From 2f73c700aaed36917502e1149b6e2641ec539039 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Wed, 11 Feb 2026 16:20:50 +0100
Subject: [PATCH 01/23] initial commit

---
 core2/pkg/foundation/00_module.go             |   3 +
 core2/pkg/foundation/policies.go              | 157 ++++++++++++++++++
 .../policies/restrict_applications.yaml       |  28 ++++
 .../policies/restrict_cut_and_paste.yaml      |  21 +++
 .../policies/restrict_downloads.yaml          |  15 ++
 .../restrict_integrated_applications.yaml     |  25 +++
 .../policies/restrict_internet_access.yaml    |  18 ++
 .../restrict_organizations_members.yaml       |  18 ++
 .../restrict_provider_file_transfers.yaml     |  21 +++
 .../policies/restrict_public_ips.yaml         |  12 ++
 .../policies/restrict_public_links.yaml       |  12 ++
 .../policies/restrict_source_ip_range.yaml    |  20 +++
 core2/pkg/foundation/policy_templates.go      |  78 +++++++++
 core2/pkg/migrations/00_module.go             |   1 +
 core2/pkg/migrations/policies.go              |  23 +++
 15 files changed, 452 insertions(+)
 create mode 100644 core2/pkg/foundation/policies.go
 create mode 100644 core2/pkg/foundation/policies/restrict_applications.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_cut_and_paste.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_downloads.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_integrated_applications.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_internet_access.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_organizations_members.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_provider_file_transfers.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_public_ips.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_public_links.yaml
 create mode 100644 core2/pkg/foundation/policies/restrict_source_ip_range.yaml
 create mode 100644 core2/pkg/foundation/policy_templates.go
 create mode 100644 core2/pkg/migrations/policies.go

diff --git a/core2/pkg/foundation/00_module.go b/core2/pkg/foundation/00_module.go
index 1e916d05ad..4d138bd4ed 100644
--- a/core2/pkg/foundation/00_module.go
+++ b/core2/pkg/foundation/00_module.go
@@ -44,5 +44,8 @@ func Init() {
 	initAuthOidc()
 	times["Oidc"] = t.Mark()
 
+	initPolicies()
+	times["Policies"] = t.Mark()
+
 	coreutil.PrintStartupTimes("Foundation", times)
 }
diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
new file mode 100644
index 0000000000..e103105756
--- /dev/null
+++ b/core2/pkg/foundation/policies.go
@@ -0,0 +1,157 @@
+package foundation
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"gopkg.in/yaml.v3"
+	"ucloud.dk/shared/pkg/cfgutil"
+	db "ucloud.dk/shared/pkg/database"
+	fndapi "ucloud.dk/shared/pkg/foundation"
+	"ucloud.dk/shared/pkg/log"
+	"ucloud.dk/shared/pkg/rpc"
+	"ucloud.dk/shared/pkg/util"
+)
+
+var policySchemas map[string]fndapi.PolicySchema
+
+func initPolicies() {
+	readPolicies()
+
+	loadPoliciesFromDB()
+
+	fndapi.PoliciesRetrieve.Handler(func(info rpc.RequestInfo, request util.Empty) (map[string]fndapi.Policy, *util.HttpError) {
+		return retrievePolicies(info.Actor)
+	})
+
+	fndapi.PoliciesUpdate.Handler(func(info rpc.RequestInfo, request fndapi.PoliciesUpdateRequest) (util.Empty, *util.HttpError) {
+		return updatePolicies(info.Actor, request)
+	})
+}
+
+func readPolicies() {
+	policies := pullProjectPolicies()
+	policySchemas = make(map[string]fndapi.PolicySchema, len(policies))
+	for _, policy := range policies {
+		var document yaml.Node
+		success := true
+
+		err := yaml.Unmarshal(policy.Bytes, &document)
+		if err != nil {
+			log.Fatal("Error loading policy document ", policy.PolicyName, ": ", err)
+		}
+
+		var policySchema fndapi.PolicySchema
+
+		cfgutil.Decode("", &document, &policySchema, &success)
+
+		if !success {
+			log.Fatal("Error decoding policy document ", policy.PolicyName, ": ", err)
+		}
+		policySchemas[policySchema.Name] = policySchema
+	}
+}
+
+func loadPoliciesFromDB() {
+	db.NewTx0(func(tx *db.Transaction) {
+		db.Select[struct {
+			ProjectID string
+			Policy    string
+		}](
+			tx,
+			`
+				select * 
+				from project.policies
+				order by project_id
+		    `,
+			db.Params{},
+		)
+
+		//TODO(chaching)
+	})
+}
+
+func retrievePolicies(actor rpc.Actor) (map[string]fndapi.Policy, *util.HttpError) {
+	if !actor.Project.Present {
+		return nil, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
+	}
+	if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRoleAdmin) {
+		return nil, util.HttpErr(http.StatusForbidden, "Only PIs and Admins may list the policies")
+	}
+	return nil, nil
+}
+
+type SimplePolicyProperty struct {
+	PropertyType  fndapi.PolicyPropertyType `yaml:"property_type"`
+	PropertyValue any                       `yaml:"property_value"`
+}
+
+func updatePolicies(actor rpc.Actor, request fndapi.PoliciesUpdateRequest) (util.Empty, *util.HttpError) {
+	if !actor.Project.Present {
+		return util.Empty{}, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
+	}
+	if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRolePI) {
+		return util.Empty{}, util.HttpErr(http.StatusForbidden, "Only PIs may update the policies")
+	}
+
+	db.NewTx0(func(tx *db.Transaction) {
+		b := db.BatchNew(tx)
+		for _, specification := range request.UpdatedPolicies {
+			_, ok := policySchemas[specification.Schema]
+			//When trying to update a schema that does not exist, we just skip it
+			if !ok {
+				log.Debug("Unknown Schema ", specification.Schema)
+				continue
+			}
+			projectId := specification.Project
+
+			isEnabled := false
+			for _, property := range specification.Properties {
+				if property.Name == "enabled" {
+					isEnabled = property.Bool
+				}
+			}
+
+			//If the policy is not enabled we need to delete it form the DB.
+			//Else we need to insert or update already existing project policy
+			if !isEnabled {
+				db.BatchExec(
+					b,
+					`
+						delete from project.policies 
+					    where project_id = :project_id and policy_name = :policy_name
+				    `,
+					db.Params{
+						"project_id":  projectId,
+						"policy_name": specification.Schema,
+					},
+				)
+			} else {
+				properties, err := json.Marshal(specification.Properties)
+				if err != nil {
+					log.Debug("Error marshalling policy document ", specification.Schema, " ", specification.Properties)
+					continue
+				}
+				db.BatchExec(
+					b,
+					`
+					insert into project.policies (policy_name, policy_property, project_id)
+					values (:policy_name, :policy_properties, :project_id)
+					on conflict (policy_name, project_id) do 
+						update set policy_property = excluded.policy_property,
+			    `,
+					db.Params{
+						"policy_name":       specification.Schema,
+						"policy_properties": properties,
+						"project_id":        projectId,
+					},
+				)
+			}
+		}
+		db.BatchSend(b)
+
+		//TODO( DO caching update)
+	})
+
+	return util.Empty{}, nil
+}
diff --git a/core2/pkg/foundation/policies/restrict_applications.yaml b/core2/pkg/foundation/policies/restrict_applications.yaml
new file mode 100644
index 0000000000..dd616b5714
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_applications.yaml
@@ -0,0 +1,28 @@
+name: "RestrictApplications"
+title: "Restrict applications available for use"
+
+description: >
+  Restricts which applications are available for use in the project.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, the project will only be able to run applications that are listed along this policy.
+      If disabled the all apps in the app catalog is available (within the regular limitations of products needed).
+  - name: "applications"
+    type: "TextList"
+    title: "Applications"
+    description: >
+      List of applications which the project should be restricted to 
+      use. This refers to the canonical application name. This name
+      can be found in the UI by copying the canonical name of a concrete
+      _flavor_.
+      
+      An empty list indicates that there are no apps available within the project. 
+      Any additions to the list will cause the project to be able to run these applications.
+      
+      This configuration option does not affect provider registered
+      applications. This option cannot be used to control Syncthing or
+      other integrated applications.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml b/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml
new file mode 100644
index 0000000000..b4385d0c59
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml
@@ -0,0 +1,21 @@
+name: "CutAndPaste"
+title: "Disable copy & paste in interactive applications"
+
+description: >
+  This option will turn off copy & paste in interactive applications. This is 
+  implemented by forcing access to all interactive applications to be done 
+  through a remote desktop. This option is insufficient if Internet access 
+  is allowed. Copy & paste will still be possible internally in the 
+  application, if supported, but it will not be available on the client 
+  machine.
+  
+  This feature will automatically disable the "Open terminal" feature on all
+  jobs.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, copy & paste will be turned off. If not enabled, 
+      copy & paste will be available if the application supports it.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_downloads.yaml b/core2/pkg/foundation/policies/restrict_downloads.yaml
new file mode 100644
index 0000000000..9cdf9fa15d
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_downloads.yaml
@@ -0,0 +1,15 @@
+name: "RestrictDownloads"
+title: "Restrict downloads"
+
+description: >
+  Controls whether users are allowed to download data from the portal 
+  to their local machine. Note that this policy may be ineffective if
+  the provider allows direct access to the data.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, downloads to the client machine are blocked. 
+      If disabled, downloads are allowed.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_integrated_applications.yaml b/core2/pkg/foundation/policies/restrict_integrated_applications.yaml
new file mode 100644
index 0000000000..7e6df2365f
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_integrated_applications.yaml
@@ -0,0 +1,25 @@
+name: "RestrictIntegratedApplications"
+title: "Restrict integrated applications (e.g. Syncthing and terminal)"
+
+description: >
+    Restricts applications from running which are registered by the provider.
+    This includes applications such as Syncthing and the terminal, which can
+    be opened from the file browser.
+
+configuration:
+    - name: "enabled"
+      type: Bool
+      title: "Enabled"
+      description: >
+        If this option is checked, then restrictions will apply and only
+        applications found on the allow-list can be run. If it is not
+        checked then all integrated applications can be run and the
+        allow-list is ignored.
+    - name: "allowList"
+      type: TextList
+      title: "Allow-list"
+      description: >
+        List of applications which are explicitly allowed.
+      options:
+        - "syncthing"
+        - "terminal"
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_internet_access.yaml b/core2/pkg/foundation/policies/restrict_internet_access.yaml
new file mode 100644
index 0000000000..44293a83f6
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_internet_access.yaml
@@ -0,0 +1,18 @@
+name: "RestrictInternetAccess"
+title: "Restrict Internet access"
+description: >
+  Limits outbound Internet connectivity from workloads belonging to the project.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, restriction of internet access will be activated and a limited predefined 
+      subnet range is enforced.
+  - name: "allowedSubnets"
+    type: "Subnet"
+    title: "Allowed subnets"
+    description: >
+      Only the specified destination subnets are reachable. An empty list means 
+      no Internet access is allowed.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_organizations_members.yaml b/core2/pkg/foundation/policies/restrict_organizations_members.yaml
new file mode 100644
index 0000000000..fd52477be1
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_organizations_members.yaml
@@ -0,0 +1,18 @@
+name: "RestrictOrganizationMembers"
+title: "Restrict members to organization"
+
+description: >
+  Ensures that all project members belong to the same organization. This does not remove existing project members that
+  are not a part of the organization.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description:  >
+      If enabled, invitations to users outside the specified organization are rejected.
+  - name: "organizations"
+    type: "TextList"
+    title: "Organizations"
+    description: >
+      The list of organizations which are allowed in the project.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_provider_file_transfers.yaml b/core2/pkg/foundation/policies/restrict_provider_file_transfers.yaml
new file mode 100644
index 0000000000..937a9d98a9
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_provider_file_transfers.yaml
@@ -0,0 +1,21 @@
+name: "RestrictProviderTransfers"
+title: "Restrict file transfers between providers"
+
+description: >
+  Controls which providers may participate in data transfers for this project.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, users will only be able to transfer files between specific providers.
+      If disabled, users can move files between any provider they have access to.
+  - name: "allowedProviders"
+    type: "Providers"
+    title: "Allowed providers"
+    description: >
+      Only the listed providers may be used as source or destination for file 
+      transfers. This option does not guarantee that data transfer between 
+      selected providers is possible, that is, providers may overrule this 
+      with their own transfer policies.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_public_ips.yaml b/core2/pkg/foundation/policies/restrict_public_ips.yaml
new file mode 100644
index 0000000000..cc5343e535
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_public_ips.yaml
@@ -0,0 +1,12 @@
+name: "RestrictPublicIPs"
+title: "Restrict public IPs"
+description: >
+  Controls whether workloads in the project may be assigned public IP addresses.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, public IP creation and use is disabled. Existing public 
+      IPs are _not_ deleted.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_public_links.yaml b/core2/pkg/foundation/policies/restrict_public_links.yaml
new file mode 100644
index 0000000000..21bd890fbb
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_public_links.yaml
@@ -0,0 +1,12 @@
+name: "RestrictPublicLinks"
+title: "Restrict public links"
+description: >
+  Controls whether public (unauthenticated) links to project data are allowed.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, creation and use of public links is disabled. Existing 
+      public links are _not_ deleted.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_source_ip_range.yaml b/core2/pkg/foundation/policies/restrict_source_ip_range.yaml
new file mode 100644
index 0000000000..d798aa5e40
--- /dev/null
+++ b/core2/pkg/foundation/policies/restrict_source_ip_range.yaml
@@ -0,0 +1,20 @@
+name: "RestrictSourceIPRange"
+title: "Restrict client source IP range"
+
+description: >
+  Limits which client IP ranges are allowed to access the project.
+
+configuration:
+  - name: "enabled"
+    type: "Bool"
+    title: "Enabled"
+    description: >
+      If enabled, users will only be able to access the project from specified subnets.
+      If disabled, users can access the project from any IP in the world.
+
+  - name: "allowedClientSubnets"
+    type: "Subnet"
+    title: "Allowed client subnets"
+    description: >
+      Only clients originating from these subnets are permitted. An empty 
+      list blocks all external access.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policy_templates.go b/core2/pkg/foundation/policy_templates.go
new file mode 100644
index 0000000000..984dce4445
--- /dev/null
+++ b/core2/pkg/foundation/policy_templates.go
@@ -0,0 +1,78 @@
+package foundation
+
+import _ "embed"
+
+// Generated by mailtpl/generate.sh. Please run the script from the mailtpl folder.
+
+//go:embed policies/restrict_applications.yaml
+var restrictApplications []byte
+
+//go:embed policies/restrict_cut_and_paste.yaml
+var restrictCutAndPast []byte
+
+//go:embed policies/restrict_downloads.yaml
+var restrictDownloads []byte
+
+//go:embed policies/restrict_integrated_applications.yaml
+var restrictIntegratedApplications []byte
+
+//go:embed policies/restrict_internet_access.yaml
+var restrictInternetAccess []byte
+
+//go:embed policies/restrict_organizations_members.yaml
+var restrictOrganizationsMembers []byte
+
+//go:embed policies/restrict_provider_file_transfers.yaml
+var restrictProviderTransfers []byte
+
+//go:embed policies/restrict_public_ips.yaml
+var restrictPublicIPs []byte
+
+//go:embed policies/restrict_public_links.yaml
+var restrictPublicLinks []byte
+
+//go:embed policies/restrict_source_ip_range.yaml
+var restrictSourceIpRange []byte
+
+type LoadedPolicy struct {
+	PolicyName string
+	Bytes      []byte
+}
+
+func pullProjectPolicies() []LoadedPolicy {
+	policies := []LoadedPolicy{
+		{
+			PolicyName: "restrictApplications",
+			Bytes:      restrictApplications,
+		},
+		{
+			PolicyName: "restrictCutAndPast",
+			Bytes:      restrictCutAndPast,
+		}, {
+			PolicyName: "restrictDownloads",
+			Bytes:      restrictDownloads,
+		}, {
+			PolicyName: "restrictIntegratedApplications",
+			Bytes:      restrictIntegratedApplications,
+		}, {
+			PolicyName: "restrictInternetAccess",
+			Bytes:      restrictInternetAccess,
+		}, {
+			PolicyName: "restrictOrganizationsMembers",
+			Bytes:      restrictOrganizationsMembers,
+		}, {
+			PolicyName: "restrictProviderTransfers",
+			Bytes:      restrictProviderTransfers,
+		}, {
+			PolicyName: "restrictPublicIPs",
+			Bytes:      restrictPublicIPs,
+		}, {
+			PolicyName: "restrictPublicLinks",
+			Bytes:      restrictPublicLinks,
+		}, {
+			PolicyName: "restrictSourceIpRange",
+			Bytes:      restrictSourceIpRange,
+		},
+	}
+	return policies
+}
diff --git a/core2/pkg/migrations/00_module.go b/core2/pkg/migrations/00_module.go
index e8b768daaa..dfa4a44f6d 100644
--- a/core2/pkg/migrations/00_module.go
+++ b/core2/pkg/migrations/00_module.go
@@ -27,4 +27,5 @@ func Init() {
 	db.AddMigration(authV3())
 	db.AddMigration(grantV1())
 	db.AddMigration(projectsV4())
+	db.AddMigration(policiesV1())
 }
diff --git a/core2/pkg/migrations/policies.go b/core2/pkg/migrations/policies.go
new file mode 100644
index 0000000000..973f531e04
--- /dev/null
+++ b/core2/pkg/migrations/policies.go
@@ -0,0 +1,23 @@
+package migrations
+
+import db "ucloud.dk/shared/pkg/database"
+
+func policiesV1() db.MigrationScript {
+	return db.MigrationScript{
+		Id: "policiesV1",
+		Execute: func(tx *db.Transaction) {
+			db.Exec(
+				tx,
+				`
+					create table if not exists project.policies (
+					    policy_name text not null,
+					    policy_property jsonb not null,
+					    project_id text not null references project.projects(id) on delete cascade,
+					    primary key (project_id, policy_name)
+					)
+			    `,
+				db.Params{},
+			)
+		},
+	}
+}

From 56c7cbbe0b000b2425ef715c336dabae3e1a3366 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Wed, 11 Feb 2026 22:54:17 +0100
Subject: [PATCH 02/23] made caching

---
 core2/pkg/foundation/policies.go | 91 ++++++++++++++++++++++++++++----
 1 file changed, 80 insertions(+), 11 deletions(-)

diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index e103105756..068e195c4b 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -3,6 +3,7 @@ package foundation
 import (
 	"encoding/json"
 	"net/http"
+	"sync"
 
 	"gopkg.in/yaml.v3"
 	"ucloud.dk/shared/pkg/cfgutil"
@@ -13,12 +14,20 @@ import (
 	"ucloud.dk/shared/pkg/util"
 )
 
+var projectPolicies struct {
+	Mu                sync.RWMutex
+	PoliciesByProject map[string]*AssociatedPolicies
+}
+
+type AssociatedPolicies struct {
+	EnabledPolices map[string]fndapi.PolicySpecification
+}
+
 var policySchemas map[string]fndapi.PolicySchema
 
 func initPolicies() {
-	readPolicies()
-
-	loadPoliciesFromDB()
+	populatePolicySchemas()
+	loadProjectPoliciesFromDB()
 
 	fndapi.PoliciesRetrieve.Handler(func(info rpc.RequestInfo, request util.Empty) (map[string]fndapi.Policy, *util.HttpError) {
 		return retrievePolicies(info.Actor)
@@ -29,7 +38,7 @@ func initPolicies() {
 	})
 }
 
-func readPolicies() {
+func populatePolicySchemas() {
 	policies := pullProjectPolicies()
 	policySchemas = make(map[string]fndapi.PolicySchema, len(policies))
 	for _, policy := range policies {
@@ -52,11 +61,12 @@ func readPolicies() {
 	}
 }
 
-func loadPoliciesFromDB() {
+func loadProjectPoliciesFromDB() {
 	db.NewTx0(func(tx *db.Transaction) {
-		db.Select[struct {
-			ProjectID string
-			Policy    string
+		rows := db.Select[struct {
+			ProjectId      string
+			PolicyName     string
+			PolicyProperty string
 		}](
 			tx,
 			`
@@ -67,7 +77,23 @@ func loadPoliciesFromDB() {
 			db.Params{},
 		)
 
-		//TODO(chaching)
+		projectPolicies.Mu.Lock()
+
+		for _, row := range rows {
+			projectId := row.ProjectId
+			policies, ok := projectPolicies.PoliciesByProject[projectId]
+			if !ok {
+				policies = &AssociatedPolicies{EnabledPolices: map[string]fndapi.PolicySpecification{}}
+			}
+			specification := fndapi.PolicySpecification{}
+			err := json.Unmarshal([]byte(row.PolicyProperty), &specification)
+			if err != nil {
+				log.Fatal("Error loading policy document ", row.PolicyProperty, ": ", err)
+			}
+			policies.EnabledPolices[row.PolicyName] = specification
+		}
+
+		projectPolicies.Mu.Unlock()
 	})
 }
 
@@ -78,7 +104,24 @@ func retrievePolicies(actor rpc.Actor) (map[string]fndapi.Policy, *util.HttpErro
 	if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRoleAdmin) {
 		return nil, util.HttpErr(http.StatusForbidden, "Only PIs and Admins may list the policies")
 	}
-	return nil, nil
+
+	result := make(map[string]fndapi.Policy, len(policySchemas))
+
+	projectPolicies.Mu.RLock()
+	policies := projectPolicies.PoliciesByProject[string(actor.Project.Value)].EnabledPolices
+	projectPolicies.Mu.RUnlock()
+	for name, schema := range policySchemas {
+
+		specification, ok := policies[name]
+		if !ok {
+			specification = fndapi.PolicySpecification{}
+		}
+		result[name] = fndapi.Policy{
+			Schema:        schema,
+			Specification: specification,
+		}
+	}
+	return result, nil
 }
 
 type SimplePolicyProperty struct {
@@ -150,7 +193,33 @@ func updatePolicies(actor rpc.Actor, request fndapi.PoliciesUpdateRequest) (util
 		}
 		db.BatchSend(b)
 
-		//TODO( DO caching update)
+		//Updating cache
+		projectPolicies.Mu.Lock()
+		for _, specification := range request.UpdatedPolicies {
+			isEnabled := false
+			for _, property := range specification.Properties {
+				if property.Name == "enabled" {
+					isEnabled = property.Bool
+				}
+			}
+			projectId := string(specification.Project)
+			if !isEnabled {
+				policies, ok := projectPolicies.PoliciesByProject[projectId]
+				//If no policies are enabled for the project then just skip the deletion
+				if !ok {
+					continue
+				}
+				policies.EnabledPolices[specification.Schema] = fndapi.PolicySpecification{}
+			} else {
+				policies, ok := projectPolicies.PoliciesByProject[projectId]
+				if !ok {
+					policies = &AssociatedPolicies{EnabledPolices: map[string]fndapi.PolicySpecification{}}
+					projectPolicies.PoliciesByProject[projectId] = policies
+				}
+				policies.EnabledPolices[specification.Schema] = specification
+			}
+		}
+		projectPolicies.Mu.Unlock()
 	})
 
 	return util.Empty{}, nil

From 2e834125ebfbc29b261c2bbe5fa96049cb86517c Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Mon, 16 Feb 2026 10:21:54 +0100
Subject: [PATCH 03/23] finished provider notification

---
 .../pkg/accounting/provider_notifications.go  |  68 +++++++-
 core2/pkg/coreutil/00_module.go               |  30 ++++
 core2/pkg/foundation/policies.go              | 154 ++++++++++--------
 .../restrict_integrated_applications.yaml     |   2 +-
 core2/pkg/foundation/policy_templates.go      |   2 -
 core2/pkg/migrations/policies.go              |  28 +++-
 .../shared/pkg/foundation/policies.go         |   5 +-
 7 files changed, 200 insertions(+), 89 deletions(-)

diff --git a/core2/pkg/accounting/provider_notifications.go b/core2/pkg/accounting/provider_notifications.go
index 95858f20bc..6947bcbe75 100644
--- a/core2/pkg/accounting/provider_notifications.go
+++ b/core2/pkg/accounting/provider_notifications.go
@@ -23,9 +23,28 @@ import (
 var providerWalletNotifications = make(chan AccWalletId, 1024*1024)
 
 var providerNotifications struct {
-	Mu                        sync.Mutex
+	Mu sync.Mutex
+
+	// All of these follow providerId -> sessionId -> channel
+
 	ProjectChannelsByProvider map[string]map[string]chan *fndapi.Project
 	WalletsByProvider         map[string]map[string]chan *accapi.WalletV2
+	PoliciesByProvider        map[string]map[string]chan policiesForProject
+}
+
+type policiesForProject struct {
+	PoliciesByName map[string]*fndapi.PolicySpecification
+}
+
+func retrieveRelevantProviders(projectId string) map[string]util.Empty {
+	projectWallets := internalRetrieveWallets(time.Now(), projectId, walletFilter{RequireActive: true})
+	relevantProviders := map[string]util.Empty{}
+
+	for _, w := range projectWallets {
+		relevantProviders[w.PaysFor.Provider] = util.Empty{}
+	}
+
+	return relevantProviders
 }
 
 func initProviderNotifications() {
@@ -37,6 +56,7 @@ func initProviderNotifications() {
 		// operations. The payload is either the project or group ID which triggered the update.
 		projectUpdates := db.Listen(context.Background(), "project_updates")
 		groupUpdates := db.Listen(context.Background(), "project_group_updates")
+		policyUpdates := db.Listen(context.Background(), "policy_updates")
 
 		for {
 			var project fndapi.Project
@@ -45,6 +65,9 @@ func initProviderNotifications() {
 			var walletId AccWalletId
 			var walletOk bool
 
+			var policySpecifications map[string]*fndapi.PolicySpecification
+			var policiesOk bool
+
 			select {
 			case projectId := <-projectUpdates:
 				db.NewTx0(func(tx *db.Transaction) {
@@ -58,15 +81,14 @@ func initProviderNotifications() {
 
 			case walletId = <-providerWalletNotifications:
 				walletOk = true
+			case projectId := <-policyUpdates:
+				db.NewTx0(func(tx *db.Transaction) {
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
 			}
 
 			if projectOk {
-				projectWallets := internalRetrieveWallets(time.Now(), project.Id, walletFilter{RequireActive: true})
-				relevantProviders := map[string]util.Empty{}
-
-				for _, w := range projectWallets {
-					relevantProviders[w.PaysFor.Provider] = util.Empty{}
-				}
+				relevantProviders := retrieveRelevantProviders(project.Id)
 
 				var allChannels []chan *fndapi.Project
 
@@ -109,6 +131,29 @@ func initProviderNotifications() {
 						}
 					}
 				}
+			} else if policiesOk {
+				relevantProviders := retrieveRelevantProviders(project.Id)
+				var allChannels []chan policiesForProject
+
+				providerNotifications.Mu.Lock()
+
+				for provider := range relevantProviders {
+					channels, ok := providerNotifications.PoliciesByProvider[provider]
+					if ok {
+						for _, ch := range channels {
+							allChannels = append(allChannels, ch)
+						}
+					}
+				}
+
+				providerNotifications.Mu.Unlock()
+
+				for _, ch := range allChannels {
+					select {
+					case ch <- policiesForProject{policySpecifications}:
+					case <-time.After(200 * time.Millisecond):
+					}
+				}
 			}
 		}
 	}()
@@ -195,6 +240,7 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 	sessionId := util.RandomTokenNoTs(32)
 	projectUpdates := make(chan *fndapi.Project, 128)
 	walletUpdates := make(chan *accapi.WalletV2, 128)
+	providerUpdates := make(chan policiesForProject, 128)
 
 	{
 		providerNotifications.Mu.Lock()
@@ -213,6 +259,13 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 		}
 		pmap[sessionId] = projectUpdates
 
+		polmap, ok := providerNotifications.PoliciesByProvider[providerId]
+		if !ok {
+			polmap = map[string]chan policiesForProject{}
+			providerNotifications.PoliciesByProvider[providerId] = polmap
+		}
+		polmap[sessionId] = providerUpdates
+
 		providerNotifications.Mu.Unlock()
 	}
 
@@ -222,6 +275,7 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 		providerNotifications.Mu.Lock()
 		delete(providerNotifications.WalletsByProvider[providerId], sessionId)
 		delete(providerNotifications.ProjectChannelsByProvider[providerId], sessionId)
+		delete(providerNotifications.PoliciesByProvider[providerId], sessionId)
 		providerNotifications.Mu.Unlock()
 	}()
 
diff --git a/core2/pkg/coreutil/00_module.go b/core2/pkg/coreutil/00_module.go
index 8a1c03c986..570f711e48 100644
--- a/core2/pkg/coreutil/00_module.go
+++ b/core2/pkg/coreutil/00_module.go
@@ -168,6 +168,36 @@ func ProjectRetrieveFromDatabaseViaGroupId(tx *db.Transaction, groupId string) (
 	}
 }
 
+func PolicySpecificationsRetrieveFromDatabase(tx *db.Transaction, projectId string) (map[string]*fndapi.PolicySpecification, bool) {
+
+	rows := db.Select[struct {
+		ProjectId      string
+		PolicyName     string
+		PolicyProperty string
+	}](
+		tx,
+		`
+			select * 
+			from project.policies
+			where projet_id = :id
+		`,
+		db.Params{
+			"id": projectId,
+		},
+	)
+	var policies map[string]*fndapi.PolicySpecification
+	for _, row := range rows {
+		specification := fndapi.PolicySpecification{}
+		err := json.Unmarshal([]byte(row.PolicyProperty), &specification)
+		if err != nil {
+			log.Debug("Error unmarshalling policy properties on update")
+			return nil, false
+		}
+		policies[specification.Schema] = &specification
+	}
+	return policies, true
+}
+
 func ProjectsListUpdatedAfter(timestamp time.Time) []rpc.ProjectId {
 	return db.NewTx(func(tx *db.Transaction) []rpc.ProjectId {
 		rows := db.Select[struct{ Id string }](
diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index 068e195c4b..fa055bdbde 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"sync"
 
+	"golang.org/x/exp/maps"
 	"gopkg.in/yaml.v3"
 	"ucloud.dk/shared/pkg/cfgutil"
 	db "ucloud.dk/shared/pkg/database"
@@ -26,19 +27,19 @@ type AssociatedPolicies struct {
 var policySchemas map[string]fndapi.PolicySchema
 
 func initPolicies() {
-	populatePolicySchemas()
+	policyPopulateSchemaCache()
 	loadProjectPoliciesFromDB()
 
 	fndapi.PoliciesRetrieve.Handler(func(info rpc.RequestInfo, request util.Empty) (map[string]fndapi.Policy, *util.HttpError) {
-		return retrievePolicies(info.Actor)
+		return policiesRetrieve(info.Actor)
 	})
 
 	fndapi.PoliciesUpdate.Handler(func(info rpc.RequestInfo, request fndapi.PoliciesUpdateRequest) (util.Empty, *util.HttpError) {
-		return updatePolicies(info.Actor, request)
+		return policiesUpdate(info.Actor, request)
 	})
 }
 
-func populatePolicySchemas() {
+func policyPopulateSchemaCache() {
 	policies := pullProjectPolicies()
 	policySchemas = make(map[string]fndapi.PolicySchema, len(policies))
 	for _, policy := range policies {
@@ -64,13 +65,13 @@ func populatePolicySchemas() {
 func loadProjectPoliciesFromDB() {
 	db.NewTx0(func(tx *db.Transaction) {
 		rows := db.Select[struct {
-			ProjectId      string
-			PolicyName     string
-			PolicyProperty string
+			ProjectId        string
+			PolicyName       string
+			PolicyProperties string
 		}](
 			tx,
 			`
-				select * 
+				select project_id, policy_name, policy_properties
 				from project.policies
 				order by project_id
 		    `,
@@ -86,9 +87,9 @@ func loadProjectPoliciesFromDB() {
 				policies = &AssociatedPolicies{EnabledPolices: map[string]fndapi.PolicySpecification{}}
 			}
 			specification := fndapi.PolicySpecification{}
-			err := json.Unmarshal([]byte(row.PolicyProperty), &specification)
+			err := json.Unmarshal([]byte(row.PolicyProperties), &specification)
 			if err != nil {
-				log.Fatal("Error loading policy document ", row.PolicyProperty, ": ", err)
+				log.Fatal("Error loading policy document %v : %v", row.PolicyProperties, err)
 			}
 			policies.EnabledPolices[row.PolicyName] = specification
 		}
@@ -97,7 +98,7 @@ func loadProjectPoliciesFromDB() {
 	})
 }
 
-func retrievePolicies(actor rpc.Actor) (map[string]fndapi.Policy, *util.HttpError) {
+func policiesRetrieve(actor rpc.Actor) (map[string]fndapi.Policy, *util.HttpError) {
 	if !actor.Project.Present {
 		return nil, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
 	}
@@ -108,7 +109,7 @@ func retrievePolicies(actor rpc.Actor) (map[string]fndapi.Policy, *util.HttpErro
 	result := make(map[string]fndapi.Policy, len(policySchemas))
 
 	projectPolicies.Mu.RLock()
-	policies := projectPolicies.PoliciesByProject[string(actor.Project.Value)].EnabledPolices
+	policies := maps.Clone(projectPolicies.PoliciesByProject[string(actor.Project.Value)].EnabledPolices)
 	projectPolicies.Mu.RUnlock()
 	for name, schema := range policySchemas {
 
@@ -129,7 +130,7 @@ type SimplePolicyProperty struct {
 	PropertyValue any                       `yaml:"property_value"`
 }
 
-func updatePolicies(actor rpc.Actor, request fndapi.PoliciesUpdateRequest) (util.Empty, *util.HttpError) {
+func policiesUpdate(actor rpc.Actor, request fndapi.PoliciesUpdateRequest) (util.Empty, *util.HttpError) {
 	if !actor.Project.Present {
 		return util.Empty{}, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
 	}
@@ -137,86 +138,95 @@ func updatePolicies(actor rpc.Actor, request fndapi.PoliciesUpdateRequest) (util
 		return util.Empty{}, util.HttpErr(http.StatusForbidden, "Only PIs may update the policies")
 	}
 
