Fix macOS client UX and IPAM gateway reservation

- Fix tunnel helper not launching: AppleScript do shell script blocks on
  child fds; use disown + stdin close to fully detach helper process
- Fix tunnel status resetting on tab switch: kill(pid,0) returns EPERM
  for root-owned helper, now correctly treated as alive
- Fix passkey delete not updating UI: make PasskeyManager ObservableObject
  with @published hasStoredCredential flag
- Fix error messages persisting after passkey removal: clear both local
  statusMessage and appState.errorMessage on delete
- Fix app window not gaining focus: activate process and makeKeyAndOrderFront
  on launch for bare binary / .app bundle
- Reserve 10.64.0.1 for server gateway: IPAM tunnel cursor starts at
  offset 2, genesis server always gets .1, clients get .2+

Author: Geramy

apps/LemonadeNexusMac/Sources/LemonadeNexusMac/LemonadeNexusApp.swift

@@ -89,6 +89,13 @@ struct LemonadeNexusApp: App {
     private func configureAppearance() {
         // Set the accent color globally
         NSApplication.shared.appearance = NSAppearance(named: .aqua)
+
+        // When launched as a bare binary (not .app bundle), macOS may not
+        // activate the process or make the window key.  Force both.
+        NSApplication.shared.activate(ignoringOtherApps: true)
+        DispatchQueue.main.asyncAfter(deadline: .now() + 0.3) {
+            NSApplication.shared.windows.first?.makeKeyAndOrderFront(nil)
+        }
     }
 
     private func attemptAutoConnect() {

apps/LemonadeNexusMac/Sources/LemonadeNexusMac/Services/PasskeyManager.swift

@@ -35,13 +35,17 @@ struct PasskeyCredentialInfo: Codable {
     var signCount: UInt32 = 0
 }
 
-final class PasskeyManager {
+final class PasskeyManager: ObservableObject {
     static let shared = PasskeyManager()
 
+    @Published var hasStoredCredential: Bool = false
+
     private let service = "io.lemonade-nexus.passkey"
     private let credentialAccount = "passkey-credential"
 
-    private init() {}
+    private init() {
+        hasStoredCredential = loadCredentialInfo() != nil
+    }
 
     // MARK: - Registration
 
@@ -204,6 +208,7 @@ final class PasskeyManager {
             kSecAttrAccount as String: credentialAccount,
         ]
         SecItemDelete(infoQuery as CFDictionary)
+        hasStoredCredential = false
     }
 
     // MARK: - Keychain Helpers
@@ -250,6 +255,7 @@ final class PasskeyManager {
     private func saveCredentialInfo(_ info: PasskeyCredentialInfo) throws {
         let data = try JSONEncoder().encode(info)
         try saveToKeychain(data: data, tag: credentialAccount)
+        hasStoredCredential = true
     }
 
     private func loadCredentialInfo() -> PasskeyCredentialInfo? {

apps/LemonadeNexusMac/Sources/LemonadeNexusMac/Services/TunnelManager.swift

@@ -51,20 +51,24 @@ final class TunnelManager: ObservableObject {
         // Kill any existing tunnel helper first
         killExistingHelper()
 
