{"resources":{"tailscale":{"id":"tailscale","name":"tailscale","fields":{"aclPolicy":{"name":"aclPolicy","type":"\u001btailscale.aclPolicy","title":"Tailnet ACL (access control list) policy","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"device":{"name":"device","type":"\u001btailscale.device","title":"Tailscale device (also called a node or machine)","desc":" Examine a single device registered in the tailnet, identified by `id`: hostname, operating system, MagicDNS name, the user that registered it, ACL tags, all assigned Tailscale IP addresses (IPv4 and IPv6), the Tailscale client version and update-availability flag, the machine and node keys, tailnet-lock signing state, posture flags (`blocksIncomingConnections`, `authorized`, `isExternal`, `keyExpiryDisabled`), lifecycle timestamps (`createdAt`, `expiresAt`, `lastSeenAt`), and the advertised vs enabled subnet routes (each fetched per-device on demand).","provider":"go.mondoo.com/mql/v13/providers/tailscale","is_implicit_resource":true},"deviceApprovalRequired":{"name":"deviceApprovalRequired","type":"\u0004","title":"Whether new devices must be manually approved before joining the tailnet","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"devices":{"name":"devices","type":"\u0019\u001btailscale.device","title":"List devices in a tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"devicesAutoUpdatesEnabled":{"name":"devicesAutoUpdatesEnabled","type":"\u0004","title":"Whether devices in the tailnet are configured to receive automatic Tailscale client updates","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"devicesKeyDurationDays":{"name":"devicesKeyDurationDays","type":"\u0005","title":"Number of days before a device's auth key expires (0 means keys never expire)","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"nameservers":{"name":"nameservers","type":"\u0019\u0007","title":"List global DNS nameservers for a tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"networkFlowLoggingEnabled":{"name":"networkFlowLoggingEnabled","type":"\u0004","title":"Whether network flow logging is enabled for the tailnet","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"postureIdentityCollectionEnabled":{"name":"postureIdentityCollectionEnabled","type":"\u0004","title":"Whether device posture identity collection is enabled for the tailnet","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailnet":{"name":"tailnet","type":"\u0007","is_mandatory":true,"title":"Tailnet organization name","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"user":{"name":"user","type":"\u001btailscale.user","title":"Tailscale user","desc":" Examine a single user known to the tailnet, identified by `id`: display name, login name, profile picture, the owning tailnet, relation type (member vs shared), role (owner / admin / member / etc.), status (active / idle / suspended / needs-approval / over-billing-limit), the count of devices the user owns, `createdAt` / `lastSeenAt` lifecycle timestamps, and a `currentlyConnected` flag — used for access reviews and dormant / suspended-account hygiene.","provider":"go.mondoo.com/mql/v13/providers/tailscale","is_implicit_resource":true},"userApprovalRequired":{"name":"userApprovalRequired","type":"\u0004","title":"Whether new users must be manually approved before joining the tailnet","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"users":{"name":"users","type":"\u0019\u001btailscale.user","title":"List users of a tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"usersRoleAllowedToJoinExternalTailnets":{"name":"usersRoleAllowedToJoinExternalTailnets","type":"\u0007","title":"Lowest user role allowed to join external tailnets: 'none' (disabled), 'admin' (admins only), or 'member' (any member)","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"}},"title":"Tailscale tailnet","desc":" Examine a Tailscale tailnet (organization): its name, the devices and users it contains, the configured global DNS nameservers, the ACL policy, and the tailnet-wide hardening flags — device-approval and user-approval requirements, automatic-update enrollment, the auth-key expiration window, network-flow logging, posture identity collection, and which user role is allowed to join external tailnets.","min_provider_version":"11.0.0","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailscale.aclPolicy":{"id":"tailscale.aclPolicy","name":"tailscale.aclPolicy","fields":{"acls":{"name":"acls","type":"\u0019\n","is_mandatory":true,"title":"ACL access rules defining what each source (src) can connect to (dst, ports, action)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"autoApproverExitNodes":{"name":"autoApproverExitNodes","type":"\u0019\u0007","is_mandatory":true,"title":"Users or groups whose advertised exit-node routes are auto-approved","desc":"(empty means no users may auto-advertise as exit nodes)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"autoApproverRoutes":{"name":"autoApproverRoutes","type":"\u001a\u0007\u0019\u0007","is_mandatory":true,"title":"Subnet routes that are auto-approved when advertised by listed users/groups (CIDR → owners)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"defaultSourcePosture":{"name":"defaultSourcePosture","type":"\u0019\u0007","is_mandatory":true,"title":"Default device-posture rule names applied to every ACL source that doesn't specify its own srcPosture. Empty when posture rules are unused.","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"disableIPv4":{"name":"disableIPv4","type":"\u0004","is_mandatory":true,"title":"Whether IPv4 is disabled across the tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"etag":{"name":"etag","type":"\u0007","is_mandatory":true,"title":"ETag (version identifier) of the policy","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"groups":{"name":"groups","type":"\u001a\u0007\u0019\u0007","is_mandatory":true,"title":"Named groups of users used in ACL rules (group name → list of members)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"hosts":{"name":"hosts","type":"\u001a\u0007\u0007","is_mandatory":true,"title":"Named hosts (alias → IP/CIDR) referenced by ACL rules","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"nodeAttrs":{"name":"nodeAttrs","type":"\u0019\n","is_mandatory":true,"title":"Per-node attribute grants","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"oneCGNATRoute":{"name":"oneCGNATRoute","type":"\u0007","is_mandatory":true,"title":"Setting that affects how Tailscale routes traffic on the 100.64.0.0/10 CGNAT range","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"postures":{"name":"postures","type":"\u001a\u0007\u0019\u0007","is_mandatory":true,"title":"Named device posture rules referenced by name from src/defaultSrcPosture (rule name -\u003e list of posture conditions)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"randomizeClientPort":{"name":"randomizeClientPort","type":"\u0004","is_mandatory":true,"title":"Whether the Tailscale client is set to randomize its source port on each connection","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"raw":{"name":"raw","type":"\u0007","title":"Raw HuJSON representation of the policy","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"ssh":{"name":"ssh","type":"\u0019\n","is_mandatory":true,"title":"Tailscale SSH access rules","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tagOwners":{"name":"tagOwners","type":"\u001a\u0007\u0019\u0007","is_mandatory":true,"title":"Tag owners — users or groups allowed to assign each ACL tag (tag → list of owners)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailnet":{"name":"tailnet","type":"\u0007","is_mandatory":true,"title":"Tailnet name this ACL policy belongs to","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tests":{"name":"tests","type":"\u0019\n","is_mandatory":true,"title":"Connectivity tests embedded in the policy","provider":"go.mondoo.com/mql/v13/providers/tailscale"}},"title":"Tailscale tailnet ACL (access control list) policy","desc":" Examine the tailnet's parsed HuJSON ACL policy (https://tailscale.com/kb/1018/acls). The policy governs which users and devices can reach which others, and the resource exposes the ACL rules, named groups, host aliases, tag-owner assignments, Tailscale SSH rules, embedded connectivity tests, per-node attribute grants, exit-node and subnet-route auto-approvers, default and named device-posture rules, the IPv4-disabled flag, the OneCGNATRoute setting, the randomize-client-port flag, the policy `etag`, and the raw HuJSON for fall-through pattern matching.","min_provider_version":"13.0.7","defaults":"tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailscale.device":{"id":"tailscale.device","name":"tailscale.device","fields":{"addresses":{"name":"addresses","type":"\u0019\u0007","is_mandatory":true,"title":"List of Tailscale IP addresses for the device, including both IPv4 and IPv6 addresses","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"advertisedRoutes":{"name":"advertisedRoutes","type":"\u0019\u0007","title":"Subnet routes that the device is advertising (fetched per-device on demand)","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"authorized":{"name":"authorized","type":"\u0004","is_mandatory":true,"title":"Whether the device is authorized to join the tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"blocksIncomingConnections":{"name":"blocksIncomingConnections","type":"\u0004","is_mandatory":true,"title":"Whether the device is blocked from accepting connections over Tailscale, including pings","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"clientVersion":{"name":"clientVersion","type":"\u0007","is_mandatory":true,"title":"Version of the Tailscale client software (empty for external devices)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"createdAt":{"name":"createdAt","type":"\t","is_mandatory":true,"title":"Date when the device was added to the tailnet (empty for external devices)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"enabledRoutes":{"name":"enabledRoutes","type":"\u0019\u0007","title":"Subnet routes that are enabled (allowed) for the device — the device's effective subnet scope (fetched per-device on demand)","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"expiresAt":{"name":"expiresAt","type":"\t","is_mandatory":true,"title":"Expiration date of the device's auth key","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"hostname":{"name":"hostname","type":"\u0007","is_mandatory":true,"title":"Preferred identifier for a device (not supported yet)","desc":"nodeId string Machine name in the admin console","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"id":{"name":"id","type":"\u0007","is_mandatory":true,"title":"Legacy identifier for a device","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"isExternal":{"name":"isExternal","type":"\u0004","is_mandatory":true,"title":"Whether a device is shared into the tailnet (rather than a member of the tailnet)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"keyExpiryDisabled":{"name":"keyExpiryDisabled","type":"\u0004","is_mandatory":true,"title":"Whether key expiration is disabled for the device","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"lastSeenAt":{"name":"lastSeenAt","type":"\t","is_mandatory":true,"title":"When device was last active on the tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"machineKey":{"name":"machineKey","type":"\u0007","is_mandatory":true,"title":"Machine key used by Tailscale (empty for external devices)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"MagicDNS name of the device","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"nodeKey":{"name":"nodeKey","type":"\u0007","is_mandatory":true,"title":"Node key primarily used by Tailscale and required for select operations, such as adding a node to a locked tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"os":{"name":"os","type":"\u0007","is_mandatory":true,"title":"Operating system that the device is running","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tags":{"name":"tags","type":"\u0019\u0007","is_mandatory":true,"title":"An identity for the device that is separate from human users (used as part of an ACL to restrict access)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailnetLockError":{"name":"tailnetLockError","type":"\u0007","is_mandatory":true,"title":"Issue with the tailnet lock node-key signature on this device (only populated when tailnet lock is enabled)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailnetLockKey":{"name":"tailnetLockKey","type":"\u0007","is_mandatory":true,"title":"Node's tailnet lock key","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"updateAvailable":{"name":"updateAvailable","type":"\u0004","is_mandatory":true,"title":"Whether a Tailscale client version upgrade is available (empty for external devices)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"user":{"name":"user","type":"\u0007","is_mandatory":true,"title":"User who registered the device. For untagged devices this is also the device owner.","provider":"go.mondoo.com/mql/v13/providers/tailscale"}},"init":{"args":[{"name":"id","type":"\u0007","optional":true}]},"title":"Tailscale device (also called a node or machine)","desc":" Examine a single device registered in the tailnet, identified by `id`: hostname, operating system, MagicDNS name, the user that registered it, ACL tags, all assigned Tailscale IP addresses (IPv4 and IPv6), the Tailscale client version and update-availability flag, the machine and node keys, tailnet-lock signing state, posture flags (`blocksIncomingConnections`, `authorized`, `isExternal`, `keyExpiryDisabled`), lifecycle timestamps (`createdAt`, `expiresAt`, `lastSeenAt`), and the advertised vs enabled subnet routes (each fetched per-device on demand).","min_provider_version":"11.0.0","defaults":"id hostname os","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailscale.user":{"id":"tailscale.user","name":"tailscale.user","fields":{"createdAt":{"name":"createdAt","type":"\t","is_mandatory":true,"title":"Time the user joined the tailnet","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"currentlyConnected":{"name":"currentlyConnected","type":"\u0004","is_mandatory":true,"title":"Whether the user is currently connected to the tailnet","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"deviceCount":{"name":"deviceCount","type":"\u0005","is_mandatory":true,"title":"Number of devices the user owns","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"displayName":{"name":"displayName","type":"\u0007","is_mandatory":true,"title":"Name of the user","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"id":{"name":"id","type":"\u0007","is_mandatory":true,"title":"Unique identifier for the user","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"lastSeenAt":{"name":"lastSeenAt","type":"\t","is_mandatory":true,"title":"Last time the user was active on the tailnet — either via a node connection or by authenticating to a Tailscale service (including the admin panel)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"loginName":{"name":"loginName","type":"\u0007","is_mandatory":true,"title":"Email-like login name of the user","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"profilePicUrl":{"name":"profilePicUrl","type":"\u0007","is_mandatory":true,"title":"Profile picture URL for the user","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"role":{"name":"role","type":"\u0007","is_mandatory":true,"title":"Role of the user (owner, member, admin, etc.)","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"status":{"name":"status","type":"\u0007","is_mandatory":true,"title":"Status of the user","desc":"'active' - Last seen within 28 days 'idle' - Last seen more than 28 days ago 'suspended' - Suspended from accessing the tailnet 'needs-approval' - Unable to join tailnet until approved 'over-billing-limit' - Unable to join tailnet until billing count increased","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"tailnetId":{"name":"tailnetId","type":"\u0007","is_mandatory":true,"title":"Tailnet that owns the user","provider":"go.mondoo.com/mql/v13/providers/tailscale"},"type":{"name":"type","type":"\u0007","is_mandatory":true,"title":"Type of relation this user has to the tailnet (member or shared)","provider":"go.mondoo.com/mql/v13/providers/tailscale"}},"init":{"args":[{"name":"id","type":"\u0007","optional":true}]},"title":"Tailscale user","desc":" Examine a single user known to the tailnet, identified by `id`: display name, login name, profile picture, the owning tailnet, relation type (member vs shared), role (owner / admin / member / etc.), status (active / idle / suspended / needs-approval / over-billing-limit), the count of devices the user owns, `createdAt` / `lastSeenAt` lifecycle timestamps, and a `currentlyConnected` flag — used for access reviews and dormant / suspended-account hygiene.","min_provider_version":"11.0.0","defaults":"id displayName type","provider":"go.mondoo.com/mql/v13/providers/tailscale"}}}