74 Commits

Author	SHA1	Message	Date
enricobuehler	586c4d0ddc	fix(flatpak): sign the OSTree commit, not just the summary ... Install failed with "GPG verification enabled, but no signatures found" on the commit: the deploy step only ran build-update-repo (signs the summary). Add `flatpak build-sign` to sign the commit objects too — clients with gpg-verify=true verify the commit, so summary-only signing isn't enough. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 22:10:07 +00:00
enricobuehler	f1032a7a23	fix(flatpak): pass stable branch to build-bundle (matches --default-branch) ... The CI added --default-branch=stable, so the repo ref is app/io.unom.Punktfunk/x86_64/stable. build-bundle defaults to `master` when no branch is given → "Refspec app/io.unom.Punktfunk/x86_64/master not found". Pass `stable` explicitly in both flatpak.yml and the local build-flatpak.sh. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 21:48:17 +00:00
enricobuehler	d9d495a53e	feat(flatpak): host a signed OSTree repo at flatpak.unom.io for flatpak update ... The CI only shipped a single-file .flatpak bundle, which has no remote — users couldn't `flatpak update`. Keep the bundle (Decky fallback) but also sign the OSTree repo flatpak-builder already produces and publish it to a shared, reusable unom-wide remote. - flatpak.yml: pin --default-branch=stable; import the signing key and build-update-repo --gpg-sign; generate unom.flatpakrepo + the app .flatpakref + index.html; rsync the repo to unom-1 and bring up a static Caddy container. The step no-ops until FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* exist (build stays green). - packaging/flatpak/server/: compose.production.yml + Caddyfile (static file server on :3230, mirrors docker.yml deploy-docs). - unom-flatpak.gpg: committed public signing key (base64 -> GPGKey= in the descriptors). - README: hosted repo is now the recommended install; documents the one-time infra (edge Caddy vhost, infra port 3230, DNS, the GPG secret). Edge Caddy vhost + infra port allowlist + the secret are applied out-of-band. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 21:07:27 +00:00
enricobuehler	9c8fa9340c	refactor: drop milestone names + consolidate clients; loss-recovery & rumble fixes ... Two bodies of work in one commit (the rename moved files the fixes also touched). Naming/structure cleanup (pre-launch): - Host modules m3.rs->punktfunk1.rs, m0.rs->spike.rs; CLI m3-host->punktfunk1-host, m0->spike; bare `punktfunk-host` now prints help. Types M3Options/M3Source-> Punktfunk1Options/Punktfunk1Source. - Clients consolidated out of crates/ into clients/: punktfunk-client-rs-> clients/probe (crate punktfunk-probe), client-linux->clients/linux, client-windows->clients/windows, punktfunk-android->clients/android/native (crate punktfunk-client-android; kept [lib] name=punktfunk_android so the JNI contract is unchanged). crates/ now holds only core + host. - Milestone codes M0-M4 purged from code/CLI/CLAUDE.md/README/docs/docs-site, kept only in docs/implementation-plan.md. docs/m2-plan.md-> docs/gamestream-host-plan.md. CI/gradle/flatpak paths updated. Client loss-recovery (video froze and never recovered after a brief drop): - Export punktfunk_connection_frames_dropped through the C ABI (the core already tracked it for the client keyframe-recovery loop; it was never reachable from the ABI clients). Regenerated punktfunk_core.h. - Apple (StreamPump + Stage2Pipeline) and Android (decode.rs) now poll frames_dropped and request a keyframe when it climbs -- the same loss-driven recovery Linux/Windows already had. Under infinite GOP the decoder silently conceals reference-missing frames, so the decode-error trigger rarely fires. Apple rumble robustness (worked then went spotty -- DualSense + Xbox): - Add CHHapticEngine stopped/reset handlers (rebuild on app background / audio interruption / server reset) and drop the permanent `broken` latch on a transient drive failure; latch only when the controller truly has no haptics. - Surface swallowed SDL set_rumble errors on Linux/Windows + diagnostic logging. Verified: cargo build/clippy/fmt --workspace, C-ABI harness, header drift. Not runnable on this box (verify in CI): Gitea workflows, gradle/Android, flatpak, Swift/decky. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 21:05:58 +00:00
enricobuehler	1faa6c6ad4	ci(android): replace r0adkll with a direct Play Publishing-API upload ... r0adkll/upload-google-play hides real API errors behind "Unknown error occurred." Proved the full upload sequence (insert edit -> upload bundle -> track update -> validate) succeeds with the service account, so the failure was r0adkll's opaque error handling and/or a base64-encoded SERVICE_ACCOUNT_JSON secret. clients/android/ci/play-upload.py does the same sequence with stdlib + openssl (no pip), reuses the SERVICE_ACCOUNT_JSON secret, tolerates it being raw JSON or base64, auto-retries commit with changesNotSentForReview, and prints Google's actual error. Locally dry-run-validated against the live app (both secret forms). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 20:38:20 +00:00
enricobuehler	72d1b19743	ci(android): publish signed AAB + universal APK to Gitea generic registry ... Build a universal release APK alongside the AAB and push both to the public generic registry (punktfunk-android/<run_number>/) before the Play upload, so artifacts are downloadable even while the Play step is still failing. Matches windows-msix.yml / deb.yml (REGISTRY_TOKEN, user enricobuehler). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 20:26:42 +00:00
