iOS: allow unicast DNS-SD discovery domain

docs/bonjour.md

@@ -8,6 +8,75 @@ read_when:
 
 Clawdis uses Bonjour (mDNS / DNS-SD) as a **LAN-only convenience** to discover a running Gateway and (optionally) its bridge transport. It is best-effort and does **not** replace SSH or Tailnet-based connectivity.
 
+## Wide-Area Bonjour (Unicast DNS-SD) over Tailscale
+
+If you want Iris/iPad auto-discovery while the Gateway is on another network (e.g. Vienna ⇄ London), you can keep the `NWBrowser` UX but switch discovery from multicast mDNS (`local.`) to **unicast DNS-SD** (“Wide-Area Bonjour”) over Tailscale.
+
+High level:
+
+1) Run a DNS server on the gateway host (reachable via tailnet IP).
+2) Publish DNS-SD records for `_clawdis-bridge._tcp` in a dedicated zone (example: `clawdis.internal.`).
+3) Configure Tailscale **split DNS** so `clawdis.internal` resolves via that DNS server for clients (including iOS).
+4) In Iris: Settings → Bridge → Advanced → set **Discovery Domain** to `clawdis.internal.`
+
+### Example: CoreDNS on macOS (gateway host)
+
+On the gateway host (macOS):
+
+```bash
+brew install coredns
+
+sudo mkdir -p /opt/homebrew/etc/coredns
+sudo tee /opt/homebrew/etc/coredns/Corefile >/dev/null <<'EOF'
+clawdis.internal:53 {
+    log
+    errors
+    file /opt/homebrew/etc/coredns/clawdis.internal.db
+}
+EOF
+
+# Replace `<TAILNET_IPV4>` with the gateway machine’s tailnet IP.
+sudo tee /opt/homebrew/etc/coredns/clawdis.internal.db >/dev/null <<'EOF'
+$ORIGIN clawdis.internal.
+$TTL 60
+
+@ IN SOA ns.clawdis.internal. hostmaster.clawdis.internal. (
+  2025121701 ; serial
+  60         ; refresh
+  60         ; retry
+  604800     ; expire
+  60         ; minimum
+)
+
+@  IN NS ns
+ns IN A <TAILNET_IPV4>
+
+gw-london IN A <TAILNET_IPV4>
+
+_clawdis-bridge._tcp IN PTR ClawdisBridgeLondon._clawdis-bridge._tcp
+ClawdisBridgeLondon._clawdis-bridge._tcp IN SRV 0 0 18790 gw-london
+ClawdisBridgeLondon._clawdis-bridge._tcp IN TXT "displayName=Mac Studio (London)"
+EOF
+
+sudo brew services start coredns
+```
+
+Validate from any tailnet-connected machine:
+
+```bash
+dns-sd -B _clawdis-bridge._tcp clawdis.internal.
+dig @<TAILNET_IPV4> -p 53 _clawdis-bridge._tcp.clawdis.internal PTR +short
+```
+
+### Tailscale DNS settings
+
+In the Tailscale admin console:
+
+- Add a nameserver pointing at the gateway’s tailnet IP (UDP/TCP 53).
+- Add split DNS so the domain `clawdis.internal` uses that nameserver.
+
+Once clients accept tailnet DNS, Iris can browse `_clawdis-bridge._tcp` in `clawdis.internal.` without multicast.
+
 ## What advertises
 
 Only the **Node Gateway** (`clawd` / `clawdis gateway`) advertises Bonjour beacons.

docs/ios/connect.md

@@ -17,7 +17,10 @@ The Gateway WebSocket stays loopback-only (`ws://127.0.0.1:18789`). Iris talks t
 ## Prerequisites
 
 - You can run the Gateway on the “master” machine.
-- Iris (iOS app) is on the same LAN (Bonjour/mDNS must work).
+- Iris (iOS app) can reach the gateway bridge:
+  - Same LAN with Bonjour/mDNS, **or**
+  - Same Tailscale tailnet using Wide-Area Bonjour / unicast DNS-SD (see below), **or**
+  - Manual bridge host/port (fallback)
 - You can run the CLI (`clawdis`) on the gateway machine (or via SSH).
 
 ## 1) Start the Gateway (with bridge enabled)
@@ -49,6 +52,16 @@ dns-sd -L "<instance name>" _clawdis-bridge._tcp local.
 
 More debugging notes: `docs/bonjour.md`.
 
+### Tailnet (Vienna ⇄ London) discovery via unicast DNS-SD
+
+If Iris and the gateway are on different networks but connected via Tailscale, multicast mDNS won’t cross the boundary. Use Wide-Area Bonjour / unicast DNS-SD instead:
+
+1) Set up a DNS-SD zone (example `clawdis.internal.`) on the gateway host and publish `_clawdis-bridge._tcp` records.
+2) Configure Tailscale split DNS for `clawdis.internal` pointing at that DNS server.
+3) In Iris: Settings → Bridge → Advanced → set **Discovery Domain** to `clawdis.internal.`
+
+Details and example CoreDNS config: `docs/bonjour.md`.
+
 ## 3) Connect from Iris (iOS)
 
 In Iris: