fix: avoid mac wireguard dns rewrites

skills/nordvpn-client/scripts/nordvpn-client.test.js

@@ -9,6 +9,8 @@ function loadInternals() {
   const source = fs.readFileSync(scriptPath, "utf8").replace(/\nmain\(\);\s*$/, "\n");
   const wrapped = `${source}
 module.exports = {
+  buildWireguardConfig:
+    typeof buildWireguardConfig === "function" ? buildWireguardConfig : undefined,
   buildLookupResult:
     typeof buildLookupResult === "function" ? buildLookupResult : undefined,
   detectMacWireguardActiveFromIfconfig:
@@ -60,6 +62,23 @@ test("buildLookupResult supports lookup all=true mode", () => {
   assert.equal(JSON.stringify(buildLookupResult("104.26.9.44", { all: false })), JSON.stringify(["104.26.9.44", 4]));
 });
 
+test("buildWireguardConfig omits DNS so macOS wg-quick does not rewrite system resolvers", () => {
+  const { buildWireguardConfig } = loadInternals();
+  assert.equal(typeof buildWireguardConfig, "function");
+
+  const config = buildWireguardConfig(
+    {
+      hostname: "tr73.nordvpn.com",
+      ips: [{ ip: { version: 4, ip: "45.89.52.1" } }],
+      technologies: [{ identifier: "wireguard_udp", metadata: [{ name: "public_key", value: "PUBKEY" }] }],
+    },
+    "PRIVATEKEY"
+  );
+
+  assert.equal(config.includes("DNS ="), false);
+  assert.equal(config.includes("AllowedIPs = 0.0.0.0/0"), true);
+});
+
 test("verifyConnectionWithRetry retries transient reachability failures", async () => {
   const { verifyConnectionWithRetry } = loadInternals();
   assert.equal(typeof verifyConnectionWithRetry, "function");