550 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
enricobuehler	118752c136	fix(apple): drive DualSense rumble over raw HID (CoreHaptics is silent on macOS) ... GameController's CHHapticEngine never reaches the DualSense's motors on macOS — its adaptive triggers and lightbar work, but rumble stays silent (a documented platform gap). Drive the motors directly via the DualSense HID output report instead, the way SDL and the Linux hid-playstation driver do — the same report that already rumbles the pad on a Linux host. Confirmed live on macOS. - DualSenseHID (macOS): opens the Sony DualSense via IOHIDManager and writes the USB (0x02, 48 bytes) and Bluetooth (0x31, 78 bytes + CRC32) output reports through IOHIDDeviceSetReport. Allowed under the App Sandbox by the existing device.usb + device.bluetooth entitlements; coexists with GameController (non-seized open). Flags mirror the kernel driver (COMPATIBLE_VIBRATION | HAPTICS_SELECT + COMPATIBLE_VIBRATION2); valid_flag1 = 0 so a rumble report leaves the GameController-managed lightbar / triggers / player LEDs untouched. - RumbleRenderer routes a DualSense to the HID backend and keeps CoreHaptics for every other pad, fixing both live sessions and the test panel (shared renderer). - CoreHaptics path reworked too: bake the target intensity + an explicit sharpness into the continuous event (the dynamic-parameter scaling is silent on controller engines) and tear down outside the inout access to fix a latent exclusivity hazard. Adds a DEBUG-only Settings -> Controllers -> "Test Controller" panel (ControllerTestView + ControllerTester) that shows live input and fires rumble / adaptive triggers / lightbar / player LEDs straight at the pad, with a readout of the active rumble backend ("DualSense HID - USB/Bluetooth"). Used to validate the fix. Tests: DualSenseHIDTests pins the USB/BT report layout and the BT CRC32 (canonical 0xCBF43926 check vector). Debug + release build clean; gamepad suite green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-22 13:16:41 +02:00
enricobuehler	9af8e9a7d9	docs(windows): point DualSense handoff at the deploy scripts ... Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-22 10:53:51 +00:00
enricobuehler	e466814ef8	fix(windows): deploy-host reads build env from Machine scope ... Reads PUNKTFUNK_NVENC_LIB_DIR/LIBCLANG_PATH/CMAKE_POLICY_VERSION_MINIMUM directly from Machine scope into the process, so the build is correct even when the SSH/parent shell predates setup-build-env.ps1 (env is inherited at spawn). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-22 10:48:29 +00:00
enricobuehler	95c6ceb072	chore(windows): persistent build env + one-call host/web deploy scripts ... scripts/windows/: setup-build-env.ps1 persists the NVENC build env (Machine scope: PUNKTFUNK_NVENC_LIB_DIR, LIBCLANG_PATH, CMAKE_POLICY_VERSION_MINIMUM -- no FFMPEG_DIR, the nvenc build doesn't link libavcodec). deploy-host.ps1 rebuilds --release --features nvenc and restarts the PunktfunkHost service with .bak rollback on build/start failure. build-web.ps1 rebuilds the Nitro web console (bun build, node runtime) and restarts the PunktfunkWeb task. README documents the flow -- a redeploy is now a single script call. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-22 10:47:40 +00:00
enricobuehler	e919fa6a2e	docs(windows): DualSense in-game detection handoff ... The virtual DualSense is a correct, complete DS5 at the HID level (SDL3 reports PS5) and input works, but a game's native DualSense path (Cyberpunk) doesn't detect the software-enumerated (SWD) device that SDL/HIDAPI accept. Captures the diagnosis, the on-box layout + tools (SDL oracle, dualsense-windows-test, driver rebuild recipe), and the on-glass next experiments (WGI/RawInput/GameInput enumeration) so the work continues from any machine without agent memory. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-22 10:34:58 +00:00
enricobuehler	6db3525e29	fix(gamepad): working per-session SwDeviceCreate for the Windows DualSense ... create_swdevice now succeeds. The two requirements (each E_INVALIDARG otherwise): the enumerator name must have no underscore (use "punktfunk"), and the completion callback is mandatory (the docs mark pCallback [in], not optional -- NULL is rejected). Back on the typed windows-rs SwDeviceCreate (a raw-FFI diagnosis confirmed it's the OS, not the binding), parameterized by pad index (instance pf_pad_<index>), waiting on the callback. Per-session device: created on connect, SwDeviceClose'd on drop -- no leftovers, no phantom. Live-verified on the RTX box: device materializes, the UMDF driver binds, SDL3 identifies it as a PS5 ("DualSense Wireless Controller"), input flows; removed on disconnect. The dualsense-windows-test CLI now cycles input + prints any 0x02 feedback for diagnosis. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-22 10:34:58 +00:00
enricobuehler	6a501f484a	ci(audit): ignore RUSTSEC-2023-0071 (rsa Marvin timing sidechannel) ... cargo audit fails on the rsa "Marvin Attack" advisory, which has NO fixed release (the constant-time rewrite is still unreleased upstream) and rsa is required for GameStream/Moonlight pairing. The attack targets RSA *decryption* (PKCS#1 v1.5 padding oracle); the host uses rsa ONLY for PKCS#1 v1.5 signing/verifying (gamestream/cert.rs + pairing.rs), never for decryption, so the vulnerable path is not exercised. Add the documented .cargo/audit.toml ignore with the justification. The 3 unmaintained warnings (audiopus_sys / paste / rustls-pemfile) are left visible on purpose — `cargo audit` does not fail on them, and they carry a maintenance signal. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-22 10:32:04 +00:00
enricobuehler	72eeedc4da	feat(windows): AMD (AMF) + Intel (QSV) hardware encode on the Windows host ... The Windows host was NVIDIA-only (NVENC) with an openh264 software fallback. Add AMD AMF and Intel QSV via libavcodec — the Windows analogue of the Linux VAAPI backend — so one installer serves all three GPU vendors. - encode/ffmpeg_win.rs: new WinVendor{Amf,Qsv} encoder. System-memory NV12/P010 readback (default, robust) + opt-in zero-copy D3D11 (PUNKTFUNK_ZEROCOPY: shares the capturer's ID3D11Device; AMF takes AV_PIX_FMT_D3D11, QSV derives a QSV frames ctx and maps) with a system fallback for the format-group mismatch the capturer's video-processor fallback can produce. HDR Main10 (P010 + BT.2020/PQ VUI; an Rgb10a2->P010 swscale covers the shader fallback). - encode.rs: Codec::amf_name/qsv_name; open_video + windows_resolved_backend() resolve PUNKTFUNK_ENCODER=auto|nvenc|amf|qsv|sw via a DXGI adapter VendorId probe. - capture/dxgi.rs: gpu_mode mirrors the resolved backend (D3D11 NV12/P010 for AMF/QSV). - gamestream/serverinfo.rs: GPU-aware codec advertisement (windows_codec_support; AV1 gated to RDNA3+/Arc, like the VAAPI path). - Cargo.toml: amf-qsv feature (optional ffmpeg-next in the windows target block). - CI/installer: windows-host.yml sets FFMPEG_DIR + builds --features nvenc,amf-qsv; the Inno installer bundles the FFmpeg DLLs; host.env default nvenc -> auto. CI-green target; AMF/QSV not yet on-glass validated (no AMD/Intel Windows box in the lab) — NVENC stays live-validated. An adversarial-review pass caught + fixed real FFI bugs (AV_PIX_FMT_P010 is a macro -> P010LE; windows-rs 0.62 GetImmediateContext/ GetDesc1 return Result; AV_HWFRAME_MAP_* is a bindgen enum with no BitOr). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-22 10:31:54 +00:00
