ACL tests prevent accidental subnet or exit node access grants

Without explicit tests in the tailnet policy file, ACL changes may accidentally grant access to subnet routes or exit nodes that should remain restricted. ACLs don't limit route discovery, so access control must be enforced through explicit denial tests.

Add tests in the `tests` section that explicitly deny access to restricted subnets and public IPs. Use `deny` assertions to fail the policy if unauthorized users gain access. For subnets, test that restricted users cannot reach subnet CIDR ranges. For exit nodes, test that users without `autogroup:internet` access cannot reach public IP addresses.