Docs / Access model

Access starts from the product surface, not the VM.

EnvForge separates identity, repository access, reviewer dev links, private network access, and root policy so teams can reason about who can use each workspace surface before envforge up runs.

signed dev link: default scope

allowed: web, api, assets, websockets, marketing

blocked: SSH, Mailpit, MinIO console, logs, secrets, runtime admin

session: workspace-scoped browser cookie

wake: runtime can start on dev request

Access paths

Every entry point has an allowed and blocked surface.

The CLI and dashboard should describe product access. Raw hostnames, runtime IDs, cloud credentials, and internal network details stay out of the normal developer handoff.

Path: Auth0 login
Allows: Dashboard, CLI login, organization context, and authenticated dev sessions.
Blocks: Project actions when the EnvForge role does not allow them.

Path: GitHub App
Allows: Selected repositories, setup PRs, checkout metadata, and webhook events.
Blocks: Broad personal tokens and repositories outside the installation scope.

Path: Signed dev link
Allows: Web, same-origin /api, assets, WebSockets, and marketing routes for one workspace.
Blocks: SSH, Mailpit, MinIO console, logs, secrets, and runtime admin.

Path: Tailscale private access
Allows: Tagged shell or runtime devices inside the customer tailnet.
Blocks: Public gateway access when a workspace is configured as Tailscale-only.

Path: Root policy
Allows: Approved org-scoped elevation or dedicated runtime workflows.
Blocks: Dev link expansion, platform secrets, and cross-organization access.

Revocation checks

Access changes should name the surface being closed.

Production-facing access docs should make revocation as concrete as granting access. The action depends on whether the risk is a CLI session, repository installation, signed reviewer link, private network path, or approved root window.

CLI session (scope: user + organization)

Revoke the user session or product role when a person should no longer open shells, view workspace state, or issue dev links.

Shell and dashboard access close before workspace actions run.

GitHub App scope (scope: selected repositories)

Remove repository installation access when EnvForge should stop preparing or checking out a repo for new workspaces.

Repo access changes are separate from existing signed browser sessions.

Signed dev link (scope: link id + expiration)

Expire or revoke the dev link when reviewer access should stop without deleting the workspace shell or runtime state.

The gateway stops app traffic before it reaches the runtime.

Private network (scope: Tailscale tag)

Remove or retag the device when shell or private runtime routes should stop using the customer tailnet.

Private access changes do not widen public dev links.

Root elevation (scope: approval window)

Close the approved elevation window when the package install, host repair, or debugging task is complete.

Root policy returns to the organization default.

Signed dev flow

One signed browser session covers web and same-origin /api.

Reviewers open the product surface, not a tunnel. EnvForge verifies the signed dev scope first, then uses that same session for browser routes, /api, assets, and realtime traffic. A sleeping runtime can wake on the first dev request without granting operational access.

request path: same-origin signed session

  1. Signed request (service / workspace / org / expires)

    The link creates a reviewer session.

    EnvForge checks the signed service, workspace, organization, and expiration before setting a workspace-scoped browser session for the dev host.

  2. Same-origin app (fetch("/api/orders"))

    Web and /api share one session.

    Frontend routes, static assets, same-origin /api calls, and WebSockets pass through the same signed dev session for the branch workspace.

  3. Runtime wake (asleep -> waking -> ready)

    The first dev request can wake services.

    If the runtime is asleep, the dev gateway wakes the selected runtime, waits for the declared route to become ready, then forwards app, /api, asset, or realtime traffic.

  4. Private surfaces (ssh / logs / secrets / admin blocked)

    Wake does not widen access.

    The signed dev session never opens SSH, raw logs, secret values, Mailpit, MinIO, runtime admin, or root policy controls.
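The four steps above, as an added worked example that is not EnvForge's own gateway code. It assumes a hypothetical token format (HMAC-SHA256 over the service, workspace, org, expiration and a link id), a constructed signing key, a constructed path-to-surface route table, and a runtime that becomes ready as soon as it is woken; none of those details are on the page. It also folds in the link-id revocation named in the revocation checks above: a revoked or expired link never creates a session, and a request for a blocked surface is refused before the runtime is touched, so a wake can never widen access.

```python
"""Toy dev gateway: verify a signed dev link, mint a workspace-scoped session,
wake the runtime on the first app request, and refuse private surfaces."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; how EnvForge manages its signing key is not on the page.
GATEWAY_KEY = b"constructed-demo-signing-key"

# Default dev link scope from the page: app surfaces allowed, operational ones blocked.
ALLOWED_SURFACES = {"web", "api", "assets", "websockets", "marketing"}
BLOCKED_SURFACES = {"ssh", "mailpit", "minio", "logs", "secrets", "admin"}

# Revoked link ids: the page revokes a dev link by link id + expiration.
REVOKED_LINK_IDS = set()

# Hypothetical path-to-surface mapping; the real route table is not on the page.
ROUTE_PREFIXES = [
    ("/api/", "api"), ("/assets/", "assets"), ("/ws", "websockets"),
    ("/marketing", "marketing"), ("/ssh", "ssh"), ("/mailpit", "mailpit"),
    ("/minio", "minio"), ("/logs", "logs"), ("/secrets", "secrets"),
    ("/admin", "admin"),
]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_dev_link(service, workspace, org, expires, link_id) -> str:
    """Issue a token over the fields the page names; the token format is hypothetical."""
    claims = {"service": service, "workspace": workspace, "org": org,
              "expires": expires, "link_id": link_id}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_dev_link(token: str, now=None):
    """Step 1: signature, expiration and revocation are checked before any
    session exists. Returns the claims, or None when no session may be created."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["expires"] <= now or claims["link_id"] in REVOKED_LINK_IDS:
        return None
    return claims


class Runtime:
    """Step 3: asleep -> waking -> ready. Readiness is immediate here; a real
    gateway waits for the declared route before forwarding."""
    def __init__(self):
        self.state = "asleep"
        self.transitions = []

    def wake(self) -> str:
        if self.state == "asleep":
            self.state = "waking"
            self.transitions.append("waking")
        if self.state == "waking":
            self.state = "ready"
            self.transitions.append("ready")
        return self.state


def classify_route(path: str) -> str:
    """Map a request path to a surface; anything unmatched is plain web traffic."""
    for prefix, surface in ROUTE_PREFIXES:
        if path.startswith(prefix):
            return surface
    return "web"


def handle_request(token: str, path: str, runtime: Runtime, now=None) -> dict:
    """One same-origin request carrying the dev session (step 2), with the
    blocked-surface check (step 4) applied before the runtime is woken."""
    claims = verify_dev_link(token, now)
    if claims is None:
        return {"status": 401, "reason": "invalid, expired or revoked dev link"}
    surface = classify_route(path)
    if surface in BLOCKED_SURFACES or surface not in ALLOWED_SURFACES:
        # Refused before touching the runtime: a blocked request never wakes it.
        return {"status": 403, "surface": surface, "runtime": runtime.state}
    if runtime.state != "ready":
        runtime.wake()
    session = {"workspace": claims["workspace"], "org": claims["org"],
               "expires": claims["expires"]}  # workspace-scoped cookie payload
    return {"status": 200, "surface": surface, "runtime": runtime.state,
            "session": session}


if __name__ == "__main__":
    token = sign_dev_link("web", "bravara", "example-org", 2000, "link-1")
    rt = Runtime()
    print(handle_request(token, "/", rt, now=1000))
    print(handle_request(token, "/api/orders", rt, now=1000))
    print(handle_request(token, "/ssh", Runtime(), now=1000))
```

The order of checks is the point: the signature and expiration gate everything, the surface check runs next, and only an allowed surface reaches the wake path, so a request for SSH or secrets fails closed against a sleeping runtime and leaves it asleep.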

Dev link scope

Signed dev links are app sessions, not admin tunnels.

A link such as web--signed-links--bravara.dev.envforge.ai creates an expiring workspace browser session. It can wake the runtime for app traffic, but it cannot inherit shell, secret, log, or root privileges.

Allowed by default: web, api, assets, websockets, marketing

Frontend routes, same-origin API calls, static assets, realtime paths, and marketing pages can share one workspace session.

Reviewers see the product surface.

Blocked by default: SSH, Mailpit, MinIO console, logs, secrets, runtime admin

Operational tools stay behind authenticated workspace access or private network access, even when the runtime wakes.

Dev access never becomes administration.

Policy escalation: root policy + Tailscale

Root and private network access remain explicit organization settings with audit trails and do not widen signed dev scope.

Privilege changes are product events.