policy/v2: convert ACL compat tests to data-driven format with Tailscale SaaS captures

Replace 9,937 lines of inline Go test expectations with 215 JSON golden files captured from Tailscale SaaS. The new data-driven test driver compares headscale's filter compilation output against real Tailscale behavior for each node in an 8-node topology.

Updates #2180

hscontrol/policy/v2/testdata/acl_results/ACL-SF04.json

@@ -0,0 +1,46 @@
+{
+  "test_id": "ACL-SF04",
+  "timestamp": "2026-03-17T14:45:23Z",
+  "error": true,
+  "input": {
+    "policy_file": "acl_policies/acl_sf04.json",
+    "full_policy": {
+      "groups": {
+        "group:admins": ["kratail2tid@passkey"],
+        "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"],
+        "group:monitors": ["monitorpasskeykradalby@passkey"],
+        "group:empty": []
+      },
+      "tagOwners": {
+        "tag:server": ["kratail2tid@passkey"],
+        "tag:prod": ["kratail2tid@passkey"],
+        "tag:client": ["kratail2tid@passkey"],
+        "tag:router": ["kratail2tid@passkey"],
+        "tag:exit": ["kratail2tid@passkey"]
+      },
+      "hosts": {
+        "webserver": "100.108.74.26",
+        "prodbox": "100.103.8.15",
+        "internal": "10.0.0.0/8",
+        "subnet24": "192.168.1.0/24"
+      },
+      "autoApprovers": {
+        "routes": {
+          "10.33.0.0/16": ["tag:router"],
+          "0.0.0.0/0": ["tag:exit"],
+          "::/0": ["tag:exit"]
+        }
+      },
+      "acls": [
+        {
+          "action": "accept",
+          "src": ["webserver"],
+          "dst": ["autogroup:self:*"]
+        }
+      ]
+    },
+    "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl",
+    "api_response_code": 400,
+    "api_response_body": { "message": "autogroup:self can only be used with users, groups, or supported autogroups" }
+  }
+}