+	filteredUpdates := map[string]map[string]fndapi.PolicySpecification{}
+	for _, specification := range request.UpdatedPolicies {
+		projectId := string(specification.Project)
+		filteredUpdates[projectId][specification.Schema] = specification
+	}
+
 	db.NewTx0(func(tx *db.Transaction) {
 		b := db.BatchNew(tx)
-		for _, specification := range request.UpdatedPolicies {
-			_, ok := policySchemas[specification.Schema]
-			//When trying to update a schema that does not exist, we just skip it
-			if !ok {
-				log.Debug("Unknown Schema ", specification.Schema)
-				continue
-			}
-			projectId := specification.Project
+		for projectId, updates := range filteredUpdates {
+			for _, specification := range updates {
+				_, ok := policySchemas[specification.Schema]
+				//When trying to update a schema that does not exist, we just skip it
+				if !ok {
+					log.Debug("Unknown Schema ", specification.Schema)
+					continue
+				}
 
-			isEnabled := false
-			for _, property := range specification.Properties {
-				if property.Name == "enabled" {
-					isEnabled = property.Bool
+				isEnabled := false
+				for _, property := range specification.Properties {
+					if property.Name == "enabled" {
+						isEnabled = property.Bool
+					}
 				}
-			}
 
-			//If the policy is not enabled we need to delete it form the DB.
-			//Else we need to insert or update already existing project policy
-			if !isEnabled {
-				db.BatchExec(
-					b,
-					`
+				//If the policy is not enabled we need to delete it form the DB.
+				//Else we need to insert or update already existing project policy
+				if !isEnabled {
+					db.BatchExec(
+						b,
+						`
 						delete from project.policies 
 					    where project_id = :project_id and policy_name = :policy_name
 				    `,
-					db.Params{
-						"project_id":  projectId,
-						"policy_name": specification.Schema,
-					},
-				)
-			} else {
-				properties, err := json.Marshal(specification.Properties)
-				if err != nil {
-					log.Debug("Error marshalling policy document ", specification.Schema, " ", specification.Properties)
-					continue
-				}
-				db.BatchExec(
-					b,
-					`
+						db.Params{
+							"project_id":  projectId,
+							"policy_name": specification.Schema,
+						},
+					)
+				} else {
+					properties, err := json.Marshal(specification.Properties)
+					if err != nil {
+						log.Debug("Error marshalling policy document ", specification.Schema, " ", specification.Properties)
+						continue
+					}
+					db.BatchExec(
+						b,
+						`
 					insert into project.policies (policy_name, policy_property, project_id)
 					values (:policy_name, :policy_properties, :project_id)
 					on conflict (policy_name, project_id) do 
 						update set policy_property = excluded.policy_property,
 			    `,
-					db.Params{
-						"policy_name":       specification.Schema,
-						"policy_properties": properties,
-						"project_id":        projectId,
-					},
-				)
+						db.Params{
+							"policy_name":       specification.Schema,
+							"policy_properties": properties,
+							"project_id":        projectId,
+						},
+					)
+				}
 			}
 		}
 		db.BatchSend(b)
 
 		//Updating cache
 		projectPolicies.Mu.Lock()
-		for _, specification := range request.UpdatedPolicies {
-			isEnabled := false
-			for _, property := range specification.Properties {
-				if property.Name == "enabled" {
-					isEnabled = property.Bool
-				}
-			}
-			projectId := string(specification.Project)
-			if !isEnabled {
-				policies, ok := projectPolicies.PoliciesByProject[projectId]
-				//If no policies are enabled for the project then just skip the deletion
-				if !ok {
-					continue
+		for _, updates := range filteredUpdates {
+			for _, specification := range updates {
+				isEnabled := false
+				for _, property := range specification.Properties {
+					if property.Name == "enabled" {
+						isEnabled = property.Bool
+					}
 				}
-				policies.EnabledPolices[specification.Schema] = fndapi.PolicySpecification{}
-			} else {
-				policies, ok := projectPolicies.PoliciesByProject[projectId]
-				if !ok {
-					policies = &AssociatedPolicies{EnabledPolices: map[string]fndapi.PolicySpecification{}}
-					projectPolicies.PoliciesByProject[projectId] = policies
+				projectId := string(specification.Project)
+				if !isEnabled {
+					policies, ok := projectPolicies.PoliciesByProject[projectId]
+					//If no policies are enabled for the project then just skip the deletion
+					if !ok {
+						continue
+					}
+					policies.EnabledPolices[specification.Schema] = fndapi.PolicySpecification{}
+				} else {
+					policies, ok := projectPolicies.PoliciesByProject[projectId]
+					if !ok {
+						policies = &AssociatedPolicies{EnabledPolices: map[string]fndapi.PolicySpecification{}}
+						projectPolicies.PoliciesByProject[projectId] = policies
+					}
+					policies.EnabledPolices[specification.Schema] = specification
 				}
-				policies.EnabledPolices[specification.Schema] = specification
 			}
 		}
 		projectPolicies.Mu.Unlock()
diff --git a/core2/pkg/foundation/policies/restrict_integrated_applications.yaml b/core2/pkg/foundation/policies/restrict_integrated_applications.yaml
index 7e6df2365f..be27ea2512 100644
--- a/core2/pkg/foundation/policies/restrict_integrated_applications.yaml
+++ b/core2/pkg/foundation/policies/restrict_integrated_applications.yaml
@@ -16,7 +16,7 @@ configuration:
         checked then all integrated applications can be run and the
         allow-list is ignored.
     - name: "allowList"
-      type: TextList
+      type: EnumSet
       title: "Allow-list"
       description: >
         List of applications which are explicitly allowed.
diff --git a/core2/pkg/foundation/policy_templates.go b/core2/pkg/foundation/policy_templates.go
index 984dce4445..277e9365ed 100644
--- a/core2/pkg/foundation/policy_templates.go
+++ b/core2/pkg/foundation/policy_templates.go
@@ -2,8 +2,6 @@ package foundation
 
 import _ "embed"
 
-// Generated by mailtpl/generate.sh. Please run the script from the mailtpl folder.
-
 //go:embed policies/restrict_applications.yaml
 var restrictApplications []byte
 
diff --git a/core2/pkg/migrations/policies.go b/core2/pkg/migrations/policies.go
index 973f531e04..59c05f1a9d 100644
--- a/core2/pkg/migrations/policies.go
+++ b/core2/pkg/migrations/policies.go
@@ -6,18 +6,36 @@ func policiesV1() db.MigrationScript {
 	return db.MigrationScript{
 		Id: "policiesV1",
 		Execute: func(tx *db.Transaction) {
-			db.Exec(
-				tx,
+			statements := []string{
 				`
 					create table if not exists project.policies (
 					    policy_name text not null,
-					    policy_property jsonb not null,
+					    policy_properties jsonb not null,
 					    project_id text not null references project.projects(id) on delete cascade,
 					    primary key (project_id, policy_name)
 					)
 			    `,
-				db.Params{},
-			)
+				`
+					create or replace function project.notify_policy_change()
+					returns trigger as $$
+					begin
+						perform pg_notify('policy_updates', new.project_id::text);
+						return new;
+					end;
+					$$ language plpgsql;
+				`,
+				`
+					create trigger policy_update_trigger
+					after insert or update or delete
+					on project.policies
+					for each row
+					execute function project.notify_policy_change();
+				`,
+			}
+
+			for _, statement := range statements {
+				db.Exec(tx, statement, db.Params{})
+			}
 		},
 	}
 }
diff --git a/provider-integration/shared/pkg/foundation/policies.go b/provider-integration/shared/pkg/foundation/policies.go
index 2555f18495..f0a9d8a2f6 100644
--- a/provider-integration/shared/pkg/foundation/policies.go
+++ b/provider-integration/shared/pkg/foundation/policies.go
@@ -23,7 +23,7 @@ type PolicyProperty struct {
 	Title       string `json:"title"`
 	Description string `json:"description"`
 
-	Options []string `json:"options,omitempty"` // Enum
+	Options []string `json:"options,omitempty"` // Enum, EnumSet
 }
 
 type PolicyPropertyType string
@@ -37,6 +37,7 @@ const (
 	PolicyPropertyProviders PolicyPropertyType = "Providers"
 	PolicyPropertyBool      PolicyPropertyType = "Bool"
 	PolicyPropertyTextList  PolicyPropertyType = "TextList"
+	PolicyPropertyEnumSet   PolicyPropertyType = "EnumSet"
 )
 
 type PolicySpecification struct {
@@ -54,7 +55,7 @@ type PolicyPropertyValue struct {
 	Int          int      `json:"int,omitempty"`          // Int
 	Float        float64  `json:"float,omitempty"`        // Float
 	Bool         bool     `json:"bool,omitempty"`         // Bool
-	TextElements []string `json:"textElements,omitempty"` // TextList
+	TextElements []string `json:"textElements,omitempty"` // TextList, EnumSet
 }
 
 type Policy struct {

From 6c01d89d3cdf0d423c0b53231ec5d77ad053ffd9 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Mon, 16 Feb 2026 11:01:05 +0100
Subject: [PATCH 04/23] added policy cache for accountiong and orchestrator

---
 core2/pkg/accounting/policy_cache.go          | 44 ++++++++++++
 .../pkg/accounting/provider_notifications.go  |  3 +
 core2/pkg/orchestrator/00_module.go           |  3 +
 core2/pkg/orchestrator/policy_cache.go        | 67 +++++++++++++++++++
 4 files changed, 117 insertions(+)
 create mode 100644 core2/pkg/accounting/policy_cache.go
 create mode 100644 core2/pkg/orchestrator/policy_cache.go

diff --git a/core2/pkg/accounting/policy_cache.go b/core2/pkg/accounting/policy_cache.go
new file mode 100644
index 0000000000..3653e23b83
--- /dev/null
+++ b/core2/pkg/accounting/policy_cache.go
@@ -0,0 +1,44 @@
+package accounting
+
+import (
+	"sync"
+
+	"ucloud.dk/core/pkg/coreutil"
+	db "ucloud.dk/shared/pkg/database"
+	fndapi "ucloud.dk/shared/pkg/foundation"
+	"ucloud.dk/shared/pkg/log"
+)
+
+// policyCache is a mapping of projectId -> map[schemaName] -> PolicySpecification
+var policyCache struct {
+	Mu                sync.RWMutex
+	PoliciesByProject map[string]map[string]*fndapi.PolicySpecification
+}
+
+// policiesByProject returns mapping of [schema Name] => PolicySpecification. If no policy is cached for the project it
+// will attempt to retrieve it from DB. This is also how it is populated.
+func policiesByProject(projectId string) map[string]*fndapi.PolicySpecification {
+	projectPolicies := map[string]*fndapi.PolicySpecification{}
+	policyCache.Mu.Lock()
+	projectPolicies, ok := policyCache.PoliciesByProject[projectId]
+	if !ok {
+		log.Debug("No policies for project %v", projectId)
+		db.NewTx0(func(tx *db.Transaction) {
+			policySpecifications, policiesOk := coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+			if policiesOk {
+				policyCache.PoliciesByProject[projectId] = policySpecifications
+			} else {
+				log.Debug("No policies for project %v found in DB", projectId)
+			}
+		})
+	}
+	policyCache.Mu.Unlock()
+
+	return projectPolicies
+}
+
+func updatePolicyCacheForProject(projectId string, policySpecifications map[string]*fndapi.PolicySpecification) {
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject[projectId] = policySpecifications
+	policyCache.Mu.Unlock()
+}
diff --git a/core2/pkg/accounting/provider_notifications.go b/core2/pkg/accounting/provider_notifications.go
index 99daac2fc6..f1ca35b4cf 100644
--- a/core2/pkg/accounting/provider_notifications.go
+++ b/core2/pkg/accounting/provider_notifications.go
@@ -81,6 +81,7 @@ func initProviderNotifications() {
 
 			case walletId = <-providerWalletNotifications:
 				walletOk = true
+
 			case projectId := <-policyUpdates:
 				db.NewTx0(func(tx *db.Transaction) {
 					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
@@ -148,6 +149,8 @@ func initProviderNotifications() {
 
 				providerNotifications.Mu.Unlock()
 
+				updatePolicyCacheForProject(project.Id, policySpecifications)
+
 				for _, ch := range allChannels {
 					select {
 					case ch <- policiesForProject{policySpecifications}:
diff --git a/core2/pkg/orchestrator/00_module.go b/core2/pkg/orchestrator/00_module.go
index 6061347f36..03e9e4ae24 100644
--- a/core2/pkg/orchestrator/00_module.go
+++ b/core2/pkg/orchestrator/00_module.go
@@ -35,6 +35,9 @@ func Init() {
 	initApiTokens()
 	times["ApiTokens"] = t.Mark()
 
+	initPolicySubscriptions()
+	times["PolicySubscriptions"] = t.Mark()
+
 	// Storage
 	//==================================================================================================================
 
diff --git a/core2/pkg/orchestrator/policy_cache.go b/core2/pkg/orchestrator/policy_cache.go
new file mode 100644
index 0000000000..e3680a48e1
--- /dev/null
+++ b/core2/pkg/orchestrator/policy_cache.go
@@ -0,0 +1,67 @@
+package orchestrator
+
+import (
+	"context"
+	"sync"
+
+	"ucloud.dk/core/pkg/coreutil"
+	db "ucloud.dk/shared/pkg/database"
+	fndapi "ucloud.dk/shared/pkg/foundation"
+	"ucloud.dk/shared/pkg/log"
+)
+
+// policyCache is a mapping of projectId -> map[schemaName] -> PolicySpecification
+var policyCache struct {
+	Mu                sync.RWMutex
+	PoliciesByProject map[string]map[string]*fndapi.PolicySpecification
+}
+
+func initPolicySubscriptions() {
+	go func() {
+		policyUpdates := db.Listen(context.Background(), "policy_updates")
+
+		var policySpecifications map[string]*fndapi.PolicySpecification
+		var policiesOk bool
+
+		for {
+			projectId := <-policyUpdates
+
+			db.NewTx0(func(tx *db.Transaction) {
+				policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+			})
+
+			if policiesOk {
+				updatePolicyCacheForProject(projectId, policySpecifications)
+			}
+		}
+
+	}()
+}
+
+// policiesByProject returns mapping of [schema Name] => PolicySpecification. If no policy is cached for the project it
+// will attempt to retrieve it from DB. This is also how it is populated.
+func policiesByProject(projectId string) map[string]*fndapi.PolicySpecification {
+	projectPolicies := map[string]*fndapi.PolicySpecification{}
+	policyCache.Mu.Lock()
+	projectPolicies, ok := policyCache.PoliciesByProject[projectId]
+	if !ok {
+		log.Debug("No policies for project %v", projectId)
+		db.NewTx0(func(tx *db.Transaction) {
+			policySpecifications, policiesOk := coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+			if policiesOk {
+				policyCache.PoliciesByProject[projectId] = policySpecifications
+			} else {
+				log.Debug("No policies for project %v found in DB", projectId)
+			}
+		})
+	}
+	policyCache.Mu.Unlock()
+
+	return projectPolicies
+}
+
+func updatePolicyCacheForProject(projectId string, policySpecifications map[string]*fndapi.PolicySpecification) {
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject[projectId] = policySpecifications
+	policyCache.Mu.Unlock()
+}

From 369ae1e1207848a602ebcd387898624c24e21942 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Mon, 16 Feb 2026 12:38:56 +0100
Subject: [PATCH 05/23] Added restriction names to api and restricted
 Downloads. Fixes #5310

---
 core2/pkg/orchestrator/files.go               |  7 +++++++
 .../shared/pkg/foundation/policies.go         | 20 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/core2/pkg/orchestrator/files.go b/core2/pkg/orchestrator/files.go
index dc3d3ebb36..6cc9a27c03 100644
--- a/core2/pkg/orchestrator/files.go
+++ b/core2/pkg/orchestrator/files.go
@@ -380,6 +380,13 @@ func FilesCreateDownload(
 	actor rpc.Actor,
 	request fndapi.BulkRequest[fndapi.FindByStringId],
 ) (fndapi.BulkResponse[orcapi.FilesCreateDownloadResponse], *util.HttpError) {
+	if actor.Project.Present {
+		_, isRestricted := policiesByProject(string(actor.Project.Value))[fndapi.RestrictDownloads.String()]
+		if isRestricted {
+			return fndapi.BulkResponse[orcapi.FilesCreateDownloadResponse]{}, util.HttpErr(http.StatusForbidden, "This project does not allow downloads")
+		}
+	}
+
 	var result fndapi.BulkResponse[orcapi.FilesCreateDownloadResponse]
 	var paths []string
 	for _, reqItem := range request.Items {
diff --git a/provider-integration/shared/pkg/foundation/policies.go b/provider-integration/shared/pkg/foundation/policies.go
index f0a9d8a2f6..cfd2ea97ac 100644
--- a/provider-integration/shared/pkg/foundation/policies.go
+++ b/provider-integration/shared/pkg/foundation/policies.go
@@ -40,6 +40,26 @@ const (
 	PolicyPropertyEnumSet   PolicyPropertyType = "EnumSet"
 )
 
+// Policy "Name"s. Remember to edit here when adding or editing policies
+type PoliciesType string
+
+const (
+	RestrictApplications           PoliciesType = "RestrictApplications"
+	CutAndPaste                    PoliciesType = "CutAndPaste"
+	RestrictDownloads              PoliciesType = "RestrictDownloads"
+	RestrictIntegratedApplications PoliciesType = "RestrictIntegratedApplications"
+	RestrictInternetAccess         PoliciesType = "RestrictInternetAccess"
+	RestrictOrganizationMembers    PoliciesType = "RestrictOrganizationMembers"
+	RestrictProviderTransfers      PoliciesType = "RestrictProviderTransfers"
+	RestrictPublicIPs              PoliciesType = "RestrictPublicIPs"
+	RestrictPublicLinks            PoliciesType = "RestrictPublicLinks"
+	RestrictSourceIPRange          PoliciesType = "RestrictSourceIPRange"
+)
+
+func (t PoliciesType) String() string {
+	return string(t)
+}
+
 type PolicySpecification struct {
 	Schema     string                `json:"schema"`
 	Project    rpc.ProjectId         `json:"project"`

From 8cc7b3fcd59cd363ae7b320d52532630b47df2b7 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Wed, 18 Feb 2026 13:46:56 +0100
Subject: [PATCH 06/23] clear up failing entiries and added check for files and
 publicLins

---
 .../pkg/accounting/provider_notifications.go  |   5 +
 core2/pkg/coreutil/00_module.go               |  22 ++--
 core2/pkg/foundation/policies.go              |  10 +-
 core2/pkg/orchestrator/ingress.go             |   6 +
 core2/pkg/orchestrator/policy_cache.go        |   6 +
 .../webclient/app/UCloud/FilesApi.tsx         | 108 ++++++++++++------
 6 files changed, 110 insertions(+), 47 deletions(-)

diff --git a/core2/pkg/accounting/provider_notifications.go b/core2/pkg/accounting/provider_notifications.go
index f1ca35b4cf..303a27ca62 100644
--- a/core2/pkg/accounting/provider_notifications.go
+++ b/core2/pkg/accounting/provider_notifications.go
@@ -50,6 +50,11 @@ func retrieveRelevantProviders(projectId string) map[string]util.Empty {
 func initProviderNotifications() {
 	providerNotifications.ProjectChannelsByProvider = map[string]map[string]chan *fndapi.Project{}
 	providerNotifications.WalletsByProvider = map[string]map[string]chan *accapi.WalletV2{}
+	providerNotifications.PoliciesByProvider = map[string]map[string]chan policiesForProject{}
+
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject = make(map[string]map[string]*fndapi.PolicySpecification)
+	policyCache.Mu.Unlock()
 
 	go func() {
 		// NOTE(Dan): These two channels receive events from database triggers set on the relevant insert/update/delete
diff --git a/core2/pkg/coreutil/00_module.go b/core2/pkg/coreutil/00_module.go
index 570f711e48..742edc122e 100644
--- a/core2/pkg/coreutil/00_module.go
+++ b/core2/pkg/coreutil/00_module.go
@@ -171,28 +171,34 @@ func ProjectRetrieveFromDatabaseViaGroupId(tx *db.Transaction, groupId string) (
 func PolicySpecificationsRetrieveFromDatabase(tx *db.Transaction, projectId string) (map[string]*fndapi.PolicySpecification, bool) {
 
 	rows := db.Select[struct {
-		ProjectId      string
-		PolicyName     string
-		PolicyProperty string
+		ProjectId        string
+		PolicyName       string
+		PolicyProperties string
 	}](
 		tx,
 		`
-			select * 
+			select project_id, policy_name, policy_properties 
 			from project.policies
-			where projet_id = :id
+			where project_id = :id
 		`,
 		db.Params{
 			"id": projectId,
 		},
 	)
-	var policies map[string]*fndapi.PolicySpecification
+	var policies = make(map[string]*fndapi.PolicySpecification)
 	for _, row := range rows {
-		specification := fndapi.PolicySpecification{}
-		err := json.Unmarshal([]byte(row.PolicyProperty), &specification)
+		properties := []fndapi.PolicyPropertyValue{}
+		err := json.Unmarshal([]byte(row.PolicyProperties), &properties)
 		if err != nil {
 			log.Debug("Error unmarshalling policy properties on update")
 			return nil, false
 		}
+		specification := fndapi.PolicySpecification{
+			Schema:     row.PolicyName,
+			Project:    rpc.ProjectId(row.ProjectId),
+			Properties: properties,
+		}
+
 		policies[specification.Schema] = &specification
 	}
 	return policies, true
diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index fa055bdbde..fad6099a70 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -86,11 +86,17 @@ func loadProjectPoliciesFromDB() {
 			if !ok {
 				policies = &AssociatedPolicies{EnabledPolices: map[string]fndapi.PolicySpecification{}}
 			}
-			specification := fndapi.PolicySpecification{}
-			err := json.Unmarshal([]byte(row.PolicyProperties), &specification)
+			properties := []fndapi.PolicyPropertyValue{}
+			err := json.Unmarshal([]byte(row.PolicyProperties), &properties)
 			if err != nil {
 				log.Fatal("Error loading policy document %v : %v", row.PolicyProperties, err)
 			}
+			specification := fndapi.PolicySpecification{
+				Schema:     row.PolicyName,
+				Project:    rpc.ProjectId(projectId),
+				Properties: properties,
+			}
+
 			policies.EnabledPolices[row.PolicyName] = specification
 		}
 
diff --git a/core2/pkg/orchestrator/ingress.go b/core2/pkg/orchestrator/ingress.go
index 41e411094a..8d4787a117 100644
--- a/core2/pkg/orchestrator/ingress.go
+++ b/core2/pkg/orchestrator/ingress.go
@@ -79,6 +79,12 @@ func initIngresses() {
 	hostnamePartRegex := regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)
 
 	orcapi.IngressesCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.IngressSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if info.Actor.Project.Present {
+			_, restricted := policiesByProject(string(info.Actor.Project.Value))[fndapi.RestrictPublicLinks.String()]
+			if restricted {
+				return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Project does not allow creation of public links")
+			}
+		}
 		var result []fndapi.FindByStringId
 		for _, item := range request.Items {
 			supp, ok := SupportByProduct[orcapi.IngressSupport](ingressType, item.Product)
diff --git a/core2/pkg/orchestrator/policy_cache.go b/core2/pkg/orchestrator/policy_cache.go
index e3680a48e1..dc45f80ceb 100644
--- a/core2/pkg/orchestrator/policy_cache.go
+++ b/core2/pkg/orchestrator/policy_cache.go
@@ -17,6 +17,11 @@ var policyCache struct {
 }
 
 func initPolicySubscriptions() {
+
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject = make(map[string]map[string]*fndapi.PolicySpecification)
+	policyCache.Mu.Unlock()
+
 	go func() {
 		policyUpdates := db.Listen(context.Background(), "policy_updates")
 
@@ -50,6 +55,7 @@ func policiesByProject(projectId string) map[string]*fndapi.PolicySpecification
 			policySpecifications, policiesOk := coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
 			if policiesOk {
 				policyCache.PoliciesByProject[projectId] = policySpecifications
+				projectPolicies = policySpecifications
 			} else {
 				log.Debug("No policies for project %v found in DB", projectId)
 			}
diff --git a/frontend-web/webclient/app/UCloud/FilesApi.tsx b/frontend-web/webclient/app/UCloud/FilesApi.tsx
index 2015c12bb2..1469fdf50b 100644
--- a/frontend-web/webclient/app/UCloud/FilesApi.tsx
+++ b/frontend-web/webclient/app/UCloud/FilesApi.tsx
@@ -9,7 +9,21 @@ import {
 } from "@/UCloud/ResourceApi";
 import {BulkRequest, BulkResponse, PageV2} from "@/UCloud/index";
 import FileCollectionsApi, {FileCollection, FileCollectionSupport} from "@/UCloud/FileCollectionsApi";
-import {Box, Button, Card, ExternalLink, Flex, FtIcon, Icon, MainContainer, Markdown, Select, Text, TextArea, Truncate} from "@/ui-components";
+import {
+    Box,
+    Button,
+    Card,
+    ExternalLink,
+    Flex,
+    FtIcon,
+    Icon,
+    MainContainer,
+    Markdown,
+    Select,
+    Text,
+    TextArea,
+    Truncate
+} from "@/ui-components";
 import * as React from "react";
 import {useCallback, useEffect, useMemo, useState} from "react";
 import {fileName, getParentPath, readableUnixMode, sizeToString} from "@/Utilities/FileUtilities";
@@ -20,7 +34,7 @@ import {
     errorMessageOrDefault,
     extensionFromPath,
     ExtensionType,
-    extensionType,
+    extensionType, extractErrorMessage,
     inDevEnvironment,
     onDevSite,
     prettierString,
@@ -32,7 +46,7 @@ import * as Heading from "@/ui-components/Heading";
 import {Operation, ShortcutKey} from "@/ui-components/Operation";
 import {dialogStore} from "@/Dialog/DialogStore";
 import {ItemRenderer} from "@/ui-components/Browse";
-import {PrettyFilePath, prettyFilePath, usePrettyFilePath} from "@/Files/FilePath";
+import {prettyFilePath, usePrettyFilePath} from "@/Files/FilePath";
 import {OpenWithBrowser} from "@/Applications/OpenWith";
 import {addStandardDialog, addStandardInputDialog} from "@/UtilityComponents";
 import {ProductStorage} from "@/Accounting";
@@ -201,8 +215,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
 
     public idIsUriEncoded = true;
 
-    renderer: ItemRenderer<UFile, ResourceBrowseCallbacks<UFile> & ExtraFileCallbacks> = {
-    };
+    renderer: ItemRenderer<UFile, ResourceBrowseCallbacks<UFile> & ExtraFileCallbacks> = {};
 
     private defaultRetrieveFlags: Partial<UFileIncludeFlags> = {
         includeMetadata: true,
@@ -213,7 +226,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
     };
 
     public Properties = () => {
-        const {id} = useParams<{id?: string}>();
+        const {id} = useParams<{ id?: string }>();
 
         const [fileData, fetchFile] = useCloudAPI<UFile | null>({noop: true}, null);
 
@@ -230,10 +243,11 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
 
         const file = fileData.data;
 
-        if (!id) return <MainContainer main={<h1>Missing file id.</h1>} />;
-        if (!file) return <MainContainer main={<h1><Link to={AppRoutes.files.drives()}>File not found. Click to go to drives.</Link></h1>} />;
+        if (!id) return <MainContainer main={<h1>Missing file id.</h1>}/>;
+        if (!file) return <MainContainer
+            main={<h1><Link to={AppRoutes.files.drives()}>File not found. Click to go to drives.</Link></h1>}/>;
 
-        return <FilePreview initialFile={file} />
+        return <FilePreview initialFile={file}/>
     }
 
     public retrieveOperations(): Operation<UFile, ResourceBrowseCallbacks<UFile> & ExtraFileCallbacks>[] {
@@ -318,7 +332,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
                 enabled: (selected, cb) => selected.length === 1 && cb.collection != null,
                 onClick: (selected) => {
                     dialogStore.addDialog(
-                        <OpenWithBrowser opts={{isModal: true}} file={selected[0]} />,
+                        <OpenWithBrowser opts={{isModal: true}} file={selected[0]}/>,
                         doNothing,
                         true,
                         this.fileSelectorModalStyle,
@@ -403,7 +417,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
                                             res.specification.product.provider !== selected[0].specification.product.provider ||
                                             res.specification.product.provider === "go-slurm" ||
                                             res.specification.product.provider === "goslurm1" ||
-                                            res.specification.product.provider === "gok8s"  ||
+                                            res.specification.product.provider === "gok8s" ||
                                             res.specification.product.provider === "k8s"
                                         );
                                 },
@@ -428,7 +442,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
                                 }
                             },
                             initialPath: pathRef.current,
-                        }} />,
+                        }}/>,
                         doNothing,
                         true,
                         this.fileSelectorModalStyle
@@ -739,7 +753,10 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
             this.createDownload(bulkRequestOf(
                 ...ids.map(id => ({id})),
             ))
-        );
+        ).catch(err => {
+            snackbarStore.addFailure(extractErrorMessage(err), false);
+        });
+        ;
 
         const responses = result?.responses ?? [];
         for (const {endpoint} of responses) {
@@ -783,7 +800,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
                     filterProvider: provider
                 },
                 initialPath: pathRef.current,
-            }} />,
+            }}/>,
             doNothing,
             true,
             this.fileSelectorModalStyle
@@ -823,7 +840,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
                 },
                 initialPath: pathRef.current,
                 additionalFilters: {filterProvider: provider}
-            }} />,
+            }}/>,
             doNothing,
             true,
             this.fileSelectorModalStyle
@@ -841,8 +858,9 @@ function handleSyncthingWarning(files: UFile[], cb: ExtraFileCallbacks, op: () =
                 {operationText} the folder(s) will break Syncthing synchronization for this folder.
                 {(["Moving", "Renaming"] as typeof operationText[]).includes(operationText) ?
                     <div>
-                        <br />
-                        To learn how to move a folder or rename a folder with Syncthing, click <ExternalLink href={"https://docs.syncthing.net/users/faq.html#how-do-i-rename-move-a-synced-folder"}>here</ExternalLink>.
+                        <br/>
+                        To learn how to move a folder or rename a folder with Syncthing, click <ExternalLink
+                        href={"https://docs.syncthing.net/users/faq.html#how-do-i-rename-move-a-synced-folder"}>here</ExternalLink>.
                     </div> : null}
             </div>,
             onConfirm: op,
@@ -1083,10 +1101,10 @@ export async function addFileSensitivityDialog(file: UFile, invokeCommand: Invok
         dialogStore.addDialog(
             <>
                 <Heading.h2>
-                    Sensitive files not supported <Icon name="warning" color="errorMain" size="32" />
+                    Sensitive files not supported <Icon name="warning" color="errorMain" size="32"/>
                 </Heading.h2>
                 <p>
-                    This provider (<ProviderTitle providerId={file.specification.product.provider} />) has declared
+                    This provider (<ProviderTitle providerId={file.specification.product.provider}/>) has declared
                     that they do not support sensitive data. This means that you <b>cannot/should not</b>:
 
                     <ul>
@@ -1114,7 +1132,7 @@ export async function addFileSensitivityDialog(file: UFile, invokeCommand: Invok
     }
 
     dialogStore.addDialog(<SensitivityDialog file={file} invokeCommand={invokeCommand}
-        onUpdated={onUpdated} />, () => undefined, true);
+                                             onUpdated={onUpdated}/>, () => undefined, true);
 }
 
 const api = new FilesApi();
@@ -1168,7 +1186,7 @@ export function FilePreview({initialFile}: {
         })
     }, []);
 
-    const mediaFileMetadata: null | {type: ExtensionType, data: string, error: string | null} = useMemo(() => {
+    const mediaFileMetadata: null | { type: ExtensionType, data: string, error: string | null } = useMemo(() => {
         let [file, contentBuffer] = openFile;
 
         const isSvg = extensionFromPath(file) === "svg";
@@ -1259,15 +1277,17 @@ export function FilePreview({initialFile}: {
                 return null;
             case "image":
                 // Note(Jonas): extensions like .HEIC will fall back to just showing the alt.
-                return <img key={elementKey} className={Image} alt={elementKey} src={mediaFileMetadata.data} />
+                return <img key={elementKey} className={Image} alt={elementKey} src={mediaFileMetadata.data}/>
             case "audio":
-                return <audio key={elementKey} className={Audio} controls src={mediaFileMetadata.data} />;
+                return <audio key={elementKey} className={Audio} controls src={mediaFileMetadata.data}/>;
             case "video":
-                return <video key={elementKey} className={Video} src={mediaFileMetadata.data} controls />;
+                return <video key={elementKey} className={Video} src={mediaFileMetadata.data} controls/>;
             case "pdf":
-                return <object key={elementKey} type="application/pdf" className={classConcat("fullscreen", PreviewObject)} data={mediaFileMetadata.data} />;
+                return <object key={elementKey} type="application/pdf"
+                               className={classConcat("fullscreen", PreviewObject)} data={mediaFileMetadata.data}/>;
             case "markdown":
-                return <div key={elementKey} className={MarkdownStyling}><Markdown>{mediaFileMetadata.data}</Markdown></div>;
+                return <div key={elementKey} className={MarkdownStyling}><Markdown>{mediaFileMetadata.data}</Markdown>
+                </div>;
         }
 
         return null;
@@ -1372,7 +1392,11 @@ export function FilePreview({initialFile}: {
         }, 1000);
     }, [openFile[0]]);
 
-    const onRename = React.useCallback(async ({newAbsolutePath, oldAbsolutePath, cancel}: {newAbsolutePath: string, oldAbsolutePath: string, cancel: boolean}): Promise<boolean> => {
+    const onRename = React.useCallback(async ({newAbsolutePath, oldAbsolutePath, cancel}: {
+        newAbsolutePath: string,
+        oldAbsolutePath: string,
+        cancel: boolean
+    }): Promise<boolean> => {
         let success = false;
         if (cancel) {
             setRenamingFile(undefined);
@@ -1505,7 +1529,9 @@ export function FilePreview({initialFile}: {
                 enabled: () => vfs.isReal(),
                 onClick() {
                     vfs.getFileInfo(file.absolutePath).then(ufile => {
-                        dispatch(setPopInChild({el: <FileProperties routingNamespace={api.routingNamespace} file={ufile} inPopIn />}));
+                        dispatch(setPopInChild({
+                            el: <FileProperties routingNamespace={api.routingNamespace} file={ufile} inPopIn/>
+                        }));
                     });
                 },
                 shortcut: ShortcutKey.V,
@@ -1516,7 +1542,7 @@ export function FilePreview({initialFile}: {
     const navigate = useNavigate();
 
     if (initialFile.status.type === "DIRECTORY") {
-        return <MainContainer main={<FileProperties file={initialFile} routingNamespace={api.routingNamespace} />} />
+        return <MainContainer main={<FileProperties file={initialFile} routingNamespace={api.routingNamespace}/>}/>
     }
 
     return <Editor
@@ -1573,8 +1599,8 @@ export function FilePreview({initialFile}: {
         operations={operations}
         fileHeaderOperations={
             <>
-                <Icon name="heroDocumentPlus" cursor="pointer" size="18px" onClick={() => newFile(initialFile.id)} />
-                <Icon name="heroFolderPlus" cursor="pointer" size="18px" onClick={() => newFolder(initialFile.id)} />
+                <Icon name="heroDocumentPlus" cursor="pointer" size="18px" onClick={() => newFile(initialFile.id)}/>
+                <Icon name="heroFolderPlus" cursor="pointer" size="18px" onClick={() => newFolder(initialFile.id)}/>
             </>
         }
         help={
@@ -1585,7 +1611,9 @@ export function FilePreview({initialFile}: {
                         <Button mx="auto" onClick={() => newFile(initialFile.id)}>New file</Button>
                         <Button mx="auto" onClick={() => newFolder(initialFile.id)}>New folder</Button>
                     </Flex>
-                    <Button width="95%" m="5px" onClick={() => navigate(AppRoutes.files.path(getParentPath(initialFile.id)))}>Go to parent folder</Button>
+                    <Button width="95%" m="5px"
+                            onClick={() => navigate(AppRoutes.files.path(getParentPath(initialFile.id)))}>Go to parent
+                        folder</Button>
                 </Box>
             </Flex>
         }
@@ -1719,7 +1747,8 @@ class PreviewVfs implements Vfs {
 
         if (file.status.type !== "FILE") {
             throw window.Error("Only files can be previewed");
-        };
+        }
+        ;
 
         if (file.status.sizeInBytes === 0) {
             return "";
@@ -1773,13 +1802,18 @@ export interface WriteToFileEventProps {
     content: string;
 }
 
-function FileProperties({file, routingNamespace, inPopIn}: {file: UFile, routingNamespace: string, inPopIn?: boolean;}) {
+function FileProperties({file, routingNamespace, inPopIn}: {
+    file: UFile,
+    routingNamespace: string,
+    inPopIn?: boolean;
+}) {
     const prettyPath = usePrettyFilePath(file.id);
 
     return <>
         <Flex maxWidth={inPopIn ? `var(--popInWidth)` : undefined}>
-            <FtIcon fileIcon={{type: file.status.type, ext: extensionFromPath(file.id)}} size={128} />
-            <Box maxWidth={inPopIn ? `calc(var(--popInWidth) - 128px - 32px)` : undefined} ml={inPopIn ? "16px" : "32px"}>
+            <FtIcon fileIcon={{type: file.status.type, ext: extensionFromPath(file.id)}} size={128}/>
+            <Box maxWidth={inPopIn ? `calc(var(--popInWidth) - 128px - 32px)` : undefined}
+                 ml={inPopIn ? "16px" : "32px"}>
                 <Truncate fontSize={25}>{fileName(file.id)}</Truncate>
                 <Truncate fontSize={20}>{prettierString(file.status.type)}</Truncate>
             </Box>
@@ -1795,7 +1829,7 @@ function FileProperties({file, routingNamespace, inPopIn}: {file: UFile, routing
             </div>
             <Flex gap="8px">
                 <b>Provider: </b>
-                <ProviderTitle providerId={file.specification.product.provider} />
+                <ProviderTitle providerId={file.specification.product.provider}/>
             </Flex>
             <div><b>Created at:</b> {dateToString(file.createdAt)}</div>
             {file.status.modifiedAt ?

