temporal-community
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/docs.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 27 additions & 32 deletions b/‎README.md‎
Lines changed: 27 additions & 32 deletions
diff --git a/‎docs/architecture.md‎
Lines changed: 107 additions & 0 deletions b/‎docs/architecture.md‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎docs/index.md‎
Lines changed: 56 additions & 0 deletions b/‎docs/index.md‎
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,36 @@
+name: Docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - "pyproject.toml"
+      - ".github/workflows/docs.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python
+        run: uv python install 3.13
+
+      - name: Install docs dependencies
+        run: uv sync --group docs
+
+      - name: Deploy to GitHub Pages
+        run: uv run --group docs mkdocs gh-deploy --force --clean
@@ -227,3 +227,7 @@ slide-*.jpeg
 
 # Reference material used to design the theme (source PPTX, logo, bg PNGs)
 reference/
+
+# MkDocs build output
+site/
+.mkdocs_cache/
@@ -2,42 +2,35 @@
 
 Workshop materials for the joint Tailscale + Temporal session at **Replay 2026**.
 
-## What You'll Build
+## What you'll build
 
 A durable AI weather agent powered by Temporal, secured by Tailscale:
 
 - **Temporal** orchestrates an agentic loop where an LLM autonomously chains tool calls
-- **Tailscale** provides zero-config encrypted networking between your machine and the shared infrastructure
-- **Aperture** acts as an API gateway, proxying LLM calls with rate limiting and shared key management
-
-```
-┌─────────────────┐     Tailscale      ┌──────────────────┐
-│  Your Instruqt  │◄──── Tailnet ─────►│  Temporal Dev     │
-│  VM (Worker)    │                    │  Server (VPS)     │
-│                 │                    │  temporal-dev:7233│
-│  - Python agent │     Tailscale      │  temporal-dev:8233│
-│  - Go agent     │◄──── Tailnet ─────►│                  │
-│    (stretch)    │                    ├──────────────────┤
-└─────────────────┘                    │  Aperture        │
-                                       │  (API Gateway)   │
-                                       │       │          │
-                                       └───────┼──────────┘
-                                               │
-                                               ▼
-                                       ┌──────────────────┐
-                                       │  OpenAI API      │
-                                       │  (shared key)    │
-                                       └──────────────────┘
+- **Tailscale** provides zero-config encrypted networking between your VM and the shared infrastructure
+- **Aperture** proxies LLM calls with rate limiting and shared key management. No OpenAI key needed on your VM
+
+```mermaid
+flowchart LR
+  VM[Your Instruqt VM<br/>Python + Go workers]
+  TS[Temporal Dev Server<br/>temporal-dev:7233 / :8233]
+  AP[Aperture<br/>API Gateway]
+  OAI[OpenAI API<br/>shared key]
+  VM <-. Tailnet .-> TS
+  VM <-. Tailnet .-> AP
+  AP --> OAI
 ```
 
 ## Prerequisites
 
 Your Instruqt VM comes pre-configured with everything you need:
+
 - Python 3.13 and `uv`
-- Tailscale (connected to the workshop tailnet)
-- Workshop code cloned and dependencies installed
+- Go 1.26+
+- Tailscale, already connected to the workshop tailnet
+- Workshop code cloned, dependencies installed
 
-## Quick Start
+## Quick start
 
 Verify your environment:
 
@@ -52,13 +45,13 @@ Then start with [Exercise 1](exercises/01_hello_tailnet/README.md).
 | # | Exercise | Time | Description |
 |---|----------|------|-------------|
 | 1 | [Hello Tailnet](exercises/01_hello_tailnet/README.md) | 15 min | Run a geo-IP workflow on the shared Temporal server via Tailscale |
-| 2 | [Explore Tailscale](exercises/02_explore_tailscale/README.md) | 15 min | Discover your network, understand Aperture, explore access control |
+| 2 | [Explore Tailscale](exercises/02_explore_tailscale/README.md) | 15 min | Discover your network, understand Aperture, run a Go worker over `tsnet` |
 | 3 | [Weather Agent](exercises/03_weather_agent/README.md) | 25 min | Build a durable AI agent with LLM calls routed through Aperture |
 | 4 | [Go Agent](exercises/04_go_agent/README.md) | Stretch | Same agent pattern in Go (take-home challenge) |
 
 ## Temporal Web UI
 
-Once connected to the tailnet, open the shared Temporal Web UI:
+Once your VM is on the tailnet, open the shared Temporal Web UI:
 
 ```
 http://temporal-dev:8233
@@ -68,12 +61,14 @@ You'll see everyone's workflows running on the shared server.
 
