3 Commits

Author	SHA1	Message	Date
enricobuehler	3526517eb1	feat: HDR Step-0 colour-metadata transport + security-audit hardening ... Two strands, entangled in punktfunk1.rs, committed together (one builds-green tree). HDR pipeline Step 0 — glass-to-glass colour-metadata transport (docs/hdr-pipeline-plan.md): - Protocol/ABI: ColorInfo on the Welcome + a 0xCE HdrMeta datagram carry the source colour space + HDR10 static mastering metadata (quic.rs, abi.rs connect_ex5 fixing caps=0). - New platform-independent, unit-tested HDR static-metadata helpers (hdr.rs): chromaticities (1/50000), mastering luminance (0.0001 cd/m2), MaxCLL/MaxFALL in HDR10/ST.2086 units. - Capture/encode hooks (capture.rs, encode.rs set_hdr_meta) + Linux client / probe plumbing. Security-audit hardening — top 3 from docs/security-review.md, each adversarially verified: - #1 [HIGH] Secret file permissions. The host key.pem/cert.pem and both trust stores are now written owner-only: 0600 + dir 0700 on Unix (mirrors mgmt_token), best-effort SYSTEM/Administrators/OWNER-only icacls DACL on Windows (%ProgramData% is Users-readable). Closes a local key-disclosure -> host-impersonation gap. New gamestream::{create_private_dir, write_secret_file} + a 0600 regression test. - #2 [HIGH] Native SPAKE2 PIN is single-use. The PIN is consumed the moment the host sends its key-confirmation (which lets the client test its one guess), before reading the proof, so any completed attempt -- right OR wrong -- disarms the window. A wrong PIN isn't observable host-side (the client aborts before sending its proof), so consuming on first attempt is what delivers the documented "one online guess" instead of an unbounded brute-force of the static 4-digit PIN. Test verifies single-use. - #3 [MEDIUM] RTSP packetSize is bounded ([64,2048] in stream_config) and VideoPacketizer::new uses saturating .max(1), killing a PRE-AUTH div-by-zero/underflow panic of the video thread. Tests for {0,15,16,17} + out-of-range rejection. fmt + clippy -D warnings clean; full workspace test suite green (93 host tests). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 09:07:59 +00:00
enricobuehler	0cc36fa130	feat(windows-client): D3D11VA zero-copy hw decode + HDR10 present + GUI polish ... The client was pure software HEVC decode + CPU swscale->RGBA + a full-frame dynamic-texture upload every frame -- the reason performance was poor on a GPU box (the GPU sat idle while the CPU churned). This adds a hardware path, HDR, and a GUI pass. Performance -- D3D11VA zero-copy: - gpu.rs (new): one D3D11 device (hardware + VIDEO_SUPPORT, WARP fallback, multithread-protected) shared by decoder and presenter via a Send/Sync OnceLock. Sharing is mandatory -- a decoded texture is only bindable on the device that created it. windows-rs COM interfaces are !Send/!Sync, so the unsafe impl is sound only under the multithread protection + disjoint decode(video ctx)/present(immediate ctx) split. - video.rs: D3d11vaDecoder (raw FFI mirroring the Linux VAAPI module). The COM-typed AVD3D11VA{Device,Frames}Context are declared here (stable FFmpeg ABI) to avoid ffmpeg-sys binding the d3d11 headers; get_format builds a frames ctx with BindFlags=SHADER_RESOURCE so the NV12/P010 array slices are sampleable. av_frame_clone guard keeps each surface out of the reuse pool until the presenter drops it. Software decode stays as the fallback (DecoderPref Auto/Hardware/Software; auto falls back on init/decode error). - present.rs: shared device; per-plane SRVs over the array slice (NV12->R8/R8G8, P010->R16/R16G16) + three pixel shaders (RGBA passthrough, NV12/BT.709, P010/BT.2020-PQ). present() now takes the frame by value so the GPU surface survives re-presents. HDR: - Detected in-band (transfer == SMPTE2084), same signal as the other clients. Swapchain flips to R10G10B10A2 + ST.2084 + HDR10 metadata. New Settings toggle gates advertising VIDEO_CAP_10BIT|HDR; host still gates 10-bit behind its own PUNKTFUNK_10BIT + actual-HDR-content checks. GUI (windows-reactor): - Host cards with accent-monogram avatars + colored status pills, InfoBar for errors/pairing hints, ToggleSwitch settings (+ HDR, decoder, bitrate), button icons, a richer connecting screen, and a stream HUD with GPU/CPU-decode + HDR status chips. Not yet on-glass validated: the Linux dev box can't compile the cfg(windows) code (ffmpeg/windows crates unfetched; WARP has no hw decode) -- only cargo fmt checks it here. API shapes verified against the windows-rs/reactor source and the YUV->RGB coefficients checked by hand, but D3D11VA + shaders + the GUI need a real build (Windows CI / build VM) and on-glass test on the RTX box. The host-side HDR encode path is unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 23:16:07 +00:00
enricobuehler	9c8fa9340c	refactor: drop milestone names + consolidate clients; loss-recovery & rumble fixes ... Two bodies of work in one commit (the rename moved files the fixes also touched). Naming/structure cleanup (pre-launch): - Host modules m3.rs->punktfunk1.rs, m0.rs->spike.rs; CLI m3-host->punktfunk1-host, m0->spike; bare `punktfunk-host` now prints help. Types M3Options/M3Source-> Punktfunk1Options/Punktfunk1Source. - Clients consolidated out of crates/ into clients/: punktfunk-client-rs-> clients/probe (crate punktfunk-probe), client-linux->clients/linux, client-windows->clients/windows, punktfunk-android->clients/android/native (crate punktfunk-client-android; kept [lib] name=punktfunk_android so the JNI contract is unchanged). crates/ now holds only core + host. - Milestone codes M0-M4 purged from code/CLI/CLAUDE.md/README/docs/docs-site, kept only in docs/implementation-plan.md. docs/m2-plan.md-> docs/gamestream-host-plan.md. CI/gradle/flatpak paths updated. Client loss-recovery (video froze and never recovered after a brief drop): - Export punktfunk_connection_frames_dropped through the C ABI (the core already tracked it for the client keyframe-recovery loop; it was never reachable from the ABI clients). Regenerated punktfunk_core.h. - Apple (StreamPump + Stage2Pipeline) and Android (decode.rs) now poll frames_dropped and request a keyframe when it climbs -- the same loss-driven recovery Linux/Windows already had. Under infinite GOP the decoder silently conceals reference-missing frames, so the decode-error trigger rarely fires. Apple rumble robustness (worked then went spotty -- DualSense + Xbox): - Add CHHapticEngine stopped/reset handlers (rebuild on app background / audio interruption / server reset) and drop the permanent `broken` latch on a transient drive failure; latch only when the controller truly has no haptics. - Surface swallowed SDL set_rumble errors on Linux/Windows + diagnostic logging. Verified: cargo build/clippy/fmt --workspace, C-ABI harness, header drift. Not runnable on this box (verify in CI): Gitea workflows, gradle/Android, flatpak, Swift/decky. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 21:05:58 +00:00