fix(packaging/windows): vendor SudoVDA driver (no upstream release) + real nefcon URL

The first CI run failed only on the SudoVDA download: SudoMaker/SudoVDA has no
releases (source-only repo; Apollo embeds the driver in its installer), so there
was nothing to fetch. Vendor the prebuilt SIGNED driver in-repo instead.

- packaging/windows/sudovda/: SudoVDA.inf/.cat/.dll + sudovda.cer (derived from
  the .cat signer CN=sudovda@su.mk), pulled from the dev-box driver store.
  v1.10.9.289, Class=Display, HWID Root\SudoMaker\SudoVDA, MIT/CC0.
- fetch-sudovda.ps1 -> stage-sudovda.ps1: stage the vendored driver + fetch
  nefcon from its real pinned release (v1.17.40, sha256 812bae7e…, x64/nefconc.exe).
- pack-host-installer.ps1: call stage-sudovda.ps1; README updated with the
  driver-refresh recipe.

The rest of the pipeline already passed on the first run (host built --features
nvenc via the llvm-dlltool import lib; ISCC + signtool found; signed with the
real CN=unom cert).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/windows/README.md

@@ -44,13 +44,20 @@ Silent install: `punktfunk-host-setup-<ver>.exe /VERYSILENT` (omit the driver wi
 | File | Role |
 |------|------|
 | `punktfunk-host.iss` | Inno Setup script (the installer definition). |
-| `pack-host-installer.ps1` | Orchestrator: cert + sign, fetch/stage SudoVDA, run ISCC, sign setup.exe, emit registry paths. |
-| `fetch-sudovda.ps1` | Download + SHA-256-verify the **pinned** SudoVDA + nefcon releases; stage the driver payload. |
+| `pack-host-installer.ps1` | Orchestrator: cert + sign, stage the driver bundle, run ISCC, sign setup.exe, emit registry paths. |
+| `stage-sudovda.ps1` | Stage the **vendored** SudoVDA driver + fetch/verify the **pinned** nefcon release into the bundle. |
 | `install-sudovda.ps1` | Runs at install time (elevated): trust cert → gated device-node create → `pnputil` install. |
+| `sudovda/` | **Vendored** prebuilt SudoVDA driver: `SudoVDA.inf` / `sudovda.cat` / `SudoVDA.dll` / `sudovda.cer`. |
 | `nvenc/nvenc.def`, `nvenc/gen-nvenc-importlib.ps1` | Synthesise `nvencodeapi.lib` for the `--features nvenc` link (llvm-dlltool / lib.exe). |
 
-> **Pinning:** the SudoVDA / nefcon release URLs + SHA-256s in `fetch-sudovda.ps1` are the source of
-> truth for what ships. Confirm the latest asset URLs and fill the SHA-256s to lock a release.
+> **Vendored driver:** SudoVDA has no upstream release (its repo is a source-only VS solution; Apollo
+> embeds the driver in its own installer), so the prebuilt **signed** driver is checked in under
+> `sudovda/` (MIT/CC0; v1.10.9.289, signer `CN=sudovda@su.mk`, Class=Display, HWID
+> `Root\SudoMaker\SudoVDA`). To refresh it, copy the four files out of a box's driver store
+> (`C:\Windows\System32\DriverStore\FileRepository\sudovda.inf_amd64_*`) and re-derive `sudovda.cer`
+> from the `.cat` signer (`(Get-AuthenticodeSignature sudovda.cat).SignerCertificate | Export-Certificate`).
+> nefcon (the device-node tool) **is** fetched + SHA-256-verified from its pinned release in
+> `stage-sudovda.ps1`.
 
