diff --git a/README.md b/README.md
index 46c2f19..8d3b686 100644
--- a/README.md
+++ b/README.md
@@ -407,6 +407,22 @@ Allows a user to save the ACL configuration to the headscale server or load a ne
 
 <img width="1000" alt="image" src="./img/HA-ACL-Config-Load.png">
 
+### Visualise Page (Experimental)
+
+Renders an entity-relationship style graph of Users, Groups, Tags and Nodes, with ACL policies drawn as connecting arrows. Use the sidebar to toggle which entity kinds and relation types are shown, search by label, and click any entity to drill down into its direct relationships.
+
+This page is marked **Experimental** as it is still being refined — complex ACLs (for example `autogroup:*` or CIDR endpoints) are not yet represented as distinct graph nodes.
+
+<img width="1000" alt="visualise page" src="./img/HA-Visualise.png">
+
+Clicking an entity highlights its neighbours and opens a details panel from which you can drill further:
+
+<img width="1000" alt="visualise page with a user selected" src="./img/HA-Visualise-Selected.png">
+
+Filters can be combined to focus on a subset of the graph:
+
+<img width="1000" alt="visualise page with filtered entities" src="./img/HA-Visualise-Filtered.png">
+
 ### Settings Page
 
 Store API URL and API Key information in the browser's LocalStorage. Set API refresh interval (how frequently users, preauth keys, nodes, and routes are updated) and toggle console debugging.
diff --git a/e2e/mock-api.mjs b/e2e/mock-api.mjs
index 7f3a486..41a1e1e 100644
--- a/e2e/mock-api.mjs
+++ b/e2e/mock-api.mjs
@@ -152,10 +152,14 @@ function resetState() {
 resetState();
 
 const policy = JSON.stringify({
-  groups: { 'group:admin': ['alice'] },
+  groups: { 'group:admin': ['alice'], 'group:dev': ['bob'] },
   hosts: {},
-  acls: [{ action: 'accept', src: ['group:admin'], dst: ['*:*'] }],
-  tagOwners: {},
+  acls: [
+    { action: 'accept', src: ['group:admin'], dst: ['*:*'] },
+    { action: 'accept', src: ['tag:server'], dst: ['tag:infra:22'] },
+    { action: 'accept', src: ['bob'], dst: ['tag:server:443'] },
+  ],
+  tagOwners: { 'tag:server': ['group:admin'], 'tag:infra': ['alice'] },
   ssh: [],
 });
 
diff --git a/e2e/navigation.spec.ts b/e2e/navigation.spec.ts
index d197bb5..69b0487 100644
--- a/e2e/navigation.spec.ts
+++ b/e2e/navigation.spec.ts
@@ -272,7 +272,7 @@ test.describe('direct URL access (no white screen)', () => {
     await seedAuth(page);
   });
 
-  const routes = ['/', '/nodes/', '/users/', '/tags/', '/settings/', '/deploy/', '/routes/', '/acls/'];
+  const routes = ['/', '/nodes/', '/users/', '/tags/', '/settings/', '/deploy/', '/routes/', '/acls/', '/visualise/'];
 
   for (const route of routes) {
     test(`${route} renders content (not blank)`, async ({ page }) => {
diff --git a/e2e/visualise.spec.ts b/e2e/visualise.spec.ts
new file mode 100644
index 0000000..2d1591d
--- /dev/null
+++ b/e2e/visualise.spec.ts
@@ -0,0 +1,142 @@
+import { test, expect, type Page } from '@playwright/test';
+
+const MOCK_URL = 'http://localhost:8081';
+const API_KEY = 'test-api-key';
+
+async function seedAuth(page: Page) {
+  await page.goto('/');
+  await page.evaluate(
+    ([url, key]) => {
+      localStorage.setItem('apiUrl', JSON.stringify(url));
+      localStorage.setItem('apiKey', JSON.stringify(key));
+      localStorage.setItem(
+        'apiKeyInfo',
+        JSON.stringify({
+          authorized: true,
+          expires: new Date(Date.now() + 86_400_000 * 90).toISOString(),
+          informedUnauthorized: false,
+          informedExpiringSoon: false,
+        }),
+      );
+    },
+    [MOCK_URL, API_KEY],
+  );
+  await page.reload();
+  await page.locator('[data-testid="app-shell"]').waitFor({ timeout: 10000 });
+}
+
+test.describe('visualise page', () => {
+  test.beforeEach(async ({ page }) => {
+    await seedAuth(page);
+    await page.goto('/visualise/');
+    // wait for SVG (policy must have loaded too)
+    await page.locator('[data-testid="visualise-svg"]').waitFor({ timeout: 10000 });
+  });
+
+  test('is reachable from the sidebar navigation', async ({ page }) => {
+    await page.goto('/');
+    const link = page.getByRole('link', { name: /visualise/i }).first();
+    await expect(link).toBeVisible({ timeout: 10000 });
+    await link.click();
+    await expect(page).toHaveURL(/\/visualise\/?/);
+    await expect(page.getByRole('img', { name: /acl node graph/i })).toBeVisible({
+      timeout: 10000,
+    });
+  });
+
+  test('shows an Experimental banner', async ({ page }) => {
+    await expect(page.locator('[data-testid="experimental-banner"]')).toBeVisible();
+    await expect(page.locator('[data-testid="experimental-banner"]')).toContainText(
+      /experimental/i,
+    );
+  });
+
+  test('renders a node per user, node, group, tag and the wildcard', async ({ page }) => {
+    const kinds = await page
+      .locator('[data-testid="graph-node"]')
+      .evaluateAll((els) => els.map((e) => (e as HTMLElement).dataset.nodeKind));
+    expect(kinds).toEqual(expect.arrayContaining(['user', 'node', 'group', 'tag', 'wildcard']));
+  });
+
+  test('renders ACL accept edges', async ({ page }) => {
+    await expect(page.locator('[data-testid="edge-acl-accept"]').first()).toBeVisible();
+    const count = await page.locator('[data-testid="edge-acl-accept"]').count();
+    expect(count).toBeGreaterThan(0);
+  });
+
+  test('search input filters nodes by label', async ({ page }) => {
+    const allCount = await page.locator('[data-testid="graph-node"]').count();
+    await page.locator('[data-testid="visualise-search"]').fill('alice');
+    // Give Svelte a tick to apply reactive updates
+    await expect
+      .poll(async () => await page.locator('[data-testid="graph-node"]').count())
+      .toBeLessThan(allCount);
+    // alice user should still be present
+    await expect(page.locator('[data-testid="graph-node"][data-node-id="user:alice"]'))
+      .toBeVisible();
+  });
+
+  test('kind toggle hides entities of that kind', async ({ page }) => {
+    await expect(
+      page.locator('[data-testid="graph-node"][data-node-kind="tag"]').first(),
+    ).toBeVisible();
+    await page.locator('[data-testid="kind-toggle-tag"]').uncheck();
+    await expect(page.locator('[data-testid="graph-node"][data-node-kind="tag"]')).toHaveCount(0);
+  });
+
+  test('relation toggle hides edges of that kind', async ({ page }) => {
+    await expect(page.locator('[data-testid="edge-acl-accept"]').first()).toBeVisible();
+    await page.locator('[data-testid="edge-toggle-acl-accept"]').uncheck();
+    await expect(page.locator('[data-testid="edge-acl-accept"]')).toHaveCount(0);
+  });
+
+  test('reset filters restores all entities and relations', async ({ page }) => {
+    await page.locator('[data-testid="kind-toggle-tag"]').uncheck();
+    await page.locator('[data-testid="edge-toggle-acl-accept"]').uncheck();
+    await page.locator('[data-testid="visualise-search"]').fill('zzzzz');
+    await expect(page.locator('[data-testid="visualise-empty"]')).toBeVisible();
+
+    await page.locator('[data-testid="visualise-reset"]').click();
+    await expect(page.locator('[data-testid="visualise-svg"]')).toBeVisible();
+    await expect(
+      page.locator('[data-testid="graph-node"][data-node-kind="tag"]').first(),
+    ).toBeVisible();
+    await expect(page.locator('[data-testid="edge-acl-accept"]').first()).toBeVisible();
+  });
+
+  test('clicking a node opens the details panel and highlights neighbours', async ({ page }) => {
+    // Before selection, no-selection hint should be visible
+    await expect(page.locator('[data-testid="visualise-no-selection"]')).toBeVisible();
+
+    // click alice
+    await page.locator('[data-testid="graph-node"][data-node-id="user:alice"]').click();
+    const details = page.locator('[data-testid="visualise-details"]');
+    await expect(details).toContainText('alice');
+    await expect(details.getByText('Connected to:')).toBeVisible();
+    // alice should be connected to at least one other entity (her laptop, her group, etc.)
