273 Commits

Author	SHA1	Message	Date
enricobuehler	188b26b584	fix build	2026-06-30 10:12:45 +02:00
enricobuehler	83ee53290e	feat(windows-host): mic passthrough — auto-wire audio devices + bundle VB-CABLE ... The Windows virtual mic worked only with manual Sound-settings fiddling: on a headless host (no real audio output) BOTH the desktop-audio loopback and the virtual mic must run on virtual cables, and on DIFFERENT ones or the loopback re-captures the injected mic (echo). The Steam pair gives only one usable cable (Steam Streaming Speakers loopback is silent — validated), so the mic + loopback collided and echoed, and when the default playback happened to be the mic device the anti-echo guard reported the mic "unavailable". Host now auto-wires the devices at startup (audio/windows/audio_control.rs, ensure_wired_once, hooked from open_audio_capture/open_virtual_mic): default playback = a loopback-capable render that is NOT a cable and NOT the dead Steam Speakers (real output > Steam Streaming Microphone); default recording = the mic capture (VB-Cable "CABLE Output" preferred). Uses a hand-rolled IPolicyConfig vtable (the only way to set a default endpoint; not in windows/wasapi crates). Opt out with PUNKTFUNK_KEEP_DEFAULT. wasapi_mic candidates now prefer "cable input". Validated live: from a deliberately-wrong start (playback=CABLE Input) the host corrected both default endpoints at the OS level. A Windows audio endpoint can only be created by a kernel-mode driver (no UMDF path — ACX is KMDF-only), so we cannot self-sign our own like the UMDF gamepad/ display drivers. Instead the installer bundles + silently installs the official base VB-CABLE (VB-Audio donationware, vendor-signed → loads with no test-signing, redistributed under VB-Audio's bundling grant): install-vbcable.ps1 (seed the VB-Audio cert into TrustedPublisher, run -i -h) + an installaudiocable task, gated on -VbCableDir/$env:VBCABLE_DIR (the package binary is not in the repo). Attribution in packaging/windows/licenses/VB-CABLE-NOTICE.txt. .iss compiles with the path enabled. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-30 09:09:26 +02:00
enricobuehler	0f798d62b6	feat(windows-host): pf-vdisplay — fix the ADD/REMOVE wedge + per-client display-config persistence ... Two phases of pf-vdisplay (IddCx virtual display) lifecycle work, both validated on-glass on the RTX box. Phase 1 — fix the long-standing IOCTL_ADD 0x80070490 (ERROR_NOT_FOUND) wedge that ghost-monitor slot-budget exhaustion produced under ADD/REMOVE churn (the reset-script/reboot recurring failure). Validated: 43 reconnect-churn cycles, 0 wedges, monitor-node count flat at 1. * driver: on IddCxMonitorArrival failure, tear the created-but-not-arrived monitor down with WdfObjectDelete + reclaim its id — the asymmetric-with-the-create-failure-path leak that exhausted the 16-monitor MaxMonitorsSupported budget; recover MONITOR_MODES from lock poisoning instead of failing closed (defensive; the driver builds panic=abort). * host: collapse the build-retry churn — hold ONE monitor lease across all build attempts and preempt only on Lingering (not Active), so a cold start does 1 ADD not 8; reap not-present "punktfunk" monitor PDOs on startup (the reset-script step-2 logic, in-process) and self-heal a detected 0x80070490 by reaping + retrying ADD; force-preempt a stuck-Active prior monitor on the begin_idd_setup timeout (the safety net the Lingering-only preempt would otherwise drop). Phase 2 — give each client (keyed by its cert FINGERPRINT) a STABLE virtual-monitor id (1..=15) so Windows reapplies that client's saved per-monitor config (DPI SCALING) across reconnects, and two clients never share/bleed config. Validated: distinct clients -> distinct ids (1, 2); the driver honors the host's id (echoed resolved == preferred). * proto: rename AddRequest._reserved -> preferred_monitor_id (offset 20) and AddReply._reserved -> resolved_monitor_id (offset 12) — byte-compatible (offset asserts), NO PROTOCOL_VERSION bump, so a pre-Phase-2 driver degrades gracefully to auto-id (the host detects it via the resolved echo). * driver: create_monitor honors a host-supplied preferred id via resolve_id (range 1..=15, never collides with a live monitor) and seeds the EDID serial + IddCx ConnectorIndex + ContainerId from it. * host: a persisted LRU fingerprint->id map (%ProgramData%\punktfunk\pf-vdisplay-identity.json), threaded to add_monitor via a set_client_identity no-op trait method (Linux/GameStream unaffected). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-30 09:09:26 +02:00
enricobuehler	080c55dbf7	refactor(host/windows): collapse Windows capture to IDD-push only ... Remove DXGI Desktop Duplication (DuplCapturer), Windows.Graphics.Capture (WgcCapturer), the two-process SYSTEM+helper relay (virtual_stream_relay / HelperRelay / DesktopWatcher / composed_flip), and the five source files that implemented them. IDD direct-push is now the sole Windows capture path; the session topology is always SingleProcess. Deleted files: wgc.rs, wgc_relay.rs, desktop_watch.rs, composed_flip.rs, windows/wgc_helper.rs (+ wgc-helper subcommand in main.rs). dxgi.rs is kept but carved to shared GPU primitives only (make_device, HdrP010Converter, VideoConverter, install_gpu_pref_hook, WinCaptureTarget, pack_luid) — ~2237 lines of DDA-only code removed; imports cleaned. capture.rs: IDD-push open failure fails the session cleanly (no fallback). Adds capturer_supports_444() — returns false on Windows (IDD-push 4:4:4 is a follow-up), replacing the stale single_process gate in 4:4:4 negotiation. session_plan.rs: CaptureBackend{Dda,Wgc} and SessionTopology::TwoProcessRelay removed. config.rs: no_helper/force_helper/no_wgc/capture_backend/secure_dda removed. merged_env_block relocated from wgc_relay to windows/interactive.rs. Linux cargo check clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-30 06:46:52 +00:00
enricobuehler	580b1ea7a7	feat(host/steam): shippable usbip/vhci_hcd virtual Deck + client leave-shortcuts ... Steam Deck pass-through (design/steam-deck-passthrough-plan.md), code-complete + all CI checks green on Linux + adversarially reviewed; on-glass validation pending: - usbip/`vhci_hcd` virtual Deck transport (inject/linux/steam_usbip.rs) for non-SteamOS hosts (Bazzite/generic) — presents a real interface-2 USB Deck so Steam Input promotes it. In-process vhci attach (loopback OP_REQ_IMPORT handshake → sysfs attach) with a bounded `usbip`-CLI fallback; detach on drop. - Backed by a vendored, libusb-free trim of the `usbip` crate (crates/punktfunk-host/vendor/usbip-sim, MIT + NOTICE; host/cdc/hid + rusb/nusb removed; interrupt-IN paced by bInterval). - Selection ladder raw_gadget (SteamOS fast-path) → usbip (universal) → UHID, with PUNKTFUNK_STEAM_USBIP / PUNKTFUNK_USBIP_ATTACH knobs. - Shared Deck descriptors + the 0x83/0xAE feature contract + a Steam-accepted serial consolidated into steam_proto.rs; the raw_gadget backend reuses them. - Linux client leave-shortcuts: Ctrl+Alt+Shift+D + holding the escape chord (L1+R1+Start+Select) >=1.5s end the session (short press still exits fullscreen); the chord state resets across sessions. Also bundles in-progress work already staged in the tree: - host(kwin): xdg-output logical-geometry mapping so the KWin fake_input backend places absolute coordinates correctly under display scaling. - docs: design/README index entries + design/controller-only-mode.