760 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
enricobuehler	95308d352b	feat(host/steam): M2 — virtual Steam Deck as a wired PadBackend (Linux) ... Make the virtual hid-steam device a selectable per-session host gamepad, end-to-end on Linux: PUNKTFUNK_GAMEPAD=steamdeck now builds a SteamControllerManager that creates a /dev/uhid 28DE:1205 Deck, enters gamepad_mode, and feeds the byte-exact Deck report (M1). - inject/linux/steam_controller.rs: SteamControllerManager / SteamDeckPad, mirroring dualsense.rs (open/create2, GET/SET_REPORT pump, heartbeat, RAII destroy). Two Steam-specific quirks beyond the DualSense path: * gamepad_mode entry — best-effort `lizard_mode=0` via sysfs, plus a b9.6 creation pulse (MODE_ENTER) so steam_do_deck_input_event stops early-returning, plus an anti-toggle guard (MENU_HOLD_CAP) so a long in-game Start-hold can't flip gamepad_mode back off. * UHID_SET_REPORT answered err=0 (DualSense omits it; the kernel stalls ~5s/cmd otherwise); the 0xEB rumble report parsed onto the 0xCA plane. - core config.rs: GamepadPref::SteamDeck (wire byte 6) + SteamController (byte 5, reserved — folds to Xbox360 until its backend lands); from_u8 / from_name / as_str. Forward-compatible (unknown byte -> Auto); the C-ABI PUNKTFUNK_GAMEPAD_* constants stay M3, so no generated-header drift. - punktfunk1.rs: PadBackend::SteamDeck variant + select / handle / apply_rich / pump / heartbeat arms; pick_gamepad Linux arm. On-box: an #[ignore]d backend test (backend_binds_and_input_flows) drives the real SteamDeckPad — it binds hid-steam (gamepad + IMU evdevs), enters gamepad mode, BTN_A reaches the evdev, and the device tears down on drop. Workspace clippy/fmt/test green. Not pushed. Next: M3 (protocol/ABI wire) + M4 (client capture). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	9ff7d41bfe	feat(host/steam): M1 — byte-exact Deck input serializer, on-box validated ... Flesh out inject/proto/steam_proto.rs into the full Steam Deck HID contract, transcribed verbatim from the kernel steam_do_deck_input_event / steam_do_deck_sensors_event and validated field-for-field against kernel 7.0: - SteamState: the u64 button map (bytes 8..16), sticks/triggers/trackpads/IMU stored as raw little-endian report values; serialize_deck_state is a pure, byte-exact memcpy into the 64-byte unnumbered frame. - from_gamepad (XInput frame -> Deck buttons/sticks/triggers) + apply_rich (RichInput touchpad -> right pad, motion -> IMU). - parse_steam_output: the 0xEB ID_TRIGGER_RUMBLE_CMD feedback -> (low, high) for the universal rumble plane. - serial_reply fixed: prepend the report-id-0 byte the kernel strips (steam_recv_report does memcpy(data, buf+1, ...)); M0's reply lacked it, so the kernel fell back to the "XXXXXXXXXX" serial. - SteamModel (Deck now; classic Controller later), command/feature IDs. The spike is repurposed as the M1 validator: it pulses the b9.6 mode-switch to enter gamepad_mode (steam_do_deck_input_event early-returns under the default lizard_mode otherwise), then holds a known test pattern. Reading both evdevs via EVIOCGABS/EVIOCGKEY, every field matched: ABS_X/Y/RX/RY (incl. the kernel Y-negation), both triggers, the touched right-pad HAT1X/Y, the IMU accel/gyro (with ABS_Z/RZ negations), and the 6 expected buttons incl. the L4/R5 grips. 5 unit tests + workspace clippy/fmt/test green. Next: M2 (SteamControllerManager UHID backend + PadBackend wiring). Not pushed — pipeline not yet shippable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	2b47d8cc28	feat(host/steam): M0 — virtual hid-steam UHID device binds + parses (Linux) ... Greenfield virtual Steam Deck controller, the Steam analogue of the shipped virtual DualSense. Proves the kernel hid-steam driver binds a /dev/uhid 28DE:1205 device, registers it as a real Steam Deck, and parses our input reports — the go/no-go gate for the full Steam Controller/Deck pipeline. - inject/proto/steam_proto.rs: keeper module — the vendor HID descriptor (one feature report, the sole thing steam_is_valve_interface() checks), the command/feature IDs, serialize_deck_state, and the serial GET_REPORT reply. Unit-tested. - src/bin/steam_uhid_spike.rs: throwaway M0 spike (Linux-only) — opens /dev/uhid, creates the device, services the handshake including UHID_SET_REPORT (which the DualSense backend omits and which hid-steam stalls ~5s/cmd without), and heartbeats a neutral report. - design/steam-controller-deck-support.md: full design + M0–M7 plan; the two walls (Steam Input capture ownership; virtual-Steam recognition) and the fidelity ceiling. Status: M0 GREEN. On-box (headless Ubuntu 26.04, kernel 7.0, no Steam): journalctl -k shows hid-steam binding the device (rebind off hid-generic), "Steam Controller connected", and the kernel creating BOTH a "Steam Deck" gamepad evdev and a "Steam Deck Motion Sensors" IMU evdev (INPUT_PROP_ACCELEROMETER). A layout-agnostic mash-probe drove 23 distinct BTN_* codes through hid-steam -> evdev, proving the input-report parse path. M1 line-checks the exact per-bit report layout against the lab kernel. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	7cd9364c9e	style(host): rustfmt the #9/#13 pairing edits ... Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	3e498cd40d	docs(security): #9/#13 fixed, S7 rationale corrected (red-team follow-up) ... 17/18 now fixed. A red-team of the three accepted findings showed #9 and #13 rested on a circular premise (each was the other's "safe fallback") and S7's written rationale was wrong (signing exercises the same modexp Marvin targets). #9/#13 closed; S7 accept retained for the corrected reasons + amplifier hardened. See f0574a5, f6c9576. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	60de506f66	fix(host/gamestream): correct the rsa-Marvin (S7) rationale + cap pairing signatures ... Red-team found the .cargo/audit.toml justification for RUSTSEC-2023-0071 was materially wrong: it claimed "Marvin targets decryption, so the vulnerable path isn't exercised" — but the advisory is a variable-time modexp of the secret exponent, which RSA *signing* (signing_key.sign) also runs. The accept is still correct, for the RIGHT reasons (no decryption/padding oracle; the signed serversecret is host-random not attacker-chosen; signing is operator-PIN-gated; GameStream is off by default and the native QUIC plane uses rustls, not rsa; Moonlight mandates RSA-2048 so the GameStream key can't move off it). Rewrite the rationale accordingly. Also shut the timing-sample amplifier the review surfaced: the pairing session was never marked after phase 3, so a peer past phase 1 could loop phase2/phase3 to harvest many RSA signing-time samples. Sign exactly once per ceremony (reject a repeated serverchallengeresp). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	2865368771	fix(host/pairing): close native-pairing DoS findings #9 + #13 (red-team follow-up) ... The accepts for #9 (PIN-window burn) and #13 (knock-queue flood) rested on a circular premise — each cited the other as the safe fallback — and a re-review showed one LAN attacker could defeat BOTH, denying all onboarding. Close them: - #13 per-source-IP cap on the pending-knock queue (MAX_PENDING_PER_IP) so one host can't fill/evict the 32-slot queue (QUIC validates the source address); and eviction now NEVER drops a live *parked* knock (a held-open connection awaiting operator approval), so a cert-rotating flood can't evict the genuine device being onboarded. This makes the delegated-approval path genuinely flood-resistant — restoring the validity of #9's "use delegated approval on hostile LANs" fallback. - #9 fingerprint-bindable PIN window: `NativePairing::arm_for(ttl, Some(fp))` binds the window to one operator-selected device; `pin_for_attempt` returns `BoundToOther` for any other fingerprint, which the QUIC pair path rejects WITHOUT consuming the window — so an unpaired peer can neither pair nor BURN a window armed for a specific device (it can't forge the bound fingerprint). The mgmt `POST /native/pair/arm` gains an optional `fingerprint` (from a pending knock); unbound arming keeps the legacy any-device behavior (trusted-LAN). (Web-console "pair this pending device with a PIN" UX is a follow-up; the flood-resistant knock path above is the immediate hostile-LAN onboarding path.) + regression tests (armed_pin_is_fingerprint_bindable, pending_per_ip_cap_and_parked_protection); api/openapi.json regenerated. 110 host tests + clippy + fmt green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	6e2e946bc9	docs(security): #5 fixed + on-box validated (RTX box, 2026-06-29) ... 15/18 now fixed; no finding remains open and actionable. SDDL scoped to SYSTEM+LocalService, validated live (6943-frame DualSense+IDD session works; non-SYSTEM OpenFileMapping now ACCESS_DENIED). See e59fa60. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	b5f02000d6	fix(host/security): scope Windows shared-section SDDL to SYSTEM+LocalService (close #5) ... The gamepad host<->UMDF-driver shared sections (Global\pfds-shm-*, pfxusb-shm-*) and the IDD-push frame ring/event (Global\pfvd-*) were created with `D:(A;;GA;;;WD)` — GENERIC_ALL to **Everyone** — on the assumption the driver's WUDFHost ran under a restricted token needing broad access. So any local unprivileged user could OpenFileMapping the section to inject controller input, tamper the trusted HID channel, or read captured screen frames (security-review 2026-06-28 #5). On-box validation (RTX box, 2026-06-29) disproved the restricted-token premise: the WUDFHost token is NT AUTHORITY\LocalService (S-1-5-19), SYSTEM integrity, with ZERO restricted SIDs. So the section only needs SYSTEM (the host creates + writes it) and LocalService (the driver opens it). Scope both SDDL sites to `D:(A;;GA;;;SY)(A;;GA;;;LS)`; rename the now-misnamed `permissive_sa` -> `shared_object_sa`; correct the stale "restricted-token / Everyone" docs. Validated live: a full DualSense + 1280x720x60 session — 6943 frames received, HID output round-tripped, device status OK (pf_dualsense + pf_vdisplay WUDFHosts both LocalService open the scoped sections fine), while OpenFileMapping from a non-SYSTEM admin session now returns ACCESS_DENIED (was a granted handle under WD). Host-only change (the SDDL is set when the host CREATES the section); drivers unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 19:17:37 +00:00
enricobuehler	fe562f0562	chore(apple): rename app display name to "Punktfunk" ... CFBundleDisplayName was "Punktfunkempfänger" across all targets/configs; the in-app title is already "Punktfunk", so make the home-screen name match. Built iOS app resolves CFBundleDisplayName = "Punktfunk". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 20:34:16 +02:00
enricobuehler	4e00037a89	feat(apple): stage-2 default + pixel-perfect, decode robustness, UI/rumble polish ... Stream reliability - Default to the stage-2 presenter (VTDecompressionSession + CAMetalLayer): it detects and recovers a wedged decoder, where stage-1's AVSampleBufferDisplayLayer freezes hard on a lost HEVC reference frame with no app-side recovery (confirmed Apple limitation). Stage 1 is now a DEBUG-only presenter toggle, plus the automatic no-Metal fallback. - Stage-2 pixel-perfect: render the drawable at the decoded size (shader stays 1:1 = identity) and let the layer's contentsGravity scale via the system compositor — the same path stage-1's videoGravity used — instead of scaling in-shader. - Loss recovery in both pumps is now a persistent awaitingIDR want, retried until an IDR actually lands, so a keyframe request swallowed by the throttle can't strand a frozen frame; 100 ms keyframe throttle to match the Android path. - Fix "Publishing changes from within view updates": defer the HostStore writes out of the .onChange(of: model.phase) callback. - Move AVAudioSession setActive/setCategory off the main thread (async on a shared serial queue) to stop the UI-stall warning. Controllers - Rumble: capped-exponential backoff when the gamecontrollerd.haptics XPC breaks (-4811) so a transient server interruption self-heals instead of cascading; playsHapticsOnly so a controller engine doesn't join the always-active streaming audio session. - Host cards: iPad pointer "magnet" hover effect; iPhone press scale + light haptic. UI / design - Ship Geist (SIL OFL 1.1) as the app font (bundled OTFs + registration), with the license surfaced in Acknowledgements. - Restructure iOS/iPadOS Settings into a category NavigationSplitView; resolution wheel with custom-resolution entry; 10-bit HDR toggle in Display. - Industrial host-card redesign (left-aligned, bold, brand monogram tiles). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 20:26:10 +02:00
