Revert "[client] Supress ICE signaling (#5820)"

This reverts commit 5a89e6621b.

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.4"
+  SIGN_PIPE_VER: "v0.1.2"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -115,12 +115,6 @@ jobs:
 
   release:
     runs-on: ubuntu-latest-m
-    outputs:
-      release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
-      linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
-      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
-      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
-      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
     env:
       flags: ""
     steps:
@@ -219,13 +213,10 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: Tag and push images (amd64 only)
-        id: tag_and_push_images
         if: |
           (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
           (github.event_name == 'push' && github.ref == 'refs/heads/main')
         run: |
-          set -euo pipefail
-
           resolve_tags() {
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               echo "pr-${{ github.event.pull_request.number }}"
@@ -234,17 +225,6 @@ jobs:
             fi
           }
 
-          ghcr_package_url() {
-            local image="$1" package encoded_package
-            package="${image#ghcr.io/}"
-            package="${package#*/}"
-            package="${package%%:*}"
-            encoded_package="${package//\//%2F}"
-            echo "https://github.com/orgs/netbirdio/packages/container/package/${encoded_package}"
-          }
-
-          image_refs=()
-
           tag_and_push() {
             local src="$1" img_name tag dst
             img_name="${src%%:*}"
@@ -253,56 +233,35 @@ jobs:
               echo "Tagging ${src} -> ${dst}"
               docker tag "$src" "$dst"
               docker push "$dst"
-              image_refs+=("$dst")
             done
           }
 
-          cat > /tmp/goreleaser-artifacts.json <<'JSON'
-          ${{ steps.goreleaser.outputs.artifacts }}
-          JSON
+          export -f tag_and_push resolve_tags
 
-          mapfile -t src_images < <(
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name | select(startswith("ghcr.io/"))' /tmp/goreleaser-artifacts.json
-          )
-
-          for src in "${src_images[@]}"; do
-            tag_and_push "$src"
-          done
-
-          {
-            echo "images_markdown<<EOF"
-            if [[ ${#image_refs[@]} -eq 0 ]]; then
-              echo "_No GHCR images were pushed._"
-            else
-              printf '%s\n' "${image_refs[@]}" | sort -u | while read -r image; do
-                printf -- '- [`%s`](%s)\n' "$image" "$(ghcr_package_url "$image")"
-              done
-            fi
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
+          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
+            grep '^ghcr.io/' | while read -r SRC; do
+              tag_and_push "$SRC"
+            done
       - name: upload non tags for debug purposes
-        id: upload_release
         uses: actions/upload-artifact@v4
         with:
           name: release
           path: dist/
           retention-days: 7
       - name: upload linux packages
-        id: upload_linux_packages
         uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
           retention-days: 7
       - name: upload windows packages
-        id: upload_windows_packages
         uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
           retention-days: 7
       - name: upload macos packages
-        id: upload_macos_packages
         uses: actions/upload-artifact@v4
         with:
           name: macos-packages
@@ -311,8 +270,6 @@ jobs:
 
   release_ui:
     runs-on: ubuntu-latest
-    outputs:
-      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
       - name: Parse semver string
         id: semver_parser
@@ -403,7 +360,6 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: upload non tags for debug purposes
-        id: upload_release_ui
         uses: actions/upload-artifact@v4
         with:
           name: release-ui
@@ -412,8 +368,6 @@ jobs:
 
   release_ui_darwin:
     runs-on: macos-latest
-    outputs:
-      release_ui_darwin_artifact_url: ${{ steps.upload_release_ui_darwin.outputs.artifact-url }}
     steps:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -448,110 +402,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: upload non tags for debug purposes
-        id: upload_release_ui_darwin
         uses: actions/upload-artifact@v4
         with:
           name: release-ui-darwin
           path: dist/
           retention-days: 3
 
-  comment_release_artifacts:
-    name: Comment release artifacts
-    runs-on: ubuntu-latest
-    needs: [release, release_ui, release_ui_darwin]
-    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
-    steps:
-      - name: Create or update PR comment
-        uses: actions/github-script@v7
-        env:
-          RELEASE_RESULT: ${{ needs.release.result }}
-          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
-          RELEASE_UI_DARWIN_RESULT: ${{ needs.release_ui_darwin.result }}
-          RELEASE_ARTIFACT_URL: ${{ needs.release.outputs.release_artifact_url }}
-          LINUX_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.linux_packages_artifact_url }}
-          WINDOWS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.windows_packages_artifact_url }}
-          MACOS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.macos_packages_artifact_url }}
-          RELEASE_UI_ARTIFACT_URL: ${{ needs.release_ui.outputs.release_ui_artifact_url }}
-          RELEASE_UI_DARWIN_ARTIFACT_URL: ${{ needs.release_ui_darwin.outputs.release_ui_darwin_artifact_url }}
-          GHCR_IMAGES_MARKDOWN: ${{ needs.release.outputs.ghcr_images }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const marker = '<!-- netbird-release-artifacts -->';
-            const { owner, repo } = context.repo;
-            const issue_number = context.payload.pull_request.number;
-            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
-            const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
-
-            const artifactCell = (url, result) => {
-              if (url) return `[Download](${url})`;
-              return result && result !== 'success' ? `_Not available (${result})_` : '_Not available_';
-            };
-
-            const artifacts = [
-              ['All release artifacts', process.env.RELEASE_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['Linux packages', process.env.LINUX_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['Windows packages', process.env.WINDOWS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['macOS packages', process.env.MACOS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['UI artifacts', process.env.RELEASE_UI_ARTIFACT_URL, process.env.RELEASE_UI_RESULT],
-              ['UI macOS artifacts', process.env.RELEASE_UI_DARWIN_ARTIFACT_URL, process.env.RELEASE_UI_DARWIN_RESULT],
-            ];
-
-            const artifactRows = artifacts
-              .map(([name, url, result]) => `| ${name} | ${artifactCell(url, result)} |`)
-              .join('\n');
-
-            const ghcrImages = (process.env.GHCR_IMAGES_MARKDOWN || '').trim() || '_No GHCR images were pushed._';
-
-            const body = [
-              marker,
-              '## Release artifacts',
-              '',
-              `Built for PR head \`${shortSha}\` in [workflow run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}).`,
-              '',
-              '| Artifact | Link |',
-              '| --- | --- |',
-              artifactRows,
-              '',
-              '### GHCR images (amd64)',
-              ghcrImages,
-              '',
-              '_This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy._',
-            ].join('\n');
-
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner,
-              repo,
-              issue_number,
-              per_page: 100,
-            });
-
-            const previous = comments.find(comment =>
-              comment.user?.type === 'Bot' && comment.body?.includes(marker)
-            );
-
-            if (previous) {
-              await github.rest.issues.updateComment({
-                owner,
-                repo,
-                comment_id: previous.id,
-                body,
-              });
-              core.info(`Updated release artifacts comment ${previous.id}`);
-            } else {
-              const { data } = await github.rest.issues.createComment({
-                owner,
-                repo,
-                issue_number,
-                body,
-              });
-              core.info(`Created release artifacts comment ${data.id}`);
-            }
-
   trigger_signer:
     runs-on: ubuntu-latest
     needs: [release, release_ui, release_ui_darwin]

.github/workflows/sync-tag.yml

@@ -9,8 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
-# Receiving workflows (cloud sync-tag, mobile bump-netbird) expect the short
-# tag form (e.g. v0.30.0), not refs/tags/v0.30.0 — github.ref_name, not github.ref.
 jobs:
   trigger_sync_tag:
     runs-on: ubuntu-latest
@@ -22,30 +20,4 @@ jobs:
           ref: main
           repo: ${{ secrets.UPSTREAM_REPO }}
           token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
-
-  trigger_android_bump:
-    runs-on: ubuntu-latest
-    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
-    steps:
-      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
-        with:
-          workflow: bump-netbird.yml
-          ref: main
-          repo: netbirdio/android-client
-          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
-
-  trigger_ios_bump:
-    runs-on: ubuntu-latest
-    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
-    steps:
-      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
-        with:
-          workflow: bump-netbird.yml
-          ref: main
-          repo: netbirdio/ios-client
-          token: ${{ secrets.NC_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref_name }}" }'

client/cmd/testutil_test.go

@@ -135,7 +135,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/installer.nsis

@@ -201,18 +201,7 @@ Pop $0
 
 Function .onInit
 StrCpy $INSTDIR "${INSTALL_DIR}"
-; Default autostart to enabled so silent installs (/S) match the interactive default
-StrCpy $AutostartEnabled "1"
-
-; Pre-0.70.1 installers ran without SetRegView, so their uninstall keys live
-; in the 32-bit view. Fall back to it so upgrades still find them.
-SetRegView 64
 ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
-${If} $R0 == ""
-    SetRegView 32
-    ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
-    SetRegView 64
-${EndIf}
 ${If} $R0 != ""
     # if silent install jump to uninstall step
     IfSilent uninstall
@@ -225,10 +214,6 @@ ${If} $R0 != ""
 
 ${EndIf}
 FunctionEnd
-
-Function un.onInit
-SetRegView 64
-FunctionEnd
 ######################################################################
 Section -MainProgram
     ${INSTALL_TYPE}
@@ -243,7 +228,6 @@ Section -MainProgram
     !else
         File /r "..\\dist\\netbird_windows_amd64\\"
     !endif
-    File "..\\client\\ui\\assets\\netbird.png"
 SectionEnd
 ######################################################################
 
@@ -263,11 +247,9 @@ WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 ; Create autostart registry entry based on checkbox
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
-    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
+    WriteRegStr HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}" "$INSTDIR\${UI_APP_EXE}.exe"
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
-    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
     DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
@@ -301,8 +283,6 @@ ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
 ; Remove autostart registry entry
 DetailPrint "Removing autostart registry entry if exists..."
-DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
 
 ; Handle data deletion based on checkbox
@@ -341,7 +321,6 @@ DetailPrint "Removing registry keys..."
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
 DeleteRegKey ${REG_ROOT} "${UI_REG_APP_PATH}"
-DeleteRegKey HKCU "Software\Classes\AppUserModelId\${APP_NAME}"
 
 DetailPrint "Removing application directory from PATH..."
 EnVar::SetHKLM

client/internal/connect.go

@@ -333,10 +333,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.statusRecorder.MarkSignalConnected()
 
 		relayURLs, token := parseRelayInfo(loginResp)
-		if override, ok := peer.OverrideRelayURLs(); ok {
-			log.Infof("overriding relay URLs from %s: %v", peer.EnvKeyNBHomeRelayServers, override)
-			relayURLs = override
-		}
 		peerConfig := loginResp.GetPeerConfig()
 
 		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig, logPath)

client/internal/engine.go

@@ -571,7 +571,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.connMgr.Start(e.ctx)
 
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
-	e.srWatcher.Start(peer.IsForceRelayed())
+	e.srWatcher.Start()
 
 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
@@ -944,12 +944,7 @@ func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 			return fmt.Errorf("update relay token: %w", err)
 		}
 
-		urls := update.Urls
-		if override, ok := peer.OverrideRelayURLs(); ok {
-			log.Infof("overriding relay URLs from %s: %v", peer.EnvKeyNBHomeRelayServers, override)
-			urls = override
-		}
-		e.relayManager.UpdateServerURLs(urls)
+		e.relayManager.UpdateServerURLs(update.Urls)
 
 		// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
 		// We can ignore all errors because the guard will manage the reconnection retries.

client/internal/engine_test.go

@@ -1671,7 +1671,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/lazyconn/activity/listener_bind_test.go

@@ -3,6 +3,7 @@ package activity
 import (
 	"net"
 	"net/netip"
+	"runtime"
 	"testing"
 	"time"
 
@@ -17,6 +18,10 @@ import (
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
+func isBindListenerPlatform() bool {
+	return runtime.GOOS == "windows" || runtime.GOOS == "js"
+}
+
 // mockEndpointManager implements device.EndpointManager for testing
 type mockEndpointManager struct {
 	endpoints map[netip.Addr]net.Conn
@@ -176,6 +181,10 @@ func TestBindListener_Close(t *testing.T) {
 }
 
 func TestManager_BindMode(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 
@@ -217,6 +226,10 @@ func TestManager_BindMode(t *testing.T) {
 }
 
 func TestManager_BindMode_MultiplePeers(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 

client/internal/lazyconn/activity/manager.go

@@ -4,12 +4,14 @@ import (
 	"errors"
 	"net"
 	"net/netip"
+	"runtime"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -73,6 +75,16 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 
+	// BindListener is used on Windows, JS, and netstack platforms:
+	// - JS: Cannot listen to UDP sockets
+	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
+	//   gateway points to, preventing them from reaching the loopback interface.
+	// - Netstack: Allows multiple instances on the same host without port conflicts.
+	// BindListener bypasses these issues by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
+		return NewUDPListener(m.wgIface, peerCfg)
+	}
+
 	provider, ok := m.wgIface.(bindProvider)
 	if !ok {
 		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")

client/internal/peer/conn.go

@@ -185,20 +185,17 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 
 	conn.workerRelay = NewWorkerRelay(conn.ctx, conn.Log, isController(conn.config), conn.config, conn, conn.relayManager)
 
-	forceRelay := IsForceRelayed()
-	if !forceRelay {
-		relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
-		workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
-		if err != nil {
-			return err
-		}
-		conn.workerICE = workerICE
+	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
+	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
+	if err != nil {
+		return err
 	}
+	conn.workerICE = workerICE
 
 	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay, conn.metricsStages)
 
 	conn.handshaker.AddRelayListener(conn.workerRelay.OnNewOffer)
-	if !forceRelay {
+	if !isForceRelayed() {
 		conn.handshaker.AddICEListener(conn.workerICE.OnNewOffer)
 	}
 
@@ -254,9 +251,7 @@ func (conn *Conn) Close(signalToRemote bool) {
 		conn.wgWatcherCancel()
 	}
 	conn.workerRelay.CloseConn()
-	if conn.workerICE != nil {
-		conn.workerICE.Close()
-	}
+	conn.workerICE.Close()
 
 	if conn.wgProxyRelay != nil {
 		err := conn.wgProxyRelay.CloseConn()
@@ -299,9 +294,7 @@ func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) {
 // OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
 func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
 	conn.dumpState.RemoteCandidate()
-	if conn.workerICE != nil {
-		conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
-	}
+	conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
 }
 
 // SetOnConnected sets a handler function to be triggered by Conn when a new connection to a remote peer established
@@ -719,35 +712,33 @@ func (conn *Conn) evalStatus() ConnStatus {
 	return StatusConnecting
 }
 
-// isConnectedOnAllWay evaluates the overall connection status based on ICE and Relay transports.
-//
-// The result is a tri-state:
-//   - ConnStatusConnected:          all available transports are up
-//   - ConnStatusPartiallyConnected: relay is up but ICE is still pending/reconnecting
-//   - ConnStatusDisconnected:       no working transport
-func (conn *Conn) isConnectedOnAllWay() (status guard.ConnStatus) {
+func (conn *Conn) isConnectedOnAllWay() (connected bool) {
+	// would be better to protect this with a mutex, but it could cause deadlock with Close function
+
 	defer func() {
-		if status == guard.ConnStatusDisconnected {
+		if !connected {
 			conn.logTraceConnState()
 		}
 	}()
 
-	iceWorkerCreated := conn.workerICE != nil
-
-	var iceInProgress bool
-	if iceWorkerCreated {
-		iceInProgress = conn.workerICE.InProgress()
+	// For JS platform: only relay connection is supported
+	if runtime.GOOS == "js" {
+		return conn.statusRelay.Get() == worker.StatusConnected
 	}
 
-	return evalConnStatus(connStatusInputs{
-		forceRelay:          IsForceRelayed(),
-		peerUsesRelay:       conn.workerRelay.IsRelayConnectionSupportedWithPeer(),
-		relayConnected:      conn.statusRelay.Get() == worker.StatusConnected,
-		remoteSupportsICE:   conn.handshaker.RemoteICESupported(),
-		iceWorkerCreated:    iceWorkerCreated,
-		iceStatusConnecting: conn.statusICE.Get() != worker.StatusDisconnected,
-		iceInProgress:       iceInProgress,
-	})
+	// For non-JS platforms: check ICE connection status
+	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
+		return false
+	}
+
+	// If relay is supported with peer, it must also be connected
+	if conn.workerRelay.IsRelayConnectionSupportedWithPeer() {
+		if conn.statusRelay.Get() == worker.StatusDisconnected {
+			return false
+		}
+	}
+
+	return true
 }
 
 func (conn *Conn) enableWgWatcherIfNeeded(enabledTime time.Time) {
@@ -935,43 +926,3 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
-
-func evalConnStatus(in connStatusInputs) guard.ConnStatus {
-	// "Relay up and needed" — the peer uses relay and the transport is connected.
-	relayUsedAndUp := in.peerUsesRelay && in.relayConnected
-
-	// Force-relay mode: ICE never runs. Relay is the only transport and must be up.
-	if in.forceRelay {
-		return boolToConnStatus(relayUsedAndUp)
-	}
-
-	// Remote peer doesn't support ICE, or we haven't created the worker yet:
-	// relay is the only possible transport.
-	if !in.remoteSupportsICE || !in.iceWorkerCreated {
-		return boolToConnStatus(relayUsedAndUp)
-	}
-
-	// ICE counts as "up" when the status is anything other than Disconnected, OR
-	// when a negotiation is currently in progress (so we don't spam offers while one is in flight).
-	iceUp := in.iceStatusConnecting || in.iceInProgress
-
-	// Relay side is acceptable if the peer doesn't rely on relay, or relay is connected.
-	relayOK := !in.peerUsesRelay || in.relayConnected
-
-	switch {
-	case iceUp && relayOK:
-		return guard.ConnStatusConnected
-	case relayUsedAndUp:
-		// Relay is up but ICE is down — partially connected.
-		return guard.ConnStatusPartiallyConnected
-	default:
-		return guard.ConnStatusDisconnected
-	}
-}
-
-func boolToConnStatus(connected bool) guard.ConnStatus {
-	if connected {
-		return guard.ConnStatusConnected
-	}
-	return guard.ConnStatusDisconnected
-}

client/internal/peer/conn_status.go

@@ -13,20 +13,6 @@ const (
 	StatusConnected
 )
 
-// connStatusInputs is the primitive-valued snapshot of the state that drives the
-// tri-state connection classification. Extracted so the decision logic can be unit-tested
-// without constructing full Worker/Handshaker objects.
-type connStatusInputs struct {
-	forceRelay          bool // NB_FORCE_RELAY or JS/WASM
-	peerUsesRelay       bool // remote peer advertises relay support AND local has relay
-	relayConnected      bool // statusRelay reports Connected (independent of whether peer uses relay)
-	remoteSupportsICE   bool // remote peer sent ICE credentials
-	iceWorkerCreated    bool // local WorkerICE exists (false in force-relay mode)
-	iceStatusConnecting bool // statusICE is anything other than Disconnected
-	iceInProgress       bool // a negotiation is currently in flight
-}
-
-
 // ConnStatus describe the status of a peer's connection
 type ConnStatus int32
 

client/internal/peer/conn_status_eval_test.go

@@ -1,201 +0,0 @@
-package peer
-
-import (
-	"testing"
-
-	"github.com/netbirdio/netbird/client/internal/peer/guard"
-)
-
-func TestEvalConnStatus_ForceRelay(t *testing.T) {
-	tests := []struct {
-		name string
-		in   connStatusInputs
-		want guard.ConnStatus
-	}{
-		{
-			name: "force relay, peer uses relay, relay up",
-			in: connStatusInputs{
-				forceRelay:     true,
-				peerUsesRelay:  true,
-				relayConnected: true,
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "force relay, peer uses relay, relay down",
-			in: connStatusInputs{
-				forceRelay:     true,
-				peerUsesRelay:  true,
-				relayConnected: false,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "force relay, peer does NOT use relay - disconnected forever",
-			in: connStatusInputs{
-				forceRelay:     true,
-				peerUsesRelay:  false,
-				relayConnected: true,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			if got := evalConnStatus(tc.in); got != tc.want {
-				t.Fatalf("evalConnStatus = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestEvalConnStatus_ICEUnavailable(t *testing.T) {
-	tests := []struct {
-		name string
-		in   connStatusInputs
-		want guard.ConnStatus
-	}{
-		{
-			name: "remote does not support ICE, peer uses relay, relay up",
-			in: connStatusInputs{
-				peerUsesRelay:     true,
-				relayConnected:    true,
-				remoteSupportsICE: false,
-				iceWorkerCreated:  true,
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "remote does not support ICE, peer uses relay, relay down",
-			in: connStatusInputs{
-				peerUsesRelay:     true,
-				relayConnected:    false,
-				remoteSupportsICE: false,
-				iceWorkerCreated:  true,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "ICE worker not yet created, relay up",
-			in: connStatusInputs{
-				peerUsesRelay:     true,
-				relayConnected:    true,
-				remoteSupportsICE: true,
-				iceWorkerCreated:  false,
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "remote does not support ICE, peer does not use relay",
-			in: connStatusInputs{
-				peerUsesRelay:     false,
-				relayConnected:    false,
-				remoteSupportsICE: false,
-				iceWorkerCreated:  true,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			if got := evalConnStatus(tc.in); got != tc.want {
-				t.Fatalf("evalConnStatus = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestEvalConnStatus_FullyAvailable(t *testing.T) {
-	base := connStatusInputs{
-		remoteSupportsICE: true,
-		iceWorkerCreated:  true,
-	}
-
-	tests := []struct {
-		name    string
-		mutator func(*connStatusInputs)
-		want    guard.ConnStatus
-	}{
-		{
-			name: "ICE connected, relay connected, peer uses relay",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = true
-				in.relayConnected = true
-				in.iceStatusConnecting = true
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "ICE connected, peer does NOT use relay",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.relayConnected = false
-				in.iceStatusConnecting = true
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "ICE InProgress only, peer does NOT use relay",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.iceStatusConnecting = false
-				in.iceInProgress = true
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "ICE down, relay up, peer uses relay -> partial",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = true
-				in.relayConnected = true
-				in.iceStatusConnecting = false
-				in.iceInProgress = false
-			},
-			want: guard.ConnStatusPartiallyConnected,
-		},
-		{
-			name: "ICE down, peer does NOT use relay -> disconnected",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.relayConnected = false
-				in.iceStatusConnecting = false
-				in.iceInProgress = false
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "ICE up, peer uses relay but relay down -> partial (relay required, ICE ignored)",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = true
-				in.relayConnected = false
-				in.iceStatusConnecting = true
-			},
-			// relayOK = false (peer uses relay but it's down), iceUp = true
-			// first switch arm fails (relayOK false), relayUsedAndUp = false (relay down),
-			// falls into default: Disconnected.
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "ICE down, relay up but peer does not use relay -> disconnected",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.relayConnected = true // not actually used since peer doesn't rely on it
-				in.iceStatusConnecting = false
-				in.iceInProgress = false
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			in := base
-			tc.mutator(&in)
-			if got := evalConnStatus(in); got != tc.want {
-				t.Fatalf("evalConnStatus = %v, want %v (inputs: %+v)", got, tc.want, in)
-			}
-		})
-	}
-}

client/internal/peer/env.go

@@ -7,38 +7,12 @@ import (
 )
 
 const (
-	EnvKeyNBForceRelay       = "NB_FORCE_RELAY"
-	EnvKeyNBHomeRelayServers = "NB_HOME_RELAY_SERVERS"
+	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
 )
 
-func IsForceRelayed() bool {
+func isForceRelayed() bool {
 	if runtime.GOOS == "js" {
 		return true
 	}
 	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
 }
-
-// OverrideRelayURLs returns the relay server URL list set in
-// NB_HOME_RELAY_SERVERS (comma-separated) and a boolean indicating whether
-// the override is active. When the env var is unset, the boolean is false
-// and the caller should keep the list received from the management server.
-// Intended for lab/debug scenarios where a peer must pin to a specific home
-// relay regardless of what management offers.
-func OverrideRelayURLs() ([]string, bool) {
-	raw := os.Getenv(EnvKeyNBHomeRelayServers)
-	if raw == "" {
-		return nil, false
-	}
-	parts := strings.Split(raw, ",")
-	urls := make([]string, 0, len(parts))
-	for _, p := range parts {
-		p = strings.TrimSpace(p)
-		if p != "" {
-			urls = append(urls, p)
-		}
-	}
-	if len(urls) == 0 {
-		return nil, false
-	}
-	return urls, true
-}

client/internal/peer/guard/guard.go

@@ -8,19 +8,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-// ConnStatus represents the connection state as seen by the guard.
-type ConnStatus int
-
-const (
-	// ConnStatusDisconnected means neither ICE nor Relay is connected.
-	ConnStatusDisconnected ConnStatus = iota
-	// ConnStatusPartiallyConnected means Relay is connected but ICE is not.
-	ConnStatusPartiallyConnected
-	// ConnStatusConnected means all required connections are established.
-	ConnStatusConnected
-)
-
-type connStatusFunc func() ConnStatus
+type isConnectedFunc func() bool
 
 // Guard is responsible for the reconnection logic.
 // It will trigger to send an offer to the peer then has connection issues.
@@ -32,14 +20,14 @@ type connStatusFunc func() ConnStatus
 // - ICE candidate changes
 type Guard struct {
 	log                     *log.Entry
-	isConnectedOnAllWay     connStatusFunc
+	isConnectedOnAllWay     isConnectedFunc
 	timeout                 time.Duration
 	srWatcher               *SRWatcher
 	relayedConnDisconnected chan struct{}
 	iCEConnDisconnected     chan struct{}
 }
 
-func NewGuard(log *log.Entry, isConnectedFn connStatusFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
+func NewGuard(log *log.Entry, isConnectedFn isConnectedFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
 	return &Guard{
 		log:                     log,
 		isConnectedOnAllWay:     isConnectedFn,
@@ -69,17 +57,8 @@ func (g *Guard) SetICEConnDisconnected() {
 	}
 }
 
-// reconnectLoopWithRetry periodically checks the connection status and sends offers to re-establish connectivity.
-//
-// Behavior depends on the connection state reported by isConnectedOnAllWay:
-//   - Connected: no action, the peer is fully reachable.
-//   - Disconnected (neither ICE nor Relay): retries aggressively with exponential backoff (800ms doubling
-//     up to timeout), never gives up. This ensures rapid recovery when the peer has no connectivity at all.
-//   - PartiallyConnected (Relay up, ICE not): retries up to 3 times with exponential backoff, then switches
-//     to one attempt per hour. This limits signaling traffic when relay already provides connectivity.
-//
-// External events (relay/ICE disconnect, signal/relay reconnect, candidate changes) reset the retry
-// counter and backoff ticker, giving ICE a fresh chance after network conditions change.
+// reconnectLoopWithRetry periodically check the connection status.
+// Try to send offer while the P2P is not established or while the Relay is not connected if is it supported
 func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 	srReconnectedChan := g.srWatcher.NewListener()
 	defer g.srWatcher.RemoveListener(srReconnectedChan)
@@ -89,47 +68,36 @@ func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 
 	tickerChannel := ticker.C
 
-	iceState := &iceRetryState{log: g.log}
-	defer iceState.reset()
-
 	for {
 		select {
-		case <-tickerChannel:
-			switch g.isConnectedOnAllWay() {
-			case ConnStatusConnected:
-				// all good, nothing to do
-			case ConnStatusDisconnected:
-				callback()
-			case ConnStatusPartiallyConnected:
-				if iceState.shouldRetry() {
-					callback()
-				} else {
-					iceState.enterHourlyMode()
-					ticker.Stop()
-					tickerChannel = iceState.hourlyC()
-				}
+		case t := <-tickerChannel:
+			if t.IsZero() {
+				g.log.Infof("retry timed out, stop periodic offer sending")
+				// after backoff timeout the ticker.C will be closed. We need to a dummy channel to avoid loop
+				tickerChannel = make(<-chan time.Time)
+				continue
 			}
 
+			if !g.isConnectedOnAllWay() {
+				callback()
+			}
 		case <-g.relayedConnDisconnected:
 			g.log.Debugf("Relay connection changed, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.newReconnectTicker(ctx)
+			ticker = g.prepareExponentTicker(ctx)
 			tickerChannel = ticker.C
-			iceState.reset()
 
 		case <-g.iCEConnDisconnected:
 			g.log.Debugf("ICE connection changed, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.newReconnectTicker(ctx)
+			ticker = g.prepareExponentTicker(ctx)
 			tickerChannel = ticker.C
-			iceState.reset()
 
 		case <-srReconnectedChan:
 			g.log.Debugf("has network changes, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.newReconnectTicker(ctx)
+			ticker = g.prepareExponentTicker(ctx)
 			tickerChannel = ticker.C
-			iceState.reset()
 
 		case <-ctx.Done():
 			g.log.Debugf("context is done, stop reconnect loop")
@@ -152,7 +120,7 @@ func (g *Guard) initialTicker(ctx context.Context) *backoff.Ticker {
 	return backoff.NewTicker(bo)
 }
 