enricobuehler	fde438a1ed	feat(gamepad): SwDeviceCreate per-session devnode (best-effort) + windows self-test ... DualSenseWindowsManager now SwDeviceCreate's the pf_dualsense devnode per session (SwDeviceClose on drop), matching the Linux UHID pad's lifecycle. It's best-effort: SwDeviceCreate currently hits an unresolved E_INVALIDARG when a completion callback is passed (an underscore in the enumerator name was a second cause, fixed by using "punktfunk"), so on failure the host keeps the section + data plane and falls back to an out-of-band devnode (installer/devgen) — see docs/windows-dualsense-scoping.md. Add a `dualsense-windows-test` host CLI that drives the manager (create devnode + push a frame + hold), used to validate the path. Live on the RTX box: the manager creates the section + pushes report 0x01 and a devnode serves it to a HID read (b1=0xC0, b8=0x28) — the host-side data plane works end to end. cargo check + clippy -D warnings clean on x86_64-pc-windows-msvc. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 21:34:00 +00:00
enricobuehler	01dc0b616c	refactor(windows): trim the inert IOCTL channel from the DualSense driver ... The host<->driver channel is the shared-memory section (hidclass blocks the device stack and UMDF has no control device), so the first-attempt in-driver IOCTL channel never fired. Remove it: the custom device interface, IOCTL_PFDS_SET_INPUT/GET_OUTPUT, the output queue, and the on_set_input/complete_one_read/deliver_output helpers. The driver keeps the HID handshake, the 8ms read timer fed from the shared section, and on_output_report publishing the game's 0x02 to the section. Rebuilt + reloaded + the channel still verifies both directions live on the RTX box. Also list `pf_dualsense` as a second hardware id (alongside `root\pf_dualsense`) so the host's SwDeviceCreate'd software device binds the same driver as a devgen one. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 21:34:00 +00:00
enricobuehler	4a73102d48	feat(gamepad): virtual DualSense on the Windows host (UMDF shm channel) ... Wire the Windows UMDF DualSense driver into the host as a real pad backend, so a client that requests a DualSense gets a genuine one on a Windows host (instead of folding to Xbox 360). - Extract the transport-independent DualSense contract (DsState + from_gamepad, serialize_state, parse_ds_output, DUALSENSE_RDESC, feature blobs, DS_* consts) out of the Linux-only UHID backend into inject/dualsense_proto.rs, shared by both platforms; dualsense.rs is now just the /dev/uhid plumbing. - Add inject/dualsense_windows.rs: DualSenseWindowsManager mirroring the Linux DualSenseManager (same new/handle/apply_rich/pump/heartbeat surface) over a DsWinPad that creates the Global\pfds-shm-<idx> section (CreateFileMappingW + SDDL D:(A;;GA;;;WD) so WUDFHost can open it), writes serialize_state -> input slot, polls output_seq -> parse_ds_output -> rumble/hidout callbacks. - Un-gate the seam: PadBackend::DualSenseWindows arm; pick_gamepad gains a windows flag (DualSense honored on linux||windows; DS4/Xbox One stay Linux-only). Verified: Linux cargo test gamepad_resolution_precedence + clippy clean; Windows cargo check + clippy -D warnings clean (on the RTX box). Device lifecycle still uses an out-of-band devnode (devgen/installer); SwDeviceCreate per session is next. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 20:36:53 +00:00
enricobuehler	aa159df33f	feat(windows): Rust UMDF virtual DualSense driver + shared-memory host channel ... A self-authored UMDF2 HID minidriver (packaging/windows/dualsense-driver) that presents a virtual Sony DualSense (VID 054C/PID 0CE6) on Windows — adaptive triggers / lightbar / rumble that ViGEm structurally cannot deliver. Validated live on an RTX box (Win11 25H2, Secure Boot ON): the self-signed driver loads, Steam recognizes it as a genuine DualSense, and a game's 0x02 output report reaches the driver. The host<->driver channel is a named shared-memory section (Global\pfds-shm-<idx>) the host creates and the driver maps from its timer: input report 0x01 host->driver, output report 0x02 driver->host — input and output proven both directions live. This bypasses hidclass, which gates both a custom device interface and custom IOCTLs on the HID node, and UMDF has no control device. Built in Rust on microsoft/windows-drivers-rs. The load wall was the PE FORCE_INTEGRITY bit that wdk-build sets via /INTEGRITYCHECK (forces a CI-trusted page-hash signature a self-signed cert cannot satisfy) — cleared post-build. See packaging/windows/dualsense-driver/README.md for the build/sign/install recipe. Deferred: SwDeviceCreate per-session device lifecycle; removing the inert in-driver IOCTL-channel code; full on-glass session test. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 20:36:39 +00:00
enricobuehler	983adc5347	fix(docs): stop Scalar's global body bg from bleeding into the docs on client-nav ... Scalar's /api reference injects a *global* `body { background-color: var(--scalar-background-1) }` (via its linked stylesheet + a runtime <style id=scalar-style>) that TanStack doesn't remove on a client-side route change. After navigating /api -> /docs without a reload, that rule kept painting the docs body: Scalar's stock gray (#0f0f0f) while .dark-mode lingered on <body>, or transparent once the class was gone. A hard reload was fine because the stylesheet was never loaded there. Fix: give --scalar-background-1 a global fallback = --color-fd-background so any non-API page paints its own surface while Scalar's sheet lingers; /api itself overrides it via the higher-specificity body.{dark,light}-mode rule. Also strip the leftover #scalar-style/#scalar-refs nodes and body mode-class when /api unmounts so the DOM matches a fresh load. Verified light + dark via headless CDP: post-nav docs body now equals a fresh reload (#141019 / #f0ebff). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 18:49:20 +00:00
