refactor: power-confirm via PowerAction table (v0.6.14)

Align the power-confirm flow to moonset's ActionDef pattern, in lockstep
with moongreet: a PowerAction table + create_power_button factory replace
the two hand-wired reboot/shutdown handlers and the loose-param
show_power_confirm. Add an in-flight re-trigger guard
(power_box.set_sensitive(false)) and clear a stale error_label when
showing a new prompt.

CLAUDE.md

@@ -35,13 +35,13 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 
 ## Architektur
 
-- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>), check_account() für pam_acct_mgmt-Only-Checks nach Fingerprint-Unlock
+- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>)
 - `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() für sauberen D-Bus-Lifecycle, running_flag für Race-Safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() für Neustart nach transientem Fehler (mit failed_attempts-Reset und Signal-Handler-Cleanup)
 - `users.rs` — Aktuellen User via nix getuid, Avatar-Loading mit Symlink-Rejection
 - `power.rs` — Reboot/Shutdown via /usr/bin/systemctl
 - `i18n.rs` — Locale-Erkennung (OnceLock-cached) und String-Tabellen (DE/EN), faillock_warning mit konfigurierbarem max_attempts
-- `config.rs` — TOML-Config (background_path, background_blur clamped [0,100], fingerprint_enabled als Option<bool>) + Wallpaper-Fallback + Symlink-Rejection via symlink_metadata + Parse-Error-Logging
-- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Label/Start separat verdrahtet mit pam_acct_mgmt-Check und auto-resume, Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
+- `config.rs` — TOML-Config (background_path, background_blur clamped [0,200], fingerprint_enabled als Option<bool>) + Wallpaper-Fallback + Symlink-Rejection via symlink_metadata + Parse-Error-Logging
+- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Success ruft unlock_callback direkt (PAM-Stack ohne account-Modul, Lockout via auth-Pfad und MAX_FP_ATTEMPTS), Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
 - `main.rs` — Entry Point, Panic-Hook (vor Logging), Root-Check, ext-session-lock-v1 (Pflicht in Release), Monitor-Hotplug via `connect_monitor`-Signal (v1_2), shared Blur/Avatar-Caches in Rc, systemd-Journal-Logging, Debug-Level per `MOONLOCK_DEBUG` Env-Var, async fprintd-Init nach window.present()
 
 ## Sicherheit
@@ -52,7 +52,8 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 - PAM-Callback: msg_style-aware (Passwort nur bei PAM_PROMPT_ECHO_OFF), strdup-OOM-sicher, num_msg-Guard gegen negative Werte
 - fprintd: D-Bus Signal-Sender wird gegen fprintd's unique bus name validiert (Anti-Spoofing)
 - Passwort: Zeroizing<String> ab GTK-Entry-Extraktion, Zeroizing<CString> im PAM-FFI-Layer (bekannte Einschränkung: GLib-GString und strdup-Kopie in PAM werden nicht gezeroized — inhärente GTK/libc-Limitierung)
-- Fingerprint-Unlock: pam_acct_mgmt-Check nach verify-match erzwingt Account-Policies (Lockout, Ablauf), resume_async() startet FP bei transientem Fehler neu (mit failed_attempts-Reset und Signal-Handler-Cleanup)
+- Fingerprint-Unlock: ruft unlock_callback direkt nach verify-match (kein zusätzlicher PAM-acct-Check, weil PAM-Stack nur `auth include login` enthält — wie swaylock); FP-Lockout ist über MAX_FP_ATTEMPTS in fingerprint.rs umgesetzt
+- PAM-Stack: nur `auth include login` (Standard-Pattern wie swaylock/gtklock); kein `account`/`session`-Stack, weil Lockscreen keinen Session-Lifecycle managed und `pam_unix(account)` setuid root benötigt
 - Wallpaper wird vor lock() geladen — connect_monitor feuert während lock() und braucht die Textur; lokales JPEG-Laden ist schnell genug
 - PAM-Timeout: 30s Timeout verhindert permanentes Aussperren bei hängenden PAM-Modulen, Generation Counter verhindert Interferenz paralleler Auth-Versuche
 - Root-Check: Exit mit Fehler wenn als root gestartet

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.9"
+version = "0.6.14"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.10"
+version = "0.6.14"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"
@@ -30,4 +30,5 @@ glib-build-tools = "0.22"
 [profile.release]
 lto = "thin"
 codegen-units = 1
-strip = true
+strip = false
+debug = true

