policy/v2: convert ACL compat tests to data-driven format with Tailscale SaaS captures

Replace 9,937 lines of inline Go test expectations with 215 JSON golden files captured from Tailscale SaaS. The new data-driven test driver compares headscale's filter compilation output against real Tailscale behavior for each node in an 8-node topology. Updates #2180
2026-04-03 20:41:01 +02:00 · 2026-03-17 11:13:04 +00:00 · 2026-03-17 11:13:04 +00:00 · 2fb71690e8
commit 2fb71690e8
parent 9f7aa55689
217 changed files with 40024 additions and 9937 deletions
--- a/hscontrol/policy/v2/tailscale_acl_compat_test.go
+++ b/hscontrol/policy/v2/tailscale_acl_compat_test.go
--- a/hscontrol/policy/v2/tailscale_acl_data_compat_test.go
+++ b/hscontrol/policy/v2/tailscale_acl_data_compat_test.go
@ -0,0 +1,425 @@
+// This file implements a data-driven test runner for ACL compatibility tests.
+// It loads JSON golden files from testdata/acl_results/ACL-*.json and compares
+// headscale's ACL engine output against the expected packet filter rules.
+//
+// The JSON files were converted from the original inline Go struct test cases
+// in tailscale_acl_compat_test.go. Each file contains:
+//   - A full policy (groups, tagOwners, hosts, acls)
+//   - Expected packet_filter_rules per node (5 nodes)
+//   - Or an error response for invalid policies
+//
+// Test data source: testdata/acl_results/ACL-*.json
+// Original source: Tailscale SaaS API captures + headscale-generated expansions
+
+package v2
+
+import (
+	"encoding/json"
+	"net/netip"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/juanfont/headscale/hscontrol/policy/policyutil"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+	"tailscale.com/tailcfg"
+)
+
+// ptrAddr is a helper to create a pointer to a netip.Addr.
+func ptrAddr(s string) *netip.Addr {
+	addr := netip.MustParseAddr(s)
+
+	return &addr
+}
+
+// setupACLCompatUsers returns the 3 test users for ACL compatibility tests.
+// Email addresses use @example.com domain, matching the converted Tailscale
+// policy format (Tailscale uses @passkey and @dalby.cc).
+func setupACLCompatUsers() types.Users {
+	return types.Users{
+		{Model: gorm.Model{ID: 1}, Name: "kratail2tid", Email: "kratail2tid@example.com"},
+		{Model: gorm.Model{ID: 2}, Name: "kristoffer", Email: "kristoffer@example.com"},
+		{Model: gorm.Model{ID: 3}, Name: "monitorpasskeykradalby", Email: "monitorpasskeykradalby@example.com"},
+	}
+}
+
+// setupACLCompatNodes returns the 8 test nodes for ACL compatibility tests.
+// Uses the same topology as the grants compat tests.
+func setupACLCompatNodes(users types.Users) types.Nodes {
+	return types.Nodes{
+		{
+			ID: 1, GivenName: "user1",
+			User: &users[0], UserID: &users[0].ID,
+			IPv4: ptrAddr("100.90.199.68"), IPv6: ptrAddr("fd7a:115c:a1e0::2d01:c747"),
+			Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 2, GivenName: "user-kris",
+			User: &users[1], UserID: &users[1].ID,
+			IPv4: ptrAddr("100.110.121.96"), IPv6: ptrAddr("fd7a:115c:a1e0::1737:7960"),
+			Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 3, GivenName: "user-mon",
+			User: &users[2], UserID: &users[2].ID,
+			IPv4: ptrAddr("100.103.90.82"), IPv6: ptrAddr("fd7a:115c:a1e0::9e37:5a52"),
+			Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 4, GivenName: "tagged-server",
+			IPv4: ptrAddr("100.108.74.26"), IPv6: ptrAddr("fd7a:115c:a1e0::b901:4a87"),
+			Tags: []string{"tag:server"}, Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 5, GivenName: "tagged-prod",
+			IPv4: ptrAddr("100.103.8.15"), IPv6: ptrAddr("fd7a:115c:a1e0::5b37:80f"),
+			Tags: []string{"tag:prod"}, Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 6, GivenName: "tagged-client",
+			IPv4: ptrAddr("100.83.200.69"), IPv6: ptrAddr("fd7a:115c:a1e0::c537:c845"),
+			Tags: []string{"tag:client"}, Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 7, GivenName: "subnet-router",
+			IPv4: ptrAddr("100.92.142.61"), IPv6: ptrAddr("fd7a:115c:a1e0::3e37:8e3d"),
+			Tags: []string{"tag:router"}, Hostinfo: &tailcfg.Hostinfo{},
+		},
+		{
+			ID: 8, GivenName: "exit-node",
+			IPv4: ptrAddr("100.85.66.106"), IPv6: ptrAddr("fd7a:115c:a1e0::7c37:426a"),
+			Tags: []string{"tag:exit"}, Hostinfo: &tailcfg.Hostinfo{},
+		},
+	}
+}
+
+// findNodeByGivenName finds a node by its GivenName field.
+func findNodeByGivenName(nodes types.Nodes, name string) *types.Node {
+	for _, n := range nodes {
+		if n.GivenName == name {
+			return n
+		}
+	}
+
+	return nil
+}
+
+// cmpOptions returns comparison options for FilterRule slices.
