Network Posture — Environments, Trust, and Validation
Contributors rarely work from a single machine. Code moves from a workstation through a workspace to servers at the edge. Each hop has different observers, egress paths, and trust boundaries. Network posture is the practice of knowing which environment you are on, who can see traffic at each layer, and whether probes confirm the region and role you expect.
This guide is general reference for operators and contributors. Planned tooling helps capture snapshots; it does not replace judgment about where secrets live or who you trust on these paths.
Status
Concepts here reference YOZSH CLI design intent. Operating out of many environments with different configurations, paths, and privileges open gaps in know-how or expertise. Tools to probe and validate unlike hosts before misplaced trust compounds into operational risk. yo log network and background JSONL watching are in development; command details live on the log network reference page.
Three Environments
Most YOZSH workflows span three layers:
[Workstation] ----remote session----> [Dev server / workspace]
| (SSH, IDE remote) |
| (optional direct deploy) |
+---------------- wrangler deploy / CI --> [Production edge]Each arrow is a trust relationship, not just a network path. That trust accumulates as closed sessions leave persistent access that outlast logins on every machine that has ever connected until someone audits the server and rotates and revokes what should have ended — Access Security (in progress) goes more in depth about SSH keys.
Egress probes classify the host you are measuring; they do not list who still holds a shell path in. Probes and trust reviews both start by naming which layer is in scope. The table maps each hop from the diagram: where that layer usually runs, what its uplink looks like to the internet, and what credentials or ingress it is expected to hold.
| Layer | Typical host | Uplink | Role |
|---|---|---|---|
| Workstation | macOS or Linux laptop, Windows desktop | Residential or office ISP | Local credentials, git auth, IDE, personal secrets |
| Workspace | Development container, EC2 or GCE VM, shared build server | Cloud provider or colo ASN | Build, test, deploy commands — often where code runs even when the UI feels local |
| Production | Serverless worker, PaaS app, CDN-fronted API | Provider or CDN edge | Public ingress, auth gates, customer-facing trust boundary |
Key insight: the three layers are separate environments, not different views of one machine. Each hop has its own uplink, observers, and credential surface — a check on your workstation only describes that workstation’s path to the internet, not the workspace where a build executes or the production edge that serves customers. Logs that look alike across layers are a hint, not proof the hosts share an uplink or role.
Three different “locations”
Probes and tunnels are often confused with physical place. Separate three ideas:
| Concept | Meaning | Example |
|---|---|---|
| Physical location | Where a person sits | Apartment in Dallas |
| Network egress | Public IP, ASN, outbound path | Residential Comcast vs AWS us-east-1 |
| Nearest edge / relay | Closest PoP or relay region from this host’s uplink | CF colo DFW, Tailscale home region dfw |
Probes measure egress and nearest edge. They do not infer physical location unless you record it separately (site tag, manual label). The same metro code on workstation and dev host does not mean they are the same machine — region label match ≠ same host.
Trust boundaries when routing data
Security posture starts with who can observe or alter traffic at each hop.
Workstation → development
Typical paths: SSH, VS Code Remote, Tailscale SSH, corporate VPN.
| Question | Why it matters |
|---|---|
| Do you trust the dev host operator? | They can read session traffic and files on the remote side |
| Who still has shell access? | Each connecting workstation may leave a long-lived SSH key on the server — access accumulates and is hard to revoke peer-to-peer |
| Split tunnel or full tunnel? | Full tunnel sends general internet via VPN/exit — shifts egress trust |
| Where do deploy credentials live? | Tokens on the workstation vs only on CI/dev affect blast radius |
Development → production
Typical paths: wrangler deploy, CI pipelines, git push to deploy hooks.
| Question | Why it matters |
|---|---|
| Who holds deploy credentials? | Compromise of dev workspace may equal production write access |
| Does CI egress match policy? | Build runners in unexpected regions may violate compliance |
| Is dev the only deploy path? | Direct deploy from a laptop bypasses review gates |
Workstation → production (direct)
Browser admin, API tokens, or local wrangler deploy skip the dev layer. Document when that is intentional — the trust model differs from “everything through CI.”
