2 files changed, 15 insertions, 5 deletions

diff --git a/client/tailscale/apitype/apitype.go b/client/tailscale/apitype/apitype.go
index b63abf69c..693f83a89 100644
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -10,9 +10,16 @@ import "tailscale.com/tailcfg"
 const LocalAPIHost = "local-tailscaled.sock"
 
 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
-// In successful whois responses, Node and UserProfile are never nil.
 type WhoIsResponse struct {
-	Node        *tailcfg.Node
+	// Node is the node that the IP address belongs to.
+	//
+	// It is always non-nil in successful responses.
+	Node *tailcfg.Node
+
+	// UserProfile is the profile of the Node.User if the node is not tagged.
+	// For tagged nodes, the profile should be ignored.
+	//
+	// It is always non-nil in successful responses.
 	UserProfile *tailcfg.UserProfile
 
 	// CapMap is a map of capabilities to their values.
diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 68fec3e03..d945e962d 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -221,9 +221,12 @@ type Node struct {
 	// e.g. "host.tail-scale.ts.net."
 	Name string
 
-	// User is the user who created the node. If ACL tags are in
-	// use for the node then it doesn't reflect the ACL identity
-	// that the node is running as.
+	// User represents the owner of an untagged node. This field should be
+	// ignored for tagged nodes, as the value is undefined and may change in the
+	// future.
+	//
+	// To support old clients, the value is used to group all tagged nodes
+	// together for UI purposes and to circumvent isSelf checks for the PeerAPI.
 	User UserID
 
 	// Sharer, if non-zero, is the user who shared this node, if different than User.