Per-service tags in lists provider are ignored - all nodes get all OAuth client tags #377

@NickBorgers

Description

When using the lists provider with OAuth authentication, the tailscale.tags configuration at the proxy level is ignored. All proxies receive all tags from the OAuth client regardless of the per-service tag configuration.

Environment

  • TSDProxy version: 2.0.0-beta4
  • Authentication: OAuth client with tag:service and tag:log-server

Configuration

tsdproxy.yaml:

defaultProxyProvider: default
docker:
  local:
    host: unix:///var/run/docker.sock
    defaultProxyProvider: default
lists:
  critical:
    filename: /config/critical.yaml
    defaultProxyAccessLog: true
tailscale:
  providers:
    default:
      clientId: "xxx"
      clientSecret: "xxx"
  dataDir: /data/

critical.yaml:

elasticsearch:
  tailscale:
    tags: tag:log-server
  ports:
    443/https:
      targets:
        - http://elasticsearch:9200
grafana:
  tailscale:
    tags: tag:service
  ports:
    443/https:
      targets:
        - http://grafana:3000

Expected Behavior

  • elasticsearch should be registered with only tag:log-server
  • grafana should be registered with only tag:service

Actual Behavior

Both nodes are registered with both tags (tag:service AND tag:log-server) from the OAuth client. The per-service tailscale.tags configuration has no effect.

Steps to Reproduce

  1. Create OAuth client with multiple tags (e.g., tag:service,tag:log-server)
  2. Configure lists provider with different tags per proxy
  3. Start TSDProxy and observe Tailscale admin console
  4. All nodes have all OAuth client tags regardless of per-service config

Workaround

Using multiple OAuth clients (one per tag set) with separate Tailscale providers works, but defeats the purpose of per-service tag configuration.
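
Added example, not part of the original issue and not TSDProxy code: a small audit that compares the per-service `tailscale.tags` in the list file with the tags each node actually carries, so over-tagged nodes (which would match ACL rules written for the other tag) are flagged. The device JSON is a constructed sample shaped like the Tailscale API device list, and matching nodes to list entries by hostname is an assumption.

```python
import json

# critical.yaml as shown in the issue
LIST_FILE = """\
elasticsearch:
  tailscale:
    tags: tag:log-server
  ports:
    443/https:
      targets:
        - http://elasticsearch:9200
grafana:
  tailscale:
    tags: tag:service
  ports:
    443/https:
      targets:
        - http://grafana:3000
"""

# Constructed sample (not real output): the over-tagged state the issue describes
DEVICES_JSON = """{"devices": [
  {"hostname": "elasticsearch", "tags": ["tag:log-server", "tag:service"]},
  {"hostname": "grafana", "tags": ["tag:log-server", "tag:service"]}]}"""

def configured_tags(text):
    """Narrow reader for the 2-space list-file layout above; not a general YAML parser."""
    result, proxy, in_ts = {}, None, False
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                      # top-level key = proxy name
            proxy, in_ts = key, False
            result[proxy] = set()
        elif indent == 2:                    # section under the proxy
            in_ts = key == "tailscale"
        elif indent == 4 and in_ts and key == "tags":
            result[proxy] = {t.strip(" \"'") for t in value.split(",") if t.strip()}
    return result

def audit(list_text, devices_json):
    """Return {hostname: [tags present on the node but not configured for it]}."""
    want = configured_tags(list_text)
    findings = {}
    for dev in json.loads(devices_json)["devices"]:
        extra = set(dev.get("tags", [])) - want.get(dev["hostname"], set())
        if dev["hostname"] in want and extra:
            findings[dev["hostname"]] = sorted(extra)
    return findings
```

On the sample data, `audit(LIST_FILE, DEVICES_JSON)` reports `tag:service` as unexpected on elasticsearch and `tag:log-server` as unexpected on grafana.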
