feat(launch): punktfunk/1 launch integration — client picks a title, host runs it

Plan step 4 (plumbing + host behavior). A client can ask the host to launch a
library title on connect; the host resolves it against ITS OWN library and runs it
in the session — the client sends only the store-qualified id, never a command, so a
remote peer can't inject one.

- Protocol (quic.rs): `Hello.launch: Option<String>` (the GameEntry id). Appended
  after `name`; when launch is present but name absent, a zero-length name placeholder
  keeps the offset deterministic — so a Hello with neither field stays byte-identical
  to the bitrate-era 26-byte form (test-asserted). Old peers ignore it; new hosts
  decode None from old clients. Round-trip + back-compat + truncation tests.
- Host: `library::launch_command(id)` resolves id → command via the host's own library —
  `steam_appid` → `steam steam://rungameid/<appid>` (appid validated as digits, the only
  client-influenced part), `command` → the host-stored command verbatim (trusted, never
  from the client). m3.rs sets PUNKTFUNK_GAMESCOPE_APP from it before bringup, exactly
  as the GameStream /launch path does (one session at a time). Unit-tested incl. an
  injection-attempt guard. Takes effect on the bare-spawn gamescope path; a no-op on a
  shared desktop / attach-to-existing session.
- C ABI: `punktfunk_connect_ex4` adds `launch_id` (NULL = none); `_ex3` now delegates to
  it. Threaded through NativeClient::connect → WorkerArgs → Hello.
- client-rs gains `--launch ID` (headless testing); client-linux passes None (no picker
  yet). Header regenerated.

Next: the Apple library grid passes the picked id via punktfunk_connect_ex4.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-core/src/abi.rs

@@ -796,6 +796,53 @@ pub unsafe extern "C" fn punktfunk_connect_ex3(
     client_cert_pem: *const std::os::raw::c_char,
     client_key_pem: *const std::os::raw::c_char,
     timeout_ms: u32,
+) -> *mut PunktfunkConnection {
+    // Delegate to the launch-aware variant with no game requested (the host's default session).
+    unsafe {
+        punktfunk_connect_ex4(
+            host,
+            port,
+            width,
+            height,
+            refresh_hz,
+            compositor,
+            gamepad,
+            bitrate_kbps,
+            std::ptr::null(),
+            pin_sha256,
+            observed_sha256_out,
+            client_cert_pem,
+            client_key_pem,
+            timeout_ms,
+        )
+    }
+}
+
+/// Like [`punktfunk_connect_ex3`], but additionally asks the host to launch a library title in
+/// this session. `launch_id` is a store-qualified [`crate::library`-style] id as returned by the
+/// host's `GET /api/v1/library` (`steam:<appid>` / `custom:<id>`); the host resolves it against
+/// its OWN library and runs the matching recipe — the client never sends a raw command. `NULL`
+/// (or an empty / unknown id) ⇒ the host's default session, no game launched.
+///
+/// # Safety
+/// Same as [`punktfunk_connect`]; `launch_id`, when non-NULL, must be a NUL-terminated C string.
+#[cfg(feature = "quic")]
+#[no_mangle]
+pub unsafe extern "C" fn punktfunk_connect_ex4(
+    host: *const std::os::raw::c_char,
+    port: u16,
+    width: u32,
+    height: u32,
+    refresh_hz: u32,
+    compositor: u32,
+    gamepad: u32,
+    bitrate_kbps: u32,
+    launch_id: *const std::os::raw::c_char,
+    pin_sha256: *const u8,
+    observed_sha256_out: *mut u8,
+    client_cert_pem: *const std::os::raw::c_char,
+    client_key_pem: *const std::os::raw::c_char,
+    timeout_ms: u32,
 ) -> *mut PunktfunkConnection {
     let r = std::panic::catch_unwind(AssertUnwindSafe(|| {
         if host.is_null() {
@@ -805,6 +852,11 @@ pub unsafe extern "C" fn punktfunk_connect_ex3(
             Ok(s) => s,
             Err(_) => return std::ptr::null_mut(),
         };
+        // A bad-UTF-8 launch id is non-fatal — treat it as "no game" rather than failing connect.
+        let launch = match unsafe { opt_cstr(launch_id) } {
+            Ok(Some(s)) if !s.is_empty() => Some(s.to_string()),
+            _ => None,
+        };
         let mode = crate::config::Mode {
             width,
             height,
@@ -839,6 +891,7 @@ pub unsafe extern "C" fn punktfunk_connect_ex3(
             pref,
             gamepad,
             bitrate_kbps,
+            launch,
             pin,
             identity,
             std::time::Duration::from_millis(timeout_ms as u64),