 ## Build locally (Windows, MSVC + Windows SDK + Inno Setup)
 

packaging/windows/fetch-sudovda.ps1

@@ -1,91 +0,0 @@
-<#
-.SYNOPSIS
-  Download + verify the SudoVDA virtual-display driver and the nefcon device tool, and stage the
-  files the installer bundles into -OutDir.
-
-.DESCRIPTION
-  The host uses SudoVDA (the SudoMaker Indirect Display Driver the Apollo Sunshine-fork ships) for
-  client-native-resolution virtual outputs (crates/punktfunk-host/src/vdisplay/sudovda.rs). The
-  driver isn't in this repo; CI fetches a PINNED release at pack time so the installer can carry it.
-  nefcon (nefarius/nefcon) provides `nefconc.exe`, used to create the root-enumerated device node
-  (pnputil cannot create a software/root device node from nothing).
-
-  Output (consumed by punktfunk-host.iss): -OutDir gets the driver payload (*.inf/*.cat/*.dll/*.sys
-  + the signing *.cer) and nefconc.exe, flattened. install-sudovda.ps1 is copied in by the packer.
-
-  PINNING: the URLs + SHA-256s below are the single source of truth for what ships. If a Sha256 is
-  left empty, the script downloads, prints the computed hash, and continues with a loud warning —
-  fill it in to lock the release. Override any field with the params for a one-off build.
-
-.EXAMPLE
-  pwsh -File fetch-sudovda.ps1 -OutDir C:\t\out\stage
-#>
-[CmdletBinding()]
-param(
-    [Parameter(Mandatory = $true)][string]$OutDir,
-
-    # --- PINNED SudoVDA release (https://github.com/SudoMaker/SudoVDA/releases) ---------------
-    # Baseline validated by the host backend: SudoVDA 0.2.1 (sudovda.rs header). Confirm the latest
-    # asset name/URL at impl time; fill Sha256 to lock it.
-    [string]$SudoVdaTag = 'v0.2.1',
-    [string]$SudoVdaUrl = 'https://github.com/SudoMaker/SudoVDA/releases/download/v0.2.1/SudoVDA-v0.2.1.zip',
-    [string]$SudoVdaSha256 = '',
-
-    # --- PINNED nefcon release (https://github.com/nefarius/nefcon/releases) ------------------
-    [string]$NefconUrl = 'https://github.com/nefarius/nefcon/releases/download/v1.0.2.0/nefconw.zip',
-    [string]$NefconSha256 = ''
-)
-$ErrorActionPreference = 'Stop'
-$ProgressPreference = 'SilentlyContinue'
-
-function Get-Verified([string]$Url, [string]$ExpectedSha256, [string]$Dest) {
-    Write-Host "==> downloading $Url"
-    Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing
-    $got = (Get-FileHash -Algorithm SHA256 -Path $Dest).Hash.ToLowerInvariant()
-    if ($ExpectedSha256) {
-        if ($got -ne $ExpectedSha256.ToLowerInvariant()) {
-            throw "SHA-256 mismatch for $Url`n  expected $ExpectedSha256`n  got      $got"
-        }
-        Write-Host "    sha256 ok ($got)"
-    }
-    else {
-        Write-Warning "no pinned SHA-256 for $Url — computed $got (PIN THIS in fetch-sudovda.ps1)"
-    }
-}
-
-# fresh staging dir
-if (Test-Path $OutDir) { Remove-Item -Recurse -Force $OutDir }
-New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
-$work = Join-Path $OutDir '_work'
-New-Item -ItemType Directory -Force -Path $work | Out-Null
-
-# --- SudoVDA driver payload -------------------------------------------------------------------
-$sudoZip = Join-Path $work 'sudovda.zip'
-Get-Verified -Url $SudoVdaUrl -ExpectedSha256 $SudoVdaSha256 -Dest $sudoZip
-$sudoEx = Join-Path $work 'sudovda'
-Expand-Archive -Path $sudoZip -DestinationPath $sudoEx -Force
-
-# Flatten the driver files we need into -OutDir. SudoVDA is a user-mode IDD (a .dll registered by an
-# .inf); pull the .inf/.cat/.dll plus a .sys if present and the signing .cer.
-$driverFiles = Get-ChildItem -Path $sudoEx -Recurse -Include *.inf, *.cat, *.dll, *.sys, *.cer
-if (-not ($driverFiles | Where-Object Extension -eq '.inf')) {
-    throw "no .inf found in the SudoVDA archive ($SudoVdaUrl) — wrong asset?"
-}
-$driverFiles | ForEach-Object { Copy-Item $_.FullName (Join-Path $OutDir $_.Name) -Force }
-
-# --- nefcon (nefconc.exe) ---------------------------------------------------------------------
-$nefZip = Join-Path $work 'nefcon.zip'
-Get-Verified -Url $NefconUrl -ExpectedSha256 $NefconSha256 -Dest $nefZip
-$nefEx = Join-Path $work 'nefcon'
-Expand-Archive -Path $nefZip -DestinationPath $nefEx -Force
-# Prefer the x64 console build.
-$nefc = Get-ChildItem -Path $nefEx -Recurse -Filter 'nefconc.exe' |
-    Where-Object { $_.FullName -match '(?i)(x64|amd64)' } |
-    Select-Object -First 1
-if (-not $nefc) { $nefc = Get-ChildItem -Path $nefEx -Recurse -Filter 'nefconc.exe' | Select-Object -First 1 }
-if (-not $nefc) { throw "nefconc.exe not found in $NefconUrl" }
-Copy-Item $nefc.FullName (Join-Path $OutDir 'nefconc.exe') -Force
-
-Remove-Item -Recurse -Force $work
-Write-Host "==> staged SudoVDA + nefcon in $OutDir :"
-Get-ChildItem $OutDir -File | ForEach-Object { "    $($_.Name)" }