Split tunnel vs exit node (Tailscale)
Default Tailscale is split tunnel: only tailnet and advertised subnet traffic use WireGuard; general internet uses the normal ISP path.
With an exit node enabled, selected or all internet traffic may egress via another tailnet device. You trust the exit operator like a commercial VPN for that traffic. Egress probes may then describe the exit’s region and IP, not your home uplink — record whether an exit node was in use when you interpret a snapshot.
Secure tunnels — complementary roles
Tailscale and cloudflared solve different problems. Using both is common; conflating them leads to false confidence about who can reach what and where traffic exits.
| Tool | Connects | Best for | Trust implication |
|---|---|---|---|
| Tailscale | Your devices (mesh) | Private access between workstation, dev hosts, subnet routers; optional exit node | Trust tailnet ACLs and peer operators; know which peers and routes you have exposed |
| cloudflared | Your service to Cloudflare | Ingress tunnel from origin or dev preview to the edge without opening inbound ports | Trust Cloudflare path and tunnel credential; good for controlled URLs to private origins |
- Tailscale answers: “Can I reach my dev box on the tailnet?”
- cloudflared answers: “Can users reach this service through Cloudflare without a public listener?”
Both appear in the YOZSH dev stack as optional devcontainer features. Tunnels change paths — they do not replace the need to validate that a host’s egress and role still match what you expect after you enable them.
Why validate at two layers
No single check answers every posture question. Split private mesh health from internet egress:
| Layer | Question | What helps |
|---|---|---|
| Private mesh / tailnet | Can expected peers still reach this host? Is connectivity degraded? | Tailscale admin tools, occasional status / ping when troubleshooting |
| Internet egress | Which edge and provider path describe this host’s outbound traffic? Residential or cloud? | Lightweight probes to endpoints you operate (for example a Cloudflare Worker GET /v1/ping) |
Why bother with periodic checks? Tunnels, travel, VPN exit nodes, and new dev workspaces all change fingerprints without announcing themselves. A snapshot when things look wrong — or when policy says to re-verify — catches “this machine now egresses like a datacenter” or “this colo jumped after I enabled exit” before deploy credentials ride the wrong path.
Keep background checks polite. Prefer small HTTPS probes on infrastructure you control, logged on change rather than every few seconds. Reserve deep tailnet diagnostics for ad hoc troubleshooting — not a tight loop against shared relay infrastructure.
Different tools measure different paths. A mesh relay latency report and a CDN edge round-trip both mention regions like “Dallas” on a Texas uplink — that overlap is a hint, not proof they saw the same route. Use both only when you need to reconcile a mismatch.
Probing scenarios — validating operating regions
Use consistent fingerprints plus role tags to ask: is this the environment I think it is?
A — Contributor at home, dev workspace in nearby cloud
| Signal | Workstation | Dev container |
|---|---|---|
| ASN | Residential ISP | Cloud provider |
| Edge colo | Near home uplink | Near DC uplink — may share metro code with home |
| When contributor travels | Workstation fingerprint changes | Dev fingerprint stable |
Takeaway: nearby region labels on both hosts do not prove they share an uplink. ASN and stability when you travel discriminate home from cloud.
B — Remote IDE or SSH — work happens on the dev server
The UI feels local; builds and posture checks on the laptop describe the thin client only. Instrument the host where code runs for deploy and runtime validation.
The same split applies to RDP, Citrix, and VS Code Remote: network checks on the client describe home uplink, not remote compute. Access is also split: every machine that has ever connected to a shared dev server may still hold a shell path via its SSH key — retiring a laptop does not remove that trust unless someone cleans up the server side.
C — Exit node or tunneled egress
With a Tailscale exit node enabled, egress probes from the same client often show the exit region, not home. That mismatch is worth documenting in any snapshot — tunneled traffic shifts who you trust for metadata and cleartext on non-TLS paths.
D — Deploy from dev vs from workstation
Compare egress and target edge against policy:
- Deploy from dev workspace — expect cloud ASN and colo near build infrastructure.
- Deploy from workstation — expect residential or VPN egress unless CI mediates.
Drift from expected region or ASN warrants review before treating production as unchanged.
