feat(web): consolidate paired devices, self-contained sections, docs + lint

Web console
- Pairing/Library/Stats refactored into self-contained subsections that each own
  their own queries + mutations; a shared slot-based layout (view.tsx) is filled by
  the live page (containers) and Storybook (pure cards + fixtures) so the layout can't
  drift.
- All paired devices in one list on Pairing with a protocol column (punktfunk/1 +
  Moonlight), routing each unpair to the right endpoint; the redundant Clients page is
  removed.
- Library: overview grid split from the add/edit form into separate files.
- Login screen links out to the docs.

Docs
- "Console login password" section on every host page (apt/RPM/Bazzite/SteamOS/Windows)
  plus a new "Forgot your Password?" troubleshooting page, linked from the login screen.
- Console served as HTTP/1.1 over TLS (drop the unusable HTTP/3 advertising) across the
  Bun entry, launchers, systemd units, and packaging.

Tooling
- Biome now respects .gitignore (stops linting generated code), config migrated to
  2.5.1; all lint issues fixed cleanly.

Also includes this branch's in-progress host, Apple client, packaging, and CI changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

scripts/punktfunk-web.service

@@ -1,9 +1,10 @@
-# punktfunk management web console — systemd USER unit (Nitro/Node SSR, port 3000).
+# punktfunk management web console — systemd USER unit (Nitro SSR on bun, port 3000, HTTPS).
 #
 # Installed by the punktfunk-web .deb to /usr/lib/systemd/user/. AUTO-WIRED — no env editing:
-# it sources the host's mgmt token + the generated login password, and points at the host's
-# loopback HTTPS mgmt API (self-signed cert → NODE_TLS_REJECT_UNAUTHORIZED for the proxy's only
-# outbound hop, which is loopback). Enable per user:
+# it sources the host's mgmt token + the generated login password, serves HTTPS (HTTP/1.1 over TLS)
+# with the host's own identity cert (~/.config/punktfunk/{cert,key}.pem), and points the /api proxy
+# at the host's loopback HTTPS mgmt API (self-signed cert → NODE_TLS_REJECT_UNAUTHORIZED for the
+# proxy's only outbound hop, which is loopback). Enable per user:
 #   systemctl --user enable --now punktfunk-web
 [Unit]
 Description=punktfunk management web console
@@ -22,6 +23,12 @@ Environment=PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
 Environment=NODE_TLS_REJECT_UNAUTHORIZED=0
 Environment=PORT=3000
 Environment=HOST=0.0.0.0
+# Serve HTTPS (HTTP/1.1 over TLS) with the host's own identity cert; mark the
+# session cookie Secure. The host's `serve` writes these PEMs; if absent at start the unit fails and
+# Restart retries (same as the mgmt-token wait above) rather than silently serving plain HTTP.
+Environment=PUNKTFUNK_UI_TLS_CERT=%h/.config/punktfunk/cert.pem
+Environment=PUNKTFUNK_UI_TLS_KEY=%h/.config/punktfunk/key.pem
+Environment=PUNKTFUNK_UI_SECURE=1
 ExecStart=/usr/bin/punktfunk-web-server
 Restart=on-failure
 RestartSec=2

scripts/steamdeck/README.md

@@ -22,10 +22,10 @@ is only the build environment; `punktfunk-host` is launched directly, not via `d
 rebuild always matches the running OS. Encode is **VAAPI** on the Deck's AMD GPU (NVENC on NVIDIA),
 auto-selected by `PUNKTFUNK_ENCODER=auto`.
 
-The web console is the one part that stays in the container at runtime: it's a Nitro **node-server**
-build (`bun` builds it; **`node` runs it** — bun mis-resolves Nitro's externalized server deps like
-`srvx` at request time), so its service does `distrobox enter pf2 -- … node .output/server/index.mjs`.
-Both `bun` and `nodejs` are provisioned in the container.
+The web console is the one part that stays in the container at runtime: it's a Nitro **`bun`**
+build (`bun` both builds **and runs** it — the bun-preset output uses `Bun.serve` with TLS,
+serving HTTPS (HTTP/1.1 over TLS) with the host's identity cert), so its service does
+`distrobox enter pf2 -- … bun .output/server/index.mjs`. `bun` is provisioned in the container.
 
 ## Scripts
 

scripts/steamdeck/install.sh

@@ -92,8 +92,8 @@ sudo apt-get install -y -qq --no-install-recommends \
     nodejs >/dev/null
 command -v rustc >/dev/null 2>&1 || command -v ~/.cargo/bin/rustc >/dev/null 2>&1 || \
     curl --proto =https --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path >/dev/null
-# bun builds the web console; node runs it (the node-server preset; bun mis-resolves the Nitro
-# externalized server deps like srvx at request time).
+# bun builds AND runs the web console now (the Nitro `bun` preset + our Bun.serve TLS entry —
+# bun-native output, so the old srvx mis-resolution that forced node no longer applies).
 command -v bun >/dev/null 2>&1 || command -v ~/.bun/bin/bun >/dev/null 2>&1 || \
     curl -fsSL https://bun.sh/install | bash >/dev/null
 '
@@ -199,8 +199,8 @@ EOF
 ok "punktfunk-host.service ($SERVE_ARGS)"
 
 if [ "$WITH_WEB" = 1 ]; then
-    # The console is a Nitro/Node server run by bun; it lives in the build container (bun + node
-    # libs) and proxies to the host's loopback HTTPS mgmt API.
+    # The console is a Nitro server run by bun (Bun.serve, HTTPS — HTTP/1.1 over TLS — with the host's
+    # identity cert); it lives in the build container and proxies to the host's loopback HTTPS mgmt API.
     cat > "$UNITS/punktfunk-web.service" <<EOF
 # Generated by scripts/steamdeck/install.sh — punktfunk web console (bun in the '$BOX' distrobox).
 [Unit]
@@ -208,7 +208,7 @@ Description=punktfunk management web console
 After=punktfunk-host.service
 
