docs(windows-host): record the shared gamepad RAII reduction (e5c2b4e)

Goal 3 scorecard + §4 P2: the OwnedHandle/RAII rollout now covers the three
gamepad backends via the shared inject/windows/gamepad_raii.rs (Shm + SwDevice).
Scratched the IOCTL-dispatcher item (control.rs's read_input/write_output_complete
are already generic — would be churn, not reduction). The only remaining unsafe
reductions are the deliberately-left service.rs SCM-handler event smuggling and
the on-glass-gated KeyedMutexGuard hot-loop RAII.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/windows-host-rewrite.md

@@ -34,7 +34,7 @@ which kept the live-validated host working at every step. The driver, by contras
 |---|---|---|
 | **Goal 1** — clean, layered host architecture | ✅ **DONE** | `config.rs` (`HostConfig`), `session_plan.rs` (`SessionPlan`), `SessionContext`, `windows/`+`linux/` confinement (`38c68c3`), `VirtualDisplayManager` (§2.5), `EncoderCaps` (`0ccd0fe`) |
 | **Goal 2** — drop every trace of SudoVDA | ✅ **DONE** | reach-in decoupled (F1: `d638a93`/`e60cda3` → `win_adapter`/`win_display`), then the `sudovda.rs` backend + the dual-backend select **deleted** (this branch) — pf-vdisplay is the sole Windows virtual-display backend |
-| **Goal 3** — minimize `unsafe` + P0 lints | 🟡 **PARTIAL** | driver `deny(unsafe_op_in_unsafe_fn)` (`a755d6e`); **`OwnedHandle` RAII rollout** — `idd_push.rs` (`011607e`, also fixes a view leak) + `service.rs` child/job (`4c95ba7`), on top of `manager.rs`/`pf_vdisplay.rs`; **driver `pod_init!`** (`bf57704`, 27→1). Remaining: host-crate P0 lints (deferred — high churn, low value), the `service.rs` SCM-handler event smuggling, the driver IOCTL-dispatch / `KeyedMutexGuard` levers |
+| **Goal 3** — minimize `unsafe` + P0 lints | 🟡 **PARTIAL** | driver `deny(unsafe_op_in_unsafe_fn)` (`a755d6e`); **`OwnedHandle`/RAII rollout** — `idd_push.rs` (`011607e`, also a view-leak fix) + `service.rs` child/job (`4c95ba7`) + the 3 gamepad backends via shared `gamepad_raii.rs` (`e5c2b4e`), on top of `manager.rs`/`pf_vdisplay.rs`; **driver `pod_init!`** (`bf57704`, 27→1). Remaining: host-crate P0 lints (deferred — high churn, low value), the `service.rs` SCM-handler event smuggling, the on-glass-gated `KeyedMutexGuard` hot-loop RAII |
 | **M0** — proto ABI + driver toolchain + `/INTEGRITYCHECK` + `iddcx` | ✅ **DONE** | `pf-driver-proto`; vendored `windows-drivers-rs` 0.5.1; `clear-force-integrity.ps1`; CI-green |
 | **M1** — new IddCx driver, first light + HDR | ✅ **DONE (on-glass)** | STEP 0–8 (`d7a9fbf`…`cd59151`); HDR live ("Mac connects WITH HDR", `6399d28`) |
 | **M2** — IDD-push capture + NVENC, glass-to-glass | ✅ **DONE (on-glass)** | 5120×1440@240 HDR zero-copy; integrated into the host path |
@@ -226,18 +226,22 @@ These are expensive empirical wins; keep them intact when touching the code:
    `unsafe fn`s need an inner `unsafe {}`). Stage it **per-module, Linux-first** (item-level `#[deny]` on
    `linux/zerocopy/cuda.rs`/`egl.rs`, `encode/linux/vaapi.rs` — locally verifiable), then the Windows
    modules (CI-gated), then promote to crate-level. The driver already has the deny.
-5. **D2 — `OwnedHandle` rollout.** ✅ **mostly done** — `capture/windows/idd_push.rs` (`011607e`: a
+5. **D2 — `OwnedHandle` / RAII rollout.** ✅ **done** — `capture/windows/idd_push.rs` (`011607e`: a
    `MappedSection` RAII for the mapping handle **+** the leaked `MapViewOfFile` view, + `OwnedHandle` for the
-   event / ring-slot shared handles) and `windows/service.rs` (`4c95ba7`: the child process/thread + Job
-   handles, ~9 `CloseHandle` deleted). **Remaining:** the `service.rs` `AtomicIsize` STOP/SESSION events
-   (deliberately left — smuggled into the C SCM handler, a separate riskier redesign) and the gamepad shm
-   handles. `manager.rs`/`pf_vdisplay.rs` already used the pattern.
+   event / ring-slot shared handles); `windows/service.rs` (`4c95ba7`: the child process/thread + Job
+   handles, ~9 `CloseHandle` deleted); and the **three gamepad backends** (`e5c2b4e`: a shared
+   `inject/windows/gamepad_raii.rs` — `Shm` for the section+view, `SwDevice` for the devnode — replacing the
+   duplicated `create_shm_section` + three hand-written `Drop`s). **Remaining (deliberately left):** the
+   `service.rs` `AtomicIsize` STOP/SESSION events — smuggled into the C SCM handler, a separate riskier
+   redesign. `manager.rs`/`pf_vdisplay.rs` already used the pattern.
 6. **Driver unsafe levers** (the driver is already `deny`-clean with per-site SAFETY; these *reduce count*):
-   ✅ **`pod_init!` macro done** (`bf57704`, 27 `mem::zeroed` → 1). **Skipped `ThreadBound<T>`** — not a
-   clean win (each `unsafe impl Send` wraps a distinct type; consolidating churns every access for no real
-   safety gain over the per-struct `// SAFETY:`). **Remaining:** a generic IOCTL dispatch helper in
-   `control.rs`, and a `KeyedMutexGuard`/`AcquiredSurface` RAII for the frame-transport hot loop (needs an
-   on-glass latency check).
+   ✅ **`pod_init!` macro done** (`bf57704`, 27 `mem::zeroed` → 1). **Skipped `ThreadBound<T>`** — not a clean
+   win (each `unsafe impl Send` wraps a distinct type; consolidating churns every access for no real safety
+   gain over the per-struct `// SAFETY:`). **Scratched the IOCTL dispatcher** — `control.rs`'s
+   `read_input<T>`/`write_output_complete<T>` are already generic helpers with minimal, documented unsafe;
+   re-factoring would be churn, not reduction. **Remaining (on-glass-gated):** a `KeyedMutexGuard`/
+   `AcquiredSurface` RAII for the frame-transport hot loop — perf-sensitive, needs an on-glass latency check,
+   so held rather than rushed blind.
 7. **D1-host P0 lints — deferred (low value / high churn).** A crate-wide `#![deny(unsafe_op_in_unsafe_fn)]`
    produced 100+ FFI-wrap sites across the Linux modules; it *wraps* unsafe (discipline) rather than
    reducing it and doesn't improve stability, so it was deprioritized vs the `OwnedHandle`/RAII reductions