enricobuehler	22409acba5	fix(ci): use android-36 platform as 37 is missing from sdkmanager channel	2026-06-18 12:24:00 +02:00
enricobuehler	a24679ce69	feat: setup CI for Google Play Store submission and refactor UI	2026-06-18 11:51:40 +02:00
enricobuehler	6c02acab59	build: update Android NDK to r30 (30.0.14904198)	2026-06-18 11:13:14 +02:00
enricobuehler	15d3d423fa	feat(decky): full-featured Gaming-Mode client — fullscreen page, pairing, focus-correct launch ... The plugin was a QAM launcher whose stream never appeared, with no pairing. Three fixes, plus a headless --pair mode on the GTK client: - Stream actually starts (MoonDeck's proven mechanism): gamescope only focuses the process tree Steam launched via reaper, so a flatpak spawned from the (root) backend is invisible. The frontend now registers ONE hidden non-Steam shortcut pointing at bin/punktfunkrun.sh, passes the host as the shortcut's Steam launch options, and starts it with SteamClient.Apps.RunGame — gamescope then fullscreen-focuses it. The wrapper execs `flatpak run io.unom.Punktfunk --connect <host>`. - Fullscreen page: routerHook.addRoute("/punktfunk") — host list, per-host Pair/Stream, and a settings section (resolution/refresh/ bitrate/gamepad/mic, written to client-gtk-settings.json). - Pairing: a gamepad-navigable PIN keypad. The host shows the PIN; the backend runs the SPAKE2 ceremony headlessly via the client's new `--pair <PIN> --connect host` CLI mode (app.rs), persisting the host as paired so the stream then connects silently. Same flatpak => shared identity store, verified live (ceremony against a real host). - Backend (main.py): discover / pair / runner_info / get_settings / set_settings / kill_stream; uses DECKY_USER_HOME so paths resolve to the deck user's flatpak install regardless of the plugin's root flag. CI (decky.yml) and the sideload packager now ship bin/punktfunkrun.sh. The Steam-shortcut launch and headless-pairing env follow MoonDeck exactly but need a Deck in Gaming Mode to fully confirm. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-17 09:17:14 +00:00
enricobuehler	a5b99b2928	fix(flatpak): prune microsoft/windows-rs git crates before vendoring ... The flatpak CI was failing at "Downloading sources" with "No space left on device": flatpak-cargo-generator walks the whole workspace Cargo.lock and emits a `type: git` source for the windows-rs crates (windows + windows-reactor + ~12 sub-crates, pinned by punktfunk-client-windows), and flatpak-builder then FULL-clones that multi-GB repo — for a bundle that only ever compiles `-p punktfunk-client-linux` and never touches a windows-* crate. New packaging/flatpak/prune-windows-lock.py writes a copy of Cargo.lock with the windows-rs git packages stripped (matches on the `source =` line, so a crate that merely lists a windows dependency is kept; dependency-free so it also runs on the Deck's stock python). Both the CI and build-flatpak.sh feed that pruned lock to the generator. The committed Cargo.lock is untouched — cargo --offline only needs vendored sources for the crates it actually builds, and the windows-rs crates are not in the Linux client's dependency closure. Verified locally: 14 crates pruned (507 -> 493 packages), zero windows-rs `source =` lines remain, output parses as TOML, all Linux-client deps (gtk4/ffmpeg-sys-next/sdl3/pipewire) intact. This unblocks the flatpak build carrying the VAAPI green-screen fix (64b1679) for the Steam Deck. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-17 07:43:11 +00:00
enricobuehler	bb11b2faf7	feat(windows): MSIX packaging + publish workflow for the WinUI client ... Package the Windows client as a signed MSIX (Start tile, clean install/uninstall) and publish it to Gitea's generic registry, mirroring the host's .deb/.rpm and the Mac's DMG. Validated end-to-end on the build VM: cargo build --release -> makeappx pack (16 payload files, 58 MB) -> signtool -> Add-AppxPackage deploy -> framework-dependency resolution all green. - packaging/AppxManifest.xml: full-trust Win32 app (Windows.FullTrustApplication + runFullTrust), templated {VERSION}/{PUBLISHER}. windows-reactor packages cleanly despite being built "unpackaged" because it calls MddBootstrapInitialize2 with OnPackageIdentity_NOOP — under MSIX identity the bootstrapper no-ops and the App SDK resolves from the manifest's PackageDependency on Microsoft.WindowsAppRuntime.2 (reactor pins MAJORMINOR 0x20000 = 2.0). - packaging/pack-msix.ps1: assemble layout (exe + reactor/SDL3 auto-staged DLLs + resources.pri + FFmpeg DLLs + tile assets), makeappx, signtool. Cert precedence: MSIX_CERT_PFX_B64 secret, else an ephemeral self-signed cert whose .cer is published alongside (swap in a real cert later, no manifest change). - assets: tile/store logos rasterized from packaging/flatpak/io.unom.Punktfunk.svg. - .gitea/workflows/windows-msix.yml: runs on the Windows runner on main pushes + win-v* tags + dispatch. MSIX version is 4-part numeric — win-vX.Y.Z -> X.Y.Z.0, else 0.2.<run>.0. shell: pwsh + CARGO_TARGET_DIR=C:\t like windows.yml. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 08:45:43 +00:00
enricobuehler	e39f65a228	ci(windows): set CARGO_TARGET_DIR=C:\t — dodge MAX_PATH in CMake-from-source builds ... With the BOM fixed (shell: pwsh), the build got far enough to compile audiopus_sys, which does a CMake-from-source build of libopus. The runner's host workdir sits deep under C:\Windows\System32\config\systemprofile\.cache\act\<hash>\hostexecutor\, so target\debug\build\ audiopus_sys-*\out\build\CMakeFiles\CMakeScratch\TryCompile-*\...\.tlog overran Windows' 260-char MAX_PATH and MSBuild's tracker failed to create its .tlog (DirectoryNotFoundException -> MSB6003, "CL.exe konnte nicht ausgeführt werden"). Pointing CARGO_TARGET_DIR at C:\t shortens every nested build path well under the limit (fixes audiopus_sys + SDL3, both CMake-from-source). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 08:18:34 +00:00
