Commit Graph

604 Commits

Author SHA1 Message Date
enricobuehler 6ea52b0372 feat(host/windows): SDR-while-secure — drop SudoVDA out of HDR on Winlogon so DDA captures it
When the DDA-on-secure path is enabled (PUNKTFUNK_SECURE_DDA=1), the mux now
toggles the SudoVDA's advanced-color (HDR) state via the CCD API
(sudovda::set_advanced_color → DisplayConfigSetDeviceInfo +
DISPLAYCONFIG_SET_ADVANCED_COLOR_STATE): on entering the secure (Winlogon)
desktop it disables HDR so the lock/UAC renders SDR/composed (no fullscreen
independent-flip → DDA can duplicate it instead of storming ACCESS_LOST/black),
opens DDA fresh on the now-SDR output; on returning to normal it re-enables HDR
and rebuilds the helper so WGC re-detects the restored colorspace.

Also debounce the DesktopWatcher (publish a Default↔Winlogon change only after it
is stable ~80ms) so transient flaps during the transition don't thrash the mux.

Default (no flag) is unchanged: WGC stays live through a lock, no DDA switch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 11:06:21 +00:00
enricobuehler be18797df8 feat(client): request a recovery keyframe on unrecoverable loss
Under infinite GOP the punktfunk/1 plane has no periodic IDR — the only recovery
keyframe is one the client requests. But the reassembler drops unrecoverable AUs
silently (frames_dropped) and hands the decoder reference-missing delta frames
that libavcodec conceals and returns Ok for, so keying recovery off a decode
error mostly never fires under real loss → a long/permanent freeze.

Surface the data-plane pump's Session.frames_dropped to NativeClient via a shared
atomic (NativeClient::frames_dropped()), updated every pump iteration so it stays
current through a total-loss drought. The Linux and Windows client video loops
watch it and call request_keyframe() when it climbs, throttled to 100 ms (the
decode stays wedged for several frames until the IDR lands). macOS already does
this; client-rs doesn't decode.

Resolves reliability backlog #2.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 11:04:42 +00:00
enricobuehler 55d5a4278f fix(host): self-heal capture loss + audio-thread death mid-session
Two steady-state faults previously bubbled a bare `?` to conn.close / silently
muted the rest of a session. Recover in place instead.

#4 — capture loss (virtual_stream): a mid-session capture stall/disconnect
(`try_latest` Err: PipeWire/compositor thread ended, virtual output gone) ended
the whole session — and the native client has no reconnect path, so it had to
cold-restart the handshake. Now rebuild the pipeline IN PLACE at the current
mode via build_pipeline_with_retry (same primitive the mode/session switch uses),
force a keyframe, and only propagate when the bounded retry is exhausted. A
consecutive-rebuild cap stops a flapping source from looping the client through
endless cold IDRs. Track the live mode so a rebuild after a mode switch targets
the right mode (also fixes the session-switch rebuild using the stale mode).

#3 — native audio thread (audio_thread): broke the loop on ANY next_chunk Err,
spawned once per session and never restarted, so a transient 5 s quiet-sink
timeout permanently muted a multi-hour session. Make a quiet sink return an empty
chunk (not an Err) in both backends so only a genuinely dead capture thread is an
Err, and reopen-with-backoff (INJECTOR_REOPEN_BACKOFF) on death, keeping the Opus
encoder + monotonic seq. Documents the next_chunk contract; also makes the
GameStream audio sender survive quiet sinks for free.

Resolves reliability backlog #3 and #4.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 11:04:42 +00:00
enricobuehler e8619c2362 fix(host/windows): keep WGC through the secure desktop by default (DDA-secure opt-in)
Regression fix. The DDA-on-secure mux + force-composed overlay + rebuild-on-switch
made the stream worse than just staying on WGC: DDA can't reliably capture the
secure desktop's HDR independent-flip (storms ACCESS_LOST → instant black), and
rebuilding the output on every Default↔Winlogon flip thrashed (frequent freezes).
Meanwhile the WGC helper STAYS LIVE through a lock/UAC.

So make the DDA-on-secure path OPT-IN (PUNKTFUNK_SECURE_DDA=1, or the test
toggle). By default the mux keeps WGC the whole session — the DesktopWatcher and
the force-composed overlay aren't even started — so a lock/UAC no longer black-
screens or freezes the stream. The DDA-secure machinery stays in the tree for
future experimentation behind the flag.

(Reverts the rebuild-on-every-switch change 3f191ba via 555ec2a; this gates the
remaining switch.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 10:47:48 +00:00
enricobuehler 555ec2a3b7 Revert "fix(host/windows): rebuild the output fresh on every WGC↔DDA source switch"
This reverts commit 3f191ba2ea.
2026-06-16 10:44:06 +00:00
enricobuehler 3f191ba2ea fix(host/windows): rebuild the output fresh on every WGC↔DDA source switch
Key insight (from the user): a fresh RECONNECT shows the secure desktop but the
live transition does not — so the difference is what a fresh session does that
the live switch skipped. A reconnect runs build() = REMOVE + fresh ADD of the
SudoVDA monitor + re-isolate + a fresh capturer; the live transition instead
reused the session-start output (created while on the NORMAL desktop), which goes
born-lost (ACCESS_LOST storm → black) on the secure desktop.

Fix: virtual_stream_relay now calls build() on EVERY source switch (both WGC→DDA
and DDA→WGC), then opens DDA on the new target for secure / uses the fresh helper
for normal. This makes each transition equivalent to the reconnect that works —
fixing both the WGC→DDA cutover (secure desktop now in the clean output state DDA
can duplicate) and the DDA→WGC cutover (a fresh helper's first frame is its
opening IDR, so await_idr clears immediately instead of waiting on a wedged
helper). Costs a ~1-2s rebuild per transition, acceptable for UAC/lock events.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 10:40:55 +00:00
enricobuehler ef4786387e feat(host/windows): force-composed-flip overlay to capture the secure desktop
The secure (Winlogon: UAC/lock/login) desktop presents via fullscreen
independent-flip/MPO — it scans out bypassing DWM composition, so DXGI Desktop
Duplication returns born-lost DXGI_ERROR_ACCESS_LOST (the client sees black; the
UAC only "flashes" during the brief composed transition). Confirmed live: stable
4090 LUID across the storm (NOT reparenting) on an FP16 HDR output, recovering
only when the screen changes.

Fix (non-input, no system-wide registry change): capture/composed_flip.rs keeps a
tiny click-through near-invisible TOPMOST LAYERED window alive on the current
input desktop. Any visible window on the output disqualifies independent-flip →
DWM composites → DDA can capture. A dedicated thread follows the input desktop
(Default↔Winlogon) and recreates the window there on each switch (a window is
bound to its desktop), re-asserting topmost + pumping messages every 200ms.
Started for the two-process stream's lifetime; gated by PUNKTFUNK_FORCE_COMPOSED
(default on, =0 to disable). Needs GENERIC_ALL on OpenInputDesktop for
DESKTOP_CREATEWINDOW (0x80070005 otherwise). Validated: overlay creates on the
Default desktop; live lock test pending.

Also includes SET_RENDER_ADAPTER (sudovda.rs, Apollo item #16): pins the IDD
render GPU to the NVENC GPU before ADD — issued + accepted live, though the
secure-desktop storm was proven to be independent-flip (stable LUID), not
reparenting, so it's correctness/hygiene here rather than this bug's fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 10:25:55 +00:00
enricobuehler 3e2888de26 docs(apollo): mark GSO #4 (GameStream Windows USO) done
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 10:22:53 +00:00
enricobuehler 0324719b6e feat(host/windows): USO batched send for the GameStream video plane
The GameStream video sender did one send() syscall per packet on Windows
(the #[cfg(not(target_os="linux"))] sendmmsg_all fallback), capping
throughput at high packet rates. Wire it to UDP Send Offload (the Windows
analogue of Linux GSO) so each paced 16-packet burst goes out in one
WSASendMsg(UDP_SEND_MSG_SIZE) syscall instead of 16, preserving the
microburst pacing.

Expose a reusable punktfunk_core::transport::send_uso_all (Windows-only)
that reuses the proven native-plane USO primitive (send_one_uso + the uso
on/off latch + uso_unsupported), with the same uniform-size guard and
≤512-segment chunking as UdpTransport::send_gso. It returns how many leading
packets it sent via USO; the GameStream sendmmsg_all sends any remainder
(USO off via PUNKTFUNK_GSO=0, a size-mixed burst, or a frame's short final
packet) with per-packet send. On-wire packet boundaries are unchanged.

Resolves #4 in docs/apollo-comparison.md. Linux build unaffected;
punktfunk-core type-checks for x86_64-pc-windows-msvc. Host Windows compile
deferred to CI / dev box.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 10:21:33 +00:00
enricobuehler ba4e9a8672 docs(apollo): mark cursor #13 done, reclassify #21 as already-handled
#13 (two-pass alpha+XOR cursor) implemented in capture/dxgi.rs. #21
(composite moved cursor without a new desktop frame) is already handled:
DXGI returns S_OK for pointer-only updates so punktfunk recomposites in
present_acquired; the original premise (stutter via timeout) was incorrect.
Adds status banner + per-item resolution notes in Part 4 and Part 3.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 09:49:20 +00:00
enricobuehler 6d7301ccf5 fix(windows): two-pass cursor compositing (alpha + XOR) in DXGI capture
A single DXGI cursor shape can need BOTH an alpha-blended layer AND a
screen-inverting (XOR) layer at once — a masked-color text I-beam (opaque
hot-spot + inverting bar) or a monochrome cursor mixing opaque and invert
pixels. The old path produced ONE BGRA image per shape and picked ONE blend
(cursor_invert) for the whole shape, so such mixed cursors rendered wrong
(masked-color opaque pixels forced through the invert blend; monochrome
(AND=1,XOR=1) invert pixels approximated as solid black).

Port Apollo/Sunshine's decomposition: convert_pointer_shape now returns a
CursorShape with optional alpha/xor layers; CursorCompositor holds tex_alpha
+ tex_xor and draw_layer renders each with its own blend (alpha = src-over,
HDR-scaled; XOR = inversion, unscaled — it operates on the framebuffer
reference). The CPU software path blends both layers too. Empty layers are
never uploaded or drawn. Removes the single cursor_invert flag.

Fixes #13 in docs/apollo-comparison.md. Independently reviewed (ship);
Windows-only code — compile verified by CI / dev VM.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 09:48:34 +00:00
enricobuehler f44317fb33 feat(windows): stable code-signing cert for the MSIX (one-time per-machine trust)
Sign every MSIX build with one STABLE self-signed cert instead of a fresh per-build cert, so the
Trusted People import is a one-time, per-machine step that survives upgrades (a fresh cert each build
forced a re-import every time). The cert (CN=unom, SHA-1 CD1EFDEE…E941, valid to 2036) lives in the
MSIX_CERT_PFX_B64 / MSIX_CERT_PASSWORD Actions secrets; its public half is checked in as
packaging/punktfunk-codesign.cer and published next to each .msix.

pack-msix.ps1 now always exports the signing cert's public .cer (extracted from a supplied pfx too,
not just the ephemeral-generated path) and warns if the cert subject != manifest Publisher (the
mismatch Add-AppxPackage would otherwise reject). Documents the path to a publicly-trusted
(no-import) cert: swap the two secrets + pass a matching -Publisher.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 09:17:30 +00:00
enricobuehler 7bf2899301 fix(host/windows): secure-desktop black screen — capture the real frame, don't seed black
Root cause (confirmed live: "black until I pressed a key, then the image came
back"): the secure desktop (lock/login/UAC) is STATIC, and DXGI Desktop
Duplication only emits a frame on CHANGE. On the normal→secure switch the
duplication is rebuilt (recreate_dupl / try_reduplicate), and we then SEEDED A
BLACK frame as last_present — which the static secure desktop never replaced
(no change-frame) until the user pressed a key. So we streamed black.

Fix: after rebuilding the duplication, CAPTURE the current desktop frame instead
of seeding black. A freshly-created duplication's first AcquireNextFrame returns
the full current desktop; grab it and present it. New `present_acquired` factors
the frame-processing out of `acquire`; both recovery paths now call it:
- recreate_dupl: after adopting the new duplication, acquire+present the real
  frame (born-lost ACCESS_LOST / no-initial-frame → seed black as fallback and
  let the 250ms-throttled caller retry — a brief flash, then real content).
- try_reduplicate: adopt-first, then capture its probe frame (was discarded).

Also (independently-correct safe fixes, per the adversarial review):
- DesktopWatcher computes the current desktop synchronously in start() before
  returning, so a session that begins on the secure desktop (reconnect to a
  locked box) doesn't relay one stale normal-desktop frame (the "flash").
- DuplCapturer::open reasserts SudoVDA isolation at open time (mirrors
  recreate_dupl) — forces the secure desktop back onto the virtual output if a
  lock/UAC re-attached a physical monitor.
- Instrumentation: dbg_black_seeds counter + a throttled warn when black is
  seeded, and an info when a real secure-desktop frame is captured on recovery.

Pending: the user's real-lock smoke test on the 4090 (a headless PsExec
LockWorkStation runs as SYSTEM and can't lock an interactive session, so this
must be validated with an actual lock).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 09:15:33 +00:00
enricobuehler cbeece119f fix(windows): link the client as a GUI subsystem — no console window on launch
The binary had no windows_subsystem attribute, so it linked as a console (CUI) app and Windows
opened a console window alongside the WinUI window on every launch (incl. the MSIX). Add
#![cfg_attr(windows, windows_subsystem = "windows")] so the windowed/MSIX launch is window-free
(verified: the built exe's PE subsystem flips from WINDOWS_CUI=3 to WINDOWS_GUI=2). To keep the CLI
paths usable, main now calls AttachConsole(ATTACH_PARENT_PROCESS) at startup — it binds to an
existing parent console only (never creates one), so --headless/--discover still print to the
launching terminal while Explorer/MSIX launches stay console-free. Adds the Win32_System_Console
windows feature.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 09:06:31 +00:00
enricobuehler 183ddd5fa1 docs: Apollo (Sunshine fork) vs punktfunk architecture map + transfer backlog
Map Apollo's architecture for future agents and compare against punktfunk,
with a deep-dive on the Windows host (the focus area). Produced by the
apollo-vs-punktfunk multi-agent workflow; every claim carries file:line into
both codebases.

Contents: Apollo architecture map + Apollo->punktfunk file index; subsystem
parity; a reference-grade Windows-host deep-dive (DXGI/WGC capture, cursor
compositing, HDR, NVENC-on-D3D11, SendInput/ViGEm, SudoVDA, SYSTEM/secure
desktop); and a prioritized 96-item improvement backlog (89 Windows-host,
24 high-severity). Top confirmed Windows gaps: GameStream TLS accepts any
client cert (verify_client_cert returns assertion()), no NVENC reference-frame
invalidation, SudoVDA watchdog ignores its ioctl result, absolute-mouse mapping
discards the virtual-desktop rect.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:54:52 +00:00
enricobuehler bb11b2faf7 feat(windows): MSIX packaging + publish workflow for the WinUI client
Package the Windows client as a signed MSIX (Start tile, clean install/uninstall) and publish it to
Gitea's generic registry, mirroring the host's .deb/.rpm and the Mac's DMG. Validated end-to-end on
the build VM: cargo build --release -> makeappx pack (16 payload files, 58 MB) -> signtool ->
Add-AppxPackage deploy -> framework-dependency resolution all green.

- packaging/AppxManifest.xml: full-trust Win32 app (Windows.FullTrustApplication + runFullTrust),
  templated {VERSION}/{PUBLISHER}. windows-reactor packages cleanly despite being built "unpackaged"
  because it calls MddBootstrapInitialize2 with OnPackageIdentity_NOOP — under MSIX identity the
  bootstrapper no-ops and the App SDK resolves from the manifest's PackageDependency on
  Microsoft.WindowsAppRuntime.2 (reactor pins MAJORMINOR 0x20000 = 2.0).
- packaging/pack-msix.ps1: assemble layout (exe + reactor/SDL3 auto-staged DLLs + resources.pri +
  FFmpeg DLLs + tile assets), makeappx, signtool. Cert precedence: MSIX_CERT_PFX_B64 secret, else an
  ephemeral self-signed cert whose .cer is published alongside (swap in a real cert later, no
  manifest change).
- assets: tile/store logos rasterized from packaging/flatpak/io.unom.Punktfunk.svg.
- .gitea/workflows/windows-msix.yml: runs on the Windows runner on main pushes + win-v* tags +
  dispatch. MSIX version is 4-part numeric — win-vX.Y.Z -> X.Y.Z.0, else 0.2.<run>.0. shell: pwsh +
  CARGO_TARGET_DIR=C:\t like windows.yml.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:45:43 +00:00
enricobuehler ec2907fc32 perf(host/windows): SendInput retry-on-failure model (two-process step 2)
The injector reattached the input desktop (OpenInputDesktop + SetThreadDesktop,
two syscalls) before EVERY event. Now it stays bound to its desktop and only
reattaches on a SendInput short write (the input desktop switched into UAC/lock)
+ retries once — Sunshine's model. No steady-state per-event overhead; still
follows the desktop across the secure boundary, serving both desktops.

Validated on the RTX 4090 (host as SYSTEM): client-rs --input-test injected for
~6s with no "blocked desktop" errors. Completes all 6 steps of the two-process
secure-desktop build; only a real-UAC user smoke test remains.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:30:49 +00:00
enricobuehler 1e8f210948 docs(windows-secure-desktop): steps 1/3/4/5/6 live-validated; soak results
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:26:10 +00:00
enricobuehler 1b68890dbf feat(host/windows): two-process step 6 — helper relaunch watchdog
A WGC-helper exit (crash, or a console disconnect killing its session) used to
end the stream. Now virtual_stream_relay rebuilds the output + helper and resumes
on the new helper's opening IDR. Rebuild — not respawn-on-the-old-target —
because an abruptly-killed helper leaves the SudoVDA's DXGI output briefly
unresolvable ("no DXGI output for target N yet"), and a console reconnect needs
a fresh output in the new session; `build` (the same path reconfigure uses)
recreates both. Bounded: 500ms backoff per attempt, give up after
MAX_HELPER_FAILS (20) consecutive failures; the counter resets on the first
relayed frame.

Live-validated on the RTX 4090 (host as SYSTEM): force-killed the helper PID
mid-stream → exactly one "WGC helper exited — rebuilt output + helper fails=1" →
the stream recovered and client-rs decoded 645 HEVC Main-10 frames continuously
across the kill (an earlier respawn-on-stale-target attempt storm-failed with
"no DXGI output", which the rebuild fixes).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:23:58 +00:00
enricobuehler e39f65a228 ci(windows): set CARGO_TARGET_DIR=C:\t — dodge MAX_PATH in CMake-from-source builds
With the BOM fixed (shell: pwsh), the build got far enough to compile audiopus_sys, which
does a CMake-from-source build of libopus. The runner's host workdir sits deep under
C:\Windows\System32\config\systemprofile\.cache\act\<hash>\hostexecutor\, so target\debug\build\
audiopus_sys-*\out\build\CMakeFiles\CMakeScratch\TryCompile-*\...\.tlog overran Windows' 260-char
MAX_PATH and MSBuild's tracker failed to create its .tlog (DirectoryNotFoundException -> MSB6003,
"CL.exe konnte nicht ausgeführt werden"). Pointing CARGO_TARGET_DIR at C:\t shortens every nested
build path well under the limit (fixes audiopus_sys + SDL3, both CMake-from-source).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:18:34 +00:00
enricobuehler 4edfcd4b43 feat(host/windows): two-process mux test toggle + live-validate step 5
PUNKTFUNK_SECURE_TEST_PERIOD_MS=N drives a square-wave secure/normal toggle in
virtual_stream_relay (instead of the real DesktopWatcher), to exercise the
mid-session helper↔DDA mux without a live UAC/lock. Gated behind the env var,
in the style of PUNKTFUNK_VIDEO_DROP / PUNKTFUNK_FEC_PCT.

Live-validated on the RTX 4090 (host as SYSTEM): with a 4s toggle the mux
switched secure(DDA)↔normal(WGC relay) cleanly 5× in one session and the client
decoded 308 HEVC Main-10 frames continuously across every switch — the
wait-for-IDR latch held with no decode break. The real Winlogon DDA capture is
pre-proven by the single-process secure path (f4b4a6c); the toggle exercises the
new surface (the mux). Doc updated with the validation + the SYSTEM-mode audio
caveat.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:13:16 +00:00
enricobuehler 372483abf0 ci(windows): use shell: pwsh (PowerShell 7) — fixes GITHUB_ENV BOM corruption
windows / build (push) Failing after 1m47s
android / android (push) Successful in 1m56s
ci / docs-site (push) Successful in 28s
deb / build-publish (push) Successful in 2m35s
decky / build-publish (push) Successful in 11s
apple / swift (push) Successful in 54s
ci / rust (push) Failing after 58s
ci / web (push) Successful in 36s
ci / bench (push) Successful in 4m26s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 17s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 2m40s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 2m37s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 24s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m17s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 5m2s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 4m57s
docker / deploy-docs (push) Failing after 14s
Windows PowerShell 5.1's Out-File -Encoding utf8 prepends a UTF-8 BOM, corrupting the first
GITHUB_ENV line so CARGO_WORKSPACE_DIR silently never got set -> windows-reactor build.rs panic
-> CI build failed (runs 8765/8768). pwsh 7 writes UTF-8 without a BOM. Installed PowerShell 7.6.2
MSI on the runner and put C:\Program Files\PowerShell\7 on the daemon wrapper PATH so jobs find
pwsh; switched all windows.yml steps to shell: pwsh. (Reproduced locally with CARGO_WORKSPACE_DIR
set: the build is green in 2m37s — the BOM was the only issue.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 08:10:30 +00:00
enricobuehler 8d6cbb81fe fix(host/windows): merge host PUNKTFUNK_* env into the WGC helper's environment
CreateProcessAsUserW gives the spawned helper the *user's* environment block, so
the host's PUNKTFUNK_ENCODER=nvenc (and ZEROCOPY/PERF/…) were dropped and the
helper fell back to the software (H.264-only) encoder — the client negotiated
H265 → "WGC helper exited". `merged_env_block` now parses the user block, strips
any PUNKTFUNK_* it carried, overlays this (host) process's PUNKTFUNK_* vars, and
passes the merged UTF-16 block.

Validated live on the RTX 4090 (host as SYSTEM): the helper spawns via
CreateProcessAsUserW, runs WGC with no hang (HDR FP16 BT.2020 PQ), opens NVENC
(D3D11 Main10), and relays AUs over the pipe — client-rs decoded 411 HEVC
Main-10 frames over the LAN. Step 4 (spawn + relay) complete.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:05:43 +00:00
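The merge described in commit 8d6cbb81fe, sketched as an added example (not the project's `merged_env_block`). `merge_env_block_example`, its helpers and the sample variables are hypothetical; the rejection of malformed overlay entries is an assumption, not something the commit states.

```rust
// Added example, not the project's code. A Windows environment block is a run of
// NUL-terminated UTF-16 "NAME=value" entries closed by one extra NUL.
const PREFIX: &str = "PUNKTFUNK_";

/// Iterate the entries of a double-NUL-terminated block.
fn entries(block: &[u16]) -> impl Iterator<Item = &[u16]> {
    block.split(|&c| c == 0).take_while(|e| !e.is_empty())
}

/// Name part of an entry. The '=' search starts at index 1 because per-drive
/// entries such as "=C:=C:\dir" begin with '=' and must survive the merge.
fn var_name(entry: &[u16]) -> String {
    let eq = entry
        .iter()
        .skip(1)
        .position(|&c| c == u16::from(b'='))
        .map_or(entry.len(), |p| p + 1);
    String::from_utf16_lossy(&entry[..eq])
}

/// Windows variable names are case-insensitive, so match the prefix that way.
fn is_ours(name: &str) -> bool {
    name.get(..PREFIX.len())
        .map_or(false, |p| p.eq_ignore_ascii_case(PREFIX))
}

/// Keep the user's entries except PUNKTFUNK_*, then overlay the host's
/// PUNKTFUNK_* values, so the user session cannot steer the helper's settings.
pub fn merge_env_block_example(user_block: &[u16], host_vars: &[(&str, &str)]) -> Vec<u16> {
    let mut out: Vec<u16> = Vec::new();
    for e in entries(user_block) {
        if !is_ours(&var_name(e)) {
            out.extend_from_slice(e);
            out.push(0);
        }
    }
    for (k, v) in host_vars {
        // Assumption: an '=' in the name or a NUL anywhere would split or
        // truncate the block, so such entries are skipped.
        let well_formed = !k.contains('=') && !k.contains('\0') && !v.contains('\0');
        if is_ours(k) && well_formed {
            out.extend(format!("{}={}", k, v).encode_utf16());
            out.push(0);
        }
    }
    if out.is_empty() {
        out.push(0); // an empty block is still two NULs
    }
    out.push(0); // block terminator
    out
}

/// Build a block from entries (used for the constructed sample input).
pub fn block_of(items: &[&str]) -> Vec<u16> {
    let mut b: Vec<u16> = Vec::new();
    for s in items {
        b.extend(s.encode_utf16());
        b.push(0);
    }
    if b.is_empty() {
        b.push(0);
    }
    b.push(0);
    b
}

/// Decode a block back to strings for inspection.
pub fn decode(block: &[u16]) -> Vec<String> {
    entries(block).map(String::from_utf16_lossy).collect()
}

fn main() {
    // Constructed sample: a user block carrying a stale lower-case override.
    let user = block_of(&["=C:=C:\\Users\\u", "Path=C:\\Windows", "punktfunk_encoder=software"]);
    let merged = merge_env_block_example(&user, &[("PUNKTFUNK_ENCODER", "nvenc")]);
    for e in decode(&merged) {
        println!("{}", e);
    }
}
```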
enricobuehler 140209bbfc feat(host/windows): two-process secure-desktop step 5 — DDA mux on Winlogon
`virtual_stream_relay` now muxes the AU source by input desktop. A DesktopWatcher
(SYSTEM-only Winlogon-name poll) drives it: the user-session WGC helper relay
feeds the normal (Default) desktop; the host's OWN DDA capturer+encoder — opened
lazily on the first secure transition, on the same SudoVDA target with a no-op
keepalive (the host still holds the real isolation owner) — captures the secure
(Winlogon: UAC/lock/login) desktop that WGC can't see. Every switch latches
"wait for IDR" and forces the now-active source to emit a keyframe (the two
encoders keep independent infinite-GOP state, so the client must resume on an
IDR); returning to the helper also drains its stale buffered AUs first.
Reconfigure drops the stale-target DDA; keyframe requests route to the live
source. Send path (FEC/seal/paced-send) unchanged.

Also: wgc_relay gains try_recv (drain on switch-back); open_dda takes dims as
args (avoids a closure borrow of the reassigned cur_mode); the forward! macro
returns bool with `break 'outer` at the call site (no in-macro label hygiene).

cfg-gated windows-only. Live validation (UAC switch over a session) pending.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:55:29 +00:00
enricobuehler 9f50b3930d feat(host/windows): two-process secure-desktop step 4 — spawn helper + relay AUs
The SYSTEM host now sources the normal-desktop video from a user-session WGC
helper instead of capturing in-process (WGC won't activate as SYSTEM). New
`capture/wgc_relay.rs`: `HelperRelay::spawn` launches `m3-host wgc-helper` in the
interactive user session via CreateProcessAsUserW (WTSQueryUserToken →
DuplicateTokenEx(TokenPrimary) → lpDesktop="winsta0\\default", CREATE_NO_WINDOW)
with three anonymous pipes — stdout (framed Annex-B AUs → parsed back to
RelayAu), stdin (control: force-keyframe), stderr (helper logs → host tracing).
The host holds the SudoVDA keepalive (sole isolation/topology owner); the helper
captures by GDI name only.

m3.rs: `virtual_stream` dispatches to the new `virtual_stream_relay` when
`should_use_helper()` (running as SYSTEM, or PUNKTFUNK_FORCE_HELPER; disable with
PUNKTFUNK_NO_HELPER). The relay loop feeds the existing send thread — same
FEC/seal/paced-send path. Reconfigure rebuilds the output + re-spawns the helper;
keyframe requests forward over the control pipe; helper pts_ns (same-machine
monotonic clock) is used directly as capture_ns. Disconnect ends the stream
(step 6 adds the relaunch watchdog).

wgc_helper.rs: reads the stdin control byte to request an IDR; --bit-depth flag
threaded through so SDR 10-bit (Main10) negotiation reaches the helper's encoder.

cfg-gated windows-only; Linux/macOS build unaffected. Step 5 (DesktopWatcher mux
to host DDA on the Winlogon secure desktop) is next.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:43:20 +00:00
enricobuehler 7a814b5f18 ci(windows): restore paths filter + document global runner scope
apple / swift (push) Successful in 54s
windows / build (push) Failing after 1m47s
ci / web (push) Failing after 15s
ci / bench (push) Failing after 3m13s
android / android (push) Failing after 1m48s
ci / docs-site (push) Failing after 2s
ci / rust (push) Failing after 3m14s
decky / build-publish (push) Successful in 10s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 1m11s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
docker / deploy-docs (push) Has been skipped
deb / build-publish (push) Successful in 3m11s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 7m10s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m15s
Re-add the paths filter (the trigger was never the problem — the runner was registered at the
wrong scope, so org-repo runs found 'no fitting runner' despite the runner showing idle). Document
in setup-windows-runner.ps1 that the registration token must be GLOBAL (Site Administration ->
Actions -> Runners), like the Linux runner. CARGO_WORKSPACE_DIR is set via GITHUB_ENV in a step
(the job-env ${{ github.workspace }} form didn't resolve, leaving it unset -> reactor build.rs
panic).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:38:08 +00:00
enricobuehler a0f6cddc70 feat(host/windows): WGC helper subcommand (two-process secure-desktop, step 3)
`m3-host wgc-helper --target-id N --gdi NAME --mode WxHxHz --bitrate K`: the
USER-session half of the two-process secure-desktop design
(docs/windows-secure-desktop.md). Opens WGC on the EXISTING SudoVDA output by
GDI name only (never creates a virtual output — a second topology owner re-trips
the ACCESS_LOST born-lost storm), encodes via NVENC, and ships framed Annex-B
AUs on stdout for the SYSTEM host to relay onto the live QUIC session:
`[u32 magic "PFAU"][u32 len][u64 pts_ns][u8 keyframe][data]`. tracing → stderr so
stdout stays the pure AU stream. cfg-gated windows-only; Linux build unaffected.

scripts/headless/win-build.cmd: the canonical box build script (sets
PUNKTFUNK_BUILD_VERSION so build.rs stamps the version + the NVENC LIB path).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:28:05 +00:00
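An incremental reader for the `[u32 magic "PFAU"][u32 len][u64 pts_ns][u8 keyframe][data]` framing quoted in commit a0f6cddc70, as an added example (not the project's `wgc_relay` code). It assumes little-endian integers, that `len` counts only the data bytes, and a 16 MiB cap per access unit; `FrameParser`, `ParsedAu` and `encode_frame` are hypothetical names.

```rust
// Added example, not the project's code. Assumptions: little-endian integers,
// `len` counts only the data bytes, and a 16 MiB cap on one access unit.
const MAGIC: &[u8; 4] = b"PFAU";
const HEADER_LEN: usize = 4 + 4 + 8 + 1; // magic + len + pts_ns + keyframe
const MAX_AU_LEN: usize = 16 * 1024 * 1024; // assumed cap

#[derive(Debug, PartialEq)]
pub struct ParsedAu {
    pub pts_ns: u64,
    pub keyframe: bool,
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    BadMagic,
    TooLarge(usize),
    BadKeyframeFlag(u8),
}

/// Accumulates pipe reads and yields whole frames; reads may split a frame anywhere.
#[derive(Default)]
pub struct FrameParser {
    buf: Vec<u8>,
}

fn le_u32(b: &[u8]) -> u32 {
    u32::from_le_bytes([b[0], b[1], b[2], b[3]])
}

fn le_u64(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[..8]);
    u64::from_le_bytes(a)
}

impl FrameParser {
    pub fn push(&mut self, bytes: &[u8]) {
        self.buf.extend_from_slice(bytes);
    }

    /// Ok(None) means "need more bytes". Any Err means the stream is desynced;
    /// the caller should drop the pipe rather than try to resynchronise.
    pub fn next_frame(&mut self) -> Result<Option<ParsedAu>, FrameError> {
        // Fail fast on a wrong magic instead of waiting for a full header.
        if self.buf.len() >= 4 && self.buf[..4] != MAGIC[..] {
            return Err(FrameError::BadMagic);
        }
        if self.buf.len() < HEADER_LEN {
            return Ok(None);
        }
        // The length comes from the less-privileged side of the pipe: bound it
        // before it can drive buffering in the SYSTEM process.
        let len = le_u32(&self.buf[4..8]) as usize;
        if len > MAX_AU_LEN {
            return Err(FrameError::TooLarge(len));
        }
        let pts_ns = le_u64(&self.buf[8..16]);
        let flag = self.buf[16];
        if flag > 1 {
            return Err(FrameError::BadKeyframeFlag(flag));
        }
        let total = HEADER_LEN + len; // cannot overflow: len <= MAX_AU_LEN
        if self.buf.len() < total {
            return Ok(None);
        }
        let data = self.buf[HEADER_LEN..total].to_vec();
        self.buf.drain(..total);
        Ok(Some(ParsedAu { pts_ns, keyframe: flag == 1, data }))
    }
}

/// Writer side of the same framing, used here to build constructed input.
pub fn encode_frame(pts_ns: u64, keyframe: bool, data: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(HEADER_LEN + data.len());
    out.extend_from_slice(MAGIC);
    out.extend_from_slice(&(data.len() as u32).to_le_bytes());
    out.extend_from_slice(&pts_ns.to_le_bytes());
    out.push(keyframe as u8);
    out.extend_from_slice(data);
    out
}

fn main() {
    // Constructed sample: one keyframe delivered in two partial reads.
    let wire = encode_frame(1_000, true, &[0, 0, 0, 1, 0x40]);
    let mut parser = FrameParser::default();
    parser.push(&wire[..10]);
    println!("{:?}", parser.next_frame());
    parser.push(&wire[10..]);
    println!("{:?}", parser.next_frame());
}
```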
enricobuehler 644274c33e ci(windows): set CARGO_WORKSPACE_DIR via GITHUB_ENV (not job-env expression)
apple / swift (push) Successful in 53s
ci / web (push) Failing after 0s
ci / docs-site (push) Failing after 1s
ci / bench (push) Failing after 0s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 1s
android / android (push) Failing after 0s
ci / rust (push) Failing after 0s
deb / build-publish (push) Failing after 0s
decky / build-publish (push) Failing after 0s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 0s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 0s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 1s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 7s
docker / deploy-docs (push) Has been skipped
windows / build (push) Failing after 1m53s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 7m21s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 7m24s
Mirror apple.yml's shape — drop the job-level env + defaults blocks; set CARGO_WORKSPACE_DIR
from $GITHUB_WORKSPACE in a step (Gitea can't resolve github.workspace at job-env-eval time)
and use per-step shell: powershell.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:24:53 +00:00
enricobuehler 933b1640db ci: trigger windows run (runner now stably online)
apple / swift (push) Successful in 53s
android / android (push) Failing after 51s
ci / web (push) Successful in 28s
ci / docs-site (push) Failing after 4s
ci / bench (push) Failing after 0s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 0s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 0s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 0s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s
docker / deploy-docs (push) Has been skipped
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 1s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s
deb / build-publish (push) Failing after 1s
decky / build-publish (push) Failing after 0s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 1s
windows / build (push) Failing after 1m54s
ci / rust (push) Failing after 3m13s
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:18:33 +00:00
enricobuehler dd9dfecbe4 ci(windows): drop paths filter (trigger reliability) + NO_COLOR runner logs
apple / swift (push) Successful in 53s
android / android (push) Has been cancelled
decky / build-publish (push) Successful in 11s
ci / web (push) Successful in 27s
ci / rust (push) Failing after 54s
ci / docs-site (push) Successful in 29s
deb / build-publish (push) Successful in 2m27s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 6s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
ci / bench (push) Successful in 4m37s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 1m25s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 20s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m17s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 3m40s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 6m25s
windows / build (push) Failing after 2m12s
docker / deploy-docs (push) Failing after 11s
The paths filter wasn't dispatching the run on the newly-added workflow (the runner is healthy
and 'declare successfully', but received no task). Match apple.yml: trigger on every push to main
+ PRs. Also set NO_COLOR in the daemon wrapper so runner.log is plain text (the ANSI spinner
garbled it).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:16:26 +00:00
enricobuehler 80e222d3b8 feat(host/windows): DesktopWatcher (secure-desktop detection) — step 1 of the two-process build
apple / swift (push) Successful in 53s
android / android (push) Has been cancelled
ci / web (push) Has been cancelled
ci / docs-site (push) Has been cancelled
ci / bench (push) Has been cancelled
ci / rust (push) Has been cancelled
deb / build-publish (push) Has been cancelled
decky / build-publish (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled
Polls the input-desktop name (OpenInputDesktop + GetUserObjectInformationW(UOI_NAME)) on its own
thread → Default/Winlogon atomic; the authoritative normal-vs-secure signal for the capture mux +
input path (WTS notifications miss UAC). Not yet wired into the mux (needs the SYSTEM host + WGC
helper, steps 3-5 in docs/windows-secure-desktop.md). NOTE: detecting the secure desktop requires the
host to run as SYSTEM (a user-token process can't OpenInputDesktop the Winlogon desktop).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:13:33 +00:00
enricobuehler fc11a42b63 ci(windows): build/clippy/fmt/test workflow on the self-hosted Windows runner
apple / swift (push) Successful in 53s
android / android (push) Has been cancelled
ci / docs-site (push) Has been cancelled
ci / bench (push) Has been cancelled
ci / web (push) Has been cancelled
ci / rust (push) Has been cancelled
windows / build (push) Has been cancelled
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled
decky / build-publish (push) Has been cancelled
deb / build-publish (push) Has been cancelled
runs-on: windows-amd64 (home-windows-1, host mode). Build + clippy(-D warnings) + fmt + test the
WinUI 3 client. The toolchain is baked into the runner's daemon env; the workflow only sets
CARGO_WORKSPACE_DIR=${{ github.workspace }} (windows-reactor's build.rs needs it). Triggers on
changes to the windows crate / core / Cargo / this workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:11:11 +00:00
enricobuehler 5c2bcbc2a2 docs(windows): secure-desktop two-process design + WGC impersonation attempt (vestigial)
apple / swift (push) Successful in 55s
android / android (push) Has been cancelled
ci / rust (push) Has been cancelled
ci / web (push) Has been cancelled
ci / docs-site (push) Has been cancelled
ci / bench (push) Has been cancelled
deb / build-publish (push) Has been cancelled
decky / build-publish (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
Validated design for adding secure-desktop (UAC/lock/login) coverage on top of the shipped WGC
animation fix. Key verified constraint: WGC won't activate under SYSTEM (0x80070424) even with
thread-level ImpersonateLoggedOnUser, and DDA+SendInput on Winlogon need LOCAL_SYSTEM — so one
process can't do both. Architecture: SYSTEM host (QUIC + SudoVDA + DDA-secure + SendInput + AU mux)
+ a USER-session WGC helper (CreateProcessAsUser) that relays encoded Annex-B AUs over a named pipe;
the host muxes helper-AUs (normal desktop) vs its own DDA encoder (secure desktop), switched by a
desktop-name watcher. No shared GPU texture (rejected — MIC/keyed-mutex pain); just AU bytes.
docs/windows-secure-desktop.md has the ordered, box-testable steps.

The impersonate_active_user() in wgc.rs is kept as a harmless no-op (under a user-token process
WTSQueryUserToken fails → no impersonation → WGC works natively); it does NOT make WGC work under
SYSTEM (the two-process design uses a real user process for WGC instead). + Win32_System_RemoteDesktop.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:08:50 +00:00
enricobuehler 589b364c01 ci(windows): fix runner registration CWD + capture clean daemon logs
apple / swift (push) Successful in 53s
android / android (push) Has been cancelled
ci / rust (push) Has been cancelled
ci / web (push) Has been cancelled
ci / docs-site (push) Has been cancelled
ci / bench (push) Has been cancelled
deb / build-publish (push) Has been cancelled
decky / build-publish (push) Has been cancelled
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
Two fixes after live setup on home-windows-1: register from $RunnerHome (act_runner writes
.runner relative to CWD, so it must run there — it had landed in the SSH home and the daemon
couldn't find it), and run the daemon under cmd-level redirect (>> runner.log 2>&1) so its native
stderr stays out of PowerShell's error stream. Runner is live: windows-amd64:host, SYSTEM
scheduled task, "declare successfully" against git.unom.io.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:06:54 +00:00
enricobuehler fb88b18fb4 ci(windows): make setup-windows-runner.ps1 ASCII-clean
apple / swift (push) Successful in 53s
ci / docs-site (push) Successful in 28s
android / android (push) Successful in 2m0s
ci / rust (push) Failing after 57s
ci / web (push) Successful in 31s
deb / build-publish (push) Successful in 2m24s
decky / build-publish (push) Successful in 22s
ci / bench (push) Successful in 4m30s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 17s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 2m35s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
PowerShell 5.1 reads .ps1 in the system code page; an em-dash inside a string literal misparsed
(its bytes look like a quote) and the non-ASCII username in the daemon wrapper would have been
mangled. Drop the em-dash and copy rustup toolchains to C:\Users\Public\.rustup so the wrapper
carries no non-ASCII path. Prep validated: act_runner 1.0.8 + Node 20 + config generated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 07:01:37 +00:00
enricobuehler 627188b4b7 ci(windows): setup-windows-runner.ps1 — Gitea Actions host runner provisioner
apple / swift (push) Successful in 54s
ci / rust (push) Failing after 59s
ci / docs-site (push) Successful in 28s
deb / build-publish (push) Successful in 2m23s
decky / build-publish (push) Successful in 11s
android / android (push) Failing after 46s
ci / web (push) Successful in 28s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 4s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 5s
ci / bench (push) Successful in 4m29s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m8s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m15s
docker / deploy-docs (push) Successful in 20s
The Windows analogue of scripts/ci/setup-macos-runner.sh: downloads act_runner (gitea-runner)
in host mode, bumps Node 20 via nvm4w (actions/checkout@v4), registers against git.unom.io with
labels windows-amd64:host, and installs a SYSTEM scheduled task that keeps the daemon alive
across reboots. The daemon's env wrapper hard-codes this box's MSVC/WinUI toolchain (cargo/rustup,
NASM, CMake, LLVM, FFmpeg, the ASCII CARGO_HOME SDL3's PCH needs) so the Windows workflow inherits
a working toolchain. Idempotent; token (from org unom -> Settings -> Actions -> Runners) not
persisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 06:59:40 +00:00
enricobuehler 28ab448a29 feat(host/windows): WGC capture backend (overlay/HDR-correct) with watchdog'd DDA fallback
android / android (push) Failing after 46s
apple / swift (push) Successful in 54s
ci / rust (push) Failing after 1m16s
ci / web (push) Successful in 31s
ci / docs-site (push) Successful in 27s
deb / build-publish (push) Successful in 2m23s
decky / build-publish (push) Successful in 10s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 6s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 5s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
ci / bench (push) Successful in 4m31s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m15s
docker / deploy-docs (push) Successful in 18s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 7m50s
The capture-architecture reset from the research: add a Windows.Graphics.Capture (WGC) backend that
captures the COMPOSED desktop — including the overlay/independent-flip/MPO planes DXGI Desktop
Duplication misses — which structurally fixes the frozen HDR animations + video (proven live: a WGC
frame decodes to the real 5120x1440 HDR content DDA freezes on). It reuses the whole pipeline
unchanged: the WGC frame's GPU texture → same scRGB→BT.2020-PQ shader → NVENC zero-copy; the OS
composites the cursor (IsCursorCaptureEnabled) so no manual cursor pass. crates/punktfunk-host/src/
capture/wgc.rs; find_output/make_device/HdrConverter/nudge_cursor_onto made pub(crate) for reuse.

Reliability findings + mitigations (live on the RTX 4090):
- WGC can't activate under the SYSTEM account (0x80070424) — it needs the interactive user token. The
  host must run as the user for WGC (run.cmd: drop PsExec -s). DDA still needs SYSTEM for the secure
  desktop — that token reconciliation (impersonation) is the remaining task.
- WGC's Direct3D11CaptureFramePool::CreateFreeThreaded intermittently HANGS on the headless SudoVDA
  (IddCx) display, correlated with accumulated SudoVDA churn (failed REMOVEs leaving lingering
  displays); clean-state opens reliably. Since it's a blocking hang, capture_virtual_output runs WGC
  open on a watchdog thread with a 5s timeout and falls back to DDA on hang/error — the session is
  NEVER left black: WGC when it opens (fixed animations), DDA otherwise. First-frame nudge added (WGC
  fires FrameArrived on change; a static desktop otherwise never delivers the first frame).
- Default WGC; PUNKTFUNK_CAPTURE=dda forces DDA. DDA path unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 06:32:54 +00:00
enricobuehler 84e17fbb49 feat(windows-client): polish the WinUI 3 UI — Mica, cards, typography
android / android (push) Failing after 46s
ci / rust (push) Failing after 51s
apple / swift (push) Successful in 55s
ci / web (push) Successful in 27s
ci / docs-site (push) Successful in 28s
deb / build-publish (push) Successful in 2m23s
decky / build-publish (push) Successful in 10s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 5s
ci / bench (push) Successful in 4m27s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m4s
docker / deploy-docs (push) Successful in 18s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 7m50s
The first cut was a flat stack of buttons. Reworked the chrome to match the windows-reactor
gallery's look:
- Mica backdrop on the window.
- A centred, scrollable, max-width column (`page()` helper) instead of full-width sprawl.
- Card surfaces (`border` + `ThemeRef::CardBackground`/`CardStroke`, rounded, padded) grouping
  content, with all-caps section labels.
- Host rows are clickable cards: name (semibold) + address + a PIN/Open/Paired badge + chevron,
  laid out with a grid so the badge/chevron sit right; tap to connect.
- Header row with title + Settings button; a ProgressRing while searching / connecting; settings
  as grouped "Stream" / "Audio" cards; the pairing screen is a centred card.

Pure styling/layout — no logic change. Build + clippy + fmt green on x86_64-pc-windows-msvc.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 05:28:15 +00:00
enricobuehler 3b3940dc8c docs(windows-client): correct the WinUI 3 record — reactor IS used (PR #4499)
apple / swift (push) Successful in 54s
android / android (push) Failing after 1m41s
ci / rust (push) Failing after 56s
ci / web (push) Successful in 28s
ci / docs-site (push) Successful in 28s
deb / build-publish (push) Successful in 2m26s
decky / build-publish (push) Successful in 12s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 6s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 30s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 20s
ci / bench (push) Successful in 4m37s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m33s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m24s
docker / deploy-docs (push) Successful in 6s
The winit-commit docs claimed "Reactor rejected, no SwapChainPanel hatch" — that was wrong.
windows-rs PR #4499 added the SwapChainPanel widget; the client now uses WinUI 3 via
windows-reactor. Update CLAUDE.md M4, the bootstrap-doc status banner (reactor integration:
pinned git dep, CARGO_WORKSPACE_DIR, App-SDK build.rs, LL-hook stream input), and the
docs-site clients page (WinUI 3, launch-and-pick-a-host).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 23:07:05 +00:00
enricobuehler 5029fa727e feat(windows-client): stream input — Win32 low-level keyboard/mouse hooks
apple / swift (push) Successful in 53s
android / android (push) Successful in 2m12s
ci / rust (push) Failing after 55s
ci / web (push) Successful in 26s
ci / docs-site (push) Successful in 43s
ci / bench (push) Successful in 4m27s
decky / build-publish (push) Successful in 12s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
deb / build-publish (push) Successful in 2m26s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m0s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 7m50s
docker / deploy-docs (push) Successful in 6s
windows-reactor exposes no raw key-down/up or pointer-position/wheel events (only keyboard
accelerators + pointer button-state), so the WinUI 3 stream page captures input below XAML via
WH_KEYBOARD_LL / WH_MOUSE_LL, installed on the UI thread when the stream page mounts and removed
on unmount (held keys/buttons flushed). The SwapChainPanel fills the window, so the pointer maps
through the client rect (Contain-fit into the negotiated mode); keys carry the native Windows VK
directly (the wire contract — no table needed). While captured, events inside the video area are
swallowed so Alt+Tab/Win reach the host; Ctrl+Alt+Shift+Q toggles capture; clicks on the title
bar (outside the client rect) pass through. Mouse buttons (L/M/R/X1/X2), vertical + horizontal
wheel, and absolute motion all forwarded. Build + clippy + fmt green on x86_64-pc-windows-msvc.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 23:04:17 +00:00
enricobuehler 4994f7f4ba feat(windows-client): WinUI 3 (windows-reactor) UI — host list, settings, pairing, SwapChainPanel present
audit / cargo-audit (push) Failing after 1m5s
apple / swift (push) Successful in 3m37s
ci / rust (push) Failing after 3m46s
android / android (push) Successful in 5m20s
ci / web (push) Successful in 33s
ci / docs-site (push) Successful in 27s
ci / bench (push) Successful in 4m39s
decky / build-publish (push) Successful in 22s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 3m12s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 16s
deb / build-publish (push) Successful in 9m20s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 2m38s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 21s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m10s
flatpak / build-publish (push) Failing after 4m55s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 4m36s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m18s
docker / deploy-docs (push) Successful in 20s
Replaces the winit + raw-HWND-D3D11 shell with a native WinUI 3 UI via windows-reactor (a
declarative React-like framework backed by WinUI). The earlier "Reactor can't host a
swapchain" read was wrong — PR #4499 (merged 2026-06-01) added a SwapChainPanel widget with
`set_swap_chain` over `CreateSwapChainForComposition`. Builds + clippy + fmt green on
x86_64-pc-windows-msvc.

- Cargo: drop winit/raw-window-handle; add windows-reactor + the `windows` crate, both pinned
  to the SAME windows-rs commit (b4129fcc) so the `IDXGISwapChain1` handed to `set_swap_chain`
  satisfies reactor's `windows_core::Interface`. Reactor's build.rs downloads the Windows App
  SDK NuGets + stages the bootstrap DLL/resources.pri — it requires `CARGO_WORKSPACE_DIR` set
  (now in the VM build env); /temp + /winmd gitignored.
- present.rs: composition swapchain (B8G8R8A8 FLIP_SEQUENTIAL premultiplied) bound to the
  SwapChainPanel; WARP fallback, runtime D3DCompile shaders, dynamic RGBA texture, Contain-fit
  letterbox; driven by reactor's per-frame `on_rendering`.
- app.rs: the WinUI 3 shell — host list (live mDNS + saved + manual), settings (resolution/
  refresh/mic combos+toggle), in-app SPAKE2 PIN pairing screen, and the stream page. Trust gate
  mirrors the GTK client (pinned → silent, pair=optional → TOFU, else PIN); a pinned-fp
  mismatch routes to re-pair. The session pump + decoded-frame handoff cross to the UI thread
  via a Mutex side-channel + thread-locals (the SwapChainPanel sample's pattern).
- gamepad: `ctl` sender now `Arc<Mutex<…>>` so GamepadService is `Sync` (shared across the UI
  and session-pump threads). main.rs: windowed = in-app UI; `--headless`/`--discover` keep the
  CLI paths.

Not yet wired: raw stream keyboard/mouse input (next commit — reactor exposes no raw key/
pointer events, so it needs Win32 low-level hooks or Microsoft.UI.Xaml bindings). On-glass
validation pending a display (the dev VM is headless/GPU-less).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 22:58:48 +00:00
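
The trust gate described in the commit above (pinned → silent, pair=optional → TOFU, else PIN, pinned-fp mismatch → re-pair), as an added Rust example that is not the project's own code. `KnownHosts`, `PairPolicy`, `TrustDecision`, the 32-byte fingerprint size, and the rule that a pin is only replaced after a successful PIN ceremony are assumptions of this example.

```rust
use std::collections::HashMap;

/// Certificate fingerprint; the 32-byte size is an assumption of this example.
pub type Fingerprint = [u8; 32];

/// What the host advertises about pairing (hypothetical name for "pair=optional").
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PairPolicy {
    Optional,
    Required,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TrustDecision {
    Silent,          // stored pin matches: connect without prompting
    TrustOnFirstUse, // unknown host that allows unpaired use: pin what it presents
    PinPairing,      // unknown host that requires pairing: run the PIN ceremony
    RePair,          // stored pin does NOT match: refuse until re-paired
}

#[derive(Default)]
pub struct KnownHosts {
    pins: HashMap<String, Fingerprint>,
}

impl KnownHosts {
    pub fn decide(&self, host: &str, presented: &Fingerprint, policy: PairPolicy) -> TrustDecision {
        match self.pins.get(host) {
            Some(pinned) if pinned == presented => TrustDecision::Silent,
            // The pin is checked before the advertised policy, so an endpoint
            // presenting a different key cannot claim "pair=optional" and get
            // its key accepted by TOFU over the existing pin.
            Some(_) => TrustDecision::RePair,
            None => match policy {
                PairPolicy::Optional => TrustDecision::TrustOnFirstUse,
                PairPolicy::Required => TrustDecision::PinPairing,
            },
        }
    }

    /// Apply a decision. `ceremony_ok` is the result of the PIN ceremony and is
    /// ignored for Silent/TrustOnFirstUse. Returns true if the session may proceed.
    pub fn commit(
        &mut self,
        host: &str,
        presented: Fingerprint,
        decision: TrustDecision,
        ceremony_ok: bool,
    ) -> bool {
        match decision {
            TrustDecision::Silent => true,
            TrustDecision::TrustOnFirstUse => {
                self.pins.insert(host.to_string(), presented);
                true
            }
            TrustDecision::PinPairing | TrustDecision::RePair => {
                // Assumption: the stored pin changes only after the ceremony succeeds.
                if ceremony_ok {
                    self.pins.insert(host.to_string(), presented);
                }
                ceremony_ok
            }
        }
    }
}

fn main() {
    // Constructed sample fingerprints, not real certificate hashes.
    let genuine: Fingerprint = [0x11; 32];
    let other: Fingerprint = [0x22; 32];
    let mut hosts = KnownHosts::default();

    let first = hosts.decide("desk", &genuine, PairPolicy::Optional);
    hosts.commit("desk", genuine, first, false);
    println!("first contact:  {:?}", first);
    println!("same key again: {:?}", hosts.decide("desk", &genuine, PairPolicy::Required));
    println!("different key:  {:?}", hosts.decide("desk", &other, PairPolicy::Optional));
}
```
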
enricobuehler 296b976b8f feat(windows-client): SDL3 gamepads + docs — full stage-1 parity, MSVC-green
apple / swift (push) Successful in 54s
audit / cargo-audit (push) Failing after 1m19s
android / android (push) Failing after 2m22s
ci / web (push) Successful in 41s
ci / docs-site (push) Successful in 33s
ci / bench (push) Successful in 1m56s
deb / build-publish (push) Successful in 3m28s
ci / rust (push) Successful in 7m23s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 6s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
decky / build-publish (push) Successful in 12s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 18s
flatpak / build-publish (push) Successful in 3m59s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m21s
docker / deploy-docs (push) Successful in 7s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m43s
Adds the SDL3 gamepad service (near-verbatim port of the GTK client's — SDL3 is
cross-platform) and wires it into the winit app: per-session capture (buttons/axes,
DualSense touchpad + motion 0xCC), feedback (rumble, lightbar, raw DualSense effects),
single-pad-forwarded model with auto pad-type from the physical controller. Built from
source on Windows (no system SDL3).

- gamepad.rs: GamepadService (app-lifetime SDL thread) attach/detach on session
  connect/end; auto_pref resolves "Automatic" to the attached pad's type.
- app.rs: hold the service, attach on Connected, detach on Ended/Failed/close. Also
  simplify the keydown path (drop the identical if/else arms).
- main.rs: start the service for the windowed path, resolve GamepadPref from settings +
  the physical pad.

Build gotcha documented + fixed in the dev loop: SDL3's build-from-source MSVC
precompiled-header chokes on the `ü` in the dev box's username embedded in the cargo
registry path (MSB8084/C4828) — CARGO_HOME must be an ASCII path
(C:\Users\Public\.cargo). Unrelated to our code.

Docs: CLAUDE.md M4 + docs/windows-client-bootstrap.md status banner (winit-not-Reactor
rationale, CARGO_HOME gotcha, what's pending) + docs-site clients.md "Windows desktop
client (in development)". Crate is build + clippy + fmt + test green on
x86_64-pc-windows-msvc.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 22:11:35 +00:00
enricobuehler e4bdec97bd feat(windows-client): winit + D3D11 present, WASAPI render, input — builds live on MSVC
apple / swift (push) Successful in 56s
android / android (push) Successful in 2m8s
audit / cargo-audit (push) Failing after 1m7s
ci / web (push) Successful in 32s
ci / docs-site (push) Successful in 30s
ci / bench (push) Successful in 1m32s
ci / rust (push) Failing after 3m31s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
decky / build-publish (push) Successful in 13s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 3s
flatpak / build-publish (push) Successful in 4m10s
deb / build-publish (push) Successful in 6m14s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m25s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 5m12s
docker / deploy-docs (push) Successful in 18s
Builds on the prior headless scaffold (which was committed but never VM-built — its
audio.rs had two non-compiling wasapi calls). This makes the whole crate build + clippy
+ fmt + test green on x86_64-pc-windows-msvc and adds the windowed client.

- Fix audio.rs: `DeviceEnumerator::new()?.get_default_device(...)` (the free fn doesn't
  exist) and the 3-arg `write_to_device` (wasapi 0.23). WASAPI shared-mode event-driven
  render + mic capture now compile and link.
- present.rs: D3D11 renderer with WARP fallback (GPU-less dev box), runtime-compiled
  fullscreen-triangle shaders, dynamic RGBA video-texture upload, Contain-fit letterbox
  draw, and a flip-model swapchain on the window HWND.
- app.rs: winit 0.30 ApplicationHandler — present loop + Moonlight-style click-to-capture
  input (keyboard via the physical-KeyCode→VK keymap, absolute mouse, wheel, F11), held
  state flushed on release/focus-loss.
- keymap.rs: winit physical KeyCode → Windows VK (layout-independent positional mapping,
  the analogue of the Linux client's evdev table).
- main.rs: windowed default + `--headless` counting mode, `--discover` (mDNS list),
  `--pair PIN` (SPAKE2 ceremony), `--pin HEX`/known-host/TOFU trust, settings-backed
  CLI defaults.

UI decision: winit + raw D3D11 (the bootstrap doc's sanctioned fallback), confirmed by a
research pass — windows-rs "Reactor" ships no SwapChainPanel / SetSwapChain escape hatch,
so it can't host the presenter; winit+WARP validates on the GPU-less VM. Native-chrome
host-list/settings GUI + D3D11VA hardware decode + 10-bit/HDR present are follow-ups.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 21:59:40 +00:00
enricobuehler ef30afcf0b fix(apple): fill the notch in macOS fullscreen — stop letterboxing below the camera housing
apple / swift (push) Successful in 55s
ci / rust (push) Successful in 1m11s
android / android (push) Successful in 1m55s
ci / web (push) Successful in 31s
ci / docs-site (push) Successful in 32s
ci / bench (push) Successful in 1m48s
decky / build-publish (push) Successful in 23s
deb / build-publish (push) Successful in 2m21s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 16s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 2m37s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 3m56s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 25s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m42s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m17s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m51s
docker / deploy-docs (push) Successful in 21s
The macOS sessionView branch was missing the .ignoresSafeArea() its iOS/tvOS
siblings have, so in fullscreen the stream was laid out in the safe area below the
notch; the aspect-fit video then scaled down to that smaller area and left black
borders. Add .ignoresSafeArea() so the stream fills the whole display including
behind the camera housing (a thin top-center strip occluded — normal fullscreen-
video behavior); at the display's native mode it's now a 1:1 fill. Inert in
windowed mode and on non-notched displays. NSPrefersDisplaySafeAreaCompatibilityMode
is deliberately not used (it shrinks the whole window with borders on all sides).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 23:57:06 +02:00
enricobuehler 4b0b775e8e fix(apple): allow CoreHaptics audioanalyticsd mach-lookup under the macOS sandbox
GCDeviceHaptics.createEngine returns a CHHapticEngine (the only controller-rumble
API on Apple platforms); starting it spins up CoreHaptics, which looks up the
system audio-analytics daemon over Mach. The App Sandbox denies that global-name
lookup and the framework's precondition turns the denial into a hard crash
("Process is sandboxed but com.apple.security.exception.mach-lookup.global-name
doesn't contain com.apple.audioanalyticsd") the moment a controller's rumble
engine starts.

Add the documented, App-Store-acceptable temporary-exception whitelisting exactly
that one service. Verified embedded into the signed binary (codesign -d
--entitlements) alongside the existing entitlements. macOS-only (iOS/tvOS reject
temporary-exception keys and don't need it). App Store: declare it in App Sandbox
Entitlement Usage Information.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 23:57:06 +02:00
enricobuehler b9f4cf1f3e fix(host/windows): don't 2-way-split-encode Main10 — it's SLOWER on Ada (fixes broken HDR animations)
apple / swift (push) Successful in 53s
audit / cargo-audit (push) Failing after 1m9s
android / android (push) Successful in 2m3s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 6s
ci / web (push) Successful in 29s
ci / docs-site (push) Successful in 29s
ci / bench (push) Successful in 1m31s
ci / rust (push) Successful in 4m26s
decky / build-publish (push) Successful in 11s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 3s
flatpak / build-publish (push) Successful in 3m34s
deb / build-publish (push) Successful in 6m55s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m25s
docker / deploy-docs (push) Successful in 18s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 5m10s
The "broken animations in HDR" was an encode-throughput cliff, not the ACCESS_LOST churn. Measured at
5120x1440@240 HEVC Main10 on the RTX 4090: forced 2-way split-encode = 7.6 ms/frame (~131 fps, well
over the 4.17 ms/240fps budget → choppy), while SINGLE engine = 2.8-3.9 ms/frame (~256-357 fps, fits
240). The split/merge overhead dominates for 10-bit; a single Ada NVENC engine already handles 5K@240
Main10 comfortably. So the split decision now forces DISABLE for Main10 (bit_depth >= 10), keeping the
existing forced-2 only for 8-bit above 1 Gpix/s. PUNKTFUNK_SPLIT_ENCODE still overrides. Added a
split-mode log line.

Validated live on the 4090: encode_us_p50 7.6 ms → 3.9 ms at 5K240 HDR with no env override.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 21:40:28 +00:00
enricobuehler b1e95a386f fix(host/windows): tiered DXGI recovery — cheap re-DuplicateOutput for the HDR ACCESS_LOST churn
apple / swift (push) Successful in 53s
ci / web (push) Successful in 28s
android / android (push) Successful in 1m46s
ci / docs-site (push) Successful in 30s
ci / bench (push) Successful in 1m49s
decky / build-publish (push) Successful in 11s
ci / rust (push) Successful in 1m4s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
deb / build-publish (push) Successful in 3m24s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m17s
docker / deploy-docs (push) Successful in 17s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m56s
The HDR path produced a constant ACCESS_LOST churn during real desktop activity (window resize /
Start menu / DWM transitions): the duplication keeps getting invalidated but the OUTPUT stays valid
(probe passes — 0 born-lost over 72 rebuilds). The old recovery did a FULL rebuild (new device +
factory) on every loss, which re-inits NVENC + seeds black + was throttled to 4x/s → mostly-frozen,
re-init churn = "broken animations".

Now recovery is tiered (mirrors Sunshine): try_reduplicate() does a fresh DuplicateOutput on the
EXISTING device+output — no new device, so NO encoder re-init, NO black seed, gpu_copy/HDR
textures/last_present kept → frames resume immediately. Only a genuine output loss (secure-desktop
switch) or a dead device (DEVICE_REMOVED/RESET) falls back to the full, throttled recreate_dupl.
Both paths probe the new duplication and reject a born-lost one.

Validated synthetically (1080p60 + 5120x1440@240 HDR): pipeline stable, 0 churn, frames flow. The
real-desktop churn needs live validation (can't synthesize DWM animations). Secure-desktop "UI never
appears in-session" is a separate issue (output gone in-session; only a fresh monitor re-add works) —
still open.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 21:31:14 +00:00
enricobuehler 0a3b92d994 fix(host/windows): HDR cursor brightness (203-nit) + probe-before-adopt recovery; windows-client bootstrap doc
android / android (push) Successful in 2m43s
ci / web (push) Successful in 31s
ci / bench (push) Successful in 1m35s
ci / rust (push) Successful in 7m7s
decky / build-publish (push) Successful in 11s
apple / swift (push) Successful in 55s
ci / docs-site (push) Successful in 37s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
deb / build-publish (push) Successful in 2m18s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m33s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 5m33s
docker / deploy-docs (push) Successful in 18s
- HDR cursor: sRGB→linear decode + scale to HDR graphics white (PUNKTFUNK_HDR_CURSOR_NITS, default
  203 per BT.2408) in the FP16 cursor composite, so it's no longer ~2.5x too dim. SDR path unchanged;
  the masked-color (I-beam) inversion blend left unscaled. Cursor cbuffer widened 16→32 + bound to PS.
  (Validated live: cursor now correct brightness in HDR.)
- Secure-desktop recovery: recreate_dupl now PROBES the rebuilt duplication with a 50ms
  AcquireNextFrame and only adopts it when live (Ok/WAIT_TIMEOUT); a born-lost one (immediate
  ACCESS_LOST) is dropped so the caller repeats the last frame + retries. Plus reassert_isolation()
  re-detaches physical displays on every recovery (re-routing the secure/HDR desktop to the virtual
  output, the delta a fresh reconnect has). NOTE: the born-lost ACCESS_LOST storm in HDR is NOT yet
  resolved by these — still under investigation (animations/secure-UI/cursor-trail in HDR remain).
- docs/windows-client-bootstrap.md: handoff for the native Windows Rust client (windows-rs Reactor +
  WinUI 3 SwapChainPanel, D3D11VA decode, WASAPI audio, SDL3 input; ports crates/punktfunk-client-linux;
  10-bit/HDR present; dev boxes + gotchas).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 21:20:42 +00:00
enricobuehler e99a1aea43 fix(apple): resolve QoS priority inversions + two Swift concurrency warnings
apple / swift (push) Successful in 55s
ci / rust (push) Successful in 1m31s
android / android (push) Successful in 1m48s
ci / web (push) Successful in 27s
ci / docs-site (push) Successful in 33s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
ci / bench (push) Successful in 1m35s
decky / build-publish (push) Successful in 11s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 3s
deb / build-publish (push) Successful in 2m19s
flatpak / build-publish (push) Successful in 4m2s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m22s
docker / deploy-docs (push) Successful in 18s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m39s
Priority inversions (Thread Performance Checker): the Apple client drains every
plane on .userInteractive threads (video pump, audio, gamepad feedback) and
connects on a .userInitiated Task, but the connector's producer threads ran at
the default QoS — so a high-QoS consumer parked waiting on a lower-QoS producer.
Pin the connector's producers (outer worker thread, all tokio runtime threads via
on_thread_start, and the data-plane spawn_blocking pump) to .userInteractive on
Apple so they match the consumers. #[cfg(target_vendor = "apple")] helper using
the existing libc dep; no-op off Apple, no Swift-side change (no latency
regression).

GamepadFeedback.swift: the init's MainActor hop captured self implicitly-strong
while the inner $active sink captured it weakly — capture [weak self] in the hop
too (the sink stays weak to avoid the retain cycle).

StreamPump.swift: the @Sendable pump-thread closure captured the non-Sendable
AVSampleBufferDisplayLayer. enqueue/flush are documented thread-safe and only the
pump thread drives it after start(), so assert that with nonisolated(unsafe).

cargo build/test/clippy/fmt green (core + host); xcframework rebuilt; swift build
+ iOS/tvOS targets clean with both warnings gone. Runtime confirmation of the
inversion warnings needs a GUI run under Xcode's Thread Performance Checker.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 22:48:10 +02:00
enricobuehler bbabc04bca feat(hdr): Windows HDR10 + 10-bit end-to-end, negotiated; non-blocking capture recovery
apple / swift (push) Successful in 54s
ci / rust (push) Successful in 1m32s
android / android (push) Successful in 1m49s
ci / web (push) Successful in 26s
ci / docs-site (push) Successful in 30s
ci / bench (push) Successful in 1m36s
decky / build-publish (push) Successful in 12s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 3s
deb / build-publish (push) Successful in 2m20s
flatpak / build-publish (push) Successful in 4m6s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m11s
docker / deploy-docs (push) Successful in 18s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m32s
Adds true HDR (BT.2020 PQ) and 10-bit (HEVC Main10) streaming, negotiated so an
8-bit/SDR client is never sent a stream it can't decode, plus a robust fix for the
capture losing the stream across a secure-desktop transition.

Protocol (punktfunk-core/quic.rs):
- Hello gains `video_caps` (VIDEO_CAP_10BIT / VIDEO_CAP_HDR), Welcome gains `bit_depth`,
  both as optional trailing bytes (back-compat). client-rs advertises 10-bit via
  PUNKTFUNK_CLIENT_10BIT; the connector advertises 0 for now (in-band detection drives
  the native clients). Regenerated punktfunk_core.h.

Windows host:
- 10-bit Main10: host enables it only when the client advertised VIDEO_CAP_10BIT AND
  PUNKTFUNK_10BIT is set; threaded through open_video → NVENC (profile Main10,
  pixelBitDepthMinus8).
- HDR: when the captured desktop is scRGB FP16 (R16G16B16A16_FLOAT, HDR on), copy it to
  an FP16 surface, composite the cursor there, convert scRGB → BT.2020 PQ 10-bit
  (R10G10B10A2) via a shader, and encode HEVC Main10 with the BT.2020/PQ colour VUI
  (ABGR10 input). Fixes the freeze + cursor-trail that came from feeding FP16 into the
  BGRA path. Reacts dynamically to the HDR toggle.
- Capture recovery: rebuild is now a single NON-BLOCKING attempt, throttled to ~4×/s,
  repeating the last good frame between attempts (format-tagged last_present). During a
  secure-desktop dwell SudoVDA's output is gone; the old blocking 12 s retry starved the
  send loop for seconds so the client timed out and disconnected — now the session stays
  fed (frozen) until the desktop returns. Also seeds a black frame on recovery.

Apple client (PunktfunkKit):
- Detects HDR in-band from the stream VUI (PQ transfer function), decodes to 10-bit P010,
  and presents via an rgba16Float + BT.2020 PQ CAMetalLayer with EDR; SDR path unchanged.
  Switches automatically on a mid-session HDR toggle.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 20:28:52 +00:00