enricobuehler	78c16e5136	fix(docs): Scalar API ref uses brand bg + follows the docs light/dark toggle ... Scalar puts .light-mode/.dark-mode on document.body and renders customCss *before* its built-in theme preset in the same <style> tag, so a bare .dark-mode override loses at equal specificity and the stock #0f0f0f gray showed through. Scope the palette to body.{dark,light}-mode (0,1,1) so it beats both the linked base sheet and the in-component preset, and add a full light-lavender palette to match the docs light surface. Drive Scalar's darkMode from the resolved Fumadocs theme (next-themes) instead of hard-locking it on, so toggling the docs theme switch flips the API reference too; the React wrapper's updateConfiguration effect live-swaps the body mode class. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 18:36:32 +00:00
enricobuehler	0205c7b8d6	ci(release): split canary/stable tracks + unified Gitea Releases ... A push to main publishes canary builds to canary channels (fast iteration, unchanged); a single vX.Y.Z tag releases every platform at one version to the stable channels and attaches all artifacts (.deb/.rpm/.msix/.apk/.aab/.dmg + flatpak/decky/host-installer) to one Gitea Release. Collapses the host-v*/win-v*/host-win-v* tag namespaces into v* — the channel split makes the version-shadow bug structurally impossible (canary and stable are separate repos, never a shared version line). - scripts/ci/gitea-release.{sh,ps1}: one idempotent release helper (create-or-fetch + delete-before-upload), replacing 3 copy-pasted inline blocks and fixing their latent 409-on-reupload bug; prerelease flag auto-derived from the tag (an -rc tag won't shadow "Latest") - channels: apt canary/stable distributions; rpm *-canary/base groups; flatpak canary/stable OSTree branches + a 2nd .Canary.flatpakref; generic-registry canary/ vs latest/ aliases; Play internal/alpha; Apple TestFlight vs notarized DMG - android versionName threaded through gradle (versionCode stays run_number); Apple canary = TestFlight-only (no DMG/tvOS); canary base bumped to 0.3.0 - docs: new docs-site channels.md (subscribe table + cut-a-release runbook + box migration), refreshed ci.md workflow table + packaging READMEs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 17:26:38 +00:00
enricobuehler	3e6c9f6060	feat(gamepad): add virtual Xbox One/Series + DualShock 4 pad types ... Extends virtual-controller support beyond Xbox 360 + DualSense. Goal: a physical Xbox One or PS4 pad on the client gets a near-native matching virtual pad on the host, auto-resolved from the controller type. Protocol/core: - GamepadPref gains XboxOne (wire 3) + DualShock4 (wire 4); to_u8/from_u8/ from_name/as_str + C ABI PUNKTFUNK_GAMEPAD_XBOXONE/_DUALSHOCK4 constants (compile-time guard ties them to the enum). Single-byte wire form is unchanged, so it's forward-compatible (older peers degrade to Auto). Host (Linux): - New UHID DualShock 4 backend (inject/dualshock4.rs) bound by hid-playstation: lightbar, touchpad, motion, rumble — DualSense minus adaptive triggers / player LEDs / mute. Reuses the DualSense pure state + button mapping; only the report byte layout, the real-DS4 HID descriptor, the GET_REPORT handshake (0x12 MAC mandatory; 0x02 calibration; 0xa3 firmware) and the touchpad resolution (1920x942) differ. Touchpad/motion ride the existing 0xCC plane, lightbar the 0xCD Led plane (deduped); rumble the universal 0xCA plane. - Xbox One/Series is the uinput Xbox-360 backend parameterized with the One S USB identity (045e:02ea) for matching glyphs — XInput-identical otherwise. - PadBackend dispatch + resolver handle both; off Linux the UHID pads and One/Series fold into Xbox 360. Windows-host DS4 (ViGEm) deferred. Clients (auto-resolve physical pad -> virtual type, plus manual settings): - Linux/Windows (SDL3): SDL_GAMEPAD_TYPE_PS4 -> DualShock 4, _XBOXONE -> Xbox One; PadInfo carries the resolved pref; DS4 touchpad/motion capture + lightbar already type-agnostic. Linux settings combo + label updated. - Apple (GameController): GCDualShockGamepad/GCXboxGamepad detection, DS4 touchpad capture, settings picker entries. - Android (Kotlin): InputDevice VID/PID auto-detect (matching the other clients) + settings entries. - probe: --gamepad help/aliases. Also hardens the Android JNI boundary: wrap the teardown + poll-thread shims in catch_unwind so a panic degrades to a logged no-op instead of aborting the app. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 13:34:44 +00:00
enricobuehler	b3811ff72e	fix(web): session-card button overflow + bottom-nav icon alignment ... - Dashboard session card: the header stacks the title above the action buttons on narrow screens (flex-col -> sm:flex-row) and the button group wraps (flex-wrap), so "Request IDR" / "Stop session" no longer overflow the card. - Mobile bottom nav: give each label a fixed two-line-tall centered box so a 1- or 2-line label (labels vary by locale) keeps every tab icon at the same height. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 12:33:33 +00:00
enricobuehler	b6b0b6c29e	fix(docs): load Scalar's stylesheet so the API reference isn't unstyled ... @scalar/api-reference-react@0.9.47's entry imports createApiReference but does NOT import its own style.css (nor inject it at runtime), so /api rendered with no Scalar CSS at all. Import the sheet as a route-scoped <link> (?url + head.links, same pattern as the root app.css) so it loads for SSR + the client-side Vue mount. The brand customCss still themes on top. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 12:25:22 +00:00
enricobuehler	527c2f677e	feat(web): drop material gloss, full punktfunk theme for Scalar, center mobile tabs ... - console: remove @unom/ui's specular "material" gloss (drop UnomProviders + the material.css import) so components render flat like the marketing site; the violet brand + Geist stay. - mobile bottom tab bar: center the labels (w-full text-center, leading-tight) and even out the per-tab layout. - docs /api: roll the punktfunk dark-violet palette across the whole Scalar reference (surfaces/text/sidebar/links/buttons/method colours via the full --scalar-* token set), locked to dark (hideDarkModeToggle). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 12:19:51 +00:00
enricobuehler	f3555d5eb5	feat(web): unify console + docs on @unom/ui; host OpenAPI via Scalar ... Move the management console (web/) off shadcn/ui to the shared @unom/ui design system the marketing site + docs are built on, on the punktfunk violet brand over dark chrome: - Add @unom/ui/@unom/style/motion/radix-ui/zod + Geist; web/.npmrc maps the @unom scope (packages are public-read, so CI needs no npm auth). - styles.css: one dark-violet palette (#141019/#1c1530, brand #6c5bf3 -> #a79ff8) exposed under BOTH the shadcn token names the routes use and @unom/ui's contract, so routes + components both resolve; pulls in @unom/ui's material gloss + easings. - components/ui/* now back onto @unom/ui (AnimatedButton/InputText/Label/ AnimatedCard); brand-mark/wordmark/logo replace the generic Radio icon in the shell + login. - MaterialProvider (specular gloss) at the root. No UI sounds, like the site. docs-site: new /api route renders the host management REST API as an interactive Scalar reference (reads public/openapi.json, a snapshot of docs/api/openapi.json), branded violet and linked from the top nav, the docs sidebar, the landing page, and host-cli.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 12:00:46 +00:00
enricobuehler	75d5a6d7fb	docs(steamos): reframe Steam Deck host page to SteamOS ... - Rename steam-deck-host.md → steamos-host.md (nav + install table updated). - Lead with the rationale: SteamOS host support targets the upcoming Steam Machine; the Steam Deck is the SteamOS device validated against today. - Soften the WiFi note: ~250 Mbps was our testing on one device/network, not a universal ceiling — other SteamOS hardware/drivers/bands may do more. - Generalize Deck-specific language to SteamOS devices throughout. - Document --no-gamestream (secure native-only) + GameStream-compat caveat. - decky README: drop stale `serve --native` (now just `serve`). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 10:33:49 +00:00
enricobuehler	1fe4161d4d	feat(steamdeck): --no-gamestream installer flag for a secure native-only SteamOS host ... Completes the GameStream-opt-in posture (54b75c9) on the SteamOS path: the installer keeps Moonlight compat on by default (`serve --gamestream`, the Deck commonly streams to Moonlight), but `--no-gamestream` now installs a secure native-only host with no GameStream on-path surface (plain-HTTP pairing / legacy GCM nonce reuse — security-review #5/#9; native clients only). Documented in the installer --help; the SteamOS host doc references it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 10:29:40 +00:00
enricobuehler	54b75c9be4	feat(host): GameStream/Moonlight compat is now opt-in (--gamestream) — secure native-only by default ... Follows the security audit (#5/#9): the GameStream-compat plane carries inherent on-path weaknesses that can't be fixed on the wire without breaking stock Moonlight — its pairing runs over plain HTTP (#9, MITM-able during the pairing window) and its legacy control encryption can reuse GCM nonces (#5, a passive eavesdropper can recover/forge input). The native punktfunk/1 plane (SPAKE2 PIN pairing + per-direction AEAD nonces) has neither. So flip the default to secure-by-default: - `serve` → native punktfunk/1 plane + management API ONLY (no GameStream surface). - `serve --gamestream` → ALSO the GameStream/Moonlight-compat planes (nvhttp pairing, RTSP, ENet control, _nvstream mDNS). Opt-in, logged with a trusted-LAN caveat. `--moonlight` is an alias. - The native plane is now ALWAYS on in `serve` (`--native` is a kept-for-compat no-op); the unified GameStream+native host is `serve --gamestream`. `gamestream::serve` gates the GameStream spawns (nvhttp/rtsp/control/mdns) on the flag; the native plane + mgmt + native-pairing handle always run. To avoid silently regressing validated Moonlight deployments, the explicit deployment configs PRESERVE Moonlight via `--gamestream` (each documents dropping it for a secure native-only host): the Linux systemd unit, the Steam Deck installer, and the Windows service default (DEFAULT_HOST_CMD). The bare `serve` default (new/manual use) is secure. Docs swept to match (host-cli, moonlight, quickstart, install, packaging READMEs, CLAUDE.md, README, …): Moonlight setup now instructs `--gamestream`; native/console refs use bare `serve`. OpenAPI regenerated (a stale "run `serve --native`" string). fmt + clippy clean; 94 host tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 10:19:40 +00:00
enricobuehler	3c55ec37fa	fix(security): remaining audit findings — mgmt admin gate, RTSP DoS bounds, FEC drop, ALPN, ct-compare ... Addresses the lower-severity findings from docs/security-review.md (#4-#12). Each fix was adversarially re-reviewed (5-agent pass); two review catches folded in (the Apple client's GET /library cert path; an RTSP header-cap bypass + a spawn-panic counter leak). - #4 [low] mgmt mTLS-paired-cert no longer grants full admin. A paired STREAMING cert authorizes only a read-only allowlist (GET /host,/compositors,/status,/clients,/native/clients,/library); every state-changing route and every PIN-exposing route (/pair, /native/pair) requires the operator's bearer token. New cert_auth_is_a_read_only_allowlist test. (/library kept on the allowlist — the native clients browse it cert-only; its mutations stay token-only.) - #6 [low] RTSP pre-auth DoS bounds: a concurrent-connection cap (RAII slot guard), a per-read timeout (slow-loris), and Content-Length/header/message size caps — closing an unauthenticated slow-loris / memory-growth / thread-exhaustion vector on TCP 48010. - #11 [info] A FEC reconstruction failure is now a counted drop (discard the block, keep the session) instead of being stream-fatal — a lossy link can't be torn down by one bad block. - #10 [info] Fixed ALPN ("pkf1") on both native QUIC endpoints (defense-in-depth; a deliberate coordinated client+host upgrade — a new host rejects an ALPN-less old client). - #8 [info] Constant-time GameStream pairing phase-4 hash compare (crypto::ct_eq). - #7 [low] New VirtualDisplay::set_launch_command carries the launch command per-session on the GameStream path (no process-global env stomp under concurrent sessions); native path keeps the env under today's single-session model (documented; plumb per-session with concurrent sessions). - #5 [low] Legacy GameStream GCM nonce reuse: documented as inherent to Nvidia's old-style control encryption (Apollo/Moonlight identical; key is client-known) — unfixable on the legacy wire; the real fix is V2 control-encryption negotiation. Code comment at control.rs. - #9 [info] GameStream plain-HTTP pairing: documented (inherent to GFE compat; use punktfunk/1). - #12 [low] Web global NODE_TLS_REJECT_UNAUTHORIZED: fix designed (undici dispatcher scoped to the loopback mgmt fetch) but DEFERRED — needs `bun add undici` in the web build env; reverted to keep the web working. Latent-only (the loopback mgmt fetch is the console's only outbound TLS). fmt + clippy -D warnings clean; 94 host + core tests green; no C-ABI/OpenAPI drift. (The HDR Steps 1-2 client work in the tree is the user's parallel WIP — deliberately NOT included here.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 09:50:24 +00:00