enricobuehler	372483abf0	ci(windows): use shell: pwsh (PowerShell 7) — fixes GITHUB_ENV BOM corruption ... Windows PowerShell 5.1's Out-File -Encoding utf8 prepends a UTF-8 BOM, corrupting the first GITHUB_ENV line so CARGO_WORKSPACE_DIR silently never got set -> windows-reactor build.rs panic -> CI build failed (runs 8765/8768). pwsh 7 writes UTF-8 without a BOM. Installed PowerShell 7.6.2 MSI on the runner and put C:\Program Files\PowerShell\7 on the daemon wrapper PATH so jobs find pwsh; switched all windows.yml steps to shell: pwsh. (Reproduced locally with CARGO_WORKSPACE_DIR set: the build is green in 2m37s — the BOM was the only issue.) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 08:10:30 +00:00
enricobuehler	7a814b5f18	ci(windows): restore paths filter + document global runner scope ... Re-add the paths filter (the trigger was never the problem — the runner was registered at the wrong scope, so org-repo runs found 'no fitting runner' despite the runner showing idle). Document in setup-windows-runner.ps1 that the registration token must be GLOBAL (Site Administration -> Actions -> Runners), like the Linux runner. CARGO_WORKSPACE_DIR is set via GITHUB_ENV in a step (the job-env ${{ github.workspace }} form didn't resolve, leaving it unset -> reactor build.rs panic). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 07:38:08 +00:00
enricobuehler	644274c33e	ci(windows): set CARGO_WORKSPACE_DIR via GITHUB_ENV (not job-env expression) ... Mirror apple.yml's shape — drop the job-level env + defaults blocks; set CARGO_WORKSPACE_DIR from $GITHUB_WORKSPACE in a step (Gitea can't resolve github.workspace at job-env-eval time) and use per-step shell: powershell. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 07:24:53 +00:00
enricobuehler	dd9dfecbe4	ci(windows): drop paths filter (trigger reliability) + NO_COLOR runner logs ... The paths filter wasn't dispatching the run on the newly-added workflow (the runner is healthy and 'declare successfully', but received no task). Match apple.yml: trigger on every push to main + PRs. Also set NO_COLOR in the daemon wrapper so runner.log is plain text (the ANSI spinner garbled it). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 07:16:26 +00:00
enricobuehler	fc11a42b63	ci(windows): build/clippy/fmt/test workflow on the self-hosted Windows runner ... runs-on: windows-amd64 (home-windows-1, host mode). Build + clippy(-D warnings) + fmt + test the WinUI 3 client. The toolchain is baked into the runner's daemon env; the workflow only sets CARGO_WORKSPACE_DIR=${{ github.workspace }} (windows-reactor's build.rs needs it). Triggers on changes to the windows crate / core / Cargo / this workflow. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 07:11:11 +00:00
enricobuehler	8446ca1e47	ci(android): keep platforms;android-36 (android-37 not in the runner SDK channel) ... The previous CI fix bumped the pinned platform to android-37, but the runner's sdkmanager has no such package yet ("Failed to find package 'platforms;android-37'"), failing the SDK step before it could install CMake. Revert to platforms;android-36 (AGP auto-installs the compileSdk-37 platform during the build, as it did before) while keeping the cmake;3.22.1 package that fixes the libopus cross-build. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 16:31:46 +02:00
enricobuehler	8265742e74	ci: bust the re-poisoned cargo cache (v3) + burst-guard the runner prune ... This session's push storm refilled the runner to 100% WITHIN the prune timer's 24h window (it only trims >24h), so a build hit ENOSPC and actions/cache saved a truncated target/ -> `error[E0463]: can't find crate for shlex` in ci.yml's clippy. Two fixes: - Bump cargo-target-v2- -> v3- in ci.yml + deb.yml so the poisoned tarball is bypassed (a suffix bump can't — restore-keys falls back to the old prefix; same as the v1->v2 fix). - Harden scripts/ci/docker-prune: run HOURLY (was 6h) with a burst guard — if the disk is still >85% after the normal until=12h trim, prune ALL idle images + build cache (in-use protected). A fast push-burst can fill 99 GB inside any time window, so the disk-pressure trigger, not the age filter, is the real backstop. Applied live on home-runner-1 (reclaimed 95%->66%) and checked in. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 14:25:40 +00:00
enricobuehler	6e572a38cd	ci(android): install the SDK CMake package so cargo-ndk can build libopus ... The android.yml runner installed the NDK but not cmake/ninja, so cargo-ndk's audiopus_sys (libopus via CMake) failed with "is `cmake` not installed?" — broken since the audio increment added the libopus dependency. kit/build.gradle.kts prepends $ANDROID_SDK/cmake/3.22.1/bin to PATH (the same SDK CMake that makes local builds work); install cmake;3.22.1 (cmake + ninja) so that path exists in CI too. Also pin platforms;android-37 to match compileSdk (AGP auto-installs it otherwise). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 16:17:14 +02:00
enricobuehler	262305b771	fix(ci): provide bun for deb.yml's web-console build ... deb.yml builds the punktfunk-web .output in the rust-ci image, but that image had no bun (only ci.yml's web/docs jobs use the oven/bun image) -> "bun: not found". Bake bun (+ unzip for its installer) into ci/rust-ci.Dockerfile, and bootstrap it in the deb web step too so the job is green against the previous image (docker.yml rebuild lag) — mirroring the rpm.yml fix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 14:06:12 +00:00