-        // Run the helper with admin privileges via AppleScript.
-        // The helper creates the utun device, configures IP/routes, and runs
-        // BoringTun packet forwarding. It stays alive until signalled.
-        let escaped = helperPath
-            .replacingOccurrences(of: "\\", with: "\\\\")
-            .replacingOccurrences(of: "\"", with: "\\\"")
-        let escapedConfig = configPath
-            .replacingOccurrences(of: "\\", with: "\\\\")
-            .replacingOccurrences(of: "\"", with: "\\\"")
-
-        // Launch the helper in the background (& disown) so AppleScript returns
-        // immediately while the tunnel keeps running.
-        let cmd = "\(escaped) \(escapedConfig) &"
-        let script = "do shell script \"\(cmd)\" with administrator privileges"
+        // AppleScript's `do shell script` waits for ALL child file descriptors
+        // to close, not just the main process. We must fully detach the helper:
+        //   - close stdin (<&-)
+        //   - redirect stdout/stderr away from the pipe
+        //   - disown to remove from job table
+        let logPath = "/tmp/lnsdk_tunnel.log"
+        let launcherPath = "/tmp/lnsdk_launcher.sh"
+        let launcherContent = """
+            #!/bin/bash
+            "\(helperPath)" "\(configPath)" </dev/null >>/dev/null 2>"\(logPath)" &
+            disown $!
+            exit 0
+            """
+        try launcherContent.write(toFile: launcherPath, atomically: true, encoding: .utf8)
+        try FileManager.default.setAttributes(
+            [.posixPermissions: 0o755], ofItemAtPath: launcherPath)
+
+        let script = "do shell script \"/bin/bash \(launcherPath)\" with administrator privileges"
 
         var errorDict: NSDictionary?
         guard let appleScript = NSAppleScript(source: script) else {
@@ -107,14 +111,22 @@ final class TunnelManager: ObservableObject {
     }
 
     /// Check if the tunnel helper is still running.
+    /// The helper runs as root, so kill(pid, 0) returns EPERM (errno 1) when
+    /// the process exists but we lack permission — that still means it's alive.
     func refreshStatus() {
         guard let pidStr = try? String(contentsOfFile: pidPath, encoding: .utf8).trimmingCharacters(in: .whitespacesAndNewlines),
               let pid = Int32(pidStr) else {
-            isTunnelActive = false
+            // No PID file — only mark inactive if we didn't just start the tunnel
+            if !isTransitioning {
+                isTunnelActive = false
+            }
             return
         }
-        // kill(pid, 0) checks if the process exists without actually sending a signal
-        isTunnelActive = (kill(pid, 0) == 0)
+        let result = kill(pid, 0)
+        // result == 0: we own the process (alive)
+        // result == -1, errno == EPERM: process exists but owned by root (alive)
+        // result == -1, errno == ESRCH: no such process (dead)
+        isTunnelActive = (result == 0 || (result == -1 && errno == EPERM))
     }
 
     // MARK: - Private
@@ -123,18 +135,22 @@ final class TunnelManager: ObservableObject {
         guard let pidStr = try? String(contentsOfFile: pidPath, encoding: .utf8).trimmingCharacters(in: .whitespacesAndNewlines),
               let pid = Int32(pidStr) else { return }
 
-        // Send SIGTERM to gracefully shut down the helper (it tears down the tunnel)
-        kill(pid, SIGTERM)
-
-        // Wait briefly for it to exit
-        for _ in 0..<10 {
-            if kill(pid, 0) != 0 { break }
-            Thread.sleep(forTimeInterval: 0.2)
-        }
-
-        // Force kill if still alive
-        if kill(pid, 0) == 0 {
-            kill(pid, SIGKILL)
+        // Try direct kill first (works if we own the process)
+        if kill(pid, SIGTERM) == 0 {
+            for _ in 0..<10 {
+                if kill(pid, 0) != 0 { break }
+                Thread.sleep(forTimeInterval: 0.2)
+            }
+            if kill(pid, 0) == 0 {
+                kill(pid, SIGKILL)
+            }
+        } else if errno == EPERM {
+            // Helper runs as root — need privilege escalation to kill it
+            let script = "do shell script \"kill \(pid) 2>/dev/null; sleep 1; kill -9 \(pid) 2>/dev/null; rm -f \(pidPath)\" with administrator privileges"
+            if let as_ = NSAppleScript(source: script) {
+                var err: NSDictionary?
+                as_.executeAndReturnError(&err)
+            }
         }
 
         try? FileManager.default.removeItem(atPath: pidPath)

apps/LemonadeNexusMac/Sources/LemonadeNexusMac/Views/LoginView.swift

@@ -3,6 +3,7 @@ import AuthenticationServices
 
 struct LoginView: View {
     @EnvironmentObject private var appState: AppState
+    @ObservedObject private var passkeyManager = PasskeyManager.shared
     @State private var serverURL: String = ""
     @State private var username: String = ""
     @State private var password: String = ""
@@ -350,9 +351,9 @@ struct LoginView: View {
                 .foregroundColor(.lemonYellow)
                 .padding(.top, 8)
 
