Observed behavior
When using auth callout in operator mode, Tags from the authorization response UserClaims JWT is never copied to c.tags on the client connection. This means Client.Tags in system events ($SYS.ACCOUNT.*.DISCONNECT, etc.) is always nil for auth-callout clients, even though the auth service correctly sets tags in the response JWT.
The standard JWT auth path does propagate tags, but the auth callout path in server/auth_callout.go (processReply, around lines 296-312) never does the equivalent.
I believe the problem is in server/auth_callout.go, in the processReply closure.
    // See if the response wants to override the username.
    if arc.Name != _EMPTY_ {
        c.mu.Lock()
        c.opts.Username = arc.Name
        // Clear any others.
        c.opts.Nkey = _EMPTY_
        c.pubKey = _EMPTY_
        c.opts.Token = _EMPTY_
        c.mu.Unlock()
    }
arc.Tags is never applied to c.tags.
Expected behavior
Tags set in the auth callout response JWT (UserClaims.Tags) should be available in Client.Tags in system events, the same way they are for standard JWT-authenticated clients.
Server and client version
Server v2.12.4
Host environment
Windows
Steps to reproduce
- Configure NATS server in operator mode with auth callout
- In the auth callout service, set Tags on the response UserClaims:
      uc := jwt.NewUserClaims(req.UserNkey)
      uc.Tags.Add("my-tag:some-value")
- Subscribe to $SYS.ACCOUNT.<account_id>.DISCONNECT
- Connect a client through the auth callout flow, then disconnect it
- Observe that DisconnectEventMsg.Client.Tags is nil
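Added example (not part of the original report and not nats-server code): a monitoring-side check that flags disconnect advisories arriving without client tags, which is how this gap shows up to anyone using tags for audit attribution. The names CheckDisconnect and Finding are hypothetical, the JSON field names are assumed to match the server's advisory encoding, and the two payloads are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample advisories (not captured from a real server).
const sampleWithTags = `{"type":"io.nats.server.advisory.v1.client_disconnect","client":{"id":7,"user":"alice","tags":["my-tag:some-value"]}}`
const sampleNoTags = `{"type":"io.nats.server.advisory.v1.client_disconnect","client":{"id":8,"user":"bob"}}`

// disconnectEvent is the subset of the advisory this check reads.
// Assumption: field names follow the server's DisconnectEventMsg JSON.
type disconnectEvent struct {
	Client struct {
		ID   uint64   `json:"id"`
		User string   `json:"user"`
		Tags []string `json:"tags"`
	} `json:"client"`
}

// Finding identifies one disconnect advisory that carried no client tags.
type Finding struct {
	Account, User string
	CID           uint64
}

// CheckDisconnect takes the subject and payload of a message received on
// $SYS.ACCOUNT.<account_id>.DISCONNECT. The bool is true when Client.Tags
// is absent or empty; malformed subjects and payloads return an error.
func CheckDisconnect(subject string, payload []byte) (Finding, bool, error) {
	p := strings.Split(subject, ".")
	if len(p) != 4 || p[0] != "$SYS" || p[1] != "ACCOUNT" || p[3] != "DISCONNECT" {
		return Finding{}, false, fmt.Errorf("not a disconnect subject: %q", subject)
	}
	var ev disconnectEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return Finding{}, false, err
	}
	if len(ev.Client.Tags) > 0 {
		return Finding{}, false, nil
	}
	return Finding{Account: p[2], User: ev.Client.User, CID: ev.Client.ID}, true, nil
}

func main() {
	for _, payload := range []string{sampleWithTags, sampleNoTags} {
		f, missing, err := CheckDisconnect("$SYS.ACCOUNT.AEXAMPLEACCOUNT.DISCONNECT", []byte(payload))
		fmt.Println(f, missing, err)
	}
}
```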