testdata: convert .json to .hujson with header comments

Rename all 594 test data files from .json to .hujson and add
descriptive header comments to each file documenting what policy
rules are under test and what outcome is expected.

Update test loaders in all 5 _test.go files to parse HuJSON via
hujson.Parse/Standardize/Pack before json.Unmarshal.

Add cross-dependency warning to via_compat_test.go documenting
that GRANT-V29/V30/V31/V36 are shared with TestGrantsCompat.

Add .gitignore exemption for testdata HuJSON files.

.gitignore

@@ -29,6 +29,7 @@ config*.yaml
 !config-example.yaml
 derp.yaml
 *.hujson
+!hscontrol/policy/v2/testdata/*/*.hujson
 *.key
 /db.sqlite
 *.sqlite3

hscontrol/policy/v2/tailscale_acl_data_compat_test.go

@@ -27,6 +27,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tailscale/hujson"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 )
@@ -220,10 +221,14 @@ func loadACLTestFile(t *testing.T, path string) aclTestFile {
 	content, err := os.ReadFile(path)
 	require.NoError(t, err, "failed to read test file %s", path)
 
+	ast, err := hujson.Parse(content)
+	require.NoError(t, err, "failed to parse HuJSON in %s", path)
+	ast.Standardize()
+
 	var tf aclTestFile
 
-	err = json.Unmarshal(content, &tf)
-	require.NoError(t, err, "failed to parse test file %s", path)
+	err = json.Unmarshal(ast.Pack(), &tf)
+	require.NoError(t, err, "failed to unmarshal test file %s", path)
 
 	return tf
 }
@@ -255,13 +260,13 @@ func TestACLCompat(t *testing.T) {
 	t.Parallel()
 
 	files, err := filepath.Glob(
-		filepath.Join("testdata", "acl_results", "ACL-*.json"),
+		filepath.Join("testdata", "acl_results", "ACL-*.hujson"),
 	)
 	require.NoError(t, err, "failed to glob test files")
 	require.NotEmpty(
 		t,
 		files,
-		"no ACL-*.json test files found in testdata/acl_results/",
+		"no ACL-*.hujson test files found in testdata/acl_results/",
 	)
 
 	t.Logf("Loaded %d ACL test files", len(files))

hscontrol/policy/v2/tailscale_grants_compat_test.go

@@ -31,6 +31,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/policy/policyutil"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/stretchr/testify/require"
+	"github.com/tailscale/hujson"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 )
@@ -316,10 +317,14 @@ func loadGrantTestFile(t *testing.T, path string) grantTestFile {
 	content, err := os.ReadFile(path)
 	require.NoError(t, err, "failed to read test file %s", path)
 
+	ast, err := hujson.Parse(content)
+	require.NoError(t, err, "failed to parse HuJSON in %s", path)
+	ast.Standardize()
+
 	var tf grantTestFile
 
-	err = json.Unmarshal(content, &tf)
-	require.NoError(t, err, "failed to parse test file %s", path)
+	err = json.Unmarshal(ast.Pack(), &tf)
+	require.NoError(t, err, "failed to unmarshal test file %s", path)
 
 	return tf
 }
@@ -357,9 +362,9 @@ var grantSkipReasons = map[string]string{
 func TestGrantsCompat(t *testing.T) {
 	t.Parallel()
 
-	files, err := filepath.Glob(filepath.Join("testdata", "grant_results", "GRANT-*.json"))
+	files, err := filepath.Glob(filepath.Join("testdata", "grant_results", "GRANT-*.hujson"))
 	require.NoError(t, err, "failed to glob test files")
-	require.NotEmpty(t, files, "no GRANT-*.json test files found in testdata/grant_results/")
+	require.NotEmpty(t, files, "no GRANT-*.hujson test files found in testdata/grant_results/")
 
 	t.Logf("Loaded %d grant test files", len(files))
 

hscontrol/policy/v2/tailscale_routes_data_compat_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/policy/policyutil"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/stretchr/testify/require"
+	"github.com/tailscale/hujson"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 )
@@ -71,10 +72,14 @@ func loadRoutesTestFile(t *testing.T, path string) routesTestFile {
 	content, err := os.ReadFile(path)
 	require.NoError(t, err, "failed to read test file %s", path)
 
+	ast, err := hujson.Parse(content)
+	require.NoError(t, err, "failed to parse HuJSON in %s", path)
+	ast.Standardize()
+
 	var tf routesTestFile
 