-func (g *Guard) newReconnectTicker(ctx context.Context) *backoff.Ticker {
+func (g *Guard) prepareExponentTicker(ctx context.Context) *backoff.Ticker {
 	bo := backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval:     800 * time.Millisecond,
 		RandomizationFactor: 0.1,

client/internal/peer/guard/ice_retry_state.go

@@ -1,61 +0,0 @@
-package guard
-
-import (
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// maxICERetries is the maximum number of ICE offer attempts when relay is connected
-	maxICERetries = 3
-	// iceRetryInterval is the periodic retry interval after ICE retries are exhausted
-	iceRetryInterval = 1 * time.Hour
-)
-
-// iceRetryState tracks the limited ICE retry attempts when relay is already connected.
-// After maxICERetries attempts it switches to a periodic hourly retry.
-type iceRetryState struct {
-	log     *log.Entry
-	retries int
-	hourly  *time.Ticker
-}
-
-func (s *iceRetryState) reset() {
-	s.retries = 0
-	if s.hourly != nil {
-		s.hourly.Stop()
-		s.hourly = nil
-	}
-}
-
-// shouldRetry reports whether the caller should send another ICE offer on this tick.
-// Returns false when the per-cycle retry budget is exhausted and the caller must switch
-// to the hourly ticker via enterHourlyMode + hourlyC.
-func (s *iceRetryState) shouldRetry() bool {
-	if s.hourly != nil {
-		s.log.Debugf("hourly ICE retry attempt")
-		return true
-	}
-
-	s.retries++
-	if s.retries <= maxICERetries {
-		s.log.Debugf("ICE retry attempt %d/%d", s.retries, maxICERetries)
-		return true
-	}
-
-	return false
-}
-
-// enterHourlyMode starts the hourly retry ticker. Must be called after shouldRetry returns false.
-func (s *iceRetryState) enterHourlyMode() {
-	s.log.Infof("ICE retries exhausted (%d/%d), switching to hourly retry", maxICERetries, maxICERetries)
-	s.hourly = time.NewTicker(iceRetryInterval)
-}
-
-func (s *iceRetryState) hourlyC() <-chan time.Time {
-	if s.hourly == nil {
-		return nil
-	}
-	return s.hourly.C
-}

client/internal/peer/guard/ice_retry_state_test.go

@@ -1,103 +0,0 @@
-package guard
-
-import (
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func newTestRetryState() *iceRetryState {
-	return &iceRetryState{log: log.NewEntry(log.StandardLogger())}
-}
-
-func TestICERetryState_AllowsInitialBudget(t *testing.T) {
-	s := newTestRetryState()
-
-	for i := 1; i <= maxICERetries; i++ {
-		if !s.shouldRetry() {
-			t.Fatalf("shouldRetry returned false on attempt %d, want true (budget = %d)", i, maxICERetries)
-		}
-	}
-}
-
-func TestICERetryState_ExhaustsAfterBudget(t *testing.T) {
-	s := newTestRetryState()
-
-	for i := 0; i < maxICERetries; i++ {
-		_ = s.shouldRetry()
-	}
-
-	if s.shouldRetry() {
-		t.Fatalf("shouldRetry returned true after budget exhausted, want false")
-	}
-}
-
-func TestICERetryState_HourlyCNilBeforeEnterHourlyMode(t *testing.T) {
-	s := newTestRetryState()
-
-	if s.hourlyC() != nil {
-		t.Fatalf("hourlyC returned non-nil channel before enterHourlyMode")
-	}
-}
-
-func TestICERetryState_EnterHourlyModeArmsTicker(t *testing.T) {
-	s := newTestRetryState()
-	for i := 0; i < maxICERetries+1; i++ {
-		_ = s.shouldRetry()
-	}
-
-	s.enterHourlyMode()
-	defer s.reset()
-
-	if s.hourlyC() == nil {
-		t.Fatalf("hourlyC returned nil after enterHourlyMode")
-	}
-}
-
-func TestICERetryState_ShouldRetryTrueInHourlyMode(t *testing.T) {
-	s := newTestRetryState()
-	s.enterHourlyMode()
-	defer s.reset()
-
-	if !s.shouldRetry() {
-		t.Fatalf("shouldRetry returned false in hourly mode, want true")
-	}
-
-	// Subsequent calls also return true — we keep retrying on each hourly tick.
-	if !s.shouldRetry() {
-		t.Fatalf("second shouldRetry returned false in hourly mode, want true")
-	}
-}
-
-func TestICERetryState_ResetRestoresBudget(t *testing.T) {
-	s := newTestRetryState()
-	for i := 0; i < maxICERetries+1; i++ {
-		_ = s.shouldRetry()
-	}
-	s.enterHourlyMode()
-
-	s.reset()
-
-	if s.hourlyC() != nil {
-		t.Fatalf("hourlyC returned non-nil channel after reset")
-	}
-	if s.retries != 0 {
-		t.Fatalf("retries = %d after reset, want 0", s.retries)
-	}
-
-	for i := 1; i <= maxICERetries; i++ {
-		if !s.shouldRetry() {
-			t.Fatalf("shouldRetry returned false on attempt %d after reset, want true", i)
-		}
-	}
-}
-
-func TestICERetryState_ResetIsIdempotent(t *testing.T) {
-	s := newTestRetryState()
-	s.reset()
-	s.reset() // second call must not panic or re-stop a nil ticker
-
-	if s.hourlyC() != nil {
-		t.Fatalf("hourlyC non-nil after double reset")
-	}
-}

client/internal/peer/guard/sr_watcher.go

@@ -39,7 +39,7 @@ func NewSRWatcher(signalClient chNotifier, relayManager chNotifier, iFaceDiscove
 	return srw
 }
 
-func (w *SRWatcher) Start(disableICEMonitor bool) {
+func (w *SRWatcher) Start() {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -50,10 +50,8 @@ func (w *SRWatcher) Start(disableICEMonitor bool) {
 	ctx, cancel := context.WithCancel(context.Background())
 	w.cancelIceMonitor = cancel
 
-	if !disableICEMonitor {
-		iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
-		go iceMonitor.Start(ctx, w.onICEChanged)
-	}
+	iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
+	go iceMonitor.Start(ctx, w.onICEChanged)
 	w.signalClient.SetOnReconnectedListener(w.onReconnected)
 	w.relayManager.SetOnReconnectedListener(w.onReconnected)
 

client/internal/peer/handshaker.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"sync"
-	"sync/atomic"
 
 	log "github.com/sirupsen/logrus"
 
@@ -44,10 +43,6 @@ type OfferAnswer struct {
 	SessionID *ICESessionID
 }
 
-func (o *OfferAnswer) hasICECredentials() bool {
-	return o.IceCredentials.UFrag != "" && o.IceCredentials.Pwd != ""
-}
-
 type Handshaker struct {
 	mu            sync.Mutex
 	log           *log.Entry
@@ -64,10 +59,6 @@ type Handshaker struct {
 	relayListener *AsyncOfferListener
 	iceListener   func(remoteOfferAnswer *OfferAnswer)
 
-	// remoteICESupported tracks whether the remote peer includes ICE credentials in its offers/answers.
-	// When false, the local side skips ICE listener dispatch and suppresses ICE credentials in responses.
-	remoteICESupported atomic.Bool
-
 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
 	remoteOffersCh chan OfferAnswer
 	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
@@ -75,7 +66,7 @@ type Handshaker struct {
 }
 
 func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay, metricsStages *MetricsStages) *Handshaker {
-	h := &Handshaker{
+	return &Handshaker{
 		log:            log,
 		config:         config,
 		signaler:       signaler,
@@ -85,13 +76,6 @@ func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *W
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 	}
-	// assume remote supports ICE until we learn otherwise from received offers
-	h.remoteICESupported.Store(ice != nil)
-	return h
-}
-
-func (h *Handshaker) RemoteICESupported() bool {
-	return h.remoteICESupported.Load()
 }
 
 func (h *Handshaker) AddRelayListener(offer func(remoteOfferAnswer *OfferAnswer)) {
@@ -106,20 +90,18 @@ func (h *Handshaker) Listen(ctx context.Context) {
 	for {
 		select {
 		case remoteOfferAnswer := <-h.remoteOffersCh:
-			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s, remote ICE supported: %t", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString(), remoteOfferAnswer.hasICECredentials())
+			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
 
 			// Record signaling received for reconnection attempts
 			if h.metricsStages != nil {
 				h.metricsStages.RecordSignalingReceived()
 			}
 
-			h.updateRemoteICEState(&remoteOfferAnswer)
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
 
-			if h.iceListener != nil && h.RemoteICESupported() {
+			if h.iceListener != nil {
 				h.iceListener(&remoteOfferAnswer)
 			}
 
@@ -128,20 +110,18 @@ func (h *Handshaker) Listen(ctx context.Context) {
 				continue
 			}
 		case remoteOfferAnswer := <-h.remoteAnswerCh:
-			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s, remote ICE supported: %t", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString(), remoteOfferAnswer.hasICECredentials())
+			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
 
 			// Record signaling received for reconnection attempts
 			if h.metricsStages != nil {
 				h.metricsStages.RecordSignalingReceived()
 			}
 
-			h.updateRemoteICEState(&remoteOfferAnswer)
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
 
-			if h.iceListener != nil && h.RemoteICESupported() {
+			if h.iceListener != nil {
 				h.iceListener(&remoteOfferAnswer)
 			}
 		case <-ctx.Done():
@@ -203,18 +183,15 @@ func (h *Handshaker) sendAnswer() error {
 }
 
 func (h *Handshaker) buildOfferAnswer() OfferAnswer {
+	uFrag, pwd := h.ice.GetLocalUserCredentials()
+	sid := h.ice.SessionID()
 	answer := OfferAnswer{
+		IceCredentials:  IceCredentials{uFrag, pwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
 		RosenpassAddr:   h.config.RosenpassConfig.Addr,
-	}
-
-	if h.ice != nil && h.RemoteICESupported() {
-		uFrag, pwd := h.ice.GetLocalUserCredentials()
-		sid := h.ice.SessionID()
-		answer.IceCredentials = IceCredentials{uFrag, pwd}
-		answer.SessionID = &sid
+		SessionID:       &sid,
 	}
 
 	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
@@ -223,18 +200,3 @@ func (h *Handshaker) buildOfferAnswer() OfferAnswer {
 
 	return answer
 }
-
-func (h *Handshaker) updateRemoteICEState(offer *OfferAnswer) {
-	hasICE := offer.hasICECredentials()
-	prev := h.remoteICESupported.Swap(hasICE)
-	if prev != hasICE {
-		if hasICE {
-			h.log.Infof("remote peer started sending ICE credentials")
-		} else {
-			h.log.Infof("remote peer stopped sending ICE credentials")
-			if h.ice != nil {
-				h.ice.Close()
-			}
-		}
-	}
-}

client/internal/peer/signaler.go

@@ -46,13 +46,9 @@ func (s *Signaler) Ready() bool {
 
 // SignalOfferAnswer signals either an offer or an answer to remote peer
 func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
-	var sessionIDBytes []byte
-	if offerAnswer.SessionID != nil {
-		var err error
-		sessionIDBytes, err = offerAnswer.SessionID.Bytes()
-		if err != nil {
-			log.Warnf("failed to get session ID bytes: %v", err)
-		}
+	sessionIDBytes, err := offerAnswer.SessionID.Bytes()
+	if err != nil {
+		log.Warnf("failed to get session ID bytes: %v", err)
 	}
 	msg, err := signal.MarshalCredential(
 		s.wgPrivateKey,

client/internal/routemanager/systemops/systemops_darwin.go

@@ -89,16 +89,8 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 		return false, fmt.Errorf("unusable default nexthop for %s (no interface)", unspec)
 	}
 
-	reused := false
 	if err := r.addScopedDefault(unspec, nexthop); err != nil {
-		if !errors.Is(err, unix.EEXIST) {
-			return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
-		}
-		// macOS installs its own RTF_IFSCOPE defaults for primary service
-		// selection on multi-NIC setups, so a route on this ifindex can
-		// already exist before we try. Binding to it via IP[V6]_BOUND_IF
-		// still produces the scoped lookup we need.
-		reused = true
+		return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
 	}
 
 	af := unix.AF_INET
@@ -110,11 +102,7 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 	if nexthop.IP.IsValid() {
 		via = nexthop.IP.String()
 	}
-	verb := "installed"
-	if reused {
-		verb = "reused existing"
-	}
-	log.Infof("%s scoped default route via %s on %s for %s", verb, via, nexthop.Intf.Name, afOf(unspec))
+	log.Infof("installed scoped default route via %s on %s for %s", via, nexthop.Intf.Name, afOf(unspec))
 	return true, nil
 }
 

client/internal/sleep/detector_darwin.go

@@ -2,358 +2,217 @@
 
 package sleep
 
+/*
+#cgo LDFLAGS: -framework IOKit -framework CoreFoundation
+#include <IOKit/pwr_mgt/IOPMLib.h>
+#include <IOKit/IOMessage.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+extern void sleepCallbackBridge();
+extern void poweredOnCallbackBridge();
+extern void suspendedCallbackBridge();
+extern void resumedCallbackBridge();
+
+
+// C global variables for IOKit state
+static IONotificationPortRef g_notifyPortRef = NULL;
+static io_object_t g_notifierObject = 0;
+static io_object_t g_generalInterestNotifier = 0;
+static io_connect_t g_rootPort = 0;
+static CFRunLoopRef g_runLoop = NULL;
+
+static void sleepCallback(void* refCon, io_service_t service, natural_t messageType, void* messageArgument) {
+	switch (messageType) {
+		case kIOMessageSystemWillSleep:
+			sleepCallbackBridge();
+			IOAllowPowerChange(g_rootPort, (long)messageArgument);
+			break;
+        case kIOMessageSystemHasPoweredOn:
+          	poweredOnCallbackBridge();
+          	break;
+        case kIOMessageServiceIsSuspended:
+			suspendedCallbackBridge();
+			break;
+		case kIOMessageServiceIsResumed:
+			resumedCallbackBridge();
+			break;
+		default:
+			break;
+	}
+}
+
+static void registerNotifications() {
+	g_rootPort = IORegisterForSystemPower(
+		NULL,
+		&g_notifyPortRef,
+		(IOServiceInterestCallback)sleepCallback,
+		&g_notifierObject
+	);
+
+	if (g_rootPort == 0) {
+		return;
+	}
+
+	CFRunLoopAddSource(CFRunLoopGetCurrent(),
+		IONotificationPortGetRunLoopSource(g_notifyPortRef),
+		kCFRunLoopCommonModes);
+
+	g_runLoop = CFRunLoopGetCurrent();
+	CFRunLoopRun();
+}
+
+static void unregisterNotifications() {
+	CFRunLoopRemoveSource(g_runLoop,
+		IONotificationPortGetRunLoopSource(g_notifyPortRef),
+		kCFRunLoopCommonModes);
+
+	IODeregisterForSystemPower(&g_notifierObject);
+	IOServiceClose(g_rootPort);
+	IONotificationPortDestroy(g_notifyPortRef);
+	CFRunLoopStop(g_runLoop);
+
+	g_notifyPortRef = NULL;
+	g_notifierObject = 0;
+	g_rootPort = 0;
+	g_runLoop = NULL;
+}
+
+*/
+import "C"
+
 import (
+	"context"
 	"fmt"
 	"runtime"
 	"sync"
 	"time"
-	"unsafe"
 
-	"github.com/ebitengine/purego"
 	log "github.com/sirupsen/logrus"
 )
 
-// IOKit message types from IOKit/IOMessage.h.
-const (
-	kIOMessageCanSystemSleep     uintptr = 0xe0000270
-	kIOMessageSystemWillSleep    uintptr = 0xe0000280
-	kIOMessageSystemHasPoweredOn uintptr = 0xe0000300
-)
-
 var (
-	ioKit         iokitFuncs
-	cf            cfFuncs
-	cfCommonModes uintptr
-
-	libInitOnce sync.Once
-	libInitErr  error
-
-	// callbackThunk is the single C-callable trampoline registered with IOKit.
-	callbackThunk uintptr
-
 	serviceRegistry   = make(map[*Detector]struct{})
 	serviceRegistryMu sync.Mutex
-	session           *runLoopSession
-
-	// lifecycleMu serializes Register/Deregister so a new registration can't
-	// start a second runloop while a previous teardown is still pending.
-	lifecycleMu sync.Mutex
 )
 
-// iokitFuncs holds IOKit symbols resolved once at init.
-type iokitFuncs struct {
-	IORegisterForSystemPower           func(refcon uintptr, portRef *uintptr, callback uintptr, notifier *uintptr) uintptr
-	IODeregisterForSystemPower         func(notifier *uintptr) int32
-	IOAllowPowerChange                 func(kernelPort uintptr, notificationID uintptr) int32
-	IOServiceClose                     func(connect uintptr) int32
-	IONotificationPortGetRunLoopSource func(port uintptr) uintptr
-	IONotificationPortDestroy          func(port uintptr)
-}
-
-// cfFuncs holds CoreFoundation symbols resolved once at init.
-type cfFuncs struct {
-	CFRunLoopGetCurrent   func() uintptr
-	CFRunLoopRun          func()
-	CFRunLoopStop         func(rl uintptr)
-	CFRunLoopAddSource    func(rl, source, mode uintptr)
-	CFRunLoopRemoveSource func(rl, source, mode uintptr)
-}
-
-// runLoopSession bundles the handles owned by one CFRunLoop lifetime. A nil
-// session means no runloop is active and the next Register must start one.
-type runLoopSession struct {
-	rl       uintptr
-	port     uintptr
-	notifier uintptr
-	rp       uintptr
-}
-
-// detectorSnapshot pins a detector's callback and done channel so dispatch
-// runs with values valid at snapshot time, even if a concurrent
-// Deregister/Register rewrites the detector's fields.
-type detectorSnapshot struct {
-	detector *Detector
-	callback func(event EventType)
-	done     <-chan struct{}
-}
-
-// Detector delivers sleep and wake events to a registered callback.
-type Detector struct {
-	callback func(event EventType)
-	done     chan struct{}
-}
-
-// Register installs callback for power events. The first registration starts
-// the CFRunLoop on a dedicated OS-locked thread and blocks until IOKit
-// registration succeeds or fails; subsequent registrations just add to the
-// dispatch set.
-func (d *Detector) Register(callback func(event EventType)) error {
-	lifecycleMu.Lock()
-	defer lifecycleMu.Unlock()
+//export sleepCallbackBridge
+func sleepCallbackBridge() {
+	log.Info("sleepCallbackBridge event triggered")
 
 	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
+	for svc := range serviceRegistry {
+		svc.triggerCallback(EventTypeSleep)
+	}
+}
+
+//export resumedCallbackBridge
+func resumedCallbackBridge() {
+	log.Info("resumedCallbackBridge event triggered")
+}
+
+//export suspendedCallbackBridge
+func suspendedCallbackBridge() {
+	log.Info("suspendedCallbackBridge event triggered")
+}
+
+//export poweredOnCallbackBridge
+func poweredOnCallbackBridge() {
+	log.Info("poweredOnCallbackBridge event triggered")
+	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
+	for svc := range serviceRegistry {
+		svc.triggerCallback(EventTypeWakeUp)
+	}
+}
+
+type Detector struct {
+	callback func(event EventType)
+	ctx      context.Context
+	cancel   context.CancelFunc
+}
+
+func NewDetector() (*Detector, error) {
+	return &Detector{}, nil
+}
+
+func (d *Detector) Register(callback func(event EventType)) error {
+	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
 	if _, exists := serviceRegistry[d]; exists {
-		serviceRegistryMu.Unlock()
 		return fmt.Errorf("detector service already registered")
 	}
-	d.callback = callback
-	d.done = make(chan struct{})
-	serviceRegistry[d] = struct{}{}
-	needSetup := session == nil
-	serviceRegistryMu.Unlock()
 
-	if !needSetup {
+	d.callback = callback
+
+	d.ctx, d.cancel = context.WithCancel(context.Background())
+
+	if len(serviceRegistry) > 0 {
+		serviceRegistry[d] = struct{}{}
 		return nil
 	}
 
-	errCh := make(chan error, 1)
-	go runRunLoop(errCh)
-	if err := <-errCh; err != nil {
-		serviceRegistryMu.Lock()
-		delete(serviceRegistry, d)
-		close(d.done)
-		d.done = nil
-		serviceRegistryMu.Unlock()
-		return err
-	}
+	serviceRegistry[d] = struct{}{}
+
+	// CFRunLoop must run on a single fixed OS thread
+	go func() {
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
+
+		C.registerNotifications()
+	}()
 
 	log.Info("sleep detection service started on macOS")
 	return nil
 }
 
-// Deregister removes the detector. When the last detector leaves, IOKit
-// notifications are torn down and the runloop is stopped.
+// Deregister removes the detector. When the last detector is removed, IOKit registration is torn down
+// and the runloop is stopped and cleaned up.
 func (d *Detector) Deregister() error {
-	lifecycleMu.Lock()
-	defer lifecycleMu.Unlock()
-
 	serviceRegistryMu.Lock()
-	if _, exists := serviceRegistry[d]; !exists {
-		serviceRegistryMu.Unlock()
+	defer serviceRegistryMu.Unlock()
+	_, exists := serviceRegistry[d]
+	if !exists {
 		return nil
 	}
-	close(d.done)
+
+	// cancel and remove this detector
+	d.cancel()
 	delete(serviceRegistry, d)
 
+	// If other Detectors still exist, leave IOKit running
 	if len(serviceRegistry) > 0 {
-		serviceRegistryMu.Unlock()
 		return nil
 	}
-	sess := session
-	serviceRegistryMu.Unlock()
 
 	log.Info("sleep detection service stopping (deregister)")
 
-	if sess == nil {
-		return nil
-	}
-
-	if sess.rl != 0 && sess.port != 0 {
-		source := ioKit.IONotificationPortGetRunLoopSource(sess.port)
-		cf.CFRunLoopRemoveSource(sess.rl, source, cfCommonModes)
-	}
-	if sess.notifier != 0 {
-		n := sess.notifier
-		ioKit.IODeregisterForSystemPower(&n)
-	}
-
-	// Clear session only after IODeregisterForSystemPower returns so any
-	// in-flight powerCallback can still look up session.rp to ack sleep.
-	serviceRegistryMu.Lock()
-	session = nil
-	serviceRegistryMu.Unlock()
-
-	if sess.rp != 0 {
-		ioKit.IOServiceClose(sess.rp)
-	}
-	if sess.port != 0 {
-		ioKit.IONotificationPortDestroy(sess.port)
-	}
-	if sess.rl != 0 {
-		cf.CFRunLoopStop(sess.rl)
-	}
+	// Deregister IOKit notifications, stop runloop, and free resources
+	C.unregisterNotifications()
 
 	return nil
 }
 
-func (d *Detector) triggerCallback(event EventType, cb func(event EventType), done <-chan struct{}) {
-	if cb == nil || done == nil {
-		return
-	}
-
-	select {
-	case <-done:
-		return
-	default:
-	}
-
+func (d *Detector) triggerCallback(event EventType) {
 	doneChan := make(chan struct{})
+
 	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
-	go func() {
-		defer close(doneChan)
-		defer func() {
-			if r := recover(); r != nil {
-				log.Errorf("panic in sleep callback: %v", r)
-			}
-		}()
+	cb := d.callback
+	go func(callback func(event EventType)) {
 		log.Info("sleep detection event fired")
-		cb(event)
-	}()
+		callback(event)
+		close(doneChan)
+	}(cb)
 
 	select {
 	case <-doneChan:
-	case <-done:
+	case <-d.ctx.Done():
 	case <-timeout.C:
-		log.Warn("sleep callback timed out")
+		log.Warnf("sleep callback timed out")
 	}
 }
-
-// NewDetector initializes IOKit/CoreFoundation bindings and returns a Detector.
-func NewDetector() (*Detector, error) {
-	if err := initLibs(); err != nil {
-		return nil, err
-	}
-	return &Detector{}, nil
-}
-
-func initLibs() error {
-	libInitOnce.Do(func() {
-		iokit, err := purego.Dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", purego.RTLD_NOW|purego.RTLD_GLOBAL)
-		if err != nil {
-			libInitErr = fmt.Errorf("dlopen IOKit: %w", err)
-			return
-		}
-		cfLib, err := purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL)
-		if err != nil {
-			libInitErr = fmt.Errorf("dlopen CoreFoundation: %w", err)
-			return
-		}
-
-		purego.RegisterLibFunc(&ioKit.IORegisterForSystemPower, iokit, "IORegisterForSystemPower")
-		purego.RegisterLibFunc(&ioKit.IODeregisterForSystemPower, iokit, "IODeregisterForSystemPower")
-		purego.RegisterLibFunc(&ioKit.IOAllowPowerChange, iokit, "IOAllowPowerChange")
-		purego.RegisterLibFunc(&ioKit.IOServiceClose, iokit, "IOServiceClose")
-		purego.RegisterLibFunc(&ioKit.IONotificationPortGetRunLoopSource, iokit, "IONotificationPortGetRunLoopSource")
-		purego.RegisterLibFunc(&ioKit.IONotificationPortDestroy, iokit, "IONotificationPortDestroy")
-
-		purego.RegisterLibFunc(&cf.CFRunLoopGetCurrent, cfLib, "CFRunLoopGetCurrent")
-		purego.RegisterLibFunc(&cf.CFRunLoopRun, cfLib, "CFRunLoopRun")
-		purego.RegisterLibFunc(&cf.CFRunLoopStop, cfLib, "CFRunLoopStop")
-		purego.RegisterLibFunc(&cf.CFRunLoopAddSource, cfLib, "CFRunLoopAddSource")
-		purego.RegisterLibFunc(&cf.CFRunLoopRemoveSource, cfLib, "CFRunLoopRemoveSource")
-
-		modeAddr, err := purego.Dlsym(cfLib, "kCFRunLoopCommonModes")
-		if err != nil {
-			libInitErr = fmt.Errorf("dlsym kCFRunLoopCommonModes: %w", err)
-			return
-		}
-		// Launder the uintptr-to-pointer conversion through a Go variable so
-		// go vet's unsafeptr analyzer doesn't flag a system-library global.
-		cfCommonModes = **(**uintptr)(unsafe.Pointer(&modeAddr))
-
-		// NewCallback slots are a finite, non-reclaimable resource, so register
-		// a single thunk that dispatches to the current Detector set.
-		callbackThunk = purego.NewCallback(powerCallback)
-	})
-	return libInitErr
-}
-
-// powerCallback is the IOServiceInterestCallback trampoline, invoked on the
-// runloop thread. A Go panic crossing the purego boundary has undefined
-// behavior, so contain it here.
-func powerCallback(refcon, service, messageType, messageArgument uintptr) uintptr {
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("panic in sleep powerCallback: %v", r)
-		}
-	}()
-	switch messageType {
-	case kIOMessageCanSystemSleep:
-		// Not acknowledging forces a 30s IOKit timeout before idle sleep.
-		allowPowerChange(messageArgument)
-	case kIOMessageSystemWillSleep:
-		dispatchEvent(EventTypeSleep)
-		allowPowerChange(messageArgument)
-	case kIOMessageSystemHasPoweredOn:
-		dispatchEvent(EventTypeWakeUp)
-	}
-	return 0
-}
-
-func allowPowerChange(messageArgument uintptr) {
-	serviceRegistryMu.Lock()
-	var port uintptr
-	if session != nil {
-		port = session.rp
-	}
-	serviceRegistryMu.Unlock()
-	if port != 0 {
-		ioKit.IOAllowPowerChange(port, messageArgument)
-	}
-}
-
-func dispatchEvent(event EventType) {
-	serviceRegistryMu.Lock()
-	snaps := make([]detectorSnapshot, 0, len(serviceRegistry))
-	for d := range serviceRegistry {
-		snaps = append(snaps, detectorSnapshot{
-			detector: d,
-			callback: d.callback,
-			done:     d.done,
-		})
-	}
-	serviceRegistryMu.Unlock()
-
-	for _, s := range snaps {
-		s.detector.triggerCallback(event, s.callback, s.done)
-	}
-}
-
-// runRunLoop owns the OS-locked thread that CFRunLoop is pinned to. Setup
-// result is reported on errCh so Register can surface failures synchronously.
-func runRunLoop(errCh chan<- error) {
-	runtime.LockOSThread()
-	defer runtime.UnlockOSThread()
-
-	sess, err := setupSession()
-	if err == nil {
-		serviceRegistryMu.Lock()
-		session = sess
-		serviceRegistryMu.Unlock()
-	}
-	errCh <- err
-	if err != nil {
-		return
-	}
-
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("panic in sleep runloop: %v", r)
-		}
-	}()
-	cf.CFRunLoopRun()
-}
-
-// setupSession performs the IOKit registration on the current thread. Panics
-// are converted to errors so runRunLoop never leaves errCh unsent.
-func setupSession() (s *runLoopSession, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic during runloop setup: %v", r)
-		}
-	}()
-
-	var portRef, notifier uintptr
-	rp := ioKit.IORegisterForSystemPower(0, &portRef, callbackThunk, &notifier)
-	if rp == 0 {
-		return nil, fmt.Errorf("IORegisterForSystemPower returned zero")
-	}
-
-	rl := cf.CFRunLoopGetCurrent()
-	source := ioKit.IONotificationPortGetRunLoopSource(portRef)
-	cf.CFRunLoopAddSource(rl, source, cfCommonModes)
-
-	return &runLoopSession{rl: rl, port: portRef, notifier: notifier, rp: rp}, nil
-}

client/netbird.wxs

@@ -13,25 +13,15 @@
 
 		<MajorUpgrade AllowSameVersionUpgrades='yes' DowngradeErrorMessage="A newer version of [ProductName] is already installed. Setup will now exit."/>
 
-		<!-- Autostart: enabled by default, disable with AUTOSTART=0 on the msiexec command line -->
-		<Property Id="AUTOSTART" Value="1" />
-
 		<StandardDirectory Id="ProgramFiles64Folder">
 			<Directory Id="NetbirdInstallDir" Name="Netbird">
 				<Component Id="NetbirdFiles" Guid="db3165de-cc6e-4922-8396-9d892950e23e" Bitness="always64">
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird.exe" KeyPath="yes" />
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\netbird-ui.exe">
-						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
-							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
-							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
-						</Shortcut>
-						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon">
-							<ShortcutProperty Key="System.AppUserModel.ID" Value="NetBird" />
-							<ShortcutProperty Key="System.AppUserModel.ToastActivatorCLSID" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
-						</Shortcut>
+						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
+						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
-					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
 					<?if $(var.ArchSuffix) = "amd64" ?>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
 					<?endif ?>
@@ -56,31 +46,8 @@
 			</Directory>
 		</StandardDirectory>
 
-		<!-- Per-user component: HKCU keypath (auto GUID via "*"), separate from
-		     the per-machine NetbirdFiles component to satisfy ICE57. -->
-		<StandardDirectory Id="ProgramMenuFolder">
-			<Component Id="NetbirdAumidRegistry" Guid="*">
-				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
-					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
-				</RegistryKey>
-			</Component>
-		</StandardDirectory>
-
-		<StandardDirectory Id="CommonAppDataFolder">
-			<Directory Id="NetbirdAutoStartDir" Name="Netbird">
-				<Component Id="NetbirdAutoStart" Guid="b199eaca-b0dd-4032-af19-679cfad48eb3" Bitness="always64">
-					<Condition>AUTOSTART = "1"</Condition>
-					<RegistryValue Root="HKLM" Key="Software\Microsoft\Windows\CurrentVersion\Run"
-						Name="Netbird" Value="&quot;[NetbirdInstallDir]netbird-ui.exe&quot;"
-						Type="string" KeyPath="yes" />
-				</Component>
-			</Directory>
-		</StandardDirectory>
-
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
-			<ComponentRef Id="NetbirdAumidRegistry" />
-			<ComponentRef Id="NetbirdAutoStart" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

client/proto/daemon.proto

@@ -104,6 +104,8 @@ service DaemonService {
   // StopCPUProfile stops CPU profiling in the daemon
   rpc StopCPUProfile(StopCPUProfileRequest) returns (StopCPUProfileResponse) {}
 
+  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}
+
   rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
 
   // ExposeService exposes a local port via the NetBird reverse proxy
@@ -112,6 +114,20 @@ service DaemonService {
 
 
 
+message OSLifecycleRequest {
+  // avoid collision with loglevel enum
+  enum CycleType {
+    UNKNOWN = 0;
+    SLEEP = 1;
+    WAKEUP = 2;
+  }
+
+  CycleType type = 1;
+}
+
+message OSLifecycleResponse {}
+
+
 message LoginRequest {
   // setupKey netbird setup key.
   string setupKey = 1;

client/server/server.go

@@ -120,7 +120,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
-	s.startSleepDetector()
 
 	return s
 }

client/server/server_test.go

@@ -335,7 +335,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/server/sleep.go

