Backfill read-only tailscale commands as coily passthroughs #17

Open
opened 2026-05-27 00:23:44 +00:00 by coilysiren · 0 comments

Problem

Bare tailscale is denied by the coily lockdown (correctly - tagged devices and tailnet-wide actions are sensitive). But there's no coily verb for the day-to-day read-only commands either, so Kai has to drop down to bare invocations or fall back to the admin web UI.

The investigation today (WSL SSH access debugging) needed tailscale status to see which devices are online and at what IPs, plus tailscale ping <host> to confirm reachability. Neither has a coily wrapper. Workaround was a one-off Python script (list_tailscale_devices.py, just filed as infrastructure#149) that hits the admin REST API.

Fix

Backfill the simple read-only tailscale CLI commands into coily as passthroughs. First pass:

  • coily ops tailscale status [--json] - device list with state
  • coily ops tailscale netcheck - NAT/derp diagnostics
  • coily ops tailscale ping <host> - reachability check
  • coily ops tailscale ip [host] - resolve tailnet IP
  • coily ops tailscale whois <ip|host> - reverse-lookup user/tags
  • coily ops tailscale dns status - MagicDNS state

These are all read-only on the local daemon. Pure passthroughs, no SSM resolution needed (the host is already authenticated to the tailnet).

Mutating commands stay denied (or move to a separate coily ops tailscale up-style flow with their own gates). The destructive ones - tailscale up, tailscale down, tailscale logout, tailscale set - are out of scope here.
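An added illustration of the gate described above, not agent-guard's own coilyRoutes code: a default-deny allowlist that passes the six read-only verbs through to the local tailscale binary as an argv list (no shell), explicitly refuses the mutating verbs, and refuses anything else by default. The per-verb argument counts and permitted flags are assumptions for the example.

```python
"""Default-deny route table for read-only tailscale passthroughs (constructed example)."""
import subprocess

# verb tuple -> (min positional args, max positional args, permitted flags). Assumed limits.
READ_ONLY = {
    ("status",): (0, 0, {"--json"}),
    ("netcheck",): (0, 0, set()),
    ("ping",): (1, 1, set()),
    ("ip",): (0, 1, set()),
    ("whois",): (1, 1, set()),
    ("dns", "status"): (0, 0, set()),
}
# Mutating verbs named in the issue; listed so the denial reason is explicit, not just "unknown".
MUTATING = {"up", "down", "logout", "set"}


def route(argv):
    """Return (allowed, reason, passthrough_argv). passthrough_argv is None when denied."""
    if not argv or argv[0] != "tailscale":
        return False, "not a tailscale invocation", None
    rest = list(argv[1:])
    if rest and rest[0] in MUTATING:
        return False, f"'tailscale {rest[0]}' is mutating; out of scope", None
    # Longest verb first so 'dns status' is matched before a bare 'dns' could be.
    for verb in sorted(READ_ONLY, key=len, reverse=True):
        if tuple(rest[: len(verb)]) != verb:
            continue
        args = rest[len(verb):]
        lo, hi, flags = READ_ONLY[verb]
        options = [a for a in args if a.startswith("-")]
        positional = [a for a in args if not a.startswith("-")]
        unexpected = [o for o in options if o not in flags]
        if unexpected:
            return False, f"flag not permitted on read-only route: {unexpected[0]}", None
        if not lo <= len(positional) <= hi:
            return False, f"wrong number of arguments for 'tailscale {' '.join(verb)}'", None
        return True, "read-only passthrough", ["tailscale", *verb, *args]
    return False, "not on the read-only allowlist (default deny)", None


def passthrough(argv):
    """Run the command only if the gate allows it; argv list form avoids shell interpretation."""
    allowed, reason, cmd = route(argv)
    if not allowed:
        raise PermissionError(reason)
    return subprocess.run(cmd, check=False).returncode
```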

Why coily and not a per-script Makefile target

The Python-script workaround pattern (one file per query) doesn't scale - every diagnostic question becomes a new file. Direct passthrough to the local tailscale binary is correct for read-only state. Same shape as coily ops kubectl and coily ops aws.

Where this lives

Code repo for the routing is coilysiren/agent-guard (the coilyRoutes table). The user-facing framing stays coily.

coilysiren added P4 and removed P3 labels 2026-05-31 07:01:26 +00:00
Reference
coilyco-flight-deck/ward#17