-	err = json.Unmarshal(content, &tf)
-	require.NoError(t, err, "failed to parse test file %s", path)
+	err = json.Unmarshal(ast.Pack(), &tf)
+	require.NoError(t, err, "failed to unmarshal test file %s", path)
 
 	return tf
 }
@@ -188,13 +193,13 @@ func TestRoutesCompat(t *testing.T) {
 	t.Parallel()
 
 	files, err := filepath.Glob(
-		filepath.Join("testdata", "routes_results", "ROUTES-*.json"),
+		filepath.Join("testdata", "routes_results", "ROUTES-*.hujson"),
 	)
 	require.NoError(t, err, "failed to glob test files")
 	require.NotEmpty(
 		t,
 		files,
-		"no ROUTES-*.json test files found in testdata/routes_results/",
+		"no ROUTES-*.hujson test files found in testdata/routes_results/",
 	)
 
 	t.Logf("Loaded %d routes test files", len(files))

hscontrol/policy/v2/tailscale_ssh_data_compat_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/stretchr/testify/require"
+	"github.com/tailscale/hujson"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 )
@@ -191,10 +192,14 @@ func loadSSHTestFile(t *testing.T, path string) sshTestFile {
 	content, err := os.ReadFile(path)
 	require.NoError(t, err, "failed to read test file %s", path)
 
+	ast, err := hujson.Parse(content)
+	require.NoError(t, err, "failed to parse HuJSON in %s", path)
+	ast.Standardize()
+
 	var tf sshTestFile
 
-	err = json.Unmarshal(content, &tf)
-	require.NoError(t, err, "failed to parse test file %s", path)
+	err = json.Unmarshal(ast.Pack(), &tf)
+	require.NoError(t, err, "failed to unmarshal test file %s", path)
 
 	return tf
 }
@@ -226,13 +231,13 @@ func TestSSHDataCompat(t *testing.T) {
 	t.Parallel()
 
 	files, err := filepath.Glob(
-		filepath.Join("testdata", "ssh_results", "SSH-*.json"),
+		filepath.Join("testdata", "ssh_results", "SSH-*.hujson"),
 	)
 	require.NoError(t, err, "failed to glob test files")
 	require.NotEmpty(
 		t,
 		files,
-		"no SSH-*.json test files found in testdata/ssh_results/",
+		"no SSH-*.hujson test files found in testdata/ssh_results/",
 	)
 
 	t.Logf("Loaded %d SSH test files", len(files))

hscontrol/policy/v2/testdata/acl_results/ACL-A01.hujson

@@ -1,3 +1,8 @@
+// ACL-A01
+//
+// ACL:  accept: src=['autogroup:member'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-A01",
   "timestamp": "2026-03-17T14:16:33Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A02.hujson

@@ -1,3 +1,8 @@
+// ACL-A02
+//
+// ACL:  accept: src=['autogroup:tagged'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-A02",
   "timestamp": "2026-03-17T14:16:44Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A03.hujson

@@ -1,3 +1,8 @@
+// ACL-A03
+//
+// ACL:  accept: src=['autogroup:member', 'tag:client'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-A03",
   "timestamp": "2026-03-17T14:16:54Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A04.hujson

@@ -1,3 +1,8 @@
+// ACL-A04
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self:*']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-A04",
   "timestamp": "2026-03-17T14:17:04Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A05.hujson

@@ -1,3 +1,8 @@
+// ACL-A05
+//
+// ACL:  accept: src=['*'] dst=['autogroup:internet:*']
+//
+// Expected: No filter rules
 {
   "test_id": "ACL-A05",
   "timestamp": "2026-03-17T14:17:15Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A06.hujson

@@ -1,3 +1,8 @@
+// ACL-A06
+//
+// ACL:  accept: src=['*'] dst=['autogroup:member:*']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-A06",
   "timestamp": "2026-03-17T14:17:25Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A07.hujson

@@ -1,3 +1,8 @@
+// ACL-A07
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self:*', 'tag:server:22']
+//
+// Expected: Rules on tagged-server, user-kris, user-mon, user1
 {
   "test_id": "ACL-A07",
   "timestamp": "2026-03-17T14:17:36Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A08.hujson

@@ -1,3 +1,8 @@
+// ACL-A08
+//
+// ACL:  accept: src=['*'] dst=['autogroup:tagged:*']
+//
+// Expected: Rules on exit-node, subnet-router, tagged-client, tagged-prod, tagged-server
 {
   "test_id": "ACL-A08",
   "timestamp": "2026-03-17T14:17:47Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A09.hujson