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	963c406f33	feat(host/steam): default the gadget Deck on for SteamOS (glass-confirmed) ... The virtual Steam Deck is validated glass-to-glass on a Deck: it appears as a distinct second Steam controller, a held A drives Steam's overlay ("Resume Game"), and a button press registers in a real game (confirmed in-game). gadget_preferred() now defaults ON for SteamOS hosts (/etc/os-release ID=steamos or ID_LIKE), OFF elsewhere where the universal UHID path stays the default; PUNKTFUNK_STEAM_GADGET=1/0 forces it. A Deck-as-host with a physical Deck never reaches this path — resolve_gamepad's conflict gate degrades SteamDeck → DualSense first, so the two-Deck case never happens in production (it was only a test-rig confound on the dev Deck). The feature is complete: a virtual Steam Deck that Steam Input recognizes + promotes, churn-free, with input flowing to games. Workspace clippy/fmt/test green. Not pushed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	7ab8acaf55	feat(host/steam): harden the gadget feature contract — fixes the evdev churn ... The virtual Deck's gamepad evdev was churning (destroyed + recreated) because Steam kept re-probing: GetControllerInfo reads HID feature reports, and the gadget served zeros for them. Captured the real contract off a physical Deck (packaging/linux/steam-deck-gadget/get_deck_attrs.c, hidraw HIDIOCGFEATURE — usbmon truncates to 32B) and implemented it in steam_gadget.rs::feature_reply: - 0x83 GET_ATTRIBUTES_VALUES: [83, 2d, 9×(attr-id, u32-LE)] — product id 0x1205, a per-instance unit serial (0x0a/0x04, so a gadget never collides with a real Deck or another gadget), and the capability attrs (0x09=0x2e, 0x0b=0x0fa0, rest 0). - 0xAE GET_STRING_ATTRIBUTE: [ae, len, attr, ascii] — serial (attr 1) / board serial (attr 0). - other commands (0x87 settings): echo the last write. Validated on the Deck: 1 connect / 0 disconnect / 1 gamepad evdev (was constant churn), Steam activates the gadget cleanly (no GetControllerInfo failed, no zombie) and emits its X-Box 360 pad. usbmon on the gadget's bus confirms our state reports (pressed button at byte 8) are delivered on the interrupt-IN and consumed by hid-steam — so with M1/M2's byte-8→BTN_SOUTH decode the input chain is proven end-to-end. Remaining: a foreground-game confirmation of Steam Input's XInput mapping, then default the gadget on for SteamOS. Workspace clippy/fmt/test green. Not pushed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	c8e19396e4	feat(host/steam): raw_gadget Deck host backend (Steam-Input path, opt-in) ... Port the proven raw_gadget virtual Deck to a Rust host gamepad backend, the SteamOS-only transport that gets Steam Input to actually promote the Deck. - inject/linux/steam_gadget.rs (new): SteamDeckGadget — a userspace raw_gadget emulator of the real 3-interface USB Deck (mouse=0/keyboard=1/controller=2, 28DE:1205) on a dummy_hcd loopback UDC, descriptors captured from a physical Deck, answering every control transfer incl. the HID feature reports. Driven by the same steam_proto::serialize_deck_state as the UHID pad; rumble feedback via parse_steam_output. The raw_gadget UAPI is funneled through 4 documented ioctl wrappers (the crate denies undocumented unsafe). - inject/linux/steam_controller.rs: the manager pad is now a DeckTransport enum (Uhid | Gadget); ensure() prefers the gadget when PUNKTFUNK_STEAM_GADGET=1 (best-effort modprobe dummy_hcd+raw_gadget), gracefully falling back to the universal UHID SteamDeckPad. write/pump/heartbeat dispatch through the enum. Validated on a real Deck via a static musl harness that #[path]-includes the module: enumerates, hid-steam binds + reads our serial + creates the Steam Deck + Motion Sensors evdevs — identical to the C PoC. Caught a real portability bug: raw_gadget's no-arg ioctls (RUN/CONFIGURE/EP0_STALL) reject a non-zero `value` with EINVAL, and on musl an omitted ioctl vararg is a garbage register — so they must pass an explicit 0. Opt-in (default off) while the Steam GetControllerInfo feature contract is hardened (to stop the gamepad-evdev churn). Workspace clippy/fmt/test green. Not pushed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	4f40fa3cb7	feat(host/steam): M6 — Steam-pad conflict gate (hardware-validated) ... Don't present a virtual Steam (28DE) pad on a host that already has a physical Steam controller — the host's own Steam Input would then manage two Decks and confuse player assignment. - physical_steam_controller_present(): scans /sys/bus/hid/devices for a 28DE HID device on a real (non-/virtual/) path. - degrade_steam_on_conflict() in resolve_gamepad: a resolved SteamDeck / SteamController with a physical Steam controller attached degrades to DualSense (then the M5 uhid ladder); PUNKTFUNK_STEAM_FORCE=1 overrides (e.g. a remote-only box with no competing Steam Input). Validated on real hardware (a SteamOS Steam Deck @ .253 + a Bazzite host @ .41, both running Steam): - Conflict confirmed: the Deck-as-host already has its physical 28DE:1205 AND Steam's 28DE:11FF XInput output pad live; a 2nd virtual 28DE = two Decks. - Bind robustness: the virtual Deck binds hid-steam on a SECOND kernel (Bazzite 6.17.7, vs the dev box 7.0) and the kernel accepted our serial (the M1 fix). - Criterion-4 (running-Steam recognition) PARTIAL: a userspace consumer (Steam/ SDL) engaged the virtual Deck (opened the hidraw, ran the lizard-disable + settings sequence the kernel's Deck path skips) but emitted NO 28DE:11FF XInput pad on the desktop — so Steam recognizes it enough to manage lizard mode but did not promote it to a managed XInput controller (likely needs a Big-Picture/game context, or a richer device; the 0x83/0xA1 attribute probes never fired, so it wasn't a probe-reject either). - The heuristic itself checks TRUE on the Deck, FALSE on Bazzite. Workspace clippy/fmt/test green. Not pushed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	486a292845	feat(host/steam): M5 — fallback remap, motion rescale, degrade ladder ... Keep the rich Steam inputs from silently dropping when the resolved backend isn't the virtual hid-steam device, and fix a cross-device motion-scale bug. - inject/proto/steam_remap.rs (new, pure + unit-tested): * motion_wire_to_deck — the wire carries DualSense-convention units (20 LSB/ deg.s gyro, 10000 LSB/g accel — what every client capture emits), but the Deck's hid-steam report wants 16 LSB/deg.s + 16384 LSB/g. The Deck backend now rescales (gyro x16/20, accel x16384/10000): a real Deck<->Deck gyro/ accel correctness fix (the DualSense/DS4 backends consume the wire 1:1). * fold_paddles + RemapConfig (PUNKTFUNK_STEAM_REMAP=paddles=drop|stickclicks| shoulders, default drop) — the DualSense + DS4 managers fold a client's back grips onto standard buttons rather than dropping them (those pads have no back-button HID slot; the uinput Xbox pad already exposes them as Elite paddles BTN_TRIGGER_HAPPY5-8). - resolve_gamepad: a runtime degrade ladder — a UHID backend (DualSense / DS4 / Steam Deck) on a host where /dev/uhid isn't writable now falls back to the uinput Xbox 360 pad instead of a dead controller (the device-create would just fail). Separate from pick_gamepad's compile-time platform check, so the existing pick_gamepad tests are untouched. - Delete the throwaway M0/M1 spike (src/bin/steam_uhid_spike.rs) — M2's #[ignore]d backend test subsumes its validation, and removing it frees steam_proto to reference steam_remap cleanly. On-box backend test still green; workspace clippy/fmt/test green (incl. the new steam_remap tests). Deferred as optional RemapConfig growth: gyro->mouse / trackpad->stick synthesis on an Xbox target (no slot — documented drop today). Not pushed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	01c55aed38	feat(proto/steam): M3 — rich Steam wire (back buttons + 2nd trackpad) ... Carry the rich Steam Controller / Steam Deck inputs end-to-end on the wire — strictly additive + forward-compatible (unknown kinds/bits drop on old peers). Core (punktfunk-core): - input.rs: BTN_PADDLE1..4 + BTN_MISC1 in Moonlight's buttonFlags2<<16 namespace (so the GameStream paddle path and native grips share one host injector map; Steam L4/L5/R4/R5 reuse the four Xbox-Elite paddle slots). - quic.rs: RichInput::TouchpadEx (kind 0x03 — surface 0/1/2, touch+click, signed coords, pressure; the second trackpad the single Touchpad can't express) and HidOutput::TrackpadHaptic (kind 0x04 — the SC voice-coil pulse). Round-tripped. - abi.rs: PUNKTFUNK_GAMEPAD_STEAMDECK=6 / _STEAMCONTROLLER=5, the paddle bits, RICH_TOUCHPAD_EX / HIDOUT_TRACKPAD_HAPTIC constants. from_hid packs TrackpadHaptic into the existing which + effect[0..6] — the legacy structs do NOT grow (guarded by new size_of==20/19 asserts); GamepadPref lockstep + paddle-bit lockstep asserts extended. include/punktfunk_core.h regenerated. Host (punktfunk-host): - steam_proto::from_gamepad maps the wire paddles -> the four Deck grips + QAM; apply_rich routes TouchpadEx left/right -> the matching pad. - every DualSense/DS4 manager (Linux + Windows) gained a TouchpadEx arm (surface 0/2 -> its one touchpad; surface 1 ignored) so the variant compiles everywhere and a Steam client streaming to a DS host keeps its right pad. - the xpad BUTTON_MAP finally consumes the GameStream paddle bits (BTN_TRIGGER_HAPPY5-8) — Sunshine/Moonlight paddle clients were silently no-op'd before (design §5.6). - Android feedback: drop TrackpadHaptic (no coils; rumble rides 0xCA). Validated on-box: the ignored backend test now drives the full wire path — from_gamepad (BTN_A + the L4 grip) + apply_rich (a left-pad TouchpadEx) reach the evdev as BTN_A + ABS_HAT0X=-8000. Wire round-trips + paddle/TouchpadEx mapping unit-tested. Workspace clippy/fmt/test green. Not pushed. Deferred to M4: the C-ABI PunktfunkRichInputEx + send_rich_input2 (only the Apple/embedder *send* path needs it; the host decodes TouchpadEx today). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	95308d352b	feat(host/steam): M2 — virtual Steam Deck as a wired PadBackend (Linux) ... Make the virtual hid-steam device a selectable per-session host gamepad, end-to-end on Linux: PUNKTFUNK_GAMEPAD=steamdeck now builds a SteamControllerManager that creates a /dev/uhid 28DE:1205 Deck, enters gamepad_mode, and feeds the byte-exact Deck report (M1). - inject/linux/steam_controller.rs: SteamControllerManager / SteamDeckPad, mirroring dualsense.rs (open/create2, GET/SET_REPORT pump, heartbeat, RAII destroy). Two Steam-specific quirks beyond the DualSense path: * gamepad_mode entry — best-effort `lizard_mode=0` via sysfs, plus a b9.6 creation pulse (MODE_ENTER) so steam_do_deck_input_event stops early-returning, plus an anti-toggle guard (MENU_HOLD_CAP) so a long in-game Start-hold can't flip gamepad_mode back off. * UHID_SET_REPORT answered err=0 (DualSense omits it; the kernel stalls ~5s/cmd otherwise); the 0xEB rumble report parsed onto the 0xCA plane. - core config.rs: GamepadPref::SteamDeck (wire byte 6) + SteamController (byte 5, reserved — folds to Xbox360 until its backend lands); from_u8 / from_name / as_str. Forward-compatible (unknown byte -> Auto); the C-ABI PUNKTFUNK_GAMEPAD_* constants stay M3, so no generated-header drift. - punktfunk1.rs: PadBackend::SteamDeck variant + select / handle / apply_rich / pump / heartbeat arms; pick_gamepad Linux arm. On-box: an #[ignore]d backend test (backend_binds_and_input_flows) drives the real SteamDeckPad — it binds hid-steam (gamepad + IMU evdevs), enters gamepad mode, BTN_A reaches the evdev, and the device tears down on drop. Workspace clippy/fmt/test green. Not pushed. Next: M3 (protocol/ABI wire) + M4 (client capture). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	9ff7d41bfe	feat(host/steam): M1 — byte-exact Deck input serializer, on-box validated ... Flesh out inject/proto/steam_proto.rs into the full Steam Deck HID contract, transcribed verbatim from the kernel steam_do_deck_input_event / steam_do_deck_sensors_event and validated field-for-field against kernel 7.0: - SteamState: the u64 button map (bytes 8..16), sticks/triggers/trackpads/IMU stored as raw little-endian report values; serialize_deck_state is a pure, byte-exact memcpy into the 64-byte unnumbered frame. - from_gamepad (XInput frame -> Deck buttons/sticks/triggers) + apply_rich (RichInput touchpad -> right pad, motion -> IMU). - parse_steam_output: the 0xEB ID_TRIGGER_RUMBLE_CMD feedback -> (low, high) for the universal rumble plane. - serial_reply fixed: prepend the report-id-0 byte the kernel strips (steam_recv_report does memcpy(data, buf+1, ...)); M0's reply lacked it, so the kernel fell back to the "XXXXXXXXXX" serial. - SteamModel (Deck now; classic Controller later), command/feature IDs. The spike is repurposed as the M1 validator: it pulses the b9.6 mode-switch to enter gamepad_mode (steam_do_deck_input_event early-returns under the default lizard_mode otherwise), then holds a known test pattern. Reading both evdevs via EVIOCGABS/EVIOCGKEY, every field matched: ABS_X/Y/RX/RY (incl. the kernel Y-negation), both triggers, the touched right-pad HAT1X/Y, the IMU accel/gyro (with ABS_Z/RZ negations), and the 6 expected buttons incl. the L4/R5 grips. 5 unit tests + workspace clippy/fmt/test green. Next: M2 (SteamControllerManager UHID backend + PadBackend wiring). Not pushed — pipeline not yet shippable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	2b47d8cc28	feat(host/steam): M0 — virtual hid-steam UHID device binds + parses (Linux) ... Greenfield virtual Steam Deck controller, the Steam analogue of the shipped virtual DualSense. Proves the kernel hid-steam driver binds a /dev/uhid 28DE:1205 device, registers it as a real Steam Deck, and parses our input reports — the go/no-go gate for the full Steam Controller/Deck pipeline. - inject/proto/steam_proto.rs: keeper module — the vendor HID descriptor (one feature report, the sole thing steam_is_valve_interface() checks), the command/feature IDs, serialize_deck_state, and the serial GET_REPORT reply. Unit-tested. - src/bin/steam_uhid_spike.rs: throwaway M0 spike (Linux-only) — opens /dev/uhid, creates the device, services the handshake including UHID_SET_REPORT (which the DualSense backend omits and which hid-steam stalls ~5s/cmd without), and heartbeats a neutral report. - design/steam-controller-deck-support.md: full design + M0–M7 plan; the two walls (Steam Input capture ownership; virtual-Steam recognition) and the fidelity ceiling. Status: M0 GREEN. On-box (headless Ubuntu 26.04, kernel 7.0, no Steam): journalctl -k shows hid-steam binding the device (rebind off hid-generic), "Steam Controller connected", and the kernel creating BOTH a "Steam Deck" gamepad evdev and a "Steam Deck Motion Sensors" IMU evdev (INPUT_PROP_ACCELEROMETER). A layout-agnostic mash-probe drove 23 distinct BTN_* codes through hid-steam -> evdev, proving the input-report parse path. M1 line-checks the exact per-bit report layout against the lab kernel. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	7cd9364c9e	style(host): rustfmt the #9/#13 pairing edits ... Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	60de506f66	fix(host/gamestream): correct the rsa-Marvin (S7) rationale + cap pairing signatures ... Red-team found the .cargo/audit.toml justification for RUSTSEC-2023-0071 was materially wrong: it claimed "Marvin targets decryption, so the vulnerable path isn't exercised" — but the advisory is a variable-time modexp of the secret exponent, which RSA *signing* (signing_key.sign) also runs. The accept is still correct, for the RIGHT reasons (no decryption/padding oracle; the signed serversecret is host-random not attacker-chosen; signing is operator-PIN-gated; GameStream is off by default and the native QUIC plane uses rustls, not rsa; Moonlight mandates RSA-2048 so the GameStream key can't move off it). Rewrite the rationale accordingly. Also shut the timing-sample amplifier the review surfaced: the pairing session was never marked after phase 3, so a peer past phase 1 could loop phase2/phase3 to harvest many RSA signing-time samples. Sign exactly once per ceremony (reject a repeated serverchallengeresp). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	2865368771	fix(host/pairing): close native-pairing DoS findings #9 + #13 (red-team follow-up) ... The accepts for #9 (PIN-window burn) and #13 (knock-queue flood) rested on a circular premise — each cited the other as the safe fallback — and a re-review showed one LAN attacker could defeat BOTH, denying all onboarding. Close them: - #13 per-source-IP cap on the pending-knock queue (MAX_PENDING_PER_IP) so one host can't fill/evict the 32-slot queue (QUIC validates the source address); and eviction now NEVER drops a live *parked* knock (a held-open connection awaiting operator approval), so a cert-rotating flood can't evict the genuine device being onboarded. This makes the delegated-approval path genuinely flood-resistant — restoring the validity of #9's "use delegated approval on hostile LANs" fallback. - #9 fingerprint-bindable PIN window: `NativePairing::arm_for(ttl, Some(fp))` binds the window to one operator-selected device; `pin_for_attempt` returns `BoundToOther` for any other fingerprint, which the QUIC pair path rejects WITHOUT consuming the window — so an unpaired peer can neither pair nor BURN a window armed for a specific device (it can't forge the bound fingerprint). The mgmt `POST /native/pair/arm` gains an optional `fingerprint` (from a pending knock); unbound arming keeps the legacy any-device behavior (trusted-LAN). (Web-console "pair this pending device with a PIN" UX is a follow-up; the flood-resistant knock path above is the immediate hostile-LAN onboarding path.) + regression tests (armed_pin_is_fingerprint_bindable, pending_per_ip_cap_and_parked_protection); api/openapi.json regenerated. 