+    const chips = page.locator('[data-testid="neighbour-chip"]');
+    await expect(chips.first()).toBeVisible();
+    expect(await chips.count()).toBeGreaterThan(0);
+  });
+
+  test('drill-down: clicking a neighbour chip changes selection', async ({ page }) => {
+    await page.locator('[data-testid="graph-node"][data-node-id="user:alice"]').click();
+    const firstChip = page.locator('[data-testid="neighbour-chip"]').first();
+    const chipText = (await firstChip.innerText()).trim();
+    await firstChip.click();
+    const details = page.locator('[data-testid="visualise-details"]');
+    await expect(details).toContainText(chipText);
+  });
+
+  test('clear selection button deselects', async ({ page }) => {
+    await page.locator('[data-testid="graph-node"][data-node-id="user:alice"]').click();
+    await expect(page.locator('[data-testid="visualise-clear-selection"]')).toBeVisible();
+    await page.locator('[data-testid="visualise-clear-selection"]').click();
+    await expect(page.locator('[data-testid="visualise-no-selection"]')).toBeVisible();
+  });
+
+  test('shows empty state when filters match nothing', async ({ page }) => {
+    await page.locator('[data-testid="visualise-search"]').fill('no-such-entity-xyz');
+    await expect(page.locator('[data-testid="visualise-empty"]')).toBeVisible();
+  });
+});
diff --git a/img/HA-Visualise-Filtered.png b/img/HA-Visualise-Filtered.png
new file mode 100644
index 0000000..fa03cf3
Binary files /dev/null and b/img/HA-Visualise-Filtered.png differ
diff --git a/img/HA-Visualise-Selected.png b/img/HA-Visualise-Selected.png
new file mode 100644
index 0000000..dc589fb
Binary files /dev/null and b/img/HA-Visualise-Selected.png differ
diff --git a/img/HA-Visualise.png b/img/HA-Visualise.png
new file mode 100644
index 0000000..a36caa6
Binary files /dev/null and b/img/HA-Visualise.png differ
diff --git a/src/lib/Navigation.svelte b/src/lib/Navigation.svelte
index 33a3373..bcbea23 100644
--- a/src/lib/Navigation.svelte
+++ b/src/lib/Navigation.svelte
@@ -11,6 +11,7 @@
 	import RawMdiSettings from '~icons/mdi/settings';
 	import RawMdiTag from '~icons/mdi/tag';
 	import RawMdiKey from '~icons/mdi/key';
+	import RawMdiGraphOutline from '~icons/mdi/graph-outline';
 
 	// import { ApiKeyInfoStore, ApiKeyStore, hasValidApi } from './Stores';
 	import { onMount, type Component } from 'svelte';
@@ -18,12 +19,10 @@
 	import { App } from '$lib/States.svelte';
 
 	type NavigationProps = {
-		labels?: boolean
-	}
+		labels?: boolean;
+	};
 
-	let {
-		labels = true,
-	}: NavigationProps = $props()
+	let { labels = true }: NavigationProps = $props();
 
 	const DrawerStore = getDrawerStore();
 
@@ -52,10 +51,11 @@
 		{ path: '/deploy', name: 'Deploy', logo: RawMdiHomeGroupPlus },
 		{ path: '/routes', name: 'Routes', logo: RawMdiRouter },
 		{ path: '/acls', name: 'ACLs', logo: RawMdiSecurity },
+		{ path: '/visualise', name: 'Visualise', logo: RawMdiGraphOutline },
 		{ path: '/settings', name: 'Settings', logo: RawMdiSettings },
 	].filter((p) => p != undefined);
 
-	const pages = $derived.by(() => App.hasValidApi ? allPages : allPages.slice(-1));
+	const pages = $derived.by(() => (App.hasValidApi ? allPages : allPages.slice(-1)));
 </script>
 
 <nav class="list-nav pt-0">
diff --git a/src/lib/common/visualise.ts b/src/lib/common/visualise.ts
new file mode 100644
index 0000000..831dc6c
--- /dev/null
+++ b/src/lib/common/visualise.ts
@@ -0,0 +1,478 @@
+/**
+ * Pure helpers for the experimental "Visualise" node graph.
+ *
+ * Converts a Headscale configuration (users, nodes, ACL policy) into a
+ * generic {nodes, edges} graph that can be rendered. Kept free of Svelte
+ * state and DOM references so it can be exercised by unit tests.
+ */
+
+import type { ACL, AclPolicy } from '$lib/common/acl.svelte';
+import type { Node as HNode, User } from '$lib/common/types';
+
+export type GraphNodeKind = 'user' | 'group' | 'tag' | 'node' | 'host' | 'wildcard';
+
+export type GraphNode = {
+	/** Unique id across the whole graph, e.g. "user:alice", "tag:tag:web". */
+	id: string;
+	/** Classification used for column placement, colours and filtering. */
+	kind: GraphNodeKind;
+	/** Display label. */
+	label: string;
+	/** Underlying reference, useful for the details panel. */
+	ref?: User | HNode | { name: string; members?: string[] } | { name: string; owners?: string[] };
+};
+
+export type GraphEdgeKind =
+	| 'user-group' // user is a member of a group
+	| 'group-tag' // group owns a tag
+	| 'user-tag' // user owns a tag (tagOwners)
+	| 'user-node' // node belongs to user
+	| 'tag-node' // node has tag
+	| 'acl-accept' // acl accept policy from src → dst
+	| 'acl-deny'; // reserved; headscale only has accept today
+
+export type GraphEdge = {
+	id: string;
+	from: string; // GraphNode.id
+	to: string; // GraphNode.id
+	kind: GraphEdgeKind;
+	/** Optional index of the ACL policy that produced the edge. */
+	policyIdx?: number;
+};
+
+export type Graph = {
+	nodes: GraphNode[];
+	edges: GraphEdge[];
+};
+
+// ── id helpers ──────────────────────────────────────────────────────────────
+
+export function userId(name: string): string {
+	return `user:${name}`;
+}
+export function groupId(name: string): string {
+	// the raw policy key already starts with "group:"; don't double up.
+	return name.startsWith('group:') ? `g:${name}` : `g:group:${name}`;
+}
+export function tagId(name: string): string {
+	return name.startsWith('tag:') ? `t:${name}` : `t:tag:${name}`;
+}
+export function nodeId(id: string): string {
+	return `node:${id}`;
+}
+export function hostId(name: string): string {
+	return `host:${name}`;
+}
+
+export const WILDCARD_ID = 'wildcard:*';
+
+// ── graph construction ──────────────────────────────────────────────────────
+
+export type BuildOptions = {
+	/** Only include ACL edges whose `policyIdx` is in this set. Omit for all. */
+	policyFilter?: Set<number>;
+};
+
+/**
+ * Build a graph from the supplied data. The returned arrays are stable with
+ * respect to input order, so snapshot/visual tests are deterministic.