DECISIONS.md

@@ -2,6 +2,34 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
+## 2026-06-02 – Align power-confirm to moonset's ActionDef pattern (v0.6.14)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A code review of moongreet's power-confirm (ported from this file) flagged the shared pattern as lower-altitude than moonset's: two near-identical reboot/shutdown handlers and a `show_power_confirm` taking loose `message`/`action_fn`/`error_message` params that can drift apart. moonset already solved this with an `ActionDef` table + button factory. Changed here in lockstep with moongreet to keep the three projects symmetric.
+- **Tradeoffs**: A `PowerAction` struct + `power_actions()` table + `create_power_button` factory is slightly more machinery for two actions, but couples icon/prompt/error/action into one value (a mismatched prompt/action becomes unrepresentable) and makes a third action a one-line table entry. Did NOT touch `confirm_box: Rc<RefCell<Option<gtk::Box>>>` — moonset uses the same, it is the shared convention.
+- **How**: Replaced the two hand-wired handlers with a loop over `power_actions()`; `show_power_confirm`/`execute_power_action` now take `PowerAction` (Copy) instead of three loose strings. Added an in-flight re-trigger guard via `power_box.set_sensitive(false)` (re-enabled on failure), matching moonset; also clear a stale `error_label` when showing a new prompt.
+
+## 2026-05-04 – Drop PAM account/session stack, remove `check_account`, drop `pam_acct_mgmt` from password path (v0.6.13)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: 20 SIGSEGV coredumps in 6 days. All crashes preceded by `pam_unix(moonlock:account): setuid failed: Operation not permitted`. The previous PAM config (`auth/account/session include system-auth`) pulled `pam_unix(account)`, which needs setuid root for `/etc/shadow`. moonlock runs as the user, so `pam_acct_mgmt` always failed. The failure cascaded into the FP-resume path (`gio::spawn_blocking(check_account) → false → 2s timeout → resume_async`) where a use-after-free during `gtk_window_destroy` killed the process. Each crash left a dead `ext-session-lock-v1` client and the compositor stuck on its red fallback backdrop until manual recovery. Initial fix on 2026-04-30 dropped the FP-side `check_account` and the account/session lines from the PAM config, but left the `pam_acct_mgmt` call in `auth.rs::authenticate()` for the password path. Result: a PAM stack with no `account` module fell back to `/etc/pam.d/other` (`pam_deny`) and rejected every password — Dom got locked out on 2026-05-04.
+- **Tradeoffs**: Aligned with the swaylock/gtklock pattern (only `auth include login`). Lost: PAM-driven account expiry/lockout in both paths. Acceptable because (a) FP attempts are still bounded by `MAX_FP_ATTEMPTS` in `fingerprint.rs`, (b) password-path lockout still works through `pam_faillock.so preauth/authfail/authsucc` in the inherited `auth` stack, and (c) account validity was already verified by the login manager when the session was opened — a lockscreen unlocks an existing session, it does not gate access to a new one. Not chosen: a custom `account` stack with `pam_faillock.so` only — would have kept PAM-level FP lockout but adds a non-standard config that other lockers do not use, and `pam_faillock` standalone in `account` is rarely tested in the wild.
+- **How**: (1) `config/moonlock-pam` reduced to a single `auth include login` line. (2) `auth.rs::check_account()` and its two unit tests removed. (3) `auth.rs::authenticate()` no longer calls `pam_acct_mgmt`; `pam_authenticate` result is returned directly. The `pam_acct_mgmt` extern declaration is removed. (4) `lockscreen.rs::start_fingerprint` simplified — the `gio::spawn_blocking(check_account)` async block, the failure-side error UI, and the 2-second `resume_async` retry path all removed; on FP success the closure now goes `label.set_text(success); fp.stop(); cb()`. (5) `fingerprint.rs::resume_async()` removed. (6) `CLAUDE.md` architecture and security sections updated to describe the new PAM stack.
+
+## 2026-04-24 – Audit LOW fixes: docs, rustdoc, check_account scope, debug gating, lto fat (v0.6.12)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Six LOW findings cleared in a single pass. (1) Docs referenced the old `[0,100]` blur range; code clamps `[0,200]` since v0.6.8. (2) The `MAX_BLUR_DIMENSION` doc comment was split by a `// SYNC:` block, producing a truncated sentence in rustdoc. (3) `check_account` was `pub` and relied on callers only ever passing `getuid()`-derived usernames; the contract was not enforced by the type system. (4) `MOONLOCK_DEBUG` env var flipped log verbosity to Debug in release builds, letting a compromised session script escalate journal noise about fprintd / D-Bus. (5) `pam_setcred` absence was undocumented. (6) `[profile.release]` used `lto = "thin"` — fine for most crates, but for a latency-critical auth binary compiled once per release, fat LTO's extra cross-crate inlining is worth the ~1 min build hit.
+- **Tradeoffs**: `lto = "fat"` roughly doubles release build time (~30 s → ~60 s) for slightly better inlining across PAM FFI wrappers and the i18n/status paths. `#[cfg(debug_assertions)]` on the debug-level selector means you have to run a debug build to raise log level — inconvenient for live troubleshooting, but aligned with the security-first posture.
+- **How**: (1) `CLAUDE.md` + `README.md` updated to `[0,200]`. (2) `// SYNC:` block moved above the `///` doc so rustdoc renders one coherent paragraph. (3) `check_account` visibility narrowed to `pub(crate)` with a `Precondition` paragraph explaining the username contract. (4) Debug-level selection wrapped in `#[cfg(debug_assertions)]`; release builds always run at `LevelFilter::Info`. (5) Added a comment block in `authenticate()` documenting why `pam_setcred` is deliberately absent and where it would hook in if needed. (6) `lto = "fat"` in `Cargo.toml`.
+
+## 2026-04-24 – Audit MEDIUM fixes: D-Bus cleanup race, TOCTOU open, FP reset, GTK entry clear (v0.6.11)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Second round after the HIGH fixes, addressing the four MEDIUM findings. (1) `cleanup_dbus` spawned VerifyStop + Release as fire-and-forget, then `resume_async` called Claim after only a 2 s timeout — shorter than the 3 s D-Bus timeout, so on a slow bus the Claim could race the Release and fprintd would reject it, leaving the FP listener permanently dead. (2) `load_background_texture` relied on the caller's `symlink_metadata` check, re-opening the path via `gdk::Texture::from_file` — a classic TOCTOU window. (3) `resume_async` unconditionally reset `failed_attempts`, allowing an attacker with sensor control to evade the 10-attempt cap by cycling verify-match → `check_account` fail → resume. (4) The GTK `PasswordEntry` buffer was only cleared on timeout or auth failure, leaving the password in GLib malloc'd memory longer than necessary.
+- **Tradeoffs**: The D-Bus cleanup is now split into a synchronous helper (`take_cleanup_proxy` — signal disconnect + flag clear) and an async helper (`perform_dbus_cleanup` — VerifyStop + Release), so `resume_async` can await the release while `stop()` stays fire-and-forget. Dropping the `failed_attempts` reset means a flaky sensor could reach 10 failures faster, but the correct remedy is a new lock session (construction) rather than a reset that also helps attackers.
+- **How**: (1) Split `cleanup_dbus` into `take_cleanup_proxy()` (sync) + `perform_dbus_cleanup(proxy)` (async). `resume_async` now awaits `perform_dbus_cleanup` before `begin_verification`. `stop()` still spawns the cleanup fire-and-forget. (2) `load_background_texture` opens with `O_NOFOLLOW` via `std::fs::OpenOptions::custom_flags`, reads to bytes, and builds the texture via `gdk::Texture::from_bytes`. (3) Removed `listener.borrow_mut().failed_attempts = 0` from `resume_async`. (4) `password_entry.set_text("")` now fires right after the `Zeroizing::new(entry.text().to_string())` extraction, shortening the GTK-side window.
+
 ## 2026-04-24 – Audit fixes: RefCell borrow across await, async avatar decode
 
