docs(host): prove unsafe blocks in the Windows + cross-platform files + gate them (unsafe-proof program 3/N)

Continues the unsafe-proof program across the Windows/cross-platform host files
(~75 blocks, 21 files), each with a SAFETY proof of the real invariant and a
per-file #![deny(clippy::undocumented_unsafe_blocks)] gate:

  capture/windows: dxgi.rs, wgc_relay.rs, wgc.rs, desktop_watch.rs, composed_flip.rs
                   (windows-rs COM: interface validity, same-D3D11-device textures,
                    immediate-context single-thread, borrowed args outlive the call)
  windows: service.rs (SCM/token/CreateProcessAsUserW/event handles — OwnedHandle
           liveness, no double-close/signal race), win_display, wgc_helper, interactive
  vdisplay/windows: manager.rs, pf_vdisplay.rs (SwDeviceCreate/IddCx/ioctl handle
                    liveness via the OnceLock VDM singleton + OwnedHandle)
  encode/windows: ffmpeg_win.rs (full AVBufferRef refcount audit — balanced, NO leaks,
                  unlike the vaapi sibling), sw.rs
  cross-platform: gamestream/audio.rs (libopus), gamestream/stream.rs (sendmmsg),
                  inject/windows/sendinput.rs, audio/windows/wasapi_mic.rs,
                  session_tuning.rs, vdisplay.rs

Two findings (handled separately):
- wgc_relay.rs `unsafe impl Sync for HelperRelay` is UNSOUND (its mpsc Receiver is
  !Sync) though not live-exploited — marked SUSPECT inline; fix pending box check
  (it touches the in-flight punktfunk1.rs).
- capture.rs / encode.rs (PARENT modules of the WIP idd_push.rs / nvenc.rs) do NOT
  get the file deny yet — it would propagate the lint into the undocumented WIP
  children. The deny lands there once those are documented (after the WIP commits).

Linux-visible parts verified green (cargo clippy -p punktfunk-host --all-targets
-- -D warnings). The cfg(windows) deny gates are box-verified next.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-host/src/vdisplay/windows/pf_vdisplay.rs

@@ -14,6 +14,9 @@
 //! target id, so the CCD/DXGI code works unchanged). Only the driver-specific bits (GUID, IOCTL codes,
 //! request/reply structs, the version handshake) differ, per `pf_driver_proto`.
 
+// Every `unsafe` block in this file carries a `// SAFETY:` proof; enforce it (unsafe-proof program).
+#![deny(clippy::undocumented_unsafe_blocks)]
+
 use std::ffi::c_void;
 use std::mem::size_of;
 use std::os::windows::io::{FromRawHandle, OwnedHandle};
@@ -144,15 +147,26 @@ impl VdisplayDriver for PfVdisplayDriver {
     }
 