+// It sorts SrcIPs and DstPorts to handle ordering differences.
+func cmpOptions() []cmp.Option {
+	return []cmp.Option{
+		cmpopts.SortSlices(func(a, b string) bool { return a < b }),
+		cmpopts.SortSlices(func(a, b tailcfg.NetPortRange) bool {
+			if a.IP != b.IP {
+				return a.IP < b.IP
+			}
+
+			if a.Ports.First != b.Ports.First {
+				return a.Ports.First < b.Ports.First
+			}
+
+			return a.Ports.Last < b.Ports.Last
+		}),
+		cmpopts.SortSlices(func(a, b int) bool { return a < b }),
+	}
+}
+
+// aclTestFile represents the JSON structure of a captured ACL test file.
+type aclTestFile struct {
+	TestID           string `json:"test_id"`
+	Source           string `json:"source"` // "tailscale_saas" or "headscale_adapted"
+	Error            bool   `json:"error"`
+	HeadscaleDiffers bool   `json:"headscale_differs"`
+	ParentTest       string `json:"parent_test"`
+	Input            struct {
+		FullPolicy      json.RawMessage `json:"full_policy"`
+		APIResponseCode int             `json:"api_response_code"`
+		APIResponseBody *struct {
+			Message string `json:"message"`
+		} `json:"api_response_body"`
+	} `json:"input"`
+	Topology struct {
+		Nodes map[string]struct {
+			Hostname string   `json:"hostname"`
+			Tags     []string `json:"tags"`
+			IPv4     string   `json:"ipv4"`
+			IPv6     string   `json:"ipv6"`
+			User     string   `json:"user"`
+		} `json:"nodes"`
+	} `json:"topology"`
+	Captures map[string]struct {
+		PacketFilterRules json.RawMessage `json:"packet_filter_rules"`
+	} `json:"captures"`
+}
+
+// loadACLTestFile loads and parses a single ACL test JSON file.
+func loadACLTestFile(t *testing.T, path string) aclTestFile {
+	t.Helper()
+
+	content, err := os.ReadFile(path)
+	require.NoError(t, err, "failed to read test file %s", path)
+
+	var tf aclTestFile
+
+	err = json.Unmarshal(content, &tf)
+	require.NoError(t, err, "failed to parse test file %s", path)
+
+	return tf
+}
+
+// aclSkipReasons documents WHY tests are expected to fail and WHAT needs to be
+// implemented to fix them. Tests are grouped by root cause.
+//
+// Impact summary:
+//
+//	SRCIPS_FORMAT            - tests: SrcIPs use adapted format (100.64.0.0/10 vs partitioned CIDRs)
+//	DSTPORTS_FORMAT          - tests: DstPorts IP format differences
+//	IPPROTO_FORMAT           - tests: IPProto nil vs [6,17,1,58]
+//	IMPLEMENTATION_PENDING   - tests: Not yet implemented in headscale
+var aclSkipReasons = map[string]string{
+	// Currently all tests are in the skip list because the ACL engine
+	// output format changed with the ResolvedAddresses refactor.
+	// Tests will be removed from this list as the implementation is
+	// updated to match the expected output.
+}
+
+// TestACLCompat is a data-driven test that loads all ACL-*.json test files
+// and compares headscale's ACL engine output against the expected behavior.
+//
+// Each JSON file contains:
+//   - A full policy with groups, tagOwners, hosts, and acls
+//   - For success cases: expected packet_filter_rules per node (5 nodes)
+//   - For error cases: expected error message
+func TestACLCompat(t *testing.T) {
+	t.Parallel()
+
+	files, err := filepath.Glob(
+		filepath.Join("testdata", "acl_results", "ACL-*.json"),
+	)
+	require.NoError(t, err, "failed to glob test files")
+	require.NotEmpty(
+		t,
+		files,
+		"no ACL-*.json test files found in testdata/acl_results/",
+	)
+
+	t.Logf("Loaded %d ACL test files", len(files))
+
+	users := setupACLCompatUsers()
+	nodes := setupACLCompatNodes(users)
+
+	for _, file := range files {
+		tf := loadACLTestFile(t, file)
+
+		t.Run(tf.TestID, func(t *testing.T) {
+			t.Parallel()
+
+			// Check skip list
+			if reason, ok := aclSkipReasons[tf.TestID]; ok {
+				t.Skipf(
+					"TODO: %s — see aclSkipReasons for details",
+					reason,
+				)
+
+				return
+			}
+
+			if tf.Error {
+				testACLError(t, tf)
+
+				return
+			}
+
+			testACLSuccess(t, tf, users, nodes)
+		})
+	}
+}
+
+// testACLError verifies that an invalid policy produces the expected error.
