Merge remote-tracking branch 'upstream/main'

Author: Mmx233

Makefile

@@ -23,6 +23,8 @@ updatedeps: ## Update depaware deps
 		tailscale.com/cmd/derper \
 		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update -goos=linux,darwin,windows,android,ios --internal \
+		tailscale.com/tsnet
 
 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
@@ -33,6 +35,8 @@ depaware: ## Run depaware checks
 		tailscale.com/cmd/derper \
 		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --goos=linux,darwin,windows,android,ios --internal \
+		tailscale.com/tsnet
 
 buildwindows: ## Build tailscale CLI for windows/amd64
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

build_dist.sh

@@ -41,7 +41,7 @@ while [ "$#" -gt 1 ]; do
 		fi
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion,ts_omit_ssh,ts_omit_wakeonlan,ts_omit_capture,ts_omit_relayserver,ts_omit_taildrop"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion,ts_omit_ssh,ts_omit_wakeonlan,ts_omit_capture,ts_omit_relayserver,ts_omit_taildrop,ts_omit_tpm"
 		;;
 	--box)
 		if [ ! -z "${TAGS:-}" ]; then

client/local/local.go

@@ -294,7 +294,7 @@ func (lc *Client) get200(ctx context.Context, path string) ([]byte, error) {
 
 // WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
 //
-// Deprecated: use Client.WhoIs.
+// Deprecated: use [Client.WhoIs].
 func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	return defaultClient.WhoIs(ctx, remoteAddr)
 }
@@ -309,7 +309,7 @@ func decodeJSON[T any](b []byte) (ret T, err error) {
 
 // WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
 //
-// If not found, the error is ErrPeerNotFound.
+// If not found, the error is [ErrPeerNotFound].
 //
 // For connections proxied by tailscaled, this looks up the owner of the given
 // address as TCP first, falling back to UDP; if you want to only check a
@@ -325,7 +325,8 @@ func (lc *Client) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsR
 	return decodeJSON[*apitype.WhoIsResponse](body)
 }
 
-// ErrPeerNotFound is returned by WhoIs and WhoIsNodeKey when a peer is not found.
+// ErrPeerNotFound is returned by [Client.WhoIs], [Client.WhoIsNodeKey] and
+// [Client.WhoIsProto] when a peer is not found.
 var ErrPeerNotFound = errors.New("peer not found")
 
 // WhoIsNodeKey returns the owner of the given wireguard public key.
@@ -345,7 +346,7 @@ func (lc *Client) WhoIsNodeKey(ctx context.Context, key key.NodePublic) (*apityp
 // WhoIsProto returns the owner of the remoteAddr, which must be an IP or
 // IP:port, for the given protocol (tcp or udp).
 //
-// If not found, the error is ErrPeerNotFound.
+// If not found, the error is [ErrPeerNotFound].
 func (lc *Client) WhoIsProto(ctx context.Context, proto, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	body, err := lc.get200(ctx, "/localapi/v0/whois?proto="+url.QueryEscape(proto)+"&addr="+url.QueryEscape(remoteAddr))
 	if err != nil {
@@ -490,7 +491,7 @@ func (lc *Client) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (st
 
 // BugReport logs and returns a log marker that can be shared by the user with support.
 //
-// This is the same as calling BugReportWithOpts and only specifying the Note
+// This is the same as calling [Client.BugReportWithOpts] and only specifying the Note
 // field.
 func (lc *Client) BugReport(ctx context.Context, note string) (string, error) {
 	return lc.BugReportWithOpts(ctx, BugReportOpts{Note: note})
@@ -531,7 +532,7 @@ func (lc *Client) DebugResultJSON(ctx context.Context, action string) (any, erro
 	return x, nil
 }
 
-// DebugPortmapOpts contains options for the DebugPortmap command.
+// DebugPortmapOpts contains options for the [Client.DebugPortmap] command.
 type DebugPortmapOpts struct {
 	// Duration is how long the mapping should be created for. It defaults
 	// to 5 seconds if not set.
@@ -677,7 +678,7 @@ func (lc *Client) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, erro
 	return lc.AwaitWaitingFiles(ctx, 0)
 }
 
