From 837b6fabb172cb6ec2735c962e0641be19fbc377 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Mon, 15 Jun 2026 10:34:32 +0000
Subject: [PATCH] feat(dist): aarch64 honesty, Debian KWin-unit parity, cargo-audit CVE scan (P1/P2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- spec: narrow ExclusiveArch to x86_64 — no aarch64 build is produced/published (NVENC is desktop-NVIDIA), so claiming aarch64 advertised an arch we never ship.
- build-deb.sh: ship punktfunk-kde-session.service (ExecStart repointed to the packaged run-headless-kde.sh) + host.env.kde, matching the RPM/Arch — the deb README's "mirrors the Fedora RPM" claim now holds.
- audit.yml: weekly + Cargo.lock-change `cargo audit` over the network-facing crypto dep tree (RustSec advisories); ignore unfixables via .cargo/audit.toml.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/audit.yml | 33 +++++++++++++++++++++++++++++++++
 packaging/debian/build-deb.sh | 6 ++++++
 packaging/rpm/punktfunk.spec | 6 ++++--
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 .gitea/workflows/audit.yml

diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml
new file mode 100644
index 0000000..b855906
--- /dev/null
+++ b/.gitea/workflows/audit.yml
@@ -0,0 +1,33 @@
+# Supply-chain advisory scan for the (network-facing, crypto-heavy) Rust dependency tree.
+# Runs `cargo audit` against the RustSec advisory DB: weekly (catch newly-disclosed CVEs in
+# pinned deps), on every Cargo.lock change (catch a bad dep the moment it lands), and on demand.
+# To silence a known-unfixable advisory, add it to `.cargo/audit.toml` ([advisories] ignore = [...]).
+name: audit
+
+on:
+  schedule:
+    - cron: '0 6 * * 1' # Mondays 06:00 UTC
+  push:
+    branches: [main]
+    paths: ['Cargo.lock', '.gitea/workflows/audit.yml']
+  workflow_dispatch:
+
+jobs:
+  cargo-audit:
+    runs-on: ubuntu-24.04
+    container:
+      image: git.unom.io/unom/punktfunk-rust-ci:latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+      # Cache /usr/local/cargo so the cargo-audit binary (and the advisory DB clone) persist.
+      - uses: actions/cache@v4
+        with:
+          path: /usr/local/cargo
+          key: cargo-audit-${{ hashFiles('Cargo.lock') }}
+          restore-keys: cargo-audit-
+      - name: cargo audit
+        run: |
+          git config --global --add safe.directory "$PWD"
+          command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit
+          cargo audit
diff --git a/packaging/debian/build-deb.sh b/packaging/debian/build-deb.sh
index f0cec39..4ab6b7f 100755
--- a/packaging/debian/build-deb.sh
+++ b/packaging/debian/build-deb.sh
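Review bot: The workflow that vouches for the dependency tree is itself fetched unpinned: `actions/checkout@v4` and `actions/cache@v4` resolve a mutable tag at run time, and `cargo install --locked cargo-audit` takes whatever cargo-audit version crates.io currently serves — or, because `restore-keys: cargo-audit-` accepts any older cache entry and `command -v cargo-audit` short-circuits the install, whatever binary an earlier run left behind. Pin all three, e.g. `- uses: actions/checkout@<full commit sha>  # v4`, `- uses: actions/cache@<full commit sha>  # v4` and `command -v cargo-audit >/dev/null 2>&1 || cargo install --locked --version '<x.y.z>' cargo-audit`, and fold that version into the cache `key` so a bump actually rebuilds the binary instead of being masked by the restored one. Caching all of `/usr/local/cargo` also restores an older run's copy of what is presumably the image's CARGO_HOME (toolchain binaries included) over a possibly newer CI image; a narrower `path` of just `/usr/local/cargo/bin/cargo-audit` plus the advisory-db clone avoids that — confirm where the image keeps CARGO_HOME. Separately, `cargo audit` fails the job only on vulnerability advisories, so yanked or unmaintained crates in a crypto dep tree pass silently unless the last line is `cargo audit --deny yanked` (or `--deny warnings`).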
@@ -45,12 +45,18 @@ install -Dm0644 scripts/punktfunk-host.service "$STAGE/usr/lib/systemd/user/
 # /usr/bin. Rewrite it so a fresh apt install (no hand-rolled unit) starts the installed binary.
 sed -i 's#%h/punktfunk/target/release/punktfunk-host#/usr/bin/punktfunk-host#' \
   "$STAGE/usr/lib/systemd/user/punktfunk-host.service"
+# Optional headless KWin session unit (the kwin --virtual appliance), as the RPM/Arch ship.
+# Repoint its ExecStart from the dev source tree to the packaged script. NOT enabled by default.
+install -Dm0644 scripts/punktfunk-kde-session.service "$STAGE/usr/lib/systemd/user/punktfunk-kde-session.service"
+sed -i 's#%h/punktfunk/scripts/headless/run-headless-kde.sh#/usr/share/punktfunk-host/headless/run-headless-kde.sh#' \
+  "$STAGE/usr/lib/systemd/user/punktfunk-kde-session.service"
 install -Dm0755 scripts/headless/run-headless-kde.sh "$SHAREDIR/headless/run-headless-kde.sh"
 install -Dm0755 scripts/headless/run-headless-sway.sh "$SHAREDIR/headless/run-headless-sway.sh"
 install -Dm0644 scripts/headless/kde-authorized "$SHAREDIR/headless/kde-authorized"
 install -Dm0644 scripts/headless/punktfunk-sink.conf "$SHAREDIR/headless/punktfunk-sink.conf"
 install -Dm0644 scripts/host.env.example "$SHAREDIR/host.env.example"
 install -Dm0644 packaging/bazzite/host.env "$SHAREDIR/host.env.bazzite"
+install -Dm0644 packaging/kde/host.env "$SHAREDIR/host.env.kde"
 install -Dm0644 docs/api/openapi.json "$SHAREDIR/openapi.json"
 install -Dm0644 LICENSE-MIT "$DOCDIR/LICENSE-MIT"
 install -Dm0644 LICENSE-APACHE "$DOCDIR/LICENSE-APACHE"
diff --git a/packaging/rpm/punktfunk.spec b/packaging/rpm/punktfunk.spec
index fa2b9a7..93d4880 100644
--- a/packaging/rpm/punktfunk.spec
+++ b/packaging/rpm/punktfunk.spec
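Review bot: The ExecStart rewrite on the new punktfunk-kde-session.service is unchecked: if the unit's source path ever stops matching the literal `%h/punktfunk/scripts/headless/run-headless-kde.sh`, `sed -i` exits 0 having changed nothing and the packaged user unit keeps executing a script under the user's home directory instead of the one installed into $SHAREDIR. Add an assertion right after the sed, e.g. `grep -q '^ExecStart=/usr/share/punktfunk-host/headless/run-headless-kde.sh' "$STAGE/usr/lib/systemd/user/punktfunk-kde-session.service" || { echo 'ExecStart not repointed in punktfunk-kde-session.service' >&2; exit 1; }` (the same guard would also harden the pre-existing punktfunk-host.service sed above it). The replacement is a hard-coded `/usr/share/punktfunk-host/...` while the script itself lands via `$SHAREDIR`; deriving the target from `${SHAREDIR#"$STAGE"}` keeps the two from drifting — this assumes SHAREDIR is `$STAGE/usr/share/punktfunk-host`, which is defined outside this hunk.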
@@ -31,8 +31,10 @@ URL: https://git.unom.io/unom/punktfunk
 
 # COPR SCM builds provide the checkout; for a tarball build, drop a git archive here:
 Source0: %{name}-%{version}.tar.gz
-# punktfunk-host is Linux-only and links system FFmpeg/PipeWire/Opus.
-ExclusiveArch: x86_64 aarch64
+# punktfunk-host is Linux-only and links system FFmpeg/PipeWire/Opus. x86_64 only for now: encode
+# is NVENC (desktop NVIDIA) and no aarch64 build is produced/published by CI — claiming aarch64
+# here would advertise an arch we never ship. Re-add aarch64 once there's an arm64 build leg.
+ExclusiveArch: x86_64
 # The zerocopy FFI links the NVIDIA driver's libcuda.so.1; rpm's auto-dep generator would turn
 # that into a hard Requires on libcuda.so.1 (and we never want to pin the driver — NVENC/EGL come