enricobuehler	46b9aa8cf0	fix(windows-host): IDD activation — resolve-first, force-EXTEND only as fallback ... force_extend_topology() was added before the resolve loop to de-clone a fresh IDD on integrated-screen boxes (laptops), but its bare SDC_TOPOLOGY_EXTEND preset is ACCESS_DENIED from the Session-0 service context on a HEADLESS box and broke the IDD auto-activation there: resolve_gdi_name stayed None -> "not an active display path" -> black screen. That regressed the headless/primary platform (live RTX box). Revert to the proven e2c9bfd flow: resolve FIRST (Windows auto-activates the IDD as its own extended path), and force-EXTEND only as the FALLBACK when resolve returns None (the integrated-screen clone case, observed live to leave resolve None). The success path is byte-identical to e2c9bfd (resolve -> set_active_mode -> isolate_displays_ccd). Validated live: the headless RTX box streams again (probe: frames flow, driver attaches to the ring, host/driver render LUIDs match). Reviewed multi-agent + adversarial: no regression on the validated headless path or the observed Optimus-laptop clone path (a cloned IddCx target resolves to None there, so the is_none() fallback fires + de-clones). Known theoretical caveat, documented inline and unobserved for IddCx but untested across GPU/driver/OS: a CCD clone that manifests as a shared-source ACTIVE path would resolve to Some and bypass the is_none() gate. Follow-up: widen the gate (a target_is_cloned helper) once an integrated-screen box is available to validate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-29 16:15:48 +02:00
enricobuehler	372b27540b	fix(apple): render Acknowledgements notices in lazy chunks ... THIRD-PARTY-NOTICES.txt is ~885 KB / 16k lines; rendering it in a single SwiftUI Text overshot the text-rendering height limit — it laid out for ages and drew blank below the cutoff (only the small punktfunk licenses above it showed). Split the notices into ~80 line-chunks (<=200 lines / <=18 KB each, computed once as Licenses.thirdPartyNoticesChunks) and render them in a top-level LazyVStack so only on-screen chunks lay out and no chunk is tall enough to clip. Chunking is lossless — rejoining the chunks reproduces the original byte-for-byte, so no notice text is dropped. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 12:34:19 +02:00
enricobuehler	db4d15bf8b	fix(apple): stop the iOS/iPadOS Add Host sheet from scrolling ... The add-host content is a SwiftUI Form (backed by a scrollable list), so it bounced/scrolled inside the fixed .height(320) detent even though the three rows + action button fit exactly. Lock it with .scrollDisabled(true) on iOS (covers iPadOS); macOS (fixed-size panel) and tvOS (custom rows, no Form) are untouched. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 12:12:08 +02:00
enricobuehler	8e24ea9ed7	fix(ci): archive Apple release builds with Automatic signing ... The in-app OSS license screens (7591425) added a `resources:` array to the PunktfunkKit SwiftPM target, which makes SwiftPM emit a resource-bundle target (PunktfunkKit_PunktfunkKit). A resource bundle is a product type that cannot carry a provisioning profile, so the explicit PROVISIONING_PROFILE_SPECIFIER each release.yml archive step set — global on macOS, sdk-scoped on iOS/tvOS — now lands on it and fails the archive ("does not support provisioning profiles") on all three platforms. (Before that commit there was no resource bundle, so the profile was harmless.) Switch all three archive steps to CODE_SIGN_STYLE=Automatic (development): Automatic signing assigns a profile only to the app target and leaves the resource bundle (and the macOS-host SwiftPM macro plugins) alone, and bakes the sandbox entitlements in. No -allowProvisioningUpdates, so it stays offline and never cloud-signs (the App-Manager ASC key can't). DISTRIBUTION signing is unchanged — still manual, in the -exportArchive step (which maps the profile to io.unom.punktfunk only). Drops the now-unneeded manual signing xcconfigs. Requires the runner to have a development provisioning profile for io.unom.punktfunk on each platform (now installed for macOS/iOS/tvOS). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 12:12:08 +02:00
enricobuehler	73c0125843	fix(mgmt): regenerate api/openapi.json for 0.3.0 ... The OpenAPI 'info.version' tracks CARGO_PKG_VERSION; the 0.3.0 bump made the checked-in spec stale (the openapi_document_is_complete_and_checked_in test). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 07:54:30 +00:00
enricobuehler	ed54f22997	docs(design): add multi-user / profiles design (schema-of-record) ... Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> v0.3.0	2026-06-29 06:52:43 +00:00
enricobuehler	031ee86ed5	chore(release): bump workspace version to 0.3.0 ... Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:52:43 +00:00
enricobuehler	7591425f6f	feat(clients): in-app OSS / third-party-license screens ... Surface THIRD-PARTY-NOTICES.txt in every GUI client (the desktop packages already ship it as a file; this adds the on-glass screen): - Linux: Preferences -> About -> Third-party licenses (adw::AboutDialog with the app license + Legal sections; include_str! the root notices). - Apple: macOS About tab / iOS+tvOS Acknowledgements link; notices bundled as PunktfunkKit SPM resources, read via Bundle.module (the Xcode app links the SPM product, so they ride along - no .pbxproj edit). - Android: Settings -> About -> Open-source licenses (reads the bundled asset). - (Windows landed earlier in d1d2ca2: Settings -> About -> Third-party licenses.) gen-third-party-notices.sh now copies the generated file into the Apple Resources/ and Android assets/ trees so the in-tree copies never drift. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:52:43 +00:00