110 host tests + clippy + fmt green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	b5f02000d6	fix(host/security): scope Windows shared-section SDDL to SYSTEM+LocalService (close #5) ... The gamepad host<->UMDF-driver shared sections (Global\pfds-shm-*, pfxusb-shm-*) and the IDD-push frame ring/event (Global\pfvd-*) were created with `D:(A;;GA;;;WD)` — GENERIC_ALL to **Everyone** — on the assumption the driver's WUDFHost ran under a restricted token needing broad access. So any local unprivileged user could OpenFileMapping the section to inject controller input, tamper the trusted HID channel, or read captured screen frames (security-review 2026-06-28 #5). On-box validation (RTX box, 2026-06-29) disproved the restricted-token premise: the WUDFHost token is NT AUTHORITY\LocalService (S-1-5-19), SYSTEM integrity, with ZERO restricted SIDs. So the section only needs SYSTEM (the host creates + writes it) and LocalService (the driver opens it). Scope both SDDL sites to `D:(A;;GA;;;SY)(A;;GA;;;LS)`; rename the now-misnamed `permissive_sa` -> `shared_object_sa`; correct the stale "restricted-token / Everyone" docs. Validated live: a full DualSense + 1280x720x60 session — 6943 frames received, HID output round-tripped, device status OK (pf_dualsense + pf_vdisplay WUDFHosts both LocalService open the scoped sections fine), while OpenFileMapping from a non-SYSTEM admin session now returns ACCESS_DENIED (was a granted handle under WD). Host-only change (the SDDL is set when the host CREATES the section); drivers unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	46b9aa8cf0	fix(windows-host): IDD activation — resolve-first, force-EXTEND only as fallback ... force_extend_topology() was added before the resolve loop to de-clone a fresh IDD on integrated-screen boxes (laptops), but its bare SDC_TOPOLOGY_EXTEND preset is ACCESS_DENIED from the Session-0 service context on a HEADLESS box and broke the IDD auto-activation there: resolve_gdi_name stayed None -> "not an active display path" -> black screen. That regressed the headless/primary platform (live RTX box). Revert to the proven e2c9bfd flow: resolve FIRST (Windows auto-activates the IDD as its own extended path), and force-EXTEND only as the FALLBACK when resolve returns None (the integrated-screen clone case, observed live to leave resolve None). The success path is byte-identical to e2c9bfd (resolve -> set_active_mode -> isolate_displays_ccd). Validated live: the headless RTX box streams again (probe: frames flow, driver attaches to the ring, host/driver render LUIDs match). Reviewed multi-agent + adversarial: no regression on the validated headless path or the observed Optimus-laptop clone path (a cloned IddCx target resolves to None there, so the is_none() fallback fires + de-clones). Known theoretical caveat, documented inline and unobserved for IddCx but untested across GPU/driver/OS: a CCD clone that manifests as a shared-source ACTIVE path would resolve to Some and bypass the is_none() gate. Follow-up: widen the gate (a target_is_cloned helper) once an integrated-screen box is available to validate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-29 16:15:48 +02:00
enricobuehler	d1d2ca293d	feat(pairing): seamless no-PIN delegated approval (host parks the knock, clients add "Request access") ... Web-console "Approve" (delegated pairing, roadmap §8b-1) was unreachable: every client routed a fresh pair=required host straight to the SPAKE2 PIN ceremony, so no "knock" was ever recorded; and an unpaired connect was rejected+closed with no way to resume after approval. The backend + console were complete but had no client-side trigger and no post-approval admit path. Host (native_pairing.rs, punktfunk1.rs): an unpaired identified knock is now PARKED instead of rejected — it releases its NVENC session permit, awaits an operator decision (NativePairing::wait_for_decision, woken by a Notify on approve/deny), and on approval re-acquires a slot and admits the SAME connection with no reconnect. QUIC keep-alive (4s/8s) holds the parked connection warm. The pairing gate moves out of the HANDSHAKE_TIMEOUT-bounded handshake future; approve_pending is reordered read-then-add and wait_for_decision double-checks is_paired to close a "neither pending nor paired" race. New PENDING_APPROVAL_WAIT (180s). Tests: delegated_approval_admits_after_knock now approves mid-park (no reconnect) + new wait_for_decision_approve_deny_timeout unit test (108 host tests green). Clients (Linux/Apple/Windows/Android): a fresh pair=required host now offers "Request access" alongside the PIN ceremony — a plain identified connect with a ~185s handshake budget and a cancelable "waiting for approval" UI; on success the host is saved as paired, and cancel returns the UI immediately while a late- resolving connect is torn down silently via a per-attempt flag. Apple reuses the existing C-ABI timeout_ms (no ABI change); Windows adds SessionParams.connect_timeout + a RequestAccess screen; Android adds a timeoutMs arg to the nativeConnect JNI seam (both sides + both callers). Linux built + clippy + fmt clean; Apple/Windows/ Android pending their CI/on-device compiles. SPAKE2 ceremony reviewed end-to-end against the spake2 0.4 contract — correct, no changes needed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:41:09 +00:00
enricobuehler	705a8fa94e	chore(deps): drop unmaintained rustls-pemfile; axum-server 0.7 -> 0.8 ... axum-server was used only for the plain-HTTP nvhttp listener, but we enabled its tls-rustls feature (HTTPS is hand-rolled over tokio-rustls) — and that feature was what pulled the unmaintained rustls-pemfile (RUSTSEC-2025-0134). Drop the feature, bump axum-server to 0.8 (0.8 also no longer pulls it), and move our own PEM parsing in gamestream/tls.rs to rustls-pki-types' PemObject (the same path punktfunk-core/quic.rs already uses), removing our direct rustls-pemfile dep too. Net: rustls-pemfile fully gone; dependency graph trimmed 547 -> 529 crates (the tls-rustls feature also dragged in prettyplease + a wasm-tooling chain). cargo audit now reports only audiopus_sys + paste (transitive, latest, no successor). 108 host tests + clippy + fmt green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:32:58 +00:00
enricobuehler	bee1f0416d	chore(licensing): LGPL FFmpeg swap, third-party notices, attribution hygiene ... The MIT OR Apache-2.0 SOURCE license is clean (audit found no copied copyleft); the gaps were all binary-distribution (Layer-2). This makes the shipped artifacts honest: - Windows host + client: bundled FFmpeg BtbN gpl-shared -> lgpl-shared (AMF/QSV/decode unaffected; the GPL-only x264/x265 were never used), and ship the FFmpeg LGPL notice + license text in the installer + MSIX (licenses/). - THIRD-PARTY-NOTICES.txt generated + bundled into installer/MSIX/deb/rpm. Offline generator (scripts/gen-third-party-notices.{py,sh}) + cargo-about config (about.toml/ .hbs) with a permissive-only accepted-license allow-list as a copyleft regression gate. - Reword the win32u GPU-preference hook comments to reflect independent reimplementation (no Apollo/Sunshine GPL-3.0 source copied). - README dual-license + inbound=outbound contributor clause + non-affiliation trademark disclaimer; new CONTRIBUTING.md. - LICENSE files into the standalone driver + vk-layer workspaces; deb copyright holder aligned to "unom and the punktfunk contributors". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:20:38 +00:00
enricobuehler	91bb955d0c	style(host): rustfmt the security-fix wrapping (cargo fmt --all --check) ... Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 05:19:22 +00:00
enricobuehler	6f903f79bc	fix(host/security): Windows DACL hardening — close audit #2, #3, #8, #11 ... Windows local-privilege findings from design/security-review-2026-06-28.md. These are #[cfg(windows)] paths (verify in CI / on the box; this Linux dev VM can't compile MSVC). They follow the existing write_secret_file/icacls patterns; the cross-platform parts are cargo check/clippy/test green. - #2 [HIGH]: route the mgmt bearer token write through the shared write_secret_file so it gets the SAME Windows DACL (SYSTEM/Administrators) as the host key — it was cfg(unix)-only and left Users-readable, leaking full mgmt admin authority to any local user. - #3 [HIGH]: create_private_dir now applies a restrictive DACL to the %ProgramData%\punktfunk config directory (re-owns to Administrators to defeat a pre-creation, strips inheritance, SYSTEM/Admins/OWNER full + Users read-only) so a local user can't plant host.env/apps.json that the SYSTEM service trusts (env/arg-injection LPE). host.env is now written DACL-locked via write_secret_file; the config + logs dirs go through create_private_dir. - #8 [LOW]: write the web-console password file empty, icacls-lock it, THEN write the secret — closes the brief write-then-icacls TOCTOU window. - #11 [LOW]: the SYSTEM logs dir is DACL-locked (Users read-only, no create), so a local user can't pre-plant host.log as a reparse/hardlink to redirect SYSTEM's writes (subsumed by the #3 dir lockdown). Deferred: #5 (host<->UMDF gamepad/IDD shared-section Everyone:GENERIC_ALL). The section SDDL is intentionally permissive because the UMDF driver opens it under a restricted token of unknown SID/integrity; scoping it blind would likely break the live-validated gamepad/IDD pipeline, so it needs on-box validation first. Tracked in the report. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 22:14:19 +00:00