 ## Resources
 
-- [temporal-ts-net](https://github.com/temporal-community/temporal-ts-net) — Temporal CLI extension for Tailscale
+- [temporal-ts-net](https://github.com/temporal-community/temporal-ts-net) - Temporal CLI extension for Tailscale
 - [Temporal Python SDK](https://docs.temporal.io/develop/python)
 - [Temporal Go SDK](https://docs.temporal.io/develop/go)
-- [Tailscale Documentation](https://tailscale.com/kb)
-- [Aperture Documentation](https://docs.tailscale.com/aperture)
+- [Tailscale docs](https://tailscale.com/kb)
+- [Aperture docs](https://docs.tailscale.com/aperture)
+
+---
 
-## Instructor Setup
+### Running this workshop yourself?
 
-See [instructor/README.md](instructor/README.md) for VPS and Instruqt configuration.
+This repo is also a community asset. If you want to teach the session, run it locally, or remix the stack, see the [**community guide**](https://temporal-community.github.io/workshop-tailscale-replay-2026/) for instructor walkthroughs (with and without Instruqt), infrastructure setup, and architecture deep-dives.
@@ -0,0 +1,107 @@
+# Architecture
+
+Three layers, one workshop.
+
+## Topology
+
+```mermaid
+flowchart LR
+  subgraph VM["Attendee VM (Instruqt or local)"]
+    PY[Python worker]
+    GO[Go worker]
+  end
+  subgraph VPS["Shared VPS"]
+    TS["Temporal Dev Server<br/>temporal-dev:7233<br/>temporal-dev:8233"]
+    AP["Aperture<br/>API Gateway"]
+  end
+  OAI["OpenAI API<br/>(shared key)"]
+  VM <-. Tailnet .-> TS
+  VM <-. Tailnet .-> AP
+  AP --> OAI
+```
+
+Everything between the attendee machine and the shared infrastructure rides on an encrypted Tailscale mesh. There is no public port open on the VPS. If you're not on the tailnet, you can't reach it.
+
+## The four pieces
+
+### Temporal (durability)
+
+A workflow orchestrator. The workshop uses a single `AgentWorkflow` that calls an Activity, feeds the result back to the LLM, and loops until the LLM is satisfied. Every tool invocation is its own Activity with its own retry policy. If the worker dies mid-reasoning, the workflow picks up exactly where it left off.
+
+### Tailscale (networking)
+
+A mesh VPN built on WireGuard. Every workshop VM joins one tailnet and can reach `temporal-dev:7233` and `http://ai` as if they were on a local network, with no port forwarding, no firewall rules, and no VPN concentrator.
+
+### `temporal-ts-net` (the glue)
+
+A Temporal CLI extension that runs the dev server and joins the tailnet via [tsnet](https://pkg.go.dev/tailscale.com/tsnet). Six lines of Go wrap `temporal server start-dev` and put it on the network under a memorable hostname. Installed on the shared VPS; the workshop consumes the hostname it exposes. Source: [temporal-community/temporal-ts-net](https://github.com/temporal-community/temporal-ts-net).
+
+### Aperture (API gateway)
+
+Sits between attendee code and OpenAI. Holds the real API key, forwards requests to `api.openai.com`, and enforces per-identity rate limits using the caller's Tailscale identity. Attendees never see the key, and one person running 500 agents can't burn the whole budget.
+
+## The two agent patterns
+
+### Tool-calling (Exercise 3, Part 1)
+
+```mermaid
+flowchart TD
+  U["User: 'Weather alerts in California?'"]
+  LLM["LLM via Aperture"]
+  A["Temporal Activity<br/>get_weather_alerts('CA')<br/>calls NWS API"]
+  R["'There are 3 active alerts<br/>in California...'"]
+  U --> LLM
+  LLM -->|decides to call tool| A
+  A -->|weather data| LLM
+  LLM --> R
+```
+
+One decision, one tool, one formatted response. Useful on its own (for example, "answer questions about our API docs") and a stepping stone to the loop.
+
+### Agentic loop (Exercise 3, Part 2)
+
+```mermaid
+flowchart TD
+  U["User: 'What's the weather where I am?'"]
+  subgraph Loop["Agentic Loop, repeats until LLM is done"]
+    direction LR
+    P[LLM picks a tool] --> E[Execute Activity]
+    E --> F[Feed result back to LLM]
+    F --> P
+  end
+  U --> Loop
+  Loop --> R[Final response]
+```
+
+The LLM reasons through multiple steps on its own. The workshop's weather agent chains `get_ip_address`, `get_location_info`, `get_weather_alerts` with no hand-coded flow control; each tool is dynamically dispatched based on what the LLM asks for.
