fix(host/security): close audit findings S1,#1,#4,#10,#12,#7,#6,S2-S6 (Linux/cross-platform)

Remediations from design/security-review-2026-06-28.md verified on Linux
(cargo check/clippy/test green; Windows-gated paths verify in CI):

- S1 [HIGH]: bump quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185,
  pre-auth out-of-order STREAM reassembly memory exhaustion on the
  always-on default QUIC listener).
- #1 [HIGH]: remove the unauthenticated nvhttp `GET /pin` endpoint; the
  GameStream PIN is delivered ONLY via the bearer-gated mgmt API, so a
  network client can no longer submit its own displayed PIN and self-pair.
- #4 [HIGH->MED]: gate the unauthenticated RTSP/UDP media plane on a paired
  `/launch` and bind it to the launching client's source IP (threaded
  through the HTTPS handler), so an unpaired peer can neither start capture
  on an idle host nor ride a paired client's active launch.
- #12: bound concurrent parked pairing waiters (MAX_PARKED_WAITERS) so a
  pre-auth peer can't pin unbounded 300s handshakes. +regression test.
- #10: throttle the per-packet ENet control GCM-decrypt-failed warn
  (exponential backoff) so a junk flood can't spam the log.
- #7 [MED->LOW]: serialize all process-global env mutation on the
  session-setup path under a new vdisplay::ENV_LOCK (apply_session_env /
  apply_input_env / the launch-cmd set_var / the gamescope env read), so
  concurrent native sessions can't race set_var/getenv (data-race UB ->
  host-wide DoS). Full per-session SessionContext threading remains a
  follow-up for cross-session value confusion.
- #6 [MED]: move the gamescope EIS socket relay from world-writable /tmp to
  $XDG_RUNTIME_DIR (per-user 0700) and reject a symlinked relay file, so a
  local user can't intercept (keylog) or deny the remote session's input.
- S2: a malformed client Opus mic frame now drops that frame instead of
  tearing down the shared host-lifetime virtual mic (cross-session DoS).
- S3: track held buttons/keys in capped HashSets (was unbounded Vec with
  O(n) scans) so a paired client can't grow per-session input state.
- S5: reject fps==0/absurd at the open_video chokepoint (covers Hello,
  ANNOUNCE, Reconfigure) so the encoder time_base/pts math can't div-by-0.
- S6: bound the shared mic mpsc (drop-newest when full).
- S4: cap Epic launcher-cache reads (catcache.bin/.item) so a planted giant
  can't OOM the host during library enumeration.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-host/src/gamestream/control.rs

@@ -56,6 +56,9 @@ pub fn spawn(state: Arc<AppState>) -> Result<()> {
         .spawn(move || {
             // GCM scheme detected from the first authenticating packet; reused thereafter.
             let mut detected: Option<Scheme> = None;
+            // Consecutive control-decrypt failures for this peer — throttles the warn log so a
+            // junk-packet flood can't spam unbounded lines (security-review 2026-06-28 #10).
+            let mut decrypt_fails: u64 = 0;
             // Decoded keyboard/mouse is forwarded to a dedicated host-lifetime injector thread —
             // NEVER injected inline, so a slow Wayland/libei/SendInput call can't head-block ENet
             // keepalive/retransmit servicing on this thread. The injector owns non-Send compositor
@@ -77,6 +80,7 @@ pub fn spawn(state: Arc<AppState>) -> Result<()> {
                             Event::Disconnect { .. } => {
                                 tracing::info!("control: client disconnected");
                                 detected = None;
+                                decrypt_fails = 0;
                                 peer = None;
                                 // Unplug the session's virtual pads.
                                 pads = GamepadManager::new();
@@ -89,6 +93,7 @@ pub fn spawn(state: Arc<AppState>) -> Result<()> {
                                     channel_id,
                                     packet.data(),
                                     &mut detected,
+                                    &mut decrypt_fails,
                                     &inj_tx,
                                     &mut pads,
                                 );
@@ -163,6 +168,7 @@ fn on_receive(
     _channel_id: u8,
     d: &[u8],
     detected: &mut Option<Scheme>,
+    decrypt_fails: &mut u64,
     inj_tx: &Sender<InputEvent>,
     pads: &mut GamepadManager,
 ) {
@@ -180,10 +186,20 @@ fn on_receive(
                 tracing::info!(?scheme, "control: GCM scheme locked in");
             }
             *detected = Some(scheme);
+            *decrypt_fails = 0;
             pt
         }
         None => {
-            tracing::warn!(len = d.len(), "control: GCM decrypt failed");
+            // Throttle: a junk-packet flood must not spam one warn line per packet. Log the first
+            // failure, then only at exponentially-spaced counts (1, 2, 4, 8, …).
+            *decrypt_fails += 1;
+            if decrypt_fails.is_power_of_two() {
+                tracing::warn!(
+                    len = d.len(),
+                    fails = *decrypt_fails,
+                    "control: GCM decrypt failed"
+                );
+            }
             return;
         }
     };