[User Story] Add tag:infisical to Tailscale ACL tagOwners #352
Open
Story Summary
As a platform engineer, I want tag:infisical defined in the Tailscale ACL tagOwners, so that infisical-stack can provision Tailscale auth keys for the Infisical server without a 400 permission error.
✅ Acceptance Criteria
- "tag:infisical" = ["group:devs"] added to tagOwners in soc_tailnet_acl in opentofu/modules/tailscale/main.tofu
- ghost-stack apply succeeds with updated ACL
- infisical-stack tailscale unit creates auth key with tag:infisical without error
📝 Additional Context
- infisical-stack provisions its Hetzner server on the same Tailscale tailnet as ghost-stack. The ACL is owned by ghost-stack — infisical-stack only creates auth keys, it does not manage the tailnet policy.
- Blocked: infisical-stack OFF-49 deploy cannot complete until this tag exists in the ACL.
📦 Definition of Ready
- Acceptance criteria defined
- No unresolved external dependencies
- Story is estimated
- Team has necessary skills and access
- Priority is clear
- Business value understood
✅ Definition of Done
- All acceptance criteria met
- Unit/integration tests written & passing
- Peer-reviewed
- Docs updated (if applicable)
- Verified in staging (if needed)
- No critical bugs/regressions
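A pre-flight check for the dependency described in this story, as an added example that is not code from the issue or from either stack: it verifies that every tag a stack will request on an auth key is defined in the policy's tagOwners and that any group named as an owner is defined under groups. The sample policy, the `tag:ghost` and `tag:orphan` entries, the e-mail address and the function names are constructed for illustration, and the policy is assumed to be available as plain JSON.

```python
import json

# Constructed sample policy; the real soc_tailnet_acl contents are not shown in the issue.
SAMPLE_POLICY = json.loads("""
{
  "groups": {"group:devs": ["alice@example.com"]},
  "tagOwners": {
    "tag:ghost": ["group:devs"],
    "tag:orphan": ["group:ops"]
  }
}
""")


def check_tags(policy, requested_tags):
    """Return the problems that would block auth keys carrying requested_tags."""
    groups = policy.get("groups", {})
    owners_by_tag = policy.get("tagOwners", {})
    problems = []
    for tag in requested_tags:
        if not tag.startswith("tag:"):
            problems.append(f"{tag}: not a tag (missing 'tag:' prefix)")
            continue
        if tag not in owners_by_tag:
            # The condition this story fixes: key creation fails for an undefined tag.
            problems.append(f"{tag}: not defined in tagOwners")
            continue
        for owner in owners_by_tag[tag]:
            # A group owner must itself be declared in the policy's groups block.
            if owner.startswith("group:") and owner not in groups:
                problems.append(f"{tag}: owner {owner} is not a defined group")
    return problems


def with_tag(policy, tag, owners):
    """Return a copy of policy with tag added to tagOwners, leaving the input untouched."""
    updated = dict(policy)
    updated["tagOwners"] = {**policy.get("tagOwners", {}), tag: list(owners)}
    return updated


if __name__ == "__main__":
    print(check_tags(SAMPLE_POLICY, ["tag:infisical"]))   # before the ACL change
    fixed = with_tag(SAMPLE_POLICY, "tag:infisical", ["group:devs"])
    print(check_tags(fixed, ["tag:infisical"]))           # after the ACL change
```

Run in the consuming stack's pipeline against the rendered policy, a check like this fails before the auth key request is made instead of surfacing as a 400 during apply.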