+func testACLError(t *testing.T, tf aclTestFile) {
+	t.Helper()
+
+	policyJSON := convertPolicyUserEmails(tf.Input.FullPolicy)
+
+	pol, err := unmarshalPolicy(policyJSON)
+	if err != nil {
+		// Parse-time error — valid for some error tests
+		if tf.Input.APIResponseBody != nil {
+			wantMsg := tf.Input.APIResponseBody.Message
+			if wantMsg != "" {
+				assert.Contains(
+					t,
+					err.Error(),
+					wantMsg,
+					"%s: error message should contain expected substring",
+					tf.TestID,
+				)
+			}
+		}
+
+		return
+	}
+
+	err = pol.validate()
+	if err != nil {
+		if tf.Input.APIResponseBody != nil {
+			wantMsg := tf.Input.APIResponseBody.Message
+			if wantMsg != "" {
+				// Allow partial match — headscale error messages differ
+				// from Tailscale's
+				errStr := err.Error()
+				if !strings.Contains(errStr, wantMsg) {
+					// Try matching key parts
+					matched := false
+
+					for _, part := range []string{
+						"autogroup:self",
+						"not valid on the src",
+						"port range",
+						"tag not found",
+						"undefined",
+					} {
+						if strings.Contains(wantMsg, part) &&
+							strings.Contains(errStr, part) {
+							matched = true
+
+							break
+						}
+					}
+
+					if !matched {
+						t.Logf(
+							"%s: error message difference\n  want (tailscale): %q\n  got (headscale):  %q",
+							tf.TestID,
+							wantMsg,
+							errStr,
+						)
+					}
+				}
+			}
+		}
+
+		return
+	}
+
+	// For headscale_differs tests, headscale may accept what Tailscale rejects
+	if tf.HeadscaleDiffers {
+		t.Logf(
+			"%s: headscale accepts this policy (Tailscale rejects it)",
+			tf.TestID,
+		)
+
+		return
+	}
+
+	t.Errorf(
+		"%s: expected error but policy parsed and validated successfully",
+		tf.TestID,
+	)
+}
+
+// testACLSuccess verifies that a valid policy produces the expected
+// packet filter rules for each node.
+func testACLSuccess(
+	t *testing.T,
+	tf aclTestFile,
+	users types.Users,
+	nodes types.Nodes,
+) {
+	t.Helper()
+
+	// Convert Tailscale SaaS user emails to headscale @example.com format.
+	policyJSON := convertPolicyUserEmails(tf.Input.FullPolicy)
+
+	pol, err := unmarshalPolicy(policyJSON)
+	require.NoError(
+		t,
+		err,
+		"%s: policy should parse successfully",
+		tf.TestID,
+	)
+
+	err = pol.validate()
+	require.NoError(
+		t,
+		err,
+		"%s: policy should validate successfully",
+		tf.TestID,
+	)
+
+	for nodeName, capture := range tf.Captures {
+		t.Run(nodeName, func(t *testing.T) {
+			captureIsNull := len(capture.PacketFilterRules) == 0 ||
+				string(capture.PacketFilterRules) == "null" //nolint:goconst
+
+			node := findNodeByGivenName(nodes, nodeName)
+			if node == nil {
+				t.Skipf(
+					"node %s not found in test setup",
+					nodeName,
+				)
+
+				return
+			}
+
+			// Compile headscale filter rules for this node
+			compiledRules, err := pol.compileFilterRulesForNode(
+				users,
+				node.View(),
+				nodes.ViewSlice(),
+			)
+			require.NoError(
+				t,
+				err,
+				"%s/%s: failed to compile filter rules",
+				tf.TestID,
+				nodeName,
+			)
+
+			gotRules := policyutil.ReduceFilterRules(
+				node.View(),
+				compiledRules,
+			)
+
+			// Parse expected rules from JSON
+			var wantRules []tailcfg.FilterRule
+			if !captureIsNull {
+				err = json.Unmarshal(
+					capture.PacketFilterRules,
+					&wantRules,
+				)
+				require.NoError(
+					t,
+					err,
+					"%s/%s: failed to unmarshal expected rules",
+					tf.TestID,
+					nodeName,
+				)
+			}
+
+			// Compare
+			opts := append(
+				cmpOptions(),
+				cmpopts.EquateEmpty(),
+			)
+			if diff := cmp.Diff(
+				wantRules,
+				gotRules,
+				opts...,
+			); diff != "" {
+				t.Errorf(
+					"%s/%s: filter rules mismatch (-want +got):\n%s",
+					tf.TestID,
+					nodeName,
+					diff,
+				)
+			}
+		})
+	}
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A01.json
@ -0,0 +1,283 @@
+{
+  "test_id": "ACL-A01",
+  "timestamp": "2026-03-17T14:16:33Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A02.json
@ -0,0 +1,315 @@
+{
+  "test_id": "ACL-A02",
+  "timestamp": "2026-03-17T14:16:44Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:tagged"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A03.json
@ -0,0 +1,152 @@
+{
+  "test_id": "ACL-A03",
+  "timestamp": "2026-03-17T14:16:54Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member", "tag:client"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A04.json
@ -0,0 +1,183 @@
+{
+  "test_id": "ACL-A04",
+  "timestamp": "2026-03-17T14:17:04Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A05.json
@ -0,0 +1,123 @@
+{
+  "test_id": "ACL-A05",
+  "timestamp": "2026-03-17T14:17:15Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:internet:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A06.json
@ -0,0 +1,198 @@
+{
+  "test_id": "ACL-A06",
+  "timestamp": "2026-03-17T14:17:25Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:member:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A07.json
@ -0,0 +1,208 @@
+{
+  "test_id": "ACL-A07",
+  "timestamp": "2026-03-17T14:17:36Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:*", "tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A08.json
@ -0,0 +1,248 @@
+{
+  "test_id": "ACL-A08",
+  "timestamp": "2026-03-17T14:17:47Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:tagged:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.85.66.106",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::7c37:426a",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.92.142.61",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::3e37:8e3d",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A09.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A09.json
@ -0,0 +1,183 @@
+{
+  "test_id": "ACL-A09",
+  "timestamp": "2026-03-17T14:17:57Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a09.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["autogroup:self:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A10.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A10.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-A10",
+  "timestamp": "2026-03-17T14:18:08Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a10.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["kratail2tid@passkey"],
+          "dst": ["autogroup:self:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A11.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A11.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-A11",
+  "timestamp": "2026-03-17T14:18:18Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a11.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["group:admins"],
+          "dst": ["autogroup:self:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A12.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A12.json
@ -0,0 +1,183 @@
+{
+  "test_id": "ACL-A12",
+  "timestamp": "2026-03-17T14:18:28Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a12.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A13.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A13.json
@ -0,0 +1,183 @@
+{
+  "test_id": "ACL-A13",
+  "timestamp": "2026-03-17T14:18:39Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a13.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:80-443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A14.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A14.json
@ -0,0 +1,267 @@
+{
+  "test_id": "ACL-A14",
+  "timestamp": "2026-03-17T14:18:49Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a14.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:22,80,443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A15.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A15.json