@@ -2,18 +2,13 @@ package server
 
 import (
 	"context"
-	"os"
-	"strconv"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 )
 
-const envDisableSleepDetector = "NB_DISABLE_SLEEP_DETECTOR"
-
 // serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
 type serverAgent struct {
 	s *Server
@@ -33,61 +28,19 @@ func (a *serverAgent) Status() (internal.StatusType, error) {
 	return internal.CtxGetState(a.s.rootCtx).Status()
 }
 
-// startSleepDetector starts the OS sleep/wake detector and forwards events to
-// the sleep handler. On platforms without a supported detector the attempt
-// logs a warning and returns. Setting NB_DISABLE_SLEEP_DETECTOR=true skips
-// registration entirely.
-func (s *Server) startSleepDetector() {
-	if sleepDetectorDisabled() {
-		log.Info("sleep detection disabled via " + envDisableSleepDetector)
-		return
-	}
-
-	svc, err := sleep.New()
-	if err != nil {
-		log.Warnf("failed to initialize sleep detection: %v", err)
-		return
-	}
-
-	err = svc.Register(func(event sleep.EventType) {
-		switch event {
-		case sleep.EventTypeSleep:
-			log.Info("handling sleep event")
-			if err := s.sleepHandler.HandleSleep(s.rootCtx); err != nil {
-				log.Errorf("failed to handle sleep event: %v", err)
-			}
-		case sleep.EventTypeWakeUp:
-			log.Info("handling wakeup event")
-			if err := s.sleepHandler.HandleWakeUp(s.rootCtx); err != nil {
-				log.Errorf("failed to handle wakeup event: %v", err)
-			}
+// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
+func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
+	switch req.GetType() {
+	case proto.OSLifecycleRequest_WAKEUP:
+		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
 		}
-	})
-	if err != nil {
-		log.Errorf("failed to register sleep detector: %v", err)
-		return
-	}
-
-	log.Info("sleep detection service initialized")
-
-	go func() {
-		<-s.rootCtx.Done()
-		log.Info("stopping sleep event listener")
-		if err := svc.Deregister(); err != nil {
-			log.Errorf("failed to deregister sleep detector: %v", err)
+	case proto.OSLifecycleRequest_SLEEP:
+		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
 		}
-	}()
-}
-
-func sleepDetectorDisabled() bool {
-	val := os.Getenv(envDisableSleepDetector)
-	if val == "" {
-		return false
+	default:
+		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
 	}
-	disabled, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s=%q: %v", envDisableSleepDetector, val, err)
-		return false
-	}
-	return disabled
+	return &proto.OSLifecycleResponse{}, nil
 }

client/ui/client_ui.go

@@ -38,10 +38,10 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/desktop"
 	"github.com/netbirdio/netbird/client/ui/event"
-	"github.com/netbirdio/netbird/client/ui/notifier"
 	"github.com/netbirdio/netbird/client/ui/process"
 	"github.com/netbirdio/netbird/util"
 
@@ -260,7 +260,6 @@ type serviceClient struct {
 
 	// application with main windows.
 	app                  fyne.App
-	notifier             notifier.Notifier
 	wSettings            fyne.Window
 	showAdvancedSettings bool
 	sendNotification     bool
@@ -365,7 +364,6 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 		cancel:           cancel,
 		addr:             args.addr,
 		app:              args.app,
-		notifier:         notifier.New(args.app),
 		logFile:          args.logFile,
 		sendNotification: false,
 
@@ -894,7 +892,7 @@ func (s *serviceClient) updateStatus() error {
 		if err != nil {
 			log.Errorf("get service status: %v", err)
 			if s.connected {
-				s.notifier.Send("Error", "Connection to service lost")
+				s.app.SendNotification(fyne.NewNotification("Error", "Connection to service lost"))
 			}
 			s.setDisconnectedStatus()
 			return err
@@ -1111,7 +1109,7 @@ func (s *serviceClient) onTrayReady() {
 		}
 	}()
 
-	s.eventManager = event.NewManager(s.notifier, s.addr)
+	s.eventManager = event.NewManager(s.app, s.addr)
 	s.eventManager.SetNotificationsEnabled(s.mNotifications.Checked())
 	s.eventManager.AddHandler(func(event *proto.SystemEvent) {
 		if event.Category == proto.SystemEvent_SYSTEM {
@@ -1148,6 +1146,9 @@ func (s *serviceClient) onTrayReady() {
 
 	go s.eventManager.Start(s.ctx)
 	go s.eventHandler.listen(s.ctx)
+
+	// Start sleep detection listener
+	go s.startSleepListener()
 }
 
 func (s *serviceClient) attachOutput(cmd *exec.Cmd) *os.File {
@@ -1208,6 +1209,62 @@ func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonService
 	return s.conn, nil
 }
 
+// startSleepListener initializes the sleep detection service and listens for sleep events
+func (s *serviceClient) startSleepListener() {
+	sleepService, err := sleep.New()
+	if err != nil {
+		log.Warnf("%v", err)
+		return
+	}
+
+	if err := sleepService.Register(s.handleSleepEvents); err != nil {
+		log.Errorf("failed to start sleep detection: %v", err)
+		return
+	}
+
+	log.Info("sleep detection service initialized")
+
+	// Cleanup on context cancellation
+	go func() {
+		<-s.ctx.Done()
+		log.Info("stopping sleep event listener")
+		if err := sleepService.Deregister(); err != nil {
+			log.Errorf("failed to deregister sleep detection: %v", err)
+		}
+	}()
+}
+
+// handleSleepEvents sends a sleep notification to the daemon via gRPC
+func (s *serviceClient) handleSleepEvents(event sleep.EventType) {
+	conn, err := s.getSrvClient(0)
+	if err != nil {
+		log.Errorf("failed to get daemon client for sleep notification: %v", err)
+		return
+	}
+
+	req := &proto.OSLifecycleRequest{}
+
+	switch event {
+	case sleep.EventTypeWakeUp:
+		log.Infof("handle wakeup event: %v", event)
+		req.Type = proto.OSLifecycleRequest_WAKEUP
+	case sleep.EventTypeSleep:
+		log.Infof("handle sleep event: %v", event)
+		req.Type = proto.OSLifecycleRequest_SLEEP
+	default:
+		log.Infof("unknown event: %v", event)
+		return
+	}
+
+	_, err = conn.NotifyOSLifecycle(s.ctx, req)
+	if err != nil {
+		log.Errorf("failed to notify daemon about os lifecycle notification: %v", err)
+		return
+	}
+
+	log.Info("successfully notified daemon about os lifecycle")
+}
+
 // setSettingsEnabled enables or disables the settings menu based on the provided state
 func (s *serviceClient) setSettingsEnabled(enabled bool) {
 	if s.mSettings != nil {
@@ -1491,7 +1548,7 @@ func (s *serviceClient) onUpdateAvailable(newVersion string, enforced bool) {
 
 	if enforced && s.lastNotifiedVersion != newVersion {
 		s.lastNotifiedVersion = newVersion
-		s.notifier.Send("Update available", "A new version "+newVersion+" is ready to install")
+		s.app.SendNotification(fyne.NewNotification("Update available", "A new version "+newVersion+" is ready to install"))
 	}
 }
 

client/ui/event/event.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"
 
+	"fyne.io/fyne/v2"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -17,17 +18,11 @@ import (
 	"github.com/netbirdio/netbird/client/ui/desktop"
 )
 
-// Notifier sends desktop notifications. Defined here so the event package
-// does not depend on fyne or the platform-specific notifier implementation.
-type Notifier interface {
-	Send(title, body string)
-}
-
 type Handler func(*proto.SystemEvent)
 
 type Manager struct {
-	notifier Notifier
-	addr     string
+	app  fyne.App
+	addr string
 
 	mu       sync.Mutex
 	ctx      context.Context
@@ -36,10 +31,10 @@ type Manager struct {
 	handlers []Handler
 }
 
-func NewManager(notifier Notifier, addr string) *Manager {
+func NewManager(app fyne.App, addr string) *Manager {
 	return &Manager{
-		notifier: notifier,
-		addr:     addr,
+		app:  app,
+		addr: addr,
 	}
 }
 
@@ -119,7 +114,7 @@ func (e *Manager) handleEvent(event *proto.SystemEvent) {
 		if id != "" {
 			body += fmt.Sprintf(" ID: %s", id)
 		}
-		e.notifier.Send(title, body)
+		e.app.SendNotification(fyne.NewNotification(title, body))
 	}
 
 	for _, handler := range handlers {

client/ui/event_handler.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 
+	"fyne.io/fyne/v2"
 	"fyne.io/systray"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
@@ -86,7 +87,7 @@ func (h *eventHandler) handleConnectClick() {
 			if errors.Is(err, context.Canceled) || (ok && st.Code() == codes.Canceled) {
 				log.Debugf("connect operation cancelled by user")
 			} else {
-				h.client.notifier.Send("Error", "Failed to connect")
+				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to connect"))
 				log.Errorf("connect failed: %v", err)
 			}
 		}
@@ -111,7 +112,7 @@ func (h *eventHandler) handleDisconnectClick() {
 		if err := h.client.menuDownClick(); err != nil {
 			st, ok := status.FromError(err)
 			if !errors.Is(err, context.Canceled) && !(ok && st.Code() == codes.Canceled) {
-				h.client.notifier.Send("Error", "Failed to disconnect")
+				h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to disconnect"))
 				log.Errorf("disconnect failed: %v", err)
 			} else {
 				log.Debugf("disconnect cancelled or already disconnecting")
@@ -129,7 +130,7 @@ func (h *eventHandler) handleAllowSSHClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAllowSSH) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update SSH settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update SSH settings"))
 	}
 
 }
@@ -139,7 +140,7 @@ func (h *eventHandler) handleAutoConnectClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mAutoConnect) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update auto-connect settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update auto-connect settings"))
 	}
 }
 
@@ -148,7 +149,7 @@ func (h *eventHandler) handleRosenpassClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mEnableRosenpass) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update Rosenpass settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update Rosenpass settings"))
 	}
 }
 
@@ -157,7 +158,7 @@ func (h *eventHandler) handleLazyConnectionClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mLazyConnEnabled) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update lazy connection settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update lazy connection settings"))
 	}
 }
 
@@ -166,7 +167,7 @@ func (h *eventHandler) handleBlockInboundClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mBlockInbound) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update block inbound settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update block inbound settings"))
 	}
 }
 
@@ -175,7 +176,7 @@ func (h *eventHandler) handleNotificationsClick() {
 	if err := h.updateConfigWithErr(); err != nil {
 		h.toggleCheckbox(h.client.mNotifications) // revert checkbox state on error
 		log.Errorf("failed to update config: %v", err)
-		h.client.notifier.Send("Error", "Failed to update notifications settings")
+		h.client.app.SendNotification(fyne.NewNotification("Error", "Failed to update notifications settings"))
 	} else if h.client.eventManager != nil {
 		h.client.eventManager.SetNotificationsEnabled(h.client.mNotifications.Checked())
 	}

client/ui/notifier/notifier.go

@@ -1,27 +0,0 @@
-// Package notifier sends desktop notifications. On Windows it uses the WinRT
-// COM API directly via go-toast/v2 to avoid the PowerShell window flash that
-// fyne's default implementation produces. On other platforms it delegates to
-// fyne.
-package notifier
-
-import "fyne.io/fyne/v2"
-
-// Notifier sends desktop notifications.
-type Notifier interface {
-	Send(title, body string)
-}
-
-// New returns a platform-specific Notifier. The fyne app is used as the
-// fallback notifier on platforms where no native implementation is wired up,
-// and on Windows when the COM path fails to initialize.
-func New(app fyne.App) Notifier {
-	return newNotifier(app)
-}
-
-type fyneNotifier struct {
-	app fyne.App
-}
-
-func (f *fyneNotifier) Send(title, body string) {
-	f.app.SendNotification(fyne.NewNotification(title, body))
-}

client/ui/notifier/notifier_other.go

@@ -1,9 +0,0 @@
-//go:build !windows
-
-package notifier
-
-import "fyne.io/fyne/v2"
-
-func newNotifier(app fyne.App) Notifier {
-	return &fyneNotifier{app: app}
-}

client/ui/notifier/notifier_windows.go

@@ -1,88 +0,0 @@
-package notifier
-
-import (
-	"os"
-	"path/filepath"
-	"sync"
-
-	"fyne.io/fyne/v2"
-	toast "git.sr.ht/~jackmordaunt/go-toast/v2"
-	"git.sr.ht/~jackmordaunt/go-toast/v2/wintoast"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// appID is the AppUserModelID shown in the Windows Action Center. It
-	// must match the System.AppUserModel.ID property set on the Start Menu
-	// shortcut by the MSI (see client/netbird.wxs); otherwise Windows
-	// groups toasts under a separate, unbranded entry.
-	appID = "NetBird"
-
-	// appGUID identifies the COM activation callback class. Generated once
-	// for NetBird; do not change without coordinating an installer bump,
-	// since old registry entries pointing at the previous GUID would orphan.
-	appGUID = "{0E1B4DE7-E148-432B-9814-544F941826EC}"
-)
-
-type comNotifier struct {
-	fallback *fyneNotifier
-	ready    bool
-	iconPath string
-}
-
-var (
-	initOnce sync.Once
-	initErr  error
-)
-
-func newNotifier(app fyne.App) Notifier {
-	n := &comNotifier{
-		fallback: &fyneNotifier{app: app},
-		iconPath: resolveIcon(),
-	}
-	initOnce.Do(func() {
-		initErr = wintoast.SetAppData(wintoast.AppData{
-			AppID:    appID,
-			GUID:     appGUID,
-			IconPath: n.iconPath,
-		})
-	})
-	if initErr != nil {
-		log.Warnf("toast: register app data failed, falling back to fyne notifications: %v", initErr)
-		return n.fallback
-	}
-	n.ready = true
-	return n
-}
-
-func (n *comNotifier) Send(title, body string) {
-	if !n.ready {
-		n.fallback.Send(title, body)
-		return
-	}
-	notification := toast.Notification{
-		AppID: appID,
-		Title: title,
-		Body:  body,
-		Icon:  n.iconPath,
-	}
-	if err := notification.Push(); err != nil {
-		log.Warnf("toast: push failed, using fyne fallback: %v", err)
-		n.fallback.Send(title, body)
-	}
-}
-
-// resolveIcon returns an absolute path to the toast icon, or an empty string
-// when no icon can be located. Windows requires a PNG/JPG for the
-// AppUserModelId IconUri registry value; .ico is silently ignored.
-func resolveIcon() string {
-	exe, err := os.Executable()
-	if err != nil {
-		return ""
-	}
-	candidate := filepath.Join(filepath.Dir(exe), "netbird.png")
-	if _, err := os.Stat(candidate); err == nil {
-		return candidate
-	}
-	return ""
-}

client/ui/profile.go

@@ -548,7 +548,7 @@ func (p *profileMenu) refresh() {
 					if err != nil {
 						log.Errorf("failed to switch profile: %v", err)
 						// show  notification dialog
-						p.serviceClient.notifier.Send("Error", "Failed to switch profile")
+						p.app.SendNotification(fyne.NewNotification("Error", "Failed to switch profile"))
 						return
 					}
 
@@ -628,9 +628,9 @@ func (p *profileMenu) refresh() {
 				}
 				if err := p.eventHandler.logout(p.ctx); err != nil {
 					log.Errorf("logout failed: %v", err)
-					p.serviceClient.notifier.Send("Error", "Failed to deregister")
+					p.app.SendNotification(fyne.NewNotification("Error", "Failed to deregister"))
 				} else {
-					p.serviceClient.notifier.Send("Success", "Deregistered successfully")
+					p.app.SendNotification(fyne.NewNotification("Success", "Deregistered successfully"))
 				}
 			}
 		}

go.mod

@@ -30,7 +30,6 @@ require (
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
-	git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.6
@@ -47,7 +46,6 @@ require (
 	github.com/crowdsecurity/go-cs-bouncer v0.0.21
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
-	github.com/ebitengine/purego v0.8.4
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
@@ -180,6 +178,7 @@ require (
 	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect

go.sum

@@ -15,8 +15,6 @@ fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
 fyne.io/fyne/v2 v2.7.0/go.mod h1:xClVlrhxl7D+LT+BWYmcrW4Nf+dJTvkhnPgji7spAwE=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9 h1:829+77I4TaMrcg9B3wf+gHhdSgoCVEgH2czlPXPbfj4=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs=
-git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3 h1:N3IGoHHp9pb6mj1cbXbuaSXV/UMKwmbKLf53nQmtqMA=
-git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3/go.mod h1:QtOLZGz8olr4qH2vWK0QH0w0O4T9fEIjMuWpKUsH7nc=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk=

idp/dex/config.go

@@ -193,7 +193,7 @@ func (c *Connector) ToStorageConnector() (storage.Connector, error) {
 // are stored with types that Dex can open.
 func mapConnectorToDex(connType string, config map[string]interface{}) (string, map[string]interface{}) {
 	switch connType {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak", "adfs":
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
 		return "oidc", applyOIDCDefaults(connType, config)
 	default:
 		return connType, config
@@ -218,8 +218,6 @@ func applyOIDCDefaults(connType string, config map[string]interface{}) map[strin
 		setDefault(augmented, "claimMapping", map[string]string{"email": "preferred_username"})
 	case "okta", "pocketid":
 		augmented["scopes"] = []string{"openid", "profile", "email", "groups"}
-	case "adfs":
-		augmented["scopes"] = []string{"openid", "profile", "email", "allatclaims"}
 	}
 
 	return augmented

idp/dex/connector.go

@@ -168,7 +168,7 @@ func (p *Provider) buildStorageConnector(cfg *ConnectorConfig) (storage.Connecto
 	var err error
 
 	switch cfg.Type {
-	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak", "adfs":
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
 		dexType = "oidc"
 		configData, err = buildOIDCConnectorConfig(cfg, redirectURI)
 	case "google":
@@ -220,8 +220,6 @@ func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte,
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
 	case "pocketid":
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
-	case "adfs":
-		oidcConfig["scopes"] = []string{"openid", "profile", "email", "allatclaims"}
 	}
 	return encodeConnectorConfig(oidcConfig)
 }
@@ -285,7 +283,7 @@ func inferIdentityProviderType(dexType, connectorID string, _ map[string]interfa
 // inferOIDCProviderType infers the specific OIDC provider from connector ID
 func inferOIDCProviderType(connectorID string) string {
 	connectorIDLower := strings.ToLower(connectorID)
-	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak", "adfs"} {
+	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak"} {
 		if strings.Contains(connectorIDLower, provider) {
 			return provider
 		}

infrastructure_files/getting-started.sh

@@ -231,20 +231,7 @@ get_upstream_host() {
 
 wait_management_proxy() {
   local proxy_container="${1:-traefik}"
-  local use_docker_logs=false
   set +e
-
-  if [[ "$proxy_container" == "detect-traefik" ]]; then
-    proxy_container=$(docker ps --format "{{.ID}}\t{{.Image}}\t{{.Ports}}" \
-    | awk -F'\t' '$2 ~ /traefik/ && $3 ~ /:(80|443)->/ {print $1; exit}')
-
-    if [[ -z "$proxy_container" ]]; then
-      echo "Warning: could not auto-detect Traefik container, log output will be skipped on timeout." > /dev/stderr
-    else
-      use_docker_logs=true
-    fi
-  fi
-
   echo -n "Waiting for NetBird server to become ready"
   counter=1
   while true; do
@@ -255,13 +242,7 @@ wait_management_proxy() {
     if [[ $counter -eq 60 ]]; then
       echo ""
       echo "Taking too long. Checking logs..."
-      if [[ -n "$proxy_container" ]]; then
-        if [[ "$use_docker_logs" == "true" ]]; then
-          docker logs --tail=20 "$proxy_container"
-        else
-          $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
-        fi
-      fi
+      $DOCKER_COMPOSE_COMMAND logs --tail=20 "$proxy_container"
       $DOCKER_COMPOSE_COMMAND logs --tail=20 netbird-server
     fi
     echo -n " ."
@@ -537,7 +518,7 @@ start_services_and_show_instructions() {
     $DOCKER_COMPOSE_COMMAND up -d
 
     sleep 3
-    wait_management_proxy detect-traefik
+    wait_management_direct
 
     echo -e "$MSG_DONE"
     print_post_setup_instructions

management/internals/controllers/network_map/controller/controller.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"slices"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -15,9 +16,11 @@ import (
 	"golang.org/x/exp/maps"
 	"golang.org/x/mod/semver"
 
+	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
+	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/account"
@@ -55,6 +58,13 @@ type Controller struct {
 	proxyController port_forwarding.Controller
 
 	integratedPeerValidator integrated_validator.IntegratedValidator
+
+	holder *types.Holder
+
+	expNewNetworkMap     bool
+	expNewNetworkMapAIDs map[string]struct{}
+
+	compactedNetworkMap bool
 }
 
 type bufferUpdate struct {
@@ -71,6 +81,29 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		log.Fatal(fmt.Errorf("error creating metrics: %w", err))
 	}
 
+	newNetworkMapBuilder, err := strconv.ParseBool(os.Getenv(network_map.EnvNewNetworkMapBuilder))
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to parse %s, using default value false: %v", network_map.EnvNewNetworkMapBuilder, err)
+		newNetworkMapBuilder = false
+	}
+
+	compactedNetworkMap := true
+	compactedEnv := os.Getenv(types.EnvNewNetworkMapCompacted)
+	parsedCompactedNmap, err := strconv.ParseBool(compactedEnv)
+	if err != nil && len(compactedEnv) > 0 {
+		log.WithContext(ctx).Warnf("failed to parse %s, using default value true: %v", types.EnvNewNetworkMapCompacted, err)
+	}
+	if err == nil && !parsedCompactedNmap {
+		log.WithContext(ctx).Info("disabling compacted mode")
+		compactedNetworkMap = false
+	}
+
+	ids := strings.Split(os.Getenv(network_map.EnvNewNetworkMapAccounts), ",")
+	expIDs := make(map[string]struct{}, len(ids))
+	for _, id := range ids {
+		expIDs[id] = struct{}{}
+	}
+
 	return &Controller{
 		repo:                    newRepository(store),
 		metrics:                 nMetrics,
@@ -84,6 +117,12 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 
 		proxyController:       proxyController,
 		EphemeralPeersManager: ephemeralPeersManager,
+
+		holder:               types.NewHolder(),
+		expNewNetworkMap:     newNetworkMapBuilder,
+		expNewNetworkMapAIDs: expIDs,
+
+		compactedNetworkMap: compactedNetworkMap,
 	}
 }
 
@@ -114,9 +153,17 @@ func (c *Controller) CountStreams() int {
 
 func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID string) error {
 	log.WithContext(ctx).Tracef("updating peers for account %s from %s", accountID, util.GetCallerName())
-	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return fmt.Errorf("failed to get account: %v", err)
+	var (
+		account *types.Account
+		err     error
+	)
+	if c.experimentalNetworkMap(accountID) {
+		account = c.getAccountFromHolderOrInit(ctx, accountID)
+	} else {
+		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return fmt.Errorf("failed to get account: %v", err)
+		}
 	}
 
 	globalStart := time.Now()
@@ -150,6 +197,10 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	routers := account.GetResourceRoutersMap()
 	groupIDToUserIDs := account.GetActiveGroupUsers()
 
+	if c.experimentalNetworkMap(accountID) {
+		c.initNetworkMapBuilderIfNeeded(account, approvedPeersMap)
+	}
+
 	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
@@ -192,7 +243,16 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
 			start = time.Now()
 
-			remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+			var remotePeerNetworkMap *types.NetworkMap
+
+			switch {
+			case c.experimentalNetworkMap(accountID):
+				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
+			case c.compactedNetworkMap:
+				remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+			default:
+				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+			}
 
 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
 
@@ -258,6 +318,10 @@ func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID
 // UpdatePeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
 func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string) error {
+	if err := c.RecalculateNetworkMapCache(ctx, accountID); err != nil {
+		return fmt.Errorf("recalculate network map cache: %v", err)
+	}
+
 	return c.sendUpdateAccountPeers(ctx, accountID)
 }
 
@@ -307,7 +371,16 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return err
 	}
 
-	remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+	var remotePeerNetworkMap *types.NetworkMap
+
+	switch {
+	case c.experimentalNetworkMap(accountId):
+		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
+	case c.compactedNetworkMap:
+		remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+	default:
+		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -378,9 +451,17 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		return peer, emptyMap, nil, 0, nil
 	}
 
-	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return nil, nil, nil, 0, err
+	var (
+		account *types.Account
+		err     error
+	)
+	if c.experimentalNetworkMap(accountID) {
+		account = c.getAccountFromHolderOrInit(ctx, accountID)
+	} else {
+		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return nil, nil, nil, 0, err
+		}
 	}
 
 	account.InjectProxyPolicies(ctx)
@@ -412,10 +493,20 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		return nil, nil, nil, 0, err
 	}
 
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+	var networkMap *types.NetworkMap
+
+	if c.experimentalNetworkMap(accountID) {
+		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
+	} else {
+		resourcePolicies := account.GetResourcePoliciesMap()
+		routers := account.GetResourceRoutersMap()
+		groupIDToUserIDs := account.GetActiveGroupUsers()
+		if c.compactedNetworkMap {
+			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+		} else {
+			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+		}
+	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -427,6 +518,108 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	return peer, networkMap, postureChecks, dnsFwdPort, nil
 }
 
+func (c *Controller) initNetworkMapBuilderIfNeeded(account *types.Account, validatedPeers map[string]struct{}) {
+	c.enrichAccountFromHolder(account)
+	account.InitNetworkMapBuilderIfNeeded(validatedPeers)
+}
+
+func (c *Controller) getPeerNetworkMapExp(
+	ctx context.Context,
+	accountId string,
+	peerId string,
+	validatedPeers map[string]struct{},
+	peersCustomZone nbdns.CustomZone,
+	accountZones []*zones.Zone,
+	metrics *telemetry.AccountManagerMetrics,
+) *types.NetworkMap {
+	account := c.getAccountFromHolderOrInit(ctx, accountId)
+	if account == nil {
+		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
+		return &types.NetworkMap{
+			Network: &types.Network{},
+		}
+	}
+
+	return account.GetPeerNetworkMapExp(ctx, peerId, peersCustomZone, accountZones, validatedPeers, metrics)
+}
+
+func (c *Controller) onPeersAddedUpdNetworkMapCache(account *types.Account, peerIds ...string) {
+	c.enrichAccountFromHolder(account)
+	account.OnPeersAddedUpdNetworkMapCache(peerIds...)
+}
+
+func (c *Controller) onPeerDeletedUpdNetworkMapCache(account *types.Account, peerId string) error {
+	c.enrichAccountFromHolder(account)
+	return account.OnPeerDeletedUpdNetworkMapCache(peerId)
+}
+
+func (c *Controller) UpdatePeerInNetworkMapCache(accountId string, peer *nbpeer.Peer) {
+	account := c.getAccountFromHolder(accountId)
+	if account == nil {
+		return
+	}
+	account.UpdatePeerInNetworkMapCache(peer)
+}
+
+func (c *Controller) recalculateNetworkMapCache(account *types.Account, validatedPeers map[string]struct{}) {
+	account.RecalculateNetworkMapCache(validatedPeers)
+	c.updateAccountInHolder(account)
+}
+
+func (c *Controller) RecalculateNetworkMapCache(ctx context.Context, accountId string) error {
+	if c.experimentalNetworkMap(accountId) {
+		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountId)
+		if err != nil {
+			return err
+		}
+		validatedPeers, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to get validate peers: %v", err)
+			return err
+		}
+		c.recalculateNetworkMapCache(account, validatedPeers)
+	}
+	return nil
+}
+
+func (c *Controller) experimentalNetworkMap(accountId string) bool {
+	_, ok := c.expNewNetworkMapAIDs[accountId]
+	return c.expNewNetworkMap || ok
+}
+
+func (c *Controller) enrichAccountFromHolder(account *types.Account) {
+	a := c.holder.GetAccount(account.Id)
+	if a == nil {
+		c.holder.AddAccount(account)
+		return
+	}
+	account.NetworkMapCache = a.NetworkMapCache
+	if account.NetworkMapCache == nil {
+		return
+	}
+	c.holder.AddAccount(account)
+}
+
+func (c *Controller) getAccountFromHolder(accountID string) *types.Account {
+	return c.holder.GetAccount(accountID)
+}
+
+func (c *Controller) getAccountFromHolderOrInit(ctx context.Context, accountID string) *types.Account {
+	a := c.holder.GetAccount(accountID)
+	if a != nil {
+		return a
+	}
+	account, err := c.holder.LoadOrStoreFunc(ctx, accountID, c.requestBuffer.GetAccountWithBackpressure)
+	if err != nil {
+		return nil
+	}
+	return account
+}
+
+func (c *Controller) updateAccountInHolder(account *types.Account) {
+	c.holder.AddAccount(account)
+}
+
 // GetDNSDomain returns the configured dnsDomain
 func (c *Controller) GetDNSDomain(settings *types.Settings) string {
 	if settings == nil {
@@ -563,7 +756,16 @@ func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *t
 }
 
 func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string) error {
-	err := c.bufferSendUpdateAccountPeers(ctx, accountID)
+	peers, err := c.repo.GetPeersByIDs(ctx, accountID, peerIDs)
+	if err != nil {
+		return fmt.Errorf("failed to get peers by ids: %w", err)
+	}
+
+	for _, peer := range peers {
+		c.UpdatePeerInNetworkMapCache(accountID, peer)
+	}
+
+	err = c.bufferSendUpdateAccountPeers(ctx, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to buffer update account peers for peer update in account %s: %v", accountID, err)
 	}
@@ -573,6 +775,14 @@ func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerI
 
 func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
 	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
+	if c.experimentalNetworkMap(accountID) {
+		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return err
+		}
+		log.WithContext(ctx).Debugf("peers are ready to be added to networkmap cache: %v", peerIDs)
+		c.onPeersAddedUpdNetworkMapCache(account, peerIDs...)
+	}
 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
 }
 
@@ -607,6 +817,19 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 			MessageType: network_map.MessageTypeNetworkMap,
 		})
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
+
+		if c.experimentalNetworkMap(accountID) {
+			account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+			if err != nil {
+				log.WithContext(ctx).Errorf("failed to get account %s: %v", accountID, err)
+				continue
+			}
+			err = c.onPeerDeletedUpdNetworkMapCache(account, peerID)
+			if err != nil {
+				log.WithContext(ctx).Errorf("failed to update network map cache for deleted peer %s in account %s: %v", peerID, accountID, err)
+				continue
+			}
+		}
 	}
 
 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
@@ -649,11 +872,21 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 		return nil, err
 	}
 