-// AwaitWaitingFiles is like WaitingFiles but takes a duration to await for an answer.
+// AwaitWaitingFiles is like [Client.WaitingFiles] but takes a duration to await for an answer.
 // If the duration is 0, it will return immediately. The duration is respected at second
 // granularity only. If no files are available, it returns (nil, nil).
 func (lc *Client) AwaitWaitingFiles(ctx context.Context, d time.Duration) ([]apitype.WaitingFile, error) {
@@ -946,7 +947,7 @@ func (lc *Client) SetDNS(ctx context.Context, name, value string) error {
 // The host may be a base DNS name (resolved from the netmap inside
 // tailscaled), a FQDN, or an IP address.
 //
-// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
+// The ctx is only used for the duration of the call, not the lifetime of the [net.Conn].
 func (lc *Client) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
 	return lc.UserDial(ctx, "tcp", host, port)
 }
@@ -957,7 +958,7 @@ func (lc *Client) DialTCP(ctx context.Context, host string, port uint16) (net.Co
 // a FQDN, or an IP address.
 //
 // The ctx is only used for the duration of the call, not the lifetime of the
-// net.Conn.
+// [net.Conn].
 func (lc *Client) UserDial(ctx context.Context, network, host string, port uint16) (net.Conn, error) {
 	connCh := make(chan net.Conn, 1)
 	trace := httptrace.ClientTrace{
@@ -1025,7 +1026,7 @@ func (lc *Client) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error)
 //
 // It returns a cached certificate from disk if it's still valid.
 //
-// Deprecated: use Client.CertPair.
+// Deprecated: use [Client.CertPair].
 func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
 	return defaultClient.CertPair(ctx, domain)
 }
@@ -1072,9 +1073,9 @@ func (lc *Client) CertPairWithValidity(ctx context.Context, domain string, minVa
 // It returns a cached certificate from disk if it's still valid.
 //
 // It's the right signature to use as the value of
-// tls.Config.GetCertificate.
+// [tls.Config.GetCertificate].
 //
-// Deprecated: use Client.GetCertificate.
+// Deprecated: use [Client.GetCertificate].
 func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return defaultClient.GetCertificate(hi)
 }
@@ -1084,7 +1085,7 @@ func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 // It returns a cached certificate from disk if it's still valid.
 //
 // It's the right signature to use as the value of
-// tls.Config.GetCertificate.
+// [tls.Config.GetCertificate].
 //
 // API maturity: this is considered a stable API.
 func (lc *Client) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -1113,7 +1114,7 @@ func (lc *Client) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, err
 
 // ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 //
-// Deprecated: use Client.ExpandSNIName.
+// Deprecated: use [Client.ExpandSNIName].
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultClient.ExpandSNIName(ctx, name)
 }
@@ -1502,7 +1503,7 @@ func (lc *Client) SwitchProfile(ctx context.Context, profile ipn.ProfileID) erro
 
 // DeleteProfile removes the profile with the given ID.
 // If the profile is the current profile, an empty profile
-// will be selected as if SwitchToEmptyProfile was called.
+// will be selected as if [Client.SwitchToEmptyProfile] was called.
 func (lc *Client) DeleteProfile(ctx context.Context, profile ipn.ProfileID) error {
 	_, err := lc.send(ctx, "DELETE", "/localapi/v0/profiles/"+url.PathEscape(string(profile)), http.StatusNoContent, nil)
 	return err
@@ -1559,7 +1560,7 @@ func (lc *Client) DebugSetExpireIn(ctx context.Context, d time.Duration) error {
 // StreamDebugCapture streams a pcap-formatted packet capture.
 //
 // The provided context does not determine the lifetime of the
-// returned io.ReadCloser.
+// returned [io.ReadCloser].
 func (lc *Client) StreamDebugCapture(ctx context.Context) (io.ReadCloser, error) {
 	req, err := http.NewRequestWithContext(ctx, "POST", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-capture", nil)
 	if err != nil {
@@ -1582,7 +1583,7 @@ func (lc *Client) StreamDebugCapture(ctx context.Context) (io.ReadCloser, error)
 // The context is used for the life of the watch, not just the call to
 // WatchIPNBus.
 //
-// The returned IPNBusWatcher's Close method must be called when done to release
+// The returned [IPNBusWatcher]'s Close method must be called when done to release
 // resources.
 //
 // A default set of ipn.Notify messages are returned but the set can be modified by mask.
@@ -1609,7 +1610,7 @@ func (lc *Client) WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*IP
 	}, nil
 }
 
