10 Commits

Author	SHA1	Message	Date
enricobuehler	54b75c9be4	feat(host): GameStream/Moonlight compat is now opt-in (--gamestream) — secure native-only by default ... Follows the security audit (#5/#9): the GameStream-compat plane carries inherent on-path weaknesses that can't be fixed on the wire without breaking stock Moonlight — its pairing runs over plain HTTP (#9, MITM-able during the pairing window) and its legacy control encryption can reuse GCM nonces (#5, a passive eavesdropper can recover/forge input). The native punktfunk/1 plane (SPAKE2 PIN pairing + per-direction AEAD nonces) has neither. So flip the default to secure-by-default: - `serve` → native punktfunk/1 plane + management API ONLY (no GameStream surface). - `serve --gamestream` → ALSO the GameStream/Moonlight-compat planes (nvhttp pairing, RTSP, ENet control, _nvstream mDNS). Opt-in, logged with a trusted-LAN caveat. `--moonlight` is an alias. - The native plane is now ALWAYS on in `serve` (`--native` is a kept-for-compat no-op); the unified GameStream+native host is `serve --gamestream`. `gamestream::serve` gates the GameStream spawns (nvhttp/rtsp/control/mdns) on the flag; the native plane + mgmt + native-pairing handle always run. To avoid silently regressing validated Moonlight deployments, the explicit deployment configs PRESERVE Moonlight via `--gamestream` (each documents dropping it for a secure native-only host): the Linux systemd unit, the Steam Deck installer, and the Windows service default (DEFAULT_HOST_CMD). The bare `serve` default (new/manual use) is secure. Docs swept to match (host-cli, moonlight, quickstart, install, packaging READMEs, CLAUDE.md, README, …): Moonlight setup now instructs `--gamestream`; native/console refs use bare `serve`. OpenAPI regenerated (a stale "run `serve --native`" string). fmt + clippy clean; 94 host tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 10:19:40 +00:00
enricobuehler	9c8fa9340c	refactor: drop milestone names + consolidate clients; loss-recovery & rumble fixes ... Two bodies of work in one commit (the rename moved files the fixes also touched). Naming/structure cleanup (pre-launch): - Host modules m3.rs->punktfunk1.rs, m0.rs->spike.rs; CLI m3-host->punktfunk1-host, m0->spike; bare `punktfunk-host` now prints help. Types M3Options/M3Source-> Punktfunk1Options/Punktfunk1Source. - Clients consolidated out of crates/ into clients/: punktfunk-client-rs-> clients/probe (crate punktfunk-probe), client-linux->clients/linux, client-windows->clients/windows, punktfunk-android->clients/android/native (crate punktfunk-client-android; kept [lib] name=punktfunk_android so the JNI contract is unchanged). crates/ now holds only core + host. - Milestone codes M0-M4 purged from code/CLI/CLAUDE.md/README/docs/docs-site, kept only in docs/implementation-plan.md. docs/m2-plan.md-> docs/gamestream-host-plan.md. CI/gradle/flatpak paths updated. Client loss-recovery (video froze and never recovered after a brief drop): - Export punktfunk_connection_frames_dropped through the C ABI (the core already tracked it for the client keyframe-recovery loop; it was never reachable from the ABI clients). Regenerated punktfunk_core.h. - Apple (StreamPump + Stage2Pipeline) and Android (decode.rs) now poll frames_dropped and request a keyframe when it climbs -- the same loss-driven recovery Linux/Windows already had. Under infinite GOP the decoder silently conceals reference-missing frames, so the decode-error trigger rarely fires. Apple rumble robustness (worked then went spotty -- DualSense + Xbox): - Add CHHapticEngine stopped/reset handlers (rebuild on app background / audio interruption / server reset) and drop the permanent `broken` latch on a transient drive failure; latch only when the controller truly has no haptics. - Surface swallowed SDL set_rumble errors on Linux/Windows + diagnostic logging. Verified: cargo build/clippy/fmt --workspace, C-ABI harness, header drift. Not runnable on this box (verify in CI): Gitea workflows, gradle/Android, flatpak, Swift/decky. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 21:05:58 +00:00
enricobuehler	802e98d3a3	feat(packaging): bundle the web console into the RPM / Arch / bootc host packages ... The punktfunk-web management console (pairing + status) shipped only via apt. Extend it to the other HOST packaging methods, mirroring the Debian punktfunk-web .deb (flatpak is the client, correctly excluded): - rpm/punktfunk.spec: new noarch `punktfunk-web` subpackage (the .output bundle + a /usr/bin/punktfunk-web-server node launcher + both systemd --user units + web-init.sh + web.env.example), gated behind `%bcond_with web`. OFF by default because building the Nitro/Node SSR bundle needs `bun`, which a plain rpmbuild / COPR mock chroot lacks. Host package weak-Recommends punktfunk-web. - ci/fedora-rpm.Dockerfile: install bun (+ unzip) so the CI builder can build the