     unsafe fn open(&self) -> Result<(OwnedHandle, u32)> {
+        // SAFETY: `open_device` is `unsafe` only because it issues SetupAPI enumeration + `CreateFileW`
+        // FFI; it takes no arguments and returns an owned raw `HANDLE` (or `Err`). Called here on the
+        // backend-init thread, with no precondition beyond a valid thread context.
         let device = unsafe { open_device()? };
         // HARD protocol-version check (unlike SudoVDA's best-effort log): a mismatched host/driver pair
         // fails loudly here rather than corrupting the IOCTL stream.
         let mut info_buf = [0u8; size_of::<control::InfoReply>()];
+        // SAFETY: `ioctl` requires `h` to be a valid device handle and its slices to be valid for the
+        // call. `device` is the live handle just returned by `open_device`. `IOCTL_GET_INFO` takes no
+        // input (`&[]`) and writes into `info_buf`, a stack `[u8; size_of::<InfoReply>()]` whose length
+        // is passed as the output size — so `DeviceIoControl` can't write OOB — and which outlives this
+        // synchronous call.
         unsafe { ioctl(device, control::IOCTL_GET_INFO, &[], &mut info_buf) }
             .context("pf-vdisplay IOCTL_GET_INFO (version handshake)")?;
         let info: control::InfoReply =
             bytemuck::pod_read_unaligned(&info_buf[..size_of::<control::InfoReply>()]);
         if info.protocol_version != pf_driver_proto::PROTOCOL_VERSION {
+            // SAFETY: `device` is the valid raw handle from `open_device` and has NOT yet been wrapped
+            // in an `OwnedHandle` (that happens only on the success path below), so this error path is
+            // the sole owner closing it exactly once — no double-close.
             unsafe {
                 let _ = CloseHandle(device);
             }
@@ -171,12 +185,19 @@ impl VdisplayDriver for PfVdisplayDriver {
         );
         // Reap monitors orphaned by a crashed previous host — a FIRST-CLASS op (driver returns SUCCESS).
         let mut none: [u8; 0] = [];
+        // SAFETY: `device` is the live handle from `open_device` (still owned here, before it is wrapped
+        // below). `IOCTL_CLEAR_ALL` has no input and no output: `&[]` and the empty `none` slice pass
+        // zero-length buffers, so nothing is read or written through them.
         if unsafe { ioctl(device, control::IOCTL_CLEAR_ALL, &[], &mut none) }.is_ok() {
             tracing::info!("cleared orphaned virtual monitors on host startup");
         } else {
             tracing::warn!("pf-vdisplay IOCTL_CLEAR_ALL failed on startup (continuing)");
         }
         Ok((
+            // SAFETY: `device` is the valid handle from `open_device`, still owned here and NOT closed
+            // on this success path (the error paths above close it and return). `from_raw_handle`'s
+            // contract — caller owns a valid handle — holds, so ownership transfers cleanly into the
+            // `OwnedHandle`: exactly one owner, which `CloseHandle`s it on drop.
             unsafe { OwnedHandle::from_raw_handle(device.0 as _) },
             watchdog_s,
         ))
@@ -199,6 +220,9 @@ impl VdisplayDriver for PfVdisplayDriver {
         // SET_RENDER_ADAPTER (opt-in; pf-vdisplay IMPLEMENTS it). Non-fatal on failure: the driver reports
         // its real render LUID in the shared header, so the host binds correctly even if this is ignored.
         if let Some(luid) = render_luid {
+            // SAFETY: `add_monitor`'s `# Safety` contract guarantees `dev` is the live control handle,
+            // which is `set_render_adapter`'s precondition; we forward it unchanged. `luid` is a plain
+            // `Copy` `LUID` passed by value — no borrow crosses the call.
             match unsafe { set_render_adapter(dev, luid) } {
                 Ok(()) => tracing::info!(
                     luid = format!("{:08x}:{:08x}", luid.HighPart, luid.LowPart),
@@ -210,6 +234,10 @@ impl VdisplayDriver for PfVdisplayDriver {
             }
         }
         let mut out = [0u8; size_of::<control::AddReply>()];
+        // SAFETY: per `add_monitor`'s contract `dev` is the live control handle. `bytemuck::bytes_of(&add)`
+        // borrows the local `AddRequest` (alive across this synchronous call) as the input bytes, and
+        // `out` is a stack `[u8; size_of::<AddReply>()]` whose length bounds the kernel's write — both
+        // buffers outlive the call.
         unsafe { ioctl(dev, control::IOCTL_ADD, bytemuck::bytes_of(&add), &mut out) }.with_context(
             || {
                 format!(
@@ -260,11 +288,16 @@ impl VdisplayDriver for PfVdisplayDriver {
             session_id: *session_id,
         };
         let mut none: [u8; 0] = [];
+        // SAFETY: per `remove_monitor`'s contract `dev` is the live control handle. `bytes_of(&req)`
+        // borrows the local `RemoveRequest` for the duration of this synchronous call as the input
+        // bytes; `none` is empty, so there is no output buffer.
         unsafe { ioctl(dev, control::IOCTL_REMOVE, bytemuck::bytes_of(&req), &mut none) }.map(|_| ())
     }
 
     unsafe fn ping(&self, dev: HANDLE) -> Result<()> {
         let mut none: [u8; 0] = [];
+        // SAFETY: per `ping`'s contract `dev` is the live control handle. `IOCTL_PING` has no input
+        // (`&[]`) and no output (`none` is empty), so no memory is read or written through the buffers.
         unsafe { ioctl(dev, control::IOCTL_PING, &[], &mut none) }.map(|_| ())
     }
 }
@@ -292,7 +325,11 @@ impl VirtualDisplay for PfVdisplayDisplay {
 
 /// Readiness probe: can we open the pf-vdisplay control device?
 pub fn probe() -> Result<()> {
+    // SAFETY: `open_device` is `unsafe` only for its SetupAPI + `CreateFileW` FFI; no arguments, returns
+    // an owned raw `HANDLE` (or `Err`).
     let h = unsafe { open_device()? };
+    // SAFETY: `h` is the handle just opened by `open_device` in this function, owned here and not yet
+    // handed anywhere else, so this closes it exactly once — no double-close, no use-after-close.
     unsafe {
         let _ = CloseHandle(h);
     }
@@ -301,6 +338,9 @@ pub fn probe() -> Result<()> {
 
 /// Is the pf-vdisplay driver present (device interface enumerable)?
 pub fn is_available() -> bool {
+    // SAFETY: `open_device` returns an owned raw `HANDLE`; on `Ok(h)` the handle is moved into the
+    // closure (sole owner) and closed exactly once via `CloseHandle`, on `Err` there is nothing to
+    // close — so no double-close and no leak of an opened handle. The `unsafe` covers both FFI calls.
     unsafe { open_device().map(|h| CloseHandle(h)).is_ok() }
 }