enricobuehler	d1d2ca293d	feat(pairing): seamless no-PIN delegated approval (host parks the knock, clients add "Request access") ... Web-console "Approve" (delegated pairing, roadmap §8b-1) was unreachable: every client routed a fresh pair=required host straight to the SPAKE2 PIN ceremony, so no "knock" was ever recorded; and an unpaired connect was rejected+closed with no way to resume after approval. The backend + console were complete but had no client-side trigger and no post-approval admit path. Host (native_pairing.rs, punktfunk1.rs): an unpaired identified knock is now PARKED instead of rejected — it releases its NVENC session permit, awaits an operator decision (NativePairing::wait_for_decision, woken by a Notify on approve/deny), and on approval re-acquires a slot and admits the SAME connection with no reconnect. QUIC keep-alive (4s/8s) holds the parked connection warm. The pairing gate moves out of the HANDSHAKE_TIMEOUT-bounded handshake future; approve_pending is reordered read-then-add and wait_for_decision double-checks is_paired to close a "neither pending nor paired" race. New PENDING_APPROVAL_WAIT (180s). Tests: delegated_approval_admits_after_knock now approves mid-park (no reconnect) + new wait_for_decision_approve_deny_timeout unit test (108 host tests green). Clients (Linux/Apple/Windows/Android): a fresh pair=required host now offers "Request access" alongside the PIN ceremony — a plain identified connect with a ~185s handshake budget and a cancelable "waiting for approval" UI; on success the host is saved as paired, and cancel returns the UI immediately while a late- resolving connect is torn down silently via a per-attempt flag. Apple reuses the existing C-ABI timeout_ms (no ABI change); Windows adds SessionParams.connect_timeout + a RequestAccess screen; Android adds a timeoutMs arg to the nativeConnect JNI seam (both sides + both callers). Linux built + clippy + fmt clean; Apple/Windows/ Android pending their CI/on-device compiles. SPAKE2 ceremony reviewed end-to-end against the spake2 0.4 contract — correct, no changes needed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:41:09 +00:00
enricobuehler	705a8fa94e	chore(deps): drop unmaintained rustls-pemfile; axum-server 0.7 -> 0.8 ... axum-server was used only for the plain-HTTP nvhttp listener, but we enabled its tls-rustls feature (HTTPS is hand-rolled over tokio-rustls) — and that feature was what pulled the unmaintained rustls-pemfile (RUSTSEC-2025-0134). Drop the feature, bump axum-server to 0.8 (0.8 also no longer pulls it), and move our own PEM parsing in gamestream/tls.rs to rustls-pki-types' PemObject (the same path punktfunk-core/quic.rs already uses), removing our direct rustls-pemfile dep too. Net: rustls-pemfile fully gone; dependency graph trimmed 547 -> 529 crates (the tls-rustls feature also dragged in prettyplease + a wasm-tooling chain). cargo audit now reports only audiopus_sys + paste (transitive, latest, no successor). 108 host tests + clippy + fmt green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:32:58 +00:00
enricobuehler	4ba63b7da6	fix(deps): bump memmap2 0.9.10 -> 0.9.11 (RUSTSEC-2026-0186, unsound) ... memmap2 0.9.10 has an unchecked-pointer-offset unsoundness; 0.9.11 is the patched release (pulled transitively via xkbcommon in the host). cargo audit now reports only the 3 deliberately-visible `unmaintained` warnings (audiopus_sys / paste / rustls-pemfile — all latest, transitive, warn-only, do not fail CI per .cargo/audit.toml). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:20:55 +00:00
enricobuehler	bee1f0416d	chore(licensing): LGPL FFmpeg swap, third-party notices, attribution hygiene ... The MIT OR Apache-2.0 SOURCE license is clean (audit found no copied copyleft); the gaps were all binary-distribution (Layer-2). This makes the shipped artifacts honest: - Windows host + client: bundled FFmpeg BtbN gpl-shared -> lgpl-shared (AMF/QSV/decode unaffected; the GPL-only x264/x265 were never used), and ship the FFmpeg LGPL notice + license text in the installer + MSIX (licenses/). - THIRD-PARTY-NOTICES.txt generated + bundled into installer/MSIX/deb/rpm. Offline generator (scripts/gen-third-party-notices.{py,sh}) + cargo-about config (about.toml/ .hbs) with a permissive-only accepted-license allow-list as a copyleft regression gate. - Reword the win32u GPU-preference hook comments to reflect independent reimplementation (no Apollo/Sunshine GPL-3.0 source copied). - README dual-license + inbound=outbound contributor clause + non-affiliation trademark disclaimer; new CONTRIBUTING.md. - LICENSE files into the standalone driver + vk-layer workspaces; deb copyright holder aligned to "unom and the punktfunk contributors". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:20:38 +00:00
enricobuehler	54d9246ca7	fix(deps): bump quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185) ... The 0.11.15 bump for S1 (pre-auth out-of-order STREAM reassembly memory exhaustion on the default QUIC listener) was reverted before the original fix commit, so Cargo.lock on main still pinned the vulnerable 0.11.14 and the new cargo-audit CI gate failed. Re-apply and lock it in. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 06:05:10 +00:00
enricobuehler	91bb955d0c	style(host): rustfmt the security-fix wrapping (cargo fmt --all --check) ... Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-29 05:19:22 +00:00
enricobuehler	36259b264f	docs(security): record remediation status for the 2026-06-28 host audit ... 14/18 fixed (3532e35 Linux-verified + 6f903f7 Windows DACL paths pending CI/box); #5 deferred (needs on-box validation), #9/#13 accepted, S7 acknowledged (no upstream rsa fix). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 22:16:25 +00:00
