cmd/tailscale/cli,ipn/ipnlocal: restrict logout when AlwaysOn mode is enabled

In this PR, we start passing a LocalAPI actor to (*LocalBackend).Logout to make it subject
to the same access check as disconnects made via tailscale down or the GUI.

We then update the CLI to allow `tailscale logout` to accept a reason, similar to `tailscale down`.

Updates tailscale/corp#26249

Signed-off-by: Nick Khyl <nickk@tailscale.com>
Nick Khyl
2025-07-08 14:37:13 -05:00
committed by Nick Khyl
parent 5b0074729d
commit 1fe82d6ef5
5 changed files with 22 additions and 11 deletions

@@ -1460,7 +1460,7 @@ func (h *Handler) serveLogout(w http.ResponseWriter, r *http.Request) {
http.Error(w, "want POST", http.StatusBadRequest)
return
}
err := h.b.Logout(r.Context())
err := h.b.Logout(r.Context(), h.Actor)
if err == nil {
w.WriteHeader(http.StatusNoContent)
return
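
Review bot: The denial path in serveLogout needs checking now that h.Actor is passed to Logout, because the lines shown here only handle err == nil (204 No Content). A logout refused by the access check should come back with a distinct status such as 403 Forbidden rather than a generic server error, so the CLI can tell a policy refusal apart from a real failure. A short comment at the call would also help: it passes only r.Context() and h.Actor, so it is not obvious from this hunk how the reason given to `tailscale logout` reaches the check.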