-	account.InjectProxyPolicies(ctx)
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
+	var networkMap *types.NetworkMap
+
+	if c.experimentalNetworkMap(peer.AccountID) {
+		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
+	} else {
+		account.InjectProxyPolicies(ctx)
+		resourcePolicies := account.GetResourcePoliciesMap()
+		routers := account.GetResourceRoutersMap()
+		groupIDToUserIDs := account.GetActiveGroupUsers()
+		if c.compactedNetworkMap {
+			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
+		} else {
+			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
+		}
+	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {

management/internals/controllers/network_map/interface.go

@@ -12,6 +12,9 @@ import (
 )
 
 const (
+	EnvNewNetworkMapBuilder  = "NB_EXPERIMENT_NETWORK_MAP"
+	EnvNewNetworkMapAccounts = "NB_EXPERIMENT_NETWORK_MAP_ACCOUNTS"
+
 	DnsForwarderPort           = nbdns.ForwarderServerPort
 	OldForwarderPort           = nbdns.ForwarderClientPort
 	DnsForwarderPortMinVersion = "v0.59.0"

management/internals/server/boot.go

@@ -173,7 +173,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 		}
 
 		gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider(), s.SessionStore())
+		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider())
 		if err != nil {
 			log.Fatalf("failed to create management server: %v", err)
 		}

management/internals/server/controllers.go

@@ -6,7 +6,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/management-integrations/integrations"
-
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	proxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy/manager"
 
@@ -67,12 +66,6 @@ func (s *BaseServer) SecretsManager() grpc.SecretsManager {
 	})
 }
 
-func (s *BaseServer) SessionStore() *auth.SessionStore {
-	return Create(s, func() *auth.SessionStore {
-		return auth.NewSessionStore(s.CacheStore())
-	})
-}
-
 func (s *BaseServer) AuthManager() auth.Manager {
 	audiences := s.Config.GetAuthAudiences()
 	audience := s.Config.HttpConfig.AuthAudience

management/internals/shared/grpc/server.go

@@ -14,7 +14,6 @@ import (
 	"sync/atomic"
 	"time"
 
-	jwtv5 "github.com/golang-jwt/jwt/v5"
 	pb "github.com/golang/protobuf/proto" // nolint
 	"github.com/golang/protobuf/ptypes/timestamp"
 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
@@ -68,7 +67,6 @@ type Server struct {
 	appMetrics     telemetry.AppMetrics
 	peerLocks      sync.Map
 	authManager    auth.Manager
-	sessionStore   *auth.SessionStore
 
 	logBlockedPeers          bool
 	blockPeersWithSameConfig bool
@@ -100,7 +98,6 @@ func NewServer(
 	integratedPeerValidator integrated_validator.IntegratedValidator,
 	networkMapController network_map.Controller,
 	oAuthConfigProvider idp.OAuthConfigProvider,
-	sessionStore *auth.SessionStore,
 ) (*Server, error) {
 	if appMetrics != nil {
 		// update gauge based on number of connected peers which is equal to open gRPC streams
@@ -143,7 +140,6 @@ func NewServer(
 		integratedPeerValidator:  integratedPeerValidator,
 		networkMapController:     networkMapController,
 		oAuthConfigProvider:      oAuthConfigProvider,
-		sessionStore:             sessionStore,
 
 		loginFilter: newLoginFilter(),
 
@@ -539,7 +535,7 @@ func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID st
 	log.WithContext(ctx).Debugf("peer %s has been disconnected", peer.Key)
 }
 
-func (s *Server) validateToken(ctx context.Context, peerKey, jwtToken string) (string, error) {
+func (s *Server) validateToken(ctx context.Context, jwtToken string) (string, error) {
 	if s.authManager == nil {
 		return "", status.Errorf(codes.Internal, "missing auth manager")
 	}
@@ -549,10 +545,6 @@ func (s *Server) validateToken(ctx context.Context, peerKey, jwtToken string) (s
 		return "", status.Errorf(codes.InvalidArgument, "invalid jwt token, err: %v", err)
 	}
 
-	if err := s.claimLoginToken(ctx, peerKey, jwtToken, token); err != nil {
-		return "", err
-	}
-
 	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
 	accountId, _, err := s.accountManager.GetAccountIDFromUserAuth(ctx, userAuth)
 	if err != nil {
@@ -836,31 +828,6 @@ func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, ne
 	return loginResp, nil
 }
 
-func (s *Server) claimLoginToken(ctx context.Context, peerKey, jwtToken string, token *jwtv5.Token) error {
-	if s.sessionStore == nil || token == nil {
-		return nil
-	}
-
-	exp, err := token.Claims.GetExpirationTime()
-	if err != nil || exp == nil {
-		log.WithContext(ctx).Warnf("JWT has no usable exp claim for peer %s", peerKey)
-		return status.Error(codes.Unauthenticated, "jwt token has no expiration")
-	}
-
-	err = s.sessionStore.RegisterToken(ctx, jwtToken, exp.Time)
-	if err == nil {
-		return nil
-	}
-
-	if errors.Is(err, auth.ErrTokenAlreadyUsed) || errors.Is(err, auth.ErrTokenExpired) {
-		log.WithContext(ctx).Warnf("%v for peer %s", err, peerKey)
-		return status.Error(codes.Unauthenticated, err.Error())
-	}
-
-	log.WithContext(ctx).Warnf("failed to claim JWT for peer %s: %v", peerKey, err)
-	return status.Error(codes.Unavailable, "failed to claim jwt token")
-}
-
 // processJwtToken validates the existence of a JWT token in the login request, and returns the corresponding user ID if
 // the token is valid.
 //
@@ -871,7 +838,7 @@ func (s *Server) processJwtToken(ctx context.Context, loginReq *proto.LoginReque
 	if loginReq.GetJwtToken() != "" {
 		var err error
 		for i := 0; i < 3; i++ {
-			userID, err = s.validateToken(ctx, peerKey.String(), loginReq.GetJwtToken())
+			userID, err = s.validateToken(ctx, loginReq.GetJwtToken())
 			if err == nil {
 				break
 			}

management/server/account_test.go

@@ -408,7 +408,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		}
 
 		customZone := account.GetPeersCustomZone(context.Background(), "netbird.io")
-		networkMap := account.GetPeerNetworkMapFromComponents(context.Background(), testCase.peerID, customZone, nil, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, nil, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
@@ -1171,6 +1171,11 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 	assert.Equal(t, peer.IP.String(), fmt.Sprint(ev.Meta["ip"]))
 }
 
+func TestAccountManager_NetworkUpdates_SaveGroup_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_SaveGroup(t)
+}
+
 func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	testAccountManager_NetworkUpdates_SaveGroup(t)
 }
@@ -1226,6 +1231,11 @@ func testAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 	wg.Wait()
 }
 
+func TestAccountManager_NetworkUpdates_DeletePolicy_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_DeletePolicy(t)
+}
+
 func TestAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeletePolicy(t)
 }
@@ -1264,6 +1274,11 @@ func testAccountManager_NetworkUpdates_DeletePolicy(t *testing.T) {
 	wg.Wait()
 }
 
+func TestAccountManager_NetworkUpdates_SavePolicy_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_SavePolicy(t)
+}
+
 func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	testAccountManager_NetworkUpdates_SavePolicy(t)
 }
@@ -1317,6 +1332,11 @@ func testAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 	wg.Wait()
 }
 
+func TestAccountManager_NetworkUpdates_DeletePeer_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_DeletePeer(t)
+}
+
 func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeletePeer(t)
 }
@@ -1377,6 +1397,11 @@ func testAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 	wg.Wait()
 }
 
+func TestAccountManager_NetworkUpdates_DeleteGroup_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testAccountManager_NetworkUpdates_DeleteGroup(t)
+}
+
 func TestAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
 	testAccountManager_NetworkUpdates_DeleteGroup(t)
 }
@@ -1608,6 +1633,75 @@ func TestFileStore_GetRoutesByPrefix(t *testing.T) {
 	assert.Contains(t, routeIDs, route.ID("route-2"))
 }
 
+func TestAccount_GetRoutesToSync(t *testing.T) {
+	_, prefix, err := route.ParseNetwork("192.168.64.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, prefix2, err := route.ParseNetwork("192.168.0.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+	account := &types.Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peer-1": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}},
+		},
+		Groups: map[string]*types.Group{"group1": {ID: "group1", Peers: []string{"peer-1", "peer-2"}}},
+		Routes: map[route.ID]*route.Route{
+			"route-1": {
+				ID:          "route-1",
+				Network:     prefix,
+				NetID:       "network-1",
+				Description: "network-1",
+				Peer:        "peer-1",
+				NetworkType: 0,
+				Masquerade:  false,
+				Metric:      999,
+				Enabled:     true,
+				Groups:      []string{"group1"},
+			},
+			"route-2": {
+				ID:          "route-2",
+				Network:     prefix2,
+				NetID:       "network-2",
+				Description: "network-2",
+				Peer:        "peer-2",
+				NetworkType: 0,
+				Masquerade:  false,
+				Metric:      999,
+				Enabled:     true,
+				Groups:      []string{"group1"},
+			},
+			"route-3": {
+				ID:          "route-3",
+				Network:     prefix,
+				NetID:       "network-1",
+				Description: "network-1",
+				Peer:        "peer-2",
+				NetworkType: 0,
+				Masquerade:  false,
+				Metric:      999,
+				Enabled:     true,
+				Groups:      []string{"group1"},
+			},
+		},
+	}
+
+	routes := account.GetRoutesToSync(context.Background(), "peer-2", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-3"}}, account.GetPeerGroups("peer-2"))
+
+	assert.Len(t, routes, 2)
+	routeIDs := make(map[route.ID]struct{}, 2)
+	for _, r := range routes {
+		routeIDs[r.ID] = struct{}{}
+	}
+	assert.Contains(t, routeIDs, route.ID("route-2"))
+	assert.Contains(t, routeIDs, route.ID("route-3"))
+
+	emptyRoutes := account.GetRoutesToSync(context.Background(), "peer-3", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-2"}}, account.GetPeerGroups("peer-3"))
+
+	assert.Len(t, emptyRoutes, 0)
+}
+
 func TestAccount_Copy(t *testing.T) {
 	account := &types.Account{
 		Id:                     "account1",
@@ -1730,7 +1824,9 @@ func TestAccount_Copy(t *testing.T) {
 				AccountID: "account1",
 			},
 		},
+		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
+	account.InitOnce()
 	err := hasNilField(account)
 	if err != nil {
 		t.Fatal(err)

management/server/auth/session.go

@@ -1,61 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/eko/gocache/lib/v4/cache"
-	"github.com/eko/gocache/lib/v4/store"
-)
-
-const (
-	usedTokenKeyPrefix = "jwt-used:"
-	usedTokenMarker    = "1"
-)
-
-var (
-	ErrTokenAlreadyUsed = errors.New("JWT already used")
-	ErrTokenExpired     = errors.New("JWT expired")
-)
-
-type SessionStore struct {
-	cache *cache.Cache[string]
-}
-
-func NewSessionStore(cacheStore store.StoreInterface) *SessionStore {
-	return &SessionStore{cache: cache.New[string](cacheStore)}
-}
-
-// RegisterToken records a JWT until its exp time and rejects reuse.
-func (s *SessionStore) RegisterToken(ctx context.Context, token string, expiresAt time.Time) error {
-	ttl := time.Until(expiresAt)
-	if ttl <= 0 {
-		return ErrTokenExpired
-	}
-
-	key := usedTokenKeyPrefix + hashToken(token)
-	_, err := s.cache.Get(ctx, key)
-	if err == nil {
-		return ErrTokenAlreadyUsed
-	}
-
-	var notFound *store.NotFound
-	if !errors.As(err, &notFound) {
-		return fmt.Errorf("failed to lookup used token entry: %w", err)
-	}
-
-	if err := s.cache.Set(ctx, key, usedTokenMarker, store.WithExpiration(ttl)); err != nil {
-		return fmt.Errorf("failed to store used token entry: %w", err)
-	}
-
-	return nil
-}
-
-func hashToken(token string) string {
-	sum := sha256.Sum256([]byte(token))
-	return hex.EncodeToString(sum[:])
-}

management/server/auth/session_test.go

@@ -1,82 +0,0 @@
-package auth
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
-)
-
-func newTestSessionStore(t *testing.T) *SessionStore {
-	t.Helper()
-	cacheStore, err := nbcache.NewStore(context.Background(), time.Hour, time.Hour, 100)
-	require.NoError(t, err)
-	return NewSessionStore(cacheStore)
-}
-
-func TestSessionStore_FirstRegisterSucceeds(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-
-	require.NoError(t, s.RegisterToken(ctx, "token", time.Now().Add(time.Hour)))
-}
-
-func TestSessionStore_RegisterSameTokenTwiceIsRejected(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	token := "token"
-	exp := time.Now().Add(time.Hour)
-
-	require.NoError(t, s.RegisterToken(ctx, token, exp))
-
-	err := s.RegisterToken(ctx, token, exp)
-	require.Error(t, err)
-	assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
-}
-
-func TestSessionStore_RegisterDifferentTokensAreIndependent(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	exp := time.Now().Add(time.Hour)
-
-	require.NoError(t, s.RegisterToken(ctx, "tokenA", exp))
-	require.NoError(t, s.RegisterToken(ctx, "tokenB", exp))
-}
-
-func TestSessionStore_RegisterWithPastExpiryIsRejected(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	token := "token"
-
-	err := s.RegisterToken(ctx, token, time.Now().Add(-time.Second))
-	require.Error(t, err)
-	assert.ErrorIs(t, err, ErrTokenExpired)
-}
-
-func TestSessionStore_EntryEvictsAtTTLAndAllowsReRegistration(t *testing.T) {
-	s := newTestSessionStore(t)
-	ctx := context.Background()
-	token := "token"
-
-	require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond)))
-
-	err := s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond))
-	assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
-
-	time.Sleep(120 * time.Millisecond)
-
-	require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(time.Hour)))
-}
-
-func TestHashToken_StableAndDoesNotLeak(t *testing.T) {
-	a := hashToken("tokenA")
-	b := hashToken("tokenB")
-	assert.Equal(t, a, hashToken("tokenA"), "hash must be deterministic")
-	assert.NotEqual(t, a, b, "different tokens must hash differently")
-	assert.Len(t, a, 64, "sha256 hex must be 64 chars")
-	assert.NotContains(t, a, "tokenA", "raw token must not appear in hash")
-}

management/server/http/handlers/peers/peers_handler.go

@@ -417,7 +417,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 
 	dnsDomain := h.networkMapController.GetDNSDomain(account.Settings)
 
-	netMap := account.GetPeerNetworkMapFromComponents(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+	netMap := account.GetPeerNetworkMap(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
 
 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }

management/server/identity_provider.go

@@ -274,7 +274,7 @@ func identityProviderToConnectorConfig(idpConfig *types.IdentityProvider) *dex.C
 }
 
 // generateIdentityProviderID generates a unique ID for an identity provider.
-// For specific provider types (okta, zitadel, entra, google, pocketid, microsoft, adfs),
+// For specific provider types (okta, zitadel, entra, google, pocketid, microsoft),
 // the ID is prefixed with the type name. Generic OIDC providers get no prefix.
 func generateIdentityProviderID(idpType types.IdentityProviderType) string {
 	id := xid.New().String()
@@ -296,8 +296,6 @@ func generateIdentityProviderID(idpType types.IdentityProviderType) string {
 		return "authentik-" + id
 	case types.IdentityProviderTypeKeycloak:
 		return "keycloak-" + id
-	case types.IdentityProviderTypeADFS:
-		return "adfs-" + id
 	default:
 		// Generic OIDC - no prefix
 		return id

management/server/management_proto_test.go

@@ -391,7 +391,7 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
 		return nil, nil, "", cleanup, err
 	}
 
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, nil, "", cleanup, err
 	}

management/server/management_test.go

@@ -256,7 +256,6 @@ func startServer(
 		server.MockIntegratedValidator{},
 		networkMapController,
 		nil,
-		nil,
 	)
 	if err != nil {
 		t.Fatalf("failed creating management server: %v", err)

management/server/peer.go

@@ -33,8 +33,8 @@ import (
 
 const remoteJobsMinVer = "0.64.0"
 
-// GetPeers returns peers visible to the user within an account.
-// Users with "peers:read" see all peers. Otherwise, users see only their own peers, or none if restricted by account settings.
+// GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
+// the current user is not an admin.
 func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
 	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 	if err != nil {
@@ -46,8 +46,14 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return nil, status.NewPermissionValidationError(err)
 	}
 
+	accountPeers, err := am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
+	if err != nil {
+		return nil, err
+	}
+
+	// @note if the user has permission to read peers it shows all account peers
 	if allowed {
-		return am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, nameFilter, ipFilter)
+		return accountPeers, nil
 	}
 
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
@@ -59,7 +65,41 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return []*nbpeer.Peer{}, nil
 	}
 
-	return am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
+	// @note if it does not have permission read peers then only display it's own peers
+	peers := make([]*nbpeer.Peer, 0)
+	peersMap := make(map[string]*nbpeer.Peer)
+
+	for _, peer := range accountPeers {
+		if user.Id != peer.UserID {
+			continue
+		}
+		peers = append(peers, peer)
+		peersMap[peer.ID] = peer
+	}
+
+	return am.getUserAccessiblePeers(ctx, accountID, peersMap, peers)
+}
+
+func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, accountID string, peersMap map[string]*nbpeer.Peer, peers []*nbpeer.Peer) ([]*nbpeer.Peer, error) {
+	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return nil, err
+	}
+
+	// fetch all the peers that have access to the user's peers
+	for _, peer := range peers {
+		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, peer, approvedPeersMap, account.GetActiveGroupUsers())
+		for _, p := range aclPeers {
+			peersMap[p.ID] = p
+		}
+	}
+
+	return maps.Values(peersMap), nil
 }
 
 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
@@ -1190,8 +1230,7 @@ func peerLoginExpired(ctx context.Context, peer *nbpeer.Peer, settings *types.Se
 	return false
 }
 
-// GetPeer returns a peer visible to the user within an account.
-// Users with "peers:read" permission can access any peer. Otherwise, users can access only their own peer.
+// GetPeer for a given accountID, peerID and userID error if not found.
 func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	peer, err := am.Store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 	if err != nil {
@@ -1216,6 +1255,36 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 		return peer, nil
 	}
 
+	return am.checkIfUserOwnsPeer(ctx, accountID, userID, peer)
+}
+
+func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error) {
+	account, err := am.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
+	if err != nil {
+		return nil, err
+	}
+
+	// it is also possible that user doesn't own the peer but some of his peers have access to it,
+	// this is a valid case, show the peer as well.
+	userPeers, err := am.Store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, p := range userPeers {
+		aclPeers, _, _, _ := account.GetPeerConnectionResources(ctx, p, approvedPeersMap, account.GetActiveGroupUsers())
+		for _, aclPeer := range aclPeers {
+			if aclPeer.ID == peer.ID {
+				return peer, nil
+			}
+		}
+	}
+
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peer.ID, accountID)
 }
 

management/server/peer_test.go

@@ -179,6 +179,11 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 	testGetNetworkMapGeneral(t)
 }
 
+func TestAccountManager_GetNetworkMap_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testGetNetworkMapGeneral(t)
+}
+
 func testGetNetworkMapGeneral(t *testing.T) {
 	manager, _, err := createManager(t)
 	if err != nil {
@@ -559,9 +564,25 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	}
 	assert.NotNil(t, peer)
 
-	// the user can NOT see peer2 because it is not owned by them.
-	// Regular users only see peers they directly own.
-	_, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
+	// the user can see peer2 because peer1 of the user has access to peer2 due to the All group and the default rule 0 all-to-all access
+	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	assert.NotNil(t, peer)
+
+	// delete the all-to-all policy so that user's peer1 has no access to peer2
+	for _, policy := range account.Policies {
+		err = manager.DeletePolicy(context.Background(), accountID, policy.ID, adminUser)
+		if err != nil {
+			t.Fatal(err)
+			return
+		}
+	}
+
+	// at this point the user can't see the details of peer2
+	peer, err = manager.GetPeer(context.Background(), accountID, peer2.ID, someUser) //nolint
 	assert.Error(t, err)
 
 	// admin users can always access all the peers
@@ -995,6 +1016,11 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {
 	}
 }
 
+func TestUpdateAccountPeers_Experimental(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
+	testUpdateAccountPeers(t)
+}
+
 func TestUpdateAccountPeers(t *testing.T) {
 	testUpdateAccountPeers(t)
 }
@@ -1574,6 +1600,7 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
 }
 
 func Test_LoginPeer(t *testing.T) {
+	t.Setenv(network_map.EnvNewNetworkMapBuilder, "true")
 	if runtime.GOOS == "windows" {
 		t.Skip("The SQLite store is not properly supported by Windows yet")
 	}

management/server/route_test.go

@@ -2,8 +2,10 @@ package server
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"net/netip"
+	"sort"
 	"testing"
 	"time"
 
@@ -1838,6 +1840,11 @@ func TestAccount_getPeersRoutesFirewall(t *testing.T) {
 		},
 	}
 
+	validatedPeers := make(map[string]struct{})
+	for p := range account.Peers {
+		validatedPeers[p] = struct{}{}
+	}
+
 	t.Run("check applied policies for the route", func(t *testing.T) {
 		route1 := account.Routes["route1"]
 		policies := types.GetAllRoutePoliciesFromGroups(account, route1.AccessControlGroups)
@@ -1851,6 +1858,116 @@ func TestAccount_getPeersRoutesFirewall(t *testing.T) {
 		policies = types.GetAllRoutePoliciesFromGroups(account, route3.AccessControlGroups)
 		assert.Len(t, policies, 0)
 	})
+
+	t.Run("check peer routes firewall rules", func(t *testing.T) {
+		routesFirewallRules := account.GetPeerRoutesFirewallRules(context.Background(), "peerA", validatedPeers)
+		assert.Len(t, routesFirewallRules, 4)
+
+		expectedRoutesFirewallRules := []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.0.0/16",
+				Protocol:    "all",
+				Port:        80,
+				RouteID:     "route1:peerA",
+			},
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.0.0/16",
+				Protocol:    "all",
+				Port:        320,
+				RouteID:     "route1:peerA",
+			},
+		}
+		additionalFirewallRule := []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerJIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.10.0/16",
+				Protocol:    "tcp",
+				Port:        80,
+				RouteID:     "route4:peerA",
+			},
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerKIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.10.0/16",
+				Protocol:    "all",
+				RouteID:     "route4:peerA",
+			},
+		}
+
+		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(append(expectedRoutesFirewallRules, additionalFirewallRule...)))
+
+		// peerD is also the routing peer for route1, should contain same routes firewall rules as peerA
+		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerD", validatedPeers)
+		assert.Len(t, routesFirewallRules, 2)
+		for _, rule := range expectedRoutesFirewallRules {
+			rule.RouteID = "route1:peerD"
+		}
+		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(expectedRoutesFirewallRules))
+
+		// peerE is a single routing peer for route 2 and route 3
+		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerE", validatedPeers)
+		assert.Len(t, routesFirewallRules, 3)
+
+		expectedRoutesFirewallRules = []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
+				Action:       "accept",
+				Destination:  existingNetwork.String(),
+				Protocol:     "tcp",
+				PortRange:    types.RulePortRange{Start: 80, End: 350},
+				RouteID:      "route2",
+			},
+			{
+				SourceRanges: []string{"0.0.0.0/0"},
+				Action:       "accept",
+				Destination:  "192.0.2.0/32",
+				Protocol:     "all",
+				Domains:      domain.List{"example.com"},
+				IsDynamic:    true,
+				RouteID:      "route3",
+			},
+			{
+				SourceRanges: []string{"::/0"},
+				Action:       "accept",
+				Destination:  "192.0.2.0/32",
+				Protocol:     "all",
+				Domains:      domain.List{"example.com"},
+				IsDynamic:    true,
+				RouteID:      "route3",
+			},
+		}
+		assert.ElementsMatch(t, orderRuleSourceRanges(routesFirewallRules), orderRuleSourceRanges(expectedRoutesFirewallRules))
+
+		// peerC is part of route1 distribution groups but should not receive the routes firewall rules
+		routesFirewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
+		assert.Len(t, routesFirewallRules, 0)
+	})
+
+}
+
+// orderList is a helper function to sort a list of strings
+func orderRuleSourceRanges(ruleList []*types.RouteFirewallRule) []*types.RouteFirewallRule {
+	for _, rule := range ruleList {
+		sort.Strings(rule.SourceRanges)
+	}
+	return ruleList
 }
 
 func TestRouteAccountPeersUpdate(t *testing.T) {
@@ -2548,6 +2665,11 @@ func TestAccount_GetPeerNetworkResourceFirewallRules(t *testing.T) {
 		},
 	}
 
+	validatedPeers := make(map[string]struct{})
+	for p := range account.Peers {
+		validatedPeers[p] = struct{}{}
+	}
+
 	t.Run("validate applied policies for different network resources", func(t *testing.T) {
 		// Test case: Resource1 is directly applied to the policy (policyResource1)
 		policies := account.GetPoliciesForNetworkResource("resource1")
@@ -2571,4 +2693,127 @@ func TestAccount_GetPeerNetworkResourceFirewallRules(t *testing.T) {
 		policies = account.GetPoliciesForNetworkResource("resource6")
 		assert.Len(t, policies, 1, "resource6 should have exactly 1 policy applied via access control groups")
 	})
+
+	t.Run("validate routing peer firewall rules for network resources", func(t *testing.T) {
+		resourcePoliciesMap := account.GetResourcePoliciesMap()
+		resourceRoutersMap := account.GetResourceRoutersMap()
+		_, routes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), "peerA", resourcePoliciesMap, resourceRoutersMap)
+		firewallRules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerA"], validatedPeers, routes, resourcePoliciesMap)
+		assert.Len(t, firewallRules, 4)
+		assert.Len(t, sourcePeers, 5)
+
+		expectedFirewallRules := []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.0.0/16",
+				Protocol:    "all",
+				Port:        80,
+				RouteID:     "resource2:peerA",
+			},
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerCIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerHIp),
+					fmt.Sprintf(types.AllowedIPsFormat, peerBIp),
+				},
+				Action:      "accept",
+				Destination: "192.168.0.0/16",
+				Protocol:    "all",
+				Port:        320,
+				RouteID:     "resource2:peerA",
+			},
+		}
+
+		additionalFirewallRules := []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerJIp),
+				},
+				Action:      "accept",
+				Destination: "192.0.2.0/32",
+				Protocol:    "tcp",
+				Port:        80,
+				Domains:     domain.List{"example.com"},
+				IsDynamic:   true,
+				RouteID:     "resource4:peerA",
+			},
+			{
+				SourceRanges: []string{
+					fmt.Sprintf(types.AllowedIPsFormat, peerKIp),
+				},
+				Action:      "accept",
+				Destination: "192.0.2.0/32",
+				Protocol:    "all",
+				Domains:     domain.List{"example.com"},
+				IsDynamic:   true,
+				RouteID:     "resource4:peerA",
+			},
+		}
+		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(append(expectedFirewallRules, additionalFirewallRules...)))
+
+		// peerD is also the routing peer for resource2
+		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerD", resourcePoliciesMap, resourceRoutersMap)
+		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerD"], validatedPeers, routes, resourcePoliciesMap)
+		assert.Len(t, firewallRules, 2)
+		for _, rule := range expectedFirewallRules {
+			rule.RouteID = "resource2:peerD"
+		}
+		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
+		assert.Len(t, sourcePeers, 3)
+
+		// peerE is a single routing peer for resource1 and resource3
+		// PeerE should only receive rules for resource1 since resource3 has no applied policy
+		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerE", resourcePoliciesMap, resourceRoutersMap)
+		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerE"], validatedPeers, routes, resourcePoliciesMap)
+		assert.Len(t, firewallRules, 1)
+		assert.Len(t, sourcePeers, 2)
+
+		expectedFirewallRules = []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{"100.65.250.202/32", "100.65.13.186/32"},
+				Action:       "accept",
+				Destination:  "10.10.10.0/24",
+				Protocol:     "tcp",
+				PortRange:    types.RulePortRange{Start: 80, End: 350},
+				RouteID:      "resource1:peerE",
+			},
+		}
+		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
+
+		// peerC is part of distribution groups for resource2 but should not receive the firewall rules
+		firewallRules = account.GetPeerRoutesFirewallRules(context.Background(), "peerC", validatedPeers)
+		assert.Len(t, firewallRules, 0)
+
+		// peerL is the single routing peer for resource5
+		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerL", resourcePoliciesMap, resourceRoutersMap)
+		assert.Len(t, routes, 1)
+		firewallRules = account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers["peerL"], validatedPeers, routes, resourcePoliciesMap)
+		assert.Len(t, firewallRules, 1)
+		assert.Len(t, sourcePeers, 1)
+
+		expectedFirewallRules = []*types.RouteFirewallRule{
+			{
+				SourceRanges: []string{"100.65.29.67/32"},
+				Action:       "accept",
+				Destination:  "10.12.12.1/32",
+				Protocol:     "tcp",
+				Port:         8080,
+				RouteID:      "resource5:peerL",
+			},
+		}
+		assert.ElementsMatch(t, orderRuleSourceRanges(firewallRules), orderRuleSourceRanges(expectedFirewallRules))
+
+		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerM", resourcePoliciesMap, resourceRoutersMap)
+		assert.Len(t, routes, 1)
+		assert.Len(t, sourcePeers, 0)
+
+		_, routes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), "peerN", resourcePoliciesMap, resourceRoutersMap)
+		assert.Len(t, routes, 1)
+		assert.Len(t, sourcePeers, 2)
+	})
 }

management/server/store/sql_store.go

@@ -1196,6 +1196,7 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		account.NameServerGroups[ns.ID] = &ns
 	}
 	account.NameServerGroupsG = nil
+	account.InitOnce()
 	return &account, nil
 }
 
@@ -1634,6 +1635,7 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 	if sExtraIntegratedValidatorGroups.Valid {
 		_ = json.Unmarshal([]byte(sExtraIntegratedValidatorGroups.String), &account.Settings.Extra.IntegratedValidatorGroups)
 	}
+	account.InitOnce()
 	return &account, nil
 }
 

management/server/types/account.go

@@ -8,6 +8,7 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/hashicorp/go-multierror"
@@ -26,6 +27,7 @@ import (
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -108,9 +110,16 @@ type Account struct {
 	NetworkResources []*resourceTypes.NetworkResource `gorm:"foreignKey:AccountID;references:id"`
 	Onboarding       AccountOnboarding                `gorm:"foreignKey:AccountID;references:id;constraint:OnDelete:CASCADE"`
 
+	NetworkMapCache *NetworkMapBuilder `gorm:"-"`
+	nmapInitOnce    *sync.Once         `gorm:"-"`
+
 	ReverseProxyFreeDomainNonce string
 }
 
