cmd/tailscale,ipn: store disallowed TKA's in prefs, lock local-disable

Take 2 of https://github.com/tailscale/tailscale/pull/6546

Builds on https://github.com/tailscale/tailscale/pull/6560

Signed-off-by: Tom DNetto <tom@tailscale.com>

cmd/tailscale/cli/network-lock.go

@@ -37,6 +37,7 @@ var netlockCmd = &ffcli.Command{
 		nlDisableCmd,
 		nlDisablementKDFCmd,
 		nlLogCmd,
+		nlLocalDisableCmd,
 	},
 	Exec: runNetworkLockStatus,
 }
@@ -348,6 +349,17 @@ func runNetworkLockDisable(ctx context.Context, args []string) error {
 	return localClient.NetworkLockDisable(ctx, secrets[0])
 }
 
+var nlLocalDisableCmd = &ffcli.Command{
+	Name:       "local-disable",
+	ShortUsage: "local-disable",
+	ShortHelp:  "Disables the currently-active tailnet lock for this node",
+	Exec:       runNetworkLockLocalDisable,
+}
+
+func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
+	return localClient.NetworkLockForceLocalDisable(ctx)
+}
+
 var nlDisablementKDFCmd = &ffcli.Command{
 	Name:       "disablement-kdf",
 	ShortUsage: "disablement-kdf <hex-encoded-disablement-secret>",