Update dependencies

vendor/tailscale.com/util/syspolicy/setting/key.go

@@ -10,4 +10,4 @@ package setting
 type Key string
 
 // KeyPathSeparator allows logical grouping of policy settings into categories.
-const KeyPathSeparator = "/"
+const KeyPathSeparator = '/'

vendor/tailscale.com/util/syspolicy/setting/origin.go

@@ -50,22 +50,27 @@ func (s Origin) String() string {
 	return s.Scope().String()
 }
 
-// MarshalJSONV2 implements [jsonv2.MarshalerV2].
-func (s Origin) MarshalJSONV2(out *jsontext.Encoder, opts jsonv2.Options) error {
-	return jsonv2.MarshalEncode(out, &s.data, opts)
+var (
+	_ jsonv2.MarshalerTo     = (*Origin)(nil)
+	_ jsonv2.UnmarshalerFrom = (*Origin)(nil)
+)
+
+// MarshalJSONTo implements [jsonv2.MarshalerTo].
+func (s Origin) MarshalJSONTo(out *jsontext.Encoder) error {
+	return jsonv2.MarshalEncode(out, &s.data)
 }
 
-// UnmarshalJSONV2 implements [jsonv2.UnmarshalerV2].
-func (s *Origin) UnmarshalJSONV2(in *jsontext.Decoder, opts jsonv2.Options) error {
-	return jsonv2.UnmarshalDecode(in, &s.data, opts)
+// UnmarshalJSONFrom implements [jsonv2.UnmarshalerFrom].
+func (s *Origin) UnmarshalJSONFrom(in *jsontext.Decoder) error {
+	return jsonv2.UnmarshalDecode(in, &s.data)
 }
 
 // MarshalJSON implements [json.Marshaler].
 func (s Origin) MarshalJSON() ([]byte, error) {
-	return jsonv2.Marshal(s) // uses MarshalJSONV2
+	return jsonv2.Marshal(s) // uses MarshalJSONTo
 }
 
 // UnmarshalJSON implements [json.Unmarshaler].
 func (s *Origin) UnmarshalJSON(b []byte) error {
-	return jsonv2.Unmarshal(b, s) // uses UnmarshalJSONV2
+	return jsonv2.Unmarshal(b, s) // uses UnmarshalJSONFrom
 }

vendor/tailscale.com/util/syspolicy/setting/policy_scope.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"tailscale.com/types/lazy"
+	"tailscale.com/util/syspolicy/internal"
 )
 
 var (
@@ -35,6 +36,8 @@ type PolicyScope struct {
 // when querying policy settings.
 // It returns [DeviceScope], unless explicitly changed with [SetDefaultScope].
 func DefaultScope() PolicyScope {
+	// Allow deferred package init functions to override the default scope.
+	internal.Init.Do()
 	return lazyDefaultScope.Get(func() PolicyScope { return DeviceScope })
 }
 

vendor/tailscale.com/util/syspolicy/setting/raw_item.go

@@ -5,7 +5,11 @@ package setting
 
 import (
 	"fmt"
+	"reflect"
 
+	jsonv2 "github.com/go-json-experiment/json"
+	"github.com/go-json-experiment/json/jsontext"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
 )
 
@@ -17,10 +21,15 @@ import (
 // or converted from strings, these setting types predate the typed policy
 // hierarchies, and must be supported at this layer.
 type RawItem struct {
-	_      structs.Incomparable
-	value  any
-	err    *ErrorText
-	origin *Origin // or nil
+	_    structs.Incomparable
+	data rawItemJSON
+}
+
+// rawItemJSON holds JSON-marshallable data for [RawItem].
+type rawItemJSON struct {
+	Value  RawValue   `json:",omitzero"`
+	Error  *ErrorText `json:",omitzero"` // or nil
+	Origin *Origin    `json:",omitzero"` // or nil
 }
 
 // RawItemOf returns a [RawItem] with the specified value.
@@ -30,20 +39,20 @@ func RawItemOf(value any) RawItem {
 
 // RawItemWith returns a [RawItem] with the specified value, error and origin.
 func RawItemWith(value any, err *ErrorText, origin *Origin) RawItem {
-	return RawItem{value: value, err: err, origin: origin}
+	return RawItem{data: rawItemJSON{Value: RawValue{opt.ValueOf(value)}, Error: err, Origin: origin}}
 }
 
 // Value returns the value of the policy setting, or nil if the policy setting
 // is not configured, or an error occurred while reading it.
 func (i RawItem) Value() any {
-	return i.value
+	return i.data.Value.Get()
 }
 
 // Error returns the error that occurred when reading the policy setting,
 // or nil if no error occurred.
 func (i RawItem) Error() error {
-	if i.err != nil {
-		return i.err
+	if i.data.Error != nil {
+		return i.data.Error
 	}
 	return nil
 }
@@ -51,17 +60,113 @@ func (i RawItem) Error() error {
 // Origin returns an optional [Origin] indicating where the policy setting is
 // configured.
 func (i RawItem) Origin() *Origin {
-	return i.origin
+	return i.data.Origin
 }
 
