refactor: drop milestone names + consolidate clients; loss-recovery & rumble fixes

Two bodies of work in one commit (the rename moved files the fixes also touched).

Naming/structure cleanup (pre-launch):
- Host modules m3.rs->punktfunk1.rs, m0.rs->spike.rs; CLI m3-host->punktfunk1-host,
  m0->spike; bare `punktfunk-host` now prints help. Types M3Options/M3Source->
  Punktfunk1Options/Punktfunk1Source.
- Clients consolidated out of crates/ into clients/: punktfunk-client-rs->
  clients/probe (crate punktfunk-probe), client-linux->clients/linux,
  client-windows->clients/windows, punktfunk-android->clients/android/native
  (crate punktfunk-client-android; kept [lib] name=punktfunk_android so the JNI
  contract is unchanged). crates/ now holds only core + host.
- Milestone codes M0-M4 purged from code/CLI/CLAUDE.md/README/docs/docs-site,
  kept only in docs/implementation-plan.md. docs/m2-plan.md->
  docs/gamestream-host-plan.md. CI/gradle/flatpak paths updated.

Client loss-recovery (video froze and never recovered after a brief drop):
- Export punktfunk_connection_frames_dropped through the C ABI (the core already
  tracked it for the client keyframe-recovery loop; it was never reachable from
  the ABI clients). Regenerated punktfunk_core.h.
- Apple (StreamPump + Stage2Pipeline) and Android (decode.rs) now poll
  frames_dropped and request a keyframe when it climbs -- the same loss-driven
  recovery Linux/Windows already had. Under infinite GOP the decoder silently
  conceals reference-missing frames, so the decode-error trigger rarely fires.

Apple rumble robustness (worked then went spotty -- DualSense + Xbox):
- Add CHHapticEngine stopped/reset handlers (rebuild on app background / audio
  interruption / server reset) and drop the permanent `broken` latch on a
  transient drive failure; latch only when the controller truly has no haptics.
- Surface swallowed SDL set_rumble errors on Linux/Windows + diagnostic logging.

Verified: cargo build/clippy/fmt --workspace, C-ABI harness, header drift.
Not runnable on this box (verify in CI): Gitea workflows, gradle/Android,
flatpak, Swift/decky.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

clients/windows/packaging/AppxManifest.xml

@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  MSIX package manifest for the punktfunk Windows client (WinUI 3 via windows-reactor).
+
+  This is a TEMPLATE: packaging/pack-msix.ps1 substitutes {VERSION} (4-part numeric, e.g.
+  0.2.137.0) and {PUBLISHER} (must EXACTLY equal the signing cert's subject DN — default
+  `CN=unom` for the self-signed CI cert; a real code-signing cert just passes its own subject).
+
+  Why this packages cleanly even though the app was built "unpackaged": windows-reactor calls
+  MddBootstrapInitialize2 with OnPackageIdentity_NOOP (crates/libs/reactor/src/app.rs), so under
+  MSIX package identity the App SDK bootstrapper is a no-op and the runtime is resolved from the
+  <PackageDependency> below instead. The framework family + min version mirror what the runner has
+  installed and what reactor pins (WINDOWSAPPSDK_RELEASE_MAJORMINOR = 0x20000 = 2.0 ->
+  Microsoft.WindowsAppRuntime.2).
+
+  Full-trust Win32 app (EntryPoint Windows.FullTrustApplication + runFullTrust) — it owns raw D3D11,
+  Win32 low-level input hooks, WASAPI and SDL3, none of which fit the UWP app container.
+-->
+<Package
+  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
+  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
+  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
+  IgnorableNamespaces="uap rescap">
+
+  <Identity
+    Name="unom.Punktfunk"
+    Publisher="{PUBLISHER}"
+    Version="{VERSION}"
+    ProcessorArchitecture="x64" />
+
+  <Properties>
+    <DisplayName>Punktfunk</DisplayName>
+    <PublisherDisplayName>unom</PublisherDisplayName>
+    <Logo>Assets\StoreLogo.png</Logo>
+  </Properties>
+
+  <Dependencies>
+    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.17763.0" MaxVersionTested="10.0.26100.0" />
+    <PackageDependency
+      Name="Microsoft.WindowsAppRuntime.2"
+      MinVersion="2.2.0.0"
+      Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
+  </Dependencies>
+
+  <Resources>
+    <Resource Language="en-us" />
+  </Resources>
+
+  <Applications>
+    <Application Id="Punktfunk" Executable="punktfunk-client.exe" EntryPoint="Windows.FullTrustApplication">
+      <uap:VisualElements
+        DisplayName="Punktfunk"
+        Description="Low-latency desktop and game streaming client"
+        BackgroundColor="transparent"
+        Square150x150Logo="Assets\Square150x150Logo.png"
+        Square44x44Logo="Assets\Square44x44Logo.png">
+        <uap:DefaultTile Square71x71Logo="Assets\Square71x71Logo.png" />
+      </uap:VisualElements>
+    </Application>
+  </Applications>
+
+  <Capabilities>
+    <rescap:Capability Name="runFullTrust" />
+  </Capabilities>
+</Package>