@@ -1,3 +1,8 @@
+// ACL-A09
+//
+// ACL:  accept: src=['autogroup:member'] dst=['autogroup:self:*']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-A09",
   "timestamp": "2026-03-17T14:17:57Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A10.hujson

@@ -1,3 +1,8 @@
+// ACL-A10
+//
+// ACL:  accept: src=['kratail2tid@passkey'] dst=['autogroup:self:*']
+//
+// Expected: Rules on user1
 {
   "test_id": "ACL-A10",
   "timestamp": "2026-03-17T14:18:08Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A11.hujson

@@ -1,3 +1,8 @@
+// ACL-A11
+//
+// ACL:  accept: src=['group:admins'] dst=['autogroup:self:*']
+//
+// Expected: Rules on user1
 {
   "test_id": "ACL-A11",
   "timestamp": "2026-03-17T14:18:18Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A12.hujson

@@ -1,3 +1,8 @@
+// ACL-A12
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self:22']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-A12",
   "timestamp": "2026-03-17T14:18:28Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A13.hujson

@@ -1,3 +1,8 @@
+// ACL-A13
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self:80-443']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-A13",
   "timestamp": "2026-03-17T14:18:39Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A14.hujson

@@ -1,3 +1,8 @@
+// ACL-A14
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self:22,80,443']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-A14",
   "timestamp": "2026-03-17T14:18:49Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A15.hujson

@@ -1,3 +1,8 @@
+// ACL-A15
+//
+// ACL:  accept: src=['autogroup:member', 'autogroup:tagged'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-A15",
   "timestamp": "2026-03-17T14:19:00Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A16.hujson

@@ -1,3 +1,8 @@
+// ACL-A16
+//
+// ACL:  accept: src=['autogroup:member', 'autogroup:tagged'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-A16",
   "timestamp": "2026-03-17T14:19:10Z",

hscontrol/policy/v2/testdata/acl_results/ACL-A17.hujson

@@ -1,3 +1,8 @@
+// ACL-A17
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self:*', 'tag:server:22', 'autogroup:member:80']
+//
+// Expected: Rules on tagged-server, user-kris, user-mon, user1
 {
   "test_id": "ACL-A17",
   "timestamp": "2026-03-17T14:19:21Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AH01.hujson

@@ -1,3 +1,8 @@
+// ACL-AH01
+//
+// ACL:  accept: src=['internal', 'subnet24'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-AH01",
   "timestamp": "2026-03-17T14:19:31Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AH02.hujson

@@ -1,3 +1,8 @@
+// ACL-AH02
+//
+// ACL:  accept: src=['internal', '100.108.74.26'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AH02",
   "timestamp": "2026-03-17T14:19:42Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AH03.hujson

@@ -1,3 +1,8 @@
+// ACL-AH03
+//
+// ACL:  accept: src=['*'] dst=['internal:22', 'subnet24:80', 'tag:server:443']
+//
+// Expected: Rules on subnet-router, tagged-server
 {
   "test_id": "ACL-AH03",
   "timestamp": "2026-03-17T14:19:52Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AH04.hujson

@@ -1,3 +1,8 @@
+// ACL-AH04
+//
+// ACL:  accept: src=['internal', '10.0.0.0/8'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AH04",
   "timestamp": "2026-03-17T14:20:02Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AH05.hujson

@@ -1,3 +1,8 @@
+// ACL-AH05
+//
+// ACL:  accept: src=['*'] dst=['internal:22']
+//
+// Expected: Rules on subnet-router
 {
   "test_id": "ACL-AH05",
   "timestamp": "2026-03-17T14:20:13Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AH06.hujson

@@ -1,3 +1,8 @@
+// ACL-AH06
+//
+// ACL:  accept: src=['*'] dst=['10.0.0.0/8:22']
+//
+// Expected: Rules on subnet-router
 {
   "test_id": "ACL-AH06",
   "timestamp": "2026-03-17T14:20:23Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AR01.hujson

@@ -1,3 +1,10 @@
+// ACL-AR01
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:client'] dst=['tag:server:80,443']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AR01",
   "timestamp": "2026-03-17T14:20:34Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AR02.hujson

@@ -1,3 +1,11 @@
+// ACL-AR02
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:client'] dst=['tag:server:80,443']
+//   accept: src=['*'] dst=['tag:server:53'] proto=udp
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AR02",
   "timestamp": "2026-03-17T14:20:44Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AR03.hujson

@@ -1,3 +1,11 @@
+// ACL-AR03
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:client'] dst=['tag:server:80']
+//   accept: src=['tag:client'] dst=['tag:server:443']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AR03",
   "timestamp": "2026-03-17T14:20:55Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AR04.hujson

