feat(tsconnect): expose service advertisement to JS

Add SetExplicitServices on LocalBackend so the browser WASM node can
declare TCP/UDP services that get uploaded to the control server and
distributed to all peers in the netmap — without the OS port-scanner
(portlist extension) that cannot run in a browser.

The ShouldUploadServices gate in hostInfoWithServicesLocked is bypassed
when services were set explicitly, leaving all other callers unaffected.

On the JS side, a new setServices(services) method accepts an array of
{proto, port, description?} objects.  The netmap JSON now includes a
services field on every node (self and peers), populated from
Hostinfo.Services with internal peerapi entries stripped (they are
already reflected in peerAPIURL).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cmd/tsconnect/wasm/wasm_js.go

@@ -361,6 +361,13 @@ func newIPN(jsConfig js.Value) map[string]any {
 		"suggestExitNode": js.FuncOf(func(this js.Value, args []js.Value) any {
 			return jsIPN.suggestExitNode()
 		}),
+		"setServices": js.FuncOf(func(this js.Value, args []js.Value) any {
+			if len(args) != 1 {
+				log.Printf("Usage: setServices(services)")
+				return nil
+			}
+			return jsIPN.setServices(args[0])
+		}),
 		"localAPI": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) < 2 {
 				log.Printf("Usage: localAPI(method, path[, body])")
@@ -467,6 +474,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 						NodeKey:    nm.NodeKey.String(),
 						MachineKey: nm.MachineKey.String(),
 						PeerAPIURL: selfPeerAPIURL,
+						Services:   userServicesFromView(nm.SelfNode.Hostinfo().Services()),
 					},
 					MachineStatus: jsMachineStatus[nm.GetMachineStatus()],
 				},
@@ -516,6 +524,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 							MachineKey: p.Machine().String(),
 							NodeKey:    p.Key().String(),
 							PeerAPIURL: peerURL,
+							Services:   userServicesFromView(p.Hostinfo().Services()),
 						},
 						Online:              p.Online().Clone(),
 						TailscaleSSHEnabled: p.Hostinfo().TailscaleSSHEnabled(),
@@ -1328,6 +1337,39 @@ func (i *jsIPN) suggestExitNode() js.Value {
 	})
 }
 
+func (i *jsIPN) setServices(jsServices js.Value) js.Value {
+	return makePromise(func() (any, error) {
+		n := jsServices.Length()
+		svcs := make([]tailcfg.Service, 0, n)
+		for idx := range n {
+			s := jsServices.Index(idx)
+			proto := tailcfg.ServiceProto(s.Get("proto").String())
+			port := uint16(s.Get("port").Int())
+			var desc string
+			if d := s.Get("description"); d.Type() == js.TypeString {
+				desc = d.String()
+			}
+			svcs = append(svcs, tailcfg.Service{Proto: proto, Port: port, Description: desc})
+		}
+		i.lb.SetExplicitServices(svcs)
+		return nil, nil
+	})
+}
+
+// userServicesFromView converts a hostinfo services slice to jsService entries,
+// filtering out internal peerapi protocol entries (already reflected in peerAPIURL).
+func userServicesFromView(svcs views.Slice[tailcfg.Service]) []jsService {
+	var out []jsService
+	for _, s := range svcs.All() {
+		switch s.Proto {
+		case tailcfg.PeerAPI4, tailcfg.PeerAPI6, tailcfg.PeerAPIDNS:
+			continue
+		}
+		out = append(out, jsService{Proto: string(s.Proto), Port: s.Port, Description: s.Description})
+	}
+	return out
+}
+
 func (i *jsIPN) localAPI(method, path, body string) js.Value {
 	return makePromise(func() (any, error) {
 		h := localapi.NewHandler(localapi.HandlerConfig{
@@ -1564,12 +1606,19 @@ type jsNetMap struct {
 	LockedOut bool               `json:"lockedOut"`
 }
 
+type jsService struct {
+	Proto       string `json:"proto"`
+	Port        uint16 `json:"port"`
+	Description string `json:"description,omitempty"`
+}
+
 type jsNetMapNode struct {
-	Name        string   `json:"name"`
-	Addresses   []string `json:"addresses"`
-	MachineKey  string   `json:"machineKey"`
-	NodeKey     string   `json:"nodeKey"`
-	PeerAPIURL  string   `json:"peerAPIURL,omitempty"`
+	Name       string      `json:"name"`
+	Addresses  []string    `json:"addresses"`
+	MachineKey string      `json:"machineKey"`
+	NodeKey    string      `json:"nodeKey"`
+	PeerAPIURL string      `json:"peerAPIURL,omitempty"`
+	Services   []jsService `json:"services,omitempty"`
 }
 
 type jsNetMapSelfNode struct {