feat(host): GameStream/Moonlight compat is now opt-in (--gamestream) — secure native-only by default

Follows the security audit (#5/#9): the GameStream-compat plane carries inherent on-path weaknesses
that can't be fixed on the wire without breaking stock Moonlight — its pairing runs over plain HTTP
(#9, MITM-able during the pairing window) and its legacy control encryption can reuse GCM nonces (#5,
a passive eavesdropper can recover/forge input). The native punktfunk/1 plane (SPAKE2 PIN pairing +
per-direction AEAD nonces) has neither. So flip the default to secure-by-default:

- `serve`              → native punktfunk/1 plane + management API ONLY (no GameStream surface).
- `serve --gamestream` → ALSO the GameStream/Moonlight-compat planes (nvhttp pairing, RTSP, ENet
  control, _nvstream mDNS). Opt-in, logged with a trusted-LAN caveat. `--moonlight` is an alias.
- The native plane is now ALWAYS on in `serve` (`--native` is a kept-for-compat no-op); the unified
  GameStream+native host is `serve --gamestream`.

`gamestream::serve` gates the GameStream spawns (nvhttp/rtsp/control/mdns) on the flag; the native
plane + mgmt + native-pairing handle always run.

To avoid silently regressing validated Moonlight deployments, the explicit deployment configs PRESERVE
Moonlight via `--gamestream` (each documents dropping it for a secure native-only host): the Linux
systemd unit, the Steam Deck installer, and the Windows service default (DEFAULT_HOST_CMD). The bare
`serve` default (new/manual use) is secure.

Docs swept to match (host-cli, moonlight, quickstart, install, packaging READMEs, CLAUDE.md, README,
…): Moonlight setup now instructs `--gamestream`; native/console refs use bare `serve`. OpenAPI
regenerated (a stale "run `serve --native`" string). fmt + clippy clean; 94 host tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

scripts/punktfunk-host.service

@@ -1,4 +1,6 @@
-# punktfunk streaming host — systemd USER unit (`serve --native` = GameStream + punktfunk/1).
+# punktfunk streaming host — systemd USER unit (`serve --gamestream` = native punktfunk/1 + the
+# GameStream/Moonlight-compat planes). For a SECURE native-only host (no plain-HTTP pairing / legacy
+# GCM nonce reuse — security-review #5/#9; native clients only), drop `--gamestream` from ExecStart.
 #
 # Install (against an already-running compositor session):
 #   mkdir -p ~/.config/systemd/user && cp scripts/punktfunk-host.service ~/.config/systemd/user/
@@ -29,7 +31,7 @@ PartOf=punktfunk-kde-session.service
 
 [Service]
 EnvironmentFile=%h/.config/punktfunk/host.env
-ExecStart=%h/punktfunk/target/release/punktfunk-host serve --native
+ExecStart=%h/punktfunk/target/release/punktfunk-host serve --gamestream
 Restart=on-failure
 RestartSec=2
 

scripts/steamdeck/README.md

@@ -51,9 +51,10 @@ default `pf2`), `PUNKTFUNK_MGMT_PORT` (47990), `PUNKTFUNK_WEB_PORT` (3000).
 - **Config:** `~/.config/punktfunk/host.env` (encoder/compositor) and `web.env` (generated web login
   password + session secret). Trust material (`cert.pem`, `mgmt-token`, `punktfunk1-paired.json`) lives
   here too and persists across updates.
-- **Services:** `~/.config/systemd/user/punktfunk-host.service` (runs `serve --native --mgmt-bind
-  0.0.0.0:47990`, `+ --open` if chosen) and `punktfunk-web.service`. Linger is enabled so they run
-  without a login session.
+- **Services:** `~/.config/systemd/user/punktfunk-host.service` (runs `serve --gamestream --mgmt-bind
+  0.0.0.0:47990`, `+ --open` if chosen — `--gamestream` adds the Moonlight-compat planes so the Deck's
+  Game Mode also streams to stock Moonlight; the native `punktfunk/1` plane is always on) and
+  `punktfunk-web.service`. Linger is enabled so they run without a login session.
 - **System tuning (sudo):** `/etc/sysctl.d/99-punktfunk-net.conf` (32 MB UDP buffers — the #1
   high-bitrate lever), `/etc/udev/rules.d/60-punktfunk.rules`, and `$USER` in the `input` group.
 

scripts/steamdeck/install.sh

@@ -170,7 +170,9 @@ fi
 # --- 5. systemd user services ---------------------------------------------
 log "Installing systemd user services"
 mkdir -p "$UNITS"
-SERVE_ARGS="serve --native --mgmt-bind 0.0.0.0:$MGMT_PORT"
+# --gamestream keeps the Moonlight-compat planes (the Deck commonly streams to Moonlight too); drop
+# it for a secure native-only host (no #5/#9 surface — native clients only).
+SERVE_ARGS="serve --gamestream --mgmt-bind 0.0.0.0:$MGMT_PORT"
 [ "$OPEN" = 1 ] && SERVE_ARGS="$SERVE_ARGS --open"
 cat > "$UNITS/punktfunk-host.service" <<EOF
 # Generated by scripts/steamdeck/install.sh — punktfunk Steam Deck host (native binary).

scripts/windows/host.env.example

@@ -23,9 +23,10 @@ PUNKTFUNK_SECURE_DDA=1
 # Log level (info | debug | trace). Logs land in %ProgramData%\punktfunk\logs\.
 RUST_LOG=info
 
-# The host subcommand the service launches. Default: `serve --native` (GameStream/Moonlight + the
-# native punktfunk/1 QUIC host in one process). Uncomment to override.
-#PUNKTFUNK_HOST_CMD=serve --native
+# The host subcommand the service launches. Default: `serve --gamestream` (native punktfunk/1 host
+# ALWAYS on + the GameStream/Moonlight-compat planes). Use `serve` for a SECURE native-only host
+# (no plain-HTTP pairing / legacy GCM nonce reuse — security-review #5/#9). Uncomment to override.
+#PUNKTFUNK_HOST_CMD=serve --gamestream
 
 # Multi-GPU boxes only: force the NVENC/Desktop-Duplication GPU by Description substring. Leave
 # unset on single-GPU machines (the default auto-picks the discrete adapter).