punktfunk

Author	SHA1	Message	Date
enricobuehler	9c8fa9340c	refactor: drop milestone names + consolidate clients; loss-recovery & rumble fixes apple / swift (push) Failing after 40s Details audit / cargo-audit (push) Failing after 1m12s Details windows-msix / package (push) Successful in 1m37s Details windows / build (push) Successful in 1m14s Details android / android (push) Successful in 4m48s Details ci / web (push) Successful in 27s Details ci / rust (push) Successful in 4m21s Details ci / docs-site (push) Successful in 31s Details ci / bench (push) Successful in 4m39s Details decky / build-publish (push) Successful in 11s Details docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s Details docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s Details docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s Details docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s Details docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 19s Details deb / build-publish (push) Successful in 6m3s Details flatpak / build-publish (push) Successful in 4m13s Details rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m15s Details rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m16s Details docker / deploy-docs (push) Successful in 18s Details Two bodies of work in one commit (the rename moved files the fixes also touched). Naming/structure cleanup (pre-launch): - Host modules m3.rs->punktfunk1.rs, m0.rs->spike.rs; CLI m3-host->punktfunk1-host, m0->spike; bare `punktfunk-host` now prints help. Types M3Options/M3Source-> Punktfunk1Options/Punktfunk1Source. - Clients consolidated out of crates/ into clients/: punktfunk-client-rs-> clients/probe (crate punktfunk-probe), client-linux->clients/linux, client-windows->clients/windows, punktfunk-android->clients/android/native (crate punktfunk-client-android; kept [lib] name=punktfunk_android so the JNI contract is unchanged). crates/ now holds only core + host. - Milestone codes M0-M4 purged from code/CLI/CLAUDE.md/README/docs/docs-site, kept only in docs/implementation-plan.md. docs/m2-plan.md-> docs/gamestream-host-plan.md. CI/gradle/flatpak paths updated. Client loss-recovery (video froze and never recovered after a brief drop): - Export punktfunk_connection_frames_dropped through the C ABI (the core already tracked it for the client keyframe-recovery loop; it was never reachable from the ABI clients). Regenerated punktfunk_core.h. - Apple (StreamPump + Stage2Pipeline) and Android (decode.rs) now poll frames_dropped and request a keyframe when it climbs -- the same loss-driven recovery Linux/Windows already had. Under infinite GOP the decoder silently conceals reference-missing frames, so the decode-error trigger rarely fires. Apple rumble robustness (worked then went spotty -- DualSense + Xbox): - Add CHHapticEngine stopped/reset handlers (rebuild on app background / audio interruption / server reset) and drop the permanent `broken` latch on a transient drive failure; latch only when the controller truly has no haptics. - Surface swallowed SDL set_rumble errors on Linux/Windows + diagnostic logging. Verified: cargo build/clippy/fmt --workspace, C-ABI harness, header drift. Not runnable on this box (verify in CI): Gitea workflows, gradle/Android, flatpak, Swift/decky. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 21:05:58 +00:00
enricobuehler	ec2907fc32	perf(host/windows): SendInput retry-on-failure model (two-process step 2) apple / swift (push) Successful in 54s Details android / android (push) Failing after 0s Details ci / rust (push) Failing after 0s Details ci / docs-site (push) Failing after 0s Details ci / bench (push) Failing after 0s Details deb / build-publish (push) Failing after 0s Details ci / web (push) Failing after 1s Details decky / build-publish (push) Failing after 0s Details docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 1s Details docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 0s Details docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 1s Details docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s Details rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 1s Details rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s Details docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 0s Details docker / deploy-docs (push) Has been skipped Details The injector reattached the input desktop (OpenInputDesktop + SetThreadDesktop, two syscalls) before EVERY event. Now it stays bound to its desktop and only reattaches on a SendInput short write (the input desktop switched into UAC/lock) + retries once — Sunshine's model. No steady-state per-event overhead; still follows the desktop across the secure boundary, serving both desktops. Validated on the RTX 4090 (host as SYSTEM): client-rs --input-test injected for ~6s with no "blocked desktop" errors. Completes all 6 steps of the two-process secure-desktop build; only a real-UAC user smoke test remains. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 08:30:49 +00:00
