docs: update README with desktop requirements, helper builds, and realistic MVP usage notes

Expand README with desktop platform requirements (Windows x86, macOS ARM), helper build commands, gateway utility scripts, and updated local test flow. Add realistic MVP usage section clarifying current platform build status, gateway configuration needs, and admin debug profile behavior with client private key handling.

docs/client-platforms.md

@@ -0,0 +1,36 @@
+# Desktop Platform Strategy
+
+## Windows x86
+
+Current MVP integration path:
+
+- NexaVPN enrolls the device and stores the generated profile locally.
+- NexaVPN is intended to ship its own bundled Windows x86 tunnel helper.
+- The end user should interact only with NexaVPN.
+- The bundled helper encapsulates the WireGuard runtime internally.
+
+Repository status:
+
+- the NexaVPN tunnel helper CLI is now included in `desktop-client/tunnel-helper/`
+- the Windows x86 build can be bundled into `src-tauri/bundled/windows-x86/`
+
+## macOS ARM
+
+Current MVP integration path:
+
+- NexaVPN enrolls the device and stores the generated profile locally.
+- NexaVPN is intended to ship its own bundled macOS ARM tunnel helper.
+- The end user should interact only with NexaVPN.
+- The bundled helper encapsulates the WireGuard runtime internally.
+
+Repository status:
+
+- the NexaVPN tunnel helper CLI is now included in `desktop-client/tunnel-helper/`
+- the macOS ARM build can be bundled into `src-tauri/bundled/macos-arm64/`
+
+## Security And Limitations
+
+- Client private keys are generated and stored locally.
+- Admin debug profile downloads intentionally contain a private-key placeholder.
+- Desktop secure-secret storage is not yet production-grade keychain integration.
+- The repository now includes the helper source and bundling paths, but platform builds and signing still need to be performed in the right target environments.