+func (a *Account) InitOnce() {
+	a.nmapInitOnce = &sync.Once{}
+}
+
 // this class is used by gorm only
 type PrimaryAccountInfo struct {
 	IsDomainPrimaryAccount bool
@@ -146,6 +155,108 @@ func (o AccountOnboarding) IsEqual(onboarding AccountOnboarding) bool {
 		o.SignupFormPending == onboarding.SignupFormPending
 }
 
+// GetRoutesToSync returns the enabled routes for the peer ID and the routes
+// from the ACL peers that have distribution groups associated with the peer ID.
+// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
+func (a *Account) GetRoutesToSync(ctx context.Context, peerID string, aclPeers []*nbpeer.Peer, peerGroups LookupMap) []*route.Route {
+	routes, peerDisabledRoutes := a.getRoutingPeerRoutes(ctx, peerID)
+	peerRoutesMembership := make(LookupMap)
+	for _, r := range append(routes, peerDisabledRoutes...) {
+		peerRoutesMembership[string(r.GetHAUniqueID())] = struct{}{}
+	}
+
+	for _, peer := range aclPeers {
+		activeRoutes, _ := a.getRoutingPeerRoutes(ctx, peer.ID)
+		groupFilteredRoutes := a.filterRoutesByGroups(activeRoutes, peerGroups)
+		filteredRoutes := a.filterRoutesFromPeersOfSameHAGroup(groupFilteredRoutes, peerRoutesMembership)
+		routes = append(routes, filteredRoutes...)
+	}
+
+	return routes
+}
+
+// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
+func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships LookupMap) []*route.Route {
+	var filteredRoutes []*route.Route
+	for _, r := range routes {
+		_, found := peerMemberships[string(r.GetHAUniqueID())]
+		if !found {
+			filteredRoutes = append(filteredRoutes, r)
+		}
+	}
+	return filteredRoutes
+}
+
+// filterRoutesByGroups returns a list with routes that have distribution groups in the group's map
+func (a *Account) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
+	var filteredRoutes []*route.Route
+	for _, r := range routes {
+		for _, groupID := range r.Groups {
+			_, found := groupListMap[groupID]
+			if found {
+				filteredRoutes = append(filteredRoutes, r)
+				break
+			}
+		}
+	}
+	return filteredRoutes
+}
+
+// getRoutingPeerRoutes returns the enabled and disabled lists of routes that the given routing peer serves
+// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
+// If the given is not a routing peer, then the lists are empty.
+func (a *Account) getRoutingPeerRoutes(ctx context.Context, peerID string) (enabledRoutes []*route.Route, disabledRoutes []*route.Route) {
+
+	peer := a.GetPeer(peerID)
+	if peer == nil {
+		log.WithContext(ctx).Errorf("peer %s that doesn't exist under account %s", peerID, a.Id)
+		return enabledRoutes, disabledRoutes
+	}
+
+	seenRoute := make(map[route.ID]struct{})
+
+	takeRoute := func(r *route.Route, id string) {
+		if _, ok := seenRoute[r.ID]; ok {
+			return
+		}
+		seenRoute[r.ID] = struct{}{}
+
+		if r.Enabled {
+			r.Peer = peer.Key
+			enabledRoutes = append(enabledRoutes, r)
+			return
+		}
+		disabledRoutes = append(disabledRoutes, r)
+	}
+
+	for _, r := range a.Routes {
+		for _, groupID := range r.PeerGroups {
+			group := a.GetGroup(groupID)
+			if group == nil {
+				log.WithContext(ctx).Errorf("route %s has peers group %s that doesn't exist under account %s", r.ID, groupID, a.Id)
+				continue
+			}
+			for _, id := range group.Peers {
+				if id != peerID {
+					continue
+				}
+
+				newPeerRoute := r.Copy()
+				newPeerRoute.Peer = id
+				newPeerRoute.PeerGroups = nil
+				newPeerRoute.ID = route.ID(string(r.ID) + ":" + id) // we have to provide unique route id when distribute network map
+				takeRoute(newPeerRoute, id)
+				break
+			}
+		}
+		if r.Peer == peerID {
+			takeRoute(r.Copy(), peerID)
+		}
+	}
+
+	return enabledRoutes, disabledRoutes
+}
+
 // GetRoutesByPrefixOrDomains return list of routes by account and route prefix
 func (a *Account) GetRoutesByPrefixOrDomains(prefix netip.Prefix, domains domain.List) []*route.Route {
 	var routes []*route.Route
@@ -165,6 +276,106 @@ func (a *Account) GetGroup(groupID string) *Group {
 	return a.Groups[groupID]
 }
 
+// GetPeerNetworkMap returns the networkmap for the given peer ID.
+func (a *Account) GetPeerNetworkMap(
+	ctx context.Context,
+	peerID string,
+	peersCustomZone nbdns.CustomZone,
+	accountZones []*zones.Zone,
+	validatedPeersMap map[string]struct{},
+	resourcePolicies map[string][]*Policy,
+	routers map[string]map[string]*routerTypes.NetworkRouter,
+	metrics *telemetry.AccountManagerMetrics,
+	groupIDToUserIDs map[string][]string,
+) *NetworkMap {
+	start := time.Now()
+	peer := a.Peers[peerID]
+	if peer == nil {
+		return &NetworkMap{
+			Network: a.Network.Copy(),
+		}
+	}
+
+	if _, ok := validatedPeersMap[peerID]; !ok {
+		return &NetworkMap{
+			Network: a.Network.Copy(),
+		}
+	}
+
+	peerGroups := a.GetPeerGroups(peerID)
+
+	aclPeers, firewallRules, authorizedUsers, enableSSH := a.GetPeerConnectionResources(ctx, peer, validatedPeersMap, groupIDToUserIDs)
+	// exclude expired peers
+	var peersToConnect []*nbpeer.Peer
+	var expiredPeers []*nbpeer.Peer
+	for _, p := range aclPeers {
+		expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
+		if a.Settings.PeerLoginExpirationEnabled && expired {
+			expiredPeers = append(expiredPeers, p)
+			continue
+		}
+		peersToConnect = append(peersToConnect, p)
+	}
+
+	routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect, peerGroups)
+	routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
+	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
+	var networkResourcesFirewallRules []*RouteFirewallRule
+	if isRouter {
+		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
+	}
+	peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
+
+	dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
+	dnsUpdate := nbdns.Config{
+		ServiceEnable: dnsManagementStatus,
+	}
+
+	if dnsManagementStatus {
+		var zones []nbdns.CustomZone
+
+		if peersCustomZone.Domain != "" {
+			records := filterZoneRecordsForPeers(peer, peersCustomZone, peersToConnectIncludingRouters, expiredPeers)
+			zones = append(zones, nbdns.CustomZone{
+				Domain:  peersCustomZone.Domain,
+				Records: records,
+			})
+		}
+
+		filteredAccountZones := filterPeerAppliedZones(ctx, accountZones, peerGroups)
+		zones = append(zones, filteredAccountZones...)
+
+		dnsUpdate.CustomZones = zones
+		dnsUpdate.NameServerGroups = getPeerNSGroups(a, peerID)
+	}
+
+	nm := &NetworkMap{
+		Peers:               peersToConnectIncludingRouters,
+		Network:             a.Network.Copy(),
+		Routes:              slices.Concat(networkResourcesRoutes, routesUpdate),
+		DNSConfig:           dnsUpdate,
+		OfflinePeers:        expiredPeers,
+		FirewallRules:       firewallRules,
+		RoutesFirewallRules: slices.Concat(networkResourcesFirewallRules, routesFirewallRules),
+		AuthorizedUsers:     authorizedUsers,
+		EnableSSH:           enableSSH,
+	}
+
+	if metrics != nil {
+		objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routesUpdate) + len(networkResourcesRoutes) + len(firewallRules) + +len(networkResourcesFirewallRules) + len(routesFirewallRules))
+		metrics.CountNetworkMapObjects(objectCount)
+		metrics.CountGetPeerNetworkMapDuration(time.Since(start))
+
+		if objectCount > 5000 {
+			log.WithContext(ctx).Tracef("account: %s has a total resource count of %d objects, "+
+				"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, network resources routes: %d, network resources firewall rules: %d, routes firewall rules: %d",
+				a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routesUpdate), len(firewallRules), len(networkResourcesRoutes), len(networkResourcesFirewallRules), len(routesFirewallRules))
+		}
+	}
+
+	return nm
+}
+
 func (a *Account) addNetworksRoutingPeers(
 	networkResourcesRoutes []*route.Route,
 	peer *nbpeer.Peer,
@@ -210,6 +421,39 @@ func (a *Account) addNetworksRoutingPeers(
 	return peersToConnect
 }
 
+func getPeerNSGroups(account *Account, peerID string) []*nbdns.NameServerGroup {
+	groupList := account.GetPeerGroups(peerID)
+
+	var peerNSGroups []*nbdns.NameServerGroup
+
+	for _, nsGroup := range account.NameServerGroups {
+		if !nsGroup.Enabled {
+			continue
+		}
+		for _, gID := range nsGroup.Groups {
+			_, found := groupList[gID]
+			if found {
+				if !peerIsNameserver(account.GetPeer(peerID), nsGroup) {
+					peerNSGroups = append(peerNSGroups, nsGroup.Copy())
+					break
+				}
+			}
+		}
+	}
+
+	return peerNSGroups
+}
+
+// peerIsNameserver returns true if the peer is a nameserver for a nsGroup
+func peerIsNameserver(peer *nbpeer.Peer, nsGroup *nbdns.NameServerGroup) bool {
+	for _, ns := range nsGroup.NameServers {
+		if peer.IP.Equal(ns.IP.AsSlice()) {
+			return true
+		}
+	}
+	return false
+}
+
 func AddPeerLabelsToAccount(ctx context.Context, account *Account, peerLabels LookupMap) {
 	for _, peer := range account.Peers {
 		label, err := GetPeerHostLabel(peer.Name, peerLabels)
@@ -556,6 +800,19 @@ func (a *Account) GetPeerGroupsList(peerID string) []string {
 	return grps
 }
 
+func (a *Account) getPeerDNSManagementStatus(peerID string) bool {
+	peerGroups := a.GetPeerGroups(peerID)
+	enabled := true
+	for _, groupID := range a.DNSSettings.DisabledManagementGroups {
+		_, found := peerGroups[groupID]
+		if found {
+			enabled = false
+			break
+		}
+	}
+	return enabled
+}
+
 func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	groupList := make(LookupMap)
 	for groupID, group := range a.Groups {
@@ -684,6 +941,8 @@ func (a *Account) Copy() *Account {
 		NetworkResources:       networkResources,
 		Services:               services,
 		Onboarding:             a.Onboarding,
+		NetworkMapCache:        a.NetworkMapCache,
+		nmapInitOnce:           a.nmapInitOnce,
 		Domains:                domains,
 	}
 }
@@ -1045,6 +1304,31 @@ func (a *Account) GetPostureChecks(postureChecksID string) *posture.Checks {
 	return nil
 }
 
+// GetPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
+func (a *Account) GetPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
+	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
+
+	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
+	for _, route := range enabledRoutes {
+		// If no access control groups are specified, accept all traffic.
+		if len(route.AccessControlGroups) == 0 {
+			defaultPermit := getDefaultPermit(route)
+			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
+			continue
+		}
+
+		distributionPeers := a.getDistributionGroupsPeers(route)
+
+		for _, accessGroup := range route.AccessControlGroups {
+			policies := GetAllRoutePoliciesFromGroups(a, []string{accessGroup})
+			rules := a.getRouteFirewallRules(ctx, peerID, policies, route, validatedPeersMap, distributionPeers)
+			routesFirewallRules = append(routesFirewallRules, rules...)
+		}
+	}
+
+	return routesFirewallRules
+}
+
 func (a *Account) getRouteFirewallRules(ctx context.Context, peerID string, policies []*Policy, route *route.Route, validatedPeersMap map[string]struct{}, distributionPeers map[string]struct{}) []*RouteFirewallRule {
 	var fwRules []*RouteFirewallRule
 	for _, policy := range policies {
@@ -1103,6 +1387,50 @@ func (a *Account) getRulePeers(rule *PolicyRule, postureChecks []string, peerID
 	return distributionGroupPeers
 }
 
+func (a *Account) getDistributionGroupsPeers(route *route.Route) map[string]struct{} {
+	distPeers := make(map[string]struct{})
+	for _, id := range route.Groups {
+		group := a.Groups[id]
+		if group == nil {
+			continue
+		}
+
+		for _, pID := range group.Peers {
+			distPeers[pID] = struct{}{}
+		}
+	}
+	return distPeers
+}
+
+func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
+	var rules []*RouteFirewallRule
+
+	sources := []string{"0.0.0.0/0"}
+	if route.Network.Addr().Is6() {
+		sources = []string{"::/0"}
+	}
+	rule := RouteFirewallRule{
+		SourceRanges: sources,
+		Action:       string(PolicyTrafficActionAccept),
+		Destination:  route.Network.String(),
+		Protocol:     string(PolicyRuleProtocolALL),
+		Domains:      route.Domains,
+		IsDynamic:    route.IsDynamic(),
+		RouteID:      route.ID,
+	}
+
+	rules = append(rules, &rule)
+
+	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
+	if route.IsDynamic() {
+		ruleV6 := rule
+		ruleV6.SourceRanges = []string{"::/0"}
+		rules = append(rules, &ruleV6)
+	}
+
+	return rules
+}
+
 // GetAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
 // and returns a list of policies that have rules with destinations matching the specified groups.
 func GetAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
@@ -1180,6 +1508,65 @@ func (a *Account) GetResourcePoliciesMap() map[string][]*Policy {
 	return resourcePolicies
 }
 
+// GetNetworkResourcesRoutesToSync returns network routes for syncing with a specific peer and its ACL peers.
+func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
+	var isRoutingPeer bool
+	var routes []*route.Route
+	allSourcePeers := make(map[string]struct{}, len(a.Peers))
+
+	for _, resource := range a.NetworkResources {
+		if !resource.Enabled {
+			continue
+		}
+
+		var addSourcePeers bool
+
+		networkRoutingPeers, exists := routers[resource.NetworkID]
+		if exists {
+			if router, ok := networkRoutingPeers[peerID]; ok {
+				isRoutingPeer, addSourcePeers = true, true
+				routes = append(routes, a.getNetworkResourcesRoutes(resource, peerID, router, resourcePolicies)...)
+			}
+		}
+
+		addedResourceRoute := false
+		for _, policy := range resourcePolicies[resource.ID] {
+			var peers []string
+			if policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "" {
+				peers = []string{policy.Rules[0].SourceResource.ID}
+			} else {
+				peers = a.getUniquePeerIDsFromGroupsIDs(ctx, policy.SourceGroups())
+			}
+			if addSourcePeers {
+				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
+					allSourcePeers[pID] = struct{}{}
+				}
+			} else if slices.Contains(peers, peerID) && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
+				// add routes for the resource if the peer is in the distribution group
+				for peerId, router := range networkRoutingPeers {
+					routes = append(routes, a.getNetworkResourcesRoutes(resource, peerId, router, resourcePolicies)...)
+				}
+				addedResourceRoute = true
+			}
+			if addedResourceRoute {
+				break
+			}
+		}
+	}
+
+	return isRoutingPeer, routes, allSourcePeers
+}
+
+func (a *Account) getPostureValidPeers(inputPeers []string, postureChecksIDs []string) []string {
+	var dest []string
+	for _, peerID := range inputPeers {
+		if a.validatePostureChecksOnPeer(context.Background(), postureChecksIDs, peerID) {
+			dest = append(dest, peerID)
+		}
+	}
+	return dest
+}
+
 func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) []string {
 	peerIDs := make(map[string]struct{}, len(groups)) // we expect at least one peer per group as initial capacity
 	for _, groupID := range groups {
@@ -1271,6 +1658,22 @@ func (a *Account) GetPoliciesAppliedInNetwork(networkID string) []string {
 	return result
 }
 
+// getNetworkResourcesRoutes convert the network resources list to routes list.
+func (a *Account) getNetworkResourcesRoutes(resource *resourceTypes.NetworkResource, peerId string, router *routerTypes.NetworkRouter, resourcePolicies map[string][]*Policy) []*route.Route {
+	resourceAppliedPolicies := resourcePolicies[resource.ID]
+
+	var routes []*route.Route
+	// distribute the resource routes only if there is policy applied to it
+	if len(resourceAppliedPolicies) > 0 {
+		peer := a.GetPeer(peerId)
+		if peer != nil {
+			routes = append(routes, resource.ToRoute(peer, router))
+		}
+	}
+
+	return routes
+}
+
 func (a *Account) GetResourceRoutersMap() map[string]map[string]*routerTypes.NetworkRouter {
 	routers := make(map[string]map[string]*routerTypes.NetworkRouter)
 

management/server/types/account_test.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
+	"slices"
 	"testing"
 
 	"github.com/miekg/dns"
@@ -17,6 +19,7 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/route"
 )
 
@@ -448,6 +451,402 @@ func Test_AddNetworksRoutingPeersHandlesNoMissingPeers(t *testing.T) {
 	require.Len(t, result, 0)
 }
 
+const (
+	accID                                = "accountID"
+	network1ID                           = "network1ID"
+	group1ID                             = "group1"
+	accNetResourcePeer1ID                = "peer1"
+	accNetResourcePeer2ID                = "peer2"
+	accNetResourceRouter1ID              = "router1"
+	accNetResource1ID                    = "resource1ID"
+	accNetResourceRestrictPostureCheckID = "restrictPostureCheck"
+	accNetResourceRelaxedPostureCheckID  = "relaxedPostureCheck"
+	accNetResourceLockedPostureCheckID   = "lockedPostureCheck"
+	accNetResourceLinuxPostureCheckID    = "linuxPostureCheck"
+)
+
+var (
+	accNetResourcePeer1IP    = net.IP{192, 168, 1, 1}
+	accNetResourcePeer2IP    = net.IP{192, 168, 1, 2}
+	accNetResourceRouter1IP  = net.IP{192, 168, 1, 3}
+	accNetResourceValidPeers = map[string]struct{}{accNetResourcePeer1ID: {}, accNetResourcePeer2ID: {}}
+)
+
+func getBasicAccountsWithResource() *Account {
+	return &Account{
+		Id: accID,
+		Peers: map[string]*nbpeer.Peer{
+			accNetResourcePeer1ID: {
+				ID:        accNetResourcePeer1ID,
+				AccountID: accID,
+				Key:       "peer1Key",
+				IP:        accNetResourcePeer1IP,
+				Meta: nbpeer.PeerSystemMeta{
+					GoOS:          "linux",
+					WtVersion:     "0.35.1",
+					KernelVersion: "4.4.0",
+				},
+			},
+			accNetResourcePeer2ID: {
+				ID:        accNetResourcePeer2ID,
+				AccountID: accID,
+				Key:       "peer2Key",
+				IP:        accNetResourcePeer2IP,
+				Meta: nbpeer.PeerSystemMeta{
+					GoOS:          "windows",
+					WtVersion:     "0.34.1",
+					KernelVersion: "4.4.0",
+				},
+			},
+			accNetResourceRouter1ID: {
+				ID:        accNetResourceRouter1ID,
+				AccountID: accID,
+				Key:       "router1Key",
+				IP:        accNetResourceRouter1IP,
+				Meta: nbpeer.PeerSystemMeta{
+					GoOS:          "linux",
+					WtVersion:     "0.35.1",
+					KernelVersion: "4.4.0",
+				},
+			},
+		},
+		Groups: map[string]*Group{
+			group1ID: {
+				ID:    group1ID,
+				Peers: []string{accNetResourcePeer1ID, accNetResourcePeer2ID},
+			},
+		},
+		Networks: []*networkTypes.Network{
+			{
+				ID:        network1ID,
+				AccountID: accID,
+				Name:      "network1",
+			},
+		},
+		NetworkRouters: []*routerTypes.NetworkRouter{
+			{
+				ID:         accNetResourceRouter1ID,
+				NetworkID:  network1ID,
+				AccountID:  accID,
+				Peer:       accNetResourceRouter1ID,
+				PeerGroups: []string{},
+				Masquerade: false,
+				Metric:     100,
+				Enabled:    true,
+			},
+		},
+		NetworkResources: []*resourceTypes.NetworkResource{
+			{
+				ID:        accNetResource1ID,
+				AccountID: accID,
+				NetworkID: network1ID,
+				Address:   "10.10.10.0/24",
+				Prefix:    netip.MustParsePrefix("10.10.10.0/24"),
+				Type:      resourceTypes.NetworkResourceType("subnet"),
+				Enabled:   true,
+			},
+		},
+		Policies: []*Policy{
+			{
+				ID:        "policy1ID",
+				AccountID: accID,
+				Enabled:   true,
+				Rules: []*PolicyRule{
+					{
+						ID:      "rule1ID",
+						Enabled: true,
+						Sources: []string{group1ID},
+						DestinationResource: Resource{
+							ID:   accNetResource1ID,
+							Type: "Host",
+						},
+						Protocol: PolicyRuleProtocolTCP,
+						Ports:    []string{"80"},
+						Action:   PolicyTrafficActionAccept,
+					},
+				},
+				SourcePostureChecks: nil,
+			},
+		},
+		PostureChecks: []*posture.Checks{
+			{
+				ID:   accNetResourceRestrictPostureCheckID,
+				Name: accNetResourceRestrictPostureCheckID,
+				Checks: posture.ChecksDefinition{
+					NBVersionCheck: &posture.NBVersionCheck{
+						MinVersion: "0.35.0",
+					},
+				},
+			},
+			{
+				ID:   accNetResourceRelaxedPostureCheckID,
+				Name: accNetResourceRelaxedPostureCheckID,
+				Checks: posture.ChecksDefinition{
+					NBVersionCheck: &posture.NBVersionCheck{
+						MinVersion: "0.0.1",
+					},
+				},
+			},
+			{
+				ID:   accNetResourceLockedPostureCheckID,
+				Name: accNetResourceLockedPostureCheckID,
+				Checks: posture.ChecksDefinition{
+					NBVersionCheck: &posture.NBVersionCheck{
+						MinVersion: "7.7.7",
+					},
+				},
+			},
+			{
+				ID:   accNetResourceLinuxPostureCheckID,
+				Name: accNetResourceLinuxPostureCheckID,
+				Checks: posture.ChecksDefinition{
+					OSVersionCheck: &posture.OSVersionCheck{
+						Linux: &posture.MinKernelVersionCheck{
+							MinKernelVersion: "0.0.0"},
+					},
+				},
+			},
+		},
+	}
+}
+
+func Test_NetworksNetMapGenWithNoPostureChecks(t *testing.T) {
+	account := getBasicAccountsWithResource()
+
+	// all peers should match the policy
+
+	// validate for peer1
+	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate for peer2
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate routes for router1
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.True(t, isRouter, "should be router")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
+	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
+	assert.NotNil(t, sourcePeers[accNetResourcePeer2ID], "expected source peers don't match")
+
+	// validate rules for router1
+	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
+	assert.Len(t, rules, 1, "expected rules count don't match")
+	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
+	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
+	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
+	}
+	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
+	}
+}
+
+func Test_NetworksNetMapGenWithPostureChecks(t *testing.T) {
+	account := getBasicAccountsWithResource()
+
+	// should allow peer1 to match the policy
+	policy := account.Policies[0]
+	policy.SourcePostureChecks = []string{accNetResourceRestrictPostureCheckID}
+
+	// validate for peer1
+	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate for peer2
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate routes for router1
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.True(t, isRouter, "should be router")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 1, "expected source peers don't match")
+	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
+
+	// validate rules for router1
+	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
+	assert.Len(t, rules, 1, "expected rules count don't match")
+	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
+	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
+	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
+	}
+	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
+		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
+	}
+}
+
+func Test_NetworksNetMapGenWithNoMatchedPostureChecks(t *testing.T) {
+	account := getBasicAccountsWithResource()
+
+	// should not match any peer
+	policy := account.Policies[0]
+	policy.SourcePostureChecks = []string{accNetResourceLockedPostureCheckID}
+
+	// validate for peer1
+	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate for peer2
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate routes for router1
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.True(t, isRouter, "should be router")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate rules for router1
+	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
+	assert.Len(t, rules, 0, "expected rules count don't match")
+}
+
+func Test_NetworksNetMapGenWithTwoPoliciesAndPostureChecks(t *testing.T) {
+	account := getBasicAccountsWithResource()
+
+	// should allow peer1 to match the policy
+	policy := account.Policies[0]
+	policy.SourcePostureChecks = []string{accNetResourceRestrictPostureCheckID}
+
+	// should allow peer1 and peer2 to match the policy
+	newPolicy := &Policy{
+		ID:        "policy2ID",
+		AccountID: accID,
+		Enabled:   true,
+		Rules: []*PolicyRule{
+			{
+				ID:      "policy2ID",
+				Enabled: true,
+				Sources: []string{group1ID},
+				DestinationResource: Resource{
+					ID:   accNetResource1ID,
+					Type: "Host",
+				},
+				Protocol: PolicyRuleProtocolTCP,
+				Ports:    []string{"22"},
+				Action:   PolicyTrafficActionAccept,
+			},
+		},
+		SourcePostureChecks: []string{accNetResourceRelaxedPostureCheckID},
+	}
+
+	account.Policies = append(account.Policies, newPolicy)
+
+	// validate for peer1
+	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate for peer2
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate routes for router1
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.True(t, isRouter, "should be router")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
+	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
+	assert.NotNil(t, sourcePeers[accNetResourcePeer2ID], "expected source peers don't match")
+
+	// validate rules for router1
+	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
+	assert.Len(t, rules, 2, "expected rules count don't match")
+	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
+	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
+	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
+	}
+	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
+		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
+	}
+
+	assert.Equal(t, uint16(22), rules[1].Port, "should have port 22")
+	assert.Equal(t, "tcp", rules[1].Protocol, "should have protocol tcp")
+	if !slices.Contains(rules[1].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer1 %s", rules[1].SourceRanges, accNetResourcePeer1IP.String())
+	}
+	if !slices.Contains(rules[1].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer2 %s", rules[1].SourceRanges, accNetResourcePeer2IP.String())
+	}
+}
+
+func Test_NetworksNetMapGenWithTwoPostureChecks(t *testing.T) {
+	account := getBasicAccountsWithResource()
+
+	// two posture checks should match only the peers that match both checks
+	policy := account.Policies[0]
+	policy.SourcePostureChecks = []string{accNetResourceRelaxedPostureCheckID, accNetResourceLinuxPostureCheckID}
+
+	// validate for peer1
+	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate for peer2
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourcePeer2ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.False(t, isRouter, "expected router status")
+	assert.Len(t, networkResourcesRoutes, 0, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 0, "expected source peers don't match")
+
+	// validate routes for router1
+	isRouter, networkResourcesRoutes, sourcePeers = account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.True(t, isRouter, "should be router")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 1, "expected source peers don't match")
+	assert.NotNil(t, sourcePeers[accNetResourcePeer1ID], "expected source peers don't match")
+
+	// validate rules for router1
+	rules := account.GetPeerNetworkResourceFirewallRules(context.Background(), account.Peers[accNetResourceRouter1ID], accNetResourceValidPeers, networkResourcesRoutes, account.GetResourcePoliciesMap())
+	assert.Len(t, rules, 1, "expected rules count don't match")
+	assert.Equal(t, uint16(80), rules[0].Port, "should have port 80")
+	assert.Equal(t, "tcp", rules[0].Protocol, "should have protocol tcp")
+	if !slices.Contains(rules[0].SourceRanges, accNetResourcePeer1IP.String()+"/32") {
+		t.Errorf("%s should have source range of peer1 %s", rules[0].SourceRanges, accNetResourcePeer1IP.String())
+	}
+	if slices.Contains(rules[0].SourceRanges, accNetResourcePeer2IP.String()+"/32") {
+		t.Errorf("%s should not have source range of peer2 %s", rules[0].SourceRanges, accNetResourcePeer2IP.String())
+	}
+}
+
+func Test_NetworksNetMapGenShouldExcludeOtherRouters(t *testing.T) {
+	account := getBasicAccountsWithResource()
+
+	account.Peers["router2Id"] = &nbpeer.Peer{Key: "router2Key", ID: "router2Id", AccountID: accID, IP: net.IP{192, 168, 1, 4}}
+	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
+		ID:        "router2Id",
+		NetworkID: network1ID,
+		AccountID: accID,
+		Peer:      "router2Id",
+	})
+
+	// validate routes for router1
+	isRouter, networkResourcesRoutes, sourcePeers := account.GetNetworkResourcesRoutesToSync(context.Background(), accNetResourceRouter1ID, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap())
+	assert.True(t, isRouter, "should be router")
+	assert.Len(t, networkResourcesRoutes, 1, "expected network resource route don't match")
+	assert.Len(t, sourcePeers, 2, "expected source peers don't match")
+}
+
 func Test_ExpandPortsAndRanges_SSHRuleExpansion(t *testing.T) {
 	tests := []struct {
 		name          string

management/server/types/holder.go

@@ -0,0 +1,47 @@
+package types
+
+import (
+	"context"
+	"sync"
+)
+
+type Holder struct {
+	mu       sync.RWMutex
+	accounts map[string]*Account
+}
+
+func NewHolder() *Holder {
+	return &Holder{
+		accounts: make(map[string]*Account),
+	}
+}
+
+func (h *Holder) GetAccount(id string) *Account {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	return h.accounts[id]
+}
+
+func (h *Holder) AddAccount(account *Account) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	a := h.accounts[account.Id]
+	if a != nil && a.Network.CurrentSerial() >= account.Network.CurrentSerial() {
+		return
+	}
+	h.accounts[account.Id] = account
+}
+
+func (h *Holder) LoadOrStoreFunc(ctx context.Context, id string, accGetter func(context.Context, string) (*Account, error)) (*Account, error) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	if acc, ok := h.accounts[id]; ok {
+		return acc, nil
+	}
+	account, err := accGetter(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	h.accounts[id] = account
+	return account, nil
+}

management/server/types/identity_provider.go

@@ -39,8 +39,6 @@ const (
 	IdentityProviderTypeAuthentik IdentityProviderType = "authentik"
 	// IdentityProviderTypeKeycloak is the Keycloak identity provider
 	IdentityProviderTypeKeycloak IdentityProviderType = "keycloak"
-	// IdentityProviderTypeADFS is the Microsoft AD FS identity provider
-	IdentityProviderTypeADFS IdentityProviderType = "adfs"
 )
 