E — Cloud gaming (GeForce NOW): what you see vs where work runs
A clearer split than SSH, because there is no shell on the remote side — only a stream.
Setup: The game runs in NVIDIA’s datacenter; your home PC shows video and sends input. The PC is a thin client: it does not run the game’s network stack for game traffic.
| Where you check | What you see |
|---|---|
| Home PC (GeForce NOW app) | Residential ISP, home edge colo — looks like a normal workstation |
| Remote GPU session (when you can probe that host) | Datacenter ASN and colo — where compute actually runs |
Checks on the home PC alone cannot prove the workload is local. They only describe that machine’s uplink. The “local desktop” illusion is application-layer — pixels and input — not shared egress with the GPU host.
The same classification problem applies to RDP, Citrix, and VS Code Remote (scenario B), but GeForce NOW makes the gap obvious: residential fingerprint on the couch, datacenter workload you never SSH into. Tag role=thin-client on the machine you instrument and role=workload on the session host when you control both.
Takeaway: do not treat “this PC looks like home” as “this work runs at home.” Instrument or policy-check where compute executes, not only where the keyboard sits.
Signal matrix
| Signal | Likely workstation | Likely dev / relay | Thin client (remote UI) |
|---|---|---|---|
| ASN | ISP | AWS / GCP / colo | ISP on client only |
| Edge colo | Near user uplink | Near DC uplink | Near home on client |
| Fingerprint when user travels | Changes (if probed on laptop) | Stable on remote VM | Client changes; workload does not |
| Exit node | Usually off for baseline | Varies | Record if enabled |
Strongest discriminators: egress IP + ASN; colo/ASN change-only alerts; exit_node_in_use on every line; dual instrumentation (client + workload) when using remote devevelopment or streaming / remote display.
What validation cannot prove: malware, app-level streaming without host metadata, exact routing path, physical room, who still holds SSH keys on a shared server, or intent — only classification and drift for the host you measured.
How yo helps isolate and identify concerns
Planned yo log network packages the kind of validation described above — a repeatable snapshot when you need evidence, not a continuous scanner.
| Capability | Role |
|---|---|
| One-shot snapshot | Captures host status and edge reachability in one run; writes a human-readable log under ~/.yo/logs/ |
--watch → network.jsonl (planned) | Lightweight background checks to endpoints you control; append when fingerprint changes (colo, ASN, gateway, exit node) |
--last-json (planned) | Review the latest recorded snapshot without re-running checks |
Use snapshots to narrow concerns: unexpected cloud ASN on a machine tagged workstation, colo jump after enabling exit node, stable datacenter fingerprint while you travel (workload is remote). Follow with access review (who still has SSH or deploy access), ACL policy, and checks on the correct host.
Example JSONL shape (planned, abbreviated):
{
"event": "posture.snapshot",
"role": "dev-workspace",
"egress": { "asn": "AS16509", "public_ip": "…" },
"edges": [{ "provider": "cloudflare", "colo": "DFW", "rtt_ms": 28 }],
"tailscale": { "exit_node": null, "home_region": "dfw", "udp_ok": true }
}Protect network.jsonl like auth logs — it may contain IPs and ASN.
Operator practices
- Tag roles —
workstation,dev-workspace,productionon every snapshot host. - Probe where work runs — not only where the keyboard sits.
- Log on change — avoid noise; investigate colo, ASN, gateway, and exit-node shifts.
- ACL discipline — restrict exit node advertisement; review tailnet exposure (Tailscale exit nodes).
- Authenticate probes — bearer or header on Worker endpoints; rate-limit; do not publish URLs.
- Separate tunnel roles — Tailscale for device mesh; cloudflared for service ingress; record which path traffic used when interpreting egress.
Quick reference
| Question | What to use |
|---|---|
| Is egress mine or tunneled? | Custom probe IP/ASN/colo; note exit node / VPN state |
| Can expected peers still reach this host? | Tailscale admin, status / ping when troubleshooting |
| Did fingerprint change on this host? | Diff posture log snapshots (planned) |
| Home laptop vs datacenter dev VM? | ASN; stability when contributor travels |
| Run a validation snapshot now? | yo log network (planned) |
| Nearest Cloudflare edge from this host? | Custom Worker probe |