
wallpaper 1.2: signed-resident scaffold (caps re-mint pending) #158

Merged: senseix21 merged 9 commits into main from feature/wallpaper-1.2-signed, May 18, 2026

Conversation

@senseix21 (Collaborator)

wallpaper 1.2 — signed-resident scaffold (Plan A Option A, accurately scoped)

Converts the wallpaper kernel mirror from the unsigned CapsuleSpec +
capsule_spawn::spawn anti-pattern to the signed CapsuleSpecVerified +
spawn_verified + baked-trust-anchor pattern used by desktop_shell /
login / clipboard / image_codec.

Changes (9 commits, one per file)

  • src/userspace/capsule_wallpaper/embed.rs — embed signed cert + manifest
  • src/userspace/capsule_wallpaper/state.rs (new) — CapsuleState /
    shared_state, byte-identical to desktop_shell
  • src/userspace/capsule_wallpaper/spawn.rs — CapsuleSpecVerified +
    spawn_verified, reconciled to the signed Capsule.mk contract
    (wallpaper / port 4340); unsigned spawn path dropped
  • src/userspace/capsule_wallpaper/mod.rs — export shared_state
  • src/userspace/init/entry.rs — signed-resident boot() wiring; also fixes
    the latent || Some("display") Option<&str>-vs-CapsuleState type
    mismatch (same class as about)
  • 4 trust artifacts (wallpaper cert / manifest / 2 publisher pub keys)

launch.rs / seed.rs (the cross-subsystem one-shot proof harness) are
deliberately untouched — removing them is a separate owner decision.
Wallpaper is not added to the production microkernel-desktop-gui
bundle (see blocker below), so the kernel build stays green.

Verification

Kernel-API surface of spawn.rs is structurally identical to main's
already-compiled desktop_shell mirror; state.rs byte-identical. Userland
capsule_wallpaper crate unchanged.

Known blocker (owner / signing-ceremony — must resolve before going live)

The wallpaper signed manifest ceiling is 0x1919 =
CoreExec|IPC|Memory|Debug|GraphicsDisplayQuery|GraphicsSurfaceCreate. It
lacks GraphicsSurfaceMap (0x2000) + GraphicsPresent (0x4000) that
wallpaper's graphics round-trip (surface_map, surface_present_full)
requires. Promoting wallpaper into a live signed profile requires
re-minting the manifest with the broader caps (a signing-ceremony action
+ a caps-policy decision). This PR is the correct code scaffold; it is
intentionally not wired into a shipped profile until the re-mint lands.
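The blocker above is a capability-ceiling mismatch: the signed manifest caps what the capsule may hold, and the capsule's graphics round-trip needs two bits the manifest does not sign. The following is an added example (not code from this PR or the project) of a fail-closed admission check over such masks. It takes only the values the description quotes as given: the wallpaper ceiling 0x1919, GraphicsSurfaceMap = 0x2000 and GraphicsPresent = 0x4000. The bit positions of the six named capabilities that make up 0x1919 are not stated on the page, so they are reported numerically rather than by name; the function and type names are assumptions for illustration.

```rust
// Added example (not code from the PR or the project): a fail-closed check
// that a capsule's required capability mask fits under its signed-manifest
// ceiling, mirroring the blocker described in the PR description.
// Values taken from the PR: ceiling 0x1919, GraphicsSurfaceMap = 0x2000,
// GraphicsPresent = 0x4000. Other bit-to-name assignments are unknown here.

/// Capability bits whose values the PR states.
pub const GRAPHICS_SURFACE_MAP: u64 = 0x2000;
pub const GRAPHICS_PRESENT: u64 = 0x4000;

/// Signed-manifest ceiling for the wallpaper capsule, as quoted in the PR:
/// CoreExec|IPC|Memory|Debug|GraphicsDisplayQuery|GraphicsSurfaceCreate.
pub const WALLPAPER_MANIFEST_CEILING: u64 = 0x1919;

/// Names for the two bits the PR gives values for; any other set bit is
/// reported by its numeric value because the page does not assign names.
fn cap_name(bit: u64) -> String {
    match bit {
        GRAPHICS_SURFACE_MAP => "GraphicsSurfaceMap".to_string(),
        GRAPHICS_PRESENT => "GraphicsPresent".to_string(),
        other => format!("{:#06x}", other),
    }
}

/// Error returned when a spawn request asks for more than the manifest signs.
#[derive(Debug, PartialEq)]
pub struct CapsExceedCeiling {
    pub missing: u64,
    pub names: Vec<String>,
}

/// Fail-closed admission: the request is admitted only when it is a subset
/// of the ceiling. The mask is never silently intersected, because a capsule
/// launched with fewer caps than it needs would fail later at its first
/// surface_map / surface_present_full call instead of at spawn time, where
/// the policy violation is visible and attributable.
pub fn admit_caps(requested: u64, ceiling: u64) -> Result<u64, CapsExceedCeiling> {
    let missing = requested & !ceiling;
    if missing == 0 {
        return Ok(requested);
    }
    let names = (0..64)
        .map(|i| 1u64 << i)
        .filter(|bit| missing & bit != 0)
        .map(cap_name)
        .collect();
    Err(CapsExceedCeiling { missing, names })
}

/// What the wallpaper round-trip needs per the PR: everything the manifest
/// already signs plus the two graphics bits. This is the request that cannot
/// be admitted until the manifest is re-minted.
pub fn wallpaper_required_caps() -> u64 {
    WALLPAPER_MANIFEST_CEILING | GRAPHICS_SURFACE_MAP | GRAPHICS_PRESENT
}

fn main() {
    match admit_caps(wallpaper_required_caps(), WALLPAPER_MANIFEST_CEILING) {
        Ok(caps) => println!("admitted caps {:#x}", caps),
        Err(e) => println!("refused: missing {:#x} ({})", e.missing, e.names.join(", ")),
    }
    // A re-minted ceiling that includes both bits admits the same request.
    let reminted = WALLPAPER_MANIFEST_CEILING | GRAPHICS_SURFACE_MAP | GRAPHICS_PRESENT;
    assert_eq!(admit_caps(wallpaper_required_caps(), reminted), Ok(reminted));
}
```

Run as-is, the check refuses the current wallpaper request with missing = 0x6000 (GraphicsSurfaceMap, GraphicsPresent), which is exactly the gap the description attributes to the unsigned caps; the same request is admitted once the ceiling carries those two bits, i.e. after a re-mint.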

Copilot AI review requested due to automatic review settings May 18, 2026 10:27
@senseix21 senseix21 merged commit ad56f0c into main May 18, 2026
32 of 34 checks passed
Copilot AI (Contributor) left a comment


Pull request overview

Converts the wallpaper kernel mirror toward the signed capsule spawn flow used by other resident capsules, with lifecycle state and signed trust artifacts.

Changes:

  • Adds wallpaper lifecycle state and exports shared_state.
  • Embeds wallpaper cert/manifest bytes and switches spawn to CapsuleSpecVerified + spawn_verified.
  • Updates init boot wiring from display identity to wallpaper identity.

Reviewed changes

Copilot reviewed 5 out of 9 changed files in this pull request and generated 2 comments.

File                                       Description
src/userspace/init/entry.rs                Boots wallpaper under the wallpaper identity and lifecycle state.
src/userspace/capsule_wallpaper/state.rs   Adds shared lifecycle state for the wallpaper capsule.
src/userspace/capsule_wallpaper/spawn.rs   Replaces unsigned spawn with signed verified spawn.
src/userspace/capsule_wallpaper/mod.rs     Exports the new lifecycle state accessor.
src/userspace/capsule_wallpaper/embed.rs   Embeds wallpaper cert and manifest alongside the ELF.

| Capability::Memory.bit()
| Capability::Debug.bit()
| Capability::GraphicsDisplayQuery.bit()
| Capability::GraphicsSurfaceCreate.bit(),
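Review bot: the visible tail of this request mask (Memory, Debug, GraphicsDisplayQuery, GraphicsSurfaceCreate) lists the same capabilities as the 0x1919 manifest ceiling quoted in the description and, like it, omits GraphicsSurfaceMap (0x2000) and GraphicsPresent (0x4000), which the description says the capsule's surface_map / surface_present_full path needs. Add a comment next to this expression stating that the mask is deliberately held at the current signed ceiling and that the capsule's graphics calls will fail until the manifest is re-minted, so the mismatch is not mistaken for the intended final policy when someone later wires wallpaper into a shipped profile.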
Comment on lines +54 to +55
let pid = capsule_spawn::spawn_verified(&spec, &trust_anchor, None)?;
state::set_alive(pid);
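Review bot: the `?` on `spawn_verified` returns before `state::set_alive(pid)` runs, so a signature or policy failure leaves the lifecycle state untouched and callers of `shared_state` cannot distinguish "not spawned yet" from "spawn refused". Record the failure before propagating it (a log line, or whatever not-alive transition `state.rs` provides), and document which state the entry is in when `boot()` returns `Err`.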

2 participants