57 Commits

Author	SHA1	Message	Date
enricobuehler	7591425f6f	feat(clients): in-app OSS / third-party-license screens ... Surface THIRD-PARTY-NOTICES.txt in every GUI client (the desktop packages already ship it as a file; this adds the on-glass screen): - Linux: Preferences -> About -> Third-party licenses (adw::AboutDialog with the app license + Legal sections; include_str! the root notices). - Apple: macOS About tab / iOS+tvOS Acknowledgements link; notices bundled as PunktfunkKit SPM resources, read via Bundle.module (the Xcode app links the SPM product, so they ride along - no .pbxproj edit). - Android: Settings -> About -> Open-source licenses (reads the bundled asset). - (Windows landed earlier in d1d2ca2: Settings -> About -> Third-party licenses.) gen-third-party-notices.sh now copies the generated file into the Apple Resources/ and Android assets/ trees so the in-tree copies never drift. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:52:43 +00:00
enricobuehler	d1d2ca293d	feat(pairing): seamless no-PIN delegated approval (host parks the knock, clients add "Request access") ... Web-console "Approve" (delegated pairing, roadmap §8b-1) was unreachable: every client routed a fresh pair=required host straight to the SPAKE2 PIN ceremony, so no "knock" was ever recorded; and an unpaired connect was rejected+closed with no way to resume after approval. The backend + console were complete but had no client-side trigger and no post-approval admit path. Host (native_pairing.rs, punktfunk1.rs): an unpaired identified knock is now PARKED instead of rejected — it releases its NVENC session permit, awaits an operator decision (NativePairing::wait_for_decision, woken by a Notify on approve/deny), and on approval re-acquires a slot and admits the SAME connection with no reconnect. QUIC keep-alive (4s/8s) holds the parked connection warm. The pairing gate moves out of the HANDSHAKE_TIMEOUT-bounded handshake future; approve_pending is reordered read-then-add and wait_for_decision double-checks is_paired to close a "neither pending nor paired" race. New PENDING_APPROVAL_WAIT (180s). Tests: delegated_approval_admits_after_knock now approves mid-park (no reconnect) + new wait_for_decision_approve_deny_timeout unit test (108 host tests green). Clients (Linux/Apple/Windows/Android): a fresh pair=required host now offers "Request access" alongside the PIN ceremony — a plain identified connect with a ~185s handshake budget and a cancelable "waiting for approval" UI; on success the host is saved as paired, and cancel returns the UI immediately while a late- resolving connect is torn down silently via a per-attempt flag. Apple reuses the existing C-ABI timeout_ms (no ABI change); Windows adds SessionParams.connect_timeout + a RequestAccess screen; Android adds a timeoutMs arg to the nativeConnect JNI seam (both sides + both callers). Linux built + clippy + fmt clean; Apple/Windows/ Android pending their CI/on-device compiles. SPAKE2 ceremony reviewed end-to-end against the spake2 0.4 contract — correct, no changes needed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:41:09 +00:00
enricobuehler	75627c8afe	feat(audio): end-to-end 5.1/7.1 surround across the native path + all clients ... Adds negotiated 5.1/7.1 surround to the punktfunk/1 protocol and every client (previously stereo-only): - core: new shared `audio` layout table (LAYOUT_51/71 + identity multistream mapping, canonical wire order FL FR FC LFE RL RR SL SR); Hello/Welcome `audio_channels` negotiation via the trailing-byte back-compat pattern (old peers fall back to stereo); C-ABI `punktfunk_connect_ex6`, `punktfunk_connection_audio_channels`, and in-core multistream decode `punktfunk_connection_next_audio_pcm` for embedders without a multistream Opus decoder. Real-libopus channel-identity round-trip test. - host: native audio thread captures + Opus-(multi)stream-encodes at the negotiated count (with a cross-session cached-capturer channel-mismatch fix); GameStream surround unified onto the safe `opus::MSEncoder`, dropping `audiopus_sys` (~4 unsafe blocks) and un-gating Windows GameStream surround; WASAPI loopback capture relaxed to 2/6/8 with the correct dwChannelMask. - clients: Linux (PipeWire), Windows (WASAPI), Android (AAudio) decode via `opus::MSDecoder` + render multichannel; Apple decodes in-core to PCM → AVAudioEngine with an explicit wire-order channel layout; each gains a Stereo/5.1/7.1 setting. `punktfunk-probe --audio-channels N` is the headless validator. Verified on Linux: core/host/linux/probe test suites + the Android Rust (cargo-ndk) build, clippy -D warnings, and rustfmt all green. Windows/Apple builds, all on-glass checks, and the live native loopback are pending (CI / a free box). Also lands the concurrent in-tree HEVC 4:4:4 host work (PUNKTFUNK_444): it shares the same touched files (quic.rs, punktfunk1.rs, encode/*, ...) and so cannot be committed separately from the surround changes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:11:05 +00:00
enricobuehler	32879f45bf	feat(apple): App Store screenshot harness + CI zip artifact ... A DEBUG-only "shot mode" renders one mock-populated screen full-bleed (PUNKTFUNK_SHOT_SCENE=<name> -> ScreenshotHostView instead of ContentView), so the OS can screenshot the REAL, fully-rendered UI. tools/screenshots.sh drives it: screencapture for the mac window, `simctl io booted screenshot` for the iOS/iPad/tvOS Simulators, at exactly the App Store Connect sizes. ImageRenderer was tried first and rejected: it can't rasterize this app's chrome (NavigationStack, Form/TabView, Liquid-Glass/NSVisualEffect all render black or the "can't render" placeholder). Capturing the live window/Simulator avoids that. Only the stream hero is synthetic (StreamView needs a live connection) - a synthwave frame + the real glass HUD, overridable via PUNKTFUNK_SHOT_HERO. CI: a new `screenshots` job in apple.yml builds the iOS (+ tvOS best-effort) xcframework slices, runs the harness per platform best-effort, and attaches the result as a single zip artifact (punktfunk-appstore-screenshots). It is isolated from the build/test job and skipped on PRs, so a capture gap (missing Simulator runtime, or no Screen Recording grant for the mac window capture) never reds the core signal. Generated PNGs (clients/apple/screenshots/) are gitignored. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-22 19:44:03 +02:00
enricobuehler	118752c136	fix(apple): drive DualSense rumble over raw HID (CoreHaptics is silent on macOS) ... GameController's CHHapticEngine never reaches the DualSense's motors on macOS — its adaptive triggers and lightbar work, but rumble stays silent (a documented platform gap). Drive the motors directly via the DualSense HID output report instead, the way SDL and the Linux hid-playstation driver do — the same report that already rumbles the pad on a Linux host. Confirmed live on macOS. - DualSenseHID (macOS): opens the Sony DualSense via IOHIDManager and writes the USB (0x02, 48 bytes) and Bluetooth (0x31, 78 bytes + CRC32) output reports through IOHIDDeviceSetReport. Allowed under the App Sandbox by the existing device.usb + device.bluetooth entitlements; coexists with GameController (non-seized open). Flags mirror the kernel driver (COMPATIBLE_VIBRATION | HAPTICS_SELECT + COMPATIBLE_VIBRATION2); valid_flag1 = 0 so a rumble report leaves the GameController-managed lightbar / triggers / player LEDs untouched. - RumbleRenderer routes a DualSense to the HID backend and keeps CoreHaptics for every other pad, fixing both live sessions and the test panel (shared renderer). - CoreHaptics path reworked too: bake the target intensity + an explicit sharpness into the continuous event (the dynamic-parameter scaling is silent on controller engines) and tear down outside the inout access to fix a latent exclusivity hazard. Adds a DEBUG-only Settings -> Controllers -> "Test Controller" panel (ControllerTestView + ControllerTester) that shows live input and fires rumble / adaptive triggers / lightbar / player LEDs straight at the pad, with a readout of the active rumble backend ("DualSense HID - USB/Bluetooth"). Used to validate the fix. Tests: DualSenseHIDTests pins the USB/BT report layout and the BT CRC32 (canonical 0xCBF43926 check vector). Debug + release build clean; gamepad suite green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-22 13:16:41 +02:00