@@ -1,3 +1,11 @@
+// ACL-AR04
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:prod'] dst=['tag:server:22']
+//   accept: src=['tag:router'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AR04",
   "timestamp": "2026-03-17T14:21:05Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AR05.hujson

@@ -1,3 +1,12 @@
+// ACL-AR05
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:client'] dst=['tag:server:80']
+//   accept: src=['tag:prod'] dst=['tag:server:22']
+//   accept: src=['tag:prod'] dst=['tag:server:443']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AR05",
   "timestamp": "2026-03-17T14:21:16Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AR06.hujson

@@ -1,3 +1,10 @@
+// ACL-AR06
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['*'] dst=['tag:server:80']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AR06",
   "timestamp": "2026-03-17T14:21:26Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AT01.hujson

@@ -1,3 +1,8 @@
+// ACL-AT01
+//
+// ACL:  accept: src=['tag:server', 'tag:client', 'tag:prod', 'tag:router', 'tag:exit'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-AT01",
   "timestamp": "2026-03-17T14:21:36Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AT02.hujson

@@ -1,3 +1,8 @@
+// ACL-AT02
+//
+// ACL:  accept: src=['*'] dst=['tag:server:22', 'tag:client:22', 'tag:prod:22', 'tag:router:22', 'tag:exit:22']
+//
+// Expected: Rules on exit-node, subnet-router, tagged-client, tagged-prod, tagged-server
 {
   "test_id": "ACL-AT02",
   "timestamp": "2026-03-17T14:21:47Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AT03.hujson

@@ -1,3 +1,8 @@
+// ACL-AT03
+//
+// ACL:  accept: src=['tag:server', 'tag:client', 'tag:prod', 'tag:router', 'tag:exit'] dst=['autogroup:member:22']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-AT03",
   "timestamp": "2026-03-17T14:21:57Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AT04.hujson

@@ -1,3 +1,10 @@
+// ACL-AT04
+//
+// ACLs:
+//   accept: src=['autogroup:tagged'] dst=['tag:server:22']
+//   accept: src=['autogroup:member'] dst=['tag:server:80']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AT04",
   "timestamp": "2026-03-17T14:22:08Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AT05.hujson

@@ -1,3 +1,10 @@
+// ACL-AT05
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:server'] dst=['tag:client:22']
+//
+// Expected: Rules on tagged-client, tagged-server
 {
   "test_id": "ACL-AT05",
   "timestamp": "2026-03-17T14:22:18Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AT06.hujson

@@ -1,3 +1,12 @@
+// ACL-AT06
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:server'] dst=['tag:prod:5432']
+//   accept: src=['tag:prod'] dst=['tag:client:80']
+//   accept: src=['tag:client'] dst=['tag:prod:443']
+//
+// Expected: Rules on tagged-client, tagged-prod, tagged-server
 {
   "test_id": "ACL-AT06",
   "timestamp": "2026-03-17T14:22:29Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AU01.hujson

@@ -1,3 +1,8 @@
+// ACL-AU01
+//
+// ACL:  accept: src=['kristoffer@dalby.cc'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AU01",
   "timestamp": "2026-03-17T14:22:39Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AU02.hujson

@@ -1,3 +1,8 @@
+// ACL-AU02
+//
+// ACL:  accept: src=['monitorpasskeykradalby@passkey'] dst=['tag:prod:5432']
+//
+// Expected: Rules on tagged-prod
 {
   "test_id": "ACL-AU02",
   "timestamp": "2026-03-17T14:22:49Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AU03.hujson

@@ -1,3 +1,8 @@
+// ACL-AU03
+//
+// ACL:  accept: src=['group:developers'] dst=['tag:server:22', 'tag:prod:5432']
+//
+// Expected: Rules on tagged-prod, tagged-server
 {
   "test_id": "ACL-AU03",
   "timestamp": "2026-03-17T14:23:00Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AU04.hujson

@@ -1,3 +1,8 @@
+// ACL-AU04
+//
+// ACL:  accept: src=['*'] dst=['group:developers:22']
+//
+// Expected: Rules on user-kris, user1
 {
   "test_id": "ACL-AU04",
   "timestamp": "2026-03-17T14:23:10Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AU05.hujson

@@ -1,3 +1,8 @@
+// ACL-AU05
+//
+// ACL:  accept: src=['*'] dst=['group:monitors:*']
+//
+// Expected: Rules on user-mon
 {
   "test_id": "ACL-AU05",
   "timestamp": "2026-03-17T14:23:21Z",

hscontrol/policy/v2/testdata/acl_results/ACL-AU06.hujson

@@ -1,3 +1,8 @@
+// ACL-AU06
+//
+// ACL:  accept: src=['group:admins', 'group:developers', 'group:monitors'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-AU06",
   "timestamp": "2026-03-17T14:23:31Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C01.hujson

