Files
punktfunk/scripts/windows/host.env.example
T
enricobuehler 0da9d8ec10 fix(windows): IDD-push audit highs — keyed-mutex timeout, two per-frame leaks, IDD_PUSH knob, pooled-device threading
Five verified findings from the IDD-push/pf-vdisplay deep audit:

- Keyed-mutex acquire (BOTH endpoints): AcquireSync returns WAIT_TIMEOUT
  (0x102) / WAIT_ABANDONED (0x80) as SUCCESS-severity HRESULTs, which the
  windows-rs Result wrapper erases — a busy slot read as "acquired", so
  driver and host could race the same ring texture (torn frames) and the
  designed busy-skip backpressure was dead code. Both sides now classify
  the raw vtable HRESULT; WAIT_ABANDONED counts as acquired (ownership
  transfers — refusing it would wedge the slot forever).
- Host SDR hot path leaked one ID3D11VideoProcessorInputView per converted
  frame: the D3D11_VIDEO_PROCESSOR_STREAM ManuallyDrop field suppressed the
  release after VideoProcessorBlt. Released by hand now, success or not.
- Driver leaked IddCx's per-acquire surface reference (from_raw_borrowed on
  a TRANSFERRED reference — the MS sample Attach/Reset's it): the swap-chain
  surface set survived swap-chain destruction, the likely true root cause of
  the ~50 MB-per-reconnect VRAM loss that device pooling only mitigated.
  Now adopted via from_raw (publisher or not) and dropped pre-Finished.
- PUNKTFUNK_IDD_PUSH removed: capture is unconditionally IDD-push, but the
  vdisplay manager still gated the lingering-monitor preempt (and render
  pin) on the knob, whose default was OFF — dev/CLI runs reused a lingering
  monitor whose IddCx swap-chain is dead (black reconnect). The preempt and
  the render-GPU pin are now unconditional; host.env comments no longer
  promise the removed DDA/WGC fallback.
- Driver D3D device: dropped D3D11_CREATE_DEVICE_SINGLETHREADED (unsound
  since DEVICE_POOL shares one device across processors) and the pooled
  immediate context is now SetMultithreadProtected — two concurrent
  monitors' workers otherwise race an unlocked context (UB in the UMD).

No wire-contract change (pf-driver-proto untouched); the driver fixes take
effect on the next pf-vdisplay redeploy.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 16:27:13 +00:00

50 lines
2.6 KiB
Bash

# punktfunk host configuration (Windows) — read by the `PunktfunkHost` service.
#
# `punktfunk-host service install` writes a default copy of this to
# %ProgramData%\punktfunk\host.env
# Edit that file (not this one) and restart the service to apply:
# punktfunk-host service stop
# punktfunk-host service start
#
# Format: KEY=VALUE per line; '#' starts a comment. The service loads these into its environment
# and passes PUNKTFUNK_* and RUST_LOG through to the host it launches into the active session.
# Hardware encode backend. `auto` (default) detects the GPU vendor: NVIDIA->nvenc (direct SDK),
# AMD->amf, Intel->qsv (both libavcodec). Force one with: nvenc | amf | qsv | sw (software H.264).
# nvenc needs the `--features nvenc` build; amf/qsv need the `--features amf-qsv` build (FFmpeg DLLs
# ship in the installer). The published installer is built with all three.
PUNKTFUNK_ENCODER=auto
# Video source: `virtual` creates a per-client virtual display at the client's exact resolution +
# refresh — the flagship mode. Requires the bundled pf-vdisplay indirect display driver installed.
PUNKTFUNK_VIDEO_SOURCE=virtual
# Virtual-display backend: the all-Rust pf-vdisplay IddCx driver the installer bundles is the only
# backend now (the legacy SudoVDA backend was removed). This is informational; leave it as `pf`.
PUNKTFUNK_VDISPLAY=pf
# Capture is IDD-push: straight from the pf-vdisplay driver's shared ring — zero-copy, includes the
# secure desktop. It is the SOLE capture path (DDA/WGC were removed; the former PUNKTFUNK_IDD_PUSH
# knob is gone — a stale setting is ignored).
# Capture the secure desktop (UAC / lock / login) so the stream survives those transitions.
PUNKTFUNK_SECURE_DDA=1
# Log level (info | debug | trace). Logs land in %ProgramData%\punktfunk\logs\.
RUST_LOG=info
# The host subcommand the service launches. Default: `serve --gamestream` (native punktfunk/1 host
# ALWAYS on + the GameStream/Moonlight-compat planes). Use `serve` for a SECURE native-only host
# (no plain-HTTP pairing / legacy GCM nonce reuse — security-review #5/#9). The installer's
# "Enable GameStream (Moonlight) compatibility" task sets this; a custom value you write here is
# never overwritten by a reinstall/upgrade.
#PUNKTFUNK_HOST_CMD=serve --gamestream
# Multi-GPU boxes only: force the NVENC/Desktop-Duplication GPU by Description substring. Leave
# unset on single-GPU machines (the default auto-picks the discrete adapter).
#PUNKTFUNK_RENDER_ADAPTER=4090
# Keep a per-client virtual display alive briefly after disconnect so a quick reconnect reuses it
# (no display connect/disconnect chime). Default 10000 ms.
#PUNKTFUNK_MONITOR_LINGER_MS=10000