 // String implements [fmt.Stringer].
 func (i RawItem) String() string {
 	var suffix string
-	if i.origin != nil {
-		suffix = fmt.Sprintf(" - {%v}", i.origin)
+	if i.data.Origin != nil {
+		suffix = fmt.Sprintf(" - {%v}", i.data.Origin)
 	}
-	if i.err != nil {
-		return fmt.Sprintf("Error{%q}%s", i.err.Error(), suffix)
+	if i.data.Error != nil {
+		return fmt.Sprintf("Error{%q}%s", i.data.Error.Error(), suffix)
 	}
-	return fmt.Sprintf("%v%s", i.value, suffix)
+	return fmt.Sprintf("%v%s", i.data.Value.Value, suffix)
 }
+
+var (
+	_ jsonv2.MarshalerTo     = (*RawItem)(nil)
+	_ jsonv2.UnmarshalerFrom = (*RawItem)(nil)
+)
+
+// MarshalJSONTo implements [jsonv2.MarshalerTo].
+func (i RawItem) MarshalJSONTo(out *jsontext.Encoder) error {
+	return jsonv2.MarshalEncode(out, &i.data)
+}
+
+// UnmarshalJSONFrom implements [jsonv2.UnmarshalerFrom].
+func (i *RawItem) UnmarshalJSONFrom(in *jsontext.Decoder) error {
+	return jsonv2.UnmarshalDecode(in, &i.data)
+}
+
+// MarshalJSON implements [json.Marshaler].
+func (i RawItem) MarshalJSON() ([]byte, error) {
+	return jsonv2.Marshal(i) // uses MarshalJSONTo
+}
+
+// UnmarshalJSON implements [json.Unmarshaler].
+func (i *RawItem) UnmarshalJSON(b []byte) error {
+	return jsonv2.Unmarshal(b, i) // uses UnmarshalJSONFrom
+}
+
+// RawValue represents a raw policy setting value read from a policy store.
+// It is JSON-marshallable and facilitates unmarshalling of JSON values
+// into corresponding policy setting types, with special handling for JSON numbers
+// (unmarshalled as float64) and JSON string arrays (unmarshalled as []string).
+// See also [RawValue.UnmarshalJSONFrom].
+type RawValue struct {
+	opt.Value[any]
+}
+
+// RawValueType is a constraint that permits raw setting value types.
+type RawValueType interface {
+	bool | uint64 | string | []string
+}
+
+// RawValueOf returns a new [RawValue] holding the specified value.
+func RawValueOf[T RawValueType](v T) RawValue {
+	return RawValue{opt.ValueOf[any](v)}
+}
+
+var (
+	_ jsonv2.MarshalerTo     = (*RawValue)(nil)
+	_ jsonv2.UnmarshalerFrom = (*RawValue)(nil)
+)
+
+// MarshalJSONTo implements [jsonv2.MarshalerTo].
+func (v RawValue) MarshalJSONTo(out *jsontext.Encoder) error {
+	return jsonv2.MarshalEncode(out, v.Value)
+}
+
+// UnmarshalJSONFrom implements [jsonv2.UnmarshalerFrom] by attempting to unmarshal
+// a JSON value as one of the supported policy setting value types (bool, string, uint64, or []string),
+// based on the JSON value type. It fails if the JSON value is an object, if it's a JSON number that
+// cannot be represented as a uint64, or if a JSON array contains anything other than strings.
+func (v *RawValue) UnmarshalJSONFrom(in *jsontext.Decoder) error {
+	var valPtr any
+	switch k := in.PeekKind(); k {
+	case 't', 'f':
+		valPtr = new(bool)
+	case '"':
+		valPtr = new(string)
+	case '0':
+		valPtr = new(uint64) // unmarshal JSON numbers as uint64
+	case '[', 'n':
+		valPtr = new([]string) // unmarshal arrays as string slices
+	case '{':
+		return fmt.Errorf("unexpected token: %v", k)
+	default:
+		panic("unreachable")
+	}
+	if err := jsonv2.UnmarshalDecode(in, valPtr); err != nil {
+		v.Value.Clear()
+		return err
+	}
+	value := reflect.ValueOf(valPtr).Elem().Interface()
+	v.Value = opt.ValueOf(value)
+	return nil
+}
+
+// MarshalJSON implements [json.Marshaler].
+func (v RawValue) MarshalJSON() ([]byte, error) {
+	return jsonv2.Marshal(v) // uses MarshalJSONTo
+}
+
+// UnmarshalJSON implements [json.Unmarshaler].
+func (v *RawValue) UnmarshalJSON(b []byte) error {
+	return jsonv2.Unmarshal(b, v) // uses UnmarshalJSONFrom
+}
+
+// RawValues is a map of keyed setting values that can be read from a JSON.
+type RawValues map[Key]RawValue

vendor/tailscale.com/util/syspolicy/setting/setting.go

@@ -243,6 +243,9 @@ func registerLocked(d *Definition) {
 
 func settingDefinitions() (DefinitionMap, error) {
 	return definitions.GetErr(func() (DefinitionMap, error) {
+		if err := internal.Init.Do(); err != nil {
+			return nil, err
+		}
 		definitionsMu.Lock()
 		defer definitionsMu.Unlock()
 		definitionsUsed = true

vendor/tailscale.com/util/syspolicy/setting/snapshot.go

@@ -4,11 +4,14 @@
 package setting
 
 import (
+	"errors"
 	"iter"
 	"maps"
 	"slices"
 	"strings"
 
