From 5b40f0bc547701f461605a418d49a20a0edc9f8b Mon Sep 17 00:00:00 2001
From: Joe Tsai <joetsai@digital-static.net>
Date: Wed, 5 Nov 2025 16:17:49 -0800
Subject: [PATCH] cmd/vet: add static vet checker that runs jsontags (#17778)

This starts running the jsontags vet checker on the module.
All existing findings are adding to an allowlist.

Updates tailscale/corp#791

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
---
 .github/workflows/vet.yml  |  38 +++++
 cmd/vet/jsontags_allowlist | 315 +++++++++++++++++++++++++++++++++++++
 cmd/vet/vet.go             |  24 +++
 flake.nix                  |   2 +-
 go.mod.sri                 |   2 +-
 shell.nix                  |   2 +-
 6 files changed, 380 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/vet.yml
 create mode 100644 cmd/vet/jsontags_allowlist
 create mode 100644 cmd/vet/vet.go

diff --git a/.github/workflows/vet.yml b/.github/workflows/vet.yml
new file mode 100644
index 000000000..7eff6b45f
--- /dev/null
+++ b/.github/workflows/vet.yml
@@ -0,0 +1,38 @@
+name: tailscale.com/cmd/vet
+
+env:
+  HOME: ${{ github.workspace }}
+  # GOMODCACHE is the same definition on all OSes. Within the workspace, we use
+  # toplevel directories "src" (for the checked out source code), and "gomodcache"
+  # and other caches as siblings to follow.
+  GOMODCACHE: ${{ github.workspace }}/gomodcache
+
+on:
+  push:
+    branches:
+      - main
+      - "release-branch/*"
+    paths:
+      - "**.go"
+  pull_request:
+    paths:
+      - "**.go"
+
+jobs:
+  vet:
+    runs-on: [ self-hosted, linux ]
+    timeout-minutes: 5
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: src
+
+      - name: Build 'go vet' tool
+        working-directory: src
+        run: ./tool/go build -o /tmp/vettool tailscale.com/cmd/vet
+
+      - name: Run 'go vet'
+        working-directory: src
+        run: ./tool/go vet -vettool=/tmp/vettool tailscale.com/...
diff --git a/cmd/vet/jsontags_allowlist b/cmd/vet/jsontags_allowlist
new file mode 100644
index 000000000..060a81b05
--- /dev/null
+++ b/cmd/vet/jsontags_allowlist
@@ -0,0 +1,315 @@
+OmitEmptyShouldBeOmitZero	tailscale.com/client/web.authResponse.ViewerIdentity
+OmitEmptyShouldBeOmitZero	tailscale.com/cmd/k8s-operator.OwnerRef.Resource
+OmitEmptyShouldBeOmitZero	tailscale.com/cmd/tailscale/cli.apiResponse.Error
+OmitEmptyShouldBeOmitZero	tailscale.com/health.UnhealthyState.PrimaryAction
+OmitEmptyShouldBeOmitZero	tailscale.com/internal/client/tailscale.VIPService.Name
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.AcceptDNS
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.AcceptRoutes
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.AllowLANWhileUsingExitNode
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.AppConnector
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.AuthKey
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.AutoUpdate
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.DisableSNAT
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.Enabled
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.ExitNode
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.Hostname
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.Locked
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.NetfilterMode
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.NoStatefulFiltering
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.OperatorUser
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.PostureChecking
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.RunSSHServer
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.RunWebClient
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.ServeConfigTemp
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.ServerURL
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.ConfigVAlpha.ShieldsUp
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.OutgoingFile.PeerID
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.Prefs.AutoExitNode
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.Prefs.NoStatefulFiltering
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn.Prefs.RelayServerPort
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/auditlog.transaction.Action
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/ipnstate.PeerStatus.AllowedIPs
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/ipnstate.PeerStatus.Location
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/ipnstate.PeerStatus.PrimaryRoutes
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/ipnstate.PeerStatus.Tags
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/ipnstate.Status.ExitNodeStatus
+OmitEmptyShouldBeOmitZero	tailscale.com/ipn/ipnstate.UpdateProgress.Status
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ConnectorSpec.AppConnector
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ConnectorSpec.Hostname
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ConnectorSpec.HostnamePrefix
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ConnectorSpec.Replicas
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ConnectorSpec.SubnetRouter
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Container.Debug
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Container.ImagePullPolicy
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Container.SecurityContext
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.KubeAPIServerConfig.Mode