enricobuehler	6f903f79bc	fix(host/security): Windows DACL hardening — close audit #2, #3, #8, #11 ... Windows local-privilege findings from design/security-review-2026-06-28.md. These are #[cfg(windows)] paths (verify in CI / on the box; this Linux dev VM can't compile MSVC). They follow the existing write_secret_file/icacls patterns; the cross-platform parts are cargo check/clippy/test green. - #2 [HIGH]: route the mgmt bearer token write through the shared write_secret_file so it gets the SAME Windows DACL (SYSTEM/Administrators) as the host key — it was cfg(unix)-only and left Users-readable, leaking full mgmt admin authority to any local user. - #3 [HIGH]: create_private_dir now applies a restrictive DACL to the %ProgramData%\punktfunk config directory (re-owns to Administrators to defeat a pre-creation, strips inheritance, SYSTEM/Admins/OWNER full + Users read-only) so a local user can't plant host.env/apps.json that the SYSTEM service trusts (env/arg-injection LPE). host.env is now written DACL-locked via write_secret_file; the config + logs dirs go through create_private_dir. - #8 [LOW]: write the web-console password file empty, icacls-lock it, THEN write the secret — closes the brief write-then-icacls TOCTOU window. - #11 [LOW]: the SYSTEM logs dir is DACL-locked (Users read-only, no create), so a local user can't pre-plant host.log as a reparse/hardlink to redirect SYSTEM's writes (subsumed by the #3 dir lockdown). Deferred: #5 (host<->UMDF gamepad/IDD shared-section Everyone:GENERIC_ALL). The section SDDL is intentionally permissive because the UMDF driver opens it under a restricted token of unknown SID/integrity; scoping it blind would likely break the live-validated gamepad/IDD pipeline, so it needs on-box validation first. Tracked in the report. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 22:14:19 +00:00
enricobuehler	3532e35b75	fix(host/security): close audit findings S1,#1,#4,#10,#12,#7,#6,S2-S6 (Linux/cross-platform) ... Remediations from design/security-review-2026-06-28.md verified on Linux (cargo check/clippy/test green; Windows-gated paths verify in CI): - S1 [HIGH]: bump quinn-proto 0.11.14 -> 0.11.15 (RUSTSEC-2026-0185, pre-auth out-of-order STREAM reassembly memory exhaustion on the always-on default QUIC listener). - #1 [HIGH]: remove the unauthenticated nvhttp `GET /pin` endpoint; the GameStream PIN is delivered ONLY via the bearer-gated mgmt API, so a network client can no longer submit its own displayed PIN and self-pair. - #4 [HIGH->MED]: gate the unauthenticated RTSP/UDP media plane on a paired `/launch` and bind it to the launching client's source IP (threaded through the HTTPS handler), so an unpaired peer can neither start capture on an idle host nor ride a paired client's active launch. - #12: bound concurrent parked pairing waiters (MAX_PARKED_WAITERS) so a pre-auth peer can't pin unbounded 300s handshakes. +regression test. - #10: throttle the per-packet ENet control GCM-decrypt-failed warn (exponential backoff) so a junk flood can't spam the log. - #7 [MED->LOW]: serialize all process-global env mutation on the session-setup path under a new vdisplay::ENV_LOCK (apply_session_env / apply_input_env / the launch-cmd set_var / the gamescope env read), so concurrent native sessions can't race set_var/getenv (data-race UB -> host-wide DoS). Full per-session SessionContext threading remains a follow-up for cross-session value confusion. - #6 [MED]: move the gamescope EIS socket relay from world-writable /tmp to $XDG_RUNTIME_DIR (per-user 0700) and reject a symlinked relay file, so a local user can't intercept (keylog) or deny the remote session's input. - S2: a malformed client Opus mic frame now drops that frame instead of tearing down the shared host-lifetime virtual mic (cross-session DoS). - S3: track held buttons/keys in capped HashSets (was unbounded Vec with O(n) scans) so a paired client can't grow per-session input state. - S5: reject fps==0/absurd at the open_video chokepoint (covers Hello, ANNOUNCE, Reconfigure) so the encoder time_base/pts math can't div-by-0. - S6: bound the shared mic mpsc (drop-newest when full). - S4: cap Epic launcher-cache reads (catcache.bin/.item) so a planted giant can't OOM the host during library enumeration. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 22:06:24 +00:00
enricobuehler	6b846913f5	docs(security): 2026-06-28 host security audit (follow-up) report ... Multi-agent follow-up audit of the privileged streaming host: 18 attack surfaces, every finding adversarially double-verified, plus a coverage critic. Records 15 confirmed + 9 partial findings and a prior-fix re-verification of the 2026-06-21 review. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 22:05:58 +00:00
enricobuehler	26c6c939a2	fix(ci/apple): set CMAKE_POLICY_VERSION_MINIMUM=3.5 for the vendored libopus ... With cmake now found, Homebrew's CMake 4 refuses the vendored libopus's `cmake_minimum_required(VERSION <3.5)` ("Compatibility with CMake < 3.5 has been removed"). Export CMAKE_POLICY_VERSION_MINIMUM=3.5 (the same knob the Windows build uses) so the cmake crate's child cmake configures the audiopus_sys libopus. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:49:27 +00:00
enricobuehler	b6e6f2bff5	fix(ci/apple): locate Homebrew explicitly for the cmake install ... The self-hosted macOS runner runs steps with `bash --noprofile --norc`, so Homebrew's bin dir is not on PATH — the previous `brew install cmake` died with `brew: command not found` (exit 127). Find brew at its known prefix, install cmake only if missing, and export the brew bin dir to $GITHUB_PATH so the subsequent xcframework build (audiopus_sys → vendored libopus) actually finds `cmake`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:47:05 +00:00
enricobuehler	e3034958ee	fix(ci): unbreak the Apple + Windows-client builds after the surround-audio merge ... The 5.1/7.1 surround commit (75627c8) added in-core Opus, which broke two CI jobs that the merge didn't touch: * Windows MSIX client: clients/windows/src/main.rs's headless `SessionParams` initializer was missing the new `audio_channels` field (the GUI path sets it from settings). Default the CLI/test path to stereo (2), matching trust.rs. * Apple xcframework (apple.yml + release.yml): in-core Opus decode pulls `audiopus_sys`, which builds a vendored *static* libopus via CMake when pkg-config finds no system Opus — keeping the xcframework self-contained (no runtime libopus.dylib on end-user Macs/devices). The self-hosted macOS runner lacked `cmake`; install it self-healing before every xcframework build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:44:44 +00:00
enricobuehler	8672026e97	fix(host): clear clippy doc_lazy_continuation in the 4:4:4 docs ... A line-wrap put `+`/`*`-style markers at the start of two doc lines, which clippy (Windows host job, rust 1.96) reads as markdown list items whose unindented follow-on lines trip `doc_lazy_continuation` under `-D warnings`: - encode/windows/nvenc.rs `chroma_444` field doc (the failing Windows-host clippy job): "+ chromaFormatIDC = 3" → "and chromaFormatIDC = 3". - encode/linux/vaapi.rs `probe_can_encode_444` doc: "+ validate" → "and validate" (last line, didn't fire yet, but fragile — fixed pre-emptively). Pure doc rewording, no behaviour change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:38:07 +00:00