enricobuehler	59bcfa1a12	fix(ci): rpm signing uses rpm's default signer; flatpak installs node before checkout ... Two CI fixes: - rpm signing (2nd bug): overriding %__gpg_sign_cmd via --define reached gpg with %{__plaintext_filename}/%{__signature_filename} UNEXPANDED ("No such file or directory"). Stop overriding it — use rpm's default signer (which expands those correctly) and just set _gpg_name; a passphrase-less key + loopback in gpg.conf makes gpg sign headless. (Requires a passphrase-less signing key, as the runbook's %no-protection key is.) - flatpak: the job runs in fedora:43 which has no node, so actions/checkout (a JS action) failed with "node: not found". Install nodejs in a plain `run:` step (shell, no node needed) before checkout. Also scope the heavy flatpak-builder run to client/core/manifest changes (+ tags) so it stops rebuilding on every unrelated docs/host push (tag pushes still build — paths filters only branch pushes). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 13:54:43 +00:00
enricobuehler	1fd4c97139	feat(rpm): wire per-package GPG signing (dormant until a key secret is set) ... The audit's signing recommendation, scoped to RPM (apt's signed Release metadata already covers .debs; bootc cosign deferred). packaging/rpm/sign-rpms.sh GPG-signs dist/*.rpm and self-verifies (rpmkeys --checksig), run from rpm.yml between build + publish. Safe to ship: the step is a NO-OP (exit 0, unsigned as today) until RPM_GPG_PRIVATE_KEY is set as a CI secret — so it can't break current CI, and when enabled a bad macro fails loudly via the in-step checksig rather than shipping bad signatures. rpm/README gains the one-time enablement runbook (generate a dedicated passphrase-less key, add the secret, publish the public key, flip gpgcheck=1 only after a signed build lands) and notes step-ca is for TLS, not OpenPGP (it can't sign RPMs). Also fixes the rpm/README version staleness the doc review caught: rolling is 0.2.0-0.ciN (outranks the stray 0.1.1, no pin needed), host releases use host-v* not the client's v*. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 10:46:27 +00:00
enricobuehler	837b6fabb1	feat(dist): aarch64 honesty, Debian KWin-unit parity, cargo-audit CVE scan (P1/P2) ... - spec: narrow ExclusiveArch to x86_64 — no aarch64 build is produced/published (NVENC is desktop-NVIDIA), so claiming aarch64 advertised an arch we never ship. - build-deb.sh: ship punktfunk-kde-session.service (ExecStart repointed to the packaged run-headless-kde.sh) + host.env.kde, matching the RPM/Arch — the deb README's "mirrors the Fedora RPM" claim now holds. - audit.yml: weekly + Cargo.lock-change `cargo audit` over the network-facing crypto dep tree (RustSec advisories); ignore unfixables via .cargo/audit.toml. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 10:34:32 +00:00
enricobuehler	fe9921cc1c	fix(dist): kill the version-shadow + add build provenance (P0) ... The stale code a default install/upgrade got was a TAG LEAK: deb.yml/rpm.yml shared `tags: ['v*']` with the Apple-client release.yml, so the v0.1.0/v0.1.1 tags cut to ship the macOS app ALSO published host packages versioned 0.1.1 — which outranks every rolling 0.0.1~ciN / 0.0.1-0.ciN build in both registries (dpkg/rpm version compares confirm), so `apt install`/`rpm-ostree install` silently fetched ~99-commits-stale code while the READMEs claimed auto-tracking. Two fixes: - Decouple host publishing from Apple `v*` tags: deb.yml/rpm.yml now trigger on `host-v*` only, so a client tag can never poison the host channel again. - Bump the rolling base 0.0.1 -> 0.2.0 (deb `0.2.0~ciN`, rpm `0.2.0-0.ciN`): sits ABOVE the stray 0.1.1 yet BELOW a future 0.2.0 tag, and still climbs monotonically by run number — so `apt upgrade`/`rpm-ostree upgrade` genuinely move forward. Spec default + build scripts + PKGBUILD pkgver bumped to match. Build provenance (so a stale/shadowed host is detectable): build.rs stamps PUNKTFUNK_BUILD_VERSION (set by CI = the full package version, e.g. 0.2.0~ci120.g802e98d; falls back to the crate version for a plain `cargo build`) into the binary via rustc-env. Surfaced in `punktfunk-host --version`, the startup log, and the mgmt /health + /host `version` field (was a hardcoded CARGO_PKG_VERSION). Deliberately env-driven, not git-derived — the RPM builds from a git-archive tarball with no .git. Version computed BEFORE the build in deb.yml; the spec %build exports it from %{version}-%{release} (and gains --locked for reproducibility parity with the .deb path). Validated: plain build reports 0.0.1, env-stamped build reports 0.2.0~ci999.gdeadbee. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 10:30:21 +00:00
enricobuehler	802e98d3a3	feat(packaging): bundle the web console into the RPM / Arch / bootc host packages ... The punktfunk-web management console (pairing + status) shipped only via apt. Extend it to the other HOST packaging methods, mirroring the Debian punktfunk-web .deb (flatpak is the client, correctly excluded): - rpm/punktfunk.spec: new noarch `punktfunk-web` subpackage (the .output bundle + a /usr/bin/punktfunk-web-server node launcher + both systemd --user units + web-init.sh + web.env.example), gated behind `%bcond_with web`. OFF by default because building the Nitro/Node SSR bundle needs `bun`, which a plain rpmbuild / COPR mock chroot lacks. Host package weak-Recommends punktfunk-web. - ci/fedora-rpm.Dockerfile: install bun (+ unzip) so the CI builder can build the console. - rpm.yml: build `PF_WITH_WEB=1` (Prep bootstraps bun to stay green pre-image-rebuild); the