tka: refer consistently to "DisablementValues"

This avoids putting "DisablementSecrets" in the JSON output from
`tailscale lock log`, which is potentially scary to somebody who doesn't
understand the distinction.

AUMs are stored and transmitted in CBOR-encoded format, which uses an
integer rather than a string key, so this doesn't break already-created
TKAs.

Fixes #19189

Change-Id: I15b4e81a7cef724a450bafcfa0b938da223c78c9
Signed-off-by: Alex Chan <alexc@tailscale.com>

tka/sig_test.go

@@ -175,8 +175,8 @@ func TestSigNested_DeepNesting(t *testing.T) {
 	// Test this works with our public API
 	a, _ := Open(newTestchain(t, "G1\nG1.template = genesis",
 		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
-			Keys:               []Key{k},
-			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
+			Keys:              []Key{k},
+			DisablementValues: [][]byte{DisablementKDF([]byte{1, 2, 3})},
 		}})).Chonk())
 	if err := a.NodeKeyAuthorized(lastNodeKey.Public(), outer.Serialize()); err != nil {
 		t.Errorf("NodeKeyAuthorized(lastNodeKey) failed: %v", err)
@@ -240,8 +240,8 @@ func TestSigCredential(t *testing.T) {
 	// Test someone can't misuse our public API for verifying node-keys
 	a, _ := Open(newTestchain(t, "G1\nG1.template = genesis",
 		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
-			Keys:               []Key{k},
-			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
+			Keys:              []Key{k},
+			DisablementValues: [][]byte{DisablementKDF([]byte{1, 2, 3})},
 		}})).Chonk())
 	if err := a.NodeKeyAuthorized(node.Public(), nestedSig.Serialize()); err == nil {
 		t.Error("NodeKeyAuthorized(SigCredential, node) did not fail")