feat(windows-host): bundle + auto-run the web console in the installer

The Windows host installer shipped only the host exe + SudoVDA driver + FFmpeg, so a
fresh install had no web management console — required for basically every user (status,
paired devices, the PIN pairing flow). The console was only ever set up by hand on the
dev box (build-web.ps1 + a hand-made PunktfunkWeb task whose web-run.cmd wasn't even
committed). Bundle it into the same installer, mirroring the proven Linux punktfunk-web
deploy.

- windows-host.yml builds the Nitro node-server console (bun, deb.yml's shape) + fetches
  a pinned portable Node, smoke-boots it under node (/login == 200) to gate the build, and
  hands web/.output + node.exe to the pack script.
- pack-host-installer.ps1 gains -WebDir/-NodeExe and stages the .output tree, node, and
  the two new scripts into the non-WOW64-redirected build area.
- punktfunk-host.iss lays the payload into {app}\web\.output + {app}\node\node.exe, adds
  a wizard page for the console login password pre-filled with a crypto-random default
  (shown on the finish page; kept on upgrade), and runs web-setup.ps1.
- web-setup.ps1 writes the ACL'd %ProgramData%\punktfunk\web-password (Administrators +
  SYSTEM), registers the PunktfunkWeb scheduled task (boot, SYSTEM, restart-on-failure ->
  web-run.cmd -> node on :3000), opens inbound TCP 3000, and starts it. web-run.cmd
  sources the host's mgmt-token + the password and runs the bundled node.
- The console proxies the host's loopback mgmt API with the host's own
  %ProgramData%\punktfunk\mgmt-token (no host-code change). Uninstall removes the task +
  firewall rule.

Validated locally: bun build -> node-server bundle, node boot serves /login (200) and
gates /api (401). The Windows-only bits (ISCC compile, scheduled task, password page,
firewall) validate on the Windows runner CI + on-glass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/windows/punktfunk-host.iss

@@ -28,6 +28,14 @@
 #ifndef Readme
   #define Readme "README.md"
 #endif
+; The web console launcher (the PunktfunkWeb task action) + its post-install provisioner — committed
+; scripts staged next to the .iss by pack-host-installer.ps1 (absolute paths passed in).
+#ifndef WebRunCmd
+  #define WebRunCmd "..\..\scripts\windows\web-run.cmd"
+#endif
+#ifndef WebSetup
+  #define WebSetup "..\..\scripts\windows\web-setup.ps1"
+#endif
 ; StageDir (the staged SudoVDA payload + nefconc.exe + install-sudovda.ps1) is optional.
 #ifdef StageDir
   #define WithDriver
@@ -41,6 +49,13 @@
 #ifdef FfmpegBin
   #define WithFfmpeg
 #endif
+; WebDir (the built web .output tree) + NodeExe (a portable node.exe) are passed together by
+; pack-host-installer.ps1 to bundle the management console. Both required → WithWeb.
+#ifdef WebDir
+  #ifdef NodeExe
+    #define WithWeb
+  #endif
+#endif
 
 [Setup]
 AppId={{7C9E6A52-1F4B-4E8D-A3C7-2B5D8F1E0A93}
@@ -86,6 +101,16 @@ Source: "{#Readme}"; DestDir: "{app}"; DestName: "README.txt"; Flags: ignorevers
 ; only builds simply omit this block.
 Source: "{#FfmpegBin}\*.dll"; DestDir: "{app}"; Flags: ignoreversion
 #endif
+#ifdef WithWeb
+; The web management console: the built Nitro/Node SSR bundle (.output = server + public assets) →
+; {app}\web\.output, a portable Node runtime → {app}\node\node.exe, and the launcher the
+; PunktfunkWeb task runs → {app}\web\web-run.cmd. web-setup.ps1 (the provisioner) goes to {tmp} and
+; is removed after install.
+Source: "{#WebDir}\*"; DestDir: "{app}\web\.output"; Flags: ignoreversion recursesubdirs createallsubdirs
+Source: "{#NodeExe}"; DestDir: "{app}\node"; DestName: "node.exe"; Flags: ignoreversion
+Source: "{#WebRunCmd}"; DestDir: "{app}\web"; DestName: "web-run.cmd"; Flags: ignoreversion
+Source: "{#WebSetup}"; DestDir: "{tmp}"; DestName: "web-setup.ps1"; Flags: deleteafterinstall
+#endif
 #ifdef WithDriver
 ; The driver payload + nefconc.exe + install-sudovda.ps1, extracted to {tmp} and removed after install.
 Source: "{#StageDir}\*"; DestDir: "{tmp}\sudovda"; Flags: deleteafterinstall recursesubdirs createallsubdirs; Tasks: installdriver
@@ -114,11 +139,112 @@ Filename: "{app}\punktfunk-host.exe"; Parameters: "service install"; WorkingDir:
   StatusMsg: "Registering the punktfunk host service..."; Flags: runhidden waituntilterminated
 Filename: "{app}\punktfunk-host.exe"; Parameters: "service start"; WorkingDir: "{app}"; \
   StatusMsg: "Starting the punktfunk host service..."; Flags: runhidden waituntilterminated; Tasks: startservice
+#ifdef WithWeb
+; Provision the console AFTER the host service is up (so the mgmt token exists): write the ACL'd
+; login password, register the PunktfunkWeb scheduled task (boot, SYSTEM, restart-on-failure),
+; open TCP 3000, and start it. {code:WebSetupParams} appends -PasswordFile only on a fresh install.
+Filename: "powershell.exe"; \
+  Parameters: "-NoProfile -ExecutionPolicy Bypass -File ""{tmp}\web-setup.ps1"" {code:WebSetupParams}"; \
+  StatusMsg: "Setting up the punktfunk web console..."; Flags: runhidden waituntilterminated
+#endif
 