publish loop already globs the new noarch rpm into the registry. build-rpm.sh: `--with web` when PF_WITH_WEB=1. - bootc/Containerfile: install from the Gitea RPM registry (which carries punktfunk-web) instead of COPR — `dnf5 install punktfunk punktfunk-web`. - arch/PKGBUILD: opt-in `punktfunk-web` split member (PF_WITH_WEB=1 appends it + bun) so a default makepkg still builds host+client with no JS tooling — matching the spec's bcond. - docs: packaging/README, rpm/README, copr/README (the no-bun caveat), bazzite/README (Path B rewritten COPR→Gitea registry), arch/README — enable + journal-password steps. Reviewed across methods by an adversarial multi-agent pass (rpm/ci/arch/bootc/consistency lenses, each blocking finding 3x-verified); fixed the two it confirmed real — the Arch bun-mandatory regression (now opt-in) and the stale COPR wording in bazzite Path B. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 09:56:58 +00:00
enricobuehler	bf65d264fd	ci: bound runner disk + bust the disk-full-corrupted cargo target cache ... The self-hosted runner filled its disk (95%, builds failing on ENOSPC): every CI push builds a sha-<commit>-tagged Docker image per pipeline, and since those tags are never dangling a plain `docker image prune` skips them — they piled up to 589 images / ~85 GB plus 18 GB of build cache. Two parts: - scripts/ci/docker-prune.{service,timer}: a host-level systemd timer (every 6h, Persistent) that prunes images/build-cache/containers older than 24h — in-use images stay protected. Checked in (the runner is hand-provisioned and shared across orgs) and already installed live; reclaimed 89 GB -> 39 GB (95% -> 42%). - ci.yml / deb.yml: bump the `cargo-target-<rustc>-*` cache key to `-v2-`. The disk-full build let actions/cache save a truncated target/ (a dep's .rmeta went missing -> "error[E0463]: can't find crate for pem_rfc7468" while compiling der). A suffix bump is useless here — restore-keys would fall back to the poisoned prefix — so the prefix is versioned to force one clean rebuild. cargo-home is untouched (sources were intact; the failure was a missing build artifact). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 09:10:56 +00:00
enricobuehler	df005e2963	feat(packaging/web): bundle the web console into the apt install (punktfunk-web) ... Every user needs the console for pairing, so ship it via apt, auto-wired to the host — no manual bun/env setup. New punktfunk-web .deb (Architecture: all, Depends: nodejs >= 20 — runs the node-server build under apt-native node, no bundled bun): - packaging/debian/build-web-deb.sh: stages web/.output (server + public) + a /usr/bin/punktfunk-web-server wrapper (node) + the systemd --user units + the web.env template + docs. Refuses a bun bundle (Bun.serve) as a wrong-preset guard. - scripts/punktfunk-web.service: --user unit on :3000, EnvironmentFile sources the host's ~/.config/punktfunk/mgmt-token (the shared bearer) + the generated web-password; sets PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 + NODE_TLS_REJECT_UNAUTHORIZED=0 (loopback self-signed cert). Restart=on-failure rides out the host-writes-token-first ordering. - scripts/punktfunk-web-init.service + web-init.sh: --user one-shot that generates the login password (a .deb postinst runs as root → wrong $HOME) and surfaces it to the journal. - build-deb.sh: punktfunk-host now Recommends punktfunk-web (apt pulls it by default; headless boxes opt out with --no-install-recommends). - deb.yml: build the web console + smoke-boot it under node (gate the .deb on a real /login 200) + build-web-deb.sh; the publish loop globs it automatically. - web/{.env.example,web.env.example}: document the auto-wiring vs a manual deploy. End state: `apt install punktfunk-host` pulls punktfunk-web; enable both --user services; the console logs in (password from the journal) and proxies the host's HTTPS mgmt API with the shared token — zero hand-edited env. Local .deb build + node smoke-boot verified. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 08:50:40 +00:00
enricobuehler	8534959021	fix(ci/flatpak): cargo-sources generator needs python3-tomlkit, not toml ... flatpak-cargo-generator.py (master) imports `tomlkit` + `aiohttp`; the workflow installed `python3-toml`, so the "Generate offline cargo sources" step would fail with ModuleNotFoundError. Install python3-tomlkit instead, and correct the same note in build-flatpak.sh. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 01:47:09 +02:00
enricobuehler	8956bc14de	feat(packaging/flatpak,decky): Steam Deck client flatpak + plugin deploy + CI ... Ship the punktfunk Linux client to the Steam Deck as a Flatpak — the only viable SteamOS install path, since /usr is read-only and lacks libadwaita/SDL3 — and publish both it and the Decky plugin through Gitea. Built and validated live on a Steam Deck (SteamOS 3.7): bundle installs user-scope, all libs resolve, libavcodec resolves to the codecs-extra HEVC build, devices=all for DualSense hidraw. packaging/flatpak (new): - io.unom.Punktfunk.yml on GNOME 50 / freedesktop-sdk 25.08. rust-stable//25.08 (rustc 1.96 — the GTK4 chain needs >=1.92; the EOL GNOME-48/24.08 rust-stable at 1.89 could not build it) + llvm20 (libclang for bindgen in ffmpeg-sys-next/sdl3-sys). HEVC libavcodec comes from the runtime's auto codecs-extra extension point (no app-side codec declaration). Bundled SDL3 3.4.10 (matches sdl3-sys 0.6.6+SDL-3.4.10). finish-args: wayland/fallback-x11, --device=all (GPU/VAAPI + evdev + hidraw — flatpak cannot bind /dev/hidrawN char devices via --filesystem), pulseaudio, network, ~/.config/punktfunk. - metainfo.xml, desktop, square SVG icon, build-flatpak.sh (offline cargo-sources; on-Deck org.flatpak.Builder or CI), README. clients/decky: - add LICENSE (MIT), fix package.json license (BSD-3-Clause -> Apache-2.0 OR MIT), add scripts/{package.sh,deploy.sh} (the plugins dir is root-owned: stage to /tmp, sudo install, restart plugin_loader), align the launcher fallback to the real flatpak app id io.unom.Punktfunk, rewrite the install section. .gitea/workflows: - flatpak.yml: privileged Fedora container builds the bundle and publishes to the Gitea generic registry (+ release attachment on tags). - decky.yml: pnpm build -> store-layout zip -> registry (stable latest/ URL for Decky "install from URL"). docs: packaging/README + packaging/flatpak/README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 01:43:35 +02:00