enricobuehler	3e6c9f6060	feat(gamepad): add virtual Xbox One/Series + DualShock 4 pad types ... Extends virtual-controller support beyond Xbox 360 + DualSense. Goal: a physical Xbox One or PS4 pad on the client gets a near-native matching virtual pad on the host, auto-resolved from the controller type. Protocol/core: - GamepadPref gains XboxOne (wire 3) + DualShock4 (wire 4); to_u8/from_u8/ from_name/as_str + C ABI PUNKTFUNK_GAMEPAD_XBOXONE/_DUALSHOCK4 constants (compile-time guard ties them to the enum). Single-byte wire form is unchanged, so it's forward-compatible (older peers degrade to Auto). Host (Linux): - New UHID DualShock 4 backend (inject/dualshock4.rs) bound by hid-playstation: lightbar, touchpad, motion, rumble — DualSense minus adaptive triggers / player LEDs / mute. Reuses the DualSense pure state + button mapping; only the report byte layout, the real-DS4 HID descriptor, the GET_REPORT handshake (0x12 MAC mandatory; 0x02 calibration; 0xa3 firmware) and the touchpad resolution (1920x942) differ. Touchpad/motion ride the existing 0xCC plane, lightbar the 0xCD Led plane (deduped); rumble the universal 0xCA plane. - Xbox One/Series is the uinput Xbox-360 backend parameterized with the One S USB identity (045e:02ea) for matching glyphs — XInput-identical otherwise. - PadBackend dispatch + resolver handle both; off Linux the UHID pads and One/Series fold into Xbox 360. Windows-host DS4 (ViGEm) deferred. Clients (auto-resolve physical pad -> virtual type, plus manual settings): - Linux/Windows (SDL3): SDL_GAMEPAD_TYPE_PS4 -> DualShock 4, _XBOXONE -> Xbox One; PadInfo carries the resolved pref; DS4 touchpad/motion capture + lightbar already type-agnostic. Linux settings combo + label updated. - Apple (GameController): GCDualShockGamepad/GCXboxGamepad detection, DS4 touchpad capture, settings picker entries. - Android (Kotlin): InputDevice VID/PID auto-detect (matching the other clients) + settings entries. - probe: --gamepad help/aliases. Also hardens the Android JNI boundary: wrap the teardown + poll-thread shims in catch_unwind so a panic degrades to a logged no-op instead of aborting the app. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 13:34:44 +00:00
enricobuehler	551012bb43	feat(clients): HDR Steps 2-3 — apply mastering metadata + display capability-gate ... Continues docs/hdr-pipeline-plan.md. Steps 0/1 + Step 2 (Windows/Android) already landed in 3526517; this is Step 2 (Apple) + Step 3 (all clients). Client-only — no core/host/ABI change (the 0xCE/next_hdr_meta/color_info surfaces shipped in Step 0). Step 2 — clients APPLY the host's HDR metadata (each remaps from the wire form: ST.2086 G,B,R order, mastering luminance in 0.0001 cd/m2): - Apple: connect via punktfunk_connect_ex5 (resurrects the previously-dead HDR pipeline); nextHdrMeta/colorInfo wrappers + HdrMeta SEI-blob builders; the pump drains nextHdrMeta -> VideoDecoder.setHdrMeta -> CVBufferSetAttachment of MasteringDisplayColorVolume (24B BE) + ContentLightLevelInfo (4B BE) on each HDR pixel buffer (correct for the itur_2100_PQ layer; CAEDRMetadata avoided as ambiguous there). Step 3 — capability-gate: advertise HDR caps ONLY when the display can present it, so an SDR display gets a proper BT.709 stream instead of PQ it would mis-tone-map; an HDR display self-tone-maps from the Step-1/2 mastering metadata. - Windows: present::display_supports_hdr() (DXGI any IDXGIOutput6 colour space == G2084), ANDed with the user HDR setting in session.rs; logs the SDR drop. - Apple: NSScreen.maximumExtendedDynamicRangeColorComponentValue>1 (macOS) / UIScreen.main.potentialEDRHeadroom>1 (iOS) in SessionModel. - Android: Settings.displaySupportsHdr (Display.getHdrCapabilities HDR10/HDR10+) passed through a new hdr_enabled jboolean on nativeConnect; session.rs gates the caps. Validation: Android native (incl. the jboolean gate) builds + clippy clean via cargo-ndk; fmt clean. Windows (MSVC), Apple (Swift) and the Kotlin side are CI/on-glass validated — not compilable on the Linux dev box. Deferred to the RTX box: mid-session Reconfigure SDR-downgrade on monitor move, and confirming the host emits SDR for an SDR client off an HDR desktop. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 09:46:58 +00:00
enricobuehler	86979d0abc	fix build ... improve iOS & iPadOS UI	2026-06-19 15:49:48 +02:00
enricobuehler	9abb9a2496	fix - replace Punktfunkempfänger with Punktfunk	2026-06-18 17:56:58 +02:00
enricobuehler	ef30afcf0b	fix(apple): fill the notch in macOS fullscreen — stop letterboxing below the camera housing ... The macOS sessionView branch was missing the .ignoresSafeArea() its iOS/tvOS siblings have, so in fullscreen the stream was laid out in the safe area below the notch; the aspect-fit video then scaled down to that smaller area and left black borders. Add .ignoresSafeArea() so the stream fills the whole display including behind the camera housing (a thin top-center strip occluded — normal fullscreen- video behavior); at the display's native mode it's now a 1:1 fill. Inert in windowed mode and on non-notched displays. NSPrefersDisplaySafeAreaCompatibilityMode is deliberately not used (it shrinks the whole window with borders on all sides). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 23:57:06 +02:00
enricobuehler	f5eae24c87	feat(apple): tabbed macOS Settings + stats-overlay placement/toggle + Stream menu ... The macOS Settings window had outgrown one scrolling pane — split it into a tabbed preferences window (General / Display / Audio / Controllers / Advanced). Each settings group is now a shared @ViewBuilder section, so iOS keeps its single grouped Form and tvOS its pushed-picker layout, each defined once. No setting moved or dropped. New statistics-overlay controls (Settings → Display → Statistics): a show/hide toggle (DefaultsKey.hudEnabled) and a corner picker (HUDPlacement / DefaultsKey.hudPlacement) — the HUD moves to the chosen corner and aligns its text to that edge. A Scene-level "Stream" menu (StreamCommands) carries Show/Hide Statistics (⌘⇧S) and Disconnect (⌘D). Disconnect moved off the HUD button into the menu so it survives the overlay being hidden, wired via .focusedSceneValue. On iOS a material-backed exit chip appears when the HUD is hidden (touch users have no menu/⌘D); tvOS disconnect is unchanged (Siri-Remote Menu button). Builds on macOS/iOS/tvOS; swift test green. Adversarially reviewed (8 findings refuted, 2 minor — the iOS exit-chip contrast fix is included here). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 22:11:39 +02:00