 [UninstallRun]
 Filename: "{app}\punktfunk-host.exe"; Parameters: "service uninstall"; Flags: runhidden waituntilterminated; RunOnceId: "PunktfunkHostServiceUninstall"
+#ifdef WithWeb
+; Stop + remove the PunktfunkWeb task and its firewall rule (leaves %ProgramData%\punktfunk config,
+; like the host uninstall does).
+Filename: "powershell.exe"; \
+  Parameters: "-NoProfile -ExecutionPolicy Bypass -Command ""Stop-ScheduledTask -TaskName PunktfunkWeb -ErrorAction SilentlyContinue; Unregister-ScheduledTask -TaskName PunktfunkWeb -Confirm:$false -ErrorAction SilentlyContinue; Get-NetFirewallRule -Name 'PunktfunkWeb-TCP-3000' -ErrorAction SilentlyContinue | Remove-NetFirewallRule"""; \
+  Flags: runhidden waituntilterminated; RunOnceId: "PunktfunkWebCleanup"
+#endif
 
 [Code]
+#ifdef WithWeb
+var
+  WebPwPage: TInputQueryWizardPage;
+  FreshWebInstall: Boolean;   { captured at start — web-setup creates the file mid-run }
+
+function WebPasswordPath: String;
+begin
+  Result := ExpandConstant('{commonappdata}\punktfunk\web-password');
+end;
+
+{ Pre-fill the console password field with a crypto-strong default (Inno has no RNG): a one-shot
+  PowerShell writes 12 random bytes as dashed hex; strip the dashes → a 24-char hex password. }
+procedure GenerateRandomWebPassword(var Pw: String);
+var
+  ResultCode: Integer;
+  TmpOut: String;
+  Lines: TArrayOfString;
+begin
+  Pw := '';
+  TmpOut := ExpandConstant('{tmp}\webpwgen.txt');
+  if Exec('powershell.exe',
+      '-NoProfile -ExecutionPolicy Bypass -Command "' +
+      '$b=New-Object byte[] 12;' +
+      '([System.Security.Cryptography.RandomNumberGenerator]::Create()).GetBytes($b);' +
+      '[IO.File]::WriteAllText(' + '''' + TmpOut + '''' + ',[System.BitConverter]::ToString($b))"',
+      '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
+  begin
+    if (ResultCode = 0) and LoadStringsFromFile(TmpOut, Lines) and (GetArrayLength(Lines) > 0) then
+    begin
+      Pw := Trim(Lines[0]);
+      StringChangeEx(Pw, '-', '', True);
+    end;
+    DeleteFile(TmpOut);
+  end;
+end;
+
+procedure InitializeWizard;
+var
+  DefaultPw: String;
+begin
+  FreshWebInstall := not FileExists(WebPasswordPath);
+  WebPwPage := CreateInputQueryPage(wpSelectTasks,
+    'Web console', 'Set the punktfunk web console login password',
+    'The management console is served on http://this-computer:3000 and is login-gated. Keep the ' +
+    'secure password generated below (it is shown again on the final page) or enter your own — you ' +
+    'can change it later in %ProgramData%\punktfunk\web-password.');
+  WebPwPage.Add('Console password:', False);   { visible, so the admin can read the generated default }
+  DefaultPw := '';
+  GenerateRandomWebPassword(DefaultPw);
+  WebPwPage.Values[0] := DefaultPw;
+end;
+
+function ShouldSkipPage(PageID: Integer): Boolean;
+begin
+  { On upgrade the password already exists — keep it, don't re-prompt. }
+  Result := (PageID = WebPwPage.ID) and (not FreshWebInstall);
+end;
+
+function NextButtonClick(CurPageID: Integer): Boolean;
+begin
+  Result := True;
+  if (CurPageID = WebPwPage.ID) and (Trim(WebPwPage.Values[0]) = '') then
+  begin
+    MsgBox('Please enter a web console password (it cannot be empty).', mbError, MB_OK);
+    Result := False;
+  end;
+end;
+
+procedure CurPageChanged(CurPageID: Integer);
+begin
+  if (CurPageID = wpFinished) and FreshWebInstall then
+    WizardForm.FinishedLabel.Caption := WizardForm.FinishedLabel.Caption + #13#10#13#10 +
+      'Web console:  http://<this-PC-IP>:3000' + #13#10 +
+      'Login password:  ' + Trim(WebPwPage.Values[0]);
+end;
+
+function WebSetupParams(Param: String): String;
+begin
+  { Pass the password to web-setup.ps1 via a temp file, not the cmdline (which lands in the install
+    log). Only on a fresh install — on upgrade web-setup keeps the existing file. }
+  Result := '-AppDir "' + ExpandConstant('{app}') + '"';
+  if FreshWebInstall then
+    Result := Result + ' -PasswordFile "' + ExpandConstant('{tmp}\webpw.txt') + '"';
+end;
+#endif
+
 { On upgrade the running service locks punktfunk-host.exe (and the supervisor would respawn it from
   the OLD binary), so stop it and WAIT for STOPPED before files are copied. Best-effort; a fresh
   install is a no-op (the service doesn't exist yet). }
@@ -138,5 +264,12 @@ end;
 procedure CurStepChanged(CurStep: TSetupStep);
 begin
   if CurStep = ssInstall then
+  begin
     StopHostServiceAndWait;
+#ifdef WithWeb
+    { Stash the chosen password for web-setup.ps1 (fresh install only); {tmp} is auto-cleaned. }
+    if FreshWebInstall then
+      SaveStringToFile(ExpandConstant('{tmp}\webpw.txt'), Trim(WebPwPage.Values[0]), False);
+#endif
+  end;
 end;