After macOS sleep/wake, stale Coder Connect paths currently recover only when magicsock's periodic re-STUN runs, which can leave new SSH dials timing out for several minutes. This adds a narrow CoderVPN wake RPC so Coder Desktop can trigger the existing link-change recovery path, Rebind plus ReSTUN, immediately on wake instead of waiting for that periodic fallback.

This only exposes the tunnel-side hook and does not add polling or health checks. Coder Desktop still needs to send WakeRequest from its OS wake notification handler.

Recovery timing

magicsock's background re-STUN is not a reliable fallback across sleep:

• While a session is active, periodic re-STUN reschedules itself every 20-26s (magicsock.updateEndpoints), so the stale path lingers up to ~26s.
• After 45s with no traffic (sessionActiveTimeout), shouldDoPeriodicReSTUNLocked returns false and the periodic timer stops entirely. Sleep is idle by definition, so on wake there is no scheduled re-STUN at all.
• Recovery then waits for the next event-driven trigger (a netmon link-change). A short, same-network wake often produces no such event, so the path stays homed to a dead endpoint until something else forces re-discovery, observed as several minutes of failed dials in the support bundle on Coder Connect tunnel not re-STUN'd on system wake; dead for minutes after macOS sleep #26736.

The wake RPC collapses this to a single RPC round-trip: Rebind + ReSTUN("wake") fire immediately on the OS wake event, re-homing the path right away instead of depending on a timer that isn't running.

Follow-up

Coder Desktop must emit the hook on wake: coder/coder-desktop-macos#260.

Refs #26736

Generated by Coder Agents.