clients/windows/packaging/README.md

@@ -0,0 +1,80 @@
+# punktfunk Windows client — MSIX packaging
+
+The Windows client ships as a **signed MSIX** so Windows boxes get a real package (Start tile,
+clean install/uninstall) instead of a loose exe. CI builds + publishes it from
+[`.gitea/workflows/windows-msix.yml`](../../../.gitea/workflows/windows-msix.yml) to Gitea's
+**generic** package registry (`https://git.unom.io/unom/-/packages`), on every `main` push that
+touches the client and on `win-v*` release tags.
+
+## What's in the package
+
+`pack-msix.ps1` assembles a layout from a `cargo build --release` and runs `makeappx` + `signtool`:
+
+| File | Source |
+|---|---|
+| `punktfunk-client.exe` | the release build |
+| `Microsoft.WindowsAppRuntime.Bootstrap.dll`, `resources.pri` | auto-staged by windows-reactor's `build.rs` |
+| `SDL3.dll` | auto-staged by the `sdl3` crate |
+| `avcodec/avformat/avutil/swscale/swresample/...-*.dll` | `FFMPEG_DIR\bin` |
+| `Assets\*.png` | checked-in tile/store logos (rasterized from `packaging/flatpak/io.unom.Punktfunk.svg`) |
+| `AppxManifest.xml` | the template here, with `{VERSION}`/`{PUBLISHER}` substituted |
+
+### Why an "unpackaged" WinUI app packages cleanly
+
+windows-reactor calls `MddBootstrapInitialize2` with `OnPackageIdentity_NOOP`
+(`crates/libs/reactor/src/app.rs`), so under MSIX **package identity** the App SDK bootstrapper is
+a no-op and the runtime is resolved from the manifest's `<PackageDependency>` on
+`Microsoft.WindowsAppRuntime.2` instead (reactor pins `WINDOWSAPPSDK_RELEASE_MAJORMINOR = 0x20000`
+= 2.0). It's a full-trust Win32 app (`EntryPoint="Windows.FullTrustApplication"` + `runFullTrust`)
+because it owns raw D3D11, Win32 low-level input hooks, WASAPI and SDL3.
+
+## Versioning
+
+MSIX requires a strictly 4-part numeric version. The workflow computes:
+- `win-vX.Y.Z` tag → `X.Y.Z.0` (a real client release; `win-v*` is its own tag namespace, kept off
+  the host's `host-v*` and Apple's `v*` to avoid the version-shadow bug).
+- `main` push / `workflow_dispatch` → `0.2.<run_number>.0` (rolling, climbs by run number).
+
+## Signing & install
+
+CI signs every build with a **stable self-signed code-signing cert** (`CN=unom`, SHA-1
+`CD1EFDEEEC9743AFC38F56C5AF30C5A3009BE941`, valid to 2036). Its public half is checked in as
+[`punktfunk-codesign.cer`](punktfunk-codesign.cer); the private `.pfx` + password live in the
+`MSIX_CERT_PFX_B64` / `MSIX_CERT_PASSWORD` Actions secrets. Because it's the *same* cert every build,
+trusting it is **one-time, per machine** — once imported, every future build and in-place upgrade is
+trusted with no further prompt:
+
+```powershell
+# once per machine (elevated): trust the publisher
+Import-Certificate -FilePath .\punktfunk-codesign.cer -CertStoreLocation Cert:\LocalMachine\TrustedPeople
+# then install (and re-run for each upgrade — no re-trust needed)
+Add-AppxPackage -Path .\punktfunk-client-windows_<ver>_x64.msix
+```
+
+The matching `.cer` is also published next to each `.msix` in the registry, so it's always at hand.
+
+The MSIX declares a dependency on the Windows App SDK 2.x runtime; install
+[the App SDK runtime](https://aka.ms/windowsappsdk) if `Add-AppxPackage` reports a missing
+`Microsoft.WindowsAppRuntime.2` framework.
+
+`pack-msix.ps1` signing precedence: it uses the **`MSIX_CERT_PFX_B64` / `MSIX_CERT_PASSWORD`** secrets
+when present (the stable cert above), else generates an *ephemeral* self-signed cert (forks / local
+builds without the secrets). Either way it exports the signing cert's public `.cer` for the import.
+**To move to a publicly-trusted (no-import) cert** — Azure Artifact Signing or a public OV cert —
+replace the two secrets with the new `.pfx`; the cert's subject DN must equal the manifest
+`Publisher`, so pass a matching `-Publisher` (it's stamped into the package `Identity`, and changing
+it changes the package identity → a one-time reinstall).
+
+## Building locally
+
+On the Windows runner / dev VM (MSVC + Windows SDK present), after a release build:
+
+```powershell
+cargo build --release -p punktfunk-client-windows
+pwsh -File clients/windows/packaging/pack-msix.ps1 `
+  -Version 0.2.0.0 -TargetDir C:\t\release -OutDir C:\t\msix
+```
+
+Validated end-to-end on the build VM (pack → sign → `Add-AppxPackage` → framework-dependency
+resolution). The only step that needs a real display is *launching* the WinUI window (same
+on-glass constraint as the rest of the client).

