Access model
EnvForge separates identity, repository access, reviewer dev links, private network access, and root policy so teams can reason about who can use each workspace surface before envforge up runs.
Signed dev link summary:
  allowed: web, api, assets, websockets, marketing
  blocked: SSH, Mailpit, MinIO console, logs, secrets, runtime admin
  session: workspace-scoped browser cookie
  wake: runtime can start on dev request
Access paths
The CLI and dashboard should describe product access. Raw hostnames, runtime IDs, cloud credentials, and internal network details stay out of the normal developer handoff.
Identity
  Grants: Dashboard, CLI login, organization context, and authenticated dev sessions.
  Does not grant: Project actions when the EnvForge role does not allow them.

Repository access
  Grants: Selected repositories, setup PRs, checkout metadata, and webhook events.
  Does not grant: Broad personal tokens and repositories outside the installation scope.

Reviewer dev links
  Grants: Web, same-origin /api, assets, WebSockets, and marketing routes for one workspace.
  Does not grant: SSH, Mailpit, MinIO console, logs, secrets, and runtime admin.

Private network access
  Grants: Tagged shell or runtime devices inside the customer tailnet.
  Does not grant: Public gateway access when a workspace is configured as Tailscale-only.

Root policy
  Grants: Approved org-scoped elevation or dedicated runtime workflows.
  Does not grant: Dev link expansion, platform secrets, and cross-organization access.
Revocation checks
Production-facing access docs should make revocation as concrete as granting access. The action depends on whether the risk is a CLI session, repository installation, signed reviewer link, private network path, or approved root window.
Scope: user + organization
  Action: Revoke the user session or product role when a person should no longer open shells, view workspace state, or issue dev links.
  Effect: Shell and dashboard access close before workspace actions run.

Scope: selected repositories
  Action: Remove repository installation access when EnvForge should stop preparing or checking out a repo for new workspaces.
  Effect: Repo access changes are separate from existing signed browser sessions.

Scope: link id + expiration
  Action: Expire or revoke the dev link when reviewer access should stop without deleting the workspace shell or runtime state.
  Effect: The gateway stops app traffic before it reaches the runtime.

Scope: Tailscale tag
  Action: Remove or retag the device when shell or private runtime routes should stop using the customer tailnet.
  Effect: Private access changes do not widen public dev links.

Scope: approval window
  Action: Close the approved elevation window when the package install, host repair, or debugging task is complete.
  Effect: Root policy returns to the organization default.

Signed dev flow
Reviewers open the product surface, not a tunnel. EnvForge verifies the signed dev scope first, then uses that same session for browser routes, /api, assets, and realtime traffic. A sleeping runtime can wake on the first dev request without granting operational access.
1. service / workspace / org / expires: EnvForge checks the signed service, workspace, organization, and expiration before setting a workspace-scoped browser session for the dev host.
2. fetch("/api/orders"): Frontend routes, static assets, same-origin /api calls, and WebSockets pass through the same signed dev session for the branch workspace.
3. asleep -> waking -> ready: If the runtime is asleep, the dev gateway wakes the selected runtime, waits for the declared route to become ready, then forwards app, /api, asset, or realtime traffic.
4. ssh / logs / secrets / admin blocked: The signed dev session never opens SSH, raw logs, secret values, Mailpit, MinIO, runtime admin, or root policy controls.
Dev link scope
A link such as web--signed-links--bravara.dev.envforge.ai creates an expiring workspace browser session. It can wake the runtime for app traffic, but it cannot inherit shell, secret, log, or root privileges.

web, api, assets, websockets, marketing
  Frontend routes, same-origin API calls, static assets, realtime paths, and marketing pages can share one workspace session.
  Reviewers see the product surface.

SSH, Mailpit, MinIO console, logs, secrets, runtime admin
  Operational tools stay behind authenticated workspace access or private network access, even when the runtime wakes.
  Dev access never becomes administration.

root policy + Tailscale
  Root and private network access remain explicit organization settings with audit trails and do not widen signed dev scope.
  Privilege changes are product events.
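The signed dev flow and the dev link scope above, as an added illustration that is not EnvForge's own code: a gateway check that verifies the signed service, workspace, organization and expiration before any session exists, then admits only the web/api/assets/websockets/marketing surfaces and refuses operational routes. The token format (base64 JSON scope plus HMAC-SHA256), the host layout <service>--<workspace>--<org>.dev.envforge.ai, and the route prefixes are assumptions for this example.

```python
import base64, hashlib, hmac, json, time

# Surfaces a signed dev session may reach (from the page). Route prefixes for the
# operational tools it must never reach are assumed for this example.
ALLOWED_SURFACES = {"web", "api", "assets", "websockets", "marketing"}
BLOCKED_PREFIXES = ("/ssh", "/logs", "/secrets", "/mailpit", "/minio", "/runtime-admin")
SURFACE_PREFIXES = (("/api/", "api"), ("/assets/", "assets"), ("/ws/", "websockets"), ("/marketing/", "marketing"))

def host_scope(host: str) -> dict:
    """Assumed host layout: <service>--<workspace>--<org>.dev.envforge.ai."""
    service, workspace, org = host.split(".", 1)[0].split("--")
    return {"service": service, "workspace": workspace, "org": org}

def sign_scope(scope: dict, key: bytes) -> str:
    """Issue a dev link token as base64(JSON scope).hex(HMAC-SHA256); format assumed."""
    payload = base64.urlsafe_b64encode(json.dumps(scope, sort_keys=True).encode()).decode()
    return payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def verify_scope(token: str, key: bytes, host: str, now=None):
    """Return the scope only if signature, service/workspace/org and expiry all check out."""
    now = time.time() if now is None else now
    payload, _, mac = token.rpartition(".")
    want = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(mac, want):
        return None  # forged or malformed: no session is set
    scope = json.loads(base64.urlsafe_b64decode(payload))
    if any(scope.get(k) != v for k, v in host_scope(host).items()):
        return None  # token is bound to a different service, workspace or org
    if scope.get("expires", 0) <= now:
        return None  # expired link: access stops without touching the runtime
    return scope

def route_surface(path: str):
    """Map a request path to a dev surface, or None for operational routes."""
    if path.startswith(BLOCKED_PREFIXES):
        return None
    for prefix, surface in SURFACE_PREFIXES:
        if path.startswith(prefix):
            return surface
    return "web"  # everything else is the frontend

def authorize(token: str, key: bytes, host: str, path: str, now=None) -> bool:
    """Gateway decision: valid signed scope AND an allowed surface. Waking the
    runtime happens after this check and never widens it."""
    scope = verify_scope(token, key, host, now)
    return scope is not None and route_surface(path) in ALLOWED_SURFACES
```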