fix: suppress spurious VPN disconnect/reconnect notifications

NWPathMonitor and ifconfig can momentarily miss the VPN interface
during network transitions, causing a false disconnect→reconnect
cycle with duplicate notifications. Now rechecks after 1.5s before
committing to a disconnect state.

Author: GeiserX

CLAUDE.md

@@ -92,6 +92,7 @@ After CI completes: `brew update && brew upgrade --cask vpn-bypass` to install l
 - **CI handles releases end-to-end** — pushing a `v*` tag triggers `.github/workflows/release.yml` which builds the DMG, creates the GitHub release, AND updates the Homebrew cask. Do NOT manually create releases or update the cask — CI will overwrite them. Just commit, tag, push.
 - **Test the stale-helper upgrade path after release** — especially with VPN already connected and an older helper still installed. Expected flow: helper preflight on startup, admin prompt if needed, helper update, route apply, and DNS refresh timer start automatically.
 - **Some VPNs route via interface link, not IP gateway** — Cisco Secure Client sets the default route to `link#N` (an interface reference) instead of an IP address. `route -n get default` shows `interface: utunX` with no `gateway:` line. VPN Only mode handles this via `iface:<interface>` convention: the helper uses `route add -host <dest> -interface utunX` instead of an IP gateway. See #26.
+- **VPN interface flaps cause spurious notifications.** `NWPathMonitor` and `ifconfig` can momentarily miss the VPN interface during network transitions. `checkVPNStatus()` must recheck after a short delay (1.5s) before committing to a disconnect state, otherwise the app fires false disconnect→reconnect notifications.
 - **Wildcard domains (`*.example.com`) are impossible at the macOS routing level.** macOS routing tables are IP-based — you can only route specific IPs or CIDR ranges, not domain patterns. `/etc/hosts` also does not support wildcards. Any wildcard implementation can only resolve the base domain's IPs, not actual subdomains with different IPs. Don't reintroduce this feature.
 - **Helper launchd plist MUST have `RunAtLoad: true`** — without it, the daemon relies on on-demand XPC activation, which macOS blocks when the Login Items toggle is disabled. Homebrew cask upgrades re-sign the app, causing macOS to reset the toggle, which re-breaks the helper on every boot. `RunAtLoad: true` makes the daemon start unconditionally — no Login Items dependency. NEVER set `RunAtLoad` back to `false`. See #25.
 

Casks/vpn-bypass.rb

@@ -3,7 +3,7 @@
 # Or if using local tap: brew install --cask --no-quarantine ./Casks/vpn-bypass.rb
 
 cask "vpn-bypass" do
-  version "2.6.1"
+  version "2.6.2"
   sha256 "8da2ba2e2073f8dbcd9d413658e995d244b52adc94559aecc31690448a9acf42"
 
   url "https://github.com/GeiserX/VPN-Bypass/releases/download/v#{version}/VPN-Bypass-#{version}.dmg"

Info.plist

@@ -23,7 +23,7 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2.6.1</string><!-- VERSION -->
+	<string>2.6.2</string><!-- VERSION -->
 	<key>CFBundleVersion</key>
 	<string>22</string>
 	<key>LSMinimumSystemVersion</key>

Sources/RouteManager.swift

@@ -706,13 +706,28 @@ final class RouteManager: ObservableObject {
         let wasVPNConnected = isVPNConnected
         let oldInterface = vpnInterface
         let oldTailscaleFingerprint = lastTailscaleSelfFingerprint
-        
+
         // Detect current network first
         await detectCurrentNetwork()
-        
+
         // Use scutil to detect VPN interfaces with IPv4 addresses
-        let (connected, interface, detectedType) = await detectVPNInterface()
-        
+        var (connected, interface, detectedType) = await detectVPNInterface()
+
+        // Guard against transient VPN interface flaps: if VPN was connected but
+        // now appears disconnected, recheck after a short delay before committing.
+        // NWPathMonitor and ifconfig can momentarily miss the interface during
+        // network transitions, causing spurious disconnect→reconnect notifications.
+        if wasVPNConnected && !connected {
+            try? await Task.sleep(nanoseconds: 1_500_000_000)
+            let (recheckConnected, recheckInterface, recheckType) = await detectVPNInterface()
+            if recheckConnected {
+                log(.info, "VPN flap suppressed — interface reappeared after recheck")
+                connected = recheckConnected
+                interface = recheckInterface
+                detectedType = recheckType
+            }
+        }
+
         isVPNConnected = connected
         vpnInterface = connected ? interface : nil
         vpnType = connected ? detectedType : nil

docs/CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to VPN Bypass will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.6.2] - 2026-05-03
+
+### Fixed
+- **Spurious VPN notifications** — Suppress transient VPN interface flaps that caused repeated "VPN Connected" notifications while VPN was still active. Now rechecks after 1.5s before committing to a disconnect state.
+
 ## [2.6.1] - 2026-05-03
 
 ### Removed