@@ -1,3 +1,11 @@
+// ACL-C01
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['autogroup:member'] dst=['tag:server:80']
+//   accept: src=['*'] dst=['tag:prod:5432']
+//
+// Expected: Rules on tagged-prod, tagged-server
 {
   "test_id": "ACL-C01",
   "timestamp": "2026-03-17T14:23:42Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C02.hujson

@@ -1,3 +1,11 @@
+// ACL-C02
+//
+// ACLs:
+//   accept: src=['tag:client', 'autogroup:member'] dst=['tag:server:22']
+//   accept: src=['tag:prod'] dst=['tag:server:80']
+//   accept: src=['group:admins'] dst=['tag:prod:5432']
+//
+// Expected: Rules on tagged-prod, tagged-server
 {
   "test_id": "ACL-C02",
   "timestamp": "2026-03-17T14:23:52Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C03.hujson

@@ -1,3 +1,10 @@
+// ACL-C03
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22', 'tag:prod:5432', 'webserver:80']
+//   accept: src=['autogroup:member'] dst=['autogroup:self:*']
+//
+// Expected: Rules on tagged-prod, tagged-server, user-kris, user-mon, user1
 {
   "test_id": "ACL-C03",
   "timestamp": "2026-03-17T14:24:03Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C04.hujson

@@ -1,3 +1,12 @@
+// ACL-C04
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:server'] dst=['tag:prod:5432']
+//   accept: src=['autogroup:member'] dst=['autogroup:self:*']
+//   accept: src=['*'] dst=['autogroup:internet:*']
+//
+// Expected: Rules on tagged-prod, tagged-server, user-kris, user-mon, user1
 {
   "test_id": "ACL-C04",
   "timestamp": "2026-03-17T14:24:13Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C05.hujson

@@ -1,3 +1,8 @@
+// ACL-C05
+//
+// ACL:  accept: src=['*'] dst=['tag:server:22', 'tag:prod:5432', 'tag:client:80', 'tag:router:*', 'tag:exit:*', 'autogroup:member:443', 'autogroup:self:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-C05",
   "timestamp": "2026-03-17T14:24:23Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C06.hujson

@@ -1,3 +1,8 @@
+// ACL-C06
+//
+// ACL:  accept: src=['tag:client', 'tag:prod', 'tag:server', 'autogroup:member', 'group:admins'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-C06",
   "timestamp": "2026-03-17T14:24:34Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C07.hujson

@@ -1,3 +1,12 @@
+// ACL-C07
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:client'] dst=['tag:server:80']
+//   accept: src=['tag:client'] dst=['tag:server:443']
+//   accept: src=['tag:client'] dst=['tag:server:8080']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-C07",
   "timestamp": "2026-03-17T14:24:44Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C08.hujson

@@ -1,3 +1,8 @@
+// ACL-C08
+//
+// ACL:  accept: src=['*'] dst=['tag:server:22', 'tag:prod:22', 'tag:client:22', 'tag:router:22', 'tag:exit:22']
+//
+// Expected: Rules on exit-node, subnet-router, tagged-client, tagged-prod, tagged-server
 {
   "test_id": "ACL-C08",
   "timestamp": "2026-03-17T14:24:55Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C09.hujson

@@ -1,3 +1,12 @@
+// ACL-C09
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['tag:client'] dst=['tag:prod:22']
+//   accept: src=['tag:server'] dst=['tag:prod:5432']
+//   ... (6 rules total)
+//
+// Expected: Rules on subnet-router, tagged-prod, tagged-server, user-kris, user-mon, user1
 {
   "test_id": "ACL-C09",
   "timestamp": "2026-03-17T14:25:05Z",

hscontrol/policy/v2/testdata/acl_results/ACL-C10.hujson

@@ -1,3 +1,11 @@
+// ACL-C10
+//
+// ACLs:
+//   accept: src=['autogroup:member'] dst=['autogroup:self:*']
+//   accept: src=['autogroup:member'] dst=['tag:server:22', 'tag:prod:5432']
+//   accept: src=['autogroup:tagged'] dst=['autogroup:tagged:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-C10",
   "timestamp": "2026-03-17T14:25:16Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D01.hujson

@@ -1,3 +1,10 @@
+// ACL-D01
+//
+// ACLs:
+//   accept: src=['tag:client'] dst=['tag:server:22']
+//   accept: src=['*'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-D01",
   "timestamp": "2026-03-17T14:25:26Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D02.hujson