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Nameserver.Image
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Nameserver.Pod
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Nameserver.Replicas
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Nameserver.Service
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Pod.Affinity
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Pod.DNSConfig
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Pod.DNSPolicy
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Pod.SecurityContext
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Pod.TailscaleContainer
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Pod.TailscaleInitContainer
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ProxyClassSpec.Metrics
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ProxyClassSpec.StaticEndpoints
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ProxyClassSpec.TailscaleConfig
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ProxyGroupSpec.HostnamePrefix
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ProxyGroupSpec.KubeAPIServer
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.ProxyGroupSpec.Replicas
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.RecorderContainer.ImagePullPolicy
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.RecorderContainer.SecurityContext
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.RecorderPod.Affinity
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.RecorderPod.SecurityContext
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.StatefulSet.Pod
+OmitEmptyShouldBeOmitZero	tailscale.com/k8s-operator/apis/v1alpha1.Storage.S3
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/ingressservices.Config.IPv4Mapping
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/ingressservices.Config.IPv6Mapping
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.APIServerProxyConfig.Enabled
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.APIServerProxyConfig.IssueCerts
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.APIServerProxyConfig.Mode
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.APIServerProxyConfig.ServiceName
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.AcceptRoutes
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.APIServerProxy
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.App
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.AuthKey
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.HealthCheckEnabled
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.Hostname
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.LocalAddr
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.LocalPort
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.LogLevel
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.MetricsEnabled
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.ServerURL
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.ConfigV1Alpha1.State
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/k8s-proxy/conf.VersionedConfig.V1Alpha1
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/kubeapi.ObjectMeta.DeletionGracePeriodSeconds
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/kubeapi.Status.Details
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/kubeclient.JSONPatch.Value
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/kubetypes.*.Mode
+OmitEmptyShouldBeOmitZero	tailscale.com/kube/kubetypes.KubernetesCapRule.Impersonate
+OmitEmptyShouldBeOmitZero	tailscale.com/sessionrecording.CastHeader.Kubernetes
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.AuditLogRequest.Action
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Debug.Exit
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.DERPMap.HomeParams
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.DisplayMessage.PrimaryAction
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.AppConnector
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.Container
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.Desktop
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.Location
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.NetInfo
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.StateEncrypted
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.TPM
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.Userspace
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Hostinfo.UserspaceRouter
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.ClientVersion
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.CollectServices
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.ControlDialPlan
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.Debug
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.DefaultAutoUpdate
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.DERPMap
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.DNSConfig
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.Node
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.PingRequest
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.SSHPolicy
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.MapResponse.TKAInfo
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.NetPortRange.Bits
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Node.Online
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Node.SelfNodeV4MasqAddrForThisPeer