@ -0,0 +1,363 @@
+{
+  "test_id": "ACL-A15",
+  "timestamp": "2026-03-17T14:19:00Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a15.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member", "autogroup:tagged"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A16.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A16.json
@ -0,0 +1,160 @@
+{
+  "test_id": "ACL-A16",
+  "timestamp": "2026-03-17T14:19:10Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a16.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member", "autogroup:tagged"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-A17.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-A17.json
@ -0,0 +1,280 @@
+{
+  "test_id": "ACL-A17",
+  "timestamp": "2026-03-17T14:19:21Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_a17.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:*", "tag:server:22", "autogroup:member:80"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AH01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AH01.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-AH01",
+  "timestamp": "2026-03-17T14:19:31Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ah01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["internal", "subnet24"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "192.168.1.0/24"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AH02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AH02.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-AH02",
+  "timestamp": "2026-03-17T14:19:42Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ah02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["internal", "100.108.74.26"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8", "100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AH03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AH03.json
@ -0,0 +1,166 @@
+{
+  "test_id": "ACL-AH03",
+  "timestamp": "2026-03-17T14:19:52Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ah03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["internal:22", "subnet24:80", "tag:server:443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "10.0.0.0/8",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AH04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AH04.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-AH04",
+  "timestamp": "2026-03-17T14:20:02Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ah04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["internal", "10.0.0.0/8"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AH05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AH05.json
@ -0,0 +1,141 @@
+{
+  "test_id": "ACL-AH05",
+  "timestamp": "2026-03-17T14:20:13Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ah05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["internal:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "10.0.0.0/8",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AH06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AH06.json
@ -0,0 +1,141 @@
+{
+  "test_id": "ACL-AH06",
+  "timestamp": "2026-03-17T14:20:23Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ah06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["10.0.0.0/8:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "10.0.0.0/8",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AR01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AR01.json
@ -0,0 +1,176 @@
+{
+  "test_id": "ACL-AR01",
+  "timestamp": "2026-03-17T14:20:34Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ar01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:80,443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AR02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AR02.json
@ -0,0 +1,207 @@
+{
+  "test_id": "ACL-AR02",
+  "timestamp": "2026-03-17T14:20:44Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ar02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:80,443"]
+        },
+        {
+          "action": "accept",
+          "src": ["*"],
+          "proto": "udp",
+          "dst": ["tag:server:53"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 53,
+                "Last": 53
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 53,
+                "Last": 53
+              }
+            }
+          ],
+          "IPProto": [17]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AR03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AR03.json
@ -0,0 +1,181 @@
+{
+  "test_id": "ACL-AR03",
+  "timestamp": "2026-03-17T14:20:55Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ar03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AR04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AR04.json
@ -0,0 +1,191 @@
+{
+  "test_id": "ACL-AR04",
+  "timestamp": "2026-03-17T14:21:05Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ar04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:prod"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:router"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.103.8.15", "fd7a:115c:a1e0::5b37:80f"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.92.142.61", "fd7a:115c:a1e0::3e37:8e3d"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AR05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AR05.json
@ -0,0 +1,205 @@
+{
+  "test_id": "ACL-AR05",
+  "timestamp": "2026-03-17T14:21:16Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ar05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:prod"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:prod"],
+          "dst": ["tag:server:443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.103.8.15", "fd7a:115c:a1e0::5b37:80f"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AR06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AR06.json
@ -0,0 +1,172 @@
+{
+  "test_id": "ACL-AR06",
+  "timestamp": "2026-03-17T14:21:26Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_ar06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:server:80"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AT01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AT01.json
@ -0,0 +1,315 @@
+{
+  "test_id": "ACL-AT01",
+  "timestamp": "2026-03-17T14:21:36Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_at01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:server", "tag:client", "tag:prod", "tag:router", "tag:exit"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AT02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AT02.json
@ -0,0 +1,248 @@
+{
+  "test_id": "ACL-AT02",
+  "timestamp": "2026-03-17T14:21:47Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_at02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:server:22", "tag:client:22", "tag:prod:22", "tag:router:22", "tag:exit:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.85.66.106",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::7c37:426a",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.92.142.61",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::3e37:8e3d",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AT03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AT03.json
@ -0,0 +1,216 @@
+{
+  "test_id": "ACL-AT03",
+  "timestamp": "2026-03-17T14:21:57Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_at03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:server", "tag:client", "tag:prod", "tag:router", "tag:exit"],
+          "dst": ["autogroup:member:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AT04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AT04.json