enricobuehler	3532e35b75	fix(host/security): close audit findings S1,#1,#4,#10,#12,#7,#6,S2-S6 (Linux/cross-platform) ... Remediations from design/security-review-2026-06-28.md verified on Linux (cargo check/clippy/test green; Windows-gated paths verify in CI): - S1 [HIGH]: bump quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185, pre-auth out-of-order STREAM reassembly memory exhaustion on the always-on default QUIC listener). - #1 [HIGH]: remove the unauthenticated nvhttp `GET /pin` endpoint; the GameStream PIN is delivered ONLY via the bearer-gated mgmt API, so a network client can no longer submit its own displayed PIN and self-pair. - #4 [HIGH->MED]: gate the unauthenticated RTSP/UDP media plane on a paired `/launch` and bind it to the launching client's source IP (threaded through the HTTPS handler), so an unpaired peer can neither start capture on an idle host nor ride a paired client's active launch. - #12: bound concurrent parked pairing waiters (MAX_PARKED_WAITERS) so a pre-auth peer can't pin unbounded 300s handshakes. +regression test. - #10: throttle the per-packet ENet control GCM-decrypt-failed warn (exponential backoff) so a junk flood can't spam the log. - #7 [MED->LOW]: serialize all process-global env mutation on the session-setup path under a new vdisplay::ENV_LOCK (apply_session_env / apply_input_env / the launch-cmd set_var / the gamescope env read), so concurrent native sessions can't race set_var/getenv (data-race UB -> host-wide DoS). Full per-session SessionContext threading remains a follow-up for cross-session value confusion. - #6 [MED]: move the gamescope EIS socket relay from world-writable /tmp to $XDG_RUNTIME_DIR (per-user 0700) and reject a symlinked relay file, so a local user can't intercept (keylog) or deny the remote session's input. - S2: a malformed client Opus mic frame now drops that frame instead of tearing down the shared host-lifetime virtual mic (cross-session DoS). - S3: track held buttons/keys in capped HashSets (was unbounded Vec with O(n) scans) so a paired client can't grow per-session input state. - S5: reject fps==0/absurd at the open_video chokepoint (covers Hello, ANNOUNCE, Reconfigure) so the encoder time_base/pts math can't div-by-0. - S6: bound the shared mic mpsc (drop-newest when full). - S4: cap Epic launcher-cache reads (catcache.bin/.item) so a planted giant can't OOM the host during library enumeration. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 22:06:24 +00:00
enricobuehler	8672026e97	fix(host): clear clippy doc_lazy_continuation in the 4:4:4 docs ... A line-wrap put `+`/`*`-style markers at the start of two doc lines, which clippy (Windows host job, rust 1.96) reads as markdown list items whose unindented follow-on lines trip `doc_lazy_continuation` under `-D warnings`: - encode/windows/nvenc.rs `chroma_444` field doc (the failing Windows-host clippy job): "+ chromaFormatIDC = 3" → "and chromaFormatIDC = 3". - encode/linux/vaapi.rs `probe_can_encode_444` doc: "+ validate" → "and validate" (last line, didn't fire yet, but fragile — fixed pre-emptively). Pure doc rewording, no behaviour change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:38:07 +00:00
enricobuehler	75627c8afe	feat(audio): end-to-end 5.1/7.1 surround across the native path + all clients ... Adds negotiated 5.1/7.1 surround to the punktfunk/1 protocol and every client (previously stereo-only): - core: new shared `audio` layout table (LAYOUT_51/71 + identity multistream mapping, canonical wire order FL FR FC LFE RL RR SL SR); Hello/Welcome `audio_channels` negotiation via the trailing-byte back-compat pattern (old peers fall back to stereo); C-ABI `punktfunk_connect_ex6`, `punktfunk_connection_audio_channels`, and in-core multistream decode `punktfunk_connection_next_audio_pcm` for embedders without a multistream Opus decoder. Real-libopus channel-identity round-trip test. - host: native audio thread captures + Opus-(multi)stream-encodes at the negotiated count (with a cross-session cached-capturer channel-mismatch fix); GameStream surround unified onto the safe `opus::MSEncoder`, dropping `audiopus_sys` (~4 unsafe blocks) and un-gating Windows GameStream surround; WASAPI loopback capture relaxed to 2/6/8 with the correct dwChannelMask. - clients: Linux (PipeWire), Windows (WASAPI), Android (AAudio) decode via `opus::MSDecoder` + render multichannel; Apple decodes in-core to PCM → AVAudioEngine with an explicit wire-order channel layout; each gains a Stereo/5.1/7.1 setting. `punktfunk-probe --audio-channels N` is the headless validator. Verified on Linux: core/host/linux/probe test suites + the Android Rust (cargo-ndk) build, clippy -D warnings, and rustfmt all green. Windows/Apple builds, all on-glass checks, and the live native loopback are pending (CI / a free box). Also lands the concurrent in-tree HEVC 4:4:4 host work (PUNKTFUNK_444): it shares the same touched files (quic.rs, punktfunk1.rs, encode/*, ...) and so cannot be committed separately from the surround changes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:11:05 +00:00
enricobuehler	3947d5b07a	fix(host/audio): drive the Linux virtual mic with RT_PROCESS (was silent) ... The punktfunk-mic PipeWire source connected without RT_PROCESS, so it ran as an async/main-loop node. In the host's busy multi-stream graph (desktop audio + video capture + the session) it never acquired a driver, stayed suspended, and its process() callback never fired — every recorder reading the remote mic heard pure silence (the long-standing "Linux host mic broken"). Connect the mic stream with RT_PROCESS so it is a synchronous node that joins its consumer's driver group and is actually driven. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 12:46:06 +00:00
enricobuehler	238501597e	feat(host/gamestream): follow Desktop<->Game session switches ... The GameStream/Moonlight video plane is a separate encode loop that lacked the session-following the native punktfunk/1 plane has, so a mid-stream Desktop<->Game switch killed the stream ("video stream failed") instead of following it. * Normalize the session env like the native plane: extract open_gs_virtual_source, which detects the LIVE compositor + apply_session_env/apply_input_env (gamescope ATTACH default -> resize-on-attach to the box's own game-mode session at the client mode; KWin/Mutter retargeting). GameStream previously ran a bare detect() against raw process env, so in game mode it bare-spawned a COMPETING gamescope instead of attaching to the box's session. * In-place capture-loss rebuild: replace the `?` that ended the stream with a bounded rebuild (re-detect the live compositor via the same factory, build the new source BEFORE dropping the old, reopen the encoder, force an IDR) — keeping the send thread + packetizer + socket + RTP clock. A same-resolution Desktop<->Game toggle is now FOLLOWED with no Moonlight reconnect. Protocol limit (unchanged): a mid-stream RESOLUTION change is impossible on GameStream (WxH locked at ANNOUNCE; no Reconfigure) — a session toggle keeps the negotiated mode, so this isn't hit. The portal/synthetic source passes no rebuild closure (propagates as before). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 12:22:12 +00:00