enricobuehler	75627c8afe	feat(audio): end-to-end 5.1/7.1 surround across the native path + all clients ... Adds negotiated 5.1/7.1 surround to the punktfunk/1 protocol and every client (previously stereo-only): - core: new shared `audio` layout table (LAYOUT_51/71 + identity multistream mapping, canonical wire order FL FR FC LFE RL RR SL SR); Hello/Welcome `audio_channels` negotiation via the trailing-byte back-compat pattern (old peers fall back to stereo); C-ABI `punktfunk_connect_ex6`, `punktfunk_connection_audio_channels`, and in-core multistream decode `punktfunk_connection_next_audio_pcm` for embedders without a multistream Opus decoder. Real-libopus channel-identity round-trip test. - host: native audio thread captures + Opus-(multi)stream-encodes at the negotiated count (with a cross-session cached-capturer channel-mismatch fix); GameStream surround unified onto the safe `opus::MSEncoder`, dropping `audiopus_sys` (~4 unsafe blocks) and un-gating Windows GameStream surround; WASAPI loopback capture relaxed to 2/6/8 with the correct dwChannelMask. - clients: Linux (PipeWire), Windows (WASAPI), Android (AAudio) decode via `opus::MSDecoder` + render multichannel; Apple decodes in-core to PCM → AVAudioEngine with an explicit wire-order channel layout; each gains a Stereo/5.1/7.1 setting. `punktfunk-probe --audio-channels N` is the headless validator. Verified on Linux: core/host/linux/probe test suites + the Android Rust (cargo-ndk) build, clippy -D warnings, and rustfmt all green. Windows/Apple builds, all on-glass checks, and the live native loopback are pending (CI / a free box). Also lands the concurrent in-tree HEVC 4:4:4 host work (PUNKTFUNK_444): it shares the same touched files (quic.rs, punktfunk1.rs, encode/*, ...) and so cannot be committed separately from the surround changes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 21:11:05 +00:00
enricobuehler	6383e5f4fd	feat(client/android): CI screenshot capture via Roborazzi ... Play-listing/marketing screenshots of the Compose client rendered on the host JVM by Roborazzi (Robolectric Native Graphics) — no emulator, GPU, KVM, host, or JNI core. Five scenes render the REAL composables with embedded mock state under a forced brand palette (Material You has no wallpaper to seed from on the JVM): hosts grid, settings, TOFU + PIN dialogs, and the live stats HUD. Validated 5/5 locally. - New JVM unit-test source set (app/src/test) + Roborazzi/Robolectric test deps; @Config(sdk=36) is mandatory (no android-all jar for compileSdk 37) and the animation clock is paused so a text-bearing scene reaches idle. - kit: `-PskipRustBuild` skips the cargo-ndk native build so the JVM-only test job needs no Rust/NDK; normal APK/AAR builds are unchanged. - Widen BrandDark / StatsOverlay to internal so the tests can use them. - Standalone best-effort tag-gated workflow; PNGs upload as a 30-day artifact. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 15:05:54 +00:00
enricobuehler	6a93d164a0	feat(client/linux): CI screenshot capture ... Host-free UI screenshots of the GTK4/libadwaita client under a virtual X display (clients/linux/tools/screenshots.sh) — Xvfb + software GL (llvmpipe) + a root-window grab, one app launch per scene. PUNKTFUNK_SHOT_SCENE routes build_ui to render one mock-populated REAL view (hosts grid / settings dialog / TOFU + PIN dialogs) and print PF_SHOT_READY once it has settled; the saved-hosts grid is driven by a seeded client-known-hosts.json. NON_UNIQUE in shot mode so back-to-back launches don't collide. The stream scene is deferred — its page needs a live NativeClient. Gated to stable release tags in a standalone best-effort workflow that builds the client in the rust-ci image and captures under Xvfb; PNGs upload as a 30-day artifact, not committed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 15:05:38 +00:00
enricobuehler	9e98618e5f	feat(web): CI screenshot capture for the mgmt console ... Marketing/store screenshots of the console, captured from the built Storybook with headless Chromium (web/tools/screenshots.mjs) — every Pages/* + Shell/* story rendered at 1440x900@2x. The page stories render from fixtures, so no live mgmt API, login, or GPU is needed (the web analogue of apple.yml's screenshots job). Gated to stable release tags in a standalone best-effort workflow; PNGs upload as a 30-day artifact, not committed. - Add Stats + Pairing stories (the two pages that lacked them) with stats/pairing fixtures typed against the generated models. - Extract a pure PairingView (index.tsx -> view.tsx), matching the Dashboard/Clients/Stats split, so the page renders host-free from mock state instead of racing its polling queries. Container wiring is behaviour-identical. - Playwright driver + a chromium-capable tag-gated job. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 15:05:27 +00:00
enricobuehler	1bd60ffb34	refactor(docs): use shared @unom/app-ui/footer component ... The docs footer was a hand-maintained mirror of the marketing site's. Both now render the same @unom/app-ui/footer component, so they stay in sync. The shared view themes itself through @unom/style tokens (which the docs already map onto their Fumadocs surfaces), and a resolveHref hook rebases root-relative links onto the marketing-site origin. Footer types now come from the library too. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 14:34:45 +00:00
