
[Foundation F6.6] Tailscale Funnel tunnel provider #644

@furukama

TunnelProvider implementation for Tailscale Funnel — slots into the F6.2 (#567) interface alongside the ngrok reference impl.

Why this is a separate provider

  • Teams already on Tailscale get auth + ACLs from their existing tailnet, no third-party SaaS account needed.
  • Predictable hostnames (your-machine.tail-scale.ts.net) vs rotating subdomains on ngrok's free tier.
  • Different lifecycle (tailscaled daemon vs ngrok SDK) and different auth model (machine identity / TS_AUTHKEY) — peer implementation, not a refinement of [Foundation F6.2] TunnelProvider interface + ngrok reference impl #567.

Acceptance criteria

  • Implements TunnelProvider: start() → { public_url }, stop(), status().
  • Reads Tailscale auth from the encrypted runtime secret store (TS_AUTHKEY) or relies on an existing tailscaled login.
  • start() invokes tailscale funnel on the configured local addr; surfaces the resulting *.ts.net URL via public_url.
  • stop() best-effort cleanup of the funnel binding (warns on failure, doesn't throw — same pattern as the ngrok provider).
  • Token / authkey redacted in error messages.
  • Mocked unit tests for happy path, missing-auth graceful failure, idempotent start.
  • Skipped-by-default live test against a Tailscale sandbox tailnet (gated behind HYBRIDCLAW_RUN_LIVE_TAILSCALE=1 + TS_SANDBOX_AUTHKEY), mirroring the ngrok live test pattern.
  • Operator docs in docs/content/guides/ covering tailscaled install, login, funnel grant.

Depends on

Priority

P1 — operator-choice work, not critical path. The system works with the ngrok reference impl alone; Tailscale is a strong alternative for teams already running it.
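Added example, not part of the issue or the HybridClaw code base: a sketch of a provider covering the criteria above for idempotent start, warn-only stop, and authkey redaction in error messages. The class name, the injected `run` and `warn` hooks, the synchronous methods, the `[REDACTED]` marker, and the choice of `tailscale up`, `funnel --bg`, `funnel reset` and `status --json` calls are assumptions made for illustration.

```javascript
// Added example, not HybridClaw code; `run` and `warn` are hypothetical injection points.
// Mask the configured key and anything shaped like a Tailscale key ("tskey-...").
function redact(text, authKey) {
  let out = String(text);
  if (authKey) out = out.split(authKey).join("[REDACTED]");
  return out.replace(/tskey-[A-Za-z0-9_-]+/g, "[REDACTED]");
}

class TailscaleFunnelProvider {
  constructor({ localPort, authKey, run, warn } = {}) {
    this.localPort = localPort;
    this.authKey = authKey; // TS_AUTHKEY from the secret store; unset = existing login
    this.run = run || ((cmd, args) =>
      require("node:child_process").execFileSync(cmd, args, { encoding: "utf8" }));
    this.warn = warn || console.warn;
    this.publicUrl = null;
  }

  exec(args) {
    try {
      return this.run("tailscale", args);
    } catch (err) {
      // child_process errors quote the full argv, which can include the key.
      throw new Error(redact(err.message, this.authKey));
    }
  }

  start() {
    if (this.publicUrl) return { public_url: this.publicUrl }; // idempotent start
    if (this.authKey) this.exec(["up", `--auth-key=${this.authKey}`]);
    this.exec(["funnel", "--bg", String(this.localPort)]);
    const self = JSON.parse(this.exec(["status", "--json"])).Self;
    this.publicUrl = `https://${self.DNSName.replace(/\.$/, "")}`;
    return { public_url: this.publicUrl };
  }

  stop() {
    try {
      this.exec(["funnel", "reset"]); // best-effort: warn, never throw
    } catch (err) {
      this.warn(`tailscale funnel cleanup failed: ${err.message}`);
    }
    this.publicUrl = null;
  }

  status() {
    return { running: this.publicUrl !== null, public_url: this.publicUrl };
  }
}
```

Passing the key on the command line leaves it visible in the local process list while `tailscale up` runs; `--auth-key=file:<path>` keeps it out of argv. Redaction in `exec()` covers thrown errors only, so any logging of the argument list needs the same filter.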

Labels

  • foundation: Foundational primitive blocking other roadmap work
  • priority/P1: High Priority — depth work
  • roadmap: Trusted Coworker roadmap