enricobuehler	79217eb93d	feat(android): scaffold the native Android client (Rust-heavy JNI bridge) ... Rust-heavy client model (like punktfunk-client-linux): a new cdylib crate crates/punktfunk-android links punktfunk-core and exposes the JNI seam; Kotlin (clients/android) owns only the Android-framework surface. Kotlin can't import the C header the way Swift can, so the bridge is written in Rust to reuse the Linux client's orchestration rather than re-port it. - crates/punktfunk-android: JNI bridge — abiVersion/coreVersion native-link proof + session connect/close handle; plane pumps stubbed for M4 stage 1. - clients/android: Gradle project — :app (Compose) + :kit (Android library with a cargo-ndk Exec task -> jniLibs). AGP 9.2 / Gradle 9.4.1 / Kotlin 2.3.21 / Compose BOM 2026.05.01 / compileSdk 37 / targetSdk 36 / minSdk 31, shipping arm64-v8a + x86_64. Phone + TV (leanback) installable. README rewritten. - .gitea/workflows/android.yml: CI mirroring apple.yml on a Linux runner. - punktfunk-core: switch rcgen to the ring backend so the whole quic tree is aws-lc-free (smaller client .so, cmake-free cross-compile; a win for all targets). Validated on this box: :app:assembleDebug -> APK with both ABIs; emulator first-light renders the bridge linked (core ABI v2) with logcat confirmation; clippy -D warnings + cargo fmt clean; core tests green on the ring backend. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-15 01:38:35 +02:00
enricobuehler	abc057fbfe	fix(ci/apple): scope iOS/tvOS archive signing to the device SDK ... A global PROVISIONING_PROFILE_SPECIFIER on the xcodebuild command line is applied to every target in the graph, including the shared SwiftPM compiler- plugin macros (OnceMacro/SwizzlingMacro/AssociationMacro). Those build for the macOS host and reject a provisioning profile, so the iOS/tvOS device archives failed at build-description time with "<macro> does not support provisioning profiles". (The macOS archive is immune: its host-SDK macros carry CODE_SIGNING_ALLOWED=NO, so the global specifier is silently ignored there.) Move the signing settings into a generated -xcconfig and condition the profile + identity on the device SDK ([sdk=iphoneos*] / [sdk=appletvos*]). xcconfig conditionals are honored and a command-line -xcconfig outranks target settings, whereas a CLI "SETTING[sdk=..]=val" is mis-parsed — both verified via xcodebuild -showBuildSettings against the real project. The profile now lands on the app/framework slices only; the macosx-host macros get nothing. macOS App Store archive is unchanged (already green; installer cert now present on the runner). tvOS upload may still need tvOS on the App Store Connect record, but that step is continue-on-error. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 12:58:23 +02:00
enricobuehler	b140cd6837	feat(apple/macos): App Sandbox + entitlements, wire Mac App Store TestFlight ... The Mac App Store requires App Sandbox, which the macOS app didn't declare. App Sandbox is macOS-only (invalid on iOS/tvOS, fails upload validation), so the macOS target now uses a dedicated Config/Punktfunk-macOS.entitlements while iOS/tvOS keep the shared Config/Punktfunk.entitlements (unchanged). The single macOS app is sandboxed for BOTH channels — the Developer ID DMG is codesigned with the same file — so the local build equals what App Store users get. Entitlement set (verified against the code + Apple docs): - app-sandbox, network.client. - network.server: NOT optional despite the client being outbound-only — the sandbox gates the bind() syscall as network-bind, and quinn (quic.rs) + the raw-UDP plane (transport/udp.rs) both bind explicitly, so host->client datagrams never arrive without it (the classic QUIC-under-sandbox trap). - device.audio-input (mic uplink), device.bluetooth + device.usb (Xbox/DualSense controllers over BT/USB via GameController), keychain-access-groups (existing). Omitted: device.hid (undocumented), files.user-selected.* (no pickers), networking.multicast (Bonjour browse is exempt; requesting it breaks signing). CI (release.yml): add a macOS App Store archive+upload-to-TestFlight step mirroring the iOS lane (manual Apple Distribution signing + the 'Punktfunk macOS App Store Distribution' profile, app-store-connect/upload, installer-signed pkg), continue-on-error until the portal prereqs exist; point the Developer ID DMG codesign at the sandboxed entitlements. Docs (ci.md) + clients/apple README updated; the runner additionally needs the macOS platform on the App Store Connect record + the '3rd Party Mac Developer Installer' cert. Verified: signed Debug build embeds exactly the intended entitlements (codesign -d --entitlements), swift build green against the rebuilt xcframework. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 02:39:06 +02:00
