, 2)
-	for _, r := range routes {
-		routeIDs[r.ID] = struct{}{}
-	}
-	assert.Contains(t, routeIDs, route.ID("route-2"))
-	assert.Contains(t, routeIDs, route.ID("route-3"))
-
-	emptyRoutes := account.GetRoutesToSync(context.Background(), "peer-3", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-2"}}, account.GetPeerGroups("peer-3"))
-
-	assert.Len(t, emptyRoutes, 0)
-}
-
 func TestAccount_Copy(t *testing.T) {
 	account := &types.Account{
 		Id:                     "account1",
@@ -1824,9 +1730,7 @@ func TestAccount_Copy(t *testing.T) {
 				AccountID: "account1",
 			},
 		},
-		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
-	account.InitOnce()
 	err := hasNilField(account)
 	if err != nil {
 		t.Fatal(err)
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -417,7 +417,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {

 	dnsDomain := h.networkMapController.GetDNSDomain(account.Settings)

-	netMap := account.GetPeerNetworkMap(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+	netMap := account.GetPeerNetworkMapFromComponents(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())

 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }
--- a/management/server/identity_provider.go
+++ b/management/server/identity_provider.go
@@ -274,7 +274,7 @@ func identityProviderToConnectorConfig(idpConfig *types.IdentityProvider) *dex.C
 }

 // generateIdentityProviderID generates a unique ID for an identity provider.
-// For specific provider types (okta, zitadel, entra, google, pocketid, microsoft),
+// For specific provider types (okta, zitadel, entra, google, pocketid, microsoft, adfs),
 // the ID is prefixed with the type name. Generic OIDC providers get no prefix.
 func generateIdentityProviderID(idpType types.IdentityProviderType) string {
 	id := xid.New().String()
@@ -296,6 +296,8 @@ func generateIdentityProviderID(idpType types.IdentityProviderType) string {
 		return "authentik-" + id
 	case types.IdentityProviderTypeKeycloak:
 		return "keycloak-" + id
+	case types.IdentityProviderTypeADFS:
+		return "adfs-" + id
 	default:
 		// Generic OIDC - no prefix
 		return id
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -33,8 +33,8 @@ import (

 const remoteJobsMinVer = "0.64.0"

-// GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
-// the current user is not an admin.
+// GetPeers returns peers visible to the user within an account.
+// Users with "peers:read" see all peers. Otherwise, users see only their own peers, or none if restricted by account settings.
 func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
 	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 	if err != nil {
@@ -46,14 +46,8 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return nil, status.NewPermissionValidationError(err)
 	}

-	accountPeers, err := am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
-	if err != nil {
-		return nil, err
-	}
-
-	// @note if the user has permission to read peers it shows all account peers
 	if allowed {
-		return accountPeers, nil
+		return am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
 	}

 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
@@ -65,41 +59,7 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return []*nbpeer.Peer{}, nil
 	}

-	// @note if it does not have permission read peers then only display it's own peers
-	peers := make([]*nbpeer.Peer, 0)
-	peersMap := make(map[string]*nbpeer.Peer)
-
-	for _, peer := range accountPeers {
-		if user.Id != peer.UserID {
-			continue
-		}
-		peers = append(peers, peer)
-		peersMap[peer.ID] = peer
-	}
-
-	return am.getUserAccessiblePeers(ctx, accountID, peersMap, peers)
-}
-
-func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, accountID string, peersMap map[string]*nbpeer.Peer, peers []*nbpeer.Peer) ([]*nbpeer.Peer, error) {
-	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-	if err != nil {
-		return nil, err
-	}
-
-	// fetch all the peers that have access to the user's peers
-	for _, peer := range peers {
-		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, peer, approvedPeersMap, account.GetActiveGroupUsers())
-		for _, p := range aclPeers {
-			peersMap[p.ID] = p
-		}
-	}
-
-	return maps.Values(peersMap), nil
+	return am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
 }

 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
@@ -1230,7 +1190,8 @@ func peerLoginExpired(ctx context.Context, peer *nbpeer.Peer, settings *types.Se
 	return false
 }

-// GetPeer for a given accountID, peerID and userID error if not found.
+// GetPeer returns a peer visible to the user within an account.
+// Users with "peers:read" permission can access any peer. Otherwise, users can access only their own peer.
 func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	peer, err := am.Store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 	if err != nil {
@@ -1255,36 +1216,6 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 		return peer, nil
 	}

-	return am.checkIfUserOwnsPeer(ctx, accountID, userID, peer)
-}
-
-func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error) {
-	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-	if err != nil {
-		return nil, err
-	}
-
-	// it is also possible that user doesn't own the peer but some of his peers have access to it,
-	// this is a valid case, show the peer as well.
-	userPeers, err := am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, p := range userPeers {
-		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, p, approvedPeersMap, account.GetActiveGroupUsers())
-		for _, aclPeer := range aclPeers {
-			if aclPeer.ID == peer.ID {
-				return peer, nil
-			}
-		}
-	}
-
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peer.ID, accountID)
 }

--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -179,11 +179,6 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 	testGetNetworkMapGeneral(t)
 }

-func TestAccountManager_GetNetworkMap_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testGetNetworkMapGeneral(t)
-}
-
 func testGetNetworkMapGeneral(t *testing.T) {
 	manager, _, err := createManager(t)
 	if err != nil {
@@ -564,25 +559,9 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	}
 	assert.NotNil(t, peer)

-	// the user can see peer2 because peer1 of the user has access to peer2 due to the All group and the default rule 0 all-to-all access
-	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
-	if err != nil {
-		t.Fatal(err)
-		return
-	}
-	assert.NotNil(t, peer)
-
-	// delete the all-to-all policy so that user's peer1 has no access to peer2
-	for _, policy := range account.Policies {
-		err = manager.DeletePolicy(context.Background(), accountID, policy.ID, adminUser)
-		if err != nil {
-			t.Fatal(err)
-			return
-		}
-	}
-
-	// at this point the user can't see the details of peer2
-	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser) //nolint
+	// the user can NOT see peer2 because it is not owned by them.
+	// Regular users only see peers they directly own.
+	_, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
 	assert.Error(t, err)

 	// admin users can always access all the peers
@@ -1016,11 +995,6 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {
 	}
 }

-func TestUpdateAccountPeers_Experimental(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
-	testUpdateAccountPeers(t)
-}
-
 func TestUpdateAccountPeers(t *testing.T) {
 	testUpdateAccountPeers(t)
 }
@@ -1600,7 +1574,6 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
 }

 func Test_LoginPeer(t *testing.T) {
-	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
 	if runtime.GOOS == "windows" {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}
--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -2,10 +2,8 @@ package server

 import (
 	"context"
-	"fmt"
 	"net"
 	"net/netip"
-	"sort"
 	"testing"
 	"time"

@@ -1840,11 +1838,6 @@ func TestAccount_getPeersRoutesFirewall(t *testing.T) {
 		},
 	}

-	validatedPeers := make(map[string]struct{})
-	for p := range account.Peers {
-		validatedPeers[p] = struct{}{}
-	}
-
 	t.Run("check applied policies for the route", func(t *testing.T) {
 		route1 := account.Routes["route1"]
 		policies := types.GetAllRoutePoliciesFromGroups(account, route1.AccessControlGroups)
@@ -1858,116 +1851,6 @@ func TestAccount_getPeersRoutesFirewall(t *testing.T) {
 		policies = types.GetAllRoutePoliciesFromGroups(account, route3.AccessControlGroups)
 		assert.Len(t, policies, 0)
 	})
-
-	t.Run("check peer routes firewall rules", func(t *testing.T) {
-		routesFirewallRules := account.GetPeerRoutesFirewallRules(context.Background(), "peerA", validatedPeers)
-		assert.Len(t, routesFirewallRules, 4)
-
-		expectedRoutesFirewallRules := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        80,
-				RouteID:     "route1:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        320,
-				RouteID:     "route1:peerA",
-			},
-		}
-		additionalFirewallRule := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerJIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.10.0/16",
-				Protocol:    "tcp",
-				Port:        80,
-				RouteID:     "route4:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerKIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.10.0/16",
-				Protocol:    "all",
-				RouteID:     "route4:peerA",
-			},
-		}
-
-		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(append(expectedRoutesFirewallRules, additionalFirewallRule...)))
-
-		// peerD is also the routing peer for route1, should contain same routes firewall rules as peerA
-		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerD", validatedPeers)
-		assert.Len(t, routesFirewallRules, 2)
-		for _, rule := range expectedRoutesFirewallRules {
-			rule.RouteID = "route1:peerD"
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(expectedRoutesFirewallRules))
-
-		// peerE is a single routing peer for route 2 and route 3
-		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerE", validatedPeers)
-		assert.Len(t, routesFirewallRules, 3)
-
-		expectedRoutesFirewallRules = []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
-				Action:       "accept",
-				Destination:  existingNetwork.String(),
-				Protocol:     "tcp",
-				PortRange:    types.RulePortRange{Start: 80, End: 350},
-				RouteID:      "route2",
-			},
-			{
-				SourceRanges: []string{"0.0.0.0/0"},
-				Action:       "accept",
-				Destination:  "192.0.2.0/32",
-				Protocol:     "all",
-				Domains:      domain.List{"example.com"},
-				IsDynamic:    true,
-				RouteID:      "route3",
-			},
-			{
-				SourceRanges: []string{"::/0"},
-				Action:       "accept",
-				Destination:  "192.0.2.0/32",
-				Protocol:     "all",
-				Domains:      domain.List{"example.com"},
-				IsDynamic:    true,
-				RouteID:      "route3",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(expectedRoutesFirewallRules))
-
-		// peerC is part of route1 distribution groups but should not receive the routes firewall rules
-		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
-		assert.Len(t, routesFirewallRules, 0)
-	})
-
-}
-
-// orderList is a helper function to sort a list of strings
-func orderRuleSourceRanges(ruleList []*types.RouteFirewallRule) []*types.RouteFirewallRule {
-	for _, rule := range ruleList {
-		sort.Strings(rule.SourceRanges)
-	}
-	return ruleList
 }

 func TestRouteAccountPeersUpdate(t *testing.T) {
@@ -2665,11 +2548,6 @@ func TestAccount_GetPeerNetworkResourceFirewallRules(t *testing.T) {
 		},
 	}

-	validatedPeers := make(map[string]struct{})
-	for p := range account.Peers {
-		validatedPeers[p] = struct{}{}
-	}
-
 	t.Run("validate applied policies for different network resources", func(t *testing.T) {
 		// Test case: Resource1 is directly applied to the policy (policyResource1)
 		policies := account.GetPoliciesForNetworkResource("resource1")
@@ -2693,127 +2571,4 @@ func TestAccount_GetPeerNetworkResourceFirewallRules(t *testing.T) {
 		policies = account.GetPoliciesForNetworkResource("resource6")
 		assert.Len(t, policies, 1, "resource6 should have exactly 1 policy applied via access control groups")
 	})
-
-	t.Run("validate routing peer firewall rules for network resources", func(t *testing.T) {
-		resourcePoliciesMap := account.GetResourcePoliciesMap()
-		resourceRoutersMap := account.GetResourceRoutersMap()
-		_, routes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), "peerA", resourcePoliciesMap, resourceRoutersMap)
-		firewallRules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerA"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 4)
-		assert.Len(t, sourcePeers, 5)
-
-		expectedFirewallRules := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        80,
-				RouteID:     "resource2:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
-					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
-				},
-				Action:      "accept",
-				Destination: "192.168.0.0/16",
-				Protocol:    "all",
-				Port:        320,
-				RouteID:     "resource2:peerA",
-			},
-		}
-
-		additionalFirewallRules := []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerJIp),
-				},
-				Action:      "accept",
-				Destination: "192.0.2.0/32",
-				Protocol:    "tcp",
-				Port:        80,
-				Domains:     domain.List{"example.com"},
-				IsDynamic:   true,
-				RouteID:     "resource4:peerA",
-			},
-			{
-				SourceRanges: []string{
-					fmt.Sprintf(types.AllowedIPsFormat, peerKIp),
-				},
-				Action:      "accept",
-				Destination: "192.0.2.0/32",
-				Protocol:    "all",
-				Domains:     domain.List{"example.com"},
-				IsDynamic:   true,
-				RouteID:     "resource4:peerA",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(append(expectedFirewallRules, additionalFirewallRules...)))
-
-		// peerD is also the routing peer for resource2
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerD", resourcePoliciesMap, resourceRoutersMap)
-		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerD"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 2)
-		for _, rule := range expectedFirewallRules {
-			rule.RouteID = "resource2:peerD"
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
-		assert.Len(t, sourcePeers, 3)
-
-		// peerE is a single routing peer for resource1 and resource3
-		// PeerE should only receive rules for resource1 since resource3 has no applied policy
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerE", resourcePoliciesMap, resourceRoutersMap)
-		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerE"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 1)
-		assert.Len(t, sourcePeers, 2)
-
-		expectedFirewallRules = []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
-				Action:       "accept",
-				Destination:  "10.10.10.0/24",
-				Protocol:     "tcp",
-				PortRange:    types.RulePortRange{Start: 80, End: 350},
-				RouteID:      "resource1:peerE",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
-
-		// peerC is part of distribution groups for resource2 but should not receive the firewall rules
-		firewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
-		assert.Len(t, firewallRules, 0)
-
-		// peerL is the single routing peer for resource5
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerL", resourcePoliciesMap, resourceRoutersMap)
-		assert.Len(t, routes, 1)
-		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerL"], validatedPeers, routes, resourcePoliciesMap)
-		assert.Len(t, firewallRules, 1)
-		assert.Len(t, sourcePeers, 1)
-
-		expectedFirewallRules = []*types.RouteFirewallRule{
-			{
-				SourceRanges: []string{"100.65.29.67/32"},
-				Action:       "accept",
-				Destination:  "10.12.12.1/32",
-				Protocol:     "tcp",
-				Port:         8080,
-				RouteID:      "resource5:peerL",
-			},
-		}
-		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
-
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerM", resourcePoliciesMap, resourceRoutersMap)
-		assert.Len(t, routes, 1)
-		assert.Len(t, sourcePeers, 0)
-
-		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerN", resourcePoliciesMap, resourceRoutersMap)
-		assert.Len(t, routes, 1)
-		assert.Len(t, sourcePeers, 2)
-	})
 }
--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -1196,7 +1196,6 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		account.NameServerGroups[ns.ID] = &ns
 	}
 	account.NameServerGroupsG = nil
-	account.InitOnce()
 	return &account, nil
 }

@@ -1635,7 +1634,6 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 	if sExtraIntegratedValidatorGroups.Valid {
 		_ = json.Unmarshal([]byte(sExtraIntegratedValidatorGroups.String), &account.Settings.Extra.IntegratedValidatorGroups)
 	}
-	account.InitOnce()
 	return &account, nil
 }

--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -8,7 +8,6 @@ import (
 	"slices"
 	"strconv"
 	"strings"
-	"sync"
 	"time"

 	"github.com/hashicorp/go-multierror"
@@ -27,7 +26,6 @@ import (
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -110,16 +108,9 @@ type Account struct {
 	NetworkResources []*resourceTypes.NetworkResource `gorm:"foreignKey:AccountID;references:id"`
 	Onboarding       AccountOnboarding                `gorm:"foreignKey:AccountID;references:id;constraint:OnDelete:CASCADE"`

-	NetworkMapCache *NetworkMapBuilder `gorm:"-"`
-	nmapInitOnce    *sync.Once         `gorm:"-"`
-
 	ReverseProxyFreeDomainNonce string
 }

-func (a *Account) InitOnce() {
-	a.nmapInitOnce = &sync.Once{}
-}
-
 // this class is used by gorm only
 type PrimaryAccountInfo struct {
 	IsDomainPrimaryAccount bool
@@ -155,108 +146,6 @@ func (o AccountOnboarding) IsEqual(onboarding AccountOnboarding) bool {
 		o.SignupFormPending == onboarding.SignupFormPending
 }