+
+## Aperture in the middle
+
+```mermaid
+sequenceDiagram
+  autonumber
+  participant VM as Attendee VM
+  participant AP as Aperture
+  participant OAI as OpenAI
+  VM->>AP: POST /v1/responses<br/>(no API key needed)
+  Note over AP: Identity: your-vm<br/>Rate: 3 / 10 requests
+  AP->>OAI: POST /v1/responses<br/>Authorization: Bearer sk-real-openai-key
+  OAI-->>AP: response
+  AP-->>VM: response
+```
+
+Two things to notice:
+
+1. The attendee never has the real key. They POST to `http://ai/v1/responses` with no Authorization header, and Aperture swaps in the real credential on the way out.
+2. Aperture uses the **caller's Tailscale identity** as the rate-limit key. No extra auth tokens, no per-attendee secrets to distribute. Whoever the tailnet says you are, that's who Aperture bills.
+
+## Why this stack
+
+Each piece removes a category of operational pain:
+
+- **Temporal** turns "my agent crashed halfway through reasoning" from a lost conversation into a resumed one.
+- **Tailscale** deletes VPN and firewall setup from the attendee onboarding path.
+- **`temporal-ts-net`** means the shared Temporal server is a hostname, not an IP:port behind a load balancer.
+- **Aperture** means one OpenAI key can serve 50 people without any of them seeing it, and without one person draining the budget.
+
+Remove any one of those and the workshop gets substantially harder to run.
@@ -0,0 +1,56 @@
+# Securing AI Applications with Tailscale and Temporal
+
+A hands-on workshop that teaches three ideas by building one thing:
+
+- **Durability** - Temporal orchestrates an agentic loop so the LLM can crash, retry, and resume without losing state.
+- **Zero-config networking** - Tailscale connects every machine in the workshop over an encrypted mesh, no VPN concentrator, no firewall rules.
+- **Shared-key safety** - Aperture acts as an API gateway so one OpenAI key serves the whole room with per-identity rate limiting.
+
+## Who this site is for
+
+This site is the **community guide**, a reference for anyone who wants to **run the workshop themselves**, whether that's a conference track, an internal training, or a weekend hack with friends.
+
+If you are *attending* a session, the [GitHub README](https://github.com/temporal-community/workshop-tailscale-replay-2026) and the in-environment instructions have everything you need during the workshop itself. You don't need this site.
+
+## Pick a path
+
+<div class="grid cards" markdown>
+
+- **I want to understand what we're building**
+
+    ---
+
+    Read the [workshop overview](workshop-overview.md) and the [architecture](architecture.md) to see the pieces and why they fit together.
+
+- **I want to try it on my own machine**
+
+    ---
+
+    [Try it locally](try-it-locally.md) runs the full Tailscale + Temporal stack on your own machine, on your personal tailnet. Only Aperture is swapped (direct OpenAI key).
+
+- **I'm teaching a cohort via Instruqt**
+
+    ---
+
+    [Running with Instruqt](run-with-instruqt.md) covers VM requirements, track configuration, and day-of checklists.
+
+- **I'm teaching a cohort without Instruqt**
+
+    ---
+
+    [Running without Instruqt](run-without-instruqt.md) covers onboarding attendees onto your tailnet, Aperture alternatives, and the pre-event checklist.
+
+- **I need to stand up the shared infrastructure**
+
+    ---
+
+    [Infrastructure](infrastructure.md) covers the persistent VPS that runs `temporal-ts-net` and the Tailscale and Aperture pieces behind it.
+
+</div>
+
+## Source material
+
+- **Workshop repo** - [temporal-community/workshop-tailscale-replay-2026](https://github.com/temporal-community/workshop-tailscale-replay-2026)
+- **`temporal-ts-net`** - [temporal-community/temporal-ts-net](https://github.com/temporal-community/temporal-ts-net)
+- **Temporal SDKs** - [Python](https://docs.temporal.io/develop/python), [Go](https://docs.temporal.io/develop/go)
+- **Tailscale** - [docs](https://tailscale.com/kb). **Aperture** - [docs](https://docs.tailscale.com/aperture)