feat(server): add tailscale service listen mode

Add a tssvc:// listen endpoint that configures Tailscale Services via LocalAPI, updates CLI/docs, and covers behavior with endpoint/server tests.

Also wire tsnet internal logs through the existing structured logger.

Author: lox

README.md

@@ -56,6 +56,19 @@ Then connect with:
 cleanroom exec --host tsnet://cleanroom:7777 -- "npm test"
 ```
 
+To expose the API as a Tailscale Service using the local `tailscaled` daemon:
+
+```bash
+cleanroom serve --listen tssvc://cleanroom
+```
+
+This configures `svc:cleanroom` with HTTPS on port 443 and advertises the
+service from this host. Connect from another tailnet device with:
+
+```bash
+cleanroom exec --host https://cleanroom.<your-tailnet>.ts.net -- "npm test"
+```
+
 ### 3) Launch -> Run -> Terminate via API
 
 ```bash

internal/cli/cli.go

@@ -82,7 +82,7 @@ type ConsoleCommand struct {
 }
 
 type ServeCommand struct {
-	Listen   string `help:"Listen endpoint for control API (defaults to runtime endpoint; supports tsnet://hostname[:port])"`
+	Listen   string `help:"Listen endpoint for control API (defaults to runtime endpoint; supports tsnet://hostname[:port] and tssvc://service[:local-port])"`
 	LogLevel string `help:"Server log level (debug|info|warn|error)"`
 }
 

internal/controlserver/server.go

@@ -40,10 +40,25 @@ type tsnetServer interface {
 	Close() error
 }
 
-var newTSNetServer = func(ep endpoint.Endpoint, stateDir string) tsnetServer {
+var newTSNetServer = func(ep endpoint.Endpoint, stateDir string, tsLogf func(format string, args ...any)) tsnetServer {
 	return &tsnet.Server{
 		Dir:      stateDir,
 		Hostname: ep.TSNetHostname,
+		Logf:     tsLogf,
+	}
+}
+
+func tsnetLogf(logger *log.Logger) func(format string, args ...any) {
+	if logger == nil {
+		return nil
+	}
+	tsLogger := logger.With("subsystem", "tsnet")
+	return func(format string, args ...any) {
+		msg := strings.TrimSpace(fmt.Sprintf(format, args...))
+		if msg == "" {
+			return
+		}
+		tsLogger.Debug(msg)
 	}
 }
 
@@ -606,7 +621,7 @@ func (s *Server) handleTerminateCleanroom(w http.ResponseWriter, r *http.Request
 }
 
 func Serve(ctx context.Context, ep endpoint.Endpoint, handler http.Handler, logger *log.Logger) error {
-	listener, cleanup, err := listen(ep)
+	listener, cleanup, err := listen(ep, logger)
 	if err != nil {
 		return err
 	}
@@ -653,7 +668,7 @@ func Serve(ctx context.Context, ep endpoint.Endpoint, handler http.Handler, logg
 	}
 }
 
-func listen(ep endpoint.Endpoint) (net.Listener, func() error, error) {
+func listen(ep endpoint.Endpoint, logger *log.Logger) (net.Listener, func() error, error) {
 	if ep.Scheme == "unix" {
 		if err := os.MkdirAll(filepath.Dir(ep.Address), 0o755); err != nil {
 			return nil, nil, err
@@ -680,7 +695,7 @@ func listen(ep endpoint.Endpoint) (net.Listener, func() error, error) {
 		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			return nil, nil, fmt.Errorf("create tsnet state directory: %w", err)
 		}
-		server := newTSNetServer(ep, stateDir)
+		server := newTSNetServer(ep, stateDir, tsnetLogf(logger))
 		listener, err := server.Listen("tcp", ep.Address)
 		if err != nil {
 			_ = server.Close()
@@ -689,6 +704,20 @@ func listen(ep endpoint.Endpoint) (net.Listener, func() error, error) {
 		return listener, server.Close, nil
 	}
 
+	if ep.Scheme == "tssvc" {
+		listener, err := net.Listen("tcp", ep.Address)
+		if err != nil {
+			return nil, nil, fmt.Errorf("start tailscale service listener for %q: %w", ep.Address, err)
+		}
+		setupCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		if err := configureTailscaleService(setupCtx, ep, listener.Addr().String()); err != nil {
+			_ = listener.Close()
+			return nil, nil, err
+		}
+		return listener, nil, nil
+	}
+
 	if ep.Scheme == "https" {
 		return nil, nil, errors.New("https listen endpoints are not supported yet: TLS configuration is not implemented")
 	}