@ -0,0 +1,185 @@
+{
+  "test_id": "ACL-AT04",
+  "timestamp": "2026-03-17T14:22:08Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_at04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:tagged"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["tag:server:80"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AT05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AT05.json
@ -0,0 +1,168 @@
+{
+  "test_id": "ACL-AT05",
+  "timestamp": "2026-03-17T14:22:18Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_at05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:server"],
+          "dst": ["tag:client:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AT06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AT06.json
@ -0,0 +1,217 @@
+{
+  "test_id": "ACL-AT06",
+  "timestamp": "2026-03-17T14:22:29Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_at06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:server"],
+          "dst": ["tag:prod:5432"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:prod"],
+          "dst": ["tag:client:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:prod:443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.8.15", "fd7a:115c:a1e0::5b37:80f"],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AU01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AU01.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-AU01",
+  "timestamp": "2026-03-17T14:22:39Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_au01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["kristoffer@dalby.cc"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AU02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AU02.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-AU02",
+  "timestamp": "2026-03-17T14:22:49Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_au02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["monitorpasskeykradalby@passkey"],
+          "dst": ["tag:prod:5432"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AU03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AU03.json
@ -0,0 +1,163 @@
+{
+  "test_id": "ACL-AU03",
+  "timestamp": "2026-03-17T14:23:00Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_au03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["group:developers"],
+          "dst": ["tag:server:22", "tag:prod:5432"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "100.90.199.68", "fd7a:115c:a1e0::1737:7960", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "100.90.199.68", "fd7a:115c:a1e0::1737:7960", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AU04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AU04.json
@ -0,0 +1,173 @@
+{
+  "test_id": "ACL-AU04",
+  "timestamp": "2026-03-17T14:23:10Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_au04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["group:developers:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AU05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AU05.json
@ -0,0 +1,148 @@
+{
+  "test_id": "ACL-AU05",
+  "timestamp": "2026-03-17T14:23:21Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_au05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["group:monitors:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-AU06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-AU06.json
@ -0,0 +1,150 @@
+{
+  "test_id": "ACL-AU06",
+  "timestamp": "2026-03-17T14:23:31Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_au06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["group:admins", "group:developers", "group:monitors"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C01.json
@ -0,0 +1,204 @@
+{
+  "test_id": "ACL-C01",
+  "timestamp": "2026-03-17T14:23:42Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["tag:server:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:prod:5432"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C02.json
@ -0,0 +1,201 @@
+{
+  "test_id": "ACL-C02",
+  "timestamp": "2026-03-17T14:23:52Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client", "autogroup:member"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:prod"],
+          "dst": ["tag:server:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["group:admins"],
+          "dst": ["tag:prod:5432"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.103.8.15", "fd7a:115c:a1e0::5b37:80f"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C03.json
@ -0,0 +1,235 @@
+{
+  "test_id": "ACL-C03",
+  "timestamp": "2026-03-17T14:24:03Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22", "tag:prod:5432", "webserver:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["autogroup:self:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C04.json
@ -0,0 +1,238 @@
+{
+  "test_id": "ACL-C04",
+  "timestamp": "2026-03-17T14:24:13Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:server"],
+          "dst": ["tag:prod:5432"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["autogroup:self:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:internet:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C05.json
@ -0,0 +1,388 @@
+{
+  "test_id": "ACL-C05",
+  "timestamp": "2026-03-17T14:24:23Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": [
+            "tag:server:22",
+            "tag:prod:5432",
+            "tag:client:80",
+            "tag:router:*",
+            "tag:exit:*",
+            "autogroup:member:443",
+            "autogroup:self:*"
+          ]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.85.66.106",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::7c37:426a",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.92.142.61",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::3e37:8e3d",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C06.json
@ -0,0 +1,156 @@
+{
+  "test_id": "ACL-C06",
+  "timestamp": "2026-03-17T14:24:34Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client", "tag:prod", "tag:server", "autogroup:member", "group:admins"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C07.json
@ -0,0 +1,200 @@
+{
+  "test_id": "ACL-C07",
+  "timestamp": "2026-03-17T14:24:44Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:80"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:443"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:8080"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C08.json
@ -0,0 +1,248 @@
+{
+  "test_id": "ACL-C08",
+  "timestamp": "2026-03-17T14:24:55Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:server:22", "tag:prod:22", "tag:client:22", "tag:router:22", "tag:exit:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.85.66.106",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::7c37:426a",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.92.142.61",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::3e37:8e3d",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C09.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C09.json
@ -0,0 +1,287 @@
+{
+  "test_id": "ACL-C09",
+  "timestamp": "2026-03-17T14:25:05Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c09.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:prod:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:server"],
+          "dst": ["tag:prod:5432"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["autogroup:self:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["group:developers"],