 // IdentityProvider represents an identity provider configuration
@@ -114,8 +112,7 @@ func (t IdentityProviderType) IsValid() bool {
 	switch t {
 	case IdentityProviderTypeOIDC, IdentityProviderTypeZitadel, IdentityProviderTypeEntra,
 		IdentityProviderTypeGoogle, IdentityProviderTypeOkta, IdentityProviderTypePocketID,
-		IdentityProviderTypeMicrosoft, IdentityProviderTypeAuthentik, IdentityProviderTypeKeycloak,
-		IdentityProviderTypeADFS:
+		IdentityProviderTypeMicrosoft, IdentityProviderTypeAuthentik, IdentityProviderTypeKeycloak:
 		return true
 	}
 	return false

management/server/types/networkmap.go

@@ -0,0 +1,67 @@
+package types
+
+import (
+	"context"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/zones"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/telemetry"
+)
+
+func (a *Account) initNetworkMapBuilder(validatedPeers map[string]struct{}) {
+	if a.NetworkMapCache != nil {
+		return
+	}
+	a.nmapInitOnce.Do(func() {
+		a.NetworkMapCache = NewNetworkMapBuilder(a, validatedPeers)
+	})
+}
+
+func (a *Account) InitNetworkMapBuilderIfNeeded(validatedPeers map[string]struct{}) {
+	a.initNetworkMapBuilder(validatedPeers)
+}
+
+func (a *Account) GetPeerNetworkMapExp(
+	ctx context.Context,
+	peerID string,
+	peersCustomZone nbdns.CustomZone,
+	accountZones []*zones.Zone,
+	validatedPeers map[string]struct{},
+	metrics *telemetry.AccountManagerMetrics,
+) *NetworkMap {
+	a.initNetworkMapBuilder(validatedPeers)
+	return a.NetworkMapCache.GetPeerNetworkMap(ctx, peerID, peersCustomZone, accountZones, validatedPeers, metrics)
+}
+
+func (a *Account) OnPeerAddedUpdNetworkMapCache(peerId string) error {
+	if a.NetworkMapCache == nil {
+		return nil
+	}
+	return a.NetworkMapCache.OnPeerAddedIncremental(a, peerId)
+}
+
+func (a *Account) OnPeersAddedUpdNetworkMapCache(peerIds ...string) {
+	if a.NetworkMapCache == nil {
+		return
+	}
+	a.NetworkMapCache.EnqueuePeersForIncrementalAdd(a, peerIds...)
+}
+
+func (a *Account) OnPeerDeletedUpdNetworkMapCache(peerId string) error {
+	if a.NetworkMapCache == nil {
+		return nil
+	}
+	return a.NetworkMapCache.OnPeerDeleted(a, peerId)
+}
+
+func (a *Account) UpdatePeerInNetworkMapCache(peer *nbpeer.Peer) {
+	if a.NetworkMapCache == nil {
+		return
+	}
+	a.NetworkMapCache.UpdatePeer(peer)
+}
+
+func (a *Account) RecalculateNetworkMapCache(validatedPeers map[string]struct{}) {
+	a.initNetworkMapBuilder(validatedPeers)
+}

management/server/types/networkmap_comparison_test.go

@@ -0,0 +1,592 @@
+package types
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/netip"
+	"os"
+	"path/filepath"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/route"
+)
+
+func TestNetworkMapComponents_CompareWithLegacy(t *testing.T) {
+	account := createTestAccount()
+	ctx := context.Background()
+
+	peerID := testingPeerID
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		pid := fmt.Sprintf("peer-%d", i)
+		if pid == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[pid] = struct{}{}
+	}
+
+	peersCustomZone := nbdns.CustomZone{}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(
+		ctx,
+		peerID,
+		peersCustomZone,
+		nil,
+		validatedPeersMap,
+		resourcePolicies,
+		routers,
+		nil,
+		groupIDToUserIDs,
+	)
+
+	components := account.GetPeerNetworkMapComponents(
+		ctx,
+		peerID,
+		peersCustomZone,
+		nil,
+		validatedPeersMap,
+		resourcePolicies,
+		routers,
+		groupIDToUserIDs,
+	)
+
+	if components == nil {
+		t.Fatal("GetPeerNetworkMapComponents returned nil")
+	}
+
+	newNetworkMap := CalculateNetworkMapFromComponents(ctx, components)
+
+	if newNetworkMap == nil {
+		t.Fatal("CalculateNetworkMapFromComponents returned nil")
+	}
+
+	compareNetworkMaps(t, legacyNetworkMap, newNetworkMap)
+}
+
+func TestNetworkMapComponents_GoldenFileComparison(t *testing.T) {
+	account := createTestAccount()
+	ctx := context.Background()
+
+	peerID := testingPeerID
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		pid := fmt.Sprintf("peer-%d", i)
+		if pid == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[pid] = struct{}{}
+	}
+
+	peersCustomZone := nbdns.CustomZone{}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(
+		ctx,
+		peerID,
+		peersCustomZone,
+		nil,
+		validatedPeersMap,
+		resourcePolicies,
+		routers,
+		nil,
+		groupIDToUserIDs,
+	)
+
+	components := account.GetPeerNetworkMapComponents(
+		ctx,
+		peerID,
+		peersCustomZone,
+		nil,
+		validatedPeersMap,
+		resourcePolicies,
+		routers,
+		groupIDToUserIDs,
+	)
+
+	require.NotNil(t, components, "GetPeerNetworkMapComponents returned nil")
+
+	newNetworkMap := CalculateNetworkMapFromComponents(ctx, components)
+	require.NotNil(t, newNetworkMap, "CalculateNetworkMapFromComponents returned nil")
+
+	normalizeAndSortNetworkMap(legacyNetworkMap)
+	normalizeAndSortNetworkMap(newNetworkMap)
+
+	componentsJSON, err := json.MarshalIndent(components, "", "  ")
+	require.NoError(t, err, "error marshaling components to JSON")
+
+	legacyJSON, err := json.MarshalIndent(legacyNetworkMap, "", "  ")
+	require.NoError(t, err, "error marshaling legacy network map to JSON")
+
+	newJSON, err := json.MarshalIndent(newNetworkMap, "", "  ")
+	require.NoError(t, err, "error marshaling new network map to JSON")
+
+	goldenDir := filepath.Join("testdata", "comparison")
+	err = os.MkdirAll(goldenDir, 0755)
+	require.NoError(t, err)
+
+	legacyGoldenPath := filepath.Join(goldenDir, "legacy_networkmap.json")
+	err = os.WriteFile(legacyGoldenPath, legacyJSON, 0644)
+	require.NoError(t, err, "error writing legacy golden file")
+
+	newGoldenPath := filepath.Join(goldenDir, "components_networkmap.json")
+	err = os.WriteFile(newGoldenPath, newJSON, 0644)
+	require.NoError(t, err, "error writing components golden file")
+
+	componentsPath := filepath.Join(goldenDir, "components.json")
+	err = os.WriteFile(componentsPath, componentsJSON, 0644)
+	require.NoError(t, err, "error writing components golden file")
+
+	require.JSONEq(t, string(legacyJSON), string(newJSON),
+		"NetworkMaps from legacy and components approaches do not match.\n"+
+			"Legacy JSON saved to: %s\n"+
+			"Components JSON saved to: %s",
+		legacyGoldenPath, newGoldenPath)
+
+	t.Logf("✅ NetworkMaps are identical")
+	t.Logf("   Legacy NetworkMap: %s", legacyGoldenPath)
+	t.Logf("   Components NetworkMap: %s", newGoldenPath)
+}
+
+func normalizeAndSortNetworkMap(nm *NetworkMap) {
+	if nm == nil {
+		return
+	}
+
+	sort.Slice(nm.Peers, func(i, j int) bool {
+		return nm.Peers[i].ID < nm.Peers[j].ID
+	})
+
+	sort.Slice(nm.OfflinePeers, func(i, j int) bool {
+		return nm.OfflinePeers[i].ID < nm.OfflinePeers[j].ID
+	})
+
+	sort.Slice(nm.Routes, func(i, j int) bool {
+		return string(nm.Routes[i].ID) < string(nm.Routes[j].ID)
+	})
+
+	sort.Slice(nm.FirewallRules, func(i, j int) bool {
+		if nm.FirewallRules[i].PeerIP != nm.FirewallRules[j].PeerIP {
+			return nm.FirewallRules[i].PeerIP < nm.FirewallRules[j].PeerIP
+		}
+		if nm.FirewallRules[i].Direction != nm.FirewallRules[j].Direction {
+			return nm.FirewallRules[i].Direction < nm.FirewallRules[j].Direction
+		}
+		if nm.FirewallRules[i].Protocol != nm.FirewallRules[j].Protocol {
+			return nm.FirewallRules[i].Protocol < nm.FirewallRules[j].Protocol
+		}
+		if nm.FirewallRules[i].Port != nm.FirewallRules[j].Port {
+			return nm.FirewallRules[i].Port < nm.FirewallRules[j].Port
+		}
+		return nm.FirewallRules[i].PolicyID < nm.FirewallRules[j].PolicyID
+	})
+
+	for i := range nm.RoutesFirewallRules {
+		sort.Strings(nm.RoutesFirewallRules[i].SourceRanges)
+	}
+
+	sort.Slice(nm.RoutesFirewallRules, func(i, j int) bool {
+		if nm.RoutesFirewallRules[i].Destination != nm.RoutesFirewallRules[j].Destination {
+			return nm.RoutesFirewallRules[i].Destination < nm.RoutesFirewallRules[j].Destination
+		}
+
+		minLen := len(nm.RoutesFirewallRules[i].SourceRanges)
+		if len(nm.RoutesFirewallRules[j].SourceRanges) < minLen {
+			minLen = len(nm.RoutesFirewallRules[j].SourceRanges)
+		}
+		for k := 0; k < minLen; k++ {
+			if nm.RoutesFirewallRules[i].SourceRanges[k] != nm.RoutesFirewallRules[j].SourceRanges[k] {
+				return nm.RoutesFirewallRules[i].SourceRanges[k] < nm.RoutesFirewallRules[j].SourceRanges[k]
+			}
+		}
+		if len(nm.RoutesFirewallRules[i].SourceRanges) != len(nm.RoutesFirewallRules[j].SourceRanges) {
+			return len(nm.RoutesFirewallRules[i].SourceRanges) < len(nm.RoutesFirewallRules[j].SourceRanges)
+		}
+
+		if string(nm.RoutesFirewallRules[i].RouteID) != string(nm.RoutesFirewallRules[j].RouteID) {
+			return string(nm.RoutesFirewallRules[i].RouteID) < string(nm.RoutesFirewallRules[j].RouteID)
+		}
+
+		if nm.RoutesFirewallRules[i].PolicyID != nm.RoutesFirewallRules[j].PolicyID {
+			return nm.RoutesFirewallRules[i].PolicyID < nm.RoutesFirewallRules[j].PolicyID
+		}
+
+		if nm.RoutesFirewallRules[i].Port != nm.RoutesFirewallRules[j].Port {
+			return nm.RoutesFirewallRules[i].Port < nm.RoutesFirewallRules[j].Port
+		}
+
+		return nm.RoutesFirewallRules[i].Protocol < nm.RoutesFirewallRules[j].Protocol
+	})
+
+	if nm.DNSConfig.CustomZones != nil {
+		for i := range nm.DNSConfig.CustomZones {
+			sort.Slice(nm.DNSConfig.CustomZones[i].Records, func(a, b int) bool {
+				return nm.DNSConfig.CustomZones[i].Records[a].Name < nm.DNSConfig.CustomZones[i].Records[b].Name
+			})
+		}
+	}
+
+	if len(nm.DNSConfig.NameServerGroups) != 0 {
+		sort.Slice(nm.DNSConfig.NameServerGroups, func(a, b int) bool {
+			return nm.DNSConfig.NameServerGroups[a].Name < nm.DNSConfig.NameServerGroups[b].Name
+		})
+	}
+}
+
+func compareNetworkMaps(t *testing.T, legacy, current *NetworkMap) {
+	t.Helper()
+
+	if legacy.Network.Serial != current.Network.Serial {
+		t.Errorf("Network Serial mismatch: legacy=%d, current=%d", legacy.Network.Serial, current.Network.Serial)
+	}
+
+	if len(legacy.Peers) != len(current.Peers) {
+		t.Errorf("Peers count mismatch: legacy=%d, current=%d", len(legacy.Peers), len(current.Peers))
+	}
+
+	legacyPeerIDs := make(map[string]bool)
+	for _, p := range legacy.Peers {
+		legacyPeerIDs[p.ID] = true
+	}
+
+	for _, p := range current.Peers {
+		if !legacyPeerIDs[p.ID] {
+			t.Errorf("Current NetworkMap contains peer %s not in legacy", p.ID)
+		}
+	}
+
+	if len(legacy.OfflinePeers) != len(current.OfflinePeers) {
+		t.Errorf("OfflinePeers count mismatch: legacy=%d, current=%d", len(legacy.OfflinePeers), len(current.OfflinePeers))
+	}
+
+	if len(legacy.FirewallRules) != len(current.FirewallRules) {
+		t.Logf("FirewallRules count mismatch: legacy=%d, current=%d", len(legacy.FirewallRules), len(current.FirewallRules))
+	}
+
+	if len(legacy.Routes) != len(current.Routes) {
+		t.Logf("Routes count mismatch: legacy=%d, current=%d", len(legacy.Routes), len(current.Routes))
+	}
+
+	if len(legacy.RoutesFirewallRules) != len(current.RoutesFirewallRules) {
+		t.Logf("RoutesFirewallRules count mismatch: legacy=%d, current=%d", len(legacy.RoutesFirewallRules), len(current.RoutesFirewallRules))
+	}
+
+	if legacy.DNSConfig.ServiceEnable != current.DNSConfig.ServiceEnable {
+		t.Errorf("DNSConfig.ServiceEnable mismatch: legacy=%v, current=%v", legacy.DNSConfig.ServiceEnable, current.DNSConfig.ServiceEnable)
+	}
+}
+
+const (
+	numPeers          = 100
+	devGroupID        = "group-dev"
+	opsGroupID        = "group-ops"
+	allGroupID        = "group-all"
+	routeID           = route.ID("route-main")
+	routeHA1ID        = route.ID("route-ha-1")
+	routeHA2ID        = route.ID("route-ha-2")
+	policyIDDevOps    = "policy-dev-ops"
+	policyIDAll       = "policy-all"
+	policyIDPosture   = "policy-posture"
+	policyIDDrop      = "policy-drop"
+	postureCheckID    = "posture-check-ver"
+	networkResourceID = "res-database"
+	networkID         = "net-database"
+	networkRouterID   = "router-database"
+	nameserverGroupID = "ns-group-main"
+	testingPeerID     = "peer-60"
+	expiredPeerID     = "peer-98"
+	offlinePeerID     = "peer-99"
+	routingPeerID     = "peer-95"
+	testAccountID     = "account-comparison-test"
+)
+
+func createTestAccount() *Account {
+	peers := make(map[string]*nbpeer.Peer)
+	devGroupPeers, opsGroupPeers, allGroupPeers := []string{}, []string{}, []string{}
+
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		ip := net.IP{100, 64, 0, byte(i + 1)}
+		wtVersion := "0.25.0"
+		if i%2 == 0 {
+			wtVersion = "0.40.0"
+		}
+
+		p := &nbpeer.Peer{
+			ID: peerID, IP: ip, Key: fmt.Sprintf("key-%s", peerID), DNSLabel: fmt.Sprintf("peer%d", i+1),
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+			UserID: "user-admin", Meta: nbpeer.PeerSystemMeta{WtVersion: wtVersion, GoOS: "linux"},
+		}
+
+		if peerID == expiredPeerID {
+			p.LoginExpirationEnabled = true
+			pastTimestamp := time.Now().Add(-2 * time.Hour)
+			p.LastLogin = &pastTimestamp
+		}
+
+		peers[peerID] = p
+		allGroupPeers = append(allGroupPeers, peerID)
+		if i < numPeers/2 {
+			devGroupPeers = append(devGroupPeers, peerID)
+		} else {
+			opsGroupPeers = append(opsGroupPeers, peerID)
+		}
+	}
+
+	groups := map[string]*Group{
+		allGroupID: {ID: allGroupID, Name: "All", Peers: allGroupPeers},
+		devGroupID: {ID: devGroupID, Name: "Developers", Peers: devGroupPeers},
+		opsGroupID: {ID: opsGroupID, Name: "Operations", Peers: opsGroupPeers},
+	}
+
+	policies := []*Policy{
+		{
+			ID: policyIDAll, Name: "Default-Allow", Enabled: true,
+			Rules: []*PolicyRule{{
+				ID: policyIDAll, Name: "Allow All", Enabled: true, Action: PolicyTrafficActionAccept,
+				Protocol: PolicyRuleProtocolALL, Bidirectional: true,
+				Sources: []string{allGroupID}, Destinations: []string{allGroupID},
+			}},
+		},
+		{
+			ID: policyIDDevOps, Name: "Dev to Ops Web Access", Enabled: true,
+			Rules: []*PolicyRule{{
+				ID: policyIDDevOps, Name: "Dev -> Ops (HTTP Range)", Enabled: true, Action: PolicyTrafficActionAccept,
+				Protocol: PolicyRuleProtocolTCP, Bidirectional: false,
+				PortRanges: []RulePortRange{{Start: 8080, End: 8090}},
+				Sources:    []string{devGroupID}, Destinations: []string{opsGroupID},
+			}},
+		},
+		{
+			ID: policyIDDrop, Name: "Drop DB traffic", Enabled: true,
+			Rules: []*PolicyRule{{
+				ID: policyIDDrop, Name: "Drop DB", Enabled: true, Action: PolicyTrafficActionDrop,
+				Protocol: PolicyRuleProtocolTCP, Ports: []string{"5432"}, Bidirectional: true,
+				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
+			}},
+		},
+		{
+			ID: policyIDPosture, Name: "Posture Check for DB Resource", Enabled: true,
+			SourcePostureChecks: []string{postureCheckID},
+			Rules: []*PolicyRule{{
+				ID: policyIDPosture, Name: "Allow DB Access", Enabled: true, Action: PolicyTrafficActionAccept,
+				Protocol: PolicyRuleProtocolALL, Bidirectional: true,
+				Sources: []string{opsGroupID}, DestinationResource: Resource{ID: networkResourceID},
+			}},
+		},
+	}
+
+	routes := map[route.ID]*route.Route{
+		routeID: {
+			ID: routeID, Network: netip.MustParsePrefix("192.168.10.0/24"),
+			Peer:        peers["peer-75"].Key,
+			PeerID:      "peer-75",
+			Description: "Route to internal resource", Enabled: true,
+			PeerGroups:          []string{devGroupID, opsGroupID},
+			Groups:              []string{devGroupID, opsGroupID},
+			AccessControlGroups: []string{devGroupID},
+		},
+		routeHA1ID: {
+			ID: routeHA1ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
+			Peer:        peers["peer-80"].Key,
+			PeerID:      "peer-80",
+			Description: "HA Route 1", Enabled: true, Metric: 1000,
+			PeerGroups:          []string{allGroupID},
+			Groups:              []string{allGroupID},
+			AccessControlGroups: []string{allGroupID},
+		},
+		routeHA2ID: {
+			ID: routeHA2ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
+			Peer:        peers["peer-90"].Key,
+			PeerID:      "peer-90",
+			Description: "HA Route 2", Enabled: true, Metric: 900,
+			PeerGroups:          []string{devGroupID, opsGroupID},
+			Groups:              []string{devGroupID, opsGroupID},
+			AccessControlGroups: []string{allGroupID},
+		},
+	}
+
+	account := &Account{
+		Id: testAccountID, Peers: peers, Groups: groups, Policies: policies, Routes: routes,
+		Network: &Network{
+			Identifier: "net-comparison-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
+		},
+		DNSSettings: DNSSettings{DisabledManagementGroups: []string{opsGroupID}},
+		NameServerGroups: map[string]*nbdns.NameServerGroup{
+			nameserverGroupID: {
+				ID: nameserverGroupID, Name: "Main NS", Enabled: true, Groups: []string{devGroupID},
+				NameServers: []nbdns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53}},
+			},
+		},
+		PostureChecks: []*posture.Checks{
+			{ID: postureCheckID, Name: "Check version", Checks: posture.ChecksDefinition{
+				NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
+			}},
+		},
+		NetworkResources: []*resourceTypes.NetworkResource{
+			{ID: networkResourceID, NetworkID: networkID, AccountID: testAccountID, Enabled: true, Address: "db.netbird.cloud"},
+		},
+		Networks: []*networkTypes.Network{{ID: networkID, Name: "DB Network", AccountID: testAccountID}},
+		NetworkRouters: []*routerTypes.NetworkRouter{
+			{ID: networkRouterID, NetworkID: networkID, Peer: routingPeerID, Enabled: true, AccountID: testAccountID},
+		},
+		Settings: &Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: 1 * time.Hour},
+	}
+
+	for _, p := range account.Policies {
+		p.AccountID = account.Id
+	}
+	for _, r := range account.Routes {
+		r.AccountID = account.Id
+	}
+
+	return account
+}
+
+func BenchmarkLegacyNetworkMap(b *testing.B) {
+	account := createTestAccount()
+	ctx := context.Background()
+	peerID := testingPeerID
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		pid := fmt.Sprintf("peer-%d", i)
+		if pid != offlinePeerID {
+			validatedPeersMap[pid] = struct{}{}
+		}
+	}
+
+	peersCustomZone := nbdns.CustomZone{}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = account.GetPeerNetworkMap(
+			ctx,
+			peerID,
+			peersCustomZone,
+			nil,
+			validatedPeersMap,
+			resourcePolicies,
+			routers,
+			nil,
+			groupIDToUserIDs,
+		)
+	}
+}
+
+func BenchmarkComponentsNetworkMap(b *testing.B) {
+	account := createTestAccount()
+	ctx := context.Background()
+	peerID := testingPeerID
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		pid := fmt.Sprintf("peer-%d", i)
+		if pid != offlinePeerID {
+			validatedPeersMap[pid] = struct{}{}
+		}
+	}
+
+	peersCustomZone := nbdns.CustomZone{}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		components := account.GetPeerNetworkMapComponents(
+			ctx,
+			peerID,
+			peersCustomZone,
+			nil,
+			validatedPeersMap,
+			resourcePolicies,
+			routers,
+			groupIDToUserIDs,
+		)
+		_ = CalculateNetworkMapFromComponents(ctx, components)
+	}
+}
+
+func BenchmarkComponentsCreation(b *testing.B) {
+	account := createTestAccount()
+	ctx := context.Background()
+	peerID := testingPeerID
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		pid := fmt.Sprintf("peer-%d", i)
+		if pid != offlinePeerID {
+			validatedPeersMap[pid] = struct{}{}
+		}
+	}
+
+	peersCustomZone := nbdns.CustomZone{}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = account.GetPeerNetworkMapComponents(
+			ctx,
+			peerID,
+			peersCustomZone,
+			nil,
+			validatedPeersMap,
+			resourcePolicies,
+			routers,
+			groupIDToUserIDs,
+		)
+	}
+}
+
+func BenchmarkCalculationFromComponents(b *testing.B) {
+	account := createTestAccount()
+	ctx := context.Background()
+	peerID := testingPeerID
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		pid := fmt.Sprintf("peer-%d", i)
+		if pid != offlinePeerID {
+			validatedPeersMap[pid] = struct{}{}
+		}
+	}
+
+	peersCustomZone := nbdns.CustomZone{}
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+	groupIDToUserIDs := account.GetActiveGroupUsers()
+
+	components := account.GetPeerNetworkMapComponents(
+		ctx,
+		peerID,
+		peersCustomZone,
+		nil,
+		validatedPeersMap,
+		resourcePolicies,
+		routers,
+		groupIDToUserIDs,
+	)
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = CalculateNetworkMapFromComponents(ctx, components)
+	}
+}

management/server/types/networkmap_components.go

@@ -19,6 +19,8 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
+const EnvNewNetworkMapCompacted = "NB_NETWORK_MAP_COMPACTED"
+
 type NetworkMapComponents struct {
 	PeerID string
 