+	jsonv2 "github.com/go-json-experiment/json"
+	"github.com/go-json-experiment/json/jsontext"
 	xmaps "golang.org/x/exp/maps"
 	"tailscale.com/util/deephash"
 )
@@ -65,6 +68,9 @@ func (s *Snapshot) GetSetting(k Key) (setting RawItem, ok bool) {
 
 // Equal reports whether s and s2 are equal.
 func (s *Snapshot) Equal(s2 *Snapshot) bool {
+	if s == s2 {
+		return true
+	}
 	if !s.EqualItems(s2) {
 		return false
 	}
@@ -135,6 +141,50 @@ func (s *Snapshot) String() string {
 	return sb.String()
 }
 
+// snapshotJSON holds JSON-marshallable data for [Snapshot].
+type snapshotJSON struct {
+	Summary  Summary         `json:",omitzero"`
+	Settings map[Key]RawItem `json:",omitempty"`
+}
+
+var (
+	_ jsonv2.MarshalerTo     = (*Snapshot)(nil)
+	_ jsonv2.UnmarshalerFrom = (*Snapshot)(nil)
+)
+
+// MarshalJSONTo implements [jsonv2.MarshalerTo].
+func (s *Snapshot) MarshalJSONTo(out *jsontext.Encoder) error {
+	data := &snapshotJSON{}
+	if s != nil {
+		data.Summary = s.summary
+		data.Settings = s.m
+	}
+	return jsonv2.MarshalEncode(out, data)
+}
+
+// UnmarshalJSONFrom implements [jsonv2.UnmarshalerFrom].
+func (s *Snapshot) UnmarshalJSONFrom(in *jsontext.Decoder) error {
+	if s == nil {
+		return errors.New("s must not be nil")
+	}
+	data := &snapshotJSON{}
+	if err := jsonv2.UnmarshalDecode(in, data); err != nil {
+		return err
+	}
+	*s = Snapshot{m: data.Settings, sig: deephash.Hash(&data.Settings), summary: data.Summary}
+	return nil
+}
+
+// MarshalJSON implements [json.Marshaler].
+func (s *Snapshot) MarshalJSON() ([]byte, error) {
+	return jsonv2.Marshal(s) // uses MarshalJSONTo
+}
+
+// UnmarshalJSON implements [json.Unmarshaler].
+func (s *Snapshot) UnmarshalJSON(b []byte) error {
+	return jsonv2.Unmarshal(b, s) // uses UnmarshalJSONFrom
+}
+
 // MergeSnapshots returns a [Snapshot] that contains all [RawItem]s
 // from snapshot1 and snapshot2 and the [Summary] with the narrower [PolicyScope].
 // If there's a conflict between policy settings in the two snapshots,

vendor/tailscale.com/util/syspolicy/setting/summary.go

@@ -54,24 +54,29 @@ func (s Summary) String() string {
 	return s.data.Scope.String()
 }
 
-// MarshalJSONV2 implements [jsonv2.MarshalerV2].
-func (s Summary) MarshalJSONV2(out *jsontext.Encoder, opts jsonv2.Options) error {
-	return jsonv2.MarshalEncode(out, &s.data, opts)
+var (
+	_ jsonv2.MarshalerTo     = (*Summary)(nil)
+	_ jsonv2.UnmarshalerFrom = (*Summary)(nil)
+)
+
+// MarshalJSONTo implements [jsonv2.MarshalerTo].
+func (s Summary) MarshalJSONTo(out *jsontext.Encoder) error {
+	return jsonv2.MarshalEncode(out, &s.data)
 }
 
-// UnmarshalJSONV2 implements [jsonv2.UnmarshalerV2].
-func (s *Summary) UnmarshalJSONV2(in *jsontext.Decoder, opts jsonv2.Options) error {
-	return jsonv2.UnmarshalDecode(in, &s.data, opts)
+// UnmarshalJSONFrom implements [jsonv2.UnmarshalerFrom].
+func (s *Summary) UnmarshalJSONFrom(in *jsontext.Decoder) error {
+	return jsonv2.UnmarshalDecode(in, &s.data)
 }
 
 // MarshalJSON implements [json.Marshaler].
 func (s Summary) MarshalJSON() ([]byte, error) {
-	return jsonv2.Marshal(s) // uses MarshalJSONV2
+	return jsonv2.Marshal(s) // uses MarshalJSONTo
 }
 
 // UnmarshalJSON implements [json.Unmarshaler].
 func (s *Summary) UnmarshalJSON(b []byte) error {
-	return jsonv2.Unmarshal(b, s) // uses UnmarshalJSONV2
+	return jsonv2.Unmarshal(b, s) // uses UnmarshalJSONFrom
 }
 
 // SummaryOption is an option that configures [Summary]