feat(packaging/bazzite): one-shot KDE Desktop-mode setup for the host

The session-aware selector drives a KWin virtual output at the client's
resolution when the Bazzite box is in KDE Desktop Mode — validated live. But a
normal KDE login withholds two things the headless host needs:
  1. KWIN_WAYLAND_NO_PERMISSION_CHECKS=1 — so KWin exposes the privileged
     zkde_screencast virtual-output protocol to an external client.
  2. the kde-authorized RemoteDesktop grant — so libei input auto-approves
     instead of popping a dialog a headless host can't answer.

Add packaging/bazzite/kde-desktop-setup.sh (idempotent, no root): writes the
environment.d KWIN drop-in and seeds the grant DB (shipped at
/usr/share/punktfunk/headless/kde-authorized) into ~/.local/share/flatpak/db/,
restarting the portal chain. Ship it via the RPM at
/usr/share/punktfunk/bazzite/ and document it in the Bazzite README (new §6.5).
Gaming Mode needs none of this (auto-attach).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/bazzite/README.md

@@ -291,6 +291,28 @@ sudo firewall-cmd --permanent --add-port=9777/udp && sudo firewall-cmd --reload
 
 ---
 
+## 6.5 Desktop (KDE) mode — stream the desktop at the client's resolution (optional)
+
+The host **auto-detects** the live session per connect: in **Steam Gaming Mode** it attaches to the
+running gamescope (no setup); switch the box to the **KDE Desktop** and it drives a KWin *virtual
+output at the connecting client's exact resolution* (no TV-stretch, churn-free). The Desktop path
+needs one one-shot setup the first time, because a normal KDE login withholds two things the
+headless host needs — the privileged `zkde_screencast` virtual-output protocol, and an
+auto-approved RemoteDesktop input grant:
+
+```sh
+bash /usr/share/punktfunk/bazzite/kde-desktop-setup.sh
+# then log out + back into the KDE Desktop session once (or reboot) so KWin restarts with the flag
+```
+
+That writes `~/.config/environment.d/10-punktfunk-kwin.conf`
+(`KWIN_WAYLAND_NO_PERMISSION_CHECKS=1`) and seeds the `kde-authorized` RemoteDesktop grant into
+`~/.local/share/flatpak/db/`. Gaming Mode is unaffected. To connect from Desktop Mode, switch to it
+(Steam → Power → Switch to Desktop), then connect the client; switching **mid-stream** requires a
+reconnect (the host resolves the backend per connect).
+
+---
+
 ## 7. Verify it's working
 
 **1. Watch the startup log:**

packaging/bazzite/kde-desktop-setup.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# One-shot setup so the punktfunk host can stream the Bazzite KDE *Desktop* session (KWin virtual
+# output at the client's resolution). Run ONCE as the streaming user (no root needed). Gaming Mode
+# (gamescope) needs none of this — it auto-attaches. Idempotent: safe to re-run.
+#
+#   bash /usr/share/punktfunk/bazzite/kde-desktop-setup.sh
+#
+# Two things a normal KDE login lacks that the headless host needs:
+#  1. KWIN_WAYLAND_NO_PERMISSION_CHECKS=1 — so KWin exposes the privileged `zkde_screencast`
+#     virtual-output protocol to the host (an external client) at all.
+#  2. The `kde-authorized` RemoteDesktop grant — so libei input setup auto-approves instead of
+#     popping an "Allow remote control?" dialog the headless host can't answer.
+# After running, log out + back into the KDE Desktop session once (or reboot) so KWin restarts
+# with the flag. Gaming Mode is unaffected.
+set -euo pipefail
+
+GRANT_SRC="${PUNKTFUNK_GRANT_SRC:-/usr/share/punktfunk/headless/kde-authorized}"
+ENVD="$HOME/.config/environment.d/10-punktfunk-kwin.conf"
+GRANT_DST="$HOME/.local/share/flatpak/db/kde-authorized"
+
+echo "punktfunk: KDE Desktop-mode setup"
+
+# 1. KWin permission-check bypass (persistent, picked up by the next KDE session via systemd).
+mkdir -p "$(dirname "$ENVD")"
+cat > "$ENVD" <<'EOF'
+# punktfunk: let the streaming host bind KWin's privileged zkde_screencast (virtual output).
+# A dedicated streaming box; this relaxes KWin's Wayland permission checks for the desktop path.
+KWIN_WAYLAND_NO_PERMISSION_CHECKS=1
+EOF
+echo "  wrote $ENVD"
+
+# 2. RemoteDesktop portal grant for headless libei input (never clobber an existing one).
+if [[ -s "$GRANT_DST" ]]; then
+    echo "  grant DB already present ($GRANT_DST) — leaving it"
+elif [[ -s "$GRANT_SRC" ]]; then
+    mkdir -p "$(dirname "$GRANT_DST")"
+    cp "$GRANT_SRC" "$GRANT_DST"
+    echo "  seeded RemoteDesktop grant -> $GRANT_DST"
+    # Pick it up now without a relogin (the portal store caches at start).
+    systemctl --user restart xdg-permission-store 2>/dev/null || true
+    systemctl --user restart plasma-xdg-desktop-portal-kde xdg-desktop-portal-kde 2>/dev/null || true
+    systemctl --user restart xdg-desktop-portal 2>/dev/null || true
+else
+    echo "  WARN: grant source not found at $GRANT_SRC — input will need a manual portal approval" >&2
+fi
+
+echo "punktfunk: done. Log out + back into the KDE Desktop session (or reboot) so KWin restarts"
+echo "          with the flag, then connect a client while in Desktop Mode."

packaging/rpm/punktfunk.spec

@@ -172,6 +172,9 @@ install -Dm0644 scripts/headless/punktfunk-sink.conf   %{buildroot}%{_datadir}/%
 install -Dm0644 scripts/host.env.example               %{buildroot}%{_datadir}/%{name}/host.env.example
 install -Dm0644 packaging/bazzite/host.env             %{buildroot}%{_datadir}/%{name}/host.env.bazzite
 install -Dm0644 packaging/kde/host.env                 %{buildroot}%{_datadir}/%{name}/host.env.kde
+# Bazzite KDE Desktop-mode one-shot setup (KWIN_WAYLAND_NO_PERMISSION_CHECKS + RemoteDesktop grant).
+install -d %{buildroot}%{_datadir}/%{name}/bazzite
+install -Dm0755 packaging/bazzite/kde-desktop-setup.sh %{buildroot}%{_datadir}/%{name}/bazzite/kde-desktop-setup.sh
 install -Dm0644 docs/api/openapi.json                  %{buildroot}%{_datadir}/%{name}/openapi.json
 
 %files