enricobuehler	551012bb43	feat(clients): HDR Steps 2-3 — apply mastering metadata + display capability-gate ... Continues docs/hdr-pipeline-plan.md. Steps 0/1 + Step 2 (Windows/Android) already landed in 3526517; this is Step 2 (Apple) + Step 3 (all clients). Client-only — no core/host/ABI change (the 0xCE/next_hdr_meta/color_info surfaces shipped in Step 0). Step 2 — clients APPLY the host's HDR metadata (each remaps from the wire form: ST.2086 G,B,R order, mastering luminance in 0.0001 cd/m2): - Apple: connect via punktfunk_connect_ex5 (resurrects the previously-dead HDR pipeline); nextHdrMeta/colorInfo wrappers + HdrMeta SEI-blob builders; the pump drains nextHdrMeta -> VideoDecoder.setHdrMeta -> CVBufferSetAttachment of MasteringDisplayColorVolume (24B BE) + ContentLightLevelInfo (4B BE) on each HDR pixel buffer (correct for the itur_2100_PQ layer; CAEDRMetadata avoided as ambiguous there). Step 3 — capability-gate: advertise HDR caps ONLY when the display can present it, so an SDR display gets a proper BT.709 stream instead of PQ it would mis-tone-map; an HDR display self-tone-maps from the Step-1/2 mastering metadata. - Windows: present::display_supports_hdr() (DXGI any IDXGIOutput6 colour space == G2084), ANDed with the user HDR setting in session.rs; logs the SDR drop. - Apple: NSScreen.maximumExtendedDynamicRangeColorComponentValue>1 (macOS) / UIScreen.main.potentialEDRHeadroom>1 (iOS) in SessionModel. - Android: Settings.displaySupportsHdr (Display.getHdrCapabilities HDR10/HDR10+) passed through a new hdr_enabled jboolean on nativeConnect; session.rs gates the caps. Validation: Android native (incl. the jboolean gate) builds + clippy clean via cargo-ndk; fmt clean. Windows (MSVC), Apple (Swift) and the Kotlin side are CI/on-glass validated — not compilable on the Linux dev box. Deferred to the RTX box: mid-session Reconfigure SDR-downgrade on monitor move, and confirming the host emits SDR for an SDR client off an HDR desktop. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 09:46:58 +00:00
enricobuehler	3526517eb1	feat: HDR Step-0 colour-metadata transport + security-audit hardening ... Two strands, entangled in punktfunk1.rs, committed together (one builds-green tree). HDR pipeline Step 0 — glass-to-glass colour-metadata transport (docs/hdr-pipeline-plan.md): - Protocol/ABI: ColorInfo on the Welcome + a 0xCE HdrMeta datagram carry the source colour space + HDR10 static mastering metadata (quic.rs, abi.rs connect_ex5 fixing caps=0). - New platform-independent, unit-tested HDR static-metadata helpers (hdr.rs): chromaticities (1/50000), mastering luminance (0.0001 cd/m2), MaxCLL/MaxFALL in HDR10/ST.2086 units. - Capture/encode hooks (capture.rs, encode.rs set_hdr_meta) + Linux client / probe plumbing. Security-audit hardening — top 3 from docs/security-review.md, each adversarially verified: - #1 [HIGH] Secret file permissions. The host key.pem/cert.pem and both trust stores are now written owner-only: 0600 + dir 0700 on Unix (mirrors mgmt_token), best-effort SYSTEM/Administrators/OWNER-only icacls DACL on Windows (%ProgramData% is Users-readable). Closes a local key-disclosure -> host-impersonation gap. New gamestream::{create_private_dir, write_secret_file} + a 0600 regression test. - #2 [HIGH] Native SPAKE2 PIN is single-use. The PIN is consumed the moment the host sends its key-confirmation (which lets the client test its one guess), before reading the proof, so any completed attempt -- right OR wrong -- disarms the window. A wrong PIN isn't observable host-side (the client aborts before sending its proof), so consuming on first attempt is what delivers the documented "one online guess" instead of an unbounded brute-force of the static 4-digit PIN. Test verifies single-use. - #3 [MEDIUM] RTSP packetSize is bounded ([64,2048] in stream_config) and VideoPacketizer::new uses saturating .max(1), killing a PRE-AUTH div-by-zero/underflow panic of the video thread. Tests for {0,15,16,17} + out-of-range rejection. fmt + clippy -D warnings clean; full workspace test suite green (93 host tests). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 09:07:59 +00:00
enricobuehler	22a9ce4229	Merge remote-tracking branch 'origin/main' ... # Conflicts: # docs-site/content/docs/meta.json	2026-06-21 00:07:36 +00:00
enricobuehler	450bcf1e7b	feat(host): Apollo-backlog hardening — cert gate, NVENC RFI, media QoS, async injector ... A pass over the apollo-comparison backlog (re-verified against current code). Lands four items end-to-end plus a Windows-DualSense scoping doc. - #5/#92/#26 — GameStream paired-cert allow-list. tls.rs surfaces the verified peer cert to handlers (serve_https + PeerCertFingerprint, now shared with the mgmt API instead of duplicated); nvhttp gates /launch /resume /applist /cancel on AppState.paired and reports a real PairStatus; save_paired writes atomically (temp+rename). Closes the "mTLS accepts any client cert" hole. + regression test. - #6/#51/#19/#22 — NVENC caps query -> reference-frame invalidation. nvenc.rs query_caps probes nvEncGetEncodeCaps (max dims / 10-bit / custom-VBV / RFI), rejecting over-range modes and degrading 10-bit->8-bit instead of an opaque InvalidParam. New Encoder::invalidate_ref_frames (default false -> caller keyframes); the Windows NVENC path implements real RFI (multi-ref DPB + nvEncInvalidateRefFrames, dedup + IDR-on-overflow). control.rs decodes the 0x0301 lost-frame range (Apollo's IDX_INVALIDATE_REF_FRAMES) -> AppState.rfi_range -> encode loop, falling back to a keyframe. NOTE: the Windows NVENC impl is RTX-box/CI-pending (can't compile on Linux); adversarially reviewed vs the SDK. - #43/#72 — media socket QoS + buffer growth. New punktfunk_core::transport::qos: grow_socket_buffers (factored out the native plane's 32MB SO_SNDBUF growth so the GameStream sockets reuse it) + set_media_qos (opt-in PUNKTFUNK_DSCP=1: DSCP CS5 video / CS6 audio + Linux SO_PRIORITY, Apollo's scheme). Wired into UdpTransport and the GameStream video/audio sockets. Windows IP_TOS needs qWAVE (follow-up). - #8/#45 — GameStream input injection off the ENet service thread. on_receive no longer injects inline (a slow inject head-blocked ENet keepalive/retransmit); it forwards to a dedicated injector thread. The hardened InjectorService moved from punktfunk1 into crate::inject (shared by both planes) + a coalesce step that sums adjacent relative-mouse/scroll deltas while preserving button/key/abs ordering. Docs: re-verified apollo-comparison.md status (22 items already done/obsolete since the snapshot) + windows-dualsense-scoping.md (ViGEm can't emulate a DualSense; real DS5 on Windows needs a VHF virtual-HID driver — web-research pass pending). fmt + clippy -D warnings clean; full workspace test suite green; no C-ABI/OpenAPI drift. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 00:06:30 +00:00