-// CheckUpdate returns a tailcfg.ClientVersion indicating whether or not an update is available
+// CheckUpdate returns a [*tailcfg.ClientVersion] indicating whether or not an update is available
 // to be installed via the LocalAPI. In case the LocalAPI can't install updates, it returns a
 // ClientVersion that says that we are up to date.
 func (lc *Client) CheckUpdate(ctx context.Context) (*tailcfg.ClientVersion, error) {
@@ -1685,7 +1686,7 @@ func (lc *Client) DriveShareList(ctx context.Context) ([]*drive.Share, error) {
 }
 
 // IPNBusWatcher is an active subscription (watch) of the local tailscaled IPN bus.
-// It's returned by Client.WatchIPNBus.
+// It's returned by [Client.WatchIPNBus].
 //
 // It must be closed when done.
 type IPNBusWatcher struct {

client/tailscale/localclient_aliases.go

@@ -12,95 +12,95 @@ import (
 	"tailscale.com/ipn/ipnstate"
 )
 
-// ErrPeerNotFound is an alias for tailscale.com/client/local.
+// ErrPeerNotFound is an alias for [tailscale.com/client/local.ErrPeerNotFound].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 var ErrPeerNotFound = local.ErrPeerNotFound
 
-// LocalClient is an alias for tailscale.com/client/local.
+// LocalClient is an alias for [tailscale.com/client/local.Client].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 type LocalClient = local.Client
 
-// IPNBusWatcher is an alias for tailscale.com/client/local.
+// IPNBusWatcher is an alias for [tailscale.com/client/local.IPNBusWatcher].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 type IPNBusWatcher = local.IPNBusWatcher
 
-// BugReportOpts is an alias for tailscale.com/client/local.
+// BugReportOpts is an alias for [tailscale.com/client/local.BugReportOpts].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 type BugReportOpts = local.BugReportOpts
 
-// DebugPortMapOpts is an alias for tailscale.com/client/local.
+// DebugPortmapOpts is an alias for [tailscale.com/client/local.DebugPortmapOpts].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 type DebugPortmapOpts = local.DebugPortmapOpts
 
-// PingOpts is an alias for tailscale.com/client/local.
+// PingOpts is an alias for [tailscale.com/client/local.PingOpts].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 type PingOpts = local.PingOpts
 
-// GetCertificate is an alias for tailscale.com/client/local.
+// GetCertificate is an alias for [tailscale.com/client/local.GetCertificate].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.GetCertificate].
 func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return local.GetCertificate(hi)
 }
 
-// SetVersionMismatchHandler is an alias for tailscale.com/client/local.
+// SetVersionMismatchHandler is an alias for [tailscale.com/client/local.SetVersionMismatchHandler].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
 	local.SetVersionMismatchHandler(f)
 }
 
-// IsAccessDeniedError is an alias for tailscale.com/client/local.
+// IsAccessDeniedError is an alias for [tailscale.com/client/local.IsAccessDeniedError].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 func IsAccessDeniedError(err error) bool {
 	return local.IsAccessDeniedError(err)
 }
 
-// IsPreconditionsFailedError is an alias for tailscale.com/client/local.
+// IsPreconditionsFailedError is an alias for [tailscale.com/client/local.IsPreconditionsFailedError].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 func IsPreconditionsFailedError(err error) bool {
 	return local.IsPreconditionsFailedError(err)
 }
 
-// WhoIs is an alias for tailscale.com/client/local.
+// WhoIs is an alias for [tailscale.com/client/local.WhoIs].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.WhoIs].
 func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	return local.WhoIs(ctx, remoteAddr)
 }
 