+ */
+export function buildGraph(
+	users: User[],
+	nodes: HNode[],
+	acl: ACL | null | undefined,
+	options: BuildOptions = {},
+): Graph {
+	const gNodes: GraphNode[] = [];
+	const gEdges: GraphEdge[] = [];
+	const seenNodeIds = new Set<string>();
+
+	function addNode(n: GraphNode): void {
+		if (seenNodeIds.has(n.id)) return;
+		seenNodeIds.add(n.id);
+		gNodes.push(n);
+	}
+
+	function addEdge(e: GraphEdge): void {
+		gEdges.push(e);
+	}
+
+	// Users
+	for (const u of users ?? []) {
+		addNode({ id: userId(u.name), kind: 'user', label: u.name, ref: u });
+	}
+
+	// Nodes and implicit edges (user owns node, node has tag)
+	for (const n of nodes ?? []) {
+		addNode({ id: nodeId(n.id), kind: 'node', label: n.givenName || n.name, ref: n });
+		if (n.user?.name) {
+			// ensure the user node exists even if not in `users` list
+			addNode({ id: userId(n.user.name), kind: 'user', label: n.user.name, ref: n.user });
+			addEdge({
+				id: `un:${n.user.name}->${n.id}`,
+				from: userId(n.user.name),
+				to: nodeId(n.id),
+				kind: 'user-node',
+			});
+		}
+		for (const t of n.tags ?? []) {
+			const normTag = t.startsWith('tag:') ? t : `tag:${t}`;
+			addNode({ id: tagId(normTag), kind: 'tag', label: normTag, ref: { name: normTag } });
+			addEdge({
+				id: `tn:${normTag}->${n.id}`,
+				from: tagId(normTag),
+				to: nodeId(n.id),
+				kind: 'tag-node',
+			});
+		}
+	}
+
+	if (!acl) {
+		return { nodes: gNodes, edges: gEdges };
+	}
+
+	// Groups and memberships
+	for (const [gname, members] of Object.entries(acl.groups ?? {})) {
+		addNode({
+			id: groupId(gname),
+			kind: 'group',
+			label: gname,
+			ref: { name: gname, members: [...(members ?? [])] },
+		});
+		for (const m of members ?? []) {
+			// Group members are user names (may or may not yet exist as User entities)
+			addNode({ id: userId(m), kind: 'user', label: m });
+			addEdge({
+				id: `ug:${m}->${gname}`,
+				from: userId(m),
+				to: groupId(gname),
+				kind: 'user-group',
+			});
+		}
+	}
+
+	// Tag owners
+	for (const [tname, owners] of Object.entries(acl.tagOwners ?? {})) {
+		addNode({
+			id: tagId(tname),
+			kind: 'tag',
+			label: tname,
+			ref: { name: tname, owners: [...(owners ?? [])] },
+		});
+		for (const owner of owners ?? []) {
+			if (owner.startsWith('group:')) {
+				addNode({ id: groupId(owner), kind: 'group', label: owner });
+				addEdge({
+					id: `gt:${owner}->${tname}`,
+					from: groupId(owner),
+					to: tagId(tname),
+					kind: 'group-tag',
+				});
+			} else {
+				addNode({ id: userId(owner), kind: 'user', label: owner });
+				addEdge({
+					id: `ut:${owner}->${tname}`,
+					from: userId(owner),
+					to: tagId(tname),
+					kind: 'user-tag',
+				});
+			}
+		}
+	}
+
+	// Hosts
+	for (const hname of Object.keys(acl.hosts ?? {})) {
+		addNode({ id: hostId(hname), kind: 'host', label: hname });
+	}
+
+	// ACL policies
+	const policies: AclPolicy[] = acl.acls ?? [];
+	policies.forEach((p, idx) => {
+		if (options.policyFilter && !options.policyFilter.has(idx)) return;
+		for (const src of p.src ?? []) {
+			for (const dst of p.dst ?? []) {
+				const srcId = resolveEndpoint(src);
+				const dstId = resolveEndpoint(dst);
+				// make sure the resolved endpoints have a corresponding node
+				if (srcId) ensureEndpointNode(srcId, src);
+				if (dstId) ensureEndpointNode(dstId, dst);
+				if (!srcId || !dstId) continue;
+				addEdge({
+					id: `acl:${idx}:${srcId}->${dstId}`,
+					from: srcId,
+					to: dstId,
+					kind: 'acl-accept',
+					policyIdx: idx,
+				});
+			}
+		}
+	});
+
+	function ensureEndpointNode(id: string, raw: string): void {
+		if (seenNodeIds.has(id)) return;
+		if (id === WILDCARD_ID) {
+			addNode({ id: WILDCARD_ID, kind: 'wildcard', label: '*' });
+		} else if (id.startsWith('g:')) {
+			addNode({ id, kind: 'group', label: raw });
+		} else if (id.startsWith('t:')) {
+			addNode({ id, kind: 'tag', label: raw });
+		} else if (id.startsWith('user:')) {
+			addNode({ id, kind: 'user', label: raw });
+		} else if (id.startsWith('host:')) {
+			addNode({ id, kind: 'host', label: raw });
+		}
+	}
+
+	return { nodes: gNodes, edges: gEdges };
+}
+
+/**
+ * Resolve an ACL endpoint expression (src or dst entry) to the id of a graph
+ * node. dst entries can contain `:port`; the port is stripped. Returns `null`
+ * for CIDRs or anything else we don't represent as a distinct graph node.
+ */
+export function resolveEndpoint(raw: string): string | null {
+	// strip dst port, e.g. "*:*" → "*", "tag:web:22" → "tag:web"
+	let expr = raw;
+	const lastColon = expr.lastIndexOf(':');
+	if (lastColon > -1) {
+		const tail = expr.slice(lastColon + 1);
+		if (tail === '*' || /^\d+$/.test(tail) || /^\d+-\d+$/.test(tail)) {
+			expr = expr.slice(0, lastColon);
+		}
+	}
+
+	if (expr === '' || expr === '*') return WILDCARD_ID;
+	if (expr.startsWith('group:')) return groupId(expr);
+	if (expr.startsWith('tag:')) return tagId(expr);
+	if (expr.startsWith('autogroup:')) return null; // not modelled
+	if (/^\d/.test(expr)) return null; // CIDR / IP – not modelled as a graph node
+	// otherwise treat as a user name
+	return userId(expr);
+}
+
+// ── layout ──────────────────────────────────────────────────────────────────
+
+/** Columns used by the default layout. */
+export const COLUMN_ORDER: GraphNodeKind[] = ['user', 'group', 'tag', 'node', 'host', 'wildcard'];
+
+export type LayoutOptions = {
+	width?: number;
+	height?: number;
+	paddingX?: number;
+	paddingY?: number;
+	rowSpacing?: number;
+};
+
+export type PositionedNode = GraphNode & { x: number; y: number };
+
+/**
+ * Columnar layout with Y-direction force-directed refinement.
+ *
+ * Kinds are placed left-to-right following {@link COLUMN_ORDER}.  Within each
+ * column the initial vertical positions are equally spaced, then an iterative
+ * spring simulation adjusts only the Y coordinates so that nodes connected by
+ * edges tend to share the same vertical level, dramatically reducing edge
+ * crossings while keeping the left-to-right semantic ordering intact.
+ */
+export function layoutGraph(
+	graph: Graph,
+	options: LayoutOptions = {},
+): { nodes: PositionedNode[]; width: number; height: number } {
+	const paddingX = options.paddingX ?? 80;
+	const paddingY = options.paddingY ?? 60;
+	const rowSpacing = options.rowSpacing ?? 90;
+
+	const byKind: Record<GraphNodeKind, GraphNode[]> = {
+		user: [],
+		group: [],
+		tag: [],
+		node: [],
+		host: [],
+		wildcard: [],
+	};
+	for (const n of graph.nodes) byKind[n.kind].push(n);
+
+	// Only keep columns with entries so the layout tightens gracefully.
