refactor(windows-drivers): STEP 8 (1/n) — unsafe-reduction pass (per-site // SAFETY)

Audit pass over the new pf-vdisplay driver's unsafe surface: 92 per-site // SAFETY comments added
across adapter.rs / monitor.rs / entry.rs / callbacks.rs / swap_chain_processor.rs /
frame_transport.rs / direct_3d_device.rs (control.rs already had full coverage). COMMENTS ONLY — zero
logic, signature, or control-flow change (verified via git diff: every added line is a // SAFETY
comment or blank).

The dominant gap was the pervasive `core::mem::zeroed()` FFI-struct builds (IDDCX_*/WDF_*/
DISPLAYCONFIG_* C PODs whose all-zero bit pattern is a valid uninitialized/Invalid state, with the
required .Size/fields set immediately after) — each now carries a one-line // SAFETY. Plus explicit
notes on the two stack/local-pointer-into-FFI hazards (adapter.rs `version` ptr into
IddCxAdapterInitAsync; monitor.rs `edid` Vec ptr into IddCxMonitorCreate — both read synchronously
before the local drops) and the frame_transport.rs raw-HANDLE / mapped-header derefs + cleanup paths.
The already-justified Send/Sync wrappers (SendAdapter, CtxTypeInfo/DevCtxInfo, MonitorObject,
Sendable, FramePublisher) were audited — each already carried a // SAFETY. No site needed a code
change.

First slice of STEP 8 (the SudoVDA drop). Comments-only ⇒ build-neutral; windows-drivers.yml verifies
on the next runner build. Remaining STEP 8: re-vendor the installer's driver binary from the new
drivers/ tree (the shipping packaging/windows/pf-vdisplay/ binary is still built from the OLD oracle
tree with the SudoVDA-compat GUID — ABI-mismatched with the host's proto GUID), add an .inx to the
new tree, re-point scripts/README from vdisplay-driver/ to drivers/, flip the selector default to
pf-vdisplay, then delete the old oracle tree. Keep sudovda.rs (the runtime fallback + the
backend-neutral CCD helpers pf_vdisplay.rs reuses) and the WGC-relay/DDA secure path (the
secure-desktop gate is not yet passed on glass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/windows/drivers/pf-vdisplay/src/swap_chain_processor.rs

@@ -112,6 +112,8 @@ impl SwapChainProcessor {
             // Service. It will intelligently prioritize the thread for improved throughput in high
             // CPU-load scenarios.
             let mut av_task = 0u32;
+            // SAFETY: `w!("Distribution")` is a 'static null-terminated UTF-16 task name; `av_task` is a
+            // valid local out-param. The returned handle is reverted with AvRevertMmThreadCharacteristics.
             let res = unsafe { AvSetMmThreadCharacteristicsW(w!("Distribution"), &mut av_task) };
             let Ok(av_handle) = res else {
                 dbglog!("[pf-vd] swap-chain: failed to prioritize thread: {res:?}");
@@ -141,6 +143,8 @@ impl SwapChainProcessor {
             }
 
             // Revert the thread to normal once it's done.
+            // SAFETY: `av_handle` is the live characteristics handle returned by AvSetMmThreadCharacteristicsW
+            // above, reverted exactly once here at thread exit.
             let res = unsafe { AvRevertMmThreadCharacteristics(av_handle) };
             if let Err(e) = res {
                 dbglog!("[pf-vd] swap-chain: failed to revert prioritized thread: {e:?}");
@@ -179,6 +183,8 @@ impl SwapChainProcessor {
             }
         };
         // Built zeroed + field-assigned (driver style) — robust against a bindgen field-set difference.
+        // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized
+        // IDARG_IN_SWAPCHAINSETDEVICE; the `pDevice` field is set immediately below.
         let mut set_device: IDARG_IN_SWAPCHAINSETDEVICE = unsafe { core::mem::zeroed() };
         set_device.pDevice = dxgi_device.as_raw().cast();
         let mut set_ok = false;
@@ -274,6 +280,8 @@ impl SwapChainProcessor {
             // the GPU surface (out.MetaData.pSurface) — STEP 6 publishes it into the shared ring in the
             // success branch below. Built zeroed + field-assigned (driver style) so a bindgen field-set
             // difference can't break a positional struct literal.
+            // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized
+            // IDARG_IN_RELEASEANDACQUIREBUFFER2; the required `.Size`/AcquireSystemMemoryBuffer are set below.
             let mut in_args: IDARG_IN_RELEASEANDACQUIREBUFFER2 = unsafe { core::mem::zeroed() };
             #[allow(clippy::cast_possible_truncation)]
             {
@@ -283,6 +291,8 @@ impl SwapChainProcessor {
             // `core::mem::zeroed()` (not `::default()`) — consistent with every other IddCx out-struct
             // in this driver, and robust whether or not bindgen derives `Default` for this type (its
             // `MetaData` field carries a raw `pSurface` pointer + union which can suppress the derive).
+            // SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized
+            // IDARG_OUT_RELEASEANDACQUIREBUFFER2 (an out-param the framework fills).
             let mut buffer: IDARG_OUT_RELEASEANDACQUIREBUFFER2 = unsafe { core::mem::zeroed() };
             // SAFETY: driver is loaded; `swap_chain` is valid; in/out point to valid local storage.
             let hr: NTSTATUS = unsafe {