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.Node.SelfNodeV6MasqAddrForThisPeer
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.PeerChange.Online
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.RegisterRequest.Auth
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.RegisterResponseAuth.Oauth2Token
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.SSHAction.OnRecordingFailure
+OmitEmptyShouldBeOmitZero	tailscale.com/tailcfg.SSHPrincipal.Node
+OmitEmptyShouldBeOmitZero	tailscale.com/tempfork/acme.*.ExternalAccountBinding
+OmitEmptyShouldBeOmitZero	tailscale.com/tsweb.AccessLogRecord.RequestID
+OmitEmptyShouldBeOmitZero	tailscale.com/types/opt.*.Unset
+OmitEmptyShouldBeOmitZero	tailscale.com/types/views.viewStruct.AddrsPtr
+OmitEmptyShouldBeOmitZero	tailscale.com/types/views.viewStruct.StringsPtr
+OmitEmptyShouldBeOmitZero	tailscale.com/wgengine/magicsock.EndpointChange.From
+OmitEmptyShouldBeOmitZero	tailscale.com/wgengine/magicsock.EndpointChange.To
+OmitEmptyShouldBeOmitZeroButHasIsZero	tailscale.com/types/persist.Persist.AttestationKey
+OmitEmptyUnsupportedInV1	tailscale.com/client/tailscale.KeyCapabilities.Devices
+OmitEmptyUnsupportedInV1	tailscale.com/client/tailscale/apitype.ExitNodeSuggestionResponse.Location
+OmitEmptyUnsupportedInV1	tailscale.com/cmd/k8s-operator.ServiceMonitorSpec.NamespaceSelector
+OmitEmptyUnsupportedInV1	tailscale.com/derp.ClientInfo.MeshKey
+OmitEmptyUnsupportedInV1	tailscale.com/ipn.MaskedPrefs.AutoUpdateSet
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.Connector.ObjectMeta
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.Container.Resources
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.DNSConfig.ObjectMeta
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.ProxyClass.ObjectMeta
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.ProxyGroup.ObjectMeta
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.Recorder.ObjectMeta
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.RecorderContainer.Resources
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.RecorderPod.Container
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.RecorderPod.ServiceAccount
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.RecorderSpec.Storage
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.RecorderStatefulSet.Pod
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.S3.Credentials
+OmitEmptyUnsupportedInV1	tailscale.com/k8s-operator/apis/v1alpha1.S3Credentials.Secret
+OmitEmptyUnsupportedInV1	tailscale.com/kube/kubeapi.Event.FirstTimestamp
+OmitEmptyUnsupportedInV1	tailscale.com/kube/kubeapi.Event.LastTimestamp
+OmitEmptyUnsupportedInV1	tailscale.com/kube/kubeapi.Event.Source
+OmitEmptyUnsupportedInV1	tailscale.com/kube/kubeapi.ObjectMeta.CreationTimestamp
+OmitEmptyUnsupportedInV1	tailscale.com/tailcfg_test.*.Groups
+OmitEmptyUnsupportedInV1	tailscale.com/tailcfg.Oauth2Token.Expiry
+OmitEmptyUnsupportedInV1	tailscale.com/tailcfg.QueryFeatureRequest.NodeKey
+OmitEmptyUnsupportedInV2	tailscale.com/client/tailscale.*.ExpirySeconds
+OmitEmptyUnsupportedInV2	tailscale.com/client/tailscale.DerpRegion.Preferred
+OmitEmptyUnsupportedInV2	tailscale.com/client/tailscale.DevicePostureIdentity.Disabled
+OmitEmptyUnsupportedInV2	tailscale.com/client/tailscale/apitype.DNSResolver.UseWithExitNode
+OmitEmptyUnsupportedInV2	tailscale.com/client/web.authResponse.NeedsSynoAuth
+OmitEmptyUnsupportedInV2	tailscale.com/cmd/tsidp.tailscaleClaims.UserID
+OmitEmptyUnsupportedInV2	tailscale.com/derp.ClientInfo.IsProber
+OmitEmptyUnsupportedInV2	tailscale.com/derp.ClientInfo.Version
+OmitEmptyUnsupportedInV2	tailscale.com/derp.ServerInfo.TokenBucketBytesBurst
+OmitEmptyUnsupportedInV2	tailscale.com/derp.ServerInfo.TokenBucketBytesPerSecond
+OmitEmptyUnsupportedInV2	tailscale.com/derp.ServerInfo.Version
+OmitEmptyUnsupportedInV2	tailscale.com/health.UnhealthyState.ImpactsConnectivity
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.AutoUpdatePrefsMask.ApplySet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.AutoUpdatePrefsMask.CheckSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.AdvertiseRoutesSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.AdvertiseServicesSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.AdvertiseTagsSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.AppConnectorSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.AutoExitNodeSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ControlURLSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.CorpDNSSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.DriveSharesSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.EggSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ExitNodeAllowLANAccessSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ExitNodeIDSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ExitNodeIPSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ForceDaemonSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.HostnameSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.InternalExitNodePriorSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.LoggedOutSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.NetfilterKindSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.NetfilterModeSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.NoSNATSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.NoStatefulFilteringSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.NotepadURLsSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.OperatorUserSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.PostureCheckingSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ProfileNameSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.RelayServerPortSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.RouteAllSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.RunSSHSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.RunWebClientSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.ShieldsUpSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.MaskedPrefs.WantRunningSet
