feat(packaging): pre-spawn cleanup wrapper for clean restarts

Symptom: each app restart that didn't go through Stop daemon left
an orphan mycelium running as root, claiming the TUN \"mycelium\",
UDP/9650 (multicast discovery) and TCP/8990 (JSON-RPC, hardcoded
in 0.6.1 — no flag). Subsequent starts panicked with EBUSY or
\"Address in use\" on whichever port the orphan held.

We can't SIGKILL the orphan from user-space (root process). Move
the cleanup into an elevated context that runs in the same pkexec
authentication as the daemon spawn:

  /usr/bin/mycellium-bootstrap   (new shell script in the .deb)
    pkill -9 -x mycelium
    ip link del mycelium / mycel0
    exec /usr/bin/mycelium \"\$@\"

The polkit policy now annotates this exact path with
auth_admin_keep so a single password prompt covers every
subsequent restart in the user's session.

Sidecar: when /usr/bin/mycellium-bootstrap exists (production
install) we hand pkexec that path instead of the bare daemon.
\`pnpm tauri dev\` falls back to the unwrapped binary path.

src-tauri/packaging/mycellium-bootstrap

@@ -0,0 +1,27 @@
+#!/bin/sh
+# /usr/bin/mycellium-bootstrap — installed by mycellium-ui.deb
+#
+# Wrapper around the mycelium daemon that guarantees a clean start
+# every time. Without this, an orphan mycelium left over from a
+# previous run (which the user-space launcher cannot SIGKILL because
+# the daemon runs as root via pkexec) would block the next start
+# with one of:
+#
+#   * EBUSY on TUN device "mycelium" creation
+#   * "Address in use" on the JSON-RPC port (hardcoded 8990 in 0.6.1)
+#   * "Failed to bind multicast discovery socket" on UDP 9650
+#
+# This script runs under the same elevated context as the mycelium
+# daemon itself (single pkexec call), so polkit's auth_admin_keep
+# caching only fires one prompt per session.
+
+set -e
+
+# Best-effort cleanup. Errors ignored so the exec at the end always
+# runs even on a clean machine.
+pkill -9 -x mycelium 2>/dev/null || true
+sleep 0.3
+ip link del mycelium 2>/dev/null || true
+ip link del mycel0 2>/dev/null || true
+
+exec /usr/bin/mycelium "$@"

src-tauri/packaging/polkit/tech.threefold.mycellium-ui.policy

@@ -6,7 +6,14 @@
   <vendor>Threefold</vendor>
   <vendor_url>https://threefold.io</vendor_url>
 
-  <action id="tech.threefold.mycellium-ui.spawn">
+  <!--
+    Bootstrap action: covers the wrapper that cleans up orphan
+    mycelium state and then execs the daemon. pkexec matches the
+    binary path against `org.freedesktop.policykit.exec.path` to
+    pick this action up; auth_admin_keep then caches the auth for
+    the user's session so subsequent restarts don't re-prompt.
+  -->
+  <action id="tech.threefold.mycellium-ui.bootstrap">
     <description>Run the Mycelium overlay daemon</description>
     <description xml:lang="fr">Lancer le démon de l'overlay Mycelium</description>
     <message>Authentication is required to start the Mycelium overlay daemon.</message>
@@ -14,11 +21,8 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
-      <!-- Cache the authentication for the user's session so the polkit
-           dialog only appears once per login (5-minute window). To allow
-           passwordless start for trusted desktops, change to "yes" — be
-           aware this lets any process on the machine spawn the daemon. -->
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mycellium-bootstrap</annotate>
   </action>
 </policyconfig>