Expose ports from the sandbox to your Tailnet to preview web apps running inside the agent's environment.
- Run a web server in the sandbox (e.g.,
npm run devon port 3000) - Expose the port
- Get a preview URL accessible from your Tailnet
Your Device → Tailscale (MagicDNS) → Sandbox Pod → Your App
iOS App: Previews tab → + → enter port → Expose
Agent: Can auto-expose ports when it detects a server starting.
Preview URL format: http://sandbox-<session-id>.YOUR-TAILNET.ts.net:<port>
iOS App: Previews tab → long-press or menu on a port → Remove Port
CLI: netclode port unexpose <session-id> <port>
Unexposing removes the port from the Tailscale Service and revokes network ingress. The preview URL stops working immediately.
- Tailnet only - URLs only work from devices on your Tailnet
- HTTP only - no HTTPS (Tailnet traffic is already encrypted by WireGuard)
- Multiple ports - same hostname, different ports
- Survives reconnects - exposed/unexposed state is persisted and restored on resume
Control-plane creates a Kubernetes Service with tailscale.com/expose: "true". Tailscale operator assigns MagicDNS hostname. NetworkPolicy updated to allow ingress from Tailscale CGNAT range (100.64.0.0/10).
Connection refused - server might be listening on 127.0.0.1 instead of 0.0.0.0. Use --host 0.0.0.0 for Vite, HOST=0.0.0.0 for CRA, etc.
Slow first request - Tailscale establishing direct connection. Subsequent requests are fast.