enricobuehler	30d0d36efe	feat(decky): self-update without the store + Gaming-Mode launch polish, and ship the Steam Deck docs ... Plugin self-update (no Decky store): CI publishes a per-channel manifest.json ({version, immutable per-version artifact, sha256}) beside the zip and bakes update.json {channel, manifest} into the plugin. main.py `check_update` reads the installed version from package.json (the value Decky reports — not plugin.json), fetches the channel manifest, and the frontend shows an "Update to vX" button that drives Decky Loader's own install RPC (root downloads + SHA-256-verifies + hot-reloads). CI now stamps a plain-numeric semver (0.3.<run> canary / X.Y.Z stable) into package.json — a -ciN suffix would mis-order under compare-versions. Linux client: `--fullscreen` (plus SteamDeck/gamescope env fallback) enters GTK fullscreen on stream start so Gaming-Mode chrome is hidden; native-mode resolution falls back to the display's first monitor when the window isn't mapped yet (was dropping to the 1080p floor — wrong on the Deck's 1280×800); add a confirmed "Remove saved host" action (KnownHosts::remove_by_fp). Docs: new docs/steam-deck.md (Decky install/pair/stream/self-update/troubleshooting), wired into meta.json nav, and cross-linked from clients/install-client/channels. This is the page docs.punktfunk.unom.io/docs/steam-deck — the website's download link pointed at it before it existed; committing it makes that link resolve. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 13:03:44 +00:00
enricobuehler	3947d5b07a	fix(host/audio): drive the Linux virtual mic with RT_PROCESS (was silent) ... The punktfunk-mic PipeWire source connected without RT_PROCESS, so it ran as an async/main-loop node. In the host's busy multi-stream graph (desktop audio + video capture + the session) it never acquired a driver, stayed suspended, and its process() callback never fired — every recorder reading the remote mic heard pure silence (the long-standing "Linux host mic broken"). Connect the mic stream with RT_PROCESS so it is a synchronous node that joins its consumer's driver group and is actually driven. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> v0.2.1	2026-06-28 12:46:06 +00:00
enricobuehler	238501597e	feat(host/gamestream): follow Desktop<->Game session switches ... The GameStream/Moonlight video plane is a separate encode loop that lacked the session-following the native punktfunk/1 plane has, so a mid-stream Desktop<->Game switch killed the stream ("video stream failed") instead of following it. * Normalize the session env like the native plane: extract open_gs_virtual_source, which detects the LIVE compositor + apply_session_env/apply_input_env (gamescope ATTACH default -> resize-on-attach to the box's own game-mode session at the client mode; KWin/Mutter retargeting). GameStream previously ran a bare detect() against raw process env, so in game mode it bare-spawned a COMPETING gamescope instead of attaching to the box's session. * In-place capture-loss rebuild: replace the `?` that ended the stream with a bounded rebuild (re-detect the live compositor via the same factory, build the new source BEFORE dropping the old, reopen the encoder, force an IDR) — keeping the send thread + packetizer + socket + RTP clock. A same-resolution Desktop<->Game toggle is now FOLLOWED with no Moonlight reconnect. Protocol limit (unchanged): a mid-stream RESOLUTION change is impossible on GameStream (WxH locked at ANNOUNCE; no Reconfigure) — a session toggle keeps the negotiated mode, so this isn't hit. The portal/synthetic source passes no rebuild closure (propagates as before). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 12:22:12 +00:00
enricobuehler	04dd3e3a19	docs: refresh Windows host page for new users; drop stale Status/NVIDIA-only/SudoVDA ... Rewrite the Windows host docs page for first-time setup, on par with the other host guides: remove the standout "Status:" banner, restructure into Requirements / Install (web console + pairing + configure) / How it works / Notes & limits. Bring the content up to date with the shipping host: - encode is all-vendor (NVENC/AMF/QSV + software fallback), not NVIDIA-only - virtual display is punktfunk's own pf-vdisplay IDD (SudoVDA removed) - gamepads need no prerequisite — UMDF drivers bundled; ViGEmBus is gone - add HDR10 + Vulkan-game HDR layer coverage Fix the same stale claims where other pages cross-reference the Windows host (requirements, running-as-a-service, install, roadmap, status). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 11:22:50 +00:00
enricobuehler	61aa1053e7	feat(host/gamescope): headless game mode that follows the box + matches the client ... Make Steam game mode work on a display-less streaming host and stream it at the client's resolution: * Ship /etc/gamescope-session-plus/sessions.d/steam (packaging/bazzite/ gamescope-headless-session, installed by the RPM + Arch PKGBUILD): fall back to gamescope's headless backend when no display is connected, so "Switch to Game Mode" boots offscreen instead of crashing on the missing panel (and 5-striking back to desktop). No-op on display-attached boxes; only sets unset values so the host's per-client mode still wins. * Default Bazzite/SteamOS to ATTACH (PUNKTFUNK_GAMESCOPE_ATTACH=1 in host.env): the box owns its session (Desktop<->Game, persistent), the host follows + captures it and never tears it down — so switching is rock-solid and a disconnect leaves the box in its mode (reconnect returns there). * Resize-on-attach (gamescope.rs): on connect, ensure the box's own game-mode session runs at the CLIENT's resolution — reuse it when already matching (fast path, no restart), else reconfigure + restart the box's own autologin gamescope-session-plus@<client> at the client mode (cooperative: no competing unit, so no autologin-respawn fight). Detect the live gamescope's -W/-H via argv[0] in /proc (its /proc/<pid>/exe is unreadable for that process). Validated live on a headless bazzite-deck-nvidia box: game mode boots headless + stable (0 strikes); the host attaches + streams video/audio/EIS input; a 5120x1440 client reuses the matching session and streams at 5120x1440. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 11:09:45 +00:00
enricobuehler	50e17b3508	fix(host/capture): hold the session through a slow compositor switch ... A Bazzite/SteamOS Gaming↔Desktop switch tears the old compositor down and can take 15s+ to bring the new one up — longer than the capture-loss rebuild's ~10s window, so the session failed mid-switch ("disconnect — session failed") and forced the client to cold-reconnect. Retry the rebuild within a 40s budget instead of giving up after one round, and re-detect the live compositor on each attempt so the stream follows the box to whatever session comes up (a new instance of the same compositor, or a different one — the kind-change case). The QUIC keepalive runs on its own thread, so the client stays connected (frozen on the last frame) and the stream resumes when the new output appears, with no reconnect. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 09:31:47 +00:00