-// Status is an alias for tailscale.com/client/local.
+// Status is an alias for [tailscale.com/client/local.Status].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return local.Status(ctx)
 }
 
-// StatusWithoutPeers is an alias for tailscale.com/client/local.
+// StatusWithoutPeers is an alias for [tailscale.com/client/local.StatusWithoutPeers].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead.
 func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
 	return local.StatusWithoutPeers(ctx)
 }
 
-// CertPair is an alias for tailscale.com/client/local.
+// CertPair is an alias for [tailscale.com/client/local.CertPair].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.CertPair].
 func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
 	return local.CertPair(ctx, domain)
 }
 
-// ExpandSNIName is an alias for tailscale.com/client/local.
+// ExpandSNIName is an alias for [tailscale.com/client/local.ExpandSNIName].
 //
-// Deprecated: import tailscale.com/client/local instead.
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.ExpandSNIName].
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return local.ExpandSNIName(ctx, name)
 }

client/tailscale/tailscale.go

@@ -8,7 +8,7 @@
 // This package is only intended for internal and transitional use.
 //
 // Deprecated: the official control plane client is available at
-// tailscale.com/client/tailscale/v2.
+// [tailscale.com/client/tailscale/v2].
 package tailscale
 
 import (
@@ -22,7 +22,7 @@ import (
 )
 
 // I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. This package is being replaced by tailscale.com/client/tailscale/v2.
+// for now. This package is being replaced by [tailscale.com/client/tailscale/v2].
 var I_Acknowledge_This_API_Is_Unstable = false
 
 // TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
@@ -34,10 +34,10 @@ const maxReadSize = 10 << 20
 
 // Client makes API calls to the Tailscale control plane API server.
 //
-// Use NewClient to instantiate one. Exported fields should be set before
+// Use [NewClient] to instantiate one. Exported fields should be set before
 // the client is used and not changed thereafter.
 //
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
+// Deprecated: use [tailscale.com/client/tailscale/v2] instead.
 type Client struct {
 	// tailnet is the globally unique identifier for a Tailscale network, such
 	// as "example.com" or "user@gmail.com".
@@ -51,7 +51,7 @@ type Client struct {
 	BaseURL string
 
 	// HTTPClient optionally specifies an alternate HTTP client to use.
-	// If nil, http.DefaultClient is used.
+	// If nil, [http.DefaultClient] is used.
 	HTTPClient *http.Client
 
 	// UserAgent optionally specifies an alternate User-Agent header
@@ -119,7 +119,7 @@ type AuthMethod interface {
 	modifyRequest(req *http.Request)
 }
 
-// APIKey is an AuthMethod for NewClient that authenticates requests
+// APIKey is an [AuthMethod] for [NewClient] that authenticates requests
 // using an authkey.
 type APIKey string
 
@@ -133,15 +133,15 @@ func (c *Client) setAuth(r *http.Request) {
 	}
 }
 
-// NewClient is a convenience method for instantiating a new Client.
+// NewClient is a convenience method for instantiating a new [Client].
 //
 // tailnet is the globally unique identifier for a Tailscale network, such
 // as "example.com" or "user@gmail.com".
-// If httpClient is nil, then http.DefaultClient is used.
+// If httpClient is nil, then [http.DefaultClient] is used.
 // "api.tailscale.com" is set as the BaseURL for the returned client
 // and can be changed manually by the user.
 //
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
+// Deprecated: use [tailscale.com/client/tailscale/v2] instead.
 func NewClient(tailnet string, auth AuthMethod) *Client {
 	return &Client{
 		tailnet:   tailnet,
@@ -193,9 +193,9 @@ func (e ErrResponse) Error() string {
 }
 
 // HandleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
+// an [ErrResponse] from it.
 //
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
+// Deprecated: use [tailscale.com/client/tailscale/v2] instead.
 func HandleErrorResponse(b []byte, resp *http.Response) error {
 	var errResp ErrResponse
 	if err := json.Unmarshal(b, &errResp); err != nil {