feat(host/windows): SDR-while-secure — drop SudoVDA out of HDR on Winlogon so DDA captures it

When the DDA-on-secure path is enabled (PUNKTFUNK_SECURE_DDA=1), the mux now
toggles the SudoVDA's advanced-color (HDR) state via the CCD API
(sudovda::set_advanced_color → DisplayConfigSetDeviceInfo +
DISPLAYCONFIG_SET_ADVANCED_COLOR_STATE): on entering the secure (Winlogon)
desktop it disables HDR so the lock/UAC renders SDR/composed (no fullscreen
independent-flip → DDA can duplicate it instead of storming ACCESS_LOST/black),
opens DDA fresh on the now-SDR output; on returning to normal it re-enables HDR
and rebuilds the helper so WGC re-detects the restored colorspace.

Also debounce the DesktopWatcher (publish a Default↔Winlogon change only after it
is stable ~80ms) so transient flaps during the transition don't thrash the mux.

Default (no flag) is unchanged: WGC stays live through a lock, no DDA switch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-host/src/capture/desktop_watch.rs

@@ -45,24 +45,36 @@ impl DesktopWatcher {
         let _ = std::thread::Builder::new()
             .name("desktop-watch".into())
             .spawn(move || {
-                let mut last = initial;
+                // Debounce: only publish a change after the raw reading has been stable for several
+                // polls. The input desktop flaps Default↔Winlogon transiently during a lock/UAC
+                // transition; publishing every flap makes the capture mux thrash (rebuild storms).
+                const STABLE_POLLS: u32 = 4; // ~80ms
+                let mut published = initial;
+                let mut candidate = initial;
+                let mut stable = 0u32;
                 while !st.load(Ordering::Relaxed) {
                     let v = if unsafe { is_secure_desktop() } {
                         DESKTOP_SECURE
                     } else {
                         DESKTOP_NORMAL
                     };
-                    s.store(v, Ordering::Release);
-                    if v != last {
+                    if v == candidate {
+                        stable = stable.saturating_add(1);
+                    } else {
+                        candidate = v;
+                        stable = 1;
+                    }
+                    if stable >= STABLE_POLLS && candidate != published {
+                        s.store(candidate, Ordering::Release);
+                        published = candidate;
                         tracing::info!(
-                            desktop = if v == DESKTOP_SECURE {
+                            desktop = if candidate == DESKTOP_SECURE {
                                 "Winlogon(secure)"
                             } else {
                                 "Default"
                             },
-                            "input desktop changed"
+                            "input desktop changed (debounced)"
                         );
-                        last = v;
                     }
                     std::thread::sleep(Duration::from_millis(20));
                 }