feat(host): Apollo-backlog hardening — cert gate, NVENC RFI, media QoS, async injector

A pass over the apollo-comparison backlog (re-verified against current code).
Lands four items end-to-end plus a Windows-DualSense scoping doc.

- #5/#92/#26 — GameStream paired-cert allow-list. tls.rs surfaces the verified
  peer cert to handlers (serve_https + PeerCertFingerprint, now shared with the
  mgmt API instead of duplicated); nvhttp gates /launch /resume /applist /cancel
  on AppState.paired and reports a real PairStatus; save_paired writes atomically
  (temp+rename). Closes the "mTLS accepts any client cert" hole. + regression test.

- #6/#51/#19/#22 — NVENC caps query -> reference-frame invalidation. nvenc.rs
  query_caps probes nvEncGetEncodeCaps (max dims / 10-bit / custom-VBV / RFI),
  rejecting over-range modes and degrading 10-bit->8-bit instead of an opaque
  InvalidParam. New Encoder::invalidate_ref_frames (default false -> caller
  keyframes); the Windows NVENC path implements real RFI (multi-ref DPB +
  nvEncInvalidateRefFrames, dedup + IDR-on-overflow). control.rs decodes the
  0x0301 lost-frame range (Apollo's IDX_INVALIDATE_REF_FRAMES) -> AppState.rfi_range
  -> encode loop, falling back to a keyframe. NOTE: the Windows NVENC impl is
  RTX-box/CI-pending (can't compile on Linux); adversarially reviewed vs the SDK.

- #43/#72 — media socket QoS + buffer growth. New punktfunk_core::transport::qos:
  grow_socket_buffers (factored out the native plane's 32MB SO_SNDBUF growth so the
  GameStream sockets reuse it) + set_media_qos (opt-in PUNKTFUNK_DSCP=1: DSCP CS5
  video / CS6 audio + Linux SO_PRIORITY, Apollo's scheme). Wired into UdpTransport
  and the GameStream video/audio sockets. Windows IP_TOS needs qWAVE (follow-up).

- #8/#45 — GameStream input injection off the ENet service thread. on_receive no
  longer injects inline (a slow inject head-blocked ENet keepalive/retransmit); it
  forwards to a dedicated injector thread. The hardened InjectorService moved from
  punktfunk1 into crate::inject (shared by both planes) + a coalesce step that sums
  adjacent relative-mouse/scroll deltas while preserving button/key/abs ordering.

Docs: re-verified apollo-comparison.md status (22 items already done/obsolete since
the snapshot) + windows-dualsense-scoping.md (ViGEm can't emulate a DualSense; real
DS5 on Windows needs a VHF virtual-HID driver — web-research pass pending).

fmt + clippy -D warnings clean; full workspace test suite green; no C-ABI/OpenAPI drift.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-host/src/punktfunk1.rs

@@ -200,7 +200,7 @@ pub(crate) async fn serve(opts: Punktfunk1Options, np: Arc<NativePairing>) -> Re
     // RemoteDesktop-portal grant is established ONCE and reused, instead of a CreateSession per
     // session — which, under rapid client reconnects, raced a prior session's portal teardown and
     // wedged KWin's EIS setup ("EIS setup timed out"). Gamepads stay per-session (uinput).
-    let injector = InjectorService::start();
+    let injector = crate::inject::InjectorService::start();
     // One virtual microphone for the whole host lifetime (see MicService): the client's mic uplink
     // (0xCB) is Opus-decoded and fed into a persistent virtual mic host apps record from (Linux
     // PipeWire Audio/Source; Windows a virtual audio device's render endpoint).
@@ -1028,103 +1028,10 @@ impl PadState {
 /// actual pad creation at its own MAX_PADS.
 const MAX_WIRE_PADS: usize = 16;
 