enricobuehler	94c556f0e3	fix(host/capture): recover from compositor loss instead of freezing ... When the compositor is torn down mid-stream (a Gaming↔Desktop switch removes the virtual output), its PipeWire stream leaves Streaming for Paused rather than disconnecting. try_latest treated that as Ok(None) ("static desktop — repeat the last frame"), so the stream froze on the last frame forever and neither recovery path fired: the capture-loss rebuild keys on Err, and the session watcher keys on a session-KIND change (a desktop→desktop new KWin instance is the same kind). Track the PipeWire stream state via state_changed (a `streaming` flag) and, in try_latest, surface a sustained non-Streaming state (1.5s grace for a transient renegotiation blip) as a capture-loss Err — which the encode loop already handles by rebuilding the pipeline in place. A static desktop stays Streaming, so no false trigger. Complements the now-default session watcher. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 09:00:35 +00:00
enricobuehler	32c1929948	feat(host/session-watch): default Gaming↔Desktop follow on for Bazzite/SteamOS ... The mid-stream session watcher (rebuild the backend in place when the box flips Gaming↔Desktop) was opt-in via PUNKTFUNK_SESSION_WATCH, so it never ran on a stock Bazzite/SteamOS box — switching modes froze the stream on the now-dead compositor. Default it ON when os-release ID/ID_LIKE is bazzite/steamos (the platforms that flip sessions); still off on plain desktops. Also parse the env properly so PUNKTFUNK_SESSION_WATCH=0 actually disables it (was: any value, including "0", enabled it). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-28 08:43:27 +00:00
enricobuehler	3915a82780	fix(host/input): route KWin auto-detect to the fake_input backend ... apply_input_env() hard-pinned PUNKTFUNK_INPUT_BACKEND=libei for KWin, and default_backend() reads that env first — so the auto-detecting host (the normal `serve` service) ignored the new KwinFakeInput backend and fell back to the RemoteDesktop portal path that needs a user to approve. Route KWin to "kwin" (org_kde_kwin_fake_input); GNOME/Mutter stay on libei (no fake_input there). Validated live on a Bazzite KDE box via the auto-detect path: backend=KwinFakeInput, "KWin fake_input ready (no portal)", input events forwarded with no errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:52:02 +00:00
enricobuehler	a4833e4780	feat(android/touch): trackpad-relative cursor (default), with a direct-touch toggle ... One-finger touch was absolute "direct pointing" — the host cursor jumped to the finger and was recomputed from each touch-start, so you couldn't precisely reach a target. Now a relative trackpad: the cursor stays put on touch-down and moves by the finger delta (host MouseMove via nativeSendPointerMove, already supported — no protocol change), with mild pointer acceleration and sub-pixel remainder accumulation so slow precise moves aren't lost to Int truncation. Swipe, lift, and re-swipe to walk it across; tap = left-click at the cursor's current position. Two-finger scroll / right-click, three-finger HUD toggle, and tap-then-hold-drag are preserved unchanged; finger-id re-anchoring keeps multi-touch transitions jump-free. Added Settings → Pointer → "Trackpad mode" (default on); turning it off restores the old direct-pointing path verbatim. :app:compileDebugKotlin green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:34:03 +00:00
enricobuehler	4e79e6cdad	fix(android/audio): kill the AAudio crackle (RT-safe ring + deeper buffer + XRun sizing) ... The jitter ring was a port of the Linux client's, but Linux runs on PipeWire (adaptive resampling masks host↔DAC drift + a shallow buffer); AAudio hands us a raw realtime callback and we own the buffer, so the same code crackled only on Android. Three converging causes, all fixed: - Heap free on the realtime audio thread every quantum (Android's Scudo free() has unbounded tail latency → XRun → click). Decoded buffers are now recycled back to the producer via a free-list instead of freed on the audio thread; the ring is pre-reserved so extend() never reallocates there. - The ring collapsed to ~15 ms on the tiny LowLatency burst and re-primed (a fresh silence) on every single empty callback. Now ~40 ms prime / ~150 ms hard cap, decoupled from the burst size, with de-prime hysteresis (re-prime only after a sustained drain). - AAudio's anti-glitch knobs were unused: prime the HW buffer above its 2-burst default and grow it on getXRunCount(). The post-open log now reports perf/sharing/buffer so a fall to a resampled legacy path is visible. Steady-state audio latency ~15 → ~40 ms (within lip-sync tolerance; matches the Moonlight/Sunshine operating point). cargo-ndk build both ABIs + fmt + clippy green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:33:51 +00:00
enricobuehler	f74bc4a3f1	feat(host/input): headless KDE input via org_kde_kwin_fake_input ... Desktop-mode (KWin) streaming had no input: the path was libei via the RemoteDesktop portal, which (a) isn't reachable from the host service env and (b) requires a human to approve "Allow remote control?" — a non-starter on a headless box. KWin's own headless RDP server (krdpserver) solves this with org_kde_kwin_fake_input, authorized by the exact same .desktop X-KDE-Wayland-Interfaces grant we already ship (org_kde_kwin_fake_input is listed alongside zkde_screencast_unstable_v1). Add a fake_input injector: vendor the protocol XML, bind the global as an ordinary Wayland client, authenticate (auto-accepted for an interface-authorized client — no dialog), and translate pointer (rel/abs), button, scroll, keyboard (raw evdev keycodes resolved by KWin's own keymap) and touch. Select it for KWin (compositor=="kwin" or XDG_CURRENT_DESKTOP KDE); GNOME stays on libei (it has neither fake_input nor the wlr protocols). PUNKTFUNK_INPUT_BACKEND=kwin forces it. cargo check + clippy + fmt green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-27 11:26:04 +00:00