5358ef9feebfbefc0453d3d09274175cf877c6a9
16 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
86979d0abc |
fix build
improve iOS & iPadOS UI |
||
|
|
b140cd6837 |
feat(apple/macos): App Sandbox + entitlements, wire Mac App Store TestFlight
The Mac App Store requires App Sandbox, which the macOS app didn't declare. App Sandbox is macOS-only (invalid on iOS/tvOS, fails upload validation), so the macOS target now uses a dedicated Config/Punktfunk-macOS.entitlements while iOS/tvOS keep the shared Config/Punktfunk.entitlements (unchanged). The single macOS app is sandboxed for BOTH channels — the Developer ID DMG is codesigned with the same file — so the local build equals what App Store users get.
Entitlement set (verified against the code + Apple docs):
- app-sandbox, network.client.
- network.server: NOT optional despite the client being outbound-only — the sandbox gates the bind() syscall as network-bind, and quinn (quic.rs) + the raw-UDP plane (transport/udp.rs) both bind explicitly, so host->client datagrams never arrive without it (the classic QUIC-under-sandbox trap).
- device.audio-input (mic uplink), device.bluetooth + device.usb (Xbox/DualSense controllers over BT/USB via GameController), keychain-access-groups (existing).
Omitted: device.hid (undocumented), files.user-selected.* (no pickers), networking.multicast (Bonjour browse is exempt; requesting it breaks signing).
CI (release.yml): add a macOS App Store archive+upload-to-TestFlight step mirroring the iOS lane (manual Apple Distribution signing + the 'Punktfunk macOS App Store Distribution' profile, app-store-connect/upload, installer-signed pkg), continue-on-error until the portal prereqs exist; point the Developer ID DMG codesign at the sandboxed entitlements.
Docs (ci.md) + clients/apple README updated; the runner additionally needs the macOS platform on the App Store Connect record + the '3rd Party Mac Developer Installer' cert.
Verified: signed Debug build embeds exactly the intended entitlements (codesign -d --entitlements), swift build green against the rebuilt xcframework.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
|
67a32711b3 |
chore(apple): Xcode 27 project upgrade + hardened runtime
Applied via Xcode's recommended-settings upgrade and distribution prep:
- LastUpgradeCheck / scheme LastUpgradeVersion 2650 -> 2700.
- DEVELOPMENT_TEAM (F4H37KF6WC) hoisted to the project-level build configs; the now-redundant per-target copies are dropped (all targets inherit it).
- ENABLE_HARDENED_RUNTIME = YES on the macOS app target (required for Developer ID notarization).
Signing stays Apple Development + Config/Punktfunk.entitlements.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
|
e2257a6158 |
fix(apple): persist Keychain trust — sign macOS + data-protection keychain
The client identity prompted for Keychain access on every launch/rebuild. Root cause: the macOS app target was ad-hoc signed (CODE_SIGN_IDENTITY = "-"), and the identity lived in the file keychain whose "Always Allow" ACL is bound to the app's exact code signature (cdhash for ad-hoc). Every rebuild changed the binary -> changed the cdhash -> the ACL no longer matched -> re-prompt.
- Sign the macOS target with Apple Development (team already set) instead of ad-hoc, so the designated requirement is identity-based and stable across rebuilds.
- Move the identity to the data-protection keychain (kSecUseDataProtectionKeychain) gated by a team-scoped keychain-access-group entitlement — access is granted by the app's entitlement, not a per-binary ACL, so it's prompt-free and survives rebuilds. Add Config/Punktfunk.entitlements and wire CODE_SIGN_ENTITLEMENTS into all six app configs (macOS/iOS/tvOS).
- Unsigned / ad-hoc builds (e.g. `swift run`) lack the entitlement (errSecMissingEntitlement) — fall back to the legacy file keychain so they still work (with the old prompt), no hard failure.
macOS re-mints the identity on first run (the old file-keychain copy isn't in the data-protection keychain) -> one re-pair, which is acceptable. iOS keeps its identity (the explicit access group equals the prior default).
Validated: swift build; swift test (39 passed, 0 failures); xcodebuild -showBuildSettings confirms Apple Development + Config/Punktfunk.entitlements.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
|
57e7f9fe25 |
feat(release): production Apple builds — notarized macOS dmg + iOS TestFlight
release.yml (v* tags / dispatch, macos-arm64 runner): universal mac +
iOS xcframework -> xcodebuild archive -> Developer ID export ->
notarytool + staple -> dmg on the Gitea release; iOS archive uploads
to TestFlight (app-store-connect/upload). Per-run throwaway keychain;
ASC API key authenticates notarization, upload, and automatic-signing
profile fetch. macOS App Store lane deferred (needs App Sandbox);
tvOS deferred (tier-3 Rust targets).
