Surprising ACL test failure depending on machines

I have an issue with surprising ACL test failures. I have the following policy

  {
    "acls": [
      { "action": "accept", "users": ["tag:personal"], "ports": ["*:*"] },
    ],
    "hosts": {
      "laptop": "",
    },
    "tests": [
      {
        "user": "tag:location",
        "allow": [],
        "deny": ["laptop:443"],
      },
    ],
  }

the following machines:

laptop: [tag:personal]
server: [tag:personal, tag:location]

and this test fails when server has tag:personal and passes when I untag it. That implies to me that the tests are somehow testing using other tags when testing tag:location.

Having the tests depend on the existing machines (when I don’t refer to that specific machine) feels unexpected. When I write a test like this, I want to test my rules about tag:location. This test should fail, because having tag:location isn’t enough to open a connection to laptop:443. It’s unrelated that a host tagged with tag:location also has tag:personal, which allows it to open the connection.

Otherwise, what’s the point of tests using "user": "tag:..."? I obviously want server to be able to do the things I tagged it to do; the other tags on the hosts under test should be irrelevant for "user": "tag:...". This makes such a test useless anytime there is more than one tag involved on a machine.

Furthermore, this is the current policy, which fails when it’s saved again because server was added after the policy was saved initially. This feels odd: shouldn’t a failure introduced by adding a machine either prevent the machine from being tagged, or raise a notification, or be surfaced somehow?

What can I do here?
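The two readings of the test contrasted in the post, as an added toy model that is not Tailscale's implementation and not code from the original post. It evaluates the post's own policy, machines and test under (A) "the source carries only the named tag" and (B) "the tag is expanded to every machine carrying it, and each machine is evaluated with all of its tags", which is the behaviour the poster infers from the observed pass/fail. The rule-matching helpers are simplified assumptions for illustration only.

```python
# Toy model of two possible semantics for an ACL test with "user": "tag:...".
# Added illustration, NOT Tailscale's code; the policy, machines and test
# below are the ones quoted in the post. Matching is deliberately minimal.

POLICY_ACLS = [
    {"action": "accept", "users": ["tag:personal"], "ports": ["*:*"]},
]

# Machines from the post: name -> set of tags (constructed sample data).
MACHINES = {
    "laptop": {"tag:personal"},
    "server": {"tag:personal", "tag:location"},
}

# Same tailnet after the poster removes tag:personal from server.
MACHINES_SERVER_UNTAGGED = {
    "laptop": {"tag:personal"},
    "server": {"tag:location"},
}

TEST = {"user": "tag:location", "allow": [], "deny": ["laptop:443"]}


def rule_allows(rule, src_tags, dst_host, dst_port):
    """Does one accept rule let a source carrying src_tags reach dst_host:dst_port?"""
    if rule["action"] != "accept":
        return False
    # The source matches if it carries any tag listed in the rule.
    if not any(u in src_tags for u in rule["users"]):
        return False
    for spec in rule["ports"]:
        host, _, port = spec.rpartition(":")
        if host in ("*", dst_host) and port in ("*", dst_port):
            return True
    return False


def allowed(acls, src_tags, dst):
    """True if any rule in the policy permits the connection."""
    host, _, port = dst.rpartition(":")
    return any(rule_allows(r, src_tags, host, port) for r in acls)


def run_test_tag_only(acls, test):
    """Interpretation A: the test source carries ONLY the tag named in "user".

    Returns the list of destinations whose expectation was violated."""
    src = {test["user"]}
    failures = [d for d in test["allow"] if not allowed(acls, src, d)]
    failures += [d for d in test["deny"] if allowed(acls, src, d)]
    return failures


def run_test_machine_expansion(acls, machines, test):
    """Interpretation B: expand the tag to every machine carrying it and
    evaluate each such machine with ALL of its tags.

    Returns (machine, destination) pairs whose expectation was violated."""
    failures = []
    for name, tags in machines.items():
        if test["user"] not in tags:
            continue
        failures += [(name, d) for d in test["allow"] if not allowed(acls, tags, d)]
        failures += [(name, d) for d in test["deny"] if allowed(acls, tags, d)]
    return failures


if __name__ == "__main__":
    print("A, tag only:            ", run_test_tag_only(POLICY_ACLS, TEST))
    print("B, server both tags:    ", run_test_machine_expansion(POLICY_ACLS, MACHINES, TEST))
    print("B, server untagged:     ", run_test_machine_expansion(POLICY_ACLS, MACHINES_SERVER_UNTAGGED, TEST))
```

Under A the deny holds, because no rule mentions tag:location. Under B the test fails only while server also carries tag:personal, since that tag's `*:*` rule lets server reach laptop:443; untagging server makes B pass again, which is exactly the pass/fail pattern described above. The model also shows why, under B, a test's outcome changes when a machine is tagged later, without the policy text itself changing.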