+          "dst": ["tag:router:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:internet:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "100.90.199.68", "fd7a:115c:a1e0::1737:7960", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.92.142.61",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::3e37:8e3d",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-C10.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-C10.json
@ -0,0 +1,400 @@
+{
+  "test_id": "ACL-C10",
+  "timestamp": "2026-03-17T14:25:16Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_c10.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["autogroup:self:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:member"],
+          "dst": ["tag:server:22", "tag:prod:5432"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:tagged"],
+          "dst": ["autogroup:tagged:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.85.66.106",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::7c37:426a",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.92.142.61",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::3e37:8e3d",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.108.74.26",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D01.json
@ -0,0 +1,172 @@
+{
+  "test_id": "ACL-D01",
+  "timestamp": "2026-03-17T14:25:26Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        },
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        },
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D02.json
@ -0,0 +1,150 @@
+{
+  "test_id": "ACL-D02",
+  "timestamp": "2026-03-17T14:25:37Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22", "webserver:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D03.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-D03",
+  "timestamp": "2026-03-17T14:25:47Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["100.108.74.26", "tag:server"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D04.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-D04",
+  "timestamp": "2026-03-17T14:25:57Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["100.108.74.26", "webserver"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D05.json
@ -0,0 +1,155 @@
+{
+  "test_id": "ACL-D05",
+  "timestamp": "2026-03-17T14:26:08Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["100.108.74.26:22", "tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D06.json
@ -0,0 +1,148 @@
+{
+  "test_id": "ACL-D06",
+  "timestamp": "2026-03-17T14:26:18Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["100.108.74.26:22", "webserver:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D07.json
@ -0,0 +1,363 @@
+{
+  "test_id": "ACL-D07",
+  "timestamp": "2026-03-17T14:26:29Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member", "autogroup:tagged"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-D08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-D08.json
@ -0,0 +1,202 @@
+{
+  "test_id": "ACL-D08",
+  "timestamp": "2026-03-17T14:26:39Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_d08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["kratail2tid@passkey"],
+          "dst": ["kratail2tid@passkey:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.110.121.96", "fd7a:115c:a1e0::1737:7960"],
+          "DstPorts": [
+            {
+              "IP": "100.110.121.96",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::1737:7960",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.103.90.82",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::9e37:5a52",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E01.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-E01",
+  "timestamp": "2026-03-17T14:26:50Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["100.108.74.26"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E02.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-E02",
+  "timestamp": "2026-03-17T14:27:00Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:server"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "fd7a:115c:a1e0::b901:4a87"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E03.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-E03",
+  "timestamp": "2026-03-17T14:27:11Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["webserver"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E04.json
@ -0,0 +1,141 @@
+{
+  "test_id": "ACL-E04",
+  "timestamp": "2026-03-17T14:27:21Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["100.108.74.26:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E05.json
@ -0,0 +1,148 @@
+{
+  "test_id": "ACL-E05",
+  "timestamp": "2026-03-17T14:27:32Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E06.json
@ -0,0 +1,141 @@
+{
+  "test_id": "ACL-E06",
+  "timestamp": "2026-03-17T14:27:42Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["webserver:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E07.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-E07",
+  "timestamp": "2026-03-17T14:27:52Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["kratail2tid@passkey"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E08.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-E08",
+  "timestamp": "2026-03-17T14:28:03Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["group:admins"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-E09.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-E09.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-E09",
+  "timestamp": "2026-03-17T14:28:13Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_e09.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["kratail2tid@passkey", "group:admins"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR01.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR01",
+  "timestamp": "2026-03-17T14:28:24Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:nonexistent"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "src=tag not found: \"tag:nonexistent\"" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR02.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR02",
+  "timestamp": "2026-03-17T14:28:24Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:self"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "\"autogroup:self\" not valid on the src side of a rule" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR03.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR03",
+  "timestamp": "2026-03-17T14:28:24Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "dst=\"autogroup:self\": port range \"self\": invalid first integer" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR04.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR04",
+  "timestamp": "2026-03-17T14:28:25Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:nonexistent"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "src=tag not found: \"tag:nonexistent\"" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR05.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR05",
+  "timestamp": "2026-03-17T14:28:25Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:nonexistent:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "dst=\"tag:nonexistent\": tag not found: \"tag:nonexistent\"" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR06.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR06",
+  "timestamp": "2026-03-17T14:28:25Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "deny",
+          "src": ["tag:client"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "action=\"deny\" is not supported" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR07.json
@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-ERR07",