management/server/types/networkmap_components_test.go

@@ -1,787 +0,0 @@
-package types_test
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
-)
-
-func networkMapFromComponents(t *testing.T, account *types.Account, peerID string, validatedPeers map[string]struct{}) *types.NetworkMap {
-	t.Helper()
-	return account.GetPeerNetworkMapFromComponents(
-		context.Background(),
-		peerID,
-		account.GetPeersCustomZone(context.Background(), "netbird.io"),
-		nil,
-		validatedPeers,
-		account.GetResourcePoliciesMap(),
-		account.GetResourceRoutersMap(),
-		nil,
-		account.GetActiveGroupUsers(),
-	)
-}
-
-func allPeersValidated(account *types.Account, excludePeerIDs ...string) map[string]struct{} {
-	excludeSet := make(map[string]struct{}, len(excludePeerIDs))
-	for _, id := range excludePeerIDs {
-		excludeSet[id] = struct{}{}
-	}
-	validated := make(map[string]struct{}, len(account.Peers))
-	for id := range account.Peers {
-		if _, excluded := excludeSet[id]; !excluded {
-			validated[id] = struct{}{}
-		}
-	}
-	return validated
-}
-
-func peerIDs(peers []*nbpeer.Peer) []string {
-	ids := make([]string, len(peers))
-	for i, p := range peers {
-		ids[i] = p.ID
-	}
-	return ids
-}
-
-func TestNetworkMapComponents_RegularPeerConnectivity(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	assert.NotNil(t, nm)
-	assert.Contains(t, peerIDs(nm.Peers), "peer-dst-1", "should see peer from destination group via bidirectional policy")
-	assert.Contains(t, peerIDs(nm.Peers), "peer-router-1", "should see router peer via resource policy")
-	assert.NotContains(t, peerIDs(nm.Peers), "peer-src-1", "should not see itself")
-	assert.Empty(t, nm.OfflinePeers, "no expired peers expected")
-}
-
-func TestNetworkMapComponents_IntraGroupConnectivity(t *testing.T) {
-	account := createComponentTestAccount()
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-intra-src", Name: "Intra-source connectivity", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-intra-src", Name: "src <-> src", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Bidirectional: true,
-			Sources:       []string{"group-src"}, Destinations: []string{"group-src"},
-		}},
-	})
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-	assert.Contains(t, peerIDs(nm.Peers), "peer-src-2", "should see peer from same group with intra-group policy")
-}
-
-func TestNetworkMapComponents_FirewallRules(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	require.NotEmpty(t, nm.FirewallRules, "firewall rules should be generated")
-
-	var hasAcceptAll bool
-	for _, rule := range nm.FirewallRules {
-		if rule.Protocol == string(types.PolicyRuleProtocolALL) && rule.Action == string(types.PolicyTrafficActionAccept) {
-			hasAcceptAll = true
-		}
-	}
-	assert.True(t, hasAcceptAll, "should have an accept-all firewall rule from the base policy")
-}
-
-func TestNetworkMapComponents_LoginExpiration(t *testing.T) {
-	account := createComponentTestAccount()
-	account.Settings.PeerLoginExpirationEnabled = true
-	account.Settings.PeerLoginExpiration = 1 * time.Hour
-
-	expiredTime := time.Now().Add(-2 * time.Hour)
-	account.Peers["peer-dst-1"].LoginExpirationEnabled = true
-	account.Peers["peer-dst-1"].LastLogin = &expiredTime
-
-	validated := allPeersValidated(account)
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	assert.Contains(t, peerIDs(nm.OfflinePeers), "peer-dst-1", "expired peer should be in OfflinePeers")
-	assert.NotContains(t, peerIDs(nm.Peers), "peer-dst-1", "expired peer should NOT be in active Peers")
-}
-
-func TestNetworkMapComponents_InvalidatedPeerExcluded(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account, "peer-dst-1")
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	assert.NotContains(t, peerIDs(nm.Peers), "peer-dst-1", "non-validated peer should be excluded")
-	assert.NotContains(t, peerIDs(nm.OfflinePeers), "peer-dst-1", "non-validated peer should not be in offline peers either")
-}
-
-func TestNetworkMapComponents_NonValidatedTargetPeer(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account, "peer-src-1")
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	assert.Empty(t, nm.Peers, "non-validated target peer should get empty network map")
-	assert.Empty(t, nm.FirewallRules)
-}
-
-func TestNetworkMapComponents_NetworkResourceRoutes_SourcePeer(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	var hasResourceRoute bool
-	for _, r := range nm.Routes {
-		if r.Network.String() == "10.200.0.1/32" {
-			hasResourceRoute = true
-			break
-		}
-	}
-	assert.True(t, hasResourceRoute, "source peer should receive route to network resource via router")
-	assert.Contains(t, peerIDs(nm.Peers), "peer-router-1", "source peer should see the routing peer")
-}
-
-func TestNetworkMapComponents_NetworkResourceRoutes_RouterPeer(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
-
-	var hasResourceRoute bool
-	for _, r := range nm.Routes {
-		if r.Network.String() == "10.200.0.1/32" {
-			hasResourceRoute = true
-			break
-		}
-	}
-	assert.True(t, hasResourceRoute, "router peer should receive network resource route")
-	assert.NotEmpty(t, nm.RoutesFirewallRules, "router peer should have route firewall rules for the resource")
-}
-
-func TestNetworkMapComponents_NetworkResourceRoutes_UnrelatedPeer(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
-
-	for _, r := range nm.Routes {
-		assert.NotEqual(t, "10.200.0.1/32", r.Network.String(), "unrelated peer should not receive network resource route")
-	}
-}
-
-func TestNetworkMapComponents_NetworkResource_WithPostureCheck(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.PostureChecks = []*posture.Checks{
-		{ID: "pc-version", Name: "Version check", Checks: posture.ChecksDefinition{
-			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.30.0"},
-		}},
-	}
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-posture-resource", Name: "Posture resource access", Enabled: true, AccountID: account.Id,
-		SourcePostureChecks: []string{"pc-version"},
-		Rules: []*types.PolicyRule{{
-			ID: "rule-posture-resource", Name: "Posture -> Resource", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Sources:             []string{"group-src"},
-			DestinationResource: types.Resource{ID: "resource-guarded"},
-		}},
-	})
-
-	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
-		ID: "resource-guarded", NetworkID: "net-guarded", AccountID: account.Id, Enabled: true,
-		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.1.1/32"), Address: "10.200.1.1/32",
-	})
-	account.Networks = append(account.Networks, &networkTypes.Network{
-		ID: "net-guarded", Name: "Guarded Net", AccountID: account.Id,
-	})
-	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
-		ID: "router-guarded", NetworkID: "net-guarded", Peer: "peer-router-1", Enabled: true, AccountID: account.Id,
-	})
-
-	t.Run("peer passes posture check", func(t *testing.T) {
-		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
-		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-		var hasGuardedRoute bool
-		for _, r := range nm.Routes {
-			if r.Network.String() == "10.200.1.1/32" {
-				hasGuardedRoute = true
-			}
-		}
-		assert.True(t, hasGuardedRoute, "peer passing posture check should get guarded resource route")
-	})
-
-	t.Run("peer fails posture check", func(t *testing.T) {
-		account.Peers["peer-src-1"].Meta.WtVersion = "0.20.0"
-		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-		for _, r := range nm.Routes {
-			assert.NotEqual(t, "10.200.1.1/32", r.Network.String(), "peer failing posture check should NOT get guarded resource route")
-		}
-	})
-}
-
-func TestNetworkMapComponents_NetworkResource_MultiplePostureChecks(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.PostureChecks = []*posture.Checks{
-		{ID: "pc-version", Name: "Version", Checks: posture.ChecksDefinition{
-			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.30.0"},
-		}},
-		{ID: "pc-os", Name: "OS check", Checks: posture.ChecksDefinition{
-			OSVersionCheck: &posture.OSVersionCheck{Linux: &posture.MinKernelVersionCheck{MinKernelVersion: "5.0"}},
-		}},
-	}
-
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-multi-posture", Name: "Multi posture", Enabled: true, AccountID: account.Id,
-		SourcePostureChecks: []string{"pc-version", "pc-os"},
-		Rules: []*types.PolicyRule{{
-			ID: "rule-multi-posture", Name: "Multi posture rule", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Sources:             []string{"group-src"},
-			DestinationResource: types.Resource{ID: "resource-strict"},
-		}},
-	})
-
-	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
-		ID: "resource-strict", NetworkID: "net-strict", AccountID: account.Id, Enabled: true,
-		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.2.1/32"), Address: "10.200.2.1/32",
-	})
-	account.Networks = append(account.Networks, &networkTypes.Network{
-		ID: "net-strict", Name: "Strict Net", AccountID: account.Id,
-	})
-	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
-		ID: "router-strict", NetworkID: "net-strict", Peer: "peer-router-1", Enabled: true, AccountID: account.Id,
-	})
-
-	t.Run("passes both posture checks", func(t *testing.T) {
-		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
-		account.Peers["peer-src-1"].Meta.GoOS = "linux"
-		account.Peers["peer-src-1"].Meta.KernelVersion = "6.1.0"
-		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-		var found bool
-		for _, r := range nm.Routes {
-			if r.Network.String() == "10.200.2.1/32" {
-				found = true
-			}
-		}
-		assert.True(t, found, "peer passing both checks should get resource route")
-	})
-
-	t.Run("fails version posture check", func(t *testing.T) {
-		account.Peers["peer-src-1"].Meta.WtVersion = "0.20.0"
-		account.Peers["peer-src-1"].Meta.KernelVersion = "6.1.0"
-		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-		for _, r := range nm.Routes {
-			assert.NotEqual(t, "10.200.2.1/32", r.Network.String(), "peer failing version check should NOT get resource route")
-		}
-	})
-
-	t.Run("fails OS posture check", func(t *testing.T) {
-		account.Peers["peer-src-1"].Meta.WtVersion = "0.35.0"
-		account.Peers["peer-src-1"].Meta.KernelVersion = "4.0.0"
-		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-		for _, r := range nm.Routes {
-			assert.NotEqual(t, "10.200.2.1/32", r.Network.String(), "peer failing OS check should NOT get resource route")
-		}
-	})
-}
-
-func TestNetworkMapComponents_RouterPeerFirewallRules(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
-
-	var resourceFWRules []*types.RouteFirewallRule
-	for _, rule := range nm.RoutesFirewallRules {
-		if rule.Destination == "10.200.0.1/32" {
-			resourceFWRules = append(resourceFWRules, rule)
-		}
-	}
-	assert.NotEmpty(t, resourceFWRules, "router should have firewall rules for the network resource")
-
-	var hasSourcePeerIP bool
-	for _, rule := range resourceFWRules {
-		for _, sr := range rule.SourceRanges {
-			if sr == account.Peers["peer-src-1"].IP.String()+"/32" || sr == account.Peers["peer-src-2"].IP.String()+"/32" {
-				hasSourcePeerIP = true
-			}
-		}
-	}
-	assert.True(t, hasSourcePeerIP, "resource firewall rules should include source peer IPs")
-}
-
-func TestNetworkMapComponents_DNSManagement(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	t.Run("peer in DNS-enabled group", func(t *testing.T) {
-		nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-		assert.True(t, nm.DNSConfig.ServiceEnable, "peer in non-disabled group should have DNS enabled")
-	})
-
-	t.Run("peer in DNS-disabled group", func(t *testing.T) {
-		nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
-		assert.False(t, nm.DNSConfig.ServiceEnable, "peer in DNS-disabled group should have DNS disabled")
-	})
-}
-
-func TestNetworkMapComponents_NameServerGroups(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-	assert.True(t, nm.DNSConfig.ServiceEnable)
-
-	var hasNSGroup bool
-	for _, ns := range nm.DNSConfig.NameServerGroups {
-		if ns.ID == "ns-main" {
-			hasNSGroup = true
-		}
-	}
-	assert.True(t, hasNSGroup, "peer in NS group should receive nameserver configuration")
-}
-
-func TestNetworkMapComponents_RoutesWithHADeduplication(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.Routes["route-ha-1"] = &route.Route{
-		ID: "route-ha-1", Network: netip.MustParsePrefix("172.16.0.0/16"),
-		Peer: account.Peers["peer-dst-1"].Key, PeerID: "peer-dst-1",
-		Enabled: true, Metric: 100, AccountID: account.Id,
-		Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-dst"},
-	}
-	account.Routes["route-ha-2"] = &route.Route{
-		ID: "route-ha-2", Network: netip.MustParsePrefix("172.16.0.0/16"),
-		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
-		Enabled: true, Metric: 200, AccountID: account.Id,
-		Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-src"},
-	}
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	haCount := 0
-	for _, r := range nm.Routes {
-		if r.Network.String() == "172.16.0.0/16" {
-			haCount++
-		}
-	}
-	assert.Equal(t, 1, haCount, "peer should only receive one route from HA group (not both, since it's a member of one)")
-}
-
-func TestNetworkMapComponents_RoutesFirewallRulesForAccessControl(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.Routes["route-acl"] = &route.Route{
-		ID: "route-acl", Network: netip.MustParsePrefix("192.168.100.0/24"),
-		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
-		Enabled: true, Metric: 100, AccountID: account.Id,
-		Groups:              []string{"group-dst"},
-		PeerGroups:          []string{"group-src"},
-		AccessControlGroups: []string{"group-dst"},
-	}
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	var hasFWRule bool
-	for _, rule := range nm.RoutesFirewallRules {
-		if rule.Destination == "192.168.100.0/24" {
-			hasFWRule = true
-		}
-	}
-	assert.True(t, hasFWRule, "routing peer should have firewall rules for route with access control groups")
-}
-
-func TestNetworkMapComponents_RoutesDefaultPermit(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.Routes["route-open"] = &route.Route{
-		ID: "route-open", Network: netip.MustParsePrefix("10.99.0.0/16"),
-		Peer: account.Peers["peer-src-1"].Key, PeerID: "peer-src-1",
-		Enabled: true, Metric: 100, AccountID: account.Id,
-		Groups:     []string{"group-src"},
-		PeerGroups: []string{"group-src"},
-	}
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	var hasFWRule bool
-	for _, rule := range nm.RoutesFirewallRules {
-		if rule.Destination == "10.99.0.0/16" {
-			hasFWRule = true
-		}
-	}
-	assert.True(t, hasFWRule, "route without access control groups should have default permit firewall rules")
-}
-
-func TestNetworkMapComponents_SSHAuthorizedUsers(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.Peers["peer-dst-1"].SSHEnabled = true
-
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-ssh", Name: "SSH Access", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-ssh", Name: "SSH to dst", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Bidirectional: true,
-			Sources:       []string{"group-src"}, Destinations: []string{"group-dst"},
-		}},
-	})
-
-	nm := networkMapFromComponents(t, account, "peer-dst-1", validated)
-	assert.True(t, nm.EnableSSH, "SSH-enabled peer with matching policy should have EnableSSH")
-}
-
-func TestNetworkMapComponents_DisabledPolicyIgnored(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	for _, p := range account.Policies {
-		p.Enabled = false
-	}
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-	assert.Empty(t, nm.Peers, "with all policies disabled, peer should see no other peers")
-	assert.Empty(t, nm.FirewallRules)
-}
-
-func TestNetworkMapComponents_DisabledRouteIgnored(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	for _, r := range account.Routes {
-		r.Enabled = false
-	}
-	for _, r := range account.NetworkResources {
-		r.Enabled = false
-	}
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-	assert.Empty(t, nm.Routes, "disabled routes should not appear in network map")
-}
-
-func TestNetworkMapComponents_DisabledNetworkResourceIgnored(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	for _, r := range account.NetworkResources {
-		r.Enabled = false
-	}
-
-	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
-
-	for _, r := range nm.Routes {
-		assert.NotEqual(t, "10.200.0.1/32", r.Network.String(), "disabled resource should not generate routes")
-	}
-}
-
-func TestNetworkMapComponents_BidirectionalPolicy(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nmSrc := networkMapFromComponents(t, account, "peer-src-1", validated)
-	nmDst := networkMapFromComponents(t, account, "peer-dst-1", validated)
-
-	assert.Contains(t, peerIDs(nmSrc.Peers), "peer-dst-1", "src should see dst via bidirectional policy")
-	assert.Contains(t, peerIDs(nmDst.Peers), "peer-src-1", "dst should see src via bidirectional policy")
-}
-
-func TestNetworkMapComponents_DropPolicy(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-drop", Name: "Drop traffic", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-drop", Name: "Drop src->dst", Enabled: true,
-			Action: types.PolicyTrafficActionDrop, Protocol: types.PolicyRuleProtocolTCP,
-			Ports:   []string{"5432"},
-			Sources: []string{"group-src"}, Destinations: []string{"group-dst"},
-		}},
-	})
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	var hasDropRule bool
-	for _, rule := range nm.FirewallRules {
-		if rule.Action == string(types.PolicyTrafficActionDrop) && rule.Port == "5432" {
-			hasDropRule = true
-		}
-	}
-	assert.True(t, hasDropRule, "drop policy should generate drop firewall rule")
-}
-
-func TestNetworkMapComponents_PortRangePolicy(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.Peers["peer-src-1"].Meta.WtVersion = "0.50.0"
-
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-range", Name: "Port range", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-range", Name: "Range rule", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolTCP,
-			PortRanges: []types.RulePortRange{{Start: 8080, End: 8090}},
-			Sources:    []string{"group-src"}, Destinations: []string{"group-dst"},
-		}},
-	})
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	var hasRangeRule bool
-	for _, rule := range nm.FirewallRules {
-		if rule.PortRange.Start == 8080 && rule.PortRange.End == 8090 {
-			hasRangeRule = true
-		}
-	}
-	assert.True(t, hasRangeRule, "port range policy should generate corresponding firewall rule")
-}
-
-func TestNetworkMapComponents_MultipleNetworkResources(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
-		ID: "resource-2", NetworkID: "net-1", AccountID: account.Id, Enabled: true,
-		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.0.2/32"), Address: "10.200.0.2/32",
-	})
-	account.Groups["group-res2"] = &types.Group{ID: "group-res2", Name: "Resource 2 Group", Peers: []string{"peer-src-1", "peer-src-2"},
-		Resources: []types.Resource{{ID: "resource-2"}},
-	}
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-res2", Name: "Resource 2 Policy", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-res2", Name: "Access Resource 2", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Sources:             []string{"group-src"},
-			DestinationResource: types.Resource{ID: "resource-2"},
-		}},
-	})
-
-	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
-
-	resourceRouteCount := 0
-	for _, r := range nm.Routes {
-		if r.Network.String() == "10.200.0.1/32" || r.Network.String() == "10.200.0.2/32" {
-			resourceRouteCount++
-		}
-	}
-	assert.Equal(t, 2, resourceRouteCount, "router should have routes for both network resources")
-}
-
-func TestNetworkMapComponents_DomainNetworkResource(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
-		ID: "resource-domain", NetworkID: "net-1", AccountID: account.Id, Enabled: true,
-		Type: resourceTypes.Domain, Domain: "api.example.com", Address: "api.example.com",
-	})
-	account.Groups["group-res-domain"] = &types.Group{
-		ID: "group-res-domain", Name: "Domain Resource Group",
-		Resources: []types.Resource{{ID: "resource-domain"}},
-	}
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-domain", Name: "Domain resource policy", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-domain", Name: "Access domain resource", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Sources:             []string{"group-src"},
-			DestinationResource: types.Resource{ID: "resource-domain"},
-		}},
-	})
-
-	nm := networkMapFromComponents(t, account, "peer-src-1", validated)
-
-	var hasDomainRoute bool
-	for _, r := range nm.Routes {
-		if r.NetworkType == route.DomainNetwork && len(r.Domains) > 0 && r.Domains[0].SafeString() == "api.example.com" {
-			hasDomainRoute = true
-		}
-	}
-	assert.True(t, hasDomainRoute, "source peer should receive domain route for domain network resource")
-}
-
-func TestNetworkMapComponents_NetworkEmpty(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	nm := networkMapFromComponents(t, account, "nonexistent-peer", validated)
-
-	assert.NotNil(t, nm)
-	assert.Empty(t, nm.Peers)
-	assert.Empty(t, nm.FirewallRules)
-	assert.NotNil(t, nm.Network)
-}
-
-func TestNetworkMapComponents_RouterExcludesOtherNetworkRoutes(t *testing.T) {
-	account := createComponentTestAccount()
-	validated := allPeersValidated(account)
-
-	account.NetworkResources = append(account.NetworkResources, &resourceTypes.NetworkResource{
-		ID: "resource-other", NetworkID: "net-other", AccountID: account.Id, Enabled: true,
-		Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.99.1/32"), Address: "10.200.99.1/32",
-	})
-	account.Networks = append(account.Networks, &networkTypes.Network{
-		ID: "net-other", Name: "Other Net", AccountID: account.Id,
-	})
-	account.NetworkRouters = append(account.NetworkRouters, &routerTypes.NetworkRouter{
-		ID: "router-other", NetworkID: "net-other", Peer: "peer-dst-1", Enabled: true, AccountID: account.Id,
-	})
-	account.Groups["group-res-other"] = &types.Group{ID: "group-res-other", Name: "Other resource group",
-		Resources: []types.Resource{{ID: "resource-other"}},
-	}
-	account.Policies = append(account.Policies, &types.Policy{
-		ID: "policy-other-resource", Name: "Other resource policy", Enabled: true, AccountID: account.Id,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-other", Name: "Other resource access", Enabled: true,
-			Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-			Sources:             []string{"group-src"},
-			DestinationResource: types.Resource{ID: "resource-other"},
-		}},
-	})
-
-	nm := networkMapFromComponents(t, account, "peer-router-1", validated)
-
-	for _, r := range nm.Routes {
-		assert.NotEqual(t, "10.200.99.1/32", r.Network.String(), "router-1 should NOT get routes for other network's resources")
-	}
-}
-
-func createComponentTestAccount() *types.Account {
-	peers := map[string]*nbpeer.Peer{
-		"peer-src-1": {
-			ID: "peer-src-1", IP: net.IP{100, 64, 0, 1}, Key: "key-src-1", DNSLabel: "src1",
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
-			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
-		},
-		"peer-src-2": {
-			ID: "peer-src-2", IP: net.IP{100, 64, 0, 2}, Key: "key-src-2", DNSLabel: "src2",
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
-			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
-		},
-		"peer-dst-1": {
-			ID: "peer-dst-1", IP: net.IP{100, 64, 0, 3}, Key: "key-dst-1", DNSLabel: "dst1",
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-2",
-			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
-		},
-		"peer-router-1": {
-			ID: "peer-router-1", IP: net.IP{100, 64, 0, 10}, Key: "key-router-1", DNSLabel: "router1",
-			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()}, UserID: "user-1",
-			Meta: nbpeer.PeerSystemMeta{WtVersion: "0.35.0", GoOS: "linux"},
-		},
-	}
-
-	groups := map[string]*types.Group{
-		"group-src": {ID: "group-src", Name: "Sources", Peers: []string{"peer-src-1", "peer-src-2"}},
-		"group-dst": {ID: "group-dst", Name: "Destinations", Peers: []string{"peer-dst-1"}},
-		"group-all": {ID: "group-all", Name: "All", Peers: []string{"peer-src-1", "peer-src-2", "peer-dst-1", "peer-router-1"}},
-		"group-res": {
-			ID: "group-res", Name: "Resource Group",
-			Resources: []types.Resource{{ID: "resource-1"}},
-		},
-	}
-
-	policies := []*types.Policy{
-		{
-			ID: "policy-base", Name: "Base connectivity", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: "rule-base", Name: "Allow src <-> dst", Enabled: true,
-				Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-				Bidirectional: true,
-				Sources:       []string{"group-src"}, Destinations: []string{"group-dst"},
-			}},
-		},
-		{
-			ID: "policy-resource", Name: "Network resource access", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				ID: "rule-resource", Name: "Source -> Resource", Enabled: true,
-				Action: types.PolicyTrafficActionAccept, Protocol: types.PolicyRuleProtocolALL,
-				Sources:             []string{"group-src"},
-				DestinationResource: types.Resource{ID: "resource-1"},
-			}},
-		},
-	}
-
-	routes := map[route.ID]*route.Route{
-		"route-main": {
-			ID: "route-main", Network: netip.MustParsePrefix("192.168.10.0/24"),
-			Peer: peers["peer-dst-1"].Key, PeerID: "peer-dst-1",
-			Enabled: true, Metric: 100,
-			Groups: []string{"group-src", "group-dst"}, PeerGroups: []string{"group-dst"},
-		},
-	}
-
-	users := map[string]*types.User{
-		"user-1": {Id: "user-1", Role: types.UserRoleAdmin, IsServiceUser: false, AutoGroups: []string{"group-all"}},
-		"user-2": {Id: "user-2", Role: types.UserRoleUser, IsServiceUser: false, AutoGroups: []string{"group-all"}},
-	}
-
-	account := &types.Account{
-		Id: "account-components-test", Peers: peers, Groups: groups, Policies: policies, Routes: routes,
-		Users: users,
-		Network: &types.Network{
-			Identifier: "net-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
-		},
-		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{"group-dst"}},
-		NameServerGroups: map[string]*nbdns.NameServerGroup{
-			"ns-main": {
-				ID: "ns-main", Name: "Main NS", Enabled: true, Groups: []string{"group-src"},
-				NameServers: []nbdns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53}},
-			},
-		},
-		PostureChecks: []*posture.Checks{},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{
-				ID: "resource-1", NetworkID: "net-1", AccountID: "account-components-test", Enabled: true,
-				Type: resourceTypes.Host, Prefix: netip.MustParsePrefix("10.200.0.1/32"), Address: "10.200.0.1/32",
-			},
-		},
-		Networks: []*networkTypes.Network{
-			{ID: "net-1", Name: "Resource Net", AccountID: "account-components-test"},
-		},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{ID: "router-1", NetworkID: "net-1", Peer: "peer-router-1", Enabled: true, AccountID: "account-components-test"},
-		},
-		Settings: &types.Settings{PeerLoginExpirationEnabled: false, PeerLoginExpiration: 24 * time.Hour},
-	}
-
-	for _, p := range account.Policies {
-		p.AccountID = account.Id
-	}
-	for _, r := range account.Routes {
-		r.AccountID = account.Id
-	}
-
-	return account
-}