enricobuehler	8ab262f8f8	feat(trust): host-gated trust-on-first-use — PIN pairing mandatory by default ... TOFU let anyone who could reach the host click "Trust" and stream, which defeats the point on a LAN. Make SPAKE2 PIN pairing the default and only way to trust a NEW host; TOFU survives as an explicit HOST opt-in (for fully trusted networks), advertised over mDNS so clients render their trust UI from the host's policy rather than offering trust on faith. Contract: - Host advertises pair=required (default) or pair=optional. pair=required rejects unpaired clients at the handshake; pair=optional accepts them (TOFU). - Clients: a pinned host whose fingerprint matches connects silently; a pinned host whose fingerprint CHANGED forces re-pairing via PIN (no re-trust shortcut); a NEW host is offered TOFU only if it advertised pair=optional, otherwise PIN pairing is mandatory; a manually-typed or unknown-policy host is always PIN. Host (crates/punktfunk-host/src/main.rs): - m3-host now REQUIRES pairing by default (was open by default). New --allow-tofu opts into accepting unpaired clients + advertising pair=optional; pairing is always armed (PIN logged at startup). serve --native was already secure-by-default (serve --open). The mDNS advert and the accept loop already mapped require_pairing -> pair=required + reject; only the m3-host CLI default + help text changed. Clients honor the advertised policy: - Android (MainActivity.kt): TOFU only for a discovered pair=optional host; manual/unknown -> PIN; fp-change -> re-pair only (dropped the "Forget & re-TOFU" shortcut). - Apple (HostDiscovery/SessionModel/ContentView/HostCards/HostStore): new allowsTofu (pair==optional, distinct from unknown); connect() gates .awaitingTrust on it; unpinned non-optional hosts route to the PIN sheet; "Forget Identity" re-pairs rather than re-TOFUs. - Linux (app.rs/ui_hosts.rs/session.rs): ConnectRequest.pair_required -> pair_optional; initiate_connect routes pinned/fp-changed/optional/else; manual + --connect unknown -> PIN; a pinned connect rejected on trust grounds re-pairs. Docs (CLAUDE.md, README.md, docs-site/content/docs/pairing.md): describe the gated model — PIN is the default, TOFU an explicit opt-in with an impostor warning. Verified: host cargo check/clippy/fmt clean; Android built + live (emulator -> home-worker-2): a manual connect now opens the PIN dialog (no Trust button) and the PIN ceremony streams; Apple swift build clean; Linux clippy -D warnings + fmt clean on the Linux box. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 13:27:52 +02:00
enricobuehler	36107018a8	feat(apple/library): mTLS — authenticate by the paired identity, drop the token ... Phase 3: the Apple library now talks to the host's HTTPS mgmt API (b4a85a8) over mTLS using this client's persistent identity — the SAME cert the host paired over QUIC — so there is NO manual token anymore. - ClientTLS: builds a SecIdentity from the stored PEM (CryptoKit parses the rcgen P-256 PKCS#8 key → x963 → SecKey; the cert PEM → SecCertificate; SecIdentityCreateWithCertificate pairs them via the Keychain). macOS-only for now (that API is unavailable on iOS — a PKCS#12 path would be needed there; the client is macOS-first). - LibraryTLSDelegate: pins the host's self-signed cert by the fingerprint the client already trusts, and presents the identity for the client-cert challenge. - LibraryClient.fetch now does GET https://…/library with the identity + host fingerprint; the whole connection form (port + token) and StoredHost.mgmtToken/setMgmt are gone — the library "just works" for a paired host. 401 → "pair with the host first". Can't compile Swift on the Linux box; CI (apple.yml) compiles the macOS path incl. the Security/CryptoKit code. Runtime (SecIdentity build + the mTLS handshake) needs Mac validation. Pairs with the host mTLS already landed + live-tested. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 17:47:19 +00:00
enricobuehler	8c2e245c8b	fix(apple/cursor): disable the client-side cursor (gamescope traps input) ... The client-side cursor positions the host pointer with ABSOLUTE events, but gamescope's input socket (EIS) grants only a relative pointer — the host drops the absolute events (libei.rs: no PointerAbsolute → not emitted), so the pointer never moves and clicks/scroll land on the stuck position. Auto-mode enabled exactly this on gamescope, making all input appear dead until toggled off. Force `cursorVisible = false`, neuter the ⌘⇧C toggle, and hide the now-inert Settings picker. The resolution logic + handlers are kept (commented) for when per-compositor gating (KWin/GNOME/Sway have an absolute pointer) or a synthetic-cursor-over-relative path lands. Relative capture (the working path) is now always used. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 17:14:57 +00:00
enricobuehler	36a04e667c	fix(apple): capture the PS/Home button + fullscreen only while streaming ... Two issues from live Mac testing, plus a requested fullscreen option: - PS button: the Home/PS button (→ guide; the host maps it to the DualSense PS bit) does not reliably fire GCExtendedGamepad.valueChangedHandler on macOS, so its presses were dropped. Add a dedicated buttonHome.pressedChangedHandler that re-syncs. The host already maps BTN_GUIDE→PS, so this is the missing client half. - Fullscreen: a macOS FullscreenController (NSViewRepresentable) takes the window fullscreen while a session is up (incl. the trust prompt over the blurred stream) and restores it on the host list — so only the stream is fullscreen, not the picker. New `fullscreenWhileStreaming` setting (default on) + a Settings "Window" toggle. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 16:14:37 +00:00
enricobuehler	5706e7ebf4	feat(apple/library): launch a picked title (step 4 client side) ... Tapping a game in the (flagged) library now starts a session that asks the host to launch it — the picked GameEntry id rides the connect down to the host, which resolves it against its own library (27e5865). - PunktfunkConnection.init gains `launchID` and calls the new punktfunk_connect_ex4 (wrapping it in withOptionalCString; nil = host default). - Threaded SessionModel.connect(launchID:) → ContentView.connect(_:launchID:) → a `launchTitle(host, id)` helper that dismisses the browser and connects. - LibraryView gains `onLaunch`; cards become buttons that fire it. Wired on every platform (ContentView sheet on macOS/iOS, HomeView destination on tvOS) via a new `onLaunchTitle` closure on HomeView. Settings footer updated (launch is live now). Can't compile Swift on the Linux box; CI (apple.yml) verifies. The host side of this chain is live-validated on the dev box: a client `--launch custom:<id>` made the host resolve the id and spawn gamescope running the title (see 27e5865). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 15:00:58 +00:00
enricobuehler	1b610d6bf5	feat(apple/library): experimental game-library browser (flagged off) ... Plan step 3 — the Apple client surfaces the host's game library, behind a feature flag (`DefaultsKey.libraryEnabled`, default OFF). Browsing only; launching a chosen title is step 4. - PunktfunkKit `LibraryClient`: Codable GameEntry/Artwork/LaunchSpec mirroring crates/punktfunk-host/src/library.rs, and an async fetch of GET /api/v1/library with a bearer token. Typed LibraryError guides setup (the common case is "needs a --mgmt-token"). `Artwork.posterCandidates` = portrait → header → hero. - `LibraryView`: cross-platform poster grid (LazyVGrid, AsyncImage that walks the art candidates past load failures to a text placeholder), a store badge, and an inline Connection form (mgmt port + token) that surfaces when the API is unreachable / 401 / no token set. Read-only. - StoredHost gains `mgmtPort`/`mgmtToken` (the mgmt API is a distinct port from the data plane and needs a token off-loopback). Both OPTIONAL — synthesized Decodable ignores property defaults but treats a missing Optional as nil, so older saved hosts decode unchanged (a defaulted non-optional would wipe the list). HostStore.setMgmt. - Entry point: a flag-gated "Browse Library…" host-card context action → LibraryView (sheet on macOS/iOS, pushed on tvOS), mirroring the pair/speed-test plumbing. Plus a Settings "Experimental" toggle. Can't compile Swift on the Linux dev box; CI (apple.yml: swift build + swift test on the mac mini) verifies the macOS path. Added LibraryClientTests (decode + art order) for `swift test`. iOS/tvOS-only branches mirror existing patterns. Live-verify on the Mac pending. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 14:28:16 +00:00