+	const activeColumns = COLUMN_ORDER.filter((k) => byKind[k].length > 0);
+	const colCount = Math.max(activeColumns.length, 1);
+	const tallest = Math.max(1, ...activeColumns.map((k) => byKind[k].length));
+
+	const innerWidth = options.width ?? Math.max(640, colCount * 200);
+	const colGap = (innerWidth - paddingX * 2) / Math.max(1, colCount - 1 || 1);
+	const height = options.height ?? paddingY * 2 + tallest * rowSpacing;
+
+	// ── Step 1: assign fixed column X coordinates ────────────────────────────
+	const colX = new Map<GraphNodeKind, number>();
+	activeColumns.forEach((kind, colIdx) => {
+		colX.set(kind, activeColumns.length === 1 ? innerWidth / 2 : paddingX + colIdx * colGap);
+	});
+
+	// ── Step 2: evenly space initial Y positions within each column ──────────
+	const posY = new Map<string, number>();
+	activeColumns.forEach((kind) => {
+		const col = byKind[kind];
+		const colHeight = (col.length - 1) * rowSpacing;
+		const yStart = (height - colHeight) / 2;
+		col.forEach((n, rowIdx) => posY.set(n.id, yStart + rowIdx * rowSpacing));
+	});
+
+	// ── Step 3: Y-only force-directed refinement ─────────────────────────────
+	// Repulsion keeps nodes in the same column from overlapping; attraction
+	// along edges aligns connected nodes vertically, which reduces crossings.
+	const REPULSION = rowSpacing * rowSpacing * 3;
+	const ATTRACTION = 0.012;
+	const MAX_ITER = 60;
+	const initialTemp = rowSpacing * 0.6;
+
+	for (let iter = 0; iter < MAX_ITER; iter++) {
+		const forces = new Map<string, number>();
+		for (const n of graph.nodes) forces.set(n.id, 0);
+
+		// Pairwise repulsion (Y direction only between every pair of nodes)
+		const nodes = graph.nodes;
+		for (let i = 0; i < nodes.length; i++) {
+			const ya = posY.get(nodes[i].id) ?? 0;
+			for (let j = i + 1; j < nodes.length; j++) {
+				const yb = posY.get(nodes[j].id) ?? 0;
+				const dy = yb - ya;
+				const dist = Math.abs(dy) + 0.5;
+				const f = (REPULSION / (dist * dist)) * Math.sign(dy || 1);
+				forces.set(nodes[i].id, (forces.get(nodes[i].id) ?? 0) - f);
+				forces.set(nodes[j].id, (forces.get(nodes[j].id) ?? 0) + f);
+			}
+		}
+
+		// Edge spring attraction (pull connected nodes toward the same Y)
+		for (const e of graph.edges) {
+			if (!posY.has(e.from) || !posY.has(e.to)) continue;
+			const dy = (posY.get(e.to) ?? 0) - (posY.get(e.from) ?? 0);
+			const spring = ATTRACTION * dy;
+			forces.set(e.from, (forces.get(e.from) ?? 0) + spring);
+			forces.set(e.to, (forces.get(e.to) ?? 0) - spring);
+		}
+
+		// Apply forces with linear cooling; clamp to canvas boundaries
+		const temp = initialTemp * (1 - iter / MAX_ITER);
+		for (const n of graph.nodes) {
+			const f = forces.get(n.id) ?? 0;
+			const clamped = Math.max(-temp, Math.min(temp, f));
+			const current = posY.get(n.id) ?? 0;
+			posY.set(n.id, Math.max(paddingY, Math.min(height - paddingY, current + clamped)));
+		}
+	}
+
+	// ── Step 4: assemble result ───────────────────────────────────────────────
+	const positioned: PositionedNode[] = [];
+	for (const n of graph.nodes) {
+		positioned.push({ ...n, x: colX.get(n.kind) ?? 0, y: posY.get(n.id) ?? 0 });
+	}
+
+	return { nodes: positioned, width: innerWidth, height };
+}
+
+// ── filtering helpers ───────────────────────────────────────────────────────
+
+export type KindFilter = Record<GraphNodeKind, boolean>;
+export type EdgeFilter = Record<GraphEdgeKind, boolean>;
+
+export const DEFAULT_KIND_FILTER: KindFilter = {
+	user: true,
+	group: true,
+	tag: true,
+	node: true,
+	host: true,
+	wildcard: true,
+};
+
+export const DEFAULT_EDGE_FILTER: EdgeFilter = {
+	'user-group': true,
+	'group-tag': true,
+	'user-tag': true,
+	'user-node': true,
+	'tag-node': true,
+	'acl-accept': true,
+	'acl-deny': true,
+};
+
+/**
+ * Apply kind and edge filters and an optional search string (case-insensitive
+ * substring match against node labels). Edges whose endpoints are hidden are
+ * dropped.
+ */
+export function filterGraph(
+	graph: Graph,
+	kindFilter: KindFilter,
+	edgeFilter: EdgeFilter,
+	search = '',
+): Graph {
+	const needle = search.trim().toLowerCase();
+	const visible = new Set<string>();
+	for (const n of graph.nodes) {
+		if (!kindFilter[n.kind]) continue;
+		if (needle && !n.label.toLowerCase().includes(needle)) continue;
+		visible.add(n.id);
+	}
+	const nodes = graph.nodes.filter((n) => visible.has(n.id));
+	const edges = graph.edges.filter(
+		(e) => edgeFilter[e.kind] && visible.has(e.from) && visible.has(e.to),
+	);
+	return { nodes, edges };
+}
+
+/** Return the set of node ids directly connected to `id` via any edge. */
+export function neighboursOf(graph: Graph, id: string): Set<string> {
+	const out = new Set<string>();
+	for (const e of graph.edges) {
+		if (e.from === id) out.add(e.to);
+		if (e.to === id) out.add(e.from);
+	}
+	return out;
+}
+
+// ── node-count cap ──────────────────────────────────────────────────────────
+
+/**
+ * Maximum number of nodes shown per {@link GraphNodeKind} before the graph is
+ * considered too dense to render clearly.
+ */
+export const MAX_NODES_PER_KIND = 10;
+
+/**
+ * Trim a graph so that at most {@link maxPerKind} nodes of each kind are kept
+ * (in insertion order). Edges whose endpoints were trimmed are also removed.
+ *
+ * Returns both the resulting graph and a flag indicating whether any nodes
+ * were omitted, so the UI can display a warning.
