fix(security): remaining audit findings — mgmt admin gate, RTSP DoS bounds, FEC drop, ALPN, ct-compare

Addresses the lower-severity findings from docs/security-review.md (#4-#12). Each fix was
adversarially re-reviewed (5-agent pass); two review catches folded in (the Apple client's
GET /library cert path; an RTSP header-cap bypass + a spawn-panic counter leak).

- #4 [low] mgmt mTLS-paired-cert no longer grants full admin. A paired STREAMING cert authorizes
  only a read-only allowlist (GET /host,/compositors,/status,/clients,/native/clients,/library);
  every state-changing route and every PIN-exposing route (/pair, /native/pair) requires the
  operator's bearer token. New cert_auth_is_a_read_only_allowlist test. (/library kept on the
  allowlist — the native clients browse it cert-only; its mutations stay token-only.)
- #6 [low] RTSP pre-auth DoS bounds: a concurrent-connection cap (RAII slot guard), a per-read
  timeout (slow-loris), and Content-Length/header/message size caps — closing an unauthenticated
  slow-loris / memory-growth / thread-exhaustion vector on TCP 48010.
- #11 [info] A FEC reconstruction failure is now a counted drop (discard the block, keep the
  session) instead of being stream-fatal — a lossy link can't be torn down by one bad block.
- #10 [info] Fixed ALPN ("pkf1") on both native QUIC endpoints (defense-in-depth; a deliberate
  coordinated client+host upgrade — a new host rejects an ALPN-less old client).
- #8 [info] Constant-time GameStream pairing phase-4 hash compare (crypto::ct_eq).
- #7 [low] New VirtualDisplay::set_launch_command carries the launch command per-session on the
  GameStream path (no process-global env stomp under concurrent sessions); native path keeps the
  env under today's single-session model (documented; plumb per-session with concurrent sessions).
- #5 [low] Legacy GameStream GCM nonce reuse: documented as inherent to Nvidia's old-style control
  encryption (Apollo/Moonlight identical; key is client-known) — unfixable on the legacy wire; the
  real fix is V2 control-encryption negotiation. Code comment at control.rs.
- #9 [info] GameStream plain-HTTP pairing: documented (inherent to GFE compat; use punktfunk/1).
- #12 [low] Web global NODE_TLS_REJECT_UNAUTHORIZED: fix designed (undici dispatcher scoped to the
  loopback mgmt fetch) but DEFERRED — needs `bun add undici` in the web build env; reverted to keep
  the web working. Latent-only (the loopback mgmt fetch is the console's only outbound TLS).

fmt + clippy -D warnings clean; 94 host + core tests green; no C-ABI/OpenAPI drift. (The HDR
Steps 1-2 client work in the tree is the user's parallel WIP — deliberately NOT included here.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-core/src/packet.rs

@@ -296,8 +296,9 @@ impl Reassembler {
         stats: &StatsCounters,
     ) -> Result<Option<Frame>> {
         // On a lossy datagram link a malformed or non-video packet is dropped, never
-        // fatal: it must not abort `poll_frame`. Only a genuine FEC reconstruction
-        // failure propagates as an error.
+        // fatal: it must not abort `poll_frame`. A FEC reconstruction failure (corrupt or
+        // incompatible shards that passed the header checks) likewise drops the block rather
+        // than killing the whole session — the stream recovers at the next keyframe/RFI.
         if pkt.len() < HEADER_LEN {
             StatsCounters::add(&stats.packets_dropped, 1);
             return Ok(None);
@@ -407,8 +408,22 @@ impl Reassembler {
                 .iter()
                 .filter(|s| s.is_some())
                 .count();
-            let recovered =
-                coder.reconstruct(block.data_shards, block.recovery_shards, &mut block.shards)?;
+            let recovered = match coder.reconstruct(
+                block.data_shards,
+                block.recovery_shards,
+                &mut block.shards,
+            ) {
+                Ok(r) => r,
+                Err(_) => {
+                    // Corrupt/incompatible shards that slipped past the header checks: discard this
+                    // block (mark done so later shards for it are ignored) and keep the session
+                    // alive — a lossy link must not be torn down by one unrecoverable block; the
+                    // frame stays incomplete and the client recovers at the next keyframe/RFI.
+                    block.done = true;
+                    StatsCounters::add(&stats.packets_dropped, 1);
+                    return Ok(None);
+                }
+            };
             block.done = true;
             StatsCounters::add(
                 &stats.fec_recovered_shards,

crates/punktfunk-core/src/quic.rs

@@ -1490,6 +1490,12 @@ pub mod endpoint {
         server_from_der(cert_der, key_der, addr)
     }
 
+    /// Fixed ALPN for the punktfunk/1 QUIC handshake. Pinning it rejects a cross-protocol peer at the
+    /// TLS layer (defense-in-depth) and makes the wire protocol explicit. Both ends set the SAME value;
+    /// a host with ALPN configured rejects a client that offers none, so client + host must be updated
+    /// together (acceptable while the protocol/ABI is still evolving).
+    const QUIC_ALPN: &[u8] = b"pkf1";
+
     fn server_from_der(
         cert_der: rustls::pki_types::CertificateDer<'static>,
         key_der: rustls::pki_types::PrivateKeyDer<'static>,
@@ -1500,10 +1506,11 @@ pub mod endpoint {
         // identity is fingerprinted post-handshake (pairing / --require-pairing checks);
         // one that presents none still connects (and is rejected at the app layer when
         // pairing is required).
-        let rustls_cfg = rustls::ServerConfig::builder()
+        let mut rustls_cfg = rustls::ServerConfig::builder()
             .with_client_cert_verifier(Arc::new(AcceptAnyClientCert))
             .with_single_cert(vec![cert_der], key_der)
             .map_err(|e| anyhow_result::Error::msg(format!("server config: {e}")))?;
+        rustls_cfg.alpn_protocols = vec![QUIC_ALPN.to_vec()];
         let quic_cfg = quinn::crypto::rustls::QuicServerConfig::try_from(rustls_cfg)
             .map_err(|e| anyhow_result::Error::msg(format!("quic server config: {e}")))?;
         let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_cfg));
@@ -1580,7 +1587,7 @@ pub mod endpoint {
                     pin,
                     observed: observed.clone(),
                 }));
-            let rustls_cfg = match identity {
+            let mut rustls_cfg = match identity {
                 None => builder.with_no_client_auth(),
                 Some((cert_pem, key_pem)) => {
                     use rustls::pki_types::pem::PemObject;
@@ -1596,6 +1603,8 @@ pub mod endpoint {
                         .map_err(|e| anyhow_result::Error::msg(format!("client auth: {e}")))?
                 }
             };
+            // Must match the server's ALPN ([`QUIC_ALPN`]) or the handshake is rejected.
+            rustls_cfg.alpn_protocols = vec![QUIC_ALPN.to_vec()];
             let quic_cfg = quinn::crypto::rustls::QuicClientConfig::try_from(rustls_cfg)
                 .map_err(|e| anyhow_result::Error::msg(format!("quic client config: {e}")))?;
             let mut client_cfg = quinn::ClientConfig::new(Arc::new(quic_cfg));