enricobuehler	c64816c70a	feat(apple): client-side cursor for gamescope sessions (toggle + shortcut) ... gamescope's PipeWire capture carries no cursor (verified upstream — it never composites the cursor or adds SPA_META_Cursor), so the cursor must be drawn on the client. New macOS "cursor-visible" capture mode: instead of disassociating+hiding the system cursor and sending relative deltas (the game path, unchanged), it keeps the system cursor visible over the stream and sends ABSOLUTE positions (MouseMoveAbs), mapped through the video's aspect-fit (AVMakeRect) to host pixels with the letterbox bars dropped. The visible system cursor IS the client cursor — zero added latency, no double cursor (gamescope draws none), accurate (the client drives the host's absolute mouse). - Default: on iff the session's resolved compositor is gamescope (via the new punktfunk_connection_compositor getter, fc30307). - Settings: "Cursor in stream" → Auto (gamescope) / Always / Never. - Shortcut: ⌘⇧C toggles it live mid-session (re-engages capture so disassociation + abs/rel forwarding swap atomically); shown in the HUD. macOS-only (the visible-cursor mode lives in the macOS StreamView). Verified to compile + link via xcodebuild Release on the Mac; runtime behavior (cursor landing, hover forwarding) to be confirmed live. Rust ABI side committed separately. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 12:07:15 +00:00
enricobuehler	c2ae40ef9e	feat(net/mac): default-on recvmsg_x batched Mac recv + GSO host + longer probe ... The Mac/iOS client's wall around ~380 Mbps on a 2.5 G path is the receive drain, not the transport: a loopback speed-test pushes 380/600/1000 Mbps at 0.0% loss, but Darwin has no recvmmsg(2), so the macOS client was doing one recv() syscall per packet — ~40-90k syscalls/s on one core. When the recv loop can't drain fast enough the kernel socket buffer backs up and drops, which the client sees as a sustained stream stalling/freezing in the 300-400 Mbps range (and an immediate "session ended" when a 500 Mbps+ first keyframe bursts in). - core/transport: flip recvmsg_x (the batched Darwin recv, ~30x fewer syscalls) from opt-in to default ON, opt-out via PUNKTFUNK_RECVMSG_X=0. Keeps the auto-fallback to the scalar loop on any unexpected syscall error. The Apple CI swift-test loopback now exercises this path by default. - packaging/kde host.env: enable PUNKTFUNK_GSO=1 — UDP segmentation offload on the host send path (one sendmsg per ~64 packets), the dominant lever above ~1 Gbps. Already wired (send_sealed -> send_gso) with sendmmsg auto-fallback. - apple SpeedTestSheet: lengthen the bandwidth probe 2 s -> 5 s so the measured number stops swinging wildly (50 vs 900 Mbps on the same link) — long enough for steady-state send + recv drain to settle. Matches host MAX_PROBE_MS. - host capture: PUNKTFUNK_SYNTH_NOISE synthetic high-entropy source for reproducible throughput testing of the encode->FEC->send->recv path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 00:35:26 +00:00
enricobuehler	47112f44b7	feat(apple): surface host online status on the home grid ... Saved host cards now show a presence dot — green when the host is advertising on the LAN right now, grey when not seen. Cross-references each StoredHost against the live mDNS discovery set (HostDiscovery). No host changes: the host already advertises _punktfunk._udp with a stable id + cert fingerprint, which the client already browses. - StoredHost.matches(DiscoveredHost): fingerprint-first (survives a DHCP address change), address:port fallback. The discovered-section dedup now uses the same match, so a saved host whose IP changed no longer also shows up as a stranger. - HostCardView gains an isOnline presence dot (accessibility-labelled). - HomeView.isOnline recomputes on every @Published discovery change, so the dot tracks hosts joining/leaving the network live. Online detection is LAN-scoped by design: a remote/cross-subnet host that doesn't advertise here shows grey ("not seen"), not a false "offline". Swift-only. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 14:32:57 +02:00
enricobuehler	e2257a6158	fix(apple): persist Keychain trust — sign macOS + data-protection keychain ... The client identity prompted for Keychain access on every launch/rebuild. Root cause: the macOS app target was ad-hoc signed (CODE_SIGN_IDENTITY = "-"), and the identity lived in the file keychain whose "Always Allow" ACL is bound to the app's exact code signature (cdhash for ad-hoc). Every rebuild changed the binary -> changed the cdhash -> the ACL no longer matched -> re-prompt. - Sign the macOS target with Apple Development (team already set) instead of ad-hoc, so the designated requirement is identity-based and stable across rebuilds. - Move the identity to the data-protection keychain (kSecUseDataProtectionKeychain) gated by a team-scoped keychain-access-group entitlement — access is granted by the app's entitlement, not a per-binary ACL, so it's prompt-free and survives rebuilds. Add Config/Punktfunk.entitlements and wire CODE_SIGN_ENTITLEMENTS into all six app configs (macOS/iOS/tvOS). - Unsigned / ad-hoc builds (e.g. `swift run`) lack the entitlement (errSecMissingEntitlement) — fall back to the legacy file keychain so they still work (with the old prompt), no hard failure. macOS re-mints the identity on first run (the old file-keychain copy isn't in the data-protection keychain) -> one re-pair, which is acceptable. iOS keeps its identity (the explicit access group equals the prior default). Validated: swift build; swift test (39 passed, 0 failures); xcodebuild -showBuildSettings confirms Apple Development + Config/Punktfunk.entitlements. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 23:25:51 +02:00
enricobuehler	9291568ce0	refactor(apple): decompose ContentView (735 -> 272 lines) ... Split the monolithic ContentView into focused view files — a pure structural refactor with no behavior change (verified: builds macOS/iOS/tvOS, the test suite is green, and a fidelity review against the original found no discrepancies): - ContentView (272): the coordinator — owns the session model / host store / discovery, switches home<->session, holds the connect logic (it reads @AppStorage) + the dev hooks, and the stream builder (whose stable identity across awaiting-trust->streaming must NOT move — it stays here). - HomeView (251): the hosts grid + navigation + toolbar + sheets + "On this network" discovery section + empty state. - HostCards (158): HostCardView + DiscoveredCardView, sharing a CardMetrics struct (dedupes the platform-tuned sizing the two cards had copy-pasted). - TrustCardView (80): the TOFU prompt + fingerprint formatting. - StreamHUDView (67): the streaming overlay HUD. State flows idiomatically: @StateObject (ContentView) -> @ObservedObject in subviews, @State -> @Binding; the connect logic is passed as closures. Sheet placement is preserved — the pairing/speed-test sheets stay on the outer body so they survive the trust->home transition. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 16:30:34 +02:00
