fix: audit LOW fixes — docs, rustdoc, scope, debug gate, lto fat (v0.6.12)

- Update CLAUDE.md and README.md to reflect the blur range [0,200] that
  the code has clamped to since v0.6.8.
- Move the // SYNC: comment above the /// doc on MAX_BLUR_DIMENSION so
  rustdoc renders one coherent paragraph instead of a truncated sentence.
- Narrow check_account visibility to pub(crate) and document the caller
  precondition (username must come from users::get_current_user()).
- Gate MOONLOCK_DEBUG behind #[cfg(debug_assertions)]. Release builds
  always run at LevelFilter::Info so a session script cannot escalate
  journal verbosity to leak fprintd / D-Bus internals.
- Document why pam_setcred is deliberately not called in authenticate().
- Release profile: lto = "fat" instead of "thin" — doubles release build
  time for better cross-crate inlining on the auth + i18n hot paths.
2026-04-24 14:05:17 +02:00
parent 9dfd1829e9
commit 3e610bdb4b
8 changed files with 32 additions and 9 deletions
+12 -2
@@ -191,7 +191,12 @@ pub fn authenticate(username: &str, password: &str) -> bool {
return false;
}
// Safety: handle is valid and non-null after successful pam_start
// Safety: handle is valid and non-null after successful pam_start.
// Note: pam_setcred is intentionally NOT called here. A lockscreen unlocks
// an existing session whose credentials were already established at login;
// refreshing them would duplicate work done by the session's login manager.
// If per-unlock credential refresh (Kerberos tickets, pam_gnome_keyring)
// is ever desired, hook it here with PAM_ESTABLISH_CRED.
let auth_ret = unsafe { pam_authenticate(handle, 0) };
let acct_ret = if auth_ret == PAM_SUCCESS {
// Safety: handle is valid, check account restrictions
@@ -211,7 +216,12 @@ pub fn authenticate(username: &str, password: &str) -> bool {
/// Used after fingerprint unlock to enforce account policies (lockout, expiry)
/// that would otherwise be bypassed when not going through pam_authenticate.
/// Returns true if the account is valid and allowed to log in.
pub fn check_account(username: &str) -> bool {
///
/// **Precondition**: `username` must be the authenticated system user, derived
/// via `users::get_current_user()` (which reads `getuid()`). Calling this with
/// an attacker-controlled username is unsafe — `pam_acct_mgmt` returns SUCCESS
/// for any valid unlocked account, giving a trivial unlock bypass.
pub(crate) fn check_account(username: &str) -> bool {
let service = match CString::new("moonlock") {
Ok(c) => c,
Err(_) => return false,
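Review bot: The precondition added to check_account's doc comment is enforced only by convention: any caller inside the crate can still pass a name that did not come from `users::get_current_user()`, and per the doc the function then reports success for any valid unlocked account. Since the doc itself describes this as an unlock bypass, the check is worth making structural, for example by resolving the current user inside check_account, or by comparing the argument against it and returning false on a mismatch (the signature of `users::get_current_user()` is not visible here, so this is a direction rather than exact code). The word "unsafe" in the doc also reads as Rust's memory-safety term on a function that is not an `unsafe fn`; `/// Passing any other username is a security bug:` would avoid that ambiguity. check_account's body continues past the end of the hunk.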
+1 -1
@@ -592,11 +592,11 @@ fn create_background_picture(
background
}
/// Maximum texture dimension for blur input. Textures larger than this are
// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
// are duplicated in moongreet/src/greeter.rs and moonset/src/panel.rs.
// Changes here must be mirrored to the other two projects.
/// Maximum texture dimension for blur input. Textures larger than this are
/// downscaled before blurring — the blur destroys detail anyway, so there is
/// no visible quality loss, but GPU work is reduced significantly.
const MAX_BLUR_DIMENSION: f32 = 1920.0;
+6
@@ -250,11 +250,17 @@ fn setup_logging() {
eprintln!("Failed to create journal logger: {e}");
}
}
// Debug level is only selectable in debug builds. Release binaries ignore
// MOONLOCK_DEBUG so a session script cannot escalate log verbosity to leak
// fprintd / D-Bus internals into the journal.
#[cfg(debug_assertions)]
let level = if std::env::var("MOONLOCK_DEBUG").is_ok() {
log::LevelFilter::Debug
} else {
log::LevelFilter::Info
};
#[cfg(not(debug_assertions))]
let level = log::LevelFilter::Info;
log::set_max_level(level);
}
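Review bot: The gate in setup_logging keys on `debug_assertions`, which is a profile setting rather than a synonym for "release build": any profile that sets `debug-assertions = true`, or a package built from the dev profile, brings the MOONLOCK_DEBUG switch back. The level is also applied only at runtime through `log::set_max_level`, so the debug call sites stay compiled into the shipped binary. If the manifest does not already do so, enabling the `log` crate's `release_max_level_info` feature would strip them at compile time, and the comment could state the dependency explicitly, e.g. `// Gated on debug_assertions, not the profile name; keep debug-assertions off in every shipped profile.` Separately, `std::env::var("MOONLOCK_DEBUG").is_ok()` treats a non-Unicode value as unset; `std::env::var_os("MOONLOCK_DEBUG").is_some()` is the plain presence test.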