management/server/types/networkmap_golden_test.go

@@ -0,0 +1,967 @@
+package types_test
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/netip"
+	"os"
+	"path/filepath"
+	"slices"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/internals/modules/zones"
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/route"
+)
+
+const (
+	numPeers          = 100
+	devGroupID        = "group-dev"
+	opsGroupID        = "group-ops"
+	allGroupID        = "group-all"
+	sshUsersGroupID   = "group-ssh-users"
+	routeID           = route.ID("route-main")
+	routeHA1ID        = route.ID("route-ha-1")
+	routeHA2ID        = route.ID("route-ha-2")
+	policyIDDevOps    = "policy-dev-ops"
+	policyIDAll       = "policy-all"
+	policyIDPosture   = "policy-posture"
+	policyIDDrop      = "policy-drop"
+	policyIDSSH       = "policy-ssh"
+	postureCheckID    = "posture-check-ver"
+	networkResourceID = "res-database"
+	networkID         = "net-database"
+	networkRouterID   = "router-database"
+	nameserverGroupID = "ns-group-main"
+	testingPeerID     = "peer-60" // A peer from the "dev" group, should receive the most detailed map.
+	expiredPeerID     = "peer-98" // This peer will be online but with an expired session.
+	offlinePeerID     = "peer-99" // This peer will be completely offline.
+	routingPeerID     = "peer-95" // This peer is used for routing, it has a route to the network.
+	testAccountID     = "account-golden-test"
+	userAdminID       = "user-admin"
+	userDevID         = "user-dev"
+	userOpsID         = "user-ops"
+)
+
+func TestGetPeerNetworkMap_Golden(t *testing.T) {
+	account := createTestAccountWithEntities()
+
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		if peerID == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[peerID] = struct{}{}
+	}
+
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	normalizeAndSortNetworkMap(legacyNetworkMap)
+	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling legacy network map to JSON")
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+	normalizeAndSortNetworkMap(newNetworkMap)
+	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling new network map to JSON")
+
+	if string(legacyJSON) != string(newJSON) {
+		legacyFilePath := filepath.Join("testdata", "networkmap_golden.json")
+		newFilePath := filepath.Join("testdata", "networkmap_golden_new.json")
+
+		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
+		require.NoError(t, err)
+
+		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved legacy network map to %s", legacyFilePath)
+
+		err = os.WriteFile(newFilePath, newJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved new network map to %s", newFilePath)
+
+		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps from legacy and new builder do not match")
+	}
+}
+
+func BenchmarkGetPeerNetworkMap(b *testing.B) {
+	account := createTestAccountWithEntities()
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	var peerIDs []string
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		validatedPeersMap[peerID] = struct{}{}
+		peerIDs = append(peerIDs, peerID)
+	}
+
+	b.ResetTimer()
+	b.Run("old builder", func(b *testing.B) {
+		for range b.N {
+			for _, peerID := range peerIDs {
+				_ = account.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+			}
+		}
+	})
+	b.ResetTimer()
+	b.Run("new builder", func(b *testing.B) {
+		for range b.N {
+			builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+			for _, peerID := range peerIDs {
+				_ = builder.GetPeerNetworkMap(ctx, peerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+			}
+		}
+	})
+}
+
+func TestGetPeerNetworkMap_Golden_WithNewPeer(t *testing.T) {
+	account := createTestAccountWithEntities()
+
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		if peerID == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[peerID] = struct{}{}
+	}
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+
+	newPeerID := "peer-new-101"
+	newPeerIP := net.IP{100, 64, 1, 1}
+	newPeer := &nbpeer.Peer{
+		ID:        newPeerID,
+		IP:        newPeerIP,
+		Key:       fmt.Sprintf("key-%s", newPeerID),
+		DNSLabel:  "peernew101",
+		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+		UserID:    "user-admin",
+		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
+		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
+	}
+
+	account.Peers[newPeerID] = newPeer
+
+	if devGroup, exists := account.Groups[devGroupID]; exists {
+		devGroup.Peers = append(devGroup.Peers, newPeerID)
+	}
+
+	if allGroup, exists := account.Groups[allGroupID]; exists {
+		allGroup.Peers = append(allGroup.Peers, newPeerID)
+	}
+
+	validatedPeersMap[newPeerID] = struct{}{}
+
+	if account.Network != nil {
+		account.Network.Serial++
+	}
+
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	normalizeAndSortNetworkMap(legacyNetworkMap)
+	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling legacy network map to JSON")
+
+	err = builder.OnPeerAddedIncremental(account, newPeerID)
+	require.NoError(t, err, "error adding peer to cache")
+
+	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+	normalizeAndSortNetworkMap(newNetworkMap)
+	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling new network map to JSON")
+
+	if string(legacyJSON) != string(newJSON) {
+		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_new_peer.json")
+		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded.json")
+
+		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
+		require.NoError(t, err)
+
+		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved legacy network map to %s", legacyFilePath)
+
+		err = os.WriteFile(newFilePath, newJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved new network map to %s", newFilePath)
+
+		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with new peer from legacy and new builder do not match")
+	}
+}
+
+func BenchmarkGetPeerNetworkMap_AfterPeerAdded(b *testing.B) {
+	account := createTestAccountWithEntities()
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	var peerIDs []string
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		validatedPeersMap[peerID] = struct{}{}
+		peerIDs = append(peerIDs, peerID)
+	}
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+	newPeerID := "peer-new-101"
+	newPeer := &nbpeer.Peer{
+		ID:       newPeerID,
+		IP:       net.IP{100, 64, 1, 1},
+		Key:      fmt.Sprintf("key-%s", newPeerID),
+		DNSLabel: "peernew101",
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+		UserID:   "user-admin",
+		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
+	}
+
+	account.Peers[newPeerID] = newPeer
+	account.Groups[devGroupID].Peers = append(account.Groups[devGroupID].Peers, newPeerID)
+	account.Groups[allGroupID].Peers = append(account.Groups[allGroupID].Peers, newPeerID)
+	validatedPeersMap[newPeerID] = struct{}{}
+
+	b.ResetTimer()
+	b.Run("old builder after add", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			for _, testingPeerID := range peerIDs {
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+			}
+		}
+	})
+
+	b.ResetTimer()
+	b.Run("new builder after add", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = builder.OnPeerAddedIncremental(account, newPeerID)
+			for _, testingPeerID := range peerIDs {
+				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+			}
+		}
+	})
+}
+
+func TestGetPeerNetworkMap_Golden_WithNewRoutingPeer(t *testing.T) {
+	account := createTestAccountWithEntities()
+
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		if peerID == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[peerID] = struct{}{}
+	}
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+
+	newRouterID := "peer-new-router-102"
+	newRouterIP := net.IP{100, 64, 1, 2}
+	newRouter := &nbpeer.Peer{
+		ID:        newRouterID,
+		IP:        newRouterIP,
+		Key:       fmt.Sprintf("key-%s", newRouterID),
+		DNSLabel:  "newrouter102",
+		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+		UserID:    "user-admin",
+		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
+		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
+	}
+
+	account.Peers[newRouterID] = newRouter
+
+	if opsGroup, exists := account.Groups[opsGroupID]; exists {
+		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
+	}
+
+	if allGroup, exists := account.Groups[allGroupID]; exists {
+		allGroup.Peers = append(allGroup.Peers, newRouterID)
+	}
+
+	newRoute := &route.Route{
+		ID:                  route.ID("route-new-router"),
+		Network:             netip.MustParsePrefix("172.16.0.0/24"),
+		Peer:                newRouter.Key,
+		PeerID:              newRouterID,
+		Description:         "Route from new router",
+		Enabled:             true,
+		PeerGroups:          []string{opsGroupID},
+		Groups:              []string{devGroupID, opsGroupID},
+		AccessControlGroups: []string{devGroupID},
+		AccountID:           account.Id,
+	}
+	account.Routes[newRoute.ID] = newRoute
+
+	validatedPeersMap[newRouterID] = struct{}{}
+
+	if account.Network != nil {
+		account.Network.Serial++
+	}
+
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	normalizeAndSortNetworkMap(legacyNetworkMap)
+	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling legacy network map to JSON")
+
+	err = builder.OnPeerAddedIncremental(account, newRouterID)
+	require.NoError(t, err, "error adding router to cache")
+
+	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+	normalizeAndSortNetworkMap(newNetworkMap)
+	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling new network map to JSON")
+
+	if string(legacyJSON) != string(newJSON) {
+		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_new_router.json")
+		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded_router.json")
+
+		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
+		require.NoError(t, err)
+
+		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved legacy network map to %s", legacyFilePath)
+
+		err = os.WriteFile(newFilePath, newJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved new network map to %s", newFilePath)
+
+		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with new router from legacy and new builder do not match")
+	}
+}
+
+func BenchmarkGetPeerNetworkMap_AfterRouterPeerAdded(b *testing.B) {
+	account := createTestAccountWithEntities()
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	var peerIDs []string
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		validatedPeersMap[peerID] = struct{}{}
+		peerIDs = append(peerIDs, peerID)
+	}
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+	newRouterID := "peer-new-router-102"
+	newRouterIP := net.IP{100, 64, 1, 2}
+	newRouter := &nbpeer.Peer{
+		ID:        newRouterID,
+		IP:        newRouterIP,
+		Key:       fmt.Sprintf("key-%s", newRouterID),
+		DNSLabel:  "newrouter102",
+		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+		UserID:    "user-admin",
+		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
+		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
+	}
+
+	account.Peers[newRouterID] = newRouter
+
+	if opsGroup, exists := account.Groups[opsGroupID]; exists {
+		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
+	}
+	if allGroup, exists := account.Groups[allGroupID]; exists {
+		allGroup.Peers = append(allGroup.Peers, newRouterID)
+	}
+
+	newRoute := &route.Route{
+		ID:                  route.ID("route-new-router"),
+		Network:             netip.MustParsePrefix("172.16.0.0/24"),
+		Peer:                newRouter.Key,
+		PeerID:              newRouterID,
+		Description:         "Route from new router",
+		Enabled:             true,
+		PeerGroups:          []string{opsGroupID},
+		Groups:              []string{devGroupID, opsGroupID},
+		AccessControlGroups: []string{devGroupID},
+		AccountID:           account.Id,
+	}
+	account.Routes[newRoute.ID] = newRoute
+
+	validatedPeersMap[newRouterID] = struct{}{}
+
+	b.ResetTimer()
+	b.Run("old builder after add", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			for _, testingPeerID := range peerIDs {
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+			}
+		}
+	})
+
+	b.ResetTimer()
+	b.Run("new builder after add", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = builder.OnPeerAddedIncremental(account, newRouterID)
+			for _, testingPeerID := range peerIDs {
+				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+			}
+		}
+	})
+}
+
+func TestGetPeerNetworkMap_Golden_WithDeletedPeer(t *testing.T) {
+	account := createTestAccountWithEntities()
+
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		if peerID == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[peerID] = struct{}{}
+	}
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+
+	deletedPeerID := "peer-25"
+
+	delete(account.Peers, deletedPeerID)
+
+	if devGroup, exists := account.Groups[devGroupID]; exists {
+		devGroup.Peers = slices.DeleteFunc(devGroup.Peers, func(id string) bool {
+			return id == deletedPeerID
+		})
+	}
+
+	if allGroup, exists := account.Groups[allGroupID]; exists {
+		allGroup.Peers = slices.DeleteFunc(allGroup.Peers, func(id string) bool {
+			return id == deletedPeerID
+		})
+	}
+
+	delete(validatedPeersMap, deletedPeerID)
+
+	if account.Network != nil {
+		account.Network.Serial++
+	}
+
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	normalizeAndSortNetworkMap(legacyNetworkMap)
+	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling legacy network map to JSON")
+
+	err = builder.OnPeerDeleted(account, deletedPeerID)
+	require.NoError(t, err, "error deleting peer from cache")
+
+	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+	normalizeAndSortNetworkMap(newNetworkMap)
+	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling new network map to JSON")
+
+	if string(legacyJSON) != string(newJSON) {
+		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_deleted_peer.json")
+		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeerdeleted.json")
+
+		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
+		require.NoError(t, err)
+
+		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved legacy network map to %s", legacyFilePath)
+
+		err = os.WriteFile(newFilePath, newJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved new network map to %s", newFilePath)
+
+		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with deleted peer from legacy and new builder do not match")
+	}
+}
+
+func TestGetPeerNetworkMap_Golden_WithDeletedRouterPeer(t *testing.T) {
+	account := createTestAccountWithEntities()
+
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		if peerID == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[peerID] = struct{}{}
+	}
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+
+	deletedRouterID := "peer-75"
+
+	var affectedRoute *route.Route
+	for _, r := range account.Routes {
+		if r.PeerID == deletedRouterID {
+			affectedRoute = r
+			break
+		}
+	}
+	require.NotNil(t, affectedRoute, "Router peer should have a route")
+
+	for _, group := range account.Groups {
+		group.Peers = slices.DeleteFunc(group.Peers, func(id string) bool {
+			return id == deletedRouterID
+		})
+	}
+
+	for routeID, r := range account.Routes {
+		if r.Peer == account.Peers[deletedRouterID].Key || r.PeerID == deletedRouterID {
+			delete(account.Routes, routeID)
+		}
+	}
+	delete(account.Peers, deletedRouterID)
+	delete(validatedPeersMap, deletedRouterID)
+
+	if account.Network != nil {
+		account.Network.Serial++
+	}
+
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
+
+	legacyNetworkMap := account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+	normalizeAndSortNetworkMap(legacyNetworkMap)
+	legacyJSON, err := json.MarshalIndent(toNetworkMapJSON(legacyNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling legacy network map to JSON")
+
+	err = builder.OnPeerDeleted(account, deletedRouterID)
+	require.NoError(t, err, "error deleting routing peer from cache")
+
+	newNetworkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+	normalizeAndSortNetworkMap(newNetworkMap)
+	newJSON, err := json.MarshalIndent(toNetworkMapJSON(newNetworkMap), "", "  ")
+	require.NoError(t, err, "error marshaling new network map to JSON")
+
+	if string(legacyJSON) != string(newJSON) {
+		legacyFilePath := filepath.Join("testdata", "networkmap_golden_with_deleted_router_peer.json")
+		newFilePath := filepath.Join("testdata", "networkmap_golden_new_with_deleted_router.json")
+
+		err = os.MkdirAll(filepath.Dir(legacyFilePath), 0755)
+		require.NoError(t, err)
+
+		err = os.WriteFile(legacyFilePath, legacyJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved legacy network map to %s", legacyFilePath)
+
+		err = os.WriteFile(newFilePath, newJSON, 0644)
+		require.NoError(t, err)
+		t.Logf("Saved new network map to %s", newFilePath)
+
+		require.JSONEq(t, string(legacyJSON), string(newJSON), "network maps with deleted router from legacy and new builder do not match")
+	}
+}
+
+func BenchmarkGetPeerNetworkMap_AfterPeerDeleted(b *testing.B) {
+	account := createTestAccountWithEntities()
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	var peerIDs []string
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		validatedPeersMap[peerID] = struct{}{}
+		peerIDs = append(peerIDs, peerID)
+	}
+
+	deletedPeerID := "peer-25"
+
+	delete(account.Peers, deletedPeerID)
+	account.Groups[devGroupID].Peers = slices.DeleteFunc(account.Groups[devGroupID].Peers, func(id string) bool {
+		return id == deletedPeerID
+	})
+	account.Groups[allGroupID].Peers = slices.DeleteFunc(account.Groups[allGroupID].Peers, func(id string) bool {
+		return id == deletedPeerID
+	})
+	delete(validatedPeersMap, deletedPeerID)
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+
+	b.ResetTimer()
+	b.Run("old builder after delete", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			for _, testingPeerID := range peerIDs {
+				_ = account.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, []*zones.Zone{}, validatedPeersMap, nil, nil, nil, account.GetActiveGroupUsers())
+			}
+		}
+	})
+
+	b.ResetTimer()
+	b.Run("new builder after delete", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = builder.OnPeerDeleted(account, deletedPeerID)
+			for _, testingPeerID := range peerIDs {
+				_ = builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+			}
+		}
+	})
+}
+
+func normalizeAndSortNetworkMap(networkMap *types.NetworkMap) {
+	for _, peer := range networkMap.Peers {
+		if peer.Status != nil {
+			peer.Status.LastSeen = time.Time{}
+		}
+		peer.LastLogin = &time.Time{}
+	}
+	for _, peer := range networkMap.OfflinePeers {
+		if peer.Status != nil {
+			peer.Status.LastSeen = time.Time{}
+		}
+		peer.LastLogin = &time.Time{}
+	}
+
+	sort.Slice(networkMap.Peers, func(i, j int) bool { return networkMap.Peers[i].ID < networkMap.Peers[j].ID })
+	sort.Slice(networkMap.OfflinePeers, func(i, j int) bool { return networkMap.OfflinePeers[i].ID < networkMap.OfflinePeers[j].ID })
+	sort.Slice(networkMap.Routes, func(i, j int) bool { return networkMap.Routes[i].ID < networkMap.Routes[j].ID })
+
+	sort.Slice(networkMap.FirewallRules, func(i, j int) bool {
+		r1, r2 := networkMap.FirewallRules[i], networkMap.FirewallRules[j]
+		if r1.PeerIP != r2.PeerIP {
+			return r1.PeerIP < r2.PeerIP
+		}
+		if r1.Protocol != r2.Protocol {
+			return r1.Protocol < r2.Protocol
+		}
+		if r1.Direction != r2.Direction {
+			return r1.Direction < r2.Direction
+		}
+		if r1.Action != r2.Action {
+			return r1.Action < r2.Action
+		}
+		return r1.Port < r2.Port
+	})
+
+	sort.Slice(networkMap.RoutesFirewallRules, func(i, j int) bool {
+		r1, r2 := networkMap.RoutesFirewallRules[i], networkMap.RoutesFirewallRules[j]
+		if r1.RouteID != r2.RouteID {
+			return r1.RouteID < r2.RouteID
+		}
+		if r1.Action != r2.Action {
+			return r1.Action < r2.Action
+		}
+		if r1.Destination != r2.Destination {
+			return r1.Destination < r2.Destination
+		}
+		if len(r1.SourceRanges) > 0 && len(r2.SourceRanges) > 0 {
+			if r1.SourceRanges[0] != r2.SourceRanges[0] {
+				return r1.SourceRanges[0] < r2.SourceRanges[0]
+			}
+		}
+		return r1.Port < r2.Port
+	})
+
+	for _, ranges := range networkMap.RoutesFirewallRules {
+		sort.Slice(ranges.SourceRanges, func(i, j int) bool {
+			return ranges.SourceRanges[i] < ranges.SourceRanges[j]
+		})
+	}
+}
+
+type networkMapJSON struct {
+	Peers               []*nbpeer.Peer             `json:"Peers"`
+	Network             *types.Network             `json:"Network"`
+	Routes              []*route.Route             `json:"Routes"`
+	DNSConfig           dns.Config                 `json:"DNSConfig"`
+	OfflinePeers        []*nbpeer.Peer             `json:"OfflinePeers"`
+	FirewallRules       []*types.FirewallRule      `json:"FirewallRules"`
+	RoutesFirewallRules []*types.RouteFirewallRule `json:"RoutesFirewallRules"`
+	ForwardingRules     []*types.ForwardingRule    `json:"ForwardingRules"`
+	AuthorizedUsers     map[string][]string        `json:"AuthorizedUsers,omitempty"`
+	EnableSSH           bool                       `json:"EnableSSH"`
+}
+
+func toNetworkMapJSON(nm *types.NetworkMap) *networkMapJSON {
+	result := &networkMapJSON{
+		Peers:               nm.Peers,
+		Network:             nm.Network,
+		Routes:              nm.Routes,
+		DNSConfig:           nm.DNSConfig,
+		OfflinePeers:        nm.OfflinePeers,
+		FirewallRules:       nm.FirewallRules,
+		RoutesFirewallRules: nm.RoutesFirewallRules,
+		ForwardingRules:     nm.ForwardingRules,
+		EnableSSH:           nm.EnableSSH,
+	}
+
+	if len(nm.AuthorizedUsers) > 0 {
+		result.AuthorizedUsers = make(map[string][]string)
+		localUsers := make([]string, 0, len(nm.AuthorizedUsers))
+		for localUser := range nm.AuthorizedUsers {
+			localUsers = append(localUsers, localUser)
+		}
+		sort.Strings(localUsers)
+
+		for _, localUser := range localUsers {
+			userIDs := nm.AuthorizedUsers[localUser]
+			sortedUserIDs := make([]string, 0, len(userIDs))
+			for userID := range userIDs {
+				sortedUserIDs = append(sortedUserIDs, userID)
+			}
+			sort.Strings(sortedUserIDs)
+			result.AuthorizedUsers[localUser] = sortedUserIDs
+		}
+	}
+
+	return result
+}
+
+func createTestAccountWithEntities() *types.Account {
+	peers := make(map[string]*nbpeer.Peer)
+	devGroupPeers, opsGroupPeers, allGroupPeers := []string{}, []string{}, []string{}
+
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		ip := net.IP{100, 64, 0, byte(i + 1)}
+		wtVersion := "0.25.0"
+		if i%2 == 0 {
+			wtVersion = "0.40.0"
+		}
+
+		p := &nbpeer.Peer{
+			ID: peerID, IP: ip, Key: fmt.Sprintf("key-%s", peerID), DNSLabel: fmt.Sprintf("peer%d", i+1),
+			Status: &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+			UserID: "user-admin", Meta: nbpeer.PeerSystemMeta{WtVersion: wtVersion, GoOS: "linux"},
+		}
+
+		if peerID == expiredPeerID {
+			p.LoginExpirationEnabled = true
+			pastTimestamp := time.Now().Add(-2 * time.Hour)
+			p.LastLogin = &pastTimestamp
+		}
+
+		peers[peerID] = p
+		allGroupPeers = append(allGroupPeers, peerID)
+		if i < numPeers/2 {
+			devGroupPeers = append(devGroupPeers, peerID)
+		} else {
+			opsGroupPeers = append(opsGroupPeers, peerID)
+		}
+
+	}
+
+	groups := map[string]*types.Group{
+		allGroupID:      {ID: allGroupID, Name: "All", Peers: allGroupPeers},
+		devGroupID:      {ID: devGroupID, Name: "Developers", Peers: devGroupPeers},
+		opsGroupID:      {ID: opsGroupID, Name: "Operations", Peers: opsGroupPeers},
+		sshUsersGroupID: {ID: sshUsersGroupID, Name: "SSH Users", Peers: []string{}},
+	}
+
+	policies := []*types.Policy{
+		{
+			ID: policyIDAll, Name: "Default-Allow", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: policyIDAll, Name: "Allow All", Enabled: true, Action: types.PolicyTrafficActionAccept,
+				Protocol: types.PolicyRuleProtocolALL, Bidirectional: true,
+				Sources: []string{allGroupID}, Destinations: []string{allGroupID},
+			}},
+		},
+		{
+			ID: policyIDDevOps, Name: "Dev to Ops Web Access", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: policyIDDevOps, Name: "Dev -> Ops (HTTP Range)", Enabled: true, Action: types.PolicyTrafficActionAccept,
+				Protocol: types.PolicyRuleProtocolTCP, Bidirectional: false,
+				PortRanges: []types.RulePortRange{{Start: 8080, End: 8090}},
+				Sources:    []string{devGroupID}, Destinations: []string{opsGroupID},
+			}},
+		},
+		{
+			ID: policyIDDrop, Name: "Drop DB traffic", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: policyIDDrop, Name: "Drop DB", Enabled: true, Action: types.PolicyTrafficActionDrop,
+				Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"5432"}, Bidirectional: true,
+				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
+			}},
+		},
+		{
+			ID: policyIDPosture, Name: "Posture Check for DB Resource", Enabled: true,
+			SourcePostureChecks: []string{postureCheckID},
+			Rules: []*types.PolicyRule{{
+				ID: policyIDPosture, Name: "Allow DB Access", Enabled: true, Action: types.PolicyTrafficActionAccept,
+				Protocol: types.PolicyRuleProtocolALL, Bidirectional: true,
+				Sources: []string{opsGroupID}, DestinationResource: types.Resource{ID: networkResourceID},
+			}},
+		},
+		{
+			ID: policyIDSSH, Name: "SSH Access Policy", Enabled: true,
+			Rules: []*types.PolicyRule{{
+				ID: policyIDSSH, Name: "Allow SSH to Ops", Enabled: true, Action: types.PolicyTrafficActionAccept,
+				Protocol: types.PolicyRuleProtocolNetbirdSSH, Bidirectional: false,
+				Sources: []string{devGroupID}, Destinations: []string{opsGroupID},
+				AuthorizedGroups: map[string][]string{sshUsersGroupID: {"root", "admin"}},
+			}},
+		},
+	}
+
+	routes := map[route.ID]*route.Route{
+		routeID: {
+			ID: routeID, Network: netip.MustParsePrefix("192.168.10.0/24"),
+			Peer:        peers["peer-75"].Key,
+			PeerID:      "peer-75",
+			Description: "Route to internal resource", Enabled: true,
+			PeerGroups:          []string{devGroupID, opsGroupID},
+			Groups:              []string{devGroupID, opsGroupID},
+			AccessControlGroups: []string{devGroupID},
+		},
+		routeHA1ID: {
+			ID: routeHA1ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
+			Peer:        peers["peer-80"].Key,
+			PeerID:      "peer-80",
+			Description: "HA Route 1", Enabled: true, Metric: 1000,
+			PeerGroups:          []string{allGroupID},
+			Groups:              []string{allGroupID},
+			AccessControlGroups: []string{allGroupID},
+		},
+		routeHA2ID: {
+			ID: routeHA2ID, Network: netip.MustParsePrefix("10.10.0.0/16"),
+			Peer:        peers["peer-90"].Key,
+			PeerID:      "peer-90",
+			Description: "HA Route 2", Enabled: true, Metric: 900,
+			PeerGroups:          []string{devGroupID, opsGroupID},
+			Groups:              []string{devGroupID, opsGroupID},
+			AccessControlGroups: []string{allGroupID},
+		},
+	}
+
+	users := map[string]*types.User{
+		userAdminID: {Id: userAdminID, Role: types.UserRoleAdmin, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{allGroupID}},
+		userDevID:   {Id: userDevID, Role: types.UserRoleUser, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{sshUsersGroupID, devGroupID}},
+		userOpsID:   {Id: userOpsID, Role: types.UserRoleUser, IsServiceUser: false, AccountID: testAccountID, AutoGroups: []string{sshUsersGroupID, opsGroupID}},
+	}
+
+	account := &types.Account{
+		Id: testAccountID, Peers: peers, Groups: groups, Policies: policies, Routes: routes,
+		Users: users,
+		Network: &types.Network{
+			Identifier: "net-golden-test", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(16, 32)}, Serial: 1,
+		},
+		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{opsGroupID}},
+		NameServerGroups: map[string]*dns.NameServerGroup{
+			nameserverGroupID: {
+				ID: nameserverGroupID, Name: "Main NS", Enabled: true, Groups: []string{devGroupID},
+				NameServers: []dns.NameServer{{IP: netip.MustParseAddr("8.8.8.8"), NSType: dns.UDPNameServerType, Port: 53}},
+			},
+		},
+		PostureChecks: []*posture.Checks{
+			{ID: postureCheckID, Name: "Check version", Checks: posture.ChecksDefinition{
+				NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
+			}},
+		},
+		NetworkResources: []*resourceTypes.NetworkResource{
+			{ID: networkResourceID, NetworkID: networkID, AccountID: testAccountID, Enabled: true, Address: "db.netbird.cloud"},
+		},
+		Networks: []*networkTypes.Network{{ID: networkID, Name: "DB Network", AccountID: testAccountID}},
+		NetworkRouters: []*routerTypes.NetworkRouter{
+			{ID: networkRouterID, NetworkID: networkID, Peer: routingPeerID, Enabled: true, AccountID: testAccountID},
+		},
+		Settings: &types.Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: 1 * time.Hour},
+	}
+
+	for _, p := range account.Policies {
+		p.AccountID = account.Id
+	}
+	for _, r := range account.Routes {
+		r.AccountID = account.Id
+	}
+
+	return account
+}
+
+func TestGetPeerNetworkMap_Golden_New_WithOnPeerAddedRouter_Batched(t *testing.T) {
+	account := createTestAccountWithEntities()
+
+	ctx := context.Background()
+	validatedPeersMap := make(map[string]struct{})
+	for i := range numPeers {
+		peerID := fmt.Sprintf("peer-%d", i)
+		if peerID == offlinePeerID {
+			continue
+		}
+		validatedPeersMap[peerID] = struct{}{}
+	}
+
+	builder := types.NewNetworkMapBuilder(account, validatedPeersMap)
+
+	newRouterID := "peer-new-router-102"
+	newRouterIP := net.IP{100, 64, 1, 2}
+	newRouter := &nbpeer.Peer{
+		ID:        newRouterID,
+		IP:        newRouterIP,
+		Key:       fmt.Sprintf("key-%s", newRouterID),
+		DNSLabel:  "newrouter102",
+		Status:    &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
+		UserID:    "user-admin",
+		Meta:      nbpeer.PeerSystemMeta{WtVersion: "0.26.0", GoOS: "linux"},
+		LastLogin: func() *time.Time { t := time.Now(); return &t }(),
+	}
+
+	account.Peers[newRouterID] = newRouter
+
+	if opsGroup, exists := account.Groups[opsGroupID]; exists {
+		opsGroup.Peers = append(opsGroup.Peers, newRouterID)
+	}
+	if allGroup, exists := account.Groups[allGroupID]; exists {
+		allGroup.Peers = append(allGroup.Peers, newRouterID)
+	}
+
+	newRoute := &route.Route{
+		ID:                  route.ID("route-new-router"),
+		Network:             netip.MustParsePrefix("172.16.0.0/24"),
+		Peer:                newRouter.Key,
+		PeerID:              newRouterID,
+		Description:         "Route from new router",
+		Enabled:             true,
+		PeerGroups:          []string{opsGroupID},
+		Groups:              []string{devGroupID, opsGroupID},
+		AccessControlGroups: []string{devGroupID},
+		AccountID:           account.Id,
+	}
+	account.Routes[newRoute.ID] = newRoute
+
+	validatedPeersMap[newRouterID] = struct{}{}
+
+	if account.Network != nil {
+		account.Network.Serial++
+	}
+
+	builder.EnqueuePeersForIncrementalAdd(account, newRouterID)
+
+	time.Sleep(100 * time.Millisecond)
+
+	networkMap := builder.GetPeerNetworkMap(ctx, testingPeerID, dns.CustomZone{}, nil, validatedPeersMap, nil)
+
+	normalizeAndSortNetworkMap(networkMap)
+
+	jsonData, err := json.MarshalIndent(networkMap, "", "  ")
+	require.NoError(t, err, "error marshaling network map to JSON")
+
+	goldenFilePath := filepath.Join("testdata", "networkmap_golden_new_with_onpeeradded_router.json")
+
+	t.Log("Update golden file with OnPeerAdded router...")
+	err = os.MkdirAll(filepath.Dir(goldenFilePath), 0755)
+	require.NoError(t, err)
+	err = os.WriteFile(goldenFilePath, jsonData, 0644)
+	require.NoError(t, err)
+
+	expectedJSON, err := os.ReadFile(goldenFilePath)
+	require.NoError(t, err, "error reading golden file")
+
+	require.JSONEq(t, string(expectedJSON), string(jsonData), "network map from NEW builder with OnPeerAdded router does not match golden file")
+}

shared/auth/jwt/extractor.go

@@ -146,11 +146,7 @@ func (c *ClaimsExtractor) ToGroups(token *jwt.Token, claimName string) []string
 	userJWTGroups := make([]string, 0)
 
 	if claim, ok := claims[claimName]; ok {
-		switch claimGroups := claim.(type) {
-		case string:
-			// Some IdPs emit a single group claim as a string instead of an array.
-			userJWTGroups = append(userJWTGroups, claimGroups)
-		case []any:
+		if claimGroups, ok := claim.([]interface{}); ok {
 			for _, g := range claimGroups {
 				if group, ok := g.(string); ok {
 					userJWTGroups = append(userJWTGroups, group)
@@ -158,11 +154,9 @@ func (c *ClaimsExtractor) ToGroups(token *jwt.Token, claimName string) []string
 					log.Debugf("JWT claim %q contains a non-string group (type: %T): %v", claimName, g, g)
 				}
 			}
-		default:
-			log.Debugf("JWT claim %q is not a string or string array (type: %T): %v", claimName, claim, claim)
 		}
 	} else {
-		log.Debugf("JWT claim %q is missing", claimName)
+		log.Debugf("JWT claim %q is not a string array", claimName)
 	}
 
 	return userJWTGroups

shared/auth/jwt/extractor_test.go

@@ -249,15 +249,6 @@ func TestClaimsExtractor_ToGroups(t *testing.T) {
 			groupClaimName: "groups",
 			expectedGroups: []string{},
 		},
-		{
-			name: "extracts single group string from claim",
-			claims: jwt.MapClaims{
-				"sub":    "user-123",
-				"groups": "admin",
-			},
-			groupClaimName: "groups",
-			expectedGroups: []string{"admin"},
-		},
 		{
 			name: "handles custom claim name",
 			claims: jwt.MapClaims{

shared/management/client/client_test.go

@@ -138,7 +138,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

shared/management/client/grpc.go

@@ -252,19 +252,21 @@ func (c *GrpcClient) handleJobStream(
 					c.notifyDisconnected(err)
 					return backoff.Permanent(err) // unrecoverable error, propagate to the upper layer
 				case codes.Canceled:
-					log.Debugf("job stream context has been canceled, this usually indicates shutdown")
+					log.Debugf("management connection context has been canceled, this usually indicates shutdown")
 					return err
 				case codes.Unimplemented:
 					log.Warn("Job feature is not supported by the current management server version. " +
 						"Please update the management service to use this feature.")
 					return nil
 				default:
-					log.Warnf("job stream disconnected, will retry silently. Reason: %v", err)
+					c.notifyDisconnected(err)
+					log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
 					return err
 				}
 			} else {
 				// non-gRPC error
-				log.Warnf("job stream disconnected, will retry silently. Reason: %v", err)
+				c.notifyDisconnected(err)
+				log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
 				return err
 			}
 		}

shared/management/http/api/openapi.yml

@@ -2917,7 +2917,6 @@ components:
         - okta
         - pocketid
         - microsoft
-        - adfs
       example: oidc
     IdentityProvider:
       type: object

shared/management/http/api/types.gen.go

@@ -518,7 +518,6 @@ const (
 	IdentityProviderTypeOkta      IdentityProviderType = "okta"
 	IdentityProviderTypePocketid  IdentityProviderType = "pocketid"
 	IdentityProviderTypeZitadel   IdentityProviderType = "zitadel"
-	IdentityProviderTypeAdfs      IdentityProviderType = "adfs"
 )
 
 // Valid indicates whether the value is a known member of the IdentityProviderType enum.
@@ -538,8 +537,6 @@ func (e IdentityProviderType) Valid() bool {
 		return true
 	case IdentityProviderTypeZitadel:
 		return true
-	case IdentityProviderTypeAdfs:
-		return true
 	default:
 		return false
 	}

shared/relay/client/guard.go

@@ -8,7 +8,10 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-const defaultMaxBackoffInterval = 60 * time.Second
+const (
+	// TODO: make it configurable, the manager should validate all configurable parameters
+	reconnectingTimeout = 60 * time.Second
+)
 
 // Guard manage the reconnection tries to the Relay server in case of disconnection event.
 type Guard struct {
@@ -16,23 +19,14 @@ type Guard struct {
 	OnNewRelayClient chan *Client
 	OnReconnected    chan struct{}
 	serverPicker     *ServerPicker
-
-	// maxBackoffInterval caps the exponential backoff between reconnect
-	// attempts.
-	maxBackoffInterval time.Duration
 }
 
-// NewGuard creates a new guard for the relay client. A non-positive
-// maxBackoffInterval falls back to defaultMaxBackoffInterval.
-func NewGuard(sp *ServerPicker, maxBackoffInterval time.Duration) *Guard {
-	if maxBackoffInterval <= 0 {
-		maxBackoffInterval = defaultMaxBackoffInterval
-	}
+// NewGuard creates a new guard for the relay client.
+func NewGuard(sp *ServerPicker) *Guard {
 	g := &Guard{
-		OnNewRelayClient:   make(chan *Client, 1),
-		OnReconnected:      make(chan struct{}, 1),
-		serverPicker:       sp,
-		maxBackoffInterval: maxBackoffInterval,
+		OnNewRelayClient: make(chan *Client, 1),
+		OnReconnected:    make(chan struct{}, 1),
+		serverPicker:     sp,
 	}
 	return g
 }
@@ -55,7 +49,7 @@ func (g *Guard) StartReconnectTrys(ctx context.Context, relayClient *Client) {
 	}
 
 	// start a ticker to pick a new server
-	ticker := g.exponentTicker(ctx)
+	ticker := exponentTicker(ctx)
 	defer ticker.Stop()
 
 	for {
@@ -131,11 +125,11 @@ func (g *Guard) notifyReconnected() {
 	}
 }
 
-func (g *Guard) exponentTicker(ctx context.Context) *backoff.Ticker {
+func exponentTicker(ctx context.Context) *backoff.Ticker {
 	bo := backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval: 2 * time.Second,
 		Multiplier:      2,
-		MaxInterval:     g.maxBackoffInterval,
+		MaxInterval:     reconnectingTimeout,
 		Clock:           backoff.SystemClock,
 	}, ctx)
 

shared/relay/client/manager.go

@@ -39,15 +39,6 @@ func NewRelayTrack() *RelayTrack {
 
 type OnServerCloseListener func()
 
-// ManagerOption configures a Manager at construction time.
-type ManagerOption func(*Manager)
-
-// WithMaxBackoffInterval caps the exponential backoff between reconnect
-// attempts to the home relay. A non-positive value keeps the default.
-func WithMaxBackoffInterval(d time.Duration) ManagerOption {
-	return func(m *Manager) { m.maxBackoffInterval = d }
-}
-
 // Manager is a manager for the relay client instances. It establishes one persistent connection to the given relay URL
 // and automatically reconnect to them in case disconnection.
 // The manager also manage temporary relay connection. If a client wants to communicate with a client on a
@@ -73,13 +64,12 @@ type Manager struct {
 	onReconnectedListenerFn func()
 	listenerLock            sync.Mutex
 
-	mtu                uint16
-	maxBackoffInterval time.Duration
+	mtu uint16
 }
 
 // NewManager creates a new manager instance.
 // The serverURL address can be empty. In this case, the manager will not serve.
-func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uint16, opts ...ManagerOption) *Manager {
+func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uint16) *Manager {
 	tokenStore := &relayAuth.TokenStore{}
 
 	m := &Manager{
@@ -96,11 +86,8 @@ func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uin
 		relayClients:            make(map[string]*RelayTrack),
 		onDisconnectedListeners: make(map[string]*list.List),
 	}
-	for _, opt := range opts {
-		opt(m)
-	}
 	m.serverPicker.ServerURLs.Store(serverURLs)
-	m.reconnectGuard = NewGuard(m.serverPicker, m.maxBackoffInterval)
+	m.reconnectGuard = NewGuard(m.serverPicker)
 	return m
 }
 
@@ -303,36 +290,19 @@ func (m *Manager) onServerConnected() {
 	go m.onReconnectedListenerFn()
 }
 
-// onServerDisconnected handles relay disconnect events. For the home server it
-// starts the reconnect guard. For foreign servers it evicts the now-dead client
-// from the cache so the next OpenConn builds a fresh one instead of reusing a
-// closed client.
+// onServerDisconnected start to reconnection for home server only
 func (m *Manager) onServerDisconnected(serverAddress string) {
 	m.relayClientMu.Lock()
-	isHome := m.relayClient != nil && serverAddress == m.relayClient.connectionURL
-	if isHome {
+	if serverAddress == m.relayClient.connectionURL {
 		go func(client *Client) {
 			m.reconnectGuard.StartReconnectTrys(m.ctx, client)
 		}(m.relayClient)
 	}
 	m.relayClientMu.Unlock()
 
-	if !isHome {
-		m.evictForeignRelay(serverAddress)
-	}
-
 	m.notifyOnDisconnectListeners(serverAddress)
 }
 
-func (m *Manager) evictForeignRelay(serverAddress string) {
-	m.relayClientsMutex.Lock()
-	defer m.relayClientsMutex.Unlock()
-	if _, ok := m.relayClients[serverAddress]; ok {
-		delete(m.relayClients, serverAddress)
-		log.Debugf("evicted disconnected foreign relay client: %s", serverAddress)
-	}
-}
-
 func (m *Manager) listenGuardEvent(ctx context.Context) {
 	for {
 		select {

shared/relay/client/manager_test.go

@@ -2,7 +2,6 @@ package client
 
 import (
 	"context"
-	"fmt"
 	"testing"
 	"time"
 
@@ -361,8 +360,7 @@ func TestAutoReconnect(t *testing.T) {
 		t.Fatalf("failed to serve manager: %s", err)
 	}
 
-	clientAlice := NewManager(mCtx, toURL(srvCfg), "alice", iface.DefaultMTU,
-		WithMaxBackoffInterval(2*time.Second))
+	clientAlice := NewManager(mCtx, toURL(srvCfg), "alice", iface.DefaultMTU)
 	err = clientAlice.Serve()
 	if err != nil {
 		t.Fatalf("failed to serve manager: %s", err)
@@ -386,9 +384,7 @@ func TestAutoReconnect(t *testing.T) {
 	}
 
 	log.Infof("waiting for reconnection")
-	if err := waitForReady(ctx, clientAlice, 15*time.Second); err != nil {
-		t.Fatalf("manager did not reconnect: %s", err)
-	}
+	time.Sleep(reconnectingTimeout + 1*time.Second)
 
 	log.Infof("reopent the connection")
 	_, err = clientAlice.OpenConn(ctx, ra, "bob")
@@ -397,21 +393,6 @@ func TestAutoReconnect(t *testing.T) {
 	}
 }
 
-func waitForReady(ctx context.Context, m *Manager, timeout time.Duration) error {
-	deadline := time.Now().Add(timeout)
-	for time.Now().Before(deadline) {
-		if m.Ready() {
-			return nil
-		}
-		select {
-		case <-time.After(100 * time.Millisecond):
-		case <-ctx.Done():
-			return ctx.Err()
-		}
-	}
-	return fmt.Errorf("manager not ready within %s", timeout)
-}
-
 func TestNotifierDoubleAdd(t *testing.T) {
 	ctx := context.Background()