+ */
+export function trimGraph(
+	graph: Graph,
+	maxPerKind = MAX_NODES_PER_KIND,
+): { graph: Graph; truncated: boolean } {
+	const byKind: Record<GraphNodeKind, GraphNode[]> = {
+		user: [],
+		group: [],
+		tag: [],
+		node: [],
+		host: [],
+		wildcard: [],
+	};
+	for (const n of graph.nodes) byKind[n.kind].push(n);
+
+	let truncated = false;
+	const kept: GraphNode[] = [];
+	for (const kind of COLUMN_ORDER) {
+		const kindNodes = byKind[kind];
+		if (kindNodes.length > maxPerKind) {
+			truncated = true;
+			kept.push(...kindNodes.slice(0, maxPerKind));
+		} else {
+			kept.push(...kindNodes);
+		}
+	}
+
+	const keptIds = new Set(kept.map((n) => n.id));
+	const edges = graph.edges.filter((e) => keptIds.has(e.from) && keptIds.has(e.to));
+
+	return { graph: { nodes: kept, edges }, truncated };
+}
diff --git a/src/routes/visualise/+page.svelte b/src/routes/visualise/+page.svelte
new file mode 100644
index 0000000..59a7fb6
--- /dev/null
+++ b/src/routes/visualise/+page.svelte
@@ -0,0 +1,435 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import JWCC from 'json5';
+	import { getToastStore } from '@skeletonlabs/skeleton';
+
+	import Page from '$lib/page/Page.svelte';
+	import PageHeader from '$lib/page/PageHeader.svelte';
+	import { App } from '$lib/States.svelte';
+	import { getPolicy } from '$lib/common/api';
+	import { ACLBuilder, type ACL } from '$lib/common/acl.svelte';
+	import { debug } from '$lib/common/debug';
+	import { toastError } from '$lib/common/funcs';
+	import {
+		buildGraph,
+		filterGraph,
+		trimGraph,
+		layoutGraph,
+		neighboursOf,
+		DEFAULT_EDGE_FILTER,
+		DEFAULT_KIND_FILTER,
+		MAX_NODES_PER_KIND,
+		type EdgeFilter,
+		type GraphEdgeKind,
+		type GraphNodeKind,
+		type KindFilter,
+	} from '$lib/common/visualise';
+
+	const ToastStore = getToastStore();
+
+	/** Radius of an unselected node circle (px in SVG user-space). */
+	const NODE_R = 20;
+	/** Radius of the selected node circle. */
+	const NODE_R_SEL = 26;
+
+	/** MDI icon path data (24×24 viewBox) for each node kind. */
+	const iconPaths: Record<GraphNodeKind, string> = {
+		user: 'M12 4a4 4 0 0 1 4 4a4 4 0 0 1-4 4a4 4 0 0 1-4-4a4 4 0 0 1 4-4m0 10c4.42 0 8 1.79 8 4v2H4v-2c0-2.21 3.58-4 8-4',
+		group: 'M12 5.5A3.5 3.5 0 0 1 15.5 9a3.5 3.5 0 0 1-3.5 3.5A3.5 3.5 0 0 1 8.5 9A3.5 3.5 0 0 1 12 5.5M5 8c.56 0 1.08.15 1.53.42c-.15 1.43.27 2.85 1.13 3.96C7.16 13.34 6.16 14 5 14a3 3 0 0 1-3-3a3 3 0 0 1 3-3m14 0a3 3 0 0 1 3 3a3 3 0 0 1-3 3c-1.16 0-2.16-.66-2.66-1.62a5.54 5.54 0 0 0 1.13-3.96c.45-.27.97-.42 1.53-.42M5.5 18.25c0-2.07 2.91-3.75 6.5-3.75s6.5 1.68 6.5 3.75V20h-13zM0 20v-1.5c0-1.39 1.89-2.56 4.45-2.9c-.59.68-.95 1.62-.95 2.65V20zm24 0h-3.5v-1.75c0-1.03-.36-1.97-.95-2.65c2.56.34 4.45 1.51 4.45 2.9z',
+		tag: 'M5.5 7A1.5 1.5 0 0 1 4 5.5A1.5 1.5 0 0 1 5.5 4A1.5 1.5 0 0 1 7 5.5A1.5 1.5 0 0 1 5.5 7m15.91 4.58l-9-9C12.05 2.22 11.55 2 11 2H4c-1.11 0-2 .89-2 2v7c0 .55.22 1.05.59 1.41l8.99 9c.37.36.87.59 1.42.59s1.05-.23 1.41-.59l7-7c.37-.36.59-.86.59-1.41c0-.56-.23-1.06-.59-1.42',
+		node: 'M4 6h16v10H4m16 2a2 2 0 0 0 2-2V6a2 2 0 0 0-2-2H4c-1.11 0-2 .89-2 2v10a2 2 0 0 0 2 2H0v2h24v-2z',
+		host: 'M4 1h16a1 1 0 0 1 1 1v4a1 1 0 0 1-1 1H4a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1m0 8h16a1 1 0 0 1 1 1v4a1 1 0 0 1-1 1H4a1 1 0 0 1-1-1v-4a1 1 0 0 1 1-1m0 8h16a1 1 0 0 1 1 1v4a1 1 0 0 1-1 1H4a1 1 0 0 1-1-1v-4a1 1 0 0 1 1-1M9 5h1V3H9zm0 8h1v-2H9zm0 8h1v-2H9zM5 3v2h2V3zm0 8v2h2v-2zm0 8v2h2v-2z',
+		wildcard:
+			'M21 13h-6.6l4.7 4.7l-1.4 1.4l-4.7-4.7V21h-2v-6.7L6.3 19l-1.4-1.4L9.4 13H3v-2h6.6L4.9 6.3l1.4-1.4L11 9.6V3h2v6.4l4.6-4.6L19 6.3L14.3 11H21z',
+	};
+
+	let acl = $state<ACL | null>(null);
+	let kindFilter = $state<KindFilter>({ ...DEFAULT_KIND_FILTER });
+	let edgeFilter = $state<EdgeFilter>({ ...DEFAULT_EDGE_FILTER });
+	let search = $state('');
+	let selectedId = $state<string | null>(null);
+
+	onMount(() => {
+		getPolicy()
+			.then((policy) => {
+				acl = ACLBuilder.fromPolicy(JWCC.parse<ACL>(policy));
+			})
+			.catch((reason) => {
+				debug('visualise: unable to get policy', reason);
+				toastError(`Unable to load ACL policy.`, ToastStore, reason);
+			});
+	});
+
+	const fullGraph = $derived(buildGraph(App.users.value, App.nodes.value, acl));
+	const filtered = $derived(filterGraph(fullGraph, kindFilter, edgeFilter, search));
+	const trimmed = $derived(trimGraph(filtered));
+	const layout = $derived(layoutGraph(trimmed.graph));
+	const selectedNeighbours = $derived(
+		selectedId ? neighboursOf(trimmed.graph, selectedId) : new Set<string>(),
+	);
+	const selected = $derived(
+		selectedId ? (trimmed.graph.nodes.find((n) => n.id === selectedId) ?? null) : null,
+	);
+
+	const positionById = $derived.by(() => {
+		const m = new Map<string, { x: number; y: number }>();
+		for (const n of layout.nodes) m.set(n.id, { x: n.x, y: n.y });
+		return m;
+	});
+
+	const kindColour: Record<GraphNodeKind, string> = {
+		user: '#3b82f6',
+		group: '#a855f7',
+		tag: '#10b981',
+		node: '#f59e0b',
+		host: '#64748b',
+		wildcard: '#ef4444',
+	};
+
+	const edgeColour: Record<GraphEdgeKind, string> = {
+		'user-group': '#94a3b8',
+		'group-tag': '#94a3b8',
+		'user-tag': '#94a3b8',
+		'user-node': '#cbd5e1',
+		'tag-node': '#cbd5e1',
+		'acl-accept': '#10b981',
+		'acl-deny': '#ef4444',
+	};
+
+	const nodeKinds: { key: GraphNodeKind; label: string }[] = [
+		{ key: 'user', label: 'Users' },
+		{ key: 'group', label: 'Groups' },
+		{ key: 'tag', label: 'Tags' },
+		{ key: 'node', label: 'Nodes' },
+		{ key: 'host', label: 'Hosts' },
+		{ key: 'wildcard', label: 'Wildcard' },
+	];
+
+	const edgeKinds: { key: GraphEdgeKind; label: string }[] = [
+		{ key: 'user-group', label: 'User → Group' },
+		{ key: 'group-tag', label: 'Group → Tag' },
+		{ key: 'user-tag', label: 'User → Tag' },
+		{ key: 'user-node', label: 'User → Node' },
+		{ key: 'tag-node', label: 'Tag → Node' },
+		{ key: 'acl-accept', label: 'ACL accept' },
+	];
+
+	function edgeVisible(from: string, to: string): boolean {
+		if (!selectedId) return true;
+		return from === selectedId || to === selectedId;
+	}
+
+	function nodeDimmed(id: string): boolean {
+		if (!selectedId) return false;
+		return id !== selectedId && !selectedNeighbours.has(id);
+	}
+
+	function selectNode(id: string) {
+		selectedId = selectedId === id ? null : id;
+	}
+
+	function resetFilters() {
+		kindFilter = { ...DEFAULT_KIND_FILTER };
+		edgeFilter = { ...DEFAULT_EDGE_FILTER };
+		search = '';
+		selectedId = null;
+	}
+
+	/**
+	 * Return the point on the circumference of the circle centred at `anchor`
+	 * (radius `r`) that faces toward `toward`.  Used to stop edge lines at the
+	 * node boundary rather than at its centre.