enricobuehler	a2a6b858f7	fix(steamdeck): run the web console with node, not bun (Nitro node-server preset) ... The management console is a Nitro `node-server` build (per web/vite.config.ts) — it must be run with `node`, not `bun`. Run under bun it 500s on every page render with "Cannot find package 'srvx'": bun mis-resolves Nitro's externalized server deps from the nested SSR chunk at request time. (This was pre-existing — the old manual pfweb.sh ran it with bun too.) - Provision `nodejs` in the pf2 distrobox; run the web service with `node .output/server/index.mjs`. - Use `enable` + `restart` (not `enable --now`) so re-running the installer actually applies unit-file changes instead of no-opping against the running service. Verified on the Deck: web `/login` now returns 200 (was 500), "Listening on http://0.0.0.0:3000", no srvx error. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 23:32:23 +00:00
enricobuehler	f85d51b9f9	feat(steamdeck): one-command host install + docs (build-on-device) ... SteamOS is immutable read-only Arch, and the Deck is AMD (VAAPI) — so none of the checked-in packaging (arch/sysext is NVENC-first + client-oriented, deb/rpm are soname-mismatched) actually installs a working host on a Steam Deck. The proven path (distrobox-built native binary + systemd-run units) was 100% manual. Make it one command. - scripts/steamdeck/install.sh — idempotent installer: ensure the pf2 Debian-trixie distrobox + toolchain → build host (+web console) → write config (generated web login password) → raise UDP buffers to 32 MB + udev + input group (sudo, skipped gracefully if unavailable) → install + start punktfunk-host / punktfunk-web systemd USER services with linger. Flags: --open (accept unpaired clients), --no-web, --src=DIR. Builds on-device so a rebuild always matches the running SteamOS (no prebuilt-binary fragility across OS updates); VAAPI on the Deck's AMD GPU. - scripts/steamdeck/update.sh — rebuild from current source + restart (config/pairings persist). - scripts/steamdeck/README.md — deep reference (why on-device, what's installed, gotchas). - docs-site: new "Steam Deck (Host)" guide + sidebar entry; install.md splits Arch from the Steam Deck host path; packaging/arch/README points Deck-host users here and corrects the stale "NVENC-only" note (VAAPI host encode landed). Live-validated on the Deck: installer runs clean, both services come up, host listens (QUIC :9777 + mgmt :47990), web serves (302→login); on a client connect it takes over the Game-Mode gamescope session at the client's mode, captures via PipeWire, and VAAPI-encodes (hevc_vaapi) — full pipeline confirmed in the host journal. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 22:20:00 +00:00
enricobuehler	516efcc3a3	feat(core/fec): adaptive FEC — size recovery to measured loss, not a flat 20% ... On a clean link the flat 20% FEC is pure waste: extra wire bytes AND extra packets. On a packet-rate-bound uplink (the Steam Deck's WiFi tx caps ~22k pps regardless of bitrate) those extra packets directly cost goodput — measured at 200 Mbps goodput, 20% FEC drove ~10% loss vs ~2.6% at 0% (it saturated the link). Adaptive FEC closes the loop: - Client measures the loss FEC is absorbing each ~750 ms window from session stats (recovered shards / received, + a bump when a frame went unrecoverable) and sends a periodic `LossReport { loss_ppm }` on the control stream (new message; `window_loss_ppm` helper, shared + unit-tested). Connector (Apple/Linux/Windows) and probe both report; suppressed during a speed test so its filler can't skew it. - Host maps loss → recovery % (`adapt_fec`: ≈ loss×1.4 + 1pt, clamped 1..50) and applies it live via `Session::set_fec_percent` (the wire is self-describing — each packet carries its block's data/recovery counts, so the receiver needs no notice). A clean link decays to ~1%; loss ramps it up and converges. - `PUNKTFUNK_FEC_PCT`, when set, now PINS FEC static (disables adaptation) so speed-test / measurement runs keep a fixed, known overhead. Unset ⇒ adaptive, starting at 10%. An older host ignores LossReport (unknown control message) and keeps static FEC; an older client simply never reports and the host holds its start value. Builds + clippy + fmt + tests green (adapt_fec / window_loss_ppm / loss_report unit tests). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 21:31:07 +00:00
enricobuehler	4afdb18cc4	docs: clarify HDR is supported on the Windows host (Linux still blocked) ... HDR (10-bit BT.2020 PQ) works end-to-end with the Windows host — it captures an HDR desktop (WGC FP16 / Desktop-Duplication FP16 for the secure desktop) and encodes HEVC Main10 to HDR-capable clients (Windows, Android). Only the Linux host is blocked upstream (no 10-bit compositor capture). Corrected the roadmap (grid + shipped/blocked), Windows Host page, status, and CLAUDE.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 22:13:09 +02:00
enricobuehler	9f049f965f	docs(site): add Windows host install, restructure nav, new public roadmap ... - install (host): add a Windows (NVIDIA) section with signed-installer and certificate-trust steps; note the .cer is the same across releases. - install-client: clarify the Windows MSIX certificate is the same every release (trust once, updates need nothing). - Move "Project & Internals" out of the public docs site: relocate implementation-plan, apple-stage2-presenter, gamescope-multiuser, dualsense-haptics, ci, and gamestream-host-plan to docs/; drop them from the nav. Move windows-host into Host Setup. - Rewrite roadmap as a lean public page with an at-a-glance grid and current statuses (Windows host shipped/beta, Apple incl. tvOS shipped, Android shipped, concurrent sessions + delegated pairing done). - Fix status.md link to the now-internal implementation plan. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 19:52:23 +02:00
enricobuehler	f37a304fba	fix(core/speed-test): packet-level throughput + paced burst (kill the 0/100% cliff) ... The punktfunk/1 speed test was unusable across every client/host: at the start of a burst a little data got through, then everything read as dropped (~10 MB total). Two compounding bugs: 1. Receive side measured throughput from fully-reassembled FLAG_PROBE *access units* only. The instant loss crossed the 20% FEC budget no AU completed, so the figure cliffed to 0 / 100% loss even though most bytes still arrived — a binary cliff, not a graded measurement. 2. Send side blasted each filler AU (up to 256 KB ≈ 200 packets) into the socket buffer in one unpaced batch, unlike the real video path which paces. On a small buffer (e.g. the Steam Deck's 416 KB) a single AU overflowed it, so the test measured self-inflicted buffer overflow instead of the link. Fixes: - Host `run_probe_burst` keeps each AU a small (~16 KB) burst and paces by the byte budget, mirroring `paced_submit`; reports the WIRE packets the kernel accepted and the ones the send buffer dropped (stat deltas), separating host-side drops from link loss. - `ProbeResult` gains `wire_packets_sent` + `send_dropped` (back-compat decode: a 21-byte pre-wire-stats result still decodes, new fields 0). - Clients (probe + connector) count delivered traffic at the packet level via `session.stats()` deltas over the burst window, so throughput/loss degrade gracefully. Connector freezes the delivered figure when the host report lands so resumed video can't inflate it. New `ProbeOutcome`/`PunktfunkProbeResult` fields: `host_drop_pct`, `wire_packets_sent`, `send_dropped`. Validated on loopback (graded 142→1391 Mbps, host_drop/link_loss split correctly, no cliff) and live against the Deck: clean to ~200 Mbps goodput / 273 Mbps wire at 0% link loss, host send buffer the wall above that (the lever-#1 target). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 17:46:17 +00:00
