# NordVPN Tailscale Coordination Design

## Goal
Stabilize macOS NordVPN connects by explicitly stopping Tailscale before bringing up the NordVPN WireGuard tunnel, then restarting Tailscale after NordVPN disconnects.

## Behavior
- macOS only
- on `connect`:
  - detect whether Tailscale is active
  - if active, stop it and record that state
  - bring up NordVPN
- on `disconnect`:
  - tear down NordVPN
  - if the skill stopped Tailscale earlier, start it again
  - clear the saved state
- on connect failure after stopping Tailscale:
  - attempt to start Tailscale again before returning the error

## State
- persist `tailscaleWasActive` under `~/.nordvpn-client`
- only restart Tailscale if the skill actually stopped it

## Rollback target if successful
- remove the temporary macOS physical-service DNS management patch
- restore the simpler NordVPN config path that uses NordVPN DNS directly in the WireGuard config
- keep Tailscale suspend/resume as the macOS coexistence solution