All app targets now share bundle ID io.unom.punktfunk — ONE App Store
listing with universal purchase (decided pre-submission; effectively
unchangeable after). ITSAppUsesNonExemptEncryption=false declared
(standard-algorithm AES-GCM, exempt).
build-xcframework.sh resolves Apple toolchains itself: cargo's HOST
artifacts (proc-macros, build scripts) are loaded by the running OS,
and a newer-than-OS beta Xcode ld emits LINKEDIT layouts dyld rejects
("mis-aligned LINKEDIT string pool" -> misleading E0463) — so prefer
a non-beta Xcode for everything, fall back to CLT for mac-only slices
(env untouched: an explicit DEVELOPER_DIR=<CLT> trips xcrun's license
check), refuse iOS/tvOS without a real Xcode (CLT has no iOS SDK).
The runner plist no longer injects DEVELOPER_DIR for the same reason.
punktfunk_Logo.icon: dropped the Xcode-27-beta-only Icon Composer
features (refractivity, specular-location) — 26.5's actool crashes on
them, and store builds must use release Xcode. Visual delta is the
refraction/specular nuance only; re-author when 27 ships.
Validated on home-mac-mini-1 with Xcode 26.5: mac+iOS xcframework
slices, unified bundle IDs, signing-free app build.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
6d3ff37d9e |
feat(client): cross-target input handling + LAN mDNS discovery
Input handling, building on macOS/iOS/tvOS:
- macOS recapture after navigating out: engageCapture no longer latches captured=true when the cursor grab is refused mid app-activation (which left a free cursor that no later click could re-grab); cursorCapture.capture() now reports success. + canBecomeKeyView.
- iOS/iPadOS recapture: restore the prior capture on didBecomeActive (nothing re-grabbed mouse/keyboard on return before).
- iPad indirect pointer (no lock) is forwarded as an absolute MOUSE (move + buttons + scroll via hover / UITouch.indirectPointer), not as touch, with the local cursor visible; GCMouse owns the locked regime, gated so the two never double-send. Adds the MouseMoveAbs wire helper.
- Trackpad scroll on iOS (was entirely missing): GCMouse scroll dpad when locked + a scroll-only UIPanGestureRecognizer otherwise.
- tvOS: no focusable control during play (a focusable Disconnect button ate the controller's A in the focus engine); Siri Remote Menu disconnects.
- Don't leak touch to the host under the TOFU trust prompt (gate on captureEnabled).
LAN discovery: HostDiscovery (NWBrowser over _punktfunk._udp, the host's crate::discovery advert) resolves each service to IP:port and parses the TXT (fp advisory, pair, id); an "On this network" section in the grid (tap to save + connect, or pair if required). iOS/tvOS get NSBonjourServices via a merged Config/Info.plist. Integration-tested end to end against a fake NWListener advert.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
|
92933ef46b |
fix(apple/tvOS): system-style slide for in-stack pushes (swiftui-navigation-transitions)
SwiftUI's NavigationStack on tvOS animates pushes as a bare crossfade with no public customization — the system Settings app slides. The home stack now applies .customNavigationTransition(.slide) on tvOS via davdroman/swiftui-navigation-transitions (MIT, tvOS 13+), covering the top-level routes AND the settings pickers' drill-ins. The dependency is referenced by the Xcode PROJECT only and linked solely by the Punktfunk-tvOS target: its manifest (no macOS platform declared vs 10.15 deps) breaks SwiftPM whole-graph validation for plain `swift build`, and the #if os(tvOS) import never compiles in the macOS-only SwiftPM dev shell anyway. Headless builds need xcodebuild -skipMacroValidation (the lib pulls Swift macro packages; in the Xcode UI it's a one-time Trust & Enable prompt). iOS/macOS keep their untouched system navigation animations. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> |
||
|
|
9e57a5a1ff |
fix(apple/tvOS): native form controls — pushed pickers, single-pill fields, centered values
The inline iOS form widgets fought the tvOS focus system at every turn: focused fields showed nested pills, rows darkened oddly and grew on activation, the Compositor picker was not even focusable, and prefilled fields (port, client name) floated their label inside the pill, shoving the value off-center.
- Settings is now a fully tv-native screen: NO inline text entry — the stream mode is a preset picker (This TV native / 720p / 1080p / 4K, plus a Custom entry preserving a mode set on another platform) and both pickers use .navigationLink style (pushed selection lists, exactly like the system Settings app — and properly focusable; the cover wraps in a NavigationStack for the pushes).
- Where text entry is unavoidable (Add Host, PIN pairing), the fields keep their stock single-pill chrome (the grouped form style stays off tvOS — its row platters were one of the nested pills) and prefilled fields hide their floating label so values center vertically.