-// GetRoutesToSync returns the enabled routes for the peer ID and the routes
-// from the ACL peers that have distribution groups associated with the peer ID.
-// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-func (a *Account) GetRoutesToSync(ctx context.Context, peerID string, aclPeers []*nbpeer.Peer, peerGroups LookupMap) []*route.Route {
-	routes, peerDisabledRoutes := a.getRoutingPeerRoutes(ctx, peerID)
-	peerRoutesMembership := make(LookupMap)
-	for _, r := range append(routes, peerDisabledRoutes...) {
-		peerRoutesMembership[string(r.GetHAUniqueID())] = struct{}{}
-	}
-
-	for _, peer := range aclPeers {
-		activeRoutes, _ := a.getRoutingPeerRoutes(ctx, peer.ID)
-		groupFilteredRoutes := a.filterRoutesByGroups(activeRoutes, peerGroups)
-		filteredRoutes := a.filterRoutesFromPeersOfSameHAGroup(groupFilteredRoutes, peerRoutesMembership)
-		routes = append(routes, filteredRoutes...)
-	}
-
-	return routes
-}
-
-// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
-func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships LookupMap) []*route.Route {
-	var filteredRoutes []*route.Route
-	for _, r := range routes {
-		_, found := peerMemberships[string(r.GetHAUniqueID())]
-		if !found {
-			filteredRoutes = append(filteredRoutes, r)
-		}
-	}
-	return filteredRoutes
-}
-
-// filterRoutesByGroups returns a list with routes that have distribution groups in the group's map
-func (a *Account) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
-	var filteredRoutes []*route.Route
-	for _, r := range routes {
-		for _, groupID := range r.Groups {
-			_, found := groupListMap[groupID]
-			if found {
-				filteredRoutes = append(filteredRoutes, r)
-				break
-			}
-		}
-	}
-	return filteredRoutes
-}
-
-// getRoutingPeerRoutes returns the enabled and disabled lists of routes that the given routing peer serves
-// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-// If the given is not a routing peer, then the lists are empty.
-func (a *Account) getRoutingPeerRoutes(ctx context.Context, peerID string) (enabledRoutes []*route.Route, disabledRoutes []*route.Route) {
-
-	peer := a.GetPeer(peerID)
-	if peer == nil {
-		log.WithContext(ctx).Errorf("peer %s that doesn't exist under account %s", peerID, a.Id)
-		return enabledRoutes, disabledRoutes
-	}
-
-	seenRoute := make(map[route.ID]struct{})
-
-	takeRoute := func(r *route.Route, id string) {
-		if _, ok := seenRoute[r.ID]; ok {
-			return
-		}
-		seenRoute[r.ID] = struct{}{}
-
-		if r.Enabled {
-			r.Peer = peer.Key
-			enabledRoutes = append(enabledRoutes, r)
-			return
-		}
-		disabledRoutes = append(disabledRoutes, r)
-	}
-
-	for _, r := range a.Routes {
-		for _, groupID := range r.PeerGroups {
-			group := a.GetGroup(groupID)
-			if group == nil {
-				log.WithContext(ctx).Errorf("route %s has peers group %s that doesn't exist under account %s", r.ID, groupID, a.Id)
-				continue
-			}
-			for _, id := range group.Peers {
-				if id != peerID {
-					continue
-				}
-
-				newPeerRoute := r.Copy()
-				newPeerRoute.Peer = id
-				newPeerRoute.PeerGroups = nil
-				newPeerRoute.ID = route.ID(string(r.ID) + ":" + id) // we have to provide unique route id when distribute network map
-				takeRoute(newPeerRoute, id)
-				break
-			}
-		}
-		if r.Peer == peerID {
-			takeRoute(r.Copy(), peerID)
-		}
-	}
-
-	return enabledRoutes, disabledRoutes
-}
-
 // GetRoutesByPrefixOrDomains return list of routes by account and route prefix
 func (a *Account) GetRoutesByPrefixOrDomains(prefix netip.Prefix, domains domain.List) []*route.Route {
 	var routes []*route.Route
@@ -276,106 +165,6 @@ func (a *Account) GetGroup(groupID string) *Group {
 	return a.Groups[groupID]
 }

-// GetPeerNetworkMap returns the networkmap for the given peer ID.
-func (a *Account) GetPeerNetworkMap(
-	ctx context.Context,
-	peerID string,
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	validatedPeersMap map[string]struct{},
-	resourcePolicies map[string][]*Policy,
-	routers map[string]map[string]*routerTypes.NetworkRouter,
-	metrics *telemetry.AccountManagerMetrics,
-	groupIDToUserIDs map[string][]string,
-) *NetworkMap {
-	start := time.Now()
-	peer := a.Peers[peerID]
-	if peer == nil {
-		return &NetworkMap{
-			Network: a.Network.Copy(),
-		}
-	}
-
-	if _, ok := validatedPeersMap[peerID]; !ok {
-		return &NetworkMap{
-			Network: a.Network.Copy(),
-		}
-	}
-
-	peerGroups := a.GetPeerGroups(peerID)
-
-	aclPeers, firewallRules, authorizedUsers, enableSSH := a.GetPeerConnectionResources(ctx, peer, validatedPeersMap, groupIDToUserIDs)
-	// exclude expired peers
-	var peersToConnect []*nbpeer.Peer
-	var expiredPeers []*nbpeer.Peer
-	for _, p := range aclPeers {
-		expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
-		if a.Settings.PeerLoginExpirationEnabled && expired {
-			expiredPeers = append(expiredPeers, p)
-			continue
-		}
-		peersToConnect = append(peersToConnect, p)
-	}
-
-	routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect, peerGroups)
-	routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
-	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
-	var networkResourcesFirewallRules []*RouteFirewallRule
-	if isRouter {
-		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
-	}
-	peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
-
-	dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
-	dnsUpdate := nbdns.Config{
-		ServiceEnable: dnsManagementStatus,
-	}
-
-	if dnsManagementStatus {
-		var zones []nbdns.CustomZone
-
-		if peersCustomZone.Domain != "" {
-			records := filterZoneRecordsForPeers(peer, peersCustomZone, peersToConnectIncludingRouters, expiredPeers)
-			zones = append(zones, nbdns.CustomZone{
-				Domain:  peersCustomZone.Domain,
-				Records: records,
-			})
-		}
-
-		filteredAccountZones := filterPeerAppliedZones(ctx, accountZones, peerGroups)
-		zones = append(zones, filteredAccountZones...)
-
-		dnsUpdate.CustomZones = zones
-		dnsUpdate.NameServerGroups = getPeerNSGroups(a, peerID)
-	}
-
-	nm := &NetworkMap{
-		Peers:               peersToConnectIncludingRouters,
-		Network:             a.Network.Copy(),
-		Routes:              slices.Concat(networkResourcesRoutes, routesUpdate),
-		DNSConfig:           dnsUpdate,
-		OfflinePeers:        expiredPeers,
-		FirewallRules:       firewallRules,
-		RoutesFirewallRules: slices.Concat(networkResourcesFirewallRules, routesFirewallRules),
-		AuthorizedUsers:     authorizedUsers,
-		EnableSSH:           enableSSH,
-	}
-
-	if metrics != nil {
-		objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routesUpdate) + len(networkResourcesRoutes) + len(firewallRules) + +len(networkResourcesFirewallRules) + len(routesFirewallRules))
-		metrics.CountNetworkMapObjects(objectCount)
-		metrics.CountGetPeerNetworkMapDuration(time.Since(start))
-
-		if objectCount > 5000 {
-			log.WithContext(ctx).Tracef("account: %s has a total resource count of %d objects, "+
-				"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, network resources routes: %d, network resources firewall rules: %d, routes firewall rules: %d",
-				a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routesUpdate), len(firewallRules), len(networkResourcesRoutes), len(networkResourcesFirewallRules), len(routesFirewallRules))
-		}
-	}
-
-	return nm
-}
-
 func (a *Account) addNetworksRoutingPeers(
 	networkResourcesRoutes []*route.Route,
 	peer *nbpeer.Peer,
@@ -421,39 +210,6 @@ func (a *Account) addNetworksRoutingPeers(
 	return peersToConnect
 }

-func getPeerNSGroups(account *Account, peerID string) []*nbdns.NameServerGroup {
-	groupList := account.GetPeerGroups(peerID)
-
-	var peerNSGroups []*nbdns.NameServerGroup
-
-	for _, nsGroup := range account.NameServerGroups {
-		if !nsGroup.Enabled {
-			continue
-		}
-		for _, gID := range nsGroup.Groups {
-			_, found := groupList[gID]
-			if found {
-				if !peerIsNameserver(account.GetPeer(peerID), nsGroup) {
-					peerNSGroups = append(peerNSGroups, nsGroup.Copy())
-					break
-				}
-			}
-		}
-	}
-
-	return peerNSGroups
-}
-
-// peerIsNameserver returns true if the peer is a nameserver for a nsGroup
-func peerIsNameserver(peer *nbpeer.Peer, nsGroup *nbdns.NameServerGroup) bool {
-	for _, ns := range nsGroup.NameServers {
-		if peer.IP.Equal(ns.IP.AsSlice()) {
-			return true
-		}
-	}
-	return false
-}
-
 func AddPeerLabelsToAccount(ctx context.Context, account *Account, peerLabels LookupMap) {
 	for _, peer := range account.Peers {
 		label, err := GetPeerHostLabel(peer.Name, peerLabels)
@@ -800,19 +556,6 @@ func (a *Account) GetPeerGroupsList(peerID string) []string {
 	return grps
 }

-func (a *Account) getPeerDNSManagementStatus(peerID string) bool {
-	peerGroups := a.GetPeerGroups(peerID)
-	enabled := true
-	for _, groupID := range a.DNSSettings.DisabledManagementGroups {
-		_, found := peerGroups[groupID]
-		if found {
-			enabled = false
-			break
-		}
-	}
-	return enabled
-}
-
 func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	groupList := make(LookupMap)
 	for groupID, group := range a.Groups {
@@ -941,8 +684,6 @@ func (a *Account) Copy() *Account {
 		NetworkResources:       networkResources,
 		Services:               services,
 		Onboarding:             a.Onboarding,
-		NetworkMapCache:        a.NetworkMapCache,
-		nmapInitOnce:           a.nmapInitOnce,
 		Domains:                domains,
 	}
 }
@@ -1304,31 +1045,6 @@ func (a *Account) GetPostureChecks(postureChecksID string) *posture.Checks {
 	return nil
 }

-// GetPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
-func (a *Account) GetPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
-	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
-
-	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
-	for _, route := range enabledRoutes {
-		// If no access control groups are specified, accept all traffic.
-		if len(route.AccessControlGroups) == 0 {
-			defaultPermit := getDefaultPermit(route)
-			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
-			continue
-		}
-
-		distributionPeers := a.getDistributionGroupsPeers(route)
-
-		for _, accessGroup := range route.AccessControlGroups {
-			policies := GetAllRoutePoliciesFromGroups(a, []string{accessGroup})
-			rules := a.getRouteFirewallRules(ctx, peerID, policies, route, validatedPeersMap, distributionPeers)
-			routesFirewallRules = append(routesFirewallRules, rules...)
-		}
-	}
-
-	return routesFirewallRules
-}
-
 func (a *Account) getRouteFirewallRules(ctx context.Context, peerID string, policies []*Policy, route *route.Route, validatedPeersMap map[string]struct{}, distributionPeers map[string]struct{}) []*RouteFirewallRule {
 	var fwRules []*RouteFirewallRule
 	for _, policy := range policies {
@@ -1387,50 +1103,6 @@ func (a *Account) getRulePeers(rule *PolicyRule, postureChecks []string, peerID
 	return distributionGroupPeers
 }

-func (a *Account) getDistributionGroupsPeers(route *route.Route) map[string]struct{} {
-	distPeers := make(map[string]struct{})
-	for _, id := range route.Groups {
-		group := a.Groups[id]
-		if group == nil {
-			continue
-		}
-
-		for _, pID := range group.Peers {
-			distPeers[pID] = struct{}{}
-		}
-	}
-	return distPeers
-}
-
-func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
-	var rules []*RouteFirewallRule
-
-	sources := []string{"0.0.0.0/0"}
-	if route.Network.Addr().Is6() {
-		sources = []string{"::/0"}
-	}
-	rule := RouteFirewallRule{
-		SourceRanges: sources,
-		Action:       string(PolicyTrafficActionAccept),
-		Destination:  route.Network.String(),
-		Protocol:     string(PolicyRuleProtocolALL),
-		Domains:      route.Domains,
-		IsDynamic:    route.IsDynamic(),
-		RouteID:      route.ID,
-	}
-
-	rules = append(rules, &rule)
-
-	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
-	if route.IsDynamic() {
-		ruleV6 := rule
-		ruleV6.SourceRanges = []string{"::/0"}
-		rules = append(rules, &ruleV6)
-	}
-
-	return rules
-}
-
 // GetAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
 // and returns a list of policies that have rules with destinations matching the specified groups.
 func GetAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
@@ -1508,65 +1180,6 @@ func (a *Account) GetResourcePoliciesMap() map[string][]*Policy {
 	return resourcePolicies
 }

-// GetNetworkResourcesRoutesToSync returns network routes for syncing with a specific peer and its ACL peers.
-func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
-	var isRoutingPeer bool
-	var routes []*route.Route
-	allSourcePeers := make(map[string]struct{}, len(a.Peers))
-
-	for _, resource := range a.NetworkResources {
-		if !resource.Enabled {
-			continue
-		}
-
-		var addSourcePeers bool
-
-		networkRoutingPeers, exists := routers[resource.NetworkID]
-		if exists {
-			if router, ok := networkRoutingPeers[peerID]; ok {
-				isRoutingPeer, addSourcePeers = true, true
-				routes = append(routes, a.getNetworkResourcesRoutes(resource, peerID, router, resourcePolicies)...)
-			}
-		}
-
-		addedResourceRoute := false
-		for _, policy := range resourcePolicies[resource.ID] {
-			var peers []string
-			if policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "" {
-				peers = []string{policy.Rules[0].SourceResource.ID}
-			} else {
-				peers = a.getUniquePeerIDsFromGroupsIDs(ctx, policy.SourceGroups())
-			}
-			if addSourcePeers {
-				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
-					allSourcePeers[pID] = struct{}{}
-				}
-			} else if slices.Contains(peers, peerID) && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
-				// add routes for the resource if the peer is in the distribution group
-				for peerId, router := range networkRoutingPeers {
-					routes = append(routes, a.getNetworkResourcesRoutes(resource, peerId, router, resourcePolicies)...)
-				}
-				addedResourceRoute = true
-			}
-			if addedResourceRoute {
-				break
-			}
-		}
-	}
-
-	return isRoutingPeer, routes, allSourcePeers
-}
-
-func (a *Account) getPostureValidPeers(inputPeers []string, postureChecksIDs []string) []string {
-	var dest []string
-	for _, peerID := range inputPeers {
-		if a.validatePostureChecksOnPeer(context.Background(), postureChecksIDs, peerID) {
-			dest = append(dest, peerID)
-		}
-	}
-	return dest
-}
-
 func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) []string {
 	peerIDs := make(map[string]struct{}, len(groups)) // we expect at least one peer per group as initial capacity
 	for _, groupID := range groups {
@@ -1658,22 +1271,6 @@ func (a *Account) GetPoliciesAppliedInNetwork(networkID string) []string {
 	return result
 }

