fix: detect tailscale tag permission errors and clean access output
Some checks failed
Deploy Cluster / Terraform (push) Successful in 46s
Deploy Cluster / Ansible (push) Failing after 14m7s

This commit is contained in:
2026-03-03 08:51:25 +00:00
parent 414ac73c25
commit 213c1fb4e4
2 changed files with 7 additions and 7 deletions


@@ -115,17 +115,17 @@
- name: Fail when Tailscale OAuth permissions are insufficient
fail:
msg: |
Tailscale operator started but cannot create auth keys (403 permission error).
Tailscale operator started but cannot create auth keys (OAuth/tag permission error).
Fix your Tailscale OAuth client/tag permissions.
Required checks in Tailscale admin:
- OAuth client has devices:core write access
- OAuth client has devices:core, auth_keys, and services write access
- OAuth client can create tagged devices for: {{ tailscale_operator_default_tags | join(', ') }}
- ACL/tag ownership allows those tags for this OAuth client
Operator log excerpt:
{{ tailscale_operator_logs.stdout | default('n/a') }}
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout)"
when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
- name: Warn if Tailscale operator is not ready yet
debug:
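Review bot: the widened `when` at the end of this hunk matches a bare `Status: 400` anywhere in the operator log, so any unrelated 400 (a malformed request, for example) would now fail the play with the "Fix your Tailscale OAuth client/tag permissions" message and hide the actual cause; only the `invalid or not permitted` substring is specific to the tag-permission case the commit title describes. Consider requiring `Status: 400` to co-occur with `invalid or not permitted` instead of matching the status code on its own, and since the condition is now four `or` branches in one quoted string, splitting it into a `when:` list with one pattern per entry would make it readable and easier to extend, e.g. `- "'does not have enough permissions' in tailscale_operator_logs.stdout"` on its own line under a preceding `tailscale_operator_logs.stdout is defined` guard (note that a `when:` list is AND-ed, so the `or` branches would need to stay together in one entry or be restructured accordingly).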