- All earlier row-clearing experiments reverted.
Verified by screenshot in the Apple TV simulator: Settings rows render as single focus lozenges with chevrons; the Add Host pills are uniform with centered text.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
75396c20c2 |
feat(apple/tvOS): parallax app icon + top shelf images from the brand layers
Icon Composer doesn't cover tvOS — tvOS app icons are the older parallax format: flat layers in an asset-catalog "App Icon & Top Shelf Image" brand asset. Generated from the same Affinity layer exports the Icon Composer .icon uses, mirroring its composition (violet automatic-gradient background → light circle → dark circle → blob in front), via scripts/render-tvos-icon.swift (checked in for regeneration):
- App Icon.imagestack 400×240 @1x/@2x + App Icon - App Store.imagestack 1280×768, four layers each so the focus engine gets real parallax depth.
- Top Shelf Image (1920×720) + Wide (2320×720) @1x/@2x as flat composites.
- ASSETCATALOG_COMPILER_APPICON_NAME = "App Icon & Top Shelf Image" on the tvOS configs; verified on the Apple TV simulator home screen.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
bfd8c7be93 |
feat(apple): tvOS client — third app target, first-lit in the Apple TV simulator
The same app now runs on tvOS (target Punktfunk-tvOS, bundle io.unom.punktfunk.tvos), validated live against the box: vkcube at 1280x720@60, 60 fps in the Apple TV 4K simulator, glass HUD with a focusable Disconnect button.
- PunktfunkCore.xcframework grows tvOS device + universal-simulator slices. These are TIER-3 Rust targets (no prebuilt std): BUILD_TVOS=1 builds them with nightly and -Zbuild-std from rust-src — the full quic stack (quinn/rustls-ring/tokio) compiles for tvOS unchanged.
- The UIKit stream view covers iOS AND tvOS, with pointer interaction, pointer lock, touch forwarding and InputCapture gated to iOS — tvOS is view-only until gamepad capture lands (the natural tvOS input).
- SessionAudio on tvOS: .playback session, no mic (no app-accessible microphone).
- App chrome gates: keyboardShortcut/textSelection/controlSize/statusBarHidden are iOS/macOS-only; host cards use the focus-native .card button style on tvOS; the Audio settings section hides (system-routed); mode seeding works from the TV screen (1920x1080@60).
- Package platforms += .tvOS(.v17); new Xcode target + shared scheme (TARGETED_DEVICE_FAMILY 3, local-network usage description included).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
b7a6670b4a |
feat(apple): brand accent color (#6656F2) via the asset catalog
AccentColor color set + ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME on all four app configurations — the platform-sanctioned global tint, so the host-card icons, prominent buttons, toggles, pickers and links all carry the brand violet on macOS and iOS without any per-view styling. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> |
||
|
|
7c24832ad0 |
fix(apple/iOS): touch-first control sizing — toolbar circles + large sheet buttons
The iOS chrome inherited macOS dialog sizing and read as undersized on a phone:
- Toolbar: the two trailing actions shared one compact glass pill; on iOS 26+ each now gets its own full-size circle (explicit .topBarTrailing placements split by a fixed ToolbarSpacer — the system-app look, e.g. Files), with the grouped-pill fallback on iOS 17–18. The buttons are extracted so macOS keeps SettingsLink + .help untouched.
- Sheets and CTAs (AddHostSheet, PairSheet, trust card, empty-state Add Host) get .controlSize(.large) on iOS — proper touch targets instead of macOS dialog buttons.
Verified in the iPhone 17 simulator: two ~44 pt glass circles matching the Files app's toolbar sizing; macOS suite and app build unchanged.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
e1af4d57c6 |
feat(apple): iOS/iPadOS client — touch, pointer lock, shared SwiftUI shell
The whole client now runs on iPadOS/iOS from the same sources, first-lit live in the
iPad simulator against the real host at 1280x720@60 (60 fps on the HUD, capture state
machine active, mic permission flow shown).
- PunktfunkCore.xcframework grows iOS device + universal-simulator slices
(BUILD_IOS=1; rustup targets aarch64-apple-ios{,-sim} + x86_64-apple-ios).
- The decode pump is extracted into a shared StreamPump (identical IDR re-gate logic on
both platforms); the iOS StreamView (StreamViewIOS.swift) has the same name/signature
as the macOS one, so ContentView & co. are byte-identical across platforms — hosted
in a UIViewController for prefersPointerLocked (the iPadOS cursor capture; see README
note 9 for the UIHostingController forwarding caveat).