enricobuehler	9e8135ccec	refactor(apple): code-quality pass — audit fixes + centralized defaults keys ... A 6-agent adversarial audit of the client (11 confirmed of 39 findings, the rest filtered) drove these: - fix: SessionAudio ring buffer — guard a write larger than the ring (would push readIdx past writeIdx and corrupt the buffer; never happens, but guard not corrupt). - fix: CADisplayLink retain cycle (stage-2 presenter) — a weak-target DisplayLinkProxy so the view can deallocate (the link retains its target); stage-2 teardown added to both StreamView/StreamViewController deinits as a safety net. - fix: GamepadFeedback deinit { flag.stop() } — the drain thread holds the connection strongly and self weakly, so an abrupt teardown without stop() would leak it. - refactor: centralize the 12 UserDefaults/@AppStorage key literals (scattered across 8 files) into one DefaultsKey enum — a typo silently splits a setting's reader from its writer. - docs: RumbleRenderer @unchecked Sendable invariant; the HID digit-row table; the stage-2 layer compositing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 16:30:34 +02:00
enricobuehler	7b10714b62	feat(apple): stage-2 presenter — explicit decode + Metal present + glass-to-glass ... Opt-in (Settings -> Presenter; `punktfunk.presenter`, default stage-1). Stage-1's AVSampleBufferDisplayLayer decodes AND presents internally with no per-frame callback, so neither decode nor present can be stamped or hand-paced. Stage-2 takes explicit control: - VideoDecoder: VTDecompressionSession, async output callback stamps decode-completion, session rebuilt on every IDR / format change. Unit-tested (testVideoDecoderAsyncCallbackDeliversPixels). - MetalVideoPresenter: CAMetalLayer + CVMetalTextureCache + a runtime-compiled BT.709 limited-range NV12->RGB shader, present at the next vsync. The CVMetalTextures + pixel buffer are held until the GPU completes. - Stage2Pipeline: pump thread -> decoder -> newest-ready 1-slot ring; the hosting view's display link drains it once per vsync and stamps capture->present (the display-link target time projected into CLOCK_REALTIME). - LatencyMeter gains record(ptsNs:atNs:offsetNs:); the HUD shows a capture->present (glass-to-glass, modulo host render->capture) line, skew-corrected via clockOffsetNs. Measured live ~11 ms p50 vs ~2.2 ms capture->client. - StreamView / StreamViewIOS host the CAMetalLayer as a sublayer + a CADisplayLink (NSView.displayLink on macOS) when stage-2; input capture + HUD unchanged. The session-active gates switch from `pump != nil` to `connection != nil` so capture engages without a StreamPump. Validated: builds macOS/iOS/tvOS; the decode half is unit-tested; the Metal present is live-validated on glass (correct image + the capture->present number). Colorspace is BT.709 SDR for now; 10-bit/HDR + a pacing policy are later. Plan: docs-site/content/docs/apple-stage2-presenter.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 15:29:23 +02:00
enricobuehler	8f596ba6c5	fix(apple): latency HUD — interpolate the (same-host) suffix, don't concat ... The capture->client latency line concatenated a String onto a LocalizedStringKey (Text("...\(x, specifier:)..." + (cond ? "" : "...")), which doesn't type-check: the specifier: interpolation makes the literal a LocalizedStringKey, which has no '+'. Fold the conditional suffix into the interpolation instead — the Apple client didn't build on the latency-HUD commit (e04328f). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 14:11:45 +02:00
enricobuehler	6d3ff37d9e	feat(client): cross-target input handling + LAN mDNS discovery ... Input handling, building on macOS/iOS/tvOS: - macOS recapture after navigating out: engageCapture no longer latches captured=true when the cursor grab is refused mid app-activation (which left a free cursor that no later click could re-grab); cursorCapture.capture() now reports success. + canBecomeKeyView. - iOS/iPadOS recapture: restore the prior capture on didBecomeActive (nothing re-grabbed mouse/keyboard on return before). - iPad indirect pointer (no lock) is forwarded as an absolute MOUSE (move + buttons + scroll via hover / UITouch.indirectPointer), not as touch, with the local cursor visible; GCMouse owns the locked regime, gated so the two never double-send. Adds the MouseMoveAbs wire helper. - Trackpad scroll on iOS (was entirely missing): GCMouse scroll dpad when locked + a scroll-only UIPanGestureRecognizer otherwise. - tvOS: no focusable control during play (a focusable Disconnect button ate the controller's A in the focus engine); Siri Remote Menu disconnects. - Don't leak touch to the host under the TOFU trust prompt (gate on captureEnabled). LAN discovery: HostDiscovery (NWBrowser over _punktfunk._udp, the host's crate::discovery advert) resolves each service to IP:port and parses the TXT (fp advisory, pair, id); an "On this network" section in the grid (tap to save + connect, or pair if required). iOS/tvOS get NSBonjourServices via a merged Config/Info.plist. Integration-tested end to end against a fake NWListener advert. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 14:08:19 +02:00
enricobuehler	6b4de5d738	feat(client/speedtest): request the host's full 3 Gbps probe ceiling ... The Apple speed test asked for only 400 Mbps, capping the measured throughput there and hiding the link's real headroom. Request the host's full MAX_PROBE_KBPS (3 Gbps) instead, and raise the recommended-bitrate clamp from 500 Mbps to the host's 2 Gbps session ceiling so a fast measurement yields a usable recommendation. Also fix the stale caps left when the host clamps were raised (b8a33e2): the resolved-bitrate range and the probe doc comments (abi.rs, client.rs, regenerated header), plus the section 9 roadmap copy, now read 3 Gbps probe / 2 Gbps session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 14:08:19 +02:00
enricobuehler	e04328f086	feat(apple): capture->client latency HUD (skew-corrected) via the connect offset ... The Apple client now consumes the connector's clock offset. PunktfunkConnection reads punktfunk_connection_clock_offset_ns into clockOffsetNs at connect; a new LatencyMeter (PunktfunkKit, NSLock + percentiles, mirrors FrameMeter) records each AU's capture->client-receipt latency = now(CLOCK_REALTIME) + offset - pts_ns, and SessionModel drains p50/p95 into the macOS HUD ("capture->client N/N ms p50/p95", "(same-host)" when the host didn't answer the skew handshake). Wired at the existing onFrame hook in ContentView — additive, no change to the decode/present path. Unit test for the meter (percentiles, skew flag, absurd-value guard). This is the first cross-machine latency the real Apple client reports. SCOPE: stage-1 AVSampleBufferDisplayLayer decodes+presents compressed samples internally with no per-frame callback, so this excludes decode+present; true decode->present needs the stage-2 presenter (VTDecompressionSession + CAMetalLayer). Rebuild PunktfunkCore.xcframework (for the new C getter) before swift build/test on a Mac. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-12 11:58:54 +00:00