From 119fde27ed8a5f2da752cad8f3c16ee0775af124 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Fri, 20 Feb 2026 14:11:53 +0100
Subject: [PATCH 07/23] Added additional policy checks. Fixes #5310, Fixes
 #5308, Fixes #5312, Fixes #5313, Fixes #5316, fixes #5317, fixes #5314

---
 core2/pkg/foundation/policies.go    |  7 +++
 core2/pkg/foundation/projects.go    | 74 +++++++++++++++++++++++++++++
 core2/pkg/orchestrator/files.go     | 28 +++++++++++
 core2/pkg/orchestrator/job.go       | 29 +++++++++++
 core2/pkg/orchestrator/public_ip.go |  6 +++
 5 files changed, 144 insertions(+)

diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index fad6099a70..a3af481da0 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -63,6 +63,10 @@ func policyPopulateSchemaCache() {
 }
 
 func loadProjectPoliciesFromDB() {
+	projectPolicies.Mu.Lock()
+	projectPolicies.PoliciesByProject = make(map[string]*AssociatedPolicies)
+	projectPolicies.Mu.Unlock()
+
 	db.NewTx0(func(tx *db.Transaction) {
 		rows := db.Select[struct {
 			ProjectId        string
@@ -97,7 +101,10 @@ func loadProjectPoliciesFromDB() {
 				Properties: properties,
 			}
 
+			log.Debug("Loading policy %v \n", specification)
+
 			policies.EnabledPolices[row.PolicyName] = specification
+			projectPolicies.PoliciesByProject[projectId] = policies
 		}
 
 		projectPolicies.Mu.Unlock()
diff --git a/core2/pkg/foundation/projects.go b/core2/pkg/foundation/projects.go
index 3cbb028931..4f89c3e1a8 100644
--- a/core2/pkg/foundation/projects.go
+++ b/core2/pkg/foundation/projects.go
@@ -1439,6 +1439,28 @@ func ProjectAcceptInviteLink(actor rpc.Actor, token string) (fndapi.ProjectInvit
 		return fndapi.ProjectInviteLinkInfo{}, err
 	}
 
+	projectPolicies.Mu.Lock()
+	projectRestrictions, hasRestrictions := projectPolicies.PoliciesByProject[linkInfo.Project.Id]
+	projectPolicies.Mu.Unlock()
+
+	if hasRestrictions {
+		policySpec, restrictingMemberOrgs := projectRestrictions.EnabledPolices[fndapi.RestrictOrganizationMembers.String()]
+		if restrictingMemberOrgs {
+			var allowedOrgs []string
+			for _, property := range policySpec.Properties {
+				if property.Name == "organizations" {
+					allowedOrgs = property.TextElements
+				}
+				break
+			}
+			for _, org := range allowedOrgs {
+				if org == actor.OrgId {
+					return fndapi.ProjectInviteLinkInfo{}, util.HttpErr(http.StatusForbidden, "Project does not allow your organization.")
+				}
+			}
+		}
+	}
+
 	if linkInfo.IsMember {
 		return fndapi.ProjectInviteLinkInfo{}, util.HttpErr(http.StatusBadRequest, "You are already a member of this project!")
 	}
@@ -1589,6 +1611,58 @@ func ProjectCreateInvite(actor rpc.Actor, recipient string) *util.HttpError {
 		return util.HttpErr(http.StatusBadRequest, "you cannot invite this user to the project")
 	}
 
+	restrictingProjectMemberOrganization := false
+	var allowedOrgs []string
+	if actor.Project.Present {
+		projectPolicies.Mu.Lock()
+		policies, found := projectPolicies.PoliciesByProject[actor.Project.String()]
+		if found {
+			policySpecification, restricted := policies.EnabledPolices[fndapi.RestrictOrganizationMembers.String()]
+			if restricted {
+				restrictingProjectMemberOrganization = true
+				for _, property := range policySpecification.Properties {
+					if property.Name == "organizations" {
+						allowedOrgs = property.TextElements
+						break
+					}
+				}
+			}
+		}
+		projectPolicies.Mu.Unlock()
+	}
+
+	if restrictingProjectMemberOrganization {
+		canBeInvited := false
+		for _, org := range allowedOrgs {
+			if org == recipientActor.OrgId {
+				canBeInvited = true
+			}
+		}
+		if !canBeInvited {
+			errorMessage := "Cannot invite user."
+			if len(allowedOrgs) == 0 {
+				errorMessage = errorMessage + " Invites disabled by project manager"
+			} else {
+				errorMessage = errorMessage + " Only users from"
+				for i, org := range allowedOrgs {
+					if i == len(allowedOrgs)-1 {
+						errorMessage = errorMessage + fmt.Sprintf(" %s", org)
+					} else {
+						errorMessage = errorMessage + fmt.Sprintf(" %s,", org)
+					}
+				}
+				errorMessage = errorMessage + " allowed to be invited."
+			}
+
+			//remove invite if already sent
+			_, found := info.InvitesSent[recipientActor.Username]
+			if found {
+				delete(info.InvitesSent, recipientActor.Username)
+			}
+
+			return util.HttpErr(http.StatusForbidden, errorMessage)
+		}
+	}
 	info.Mu.Lock()
 	alreadyAMember := false
 	for _, member := range info.Project.Status.Members {
diff --git a/core2/pkg/orchestrator/files.go b/core2/pkg/orchestrator/files.go
index 6cc9a27c03..a54b3abe9c 100644
--- a/core2/pkg/orchestrator/files.go
+++ b/core2/pkg/orchestrator/files.go
@@ -898,6 +898,34 @@ func FilesTransfer(actor rpc.Actor, request orcapi.FilesTransferRequest) *util.H
 		return util.MergeHttpErr(err1, err2)
 	}
 
+	if actor.Project.Present {
+		var allowedProviders []string
+		polices := policiesByProject(actor.Project.String())
+		policySpecification, isRestricted := polices[fndapi.RestrictProviderTransfers.String()]
+		if isRestricted {
+			for _, property := range policySpecification.Properties {
+				if property.Name == "allowedProviders" {
+					allowedProviders = property.Providers
+					break
+				}
+			}
+			if len(allowedProviders) == 0 {
+				return util.HttpErr(http.StatusForbidden, "Project does not allow transfers between providers")
+			} else {
+				for _, provider := range allowedProviders {
+					if provider == sourceDrive.Specification.Product.Provider {
+						errorMsg := fmt.Sprintf("Project does not allow transfers from %v", provider)
+						return util.HttpErr(http.StatusForbidden, errorMsg)
+					}
+					if provider == destDrive.Specification.Product.Provider {
+						errorMsg := fmt.Sprintf("Project does not allow transfers to %v", provider)
+						return util.HttpErr(http.StatusForbidden, errorMsg)
+					}
+				}
+			}
+		}
+	}
+
 	if featureSupported(driveType, destDrive.Specification.Product, driveOpsReadOnly) {
 		return util.HttpErr(http.StatusForbidden, "cannot transfer between these paths (destination is read-only)")
 	}
diff --git a/core2/pkg/orchestrator/job.go b/core2/pkg/orchestrator/job.go
index 4176787230..91ddaca8c1 100644
--- a/core2/pkg/orchestrator/job.go
+++ b/core2/pkg/orchestrator/job.go
@@ -1047,6 +1047,35 @@ func jobsValidateForSubmission(actor rpc.Actor, spec *orcapi.JobSpecification) *
 		return util.HttpErr(http.StatusBadRequest, "unknown application requested")
 	}
 
+	if actor.Project.Present {
+		var allowedApps []string
+		polices := policiesByProject(actor.Project.String())
+		specification, restricted := polices[fndapi.RestrictApplications.String()]
+		if restricted {
+			for _, property := range specification.Properties {
+				if property.Name == "applications" {
+					allowedApps = property.TextElements
+					break
+				}
+			}
+			allowed := false
+			if len(allowedApps) == 0 {
+				return util.HttpErr(http.StatusForbidden, "Application is not allowed to run in this project context.")
+			} else {
+				for _, allowedApp := range allowedApps {
+					println(allowedApp)
+					if allowedApp == app.Metadata.Name {
+						allowed = true
+						break
+					}
+				}
+			}
+			if !allowed {
+				return util.HttpErr(http.StatusForbidden, "Application is not allowed to run in this project context.")
+			}
+		}
+	}
+
 	support, ok := SupportByProduct[orcapi.JobSupport](jobType, spec.Product)
 	if !ok {
 		return util.HttpErr(http.StatusBadRequest, "bad machine type requested")
diff --git a/core2/pkg/orchestrator/public_ip.go b/core2/pkg/orchestrator/public_ip.go
index f38041246b..dc5cceb2df 100644
--- a/core2/pkg/orchestrator/public_ip.go
+++ b/core2/pkg/orchestrator/public_ip.go
@@ -72,6 +72,12 @@ func initPublicIps() {
 	})
 
 	orcapi.PublicIpsCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.PublicIPSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if info.Actor.Project.Present {
+			_, restricted := policiesByProject(info.Actor.Project.String())[fndapi.RestrictPublicIPs.String()]
+			if restricted {
+				return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Project does not allow public IPs.")
+			}
+		}
 		var ids []fndapi.FindByStringId
 		for _, item := range request.Items {
 			supp, ok := SupportByProduct[orcapi.PublicIpSupport](publicIpType, item.Product)

From a694197ad2c4c526364895c45860bc448e10d15c Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Wed, 4 Mar 2026 13:50:10 +0100
Subject: [PATCH 08/23] pre checkout. notifications to provider is being tested

---
 .../pkg/accounting/provider_notifications.go  |  82 +++++++++++---
 core2/pkg/orchestrator/job.go                 |  21 ++++
 core2/pkg/orchestrator/syncthing.go           |  37 +++++-
 .../webclient/app/UCloud/FilesApi.tsx         |   1 +
 .../im2/pkg/controller/event.go               | 105 ++++++++++++++++++
 .../im2/pkg/migrations/00_migrations.go       |   1 +
 .../im2/pkg/migrations/apm_events.go          |  20 ++++
 .../shared/pkg/foundation/policies.go         |   5 +
 8 files changed, 254 insertions(+), 18 deletions(-)

diff --git a/core2/pkg/accounting/provider_notifications.go b/core2/pkg/accounting/provider_notifications.go
index 303a27ca62..44a073d57a 100644
--- a/core2/pkg/accounting/provider_notifications.go
+++ b/core2/pkg/accounting/provider_notifications.go
@@ -29,11 +29,7 @@ var providerNotifications struct {
 
 	ProjectChannelsByProvider map[string]map[string]chan *fndapi.Project
 	WalletsByProvider         map[string]map[string]chan *accapi.WalletV2
-	PoliciesByProvider        map[string]map[string]chan policiesForProject
-}
-
-type policiesForProject struct {
-	PoliciesByName map[string]*fndapi.PolicySpecification
+	PoliciesByProvider        map[string]map[string]chan fndapi.PoliciesForProject
 }
 
 func retrieveRelevantProviders(projectId string) map[string]util.Empty {
@@ -50,7 +46,7 @@ func retrieveRelevantProviders(projectId string) map[string]util.Empty {
 func initProviderNotifications() {
 	providerNotifications.ProjectChannelsByProvider = map[string]map[string]chan *fndapi.Project{}
 	providerNotifications.WalletsByProvider = map[string]map[string]chan *accapi.WalletV2{}
-	providerNotifications.PoliciesByProvider = map[string]map[string]chan policiesForProject{}
+	providerNotifications.PoliciesByProvider = map[string]map[string]chan fndapi.PoliciesForProject{}
 
 	policyCache.Mu.Lock()
 	policyCache.PoliciesByProject = make(map[string]map[string]*fndapi.PolicySpecification)
@@ -139,7 +135,7 @@ func initProviderNotifications() {
 				}
 			} else if policiesOk {
 				relevantProviders := retrieveRelevantProviders(project.Id)
-				var allChannels []chan policiesForProject
+				var allChannels []chan fndapi.PoliciesForProject
 
 				providerNotifications.Mu.Lock()
 
@@ -158,7 +154,7 @@ func initProviderNotifications() {
 
 				for _, ch := range allChannels {
 					select {
-					case ch <- policiesForProject{policySpecifications}:
+					case ch <- fndapi.PoliciesForProject{project.Id, policySpecifications}:
 					case <-time.After(200 * time.Millisecond):
 					}
 				}
@@ -228,6 +224,12 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 			RefToCategory map[int]accapi.ProductCategory
 		}
 
+		policies struct {
+			Counter        int
+			ProjectIdToRef map[string]int
+			RefToProjectId map[int]string
+		}
+
 		ctx    context.Context
 		cancel context.CancelFunc
 	)
@@ -241,6 +243,9 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 	productCategories.IdToRef = map[accapi.ProductCategoryIdV2]int{}
 	productCategories.RefToCategory = map[int]accapi.ProductCategory{}
 
+	policies.ProjectIdToRef = map[string]int{}
+	policies.RefToProjectId = map[int]string{}
+
 	ctx, cancel = context.WithCancel(context.Background())
 
 	// Subscription
@@ -248,7 +253,7 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 	sessionId := util.RandomTokenNoTs(32)
 	projectUpdates := make(chan *fndapi.Project, 128)
 	walletUpdates := make(chan *accapi.WalletV2, 128)
-	providerUpdates := make(chan policiesForProject, 128)
+	policyUpdates := make(chan fndapi.PoliciesForProject, 128)
 
 	{
 		providerNotifications.Mu.Lock()
@@ -269,10 +274,10 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 
 		polmap, ok := providerNotifications.PoliciesByProvider[providerId]
 		if !ok {
-			polmap = map[string]chan policiesForProject{}
+			polmap = map[string]chan fndapi.PoliciesForProject{}
 			providerNotifications.PoliciesByProvider[providerId] = polmap
 		}
-		polmap[sessionId] = providerUpdates
+		polmap[sessionId] = policyUpdates
 
 		providerNotifications.Mu.Unlock()
 	}
@@ -406,6 +411,7 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 
 	projectsToSend := map[int]util.Empty{}
 	usersToSend := map[int]util.Empty{}
+	policiesToSend := map[int]fndapi.PoliciesForProject{}
 	var walletsToSend []*accapi.WalletV2
 	categoriesToSend := map[int]util.Empty{}
 
@@ -427,6 +433,25 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 		return ref
 	}
 
+	appendPolicies := func(policiesForProject fndapi.PoliciesForProject, forced bool) int {
+		projectID := policiesForProject.ProjectId
+		ref, ok := policies.ProjectIdToRef[projectID]
+		if !ok {
+			ref, ok = policies.Counter, true
+			policies.ProjectIdToRef[projectID] = ref
+			policies.RefToProjectId[ref] = projectID
+			policiesToSend[ref] = policiesForProject
+
+			policies.Counter++
+		} else if forced {
+			policies.ProjectIdToRef[projectID] = ref
+			policies.RefToProjectId[ref] = projectID
+			policiesToSend[ref] = policiesForProject
+		}
+
+		return ref
+	}
+
 	appendProjectById := func(projectId string) int {
 		ref, ok := projects.ProjectIdToRef[projectId]
 		if !ok {
@@ -501,6 +526,22 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 			out.WriteString(string(projectJson))
 		}
 
+		for policyRef, _ := range policiesToSend {
+			project := policies.RefToProjectId[policyRef]
+
+			policyCache.Mu.Lock()
+			currentPolices := policyCache.PoliciesByProject[project]
+			var specifications []fndapi.PolicySpecification
+			for _, specification := range currentPolices {
+				specifications = append(specifications, *specification)
+			}
+			currentPolicesSpecificationsJson, _ := json.Marshal(specifications)
+			policyCache.Mu.Unlock()
+			out.WriteU8(opPolicyChange)
+			out.WriteU32(uint32(policyRef))
+			out.WriteString(string(currentPolicesSpecificationsJson))
+		}
+
 		for categoryRef, _ := range categoriesToSend {
 			category := productCategories.RefToCategory[categoryRef]
 			categoryJson, _ := json.Marshal(category)
@@ -547,6 +588,7 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 			categoriesToSend = map[int]util.Empty{}
 			usersToSend = map[int]util.Empty{}
 			walletsToSend = nil
+			policiesToSend = nil
 
 			if err != nil {
 				cancel()
@@ -570,6 +612,11 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 			if ok {
 				appendProject(project, true)
 			}
+
+		case projectPolicies, ok := <-policyUpdates:
+			if ok {
+				appendPolicies(projectPolicies, true)
+			}
 		}
 
 		flush()
@@ -577,10 +624,11 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 }
 
 const (
-	opAuth       = 0
-	opWallet     = 1
-	opProject    = 2
-	opCategory   = 3
-	opUser       = 4
-	opReplayUser = 5
+	opAuth         = 0
+	opWallet       = 1
+	opProject      = 2
+	opCategory     = 3
+	opUser         = 4
+	opReplayUser   = 5
+	opPolicyChange = 6
 )
diff --git a/core2/pkg/orchestrator/job.go b/core2/pkg/orchestrator/job.go
index 8712527959..cd0e4573ad 100644
--- a/core2/pkg/orchestrator/job.go
+++ b/core2/pkg/orchestrator/job.go
@@ -666,6 +666,27 @@ func initJobs() {
 	})
 
 	orcapi.JobsOpenTerminalInFolder.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.JobsOpenTerminalInFolderRequestItem]) (fndapi.BulkResponse[orcapi.OpenSessionWithProvider], *util.HttpError) {
+		if info.Actor.Project.Present {
+			policies := policiesByProject(info.Actor.Project.String())
+			specifications, ok := policies[fndapi.RestrictIntegratedApplications.String()]
+			if ok {
+				for _, property := range specifications.Properties {
+					if property.Name == "allowList" {
+						restricted := true
+						for _, element := range property.TextElements {
+							if element == "terminal" {
+								restricted = false
+								break
+							}
+						}
+						if restricted {
+							return fndapi.BulkResponse[orcapi.OpenSessionWithProvider]{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use the integrated terminal")
+						}
+					}
+				}
+			}
+		}
+
 		updatesByProvider := map[string][]orcapi.JobsOpenTerminalInFolderRequestItem{}
 		indicesByProvider := map[string][]int{}
 
diff --git a/core2/pkg/orchestrator/syncthing.go b/core2/pkg/orchestrator/syncthing.go
index 59eb7280fb..ab54215bd9 100644
--- a/core2/pkg/orchestrator/syncthing.go
+++ b/core2/pkg/orchestrator/syncthing.go
@@ -1,11 +1,35 @@
 package orchestrator
 
 import (
+	"net/http"
+
+	"ucloud.dk/shared/pkg/foundation"
 	orcapi "ucloud.dk/shared/pkg/orchestrators"
 	"ucloud.dk/shared/pkg/rpc"
 	"ucloud.dk/shared/pkg/util"
 )
 
+func syncthingIsRestricted(actor rpc.Actor) bool {
+	if actor.Project.Present {
+		policies, hasRestriction := policiesByProject(actor.Project.String())[foundation.RestrictIntegratedApplications.String()]
+		if hasRestriction {
+			for _, property := range policies.Properties {
+				isRestricted := true
+				if property.Name == "allowList" {
+					for _, element := range property.TextElements {
+						if element == "syncthing" {
+							isRestricted = false
+							break
+						}
+					}
+				}
+				return isRestricted
+			}
+		}
+	}
+	return false
+}
+
 func initSyncthing() {
 	// !! NOTE(Dan): The comment below is potentially outdated and has simply been moved from the old Core. !!
 	// -----------------------------------------------------------------------------------------------------------------
@@ -36,6 +60,9 @@ func initSyncthing() {
 	}
 
 	orcapi.SyncthingRetrieveConfiguration.Handler(func(info rpc.RequestInfo, request orcapi.IAppRetrieveConfigRequest) (orcapi.IAppRetrieveConfigResponse[orcapi.SyncthingConfig], *util.HttpError) {
+		if syncthingIsRestricted(info.Actor) {
+			return orcapi.IAppRetrieveConfigResponse[orcapi.SyncthingConfig]{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
+		}
 		resp, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderRetrieveConfiguration,
@@ -54,7 +81,9 @@ func initSyncthing() {
 	orcapi.SyncthingUpdateConfiguration.Handler(func(info rpc.RequestInfo, request orcapi.IAppUpdateConfigurationRequest[orcapi.SyncthingConfig]) (util.Empty, *util.HttpError) {
 		// NOTE(Dan): This used to do permission checks in the Core, but this is no longer required since the provider
 		// will do this instead.
-
+		if syncthingIsRestricted(info.Actor) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
+		}
 		_, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderUpdateConfiguration,
@@ -73,6 +102,9 @@ func initSyncthing() {
 	})
 
 	orcapi.SyncthingRestart.Handler(func(info rpc.RequestInfo, request orcapi.IAppRestartRequest) (util.Empty, *util.HttpError) {
+		if syncthingIsRestricted(info.Actor) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
+		}
 		_, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderRestart,
@@ -89,6 +121,9 @@ func initSyncthing() {
 	})
 
 	orcapi.SyncthingReset.Handler(func(info rpc.RequestInfo, request orcapi.IAppRestartRequest) (util.Empty, *util.HttpError) {
+		if syncthingIsRestricted(info.Actor) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
+		}
 		_, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderReset,
diff --git a/frontend-web/webclient/app/UCloud/FilesApi.tsx b/frontend-web/webclient/app/UCloud/FilesApi.tsx
index 3c3aa12cd0..794c27dbca 100644
--- a/frontend-web/webclient/app/UCloud/FilesApi.tsx
+++ b/frontend-web/webclient/app/UCloud/FilesApi.tsx
@@ -635,6 +635,7 @@ class FilesApi extends ResourceApi<UFile, ProductStorage, UFileSpecification,
                     const folder = cb.directory?.id ?? "/";
 
                     cb.dispatch({type: "TerminalOpen"});
+                    //TODO(HENRIK) handle if denied by policy
                     cb.dispatch({type: "TerminalOpenTab", payload: {tab: {title: providerTitle, folder}}});
                 },
                 shortcut: ShortcutKey.O
diff --git a/provider-integration/im2/pkg/controller/event.go b/provider-integration/im2/pkg/controller/event.go
index e410757ce6..79f54e7842 100644
--- a/provider-integration/im2/pkg/controller/event.go
+++ b/provider-integration/im2/pkg/controller/event.go
@@ -86,6 +86,10 @@ func initEvents() {
 			}
 		}
 	}()
+
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject = make(map[string]map[string]*fnd.PolicySpecification)
+	policyCache.Mu.Unlock()
 }
 
 func eventHandleNotification(nType EventNotificationMessageType, notification any) {
@@ -186,6 +190,10 @@ func eventHandleNotification(nType EventNotificationMessageType, notification an
 		}
 
 		eventUpdateReplayFromToNow()
+
+	case EventNotificationMessagePolicesUpdated:
+		update := notification.(*EventPoliciesUpdated)
+		updatePolicyCacheForProject(update.ProjectId, update.PoliciesSpecifications)
 	}
 }
 
@@ -213,6 +221,7 @@ const (
 	EvOpCategoryInfo uint8 = 3
 	EvOpUserInfo     uint8 = 4
 	EvOpReplayUser   uint8 = 5
+	EvOpPolicyChange uint8 = 6
 )
 
 const (
@@ -225,6 +234,7 @@ func eventHandleSession(session *ws.Conn, userReplayChannel chan string, replayF
 	projects := make(map[uint32]fnd.Project)
 	products := make(map[uint32]apm.ProductCategory)
 	users := make(map[uint32]string)
+	policies := make(map[uint32]fnd.PoliciesForProject)
 
 	writeBuf := buf{}
 	writeBuf.PutU8(EvOpAuth)
@@ -343,6 +353,25 @@ func eventHandleSession(session *ws.Conn, userReplayChannel chan string, replayF
 					}
 
 					eventHandleNotification(EventNotificationMessageProjectUpdated, &notification)
+				case EvOpPolicyChange:
+					ref := readBuf.GetU32()
+					policiesJson := readBuf.GetString()
+					var projectPolicies fnd.PoliciesForProject
+					err := json.Unmarshal([]byte(policiesJson), &projectPolicies)
+					if err != nil {
+						log.Warn("Failed to read policies: %v\n%v", err, policiesJson)
+						return
+					}
+
+					policies[ref] = projectPolicies
+
+					notification := EventPoliciesUpdated{
+						projectPolicies.ProjectId,
+						projectPolicies.PoliciesByName,
+					}
+
+					eventHandleNotification(EventNotificationMessagePolicesUpdated, &notification)
+
 				default:
 					log.Warn("Invalid APM opcode received: %v", op)
 				}
@@ -362,6 +391,7 @@ type EventNotificationMessageType int
 const (
 	EventNotificationMessageWalletUpdated EventNotificationMessageType = iota
 	EventNotificationMessageProjectUpdated
+	EventNotificationMessagePolicesUpdated
 )
 
 type EventWalletUpdated struct {
@@ -380,6 +410,11 @@ type EventProjectUpdated struct {
 	ProjectComparison
 }
 
+type EventPoliciesUpdated struct {
+	ProjectId              string
+	PoliciesSpecifications map[string]*fnd.PolicySpecification
+}
+
 type buf struct {
 	bytes.Buffer
 	Error error
@@ -792,3 +827,73 @@ func WalletIsLocked(owner apm.WalletOwner, category string) bool {
 func ResourceIsLocked(resource orc.Resource, ref apm.ProductReference) bool {
 	return WalletIsLocked(apm.WalletOwnerFromIds(resource.Owner.CreatedBy, resource.Owner.Project.Value), ref.Category)
 }
+
+var policyCache struct {
+	Mu                sync.RWMutex
+	PoliciesByProject map[string]map[string]*fnd.PolicySpecification
+}
+
+func policiesByProject(projectId string) map[string]*fnd.PolicySpecification {
+	if RunsServerCode() {
+		projectPolicies := map[string]*fnd.PolicySpecification{}
+		policyCache.Mu.Lock()
+		projectPolicies, ok := policyCache.PoliciesByProject[projectId]
+		if !ok {
+			log.Debug("No policies for project %v", projectId)
+			db.NewTx0(func(tx *db.Transaction) {
+				policySpecifications, policiesOk := policySpecificationsRetrieveFromDatabase(tx, projectId)
+				if policiesOk {
+					policyCache.PoliciesByProject[projectId] = policySpecifications
+					projectPolicies = policySpecifications
+				} else {
+					log.Debug("No policies for project %v found in DB", projectId)
+				}
+			})
+		}
+		policyCache.Mu.Unlock()
+		return projectPolicies
+	} else {
+		panic("PoliciesByProject is only implemented for server mode")
+	}
+}
+
+func policySpecificationsRetrieveFromDatabase(tx *db.Transaction, projectId string) (map[string]*fnd.PolicySpecification, bool) {
+	rows := db.Select[struct {
+		ProjectId        string
+		PolicyName       string
+		PolicyProperties string
+	}](
+		tx,
+		`
+			select project_id, policy_name, policy_properties 
+			from project.policies
+			where project_id = :id
+		`,
+		db.Params{
+			"id": projectId,
+		},
+	)
+	var policies = make(map[string]*fnd.PolicySpecification)
+	for _, row := range rows {
+		properties := []fnd.PolicyPropertyValue{}
+		err := json.Unmarshal([]byte(row.PolicyProperties), &properties)
+		if err != nil {
+			log.Debug("Error unmarshalling policy properties on update")
+			return nil, false
+		}
+		specification := fnd.PolicySpecification{
+			Schema:     row.PolicyName,
+			Project:    rpc.ProjectId(row.ProjectId),
+			Properties: properties,
+		}
+
+		policies[specification.Schema] = &specification
+	}
+	return policies, true
+}
+
+func updatePolicyCacheForProject(projectId string, policySpecifications map[string]*fnd.PolicySpecification) {
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject[projectId] = policySpecifications
+	policyCache.Mu.Unlock()
+}
diff --git a/provider-integration/im2/pkg/migrations/00_migrations.go b/provider-integration/im2/pkg/migrations/00_migrations.go
index ac9bcd6410..6621006ec0 100644
--- a/provider-integration/im2/pkg/migrations/00_migrations.go
+++ b/provider-integration/im2/pkg/migrations/00_migrations.go
@@ -33,4 +33,5 @@ func Init() {
 	db.AddMigration(inferenceV1())
 	db.AddMigration(audit.MigrationV1())
 	db.AddMigration(audit.MigrationV2())
+	db.AddMigration(apmEventsV3())
 }
diff --git a/provider-integration/im2/pkg/migrations/apm_events.go b/provider-integration/im2/pkg/migrations/apm_events.go
index 43e1c45049..685a9e3ce3 100644
--- a/provider-integration/im2/pkg/migrations/apm_events.go
+++ b/provider-integration/im2/pkg/migrations/apm_events.go
@@ -64,3 +64,23 @@ func apmEventsV2() db.MigrationScript {
 		},
 	}
 }
+
+func apmEventsV3() db.MigrationScript {
+	return db.MigrationScript{
+		Id: "apmEventsV3",
+		Execute: func(tx *db.Transaction) {
+			db.Exec(
+				tx,
+				`
+						create table if not exists tracked_policies (
+							policy_name text not null,
+							policy_properties jsonb not null,
+							project_id text not null,
+							primary key (project_id, policy_name)
+						)
+					`,
+				db.Params{},
+			)
+		},
+	}
+}
diff --git a/provider-integration/shared/pkg/foundation/policies.go b/provider-integration/shared/pkg/foundation/policies.go
index cfd2ea97ac..3cda940adb 100644
--- a/provider-integration/shared/pkg/foundation/policies.go
+++ b/provider-integration/shared/pkg/foundation/policies.go
@@ -60,6 +60,11 @@ func (t PoliciesType) String() string {
 	return string(t)
 }
 
+type PoliciesForProject struct {
+	ProjectId      string
+	PoliciesByName map[string]*PolicySpecification
+}
+
 type PolicySpecification struct {
 	Schema     string                `json:"schema"`
 	Project    rpc.ProjectId         `json:"project"`

