CLAUDE.md

@@ -60,5 +60,5 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 - Root-Check: Exit mit Fehler wenn als root gestartet
 - Faillock: UI-Warnung nach 3 Fehlversuchen, aber PAM entscheidet über Lockout (Entry bleibt aktiv)
 - Kein Schließen per Escape/Alt-F4 — nur durch erfolgreiche PAM-Auth oder Fingerprint
-- Peek-Icon am Passwortfeld aktiv (UX-Entscheidung, konsistent mit moongreet)
+- Kein Peek-Icon am Passwortfeld (Shoulder-Surfing-Schutz)
 - GResource-Bundle: CSS/Assets in der Binary kompiliert

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.8"
+version = "0.6.7"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.8"
+version = "0.6.7"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"

DECISIONS.md

@@ -2,13 +2,6 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
-## 2026-03-31 – Fourth audit: peek icon, blur limit, GResource compression, sync markers
-
-- **Who**: Ragnar, Dom
-- **Why**: Fourth triple audit found blur limit inconsistency (moonlock 0–100 vs moongreet/moonset 0–200), missing GResource compression, peek icon inconsistency, and duplicated code without sync markers.
-- **Tradeoffs**: Peek icon enabled in lockscreen — user decision favoring UX consistency over shoulder-surfing protection. Acceptable for single-user desktop. Blur limit raised to 200 for ecosystem consistency.
-- **How**: (1) `show_peek_icon(true)` in lockscreen password entry. (2) `clamp(0.0, 200.0)` for blur in config.rs. (3) `compressed="true"` on CSS/SVG GResource entries. (4) SYNC comments on duplicated blur/background functions pointing to moongreet and moonset.
-
 ## 2026-03-30 – Third audit: blur offset, lock-before-IO, FP signal lifecycle, TOCTOU
 
 - **Who**: Nyx, Dom

README.md

@@ -5,17 +5,14 @@ Part of the Moonarch ecosystem.
 
 ## Features
 
-- **ext-session-lock-v1** — Protocol-guaranteed screen locking (compositor keeps screen locked on crash, `exit(1)` in release if unsupported)
+- **ext-session-lock-v1** — Protocol-guaranteed screen locking (compositor keeps screen locked on crash)
-- **PAM authentication** — Uses system PAM stack (`/etc/pam.d/moonlock`) with 30s timeout and generation counter
+- **PAM authentication** — Uses system PAM stack (`/etc/pam.d/moonlock`)
-- **Fingerprint unlock** — fprintd D-Bus integration with sender validation, async init (window appears instantly), `pam_acct_mgmt` check after verify, auto-resume on transient errors
+- **Fingerprint unlock** — fprintd D-Bus integration, async init (optional, window appears instantly)
-- **Multi-monitor** — Lockscreen on every monitor with shared blur and avatar caches
+- **Multi-monitor** — Lockscreen on every monitor, single shared fingerprint listener
-- **GPU blur** — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–100)
 - **i18n** — German and English (auto-detected)
-- **Faillock warning** — Progressive UI warning after failed attempts, PAM decides lockout
+- **Faillock warning** — UI counter + system pam_faillock
-- **Panic safety** — Panic hook logs but never unlocks (installed before logging)
+- **Panic safety** — Panic hook logs but never unlocks
-- **Password wiping** — `Zeroize` on drop from GTK entry through PAM FFI layer
+- **Password wiping** — Zeroize on drop
-- **Journal logging** — `journalctl -t moonlock`, debug level via `MOONLOCK_DEBUG` env var
-- **Lock-first architecture** — Wallpaper loaded after `lock()` so disk I/O never delays lock acquisition
 
 ## Requirements
 
@@ -49,7 +46,6 @@ Create `/etc/moonlock/moonlock.toml` or `~/.config/moonlock/moonlock.toml`:
 
 ```toml
 background_path = "/usr/share/wallpapers/moon.jpg"
-background_blur = 40.0    # 0.0–100.0, optional
 fingerprint_enabled = true
 ```
 

build.rs

@@ -1,5 +1,5 @@
 // ABOUTME: Build script for compiling GResource bundle.
-// ABOUTME: Bundles style.css and default-avatar.svg into the binary.
+// ABOUTME: Bundles style.css, wallpaper.jpg, and default-avatar.svg into the binary.
 
 fn main() {
     glib_build_tools::compile_resources(

resources/resources.gresource.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <gresources>
   <gresource prefix="/dev/moonarch/moonlock">
-    <file compressed="true">style.css</file>
+    <file>style.css</file>
-    <file compressed="true">default-avatar.svg</file>
+    <file>default-avatar.svg</file>
   </gresource>
 </gresources>

src/config.rs

@@ -52,7 +52,7 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
                 Ok(parsed) => {
                     if parsed.background_path.is_some() { merged.background_path = parsed.background_path; }
                     if let Some(blur) = parsed.background_blur {
-                        merged.background_blur = Some(blur.clamp(0.0, 200.0));
+                        merged.background_blur = Some(blur.clamp(0.0, 100.0));
                     }
                     if let Some(fp) = parsed.fingerprint_enabled { merged.fingerprint_enabled = fp; }
                 }

src/lockscreen.rs

@@ -137,7 +137,7 @@ pub fn create_lockscreen_window(
     // Password entry
     let password_entry = gtk::PasswordEntry::builder()
         .placeholder_text(strings.password_placeholder)
-        .show_peek_icon(true)
+        .show_peek_icon(false)
         .hexpand(true)
         .build();
     password_entry.add_css_class("password-entry");
@@ -566,10 +566,6 @@ fn create_background_picture(
 }
 
 /// Maximum texture dimension for blur input. Textures larger than this are
-// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
-// are duplicated in moongreet/src/greeter.rs and moonset/src/panel.rs.
-// Changes here must be mirrored to the other two projects.
-
 /// downscaled before blurring — the blur destroys detail anyway, so there is
 /// no visible quality loss, but GPU work is reduced significantly.
 const MAX_BLUR_DIMENSION: f32 = 1920.0;