+	 */
+	function edgeEndpoint(
+		anchor: { x: number; y: number },
+		toward: { x: number; y: number },
+		r: number,
+	): { x: number; y: number } {
+		const dx = toward.x - anchor.x;
+		const dy = toward.y - anchor.y;
+		const dist = Math.sqrt(dx * dx + dy * dy) || 1;
+		return { x: anchor.x + (dx / dist) * r, y: anchor.y + (dy / dist) * r };
+	}
+</script>
+
+<Page>
+	<PageHeader title="Visualise" />
+
+	<div
+		class="mb-4 px-4 py-2 rounded-md variant-ghost-warning border border-warning-500 flex items-center gap-2"
+		data-testid="experimental-banner"
+	>
+		<span class="badge variant-filled-warning">Experimental</span>
+		<span class="text-sm">
+			This page is under active development. Rendering of complex ACLs may be incomplete.
+		</span>
+	</div>
+
+	{#if trimmed.truncated}
+		<div
+			class="mb-4 px-4 py-2 rounded-md variant-ghost-surface border border-surface-400 flex items-center gap-2"
+			data-testid="truncation-banner"
+		>
+			<span class="badge variant-filled-surface">Note</span>
+			<span class="text-sm">
+				Large graph: only the first {MAX_NODES_PER_KIND} entities of each type are shown. Use the
+				search or entity filters to focus on a subset.
+			</span>
+		</div>
+	{/if}
+
+	<div class="grid grid-cols-1 lg:grid-cols-4 gap-4" data-testid="visualise-root">
+		<aside class="card p-4 lg:col-span-1 space-y-4" data-testid="visualise-filters">
+			<div>
+				<label class="label">
+					<span class="text-sm font-semibold">Search</span>
+					<input
+						type="text"
+						class="input rounded-md text-sm"
+						placeholder="Filter by label..."
+						bind:value={search}
+						data-testid="visualise-search"
+					/>
+				</label>
+			</div>
+
+			<div>
+				<div class="text-sm font-semibold mb-2">Entities</div>
+				<ul class="space-y-1">
+					{#each nodeKinds as k}
+						<li class="flex items-center justify-between">
+							<label class="flex items-center gap-2 text-sm">
+								<input
+									type="checkbox"
+									class="checkbox"
+									bind:checked={kindFilter[k.key]}
+									data-testid="kind-toggle-{k.key}"
+								/>
+								<svg
+									viewBox="0 0 24 24"
+									class="w-5 h-5 shrink-0"
+									style="color: {kindColour[k.key]}"
+									aria-hidden="true"
+								>
+									<path fill="currentColor" d={iconPaths[k.key]} />
+								</svg>
+								{k.label}
+							</label>
+						</li>
+					{/each}
+				</ul>
+			</div>
+
+			<div>
+				<div class="text-sm font-semibold mb-2">Relations</div>
+				<ul class="space-y-1">
+					{#each edgeKinds as e}
+						<li>
+							<label class="flex items-center gap-2 text-sm">
+								<input
+									type="checkbox"
+									class="checkbox"
+									bind:checked={edgeFilter[e.key]}
+									data-testid="edge-toggle-{e.key}"
+								/>
+								<span class="inline-block w-4 h-[2px]" style="background: {edgeColour[e.key]}"
+								></span>
+								{e.label}
+							</label>
+						</li>
+					{/each}
+				</ul>
+			</div>
+
+			<button
+				type="button"
+				class="btn btn-sm variant-soft w-full"
+				onclick={resetFilters}
+				data-testid="visualise-reset"
+			>
+				Reset filters
+			</button>
+
+			<div class="text-xs opacity-70" data-testid="visualise-counts">
+				Entities: {trimmed.graph.nodes.length} · Relations: {trimmed.graph.edges.length}
+			</div>
+		</aside>
+
+		<div class="lg:col-span-3 space-y-4">
+			<div class="card p-2 bg-surface-100-800-token overflow-auto" data-testid="visualise-canvas">
+				{#if trimmed.graph.nodes.length === 0}
+					<div class="p-8 text-center opacity-70" data-testid="visualise-empty">
+						No entities match the current filters.
+					</div>
+				{:else}
+					<svg
+						role="img"
+						aria-label="ACL node graph"
+						viewBox="0 0 {layout.width} {layout.height}"
+						width="100%"
+						height={layout.height}
+						data-testid="visualise-svg"
+					>
+						<defs>
+							<marker
+								id="arrow-acl"
+								viewBox="0 0 10 10"
+								refX="10"
+								refY="5"
+								markerWidth="8"
+								markerHeight="8"
+								orient="auto-start-reverse"
+							>
+								<path d="M0,0 L10,5 L0,10 z" fill={edgeColour['acl-accept']} />
+							</marker>
+							<marker
+								id="arrow-default"
+								viewBox="0 0 10 10"
+								refX="10"
+								refY="5"
+								markerWidth="8"
+								markerHeight="8"
+								orient="auto-start-reverse"
+							>
+								<path d="M0,0 L10,5 L0,10 z" fill="#94a3b8" />
+							</marker>
+						</defs>
+
+						<g class="edges">
+							{#each trimmed.graph.edges as e (e.id)}
+								{@const from = positionById.get(e.from)}
+								{@const to = positionById.get(e.to)}
+								{#if from && to}
+									{@const fromR = selectedId === e.from ? NODE_R_SEL : NODE_R}
+									{@const toR = selectedId === e.to ? NODE_R_SEL : NODE_R}
+									{@const ep1 = edgeEndpoint(from, to, fromR)}
+									{@const ep2 = edgeEndpoint(to, from, toR)}
+									<line
+										x1={ep1.x}
+										y1={ep1.y}
+										x2={ep2.x}
+										y2={ep2.y}
+										stroke={edgeColour[e.kind]}
+										stroke-width={e.kind === 'acl-accept' ? 2.5 : 1.5}
+										stroke-dasharray={e.kind === 'tag-node' ? '5 5' : undefined}
+										opacity={edgeVisible(e.from, e.to) ? 0.85 : 0.1}
+										marker-end={e.kind === 'acl-accept' ? 'url(#arrow-acl)' : 'url(#arrow-default)'}
+										data-testid="edge-{e.kind}"
+									/>
+								{/if}
+							{/each}
+						</g>
+
+						<g class="nodes">
+							{#each layout.nodes as n (n.id)}
+								{@const isSelected = selectedId === n.id}
+								{@const r = isSelected ? NODE_R_SEL : NODE_R}
+								<g
+									transform="translate({n.x},{n.y})"
+									class="cursor-pointer"
+									opacity={nodeDimmed(n.id) ? 0.2 : 1}
+									role="button"
+									tabindex="0"
+									aria-label="{n.kind} {n.label}"
+									data-testid="graph-node"
+									data-node-id={n.id}
+									data-node-kind={n.kind}
+									onclick={() => selectNode(n.id)}
+									onkeydown={(ev) => {
+										if (ev.key === 'Enter' || ev.key === ' ') {
+											ev.preventDefault();
+											selectNode(n.id);
+										}
+									}}
+								>
+									<!-- Coloured background circle -->
+									<circle
+										{r}
+										fill={kindColour[n.kind]}
+										stroke="white"
+										stroke-width={isSelected ? 3 : 2}
+									/>
+									<!-- MDI icon centred on the node, scaled to fit inside the circle -->
+									<g transform="translate(-12,-12) scale(1)">
+										<path d={iconPaths[n.kind]} fill="white" />
+									</g>
+									<!-- Label centred below the circle -->
+									<text
+										x="0"
+										y={r + 18}
+										font-size="13"
+										text-anchor="middle"
+										fill="currentColor"
+										class="select-none"
+									>
+										{n.label}
+									</text>
+								</g>
+							{/each}
+						</g>
+					</svg>
+				{/if}
+			</div>
+
+			<div class="card p-4" data-testid="visualise-details">
+				{#if selected}
+					<div class="flex items-center justify-between mb-2">
+						<div class="flex items-center gap-2">
+							<svg
+								viewBox="0 0 24 24"
+								class="w-5 h-5 shrink-0"
+								style="color: {kindColour[selected.kind]}"
+								aria-hidden="true"
+							>
+								<path fill="currentColor" d={iconPaths[selected.kind]} />
+							</svg>
+							<span class="font-semibold">{selected.label}</span>
+							<span class="badge variant-soft text-xs uppercase">{selected.kind}</span>
+						</div>
+						<button
+							type="button"
+							class="btn btn-sm variant-soft"
+							onclick={() => (selectedId = null)}
+							data-testid="visualise-clear-selection"
+						>
+							Clear
+						</button>
+					</div>
+					<div class="text-sm">
+						<div class="font-semibold mb-1">Connected to:</div>
+						{#if selectedNeighbours.size === 0}
+							<div class="opacity-70">No connections under the current filters.</div>
+						{:else}
+							<ul class="flex flex-wrap gap-2">
+								{#each trimmed.graph.nodes.filter((n) => selectedNeighbours.has(n.id)) as n}
+									<li>
+										<button
+											type="button"
+											class="chip variant-soft hover:variant-filled"
+											onclick={() => selectNode(n.id)}
+											data-testid="neighbour-chip"
+										>
+											<svg
+												viewBox="0 0 24 24"
+												class="w-3 h-3 mr-1 shrink-0"
+												style="color: {kindColour[n.kind]}"
+												aria-hidden="true"
+											>
+												<path fill="currentColor" d={iconPaths[n.kind]} />
+											</svg>
+											{n.label}
+										</button>
+									</li>
+								{/each}
+							</ul>
+						{/if}
+					</div>
+				{:else}
+					<div class="text-sm opacity-70" data-testid="visualise-no-selection">
+						Click an entity to inspect its direct relationships.