@@ -1,3 +1,8 @@
+// ACL-D02
+//
+// ACL:  accept: src=['tag:client'] dst=['tag:server:22', 'webserver:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-D02",
   "timestamp": "2026-03-17T14:25:37Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D03.hujson

@@ -1,3 +1,8 @@
+// ACL-D03
+//
+// ACL:  accept: src=['100.108.74.26', 'tag:server'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-D03",
   "timestamp": "2026-03-17T14:25:47Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D04.hujson

@@ -1,3 +1,8 @@
+// ACL-D04
+//
+// ACL:  accept: src=['100.108.74.26', 'webserver'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-D04",
   "timestamp": "2026-03-17T14:25:57Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D05.hujson

@@ -1,3 +1,8 @@
+// ACL-D05
+//
+// ACL:  accept: src=['*'] dst=['100.108.74.26:22', 'tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-D05",
   "timestamp": "2026-03-17T14:26:08Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D06.hujson

@@ -1,3 +1,8 @@
+// ACL-D06
+//
+// ACL:  accept: src=['*'] dst=['100.108.74.26:22', 'webserver:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-D06",
   "timestamp": "2026-03-17T14:26:18Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D07.hujson

@@ -1,3 +1,8 @@
+// ACL-D07
+//
+// ACL:  accept: src=['autogroup:member', 'autogroup:tagged'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-D07",
   "timestamp": "2026-03-17T14:26:29Z",

hscontrol/policy/v2/testdata/acl_results/ACL-D08.hujson

@@ -1,3 +1,10 @@
+// ACL-D08
+//
+// ACLs:
+//   accept: src=['*'] dst=['autogroup:self:*']
+//   accept: src=['kratail2tid@passkey'] dst=['kratail2tid@passkey:*']
+//
+// Expected: Rules on user-kris, user-mon, user1
 {
   "test_id": "ACL-D08",
   "timestamp": "2026-03-17T14:26:39Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E01.hujson

@@ -1,3 +1,8 @@
+// ACL-E01
+//
+// ACL:  accept: src=['100.108.74.26'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-E01",
   "timestamp": "2026-03-17T14:26:50Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E02.hujson

@@ -1,3 +1,8 @@
+// ACL-E02
+//
+// ACL:  accept: src=['tag:server'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-E02",
   "timestamp": "2026-03-17T14:27:00Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E03.hujson

@@ -1,3 +1,8 @@
+// ACL-E03
+//
+// ACL:  accept: src=['webserver'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-E03",
   "timestamp": "2026-03-17T14:27:11Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E04.hujson

@@ -1,3 +1,8 @@
+// ACL-E04
+//
+// ACL:  accept: src=['*'] dst=['100.108.74.26:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-E04",
   "timestamp": "2026-03-17T14:27:21Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E05.hujson

@@ -1,3 +1,8 @@
+// ACL-E05
+//
+// ACL:  accept: src=['*'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-E05",
   "timestamp": "2026-03-17T14:27:32Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E06.hujson

@@ -1,3 +1,8 @@
+// ACL-E06
+//
+// ACL:  accept: src=['*'] dst=['webserver:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-E06",
   "timestamp": "2026-03-17T14:27:42Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E07.hujson

@@ -1,3 +1,8 @@
+// ACL-E07
+//
+// ACL:  accept: src=['kratail2tid@passkey'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-E07",
   "timestamp": "2026-03-17T14:27:52Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E08.hujson

@@ -1,3 +1,8 @@
+// ACL-E08
+//
+// ACL:  accept: src=['group:admins'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-E08",
   "timestamp": "2026-03-17T14:28:03Z",