clients/windows/packaging/pack-msix.ps1

@@ -0,0 +1,144 @@
+<#
+.SYNOPSIS
+  Assemble, pack and sign the punktfunk Windows client as a signed MSIX.
+
+.DESCRIPTION
+  Builds a packaging layout from a release `cargo build` output (exe + the reactor/SDL3 auto-staged
+  DLLs + resources.pri + FFmpeg DLLs + the checked-in Assets + the manifest), runs makeappx, and
+  signs with signtool. Idempotent; safe to re-run.
+
+  Signing cert precedence:
+    1. -PfxBase64 / -PfxPassword  (a real or shared code-signing cert, e.g. from CI secrets) — the
+       cert's subject DN MUST match -Publisher (which is stamped into the manifest Identity).
+    2. otherwise an EPHEMERAL self-signed code-signing cert with subject = -Publisher is generated
+       in-process. The package installs only where that cert is trusted, so the matching public
+       .cer is exported next to the .msix for the user to import (Trusted People) before install.
+       Swap in a real cert later with zero manifest changes — just pass -PfxBase64/-Publisher.
+
+  Run on the Windows runner (or the dev VM) with the MSVC/Windows SDK present.
+
+.EXAMPLE
+  pwsh -File pack-msix.ps1 -Version 0.2.137.0 -TargetDir C:\t\release -FfmpegBin C:\Users\Public\ffmpeg\bin -OutDir C:\t\msix
+#>
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)][string]$Version,                     # 4-part numeric, e.g. 0.2.137.0
+    [Parameter(Mandatory = $true)][string]$TargetDir,                   # cargo --release output dir (has the exe)
+    [string]$FfmpegBin = $(if ($env:FFMPEG_DIR) { Join-Path $env:FFMPEG_DIR 'bin' } else { 'C:\Users\Public\ffmpeg\bin' }),
+    [string]$OutDir = (Join-Path $TargetDir 'msix'),
+    [string]$Publisher = 'CN=unom',                                     # MUST equal the signing cert subject DN
+    [string]$PfxBase64 = $env:MSIX_CERT_PFX_B64,                        # optional: base64 of a code-signing .pfx
+    [string]$PfxPassword = $env:MSIX_CERT_PASSWORD
+)
+$ErrorActionPreference = 'Stop'
+$ProgressPreference = 'SilentlyContinue'
+
+if ($Version -notmatch '^\d+\.\d+\.\d+\.\d+$') {
+    throw "Version must be 4-part numeric (Major.Minor.Build.Revision); got '$Version'."
+}
+
+$here = Split-Path -Parent $MyInvocation.MyCommand.Path
+$assets = Join-Path $here 'assets'
+$manifestTemplate = Join-Path $here 'AppxManifest.xml'
+
+# --- locate the Windows SDK tools (newest makeappx/signtool under the x64 kit bin) ---
+function Find-SdkTool([string]$name) {
+    $root = 'C:\Program Files (x86)\Windows Kits\10\bin'
+    # match only versioned x64 kit bins (…\10\bin\10.0.NNNNN.N\x64\tool.exe) and pick the newest
+    $hit = Get-ChildItem -Path $root -Recurse -Filter $name -ErrorAction SilentlyContinue |