enricobuehler	c7c08b2855	fix(ci/release): skip Swift macro/plugin validation in archives ... tvOS archive failed 'Macro AssociationMacro/SwizzlingMacro/OnceMacro must be enabled before it can be used' — Xcode 15+ requires interactive trust for SPM Swift macros (objc-runtime-tools, swift-once-macro via swiftui-navigation- transitions), which a headless build can't grant. Add -skipMacroValidation -skipPackagePluginValidation to all three archive commands so CI never hits the trust prompt. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 23:36:36 +00:00
enricobuehler	9c23ad5303	feat(ci/release): add tvOS TestFlight build + use renamed iOS profile ... tvOS is scaffolded (Punktfunk-tvOS target/scheme + build-xcframework BUILD_TVOS). Wire it: install nightly + rust-src (tier-3 -Zbuild-std), build the xcframework with BUILD_TVOS=1, and add a tvOS archive+export+upload step mirroring iOS (manual signing with the 'Punktfunk tvOS App Store Distribution' profile, since the App-Manager ASC key can't cloud-sign). Also point iOS at the renamed 'Punktfunk iOS App Store Distribution' profile. macOS App Store/TestFlight still pending (needs App Sandbox entitlements). Needs tvOS on the App Store Connect app record + the tvOS platform installed on the runner. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 23:23:01 +00:00
enricobuehler	5c1aa453c1	fix(ci/release): quit Xcode before iOS build so it can't prune the profile ... A running Xcode.app manages ~/Library/Developer/Xcode/UserData/Provisioning Profiles/ and deletes manually-installed (unrecognized) distribution profiles — which is why the App Store profile vanishes. Quit Xcode at the start of the iOS step so the manually-installed 'Punktfunk App Store Distribution' profile survives for manual signing; headless xcodebuild doesn't need the GUI app. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 22:02:44 +00:00
enricobuehler	53e3f1e4e6	fix(ci/release): iOS manual App Store signing (App-Manager key can't cloud-sign) ... macOS Developer ID + notarize + DMG now works with the clean login-keychain workflow. iOS export failed with 'Cloud signing permission error' — with -allowProvisioningUpdates Xcode forces cloud-managed signing, which the App-Manager-role ASC key can't authorize. Switch iOS to MANUAL signing with the local (valid) Apple Distribution identity + the 'Punktfunk App Store Distribution' provisioning profile; ASC key stays only for the upload. Profile must be installed via Xcode -> Accounts -> Download Manual Profiles. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 21:52:50 +00:00
enricobuehler	31b04a2ab8	refactor(ci/release): xcodebuild-native signing via login keychain ... The runner now runs as a user LaunchAgent in the logged-in Aqua session, so it uses the login keychain directly, where Developer ID Application + Apple Distribution are installed and VALID (the missing WWDR intermediate — the real root cause of the whole iOS saga — is now present). Delete all the throwaway- keychain / secret-cert-import / raw-keychain-plumbing / Xcode-quit / diagnostic machinery: macOS = archive-unsigned + a single Developer ID codesign + notarize/ DMG; iOS = standard xcodebuild archive + export with -allowProvisioningUpdates (automatic signing manages the App Store cert + profile). Only ASC_API_KEY_* secrets remain; DEVID_CERT_*/IOS_DIST_CERT_*/IOS_PROFILE_B64 no longer needed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 21:42:47 +00:00
enricobuehler	822988029c	diag(ci/release): sign iOS by identity hash + max-verbose codesign ... The throwaway-keychain codesign still fails 'unable to build chain to self-signed root / errSecInternalComponent' despite cert/chain/key all verifying. Sign by the Apple Distribution identity's SHA-1 hash (eliminates name-matching ambiguity, a known cause) and run codesign --verbose=4 + print valid/matching identities at sign time, to surface the exact failure on the next run. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 20:29:45 +00:00
enricobuehler	596c92f785	fix(ci/release): re-set key partition list + stage full chain before iOS codesign ... iOS codesign still failed with 'unable to build chain to self-signed root / errSecInternalComponent' after the keychain re-assert. verify-cert proves the chain is trusted, so this is the private-key ACL (errSecInternalComponent is classically that) and/or codesign not finding the chain certs in the identity's keychain. Right before the iOS codesign: re-run set-key-partition-list (re-grant codesign access to the key) and import the WWDR G3 intermediate + Apple Root CA into the throwaway keychain so the full leaf->WWDR->root chain is present there. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 20:22:27 +00:00
enricobuehler	ecfef43040	fix(ci/release): re-assert keychain before the iOS codesign ... The iOS archive SUCCEEDS now (raw-codesign path), but codesign failed with 'unable to build chain to self-signed root / errSecInternalComponent'. Cause: xcodebuild archive (run in the same step, just before codesign) resets the user keychain search list, so codesign can no longer find the WWDR intermediate that lives only in the throwaway keychain. The macOS sign avoids this by running in a separate step after its re-assert. Re-assert the search list + default keychain (and unlock, via KEYCHAIN_PASS now exported to GITHUB_ENV, masked) immediately before the iOS codesign. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 20:08:56 +00:00