From a9cca0487212e81943174379138ee521843fad65 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Fri, 6 Mar 2026 09:58:18 +0100
Subject: [PATCH 09/23] missing import after merge of master and syncthing
 policy at core

---
 core2/pkg/orchestrator/provider_brandings.go  |   1 +
 core2/pkg/orchestrator/syncthing.go           |  29 ++--
 .../webclient/app/Syncthing/Overview.tsx      | 124 +++++++++---------
 3 files changed, 82 insertions(+), 72 deletions(-)

diff --git a/core2/pkg/orchestrator/provider_brandings.go b/core2/pkg/orchestrator/provider_brandings.go
index 487b088485..6edb3b64fe 100644
--- a/core2/pkg/orchestrator/provider_brandings.go
+++ b/core2/pkg/orchestrator/provider_brandings.go
@@ -5,6 +5,7 @@ import (
 	"sync/atomic"
 	"time"
 
+	"golang.org/x/exp/maps"
 	db "ucloud.dk/shared/pkg/database"
 	"ucloud.dk/shared/pkg/log"
 	orcapi "ucloud.dk/shared/pkg/orchestrators"
diff --git a/core2/pkg/orchestrator/syncthing.go b/core2/pkg/orchestrator/syncthing.go
index ab54215bd9..a8a1993f07 100644
--- a/core2/pkg/orchestrator/syncthing.go
+++ b/core2/pkg/orchestrator/syncthing.go
@@ -1,6 +1,7 @@
 package orchestrator
 
 import (
+	"fmt"
 	"net/http"
 
 	"ucloud.dk/shared/pkg/foundation"
@@ -12,6 +13,7 @@ import (
 func syncthingIsRestricted(actor rpc.Actor) bool {
 	if actor.Project.Present {
 		policies, hasRestriction := policiesByProject(actor.Project.String())[foundation.RestrictIntegratedApplications.String()]
+		fmt.Printf("has them: %v policies: %v\n", hasRestriction, policies)
 		if hasRestriction {
 			for _, property := range policies.Properties {
 				isRestricted := true
@@ -23,6 +25,7 @@ func syncthingIsRestricted(actor rpc.Actor) bool {
 						}
 					}
 				}
+				fmt.Printf("isRestricted: %v \n", isRestricted)
 				return isRestricted
 			}
 		}
@@ -60,9 +63,6 @@ func initSyncthing() {
 	}
 
 	orcapi.SyncthingRetrieveConfiguration.Handler(func(info rpc.RequestInfo, request orcapi.IAppRetrieveConfigRequest) (orcapi.IAppRetrieveConfigResponse[orcapi.SyncthingConfig], *util.HttpError) {
-		if syncthingIsRestricted(info.Actor) {
-			return orcapi.IAppRetrieveConfigResponse[orcapi.SyncthingConfig]{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
-		}
 		resp, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderRetrieveConfiguration,
@@ -81,8 +81,21 @@ func initSyncthing() {
 	orcapi.SyncthingUpdateConfiguration.Handler(func(info rpc.RequestInfo, request orcapi.IAppUpdateConfigurationRequest[orcapi.SyncthingConfig]) (util.Empty, *util.HttpError) {
 		// NOTE(Dan): This used to do permission checks in the Core, but this is no longer required since the provider
 		// will do this instead.
-		if syncthingIsRestricted(info.Actor) {
-			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
+		for _, folder := range request.Config.Folders {
+			driveID, found := orcapi.DriveIdFromUCloudPath(folder.UCloudPath)
+			if found {
+				dInfo, err := ResourceRetrieve[orcapi.Drive](info.Actor, driveType, ResourceParseId(driveID), orcapi.ResourceFlags{})
+				if err != nil {
+					return util.Empty{}, err
+				}
+				if dInfo.Owner.Project.Present {
+					actorWithProject := info.Actor
+					actorWithProject.Project.Set(rpc.ProjectId(dInfo.Owner.Project.Value))
+					if syncthingIsRestricted(actorWithProject) {
+						return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
+					}
+				}
+			}
 		}
 		_, err := InvokeProvider(
 			request.Provider,
@@ -102,9 +115,6 @@ func initSyncthing() {
 	})
 
 	orcapi.SyncthingRestart.Handler(func(info rpc.RequestInfo, request orcapi.IAppRestartRequest) (util.Empty, *util.HttpError) {
-		if syncthingIsRestricted(info.Actor) {
-			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
-		}
 		_, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderRestart,
@@ -121,9 +131,6 @@ func initSyncthing() {
 	})
 
 	orcapi.SyncthingReset.Handler(func(info rpc.RequestInfo, request orcapi.IAppRestartRequest) (util.Empty, *util.HttpError) {
-		if syncthingIsRestricted(info.Actor) {
-			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
-		}
 		_, err := InvokeProvider(
 			request.Provider,
 			orcapi.SyncthingProviderReset,
diff --git a/frontend-web/webclient/app/Syncthing/Overview.tsx b/frontend-web/webclient/app/Syncthing/Overview.tsx
index 15e26db78a..f6b8c249d1 100644
--- a/frontend-web/webclient/app/Syncthing/Overview.tsx
+++ b/frontend-web/webclient/app/Syncthing/Overview.tsx
@@ -194,7 +194,7 @@ interface OperationCallbacks {
 // Primary user interface
 // ================================================================================
 export const Overview: React.FunctionComponent = () => {
-    return <NewOverview />;
+    return <NewOverview/>;
 };
 
 const NewOverview: React.FunctionComponent = () => {
@@ -341,7 +341,7 @@ const NewOverview: React.FunctionComponent = () => {
 
     let main: React.ReactNode;
     if (uiState.devices !== undefined && uiState.devices.length === 0) {
-        main = <AddDeviceWizard onDeviceAdded={onDeviceAdded} onWizardClose={closeWizard} />;
+        main = <AddDeviceWizard onDeviceAdded={onDeviceAdded} onWizardClose={closeWizard}/>;
     } else {
         main = <Flex gap={"16px"} flexWrap={"wrap"}>
             {uiState.showDeviceWizard !== true ? null :
@@ -353,7 +353,7 @@ const NewOverview: React.FunctionComponent = () => {
                     onRequestClose={closeWizard}
                     className={CardClass}
                 >
-                    <AddDeviceWizard onDeviceAdded={onDeviceAdded} onWizardClose={closeWizard} />
+                    <AddDeviceWizard onDeviceAdded={onDeviceAdded} onWizardClose={closeWizard}/>
                 </ReactModal>
             }
 
@@ -364,7 +364,7 @@ const NewOverview: React.FunctionComponent = () => {
                 flexGrow={1}
                 subtitle={<Flex>
                     <ExternalLink href="https://syncthing.net/downloads/" mr="8px">
-                        <Button><Icon name="open" mr="4px" size="14px" /> Download Syncthing</Button>
+                        <Button><Icon name="open" mr="4px" size="14px"/> Download Syncthing</Button>
                     </ExternalLink>
                     <Button onClick={openWizard}>Add device</Button>
                 </Flex>}
@@ -376,7 +376,7 @@ const NewOverview: React.FunctionComponent = () => {
 
                 <List mt="16px">
                     <DeviceBrowse devices={devices} dispatch={dispatch}
-                        opts={{embedded: {disableKeyhandlers: true, hideFilters: false}}} />
+                                  opts={{embedded: {disableKeyhandlers: true, hideFilters: false}}}/>
                 </List>
             </TitledCard>
 
@@ -386,6 +386,7 @@ const NewOverview: React.FunctionComponent = () => {
                 flexBasis={600}
                 flexGrow={1}
                 subtitle={<Button onClick={openFileSelector}>Add Folder</Button>}
+                //TODO(HENRIK) Handle rejection due to policy. Currently adds to the UI, but removed on refresh since the config was not updated
             >
                 <Text mb="12px" color="textSecondary">
                     These are the files which will be synchronized to your devices.
@@ -393,20 +394,21 @@ const NewOverview: React.FunctionComponent = () => {
                 </Text>
 
                 {uiState.folders?.length === 0 ?
-                    <EmptyFolders onAddFolder={openFileSelector} /> :
+                    <EmptyFolders onAddFolder={openFileSelector}/> :
                     <SyncedFolders folders={uiState.folders} dispatch={dispatch}
-                        opts={{embedded: {disableKeyhandlers: true, hideFilters: false}}} />
+                                   opts={{embedded: {disableKeyhandlers: true, hideFilters: false}}}/>
                 }
             </TitledCard>
 
             {folders.length > 0 && devices.length > 0 ?
-                <ServerStatus productId={selectedProduct?.product.name ?? ""} providerId={provider ?? ""} reload={reload} />
+                <ServerStatus productId={selectedProduct?.product.name ?? ""} providerId={provider ?? ""}
+                              reload={reload}/>
                 : null
             }
         </Flex>;
     }
 
-    return <MainContainer main={main} />;
+    return <MainContainer main={main}/>;
 };
 
 function useHomeDrive(providerId: string, projectOverride?: string): string | null {
@@ -547,49 +549,49 @@ const ServerStatus: React.FunctionComponent<{
         {status !== null ? null : <>
             <Flex gap={"16px"} alignItems={"center"} flexDirection={"column"}>
                 <div><i>Syncthing is currently starting up. This process may take a few minutes.</i></div>
-                <div><HexSpin size={48} /></div>
+                <div><HexSpin size={48}/></div>
             </Flex>
         </>}
         {status === null ? null : <>
             <Table tableType={"presentation"}>
                 <tbody>
-                    <TableRow>
-                        <TableHeaderCell width={"200px"}>Status</TableHeaderCell>
-                        <TableCell>
-                            {!restartRequested && status.state === "RUNNING" ? <>
-                                <Icon name={"heroCheck"} color={"successMain"} /> Your Syncthing server is currently running.
-                                (<a style={{color: "var(--primaryMain)"}} href={"#"} onClick={doRestart}>Restart</a>)
-                            </> : <Flex gap={"8px"} alignItems={"center"}>
-                                <HexSpin size={16} margin={"0"} /> <Box flexGrow={1}>Your Syncthing server is currently
-                                    restarting.</Box>
-                            </Flex>}
-                        </TableCell>
-                    </TableRow>
-                    <TableRow>
-                        <TableHeaderCell width={"200px"}>Job ID</TableHeaderCell>
-                        <TableCell>
-                            <ExternalLink href={AppRoutes.prefix + AppRoutes.jobs.view(status.jobId)} target={"_blank"}>
-                                {status.jobId} <Icon name={"open"} size={10} />
-                            </ExternalLink>
-                        </TableCell>
-                    </TableRow>
-                    <TableRow>
-                        <TableHeaderCell width={"200px"}>Device ID</TableHeaderCell>
-                        <TableCell>{status.deviceId}</TableCell>
-                    </TableRow>
-                    <TableRow>
-                        <TableHeaderCell width={"200px"}>Factory reset</TableHeaderCell>
-                        <TableCell>
-                            <ConfirmationButton
-                                icon={"heroTrash"}
-                                actionText={"Factory reset"}
-                                onAction={doFactoryReset}
-                                width={280}
-                                mt="8px"
-                                mb="4px"
-                            />
-                        </TableCell>
-                    </TableRow>
+                <TableRow>
+                    <TableHeaderCell width={"200px"}>Status</TableHeaderCell>
+                    <TableCell>
+                        {!restartRequested && status.state === "RUNNING" ? <>
+                            <Icon name={"heroCheck"} color={"successMain"}/> Your Syncthing server is currently running.
+                            (<a style={{color: "var(--primaryMain)"}} href={"#"} onClick={doRestart}>Restart</a>)
+                        </> : <Flex gap={"8px"} alignItems={"center"}>
+                            <HexSpin size={16} margin={"0"}/> <Box flexGrow={1}>Your Syncthing server is currently
+                            restarting.</Box>
+                        </Flex>}
+                    </TableCell>
+                </TableRow>
+                <TableRow>
+                    <TableHeaderCell width={"200px"}>Job ID</TableHeaderCell>
+                    <TableCell>
+                        <ExternalLink href={AppRoutes.prefix + AppRoutes.jobs.view(status.jobId)} target={"_blank"}>
+                            {status.jobId} <Icon name={"open"} size={10}/>
+                        </ExternalLink>
+                    </TableCell>
+                </TableRow>
+                <TableRow>
+                    <TableHeaderCell width={"200px"}>Device ID</TableHeaderCell>
+                    <TableCell>{status.deviceId}</TableCell>
+                </TableRow>
+                <TableRow>
+                    <TableHeaderCell width={"200px"}>Factory reset</TableHeaderCell>
+                    <TableCell>
+                        <ConfirmationButton
+                            icon={"heroTrash"}
+                            actionText={"Factory reset"}
+                            onAction={doFactoryReset}
+                            width={280}
+                            mt="8px"
+                            mb="4px"
+                        />
+                    </TableCell>
+                </TableRow>
                 </tbody>
             </Table>
         </>}
@@ -743,7 +745,7 @@ function SyncedFolders({folders, dispatch, opts}: {
         });
     }
 
-    return <div ref={mountRef} />;
+    return <div ref={mountRef}/>;
 }
 
 function DeviceBrowse({devices, dispatch, opts}: {
@@ -850,7 +852,7 @@ function DeviceBrowse({devices, dispatch, opts}: {
         });
     }
 
-    return <div ref={mountRef} />;
+    return <div ref={mountRef}/>;
 }
 
 const AddDeviceWizard: React.FunctionComponent<{
@@ -952,17 +954,17 @@ const AddDeviceWizard: React.FunctionComponent<{
 
                             <Flex justifyContent="center" mt="8px">
                                 <ExternalLink href="https://syncthing.net/downloads/">
-                                    <Button><Icon name="open" mr="4px" size="14px" /> Download Syncthing</Button>
+                                    <Button><Icon name="open" mr="4px" size="14px"/> Download Syncthing</Button>
                                 </ExternalLink>
                             </Flex>
                         </li>
                         <li>
-                            <b>Open the Syncthing application</b><br /><br />
+                            <b>Open the Syncthing application</b><br/><br/>
 
-                            If you are using a desktop PC/laptop then your window should now look like this:<br />
+                            If you are using a desktop PC/laptop then your window should now look like this:<br/>
 
                             <Flex justifyContent="center" mt="8px">
-                                <Screenshot src={syncthingScreen4} />
+                                <Screenshot src={syncthingScreen4}/>
                             </Flex>
                         </li>
                     </TutorialList>
@@ -988,20 +990,20 @@ const AddDeviceWizard: React.FunctionComponent<{
                                 In the <i>Actions</i> menu in the top-right corner, click the <i>Show ID</i> button:
                             </li>
                             <li>
-                                A window containing your Device ID, as well as a QR code will appear.<br />
+                                A window containing your Device ID, as well as a QR code will appear.<br/>
                                 Copy the Device ID and paste it into the field below:
                             </li>
                         </TutorialList>
 
                         <Box ml={"auto"}>
-                            <Screenshot src={syncthingScreen1} />
+                            <Screenshot src={syncthingScreen1}/>
                         </Box>
                     </Flex>
 
                     <form onSubmit={tutorialNext}>
                         <Label>
                             Device Name
-                            <Input inputRef={deviceNameRef} placeholder={"My phone"} error={deviceNameError !== null} />
+                            <Input inputRef={deviceNameRef} placeholder={"My phone"} error={deviceNameError !== null}/>
                             {!deviceNameError ?
                                 <Text color="textSecondary">
                                     A name to help you remember which device this is. For example: "Work phone".
@@ -1126,12 +1128,12 @@ const EmptyFolders: React.FunctionComponent<{
                         <p><b>Open Syncthing</b></p>
                         <p>
                             A pop-up will appear, saying that UCloud wants to connect.
-                            Click the <i>Add device</i> button, then <i>Save</i> in the window that appears. <br />
+                            Click the <i>Add device</i> button, then <i>Save</i> in the window that appears. <br/>
                             <b>Note: it can take a few minutes before the pop-up appears.</b>
                         </p>
                     </Box>
                     <Box pl={40}>
-                        <Screenshot src={syncthingScreen2} />
+                        <Screenshot src={syncthingScreen2}/>
                     </Box>
                 </Flex>
             </li>
@@ -1149,7 +1151,7 @@ const EmptyFolders: React.FunctionComponent<{
                     </Box>
 
                     <Box pl={40}>
-                        <Screenshot src={syncthingScreen3} />
+                        <Screenshot src={syncthingScreen3}/>
                     </Box>
                 </Flex>
             </li>
@@ -1182,9 +1184,9 @@ const TutorialListClass = injectStyle("tutorial-list", k => `
     }
 `);
 
-function Screenshot(props: {src: string}): React.ReactNode {
+function Screenshot(props: { src: string }): React.ReactNode {
     return <Image alt="Descriptive screenshot showing how to set up Syncthing." className={ScreenshotClass}
-        src={props.src} />
+                  src={props.src}/>
 }
 
 const ScreenshotClass = injectStyleSimple("screenshot", `

From 55642736e5216168b7a6672fb9c13da886f97763 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Wed, 11 Mar 2026 16:55:54 +0100
Subject: [PATCH 10/23] Fixes #5315

---
 .../pkg/accounting/provider_notifications.go  | 18 ++---
 core2/pkg/foundation/policies.go              | 26 +++++---
 core2/pkg/migrations/policies.go              | 18 ++++-
 core2/pkg/orchestrator/syncthing.go           | 13 ++--
 .../im2/pkg/controller/event.go               | 65 +++++++------------
 .../im2/pkg/controller/jobs.go                | 30 +++++++++
 .../integrations/k8s/containers/syncthing.go  | 29 +++++++++
 .../im2/pkg/migrations/00_migrations.go       |  1 -
 .../im2/pkg/migrations/apm_events.go          | 20 ------
 .../shared/pkg/foundation/policies.go         |  8 ++-
 10 files changed, 136 insertions(+), 92 deletions(-)

diff --git a/core2/pkg/accounting/provider_notifications.go b/core2/pkg/accounting/provider_notifications.go
index 44a073d57a..f9d2401198 100644
--- a/core2/pkg/accounting/provider_notifications.go
+++ b/core2/pkg/accounting/provider_notifications.go
@@ -67,6 +67,7 @@ func initProviderNotifications() {
 			var walletOk bool
 
 			var policySpecifications map[string]*fndapi.PolicySpecification
+			var projectIdForPolices string
 			var policiesOk bool
 
 			select {
@@ -87,6 +88,7 @@ func initProviderNotifications() {
 				db.NewTx0(func(tx *db.Transaction) {
 					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
 				})
+				projectIdForPolices = projectId
 			}
 
 			if projectOk {
@@ -134,7 +136,7 @@ func initProviderNotifications() {
 					}
 				}
 			} else if policiesOk {
-				relevantProviders := retrieveRelevantProviders(project.Id)
+				relevantProviders := retrieveRelevantProviders(projectIdForPolices)
 				var allChannels []chan fndapi.PoliciesForProject
 
 				providerNotifications.Mu.Lock()
@@ -150,11 +152,11 @@ func initProviderNotifications() {
 
 				providerNotifications.Mu.Unlock()
 
-				updatePolicyCacheForProject(project.Id, policySpecifications)
+				updatePolicyCacheForProject(projectIdForPolices, policySpecifications)
 
 				for _, ch := range allChannels {
 					select {
-					case ch <- fndapi.PoliciesForProject{project.Id, policySpecifications}:
+					case ch <- fndapi.PoliciesForProject{projectIdForPolices, policySpecifications}:
 					case <-time.After(200 * time.Millisecond):
 					}
 				}
@@ -531,15 +533,15 @@ func providerNotificationHandleClient(conn *ws.Conn) {
 
 			policyCache.Mu.Lock()
 			currentPolices := policyCache.PoliciesByProject[project]
-			var specifications []fndapi.PolicySpecification
-			for _, specification := range currentPolices {
-				specifications = append(specifications, *specification)
+			projectPolicies := fndapi.PoliciesForProject{
+				project,
+				currentPolices,
 			}
-			currentPolicesSpecificationsJson, _ := json.Marshal(specifications)
+			currentProjectPoliciesJson, _ := json.Marshal(projectPolicies)
 			policyCache.Mu.Unlock()
 			out.WriteU8(opPolicyChange)
 			out.WriteU32(uint32(policyRef))
-			out.WriteString(string(currentPolicesSpecificationsJson))
+			out.WriteString(string(currentProjectPoliciesJson))
 		}
 
 		for categoryRef, _ := range categoriesToSend {
diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index a3af481da0..db6e50c86e 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -30,8 +30,8 @@ func initPolicies() {
 	policyPopulateSchemaCache()
 	loadProjectPoliciesFromDB()
 
-	fndapi.PoliciesRetrieve.Handler(func(info rpc.RequestInfo, request util.Empty) (map[string]fndapi.Policy, *util.HttpError) {
-		return policiesRetrieve(info.Actor)
+	fndapi.PoliciesRetrieve.Handler(func(info rpc.RequestInfo, request fndapi.RetrievePoliciesRequest) (map[string]fndapi.Policy, *util.HttpError) {
+		return policiesRetrieve(info.Actor, request)
 	})
 
 	fndapi.PoliciesUpdate.Handler(func(info rpc.RequestInfo, request fndapi.PoliciesUpdateRequest) (util.Empty, *util.HttpError) {
@@ -111,18 +111,26 @@ func loadProjectPoliciesFromDB() {
 	})
 }
 
-func policiesRetrieve(actor rpc.Actor) (map[string]fndapi.Policy, *util.HttpError) {
-	if !actor.Project.Present {
-		return nil, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
-	}
-	if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRoleAdmin) {
-		return nil, util.HttpErr(http.StatusForbidden, "Only PIs and Admins may list the policies")
+func policiesRetrieve(actor rpc.Actor, request fndapi.RetrievePoliciesRequest) (map[string]fndapi.Policy, *util.HttpError) {
+	projectId := request.ProjectId
+	if actor.Role != rpc.RoleProvider {
+		if !actor.Project.Present {
+			return nil, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
+		}
+		if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRoleAdmin) {
+			return nil, util.HttpErr(http.StatusForbidden, "Only PIs and Admins may list the policies")
+		}
+		projectId = actor.Project.String()
 	}
 
 	result := make(map[string]fndapi.Policy, len(policySchemas))
 
 	projectPolicies.Mu.RLock()
-	policies := maps.Clone(projectPolicies.PoliciesByProject[string(actor.Project.Value)].EnabledPolices)
+	_, ok := projectPolicies.PoliciesByProject[projectId]
+	if !ok {
+		projectPolicies.PoliciesByProject[projectId] = &AssociatedPolicies{}
+	}
+	policies := maps.Clone(projectPolicies.PoliciesByProject[projectId].EnabledPolices)
 	projectPolicies.Mu.RUnlock()
 	for name, schema := range policySchemas {
 
diff --git a/core2/pkg/migrations/policies.go b/core2/pkg/migrations/policies.go
index 59c05f1a9d..14c3513244 100644
--- a/core2/pkg/migrations/policies.go
+++ b/core2/pkg/migrations/policies.go
@@ -26,11 +26,27 @@ func policiesV1() db.MigrationScript {
 				`,
 				`
 					create trigger policy_update_trigger
-					after insert or update or delete
+					after insert or update
 					on project.policies
 					for each row
 					execute function project.notify_policy_change();
 				`,
+				`
+					create or replace function project.notify_policy_deleted()
+					returns trigger as $$
+					begin
+						perform pg_notify('policy_deleted', old.project_id::text);
+						return old;
+					end;
+					$$ language plpgsql;
+				`,
+				`
+					create trigger policy_delete_trigger
+					after delete
+					on project.policies
+					for each row
+					execute function project.notify_policy_deleted();
+				`,
 			}
 
 			for _, statement := range statements {
diff --git a/core2/pkg/orchestrator/syncthing.go b/core2/pkg/orchestrator/syncthing.go
index a8a1993f07..039c6c368c 100644
--- a/core2/pkg/orchestrator/syncthing.go
+++ b/core2/pkg/orchestrator/syncthing.go
@@ -1,9 +1,6 @@
 package orchestrator
 
 import (
-	"fmt"
-	"net/http"
-
 	"ucloud.dk/shared/pkg/foundation"
 	orcapi "ucloud.dk/shared/pkg/orchestrators"
 	"ucloud.dk/shared/pkg/rpc"
@@ -13,10 +10,9 @@ import (
 func syncthingIsRestricted(actor rpc.Actor) bool {
 	if actor.Project.Present {
 		policies, hasRestriction := policiesByProject(actor.Project.String())[foundation.RestrictIntegratedApplications.String()]
-		fmt.Printf("has them: %v policies: %v\n", hasRestriction, policies)
 		if hasRestriction {
+			isRestricted := true
 			for _, property := range policies.Properties {
-				isRestricted := true
 				if property.Name == "allowList" {
 					for _, element := range property.TextElements {
 						if element == "syncthing" {
@@ -25,9 +21,8 @@ func syncthingIsRestricted(actor rpc.Actor) bool {
 						}
 					}
 				}
-				fmt.Printf("isRestricted: %v \n", isRestricted)
-				return isRestricted
 			}
+			return isRestricted
 		}
 	}
 	return false
@@ -91,9 +86,9 @@ func initSyncthing() {
 				if dInfo.Owner.Project.Present {
 					actorWithProject := info.Actor
 					actorWithProject.Project.Set(rpc.ProjectId(dInfo.Owner.Project.Value))
-					if syncthingIsRestricted(actorWithProject) {
+					/*if syncthingIsRestricted(actorWithProject) {
 						return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
-					}
+					}*/
 				}
 			}
 		}
diff --git a/provider-integration/im2/pkg/controller/event.go b/provider-integration/im2/pkg/controller/event.go
index 79f54e7842..eda33b55f4 100644
--- a/provider-integration/im2/pkg/controller/event.go
+++ b/provider-integration/im2/pkg/controller/event.go
@@ -192,7 +192,9 @@ func eventHandleNotification(nType EventNotificationMessageType, notification an
 		eventUpdateReplayFromToNow()
 
 	case EventNotificationMessagePolicesUpdated:
+		fmt.Printf("%v \n", notification)
 		update := notification.(*EventPoliciesUpdated)
+		fmt.Printf("UPDTA: %+v \n", update)
 		updatePolicyCacheForProject(update.ProjectId, update.PoliciesSpecifications)
 	}
 }
@@ -366,8 +368,8 @@ func eventHandleSession(session *ws.Conn, userReplayChannel chan string, replayF
 					policies[ref] = projectPolicies
 
 					notification := EventPoliciesUpdated{
-						projectPolicies.ProjectId,
-						projectPolicies.PoliciesByName,
+						ProjectId:              projectPolicies.ProjectId,
+						PoliciesSpecifications: projectPolicies.PoliciesByName,
 					}
 
 					eventHandleNotification(EventNotificationMessagePolicesUpdated, &notification)
@@ -833,22 +835,21 @@ var policyCache struct {
 	PoliciesByProject map[string]map[string]*fnd.PolicySpecification
 }
 
-func policiesByProject(projectId string) map[string]*fnd.PolicySpecification {
+func RetrievePoliciesByProject(projectId string) map[string]*fnd.PolicySpecification {
 	if RunsServerCode() {
 		projectPolicies := map[string]*fnd.PolicySpecification{}
 		policyCache.Mu.Lock()
 		projectPolicies, ok := policyCache.PoliciesByProject[projectId]
 		if !ok {
 			log.Debug("No policies for project %v", projectId)
-			db.NewTx0(func(tx *db.Transaction) {
-				policySpecifications, policiesOk := policySpecificationsRetrieveFromDatabase(tx, projectId)
-				if policiesOk {
-					policyCache.PoliciesByProject[projectId] = policySpecifications
-					projectPolicies = policySpecifications
-				} else {
-					log.Debug("No policies for project %v found in DB", projectId)
-				}
-			})
+			policySpecifications, policiesOk := policySpecificationsRetrieveFromCore(projectId)
+			if policiesOk {
+				policyCache.PoliciesByProject[projectId] = policySpecifications
+				projectPolicies = policySpecifications
+			} else {
+				log.Debug("No policies for project %v found in DB", projectId)
+			}
+
 		}
 		policyCache.Mu.Unlock()
 		return projectPolicies
@@ -857,37 +858,17 @@ func policiesByProject(projectId string) map[string]*fnd.PolicySpecification {
 	}
 }
 
-func policySpecificationsRetrieveFromDatabase(tx *db.Transaction, projectId string) (map[string]*fnd.PolicySpecification, bool) {
-	rows := db.Select[struct {
-		ProjectId        string
-		PolicyName       string
-		PolicyProperties string
-	}](
-		tx,
-		`
-			select project_id, policy_name, policy_properties 
-			from project.policies
-			where project_id = :id
-		`,
-		db.Params{
-			"id": projectId,
-		},
-	)
+func policySpecificationsRetrieveFromCore(projectId string) (map[string]*fnd.PolicySpecification, bool) {
+	println("PULLING FROM CORE")
+	retrievedPolices, err := fnd.PoliciesRetrieve.Invoke(fnd.RetrievePoliciesRequest{ProjectId: projectId})
+	if err != nil {
+		fmt.Printf("Error %v\n", err)
+		return nil, false
+	}
+	fmt.Printf("%v \n ", retrievedPolices)
 	var policies = make(map[string]*fnd.PolicySpecification)
-	for _, row := range rows {
-		properties := []fnd.PolicyPropertyValue{}
-		err := json.Unmarshal([]byte(row.PolicyProperties), &properties)
-		if err != nil {
-			log.Debug("Error unmarshalling policy properties on update")
-			return nil, false
-		}
-		specification := fnd.PolicySpecification{
-			Schema:     row.PolicyName,
-			Project:    rpc.ProjectId(row.ProjectId),
-			Properties: properties,
-		}
-
-		policies[specification.Schema] = &specification
+	for _, policy := range retrievedPolices {
+		policies[policy.Specification.Schema] = &policy.Specification
 	}
 	return policies, true
 }
diff --git a/provider-integration/im2/pkg/controller/jobs.go b/provider-integration/im2/pkg/controller/jobs.go
index 6bb947821b..168b06ed38 100644
--- a/provider-integration/im2/pkg/controller/jobs.go
+++ b/provider-integration/im2/pkg/controller/jobs.go
@@ -422,6 +422,36 @@ func initJobs() {
 		})
 
 		orcapi.JobsProviderOpenTerminalInFolder.Handler(func(info rpc.RequestInfo, request fnd.BulkRequest[orcapi.JobsOpenTerminalInFolderRequestItem]) (fnd.BulkResponse[orcapi.OpenSession], *util.HttpError) {
+			for _, item := range request.Items {
+				driveId, ok := orcapi.DriveIdFromUCloudPath(item.Folder)
+				if ok {
+					dInfo, found := DriveRetrieve(driveId)
+					if found {
+						policies := RetrievePoliciesByProject(dInfo.Owner.Project.String())
+						specs, hasIntegratedRestrictions := policies[fnd.RestrictIntegratedApplications.String()]
+						if hasIntegratedRestrictions {
+							isRestricted := true
+							for _, property := range specs.Properties {
+								if property.Name == "allowList" {
+									for _, element := range property.TextElements {
+										if element == "terminal" {
+											isRestricted = false
+											break
+										}
+									}
+									break
+								}
+							}
+							if isRestricted {
+								return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusForbidden, "Project does not allow integrated terminal (IM side)")
+							}
+						}
+					} else {
+						return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusNotFound, "Folder cannot be found")
+					}
+				}
+			}
+
 			var errors []*util.HttpError
 			var responses []orcapi.OpenSession
 
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/syncthing.go b/provider-integration/im2/pkg/integrations/k8s/containers/syncthing.go
index 37de6456ef..e96bc66aaa 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/syncthing.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/syncthing.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"math/rand"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -22,6 +23,7 @@ import (
 	"ucloud.dk/pkg/controller"
 	"ucloud.dk/pkg/integrations/k8s/filesystem"
 	"ucloud.dk/pkg/integrations/k8s/shared"
+	"ucloud.dk/shared/pkg/foundation"
 	"ucloud.dk/shared/pkg/log"
 	orc "ucloud.dk/shared/pkg/orchestrators"
 	"ucloud.dk/shared/pkg/util"
@@ -161,6 +163,33 @@ func syncthingBeforeRestart(job *orc.Job) *util.HttpError {
 
 func syncthingValidateConfiguration(job *orc.Job, configuration json.RawMessage) *util.HttpError {
 	var config orc.SyncthingConfig
+	configErr := json.Unmarshal(configuration, &config)
+	if configErr == nil {
+		for _, folder := range config.Folders {
+			driveId, ok := filesystem.DriveIdFromUCloudPath(folder.UCloudPath)
+			if ok {
+				dInfo, found := controller.DriveRetrieve(driveId)
+				if found {
+					policySpecs, hasRestriction := controller.RetrievePoliciesByProject(dInfo.Owner.Project.String())[foundation.RestrictIntegratedApplications.String()]
+					isAllowed := false
+					if hasRestriction {
+						for _, property := range policySpecs.Properties {
+							if property.Name == "allowList" {
+								for _, element := range property.TextElements {
+									if element == "syncthing" {
+										isAllowed = true
+									}
+								}
+							}
+						}
+					}
+					if !isAllowed {
+						return util.HttpErr(http.StatusForbidden, "Project does not allow usage of syncthing (IM)")
+					}
+				}
+			}
+		}
+	}
 	return util.HttpErrorFromErr(json.Unmarshal(configuration, &config))
 }
 
diff --git a/provider-integration/im2/pkg/migrations/00_migrations.go b/provider-integration/im2/pkg/migrations/00_migrations.go
index 6621006ec0..ac9bcd6410 100644
--- a/provider-integration/im2/pkg/migrations/00_migrations.go
+++ b/provider-integration/im2/pkg/migrations/00_migrations.go
@@ -33,5 +33,4 @@ func Init() {
 	db.AddMigration(inferenceV1())
 	db.AddMigration(audit.MigrationV1())
 	db.AddMigration(audit.MigrationV2())
-	db.AddMigration(apmEventsV3())
 }
diff --git a/provider-integration/im2/pkg/migrations/apm_events.go b/provider-integration/im2/pkg/migrations/apm_events.go
index 685a9e3ce3..43e1c45049 100644
--- a/provider-integration/im2/pkg/migrations/apm_events.go
+++ b/provider-integration/im2/pkg/migrations/apm_events.go
@@ -64,23 +64,3 @@ func apmEventsV2() db.MigrationScript {
 		},
 	}
 }
-
-func apmEventsV3() db.MigrationScript {
-	return db.MigrationScript{
-		Id: "apmEventsV3",
-		Execute: func(tx *db.Transaction) {
-			db.Exec(
-				tx,
-				`
-						create table if not exists tracked_policies (
-							policy_name text not null,
-							policy_properties jsonb not null,
-							project_id text not null,
-							primary key (project_id, policy_name)
-						)
-					`,
-				db.Params{},
-			)
-		},
-	}
-}
diff --git a/provider-integration/shared/pkg/foundation/policies.go b/provider-integration/shared/pkg/foundation/policies.go
index 3cda940adb..4fc2998348 100644
--- a/provider-integration/shared/pkg/foundation/policies.go
+++ b/provider-integration/shared/pkg/foundation/policies.go
@@ -93,10 +93,14 @@ type Policy struct {
 
 const policiesBaseContext = "projects/v2/policies"
 
