RG40XXV Tailscale No-Gate Access

The RG40XXV must remain reachable from any WiFi through Tailscale, but deploy/debug access must not depend on browser-gated Tailscale SSH.

Desired State

• Tailscale is running on the RG.
• The RG keeps its tailnet IP: 100.119.202.114.
• The Pi keeps its tailnet IP: 100.120.38.37.
• Preferred Tailscale SSH policy uses action: "accept" for the deploy source and RG destination, not action: "check".
• If Tailscale SSH policy cannot be made non-interactive, disable Tailscale SSH on the RG: RunSSH: false.
• Deploy/debug commands use ordinary OpenSSH to the Tailscale IP:

ssh root@100.119.202.114

This keeps all traffic on the tailnet and prevents browser approval prompts during agent deploy/debug sessions.