-// getNetworkResourcesRoutes convert the network resources list to routes list.
-func (a *Account) getNetworkResourcesRoutes(resource *resourceTypes.NetworkResource, peerId string, router *routerTypes.NetworkRouter, resourcePolicies map[string][]*Policy) []*route.Route {
-	resourceAppliedPolicies := resourcePolicies[resource.ID]
-
-	var routes []*route.Route
-	// distribute the resource routes only if there is policy applied to it
-	if len(resourceAppliedPolicies) > 0 {
-		peer := a.GetPeer(peerId)
-		if peer != nil {
-			routes = append(routes, resource.ToRoute(peer, router))
-		}
-	}
-
-	return routes
-}
-
 func (a *Account) GetResourceRoutersMap() map[string]map[string]*routerTypes.NetworkRouter {
 	routers := make(map[string]map[string]*routerTypes.NetworkRouter)

--- a/management/server/types/account_test.go
+++ b/management/server/types/account_test.go
@@ -4,8 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
-	"slices"
 	"testing"

 	"github.com/miekg/dns"
@@ -19,7 +17,6 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/route"
 )

@@ -451,402 +448,6 @@ func Test_AddNetworksRoutingPeersHandlesNoMissingPeers(t *testing.T) {
 	require.Len(t, result, 0)
 }

-const (
-	accID                                = "accountID"
-	network1ID                           = "network1ID"
-	group1ID                             = "group1"
-	accNetResourcePeer1ID                = "peer1"
-	accNetResourcePeer2ID                = "peer2"
-	accNetResourceRouter1ID              = "router1"
-	accNetResource1ID                    = "resource1ID"
-	accNetResourceRestrictPostureCheckID = "restrictPostureCheck"
-	accNetResourceRelaxedPostureCheckID  = "relaxedPostureCheck"
-	accNetResourceLockedPostureCheckID   = "lockedPostureCheck"
-	accNetResourceLinuxPostureCheckID    = "linuxPostureCheck"
-)
-
-var (
-	accNetResourcePeer1IP    = net.IP{192, 168, 1, 1}
-	accNetResourcePeer2IP    = net.IP{192, 168, 1, 2}
-	accNetResourceRouter1IP  = net.IP{192, 168, 1, 3}
-	accNetResourceValidPeers = map[string]struct{}{accNetResourcePeer1ID: {}, accNetResourcePeer2ID: {}}
-)
-
-func getBasicAccountsWithResource() *Account {
-	return &Account{
-		Id: accID,
-		Peers: map[string]*nbpeer.Peer{
-			accNetResourcePeer1ID: {
-				ID:        accNetResourcePeer1ID,
-				AccountID: accID,
-				Key:       "peer1Key",
-				IP:        accNetResourcePeer1IP,
-				Meta: nbpeer.PeerSystemMeta{
-					GoOS:          "linux",
-					WtVersion:     "0.35.1",
-					KernelVersion: "4.4.0",
-				},
-			},
-			accNetResourcePeer2ID: {
-				ID:        accNetResourcePeer2ID,
-				AccountID: accID,
-				Key:       "peer2Key",
-				IP:        accNetResourcePeer2IP,
-				Meta: nbpeer.PeerSystemMeta{
-					GoOS:          "windows",
-					WtVersion:     "0.34.1",
-					KernelVersion: "4.4.0",
-				},
-			},
-			accNetResourceRouter1ID: {
-				ID:        accNetResourceRouter1ID,
-				AccountID: accID,
-				Key:       "router1Key",
-				IP:        accNetResourceRouter1IP,
-				Meta: nbpeer.PeerSystemMeta{
-					GoOS:          "linux",
-					WtVersion:     "0.35.1",
-					KernelVersion: "4.4.0",
-				},
-			},
-		},
-		Groups: map[string]*Group{
-			group1ID: {
-				ID:    group1ID,
-				Peers: []string{accNetResourcePeer1ID, accNetResourcePeer2ID},
-			},
-		},
-		Networks: []*networkTypes.Network{
-			{
-				ID:        network1ID,
-				AccountID: accID,
-				Name:      "network1",
-			},
-		},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{
-				ID:         accNetResourceRouter1ID,
-				NetworkID:  network1ID,
-				AccountID:  accID,
-				Peer:       accNetResourceRouter1ID,
-				PeerGroups: []string{},
-				Masquerade: false,
-				Metric:     100,
-				Enabled:    true,
-			},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{
-				ID:        accNetResource1ID,
-				AccountID: accID,
-				NetworkID: network1ID,
-				Address:   "10.10.10.0/24",
-				Prefix:    netip.MustParsePrefix("10.10.10.0/24"),
-				Type:      resourceTypes.NetworkResourceType("subnet"),
-				Enabled:   true,
-			},
-		},
-		Policies: []*Policy{
-			{
-				ID:        "policy1ID",
-				AccountID: accID,
-				Enabled:   true,
-				Rules: []*PolicyRule{
-					{
-						ID:      "rule1ID",
-						Enabled: true,
-						Sources: []string{group1ID},
-						DestinationResource: Resource{
-							ID:   accNetResource1ID,
-							Type: "Host",
-						},
-						Protocol: PolicyRuleProtocolTCP,
-						Ports:    []string{"80"},
-						Action:   PolicyTrafficActionAccept,
-					},
-				},
-				SourcePostureChecks: nil,
-			},
-		},
-		PostureChecks: []*posture.Checks{
-			{
-				ID:   accNetResourceRestrictPostureCheckID,
-				Name: accNetResourceRestrictPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{
-						MinVersion: "0.35.0",
-					},
-				},
-			},
-			{
-				ID:   accNetResourceRelaxedPostureCheckID,
-				Name: accNetResourceRelaxedPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{
-						MinVersion: "0.0.1",
-					},
-				},
-			},
-			{
-				ID:   accNetResourceLockedPostureCheckID,
-				Name: accNetResourceLockedPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{
-						MinVersion: "7.7.7",
-					},
-				},
-			},
-			{
-				ID:   accNetResourceLinuxPostureCheckID,
-				Name: accNetResourceLinuxPostureCheckID,
-				Checks: posture.ChecksDefinition{
-					OSVersionCheck: &posture.OSVersionCheck{
-						Linux: &posture.MinKernelVersionCheck{
-							MinKernelVersion: "0.0.0"},
-					},
-				},
-			},
-		},
-	}
-}
-
-func Test_NetworksNetMapGenWithNoPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// all peers should match the policy
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer2ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 1, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenWithPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// should allow peer1 to match the policy
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceRestrictPostureCheckID}
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 1, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 1, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenWithNoMatchedPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// should not match any peer
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceLockedPostureCheckID}
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 0, "expected rules count don't match")
-}
-
-func Test_NetworksNetMapGenWithTwoPoliciesAndPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// should allow peer1 to match the policy
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceRestrictPostureCheckID}
-
-	// should allow peer1 and peer2 to match the policy
-	newPolicy := &Policy{
-		ID:        "policy2ID",
-		AccountID: accID,
-		Enabled:   true,
-		Rules: []*PolicyRule{
-			{
-				ID:      "policy2ID",
-				Enabled: true,
-				Sources: []string{group1ID},
-				DestinationResource: Resource{
-					ID:   accNetResource1ID,
-					Type: "Host",
-				},
-				Protocol: PolicyRuleProtocolTCP,
-				Ports:    []string{"22"},
-				Action:   PolicyTrafficActionAccept,
-			},
-		},
-		SourcePostureChecks: []string{accNetResourceRelaxedPostureCheckID},
-	}
-
-	account.Policies = append(account.Policies, newPolicy)
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer2ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 2, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-
-	assert.Equal(t, uint16(22), rules[1].Port, "should have port 22")
-	assert.Equal(t, "tcp", rules[1].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[1].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[1].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if !slices.Contains(rules[1].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer2 %s", rules[1].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenWithTwoPostureChecks(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	// two posture checks should match only the peers that match both checks
-	policy := account.Policies[0]
-	policy.SourcePostureChecks = []string{accNetResourceRelaxedPostureCheckID, accNetResourceLinuxPostureCheckID}
-
-	// validate for peer1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate for peer2
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.False(t, isRouter, "expected router status")
-	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 1, "expected source peers don't match")
-	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
-
-	// validate rules for router1
-	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
-	assert.Len(t, rules, 1, "expected rules count don't match")
-	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
-	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
-	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
-		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
-	}
-	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
-		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
-	}
-}
-
-func Test_NetworksNetMapGenShouldExcludeOtherRouters(t *testing.T) {
-	account := getBasicAccountsWithResource()
-
-	account.Peers["router2Id"] = &nbpeer.Peer{Key: "router2Key", ID: "router2Id", AccountID: accID, IP: net.IP{192, 168, 1, 4}}
-	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
-		ID:        "router2Id",
-		NetworkID: network1ID,
-		AccountID: accID,
-		Peer:      "router2Id",
-	})
-
-	// validate routes for router1
-	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
-	assert.True(t, isRouter, "should be router")
-	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
-	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
-}
-
 func Test_ExpandPortsAndRanges_SSHRuleExpansion(t *testing.T) {
 	tests := []struct {
 		name          string
--- a/management/server/types/holder.go
+++ b/management/server/types/holder.go
@@ -1,47 +0,0 @@
-package types
-
-import (
-	"context"
-	"sync"
-)
-
-type Holder struct {
-	mu       sync.RWMutex
-	accounts map[string]*Account
-}
-
-func NewHolder() *Holder {
-	return &Holder{
-		accounts: make(map[string]*Account),
-	}
-}
-
-func (h *Holder) GetAccount(id string) *Account {
-	h.mu.RLock()
-	defer h.mu.RUnlock()
-	return h.accounts[id]
-}
-
-func (h *Holder) AddAccount(account *Account) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	a := h.accounts[account.Id]
-	if a != nil && a.Network.CurrentSerial() >= account.Network.CurrentSerial() {
-		return
-	}
-	h.accounts[account.Id] = account
-}
-
-func (h *Holder) LoadOrStoreFunc(ctx context.Context, id string, accGetter func(context.Context, string) (*Account, error)) (*Account, error) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	if acc, ok := h.accounts[id]; ok {
-		return acc, nil
-	}
-	account, err := accGetter(ctx, id)
-	if err != nil {
-		return nil, err
-	}
-	h.accounts[id] = account
-	return account, nil
-}
--- a/management/server/types/identity_provider.go
+++ b/management/server/types/identity_provider.go
@@ -39,6 +39,8 @@ const (
 	IdentityProviderTypeAuthentik IdentityProviderType = "authentik"
 	// IdentityProviderTypeKeycloak is the Keycloak identity provider
 	IdentityProviderTypeKeycloak IdentityProviderType = "keycloak"
+	// IdentityProviderTypeADFS is the Microsoft AD FS identity provider
+	IdentityProviderTypeADFS IdentityProviderType = "adfs"
 )