hscontrol/policy/v2/testdata/acl_results/ACL-E09.hujson

@@ -1,3 +1,8 @@
+// ACL-E09
+//
+// ACL:  accept: src=['kratail2tid@passkey', 'group:admins'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-E09",
   "timestamp": "2026-03-17T14:28:13Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR01.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR01
+//
+// ACL:  accept: src=['tag:nonexistent'] dst=['tag:server:22']
+//
+// Expected: Error — src=tag not found: "tag:nonexistent"
 {
   "test_id": "ACL-ERR01",
   "timestamp": "2026-03-17T14:28:24Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR02.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR02
+//
+// ACL:  accept: src=['autogroup:self'] dst=['tag:server:22']
+//
+// Expected: Error — "autogroup:self" not valid on the src side of a rule
 {
   "test_id": "ACL-ERR02",
   "timestamp": "2026-03-17T14:28:24Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR03.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR03
+//
+// ACL:  accept: src=['*'] dst=['autogroup:self']
+//
+// Expected: Error — dst="autogroup:self": port range "self": invalid first integer
 {
   "test_id": "ACL-ERR03",
   "timestamp": "2026-03-17T14:28:24Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR04.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR04
+//
+// ACL:  accept: src=['tag:nonexistent'] dst=['*:*']
+//
+// Expected: Error — src=tag not found: "tag:nonexistent"
 {
   "test_id": "ACL-ERR04",
   "timestamp": "2026-03-17T14:28:25Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR05.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR05
+//
+// ACL:  accept: src=['*'] dst=['tag:nonexistent:22']
+//
+// Expected: Error — dst="tag:nonexistent": tag not found: "tag:nonexistent"
 {
   "test_id": "ACL-ERR05",
   "timestamp": "2026-03-17T14:28:25Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR06.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR06
+//
+// ACL:  deny: src=['tag:client'] dst=['tag:server:22']
+//
+// Expected: Error — action="deny" is not supported
 {
   "test_id": "ACL-ERR06",
   "timestamp": "2026-03-17T14:28:25Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR07.hujson

@@ -1,3 +1,8 @@
+// ACL-ERR07
+//
+// ACL:  accept: src=['*'] dst=['tag:server:ssh']
+//
+// Expected: Error — dst="tag:server:ssh": port range "ssh": invalid first integer
 {
   "test_id": "ACL-ERR07",
   "timestamp": "2026-03-17T14:28:29Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR08.hujson

@@ -1,3 +1,10 @@
+// ACL-ERR08
+//
+// ACLs:
+//   accept: src=['*'] dst=['autogroup:self:*']
+//   accept: src=['tag:client'] dst=['autogroup:self:22']
+//
+// Expected: Error — autogroup:self can only be used with users, groups, or supported autogroups
 {
   "test_id": "ACL-ERR08",
   "timestamp": "2026-03-17T14:28:34Z",

hscontrol/policy/v2/testdata/acl_results/ACL-ERR09.hujson

@@ -1,3 +1,10 @@
+// ACL-ERR09
+//
+// ACLs:
+//   accept: src=['*'] dst=['autogroup:self:*']
+//   accept: src=['autogroup:tagged'] dst=['autogroup:self:22']
+//
+// Expected: Error — autogroup:self can only be used with users, groups, or supported autogroups
 {
   "test_id": "ACL-ERR09",
   "timestamp": "2026-03-17T14:28:39Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H01.hujson

@@ -1,3 +1,8 @@
+// ACL-H01
+//
+// ACL:  accept: src=['*'] dst=['webserver:80']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-H01",
   "timestamp": "2026-03-17T14:28:44Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H02.hujson

@@ -1,3 +1,8 @@
+// ACL-H02
+//
+// ACL:  accept: src=['webserver'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-H02",
   "timestamp": "2026-03-17T14:28:59Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H03.hujson

@@ -1,3 +1,8 @@
+// ACL-H03
+//
+// ACL:  accept: src=['internal'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-H03",
   "timestamp": "2026-03-17T14:29:10Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H04.hujson

@@ -1,3 +1,8 @@
+// ACL-H04
+//
+// ACL:  accept: src=['*'] dst=['internal:22']
+//
+// Expected: Rules on subnet-router
 {
   "test_id": "ACL-H04",
   "timestamp": "2026-03-17T14:29:20Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H05.hujson

@@ -1,3 +1,8 @@
+// ACL-H05
+//
+// ACL:  accept: src=['*'] dst=['webserver:22', 'prodbox:5432']
+//
+// Expected: Rules on tagged-prod, tagged-server
 {
   "test_id": "ACL-H05",
   "timestamp": "2026-03-17T14:29:31Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H06.hujson

@@ -1,3 +1,8 @@
+// ACL-H06
+//
+// ACL:  accept: src=['webserver', 'tag:client'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-H06",
   "timestamp": "2026-03-17T14:29:41Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H07.hujson