-var PoliciesRetrieve = rpc.Call[util.Empty, map[string]Policy]{
+type RetrievePoliciesRequest struct {
+	ProjectId string `json:"projectId"`
+}
+
+var PoliciesRetrieve = rpc.Call[RetrievePoliciesRequest, map[string]Policy]{
 	BaseContext: policiesBaseContext,
 	Convention:  rpc.ConventionRetrieve,
-	Roles:       rpc.RolesEndUser,
+	Roles:       rpc.RolesAuthenticated,
 }
 
 type PoliciesUpdateRequest struct {

From db0ec8226c83fdbb0c5a9df39fc2b18094d3120e Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Wed, 11 Mar 2026 16:56:23 +0100
Subject: [PATCH 11/23] missed comment

---
 core2/pkg/orchestrator/syncthing.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/core2/pkg/orchestrator/syncthing.go b/core2/pkg/orchestrator/syncthing.go
index 039c6c368c..4c28e49cc9 100644
--- a/core2/pkg/orchestrator/syncthing.go
+++ b/core2/pkg/orchestrator/syncthing.go
@@ -1,6 +1,8 @@
 package orchestrator
 
 import (
+	"net/http"
+
 	"ucloud.dk/shared/pkg/foundation"
 	orcapi "ucloud.dk/shared/pkg/orchestrators"
 	"ucloud.dk/shared/pkg/rpc"
@@ -86,9 +88,9 @@ func initSyncthing() {
 				if dInfo.Owner.Project.Present {
 					actorWithProject := info.Actor
 					actorWithProject.Project.Set(rpc.ProjectId(dInfo.Owner.Project.Value))
-					/*if syncthingIsRestricted(actorWithProject) {
+					if syncthingIsRestricted(actorWithProject) {
 						return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
-					}*/
+					}
 				}
 			}
 		}

From 7cfdb507c2c9a53b9755d94aeef61ecc64773afe Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Fri, 13 Mar 2026 08:42:37 +0100
Subject: [PATCH 12/23] Fixes #5311

---
 .../policies/restrict_internet_access.yaml      |  2 +-
 .../policies/restrict_source_ip_range.yaml      |  2 +-
 .../integrations/k8s/containers/job_builder.go  | 17 +++++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/core2/pkg/foundation/policies/restrict_internet_access.yaml b/core2/pkg/foundation/policies/restrict_internet_access.yaml
index 44293a83f6..74f464ecb4 100644
--- a/core2/pkg/foundation/policies/restrict_internet_access.yaml
+++ b/core2/pkg/foundation/policies/restrict_internet_access.yaml
@@ -14,5 +14,5 @@ configuration:
     type: "Subnet"
     title: "Allowed subnets"
     description: >
-      Only the specified destination subnets are reachable. An empty list means 
+      Only the specified destination subnets are reachable. An empty string means 
       no Internet access is allowed.
\ No newline at end of file
diff --git a/core2/pkg/foundation/policies/restrict_source_ip_range.yaml b/core2/pkg/foundation/policies/restrict_source_ip_range.yaml
index d798aa5e40..80f0815eea 100644
--- a/core2/pkg/foundation/policies/restrict_source_ip_range.yaml
+++ b/core2/pkg/foundation/policies/restrict_source_ip_range.yaml
@@ -17,4 +17,4 @@ configuration:
     title: "Allowed client subnets"
     description: >
       Only clients originating from these subnets are permitted. An empty 
-      list blocks all external access.
\ No newline at end of file
+      string blocks all external access.
\ No newline at end of file
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
index 7da7a24978..59eb01ec09 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
@@ -18,6 +18,7 @@ import (
 	"ucloud.dk/pkg/controller"
 	"ucloud.dk/pkg/integrations/k8s/filesystem"
 	"ucloud.dk/pkg/integrations/k8s/shared"
+	"ucloud.dk/shared/pkg/foundation"
 	orc "ucloud.dk/shared/pkg/orchestrators"
 	"ucloud.dk/shared/pkg/util"
 )
@@ -158,6 +159,22 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		allowNetworkFrom(firewall, job.Id)
 		allowNetworkTo(firewall, job.Id)
 
+		if job.Owner.Project.Present {
+			policySpec, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictInternetAccess.String()]
+			if hasRestriction {
+				for _, prop := range policySpec.Properties {
+					if prop.Name == "allowedSubnets" {
+						if prop.Text == "" {
+							firewall.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress}
+						} else {
+							allowNetworkToSubnet(firewall, prop.Text)
+						}
+						break
+					}
+				}
+			}
+		}
+
 		serviceLabel := shared.JobIdLabel(job.Id)
 		service = &core.Service{
 			ObjectMeta: meta.ObjectMeta{

From bb4685e8936131cd7b9cc94063c7f26820275e3a Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Fri, 13 Mar 2026 12:58:56 +0100
Subject: [PATCH 13/23] Blocking on IP Restiction

---
 core2/pkg/accounting/accounting.go            |  9 ++++
 core2/pkg/accounting/grants.go                | 15 ++++++
 core2/pkg/accounting/grants_export.go         |  7 +++
 core2/pkg/accounting/policy_cache.go          | 27 ++++++++++
 core2/pkg/orchestrator/api_tokens.go          |  9 ++++
 core2/pkg/orchestrator/drive.go               | 24 +++++++++
 core2/pkg/orchestrator/files.go               | 36 +++++++++++++
 core2/pkg/orchestrator/ingress.go             | 25 +++++++++
 core2/pkg/orchestrator/job.go                 | 47 ++++++++++++++++
 core2/pkg/orchestrator/license.go             | 20 +++++++
 core2/pkg/orchestrator/policy_cache.go        | 27 ++++++++++
 core2/pkg/orchestrator/public_ip.go           | 19 +++++++
 core2/pkg/orchestrator/ssh.go                 | 15 ++++++
 core2/pkg/orchestrator/syncthing.go           |  3 ++
 .../im2/pkg/controller/event.go               |  6 +--
 .../im2/pkg/controller/jobs.go                | 53 ++++++++++---------
 .../k8s/containers/job_builder.go             | 18 ++++++-
 17 files changed, 328 insertions(+), 32 deletions(-)

diff --git a/core2/pkg/accounting/accounting.go b/core2/pkg/accounting/accounting.go
index 5b486b8f90..83662233ca 100644
--- a/core2/pkg/accounting/accounting.go
+++ b/core2/pkg/accounting/accounting.go
@@ -28,6 +28,9 @@ func initAccounting() {
 	go accountingProcessTasks()
 
 	accapi.RootAllocate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[accapi.RootAllocateRequest]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		var result []fndapi.FindByStringId
 		for _, reqItem := range request.Items {
 			id, err := RootAllocate(info.Actor, reqItem)
@@ -41,6 +44,9 @@ func initAccounting() {
 	})
 
 	accapi.UpdateAllocation.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[accapi.UpdateAllocationRequest]) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		return UpdateAllocation(info.Actor, request.Items)
 	})
 
@@ -58,6 +64,9 @@ func initAccounting() {
 	})
 
 	accapi.WalletsBrowse.Handler(func(info rpc.RequestInfo, request accapi.WalletsBrowseRequest) (fndapi.PageV2[accapi.WalletV2], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[accapi.WalletV2]{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		return WalletsBrowse(info.Actor, request), nil
 	})
 
diff --git a/core2/pkg/accounting/grants.go b/core2/pkg/accounting/grants.go
index 446a4fd37c..ac09391601 100644
--- a/core2/pkg/accounting/grants.go
+++ b/core2/pkg/accounting/grants.go
@@ -2037,14 +2037,23 @@ func initGrants() {
 
 	if !grantGlobals.Testing.Enabled {
 		accapi.GrantsBrowse.Handler(func(info rpc.RequestInfo, request accapi.GrantsBrowseRequest) (fndapi.PageV2[accapi.GrantApplication], *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return fndapi.PageV2[accapi.GrantApplication]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			return GrantsBrowse(info.Actor, request), nil
 		})
 
 		accapi.GrantsRetrieve.Handler(func(info rpc.RequestInfo, request fndapi.FindByStringId) (accapi.GrantApplication, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return accapi.GrantApplication{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			return GrantsRetrieve(info.Actor, request.Id)
 		})
 
 		accapi.GrantsSubmitRevision.Handler(func(info rpc.RequestInfo, request accapi.GrantsSubmitRevisionRequest) (fndapi.FindByStringId, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return fndapi.FindByStringId{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			id, err := GrantsSubmitRevision(info.Actor, request)
 			if err != nil {
 				return fndapi.FindByStringId{}, err
@@ -2067,6 +2076,9 @@ func initGrants() {
 		})
 
 		accapi.GrantsPostComment.Handler(func(info rpc.RequestInfo, request accapi.GrantsPostCommentRequest) (fndapi.FindByStringId, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return fndapi.FindByStringId{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			id, err := GrantsPostComment(info.Actor, request)
 			if err != nil {
 				return fndapi.FindByStringId{}, err
@@ -2076,6 +2088,9 @@ func initGrants() {
 		})
 
 		accapi.GrantsDeleteComment.Handler(func(info rpc.RequestInfo, request accapi.GrantsDeleteCommentRequest) (util.Empty, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			return util.Empty{}, GrantsDeleteComment(info.Actor, request)
 		})
 
diff --git a/core2/pkg/accounting/grants_export.go b/core2/pkg/accounting/grants_export.go
index 03a0775e47..5eaa31566d 100644
--- a/core2/pkg/accounting/grants_export.go
+++ b/core2/pkg/accounting/grants_export.go
@@ -2,6 +2,7 @@ package accounting
 
 import (
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -14,10 +15,16 @@ import (
 
 func initGrantsExport() {
 	accapi.GrantsExport.Handler(func(info rpc.RequestInfo, request util.Empty) ([]accapi.GrantsExportResponse, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return nil, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		return GrantsExportBrowse(info.Actor), nil
 	})
 
 	accapi.GrantsExportCsv.Handler(func(info rpc.RequestInfo, request util.Empty) (accapi.GrantsExportCsvResponse, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return accapi.GrantsExportCsvResponse{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		csv := GrantsExportBrowseToCsv(GrantsExportBrowse(info.Actor))
 		return accapi.GrantsExportCsvResponse{
 			FileName: "grants.csv",
diff --git a/core2/pkg/accounting/policy_cache.go b/core2/pkg/accounting/policy_cache.go
index 3653e23b83..98435552bc 100644
--- a/core2/pkg/accounting/policy_cache.go
+++ b/core2/pkg/accounting/policy_cache.go
@@ -1,12 +1,15 @@
 package accounting
 
 import (
+	"net"
 	"sync"
 
 	"ucloud.dk/core/pkg/coreutil"
 	db "ucloud.dk/shared/pkg/database"
 	fndapi "ucloud.dk/shared/pkg/foundation"
 	"ucloud.dk/shared/pkg/log"
+	"ucloud.dk/shared/pkg/rpc"
+	"ucloud.dk/shared/pkg/util"
 )
 
 // policyCache is a mapping of projectId -> map[schemaName] -> PolicySpecification
@@ -42,3 +45,27 @@ func updatePolicyCacheForProject(projectId string, policySpecifications map[stri
 	policyCache.PoliciesByProject[projectId] = policySpecifications
 	policyCache.Mu.Unlock()
 }
+
+func sourceIPisRestricted(info rpc.RequestInfo) bool {
+	if info.Actor.Project.Present {
+		sourceIpSpecs, hasSourceRestriction := policiesByProject(info.Actor.Project.String())[fndapi.RestrictSourceIPRange.String()]
+		if hasSourceRestriction {
+			isRestricted := true
+			for _, property := range sourceIpSpecs.Properties {
+				if property.Name == "allowedClientSubnets" {
+					allowedIps := property.Text
+					if allowedIps == "" {
+						break
+					}
+					_, subnet, _ := net.ParseCIDR(allowedIps)
+					ip := net.ParseIP(util.ClientIP(info.HttpRequest).String())
+					if subnet.Contains(ip) {
+						isRestricted = false
+					}
+				}
+			}
+			return isRestricted
+		}
+	}
+	return false
+}
diff --git a/core2/pkg/orchestrator/api_tokens.go b/core2/pkg/orchestrator/api_tokens.go
index 1677103c4d..5bfec6654c 100644
--- a/core2/pkg/orchestrator/api_tokens.go
+++ b/core2/pkg/orchestrator/api_tokens.go
@@ -30,10 +30,16 @@ func initApiTokens() {
 	)
 
 	orcapi.ApiTokenCreate.Handler(func(info rpc.RequestInfo, request orcapi.ApiTokenSpecification) (orcapi.ApiToken, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.ApiToken{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ApiTokenCreate(info.Actor, request)
 	})
 
 	orcapi.ApiTokenBrowse.Handler(func(info rpc.RequestInfo, request orcapi.ApiTokenBrowseRequest) (fndapi.PageV2[orcapi.ApiToken], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.ApiToken]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ApiTokenBrowse(info.Actor, request)
 	})
 
@@ -42,6 +48,9 @@ func initApiTokens() {
 	})
 
 	orcapi.ApiTokenRevoke.Handler(func(info rpc.RequestInfo, request fndapi.FindByStringId) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return util.Empty{}, ApiTokenRevoke(info.Actor, ResourceParseId(request.Id))
 	})
 
diff --git a/core2/pkg/orchestrator/drive.go b/core2/pkg/orchestrator/drive.go
index 5bcfc2f873..18da3065d0 100644
--- a/core2/pkg/orchestrator/drive.go
+++ b/core2/pkg/orchestrator/drive.go
@@ -28,6 +28,10 @@ func initDrives() {
 	)
 
 	orcapi.DrivesBrowse.Handler(func(info rpc.RequestInfo, request orcapi.DrivesBrowseRequest) (fndapi.PageV2[orcapi.Drive], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Drive]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		sortByFn := ResourceDefaultComparator(func(item orcapi.Drive) orcapi.Resource {
 			return item.Resource
 		}, request.ResourceFlags)
@@ -70,10 +74,16 @@ func initDrives() {
 	})
 
 	orcapi.DrivesRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.DrivesRetrieveRequest) (orcapi.Drive, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.Drive{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceRetrieve[orcapi.Drive](info.Actor, driveType, ResourceParseId(request.Id), request.ResourceFlags)
 	})
 
 	orcapi.DrivesCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.DriveSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		var responses []fndapi.FindByStringId
 		for _, reqItem := range request.Items {
 			d, err := DriveCreate(info.Actor, reqItem)
@@ -87,6 +97,9 @@ func initDrives() {
 	})
 
 	orcapi.DrivesRename.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.DriveRenameRequest]) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		for _, reqItem := range request.Items {
 			err := DriveRename(info.Actor, reqItem.Id, reqItem.NewTitle)
 			if err != nil {
@@ -100,6 +113,10 @@ func initDrives() {
 	orcapi.DrivesSearch.Handler(func(info rpc.RequestInfo, request orcapi.DrivesSearchRequest) (fndapi.PageV2[orcapi.Drive], *util.HttpError) {
 		// TODO Sorting through the items would be ideal
 
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Drive]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		items := ResourceBrowse[orcapi.Drive](info.Actor, driveType, request.Next, request.ItemsPerPage, request.ResourceFlags, func(item orcapi.Drive) bool {
 			return strings.Contains(strings.ToLower(item.Specification.Title), strings.ToLower(request.Query))
 		}, nil)
@@ -112,6 +129,10 @@ func initDrives() {
 	})
 
 	orcapi.DrivesUpdateAcl.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.UpdatedAcl]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		var responses []util.Empty
 		for _, item := range request.Items {
 			err := ResourceUpdateAcl(info.Actor, driveType, item)
@@ -124,6 +145,9 @@ func initDrives() {
 	})
 
 	orcapi.DrivesDelete.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		var responses []util.Empty
 		for _, item := range request.Items {
 			err := ResourceDeleteThroughProvider(info.Actor, driveType, item.Id, orcapi.DrivesProviderDelete)
diff --git a/core2/pkg/orchestrator/files.go b/core2/pkg/orchestrator/files.go
index 1d3f31f706..9cad543c92 100644
--- a/core2/pkg/orchestrator/files.go
+++ b/core2/pkg/orchestrator/files.go
@@ -21,51 +21,87 @@ import (
 
 func initFiles() {
 	orcapi.FilesBrowse.Handler(func(info rpc.RequestInfo, request orcapi.FilesBrowseRequest) (fndapi.PageV2[orcapi.UFile], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.UFile]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesBrowse(info.Actor, request)
 	})
 
 	orcapi.FilesRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.FilesRetrieveRequest) (orcapi.UFile, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.UFile{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesRetrieve(info.Actor, request)
 	})
 
 	orcapi.FilesMove.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.FilesSourceAndDestination]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesMove(info.Actor, request)
 	})
 
 	orcapi.FilesCopy.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.FilesSourceAndDestination]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesCopy(info.Actor, request)
 	})
 
 	orcapi.FilesCreateUpload.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.FilesCreateUploadRequest]) (fndapi.BulkResponse[orcapi.FilesCreateUploadResponse], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[orcapi.FilesCreateUploadResponse]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesCreateUpload(info.Actor, request)
 	})
 
 	orcapi.FilesCreateDownload.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[orcapi.FilesCreateDownloadResponse], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[orcapi.FilesCreateDownloadResponse]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesCreateDownload(info.Actor, request)
 	})
 
 	orcapi.FilesCreateFolder.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.FilesCreateFolderRequest]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesCreateFolder(info.Actor, request)
 	})
 
 	orcapi.FilesDelete.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesDelete(info.Actor, request)
 	})
 
 	orcapi.FilesTrash.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesMoveToTrash(info.Actor, request)
 	})
 
 	orcapi.FilesEmptyTrash.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return FilesEmptyTrash(info.Actor, request)
 	})
 
 	orcapi.FilesStreamingSearch.Handler(func(info rpc.RequestInfo, request util.Empty) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		FilesStreamingSearch(info.WebSocket)
 		return util.Empty{}, nil
 	})
 
 	orcapi.FilesTransfer.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.FilesTransferRequest]) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		for _, reqItem := range request.Items {
 			err := FilesTransfer(info.Actor, reqItem)
 			if err != nil {
diff --git a/core2/pkg/orchestrator/ingress.go b/core2/pkg/orchestrator/ingress.go
index 8d4787a117..476aab510c 100644
--- a/core2/pkg/orchestrator/ingress.go
+++ b/core2/pkg/orchestrator/ingress.go
@@ -38,6 +38,10 @@ func initIngresses() {
 	)
 
 	orcapi.IngressesBrowse.Handler(func(info rpc.RequestInfo, request orcapi.IngressesBrowseRequest) (fndapi.PageV2[orcapi.Ingress], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Ingress]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		sortByFn := ResourceDefaultComparator(func(item orcapi.Ingress) orcapi.Resource {
 			return item.Resource
 		}, request.ResourceFlags)
@@ -63,6 +67,9 @@ func initIngresses() {
 	})
 
 	orcapi.IngressesControlBrowse.Handler(func(info rpc.RequestInfo, request orcapi.IngressesControlBrowseRequest) (fndapi.PageV2[orcapi.Ingress], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Ingress]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceBrowse[orcapi.Ingress](
 			info.Actor,
 			ingressType,
@@ -79,6 +86,9 @@ func initIngresses() {
 	hostnamePartRegex := regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)
 
 	orcapi.IngressesCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.IngressSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		if info.Actor.Project.Present {
 			_, restricted := policiesByProject(string(info.Actor.Project.Value))[fndapi.RestrictPublicLinks.String()]
 			if restricted {
@@ -181,6 +191,9 @@ func initIngresses() {
 	})
 
 	orcapi.IngressesDelete.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		for _, item := range request.Items {
 			err := ResourceDeleteThroughProvider[orcapi.Ingress](
 				info.Actor,
@@ -198,6 +211,9 @@ func initIngresses() {
 	})
 
 	orcapi.IngressesSearch.Handler(func(info rpc.RequestInfo, request orcapi.IngressesSearchRequest) (fndapi.PageV2[orcapi.Ingress], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Ingress]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceBrowse[orcapi.Ingress](
 			info.Actor,
 			ingressType,
@@ -216,14 +232,23 @@ func initIngresses() {
 	})
 
 	orcapi.IngressesRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.IngressesRetrieveRequest) (orcapi.Ingress, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.Ingress{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceRetrieve[orcapi.Ingress](info.Actor, ingressType, ResourceParseId(request.Id), request.ResourceFlags)
 	})
 
 	orcapi.IngressesControlRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.IngressesControlRetrieveRequest) (orcapi.Ingress, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.Ingress{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceRetrieve[orcapi.Ingress](info.Actor, ingressType, ResourceParseId(request.Id), request.ResourceFlags)
 	})
 
 	orcapi.IngressesUpdateAcl.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.UpdatedAcl]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		for _, item := range request.Items {
 			err := ResourceUpdateAcl(info.Actor, ingressType, item)
 			if err != nil {
diff --git a/core2/pkg/orchestrator/job.go b/core2/pkg/orchestrator/job.go
index 1c6518a8c6..464f1a432e 100644
--- a/core2/pkg/orchestrator/job.go
+++ b/core2/pkg/orchestrator/job.go
@@ -58,6 +58,10 @@ func initJobs() {
 	go jobNotificationsLoopSendPending()
 
 	orcapi.JobsCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.JobSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		var ids []fndapi.FindByStringId
 		jobSettings := JobSettingsRetrieve(info.Actor)
 
@@ -227,6 +231,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsBrowse.Handler(func(info rpc.RequestInfo, request orcapi.JobsBrowseRequest) (fndapi.PageV2[orcapi.Job], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Job]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		return JobsBrowse(info.Actor, request.Next, request.ItemsPerPage, request.JobFlags)
 	})
 
@@ -235,6 +243,9 @@ func initJobs() {
 	})
 
 	orcapi.JobsRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.JobsRetrieveRequest) (orcapi.Job, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.Job{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return JobsRetrieve(info.Actor, request.Id, request.JobFlags)
 	})
 
@@ -247,6 +258,9 @@ func initJobs() {
 	})
 
 	orcapi.JobsSearch.Handler(func(info rpc.RequestInfo, request orcapi.JobsSearchRequest) (fndapi.PageV2[orcapi.Job], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.Job]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return JobsSearch(info.Actor, request.Query, request.Next, request.ItemsPerPage, request.JobFlags)
 	})
 
@@ -340,6 +354,9 @@ func initJobs() {
 	})
 
 	orcapi.JobsUpdateAcl.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.UpdatedAcl]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		var responses []util.Empty
 		for _, item := range request.Items {
 			err := ResourceUpdateAcl(info.Actor, jobType, item)
@@ -352,6 +369,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsExtend.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.JobsExtendRequestItem]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		updatesByProvider := map[string][]orcapi.JobsProviderExtendRequestItem{}
 
 		for _, item := range request.Items {
@@ -403,6 +424,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsTerminate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		updatesByProvider := map[string][]orcapi.Job{}
 
 		for _, item := range request.Items {
@@ -443,6 +468,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsSuspend.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		updatesByProvider := map[string][]orcapi.JobsProviderSuspendRequestItem{}
 
 		for _, item := range request.Items {
@@ -482,6 +511,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsUnsuspend.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		updatesByProvider := map[string][]orcapi.JobsProviderUnsuspendRequestItem{}
 
 		for _, item := range request.Items {
@@ -521,6 +554,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsOpenInteractiveSession.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.JobsOpenInteractiveSessionRequestItem]) (fndapi.BulkResponse[orcapi.OpenSessionWithProvider], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[orcapi.OpenSessionWithProvider]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		updatesByProvider := map[string][]orcapi.JobsProviderOpenInteractiveSessionRequestItem{}
 		indicesByProvider := map[string][]int{}
 
@@ -666,6 +703,10 @@ func initJobs() {
 	})
 
 	orcapi.JobsOpenTerminalInFolder.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.JobsOpenTerminalInFolderRequestItem]) (fndapi.BulkResponse[orcapi.OpenSessionWithProvider], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[orcapi.OpenSessionWithProvider]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		if info.Actor.Project.Present {
 			policies := policiesByProject(info.Actor.Project.String())
 			specifications, ok := policies[fndapi.RestrictIntegratedApplications.String()]
@@ -863,10 +904,16 @@ func initJobs() {
 	})
 
 	orcapi.JobSettingsRetrieve.Handler(func(info rpc.RequestInfo, request util.Empty) (orcapi.JobSettings, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.JobSettings{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return JobSettingsRetrieve(info.Actor), nil
 	})
 
 	orcapi.JobSettingsUpdate.Handler(func(info rpc.RequestInfo, request orcapi.JobSettings) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		err := JobSettingsUpdate(info.Actor, request)
 		if err != nil {
 			return util.Empty{}, err
diff --git a/core2/pkg/orchestrator/license.go b/core2/pkg/orchestrator/license.go
index 2224d1b122..9f8a09d402 100644
--- a/core2/pkg/orchestrator/license.go
+++ b/core2/pkg/orchestrator/license.go
@@ -27,6 +27,10 @@ func initLicenses() {
 	)
 
 	orcapi.LicensesBrowse.Handler(func(info rpc.RequestInfo, request orcapi.LicensesBrowseRequest) (fndapi.PageV2[orcapi.License], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.License]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		sortByFn := ResourceDefaultComparator(func(item orcapi.License) orcapi.Resource {
 			return item.Resource
 		}, request.ResourceFlags)
@@ -59,6 +63,10 @@ func initLicenses() {
 	})
 
 	orcapi.LicensesCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.LicenseSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		var result []fndapi.FindByStringId
 		for _, item := range request.Items {
 			license, err := ResourceCreateThroughProvider(
@@ -80,6 +88,10 @@ func initLicenses() {
 	})
 
 	orcapi.LicensesDelete.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		for _, item := range request.Items {
 			err := ResourceDeleteThroughProvider(info.Actor, licenseType, item.Id, orcapi.LicensesProviderDelete)
 			if err != nil {
@@ -105,6 +117,10 @@ func initLicenses() {
 	})
 
 	orcapi.LicensesRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.LicensesRetrieveRequest) (orcapi.License, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.License{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		return ResourceRetrieve[orcapi.License](info.Actor, licenseType, ResourceParseId(request.Id), request.ResourceFlags)
 	})
 
@@ -113,6 +129,10 @@ func initLicenses() {
 	})
 
 	orcapi.LicensesUpdateAcl.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.UpdatedAcl]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		for _, item := range request.Items {
 			err := ResourceUpdateAcl(info.Actor, licenseType, item)
 			if err != nil {
diff --git a/core2/pkg/orchestrator/policy_cache.go b/core2/pkg/orchestrator/policy_cache.go
index dc45f80ceb..c8b724f3d3 100644
--- a/core2/pkg/orchestrator/policy_cache.go
+++ b/core2/pkg/orchestrator/policy_cache.go
@@ -2,12 +2,15 @@ package orchestrator
 
 import (
 	"context"
+	"net"
 	"sync"
 
 	"ucloud.dk/core/pkg/coreutil"
 	db "ucloud.dk/shared/pkg/database"
 	fndapi "ucloud.dk/shared/pkg/foundation"
 	"ucloud.dk/shared/pkg/log"
+	"ucloud.dk/shared/pkg/rpc"
+	"ucloud.dk/shared/pkg/util"
 )
 
 // policyCache is a mapping of projectId -> map[schemaName] -> PolicySpecification
@@ -71,3 +74,27 @@ func updatePolicyCacheForProject(projectId string, policySpecifications map[stri
 	policyCache.PoliciesByProject[projectId] = policySpecifications
 	policyCache.Mu.Unlock()
 }
+
+func sourceIPisRestricted(info rpc.RequestInfo) bool {
+	if info.Actor.Project.Present {
+		sourceIpSpecs, hasSourceRestriction := policiesByProject(info.Actor.Project.String())[fndapi.RestrictSourceIPRange.String()]
+		if hasSourceRestriction {
+			isRestricted := true
+			for _, property := range sourceIpSpecs.Properties {
+				if property.Name == "allowedClientSubnets" {
+					allowedIps := property.Text
+					if allowedIps == "" {
+						break
+					}
+					_, subnet, _ := net.ParseCIDR(allowedIps)
+					ip := net.ParseIP(util.ClientIP(info.HttpRequest).String())
+					if subnet.Contains(ip) {
+						isRestricted = false
+					}
+				}
+			}
+			return isRestricted
+		}
+	}
+	return false
+}
diff --git a/core2/pkg/orchestrator/public_ip.go b/core2/pkg/orchestrator/public_ip.go
index dc5cceb2df..463816c792 100644
--- a/core2/pkg/orchestrator/public_ip.go
+++ b/core2/pkg/orchestrator/public_ip.go
@@ -29,6 +29,10 @@ func initPublicIps() {
 	)
 
 	orcapi.PublicIpsBrowse.Handler(func(info rpc.RequestInfo, request orcapi.PublicIpsBrowseRequest) (fndapi.PageV2[orcapi.PublicIp], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.PublicIp]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
+
 		sortByFn := ResourceDefaultComparator(func(item orcapi.PublicIp) orcapi.Resource {
 			return item.Resource
 		}, request.ResourceFlags)
@@ -61,6 +65,9 @@ func initPublicIps() {
 	})
 
 	orcapi.PublicIpsDelete.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		for _, item := range request.Items {
 			err := ResourceDeleteThroughProvider(info.Actor, publicIpType, item.Id, orcapi.PublicIpsProviderDelete)
 			if err != nil {
@@ -72,6 +79,9 @@ func initPublicIps() {
 	})
 
 	orcapi.PublicIpsCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.PublicIPSpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		if info.Actor.Project.Present {
 			_, restricted := policiesByProject(info.Actor.Project.String())[fndapi.RestrictPublicIPs.String()]
 			if restricted {
@@ -139,14 +149,23 @@ func initPublicIps() {
 	})
 
 	orcapi.PublicIpsRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.PublicIpsRetrieveRequest) (orcapi.PublicIp, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.PublicIp{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceRetrieve[orcapi.PublicIp](info.Actor, publicIpType, ResourceParseId(request.Id), request.ResourceFlags)
 	})
 
 	orcapi.PublicIpsControlRetrieve.Handler(func(info rpc.RequestInfo, request orcapi.PublicIpsControlRetrieveRequest) (orcapi.PublicIp, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.PublicIp{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		return ResourceRetrieve[orcapi.PublicIp](info.Actor, publicIpType, ResourceParseId(request.Id), request.ResourceFlags)
 	})
 
 	orcapi.PublicIpsUpdateAcl.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.UpdatedAcl]) (fndapi.BulkResponse[util.Empty], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[util.Empty]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		for _, item := range request.Items {
 			err := ResourceUpdateAcl(info.Actor, publicIpType, item)
 			if err != nil {
diff --git a/core2/pkg/orchestrator/ssh.go b/core2/pkg/orchestrator/ssh.go
index b29792c85c..32833894f4 100644
--- a/core2/pkg/orchestrator/ssh.go
+++ b/core2/pkg/orchestrator/ssh.go
@@ -19,6 +19,9 @@ import (
 
 func initSsh() {
 	orcapi.SshCreate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[orcapi.SshKeySpecification]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		result, err := SshKeyCreate(info.Actor, request.Items)
 		if err != nil {
 			return fndapi.BulkResponse[fndapi.FindByStringId]{}, err
@@ -28,21 +31,33 @@ func initSsh() {
 	})
 
 	orcapi.SshRetrieve.Handler(func(info rpc.RequestInfo, request fndapi.FindByStringId) (orcapi.SshKey, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return orcapi.SshKey{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		result, err := SshKeyRetrieve(info.Actor, request.Id)
 		return result, err
 	})
 
 	orcapi.SshBrowse.Handler(func(info rpc.RequestInfo, request orcapi.SshKeysBrowseRequest) (fndapi.PageV2[orcapi.SshKey], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.SshKey]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		result := SshKeyBrowse(info.Actor, request)
 		return result, nil
 	})
 
 	orcapi.SshDelete.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[fndapi.FindByStringId]) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		err := SshKeyDelete(info.Actor, request.Items)
 		return util.Empty{}, err
 	})
 
 	orcapi.JobsControlBrowseSshKeys.Handler(func(info rpc.RequestInfo, request orcapi.JobsControlBrowseSshKeysRequest) (fndapi.PageV2[orcapi.SshKey], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[orcapi.SshKey]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+		}
 		keys, err := SshKeyRetrieveByJob(info.Actor, request.JobId)
 		if err != nil {
 			return fndapi.PageV2[orcapi.SshKey]{}, err
diff --git a/core2/pkg/orchestrator/syncthing.go b/core2/pkg/orchestrator/syncthing.go
index 4c28e49cc9..0d756a7306 100644
--- a/core2/pkg/orchestrator/syncthing.go
+++ b/core2/pkg/orchestrator/syncthing.go
@@ -91,6 +91,9 @@ func initSyncthing() {
 					if syncthingIsRestricted(actorWithProject) {
 						return util.Empty{}, util.HttpErr(http.StatusForbidden, "Project does not allow users to use Syncthing")
 					}
+					if sourceIPisRestricted(info) {
+						return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+					}
 				}
 			}
 		}
diff --git a/provider-integration/im2/pkg/controller/event.go b/provider-integration/im2/pkg/controller/event.go
index eda33b55f4..ca3e21b965 100644
--- a/provider-integration/im2/pkg/controller/event.go
+++ b/provider-integration/im2/pkg/controller/event.go
@@ -192,9 +192,7 @@ func eventHandleNotification(nType EventNotificationMessageType, notification an
 		eventUpdateReplayFromToNow()
 
 	case EventNotificationMessagePolicesUpdated:
-		fmt.Printf("%v \n", notification)
 		update := notification.(*EventPoliciesUpdated)
-		fmt.Printf("UPDTA: %+v \n", update)
 		updatePolicyCacheForProject(update.ProjectId, update.PoliciesSpecifications)
 	}
 }
@@ -854,18 +852,16 @@ func RetrievePoliciesByProject(projectId string) map[string]*fnd.PolicySpecifica
 		policyCache.Mu.Unlock()
 		return projectPolicies
 	} else {
-		panic("PoliciesByProject is only implemented for server mode")
+		panic("RetrievePoliciesByProject is only implemented for server mode")
 	}
 }
 
 func policySpecificationsRetrieveFromCore(projectId string) (map[string]*fnd.PolicySpecification, bool) {
-	println("PULLING FROM CORE")
 	retrievedPolices, err := fnd.PoliciesRetrieve.Invoke(fnd.RetrievePoliciesRequest{ProjectId: projectId})
 	if err != nil {
 		fmt.Printf("Error %v\n", err)
 		return nil, false
 	}
-	fmt.Printf("%v \n ", retrievedPolices)
 	var policies = make(map[string]*fnd.PolicySpecification)
 	for _, policy := range retrievedPolices {
 		policies[policy.Specification.Schema] = &policy.Specification
diff --git a/provider-integration/im2/pkg/controller/jobs.go b/provider-integration/im2/pkg/controller/jobs.go
index 168b06ed38..deb6e665fc 100644
--- a/provider-integration/im2/pkg/controller/jobs.go
+++ b/provider-integration/im2/pkg/controller/jobs.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"slices"
 	"strings"
@@ -300,29 +301,6 @@ func initJobs() {
 			}
 		})
 
