refactor(windows-drivers): STEP 8 (1/n) — unsafe-reduction pass (per-site // SAFETY)

Audit pass over the new pf-vdisplay driver's unsafe surface: 92 per-site // SAFETY comments added
across adapter.rs / monitor.rs / entry.rs / callbacks.rs / swap_chain_processor.rs /
frame_transport.rs / direct_3d_device.rs (control.rs already had full coverage). COMMENTS ONLY — zero
logic, signature, or control-flow change (verified via git diff: every added line is a // SAFETY
comment or blank).

The dominant gap was the pervasive `core::mem::zeroed()` FFI-struct builds (IDDCX_*/WDF_*/
DISPLAYCONFIG_* C PODs whose all-zero bit pattern is a valid uninitialized/Invalid state, with the
required .Size/fields set immediately after) — each now carries a one-line // SAFETY. Plus explicit
notes on the two stack/local-pointer-into-FFI hazards (adapter.rs `version` ptr into
IddCxAdapterInitAsync; monitor.rs `edid` Vec ptr into IddCxMonitorCreate — both read synchronously
before the local drops) and the frame_transport.rs raw-HANDLE / mapped-header derefs + cleanup paths.
The already-justified Send/Sync wrappers (SendAdapter, CtxTypeInfo/DevCtxInfo, MonitorObject,
Sendable, FramePublisher) were audited — each already carried a // SAFETY. No site needed a code
change.

First slice of STEP 8 (the SudoVDA drop). Comments-only ⇒ build-neutral; windows-drivers.yml verifies
on the next runner build. Remaining STEP 8: re-vendor the installer's driver binary from the new
drivers/ tree (the shipping packaging/windows/pf-vdisplay/ binary is still built from the OLD oracle
tree with the SudoVDA-compat GUID — ABI-mismatched with the host's proto GUID), add an .inx to the
new tree, re-point scripts/README from vdisplay-driver/ to drivers/, flip the selector default to
pf-vdisplay, then delete the old oracle tree. Keep sudovda.rs (the runtime fallback + the
backend-neutral CCD helpers pf_vdisplay.rs reuses) and the WGC-relay/DDA secure path (the
secure-desktop gate is not yet passed on glass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/windows/drivers/pf-vdisplay/src/adapter.rs

@@ -66,6 +66,8 @@ pub fn init_adapter(device: WDFDEVICE) -> NTSTATUS {
     // Firmware/hardware version (telemetry). The oracle points BOTH at one IDDCX_ENDPOINT_VERSION.
     // `version` is a stack local read synchronously by IddCxAdapterInitAsync (same as the oracle). `.Size`
     // is `size_of` throughout — these are the IddCx 1.10 structs and the framework here is 1.10 (= upstream).
+    // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized IDDCX_ENDPOINT_VERSION;
+    // the required `.Size` (+ version fields) are set immediately below before the struct is used.
     let mut version: iddcx::IDDCX_ENDPOINT_VERSION = unsafe { core::mem::zeroed() };
     version.Size = core::mem::size_of::<iddcx::IDDCX_ENDPOINT_VERSION>() as u32;
     version.MajorVer = env!("CARGO_PKG_VERSION_MAJOR").parse().unwrap_or(0);
@@ -76,6 +78,8 @@ pub fn init_adapter(device: WDFDEVICE) -> NTSTATUS {
     // zeroed value is IDDCX_FEATURE_IMPLEMENTATION_UNINITIALIZED (0), which the framework's adapter Validate
     // rejects with INVALID_PARAMETER (ddivalidation.cpp:797) — set it to NONE (1) like upstream. THIS was
     // the on-glass adapter-init blocker.
+    // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized
+    // IDDCX_ENDPOINT_DIAGNOSTIC_INFO; the required `.Size` (+ the fields read by Validate) are set below.
     let mut diag: iddcx::IDDCX_ENDPOINT_DIAGNOSTIC_INFO = unsafe { core::mem::zeroed() };
     diag.Size = core::mem::size_of::<iddcx::IDDCX_ENDPOINT_DIAGNOSTIC_INFO>() as u32;
     diag.GammaSupport = iddcx::IDDCX_FEATURE_IMPLEMENTATION::IDDCX_FEATURE_IMPLEMENTATION_NONE;
@@ -83,9 +87,13 @@ pub fn init_adapter(device: WDFDEVICE) -> NTSTATUS {
     diag.pEndPointFriendlyName = wstr!("punktfunk Virtual Display Adapter");
     diag.pEndPointManufacturerName = wstr!("punktfunk");
     diag.pEndPointModelName = wstr!("Virtual Display");
+    // SAFETY: `version` is a stack local that outlives this `init_adapter` call; IddCxAdapterInitAsync
+    // (below) reads through these pointers SYNCHRONOUSLY, before `version` drops — the pointer never escapes.
     diag.pFirmwareVersion = (&raw mut version).cast();
     diag.pHardwareVersion = (&raw mut version).cast();
 
+    // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized IDDCX_ADAPTER_CAPS;
+    // the required `.Size` (+ flags/limits/diag) are set immediately below.
     let mut caps: iddcx::IDDCX_ADAPTER_CAPS = unsafe { core::mem::zeroed() };
     caps.Size = core::mem::size_of::<iddcx::IDDCX_ADAPTER_CAPS>() as u32;
     // STEP 7 (HDR): declare we can process FP16 (scRGB) desktop surfaces — this is what marks the virtual
@@ -101,6 +109,8 @@ pub fn init_adapter(device: WDFDEVICE) -> NTSTATUS {
 
     // The adapter WDF object's attributes: Size + Synchronization/Execution = InheritFromParent (NOT zeroed,
     // since zero = *Invalid*) + the adapter context type (STEP 4 stores adapter state here).
+    // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized WDF_OBJECT_ATTRIBUTES;
+    // the required `.Size` (+ execution/sync scope + context type) are set immediately below.
     let mut attr: wdk_sys::WDF_OBJECT_ATTRIBUTES = unsafe { core::mem::zeroed() };
     attr.Size = core::mem::size_of::<wdk_sys::WDF_OBJECT_ATTRIBUTES>() as u32;
     attr.ExecutionLevel = wdk_sys::_WDF_EXECUTION_LEVEL::WdfExecutionLevelInheritFromParent;
@@ -112,6 +122,8 @@ pub fn init_adapter(device: WDFDEVICE) -> NTSTATUS {
         pCaps: &raw mut caps,
         ObjectAttributes: &raw mut attr,
     };
+    // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized IDARG_OUT_ADAPTER_INIT
+    // (an out-param the framework fills).
     let mut out: iddcx::IDARG_OUT_ADAPTER_INIT = unsafe { core::mem::zeroed() };
     // SAFETY: `init`/`out` are valid local storage; IddCxAdapterInitAsync reads the caps synchronously
     // (the adapter object itself is delivered later via adapter_init_finished). Called once per device.