- Touch is always forwarded: per-finger wire ids, coordinates mapped through the
aspect-fit letterbox into LIVE host-mode pixels (surface == host mode, identity
rescale host-side; follows mid-stream requestMode switches).
- InputCapture is cross-platform: GC works the same on iPadOS, ⌘⎋ is detected from the
HID stream there; stale-⌘ tracking after focus loss fixed on both platforms
(releaseAll now drops the modifier/latch state — a ⌘ released in another app
otherwise hijacked Esc forever).
- SessionAudio: AVAudioSession on iOS (.playAndRecord + .defaultToSpeaker — without it
iPhones route host audio to the EARPIECE; deactivated with
notifyOthersOnDeactivation on stop so interrupted background audio resumes); HAL
device pinning + the Settings pickers stay macOS-only.
- New Punktfunk-iOS app target (shared synchronized sources, generated Info.plist with
mic + local-network usage descriptions — QUIC to a LAN host trips local network
privacy on real devices — scene manifest + indirect input events for Stage Manager /
external displays), shared scheme, macOS min-window frames gated off iOS.
For the iPad-on-an-external-screen idea: with multiple scenes + indirect input enabled,
Stage Manager iPads can drag the punktfunk window onto the external display and drive
the PC with keyboard/mouse/touch. Known gaps (README note 9): the pointer-lock
preference isn't consulted through UIHostingController (relative mouse works, the local
cursor just stays visible) and AVAudioSession interruptions don't auto-restart audio.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
b26f138699 |
feat(apple): session audio — host playback + mic uplink, device pickers in Settings
Both directions of the audio plane, on CoreAudio's built-in Opus codec
(kAudioFormatOpus — no bundled libopus; OpusCodec.swift, round trip unit-tested):
- Playback: a drain thread pulls nextAudio() packets, decodes, and writes a priming
jitter ring feeding an AVAudioSourceNode (~20 ms prefill, adaptive to the device's
render quantum so large-buffer devices don't oscillate prime/dropout; a high-water
clamp sheds stall backlog so one network hiccup can't permanently lag audio behind
video; underrun re-primes — one dip, not sustained crackle).
- Mic: a second engine taps the input device, resamples to 48 kHz stereo, Opus-encodes
20 ms chunks and sendMic()s them into the host's virtual PipeWire source. Permission
via AVCaptureDevice (NSMicrophoneUsageDescription added to the Xcode target).
- Settings: Speaker + Microphone pickers (CoreAudio HAL enumeration, persisted by
device UID — "System default" leaves the engine unpinned so it follows macOS device
changes) and a "Send microphone" toggle (default on). Applies from the next session.
- Audio starts with streaming, never during the trust prompt (no host sound — and no
mic uplink — before the user trusted the host); teardown stops audio before close().
Adversarial-review fixes baked in: stop() and the dangling mic-permission callback
share one lock+flag protocol (no hot mic with no owner), the connect-success handler
bails when the attempt was abandoned mid-handshake (no session/mic for a dead window),
SessionAudio gets a deinit backstop (a dropped instance can't pin the connection via
its drain thread), and the render scratch buffer is block-owned (was leaked per
session).
Verified live against the box: remote test decodes 100 host Opus packets to PCM and
the host opens its virtual mic on the first uplinked frame ("punktfunk/1 virtual mic
ready"); on-glass session runs with both engines up.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
dc42d6a375 |
feat: app icon (Icon Composer) + Xcode project settings for it
punktfunk_Logo.icon (Icon Composer 2.0) in App/, ASSETCATALOG_COMPILER_APPICON_NAME set. Compiles with Xcode 27 beta's actool; Xcode 26.5's actool crashes on EVERY .icon file (known regression, Apple FB20183399, expo/expo#46121) — build with the beta (or 26.4.1) until a 26.x fix lands. The icon itself is fine. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> |
||
|
|
b21fffc3d1 |
feat: Xcode app project for the macOS client (Punktfunk.app)
clients/apple was a bare Swift package — fine for swift run/test, but app icons, a real bundle (Info.plist, signing identity, TCC), and the normal Xcode build/run flow need an app target. Punktfunk.xcodeproj (synchronized-folder format) wraps the SAME sources as the CLI dev shell (Sources/PunktfunkClient) plus App/Assets.xcassets, and links PunktfunkKit from the local package — no source duplication, both flows stay green: swift build / swift test / swift run PunktfunkClient, and xcodebuild -scheme Punktfunk. The asset catalog ships an empty AppIcon slot ready for the Icon Composer .icon (drag in + set as App Icon + drop the placeholder; see README — including the actool crash observed with the current icon bundle). Package tests on ⌘U need one GUI step (Edit Scheme → Test → +); a hand-written package-test scheme reference doesn't resolve headlessly. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> |