-            if PasskeyManager.shared.hasCredential {
+            if passkeyManager.hasStoredCredential {
                 // Existing passkey — show sign-in
-                if let storedUser = PasskeyManager.shared.storedUserId {
+                if let storedUser = passkeyManager.storedUserId {
                     Text("Sign in as **\(storedUser)** using Touch ID.")
                         .font(.subheadline)
                         .foregroundColor(.textSecondary)
@@ -368,7 +369,12 @@ struct LoginView: View {
                 .buttonStyle(LemonButtonStyle())
                 .disabled(appState.isLoading)
 
-                Button(action: { PasskeyManager.shared.deleteCredential() }) {
+                Button(action: {
+                    passkeyManager.deleteCredential()
+                    statusMessage = nil
+                    isError = false
+                    appState.errorMessage = nil
+                }) {
                     Text("Remove stored passkey")
                         .font(.caption2)
                 }

projects/LemonadeNexus/include/LemonadeNexus/IPAM/IPAMService.hpp

@@ -75,7 +75,8 @@ class IPAMService : public core::IService<IPAMService>,
     std::unordered_map<std::string, AllocationSet> allocations_;
 
     /// Cursor trackers for sequential allocation within each block.
-    uint32_t next_tunnel_ip_{0};   // next offset within 10.64.0.0/10
+    /// Tunnel starts at offset 2: .0 = network, .1 = server gateway.
+    uint32_t next_tunnel_ip_{2};   // next offset within 10.64.0.0/10
     uint32_t next_private_ip_{0};  // next offset within 10.128.0.0/9
     uint32_t next_shared_ip_{0};   // next offset within 172.20.0.0/14
 };

projects/LemonadeNexus/src/Core/ServerIdentity.cpp

@@ -151,12 +151,12 @@ std::string resolve_tunnel_ip(
             tunnel_bind_ip = alloc.base_network;
         }
     } else {
-        // Genesis server (no peers): self-allocate the first tunnel IP
-        auto alloc = ipam.allocate_tunnel_ip(server_node_id);
-        if (!alloc.base_network.empty()) {
-            tunnel_bind_ip = alloc.base_network;
-            spdlog::info("Genesis server -- allocated tunnel IP: {}", tunnel_bind_ip);
-        }
+        // Genesis/root server: always use .1 as the gateway address.
+        // Record an allocation so IPAM tracks this node, but override to .1.
+        auto server_alloc = ipam.allocate_tunnel_ip(server_node_id);
+        (void)server_alloc;
+        tunnel_bind_ip = "10.64.0.1";
+        spdlog::info("Genesis server -- gateway tunnel IP: {}", tunnel_bind_ip);
     }
 
     // Strip CIDR suffix (e.g. "10.64.0.1/32" -> "10.64.0.1")

projects/LemonadeNexus/src/IPAM/IPAMService.cpp

@@ -337,7 +337,8 @@ void IPAMService::load_allocations() {
         if (aset.tunnel) {
             auto [ip, prefix] = parse_cidr(aset.tunnel->base_network);
             uint32_t offset = ip - kTunnelBase + 1;
-            if (offset > next_tunnel_ip_) next_tunnel_ip_ = offset;
+            // Never go below 2 — .0 is network, .1 is server gateway
+            if (offset > next_tunnel_ip_) next_tunnel_ip_ = std::max(offset, uint32_t{2});
         }
         if (aset.private_subnet) {
             auto [ip, prefix] = parse_cidr(aset.private_subnet->base_network);