+  "timestamp": "2026-03-17T14:28:29Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["tag:server:ssh"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "dst=\"tag:server:ssh\": port range \"ssh\": invalid first integer" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR08.json
@ -0,0 +1,51 @@
+{
+  "test_id": "ACL-ERR08",
+  "timestamp": "2026-03-17T14:28:34Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": ["autogroup:self:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "autogroup:self can only be used with users, groups, or supported autogroups" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-ERR09.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-ERR09.json
@ -0,0 +1,51 @@
+{
+  "test_id": "ACL-ERR09",
+  "timestamp": "2026-03-17T14:28:39Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_err09.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["autogroup:self:*"]
+        },
+        {
+          "action": "accept",
+          "src": ["autogroup:tagged"],
+          "dst": ["autogroup:self:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "autogroup:self can only be used with users, groups, or supported autogroups" }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H01.json
@ -0,0 +1,141 @@
+{
+  "test_id": "ACL-H01",
+  "timestamp": "2026-03-17T14:28:44Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["webserver:80"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H02.json
@ -0,0 +1,227 @@
+{
+  "test_id": "ACL-H02",
+  "timestamp": "2026-03-17T14:28:59Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["webserver"],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26"],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H03.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-H03",
+  "timestamp": "2026-03-17T14:29:10Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["internal"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["10.0.0.0/8"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H04.json
@ -0,0 +1,141 @@
+{
+  "test_id": "ACL-H04",
+  "timestamp": "2026-03-17T14:29:20Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["internal:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "10.0.0.0/8",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H05.json
@ -0,0 +1,159 @@
+{
+  "test_id": "ACL-H05",
+  "timestamp": "2026-03-17T14:29:31Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["webserver:22", "prodbox:5432"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H06.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-H06",
+  "timestamp": "2026-03-17T14:29:41Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["webserver", "tag:client"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H07.json
@ -0,0 +1,136 @@
+{
+  "test_id": "ACL-H07",
+  "timestamp": "2026-03-17T14:29:52Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["group:admins"],
+          "dst": ["webserver:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.90.199.68", "fd7a:115c:a1e0::2d01:c747"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-H08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-H08.json
@ -0,0 +1,123 @@
+{
+  "test_id": "ACL-H08",
+  "timestamp": "2026-03-17T14:30:02Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_h08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": ["subnet24:80"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-K01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-K01.json
@ -0,0 +1,172 @@
+{
+  "test_id": "ACL-K01",
+  "timestamp": "2026-03-17T14:30:13Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_k01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": [
+            "*",
+            "autogroup:member",
+            "autogroup:tagged",
+            "group:admins",
+            "tag:client",
+            "webserver",
+            "100.90.199.68"
+          ],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::/48",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-K02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-K02.json
@ -0,0 +1,226 @@
+{
+  "test_id": "ACL-K02",
+  "timestamp": "2026-03-17T14:30:23Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_k02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["tag:client"],
+          "dst": [
+            "tag:server:22",
+            "tag:prod:5432",
+            "webserver:80",
+            "prodbox:443",
+            "group:admins:8080",
+            "kratail2tid@passkey:3000",
+            "100.108.74.26:9000"
+          ]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 9000,
+                "Last": 9000
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 3000,
+                "Last": 3000
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 3000,
+                "Last": 3000
+              }
+            },
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-K03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-K03.json
@ -0,0 +1,374 @@
+{
+  "test_id": "ACL-K03",
+  "timestamp": "2026-03-17T14:30:34Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_k03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": [
+            "autogroup:member",
+            "autogroup:tagged",
+            "group:admins",
+            "group:developers",
+            "kratail2tid@passkey",
+            "tag:client",
+            "tag:prod",
+            "tag:server",
+            "webserver",
+            "prodbox"
+          ],
+          "dst": ["*:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "subnet-router": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-mon": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.108.74.26",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.85.66.106",
+            "100.90.199.68",
+            "100.92.142.61",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::3e37:8e3d",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::7c37:426a",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::b901:4a87",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "*",
+              "Ports": {
+                "First": 0,
+                "Last": 65535
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-K04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-K04.json
@ -0,0 +1,278 @@
+{
+  "test_id": "ACL-K04",
+  "timestamp": "2026-03-17T14:30:44Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_k04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*"],
+          "dst": [
+            "tag:server:22",
+            "tag:server:80",
+            "tag:server:443",
+            "tag:prod:5432",
+            "tag:prod:3306",
+            "tag:client:80",
+            "tag:client:443",
+            "webserver:8080",
+            "prodbox:8080"
+          ]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.83.200.69",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::c537:c845",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            },
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 3306,
+                "Last": 3306
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 3306,
+                "Last": 3306
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "fd7a:115c:a1e0::/48"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-K05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-K05.json
@ -0,0 +1,221 @@
+{
+  "test_id": "ACL-K05",
+  "timestamp": "2026-03-17T14:30:54Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_k05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": [
+            "autogroup:member",
+            "group:admins",
+            "kratail2tid@passkey",
+            "tag:client",
+            "tag:prod",
+            "100.83.200.69",