-		orcapi.JobsProviderUnsuspend.Handler(func(info rpc.RequestInfo, request fnd.BulkRequest[orcapi.JobsProviderUnsuspendRequestItem]) (fnd.BulkResponse[util.Empty], *util.HttpError) {
-			var errors []*util.HttpError
-
-			for _, item := range request.Items {
-				err := Jobs.Unsuspend(item.Job)
-
-				if err != nil {
-					errors = append(errors, err)
-				}
-			}
-
-			if len(errors) > 0 {
-				return fnd.BulkResponse[util.Empty]{}, errors[0]
-			} else {
-				var response fnd.BulkResponse[util.Empty]
-				for i := 0; i < len(request.Items); i++ {
-					response.Responses = append(response.Responses, util.Empty{})
-				}
-
-				return response, nil
-			}
-		})
-
 		orcapi.JobsProviderExtend.Handler(func(info rpc.RequestInfo, request fnd.BulkRequest[orcapi.JobsProviderExtendRequestItem]) (fnd.BulkResponse[util.Empty], *util.HttpError) {
 			var errors []*util.HttpError
 
@@ -428,10 +406,10 @@ func initJobs() {
 					dInfo, found := DriveRetrieve(driveId)
 					if found {
 						policies := RetrievePoliciesByProject(dInfo.Owner.Project.String())
-						specs, hasIntegratedRestrictions := policies[fnd.RestrictIntegratedApplications.String()]
+						iAppSpecs, hasIntegratedRestrictions := policies[fnd.RestrictIntegratedApplications.String()]
 						if hasIntegratedRestrictions {
 							isRestricted := true
-							for _, property := range specs.Properties {
+							for _, property := range iAppSpecs.Properties {
 								if property.Name == "allowList" {
 									for _, element := range property.TextElements {
 										if element == "terminal" {
@@ -446,6 +424,9 @@ func initJobs() {
 								return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusForbidden, "Project does not allow integrated terminal (IM side)")
 							}
 						}
+						if IsSourceIPRestricted(policies, info) {
+							return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed")
+						}
 					} else {
 						return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusNotFound, "Folder cannot be found")
 					}
@@ -1768,3 +1749,25 @@ func jobRoutesRefresh() {
 
 	webSessionsMutex.Unlock()
 }
+
+func IsSourceIPRestricted(projectPolices map[string]*fnd.PolicySpecification, info rpc.RequestInfo) bool {
+	sourceIPSpecs, hasSourceIpRestriction := projectPolices[fnd.RestrictSourceIPRange.String()]
+	if hasSourceIpRestriction {
+		isRestricted := true
+		for _, property := range sourceIPSpecs.Properties {
+			if property.Name == "allowedClientSubnets" {
+				allowedIps := property.Text
+				if allowedIps == "" {
+					break
+				}
+				_, subnet, _ := net.ParseCIDR(allowedIps)
+				ip := net.ParseIP(util.ClientIP(info.HttpRequest).String())
+				if subnet.Contains(ip) {
+					isRestricted = false
+				}
+			}
+		}
+		return isRestricted
+	}
+	return false
+}
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
index 59eb01ec09..e3836e7676 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
@@ -160,9 +160,9 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		allowNetworkTo(firewall, job.Id)
 
 		if job.Owner.Project.Present {
-			policySpec, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictInternetAccess.String()]
+			policyAccessSpec, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictInternetAccess.String()]
 			if hasRestriction {
-				for _, prop := range policySpec.Properties {
+				for _, prop := range policyAccessSpec.Properties {
 					if prop.Name == "allowedSubnets" {
 						if prop.Text == "" {
 							firewall.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress}
@@ -173,6 +173,20 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 					}
 				}
 			}
+
+			policySourceSpec, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictSourceIPRange.String()]
+			if hasRestriction {
+				for _, prop := range policySourceSpec.Properties {
+					if prop.Name == "allowedSubnets" {
+						if prop.Text == "" {
+							firewall.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress}
+						} else {
+							allowNetworkToSubnet(firewall, prop.Text)
+						}
+						break
+					}
+				}
+			}
 		}
 
 		serviceLabel := shared.JobIdLabel(job.Id)

From 491b5b9c2db622c77dcadda925c932fd22e05901 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Fri, 13 Mar 2026 13:31:52 +0100
Subject: [PATCH 14/23] fixed missing updates on delete

---
 core2/pkg/accounting/00_module.go             |  3 ++
 core2/pkg/accounting/policy_cache.go          | 36 +++++++++++++++++++
 .../pkg/accounting/provider_notifications.go  |  9 ++++-
 core2/pkg/orchestrator/policy_cache.go        | 17 ++++++---
 4 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/core2/pkg/accounting/00_module.go b/core2/pkg/accounting/00_module.go
index 0bf4440b27..b8215b4fef 100644
--- a/core2/pkg/accounting/00_module.go
+++ b/core2/pkg/accounting/00_module.go
@@ -43,6 +43,9 @@ func Init() {
 	initGrantsExport()
 	times["GrantsExport"] = t.Mark()
 
+	initPolicySubscriptions()
+	times["PolicySubscriptions"] = t.Mark()
+
 	coreutil.PrintStartupTimes("Accounting", times)
 
 	if util.DevelopmentModeEnabled() {
diff --git a/core2/pkg/accounting/policy_cache.go b/core2/pkg/accounting/policy_cache.go
index 98435552bc..0c416a3115 100644
--- a/core2/pkg/accounting/policy_cache.go
+++ b/core2/pkg/accounting/policy_cache.go
@@ -1,6 +1,7 @@
 package accounting
 
 import (
+	"context"
 	"net"
 	"sync"
 
@@ -18,6 +19,41 @@ var policyCache struct {
 	PoliciesByProject map[string]map[string]*fndapi.PolicySpecification
 }
 
+func initPolicySubscriptions() {
+
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject = make(map[string]map[string]*fndapi.PolicySpecification)
+	policyCache.Mu.Unlock()
+
+	go func() {
+		policyUpdates := db.Listen(context.Background(), "policy_updates")
+		policyDeletes := db.Listen(context.Background(), "policy_deleted")
+
+		var projectId string
+		var policySpecifications map[string]*fndapi.PolicySpecification
+		var policiesOk bool
+
+		for {
+			select {
+			case projectId = <-policyUpdates:
+				db.NewTx0(func(tx *db.Transaction) {
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+			case projectId = <-policyDeletes:
+				db.NewTx0(func(tx *db.Transaction) {
+
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+			}
+
+			if policiesOk {
+				updatePolicyCacheForProject(projectId, policySpecifications)
+			}
+		}
+
+	}()
+}
+
 // policiesByProject returns mapping of [schema Name] => PolicySpecification. If no policy is cached for the project it
 // will attempt to retrieve it from DB. This is also how it is populated.
 func policiesByProject(projectId string) map[string]*fndapi.PolicySpecification {
diff --git a/core2/pkg/accounting/provider_notifications.go b/core2/pkg/accounting/provider_notifications.go
index f9d2401198..59c1481139 100644
--- a/core2/pkg/accounting/provider_notifications.go
+++ b/core2/pkg/accounting/provider_notifications.go
@@ -58,6 +58,7 @@ func initProviderNotifications() {
 		projectUpdates := db.Listen(context.Background(), "project_updates")
 		groupUpdates := db.Listen(context.Background(), "project_group_updates")
 		policyUpdates := db.Listen(context.Background(), "policy_updates")
+		policyDeletes := db.Listen(context.Background(), "policy_deleted")
 
 		for {
 			var project fndapi.Project
@@ -89,6 +90,12 @@ func initProviderNotifications() {
 					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
 				})
 				projectIdForPolices = projectId
+
+			case projectId := <-policyDeletes:
+				db.NewTx0(func(tx *db.Transaction) {
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+				projectIdForPolices = projectId
 			}
 
 			if projectOk {
@@ -156,7 +163,7 @@ func initProviderNotifications() {
 
 				for _, ch := range allChannels {
 					select {
-					case ch <- fndapi.PoliciesForProject{projectIdForPolices, policySpecifications}:
+					case ch <- fndapi.PoliciesForProject{ProjectId: projectIdForPolices, PoliciesByName: policySpecifications}:
 					case <-time.After(200 * time.Millisecond):
 					}
 				}
diff --git a/core2/pkg/orchestrator/policy_cache.go b/core2/pkg/orchestrator/policy_cache.go
index c8b724f3d3..13684c2efd 100644
--- a/core2/pkg/orchestrator/policy_cache.go
+++ b/core2/pkg/orchestrator/policy_cache.go
@@ -27,16 +27,25 @@ func initPolicySubscriptions() {
 
 	go func() {
 		policyUpdates := db.Listen(context.Background(), "policy_updates")
+		policyDeletes := db.Listen(context.Background(), "policy_deleted")
 
+		var projectId string
 		var policySpecifications map[string]*fndapi.PolicySpecification
 		var policiesOk bool
 
 		for {
-			projectId := <-policyUpdates
+			select {
+			case projectId = <-policyUpdates:
 
-			db.NewTx0(func(tx *db.Transaction) {
-				policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
-			})
+				db.NewTx0(func(tx *db.Transaction) {
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+			case projectId = <-policyDeletes:
+
+				db.NewTx0(func(tx *db.Transaction) {
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+			}
 
 			if policiesOk {
 				updatePolicyCacheForProject(projectId, policySpecifications)

From e9b07c4a0edd70196ea49d7d151365cda9d0afb3 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Mon, 16 Mar 2026 08:56:12 +0100
Subject: [PATCH 15/23] Data Manager Role for Projects

---
 core2/pkg/foundation/policies.go                |  8 ++++----
 .../shared/pkg/foundation/projects.go           | 16 ++++++++++++----
 .../shared/pkg/rpc/00_module.go                 | 17 ++++++++++++-----
 3 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index db6e50c86e..ac4d979995 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -117,8 +117,8 @@ func policiesRetrieve(actor rpc.Actor, request fndapi.RetrievePoliciesRequest) (
 		if !actor.Project.Present {
 			return nil, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
 		}
-		if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRoleAdmin) {
-			return nil, util.HttpErr(http.StatusForbidden, "Only PIs and Admins may list the policies")
+		if !actor.Membership[actor.Project.Value].Equals(rpc.ProjectRoleDataManager) {
+			return nil, util.HttpErr(http.StatusForbidden, "Only data managers may list the policies")
 		}
 		projectId = actor.Project.String()
 	}
@@ -155,8 +155,8 @@ func policiesUpdate(actor rpc.Actor, request fndapi.PoliciesUpdateRequest) (util
 	if !actor.Project.Present {
 		return util.Empty{}, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
 	}
-	if !actor.Membership[actor.Project.Value].Satisfies(rpc.ProjectRolePI) {
-		return util.Empty{}, util.HttpErr(http.StatusForbidden, "Only PIs may update the policies")
+	if !actor.Membership[actor.Project.Value].Equals(rpc.ProjectRoleDataManager) {
+		return util.Empty{}, util.HttpErr(http.StatusForbidden, "Only data managers may update the policies")
 	}
 
 	filteredUpdates := map[string]map[string]fndapi.PolicySpecification{}
diff --git a/provider-integration/shared/pkg/foundation/projects.go b/provider-integration/shared/pkg/foundation/projects.go
index e8236fd977..50c1a14775 100644
--- a/provider-integration/shared/pkg/foundation/projects.go
+++ b/provider-integration/shared/pkg/foundation/projects.go
@@ -56,13 +56,15 @@ type ProjectRetrieveSubProjectRenamingResponse struct {
 type ProjectRole string
 
 const (
-	ProjectRoleUser  ProjectRole = "USER"
-	ProjectRoleAdmin ProjectRole = "ADMIN"
-	ProjectRolePI    ProjectRole = "PI"
+	ProjectRoleUser        ProjectRole = "USER"
+	ProjectRoleDataManager ProjectRole = "DATA_MANAGER"
+	ProjectRoleAdmin       ProjectRole = "ADMIN"
+	ProjectRolePI          ProjectRole = "PI"
 )
 
 var ProjectRoleOptions = []ProjectRole{
 	ProjectRoleUser,
+	ProjectRoleDataManager,
 	ProjectRoleAdmin,
 	ProjectRolePI,
 }
@@ -70,8 +72,10 @@ var ProjectRoleOptions = []ProjectRole{
 func (p ProjectRole) Power() int {
 	switch p {
 	case ProjectRolePI:
-		return 3
+		return 4
 	case ProjectRoleAdmin:
+		return 3
+	case ProjectRoleDataManager:
 		return 2
 	case ProjectRoleUser:
 		return 1
@@ -98,6 +102,10 @@ func (p ProjectRole) Satisfies(requirement ProjectRole) bool {
 	}
 }
 
+func (p ProjectRole) Equals(requirement ProjectRole) bool {
+	return p == requirement
+}
+
 type ProjectMember struct {
 	Username string      `json:"username,omitempty"`
 	Role     ProjectRole `json:"role,omitempty"`
diff --git a/provider-integration/shared/pkg/rpc/00_module.go b/provider-integration/shared/pkg/rpc/00_module.go
index 91efa409a4..ea9f9e393a 100644
--- a/provider-integration/shared/pkg/rpc/00_module.go
+++ b/provider-integration/shared/pkg/rpc/00_module.go
@@ -62,18 +62,21 @@ type ProjectRole string
 type ProviderId string
 
 const (
-	ProjectRolePI    ProjectRole = "PI"
-	ProjectRoleAdmin ProjectRole = "ADMIN"
-	ProjectRoleUser  ProjectRole = "USER"
+	ProjectRolePI          ProjectRole = "PI"
+	ProjectRoleAdmin       ProjectRole = "ADMIN"
+	ProjectRoleDataManager ProjectRole = "DATA_MANAGER"
+	ProjectRoleUser        ProjectRole = "USER"
 )
 
-var ProjectRoleOptions = []ProjectRole{ProjectRolePI, ProjectRoleAdmin, ProjectRoleUser}
+var ProjectRoleOptions = []ProjectRole{ProjectRolePI, ProjectRoleAdmin, ProjectRoleDataManager, ProjectRoleUser}
 
 func (p ProjectRole) Power() int {
 	switch p {
 	case ProjectRolePI:
-		return 3
+		return 4
 	case ProjectRoleAdmin:
+		return 3
+	case ProjectRoleDataManager:
 		return 2
 	case ProjectRoleUser:
 		return 1
@@ -100,6 +103,10 @@ func (p ProjectRole) Satisfies(requirement ProjectRole) bool {
 	}
 }
 
+func (p ProjectRole) Equals(requirement ProjectRole) bool {
+	return p == requirement
+}
+
 type GroupMembership map[GroupId]ProjectId
 type ProjectMembership map[ProjectId]ProjectRole
 type ProviderProjects map[ProviderId]ProjectId

From 08b51a1558052be0a90b741a6bf7f3a647d50fcf Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Thu, 26 Mar 2026 15:45:00 +0100
Subject: [PATCH 16/23] compile error

---
 core2/pkg/orchestrator/provider_brandings.go                  | 1 -
 .../im2/pkg/integrations/k8s/containers/job_builder.go        | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/core2/pkg/orchestrator/provider_brandings.go b/core2/pkg/orchestrator/provider_brandings.go
index c3e21f8844..f9dd0d8253 100644
--- a/core2/pkg/orchestrator/provider_brandings.go
+++ b/core2/pkg/orchestrator/provider_brandings.go
@@ -6,7 +6,6 @@ import (
 	"sync/atomic"
 	"time"
 
-	"golang.org/x/exp/maps"
 	db "ucloud.dk/shared/pkg/database"
 	"ucloud.dk/shared/pkg/log"
 	orcapi "ucloud.dk/shared/pkg/orchestrators"
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
index 163617759d..258ac18c0a 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
@@ -166,7 +166,7 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 						if prop.Text == "" {
 							firewall.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeEgress}
 						} else {
-							allowNetworkToSubnet(firewall, prop.Text)
+							allowNetworkTo(firewall, prop.Text)
 						}
 						break
 					}
@@ -180,7 +180,7 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 						if prop.Text == "" {
 							firewall.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress}
 						} else {
-							allowNetworkToSubnet(firewall, prop.Text)
+							allowNetworkTo(firewall, prop.Text)
 						}
 						break
 					}

From bcd72e8f7b486902e89981c07c1a08ede68abbea Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 3 Apr 2026 03:46:23 +0000
Subject: [PATCH 17/23] Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4
 in /core2

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 core2/go.mod | 2 +-
 core2/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core2/go.mod b/core2/go.mod
index 1213d260de..aad9aa8886 100644
--- a/core2/go.mod
+++ b/core2/go.mod
@@ -50,7 +50,7 @@ require (
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
diff --git a/core2/go.sum b/core2/go.sum
index d4c0592ae3..008af4749d 100644
--- a/core2/go.sum
+++ b/core2/go.sum
@@ -56,8 +56,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=

From 821e66c6e4be631591fe5d7da62a0b88dad68209 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 3 Apr 2026 04:02:01 +0000
Subject: [PATCH 18/23] Bump github.com/go-jose/go-jose/v4 in
 /provider-integration/im2

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 provider-integration/im2/go.mod | 2 +-
 provider-integration/im2/go.sum | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/provider-integration/im2/go.mod b/provider-integration/im2/go.mod
index f127279f41..7a1b8bf3f3 100644
--- a/provider-integration/im2/go.mod
+++ b/provider-integration/im2/go.mod
@@ -56,7 +56,7 @@ require (
 	github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-kit/kit v0.13.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
diff --git a/provider-integration/im2/go.sum b/provider-integration/im2/go.sum
index 68d0f82027..794d6be53a 100644
--- a/provider-integration/im2/go.sum
+++ b/provider-integration/im2/go.sum
@@ -93,7 +93,6 @@ github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkX
 github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
 github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
-github.com/creack/pty v1.1.9 h1:uDmaGzcdjhF4i/plgjmEsriH11Y0o7RKapEf/LDaM3w=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
@@ -135,8 +134,8 @@ github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXE
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/kit v0.13.0 h1:OoneCcHKHQ03LfBpoQCUfCluwd2Vt3ohz+kvbJneZAU=
 github.com/go-kit/kit v0.13.0/go.mod h1:phqEHMMUbyrCFCTgH48JueqrM3md2HcAZ8N3XE4FKDg=
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=

From 8e243ea98374bce40d30931a910853d799998258 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 6 Apr 2026 21:37:30 +0000
Subject: [PATCH 19/23] Bump vite from 7.3.1 to 7.3.2 in
 /frontend-web/webclient

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 frontend-web/webclient/package-lock.json | 8 ++++----
 frontend-web/webclient/package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/frontend-web/webclient/package-lock.json b/frontend-web/webclient/package-lock.json
index e14ae4b4a2..bbdc94f15c 100644
--- a/frontend-web/webclient/package-lock.json
+++ b/frontend-web/webclient/package-lock.json
@@ -70,7 +70,7 @@
                 "@vitejs/plugin-react": "5.1.4",
                 "@vitejs/plugin-react-refresh": "1.3.6",
                 "typescript": "5.9.3",
-                "vite": "7.3.1"
+                "vite": "7.3.2"
             }
         },
         "node_modules/@antfu/install-pkg": {
@@ -8197,9 +8197,9 @@
             }
         },
         "node_modules/vite": {
-            "version": "7.3.1",
-            "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
-            "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+            "version": "7.3.2",
+            "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz",
+            "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
diff --git a/frontend-web/webclient/package.json b/frontend-web/webclient/package.json
index 090511866c..259f9e8d73 100644
--- a/frontend-web/webclient/package.json
+++ b/frontend-web/webclient/package.json
@@ -85,6 +85,6 @@
         "@vitejs/plugin-react": "5.1.4",
         "@vitejs/plugin-react-refresh": "1.3.6",
         "typescript": "5.9.3",
-        "vite": "7.3.1"
+        "vite": "7.3.2"
     }
 }
\ No newline at end of file

From 2039de2db9b9eb45155672e99ed9df08d53010bd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 8 Apr 2026 07:56:56 +0000
Subject: [PATCH 20/23] Bump lodash-es and mermaid in /frontend-web/webclient

Bumps [lodash-es](https://github.com/lodash/lodash) to 4.18.1 and updates ancestor dependency [mermaid](https://github.com/mermaid-js/mermaid). These dependencies need to be updated together.


Updates `lodash-es` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.18.1)

Updates `mermaid` from 11.12.2 to 11.14.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.2...mermaid@11.14.0)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
- dependency-name: mermaid
  dependency-version: 11.14.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 frontend-web/webclient/package-lock.json | 135 +++++++++++++++--------
 frontend-web/webclient/package.json      |   2 +-
 2 files changed, 93 insertions(+), 44 deletions(-)

diff --git a/frontend-web/webclient/package-lock.json b/frontend-web/webclient/package-lock.json
index bbdc94f15c..186f5a755a 100644
--- a/frontend-web/webclient/package-lock.json
+++ b/frontend-web/webclient/package-lock.json
@@ -28,7 +28,7 @@
                 "jsrsasign": "11.1.1",
                 "localforage": "1.10.0",
                 "magic-bytes.js": "1.13.0",
-                "mermaid": "11.12.2",
+                "mermaid": "11.14.0",
                 "monaco-editor": "0.55.1",
                 "monaco-vim": "0.4.2",
                 "react": "19.2.4",
@@ -363,32 +363,40 @@
             "license": "MIT"
         },
         "node_modules/@chevrotain/cst-dts-gen": {
-            "version": "11.0.3",
+            "version": "12.0.0",
+            "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-12.0.0.tgz",
+            "integrity": "sha512-fSL4KXjTl7cDgf0B5Rip9Q05BOrYvkJV/RrBTE/bKDN096E4hN/ySpcBK5B24T76dlQ2i32Zc3PAE27jFnFrKg==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@chevrotain/gast": "11.0.3",
-                "@chevrotain/types": "11.0.3",
-                "lodash-es": "4.17.21"
+                "@chevrotain/gast": "12.0.0",
+                "@chevrotain/types": "12.0.0"
             }
         },
         "node_modules/@chevrotain/gast": {
-            "version": "11.0.3",
+            "version": "12.0.0",
+            "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-12.0.0.tgz",
+            "integrity": "sha512-1ne/m3XsIT8aEdrvT33so0GUC+wkctpUPK6zU9IlOyJLUbR0rg4G7ZiApiJbggpgPir9ERy3FRjT6T7lpgetnQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@chevrotain/types": "11.0.3",
-                "lodash-es": "4.17.21"
+                "@chevrotain/types": "12.0.0"
             }
         },
         "node_modules/@chevrotain/regexp-to-ast": {
-            "version": "11.0.3",
+            "version": "12.0.0",
+            "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-12.0.0.tgz",
+            "integrity": "sha512-p+EW9MaJwgaHguhoqwOtx/FwuGr+DnNn857sXWOi/mClXIkPGl3rn7hGNWvo31HA3vyeQxjqe+H36yZJwYU8cA==",
             "license": "Apache-2.0"
         },
         "node_modules/@chevrotain/types": {
-            "version": "11.0.3",
+            "version": "12.0.0",
+            "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-12.0.0.tgz",
+            "integrity": "sha512-S+04vjFQKeuYw0/eW3U52LkAHQsB1ASxsPGsLPUyQgrZ2iNNibQrsidruDzjEX2JYfespXMG0eZmXlhA6z7nWA==",
             "license": "Apache-2.0"
         },
         "node_modules/@chevrotain/utils": {
-            "version": "11.0.3",
+            "version": "12.0.0",
+            "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-12.0.0.tgz",
+            "integrity": "sha512-lB59uJoaGIfOOL9knQqQRfhl9g7x8/wqFkp13zTdkRu1huG9kg6IJs1O8hqj9rs6h7orGxHJUKb+mX3rPbWGhA==",
             "license": "Apache-2.0"
         },
         "node_modules/@esbuild/aix-ppc64": {
@@ -949,10 +957,12 @@
             }
         },
         "node_modules/@mermaid-js/parser": {
-            "version": "0.6.3",
+            "version": "1.1.0",
+            "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.0.tgz",
+            "integrity": "sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==",
             "license": "MIT",
             "dependencies": {
-                "langium": "3.3.1"
+                "langium": "^4.0.0"
             }
         },
         "node_modules/@novnc/novnc": {
@@ -2089,6 +2099,16 @@
             "version": "1.2.0",
             "license": "ISC"
         },
+        "node_modules/@upsetjs/venn.js": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/@upsetjs/venn.js/-/venn.js-2.0.0.tgz",
+            "integrity": "sha512-WbBhLrooyePuQ1VZxrJjtLvTc4NVfpOyKx0sKqioq9bX1C1m7Jgykkn8gLrtwumBioXIqam8DLxp88Adbue6Hw==",
+            "license": "MIT",
+            "optionalDependencies": {
+                "d3-selection": "^3.0.0",
+                "d3-transition": "^3.0.1"
+            }
+        },
         "node_modules/@vitejs/plugin-react": {
             "version": "5.1.4",
             "resolved": "https://registry.npmjs.org/@vitejs/plugin-react/-/plugin-react-5.1.4.tgz",
@@ -2533,25 +2553,31 @@
             }
         },
         "node_modules/chevrotain": {
-            "version": "11.0.3",
+            "version": "12.0.0",
+            "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-12.0.0.tgz",
+            "integrity": "sha512-csJvb+6kEiQaqo1woTdSAuOWdN0WTLIydkKrBnS+V5gZz0oqBrp4kQ35519QgK6TpBThiG3V1vNSHlIkv4AglQ==",
             "license": "Apache-2.0",
             "dependencies": {
-                "@chevrotain/cst-dts-gen": "11.0.3",
-                "@chevrotain/gast": "11.0.3",
-                "@chevrotain/regexp-to-ast": "11.0.3",
-                "@chevrotain/types": "11.0.3",
-                "@chevrotain/utils": "11.0.3",
-                "lodash-es": "4.17.21"
+                "@chevrotain/cst-dts-gen": "12.0.0",
+                "@chevrotain/gast": "12.0.0",
+                "@chevrotain/regexp-to-ast": "12.0.0",
+                "@chevrotain/types": "12.0.0",
+                "@chevrotain/utils": "12.0.0"
+            },
+            "engines": {
+                "node": ">=22.0.0"
             }
         },
         "node_modules/chevrotain-allstar": {
-            "version": "0.3.1",
+            "version": "0.4.1",
+            "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.1.tgz",
+            "integrity": "sha512-PvVJm3oGqrveUVW2Vt/eZGeiAIsJszYweUcYwcskg9e+IubNYKKD+rHHem7A6XVO22eDAL+inxNIGAzZ/VIWlA==",
             "license": "MIT",
             "dependencies": {
                 "lodash-es": "^4.17.21"
             },
             "peerDependencies": {
-                "chevrotain": "^11.0.0"
+                "chevrotain": "^12.0.0"
             }
         },
         "node_modules/clsx": {
@@ -3161,7 +3187,9 @@
             }
         },
         "node_modules/dagre-d3-es": {
-            "version": "7.0.13",
+            "version": "7.0.14",
+            "resolved": "https://registry.npmjs.org/dagre-d3-es/-/dagre-d3-es-7.0.14.tgz",
+            "integrity": "sha512-P4rFMVq9ESWqmOgK+dlXvOtLwYg0i7u0HBGJER0LZDJT2VHIPAMZ/riPxqJceWMStH5+E61QxFra9kIS3AqdMg==",
             "license": "MIT",
             "dependencies": {
                 "d3": "^7.9.0",
@@ -4227,17 +4255,21 @@
             "license": "MIT"
         },
         "node_modules/langium": {
-            "version": "3.3.1",
+            "version": "4.2.2",
+            "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.2.tgz",
+            "integrity": "sha512-JUshTRAfHI4/MF9dH2WupvjSXyn8JBuUEWazB8ZVJUtXutT0doDlAv1XKbZ1Pb5sMexa8FF4CFBc0iiul7gbUQ==",
             "license": "MIT",
             "dependencies": {
-                "chevrotain": "~11.0.3",
-                "chevrotain-allstar": "~0.3.0",
+                "@chevrotain/regexp-to-ast": "~12.0.0",
+                "chevrotain": "~12.0.0",
+                "chevrotain-allstar": "~0.4.1",
                 "vscode-languageserver": "~9.0.1",
                 "vscode-languageserver-textdocument": "~1.0.11",
-                "vscode-uri": "~3.0.8"
+                "vscode-uri": "~3.1.0"
             },
             "engines": {
-                "node": ">=16.0.0"
+                "node": ">=20.10.0",
+                "npm": ">=10.2.3"
             }
         },
         "node_modules/layout-base": {
@@ -4278,7 +4310,9 @@
             }
         },
         "node_modules/lodash-es": {
-            "version": "4.17.21",
+            "version": "4.18.1",
+            "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.18.1.tgz",
+            "integrity": "sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==",
             "license": "MIT"
         },
         "node_modules/longest-streak": {
@@ -4997,27 +5031,28 @@
             "license": "MIT"
         },
         "node_modules/mermaid": {
-            "version": "11.12.2",
-            "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.12.2.tgz",
-            "integrity": "sha512-n34QPDPEKmaeCG4WDMGy0OT6PSyxKCfy2pJgShP+Qow2KLrvWjclwbc3yXfSIf4BanqWEhQEpngWwNp/XhZt6w==",
+            "version": "11.14.0",
+            "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.14.0.tgz",
+            "integrity": "sha512-GSGloRsBs+JINmmhl0JDwjpuezCsHB4WGI4NASHxL3fHo3o/BRXTxhDLKnln8/Q0lRFRyDdEjmk1/d5Sn1Xz8g==",
             "license": "MIT",
             "dependencies": {
                 "@braintree/sanitize-url": "^7.1.1",
-                "@iconify/utils": "^3.0.1",
-                "@mermaid-js/parser": "^0.6.3",
+                "@iconify/utils": "^3.0.2",
+                "@mermaid-js/parser": "^1.1.0",
                 "@types/d3": "^7.4.3",
-                "cytoscape": "^3.29.3",
+                "@upsetjs/venn.js": "^2.0.0",
+                "cytoscape": "^3.33.1",
                 "cytoscape-cose-bilkent": "^4.1.0",
                 "cytoscape-fcose": "^2.2.0",
                 "d3": "^7.9.0",
                 "d3-sankey": "^0.12.3",
-                "dagre-d3-es": "7.0.13",
-                "dayjs": "^1.11.18",
-                "dompurify": "^3.2.5",
-                "katex": "^0.16.22",
+                "dagre-d3-es": "7.0.14",
+                "dayjs": "^1.11.19",
+                "dompurify": "^3.3.1",
+                "katex": "^0.16.25",
                 "khroma": "^2.1.0",
-                "lodash-es": "^4.17.21",
-                "marked": "^16.2.1",
+                "lodash-es": "^4.17.23",
+                "marked": "^16.3.0",
                 "roughjs": "^4.6.6",
                 "stylis": "^4.3.6",
                 "ts-dedent": "^2.2.0",
@@ -5025,7 +5060,9 @@
             }
         },
         "node_modules/mermaid/node_modules/dompurify": {
-            "version": "3.3.0",
+            "version": "3.3.3",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.3.tgz",
+            "integrity": "sha512-Oj6pzI2+RqBfFG+qOaOLbFXLQ90ARpcGG6UePL82bJLtdsa6CYJD7nmiU8MW9nQNOtCHV3lZ/Bzq1X0QYbBZCA==",
             "license": "(MPL-2.0 OR Apache-2.0)",
             "optionalDependencies": {
                 "@types/trusted-types": "^2.0.7"
@@ -8315,6 +8352,8 @@
         },
         "node_modules/vscode-jsonrpc": {
             "version": "8.2.0",
+            "resolved": "https://registry.npmjs.org/vscode-jsonrpc/-/vscode-jsonrpc-8.2.0.tgz",
+            "integrity": "sha512-C+r0eKJUIfiDIfwJhria30+TYWPtuHJXHtI7J0YlOmKAo7ogxP20T0zxB7HZQIFhIyvoBPwWskjxrvAtfjyZfA==",
             "license": "MIT",
             "engines": {
                 "node": ">=14.0.0"
@@ -8322,6 +8361,8 @@
         },
         "node_modules/vscode-languageserver": {
             "version": "9.0.1",
+            "resolved": "https://registry.npmjs.org/vscode-languageserver/-/vscode-languageserver-9.0.1.tgz",
+            "integrity": "sha512-woByF3PDpkHFUreUa7Hos7+pUWdeWMXRd26+ZX2A8cFx6v/JPTtd4/uN0/jB6XQHYaOlHbio03NTHCqrgG5n7g==",
             "license": "MIT",
             "dependencies": {
                 "vscode-languageserver-protocol": "3.17.5"
@@ -8332,6 +8373,8 @@
         },
         "node_modules/vscode-languageserver-protocol": {
             "version": "3.17.5",
+            "resolved": "https://registry.npmjs.org/vscode-languageserver-protocol/-/vscode-languageserver-protocol-3.17.5.tgz",
+            "integrity": "sha512-mb1bvRJN8SVznADSGWM9u/b07H7Ecg0I3OgXDuLdn307rl/J3A9YD6/eYOssqhecL27hK1IPZAsaqh00i/Jljg==",
             "license": "MIT",
             "dependencies": {
                 "vscode-jsonrpc": "8.2.0",
@@ -8340,14 +8383,20 @@
         },
         "node_modules/vscode-languageserver-textdocument": {
             "version": "1.0.12",
+            "resolved": "https://registry.npmjs.org/vscode-languageserver-textdocument/-/vscode-languageserver-textdocument-1.0.12.tgz",
+            "integrity": "sha512-cxWNPesCnQCcMPeenjKKsOCKQZ/L6Tv19DTRIGuLWe32lyzWhihGVJ/rcckZXJxfdKCFvRLS3fpBIsV/ZGX4zA==",
             "license": "MIT"
         },
         "node_modules/vscode-languageserver-types": {
             "version": "3.17.5",
+            "resolved": "https://registry.npmjs.org/vscode-languageserver-types/-/vscode-languageserver-types-3.17.5.tgz",
+            "integrity": "sha512-Ld1VelNuX9pdF39h2Hgaeb5hEZM2Z3jUrrMgWQAu82jMtZp7p3vJT3BzToKtZI7NgQssZje5o0zryOrhQvzQAg==",
             "license": "MIT"
         },
         "node_modules/vscode-uri": {
-            "version": "3.0.8",
+            "version": "3.1.0",
+            "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz",
+            "integrity": "sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==",
             "license": "MIT"
         },
         "node_modules/warning": {
diff --git a/frontend-web/webclient/package.json b/frontend-web/webclient/package.json
index 259f9e8d73..73cab1e27c 100644
--- a/frontend-web/webclient/package.json
+++ b/frontend-web/webclient/package.json
@@ -43,7 +43,7 @@
         "jsrsasign": "11.1.1",
         "localforage": "1.10.0",
         "magic-bytes.js": "1.13.0",
-        "mermaid": "11.12.2",
+        "mermaid": "11.14.0",
         "monaco-editor": "0.55.1",
         "monaco-vim": "0.4.2",
         "react": "19.2.4",