console. - rpm.yml: build `PF_WITH_WEB=1` (Prep bootstraps bun to stay green pre-image-rebuild); the publish loop already globs the new noarch rpm into the registry. build-rpm.sh: `--with web` when PF_WITH_WEB=1. - bootc/Containerfile: install from the Gitea RPM registry (which carries punktfunk-web) instead of COPR — `dnf5 install punktfunk punktfunk-web`. - arch/PKGBUILD: opt-in `punktfunk-web` split member (PF_WITH_WEB=1 appends it + bun) so a default makepkg still builds host+client with no JS tooling — matching the spec's bcond. - docs: packaging/README, rpm/README, copr/README (the no-bun caveat), bazzite/README (Path B rewritten COPR→Gitea registry), arch/README — enable + journal-password steps. Reviewed across methods by an adversarial multi-agent pass (rpm/ci/arch/bootc/consistency lenses, each blocking finding 3x-verified); fixed the two it confirmed real — the Arch bun-mandatory regression (now opt-in) and the stale COPR wording in bazzite Path B. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 09:56:58 +00:00
enricobuehler	f869b434ba	fix(host): input follows session per-connect + restore-guard on desktop switch ... Two fixes from live Bazzite testing of the managed-Gaming + mid-stream work: 1. Input now FOLLOWS the active session. The host-lifetime injector was pinned to the first backend it opened and only reopened on an inject FAILURE — but with Feature A keeping the managed gamescope warm, its EIS socket stays alive, so a switch to the KDE desktop + reconnect kept injecting into the idle gamescope (input silently dead on KDE). injector_service_thread now compares the resolved input backend (default_backend() ← PUNKTFUNK_INPUT_BACKEND, set per connect by apply_input_env, and on a mid-stream switch) each event and reopens when it changes. Fixes input on a Gaming->Desktop reconnect AND Feature B's mid-stream input re-route, with no plumbing. 2. Debounced TV-restore no longer yanks you back to gaming. do_restore_tv_session now checks detect_active_session(): if a desktop session is active (the user switched), it tears down the idle managed gamescope but does NOT restart the gaming autologin. Observed live: the restore fired and restarted gamescope-session-plus@ogui-steam while the client was already on the KDE desktop. Also: document PUNKTFUNK_SESSION_WATCH (Feature B opt-in) in the Bazzite host.env and correct the managed-default description. Compiles, clippy/fmt clean, 78 tests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 23:14:36 +00:00
enricobuehler	c25706b355	feat(host/gamescope): managed-default Gaming with debounced TV-restore ... Feature A: in Gaming Mode, default to a host-managed gamescope at the CLIENT's mode (tear the TV's autologin down on connect) instead of attaching to the running TV session — so the client receives ITS resolution (capture == encode == client mode, fixing the InitializeEncoder size mismatch the attach path hit), not the TV's 4K. Reliability is the debounce: restore_managed_session() now SCHEDULES the TV restore RESTORE_DEBOUNCE (5s) after the last disconnect via a host-lifetime worker, instead of restoring immediately per-disconnect. A reconnect inside the window cancels the pending restore and reuses the still-warm managed session (create_managed_session clears PENDING_RESTORE at the top) — so a quick reconnect (e.g. a controller hiccup) never triggers a gamescope stop/relaunch, which is the per-connect churn that leaked NVIDIA GPU context on F44 (the black-screen reconnect). - vdisplay/gamescope.rs: PENDING_RESTORE + RESTORE_DEBOUNCE; schedule_restore_tv_session (debounced), do_restore_tv_session (the actual restore, worker-driven), start_restore_worker (100ms tick, RAII keepalive handle). create_managed_session cancels the pending restore + reuse path unchanged. - vdisplay.rs: apply_input_env flips gamescope to managed-DEFAULT; PUNKTFUNK_GAMESCOPE_ATTACH (or an explicit _NODE) opts back to attach for couch-on-TV; _MANAGED forces managed. restore_managed_session schedules; new start_restore_worker wrapper. - m3.rs serve(): hold the restore worker for the host lifetime. - bazzite host.env: document managed-default + the ATTACH opt-out. Compiles, clippy-clean, 78 host tests pass. F44 single stop/start leak to be verified live on the box. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 22:34:33 +00:00
enricobuehler	66c2bee183	feat(packaging/bazzite): one-shot KDE Desktop-mode setup for the host ... The session-aware selector drives a KWin virtual output at the client's resolution when the Bazzite box is in KDE Desktop Mode — validated live. But a normal KDE login withholds two things the headless host needs: 1. KWIN_WAYLAND_NO_PERMISSION_CHECKS=1 — so KWin exposes the privileged zkde_screencast virtual-output protocol to an external client. 2. the kde-authorized RemoteDesktop grant — so libei input auto-approves instead of popping a dialog a headless host can't answer. Add packaging/bazzite/kde-desktop-setup.sh (idempotent, no root): writes the environment.d KWIN drop-in and seeds the grant DB (shipped at /usr/share/punktfunk/headless/kde-authorized) into ~/.local/share/flatpak/db/, restarting the portal chain. Ship it via the RPM at /usr/share/punktfunk/bazzite/ and document it in the Bazzite README (new §6.5). Gaming Mode needs none of this (auto-attach). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 22:26:21 +00:00