+					</div>
+				{/if}
+			</div>
+		</div>
+	</div>
+</Page>
diff --git a/src/visualise.test.ts b/src/visualise.test.ts
new file mode 100644
index 0000000..817a847
--- /dev/null
+++ b/src/visualise.test.ts
@@ -0,0 +1,343 @@
+import { describe, it, expect } from 'vitest';
+import {
+	buildGraph,
+	filterGraph,
+	trimGraph,
+	layoutGraph,
+	neighboursOf,
+	resolveEndpoint,
+	userId,
+	groupId,
+	tagId,
+	nodeId,
+	WILDCARD_ID,
+	MAX_NODES_PER_KIND,
+	DEFAULT_KIND_FILTER,
+	DEFAULT_EDGE_FILTER,
+	type KindFilter,
+	type EdgeFilter,
+} from '$lib/common/visualise';
+import type { ACL } from '$lib/common/acl.svelte';
+import type { Node, User } from '$lib/common/types';
+
+function user(name: string, id = name): User {
+	return {
+		id,
+		name,
+		createdAt: '2025-01-01T00:00:00Z',
+		displayName: name,
+		email: '',
+		providerId: '',
+		provider: 'local',
+		profilePicUrl: '',
+	};
+}
+
+function node(id: string, givenName: string, u: User, tags: string[] = []): Node {
+	return {
+		id,
+		machineKey: '',
+		nodeKey: '',
+		discoKey: '',
+		ipAddresses: [],
+		name: givenName,
+		givenName,
+		user: u,
+		lastSeen: null,
+		expiry: null,
+		preAuthKey: null,
+		createdAt: '2025-01-01T00:00:00Z',
+		registerMethod: 'REGISTER_METHOD_CLI',
+		online: true,
+		approvedRoutes: [],
+		availableRoutes: [],
+		subnetRoutes: [],
+		tags,
+	};
+}
+
+const sampleAcl: ACL = {
+	groups: { 'group:admin': ['alice'], 'group:dev': ['bob'] },
+	tagOwners: { 'tag:web': ['group:admin'], 'tag:db': ['alice'] },
+	hosts: {},
+	acls: [
+		{ action: 'accept', src: ['group:admin'], dst: ['*:*'] },
+		{ action: 'accept', src: ['tag:web'], dst: ['tag:db:5432'] },
+		{ action: 'accept', src: ['bob'], dst: ['tag:web:443'] },
+	],
+	ssh: [],
+};
+
+describe('resolveEndpoint', () => {
+	it('strips dst ports', () => {
+		expect(resolveEndpoint('tag:web:22')).toBe(tagId('tag:web'));
+		expect(resolveEndpoint('tag:web:80-90')).toBe(tagId('tag:web'));
+		expect(resolveEndpoint('*:*')).toBe(WILDCARD_ID);
+	});
+
+	it('resolves groups, tags, users, wildcards', () => {
+		expect(resolveEndpoint('group:admin')).toBe(groupId('group:admin'));
+		expect(resolveEndpoint('tag:web')).toBe(tagId('tag:web'));
+		expect(resolveEndpoint('alice')).toBe(userId('alice'));
+		expect(resolveEndpoint('*')).toBe(WILDCARD_ID);
+	});
+
+	it('returns null for CIDR and autogroup endpoints', () => {
+		expect(resolveEndpoint('10.0.0.0/8')).toBeNull();
+		expect(resolveEndpoint('192.168.1.1')).toBeNull();
+		expect(resolveEndpoint('autogroup:internet')).toBeNull();
+	});
+});
+
+describe('buildGraph', () => {
+	const users = [user('alice'), user('bob')];
+	const nodes = [
+		node('1', 'alice-laptop', users[0]),
+		node('2', 'bob-server', users[1], ['tag:web']),
+	];
+
+	it('creates one graph node per user/node/tag/group', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		const ids = new Set(g.nodes.map((n) => n.id));
+		expect(ids.has(userId('alice'))).toBe(true);
+		expect(ids.has(userId('bob'))).toBe(true);
+		expect(ids.has(nodeId('1'))).toBe(true);
+		expect(ids.has(nodeId('2'))).toBe(true);
+		expect(ids.has(groupId('group:admin'))).toBe(true);
+		expect(ids.has(groupId('group:dev'))).toBe(true);
+		expect(ids.has(tagId('tag:web'))).toBe(true);
+		expect(ids.has(tagId('tag:db'))).toBe(true);
+		expect(ids.has(WILDCARD_ID)).toBe(true);
+	});
+
+	it('does not duplicate a node if the user appears in several contexts', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		const aliceCount = g.nodes.filter((n) => n.id === userId('alice')).length;
+		expect(aliceCount).toBe(1);
+	});
+
+	it('adds user-node edges', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		const e = g.edges.find(
+			(x) => x.kind === 'user-node' && x.from === userId('alice') && x.to === nodeId('1'),
+		);
+		expect(e).toBeDefined();
+	});
+
+	it('adds tag-node edges for tagged nodes', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		const e = g.edges.find(
+			(x) => x.kind === 'tag-node' && x.from === tagId('tag:web') && x.to === nodeId('2'),
+		);
+		expect(e).toBeDefined();
+	});
+
+	it('adds user-group membership edges', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		expect(
+			g.edges.some(
+				(x) =>
+					x.kind === 'user-group' && x.from === userId('alice') && x.to === groupId('group:admin'),
+			),
+		).toBe(true);
+	});
+
+	it('adds group-tag and user-tag ownership edges', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		expect(
+			g.edges.some(
+				(x) =>
+					x.kind === 'group-tag' && x.from === groupId('group:admin') && x.to === tagId('tag:web'),
+			),
+		).toBe(true);
+		expect(
+			g.edges.some(
+				(x) => x.kind === 'user-tag' && x.from === userId('alice') && x.to === tagId('tag:db'),
+			),
+		).toBe(true);
+	});
+
+	it('creates acl-accept edges resolving src/dst', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		const aclEdges = g.edges.filter((e) => e.kind === 'acl-accept');
+		// group:admin -> *
+		expect(aclEdges.some((e) => e.from === groupId('group:admin') && e.to === WILDCARD_ID)).toBe(
+			true,
+		);
+		// tag:web -> tag:db (port stripped)
+		expect(aclEdges.some((e) => e.from === tagId('tag:web') && e.to === tagId('tag:db'))).toBe(
+			true,
+		);
+		// bob (user) -> tag:web
+		expect(aclEdges.some((e) => e.from === userId('bob') && e.to === tagId('tag:web'))).toBe(true);
+	});
+
+	it('tags every acl edge with its policy index', () => {
+		const g = buildGraph(users, nodes, sampleAcl);
+		const indexes = new Set(g.edges.filter((e) => e.kind === 'acl-accept').map((e) => e.policyIdx));
+		expect(indexes).toEqual(new Set([0, 1, 2]));
+	});
+
+	it('respects a policy index filter', () => {
+		const g = buildGraph(users, nodes, sampleAcl, { policyFilter: new Set([1]) });
+		const aclEdges = g.edges.filter((e) => e.kind === 'acl-accept');