enricobuehler	61aa1053e7	feat(host/gamescope): headless game mode that follows the box + matches the client ... Make Steam game mode work on a display-less streaming host and stream it at the client's resolution: * Ship /etc/gamescope-session-plus/sessions.d/steam (packaging/bazzite/ gamescope-headless-session, installed by the RPM + Arch PKGBUILD): fall back to gamescope's headless backend when no display is connected, so "Switch to Game Mode" boots offscreen instead of crashing on the missing panel (and 5-striking back to desktop). No-op on display-attached boxes; only sets unset values so the host's per-client mode still wins. * Default Bazzite/SteamOS to ATTACH (PUNKTFUNK_GAMESCOPE_ATTACH=1 in host.env): the box owns its session (Desktop<->Game, persistent), the host follows + captures it and never tears it down — so switching is rock-solid and a disconnect leaves the box in its mode (reconnect returns there). * Resize-on-attach (gamescope.rs): on connect, ensure the box's own game-mode session runs at the CLIENT's resolution — reuse it when already matching (fast path, no restart), else reconfigure + restart the box's own autologin gamescope-session-plus@<client> at the client mode (cooperative: no competing unit, so no autologin-respawn fight). Detect the live gamescope's -W/-H via argv[0] in /proc (its /proc/<pid>/exe is unreadable for that process). Validated live on a headless bazzite-deck-nvidia box: game mode boots headless + stable (0 strikes); the host attaches + streams video/audio/EIS input; a 5120x1440 client reuses the matching session and streams at 5120x1440. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 11:09:45 +00:00
enricobuehler	50e17b3508	fix(host/capture): hold the session through a slow compositor switch ... A Bazzite/SteamOS Gaming↔Desktop switch tears the old compositor down and can take 15s+ to bring the new one up — longer than the capture-loss rebuild's ~10s window, so the session failed mid-switch ("disconnect — session failed") and forced the client to cold-reconnect. Retry the rebuild within a 40s budget instead of giving up after one round, and re-detect the live compositor on each attempt so the stream follows the box to whatever session comes up (a new instance of the same compositor, or a different one — the kind-change case). The QUIC keepalive runs on its own thread, so the client stays connected (frozen on the last frame) and the stream resumes when the new output appears, with no reconnect. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 09:31:47 +00:00
enricobuehler	94c556f0e3	fix(host/capture): recover from compositor loss instead of freezing ... When the compositor is torn down mid-stream (a Gaming↔Desktop switch removes the virtual output), its PipeWire stream leaves Streaming for Paused rather than disconnecting. try_latest treated that as Ok(None) ("static desktop — repeat the last frame"), so the stream froze on the last frame forever and neither recovery path fired: the capture-loss rebuild keys on Err, and the session watcher keys on a session-KIND change (a desktop→desktop new KWin instance is the same kind). Track the PipeWire stream state via state_changed (a `streaming` flag) and, in try_latest, surface a sustained non-Streaming state (1.5s grace for a transient renegotiation blip) as a capture-loss Err — which the encode loop already handles by rebuilding the pipeline in place. A static desktop stays Streaming, so no false trigger. Complements the now-default session watcher. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 09:00:35 +00:00
enricobuehler	32c1929948	feat(host/session-watch): default Gaming↔Desktop follow on for Bazzite/SteamOS ... The mid-stream session watcher (rebuild the backend in place when the box flips Gaming↔Desktop) was opt-in via PUNKTFUNK_SESSION_WATCH, so it never ran on a stock Bazzite/SteamOS box — switching modes froze the stream on the now-dead compositor. Default it ON when os-release ID/ID_LIKE is bazzite/steamos (the platforms that flip sessions); still off on plain desktops. Also parse the env properly so PUNKTFUNK_SESSION_WATCH=0 actually disables it (was: any value, including "0", enabled it). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 08:43:27 +00:00
enricobuehler	3915a82780	fix(host/input): route KWin auto-detect to the fake_input backend ... apply_input_env() hard-pinned PUNKTFUNK_INPUT_BACKEND=libei for KWin, and default_backend() reads that env first — so the auto-detecting host (the normal `serve` service) ignored the new KwinFakeInput backend and fell back to the RemoteDesktop portal path that needs a user to approve. Route KWin to "kwin" (org_kde_kwin_fake_input); GNOME/Mutter stay on libei (no fake_input there). Validated live on a Bazzite KDE box via the auto-detect path: backend=KwinFakeInput, "KWin fake_input ready (no portal)", input events forwarded with no errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:52:02 +00:00
enricobuehler	f74bc4a3f1	feat(host/input): headless KDE input via org_kde_kwin_fake_input ... Desktop-mode (KWin) streaming had no input: the path was libei via the RemoteDesktop portal, which (a) isn't reachable from the host service env and (b) requires a human to approve "Allow remote control?" — a non-starter on a headless box. KWin's own headless RDP server (krdpserver) solves this with org_kde_kwin_fake_input, authorized by the exact same .desktop X-KDE-Wayland-Interfaces grant we already ship (org_kde_kwin_fake_input is listed alongside zkde_screencast_unstable_v1). Add a fake_input injector: vendor the protocol XML, bind the global as an ordinary Wayland client, authenticate (auto-accepted for an interface-authorized client — no dialog), and translate pointer (rel/abs), button, scroll, keyboard (raw evdev keycodes resolved by KWin's own keymap) and touch. Select it for KWin (compositor=="kwin" or XDG_CURRENT_DESKTOP KDE); GNOME stays on libei (it has neither fake_input nor the wlr protocols). PUNKTFUNK_INPUT_BACKEND=kwin forces it. cargo check + clippy + fmt green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:26:04 +00:00
enricobuehler	8e18d01af5	fix(host/kwin): authorize Desktop-mode streaming via a shipped .desktop ... Streaming the KDE *Desktop* (KWin) session failed on a real interactive Plasma session with "KWin does not expose zkde_screencast_unstable_v1": KWin treats the screencast/virtual-output and fake_input globals as restricted and advertises them only to a client whose installed .desktop lists them under X-KDE-Wayland-Interfaces (matched by /proc/<pid>/exe -> Exec, and cached per-executable on first connect). The host shipped no .desktop, so it was permanently denied; it only ever worked on the headless dev box via KWIN_WAYLAND_NO_PERMISSION_CHECKS=1. Ship packaging/linux/io.unom.Punktfunk.Host.desktop (least-privilege: only the host, only zkde_screencast_unstable_v1 + org_kde_kwin_fake_input) and install it from the RPM/.deb/Arch host packaging so it is present before the host first connects. Drop the blunt session-wide NO_PERMISSION_CHECKS hack from kde-desktop-setup.sh (it now only seeds the RemoteDesktop input grant) and fix the now-misleading kwin.rs docs/errors. Validated live on a Bazzite Kinoite box (KWin 6.6.4): probe-compositor + spike --source kwin-virtual succeed against a KWin running WITHOUT the permission bypass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:15:39 +00:00
enricobuehler	3477cbe7ce	fix(audio/windows): stop the client mic echoing back through the loopback ... The Windows virtual mic fakes a capture endpoint by writing the client's uplinked PCM into a virtual device's *render* endpoint, while the desktop-audio plane loopback-captures the *default render* endpoint — with no mutual exclusion between the two. WASAPI loopback captures the mixed output of an endpoint (everything any app renders to it, including our mic writes), so when both resolve to the same device — VB-CABLE used for both, or the auto-installed Steam Streaming Microphone being the default render on a headless box — the injected mic is captured straight back into the host->client audio stream: an infinite echo. find_device() now resolves the loopback's endpoint id (default render) and skips any candidate matching it, scanning on to the next non-loopback match, so the mic can never land on the device the loopback reads. The auto-install path now provisions the full Steam pair (Streaming Microphone + Streaming Speakers) so a bare host gets two distinct devices instead of one shared one. Errors distinguish "no device" from "only candidate is the loopback device". Linux was already immune (its mic is a dedicated Audio/Source node, structurally separate from the monitored sink). Windows-only (#[cfg(windows)]); rustfmt-clean, compile-checked in windows-host CI, needs on-glass validation on the RTX box. Does not force the system default playback onto Steam Streaming Speakers (IPolicyConfig) — not required to break the echo. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 23:51:46 +00:00