 // IdentityProvider represents an identity provider configuration
@@ -112,7 +114,8 @@ func (t IdentityProviderType) IsValid() bool {
 	switch t {
 	case IdentityProviderTypeOIDC, IdentityProviderTypeZitadel, IdentityProviderTypeEntra,
 		IdentityProviderTypeGoogle, IdentityProviderTypeOkta, IdentityProviderTypePocketID,
-		IdentityProviderTypeMicrosoft, IdentityProviderTypeAuthentik, IdentityProviderTypeKeycloak:
+		IdentityProviderTypeMicrosoft, IdentityProviderTypeAuthentik, IdentityProviderTypeKeycloak,
+		IdentityProviderTypeADFS:
 		return true
 	}
 	return false
--- a/management/server/types/networkmap.go
+++ b/management/server/types/networkmap.go
@@ -1,67 +0,0 @@
-package types
-
-import (
-	"context"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/zones"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-)
-
-func (a *Account) initNetworkMapBuilder(validatedPeers map[string]struct{}) {
-	if a.NetworkMapCache != nil {
-		return
-	}
-	a.nmapInitOnce.Do(func() {
-		a.NetworkMapCache = NewNetworkMapBuilder(a, validatedPeers)
-	})
-}
-
-func (a *Account) InitNetworkMapBuilderIfNeeded(validatedPeers map[string]struct{}) {
-	a.initNetworkMapBuilder(validatedPeers)
-}
-
-func (a *Account) GetPeerNetworkMapExp(
-	ctx context.Context,
-	peerID string,
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	validatedPeers map[string]struct{},
-	metrics *telemetry.AccountManagerMetrics,
-) *NetworkMap {
-	a.initNetworkMapBuilder(validatedPeers)
-	return a.NetworkMapCache.GetPeerNetworkMap(ctx, peerID, peersCustomZone, accountZones, validatedPeers, metrics)
-}
-
-func (a *Account) OnPeerAddedUpdNetworkMapCache(peerId string) error {
-	if a.NetworkMapCache == nil {
-		return nil
-	}
-	return a.NetworkMapCache.OnPeerAddedIncremental(a, peerId)
-}
-
-func (a *Account) OnPeersAddedUpdNetworkMapCache(peerIds ...string) {
-	if a.NetworkMapCache == nil {
-		return
-	}
-	a.NetworkMapCache.EnqueuePeersForIncrementalAdd(a, peerIds...)
-}
-
-func (a *Account) OnPeerDeletedUpdNetworkMapCache(peerId string) error {
-	if a.NetworkMapCache == nil {
-		return nil
-	}
-	return a.NetworkMapCache.OnPeerDeleted(a, peerId)
-}
-
-func (a *Account) UpdatePeerInNetworkMapCache(peer *nbpeer.Peer) {
-	if a.NetworkMapCache == nil {
-		return
-	}
-	a.NetworkMapCache.UpdatePeer(peer)
-}
-
-func (a *Account) RecalculateNetworkMapCache(validatedPeers map[string]struct{}) {
-	a.initNetworkMapBuilder(validatedPeers)
-}
--- a/management/server/types/networkmap_comparison_test.go
+++ b/management/server/types/networkmap_comparison_test.go
@@ -1,592 +0,0 @@
-package types
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"sort"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/route"
-)
-
-func TestNetworkMapComponents_CompareWithLegacy(t *testing.T) {
-	account := createTestAccount()
-	ctx := context.Background()
-
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[pid] = struct{}{}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	components := account.GetPeerNetworkMapComponents(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		groupIDToUserIDs,
-	)
-
-	if components == nil {
-		t.Fatal("GetPeerNetworkMapComponents returned nil")
-	}
-
-	newNetworkMap := CalculateNetworkMapFromComponents(ctx, components)
-
-	if newNetworkMap == nil {
-		t.Fatal("CalculateNetworkMapFromComponents returned nil")
-	}
-
-	compareNetworkMaps(t, legacyNetworkMap, newNetworkMap)
-}
-
-func TestNetworkMapComponents_GoldenFileComparison(t *testing.T) {
-	account := createTestAccount()
-	ctx := context.Background()
-
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[pid] = struct{}{}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	components := account.GetPeerNetworkMapComponents(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		groupIDToUserIDs,
-	)
-
-	require.NotNil(t, components, "GetPeerNetworkMapComponents returned nil")
-
-	newNetworkMap := CalculateNetworkMapFromComponents(ctx, components)
-	require.NotNil(t, newNetworkMap, "CalculateNetworkMapFromComponents returned nil")
-
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	normalizeAndSortNetworkMap(newNetworkMap)
-
-	componentsJSON, err := json.MarshalIndent(components, "", "  ")
-	require.NoError(t, err, "error marshaling components to JSON")
-
-	legacyJSON, err := json.MarshalIndent(legacyNetworkMap, "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	newJSON, err := json.MarshalIndent(newNetworkMap, "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	goldenDir := filepath.Join("testdata", "comparison")
-	err = os.MkdirAll(goldenDir, 0755)
-	require.NoError(t, err)
-
-	legacyGoldenPath := filepath.Join(goldenDir, "legacy_networkmap.json")
-	err = os.WriteFile(legacyGoldenPath, legacyJSON, 0644)
-	require.NoError(t, err, "error writing legacy golden file")
-
-	newGoldenPath := filepath.Join(goldenDir, "components_networkmap.json")
-	err = os.WriteFile(newGoldenPath, newJSON, 0644)
-	require.NoError(t, err, "error writing components golden file")
-
-	componentsPath := filepath.Join(goldenDir, "components.json")
-	err = os.WriteFile(componentsPath, componentsJSON, 0644)
-	require.NoError(t, err, "error writing components golden file")
-
-	require.JSONEq(t, string(legacyJSON), string(newJSON),
-		"NetworkMaps from legacy and components approaches do not match.\n"+
-			"Legacy JSON saved to: %s\n"+
-			"Components JSON saved to: %s",
-		legacyGoldenPath, newGoldenPath)
-
-	t.Logf("✅ NetworkMaps are identical")
-	t.Logf("   Legacy NetworkMap: %s", legacyGoldenPath)
-	t.Logf("   Components NetworkMap: %s", newGoldenPath)
-}
-
-func normalizeAndSortNetworkMap(nm *NetworkMap) {
-	if nm == nil {
-		return
-	}
-
-	sort.Slice(nm.Peers, func(i, j int) bool {
-		return nm.Peers[i].ID < nm.Peers[j].ID
-	})
-
-	sort.Slice(nm.OfflinePeers, func(i, j int) bool {
-		return nm.OfflinePeers[i].ID < nm.OfflinePeers[j].ID
-	})
-
-	sort.Slice(nm.Routes, func(i, j int) bool {
-		return string(nm.Routes[i].ID) < string(nm.Routes[j].ID)
-	})
-
-	sort.Slice(nm.FirewallRules, func(i, j int) bool {
-		if nm.FirewallRules[i].PeerIP != nm.FirewallRules[j].PeerIP {
-			return nm.FirewallRules[i].PeerIP < nm.FirewallRules[j].PeerIP
-		}
-		if nm.FirewallRules[i].Direction != nm.FirewallRules[j].Direction {
-			return nm.FirewallRules[i].Direction < nm.FirewallRules[j].Direction
-		}
-		if nm.FirewallRules[i].Protocol != nm.FirewallRules[j].Protocol {
-			return nm.FirewallRules[i].Protocol < nm.FirewallRules[j].Protocol
-		}
-		if nm.FirewallRules[i].Port != nm.FirewallRules[j].Port {
-			return nm.FirewallRules[i].Port < nm.FirewallRules[j].Port
-		}
-		return nm.FirewallRules[i].PolicyID < nm.FirewallRules[j].PolicyID
-	})
-
-	for i := range nm.RoutesFirewallRules {
-		sort.Strings(nm.RoutesFirewallRules[i].SourceRanges)
-	}
-
-	sort.Slice(nm.RoutesFirewallRules, func(i, j int) bool {
-		if nm.RoutesFirewallRules[i].Destination != nm.RoutesFirewallRules[j].Destination {
-			return nm.RoutesFirewallRules[i].Destination < nm.RoutesFirewallRules[j].Destination
-		}
-
-		minLen := len(nm.RoutesFirewallRules[i].SourceRanges)
-		if len(nm.RoutesFirewallRules[j].SourceRanges) < minLen {
-			minLen = len(nm.RoutesFirewallRules[j].SourceRanges)
-		}
-		for k := 0; k < minLen; k++ {
-			if nm.RoutesFirewallRules[i].SourceRanges[k] != nm.RoutesFirewallRules[j].SourceRanges[k] {
-				return nm.RoutesFirewallRules[i].SourceRanges[k] < nm.RoutesFirewallRules[j].SourceRanges[k]
-			}
-		}
-		if len(nm.RoutesFirewallRules[i].SourceRanges) != len(nm.RoutesFirewallRules[j].SourceRanges) {
-			return len(nm.RoutesFirewallRules[i].SourceRanges) < len(nm.RoutesFirewallRules[j].SourceRanges)
-		}
-
-		if string(nm.RoutesFirewallRules[i].RouteID) != string(nm.RoutesFirewallRules[j].RouteID) {
-			return string(nm.RoutesFirewallRules[i].RouteID) < string(nm.RoutesFirewallRules[j].RouteID)
-		}
-
-		if nm.RoutesFirewallRules[i].PolicyID != nm.RoutesFirewallRules[j].PolicyID {
-			return nm.RoutesFirewallRules[i].PolicyID < nm.RoutesFirewallRules[j].PolicyID
-		}
-
-		if nm.RoutesFirewallRules[i].Port != nm.RoutesFirewallRules[j].Port {
-			return nm.RoutesFirewallRules[i].Port < nm.RoutesFirewallRules[j].Port
-		}
-
-		return nm.RoutesFirewallRules[i].Protocol < nm.RoutesFirewallRules[j].Protocol
-	})
-
-	if nm.DNSConfig.CustomZones != nil {
-		for i := range nm.DNSConfig.CustomZones {
-			sort.Slice(nm.DNSConfig.CustomZones[i].Records, func(a, b int) bool {
-				return nm.DNSConfig.CustomZones[i].Records[a].Name < nm.DNSConfig.CustomZones[i].Records[b].Name
-			})
-		}
-	}
-
-	if len(nm.DNSConfig.NameServerGroups) != 0 {
-		sort.Slice(nm.DNSConfig.NameServerGroups, func(a, b int) bool {
-			return nm.DNSConfig.NameServerGroups[a].Name < nm.DNSConfig.NameServerGroups[b].Name
-		})
-	}
-}
-
-func compareNetworkMaps(t *testing.T, legacy, current *NetworkMap) {
-	t.Helper()
-
-	if legacy.Network.Serial != current.Network.Serial {
-		t.Errorf("Network Serial mismatch: legacy=%d, current=%d", legacy.Network.Serial, current.Network.Serial)
-	}
-
-	if len(legacy.Peers) != len(current.Peers) {
-		t.Errorf("Peers count mismatch: legacy=%d, current=%d", len(legacy.Peers), len(current.Peers))
-	}
-
-	legacyPeerIDs := make(map[string]bool)
-	for _, p := range legacy.Peers {
-		legacyPeerIDs[p.ID] = true
-	}
-
-	for _, p := range current.Peers {
-		if !legacyPeerIDs[p.ID] {
-			t.Errorf("Current NetworkMap contains peer %s not in legacy", p.ID)
-		}
-	}
-
-	if len(legacy.OfflinePeers) != len(current.OfflinePeers) {
-		t.Errorf("OfflinePeers count mismatch: legacy=%d, current=%d", len(legacy.OfflinePeers), len(current.OfflinePeers))
-	}
-
-	if len(legacy.FirewallRules) != len(current.FirewallRules) {
-		t.Logf("FirewallRules count mismatch: legacy=%d, current=%d", len(legacy.FirewallRules), len(current.FirewallRules))
-	}
-
-	if len(legacy.Routes) != len(current.Routes) {
-		t.Logf("Routes count mismatch: legacy=%d, current=%d", len(legacy.Routes), len(current.Routes))
-	}
-
-	if len(legacy.RoutesFirewallRules) != len(current.RoutesFirewallRules) {
-		t.Logf("RoutesFirewallRules count mismatch: legacy=%d, current=%d", len(legacy.RoutesFirewallRules), len(current.RoutesFirewallRules))
-	}
-
-	if legacy.DNSConfig.ServiceEnable != current.DNSConfig.ServiceEnable {
-		t.Errorf("DNSConfig.ServiceEnable mismatch: legacy=%v, current=%v", legacy.DNSConfig.ServiceEnable, current.DNSConfig.ServiceEnable)
-	}
-}
-
-const (
-	numPeers          = 100
-	devGroupID        = "group-dev"
-	opsGroupID        = "group-ops"
-	allGroupID        = "group-all"
-	routeID           = route.ID("route-main")
-	routeHA1ID        = route.ID("route-ha-1")
-	routeHA2ID        = route.ID("route-ha-2")
-	policyIDDevOps    = "policy-dev-ops"
-	policyIDAll       = "policy-all"
-	policyIDPosture   = "policy-posture"
-	policyIDDrop      = "policy-drop"
-	postureCheckID    = "posture-check-ver"
-	networkResourceID = "res-database"
-	networkID         = "net-database"
-	networkRouterID   = "router-database"
-	nameserverGroupID = "ns-group-main"
-	testingPeerID     = "peer-60"
-	expiredPeerID     = "peer-98"
-	offlinePeerID     = "peer-99"
-	routingPeerID     = "peer-95"
-	testAccountID     = "account-comparison-test"
-)
-
-func createTestAccount() *Account {
-	peers := make(map[string]*nbpeer.Peer)
-	devGroupPeers, opsGroupPeers, allGroupPeers := []string{}, []string{}, []string{}
-
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		ip := net.IP{100, 64, 0, byte(i + 1)}
-		wtVersion := "0.25.0"
-		if i%2 == 0 {
-			wtVersion = "0.40.0"
-		}
-
-		p := &nbpeer.Peer{
-			ID: peerID, IP: ip, Key: fmt.Sprintf("key-%s", peerID), DNSLabel: fmt.Sprintf("peer%d", i+1),
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-			UserID: "user-admin", Meta: nbpeer.PeerSystemMeta{WtVersion: wtVersion, GoOS: "linux"},
-		}
-
-		if peerID == expiredPeerID {
-			p.LoginExpirationEnabled = true
-			pastTimestamp := time.Now().Add(-2 * time.Hour)
-			p.LastLogin = &pastTimestamp
-		}
-
-		peers[peerID] = p
-		allGroupPeers = append(allGroupPeers, peerID)
-		if i < numPeers/2 {
-			devGroupPeers = append(devGroupPeers, peerID)
-		} else {
-			opsGroupPeers = append(opsGroupPeers, peerID)
-		}
-	}
-
-	groups := map[string]*Group{
-		allGroupID: {ID: allGroupID, Name: "All", Peers: allGroupPeers},
-		devGroupID: {ID: devGroupID, Name: "Developers", Peers: devGroupPeers},
-		opsGroupID: {ID: opsGroupID, Name: "Operations", Peers: opsGroupPeers},
-	}
-
-	policies := []*Policy{
-		{
-			ID: policyIDAll, Name: "Default-Allow", Enabled: true,
-			Rules: []*PolicyRule{{
-				ID: policyIDAll, Name: "Allow All", Enabled: true, Action: PolicyTrafficActionAccept,
-				Protocol: PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{allGroupID}, Destinations: []string{allGroupID},
-			}},
-		},
-		{
-			ID: policyIDDevOps, Name: "Dev to Ops Web Access", Enabled: true,
-			Rules: []*PolicyRule{{
-				ID: policyIDDevOps, Name: "Dev -> Ops (HTTP Range)", Enabled: true, Action: PolicyTrafficActionAccept,
-				Protocol: PolicyRuleProtocolTCP, Bidirectional: false,
-				PortRanges: []RulePortRange{{Start: 8080, End: 8090}},
-				Sources:    []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDDrop, Name: "Drop DB traffic", Enabled: true,
-			Rules: []*PolicyRule{{
-				ID: policyIDDrop, Name: "Drop DB", Enabled: true, Action: PolicyTrafficActionDrop,
-				Protocol: PolicyRuleProtocolTCP, Ports: []string{"5432"}, Bidirectional: true,
-				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDPosture, Name: "Posture Check for DB Resource", Enabled: true,
-			SourcePostureChecks: []string{postureCheckID},
-			Rules: []*PolicyRule{{
-				ID: policyIDPosture, Name: "Allow DB Access", Enabled: true, Action: PolicyTrafficActionAccept,
-				Protocol: PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{opsGroupID}, DestinationResource: Resource{ID: networkResourceID},
-			}},
-		},
-	}
-
-	routes := map[route.ID]*route.Route{
-		routeID: {
-			ID: routeID, Network: netip.MustParsePrefix("192.168.10.0/24"),
-			Peer:        peers["peer-75"].Key,
-			PeerID:      "peer-75",
-			Description: "Route to internal resource", Enabled: true,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{devGroupID},
-		},
-		routeHA1ID: {
-			ID: routeHA1ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-80"].Key,
-			PeerID:      "peer-80",
-			Description: "HA Route 1", Enabled: true, Metric: 1000,
-			PeerGroups:          []string{allGroupID},
-			Groups:              []string{allGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-		routeHA2ID: {
-			ID: routeHA2ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-90"].Key,
-			PeerID:      "peer-90",
-			Description: "HA Route 2", Enabled: true, Metric: 900,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-	}
-
-	account := &Account{
-		Id: testAccountID, Peers: peers, Groups: groups, Policies: policies, Routes: routes,
-		Network: &Network{
-			Identifier: "net-comparison-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
-		},
-		DNSSettings: DNSSettings{DisabledManagementGroups: []string{opsGroupID}},
-		NameServerGroups: map[string]*nbdns.NameServerGroup{
-			nameserverGroupID: {
-				ID: nameserverGroupID, Name: "Main NS", Enabled: true, Groups: []string{devGroupID},
-				NameServers: []nbdns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53}},
-			},
-		},
-		PostureChecks: []*posture.Checks{
-			{ID: postureCheckID, Name: "Check version", Checks: posture.ChecksDefinition{
-				NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-			}},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{ID: networkResourceID, NetworkID: networkID, AccountID: testAccountID, Enabled: true, Address: "db.netbird.cloud"},
-		},
-		Networks: []*networkTypes.Network{{ID: networkID, Name: "DB Network", AccountID: testAccountID}},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{ID: networkRouterID, NetworkID: networkID, Peer: routingPeerID, Enabled: true, AccountID: testAccountID},
-		},
-		Settings: &Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: 1 * time.Hour},
-	}
-
-	for _, p := range account.Policies {
-		p.AccountID = account.Id
-	}
-	for _, r := range account.Routes {
-		r.AccountID = account.Id
-	}
-
-	return account
-}
-
-func BenchmarkLegacyNetworkMap(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = account.GetPeerNetworkMap(
-			ctx,
-			peerID,
-			peersCustomZone,
-			nil,
-			validatedPeersMap,
-			resourcePolicies,
-			routers,
-			nil,
-			groupIDToUserIDs,
-		)
-	}
-}
-
-func BenchmarkComponentsNetworkMap(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		components := account.GetPeerNetworkMapComponents(
-			ctx,
-			peerID,
-			peersCustomZone,
-			nil,
-			validatedPeersMap,
-			resourcePolicies,
-			routers,
-			groupIDToUserIDs,
-		)
-		_ = CalculateNetworkMapFromComponents(ctx, components)
-	}
-}
-
-func BenchmarkComponentsCreation(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = account.GetPeerNetworkMapComponents(
-			ctx,
-			peerID,
-			peersCustomZone,
-			nil,
-			validatedPeersMap,
-			resourcePolicies,
-			routers,
-			groupIDToUserIDs,
-		)
-	}
-}
-
-func BenchmarkCalculationFromComponents(b *testing.B) {
-	account := createTestAccount()
-	ctx := context.Background()
-	peerID := testingPeerID
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		pid := fmt.Sprintf("peer-%d", i)
-		if pid != offlinePeerID {
-			validatedPeersMap[pid] = struct{}{}
-		}
-	}
-
-	peersCustomZone := nbdns.CustomZone{}
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	components := account.GetPeerNetworkMapComponents(
-		ctx,
-		peerID,
-		peersCustomZone,
-		nil,
-		validatedPeersMap,
-		resourcePolicies,
-		routers,
-		groupIDToUserIDs,
-	)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = CalculateNetworkMapFromComponents(ctx, components)
-	}
-}
--- a/management/server/types/networkmap_components.go
+++ b/management/server/types/networkmap_components.go
@@ -19,8 +19,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

-const EnvNewNetworkMapCompacted = "NB_NETWORK_MAP_COMPACTED"
-
 type NetworkMapComponents struct {
 	PeerID string

