fix: audit fixes — peek icon, blur limit, GResource compression, sync markers (v0.6.8)

- Enable peek icon on password entry (consistent with moongreet)
- Raise blur limit from 100 to 200 (consistent with moongreet/moonset)
- Add compressed="true" to GResource CSS/SVG entries
- Add SYNC comments to duplicated blur/background functions

CLAUDE.md

@@ -60,5 +60,5 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 - Root-Check: Exit mit Fehler wenn als root gestartet
 - Faillock: UI-Warnung nach 3 Fehlversuchen, aber PAM entscheidet über Lockout (Entry bleibt aktiv)
 - Kein Schließen per Escape/Alt-F4 — nur durch erfolgreiche PAM-Auth oder Fingerprint
-- Kein Peek-Icon am Passwortfeld (Shoulder-Surfing-Schutz)
+- Peek-Icon am Passwortfeld aktiv (UX-Entscheidung, konsistent mit moongreet)
 - GResource-Bundle: CSS/Assets in der Binary kompiliert

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.7"
+version = "0.6.8"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.7"
+version = "0.6.8"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"

DECISIONS.md

@@ -2,6 +2,13 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
+## 2026-03-31 – Fourth audit: peek icon, blur limit, GResource compression, sync markers
+
+- **Who**: Ragnar, Dom
+- **Why**: Fourth triple audit found blur limit inconsistency (moonlock 0–100 vs moongreet/moonset 0–200), missing GResource compression, peek icon inconsistency, and duplicated code without sync markers.
+- **Tradeoffs**: Peek icon enabled in lockscreen — user decision favoring UX consistency over shoulder-surfing protection. Acceptable for single-user desktop. Blur limit raised to 200 for ecosystem consistency.
+- **How**: (1) `show_peek_icon(true)` in lockscreen password entry. (2) `clamp(0.0, 200.0)` for blur in config.rs. (3) `compressed="true"` on CSS/SVG GResource entries. (4) SYNC comments on duplicated blur/background functions pointing to moongreet and moonset.
+
 ## 2026-03-30 – Third audit: blur offset, lock-before-IO, FP signal lifecycle, TOCTOU
 
 - **Who**: Nyx, Dom

resources/resources.gresource.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <gresources>
   <gresource prefix="/dev/moonarch/moonlock">
-    <file>style.css</file>
-    <file>default-avatar.svg</file>
+    <file compressed="true">style.css</file>
+    <file compressed="true">default-avatar.svg</file>
   </gresource>
 </gresources>

src/config.rs

@@ -52,7 +52,7 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
                 Ok(parsed) => {
                     if parsed.background_path.is_some() { merged.background_path = parsed.background_path; }
                     if let Some(blur) = parsed.background_blur {
-                        merged.background_blur = Some(blur.clamp(0.0, 100.0));
+                        merged.background_blur = Some(blur.clamp(0.0, 200.0));
                     }
                     if let Some(fp) = parsed.fingerprint_enabled { merged.fingerprint_enabled = fp; }
                 }

src/lockscreen.rs

@@ -137,7 +137,7 @@ pub fn create_lockscreen_window(
     // Password entry
     let password_entry = gtk::PasswordEntry::builder()
         .placeholder_text(strings.password_placeholder)
-        .show_peek_icon(false)
+        .show_peek_icon(true)
         .hexpand(true)
         .build();
     password_entry.add_css_class("password-entry");
@@ -566,6 +566,10 @@ fn create_background_picture(
 }
 
 /// Maximum texture dimension for blur input. Textures larger than this are
+// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
+// are duplicated in moongreet/src/greeter.rs and moonset/src/panel.rs.
+// Changes here must be mirrored to the other two projects.
+
 /// downscaled before blurring — the blur destroys detail anyway, so there is
 /// no visible quality loss, but GPU work is reduced significantly.
 const MAX_BLUR_DIMENSION: f32 = 1920.0;