enricobuehler	5a2e07e865	style(windows): rustfmt install.rs to unbreak cargo fmt --all --check ... The pnputil /add-driver call in windows/install.rs was committed unwrapped; `cargo fmt --all --check` (which checks cfg(windows) files too) flagged it and failed the `rust` CI job at the Format step, skipping clippy/build/test. Apply rustfmt — no behavior change. Clears the way to cut the v0.2.0 release from green main. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 23:19:12 +00:00
enricobuehler	125a51d81d	feat(windows-installer): move driver + web install into the host exe (ASCII root fix) ... Port the three install-time PowerShell *files* (install-pf-vdisplay.ps1, install-gamepad-drivers.ps1, web-setup.ps1) into punktfunk-host.exe subcommands: `driver install [--gamepad] --dir <stage>` and `web setup --app-dir <app> [--password-file <f>]` (windows/install.rs). Why: PowerShell 5.1 reads a BOM-less .ps1 FILE in the machine ANSI codepage, so a stray non-ASCII byte mis-decodes and aborts on a non-English box - exactly how the pf-vdisplay driver install silently failed. A compiled subcommand drives the same external tools (certutil/pnputil/nefconc/schtasks/netsh/icacls) as fixed string literals, with no file-codepage surface. (The .iss's INLINE -Command PowerShell is a command-line string, not a file read, so it's unaffected and stays.) - windows/install.rs: faithful port - cert trust, gated nefconc node create + pnputil for pf-vdisplay; pnputil per-inf for gamepads; web-password ACL, the PunktfunkWeb task (generated UTF-16 XML), firewall rule, start. Best-effort (a hiccup warns, never aborts). - punktfunk-host.iss [Run]: call the exe instead of `powershell -File`; drop the web-setup.ps1 staging + WebSetup define; WebSetupParams emits --app-dir/--password-file. - pack-host-installer.ps1: stop copying the three install scripts into the stages. - delete the three .ps1 files. The `mod install;` + dispatch arms in main.rs landed in the preceding docs commit (swept up by a concurrent commit); this commit adds the module + installer wiring. CI-compile-validated via windows-host; the install path is on-glass-validated on the next canary install (the test box is offline). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 16:43:18 +00:00
enricobuehler	7b99b41ede	docs(design): trim shipped plans, consolidate cluster, add index ... Much of design/ described work that has since shipped. Trim each doc to its durable rationale + still-open items (the code is the source of truth for shipped detail; git history holds the full originals). - Shipped plans -> status stubs: stats-capture, gamestream-host-plan, apple-stage2-presenter, windows-service. - Trimmed completed-out / open-kept: implementation-plan, hdr-pipeline, host-latency, gpu-contention (fixed stale status table), game-library, linux-setup (fixed m0->spike + stale zero-copy claim), session-aware-host-followups, windows-client-bootstrap, windows-dualsense-{scoping,game-detection}, windows-virtual-display, security-review (per-finding status table; #12 still open), apollo-comparison (shipped backlog collapsed to one-liners). - Windows-host cluster consolidated: windows-host.md -> redirect into windows-host-rewrite.md (whose stale scorecard is corrected -- goal1 is merged, M4 done); windows-secure-desktop.md archived (now a fallback behind IDD-push primary). - Kept evergreen: ci.md, gamescope-multiuser.md, windows-build-and-packaging.md. - New design/README.md: per-doc status table + consolidated open-items roll-up so nothing is tracked in only one buried doc. - Repoint 5 code comments to the archived secure-desktop doc path. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-26 16:39:06 +00:00
enricobuehler	8e87e617df	fix(windows-host): force EXTEND topology so a new IddCx display isn't cloned ... A freshly-added IddCx virtual display lands in CLONE/duplicate mode when a physical display is already active (a laptop panel, an attached monitor): the cloned output shares that display's source, so the OS never commits a distinct path for it, never calls ASSIGN_SWAPCHAIN, and capture sees no frames - the session fails "not an active display path / needs a WDDM GPU to activate" and tears down with 0 frames (seen live on an Intel-iGPU + NVIDIA-Optimus laptop). force_extend_topology() applies the EXTEND preset (the programmatic Win+P "Extend") right after ADD so the IDD comes up as its own active path; the existing resolve_gdi_name -> set_active_mode -> isolate_displays_ccd bring-up then proceeds. Idempotent / no-op on a sole-display (headless single-GPU) box, so it's safe on the path that already worked. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 14:33:15 +00:00
enricobuehler	5bf787eb2b	feat(host): web-console performance capture — record stream stats, graph them ... Arm streaming-perf-stats capture from the web console, play, stop, and review the run as graphs; finished captures are saved to disk as browsable/exportable recordings. Covers both the native punktfunk/1 path and GameStream. - stats_recorder.rs: one shared Arc<StatsRecorder> ring (created in gamestream::serve, shared with the mgmt API + both streaming loops, mirroring NativePairing). The hot-path gate is a runtime AtomicBool that replaces the startup-only PUNKTFUNK_PERF for *recording* (PERF stdout logging unchanged); bounded ring (~3 h); atomic temp+rename writes to ~/.config/punktfunk/captures/*.json; path-traversal-safe ids; poison-resilient locks. - native (punktfunk1.rs) + GameStream (stream.rs) emit a StatsSample at their existing ~2 s / ~1 s aggregation boundary — per-stage latency p50/p99, fps new/repeat, goodput, loss/FEC deltas — with no new per-frame work beyond the cheap atomic check. FrameMsg.was_measured keeps pre-arm in-flight frames out of the first window's percentiles (without zeroing the Windows-relay path's fps/encode). - mgmt.rs: 7 bearer-only /api/v1/stats/* endpoints (capture start/stop/status/live; recordings list/get/delete); api/openapi.json regenerated, in sync. - web: new "Performance" page (recharts, rendered SSR-safe) — capture control, live graphs while armed, recordings table (view / download-JSON / delete), and a detail view with the latency stacked-area bottleneck breakdown (p50/p99 toggle) + throughput + health. Charts adapt to either path's stage set. Design: design/stats-capture-plan.md. Built and adversarially reviewed via a multi-agent workflow; workspace build/clippy(-D warnings)/fmt/tests green, OpenAPI no-drift. Not yet on-glass validated against a live session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 13:59:39 +00:00
enricobuehler	f6490f4c28	fix: complete the docs/→design/ and openapi→api/ rename references ... The file moves (docs/ → design/, docs/api/openapi.json → api/openapi.json) landed in d01a8fd, but the matching reference updates did not — so mgmt.rs's drift-test `include_str!("../../../docs/api/openapi.json")` pointed at a path that no longer exists and the host failed to build. This restores it and updates every reference: - mgmt.rs include_str! → ../../../api/openapi.json (fixes the build) - web/orval.config.ts codegen target, web/Dockerfile, .dockerignore - deb/rpm/Arch packaging install paths - CLAUDE.md, the .gitea CI workflows, code doc-comments, design-doc cross-links docs-site route URLs (/docs/...) untouched. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 11:53:02 +00:00
enricobuehler	3e7c9bd059	fix(host): remove unsound unsafe impl Sync for HelperRelay ... The one genuine soundness defect the unsafe-proof program surfaced (flagged SUSPECT in program 3/N). `HelperRelay` holds an `rx: Receiver<RelayAu>`, which is `!Sync` (std mpsc is single-consumer), so asserting `Sync` claimed more than the fields support — an `Arc<HelperRelay>` recv'd from two threads would compile and be UB. It was never live-exploited, and it turns out `Sync` is also unnecessary: the relay is a single-owner `mut relay` local in the punktfunk1 two-process mux loop (recv_timeout/try_recv/request_keyframe all called on the owning thread; no `Arc`, no `thread::spawn` capturing it). So the fix is simply to delete the impl — the struct keeps its sound `unsafe impl Send` (needed for the raw `HANDLE` fields), which is all the code uses. Box-verified: cargo clippy -p punktfunk-host --features nvenc --target x86_64-pc-windows-msvc -- -D warnings stays green without the Sync impl. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 10:00:40 +00:00