--- a/management/server/types/networkmap_components_test.go
+++ b/management/server/types/networkmap_components_test.go
@@ -0,0 +1,787 @@
+package types_test
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/route"
+)
+
+func networkMapFromComponents(t *testing.T, account *types.Account, peerID string, validatedPeers map[string]struct{}) *types.NetworkMap {
+	t.Helper()
+	return account.GetPeerNetworkMapFromComponents(
+		context.Background(),
+		peerID,
+		account.GetPeersCustomZone(context.Background(), "netbird.io"),
+		nil,
+		validatedPeers,
+		account.GetResourcePoliciesMap(),
+		account.GetResourceRoutersMap(),
+		nil,
+		account.GetActiveGroupUsers(),
+	)
+}
+
+func allPeersValidated(account *types.Account, excludePeerIDs ...string) map[string]struct{} {
+	excludeSet := make(map[string]struct{}, len(excludePeerIDs))
+	for _, id := range excludePeerIDs {
+		excludeSet[id] = struct{}{}
+	}
+	validated := make(map[string]struct{}, len(account.Peers))
+	for id := range account.Peers {
+		if _, excluded := excludeSet[id]; !excluded {
+			validated[id] = struct{}{}
+		}
+	}
+	return validated
+}
+
+func peerIDs(peers []*nbpeer.Peer) []string {
+	ids := make([]string, len(peers))
+	for i, p := range peers {
+		ids[i] = p.ID
+	}
+	return ids
+}
+
+func TestNetworkMapComponents_RegularPeerConnectivity(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.NotNil(t, nm)
+	assert.Contains(t, peerIDs(nm.Peers), "peer-dst-1", "should see peer from destination group via bidirectional policy")
+	assert.Contains(t, peerIDs(nm.Peers), "peer-router-1", "should see router peer via resource policy")
+	assert.NotContains(t, peerIDs(nm.Peers), "peer-src-1", "should not see itself")
+	assert.Empty(t, nm.OfflinePeers, "no expired peers expected")
+}
+
+func TestNetworkMapComponents_IntraGroupConnectivity(t *testing.T) {
+	account := createComponentTestAccount()
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-intra-src", Name: "Intra-source connectivity", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-intra-src", Name: "src <-> src", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Bidirectional: true,
+			Sources:       []string{"group-src"}, Destinations: []string{"group-src"},
+		}},
+	})
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.Contains(t, peerIDs(nm.Peers), "peer-src-2", "should see peer from same group with intra-group policy")
+}
+
+func TestNetworkMapComponents_FirewallRules(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	require.NotEmpty(t, nm.FirewallRules, "firewall rules should be generated")
+
+	var hasAcceptAll bool
+	for _, rule := range nm.FirewallRules {
+		if rule.Protocol == string(types.PolicyRuleProtocolALL) && rule.Action == string(types.PolicyTrafficActionAccept) {
+			hasAcceptAll = true
+		}
+	}
+	assert.True(t, hasAcceptAll, "should have an accept-all firewall rule from the base policy")
+}
+
+func TestNetworkMapComponents_LoginExpiration(t *testing.T) {
+	account := createComponentTestAccount()
+	account.Settings.PeerLoginExpirationEnabled = true
+	account.Settings.PeerLoginExpiration = 1 * time.Hour
+
+	expiredTime := time.Now().Add(-2 * time.Hour)
+	account.Peers["peer-dst-1"].LoginExpirationEnabled = true
+	account.Peers["peer-dst-1"].LastLogin = &expiredTime
+
+	validated := allPeersValidated(account)
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.Contains(t, peerIDs(nm.OfflinePeers), "peer-dst-1", "expired peer should be in OfflinePeers")
+	assert.NotContains(t, peerIDs(nm.Peers), "peer-dst-1", "expired peer should NOT be in active Peers")
+}
+
+func TestNetworkMapComponents_InvalidatedPeerExcluded(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account, "peer-dst-1")
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.NotContains(t, peerIDs(nm.Peers), "peer-dst-1", "non-validated peer should be excluded")
+	assert.NotContains(t, peerIDs(nm.OfflinePeers), "peer-dst-1", "non-validated peer should not be in offline peers either")
+}
+
+func TestNetworkMapComponents_NonValidatedTargetPeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account, "peer-src-1")
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	assert.Empty(t, nm.Peers, "non-validated target peer should get empty network map")
+	assert.Empty(t, nm.FirewallRules)
+}
+
+func TestNetworkMapComponents_NetworkResourceRoutes_SourcePeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasResourceRoute bool
+	for _, r := range nm.Routes {
+		if r.Network.String() == "10.200.0.1/32" {
+			hasResourceRoute = true
+			break
+		}
+	}
+	assert.True(t, hasResourceRoute, "source peer should receive route to network resource via router")
+	assert.Contains(t, peerIDs(nm.Peers), "peer-router-1", "source peer should see the routing peer")
+}
+
+func TestNetworkMapComponents_NetworkResourceRoutes_RouterPeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	var hasResourceRoute bool
+	for _, r := range nm.Routes {
+		if r.Network.String() == "10.200.0.1/32" {
+			hasResourceRoute = true
+			break
+		}
+	}
+	assert.True(t, hasResourceRoute, "router peer should receive network resource route")
+	assert.NotEmpty(t, nm.RoutesFirewallRules, "router peer should have route firewall rules for the resource")
+}
+
+func TestNetworkMapComponents_NetworkResourceRoutes_UnrelatedPeer(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
+
+	for _, r := range nm.Routes {
+		assert.NotEqual(t, "10.200.0.1/32", r.Network.String(), "unrelated peer should not receive network resource route")
+	}
+}
+
+func TestNetworkMapComponents_NetworkResource_WithPostureCheck(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.PostureChecks = []*posture.Checks{
+		{ID: "pc-version", Name: "Version check", Checks: posture.ChecksDefinition{
+			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.30.0"},
+		}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-posture-resource", Name: "Posture resource access", Enabled: true, AccountID: account.Id,
+		SourcePostureChecks: []string{"pc-version"},
+		Rules: []*types.PolicyRule{{
+			ID: "rule-posture-resource", Name: "Posture -> Resource", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-guarded"},
+		}},
+	})
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-guarded", NetworkID: "net-guarded", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.1.1/32"), Address: "10.200.1.1/32",
+	})
+	account.Networks = append(account.Networks, &networkTypes.Network{
+		ID: "net-guarded", Name: "Guarded Net", AccountID: account.Id,
+	})
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID: "router-guarded", NetworkID: "net-guarded", Peer: "peer-router-1", Enabled: true, AccountID: account.Id,
+	})
+
+	t.Run("peer passes posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		var hasGuardedRoute bool
+		for _, r := range nm.Routes {
+			if r.Network.String() == "10.200.1.1/32" {
+				hasGuardedRoute = true
+			}
+		}
+		assert.True(t, hasGuardedRoute, "peer passing posture check should get guarded resource route")
+	})
+
+	t.Run("peer fails posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.20.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		for _, r := range nm.Routes {
+			assert.NotEqual(t, "10.200.1.1/32", r.Network.String(), "peer failing posture check should NOT get guarded resource route")
+		}
+	})
+}
+
+func TestNetworkMapComponents_NetworkResource_MultiplePostureChecks(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.PostureChecks = []*posture.Checks{
+		{ID: "pc-version", Name: "Version", Checks: posture.ChecksDefinition{
+			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.30.0"},
+		}},
+		{ID: "pc-os", Name: "OS check", Checks: posture.ChecksDefinition{
+			OSVersionCheck: &posture.OSVersionCheck{Linux: &posture.MinKernelVersionCheck{MinKernelVersion: "5.0"}},
+		}},
+	}
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-multi-posture", Name: "Multi posture", Enabled: true, AccountID: account.Id,
+		SourcePostureChecks: []string{"pc-version", "pc-os"},
+		Rules: []*types.PolicyRule{{
+			ID: "rule-multi-posture", Name: "Multi posture rule", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-strict"},
+		}},
+	})
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-strict", NetworkID: "net-strict", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.2.1/32"), Address: "10.200.2.1/32",
+	})
+	account.Networks = append(account.Networks, &networkTypes.Network{
+		ID: "net-strict", Name: "Strict Net", AccountID: account.Id,
+	})
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID: "router-strict", NetworkID: "net-strict", Peer: "peer-router-1", Enabled: true, AccountID: account.Id,
+	})
+
+	t.Run("passes both posture checks", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
+		account.Peers["peer-src-1"].Meta.GoOS = "linux"
+		account.Peers["peer-src-1"].Meta.KernelVersion = "6.1.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		var found bool
+		for _, r := range nm.Routes {
+			if r.Network.String() == "10.200.2.1/32" {
+				found = true
+			}
+		}
+		assert.True(t, found, "peer passing both checks should get resource route")
+	})
+
+	t.Run("fails version posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.20.0"
+		account.Peers["peer-src-1"].Meta.KernelVersion = "6.1.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		for _, r := range nm.Routes {
+			assert.NotEqual(t, "10.200.2.1/32", r.Network.String(), "peer failing version check should NOT get resource route")
+		}
+	})
+
+	t.Run("fails OS posture check", func(t *testing.T) {
+		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
+		account.Peers["peer-src-1"].Meta.KernelVersion = "4.0.0"
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+		for _, r := range nm.Routes {
+			assert.NotEqual(t, "10.200.2.1/32", r.Network.String(), "peer failing OS check should NOT get resource route")
+		}
+	})
+}
+
+func TestNetworkMapComponents_RouterPeerFirewallRules(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	var resourceFWRules []*types.RouteFirewallRule
+	for _, rule := range nm.RoutesFirewallRules {
+		if rule.Destination == "10.200.0.1/32" {
+			resourceFWRules = append(resourceFWRules, rule)
+		}
+	}
+	assert.NotEmpty(t, resourceFWRules, "router should have firewall rules for the network resource")
+
+	var hasSourcePeerIP bool
+	for _, rule := range resourceFWRules {
+		for _, sr := range rule.SourceRanges {
+			if sr == account.Peers["peer-src-1"].IP.String()+"/32" || sr == account.Peers["peer-src-2"].IP.String()+"/32" {
+				hasSourcePeerIP = true
+			}
+		}
+	}
+	assert.True(t, hasSourcePeerIP, "resource firewall rules should include source peer IPs")
+}
+
+func TestNetworkMapComponents_DNSManagement(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	t.Run("peer in DNS-enabled group", func(t *testing.T) {
+		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+		assert.True(t, nm.DNSConfig.ServiceEnable, "peer in non-disabled group should have DNS enabled")
+	})
+
+	t.Run("peer in DNS-disabled group", func(t *testing.T) {
+		nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
+		assert.False(t, nm.DNSConfig.ServiceEnable, "peer in DNS-disabled group should have DNS disabled")
+	})
+}
+
+func TestNetworkMapComponents_NameServerGroups(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.True(t, nm.DNSConfig.ServiceEnable)
+
+	var hasNSGroup bool
+	for _, ns := range nm.DNSConfig.NameServerGroups {
+		if ns.ID == "ns-main" {
+			hasNSGroup = true
+		}
+	}
+	assert.True(t, hasNSGroup, "peer in NS group should receive nameserver configuration")
+}
+
+func TestNetworkMapComponents_RoutesWithHADeduplication(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Routes["route-ha-1"] = &route.Route{
+		ID: "route-ha-1", Network: netip.MustParsePrefix("172.16.0.0/16"),
+		Peer: account.Peers["peer-dst-1"].Key, PeerID: "peer-dst-1",
+		Enabled: true, Metric: 100, AccountID: account.Id,
+		Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-dst"},
+	}
+	account.Routes["route-ha-2"] = &route.Route{
+		ID: "route-ha-2", Network: netip.MustParsePrefix("172.16.0.0/16"),
+		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
+		Enabled: true, Metric: 200, AccountID: account.Id,
+		Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-src"},
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	haCount := 0
+	for _, r := range nm.Routes {
+		if r.Network.String() == "172.16.0.0/16" {
+			haCount++
+		}
+	}
+	assert.Equal(t, 1, haCount, "peer should only receive one route from HA group (not both, since it's a member of one)")
+}
+
+func TestNetworkMapComponents_RoutesFirewallRulesForAccessControl(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Routes["route-acl"] = &route.Route{
+		ID: "route-acl", Network: netip.MustParsePrefix("192.168.100.0/24"),
+		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
+		Enabled: true, Metric: 100, AccountID: account.Id,
+		Groups:              []string{"group-dst"},
+		PeerGroups:          []string{"group-src"},
+		AccessControlGroups: []string{"group-dst"},
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasFWRule bool
+	for _, rule := range nm.RoutesFirewallRules {
+		if rule.Destination == "192.168.100.0/24" {
+			hasFWRule = true
+		}
+	}
+	assert.True(t, hasFWRule, "routing peer should have firewall rules for route with access control groups")
+}
+
+func TestNetworkMapComponents_RoutesDefaultPermit(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Routes["route-open"] = &route.Route{
+		ID: "route-open", Network: netip.MustParsePrefix("10.99.0.0/16"),
+		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
+		Enabled: true, Metric: 100, AccountID: account.Id,
+		Groups:     []string{"group-src"},
+		PeerGroups: []string{"group-src"},
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasFWRule bool
+	for _, rule := range nm.RoutesFirewallRules {
+		if rule.Destination == "10.99.0.0/16" {
+			hasFWRule = true
+		}
+	}
+	assert.True(t, hasFWRule, "route without access control groups should have default permit firewall rules")
+}
+
+func TestNetworkMapComponents_SSHAuthorizedUsers(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Peers["peer-dst-1"].SSHEnabled = true
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-ssh", Name: "SSH Access", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-ssh", Name: "SSH to dst", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Bidirectional: true,
+			Sources:       []string{"group-src"}, Destinations: []string{"group-dst"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
+	assert.True(t, nm.EnableSSH, "SSH-enabled peer with matching policy should have EnableSSH")
+}
+
+func TestNetworkMapComponents_DisabledPolicyIgnored(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	for _, p := range account.Policies {
+		p.Enabled = false
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.Empty(t, nm.Peers, "with all policies disabled, peer should see no other peers")
+	assert.Empty(t, nm.FirewallRules)
+}
+
+func TestNetworkMapComponents_DisabledRouteIgnored(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	for _, r := range account.Routes {
+		r.Enabled = false
+	}
+	for _, r := range account.NetworkResources {
+		r.Enabled = false
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+	assert.Empty(t, nm.Routes, "disabled routes should not appear in network map")
+}
+
+func TestNetworkMapComponents_DisabledNetworkResourceIgnored(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	for _, r := range account.NetworkResources {
+		r.Enabled = false
+	}
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	for _, r := range nm.Routes {
+		assert.NotEqual(t, "10.200.0.1/32", r.Network.String(), "disabled resource should not generate routes")
+	}
+}
+
+func TestNetworkMapComponents_BidirectionalPolicy(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nmSrc := networkMapFromComponents(t, account, "peer-src-1", validated)
+	nmDst := networkMapFromComponents(t, account, "peer-dst-1", validated)
+
+	assert.Contains(t, peerIDs(nmSrc.Peers), "peer-dst-1", "src should see dst via bidirectional policy")
+	assert.Contains(t, peerIDs(nmDst.Peers), "peer-src-1", "dst should see src via bidirectional policy")
+}
+
+func TestNetworkMapComponents_DropPolicy(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-drop", Name: "Drop traffic", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-drop", Name: "Drop src->dst", Enabled: true,
+			Action: types.PolicyTrafficActionDrop, Protocol: types.PolicyRuleProtocolTCP,
+			Ports:   []string{"5432"},
+			Sources: []string{"group-src"}, Destinations: []string{"group-dst"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasDropRule bool
+	for _, rule := range nm.FirewallRules {
+		if rule.Action == string(types.PolicyTrafficActionDrop) && rule.Port == "5432" {
+			hasDropRule = true
+		}
+	}
+	assert.True(t, hasDropRule, "drop policy should generate drop firewall rule")
+}
+
+func TestNetworkMapComponents_PortRangePolicy(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.Peers["peer-src-1"].Meta.WtVersion = "0.50.0"
+
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-range", Name: "Port range", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-range", Name: "Range rule", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolTCP,
+			PortRanges: []types.RulePortRange{{Start: 8080, End: 8090}},
+			Sources:    []string{"group-src"}, Destinations: []string{"group-dst"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasRangeRule bool
+	for _, rule := range nm.FirewallRules {
+		if rule.PortRange.Start == 8080 && rule.PortRange.End == 8090 {
+			hasRangeRule = true
+		}
+	}
+	assert.True(t, hasRangeRule, "port range policy should generate corresponding firewall rule")
+}
+
+func TestNetworkMapComponents_MultipleNetworkResources(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-2", NetworkID: "net-1", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.0.2/32"), Address: "10.200.0.2/32",
+	})
+	account.Groups["group-res2"] = &types.Group{ID: "group-res2", Name: "Resource 2 Group", Peers: []string{"peer-src-1", "peer-src-2"},
+		Resources: []types.Resource{{ID: "resource-2"}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-res2", Name: "Resource 2 Policy", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-res2", Name: "Access Resource 2", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-2"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	resourceRouteCount := 0
+	for _, r := range nm.Routes {
+		if r.Network.String() == "10.200.0.1/32" || r.Network.String() == "10.200.0.2/32" {
+			resourceRouteCount++
+		}
+	}
+	assert.Equal(t, 2, resourceRouteCount, "router should have routes for both network resources")
+}
+
+func TestNetworkMapComponents_DomainNetworkResource(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-domain", NetworkID: "net-1", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Domain, Domain: "api.example.com", Address: "api.example.com",
+	})
+	account.Groups["group-res-domain"] = &types.Group{
+		ID: "group-res-domain", Name: "Domain Resource Group",
+		Resources: []types.Resource{{ID: "resource-domain"}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-domain", Name: "Domain resource policy", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-domain", Name: "Access domain resource", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-domain"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
+
+	var hasDomainRoute bool
+	for _, r := range nm.Routes {
+		if r.NetworkType == route.DomainNetwork && len(r.Domains) > 0 && r.Domains[0].SafeString() == "api.example.com" {
+			hasDomainRoute = true
+		}
+	}
+	assert.True(t, hasDomainRoute, "source peer should receive domain route for domain network resource")
+}
+
+func TestNetworkMapComponents_NetworkEmpty(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	nm := networkMapFromComponents(t, account, "nonexistent-peer", validated)
+
+	assert.NotNil(t, nm)
+	assert.Empty(t, nm.Peers)
+	assert.Empty(t, nm.FirewallRules)
+	assert.NotNil(t, nm.Network)
+}
+
+func TestNetworkMapComponents_RouterExcludesOtherNetworkRoutes(t *testing.T) {
+	account := createComponentTestAccount()
+	validated := allPeersValidated(account)
+
+	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
+		ID: "resource-other", NetworkID: "net-other", AccountID: account.Id, Enabled: true,
+		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.99.1/32"), Address: "10.200.99.1/32",
+	})
+	account.Networks = append(account.Networks, &networkTypes.Network{
+		ID: "net-other", Name: "Other Net", AccountID: account.Id,
+	})
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID: "router-other", NetworkID: "net-other", Peer: "peer-dst-1", Enabled: true, AccountID: account.Id,
+	})
+	account.Groups["group-res-other"] = &types.Group{ID: "group-res-other", Name: "Other resource group",
+		Resources: []types.Resource{{ID: "resource-other"}},
+	}
+	account.Policies = append(account.Policies, &types.Policy{
+		ID: "policy-other-resource", Name: "Other resource policy", Enabled: true, AccountID: account.Id,
+		Rules: []*types.PolicyRule{{
+			ID: "rule-other", Name: "Other resource access", Enabled: true,
+			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+			Sources:             []string{"group-src"},
+			DestinationResource: types.Resource{ID: "resource-other"},
+		}},
+	})
+
+	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
+
+	for _, r := range nm.Routes {
+		assert.NotEqual(t, "10.200.99.1/32", r.Network.String(), "router-1 should NOT get routes for other network's resources")
+	}
+}
+
+func createComponentTestAccount() *types.Account {
+	peers := map[string]*nbpeer.Peer{
+		"peer-src-1": {
+			ID: "peer-src-1", IP: net.IP{100, 64, 0, 1}, Key: "key-src-1", DNSLabel: "src1",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+		"peer-src-2": {
+			ID: "peer-src-2", IP: net.IP{100, 64, 0, 2}, Key: "key-src-2", DNSLabel: "src2",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+		"peer-dst-1": {
+			ID: "peer-dst-1", IP: net.IP{100, 64, 0, 3}, Key: "key-dst-1", DNSLabel: "dst1",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-2",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+		"peer-router-1": {
+			ID: "peer-router-1", IP: net.IP{100, 64, 0, 10}, Key: "key-router-1", DNSLabel: "router1",
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
+			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
+		},
+	}
+
+	groups := map[string]*types.Group{
+		"group-src": {ID: "group-src", Name: "Sources", Peers: []string{"peer-src-1", "peer-src-2"}},
+		"group-dst": {ID: "group-dst", Name: "Destinations", Peers: []string{"peer-dst-1"}},
+		"group-all": {ID: "group-all", Name: "All", Peers: []string{"peer-src-1", "peer-src-2", "peer-dst-1", "peer-router-1"}},
+		"group-res": {
+			ID: "group-res", Name: "Resource Group",
+			Resources: []types.Resource{{ID: "resource-1"}},
+		},
+	}
+
+	policies := []*types.Policy{
+		{
+			ID: "policy-base", Name: "Base connectivity", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: "rule-base", Name: "Allow src <-> dst", Enabled: true,
+				Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+				Bidirectional: true,
+				Sources:       []string{"group-src"}, Destinations: []string{"group-dst"},
+			}},
+		},
+		{
+			ID: "policy-resource", Name: "Network resource access", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: "rule-resource", Name: "Source -> Resource", Enabled: true,
+				Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
+				Sources:             []string{"group-src"},
+				DestinationResource: types.Resource{ID: "resource-1"},
+			}},
+		},
+	}
+
+	routes := map[route.ID]*route.Route{
+		"route-main": {
+			ID: "route-main", Network: netip.MustParsePrefix("192.168.10.0/24"),
+			Peer: peers["peer-dst-1"].Key, PeerID: "peer-dst-1",
+			Enabled: true, Metric: 100,
+			Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-dst"},
+		},
+	}
+
+	users := map[string]*types.User{
+		"user-1": {Id: "user-1", Role: types.UserRoleAdmin, IsServiceUser: false, AutoGroups: []string{"group-all"}},
+		"user-2": {Id: "user-2", Role: types.UserRoleUser, IsServiceUser: false, AutoGroups: []string{"group-all"}},
+	}
+
+	account := &types.Account{
+		Id: "account-components-test", Peers: peers, Groups: groups, Policies: policies, Routes: routes,
+		Users: users,
+		Network: &types.Network{
+			Identifier: "net-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
+		},
+		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{"group-dst"}},
+		NameServerGroups: map[string]*nbdns.NameServerGroup{
+			"ns-main": {
+				ID: "ns-main", Name: "Main NS", Enabled: true, Groups: []string{"group-src"},
+				NameServers: []nbdns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53}},
+			},
+		},
+		PostureChecks: []*posture.Checks{},
+		NetworkResources: []*resourceTypes.NetworkResource{
+			{
+				ID: "resource-1", NetworkID: "net-1", AccountID: "account-components-test", Enabled: true,
