Tailscale private access
Tailscale is a first-class access mode for teams that want private shell or runtime routes. It can run beside Auth0 login and signed dev links, or a workspace can be Tailscale-only when public dev link access should stay closed.
tailnet: acme.ts.net
shell: tagged envforge-shell
runtime: tagged envforge-runtime
public dev gateway: optional
signed dev links: app surface only
Access modes
The product setting should say whether the team is opening shell access, runtime access, or a fully private workspace. Users should not need raw VM names, IP addresses, or unmanaged SSH hostnames.
Private SSH surface: Developers and agents can reach the workspace shell through the customer tailnet when the organization enables private shell access.
Private service surface: Runtime services can join the same tailnet for private app, API, database proxy, cache, or worker debugging without turning those routes public.
Public gateway disabled: A workspace can keep public dev link access off while still allowing approved tailnet users to reach shell and runtime surfaces.
Provisioning
EnvForge should own the lifecycle instead of asking every workspace to paste an auth key into a shell. The organization connects once, then shell and runtime VMs join with tags that policy can understand.
An organization admin connects a scoped Tailscale OAuth client for automated device provisioning.
EnvForge stores the OAuth client secret as an organization-scoped SecureString and does not copy it into workspace repos.
Shell and runtime VMs join the tailnet with organization and workspace tags so policy can distinguish shell, runtime, and dedicated hosts.
When a host is replaced, a runtime is deprovisioned, or an organization disconnects Tailscale, EnvForge removes stale devices.
Policy boundary
The public dev gateway can stay enabled for signed reviewer links while Tailscale covers private shell or runtime surfaces. Signed dev links still block SSH, logs, secrets, and runtime admin.
| Surface | Owns | Never |
| --- | --- | --- |
| EnvForge product authorization | Login, organization context, project role checks, signed link creation, billing, and admin settings. | Bypassing EnvForge product authorization just because a device is on the tailnet. |
| Signed dev links | Public reviewer access to web, same-origin /api, assets, WebSockets, and marketing routes. | SSH, logs, secrets, runtime admin, root policy, Mailpit, and private resource consoles. |
| Tailscale | Private shell and runtime routes for approved tailnet users and tagged EnvForge devices. | Expanding public dev link scope or replacing EnvForge role checks. |
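The tag split from Provisioning and the boundary above, written as a Tailscale policy file (HuJSON). This is an added illustration, not EnvForge's shipped policy; the group name, user addresses, runtime ports, and the tag:envforge-provisioner tag assumed to be carried by the OAuth client are assumptions. Tailscale denies anything not listed, so these rules are the whole private surface.

```json
{
  // Tag ownership: only the provisioner's OAuth client (assumed to carry
  // tag:envforge-provisioner) may mint keys for the shell and runtime tags,
  // so a human cannot hand-tag an unmanaged host into the private surface.
  "tagOwners": {
    "tag:envforge-provisioner": ["autogroup:admin"],
    "tag:envforge-shell": ["tag:envforge-provisioner"],
    "tag:envforge-runtime": ["tag:envforge-provisioner"]
  },

  // Assumed group; in practice it is mapped from the identity provider.
  "groups": {
    "group:acme-devs": ["alice@acme.example", "bob@acme.example"]
  },

  "acls": [
    // Private SSH surface: approved users reach shell hosts on port 22 only.
    {"action": "accept", "src": ["group:acme-devs"], "dst": ["tag:envforge-shell:22"]},

    // Private service surface: the runtime ports a developer debugs (assumed
    // values), not "*", so a runtime host never becomes a second shell surface.
    {"action": "accept", "src": ["group:acme-devs"], "dst": ["tag:envforge-runtime:3000,8080,5432,6379"]},

    // Shell hosts may reach runtime hosts; there is no rule from runtime to shell.
    {"action": "accept", "src": ["tag:envforge-shell"], "dst": ["tag:envforge-runtime:*"]}
  ],

  // Tailscale SSH: who may log in, as which user, with a fresh re-auth check.
  // Nothing here grants EnvForge product authorization; login, role checks and
  // signed links stay with EnvForge even for a device that matches these rules.
  "ssh": [
    {"action": "check", "src": ["group:acme-devs"], "dst": ["tag:envforge-shell"], "users": ["autogroup:nonroot"]}
  ]
}
```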