From 06fbaae85db7bc43d4b1170885f9e1953ffaab4c Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Mon, 13 Apr 2026 13:02:42 +0200
Subject: [PATCH 21/23] cut and paste

---
 .../policies/restrict_cut_and_paste.yaml      |   2 +-
 .../webclient/app/Applications/Jobs/View.tsx  | 207 ++++++++++--------
 .../webclient/app/Applications/Jobs/Vnc.tsx   |  23 +-
 .../webclient/app/Applications/Jobs/Web.tsx   |   2 +-
 .../im2/pkg/controller/jobs.go                |  28 ++-
 .../integrations/k8s/containers/00_module.go  |  28 ++-
 .../k8s/containers/job_builder.go             |  53 ++++-
 .../shared/pkg/foundation/policies.go         |   2 +-
 8 files changed, 228 insertions(+), 117 deletions(-)

diff --git a/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml b/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml
index b4385d0c59..e1fe98a989 100644
--- a/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml
+++ b/core2/pkg/foundation/policies/restrict_cut_and_paste.yaml
@@ -1,4 +1,4 @@
-name: "CutAndPaste"
+name: "RestrictCutAndPaste"
 title: "Disable copy & paste in interactive applications"
 
 description: >
diff --git a/frontend-web/webclient/app/Applications/Jobs/View.tsx b/frontend-web/webclient/app/Applications/Jobs/View.tsx
index 378a45fa1c..731d8c6a24 100644
--- a/frontend-web/webclient/app/Applications/Jobs/View.tsx
+++ b/frontend-web/webclient/app/Applications/Jobs/View.tsx
@@ -51,7 +51,7 @@ import {useScrollToBottom} from "@/ui-components/ScrollToBottom";
 import {ExternalStoreBase} from "@/Utilities/ReduxUtilities";
 import {appendToXterm, useXTerm} from "./XTermLib";
 import {SidebarTabId} from "@/ui-components/SidebarComponents";
-import {WebSession} from "./Web";
+import {VncSession, WebSession} from "./Web";
 import {RichSelect, RichSelectChildComponent} from "@/ui-components/RichSelect";
 import {useDidUnmount} from "@/Utilities/ReactUtilities";
 import * as JobViz from "@/Applications/Jobs/JobViz"
@@ -268,18 +268,18 @@ function useJobUpdates(job: Job | undefined, callback: (entry: JobsFollowRespons
 
         const conn = WSFactory.open(
             "/jobs", {
-            init: async conn => {
-                await conn.subscribe({
-                    call: "jobs.follow",
-                    payload: {id: job.id},
-                    handler: message => {
-                        const streamEntry = message.payload as JobsFollowResponse;
-                        callback(streamEntry);
-                    }
-                });
-                conn.close();
-            },
-        });
+                init: async conn => {
+                    await conn.subscribe({
+                        call: "jobs.follow",
+                        payload: {id: job.id},
+                        handler: message => {
+                            const streamEntry = message.payload as JobsFollowResponse;
+                            callback(streamEntry);
+                        }
+                    });
+                    conn.close();
+                },
+            });
 
         return () => {
             conn.close();
@@ -299,8 +299,8 @@ function getBackend(job?: Job): string {
     return job?.status.resolvedApplication?.invocation.tool.tool?.description.backend ?? "";
 }
 
-export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode {
-    const id = props.id ?? useParams<{id: string}>().id!;
+export function View(props: { id?: string; embedded?: boolean; }): React.ReactNode {
+    const id = props.id ?? useParams<{ id: string }>().id!;
 
     // Note: This might not match the real app name
     const location = useLocation();
@@ -504,7 +504,7 @@ export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode
     const transitionRefThree = useRef(null);
 
     if (jobFetcher.error !== undefined) {
-        return <MainContainer main={<Heading.h2>An error occurred</Heading.h2>} />;
+        return <MainContainer main={<Heading.h2>An error occurred</Heading.h2>}/>;
     }
 
     if (isVirtualMachine && job && status && hasFeature(Feature.NEW_VM_UI)) {
@@ -517,7 +517,7 @@ export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode
             updatesState={jobUpdateState}
         />;
         if (props.embedded) return vm;
-        return <MainContainer main={vm} />;
+        return <MainContainer main={vm}/>;
     }
 
     const main = (
@@ -526,8 +526,8 @@ export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode
                 <div className="logo-scale">
                     <div className="logo">
                         <SafeLogo name={job?.specification?.application?.name ?? appNameHint}
-                            type={"APPLICATION"}
-                            size={"var(--logoSize)"} />
+                                  type={"APPLICATION"}
+                                  size={"var(--logoSize)"}/>
                     </div>
                 </div>
             </div>
@@ -544,16 +544,16 @@ export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode
                 >
                     <div ref={transitionRefOne} className={"data"}>
                         <Flex flexDirection={"row"} flexWrap={"wrap"} className={"header"}>
-                            <div className={"fake-logo"} />
+                            <div className={"fake-logo"}/>
                             <div className={"header-text"}>
-                                <InQueueText job={job} state={status.state ?? "IN_QUEUE"} />
+                                <InQueueText job={job} state={status.state ?? "IN_QUEUE"}/>
                             </div>
                         </Flex>
 
                         <div className={Content}>
                             <Box width={"100%"} maxWidth={"1572px"} margin={"0 auto"}>
                                 <TitledCard>
-                                    <ProviderUpdates key={job.id} job={job} state={jobUpdateState} addOverflow={true} />
+                                    <ProviderUpdates key={job.id} job={job} state={jobUpdateState} addOverflow={true}/>
                                 </TitledCard>
                             </Box>
                         </div>
@@ -571,9 +571,10 @@ export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode
                 >
                     <div ref={transitionRefTwo} className={"data"}>
                         <Flex flexDirection={"row"} flexWrap={"wrap"} className={"header"}>
-                            <div className={"fake-logo"} />
+                            <div className={"fake-logo"}/>
                             <div className={"header-text"}>
-                                <RunningText job={job} interfaceLinks={interfaceTargets} defaultInterfaceName={targetRequests.defaultName} />
+                                <RunningText job={job} interfaceLinks={interfaceTargets}
+                                             defaultInterfaceName={targetRequests.defaultName}/>
                             </div>
                         </Flex>
 
@@ -596,22 +597,22 @@ export function View(props: {id?: string; embedded?: boolean;}): React.ReactNode
                 >
                     <div ref={transitionRefThree} className={"data"}>
                         <Flex flexDirection={"row"} flexWrap={"wrap"} className={"header"}>
-                            <div className={"fake-logo"} />
+                            <div className={"fake-logo"}/>
                             <div className={"header-text"}>
-                                <CompletedText job={job} state={status.state} />
+                                <CompletedText job={job} state={status.state}/>
                             </div>
                         </Flex>
 
-                        <CompletedContent job={job} state={jobUpdateState} />
+                        <CompletedContent job={job} state={jobUpdateState}/>
                     </div>
                 </CSSTransition>
             )}
-            {status && isJobStateTerminal(status.state) && job ? <OutputFiles job={job} /> : null}
+            {status && isJobStateTerminal(status.state) && job ? <OutputFiles job={job}/> : null}
         </div>
     );
 
     if (props.embedded) return main;
-    return <MainContainer main={main} />;
+    return <MainContainer main={main}/>;
 }
 
 const CompletedContent: React.FunctionComponent<{
@@ -630,7 +631,7 @@ const CompletedContent: React.FunctionComponent<{
                     <Box><b>ID:</b> {shortUUID(job.id)}</Box>
                     <Box>
                         <b>Reservation:</b>{" "}
-                        <ProviderTitle providerId={job.specification.product.provider} />
+                        <ProviderTitle providerId={job.specification.product.provider}/>
                         {" "}/{" "}
                         {job.specification.product.id}{" "}
                         (x{job.specification.replicas})
@@ -643,7 +644,7 @@ const CompletedContent: React.FunctionComponent<{
         <TabbedCard style={{flexBasis: "600px"}}>
             <StandardPanelBody>
                 <TabbedCardTab icon={"heroChatBubbleBottomCenter"} name={"Messages"}>
-                    <ProviderUpdates key={job.id} job={job} state={state} addOverflow={false} />
+                    <ProviderUpdates key={job.id} job={job} state={state} addOverflow={false}/>
                 </TabbedCardTab>
             </StandardPanelBody>
         </TabbedCard>
@@ -663,14 +664,14 @@ const Content = injectStyle("content", k => `
     }
 `);
 
-function PublicLinkEntry({id}: {id: string}): React.ReactNode {
+function PublicLinkEntry({id}: { id: string }): React.ReactNode {
     const [publicLink] = useCloudAPI<PublicLink | null>(PublicLinkApi.retrieve({id}), null);
-    if (!id.startsWith("fake-") && publicLink.data == null) return <div />
+    if (!id.startsWith("fake-") && publicLink.data == null) return <div/>
     let domain: string;
     if (id.startsWith("fake")) {
         domain = "https://fake-public-link.example.com";
     } else if (publicLink.data == null) {
-        return <li />;
+        return <li/>;
     } else {
         domain = publicLink.data.specification.domain;
     }
@@ -679,7 +680,7 @@ function PublicLinkEntry({id}: {id: string}): React.ReactNode {
     return <li><a target={"_blank"} title={domain} href={httpDomain}>{domain}</a></li>;
 }
 
-const InQueueText: React.FunctionComponent<{job: Job, state: JobState}> = ({job, state}) => {
+const InQueueText: React.FunctionComponent<{ job: Job, state: JobState }> = ({job, state}) => {
     const [utilization, setUtilization] = useCloudAPI<compute.JobsRetrieveUtilizationResponse | null>(
         {noop: true},
         null
@@ -701,10 +702,10 @@ const InQueueText: React.FunctionComponent<{job: Job, state: JobState}> = ({job,
             {state === "IN_QUEUE" ?
                 <>
                     {job.specification.application.name === "unknown" ? <>
-                        {job.specification.name ? <>Starting {job.specification.name}</> : <>Job is starting</>}
-                        {" "}
-                        (ID: {shortUUID(job.id)})
-                    </> :
+                            {job.specification.name ? <>Starting {job.specification.name}</> : <>Job is starting</>}
+                            {" "}
+                            (ID: {shortUUID(job.id)})
+                        </> :
                         job.specification.name ?
                             (<>
                                 Starting {job.status.resolvedApplication?.metadata?.title ?? job.specification.application.name} {job.specification.application.version}
@@ -739,7 +740,7 @@ const InQueueText: React.FunctionComponent<{job: Job, state: JobState}> = ({job,
                 }
             </Heading.h3>
         }
-        <Busy job={job} state={state} utilization={utilization.data} />
+        <Busy job={job} state={state} utilization={utilization.data}/>
     </>;
 };
 
@@ -777,8 +778,8 @@ const Busy: React.FunctionComponent<{
             <Box>We are currently preparing your job. This step might take a few minutes.</Box>
         }
 
-        <Box flexGrow={1} />
-        <Box><CancelButton job={job} state={"IN_QUEUE"} /></Box>
+        <Box flexGrow={1}/>
+        <Box><CancelButton job={job} state={"IN_QUEUE"}/></Box>
     </Box>;
 };
 
@@ -811,10 +812,10 @@ const RunningText: React.FunctionComponent<{
                     {" "}
                     <Box style={{display: "inline"}} color={"textSecondary"}>(ID: {job.id})</Box>
                 </Heading.h2>
-                <Box flexGrow={1} />
-                <div><CancelButton job={job} state={"RUNNING"} /></div>
+                <Box flexGrow={1}/>
+                <div><CancelButton job={job} state={"RUNNING"}/></div>
             </Flex>
-            <RunningButtonGroup job={job} interfaceLinks={interfaceLinks} defaultInterfaceName={defaultInterfaceName} />
+            <RunningButtonGroup job={job} interfaceLinks={interfaceLinks} defaultInterfaceName={defaultInterfaceName}/>
         </Flex>
     </>;
 };
@@ -867,7 +868,7 @@ const RunningInfoWrapper = injectStyle("running-info-wrapper", k => `
     }
 `);
 
-function AltButtonGroup(props: React.PropsWithChildren<{minButtonWidth: string} & MarginProps>) {
+function AltButtonGroup(props: React.PropsWithChildren<{ minButtonWidth: string } & MarginProps>) {
     return <div
         style={{
             ...unbox({marginTop: props.marginTop ?? "8px", marginBottom: props.marginBottom ?? "8px", ...props}),
@@ -1030,13 +1031,39 @@ async function resolveInterfaceTargets(request: TargetRequests): Promise<Interfa
             );
             let i = 0;
             for (const res of sessionResult?.responses ?? []) {
-                const webSession = (res.session as WebSession);
-                result.push({
-                    target: request.requestsToMake[i].target ?? undefined,
-                    rank: webSession.rank,
-                    type: "WEB",
-                    link: webSession.redirectClientTo,
-                });
+                switch (res.session.type) {
+                    case "web": {
+                        const webSession = (res.session as WebSession);
+
+                        result.push({
+                            target: request.requestsToMake[i].target ?? undefined,
+                            rank: webSession.rank,
+                            type: "WEB",
+                            link: webSession.redirectClientTo,
+                        });
+                        break;
+                    }
+                    case "shell": {
+                        break;
+                    }
+                    case "vnc": {
+                        const vncSession = res.session as VncSession;
+
+                        result.push({
+                            target: request.requestsToMake[i].target ?? undefined,
+                            rank: vncSession.rank,
+                            type: "VNC",
+                            link: buildQueryString(`/applications/vnc/${res.session.jobId}/0`, {
+                                "hide-frame": "true",
+                                "t": vncSession.password ?? "",
+                                "u": vncSession.url
+                            }),
+                        });
+                        break;
+                    }
+                }
+
+
                 i++;
             }
         } catch (e) {
@@ -1192,11 +1219,11 @@ const RunningContent: React.FunctionComponent<{
                                         <b>Job expiry: </b> {dateToString(expiresAt ?? timestampUnixMs())}
                                     </Box>
                                     <Box>
-                                        <b>Time remaining: </b><TimeLeft expiresAt={expiresAt ?? -1} />
+                                        <b>Time remaining: </b><TimeLeft expiresAt={expiresAt ?? -1}/>
                                     </Box>
                                 </>
                             }
-                            <Box flexGrow={1} />
+                            <Box flexGrow={1}/>
                             <Box mb="12px">
                                 {(!expiresAt || !supportsExtension) && !localStorage.getItem("useFakeState") ? null : <>
                                     Extend allocation (hours):
@@ -1209,7 +1236,7 @@ const RunningContent: React.FunctionComponent<{
                                 {!supportsSuspend ? null :
                                     suspended ?
                                         <Button color={"successMain"} fullWidth onClick={unsuspendJob}>
-                                            <Icon name={"heroPower"} mr={"8px"} />
+                                            <Icon name={"heroPower"} mr={"8px"}/>
                                             Power on
                                         </Button> :
                                         <ConfirmationButton
@@ -1260,21 +1287,21 @@ const RunningContent: React.FunctionComponent<{
                                     </TableRow>
                                 </TableHeader>
                                 <tbody>
-                                    {peers.map(it =>
-                                        <TableRow key={it.jobId}>
-                                            <TableCell textAlign="left" width={"120px"}>
-                                                <Link to={`/jobs/properties/${it.jobId}?app=`} target={"_blank"}>
-                                                    {it.jobId}
-                                                    {" "}
-                                                    <Icon name={"heroArrowTopRightOnSquare"} mt={"-5px"} />
-                                                </Link>
-                                            </TableCell>
-
-                                            <TableCell textAlign="left">
-                                                <code><Truncate width={1}>{it.hostname}</Truncate></code>
-                                            </TableCell>
-                                        </TableRow>
-                                    )}
+                                {peers.map(it =>
+                                    <TableRow key={it.jobId}>
+                                        <TableCell textAlign="left" width={"120px"}>
+                                            <Link to={`/jobs/properties/${it.jobId}?app=`} target={"_blank"}>
+                                                {it.jobId}
+                                                {" "}
+                                                <Icon name={"heroArrowTopRightOnSquare"} mt={"-5px"}/>
+                                            </Link>
+                                        </TableCell>
+
+                                        <TableCell textAlign="left">
+                                            <code><Truncate width={1}>{it.hostname}</Truncate></code>
+                                        </TableCell>
+                                    </TableRow>
+                                )}
                                 </tbody>
                             </Table>
                         </TabbedCardTab>
@@ -1284,7 +1311,7 @@ const RunningContent: React.FunctionComponent<{
                         <TabbedCardTab icon={"heroGlobeEuropeAfrica"} name={`Links (${ingresses.length})`}>
                             This job is publicly available through:
                             <ul style={{paddingLeft: "2em"}}>
-                                {ingresses.map(ingress => <PublicLinkEntry key={ingress.id} id={ingress.id} />)}
+                                {ingresses.map(ingress => <PublicLinkEntry key={ingress.id} id={ingress.id}/>)}
                             </ul>
                         </TabbedCardTab>
                     }
@@ -1294,7 +1321,7 @@ const RunningContent: React.FunctionComponent<{
             <TabbedCard style={{flexBasis: "600px"}}>
                 <StandardPanelBody divRef={messagesRef}>
                     <TabbedCardTab icon={"heroChatBubbleBottomCenter"} name={"Messages"}>
-                        <ProviderUpdates key={job.id} job={job} state={state} addOverflow={false} />
+                        <ProviderUpdates key={job.id} job={job} state={state} addOverflow={false}/>
                     </TabbedCardTab>
                 </StandardPanelBody>
             </TabbedCard>
@@ -1304,7 +1331,7 @@ const RunningContent: React.FunctionComponent<{
             <TabbedCard>
                 <Box divRef={scrollRef}>
                     {Array(job.specification.replicas).fill(0).map((_, i) =>
-                        <RunningJobRank key={i} job={job} rank={i} state={state} />
+                        <RunningJobRank key={i} job={job} rank={i} state={state}/>
                     )}
                 </Box>
             </TabbedCard>
@@ -1362,7 +1389,7 @@ const StandardPanelBody: React.FunctionComponent<React.PropsWithChildren<{
     return <div style={{height: "165px", overflowY: "auto"}} ref={divRef}>{children}</div>;
 };
 
-function TimeLeft({expiresAt}: {expiresAt: number}) {
+function TimeLeft({expiresAt}: { expiresAt: number }) {
     const calculateTimeLeft = useCallback((expiresAt: number | undefined) => {
         if (!expiresAt) return {hours: 0, minutes: 0, seconds: 0};
 
@@ -1487,7 +1514,7 @@ const RunningJobRank: React.FunctionComponent<{
 
     return <TabbedCardTab icon={"heroServer"} name={`Node ${rank + 1}`}>
         <div className={RunningJobRankWrapper} data-has-replicas={hasMultipleNodes}>
-            <div ref={termRef} className="term" />
+            <div ref={termRef} className="term"/>
         </div>
     </TabbedCardTab>
 };
@@ -1509,7 +1536,7 @@ function jobStateToText(state: JobState) {
 
 const UNKNOWN_APP_NAME = "unknown";
 
-const CompletedText: React.FunctionComponent<{job: Job, state: JobState}> = ({job, state}) => {
+const CompletedText: React.FunctionComponent<{ job: Job, state: JobState }> = ({job, state}) => {
     const app = job.specification.application;
     const isUnknownApp = app.name === UNKNOWN_APP_NAME;
     return <Flex flexDirection={"column"} flexGrow={1}>
@@ -1530,7 +1557,7 @@ const CompletedText: React.FunctionComponent<{job: Job, state: JobState}> = ({jo
             </>}
             {" "}(ID: {shortUUID(job.id)})
         </Heading.h3>
-        <Box flexGrow={1} />
+        <Box flexGrow={1}/>
         {isUnknownApp || isSyncthingApp(job) ? null :
             <Link to={buildQueryString(`/jobs/create`, {app: app.name, version: app.version, import: job.id})}>
                 <Button>Run application again</Button>
@@ -1539,7 +1566,7 @@ const CompletedText: React.FunctionComponent<{job: Job, state: JobState}> = ({jo
     </Flex>;
 };
 
-function OutputFiles({job}: React.PropsWithChildren<{job: Job}>): React.ReactNode {
+function OutputFiles({job}: React.PropsWithChildren<{ job: Job }>): React.ReactNode {
     const pathRef = React.useRef(job.output?.outputFolder ?? "");
     if (!pathRef.current) {
         console.warn("No output folder found. Showing nothing.");
@@ -1605,7 +1632,7 @@ const InterfaceLinkRow: RichSelectChildComponent<SearchableInterfaceTarget> = ({
                 alignItems={"center"}
                 p={8}
             >
-                <Icon name="heroArrowTopRightOnSquare" />
+                <Icon name="heroArrowTopRightOnSquare"/>
                 <Truncate>{element.target ?? element.defaultName ?? "Open interface"}</Truncate>
 
                 {!element.showNode ? null :
@@ -1620,7 +1647,7 @@ const InterfaceLinkRow: RichSelectChildComponent<SearchableInterfaceTarget> = ({
 
 const InterfaceLinkSelectedRow: RichSelectChildComponent<SearchableInterfaceTarget> = () => {
     return <div className={InterfaceSelectorTrigger}>
-        <Icon name="heroChevronDown" />
+        <Icon name="heroChevronDown"/>
     </div>;
 }
 
@@ -1633,7 +1660,7 @@ const TerminalLinkRow: RichSelectChildComponent<SearchableTerminalTarget> = ({el
             alignItems={"center"}
             p={8}
         >
-            <Icon name="heroCommandLine" />
+            <Icon name="heroCommandLine"/>
             <Truncate>Node {element.rank + 1}</Truncate>
         </Flex>
     </Link>;
@@ -1641,12 +1668,12 @@ const TerminalLinkRow: RichSelectChildComponent<SearchableTerminalTarget> = ({el
 
 const TerminalLinkSelectedRow: RichSelectChildComponent<SearchableTerminalTarget> = () => {
     return <div className={InterfaceSelectorTrigger}>
-        <Icon name="heroChevronDown" />
+        <Icon name="heroChevronDown"/>
     </div>;
 }
 
-type SearchableInterfaceTarget = (InterfaceTarget & {searchString: string; showNode: boolean;})
-type SearchableTerminalTarget = (TerminalTarget & {searchString: string;})
+type SearchableInterfaceTarget = (InterfaceTarget & { searchString: string; showNode: boolean; })
+type SearchableTerminalTarget = (TerminalTarget & { searchString: string; })
 
 const RunningButtonGroup: React.FunctionComponent<{
     job: Job;
@@ -1707,7 +1734,7 @@ const RunningButtonGroup: React.FunctionComponent<{
             <Flex>
                 <Link to={`/applications/shell/${job.id}/0?hide-frame`} target={"_blank"}>
                     <Button attachedLeft={hasMultipleNodes}>
-                        <Icon name="heroCommandLine" />
+                        <Icon name="heroCommandLine"/>
                         <div style={{minWidth: hasMultipleNodes ? "130px" : "164px", maxWidth: "164px"}}>
                             <Truncate>
                                 Open terminal{hasMultipleNodes ? ` (Node 1)` : null}
@@ -1730,9 +1757,9 @@ const RunningButtonGroup: React.FunctionComponent<{
         {interfaceLinks.length < 1 ? null : (
             <Flex>
                 <Link to={interfaceLinks[defaultInterfaceId]?.link ?? ""}
-                    aria-disabled={!interfaceLinks[defaultInterfaceId]} target={"_blank"}>
+                      aria-disabled={!interfaceLinks[defaultInterfaceId]} target={"_blank"}>
                     <Button attachedLeft={interfaceLinks.length > 1} disabled={!interfaceLinks[defaultInterfaceId]}>
-                        <Icon name="heroArrowTopRightOnSquare" />
+                        <Icon name="heroArrowTopRightOnSquare"/>
                         <div style={{minWidth: interfaceLinks.length > 1 ? "130px" : "164px", maxWidth: "164px"}}>
                             <Truncate>
                                 {interfaceLinks[defaultInterfaceId]?.target ?? (defaultInterfaceName ?? "Open interface" + (hasMultipleNodes ? ` (Node 1)` : ""))}
@@ -1855,10 +1882,10 @@ const ProviderUpdates: React.FunctionComponent<{
 
     if (addOverflow) {
         return <Box height={"200px"} overflowY="auto">
-            <LogOutput updates={updates} maxHeight="200px" />
+            <LogOutput updates={updates} maxHeight="200px"/>
         </Box>
     } else {
-        return <LogOutput updates={updates} />;
+        return <LogOutput updates={updates}/>;
     }
 };
 
diff --git a/frontend-web/webclient/app/Applications/Jobs/Vnc.tsx b/frontend-web/webclient/app/Applications/Jobs/Vnc.tsx
index 313f1c52b1..7dd5d293bb 100644
--- a/frontend-web/webclient/app/Applications/Jobs/Vnc.tsx
+++ b/frontend-web/webclient/app/Applications/Jobs/Vnc.tsx
@@ -4,7 +4,7 @@ import jobs = UCloud.compute.jobs;
 import {useCloudAPI} from "@/Authentication/DataHook";
 import {errorMessageOrDefault, isAbsoluteUrl, shortUUID} from "@/UtilityFunctions";
 import {usePage} from "@/Navigation/Redux";
-import {useParams} from "react-router-dom";
+import {useLocation, useParams} from "react-router-dom";
 import {useCallback, useEffect, useLayoutEffect, useRef, useState} from "react";
 import {compute} from "@/UCloud";
 import JobsOpenInteractiveSessionResponse = compute.JobsOpenInteractiveSessionResponse;
@@ -15,6 +15,7 @@ import {TermAndShellWrapper} from "@/Applications/Jobs/TermAndShellWrapper";
 import {bulkRequestOf} from "@/UtilityFunctions";
 import {SidebarTabId} from "@/ui-components/SidebarComponents";
 import {sendFailureNotification} from "@/Notifications";
+import {getQueryParam} from "@/Utilities/URIUtilities";
 
 interface ConnectionDetails {
     url: string;
@@ -22,7 +23,7 @@ interface ConnectionDetails {
 }
 
 export const Vnc: React.FunctionComponent = () => {
-    const params = useParams<{jobId: string, rank: string}>();
+    const params = useParams<{ jobId: string, rank: string }>();
     const jobId = params.jobId!;
     const rank = params.rank!;
     const [isConnected, setConnected] = React.useState(false);
@@ -31,13 +32,23 @@ export const Vnc: React.FunctionComponent = () => {
         null
     );
 
+    const location = useLocation();
+    const passwordFromQueryParameter = getQueryParam(location.search, "t");
+    const urlFromQueryParameter = getQueryParam(location.search, "u");
+
     const pasteEventsToCancel = useRef<EventListener[]>([]);
 
     const [connectionDetails, setConnectionDetails] = useState<ConnectionDetails | null>(null);
     usePage(`Remote Desktop: ${shortUUID(jobId)} [Node: ${parseInt(rank, 10) + 1}]`, SidebarTabId.APPLICATIONS);
 
     useEffect(() => {
-        if (sessionResp.data !== null && sessionResp.data.responses.length > 0) {
+        if (passwordFromQueryParameter && urlFromQueryParameter) {
+            const url = urlFromQueryParameter
+                .replace("http://", "ws://")
+                .replace("https://", "wss://");
+            const password = passwordFromQueryParameter;
+            setConnectionDetails({url, password});
+        } else if (sessionResp.data !== null && sessionResp.data.responses.length > 0) {
             const {providerDomain, session} = sessionResp.data.responses[0];
             if (session.type !== "vnc") {
                 sendFailureNotification("Unexpected response from UCloud. Unable to open remote desktop!");
@@ -56,7 +67,7 @@ export const Vnc: React.FunctionComponent = () => {
                 document.removeEventListener("paste", listener);
             }
         }
-    }, [sessionResp.data]);
+    }, [sessionResp.data, passwordFromQueryParameter, urlFromQueryParameter]);
 
     const connect = useCallback(() => {
         if (connectionDetails === null) return;
@@ -115,7 +126,7 @@ export const Vnc: React.FunctionComponent = () => {
             </div>
         )}
 
-        <div className={"contents"} />
+        <div className={"contents"}/>
     </TermAndShellWrapper>;
 };
 
@@ -128,7 +139,7 @@ export const Vnc: React.FunctionComponent = () => {
  * block the Clipboard API without a user gesture.
  */
 async function onRemoteClipboard(ev: CustomEvent): Promise<void> {
-    const text = (ev.detail as {text?: string}).text ?? "";
+    const text = (ev.detail as { text?: string }).text ?? "";
     if (!text) return;
 
     try {
diff --git a/frontend-web/webclient/app/Applications/Jobs/Web.tsx b/frontend-web/webclient/app/Applications/Jobs/Web.tsx
index 01de8f57dd..f24604f170 100644
--- a/frontend-web/webclient/app/Applications/Jobs/Web.tsx
+++ b/frontend-web/webclient/app/Applications/Jobs/Web.tsx
@@ -13,7 +13,7 @@ export interface WebSession extends SessionType {
     redirectClientTo: string;
 }
 
-interface VncSession extends SessionType {
+export interface VncSession extends SessionType {
     type: "vnc";
     url: string;
     password: string | null;
diff --git a/provider-integration/im2/pkg/controller/jobs.go b/provider-integration/im2/pkg/controller/jobs.go
index bf95d51554..fd8ee74ce0 100644
--- a/provider-integration/im2/pkg/controller/jobs.go
+++ b/provider-integration/im2/pkg/controller/jobs.go
@@ -86,10 +86,11 @@ type ConfiguredWebSessionResult struct {
 }
 
 type ConfiguredWebEndpoint struct {
-	Host         cfg.HostInfo
-	TargetDomain string
-	Flags        RegisteredIngressFlags
-	IsPublic     bool
+	Host                cfg.HostInfo
+	TargetDomain        string
+	Flags               RegisteredIngressFlags
+	IsPublic            bool
+	VncPasswordOverride util.Option[string]
 }
 
 type ConfiguredWebIngress struct {
@@ -391,7 +392,6 @@ func initJobs() {
 		orcapi.JobsProviderOpenInteractiveSession.Handler(func(info rpc.RequestInfo, request fnd.BulkRequest[orcapi.JobsProviderOpenInteractiveSessionRequestItem]) (fnd.BulkResponse[orcapi.OpenSession], *util.HttpError) {
 			var errors []*util.HttpError
 			var responses []orcapi.OpenSession
-
 			for _, item := range request.Items {
 				switch item.SessionType {
 				case orcapi.InteractiveSessionTypeShell:
@@ -409,16 +409,17 @@ func initJobs() {
 				case orcapi.InteractiveSessionTypeVnc:
 					fallthrough
 				case orcapi.InteractiveSessionTypeWeb:
-					isVnc := item.SessionType == orcapi.InteractiveSessionTypeVnc
-
 					targetResult, err := Jobs.OpenWebSession(&item.Job, item.SessionType, item.Rank, item.Target)
 					if err != nil {
 						errors = append(errors, err)
 					} else {
+						isVnc := false
+
 						endpoints := targetResult.Endpoints
 						for i := range endpoints {
 							if endpoints[i].Flags == 0 {
-								if isVnc {
+								isDefaultVnc := item.SessionType == orcapi.InteractiveSessionTypeVnc
+								if isDefaultVnc {
 									endpoints[i].Flags = RegisteredIngressFlagsVnc
 								} else {
 									endpoints[i].Flags = RegisteredIngressFlagsWeb
@@ -426,6 +427,10 @@ func initJobs() {
 							}
 						}
 