+				Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.0.1/32"), Address: "10.200.0.1/32",
+			},
+		},
+		Networks: []*networkTypes.Network{
+			{ID: "net-1", Name: "Resource Net", AccountID: "account-components-test"},
+		},
+		NetworkRouters: []*routerTypes.NetworkRouter{
+			{ID: "router-1", NetworkID: "net-1", Peer: "peer-router-1", Enabled: true, AccountID: "account-components-test"},
+		},
+		Settings: &types.Settings{PeerLoginExpirationEnabled: false, PeerLoginExpiration: 24 * time.Hour},
+	}
+
+	for _, p := range account.Policies {
+		p.AccountID = account.Id
+	}
+	for _, r := range account.Routes {
+		r.AccountID = account.Id
+	}
+
+	return account
+}
--- a/management/server/types/networkmap_golden_test.go
+++ b/management/server/types/networkmap_golden_test.go
@@ -1,967 +0,0 @@
-package types_test
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"slices"
-	"sort"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/zones"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
-)
-
-const (
-	numPeers          = 100
-	devGroupID        = "group-dev"
-	opsGroupID        = "group-ops"
-	allGroupID        = "group-all"
-	sshUsersGroupID   = "group-ssh-users"
-	routeID           = route.ID("route-main")
-	routeHA1ID        = route.ID("route-ha-1")
-	routeHA2ID        = route.ID("route-ha-2")
-	policyIDDevOps    = "policy-dev-ops"
-	policyIDAll       = "policy-all"
-	policyIDPosture   = "policy-posture"
-	policyIDDrop      = "policy-drop"
-	policyIDSSH       = "policy-ssh"
-	postureCheckID    = "posture-check-ver"
-	networkResourceID = "res-database"
-	networkID         = "net-database"
-	networkRouterID   = "router-database"
-	nameserverGroupID = "ns-group-main"
-	testingPeerID     = "peer-60" // A peer from the "dev" group, should receive the most detailed map.
-	expiredPeerID     = "peer-98" // This peer will be online but with an expired session.
-	offlinePeerID     = "peer-99" // This peer will be completely offline.
-	routingPeerID     = "peer-95" // This peer is used for routing, it has a route to the network.
-	testAccountID     = "account-golden-test"
-	userAdminID       = "user-admin"
-	userDevID         = "user-dev"
-	userOpsID         = "user-ops"
-)
-
-func TestGetPeerNetworkMap_Golden(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-
-	b.ResetTimer()
-	b.Run("old builder", func(b *testing.B) {
-		for range b.N {
-			for _, peerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-	b.ResetTimer()
-	b.Run("new builder", func(b *testing.B) {
-		for range b.N {
-			builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-			for _, peerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func TestGetPeerNetworkMap_Golden_WithNewPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	newPeerID := "peer-new-101"
-	newPeerIP := net.IP{100, 64, 1, 1}
-	newPeer := &nbpeer.Peer{
-		ID:        newPeerID,
-		IP:        newPeerIP,
-		Key:       fmt.Sprintf("key-%s", newPeerID),
-		DNSLabel:  "peernew101",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newPeerID] = newPeer
-
-	if devGroup, exists := account.Groups[devGroupID]; exists {
-		devGroup.Peers = append(devGroup.Peers, newPeerID)
-	}
-
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newPeerID)
-	}
-
-	validatedPeersMap[newPeerID] = struct{}{}
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerAddedIncremental(account, newPeerID)
-	require.NoError(t, err, "error adding peer to cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_new_peer.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with new peer from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap_AfterPeerAdded(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-	newPeerID := "peer-new-101"
-	newPeer := &nbpeer.Peer{
-		ID:       newPeerID,
-		IP:       net.IP{100, 64, 1, 1},
-		Key:      fmt.Sprintf("key-%s", newPeerID),
-		DNSLabel: "peernew101",
-		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:   "user-admin",
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-	}
-
-	account.Peers[newPeerID] = newPeer
-	account.Groups[devGroupID].Peers = append(account.Groups[devGroupID].Peers, newPeerID)
-	account.Groups[allGroupID].Peers = append(account.Groups[allGroupID].Peers, newPeerID)
-	validatedPeersMap[newPeerID] = struct{}{}
-
-	b.ResetTimer()
-	b.Run("old builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-
-	b.ResetTimer()
-	b.Run("new builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = builder.OnPeerAddedIncremental(account, newPeerID)
-			for _, testingPeerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func TestGetPeerNetworkMap_Golden_WithNewRoutingPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	newRouterID := "peer-new-router-102"
-	newRouterIP := net.IP{100, 64, 1, 2}
-	newRouter := &nbpeer.Peer{
-		ID:        newRouterID,
-		IP:        newRouterIP,
-		Key:       fmt.Sprintf("key-%s", newRouterID),
-		DNSLabel:  "newrouter102",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newRouterID] = newRouter
-
-	if opsGroup, exists := account.Groups[opsGroupID]; exists {
-		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
-	}
-
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newRouterID)
-	}
-
-	newRoute := &route.Route{
-		ID:                  route.ID("route-new-router"),
-		Network:             netip.MustParsePrefix("172.16.0.0/24"),
-		Peer:                newRouter.Key,
-		PeerID:              newRouterID,
-		Description:         "Route from new router",
-		Enabled:             true,
-		PeerGroups:          []string{opsGroupID},
-		Groups:              []string{devGroupID, opsGroupID},
-		AccessControlGroups: []string{devGroupID},
-		AccountID:           account.Id,
-	}
-	account.Routes[newRoute.ID] = newRoute
-
-	validatedPeersMap[newRouterID] = struct{}{}
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerAddedIncremental(account, newRouterID)
-	require.NoError(t, err, "error adding router to cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_new_router.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded_router.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with new router from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap_AfterRouterPeerAdded(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-	newRouterID := "peer-new-router-102"
-	newRouterIP := net.IP{100, 64, 1, 2}
-	newRouter := &nbpeer.Peer{
-		ID:        newRouterID,
-		IP:        newRouterIP,
-		Key:       fmt.Sprintf("key-%s", newRouterID),
-		DNSLabel:  "newrouter102",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newRouterID] = newRouter
-
-	if opsGroup, exists := account.Groups[opsGroupID]; exists {
-		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
-	}
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newRouterID)
-	}
-
-	newRoute := &route.Route{
-		ID:                  route.ID("route-new-router"),
-		Network:             netip.MustParsePrefix("172.16.0.0/24"),
-		Peer:                newRouter.Key,
-		PeerID:              newRouterID,
-		Description:         "Route from new router",
-		Enabled:             true,
-		PeerGroups:          []string{opsGroupID},
-		Groups:              []string{devGroupID, opsGroupID},
-		AccessControlGroups: []string{devGroupID},
-		AccountID:           account.Id,
-	}
-	account.Routes[newRoute.ID] = newRoute
-
-	validatedPeersMap[newRouterID] = struct{}{}
-
-	b.ResetTimer()
-	b.Run("old builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-
-	b.ResetTimer()
-	b.Run("new builder after add", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = builder.OnPeerAddedIncremental(account, newRouterID)
-			for _, testingPeerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func TestGetPeerNetworkMap_Golden_WithDeletedPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	deletedPeerID := "peer-25"
-
-	delete(account.Peers, deletedPeerID)
-
-	if devGroup, exists := account.Groups[devGroupID]; exists {
-		devGroup.Peers = slices.DeleteFunc(devGroup.Peers, func(id string) bool {
-			return id == deletedPeerID
-		})
-	}
-
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = slices.DeleteFunc(allGroup.Peers, func(id string) bool {
-			return id == deletedPeerID
-		})
-	}
-
-	delete(validatedPeersMap, deletedPeerID)
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerDeleted(account, deletedPeerID)
-	require.NoError(t, err, "error deleting peer from cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_deleted_peer.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeerdeleted.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with deleted peer from legacy and new builder do not match")
-	}
-}
-
-func TestGetPeerNetworkMap_Golden_WithDeletedRouterPeer(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	deletedRouterID := "peer-75"
-
-	var affectedRoute *route.Route
-	for _, r := range account.Routes {
-		if r.PeerID == deletedRouterID {
-			affectedRoute = r
-			break
-		}
-	}
-	require.NotNil(t, affectedRoute, "Router peer should have a route")
-
-	for _, group := range account.Groups {
-		group.Peers = slices.DeleteFunc(group.Peers, func(id string) bool {
-			return id == deletedRouterID
-		})
-	}
-
-	for routeID, r := range account.Routes {
-		if r.Peer == account.Peers[deletedRouterID].Key || r.PeerID == deletedRouterID {
-			delete(account.Routes, routeID)
-		}
-	}
-	delete(account.Peers, deletedRouterID)
-	delete(validatedPeersMap, deletedRouterID)
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-
-	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
-	normalizeAndSortNetworkMap(legacyNetworkMap)
-	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling legacy network map to JSON")
-
-	err = builder.OnPeerDeleted(account, deletedRouterID)
-	require.NoError(t, err, "error deleting routing peer from cache")
-
-	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-	normalizeAndSortNetworkMap(newNetworkMap)
-	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
-	require.NoError(t, err, "error marshaling new network map to JSON")
-
-	if string(legacyJSON) != string(newJSON) {
-		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_deleted_router_peer.json")
-		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_deleted_router.json")
-
-		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
-		require.NoError(t, err)
-
-		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved legacy network map to %s", legacyFilePath)
-
-		err = os.WriteFile(newFilePath, newJSON, 0644)
-		require.NoError(t, err)
-		t.Logf("Saved new network map to %s", newFilePath)
-
-		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with deleted router from legacy and new builder do not match")
-	}
-}
-
-func BenchmarkGetPeerNetworkMap_AfterPeerDeleted(b *testing.B) {
-	account := createTestAccountWithEntities()
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	var peerIDs []string
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		validatedPeersMap[peerID] = struct{}{}
-		peerIDs = append(peerIDs, peerID)
-	}
-
-	deletedPeerID := "peer-25"
-
-	delete(account.Peers, deletedPeerID)
-	account.Groups[devGroupID].Peers = slices.DeleteFunc(account.Groups[devGroupID].Peers, func(id string) bool {
-		return id == deletedPeerID
-	})
-	account.Groups[allGroupID].Peers = slices.DeleteFunc(account.Groups[allGroupID].Peers, func(id string) bool {
-		return id == deletedPeerID
-	})
-	delete(validatedPeersMap, deletedPeerID)
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	b.ResetTimer()
-	b.Run("old builder after delete", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			for _, testingPeerID := range peerIDs {
-				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
-			}
-		}
-	})
-
-	b.ResetTimer()
-	b.Run("new builder after delete", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = builder.OnPeerDeleted(account, deletedPeerID)
-			for _, testingPeerID := range peerIDs {
-				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-			}
-		}
-	})
-}
-
-func normalizeAndSortNetworkMap(networkMap *types.NetworkMap) {
-	for _, peer := range networkMap.Peers {
-		if peer.Status != nil {
-			peer.Status.LastSeen = time.Time{}
-		}
-		peer.LastLogin = &time.Time{}
-	}
-	for _, peer := range networkMap.OfflinePeers {
-		if peer.Status != nil {
-			peer.Status.LastSeen = time.Time{}
-		}
-		peer.LastLogin = &time.Time{}
-	}
-
-	sort.Slice(networkMap.Peers, func(i, j int) bool { return networkMap.Peers[i].ID < networkMap.Peers[j].ID })
-	sort.Slice(networkMap.OfflinePeers, func(i, j int) bool { return networkMap.OfflinePeers[i].ID < networkMap.OfflinePeers[j].ID })
-	sort.Slice(networkMap.Routes, func(i, j int) bool { return networkMap.Routes[i].ID < networkMap.Routes[j].ID })
-
-	sort.Slice(networkMap.FirewallRules, func(i, j int) bool {
-		r1, r2 := networkMap.FirewallRules[i], networkMap.FirewallRules[j]
-		if r1.PeerIP != r2.PeerIP {
-			return r1.PeerIP < r2.PeerIP
-		}
-		if r1.Protocol != r2.Protocol {
-			return r1.Protocol < r2.Protocol
-		}
-		if r1.Direction != r2.Direction {
-			return r1.Direction < r2.Direction
-		}
-		if r1.Action != r2.Action {
-			return r1.Action < r2.Action
-		}
-		return r1.Port < r2.Port
-	})
-
-	sort.Slice(networkMap.RoutesFirewallRules, func(i, j int) bool {
-		r1, r2 := networkMap.RoutesFirewallRules[i], networkMap.RoutesFirewallRules[j]
-		if r1.RouteID != r2.RouteID {
-			return r1.RouteID < r2.RouteID
-		}
-		if r1.Action != r2.Action {
-			return r1.Action < r2.Action
-		}
-		if r1.Destination != r2.Destination {
-			return r1.Destination < r2.Destination
-		}
-		if len(r1.SourceRanges) > 0 && len(r2.SourceRanges) > 0 {
-			if r1.SourceRanges[0] != r2.SourceRanges[0] {
-				return r1.SourceRanges[0] < r2.SourceRanges[0]
-			}
-		}
-		return r1.Port < r2.Port
-	})
-
-	for _, ranges := range networkMap.RoutesFirewallRules {
-		sort.Slice(ranges.SourceRanges, func(i, j int) bool {
-			return ranges.SourceRanges[i] < ranges.SourceRanges[j]
-		})
-	}
-}
-
-type networkMapJSON struct {
-	Peers               []*nbpeer.Peer             `json:"Peers"`
-	Network             *types.Network             `json:"Network"`
-	Routes              []*route.Route             `json:"Routes"`
-	DNSConfig           dns.Config                 `json:"DNSConfig"`
-	OfflinePeers        []*nbpeer.Peer             `json:"OfflinePeers"`
-	FirewallRules       []*types.FirewallRule      `json:"FirewallRules"`
-	RoutesFirewallRules []*types.RouteFirewallRule `json:"RoutesFirewallRules"`
-	ForwardingRules     []*types.ForwardingRule    `json:"ForwardingRules"`
-	AuthorizedUsers     map[string][]string        `json:"AuthorizedUsers,omitempty"`
-	EnableSSH           bool                       `json:"EnableSSH"`
-}
-
-func toNetworkMapJSON(nm *types.NetworkMap) *networkMapJSON {
-	result := &networkMapJSON{
-		Peers:               nm.Peers,
-		Network:             nm.Network,
-		Routes:              nm.Routes,
-		DNSConfig:           nm.DNSConfig,
-		OfflinePeers:        nm.OfflinePeers,
-		FirewallRules:       nm.FirewallRules,
-		RoutesFirewallRules: nm.RoutesFirewallRules,
-		ForwardingRules:     nm.ForwardingRules,
-		EnableSSH:           nm.EnableSSH,
-	}
-
-	if len(nm.AuthorizedUsers) > 0 {
-		result.AuthorizedUsers = make(map[string][]string)
-		localUsers := make([]string, 0, len(nm.AuthorizedUsers))
-		for localUser := range nm.AuthorizedUsers {
-			localUsers = append(localUsers, localUser)
-		}
-		sort.Strings(localUsers)
-
-		for _, localUser := range localUsers {
-			userIDs := nm.AuthorizedUsers[localUser]
-			sortedUserIDs := make([]string, 0, len(userIDs))
-			for userID := range userIDs {
-				sortedUserIDs = append(sortedUserIDs, userID)
-			}
-			sort.Strings(sortedUserIDs)
-			result.AuthorizedUsers[localUser] = sortedUserIDs
-		}
-	}
-
-	return result
-}
-
-func createTestAccountWithEntities() *types.Account {
-	peers := make(map[string]*nbpeer.Peer)
-	devGroupPeers, opsGroupPeers, allGroupPeers := []string{}, []string{}, []string{}
-
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		ip := net.IP{100, 64, 0, byte(i + 1)}
-		wtVersion := "0.25.0"
-		if i%2 == 0 {
-			wtVersion = "0.40.0"
-		}
-
-		p := &nbpeer.Peer{
-			ID: peerID, IP: ip, Key: fmt.Sprintf("key-%s", peerID), DNSLabel: fmt.Sprintf("peer%d", i+1),
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-			UserID: "user-admin", Meta: nbpeer.PeerSystemMeta{WtVersion: wtVersion, GoOS: "linux"},
-		}
-
-		if peerID == expiredPeerID {
-			p.LoginExpirationEnabled = true
-			pastTimestamp := time.Now().Add(-2 * time.Hour)
-			p.LastLogin = &pastTimestamp
-		}
-
-		peers[peerID] = p
-		allGroupPeers = append(allGroupPeers, peerID)
-		if i < numPeers/2 {
-			devGroupPeers = append(devGroupPeers, peerID)
-		} else {
-			opsGroupPeers = append(opsGroupPeers, peerID)
-		}
-
-	}
-
-	groups := map[string]*types.Group{
-		allGroupID:      {ID: allGroupID, Name: "All", Peers: allGroupPeers},
-		devGroupID:      {ID: devGroupID, Name: "Developers", Peers: devGroupPeers},
-		opsGroupID:      {ID: opsGroupID, Name: "Operations", Peers: opsGroupPeers},
-		sshUsersGroupID: {ID: sshUsersGroupID, Name: "SSH Users", Peers: []string{}},
-	}
-
-	policies := []*types.Policy{
-		{
-			ID: policyIDAll, Name: "Default-Allow", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDAll, Name: "Allow All", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{allGroupID}, Destinations: []string{allGroupID},
-			}},
-		},
-		{
-			ID: policyIDDevOps, Name: "Dev to Ops Web Access", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDDevOps, Name: "Dev -> Ops (HTTP Range)", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolTCP, Bidirectional: false,
-				PortRanges: []types.RulePortRange{{Start: 8080, End: 8090}},
-				Sources:    []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDDrop, Name: "Drop DB traffic", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDDrop, Name: "Drop DB", Enabled: true, Action: types.PolicyTrafficActionDrop,
-				Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"5432"}, Bidirectional: true,
-				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
-			}},
-		},
-		{
-			ID: policyIDPosture, Name: "Posture Check for DB Resource", Enabled: true,
-			SourcePostureChecks: []string{postureCheckID},
-			Rules: []*types.PolicyRule{{
-				ID: policyIDPosture, Name: "Allow DB Access", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolALL, Bidirectional: true,
-				Sources: []string{opsGroupID}, DestinationResource: types.Resource{ID: networkResourceID},
-			}},
-		},
-		{
-			ID: policyIDSSH, Name: "SSH Access Policy", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: policyIDSSH, Name: "Allow SSH to Ops", Enabled: true, Action: types.PolicyTrafficActionAccept,
-				Protocol: types.PolicyRuleProtocolNetbirdSSH, Bidirectional: false,
-				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
-				AuthorizedGroups: map[string][]string{sshUsersGroupID: {"root", "admin"}},
-			}},
-		},
-	}
-
-	routes := map[route.ID]*route.Route{
-		routeID: {
-			ID: routeID, Network: netip.MustParsePrefix("192.168.10.0/24"),
-			Peer:        peers["peer-75"].Key,
-			PeerID:      "peer-75",
-			Description: "Route to internal resource", Enabled: true,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{devGroupID},
-		},
-		routeHA1ID: {
-			ID: routeHA1ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-80"].Key,
-			PeerID:      "peer-80",
-			Description: "HA Route 1", Enabled: true, Metric: 1000,
-			PeerGroups:          []string{allGroupID},
-			Groups:              []string{allGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-		routeHA2ID: {
-			ID: routeHA2ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
-			Peer:        peers["peer-90"].Key,
-			PeerID:      "peer-90",
-			Description: "HA Route 2", Enabled: true, Metric: 900,
-			PeerGroups:          []string{devGroupID, opsGroupID},
-			Groups:              []string{devGroupID, opsGroupID},
-			AccessControlGroups: []string{allGroupID},
-		},
-	}
-
-	users := map[string]*types.User{
-		userAdminID: {Id: userAdminID, Role: types.UserRoleAdmin, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{allGroupID}},
-		userDevID:   {Id: userDevID, Role: types.UserRoleUser, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{sshUsersGroupID, devGroupID}},
-		userOpsID:   {Id: userOpsID, Role: types.UserRoleUser, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{sshUsersGroupID, opsGroupID}},
-	}
-
-	account := &types.Account{
-		Id: testAccountID, Peers: peers, Groups: groups, Policies: policies, Routes: routes,
-		Users: users,
-		Network: &types.Network{
-			Identifier: "net-golden-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
-		},
-		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{opsGroupID}},
-		NameServerGroups: map[string]*dns.NameServerGroup{
-			nameserverGroupID: {
-				ID: nameserverGroupID, Name: "Main NS", Enabled: true, Groups: []string{devGroupID},
-				NameServers: []dns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: dns.UDPNameServerType, Port: 53}},
-			},
-		},
-		PostureChecks: []*posture.Checks{
-			{ID: postureCheckID, Name: "Check version", Checks: posture.ChecksDefinition{
-				NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-			}},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{ID: networkResourceID, NetworkID: networkID, AccountID: testAccountID, Enabled: true, Address: "db.netbird.cloud"},
-		},
-		Networks: []*networkTypes.Network{{ID: networkID, Name: "DB Network", AccountID: testAccountID}},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{ID: networkRouterID, NetworkID: networkID, Peer: routingPeerID, Enabled: true, AccountID: testAccountID},
-		},
-		Settings: &types.Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: 1 * time.Hour},
-	}
-
-	for _, p := range account.Policies {
-		p.AccountID = account.Id
-	}
-	for _, r := range account.Routes {
-		r.AccountID = account.Id
-	}
-
-	return account
-}
-
-func TestGetPeerNetworkMap_Golden_New_WithOnPeerAddedRouter_Batched(t *testing.T) {
-	account := createTestAccountWithEntities()
-
-	ctx := context.Background()
-	validatedPeersMap := make(map[string]struct{})
-	for i := range numPeers {
-		peerID := fmt.Sprintf("peer-%d", i)
-		if peerID == offlinePeerID {
-			continue
-		}
-		validatedPeersMap[peerID] = struct{}{}
-	}
-
-	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
-
-	newRouterID := "peer-new-router-102"
-	newRouterIP := net.IP{100, 64, 1, 2}
-	newRouter := &nbpeer.Peer{
-		ID:        newRouterID,
-		IP:        newRouterIP,
-		Key:       fmt.Sprintf("key-%s", newRouterID),
-		DNSLabel:  "newrouter102",
-		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		UserID:    "user-admin",
-		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
-		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
-	}
-
-	account.Peers[newRouterID] = newRouter
-
-	if opsGroup, exists := account.Groups[opsGroupID]; exists {
-		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
-	}
-	if allGroup, exists := account.Groups[allGroupID]; exists {
-		allGroup.Peers = append(allGroup.Peers, newRouterID)
-	}
-
-	newRoute := &route.Route{
-		ID:                  route.ID("route-new-router"),
-		Network:             netip.MustParsePrefix("172.16.0.0/24"),
-		Peer:                newRouter.Key,
-		PeerID:              newRouterID,
-		Description:         "Route from new router",
-		Enabled:             true,
-		PeerGroups:          []string{opsGroupID},
-		Groups:              []string{devGroupID, opsGroupID},
-		AccessControlGroups: []string{devGroupID},
-		AccountID:           account.Id,
-	}
-	account.Routes[newRoute.ID] = newRoute
-
-	validatedPeersMap[newRouterID] = struct{}{}
-
-	if account.Network != nil {
-		account.Network.Serial++
-	}
-
-	builder.EnqueuePeersForIncrementalAdd(account, newRouterID)
-
-	time.Sleep(100 * time.Millisecond)
-
-	networkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
-
-	normalizeAndSortNetworkMap(networkMap)
-
-	jsonData, err := json.MarshalIndent(networkMap, "", "  ")
-	require.NoError(t, err, "error marshaling network map to JSON")
-
-	goldenFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded_router.json")
-
-	t.Log("Update golden file with OnPeerAdded router...")
-	err = os.MkdirAll(filepath.Dir(goldenFilePath), 0755)
-	require.NoError(t, err)
-	err = os.WriteFile(goldenFilePath, jsonData, 0644)
-	require.NoError(t, err)
-
-	expectedJSON, err := os.ReadFile(goldenFilePath)
-	require.NoError(t, err, "error reading golden file")
-
-	require.JSONEq(t, string(expectedJSON), string(jsonData), "network map from NEW builder with OnPeerAdded router does not match golden file")
-}
--- a/management/server/types/networkmapbuilder.go
+++ b/management/server/types/networkmapbuilder.go
--- a/shared/auth/jwt/extractor.go
+++ b/shared/auth/jwt/extractor.go
@@ -146,7 +146,11 @@ func (c *ClaimsExtractor) ToGroups(token *jwt.Token, claimName string) []string
 	userJWTGroups := make([]string, 0)