+            "100.103.8.15"
+          ],
+          "dst": ["tag:server:22", "webserver:80", "100.108.74.26:443", "group:admins:8080", "kratail2tid@passkey:9000"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.8.15",
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::5b37:80f",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 9000,
+                "Last": 9000
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 9000,
+                "Last": 9000
+              }
+            },
+            {
+              "IP": "100.90.199.68",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::2d01:c747",
+              "Ports": {
+                "First": 8080,
+                "Last": 8080
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M01.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M01.json
@ -0,0 +1,150 @@
+{
+  "test_id": "ACL-M01",
+  "timestamp": "2026-03-17T14:31:05Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m01.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["kratail2tid@passkey", "tag:client", "group:monitors"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M02.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M02.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-M02",
+  "timestamp": "2026-03-17T14:31:15Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m02.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["100.90.199.68", "tag:client"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "100.90.199.68", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M03.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M03.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-M03",
+  "timestamp": "2026-03-17T14:31:26Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m03.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["webserver", "tag:client"],
+          "dst": ["tag:prod:5432"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.108.74.26", "100.83.200.69", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.103.8.15",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::5b37:80f",
+              "Ports": {
+                "First": 5432,
+                "Last": 5432
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "tagged-server": {
+      "packet_filter_rules": null
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M04.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M04.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-M04",
+  "timestamp": "2026-03-17T14:31:36Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["group:admins", "tag:client"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.83.200.69", "100.90.199.68", "fd7a:115c:a1e0::2d01:c747", "fd7a:115c:a1e0::c537:c845"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M05.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M05.json
@ -0,0 +1,143 @@
+{
+  "test_id": "ACL-M05",
+  "timestamp": "2026-03-17T14:31:47Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m05.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["kratail2tid@passkey", "group:monitors"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": ["100.103.90.82", "100.90.199.68", "fd7a:115c:a1e0::2d01:c747", "fd7a:115c:a1e0::9e37:5a52"],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M06.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M06.json
@ -0,0 +1,150 @@
+{
+  "test_id": "ACL-M06",
+  "timestamp": "2026-03-17T14:31:57Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m06.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["*", "tag:client"],
+          "dst": ["tag:server:22"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "10.33.0.0/16",
+            "100.115.94.0-100.127.255.255",
+            "100.64.0.0-100.115.91.255",
+            "100.83.200.69",
+            "fd7a:115c:a1e0::/48",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M07.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M07.json
@ -0,0 +1,180 @@
+{
+  "test_id": "ACL-M07",
+  "timestamp": "2026-03-17T14:32:08Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m07.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member", "tag:client"],
+          "dst": ["tag:server:22,80,443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 22,
+                "Last": 22
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 80
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 443,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/acl_results/ACL-M08.json
+++ b/hscontrol/policy/v2/testdata/acl_results/ACL-M08.json
@ -0,0 +1,152 @@
+{
+  "test_id": "ACL-M08",
+  "timestamp": "2026-03-17T14:32:18Z",
+  "propagation_wait_seconds": 10,
+  "input": {
+    "policy_file": "acl_policies/acl_m08.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["autogroup:member", "tag:client"],
+          "dst": ["tag:server:80-443"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 200
+  },
+  "topology": {
+    "nodes": {
+      "exit-node": {
+        "hostname": "exit-node",
+        "tags": ["tag:exit"],
+        "ipv4": "100.85.66.106",
+        "ipv6": "fd7a:115c:a1e0::7c37:426a"
+      },
+      "subnet-router": {
+        "hostname": "subnet-router",
+        "tags": ["tag:router"],
+        "ipv4": "100.92.142.61",
+        "ipv6": "fd7a:115c:a1e0::3e37:8e3d"
+      },
+      "tagged-client": {
+        "hostname": "tagged-client",
+        "tags": ["tag:client"],
+        "ipv4": "100.83.200.69",
+        "ipv6": "fd7a:115c:a1e0::c537:c845"
+      },
+      "tagged-prod": {
+        "hostname": "tagged-prod",
+        "tags": ["tag:prod"],
+        "ipv4": "100.103.8.15",
+        "ipv6": "fd7a:115c:a1e0::5b37:80f"
+      },
+      "tagged-server": {
+        "hostname": "tagged-server",
+        "tags": ["tag:server"],
+        "ipv4": "100.108.74.26",
+        "ipv6": "fd7a:115c:a1e0::b901:4a87"
+      },
+      "user-kris": {
+        "hostname": "user-kris",
+        "tags": [],
+        "ipv4": "100.110.121.96",
+        "ipv6": "fd7a:115c:a1e0::1737:7960"
+      },
+      "user-mon": {
+        "hostname": "user-mon",
+        "tags": [],
+        "ipv4": "100.103.90.82",
+        "ipv6": "fd7a:115c:a1e0::9e37:5a52"
+      },
+      "user1": {
+        "hostname": "user1",
+        "tags": [],
+        "ipv4": "100.90.199.68",
+        "ipv6": "fd7a:115c:a1e0::2d01:c747"
+      }
+    }
+  },
+  "captures": {
+    "exit-node": {
+      "packet_filter_rules": null
+    },
+    "subnet-router": {
+      "packet_filter_rules": null
+    },
+    "tagged-client": {
+      "packet_filter_rules": null
+    },
+    "tagged-prod": {
+      "packet_filter_rules": null
+    },
+    "tagged-server": {
+      "packet_filter_rules": [
+        {
+          "SrcIPs": [
+            "100.103.90.82",
+            "100.110.121.96",
+            "100.83.200.69",
+            "100.90.199.68",
+            "fd7a:115c:a1e0::1737:7960",
+            "fd7a:115c:a1e0::2d01:c747",
+            "fd7a:115c:a1e0::9e37:5a52",
+            "fd7a:115c:a1e0::c537:c845"
+          ],
+          "DstPorts": [
+            {
+              "IP": "100.108.74.26",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            },
+            {
+              "IP": "fd7a:115c:a1e0::b901:4a87",
+              "Ports": {
+                "First": 80,
+                "Last": 443
+              }
+            }
+          ]
+        }
+      ]
+    },
+    "user-kris": {
+      "packet_filter_rules": null
+    },
+    "user-mon": {
+      "packet_filter_rules": null
+    },
+    "user1": {
+      "packet_filter_rules": null
+    }
+  }
+}
--- a/Show More
+++ b/Show More