enricobuehler	7aa787a789	docs(host): prove the last 3 files + crate-root deny (unsafe-proof program 4/N, final) ... Completes the unsafe-proof program now that the parallel WIP has landed: - idd_push.rs (25 sites), nvenc.rs (7), punktfunk1.rs (21): a SAFETY proof on every unsafe block — D3D11/DXGI COM (same-device textures, immediate-context single-thread, keyed-mutex-held convert), the NVENC SDK table (versioned POD, register/map/lock-bitstream pairing), cross-process shm reads (atomic magic/generation handshake), and the C-ABI harness (each call cross-checked against its abi.rs `# Safety` doc). No SUSPECT (UB) blocks. - capture.rs / encode.rs: the parent-module deny is restored (their WIP children are now proven), and main.rs gains a crate-root #![deny(clippy::undocumented_unsafe_blocks)] — the permanent catch-all gate so no future unsafe block anywhere in the crate can land without a proof. - Fixed 4 blocks the agents missed: unsafe blocks nested inside `assert_eq!(...)` macro args (the comment-above-statement didn't associate) — hoisted to a `let`. - rustfmt-canonicalized the Windows files (the agents' SAFETY comments + some pre-existing 1.9.0 drift) so `cargo fmt --all --check` is clean. Verified: cargo clippy -p punktfunk-host --all-targets -- -D warnings AND cargo fmt -p punktfunk-host --check both green with the crate-root deny active. Windows cfg(windows) re-verified on the box next. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 09:57:00 +00:00
enricobuehler	3514702d8c	feat(windows-host): IDD-push encodes native NV12/P010 (skip NVENC's SM-side CSC) ... GPU-contention work (host-latency plan §5.A): the IDD-push output ring now hands NVENC native YUV instead of RGB, so NVENC skips its internal RGB→YUV colour conversion on the SM/3D engine the running game saturates. - idd_push.rs: out_ring is now NV12 (SDR, BT.709 limited) via a D3D11 VIDEO-engine BGRA→NV12 VideoConverter (keeps the CSC off the contended 3D/compute engine), or P010 (HDR, BT.2020 PQ limited) via the FP16→P010 shader (NVIDIA's VideoProcessor can't do RGB→P010). The ring drops its per-slot RTV (textures only), matching the WGC YUV ring; converters rebuild on a size/HDR flip. - nvenc.rs: NV12 input forces bit_depth=8 so an HDR→SDR toggle (or a 10-bit- negotiated client on an SDR display) re-inits the session at the matching depth — NV12 can't feed a 10-bit session (register_resource rejects it). - punktfunk1.rs: per-stage latency instrumentation under PUNKTFUNK_PERF (cap=try_latest, submit=encode_picture, wait=lock_bitstream µs p50/p99/max) to pinpoint where capture→encoded latency goes under GPU saturation.	2026-06-26 09:35:23 +00:00
enricobuehler	327a5fa828	docs(host): prove unsafe blocks in the Windows + cross-platform files + gate them (unsafe-proof program 3/N) ... Continues the unsafe-proof program across the Windows/cross-platform host files (~75 blocks, 21 files), each with a SAFETY proof of the real invariant and a per-file #![deny(clippy::undocumented_unsafe_blocks)] gate: capture/windows: dxgi.rs, wgc_relay.rs, wgc.rs, desktop_watch.rs, composed_flip.rs (windows-rs COM: interface validity, same-D3D11-device textures, immediate-context single-thread, borrowed args outlive the call) windows: service.rs (SCM/token/CreateProcessAsUserW/event handles — OwnedHandle liveness, no double-close/signal race), win_display, wgc_helper, interactive vdisplay/windows: manager.rs, pf_vdisplay.rs (SwDeviceCreate/IddCx/ioctl handle liveness via the OnceLock VDM singleton + OwnedHandle) encode/windows: ffmpeg_win.rs (full AVBufferRef refcount audit — balanced, NO leaks, unlike the vaapi sibling), sw.rs cross-platform: gamestream/audio.rs (libopus), gamestream/stream.rs (sendmmsg), inject/windows/sendinput.rs, audio/windows/wasapi_mic.rs, session_tuning.rs, vdisplay.rs Two findings (handled separately): - wgc_relay.rs `unsafe impl Sync for HelperRelay` is UNSOUND (its mpsc Receiver is !Sync) though not live-exploited — marked SUSPECT inline; fix pending box check (it touches the in-flight punktfunk1.rs). - capture.rs / encode.rs (PARENT modules of the WIP idd_push.rs / nvenc.rs) do NOT get the file deny yet — it would propagate the lint into the undocumented WIP children. The deny lands there once those are documented (after the WIP commits). Linux-visible parts verified green (cargo clippy -p punktfunk-host --all-targets -- -D warnings). The cfg(windows) deny gates are box-verified next. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 09:23:25 +00:00
enricobuehler	9777ed7fb3	fix(host/vaapi): plug two AVBufferRef leaks in DmabufInner::open ... Surfaced while writing the unsafe-soundness proofs (2/N): both are refcount leaks (sound — never dangling/double-free — so the SAFETY proofs held, but real bugs on the persistent punktfunk1-host listener that opens a fresh encoder per session). 1. Per-session leak: `par->hw_frames_ctx = av_buffer_ref(drm_frames)` created a second owned ref. `av_buffersrc_parameters_set` takes its OWN ref of `par->hw_frames_ctx`, and `av_free(par)` frees only the struct, not the ref — so the extra ref leaked every session, pinning the DRM frames ctx + device. Fix: assign `drm_frames` borrowed (the standard ffmpeg pattern); our single owned ref lives in DmabufInner and is unref'd in Drop. 2. Error-path leak: the final `open_vaapi_encoder(...)?` returned without the unref ladder every other error path runs, leaking graph/drm_frames/ vaapi_device/drm_device on encoder-open failure. Fix: match + clean up before returning (nv12_ctx is borrowed from the sink → freed by graph teardown). cargo clippy -p punktfunk-host --all-targets -- -D warnings clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 09:02:54 +00:00
enricobuehler	ba68a98873	docs(host): prove every unsafe block in the Linux FFI files + gate them (unsafe-proof program 2/N) ... Continues the structural unsafe-proof program (every unsafe carries a documented proof of soundness; the file gains #![deny(clippy::undocumented_unsafe_blocks)] so it stays proven). This batch covers all 10 remaining pure-Linux files (104 blocks), each proof stating the REAL invariant — not boilerplate: zerocopy/cuda.rs (26) leaked process-lifetime libcuda fn-ptr table; opaque CUcontext never dereferenced; free-exactly-once via the Arc<Mutex<PoolInner>> ownership graph; dmabuf fd take/close split zerocopy/egl.rs (18) eglGetProcAddress'd procs with the GL context current; EGLImage liveness; the two-call modifier-query bounds zerocopy/vulkan.rs (4) copy-bounds arithmetic (src_size>=span); Send = thread confinement to the punktfunk-pipewire thread dmabuf_fence.rs (4) poll/ioctl/close fd liveness + ownership capture/linux/mod.rs (16) spa_data repr(transparent) cast; null-checked spa derefs; single-loop-thread buffer ownership until requeue inject/linux/gamepad.rs (10) uinput ioctl request-number ↔ struct-size match (static-asserted); InputEventRaw no-padding for the byte cast encode/linux/vaapi.rs (15) + encode/linux/mod.rs (9) ffmpeg object ownership/ free ladders; VAAPI/DRM graph; Send = single-thread transfer inject/linux/wlr.rs (2), vdisplay/linux/kwin.rs (1) No memory-unsafety SUSPECT blocks were found — the unsafe is sound. The vaapi agent did flag two real AVBufferRef *leaks* (not UB) in DmabufInner::open; marked inline with NOTE(leak) and addressed in a follow-up. Verified: cargo clippy -p punktfunk-host --all-targets -- -D warnings is clean (each file's deny gate hard-errors on any undocumented block). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 09:00:30 +00:00
enricobuehler	22359f5dc8	docs(host): prove every unsafe block in drm_sync.rs + gate it (unsafe-proof program 1/N) ... Start of the structural unsafe-proof program (per the "every unsafe needs a documented proof of soundness" goal): each `unsafe` block gets an accurate `// SAFETY:` proof of WHY it is sound, and the file gains `#![deny(clippy::undocumented_unsafe_blocks)]` so the proof requirement is permanently enforced (a future undocumented unsafe in this file fails CI). drm_sync.rs (10 blocks: libc open/ioctl/clock_gettime/close + 3 in tests): each proof states the real invariant — fd liveness/ownership, the ioctl request number encoding the matching struct size, the `&mut req` being a live correctly-sized `#[repr(C)]` struct, and (for the timeline ioctls) the `handles`/`points` arrays outliving the synchronous call with `count_handles` matching their length. The gate grows file-by-file (CI stays green; undone files don't carry the lint yet); it promotes to a crate-root deny once every file is done. ~122 Linux blocks + the Windows files remain. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-26 08:35:32 +00:00