 	if claim, ok := claims[claimName]; ok {
-		if claimGroups, ok := claim.([]interface{}); ok {
+		switch claimGroups := claim.(type) {
+		case string:
+			// Some IdPs emit a single group claim as a string instead of an array.
+			userJWTGroups = append(userJWTGroups, claimGroups)
+		case []any:
 			for _, g := range claimGroups {
 				if group, ok := g.(string); ok {
 					userJWTGroups = append(userJWTGroups, group)
@@ -154,9 +158,11 @@ func (c *ClaimsExtractor) ToGroups(token *jwt.Token, claimName string) []string
 					log.Debugf("JWT claim %q contains a non-string group (type: %T): %v", claimName, g, g)
 				}
 			}
+		default:
+			log.Debugf("JWT claim %q is not a string or string array (type: %T): %v", claimName, claim, claim)
 		}
 	} else {
-		log.Debugf("JWT claim %q is not a string array", claimName)
+		log.Debugf("JWT claim %q is missing", claimName)
 	}

 	return userJWTGroups
--- a/shared/auth/jwt/extractor_test.go
+++ b/shared/auth/jwt/extractor_test.go
@@ -249,6 +249,15 @@ func TestClaimsExtractor_ToGroups(t *testing.T) {
 			groupClaimName: "groups",
 			expectedGroups: []string{},
 		},
+		{
+			name: "extracts single group string from claim",
+			claims: jwt.MapClaims{
+				"sub":    "user-123",
+				"groups": "admin",
+			},
+			groupClaimName: "groups",
+			expectedGroups: []string{"admin"},
+		},
 		{
 			name: "handles custom claim name",
 			claims: jwt.MapClaims{
--- a/shared/management/client/grpc.go
+++ b/shared/management/client/grpc.go
@@ -252,21 +252,19 @@ func (c *GrpcClient) handleJobStream(
 					c.notifyDisconnected(err)
 					return backoff.Permanent(err) // unrecoverable error, propagate to the upper layer
 				case codes.Canceled:
-					log.Debugf("management connection context has been canceled, this usually indicates shutdown")
+					log.Debugf("job stream context has been canceled, this usually indicates shutdown")
 					return err
 				case codes.Unimplemented:
 					log.Warn("Job feature is not supported by the current management server version. " +
 						"Please update the management service to use this feature.")
 					return nil
 				default:
-					c.notifyDisconnected(err)
-					log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
+					log.Warnf("job stream disconnected, will retry silently. Reason: %v", err)
 					return err
 				}
 			} else {
 				// non-gRPC error
-				c.notifyDisconnected(err)
-				log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
+				log.Warnf("job stream disconnected, will retry silently. Reason: %v", err)
 				return err
 			}
 		}
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -2917,6 +2917,7 @@ components:
        - okta
        - pocketid
        - microsoft
+        - adfs
      example: oidc
    IdentityProvider:
      type: object
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -518,6 +518,7 @@ const (
 	IdentityProviderTypeOkta      IdentityProviderType = "okta"
 	IdentityProviderTypePocketid  IdentityProviderType = "pocketid"
 	IdentityProviderTypeZitadel   IdentityProviderType = "zitadel"
+	IdentityProviderTypeAdfs      IdentityProviderType = "adfs"
 )