+        Where-Object { $_.FullName -match '\\(10\.0\.\d+\.\d+)\\x64\\' } |
+        Sort-Object { [version]([regex]::Match($_.FullName, '\\(10\.0\.\d+\.\d+)\\x64\\').Groups[1].Value) } |
+        Select-Object -Last 1
+    if (-not $hit) { throw "$name not found under $root — install the Windows 10/11 SDK." }
+    $hit.FullName
+}
+$makeappx = Find-SdkTool 'makeappx.exe'
+$signtool = Find-SdkTool 'signtool.exe'
+Write-Host "makeappx: $makeappx"
+Write-Host "signtool: $signtool"
+
+# --- assemble the package layout ---
+$layout = Join-Path $OutDir 'layout'
+if (Test-Path $layout) { Remove-Item -Recurse -Force $layout }
+New-Item -ItemType Directory -Force -Path (Join-Path $layout 'Assets') | Out-Null
+
+# binary + auto-staged runtime bits (reactor stages the App SDK bootstrap DLL + resources.pri,
+# the sdl3 crate stages SDL3.dll — see crate build output).
+$required = @('punktfunk-client.exe', 'Microsoft.WindowsAppRuntime.Bootstrap.dll', 'SDL3.dll', 'resources.pri')
+foreach ($f in $required) {
+    $src = Join-Path $TargetDir $f
+    if (-not (Test-Path $src)) { throw "missing build artifact '$f' in $TargetDir (did 'cargo build --release' run?)" }
+    Copy-Item $src (Join-Path $layout $f) -Force
+}
+
+# FFmpeg runtime DLLs (the exe link-imports the decode set; copy them all — small and correct)
+$ff = Get-ChildItem -Path $FfmpegBin -Filter *.dll -ErrorAction SilentlyContinue
+if (-not $ff) { throw "no FFmpeg DLLs in $FfmpegBin" }
+$ff | ForEach-Object { Copy-Item $_.FullName (Join-Path $layout $_.Name) -Force }
+
+# tile/store assets
+Copy-Item (Join-Path $assets '*') (Join-Path $layout 'Assets') -Force
+
+# manifest with version + publisher substituted
+$manifest = (Get-Content -Raw $manifestTemplate).Replace('{VERSION}', $Version).Replace('{PUBLISHER}', $Publisher)
+Set-Content -Path (Join-Path $layout 'AppxManifest.xml') -Value $manifest -Encoding UTF8
+
+Write-Host "layout assembled at $layout :"
+Get-ChildItem $layout -Recurse -File | ForEach-Object { "  $($_.FullName.Substring($layout.Length + 1))" }
+
+# --- pack ---
+New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
+$msix = Join-Path $OutDir "punktfunk-client-windows_${Version}_x64.msix"
+& $makeappx pack /o /d $layout /p $msix
+if ($LASTEXITCODE -ne 0) { throw "makeappx pack failed ($LASTEXITCODE)" }
+
+# --- signing cert (supplied stable pfx OR ephemeral self-signed) ---
+$pfxPath = Join-Path $OutDir 'signing.pfx'
+$cerPath = Join-Path $OutDir "punktfunk-client-windows_${Version}_x64.cer"
+if ($PfxBase64) {
+    Write-Host "signing with supplied code-signing cert (MSIX_CERT_PFX_B64)"
+    [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($PfxBase64))
+} else {