enricobuehler	97d4300d50	feat(ci/release): iOS — raw codesign + altool upload (bypass xcodebuild) ... xcodebuild's signing-identity selection enforces an online revocation/OCSP check that excludes the freshly-minted Apple Distribution cert (find-identity -v drops it) even though verify-cert confirms it's valid and codesign signs with it fine. So sign iOS the same way as the macOS DMG: archive CODE_SIGNING_ALLOWED=NO, embed the profile, raw 'codesign --keychain' with the profile's entitlements (extracted via plutil), package the .ipa, and upload with 'xcrun altool --upload-app'. Drops the xcodebuild manual-signing path entirely — no profile-dir install, no Xcode-quit, no provisioning-profile discovery. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:53:14 +00:00
enricobuehler	b547b9d92f	fix(ci/release): quit Xcode.app so it stops pruning the iOS profile ... Root cause of 'No profile matching Punktfunk App Store Distribution': the GUI Xcode.app was running on the runner and actively manages ~/Library/Developer/Xcode/UserData/Provisioning Profiles, pruning our manually-installed App Store profile from the exact dir xcodebuild reads, right before signing (the legacy ~/Library/MobileDevice copy survives but Xcode 26's xcodebuild doesn't read it). Quit Xcode.app at the top of the iOS signing block; xcodebuild runs independently and headless CI doesn't need the GUI app. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:25:33 +00:00
enricobuehler	ec617f9c6b	bench(ci): report-only regression harness — Tier-1/2 in CI + Tier-3 GPU runner ... - scripts/bench/compare.py: diff criterion medians (target/criterion/**/estimates.json) vs a committed baseline, print a markdown table to the job summary, flag >threshold regressions, always exit 0 (shared CI hardware is too noisy to gate on). --update rewrites the baseline. - ci.yml `bench` job: runs Tier-1 (criterion) + Tier-2 (loss-harness FEC recovery) GPU-free in the rust-ci container, then compare.py — report-only visibility per push/PR. - scripts/bench/gpu-stream.sh + bench-gpu.yml: Tier-3 real pipeline (virtual output → zero-copy → NVENC → punktfunk/1 → reassemble) on a self-hosted GPU runner; captures encode_us/tx_mbps/ send_dropped + client capture→reassembled latency, compares to gpu-baseline.json (20% threshold). Needs the dev box registered as a `[self-hosted, gpu]` act_runner (one-time, see the workflow header) — the dedicated hardware makes its absolute baseline meaningful, unlike shared CI. - baseline.json: dev-box Tier-1 numbers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:24:52 +00:00
enricobuehler	2976daf2e3	diag(ci/release): dump provisioning-profile dirs around the iOS archive ... iOS manual signing fails 'No profile matching Punktfunk App Store Distribution' despite the profile being installed (content verified: right name/team/iOS/app-id). The profile is in ~/Library/MobileDevice but Xcode 26 reads ~/Library/Developer/Xcode/UserData/Provisioning Profiles, which is empty. Print both dirs before the archive and again at failure to confirm whether Xcode regenerates/prunes the UserData copy during the build. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:23:16 +00:00
enricobuehler	46572b4a25	fix(ci/release): robust iOS provisioning-profile extraction + diagnostics ... The profile-name/UUID read used 'security cms -D ... || true' which masked a failed decode, then PlistBuddy printed 'Error Reading File' to stdout and that got captured as the UUID, producing a garbage cp path. Now: check the extracted plist is non-empty, fall back to 'openssl smime' if 'security cms' fails, validate the UUID is actually hex+dashes, and print the decoded byte count + decoder stderr + first bytes so a bad IOS_PROFILE_B64 is obvious in-log. Still non-fatal (skips iOS, never blocks the macOS release). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:05:35 +00:00
enricobuehler	0fc3012954	feat(ci/release): iOS App Store manual distribution signing + profile ... Automatic signing during the iOS archive resolved to App *Development* (wanted an Apple Development cert + tried to revoke the account's orphaned one, and no dev profile) — wrong for App Store. Switch to MANUAL distribution signing: import an App Store provisioning profile from IOS_PROFILE_B64, read its Name/UUID, install it, and archive with CODE_SIGN_STYLE=Manual + Apple Distribution + that profile; export with manual signingStyle + provisioningProfiles map. Step self-skips until IOS_PROFILE_B64 is set. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 17:09:46 +00:00
enricobuehler	6aa57ffd7b	fix(ci/release): gate iOS signing on matching identity, not find-identity -v ... The Apple Distribution identity has its key + intermediate + valid dates (it's in 'Matching identities') but stayed out of 'Valid identities only' — a trust strictness (most likely a pending online revocation check on an hour-old cert) that codesign/xcodebuild do NOT enforce. Gate the iOS step on the MATCHING list so the archive actually attempts signing, and print 'security verify-cert -p codeSign' in the import step so the exact trust verdict shows if it still balks. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 16:30:57 +00:00
enricobuehler	eb5d282936	fix(ci/release): retry Apple intermediate fetch + chain/clock diagnostic ... The iOS Apple Distribution identity imported WITH its private key (it's a 'Matching identity') but was dropped from find-identity -v — i.e. an untrusted chain: the WWDR G3 intermediate it chains through didn't land, while Developer ID's DeveloperIDG2CA did. The fetch was a single 'curl || warn' with no retry, so a transient miss silently breaks iOS only. Retry each intermediate 3x, and print the runner UTC date + whether the WWDR intermediate is present, to separate a chain miss from the cert's notBefore being ahead of the runner clock. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 16:22:32 +00:00