enricobuehler	76f4484ded	docs(CLAUDE.md): refresh stale status ... - Add the Windows host (implemented & shipping: DXGI capture, SudoVDA virtual display, NVENC, ViGEm, WASAPI, LocalSystem service installer; NVIDIA-only, x64-only) — it was absent entirely. - Add the Android client (full client: AMediaCodec/HDR10 decode, Oboe audio + mic, gamepad feedback, discovery, pairing, Compose phone+TV UI; Google Play internal testing) and drop the stale "scaffolds" item. - macOS stage-2 presenter: built + live-validated behind the opt-in flag, not "next". - Concurrent sessions + delegated pairing approval marked done. - Layout/CI: note Windows host backends and per-client release workflows. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 19:10:51 +02:00
enricobuehler	cba3ae48e2	docs: update README + docs site for public readiness ... Refresh the README and documentation for public visitors: - README: public-facing rewrite with accurate status for all four native clients (macOS, Linux, Windows, Android) and the Windows host. - docs site: fix stale client status (Android is a full client, not a scaffold; Windows client is stage-1 complete + signed MSIX), add the missing Android client section, correct "which client" guidance. - Windows host: corrected from "deferred/scoped" to implemented & shipping (NVIDIA-only, x64-only) across windows-host, roadmap, status, requirements, running-as-a-service, and the README. - Remove internal infrastructure from public docs (box names, private IPs, SSH/token commands, deploy topology); rewrite status.md as a public project-status page; sanitize ci.md and implementation-plan.md. - Update clients/android and clients/apple READMEs to current state. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 18:59:23 +02:00
enricobuehler	2dc54bc651	Merge remote-tracking branch 'origin/main'	2026-06-20 16:30:32 +00:00
enricobuehler	480dee863d	feat(host/gamescope): custom-resolution Game-Mode streaming on the Steam Deck ... The Steam Deck (SteamOS) ships its OWN gaming session — `gamescope-session.target` driven by `/usr/lib/steamos/gamescope-session`, not Bazzite's `gamescope-session-plus`. That script `exec gamescope`s with HARDCODED physical-panel args (`-w 1280 -h 800 -O '*',eDP-1`) and launches Steam via a SEPARATE `steam-launcher.service`, so the existing managed-session path (which assumes session-plus) couldn't honor the client's mode — an attach captured the panel's native 1280x800 instead. Add a SteamOS branch to the managed-session path: detect it, write a `gamescope` PATH-shim that rewrites the hardcoded args to `--backend headless -W <client> -H <client> -r <hz>`, drop a transient user `gamescope-session.service.d` override pointing PATH at the shim + the mode, then RESTART the whole target so `steam-launcher.service` brings Steam up IN the headless gamescope at the client's resolution. Attach to the one fresh node (the restart kills any prior gamescope, so no stale-node attach). Restore-on-disconnect removes the override + restarts the target back to the physical panel (debounced; skipped if the user switched to a desktop session). All user-level (`systemctl --user`) — no root. Also widen `build_pipeline_with_retry` to 8 attempts (~90s): a host-managed gamescope session cold-starting Steam Big Picture takes 30-60s to first frame, and a first-connect timeout would tear down the warm session (forcing another cold start on reconnect). Permanent failures still fail fast via `is_permanent_build_error`. Validated live on a Steam Deck: Game Mode auto-detected, host takes over headless at the client's mode (720p / 1080p), Steam Big Picture streamed glass-to-glass to the Mac at the requested resolution. Single-tenant (concurrent clients at different modes still thrash — a follow-up). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 16:30:24 +00:00
enricobuehler	618602d802	feat(docs-site): read footer from the per-tenant CMS collection ... The shared unom CMS is now multi-tenant; the footer global became a per-tenant collection. Query footers scoped to tenant.slug = punktfunk instead of the removed /globals/footer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 17:11:42 +02:00
enricobuehler	fdf388436a	Merge remote-tracking branch 'origin/main'	2026-06-20 14:50:09 +00:00
enricobuehler	0f7f1be3c3	fix(core/transport): treat ENOBUFS as a transient drop, not a fatal error ... WiFi drivers (e.g. ath11k on the Steam Deck) return ENOBUFS — not EAGAIN/EWOULDBLOCK — when the tx queue is momentarily full. Rust maps ENOBUFS to ErrorKind::Uncategorized, so `is_transient_io` (which only matched WouldBlock/ConnRefused/ConnReset) treated it as a real error and tore the whole stream down on a single transient burst. This presented as a vicious Heisenbug on the Deck: the native host streamed flawlessly on loopback and under a debugger (anything slow enough not to fill the small ~416 KB wlan0 buffer), but died at full rate cross-machine over WiFi — flaky hang-or-SIGKILL because tx-queue-full is probabilistic. Diagnosed live via a forced core dump (gdb on the hung core): the data-plane thread had bailed on a fatal send error. Treat ENOBUFS (and asynchronous network-path blips ENETUNREACH / EHOSTUNREACH / ENETDOWN / EHOSTDOWN) as a lossy drop like WouldBlock — FEC + the next frame recover. Validated: 6/6 back-to-back cross-machine streams over the Deck's WiFi, host stable, p50 ~4.4 ms (one run dropped 4/300 frames *gracefully*, 0 mismatched — the fix working as intended). Also surface a data-plane bind/hole-punch failure directly in punktfunk1 (it was previously only reported after teardown, which a stall could swallow entirely). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 14:49:59 +00:00
enricobuehler	e88c28c15c	feat(docs-site): add a Gitea repo link to the nav ... Link to https://git.unom.io/unom/punktfunk in the top bar, alongside the Docs and Website links. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 16:08:44 +02:00