+    Write-Host "no MSIX_CERT_PFX_B64 -> generating an ephemeral self-signed cert (subject $Publisher)"
+    if (-not $PfxPassword) { $PfxPassword = 'punktfunk' }
+    $tmp = New-SelfSignedCertificate -Type Custom -Subject $Publisher `
+        -KeyUsage DigitalSignature -FriendlyName 'punktfunk MSIX (self-signed)' `
+        -CertStoreLocation 'Cert:\CurrentUser\My' `
+        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')
+    $sec = ConvertTo-SecureString -String $PfxPassword -Force -AsPlainText
+    Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($tmp.Thumbprint)" -FilePath $pfxPath -Password $sec | Out-Null
+    Remove-Item "Cert:\CurrentUser\My\$($tmp.Thumbprint)" -Force
+}
+
+# Always export the public .cer from the pfx. For a self-signed / private-trust cert it's the file
+# users import once (Trusted People) — a STABLE cert (same pfx every build via the secret) means that
+# import is a one-time, per-machine step that keeps working across upgrades. For a public-CA cert
+# it's just an unused extra (harmless). The manifest Publisher must equal the cert's subject DN.
+$pwsec = if ($PfxPassword) { ConvertTo-SecureString -String $PfxPassword -Force -AsPlainText } else { $null }
+$pubCert = if ($pwsec) { Get-PfxCertificate -FilePath $pfxPath -Password $pwsec } else { Get-PfxCertificate -FilePath $pfxPath }
+Export-Certificate -Cert $pubCert -FilePath $cerPath | Out-Null
+Write-Host "signing cert subject=$($pubCert.Subject) thumbprint=$($pubCert.Thumbprint)"
+if ($pubCert.Subject -ne $Publisher) {
+    Write-Warning "cert subject '$($pubCert.Subject)' != manifest Publisher '$Publisher' — Add-AppxPackage will reject the mismatch. Pass -Publisher '$($pubCert.Subject)'."
+}
+
+# --- sign (timestamp best-effort) ---
+$signArgs = @('sign', '/fd', 'SHA256', '/f', $pfxPath)
+if ($PfxPassword) { $signArgs += @('/p', $PfxPassword) }
+& $signtool ($signArgs + @('/tr', 'http://timestamp.digicert.com', '/td', 'SHA256', $msix))
+if ($LASTEXITCODE -ne 0) {
+    Write-Warning "timestamped sign failed — retrying without a timestamp"
+    & $signtool ($signArgs + @($msix))
+    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }
+}
+Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
+
+Write-Host ""
+Write-Host "==> MSIX: $msix"
+Write-Host "==> trust the cert once per machine (then it stays trusted across all future builds):"
+Write-Host "    Import-Certificate -FilePath '$cerPath' -CertStoreLocation Cert:\LocalMachine\TrustedPeople"
+# emit paths for the workflow to publish (only under CI, where GITHUB_ENV is set)
+if ($env:GITHUB_ENV) {
+    "MSIX_PATH=$msix" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
+    "MSIX_CER_PATH=$cerPath" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
+}