enricobuehler	1d605fb781	feat(gamepad): controller discovery + client-negotiated pad type + rich DualSense end to end ... The Apple client grows full gamepad support and punktfunk/1 learns to negotiate the virtual pad type: - Protocol: Hello carries a GamepadPref byte (offset 21, the same trailing-byte back-compat pattern as the compositor; echoed resolved in Welcome at 54). Host precedence: explicit client choice > PUNKTFUNK_GAMEPAD env > Xbox 360, DualSense (UHID) only where available. ABI: punktfunk_connect_ex2 + punktfunk_connection_gamepad (connect_ex delegates; ABI_VERSION stays 2 — the trailing byte IS the compat mechanism). punktfunk-client-rs gets --gamepad. - Swift client: GamepadManager (app-lifetime discovery + selection — Settings lists every controller with capabilities/battery/"In use"; exactly ONE pad forwards as pad 0, auto = most recently connected, or pinned), GamepadCapture (snapshot-diff button/axis events, DualSense touchpad + ~250 Hz motion on the rich-input plane, held state released on switch/deactivate/stop), GamepadFeedback (rumble → CoreHaptics per-handle engines; lightbar → GCDeviceLight; player LEDs → playerIndex; adaptive-trigger blocks → the table-driven DualSenseTriggerEffect parser → GCDualSenseAdaptiveTrigger, exact for the 10-zone positional modes). The pad type auto-resolves from the physical controller at connect time, user-overridable in Settings. - Host DualSense fixes surfaced by adversarial review against hid-playstation / SDL / Nielk1 ground truth: input-report sensor/touch offsets were off by one (the kernel read garbage motion + phantom touches), the L2/R2 trigger blocks were swapped (the report is right-trigger-first), feedback now gates on the report's valid-flags (a plain rumble write no longer blanks lightbar/ triggers), and the touchpad rescale clamps to the advertised ABS_MT extents. - Tests: Hello/Welcome trailing-byte back-compat, pick_gamepad precedence, byte-exact input-report layout, valid-flag gating, per-mode trigger-parser table (incl. packed 3-bit zones), wire conversions, and a scripted loopback feedback burst (PUNKTFUNK_TEST_FEEDBACK=1) asserted through the xcframework on the rumble + HID-output planes. Validated: cargo test/clippy/fmt green on macOS + Linux (61 host tests), swift build/test green, test-loopback.sh green, tvOS/iOS targets compile. DualSense motion sign/scale is derived from the calibration blob, not yet live-verified (constants isolated in GamepadWire). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 16:28:33 +02:00
enricobuehler	a17997bb01	fix(apple): pairing copy points at the web console for the PIN ... The PIN now surfaces in the host's web admin UI (port 3000 → Pairing), which is where users will actually read it — the pairing sheet's footer, field prompts, the tvOS keyboard title, and the wrong-PIN/failure errors all reference the console instead of the host log / --allow-pairing flag (the log mention stays in the README as the secondary path). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 14:31:24 +02:00
enricobuehler	ea42fcf15a	fix(apple/tvOS): spring-driven slide transition ... The slide now runs on UISpringTimingParameters (stiffness 300, damping 30 — a ~0.87 damping ratio: settles quickly with a hint of life, no overshoot ping-pong) via the transition library's .interpolatingSpring animation. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 14:28:08 +02:00
enricobuehler	7655c36f34	fix(apple/tvOS): hand-rolled selection screens — kills the black-text flash in pickers ... The navigationLink Picker's INTERNAL destination list renders its rows in the focused (dark-text) style while the push animates — black text over the dark backdrop until focus settles (present under the old fade too; a SwiftUI-on-tvOS quirk we don't control). Settings now uses its own primitives instead: - TVSelectionRow: label + current value, pushes… - TVSelectionList: a Settings-app-style option list (plain button rows + checkmark, selecting pops back) — ordinary button chrome, no focused-style pre-rendering. The stream-mode and compositor pickers are gone on tvOS; the Settings screen itself is a plain scroll of rows + footer (no Form), matching the rest of the tv UI. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 14:19:54 +02:00
enricobuehler	92933ef46b	fix(apple/tvOS): system-style slide for in-stack pushes (swiftui-navigation-transitions) ... SwiftUI's NavigationStack on tvOS animates pushes as a bare crossfade with no public customization — the system Settings app slides. The home stack now applies .customNavigationTransition(.slide) on tvOS via davdroman/swiftui-navigation-transitions (MIT, tvOS 13+), covering the top-level routes AND the settings pickers' drill-ins. The dependency is referenced by the Xcode PROJECT only and linked solely by the Punktfunk-tvOS target: its manifest (no macOS platform declared vs 10.15 deps) breaks SwiftPM whole-graph validation for plain `swift build`, and the #if os(tvOS) import never compiles in the macOS-only SwiftPM dev shell anyway. Headless builds need xcodebuild -skipMacroValidation (the lib pulls Swift macro packages; in the Xcode UI it's a one-time Trust & Enable prompt). iOS/macOS keep their untouched system navigation animations. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 14:12:04 +02:00
enricobuehler	f01b07a973	fix(apple/tvOS): pushed routes instead of modal covers — the Settings-app navigation feel ... Add Host, Settings and PIN pairing were fullScreenCover overlays, which is why navigating felt unlike the system Settings app (no push animation, no Menu-pops-a-level semantics). They are now navigationDestination ROUTES pushed inside the home NavigationStack: - the system push/pop animation and Menu-button back navigation come for free; - the Settings pickers' navigationLink pushes reuse the same stack (its inner NavigationStack wrapper is gone, as is the tvOS Done row — Menu pops, like Settings); - Add Host is a real full-screen page (system navigation title, Settings-style rows on the standard backdrop) instead of a floating dialog, same for the pairing page; - the thickMaterial cover backdrops became unnecessary and are gone. The system keyboard entries stay as covers — that presentation is system-owned either way. iOS/macOS keep their sheets. Verified by screenshot: Add Host renders as a pushed full-screen route with the title top-center. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 14:03:10 +02:00
enricobuehler	06a2d5e0ca	fix(apple/tvOS): system fullscreen keyboard for all text entry — no inline fields ... SwiftUI's inline TextField on tvOS is structurally wrong for television: it grows when activated, shows a full-width editing surface behind the pill, and floats labels off-center — none of it stylable into the Settings-app look. Per Apple's tvOS text input guidance, real tvOS apps never edit inline: a field is a value ROW, and pressing it raises the SYSTEM fullscreen keyboard. - TVTextEntry (UIViewControllerRepresentable): a UITextField that becomesFirstResponder on appear, presenting the standard tvOS fullscreen keyboard with the field's prompt; done/dismiss commits the text. TVFieldRow is the Settings-style label+value lozenge. - Add Host and PIN pairing on tvOS now use rows + keyboard covers exclusively (the port row also fixes the off-center value text for good — it's a Text, not a field); the port input validates 1...65535. - No SwiftUI TextField remains in any tvOS code path. Verified by screenshot: the dialog rows render exactly like the Settings app, and the address row raises the system linear keyboard with prompt + done. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 13:56:39 +02:00
enricobuehler	f292b3fe3a	fix(apple/tvOS): focus-native home grid, separated actions, Form-free dialogs ... Three more tvOS-isms, all the same lesson — let the focus engine own the chrome: - Host cards drew their own material platter + accent ring INSIDE the .card button style, muting the native grow/tilt focus motion. On tvOS the card style now owns the platter outright (material/ring stay on the pointer platforms), and the grid gets 48 pt spacing so the focused card swells without overlapping siblings. - Add Host and Settings no longer sit in the hosts row: they're a compact button row below the grid (and the empty state gains a Settings button, since tvOS has no toolbar). - The Add Host and pairing dialogs drop Form entirely on tvOS — list rows added a full-width focus fill plus a row platter behind every field's own pill (the "second outer pill"). As standalone fields in a centered dialog over the dimmed home, each input is exactly one pill with vertically centered text. Verified by screenshot in the Apple TV simulator (home grid + Add Host dialog). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 13:47:27 +02:00