enricobuehler	72ca0419db	feat(docs-site): add the site-wide footer, shared with the marketing site ... Pull the same footer from the shared unom CMS global (cms.unom.io) and render it globally under both the home and docs layouts. Read-only typed fetch in a server-side root loader (falls back to null on a CMS hiccup). Root-relative links target the marketing site, so they're resolved against its origin (the docs don't host /legal/* etc.); themed with Fumadocs tokens for light/dark. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 15:42:39 +02:00
enricobuehler	40109056e9	refactor(docs-site): use the vector SVG wordmark instead of the raster ... Replace the CSS-mask/webp wordmark with the inline vector from Export/Punktfunk_Logo-Text_No-Border_Dark.svg (white export background dropped), painted via currentColor — deep-violet on light, light-violet on dark. Crisp at any size; drops the now-unused funk-wordmark.{webp,png}. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 15:34:19 +02:00
enricobuehler	3df9dd6d32	feat(docs-site): use the funk wordmark logo instead of "punktfunk" text ... Swap the plain "punktfunk" text in the nav and landing hero for the real brand wordmark from the marketing site. The source asset is a single light-violet variant (made for dark surfaces), so it's painted as a CSS mask and coloured per theme — deep-violet on light, light-violet on dark — to stay legible with the docs' light/dark toggle. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 15:05:23 +02:00
enricobuehler	e8bc178d45	feat(docs-site): brand the docs to match the punktfunk website ... Theme the Fumadocs docs site with the punktfunk identity, mirroring the marketing site: - Swap the stock `neutral` preset for `purple`, then override --color-fd-* with the violet lens-mark palette (#6c5bf3 / #a79ff8). The brand is the violet, not the site's blue marketing background, so the blue is not used as a reading surface; dark mode tints the chrome toward the app-icon violet-dark (#1c1530). - Adopt @unom/ui's token contract (--brand/--primary/--accent + bg-brand etc.) as the shared token source, and @source its dist. - Load Geist (the brand typeface) via @fontsource-variable/geist. - Add the BrandMark lens to the nav + landing hero, wire the brand favicon.svg, and add Docs/Website nav links. - Keep the Fumadocs light/dark toggle. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-20 14:40:52 +02:00
enricobuehler	333f66b45b	fix(host/serverinfo): don't advertise an empty codec mask when the VAAPI probe finds nothing ... The Phase 3 GPU-aware codec mask (6922e1c) probes VAAPI on any non-NVIDIA host. On a GPU-less box (CI container: no /dev/nvidia* -> `auto` picks VAAPI, but there's no VA display) the probe returns all-false, so the mask was 0 -- the host advertised NO codecs, and the serverinfo unit test failed. Fall back to the static superset when the probe yields nothing (VAAPI wasn't usable, not "the GPU encodes nothing"); quiet ffmpeg's expected "No VA display" error during the probe; and assert the test against codec_mode_support() rather than a hardcoded 65793 so it's deterministic regardless of the build host's GPU. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 11:52:17 +00:00
enricobuehler	6922e1c467	feat(host): VAAPI codec probe + AMD/Intel packaging + neutral logs (Phase 3) ... Polish for AMD/Intel support: - GameStream serverinfo advertises only codecs the GPU can ACTUALLY encode on the VAAPI backend (probed once by opening a tiny encoder per codec). AV1 encode is narrow (Intel Arc/Xe2+, AMD RDNA3+/RDNA4) and an old iGPU may lack HEVC, so a Moonlight client never negotiates a codec the encoder can't open. NVENC/Windows keep the Moonlight-validated static mask. Validated on a Radeon 780M: h264/h265/av1 all probe true -> mask unchanged (65793). - Packaging: Recommends mesa-va-drivers + intel-media-va-driver (deb) / mesa-va-drivers + intel-media-driver (rpm) so the auto-selected VAAPI backend works out of the box on AMD/Intel; NVIDIA boxes can --no-install-recommends. (Fedora note: stock mesa-va-drivers disables HEVC/AV1 -- needs the freeworld variant from RPM Fusion.) - De-NVIDIA-fy the user-facing encoder log/context strings ("open NVENC" -> "open video encoder") now that VAAPI is a first-class backend. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 10:41:37 +00:00
enricobuehler	708c62788d	feat(host/encode): VAAPI zero-copy dmabuf import (AMD/Intel GPU CSC) ... Phase 2 of AMD/Intel support: the VAAPI encoder now takes the capture dmabuf directly and does the RGB->NV12 colour conversion on the GPU's video engine, eliminating the host-side de-pad + swscale CSC + upload the CPU path pays. - capture: a vendor-neutral FramePayload::Dmabuf (dup'd fd + fourcc/modifier/ layout). When zero-copy is on, the EGL->CUDA importer is unavailable (any non-NVIDIA host), and the backend is VAAPI, the capturer advertises LINEAR dmabuf and hands the raw buffer to the encoder instead of CPU-copying it. - encode/vaapi: the encoder self-configures from the first frame's payload (no open_video signature change). The dmabuf arm wraps the buffer as an AV_PIX_FMT_DRM_PRIME frame and pushes it through a filter graph buffer(drm_prime) -> hwmap(vaapi) -> scale_vaapi=nv12 -> buffersink; the encoder takes NV12 surfaces straight from the sink. The Phase 1 CPU-upload path is kept as the other arm (used when capture produces CPU frames). Live-validated on a Radeon 780M (real Sway/xdpw desktop capture): correct, pixel-perfect HEVC, and ~10x less host CPU at 1440p (4.2s -> 0.4s of CPU for 300 frames) -- the de-pad/CSC/upload moves to the GPU. NVIDIA unchanged (zero-copy still imports to CUDA; the passthrough path only engages on non-NVIDIA hosts). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 09:57:00 +00:00
enricobuehler	5e27f65f2e	fix(host/capture): mmap the buffer fd ourselves — xdpw MemFd over-reads MAP_BUFFERS ... The CPU de-pad path trusted PipeWire's MAP_BUFFERS slice (`d.data()`, length = `data.maxsize`). xdg-desktop-portal-wlr hands MemFd ScreenCast buffers whose maxsize exceeds the bytes PipeWire actually maps into our process, so reading to maxsize ran off the end of the mapping and SIGSEGV'd the capture thread — crashing every CPU-path capture on Sway/wlroots (and thus any non-NVIDIA host, which has no CUDA zero-copy importer and always falls back to this path). mmap the fd ourselves, sized to its real length (fstat), for any fd-backed buffer (MemFd SHM or DmaBuf); fall back to `d.data()` then drop. The existing `needed > avail` guard now drops cleanly instead of over-reading. This also subsumes the original "MAP_BUFFERS didn't map a Vulkan dmabuf" fallback. Verified: fixes real Sway-desktop portal capture -> VAAPI HEVC on a Radeon 780M (correct image + colours); the NVIDIA zero-copy path (returns before this code) and the NVIDIA/KWin CPU path (self-mmap, fd_len == maxsize) both still work. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-19 21:48:49 +00:00