+						if len(endpoints) > 0 {
+							isVnc = endpoints[0].Flags&RegisteredIngressFlagsVnc != 0
+						}
+
 						redirect, err := IngressRegisterEndpointsWithJob(&item.Job, item.Rank, item.Target, endpoints)
 						if err != nil {
 							errors = append(errors, err)
@@ -433,6 +438,13 @@ func initJobs() {
 							if isVnc {
 								password := item.Job.Status.ResolvedApplication.Value.Invocation.Vnc.Value.Password
 
+								if len(endpoints) > 0 {
+									override := endpoints[0].VncPasswordOverride
+									if override.Present {
+										password = override.Value
+									}
+								}
+
 								responses = append(
 									responses,
 									orcapi.OpenSessionVnc(item.Job.Id, item.Rank, redirect, password, ""),
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/00_module.go b/provider-integration/im2/pkg/integrations/k8s/containers/00_module.go
index 2b4f3ed49b..d7e8422f30 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/00_module.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/00_module.go
@@ -468,7 +468,12 @@ func requestDynamicParameters(owner orc.ResourceOwner, app *orc.Application) []o
 	return []orc.ApplicationParameter{param}
 }
 
-func openWebSession(job *orc.Job, sessionType orc.InteractiveSessionType, rank int, target util.Option[string]) (controller.ConfiguredWebSessionResult, *util.HttpError) {
+func openWebSession(
+	job *orc.Job,
+	sessionType orc.InteractiveSessionType,
+	rank int,
+	target util.Option[string],
+) (controller.ConfiguredWebSessionResult, *util.HttpError) {
 	podName := idAndRankToPodName(job.Id, rank)
 
 	app := &job.Status.ResolvedApplication.Value.Invocation
@@ -483,6 +488,17 @@ func openWebSession(job *orc.Job, sessionType orc.InteractiveSessionType, rank i
 		flags = controller.RegisteredIngressFlagsWeb
 	}
 
+	vncRedirectPassword := util.Option[string]{}
+	if job.Owner.Project.Present {
+		_, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.Value)[fnd.RestrictCutAndPaste.String()]
+
+		if hasRestriction {
+			flags = controller.RegisteredIngressFlagsVnc
+			port = 6080
+			vncRedirectPassword.Set("mypassword")
+		}
+	}
+
 	if target.Present {
 		updates := job.Updates
 		length := len(updates)
@@ -522,10 +538,11 @@ func openWebSession(job *orc.Job, sessionType orc.InteractiveSessionType, rank i
 	if (flags & controller.RegisteredIngressFlagsVnc) != 0 {
 		return controller.ConfiguredWebSessionResult{
 			Endpoints: []controller.ConfiguredWebEndpoint{{
-				Host:         address,
-				TargetDomain: config.Provider.Hosts.SelfPublic.Address,
-				Flags:        flags,
-				IsPublic:     false,
+				Host:                address,
+				TargetDomain:        config.Provider.Hosts.SelfPublic.Address,
+				Flags:               flags,
+				IsPublic:            false,
+				VncPasswordOverride: vncRedirectPassword,
 			}},
 		}, nil
 	}
@@ -605,4 +622,5 @@ func JobAnnotations(job *orc.Job, rank int) map[string]string {
 const (
 	ContainerUserJob  = "user-job"
 	ContainerAuditLog = "audit-log"
+	ContainerProxyVNC = "proxy-vnc"
 )
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
index 39253fc9a6..d9864f9b41 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
@@ -111,6 +111,7 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		},
 		Spec: core.PodSpec{},
 	}
+	pod.Spec.Containers = make([]core.Container, 0, 16)
 
 	if iappConfig.Present {
 		pod.Annotations[IAppAnnotationEtag] = iappConfig.Value.ETag
@@ -147,6 +148,48 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		jobAuditLogSetup(job, rank, spec, userContainer, "48291")
 	}
 
+	if job.Owner.Project.Present {
+		_, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictCutAndPaste.String()]
+		if hasRestriction {
+			url := "http://localhost"
+			if job.Status.ResolvedApplication.Present && job.Status.ResolvedApplication.Value.Invocation.Web.Present {
+				url = fmt.Sprintf("%v:%v", url, job.Status.ResolvedApplication.Value.Invocation.Web.Value.Port)
+			}
+			fmt.Printf("url: %v\n", url)
+			vnc := orc.VncDescription{
+				Password: "mypassword",
+				Port:     20000,
+			}
+			if job.Status.ResolvedApplication.Present && job.Status.ResolvedApplication.Value.Invocation.Vnc.Present {
+				vnc = job.Status.ResolvedApplication.Value.Invocation.Vnc.Value
+			}
+
+			fmt.Printf("vnc: %v\n", vnc)
+
+			spec.Containers = append(spec.Containers, core.Container{
+				Name:  ContainerProxyVNC,
+				Image: "mrcolorrain/vnc-browser:debian",
+				Env: []core.EnvVar{
+					{Name: "AUTO_START_BROWSER", Value: "true"},
+					{Name: "BROWSER_OPTIONS", Value: "--start-fullscreen --kiosk"},
+					{Name: "STARTING_WEBSITE_URL", Value: url},
+
+					{Name: "AUTO_START_VNC", Value: "true"},
+					{Name: "AUTO_START_XTERM", Value: "false"},
+					{Name: "VNC_OPTIONS", Value: "-noclipboard -SendClipboard=0"},
+					{Name: "VNC_PASSWORD", Value: vnc.Password},
+					{Name: "AUTO_START_WM", Value: "false"},
+				},
+				ImagePullPolicy: core.PullIfNotPresent,
+				Resources: core.ResourceRequirements{
+					Limits:   core.ResourceList{},
+					Requests: core.ResourceList{},
+				},
+				SecurityContext: &core.SecurityContext{},
+			})
+		}
+	}
+
 	// Setting up network policy and service
 	// -----------------------------------------------------------------------------------------------------------------
 	// Only rank 0 is responsible for creating these additional resources. Their pointers will be nil if they should
@@ -170,8 +213,8 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		allowNetworkTo(firewall, job.Id)
 
 		if job.Owner.Project.Present {
-			policyAccessSpec, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictInternetAccess.String()]
-			if hasRestriction {
+			policyAccessSpec, hasEngressRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictInternetAccess.String()]
+			if hasEngressRestriction {
 				for _, prop := range policyAccessSpec.Properties {
 					if prop.Name == "allowedSubnets" {
 						if prop.Text == "" {
@@ -184,14 +227,14 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 				}
 			}
 
-			policySourceSpec, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictSourceIPRange.String()]
-			if hasRestriction {
+			policySourceSpec, hasIngressRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictSourceIPRange.String()]
+			if hasIngressRestriction {
 				for _, prop := range policySourceSpec.Properties {
 					if prop.Name == "allowedSubnets" {
 						if prop.Text == "" {
 							firewall.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress}
 						} else {
-							allowNetworkTo(firewall, prop.Text)
+							allowNetworkFrom(firewall, prop.Text)
 						}
 						break
 					}
diff --git a/provider-integration/shared/pkg/foundation/policies.go b/provider-integration/shared/pkg/foundation/policies.go
index 4fc2998348..22c352bab7 100644
--- a/provider-integration/shared/pkg/foundation/policies.go
+++ b/provider-integration/shared/pkg/foundation/policies.go
@@ -45,7 +45,7 @@ type PoliciesType string
 
 const (
 	RestrictApplications           PoliciesType = "RestrictApplications"
-	CutAndPaste                    PoliciesType = "CutAndPaste"
+	RestrictCutAndPaste            PoliciesType = "RestrictCutAndPaste"
 	RestrictDownloads              PoliciesType = "RestrictDownloads"
 	RestrictIntegratedApplications PoliciesType = "RestrictIntegratedApplications"
 	RestrictInternetAccess         PoliciesType = "RestrictInternetAccess"

From 810728871e740dc7282466a32532d956b88dad9a Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Thu, 16 Apr 2026 14:53:44 +0200
Subject: [PATCH 22/23] cut and paste

---
 .../im2/pkg/controller/jobs.go                | 15 ++++++-
 .../k8s/containers/job_builder.go             | 44 ++++++++++++++-----
 2 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/provider-integration/im2/pkg/controller/jobs.go b/provider-integration/im2/pkg/controller/jobs.go
index fd8ee74ce0..495f8baf4e 100644
--- a/provider-integration/im2/pkg/controller/jobs.go
+++ b/provider-integration/im2/pkg/controller/jobs.go
@@ -396,7 +396,13 @@ func initJobs() {
 				switch item.SessionType {
 				case orcapi.InteractiveSessionTypeShell:
 					jobCleanupShellSessions()
-
+					if item.Job.Owner.Project.Present {
+						policies := RetrievePoliciesByProject(item.Job.Owner.Project.Value)
+						_, isRestricted := policies[fnd.RestrictCutAndPaste.String()]
+						if isRestricted {
+							break
+						}
+					}
 					shellSessionsMutex.Lock()
 					tok := util.RandomToken(32)
 					shellSessions[tok] = &ShellSession{Alive: true, Job: &item.Job, Rank: item.Rank, UCloudUsername: info.Actor.Username}
@@ -504,6 +510,13 @@ func initJobs() {
 						if IsSourceIPRestricted(policies, info) {
 							return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed")
 						}
+						if dInfo.Owner.Project.Present {
+							policies := RetrievePoliciesByProject(dInfo.Owner.Project.Value)
+							_, isRestricted := policies[fnd.RestrictCutAndPaste.String()]
+							if isRestricted {
+								return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusForbidden, "Project does not allow integrated terminal (IM side)")
+							}
+						}
 					} else {
 						return fnd.BulkResponse[orcapi.OpenSession]{}, util.HttpErr(http.StatusNotFound, "Folder cannot be found")
 					}
diff --git a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
index d9864f9b41..641d182383 100644
--- a/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
+++ b/provider-integration/im2/pkg/integrations/k8s/containers/job_builder.go
@@ -148,14 +148,29 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		jobAuditLogSetup(job, rank, spec, userContainer, "48291")
 	}
 
+	product := job.Status.ResolvedProduct.Value
+	cpuMillis := shared.NodeCpuMillisNormalizedWithReserved(&product)
+	memoryMegabytes := int64(product.MemoryInGigs * 1000)
+
 	if job.Owner.Project.Present {
 		_, hasRestriction := controller.RetrievePoliciesByProject(job.Owner.Project.String())[foundation.RestrictCutAndPaste.String()]
 		if hasRestriction {
+
+			// (Henrik) If this restriction is in effect then the sidecar needs to consume resources from the main job
+			// to run. It is accepted that if the machine is to small the main job is killed OOM while there always
+			// is enough to run the VNC needed to connect.
+
+			vncCPUMillis := min(max(500, cpuMillis/4), 1000)
+			vncMemMB := min(max(750, memoryMegabytes/4), 4000)
+
+			cpuMillis = max(1, cpuMillis-vncCPUMillis)
+			memoryMegabytes = max(1, memoryMegabytes-vncMemMB)
+
 			url := "http://localhost"
 			if job.Status.ResolvedApplication.Present && job.Status.ResolvedApplication.Value.Invocation.Web.Present {
 				url = fmt.Sprintf("%v:%v", url, job.Status.ResolvedApplication.Value.Invocation.Web.Value.Port)
 			}
-			fmt.Printf("url: %v\n", url)
+
 			vnc := orc.VncDescription{
 				Password: "mypassword",
 				Port:     20000,
@@ -164,8 +179,6 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 				vnc = job.Status.ResolvedApplication.Value.Invocation.Vnc.Value
 			}
 
-			fmt.Printf("vnc: %v\n", vnc)
-
 			spec.Containers = append(spec.Containers, core.Container{
 				Name:  ContainerProxyVNC,
 				Image: "mrcolorrain/vnc-browser:debian",
@@ -175,17 +188,27 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 					{Name: "STARTING_WEBSITE_URL", Value: url},
 
 					{Name: "AUTO_START_VNC", Value: "true"},
-					{Name: "AUTO_START_XTERM", Value: "false"},
-					{Name: "VNC_OPTIONS", Value: "-noclipboard -SendClipboard=0"},
+					{Name: "VNC_RESOLUTION", Value: "1280x720"},
 					{Name: "VNC_PASSWORD", Value: vnc.Password},
-					{Name: "AUTO_START_WM", Value: "false"},
+					{Name: "VNC_OPTIONS", Value: "SendCutText=false"},
+
+					{Name: "AUTO_START_XTERM", Value: "false"},
 				},
 				ImagePullPolicy: core.PullIfNotPresent,
 				Resources: core.ResourceRequirements{
-					Limits:   core.ResourceList{},
-					Requests: core.ResourceList{},
+					Limits: map[core.ResourceName]resource.Quantity{
+						core.ResourceCPU:    *resource.NewScaledQuantity(int64(vncCPUMillis), resource.Milli),
+						core.ResourceMemory: *resource.NewScaledQuantity(int64(vncMemMB), resource.Mega),
+					},
+					Requests: map[core.ResourceName]resource.Quantity{
+						core.ResourceCPU:    *resource.NewScaledQuantity(int64(vncCPUMillis), resource.Milli),
+						core.ResourceMemory: *resource.NewScaledQuantity(int64(vncMemMB), resource.Mega),
+					},
+				},
+				SecurityContext: &core.SecurityContext{
+					RunAsNonRoot:             util.BoolPointer(!application.Container.RunAsRoot),
+					AllowPrivilegeEscalation: util.BoolPointer(application.Container.RunAsRoot),
 				},
-				SecurityContext: &core.SecurityContext{},
 			})
 		}
 	}
@@ -321,9 +344,6 @@ func StartScheduledJob(job *orc.Job, rank int, node string) *util.HttpError {
 		userContainer.Resources.Requests[name] = *quantity
 	}
 
-	product := job.Status.ResolvedProduct.Value
-	cpuMillis := shared.NodeCpuMillisNormalizedWithReserved(&product)
-	memoryMegabytes := int64(product.MemoryInGigs * 1000)
 	gpus := int64(product.Gpu)
 
 	gpuType := "nvidia.com/gpu"

From 93c0408c250abce454ab3a644826cb2797a04f63 Mon Sep 17 00:00:00 2001
From: Schulz <schulz@imada.sdu.dk>
Date: Fri, 17 Apr 2026 09:32:59 +0200
Subject: [PATCH 23/23] FE update

---
 core2/pkg/foundation/policies.go              |   2 +-
 .../webclient/app/Project/ProjectSettings.tsx | 307 ++++++++++--------
 frontend-web/webclient/app/Project/index.ts   |  82 ++++-
 3 files changed, 249 insertions(+), 142 deletions(-)

diff --git a/core2/pkg/foundation/policies.go b/core2/pkg/foundation/policies.go
index ac4d979995..42836d6814 100644
--- a/core2/pkg/foundation/policies.go
+++ b/core2/pkg/foundation/policies.go
@@ -117,7 +117,7 @@ func policiesRetrieve(actor rpc.Actor, request fndapi.RetrievePoliciesRequest) (
 		if !actor.Project.Present {
 			return nil, util.HttpErr(http.StatusBadRequest, "Polices only applicable to projects")
 		}
-		if !actor.Membership[actor.Project.Value].Equals(rpc.ProjectRoleDataManager) {
+		if !actor.Membership[actor.Project.Value].Equals(rpc.ProjectRolePI) {
 			return nil, util.HttpErr(http.StatusForbidden, "Only data managers may list the policies")
 		}
 		projectId = actor.Project.String()
diff --git a/frontend-web/webclient/app/Project/ProjectSettings.tsx b/frontend-web/webclient/app/Project/ProjectSettings.tsx
index 5c5487d034..cfd2f933ba 100644
--- a/frontend-web/webclient/app/Project/ProjectSettings.tsx
+++ b/frontend-web/webclient/app/Project/ProjectSettings.tsx
@@ -37,7 +37,7 @@ import {useDidUnmount} from "@/Utilities/ReactUtilities";
 import {ProjectSwitcher, projectTitleFromCache} from "./ProjectSwitcher";
 import WAYF from "@/Grants/wayf-idps.json";
 import {FlexClass} from "@/ui-components/Flex";
-import {OldProjectRole, isAdminOrPI} from ".";
+import {OldProjectRole, isAdminOrPI, isDataSteward, Policy, retrieveRequestPolicies} from ".";
 import {SidebarTabId} from "@/ui-components/SidebarComponents";
 import AppRoutes from "@/Routes";
 import {sendFailureNotification, sendInformationNotification, sendSuccessNotification} from "@/Notifications";
@@ -116,6 +116,8 @@ export const ProjectSettings: React.FunctionComponent = () => {
         }
     });
 
+    const [policies, setPolicies] = useState<Map<string, Policy>>(new Map())
+
     const templatePersonal = useRef<HTMLInputElement>(null);
     const templateExisting = useRef<HTMLInputElement>(null);
     const templateNew = useRef<HTMLInputElement>(null);
@@ -139,6 +141,24 @@ export const ProjectSettings: React.FunctionComponent = () => {
         })();
     }, [projectId]);
 
+    useEffect(() => {
+        if (!projectId) {
+            navigate(AppRoutes.dashboard.dashboardA());
+            return;
+        }
+        (async () => {
+            const res = await callAPIWithErrorHandler<Map<string, Policy>>(
+                {
+                    ...retrieveRequestPolicies(),
+                    projectOverride: projectId
+                }
+            );
+
+            if (!res) return;
+            if (!didUnmount.current) setPolicies(res);
+        })();
+    }, [projectId]);
+
     useEffect(() => {
         const p = templatePersonal.current;
         const e = templateExisting.current;
@@ -241,7 +261,7 @@ export const ProjectSettings: React.FunctionComponent = () => {
         header={
             <Spacer
                 left={<h3 className="title">Project settings</h3>}
-                right={<ProjectSwitcher />}
+                right={<ProjectSwitcher/>}
             />
         }
         headerSize={64}
@@ -255,100 +275,105 @@ export const ProjectSettings: React.FunctionComponent = () => {
                     showTitle
                 />
             </Card>) : <>
-                <Card>
-                    <Heading.h3>Project information</Heading.h3>
+                {!isDataSteward(status.myRole) ? (<Card>
+                    <Heading.h3>Project Policies</Heading.h3>
 
-                    <ChangeProjectTitle
-                        projectId={projectId}
-                        projectTitle={project.specification.title}
-                        onSuccess={() => projectOps.reload()}
-                    />
 
-                    {Client.userIsAdmin ? <>
-                        <Label>Project ID (only visible to UCloud Admins)</Label>
-                        <Flex>
-                            <Text color={"textSecondary"}>{projectId}</Text>
-                            <Icon
-                                name="heroDocumentDuplicate"
-                                ml="10px"
-                                onClick={() => {
-                                    copyToClipboard(projectId);
-                                    sendInformationNotification("Copied project ID to clipboard!");
-                                }}
-                            />
-                        </Flex>
-                    </> : null}
+                </Card>) : <>
+                    <Card>
+                        <Heading.h3>Project information</Heading.h3>
 
-                    <SubprojectSettings
-                        projectId={projectId}
-                        projectRole={status.myRole!}
-                        setLoading={() => false}
-                    />
+                        <ChangeProjectTitle
+                            projectId={projectId}
+                            projectTitle={project.specification.title}
+                            onSuccess={() => projectOps.reload()}
+                        />
 
-                </Card>
+                        {Client.userIsAdmin ? <>
+                            <Label>Project ID (only visible to UCloud Admins)</Label>
+                            <Flex>
+                                <Text color={"textSecondary"}>{projectId}</Text>
+                                <Icon
+                                    name="heroDocumentDuplicate"
+                                    ml="10px"
+                                    onClick={() => {
+                                        copyToClipboard(projectId);
+                                        sendInformationNotification("Copied project ID to clipboard!");
+                                    }}
+                                />
+                            </Flex>
+                        </> : null}
 
-                <Card>
-                    <Heading.h3>Grant settings</Heading.h3>
-
-                    <UpdateProjectLogo />
-
-                    <form onSubmit={onSave}>
-                        <Flex gap="32px">
-                            <label>
-                                Project description <br />
-                                <TextArea width="100%" rows={5} inputRef={description} />
-                            </label>
-
-                            <label>
-                                Template for personal projects <br />
-                                <TextArea width="100%" rows={5} inputRef={templatePersonal} />
-                            </label>
-                        </Flex>
-
-                        <Flex gap="32px">
-                            <label>
-                                Template for existing projects <br />
-                                <TextArea rows={5} inputRef={templateExisting} />
-                            </label>
-
-                            <label>
-                                Template for new projects <br />
-                                <TextArea rows={5} inputRef={templateNew} />
-                            </label>
-                        </Flex>
-
-                        {settings.enabled && <>
-                            <Flex flexDirection={"row"} gap={"32px"}>
-                                <div>
-                                    <label style={{marginBottom: "16px"}}>Allow applications from</label>
-                                    <UserCriteriaEditor
-                                        criteria={settings.allowRequestsFrom}
-                                        onSubmit={onAllowAdd}
-                                        isExclusion={false}
-                                        onRemove={onAllowRemove}
-                                        showSubprojects={settings.enabled}
-                                    />
-                                </div>
-
-                                <div>
-                                    <label>Exclude applications from</label>
-                                    <UserCriteriaEditor
-                                        criteria={settings.excludeRequestsFrom}
-                                        onSubmit={onExcludeAdd}
-                                        isExclusion={true}
-                                        onRemove={onExcludeRemove}
-                                        showSubprojects={false}
-                                    />
-                                </div>
+                        <SubprojectSettings
+                            projectId={projectId}
+                            projectRole={status.myRole!}
+                            setLoading={() => false}
+                        />
+
+                    </Card>
+
+                    <Card>
+                        <Heading.h3>Grant settings</Heading.h3>
+
+                        <UpdateProjectLogo/>
+
+                        <form onSubmit={onSave}>
+                            <Flex gap="32px">
+                                <label>
+                                    Project description <br/>
+                                    <TextArea width="100%" rows={5} inputRef={description}/>
+                                </label>
+
+                                <label>
+                                    Template for personal projects <br/>
+                                    <TextArea width="100%" rows={5} inputRef={templatePersonal}/>
+                                </label>
                             </Flex>
-                        </>}
 
-                        <Flex justifyContent={"center"} mt={32}>
-                            <Button type={"submit"} fullWidth>Save</Button>
-                        </Flex>
-                    </form>
-                </Card>
+                            <Flex gap="32px">
+                                <label>
+                                    Template for existing projects <br/>
+                                    <TextArea rows={5} inputRef={templateExisting}/>
+                                </label>
+
+                                <label>
+                                    Template for new projects <br/>
+                                    <TextArea rows={5} inputRef={templateNew}/>
+                                </label>
+                            </Flex>
 
+                            {settings.enabled && <>
+                                <Flex flexDirection={"row"} gap={"32px"}>
+                                    <div>
+                                        <label style={{marginBottom: "16px"}}>Allow applications from</label>
+                                        <UserCriteriaEditor
+                                            criteria={settings.allowRequestsFrom}
+                                            onSubmit={onAllowAdd}
+                                            isExclusion={false}
+                                            onRemove={onAllowRemove}
+                                            showSubprojects={settings.enabled}
+                                        />
+                                    </div>
+
+                                    <div>
+                                        <label>Exclude applications from</label>
+                                        <UserCriteriaEditor
+                                            criteria={settings.excludeRequestsFrom}
+                                            onSubmit={onExcludeAdd}
+                                            isExclusion={true}
+                                            onRemove={onExcludeRemove}
+                                            showSubprojects={false}
+                                        />
+                                    </div>
+                                </Flex>
+                            </>}
+
+                            <Flex justifyContent={"center"} mt={32}>
+                                <Button type={"submit"} fullWidth>Save</Button>
+                            </Flex>
+                        </form>
+                    </Card>
+                </>}
                 <Card>
                     <LeaveProject
                         onSuccess={() => navigate("/")}
@@ -545,7 +570,8 @@ export function LeaveProject(props: LeaveProjectProps): React.ReactNode {
     return (
         <ActionBox>
             <Box flexGrow={1}>
-                <Heading.h3>Leave project {props.showTitle ? `"${projectTitleFromCache(Client.projectId)}"` : ""}</Heading.h3>
+                <Heading.h3>Leave
+                    project {props.showTitle ? `"${projectTitleFromCache(Client.projectId)}"` : ""}</Heading.h3>
                 <Text>
                     If you leave the project the following will happen:
 
@@ -612,7 +638,7 @@ export function UpdateProjectLogo(): React.ReactNode {
             Project logo (click{" "}
             <span style={{color: "var(--primaryLight)", cursor: "pointer"}}>here</span>
             {" "}to upload a new logo)
-            <br />
+            <br/>
 
             <HiddenInputField
                 type="file"
@@ -635,7 +661,7 @@ export function UpdateProjectLogo(): React.ReactNode {
             />
         </label>
 
-        <ProjectLogo projectId={projectId} size={"128px"} />
+        <ProjectLogo projectId={projectId} size={"128px"}/>
     </div>
 }
 
@@ -662,56 +688,57 @@ const UserCriteriaEditor: React.FunctionComponent<{
     return <>
         <Table mb={16}>
             <thead>
-                <TableRow>
-                    <TableHeaderCell textAlign={"left"}>Type</TableHeaderCell>
-                    <TableHeaderCell textAlign={"left"}>Constraint</TableHeaderCell>
-                    <TableHeaderCell />
-                </TableRow>
+            <TableRow>
+                <TableHeaderCell textAlign={"left"}>Type</TableHeaderCell>
+                <TableHeaderCell textAlign={"left"}>Constraint</TableHeaderCell>
+                <TableHeaderCell/>
+            </TableRow>
             </thead>
             <tbody>
 
-                {!props.showSubprojects ? null :
-                    <TableRow>
-                        <TableCell>Subprojects</TableCell>
-                        <TableCell>None</TableCell>
-                        <TableCell />
-                    </TableRow>
-                }
+            {!props.showSubprojects ? null :
+                <TableRow>
+                    <TableCell>Subprojects</TableCell>
+                    <TableCell>None</TableCell>
+                    <TableCell/>
+                </TableRow>
+            }
 
-                {!props.showSubprojects && props.criteria.length === 0 && !showRequestFromEditor ? <>
-                    <TableRow>
-                        <TableCell>No one</TableCell>
-                        <TableCell>None</TableCell>
-                        <TableCell />
-                    </TableRow>
-                </> : null}
-
-                {props.criteria.map((it, idx) =>
-                    <TableRow key={keyFromCriteria(it)}>
-                        <TableCell textAlign={"left"}>{userCriteriaTypePrettifier(it.type)}</TableCell>
-                        <TableCell textAlign={"left"}>
-                            {it.type === "wayf" ? it.org : null}
-                            {it.type === "email" ? it.domain : null}
-                            {it.type === "anyone" ? "None" : null}
-                        </TableCell>
-                        <TableCell textAlign={"right"}>
-                            <Icon color={"errorMain"} name={"trash"} cursor={"pointer"} onClick={() => props.onRemove(idx)} />
-                        </TableCell>
-                    </TableRow>
-                )}
+            {!props.showSubprojects && props.criteria.length === 0 && !showRequestFromEditor ? <>
+                <TableRow>
+                    <TableCell>No one</TableCell>
+                    <TableCell>None</TableCell>
+                    <TableCell/>
+                </TableRow>
+            </> : null}
+
+            {props.criteria.map((it, idx) =>
+                <TableRow key={keyFromCriteria(it)}>
+                    <TableCell textAlign={"left"}>{userCriteriaTypePrettifier(it.type)}</TableCell>
+                    <TableCell textAlign={"left"}>
+                        {it.type === "wayf" ? it.org : null}
+                        {it.type === "email" ? it.domain : null}
+                        {it.type === "anyone" ? "None" : null}
+                    </TableCell>
+                    <TableCell textAlign={"right"}>
+                        <Icon color={"errorMain"} name={"trash"} cursor={"pointer"}
+                              onClick={() => props.onRemove(idx)}/>
+                    </TableCell>
+                </TableRow>
+            )}
 
-                {showRequestFromEditor ?
-                    <UserCriteriaRowEditor
-                        onSubmit={(c) => {
-                            props.onSubmit(c);
-                            setShowRequestFromEditor(false);
-                        }}
-                        onCancel={() => setShowRequestFromEditor(false)}
-                        allowAnyone={!props.isExclusion && props.criteria.find(it => it.type === "anyone") === undefined}
-                        allowWayf={!props.isExclusion}
-                    /> :
-                    null
-                }
+            {showRequestFromEditor ?
+                <UserCriteriaRowEditor
+                    onSubmit={(c) => {
+                        props.onSubmit(c);
+                        setShowRequestFromEditor(false);
+                    }}
+                    onCancel={() => setShowRequestFromEditor(false)}
+                    allowAnyone={!props.isExclusion && props.criteria.find(it => it.type === "anyone") === undefined}
+                    allowWayf={!props.isExclusion}
+                /> :
+                null
+            }
 
             </tbody>
         </Table>
@@ -769,7 +796,7 @@ const UserCriteriaRowEditor: React.FunctionComponent<{
         }
     }, [props.onSubmit, type, selectedWayfOrg]);
 
-    const options: {text: string, value: string}[] = [];
+    const options: { text: string, value: string }[] = [];
     if (props.allowAnyone) {
         options.push({text: "Anyone", value: "anyone"});
     }
@@ -794,7 +821,7 @@ const UserCriteriaRowEditor: React.FunctionComponent<{
                 <Flex height={47}>
                     {type.type !== "anyone" ? null : null}
                     {type.type !== "email" ? null : <>
-                        <Input inputRef={inputRef} placeholder={"Email domain"} />
+                        <Input inputRef={inputRef} placeholder={"Email domain"}/>
                     </>}
                     {type.type !== "wayf" ? null : <>
                         {/* WAYF idps extracted from https://metadata.wayf.dk/idps.js*/}
@@ -805,11 +832,11 @@ const UserCriteriaRowEditor: React.FunctionComponent<{
                             placeholder={"Type to search..."}
                         />
                     </>}
-                    <ConfirmCancelButtons height={"unset"} onConfirm={onClick} onCancel={props.onCancel} />
+                    <ConfirmCancelButtons height={"unset"} onConfirm={onClick} onCancel={props.onCancel}/>
                 </Flex>
             </div>
         </TableCell>
-        <TableCell />
+        <TableCell/>
     </TableRow>;
 }
 
diff --git a/frontend-web/webclient/app/Project/index.ts b/frontend-web/webclient/app/Project/index.ts
index ebde143d7a..77b6c810f1 100644
--- a/frontend-web/webclient/app/Project/index.ts
+++ b/frontend-web/webclient/app/Project/index.ts
@@ -1,10 +1,15 @@
+import {apiRetrieve, apiUpdate} from "@/Authentication/DataHook";
+import {RequestSettings} from "@/Grants";
+
 export interface ProjectCache {
     expiresAt: number;
     project: Project;
 }
+
 export enum OldProjectRole {
     PI = "PI",
     ADMIN = "ADMIN",
+    DATAMANAGER = "DATA_MANAGER",
     USER = "USER",
 }
 
@@ -13,7 +18,13 @@ export function isAdminOrPI(role?: ProjectRole | null): boolean {
     return [OldProjectRole.PI, OldProjectRole.ADMIN].includes(role);
 }
 
+export function isDataSteward(role?: ProjectRole | null): boolean {
+    if (!role) return false;
+    return OldProjectRole.DATAMANAGER == role;
+}
+
 export type ProjectRole = OldProjectRole;
+
 export interface ProjectMember {
     username: string;
     role: ProjectRole;
@@ -67,4 +78,73 @@ export interface ProjectGroupSpecification {
 
 export interface ProjectGroupStatus {
     members?: string[] | null;
-}
\ No newline at end of file
+}
+
+export interface PolicyProperty {
+    name: string;
+    type: string;
+    title: string;
+    description: string;
+    options: string[];
+}
+
+export interface PolicySchema {
+    name: string;
+    configuration: PolicyProperty[];
+    title: string;
+    description: string;
+}
+
+export enum PolicyPropertyType {
+    ENUM = 'Enum',
+    TEXT = 'Text',
+    SUBNET = 'Subnet',
+    INTEGER = 'Integer',
+    FLOAT = 'Float',
+    PROVIDERS = 'Providers',
+    BOOLEAN = 'Bool',
+    TEXTLIST = 'TextList',
+    ENUMSET = 'EnumSet',
+}
+
+export interface PolicesForProject {
+    projectId: string;
+    PolicesByName: Map<string, PolicySpecification>;
+}
+
+export interface PolicySpecification {
+    schema: string;
+    project: string;
+    properties: PolicyPropertyValue[]
+}
+
+export interface PolicyPropertyValue {
+    name: string;
+    text: string | null;
+    providers: string[] | null;
+    int: number | null;
+    float: number | null;
+    bool: boolean | null;
+    textElements: string[] | null;
+}
+
+export interface Policy {
+    schema: PolicySchema;
+    specification: PolicySpecification;
+}
+
+const baseContext = "/api/projects/v2/policies";
+
+export interface PoliciesUpdateRequest {
+    updatedPolicies: Map<string, PolicySpecification>
+}
+
+export function updatePolicyRequest(
+    request: PoliciesUpdateRequest,
+): APICallParameters<unknown, {}> {
+    return apiUpdate(request, baseContext, "");
+}
+
+export function retrieveRequestPolicies(): APICallParameters<unknown, Map<string, Policy>> {
+    return apiRetrieve({}, baseContext, "");
+}