enricobuehler	9e57a5a1ff	fix(apple/tvOS): native form controls — pushed pickers, single-pill fields, centered values ... The inline iOS form widgets fought the tvOS focus system at every turn: focused fields showed nested pills, rows darkened oddly and grew on activation, the Compositor picker was not even focusable, and prefilled fields (port, client name) floated their label inside the pill, shoving the value off-center. - Settings is now a fully tv-native screen: NO inline text entry — the stream mode is a preset picker (This TV native / 720p / 1080p / 4K, plus a Custom entry preserving a mode set on another platform) and both pickers use .navigationLink style (pushed selection lists, exactly like the system Settings app — and properly focusable; the cover wraps in a NavigationStack for the pushes). - Where text entry is unavoidable (Add Host, PIN pairing), the fields keep their stock single-pill chrome (the grouped form style stays off tvOS — its row platters were one of the nested pills) and prefilled fields hide their floating label so values center vertically. - All earlier row-clearing experiments reverted. Verified by screenshot in the Apple TV simulator: Settings rows render as single focus lozenges with chevrons; the Add Host pills are uniform with centered text. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 13:38:37 +02:00
enricobuehler	f7ed87e97f	fix(apple/tvOS): opaque material backdrop behind the full-screen covers ... tvOS forms/lists have CLEAR backgrounds and a fullScreenCover only shows what the presented view paints, so Settings/Add Host/pairing rendered transparently over the hosts grid. All three covers now sit on .thickMaterial edge to edge — the standard tvOS blur-over-content panel look (verified in the Apple TV simulator). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 13:26:48 +02:00
enricobuehler	7dd479f9e4	fix(apple/tvOS): television-idiomatic chrome — grid action tiles + full-screen covers ... The iOS chrome half-worked on tvOS: toolbar items rendered tiny with clipped labels and could not even be focused (which is why "+" never opened the add-host form), and sheet presentations are not a tvOS idiom (the Settings form looked broken). - The toolbar is gone on tvOS. Add Host and Settings live IN the hosts grid as full-size, focus-native tiles (.card style, same geometry as the host cards) — the natural way actions work on television. - Every modal (Add Host, Settings, PIN pairing) presents as a fullScreenCover on tvOS; Settings gains a tvOS-only Done button (covers don't dismiss themselves). - iOS/macOS keep their existing toolbar + sheets untouched. Verified in the Apple TV simulator: title, host card and both action tiles render full-size and focusable. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 13:22:18 +02:00
enricobuehler	bfd8c7be93	feat(apple): tvOS client — third app target, first-lit in the Apple TV simulator ... The same app now runs on tvOS (target Punktfunk-tvOS, bundle io.unom.punktfunk.tvos), validated live against the box: vkcube at 1280x720@60, 60 fps in the Apple TV 4K simulator, glass HUD with a focusable Disconnect button. - PunktfunkCore.xcframework grows tvOS device + universal-simulator slices. These are TIER-3 Rust targets (no prebuilt std): BUILD_TVOS=1 builds them with nightly and -Zbuild-std from rust-src — the full quic stack (quinn/rustls-ring/tokio) compiles for tvOS unchanged. - The UIKit stream view covers iOS AND tvOS, with pointer interaction, pointer lock, touch forwarding and InputCapture gated to iOS — tvOS is view-only until gamepad capture lands (the natural tvOS input). - SessionAudio on tvOS: .playback session, no mic (no app-accessible microphone). - App chrome gates: keyboardShortcut/textSelection/controlSize/statusBarHidden are iOS/macOS-only; host cards use the focus-native .card button style on tvOS; the Audio settings section hides (system-routed); mode seeding works from the TV screen (1920x1080@60). - Package platforms += .tvOS(.v17); new Xcode target + shared scheme (TARGETED_DEVICE_FAMILY 3, local-network usage description included). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 13:10:40 +02:00
enricobuehler	ee12e535ee	feat(apple): styling pass — dark-mode accent, recent-host state, glass HUD, security-sheet polish ... Working through the brand-color follow-ups: - AccentColor gains a dark-appearance variant (#8678F5 — the brand violet lifted one step toward the icon's light periwinkle) so tinted controls keep contrast on dark. - Host cards remember sessions: StoredHost.lastConnected (set when a session reaches streaming) renders as a "Connected … ago" relative-time line, and the most recent host's card carries a subtle accent ring — the grid finally has hierarchy. - The HUD swaps the pre-glass black-50% rectangle for .regularMaterial with an accent live-dot; hint lines use semantic .secondary instead of opacity. - Security moments: the trust card's lock.shield and the pairing sheet's header take the brand tint; the PIN field is larger monospaced and uses the number pad on iOS. Icon ↔ accent decision: the accent stays the exact brand #6656F2; the Icon Composer layers keep their adjacent palette (#6C5BF3 family) — close enough to read as one brand, and the icon remains the design-tool source of truth. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 12:59:55 +02:00
enricobuehler	0b735ac632	fix(apple/iOS): larger host cards — touch-first sizing ... The 160 pt grid minimum packed five small cards per iPad row. iOS columns now use a 280 pt minimum (one full-width card on iPhone portrait, 3–4 generous cards on iPad) and the card content scales with it: 56 pt icon, title3 name, taller padding. macOS keeps its compact 180–240 pt cards. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 12:52:45 +02:00
enricobuehler	bce820ec67	fix(apple): title the app "Punktfunkempfänger" — navigation title + window title ... Matches the bundle display name; was the lowercase project name "punktfunk" in the home navigation title (iOS large title / macOS titlebar) and the WindowGroup title. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 12:49:17 +02:00
enricobuehler	154da2dc58	fix(apple/iOS): immersive streaming — edge-to-edge, no status bar, hidden cursor, native default mode ... Streaming on iPad left the status bar up and the video boxed inside the safe areas, on top of a 16:9 default mode letterboxing on the 4:3 screen, with the iPadOS cursor hovering over the video. The session view is now immersive on iOS: - .ignoresSafeArea + .statusBarHidden + .persistentSystemOverlays(.hidden) for the session only (home gets its chrome back on disconnect). - First run seeds the stream mode from the device's native screen (UIScreen.nativeBounds + maximumFramesPerSecond) instead of 1920×1080 — verified live: a fresh install negotiated the iPad's 2752×2064 with the host. macOS keeps the 1080p default (a desktop window is not the screen). - The iPadOS cursor hides while over the video (UIPointerInteraction .hidden(), re-resolved on capture toggles) — the host renders its own cursor from our deltas; true pointer lock through UIHostingController remains the documented gap. Found along the way (host-side, not fixed here): at very high modes a keyframe burst can fill the UDP send buffer and m3 treats the sendmmsg WouldBlock as fatal ("session ended with error: submit_frame: WouldBlock") instead of backpressuring. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 12:44:37 +02:00