@@ -1,3 +1,8 @@
+// ACL-H07
+//
+// ACL:  accept: src=['group:admins'] dst=['webserver:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-H07",
   "timestamp": "2026-03-17T14:29:52Z",

hscontrol/policy/v2/testdata/acl_results/ACL-H08.hujson

@@ -1,3 +1,8 @@
+// ACL-H08
+//
+// ACL:  accept: src=['*'] dst=['subnet24:80']
+//
+// Expected: No filter rules
 {
   "test_id": "ACL-H08",
   "timestamp": "2026-03-17T14:30:02Z",

hscontrol/policy/v2/testdata/acl_results/ACL-K01.hujson

@@ -1,3 +1,8 @@
+// ACL-K01
+//
+// ACL:  accept: src=['*', 'autogroup:member', 'autogroup:tagged', 'group:admins', 'tag:client', 'webserver', '100.90.199.68'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-K01",
   "timestamp": "2026-03-17T14:30:13Z",

hscontrol/policy/v2/testdata/acl_results/ACL-K02.hujson

@@ -1,3 +1,8 @@
+// ACL-K02
+//
+// ACL:  accept: src=['tag:client'] dst=['tag:server:22', 'tag:prod:5432', 'webserver:80', 'prodbox:443', 'group:admins:8080', 'kratail2tid@passkey:3000', '100.108.74.26:9000']
+//
+// Expected: Rules on tagged-prod, tagged-server, user1
 {
   "test_id": "ACL-K02",
   "timestamp": "2026-03-17T14:30:23Z",

hscontrol/policy/v2/testdata/acl_results/ACL-K03.hujson

@@ -1,3 +1,8 @@
+// ACL-K03
+//
+// ACL:  accept: src=['autogroup:member', 'autogroup:tagged', 'group:admins', 'group:developers', 'kratail2tid@passkey', 'tag:client', 'tag:prod', 'tag:server', 'webserver', 'prodbox'] dst=['*:*']
+//
+// Expected: Rules on 8 of 8 nodes
 {
   "test_id": "ACL-K03",
   "timestamp": "2026-03-17T14:30:34Z",

hscontrol/policy/v2/testdata/acl_results/ACL-K04.hujson

@@ -1,3 +1,8 @@
+// ACL-K04
+//
+// ACL:  accept: src=['*'] dst=['tag:server:22', 'tag:server:80', 'tag:server:443', 'tag:prod:5432', 'tag:prod:3306', 'tag:client:80', 'tag:client:443', 'webserver:8080', 'prodbox:8080']
+//
+// Expected: Rules on tagged-client, tagged-prod, tagged-server
 {
   "test_id": "ACL-K04",
   "timestamp": "2026-03-17T14:30:44Z",

hscontrol/policy/v2/testdata/acl_results/ACL-K05.hujson

@@ -1,3 +1,8 @@
+// ACL-K05
+//
+// ACL:  accept: src=['autogroup:member', 'group:admins', 'kratail2tid@passkey', 'tag:client', 'tag:prod', '100.83.200.69', '100.103.8.15'] dst=['tag:server:22', 'webserver:80', '100.108.74.26:443', 'group:admins:8080', 'kratail2tid@passkey:9000']
+//
+// Expected: Rules on tagged-server, user1
 {
   "test_id": "ACL-K05",
   "timestamp": "2026-03-17T14:30:54Z",

hscontrol/policy/v2/testdata/acl_results/ACL-M01.hujson

@@ -1,3 +1,8 @@
+// ACL-M01
+//
+// ACL:  accept: src=['kratail2tid@passkey', 'tag:client', 'group:monitors'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-M01",
   "timestamp": "2026-03-17T14:31:05Z",

hscontrol/policy/v2/testdata/acl_results/ACL-M02.hujson

@@ -1,3 +1,8 @@
+// ACL-M02
+//
+// ACL:  accept: src=['100.90.199.68', 'tag:client'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-M02",
   "timestamp": "2026-03-17T14:31:15Z",

hscontrol/policy/v2/testdata/acl_results/ACL-M03.hujson

@@ -1,3 +1,8 @@
+// ACL-M03
+//
+// ACL:  accept: src=['webserver', 'tag:client'] dst=['tag:prod:5432']
+//
+// Expected: Rules on tagged-prod
 {
   "test_id": "ACL-M03",
   "timestamp": "2026-03-17T14:31:26Z",

hscontrol/policy/v2/testdata/acl_results/ACL-M04.hujson

@@ -1,3 +1,8 @@
+// ACL-M04
+//
+// ACL:  accept: src=['group:admins', 'tag:client'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-M04",
   "timestamp": "2026-03-17T14:31:36Z",

hscontrol/policy/v2/testdata/acl_results/ACL-M05.hujson

@@ -1,3 +1,8 @@
+// ACL-M05
+//
+// ACL:  accept: src=['kratail2tid@passkey', 'group:monitors'] dst=['tag:server:22']
+//
+// Expected: Rules on tagged-server
 {
   "test_id": "ACL-M05",
   "timestamp": "2026-03-17T14:31:47Z",