# Desktop Platform Strategy

## Windows x64

Current MVP integration path:

- NexaVPN enrolls the device and stores the generated profile locally.
- NexaVPN is intended to ship its own bundled Windows x64 tunnel helper.
- The end user should interact only with NexaVPN.
- The bundled helper encapsulates the WireGuard runtime internally.

Repository status:

- the NexaVPN tunnel helper CLI is now included in `desktop-client/tunnel-helper/`
- the Windows x64 build can be bundled into `src-tauri/bundled/windows-x64/`
- Ubuntu server builds can cross-compile the Windows x64 helper and Tauri app with `cargo-xwin`
- the Linux-based Windows packaging path targets NSIS `Setup.exe`; MSI packaging still requires a Windows environment

## macOS ARM

Current MVP integration path:

- NexaVPN enrolls the device and stores the generated profile locally.
- NexaVPN is intended to ship its own bundled macOS ARM tunnel helper.
- The end user should interact only with NexaVPN.
- The bundled helper encapsulates the WireGuard runtime internally.

Repository status:

- the NexaVPN tunnel helper CLI is now included in `desktop-client/tunnel-helper/`
- the macOS ARM build can be bundled into `src-tauri/bundled/macos-arm64/`

## Security And Limitations

- Client private keys are generated and stored locally.
- Admin debug profile downloads intentionally contain a private-key placeholder.
- Desktop secure-secret storage is not yet production-grade keychain integration.
- The repository now includes the helper source and bundling paths, but final signing still needs to be performed in the right target environments.