ipn/ipnauth,util/syspolicy: improve comments

Updates #cleanup
Updates #14823

Signed-off-by: Nick Khyl <nickk@tailscale.com>

ipn/ipnauth/access.go

@@ -5,7 +5,10 @@ package ipnauth
 
 // ProfileAccess is a bitmask representing the requested, required, or granted
 // access rights to an [ipn.LoginProfile].
-type ProfileAccess uint32
+//
+// It is not to be written to disk or transmitted over the network in its integer form,
+// but rather serialized to a string or other format if ever needed.
+type ProfileAccess uint
 
 // Define access rights that might be granted or denied on a per-profile basis.
 const (

ipn/ipnauth/actor.go

@@ -27,8 +27,9 @@ type Actor interface {
 	// a connected LocalAPI client. Otherwise, it returns a zero value and false.
 	ClientID() (_ ClientID, ok bool)
 
-	// CheckProfileAccess checks whether the actor has the requested access rights
-	// to the specified Tailscale profile. It returns an error if the access is denied.
+	// CheckProfileAccess checks whether the actor has the necessary access rights
+	// to perform a given action on the specified Tailscale profile.
+	// It returns an error if access is denied.
 	CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess) error
 
 	// IsLocalSystem reports whether the actor is the Windows' Local System account.

util/syspolicy/policy_keys.go

@@ -33,6 +33,7 @@ const (
 	//
 	// Warning: This policy setting is experimental and may change or be removed in the future.
 	// It may also not be fully supported by all Tailscale clients until it is out of experimental status.
+	// See tailscale/corp#26247, tailscale/corp#26248 and tailscale/corp#26249 for more information.
 	AlwaysOn Key = "AlwaysOn"
 
 	// ExitNodeID is the exit node's node id. default ""; if blank, no exit node is forced.