packaging/windows/pack-host-installer.ps1

@@ -113,7 +113,7 @@ Sign-File $exe
 $defines = @("/DMyAppVersion=$Version", "/DBinDir=$TargetDir", "/DOutputDir=$OutDir")
 if (-not $NoDriver) {
     $stage = Join-Path $OutDir 'stage'
-    & (Join-Path $here 'fetch-sudovda.ps1') -OutDir $stage
+    & (Join-Path $here 'stage-sudovda.ps1') -OutDir $stage
     Copy-Item (Join-Path $here 'install-sudovda.ps1') (Join-Path $stage 'install-sudovda.ps1') -Force
     $defines += "/DStageDir=$stage"
 }

packaging/windows/stage-sudovda.ps1

@@ -0,0 +1,65 @@
+<#
+.SYNOPSIS
+  Stage the driver bundle the installer ships into -OutDir: the VENDORED SudoVDA driver + the
+  fetched nefcon device tool.
+
+.DESCRIPTION
+  SudoVDA has no upstream release (its repo is a source-only VS solution; Apollo embeds the driver in
+  its single installer), so the prebuilt, signed driver is VENDORED in this repo under
+  packaging/windows/sudovda/ (MIT/CC0; SudoVDA v1.10.9.289, signer CN=sudovda@su.mk, Class=Display,
+  HWID Root\SudoMaker\SudoVDA). nefcon DOES publish a pinned release, so we fetch + SHA-256-verify it
+  (it provides nefconc.exe, used to create the root-enumerated device node — pnputil can't).
+
+  Output (consumed by punktfunk-host.iss): -OutDir gets SudoVDA.inf/.cat/.dll + sudovda.cer and
+  nefconc.exe (x64). pack-host-installer.ps1 also drops install-sudovda.ps1 in.
+
+.EXAMPLE
+  pwsh -File stage-sudovda.ps1 -OutDir C:\t\out\stage
+#>
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)][string]$OutDir,
+    [string]$VendorDir = (Join-Path $PSScriptRoot 'sudovda'),
+    # PINNED nefcon release (https://github.com/nefarius/nefcon/releases). MIT-licensed.
+    [string]$NefconUrl = 'https://github.com/nefarius/nefcon/releases/download/v1.17.40/nefcon_v1.17.40.zip',
+    [string]$NefconSha256 = '812bae7ed7dfb7d6d2284bc7de2f8ccebc92ed2a0b1ae893c53b337096e50c1a'
+)
+$ErrorActionPreference = 'Stop'
+$ProgressPreference = 'SilentlyContinue'
+$PSNativeCommandUseErrorActionPreference = $false
+
+if (Test-Path $OutDir) { Remove-Item -Recurse -Force $OutDir }
+New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
+
+# --- vendored SudoVDA driver ------------------------------------------------------------------
+$inf = Get-ChildItem -Path $VendorDir -Filter *.inf -ErrorAction SilentlyContinue | Select-Object -First 1
+if (-not $inf) { throw "no vendored SudoVDA .inf under $VendorDir — see packaging/windows/README.md" }
+Copy-Item (Join-Path $VendorDir '*') $OutDir -Force
+Write-Host "==> vendored SudoVDA staged from $VendorDir"
+
+# --- nefcon (fetched + verified) --------------------------------------------------------------
+$work = Join-Path ([IO.Path]::GetTempPath()) ('nefcon-' + [IO.Path]::GetRandomFileName())
+New-Item -ItemType Directory -Force -Path $work | Out-Null
+try {
+    $zip = Join-Path $work 'nefcon.zip'
+    Write-Host "==> downloading $NefconUrl"
+    Invoke-WebRequest -Uri $NefconUrl -OutFile $zip -UseBasicParsing
+    $got = (Get-FileHash $zip -Algorithm SHA256).Hash.ToLowerInvariant()
+    if ($NefconSha256) {
+        if ($got -ne $NefconSha256.ToLowerInvariant()) {
+            throw "nefcon SHA-256 mismatch`n  expected $NefconSha256`n  got      $got"
+        }
+        Write-Host "    sha256 ok ($got)"
+    }
+    else { Write-Warning "no pinned nefcon SHA-256 — computed $got (PIN THIS in stage-sudovda.ps1)" }
+    Expand-Archive -Path $zip -DestinationPath $work -Force
+    $nefc = Get-ChildItem -Path $work -Recurse -Filter 'nefconc.exe' |
+        Where-Object { $_.FullName -match '(?i)\\x64\\' } | Select-Object -First 1
+    if (-not $nefc) { $nefc = Get-ChildItem -Path $work -Recurse -Filter 'nefconc.exe' | Select-Object -First 1 }
+    if (-not $nefc) { throw "nefconc.exe not found in $NefconUrl" }
+    Copy-Item $nefc.FullName (Join-Path $OutDir 'nefconc.exe') -Force
+}
+finally { Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue }
+
+Write-Host "==> staged driver bundle in $OutDir :"
+Get-ChildItem $OutDir -File | ForEach-Object { "    $($_.Name)" }