feat(host/windows): DesktopWatcher (secure-desktop detection) — step 1 of the two-process build

Polls the input-desktop name (OpenInputDesktop + GetUserObjectInformationW(UOI_NAME)) on its own
thread → Default/Winlogon atomic; the authoritative normal-vs-secure signal for the capture mux +
input path (WTS notifications miss UAC). Not yet wired into the mux (needs the SYSTEM host + WGC
helper, steps 3-5 in docs/windows-secure-desktop.md). NOTE: detecting the secure desktop requires the
host to run as SYSTEM (a user-token process can't OpenInputDesktop the Winlogon desktop).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/punktfunk-host/src/capture.rs

@@ -320,6 +320,8 @@ pub fn capture_virtual_output(_vout: crate::vdisplay::VirtualOutput) -> Result<B
     anyhow::bail!("virtual-output capture requires Linux or Windows")
 }
 
+#[cfg(target_os = "windows")]
+pub mod desktop_watch;
 #[cfg(target_os = "windows")]
 pub mod dxgi;
 #[cfg(target_os = "linux")]

crates/punktfunk-host/src/capture/desktop_watch.rs

@@ -0,0 +1,113 @@
+//! Input-desktop watcher (Windows) — the authoritative "normal vs secure desktop" signal for the
+//! two-process secure-desktop design (docs/windows-secure-desktop.md).
+//!
+//! Windows switches the *input desktop* to "Winlogon" (the secure desktop) for UAC elevation, the
+//! lock screen and the login screen, and back to "Default" for the normal session. WGC captures only
+//! the normal desktop; DDA-as-SYSTEM captures the secure one. A dedicated thread polls the input
+//! desktop's NAME (WTS session notifications miss UAC entirely, so the name is the reliable signal)
+//! and publishes it as an atomic the capture mux + input path read.
+
+use std::sync::atomic::{AtomicBool, AtomicU8, Ordering};
+use std::sync::Arc;
+use std::time::Duration;
+use windows::Win32::Foundation::HANDLE;
+use windows::Win32::System::StationsAndDesktops::{
+    CloseDesktop, GetUserObjectInformationW, OpenInputDesktop, DESKTOP_ACCESS_FLAGS,
+    DESKTOP_CONTROL_FLAGS, UOI_NAME,
+};
+
+/// The normal interactive desktop ("Default") — WGC capture applies.
+pub const DESKTOP_NORMAL: u8 = 0;
+/// The secure desktop ("Winlogon": UAC / lock / login) — DDA-as-SYSTEM capture applies.
+pub const DESKTOP_SECURE: u8 = 1;
+
+/// Polls the input-desktop name on its own thread and publishes [`DESKTOP_NORMAL`]/[`DESKTOP_SECURE`].
+pub struct DesktopWatcher {
+    state: Arc<AtomicU8>,
+    stop: Arc<AtomicBool>,
+}
+
+impl DesktopWatcher {
+    pub fn start() -> Self {
+        let state = Arc::new(AtomicU8::new(DESKTOP_NORMAL));
+        let stop = Arc::new(AtomicBool::new(false));
+        let s = state.clone();
+        let st = stop.clone();
+        let _ = std::thread::Builder::new()
+            .name("desktop-watch".into())
+            .spawn(move || {
+                let mut last = u8::MAX;
+                while !st.load(Ordering::Relaxed) {
+                    let v = if unsafe { is_secure_desktop() } {
+                        DESKTOP_SECURE
+                    } else {
+                        DESKTOP_NORMAL
+                    };
+                    s.store(v, Ordering::Release);
+                    if v != last {
+                        tracing::info!(
+                            desktop = if v == DESKTOP_SECURE {
+                                "Winlogon(secure)"
+                            } else {
+                                "Default"
+                            },
+                            "input desktop changed"
+                        );
+                        last = v;
+                    }
+                    std::thread::sleep(Duration::from_millis(20));
+                }
+            });
+        DesktopWatcher { state, stop }
+    }
+
+    /// The shared atomic ([`DESKTOP_NORMAL`]/[`DESKTOP_SECURE`]) for the capture mux to read.
+    pub fn state(&self) -> Arc<AtomicU8> {
+        self.state.clone()
+    }
+
+    /// True when the secure (Winlogon) desktop is the input desktop right now.
+    pub fn is_secure(&self) -> bool {
+        self.state.load(Ordering::Acquire) == DESKTOP_SECURE
+    }
+}
+
+impl Drop for DesktopWatcher {
+    fn drop(&mut self) {
+        self.stop.store(true, Ordering::Relaxed);
+    }
+}
+
+/// True if the current input desktop is "Winlogon" (the secure desktop). Best-effort: if the desktop
+/// can't be opened or named, report not-secure (the safe default — keep WGC/normal capture).
+unsafe fn is_secure_desktop() -> bool {
+    let desk = match OpenInputDesktop(
+        DESKTOP_CONTROL_FLAGS(0),
+        false,
+        DESKTOP_ACCESS_FLAGS(DESKTOP_READOBJECTS),
+    ) {
+        Ok(d) => d,
+        Err(_) => return false,
+    };
+    let mut buf = [0u16; 64];
+    let mut needed = 0u32;
+    let ok = GetUserObjectInformationW(
+        HANDLE(desk.0),
+        UOI_NAME,
+        Some(buf.as_mut_ptr() as *mut _),
+        (buf.len() * 2) as u32,
+        Some(&mut needed),
+    )
+    .is_ok();
+    let _ = CloseDesktop(desk);
+    if !ok {
+        return false;
+    }
+    let name = String::from_utf16_lossy(&buf);
+    name.trim_end_matches('\u{0}')
+        .eq_ignore_ascii_case("Winlogon")
+}
+
+/// `DESKTOP_READOBJECTS` access right (the windows crate exposes it as a typed flag; we need the raw
+/// bit for `OpenInputDesktop`'s access mask).
+const DESKTOP_READOBJECTS: u32 = 0x0001;