-/// Host-lifetime pointer/keyboard injector, shared across punktfunk/1 sessions.
-///
-/// The injector backend (libei/RemoteDesktop on KWin/GNOME, gamescope's EIS, wlr, uinput) owns
-/// compositor resources and is `!Send`, so — unlike the audio capturer — it can't be handed
-/// between per-session threads through a slot. Instead one host-lifetime thread *owns* it and
-/// injects events forwarded over a clonable `Send` channel. Opening it ONCE means the privileged
-/// RemoteDesktop-portal grant is established once and held for the whole run, eliminating the
-/// per-session `CreateSession` churn that wedged KWin's EIS setup (rapid client reconnects raced
-/// a prior session's portal teardown — "EIS setup timed out"). The service opens lazily on the
-/// first event and reopens, after a backoff, if injection fails — so a transient portal hiccup,
-/// or a gamescope EIS socket that respawns with its nested session, self-heals.
-struct InjectorService {
-    tx: std::sync::mpsc::Sender<InputEvent>,
-}
-
-impl InjectorService {
-    fn start() -> InjectorService {
-        let (tx, rx) = std::sync::mpsc::channel::<InputEvent>();
-        if let Err(e) = std::thread::Builder::new()
-            .name("punktfunk1-injector".into())
-            .spawn(move || injector_service_thread(rx))
-        {
-            tracing::error!(error = %e, "injector service thread spawn failed — pointer/keyboard input disabled");
-        }
-        InjectorService { tx }
-    }
-
-    /// A sender a session forwards its pointer/keyboard events to. Cloned per session; dropping a
-    /// clone does NOT stop the service (the service holds the original sender for the host life).
-    fn sender(&self) -> std::sync::mpsc::Sender<InputEvent> {
-        self.tx.clone()
-    }
-}
-
-/// Backoff between reopen attempts after the injector backend fails to open or its worker dies,
-/// so a persistently-unavailable portal isn't hammered once per event.
+/// Backoff between reopen attempts after a host-lifetime service's backend (the mic source, a
+/// capturer) fails to open or its worker dies, so a persistently-unavailable resource isn't hammered.
 const INJECTOR_REOPEN_BACKOFF: std::time::Duration = std::time::Duration::from_secs(2);
 
-/// The host-lifetime injector worker: lazily open the pointer/keyboard backend, then inject every
-/// forwarded event into it. Reopen (after [`INJECTOR_REOPEN_BACKOFF`]) on open failure or if the
-/// backend's worker dies mid-stream. Exits only when every session sender *and* the service's own
-/// sender have dropped (host shutdown), which drops the injector and closes its portal session.
-fn injector_service_thread(rx: std::sync::mpsc::Receiver<InputEvent>) {
-    let mut injector: Option<Box<dyn crate::inject::InputInjector>> = None;
-    let mut open_backend: Option<crate::inject::Backend> = None;
-    let mut last_failed: Option<std::time::Instant> = None;
-    for ev in rx {
-        // The resolved input backend (PUNKTFUNK_INPUT_BACKEND, set per connect by apply_input_env,
-        // also on a mid-stream session switch) may have changed since we opened. Reopen against it
-        // so input FOLLOWS the active session instead of injecting into a stale, still-warm backend
-        // (e.g. the managed gamescope's EIS socket after the user switched to the KDE desktop).
-        let want = crate::inject::default_backend();
-        if injector.is_some() && open_backend != Some(want) {
-            tracing::info!(
-                ?open_backend,
-                ?want,
-                "input: backend changed — reopening injector for the active session"
-            );
-            injector = None;
-            last_failed = None; // re-resolve immediately
-        }
-        if injector.is_none() {
-            // Open on the first event; after a failure wait out the backoff before retrying (a
-            // few events drop during setup — acceptable, input is lossy).
-            let ready = last_failed.is_none_or(|t| t.elapsed() >= INJECTOR_REOPEN_BACKOFF);
-            if ready {
-                match crate::inject::open(want) {
-                    Ok(i) => {
-                        tracing::info!(
-                            backend = ?want,
-                            "punktfunk/1 input injector ready (host-lifetime)"
-                        );
-                        injector = Some(i);
-                        open_backend = Some(want);
-                        last_failed = None;
-                    }
-                    Err(e) => {
-                        tracing::error!(error = %format!("{e:#}"), "pointer/keyboard injection unavailable — will retry");
-                        last_failed = Some(std::time::Instant::now());
-                    }
-                }
-            }
-        }
-        if let Some(inj) = injector.as_mut() {
-            if let Err(e) = inj.inject(&ev) {
-                // The backend's worker (portal session / EIS socket) died — drop it and reopen on
-                // a later event (covers a gamescope EIS socket that respawns with its session).
-                tracing::warn!(error = %format!("{e:#}"), "inject failed — reopening injector");
-                injector = None;
-                open_backend = None;
-                last_failed = Some(std::time::Instant::now());
-            }
-        }
-    }
-    tracing::debug!("injector service stopped (host shutting down)");
-}
-
 /// Mic is 48 kHz stereo — matches the Opus stereo decoder and the host→client audio layout.
 const MIC_CHANNELS: u32 = 2;