enricobuehler	1e8f210948	docs(windows-secure-desktop): steps 1/3/4/5/6 live-validated; soak results apple / swift (push) Successful in 55s Details android / android (push) Failing after 34s Details ci / web (push) Failing after 5s Details ci / docs-site (push) Failing after 1s Details ci / bench (push) Failing after 0s Details deb / build-publish (push) Failing after 0s Details decky / build-publish (push) Failing after 1s Details docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 0s Details docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 1s Details docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 0s Details docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 0s Details docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 1s Details docker / deploy-docs (push) Has been skipped Details rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 0s Details rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s Details ci / rust (push) Failing after 2m50s Details Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 08:26:10 +00:00
enricobuehler	4edfcd4b43	feat(host/windows): two-process mux test toggle + live-validate step 5 PUNKTFUNK_SECURE_TEST_PERIOD_MS=N drives a square-wave secure/normal toggle in virtual_stream_relay (instead of the real DesktopWatcher), to exercise the mid-session helper↔DDA mux without a live UAC/lock. Gated behind the env var, in the style of PUNKTFUNK_VIDEO_DROP / PUNKTFUNK_FEC_PCT. Live-validated on the RTX 4090 (host as SYSTEM): with a 4s toggle the mux switched secure(DDA)↔normal(WGC relay) cleanly 5× in one session and the client decoded 308 HEVC Main-10 frames continuously across every switch — the wait-for-IDR latch held with no decode break. The real Winlogon DDA capture is pre-proven by the single-process secure path (`f4b4a6c`); the toggle exercises the new surface (the mux). Doc updated with the validation + the SYSTEM-mode audio caveat. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 08:13:16 +00:00
enricobuehler	140209bbfc	feat(host/windows): two-process secure-desktop step 5 — DDA mux on Winlogon `virtual_stream_relay` now muxes the AU source by input desktop. A DesktopWatcher (SYSTEM-only Winlogon-name poll) drives it: the user-session WGC helper relay feeds the normal (Default) desktop; the host's OWN DDA capturer+encoder — opened lazily on the first secure transition, on the same SudoVDA target with a no-op keepalive (the host still holds the real isolation owner) — captures the secure (Winlogon: UAC/lock/login) desktop that WGC can't see. Every switch latches "wait for IDR" and forces the now-active source to emit a keyframe (the two encoders keep independent infinite-GOP state, so the client must resume on an IDR); returning to the helper also drains its stale buffered AUs first. Reconfigure drops the stale-target DDA; keyframe requests route to the live source. Send path (FEC/seal/paced-send) unchanged. Also: wgc_relay gains try_recv (drain on switch-back); open_dda takes dims as args (avoids a closure borrow of the reassigned cur_mode); the forward! macro returns bool with `break 'outer` at the call site (no in-macro label hygiene). cfg-gated windows-only. Live validation (UAC switch over a session) pending. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 07:55:29 +00:00
enricobuehler	5c2bcbc2a2	docs(windows): secure-desktop two-process design + WGC impersonation attempt (vestigial) apple / swift (push) Successful in 55s Details android / android (push) Has been cancelled Details ci / rust (push) Has been cancelled Details ci / web (push) Has been cancelled Details ci / docs-site (push) Has been cancelled Details ci / bench (push) Has been cancelled Details deb / build-publish (push) Has been cancelled Details decky / build-publish (push) Has been cancelled Details docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled Details docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled Details docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled Details docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled Details docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled Details docker / deploy-docs (push) Has been cancelled Details rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled Details rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled Details Validated design for adding secure-desktop (UAC/lock/login) coverage on top of the shipped WGC animation fix. Key verified constraint: WGC won't activate under SYSTEM (0x80070424) even with thread-level ImpersonateLoggedOnUser, and DDA+SendInput on Winlogon need LOCAL_SYSTEM — so one process can't do both. Architecture: SYSTEM host (QUIC + SudoVDA + DDA-secure + SendInput + AU mux) + a USER-session WGC helper (CreateProcessAsUser) that relays encoded Annex-B AUs over a named pipe; the host muxes helper-AUs (normal desktop) vs its own DDA encoder (secure desktop), switched by a desktop-name watcher. No shared GPU texture (rejected — MIC/keyed-mutex pain); just AU bytes. docs/windows-secure-desktop.md has the ordered, box-testable steps. The impersonate_active_user() in wgc.rs is kept as a harmless no-op (under a user-token process WTSQueryUserToken fails → no impersonation → WGC works natively); it does NOT make WGC work under SYSTEM (the two-process design uses a real user process for WGC instead). + Win32_System_RemoteDesktop. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 07:08:50 +00:00

6 Commits