 // Valid indicates whether the value is a known member of the IdentityProviderType enum.
@@ -537,6 +538,8 @@ func (e IdentityProviderType) Valid() bool {
 		return true
 	case IdentityProviderTypeZitadel:
 		return true
+	case IdentityProviderTypeAdfs:
+		return true
 	default:
 		return false
 	}
--- a/shared/relay/client/guard.go
+++ b/shared/relay/client/guard.go
@@ -8,10 +8,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-const (
-	// TODO: make it configurable, the manager should validate all configurable parameters
-	reconnectingTimeout = 60 * time.Second
-)
+const defaultMaxBackoffInterval = 60 * time.Second

 // Guard manage the reconnection tries to the Relay server in case of disconnection event.
 type Guard struct {
@@ -19,14 +16,23 @@ type Guard struct {
 	OnNewRelayClient chan *Client
 	OnReconnected    chan struct{}
 	serverPicker     *ServerPicker
+
+	// maxBackoffInterval caps the exponential backoff between reconnect
+	// attempts.
+	maxBackoffInterval time.Duration
 }

-// NewGuard creates a new guard for the relay client.
-func NewGuard(sp *ServerPicker) *Guard {
+// NewGuard creates a new guard for the relay client. A non-positive
+// maxBackoffInterval falls back to defaultMaxBackoffInterval.
+func NewGuard(sp *ServerPicker, maxBackoffInterval time.Duration) *Guard {
+	if maxBackoffInterval <= 0 {
+		maxBackoffInterval = defaultMaxBackoffInterval
+	}
 	g := &Guard{
-		OnNewRelayClient: make(chan *Client, 1),
-		OnReconnected:    make(chan struct{}, 1),
-		serverPicker:     sp,
+		OnNewRelayClient:   make(chan *Client, 1),
+		OnReconnected:      make(chan struct{}, 1),
+		serverPicker:       sp,
+		maxBackoffInterval: maxBackoffInterval,
 	}
 	return g
 }
@@ -49,7 +55,7 @@ func (g *Guard) StartReconnectTrys(ctx context.Context, relayClient *Client) {
 	}

 	// start a ticker to pick a new server
-	ticker := exponentTicker(ctx)
+	ticker := g.exponentTicker(ctx)
 	defer ticker.Stop()

 	for {
@@ -125,11 +131,11 @@ func (g *Guard) notifyReconnected() {
 	}
 }

-func exponentTicker(ctx context.Context) *backoff.Ticker {
+func (g *Guard) exponentTicker(ctx context.Context) *backoff.Ticker {
 	bo := backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval: 2 * time.Second,
 		Multiplier:      2,
-		MaxInterval:     reconnectingTimeout,
+		MaxInterval:     g.maxBackoffInterval,
 		Clock:           backoff.SystemClock,
 	}, ctx)

--- a/shared/relay/client/manager.go
+++ b/shared/relay/client/manager.go
@@ -39,6 +39,15 @@ func NewRelayTrack() *RelayTrack {

 type OnServerCloseListener func()

+// ManagerOption configures a Manager at construction time.
+type ManagerOption func(*Manager)
+
+// WithMaxBackoffInterval caps the exponential backoff between reconnect
+// attempts to the home relay. A non-positive value keeps the default.
+func WithMaxBackoffInterval(d time.Duration) ManagerOption {
+	return func(m *Manager) { m.maxBackoffInterval = d }
+}
+
 // Manager is a manager for the relay client instances. It establishes one persistent connection to the given relay URL
 // and automatically reconnect to them in case disconnection.
 // The manager also manage temporary relay connection. If a client wants to communicate with a client on a
@@ -64,12 +73,13 @@ type Manager struct {
 	onReconnectedListenerFn func()
 	listenerLock            sync.Mutex

-	mtu uint16
+	mtu                uint16
+	maxBackoffInterval time.Duration
 }

 // NewManager creates a new manager instance.
 // The serverURL address can be empty. In this case, the manager will not serve.
-func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uint16) *Manager {
+func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uint16, opts ...ManagerOption) *Manager {
 	tokenStore := &relayAuth.TokenStore{}

 	m := &Manager{
@@ -86,8 +96,11 @@ func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uin
 		relayClients:            make(map[string]*RelayTrack),
 		onDisconnectedListeners: make(map[string]*list.List),
 	}
+	for _, opt := range opts {
+		opt(m)
+	}
 	m.serverPicker.ServerURLs.Store(serverURLs)
-	m.reconnectGuard = NewGuard(m.serverPicker)
+	m.reconnectGuard = NewGuard(m.serverPicker, m.maxBackoffInterval)
 	return m
 }

@@ -290,19 +303,36 @@ func (m *Manager) onServerConnected() {
 	go m.onReconnectedListenerFn()
 }

-// onServerDisconnected start to reconnection for home server only
+// onServerDisconnected handles relay disconnect events. For the home server it
+// starts the reconnect guard. For foreign servers it evicts the now-dead client
+// from the cache so the next OpenConn builds a fresh one instead of reusing a
+// closed client.
 func (m *Manager) onServerDisconnected(serverAddress string) {
 	m.relayClientMu.Lock()
-	if serverAddress == m.relayClient.connectionURL {
+	isHome := m.relayClient != nil && serverAddress == m.relayClient.connectionURL
+	if isHome {
 		go func(client *Client) {
 			m.reconnectGuard.StartReconnectTrys(m.ctx, client)
 		}(m.relayClient)
 	}
 	m.relayClientMu.Unlock()

+	if !isHome {
+		m.evictForeignRelay(serverAddress)
+	}
+
 	m.notifyOnDisconnectListeners(serverAddress)
 }

+func (m *Manager) evictForeignRelay(serverAddress string) {
+	m.relayClientsMutex.Lock()
+	defer m.relayClientsMutex.Unlock()
+	if _, ok := m.relayClients[serverAddress]; ok {
+		delete(m.relayClients, serverAddress)
+		log.Debugf("evicted disconnected foreign relay client: %s", serverAddress)
+	}
+}
+
 func (m *Manager) listenGuardEvent(ctx context.Context) {
 	for {
 		select {
--- a/shared/relay/client/manager_test.go
+++ b/shared/relay/client/manager_test.go
@@ -2,6 +2,7 @@ package client

 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"

@@ -360,7 +361,8 @@ func TestAutoReconnect(t *testing.T) {
 		t.Fatalf("failed to serve manager: %s", err)
 	}

-	clientAlice := NewManager(mCtx, toURL(srvCfg), "alice", iface.DefaultMTU)
+	clientAlice := NewManager(mCtx, toURL(srvCfg), "alice", iface.DefaultMTU,
+		WithMaxBackoffInterval(2*time.Second))
 	err = clientAlice.Serve()
 	if err != nil {
 		t.Fatalf("failed to serve manager: %s", err)
@@ -384,7 +386,9 @@ func TestAutoReconnect(t *testing.T) {
 	}

 	log.Infof("waiting for reconnection")
-	time.Sleep(reconnectingTimeout + 1*time.Second)
+	if err := waitForReady(ctx, clientAlice, 15*time.Second); err != nil {
+		t.Fatalf("manager did not reconnect: %s", err)
+	}

 	log.Infof("reopent the connection")
 	_, err = clientAlice.OpenConn(ctx, ra, "bob")
@@ -393,6 +397,21 @@ func TestAutoReconnect(t *testing.T) {
 	}
 }

+func waitForReady(ctx context.Context, m *Manager, timeout time.Duration) error {
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		if m.Ready() {
+			return nil
+		}
+		select {
+		case <-time.After(100 * time.Millisecond):
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	return fmt.Errorf("manager not ready within %s", timeout)
+}
+
 func TestNotifierDoubleAdd(t *testing.T) {
 	ctx := context.Background()
Author	SHA1	Message	Date
Viktor Liu	a0a8e9bf8d	Use BindListener for all userspace bind in lazyconn activity	2026-04-29 12:57:14 +02:00
Nicolas Frati	7eba5dafd8	[misc] Add comment automation on release workflow for PRs (#6016 ) * feat: add comment automation on release workflow for PRs * update action permissions	2026-04-29 11:28:55 +02:00
Viktor Liu	28fe26637b	[client] Fix Windows installer upgrade detection for pre-0.70.1 installs (#6025 )	2026-04-29 11:01:07 +02:00
Viktor Liu	407e9d304b	[client] Move macOS sleep detection into the daemon (purego) (#5926 )	2026-04-29 08:09:55 +02:00
Viktor Liu	e5474e199f	[client] Use WinRT COM for Windows toasts (#6013 ) * Use WinRT COM for Windows toasts instead of fyne's PowerShell path * Quote autostart path and split HKCU registry into per-user component	2026-04-28 20:54:06 +02:00
Bethuel Mmbaga	db44848e2d	[management] Drop netmap calculation on peer read (#6006 )	2026-04-28 18:25:56 +03:00
EL OUAZIZI Walid	9417ce3b3a	fix(getting-started): Infinite healthcheck loop with existing traefik (#5871 )	2026-04-28 17:22:51 +02:00
Zoltan Papp	8fc4265995	[relay] evict foreign client cache on disconnect (#6015 ) * [relay] evict foreign client cache on disconnect When a foreign relay's TCP connection drops, the manager's onServerDisconnected handler only triggered reconnect logic for the home server; the disconnected foreign entry stayed in the relayClients cache. Subsequent OpenConn calls reused the closed client until the 60-second cleanup tick evicted it, breaking peer connectivity through that relay for up to a minute. Evict the foreign entry from the cache on disconnect so the next OpenConn dials a fresh client. Also: - Make the reconnect backoff cap configurable via WithMaxBackoffInterval ManagerOption; the previous hard-coded 60s constant forced TestAutoReconnect to sleep ~61s. Test now polls Ready() and finishes in ~2s. - Add NB_HOME_RELAY_SERVERS env var that overrides the relay URL list received from management, so a peer can be pinned to a specific home relay (used by the netbird-conn-lab Edge 4 reproducer). * [client] treat empty NB_HOME_RELAY_SERVERS as unset Returning (urls=[], ok=true) when the env var contained only separators or whitespace caused callers to wipe the mgmt-provided relay list, leaving the peer with no relays. Treat a parsed-empty result the same as an unset env.	2026-04-28 15:04:48 +02:00
Zoltan Papp	9c50819f20	Don't mark management disconnected on transient job stream errors (#6005 ) The JOB stream is a separate channel from the SYNC stream. Server-side EOF or other transient errors on the JOB stream do not indicate that the management connection is unhealthy — the SYNC stream remains the authoritative state signal. Previously, a JOB stream EOF would call notifyDisconnected and the client would emit OnConnecting to the UI. The backoff retry would reconnect the JOB stream, but handleJobStream never calls notifyConnected on success, so the UI was stuck on "Connecting" until the next SYNC event or health check. Keep notifyDisconnected for codes.PermissionDenied since IsLoginRequired relies on managementError to detect expired auth.	2026-04-28 15:04:41 +02:00
Bethuel Mmbaga	6f0eff3ba0	[management] Handle single-string JWT group claim from IdPs (#6014 )	2026-04-28 14:48:28 +03:00
Bethuel Mmbaga	f8745723fc	[management] Add Microsoft AD FS support for embedded Dex identity providers (#6008 )	2026-04-28 12:42:19 +03:00
Vlad	154b81645a	[management] removed legacy network map code (#5565 )	2026-04-27 16:02:54 +02:00
Maycon Santos	34167c8a16	[misc] Update release pipeline version (#5995 )	2026-04-27 10:55:38 +02:00
Maycon Santos	d6f08e4840	[misc] Update sign pipeline version (#5981 )	2026-04-24 13:13:27 +02:00