enricobuehler	3faec8415a	fix(apple/iOS): stock header + edge-aligned host grid — drop the custom title mode ... The "title looks off" report traced to the GRID, not the title: the Mac-tuned adaptive(180–240) columns yielded a single max-width card, centered, so nothing aligned with the leading large title. The header is now entirely stock primitives — default .navigationTitle large-title behavior (the inlineLarge experiment is gone), default .padding() so content sits on the system 16 pt margins — and the grid columns are platform-tuned: iOS drops the max so columns FILL the width and the cards stay edge-aligned with the title; macOS keeps the 180–240 cap (huge windows shouldn't grow huge cards). Verified in the iPhone 17 simulator with seeded hosts: pill top-right, large title at system metrics, two full-width-filling cards flush with the title's leading edge. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 11:59:05 +02:00
enricobuehler	fa553b1e2a	fix(apple/iOS): action buttons back into one shared glass pill ... The ToolbarSpacer split into separate circles was the wrong read — with the inline-large title row in place, the expected header is the single grouped pill (the system default for adjacent trailing items). Dropped the spacer and the availability fork; the two trailing items now share one pill next to the title. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 11:55:26 +02:00
enricobuehler	1d35df201c	fix(apple/iOS): inline-large header — title and action circles share the bar row ... The home screen stacked the toolbar row above the large title; the modern (iOS 26 Liquid Glass) header puts the large title leading and the glass action circles trailing on the SAME row. That's exactly .toolbarTitleDisplayMode(.inlineLarge) — applied on iOS only, macOS keeps its window chrome untouched. Verified in the iPhone 17 simulator: "punktfunk" large title left, gear/+ circles right, one row. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 11:53:56 +02:00
enricobuehler	7c24832ad0	fix(apple/iOS): touch-first control sizing — toolbar circles + large sheet buttons ... The iOS chrome inherited macOS dialog sizing and read as undersized on a phone: - Toolbar: the two trailing actions shared one compact glass pill; on iOS 26+ each now gets its own full-size circle (explicit .topBarTrailing placements split by a fixed ToolbarSpacer — the system-app look, e.g. Files), with the grouped-pill fallback on iOS 17–18. The buttons are extracted so macOS keeps SettingsLink + .help untouched. - Sheets and CTAs (AddHostSheet, PairSheet, trust card, empty-state Add Host) get .controlSize(.large) on iOS — proper touch targets instead of macOS dialog buttons. Verified in the iPhone 17 simulator: two ~44 pt glass circles matching the Files app's toolbar sizing; macOS suite and app build unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 11:47:30 +02:00
enricobuehler	e1af4d57c6	feat(apple): iOS/iPadOS client — touch, pointer lock, shared SwiftUI shell ... The whole client now runs on iPadOS/iOS from the same sources, first-lit live in the iPad simulator against the real host at 1280x720@60 (60 fps on the HUD, capture state machine active, mic permission flow shown). - PunktfunkCore.xcframework grows iOS device + universal-simulator slices (BUILD_IOS=1; rustup targets aarch64-apple-ios{,-sim} + x86_64-apple-ios). - The decode pump is extracted into a shared StreamPump (identical IDR re-gate logic on both platforms); the iOS StreamView (StreamViewIOS.swift) has the same name/signature as the macOS one, so ContentView & co. are byte-identical across platforms — hosted in a UIViewController for prefersPointerLocked (the iPadOS cursor capture; see README note 9 for the UIHostingController forwarding caveat). - Touch is always forwarded: per-finger wire ids, coordinates mapped through the aspect-fit letterbox into LIVE host-mode pixels (surface == host mode, identity rescale host-side; follows mid-stream requestMode switches). - InputCapture is cross-platform: GC works the same on iPadOS, ⌘⎋ is detected from the HID stream there; stale-⌘ tracking after focus loss fixed on both platforms (releaseAll now drops the modifier/latch state — a ⌘ released in another app otherwise hijacked Esc forever). - SessionAudio: AVAudioSession on iOS (.playAndRecord + .defaultToSpeaker — without it iPhones route host audio to the EARPIECE; deactivated with notifyOthersOnDeactivation on stop so interrupted background audio resumes); HAL device pinning + the Settings pickers stay macOS-only. - New Punktfunk-iOS app target (shared synchronized sources, generated Info.plist with mic + local-network usage descriptions — QUIC to a LAN host trips local network privacy on real devices — scene manifest + indirect input events for Stage Manager / external displays), shared scheme, macOS min-window frames gated off iOS. For the iPad-on-an-external-screen idea: with multiple scenes + indirect input enabled, Stage Manager iPads can drag the punktfunk window onto the external display and drive the PC with keyboard/mouse/touch. Known gaps (README note 9): the pointer-lock preference isn't consulted through UIHostingController (relative mouse works, the local cursor just stays visible) and AVAudioSession interruptions don't auto-restart audio. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 11:18:25 +02:00
enricobuehler	b26f138699	feat(apple): session audio — host playback + mic uplink, device pickers in Settings ... Both directions of the audio plane, on CoreAudio's built-in Opus codec (kAudioFormatOpus — no bundled libopus; OpusCodec.swift, round trip unit-tested): - Playback: a drain thread pulls nextAudio() packets, decodes, and writes a priming jitter ring feeding an AVAudioSourceNode (~20 ms prefill, adaptive to the device's render quantum so large-buffer devices don't oscillate prime/dropout; a high-water clamp sheds stall backlog so one network hiccup can't permanently lag audio behind video; underrun re-primes — one dip, not sustained crackle). - Mic: a second engine taps the input device, resamples to 48 kHz stereo, Opus-encodes 20 ms chunks and sendMic()s them into the host's virtual PipeWire source. Permission via AVCaptureDevice (NSMicrophoneUsageDescription added to the Xcode target). - Settings: Speaker + Microphone pickers (CoreAudio HAL enumeration, persisted by device UID — "System default" leaves the engine unpinned so it follows macOS device changes) and a "Send microphone" toggle (default on). Applies from the next session. - Audio starts with streaming, never during the trust prompt (no host sound — and no mic uplink — before the user trusted the host); teardown stops audio before close(). Adversarial-review fixes baked in: stop() and the dangling mic-permission callback share one lock+flag protocol (no hot mic with no owner), the connect-success handler bails when the attempt was abandoned mid-handshake (no session/mic for a dead window), SessionAudio gets a deinit backstop (a dropped instance can't pin the connection via its drain thread), and the render scratch buffer is block-owned (was leaked per session). Verified live against the box: remote test decodes 100 host Opus packets to PCM and the host opens its virtual mic on the first uplinked frame ("punktfunk/1 virtual mic ready"); on-glass session runs with both engines up. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 09:39:15 +02:00