fix(dist): kill the version-shadow + add build provenance (P0)

The stale code a default install/upgrade got was a TAG LEAK: deb.yml/rpm.yml shared
`tags: ['v*']` with the Apple-client release.yml, so the v0.1.0/v0.1.1 tags cut to ship
the macOS app ALSO published host packages versioned 0.1.1 — which outranks every rolling
0.0.1~ciN / 0.0.1-0.ciN build in both registries (dpkg/rpm version compares confirm), so
`apt install`/`rpm-ostree install` silently fetched ~99-commits-stale code while the READMEs
claimed auto-tracking. Two fixes:

- Decouple host publishing from Apple `v*` tags: deb.yml/rpm.yml now trigger on `host-v*`
  only, so a client tag can never poison the host channel again.
- Bump the rolling base 0.0.1 -> 0.2.0 (deb `0.2.0~ciN`, rpm `0.2.0-0.ciN`): sits ABOVE the
  stray 0.1.1 yet BELOW a future 0.2.0 tag, and still climbs monotonically by run number — so
  `apt upgrade`/`rpm-ostree upgrade` genuinely move forward. Spec default + build scripts +
  PKGBUILD pkgver bumped to match.

Build provenance (so a stale/shadowed host is detectable): build.rs stamps PUNKTFUNK_BUILD_VERSION
(set by CI = the full package version, e.g. 0.2.0~ci120.g802e98d; falls back to the crate version
for a plain `cargo build`) into the binary via rustc-env. Surfaced in `punktfunk-host --version`,
the startup log, and the mgmt /health + /host `version` field (was a hardcoded CARGO_PKG_VERSION).
Deliberately env-driven, not git-derived — the RPM builds from a git-archive tarball with no .git.
Version computed BEFORE the build in deb.yml; the spec %build exports it from %{version}-%{release}
(and gains --locked for reproducibility parity with the .deb path). Validated: plain build reports
0.0.1, env-stamped build reports 0.2.0~ci999.gdeadbee.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/arch/PKGBUILD

@@ -19,7 +19,7 @@ pkgbase=punktfunk
 # the RPM spec's `%bcond_with web` (off by default). Set PF_WITH_WEB=1 to also build punktfunk-web
 # (appended to pkgname + bun to makedepends below).
 pkgname=('punktfunk-host' 'punktfunk-client')
-pkgver=0.0.1
+pkgver=0.2.0
 pkgrel=1
 arch=('x86_64')
 url="https://git.unom.io/unom/punktfunk"
@@ -46,6 +46,7 @@ _repo() { printf '%s' "${PF_SRCDIR:-$srcdir/punktfunk}"; }
 build() {
   cd "$(_repo)"
   export RUSTUP_TOOLCHAIN=stable CARGO_TARGET_DIR="$srcdir/target"
+  export PUNKTFUNK_BUILD_VERSION="${pkgver}-${pkgrel}"   # stamp --version / mgmt /health (build.rs)
   # The host's zero-copy FFI link-needs libcuda at build time; nvidia-utils provides it on an
   # NVIDIA builder. On a GPU-less builder symlink the CUDA stub into the link path first (same
   # caveat the RPM documents): ln -s "$(find / -name libcuda.so -path '*stubs*'|head -1)" /usr/lib/

packaging/debian/build-deb.sh

@@ -26,7 +26,7 @@ cd "$ROOTDIR"
 BIN="target/release/$PKG"
 if [ ! -x "$BIN" ]; then
   echo "==> building $PKG (release)"
-  cargo build --release -p "$PKG" --locked
+  PUNKTFUNK_BUILD_VERSION="$VERSION" cargo build --release -p "$PKG" --locked   # stamp --version (build.rs)
 fi
 
 STAGE="$(mktemp -d)"

packaging/rpm/build-rpm.sh

@@ -9,7 +9,7 @@
 # Output: dist/punktfunk-<version>-<release>.<arch>.rpm  (+ the -debuginfo/-debugsource subpkgs)
 set -euo pipefail
 
-PF_VERSION="${PF_VERSION:-0.0.1}"
+PF_VERSION="${PF_VERSION:-0.2.0}"
 PF_RELEASE="${PF_RELEASE:-1}"
 # PF_WITH_WEB=1 builds the punktfunk-web subpackage too (needs `bun` on PATH — present in the CI
 # builder image, not in a plain mock chroot). Default off so a bare `rpmbuild`/COPR still works.

packaging/rpm/punktfunk.spec

@@ -18,10 +18,11 @@
 
 Name:           punktfunk
 # Version/Release are overridable so CI can stamp a rolling snapshot: a main build passes
-#   --define "pf_version 0.0.1" --define "pf_release 0.ci42.gdeadbee"
-# (Release starting "0." sorts BEFORE the eventual "1" release), a v* tag passes the clean
-# version with "pf_release 1". A plain `rpmbuild` (or COPR) with no defines builds 0.0.1-1.
-Version:        %{?pf_version}%{!?pf_version:0.0.1}
+#   --define "pf_version 0.2.0" --define "pf_release 0.ci42.gdeadbee"
+# (Release starting "0." sorts BEFORE the eventual "1" release; base 0.2.0 sits ABOVE the stray
+# 0.1.1), a host-v* tag passes the clean version with "pf_release 1". A plain `rpmbuild` (or COPR)
+# with no defines builds 0.2.0-1.
+Version:        %{?pf_version}%{!?pf_version:0.2.0}
 Release:        %{?pf_release}%{!?pf_release:1}%{?dist}
 Summary:        Low-latency desktop/game streaming host (Moonlight-compatible + punktfunk/1)
 
@@ -149,7 +150,10 @@ editing. Enable with `systemctl --user enable --now punktfunk-web`.
 # Release build of the host + client binaries (the workspace also has the core lib).
 # cargo fetches crates over the network; COPR build hosts allow this.
 export RUSTFLAGS="%{?build_rustflags}"
-cargo build --release -p punktfunk-host -p punktfunk-client-linux
+# Stamp the exact NVR into the binary for --version / mgmt /health provenance (build.rs reads it).
+export PUNKTFUNK_BUILD_VERSION="%{version}-%{release}"
+# --locked: reproducible from (commit + Cargo.lock), matching the .deb build path.
+cargo build --release --locked -p punktfunk-host -p punktfunk-client-linux
 
 %if %{with web}
 # Management web console: build the Nitro/Node SSR bundle (node-server preset) with bun. The