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.PartialFile.Done
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.Prefs.Egg
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.Prefs.ForceDaemon
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.ServiceConfig.Tun
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.TCPPortHandler.HTTP
+OmitEmptyUnsupportedInV2	tailscale.com/ipn.TCPPortHandler.HTTPS
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/auditlog.transaction.Retries
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/ipnstate.PeerStatus.AltSharerUserID
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/ipnstate.PeerStatus.Expired
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/ipnstate.PeerStatus.ShareeNode
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/ipnstate.PingResult.IsLocalIP
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/ipnstate.PingResult.PeerAPIPort
+OmitEmptyUnsupportedInV2	tailscale.com/ipn/ipnstate.Status.HaveNodeKey
+OmitEmptyUnsupportedInV2	tailscale.com/k8s-operator/apis/v1alpha1.PortRange.EndPort
+OmitEmptyUnsupportedInV2	tailscale.com/k8s-operator/apis/v1alpha1.ProxyClassSpec.UseLetsEncryptStagingEnvironment
+OmitEmptyUnsupportedInV2	tailscale.com/k8s-operator/apis/v1alpha1.RecorderSpec.EnableUI
+OmitEmptyUnsupportedInV2	tailscale.com/k8s-operator/apis/v1alpha1.TailscaleConfig.AcceptRoutes
+OmitEmptyUnsupportedInV2	tailscale.com/kube/kubeapi.Event.Count
+OmitEmptyUnsupportedInV2	tailscale.com/kube/kubeapi.ObjectMeta.Generation
+OmitEmptyUnsupportedInV2	tailscale.com/kube/kubeapi.Status.Code
+OmitEmptyUnsupportedInV2	tailscale.com/kube/kubetypes.KubernetesCapRule.EnforceRecorder
+OmitEmptyUnsupportedInV2	tailscale.com/log/sockstatlog.event.IsCellularInterface
+OmitEmptyUnsupportedInV2	tailscale.com/sessionrecording.CastHeader.SrcNodeUserID
+OmitEmptyUnsupportedInV2	tailscale.com/sessionrecording.Source.NodeUserID
+OmitEmptyUnsupportedInV2	tailscale.com/sessionrecording.v2ResponseFrame.Ack
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg_test.*.ToggleOn
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.AuditLogRequest.Version
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.C2NPostureIdentityResponse.PostureDisabled
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.C2NSSHUsernamesRequest.Max
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.C2NTLSCertInfo.Expired
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.C2NTLSCertInfo.Missing
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.C2NTLSCertInfo.Valid
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.ClientVersion.Notify
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.ClientVersion.RunningLatest
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.ClientVersion.UrgentSecurityUpdate
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.ControlIPCandidate.DialStartDelaySec
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.ControlIPCandidate.DialTimeoutSec
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.ControlIPCandidate.Priority
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Debug.DisableLogTail
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Debug.SleepSeconds
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPMap.OmitDefaultRegions
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPNode.CanPort80
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPNode.DERPPort
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPNode.InsecureForTests
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPNode.STUNOnly
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPNode.STUNPort
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPRegion.Avoid
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPRegion.Latitude
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPRegion.Longitude
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DERPRegion.NoMeasureNoHome
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DisplayMessage.ImpactsConnectivity
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.DNSConfig.Proxied
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Hostinfo.AllowsUpdate
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Hostinfo.IngressEnabled
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Hostinfo.NoLogsNoSupport
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Hostinfo.ShareeNode
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Hostinfo.ShieldsUp
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Hostinfo.WireIngress
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Location.Latitude
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Location.Longitude