 [Service]
-ExecStart=$DISTROBOX enter $BOX -- bash -lc 'cd $SRC/web; set -a; . $CONFIG/mgmt-token; . $CONFIG/web.env; set +a; export PUNKTFUNK_MGMT_URL=https://127.0.0.1:$MGMT_PORT NODE_TLS_REJECT_UNAUTHORIZED=0 PORT=$WEB_PORT HOST=0.0.0.0 NITRO_PORT=$WEB_PORT NITRO_HOST=0.0.0.0; exec node .output/server/index.mjs'
+ExecStart=$DISTROBOX enter $BOX -- bash -lc 'cd $SRC/web; set -a; . $CONFIG/mgmt-token; . $CONFIG/web.env; set +a; export PUNKTFUNK_MGMT_URL=https://127.0.0.1:$MGMT_PORT NODE_TLS_REJECT_UNAUTHORIZED=0 PORT=$WEB_PORT HOST=0.0.0.0 NITRO_PORT=$WEB_PORT NITRO_HOST=0.0.0.0 PUNKTFUNK_UI_TLS_CERT=$CONFIG/cert.pem PUNKTFUNK_UI_TLS_KEY=$CONFIG/key.pem PUNKTFUNK_UI_SECURE=1; exec bun .output/server/index.mjs'
 Restart=on-failure
 RestartSec=3
 

scripts/windows/web-run.cmd

@@ -4,21 +4,29 @@ rem
 rem Lays out next to the installed payload: {app}\web\web-run.cmd, {app}\web\.output\... and
 rem {app}\bun\bun.exe (so %~dp0 = {app}\web\). Auto-wires the console the same way the Linux
 rem systemd unit does: it sources the host's mgmt bearer token + the console login password from
-rem %ProgramData%\punktfunk\, points the /api proxy at the host's loopback HTTPS mgmt API, and runs
-rem the (self-contained, no-node_modules) Nitro server on :3000 with the bundled bun. No env editing.
+rem %ProgramData%\punktfunk\, points the /api proxy at the host's loopback HTTPS mgmt API, and serves
+rem the (self-contained, no-node_modules) Nitro console over HTTPS (HTTP/1.1 over TLS) on :3000 with the
+rem bundled bun, using the host's OWN identity cert. No env editing.
 setlocal EnableExtensions
 
 set "PFDATA=%ProgramData%\punktfunk"
 set "TOKENFILE=%PFDATA%\mgmt-token"
 set "PWFILE=%PFDATA%\web-password"
+set "CERTFILE=%PFDATA%\cert.pem"
+set "KEYFILE=%PFDATA%\key.pem"
 
-rem The host's `serve` writes the mgmt token on first run. Until it exists the proxy has no
-rem credential, so fail and let the task's restart-on-failure retry (mirrors the Linux unit's
-rem Restart=on-failure waiting for the host to create it).
+rem The host's `serve` writes the mgmt token + its identity cert/key on first run. Until they exist
+rem we have no credential and no TLS material, so fail and let the task's restart-on-failure retry
+rem (mirrors the Linux unit's Restart=on-failure waiting for the host to create them) rather than
+rem silently downgrading to plain HTTP.
 if not exist "%TOKENFILE%" (
   echo [punktfunk-web] mgmt token not present yet at "%TOKENFILE%" - waiting for the host service.
   exit /b 1
 )
+if not exist "%CERTFILE%" (
+  echo [punktfunk-web] host identity cert not present yet at "%CERTFILE%" - waiting for the host service.
+  exit /b 1
+)
 
 rem Both files are single KEY=VALUE lines (LF), written 0600/ACL'd: PUNKTFUNK_MGMT_TOKEN=... and
 rem PUNKTFUNK_UI_PASSWORD=... . Split on the first '=' and import each into the environment.
@@ -30,6 +38,10 @@ set "PORT=3000"
 set "HOST=0.0.0.0"
 set "PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990"
 set "NODE_TLS_REJECT_UNAUTHORIZED=0"
+rem Serve HTTPS (HTTP/1.1 over TLS) with the host's identity cert; mark the session cookie Secure.
+set "PUNKTFUNK_UI_TLS_CERT=%CERTFILE%"
+set "PUNKTFUNK_UI_TLS_KEY=%KEYFILE%"
+set "PUNKTFUNK_UI_SECURE=1"
 
 set "BUN=%~dp0..\bun\bun.exe"
 set "SERVER=%~dp0.output\server\index.mjs"