diff --git a/docs/changelog.d/+tailscale-doc-review.doc.md b/docs/changelog.d/+tailscale-doc-review.doc.md new file mode 100644 index 0000000..25a1fcc --- /dev/null +++ b/docs/changelog.d/+tailscale-doc-review.doc.md @@ -0,0 +1 @@ +Review and correct Tailscale reference doc: fix ACL path, add missing device tags (ringtail, per-service tags, ci-gateway, flyio-proxy), correct access matrix (PyPI→DevPI, homelab grants), add SSH homelab→homelab rule, document auto approvers, add last-reviewed frontmatter. diff --git a/docs/reference/infrastructure/tailscale.md b/docs/reference/infrastructure/tailscale.md index 5ccbaf1..e266a05 100644 --- a/docs/reference/infrastructure/tailscale.md +++ b/docs/reference/infrastructure/tailscale.md @@ -1,6 +1,7 @@ --- title: Tailscale -modified: 2026-02-08 +modified: 2026-03-22 +last-reviewed: 2026-03-22 tags: - infrastructure - networking @@ -12,7 +13,7 @@ Tailnet `tail8d86e.ts.net` provides secure networking for all BlumeOps infrastru ## ACL Management -ACLs managed via Pulumi in `pulumi/policy.hujson`. +ACLs managed via Pulumi in `pulumi/tailscale/policy.hujson`. ## Groups 
@@ -24,27 +25,42 @@ ACLs managed via Pulumi in `pulumi/policy.hujson`. | Tag | Devices | Purpose | |-----|---------|---------| -| `tag:homelab` | indri | Server infrastructure | +| `tag:homelab` | indri, ringtail | Server infrastructure | | `tag:nas` | sifaka | Network-attached storage | -| `tag:blumeops` | indri, sifaka | Pulumi IaC managed resources | -| `tag:registry` | indri | Container registry access | -| `tag:k8s-api` | indri | Kubernetes API server access | -| `tag:k8s-operator` | (operator pod) | Tailscale operator for k8s | -| `tag:k8s` | (Ingress proxy pods) | Kubernetes Tailscale Ingress nodes | -| `tag:flyio-target` | (k8s Ingress nodes) | Endpoints reachable by fly.io proxy | +| `tag:blumeops` | indri, sifaka, ringtail | Pulumi IaC managed resources | +| `tag:registry` | indri | Container registry (Zot) | +| `tag:forge` | indri | Forgejo git hosting | +| `tag:loki` | indri | Loki log aggregation | +| `tag:k8s-api` | indri | Kubernetes API server (minikube) | +| `tag:k8s-operator` | (operator pod) | Tailscale operator for k8s — see [[tailscale-operator]] | +| `tag:k8s` | (Ingress proxy pods) | Kubernetes Tailscale Ingress nodes; each also carries a per-service tag (`tag:grafana`, `tag:kiwix`, `tag:devpi`, `tag:feed`, `tag:pg`) | +| `tag:ci-gateway` | (ephemeral CI containers) | CI containers pushing images to registry | +| `tag:flyio-proxy` | (Fly.io proxy container) | Public reverse proxy | +| `tag:flyio-target` | (designated Ingress endpoints) | Endpoints reachable by the Fly.io proxy | -**Important:** Don't tag user-owned devices (like gilbert). Tagging converts them to "tagged devices" which lose user identity and break user-based SSH rules. +**Important:** Don't tag user-owned devices (like gilbert) via Pulumi. Tagging converts them to "tagged devices" which lose user identity and break user-based SSH rules. 
Gilbert is referenced as `tag:workstation` in tagOwners for ownership purposes but remains user-owned so `blume.erich@gmail.com` identity is preserved. ## Access Matrix -| Source | Kiwix | Forge | PyPI | Miniflux | PostgreSQL | NAS | Grafana | Loki | -|--------|-------|-------|------|----------|------------|-----|---------|------| +| Source | Kiwix | Forge | DevPI | Miniflux | PostgreSQL | NAS | Grafana | Loki | +|--------|-------|-------|-------|----------|------------|-----|---------|------| | `autogroup:admin` | Y | Y | Y | Y | Y | Y | Y | Y | -| `autogroup:member` | Y | Y | Y | Y | Y | - | - | - | -| `tag:homelab` | - | - | - | - | - | Y | - | - | +| `autogroup:member` | Y | Y (443, SSH) | Y | Y | Y (5432) | - | - | - | +| `tag:homelab` | - | - | - | - | Y (5432) | Y | - | Y (3100) | +| `tag:k8s` | - | Y (3001, 2200) | - | - | - | - | - | - | -- **Admins** - full access to all services -- **Members** - member services only, no Grafana/Loki/NAS +- **Admins** — full access to all services +- **Members** — user-facing services only; no Grafana, Loki, or NAS +- **Homelab** — server-to-server: full mutual access between homelab peers (including SSH), full NAS access, and k8s service access (443, 5432, 9187) +- **K8s** — can reach registry (443) and forge on indri (HTTP 3001, SSH 2200) for GitOps + +Additional grants not shown in the matrix: +- `tag:flyio-proxy` → `tag:flyio-target` on tcp:443 only +- `tag:ci-gateway` → `tag:registry` on tcp:443 +- `tag:k8s` → `tag:registry` on tcp:443 +- `tag:homelab` → `tag:k8s` on tcp:443, tcp:5432, tcp:9187 + +See `pulumi/tailscale/policy.hujson` for the full grant definitions. ## SSH Access 
@@ -53,6 +69,11 @@ ACLs managed via Pulumi in `pulumi/policy.hujson`. | `autogroup:member` | `autogroup:self` | check | | `autogroup:admin` | `tag:homelab` | check (12h) | | `autogroup:admin` | `tag:nas` | check (12h) | +| `tag:homelab` | `tag:homelab` | accept (tagged devices cannot perform interactive auth) | + +## Auto Approvers + +ProxyGroup pods (`tag:k8s`) can auto-approve their own VIP Services. This is required for multi-cluster Tailscale Ingress routing — without it, advertised ProxyGroup routes are not approved. See [[tailscale-operator]] for ProxyGroup configuration details. ## OAuth Credentials
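Review bot: In the device tags hunk, the added qualifier "via Pulumi" in the **Important:** line weakens the warning: applying a tag to a user-owned device converts it to a tagged device whichever path applies it, so the line now reads as if tagging gilbert through the admin console would be safe. Suggest either dropping "via Pulumi" or stating what the qualifier distinguishes, for example that `tag:workstation` is only listed in tagOwners for gilbert and never applied to the node. The per-service tags listed inline in the `tag:k8s` row (`tag:grafana`, `tag:kiwix`, `tag:devpi`, `tag:feed`, `tag:pg`) also get no Purpose entry of their own; a short sentence under the table saying what a per-service tag is used for would keep the table self-describing.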
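Review bot: In the access matrix hunk, the same grants now live in two places and can drift: `tag:homelab` → `tag:k8s` on tcp:5432 appears as "Y (5432)" in the PostgreSQL column and again under "Additional grants not shown in the matrix", while the "Homelab" bullet cites 443 and 9187 that no column carries, and the registry grants (`tag:k8s` and `tag:ci-gateway` → `tag:registry` on tcp:443) appear only in the list even though Registry is the most common target. Suggest adding a Registry column so the matrix holds every target and keeping the list for the Fly.io proxy path only, with one sentence stating that `pulumi/tailscale/policy.hujson` is authoritative where prose and table disagree.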
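Review bot: In the SSH hunk, the new `tag:homelab` → `tag:homelab` row records the action as "accept" but not which SSH users the rule permits; because accept skips the check-mode re-authentication the admin rows rely on, the doc should state the rule's target users (root versus non-root) so a reader can judge what an indri-to-ringtail session is allowed to do. The parenthetical "tagged devices cannot perform interactive auth" explains why check is not used but reads as part of the action value; consider moving it to a sentence under the table. In the Auto Approvers section, the paragraph gives the reason for auto-approval but not what the policy's `autoApprovers` entry grants (which tag may approve which services or routes); a one-line excerpt from `pulumi/tailscale/policy.hujson` would make the "advertised ProxyGroup routes are not approved" failure mode checkable against the policy.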