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Location.Priority
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.MapRequest.MapSessionSeq
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.MapRequest.OmitPeers
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.MapRequest.ReadOnly
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.MapResponse.KeepAlive
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.MapResponse.Seq
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.NetInfo.HavePortMap
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.Cap
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.Expired
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.HomeDERP
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.IsJailed
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.IsWireGuardOnly
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.MachineAuthorized
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.Sharer
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.Node.UnsignedPeerAPIOnly
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PeerChange.Cap
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PeerChange.DERPRegion
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PingRequest.Log
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PingRequest.URLIsNoise
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PingResponse.DERPRegionID
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PingResponse.IsLocalIP
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PingResponse.LatencySeconds
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.PingResponse.PeerAPIPort
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.QueryFeatureResponse.Complete
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.QueryFeatureResponse.ShouldWait
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.RegisterRequest.Ephemeral
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.RegisterRequest.SignatureType
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHAction.Accept
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHAction.AllowAgentForwarding
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHAction.AllowLocalPortForwarding
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHAction.AllowRemotePortForwarding
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHAction.Reject
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHAction.SessionDuration
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.SSHPrincipal.Any
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.TKAInfo.Disabled
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.TPMInfo.FirmwareVersion
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.TPMInfo.Model
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.TPMInfo.SpecRevision
+OmitEmptyUnsupportedInV2	tailscale.com/tailcfg.WebClientAuthResponse.Complete
+OmitEmptyUnsupportedInV2	tailscale.com/tempfork/acme.*.TermsAgreed
+OmitEmptyUnsupportedInV2	tailscale.com/tstime/rate.jsonValue.Updated
+OmitEmptyUnsupportedInV2	tailscale.com/tstime/rate.jsonValue.Value
+OmitEmptyUnsupportedInV2	tailscale.com/tsweb.AccessLogRecord.Bytes
+OmitEmptyUnsupportedInV2	tailscale.com/tsweb.AccessLogRecord.Code
+OmitEmptyUnsupportedInV2	tailscale.com/tsweb.AccessLogRecord.Seconds
+OmitEmptyUnsupportedInV2	tailscale.com/tsweb.AccessLogRecord.TLS
+OmitEmptyUnsupportedInV2	tailscale.com/tsweb/varz.SomeStats.TotalY
+OmitEmptyUnsupportedInV2	tailscale.com/types/appctype.AppConnectorConfig.AdvertiseRoutes
+OmitEmptyUnsupportedInV2	tailscale.com/types/dnstype.Resolver.UseWithExitNode
+OmitEmptyUnsupportedInV2	tailscale.com/types/opt.testStruct.Int
+OmitEmptyUnsupportedInV2	tailscale.com/version.Meta.GitDirty
+OmitEmptyUnsupportedInV2	tailscale.com/version.Meta.IsDev
+OmitEmptyUnsupportedInV2	tailscale.com/version.Meta.UnstableBranch
diff --git a/cmd/vet/vet.go b/cmd/vet/vet.go
new file mode 100644
index 000000000..45473af48
--- /dev/null
+++ b/cmd/vet/vet.go
@@ -0,0 +1,24 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package vet is a tool to statically check Go source code.
+package main
+
+import (
+	_ "embed"
+
+	"golang.org/x/tools/go/analysis/unitchecker"
+	"tailscale.com/cmd/vet/jsontags"
+)
+
+//go:embed jsontags_allowlist
+var jsontagsAllowlistSource string
+
+func init() {
+	jsontags.RegisterAllowlist(jsontags.ParseAllowlist(jsontagsAllowlistSource))
+	jsontags.RegisterPureIsZeroMethods(jsontags.PureIsZeroMethodsInTailscaleModule)
+}
+
+func main() {
+	unitchecker.Main(jsontags.Analyzer)
+}
diff --git a/flake.nix b/flake.nix
index e50f39638..d2f03d4d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -151,5 +151,5 @@
     });
   };
 }
-# nix-direnv cache busting line: sha256-D0znIEcy9d822snZbdNCNLoN47cOP1F2SKmfwSFRvXw=
+# nix-direnv cache busting line: sha256-p8dVVZm2bLL4J/d4TtnUOp3bfMqUkBGE+53RUhamF+A=
 
diff --git a/go.mod.sri b/go.mod.sri
index 108423f4e..325a03b43 100644
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-D0znIEcy9d822snZbdNCNLoN47cOP1F2SKmfwSFRvXw=
+sha256-p8dVVZm2bLL4J/d4TtnUOp3bfMqUkBGE+53RUhamF+A=
diff --git a/shell.nix b/shell.nix
index 6b579b455..c11b4bbcf 100644
--- a/shell.nix
+++ b/shell.nix
@@ -16,4 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-D0znIEcy9d822snZbdNCNLoN47cOP1F2SKmfwSFRvXw=
+# nix-direnv cache busting line: sha256-p8dVVZm2bLL4J/d4TtnUOp3bfMqUkBGE+53RUhamF+A=