+		expect(aclEdges.every((e) => e.policyIdx === 1)).toBe(true);
+	});
+
+	it('works when the ACL is missing', () => {
+		const g = buildGraph(users, nodes, null);
+		expect(g.nodes.length).toBeGreaterThan(0);
+		expect(g.edges.some((e) => e.kind === 'acl-accept')).toBe(false);
+	});
+});
+
+describe('filterGraph', () => {
+	const users = [user('alice'), user('bob')];
+	const nodes = [
+		node('1', 'alice-laptop', users[0]),
+		node('2', 'bob-server', users[1], ['tag:web']),
+	];
+	const graph = buildGraph(users, nodes, sampleAcl);
+
+	it('returns the graph untouched with default filters', () => {
+		const f = filterGraph(graph, DEFAULT_KIND_FILTER, DEFAULT_EDGE_FILTER);
+		expect(f.nodes.length).toBe(graph.nodes.length);
+		expect(f.edges.length).toBe(graph.edges.length);
+	});
+
+	it('hides nodes of a disabled kind and drops their edges', () => {
+		const kf: KindFilter = { ...DEFAULT_KIND_FILTER, tag: false };
+		const f = filterGraph(graph, kf, DEFAULT_EDGE_FILTER);
+		expect(f.nodes.some((n) => n.kind === 'tag')).toBe(false);
+		expect(f.edges.some((e) => e.kind === 'tag-node')).toBe(false);
+		expect(f.edges.some((e) => e.kind === 'group-tag')).toBe(false);
+	});
+
+	it('hides edges of a disabled kind but keeps endpoints', () => {
+		const ef: EdgeFilter = { ...DEFAULT_EDGE_FILTER, 'acl-accept': false };
+		const f = filterGraph(graph, DEFAULT_KIND_FILTER, ef);
+		expect(f.edges.some((e) => e.kind === 'acl-accept')).toBe(false);
+		expect(f.nodes.length).toBe(graph.nodes.length);
+	});
+
+	it('applies a case-insensitive search', () => {
+		const f = filterGraph(graph, DEFAULT_KIND_FILTER, DEFAULT_EDGE_FILTER, 'ALICE');
+		expect(f.nodes.some((n) => n.label === 'alice')).toBe(true);
+		expect(f.nodes.some((n) => n.label === 'bob')).toBe(false);
+	});
+});
+
+describe('neighboursOf', () => {
+	const users = [user('alice')];
+	const nodes = [node('1', 'alice-laptop', users[0], ['tag:web'])];
+	const g = buildGraph(users, nodes, {
+		groups: {},
+		tagOwners: {},
+		hosts: {},
+		acls: [],
+		ssh: [],
+	});
+
+	it('returns nodes connected by any edge, in either direction', () => {
+		const n = neighboursOf(g, nodeId('1'));
+		expect(n.has(userId('alice'))).toBe(true);
+		expect(n.has(tagId('tag:web'))).toBe(true);
+	});
+
+	it('returns empty for isolated nodes', () => {
+		expect(neighboursOf(g, 'does-not-exist').size).toBe(0);
+	});
+});
+
+describe('layoutGraph', () => {
+	const users = [user('alice'), user('bob')];
+	const nodes = [
+		node('1', 'alice-laptop', users[0]),
+		node('2', 'bob-server', users[1], ['tag:web']),
+	];
+	const g = buildGraph(users, nodes, sampleAcl);
+
+	it('assigns an (x,y) to every graph node', () => {
+		const laid = layoutGraph(g);
+		expect(laid.nodes.length).toBe(g.nodes.length);
+		for (const n of laid.nodes) {
+			expect(Number.isFinite(n.x)).toBe(true);
+			expect(Number.isFinite(n.y)).toBe(true);
+		}
+	});
+
+	it('places nodes of the same kind in a single column (shared x)', () => {
+		const laid = layoutGraph(g);
+		const userXs = new Set(laid.nodes.filter((n) => n.kind === 'user').map((n) => n.x));
+		expect(userXs.size).toBe(1);
+		const tagXs = new Set(laid.nodes.filter((n) => n.kind === 'tag').map((n) => n.x));
+		expect(tagXs.size).toBe(1);
+	});
+
+	it('places kinds in the documented left-to-right order', () => {
+		const laid = layoutGraph(g);
+		const xOf = (k: string) => laid.nodes.find((n) => n.kind === k)?.x ?? 0;
+		expect(xOf('user')).toBeLessThan(xOf('group'));
+		expect(xOf('group')).toBeLessThan(xOf('tag'));
+		expect(xOf('tag')).toBeLessThan(xOf('node'));
+	});
+
+	it('is deterministic for identical input', () => {
+		const a = layoutGraph(g);
+		const b = layoutGraph(g);
+		expect(a.nodes.map((n) => [n.id, n.x, n.y])).toEqual(b.nodes.map((n) => [n.id, n.x, n.y]));
+	});
+});
+
+describe('trimGraph', () => {
+	const alice = user('alice');
+	const bob = user('bob');
+
+	it('returns graph unchanged when all kinds are within limit', () => {
+		const g = buildGraph([alice, bob], [], null);
+		const { graph, truncated } = trimGraph(g, 5);
+		expect(graph.nodes.length).toBe(g.nodes.length);
+		expect(truncated).toBe(false);
+	});
+
+	it('keeps at most maxPerKind nodes per kind and sets truncated', () => {
+		// Build a graph with 5 users and check that trimming to 3 works.
+		const manyUsers = Array.from({ length: 5 }, (_, i) => user(`u${i}`, String(i)));
+		const g = buildGraph(manyUsers, [], null);
+		const usersBefore = g.nodes.filter((n) => n.kind === 'user').length;
+		expect(usersBefore).toBe(5);
+
+		const { graph, truncated } = trimGraph(g, 3);
+		expect(graph.nodes.filter((n) => n.kind === 'user').length).toBe(3);
+		expect(truncated).toBe(true);
+	});
+
+	it('drops edges whose endpoints were trimmed', () => {
+		const manyUsers = Array.from({ length: 5 }, (_, i) => user(`u${i}`, String(i)));
+		const acl: import('$lib/common/acl.svelte').ACL = {
+			groups: { 'group:all': manyUsers.map((u) => u.name) },
+			tagOwners: {},
+			hosts: {},
+			acls: [],
+			ssh: [],
+		};
+		const g = buildGraph(manyUsers, [], acl);
+		const { graph } = trimGraph(g, 2);
+		// All remaining edges must connect kept node ids
+		const keptIds = new Set(graph.nodes.map((n) => n.id));
+		for (const e of graph.edges) {
+			expect(keptIds.has(e.from)).toBe(true);
+			expect(keptIds.has(e.to)).toBe(true);
+		}
+	});
+
+	it('uses MAX_NODES_PER_KIND as the default limit', () => {
+		const manyUsers = Array.from({ length: MAX_NODES_PER_KIND + 1 }, (_, i) =>
+			user(`u${i}`, String(i)),
+		);
+		const g = buildGraph(manyUsers, [], null);
+		const { graph, truncated } = trimGraph(g);
+		expect(graph.nodes.filter((n) => n.kind === 'user').length).toBe(MAX_NODES_PER_KIND);
+		expect(truncated).toBe(true);
+	});
+});