enricobuehler	6f77574876	feat(host/vdisplay): per-connect active-session backend selection ... Bazzite/SteamOS boxes flip between Steam Gaming Mode (gamescope) and a KDE/GNOME desktop. The host statically read PUNKTFUNK_COMPOSITOR / XDG_CURRENT_DESKTOP once, so switching to Desktop Mode failed the stream, and the gamescope managed-session path stopped+relaunched the autologin per connect — leaking GPU context on F44 (reconnect → black screen). Replace the static read with a runtime probe of the live session and route each connect to the right backend, churn-free: - vdisplay::detect_active_session() probes /proc for the running compositor of our uid (gamescope|kwin_wayland|gnome-shell|sway, desktop outranks a leftover gamescope) + scans the runtime dir for the live wayland-* socket. Returns an ActiveKind + the SessionEnv (WAYLAND_DISPLAY/XDG_RUNTIME_DIR/DBUS/ XDG_CURRENT_DESKTOP) that targets it. - apply_session_env() writes that into the process env per connect (host serves one session at a time), so every backend (capture + input) opens against the live session; apply_input_env() points input at the matching backend and selects gamescope ATTACH (no managed restart) unless PUNKTFUNK_GAMESCOPE_MANAGED. - resolve_compositor() (native path) auto-detects + applies; explicit PUNKTFUNK_COMPOSITOR still wins (legacy/CI/forcing). detect() is now active-aware for the GameStream/mgmt callers too. - Bazzite host.env drops the static gamescope force; documents auto-detection + the optional overrides. Result: Desktop Mode → KWin/Mutter virtual output at the client's mode (churn-free, the reliable path); Gaming Mode → attach to the running gamescope (no SIGSEGV/GPU leak on reconnect). Compiles + clippy-clean; 78 host tests pass. Live validation on the Bazzite box pending (box offline). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 21:41:51 +00:00
enricobuehler	902cc162f7	docs(bazzite): join the input group via ujust add-user-to-input-group ... On Bazzite (atomic rpm-ostree) `sudo usermod -aG input $USER` doesn't stick — /etc/group is managed declaratively, so the change is dropped or reverted on the next update. The supported path is the `ujust add-user-to-input-group` recipe, which edits the group the immutable-OS-correct way. Update the bazzite README + the packaging quickstart + the troubleshooting note (which also now points at the host's "virtual gamepad/DualSense created" vs "creation failed" log as the unambiguous signal). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-11 20:32:55 +00:00
enricobuehler	12b047b0ae	docs(packaging): add end-to-end Bazzite setup guide ... A step-by-step walkthrough for running the host on Bazzite (the immutable Fedora-Atomic gaming distro): the two install paths (rpm-ostree layering vs the bootc image), udev + the `input` group, host.env knobs (gamescope-default), the systemd --user service, firewall ports, verification, and troubleshooting — all grounded in the packaging/ files. Flags the operator-run COPR, the loopback-only mgmt port, and that the bundled unit runs the GameStream `serve` host (not m3-host). Linked from packaging/README.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-11 08:40:16 +00:00
enricobuehler	23bb814bac	feat(packaging): Fedora/Bazzite packaging — COPR RPM, bootc image, gamescope-default config ... Roadmap #3 (install on other devices). Bazzite already ships gamescope + PipeWire + the NVIDIA stack, so the host slots in with minimal new deps (ffmpeg-libs from RPM Fusion + opus + libei). - packaging/rpm/punktfunk.spec — builds punktfunk-host from source (cargo), installs the binary + udev rule + systemd user unit + headless helpers; Requires/Recommends mapped from the Ubuntu bootstrap deps to Fedora. - packaging/bootc/Containerfile — layer punktfunk into a bazzite-nvidia bootc image for atomic, image-based installs. - packaging/bazzite/host.env — gamescope-default appliance config (spawned per session). - packaging/copr/ + packaging/README.md — COPR build-from-SCM settings + install docs (rpm-ostree and bootc paths), and why not Flatpak. - LICENSE-MIT + LICENSE-APACHE — materialize the declared `MIT OR Apache-2.0` (was unfiled); the RPM ships them. Not buildable on the Ubuntu dev box (no rpm tooling) — the COPR/Fedora build is operator-run; all spec-referenced files verified present and the cargo build is green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-10 22:29:01 +00:00