 - **Who**: ClaudeCode, Dom

README.md

@@ -9,7 +9,7 @@ Part of the Moonarch ecosystem.
 - **PAM authentication** — Uses system PAM stack (`/etc/pam.d/moonlock`) with 30s timeout and generation counter
 - **Fingerprint unlock** — fprintd D-Bus integration with sender validation, async init (window appears instantly), `pam_acct_mgmt` check after verify, auto-resume on transient errors
 - **Multi-monitor + hotplug** — Lockscreen on every monitor with shared blur and avatar caches; monitors added after suspend/resume get windows automatically via `connect_monitor` signal
-- **GPU blur** — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–100)
+- **GPU blur** — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–200)
 - **i18n** — German and English (auto-detected)
 - **Faillock warning** — Progressive UI warning after failed attempts, PAM decides lockout
 - **Panic safety** — Panic hook logs but never unlocks (installed before logging)
@@ -48,7 +48,7 @@ Create `/etc/moonlock/moonlock.toml` or `~/.config/moonlock/moonlock.toml`:
 
 ```toml
 background_path = "/usr/share/wallpapers/moon.jpg"
-background_blur = 40.0    # 0.0–100.0, optional
+background_blur = 40.0    # 0.0–200.0, optional
 fingerprint_enabled = true
 ```
 

config/moonlock-pam

@@ -1,4 +1,2 @@
 #%PAM-1.0
-auth		include		system-auth
-account		include		system-auth
-session		include		system-auth
+auth		include		login

src/auth.rs

@@ -54,8 +54,6 @@ unsafe extern "C" {
 
     fn pam_authenticate(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
 
-    fn pam_acct_mgmt(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
-
     fn pam_end(pamh: *mut libc::c_void, pam_status: libc::c_int) -> libc::c_int;
 }
 
@@ -191,64 +189,23 @@ pub fn authenticate(username: &str, password: &str) -> bool {
         return false;
     }
 
-    // Safety: handle is valid and non-null after successful pam_start
+    // Safety: handle is valid and non-null after successful pam_start.
+    // Note: pam_setcred is intentionally NOT called here. A lockscreen unlocks
+    // an existing session whose credentials were already established at login;
+    // refreshing them would duplicate work done by the session's login manager.
+    // If per-unlock credential refresh (Kerberos tickets, pam_gnome_keyring)
+    // is ever desired, hook it here with PAM_ESTABLISH_CRED.
+    //
+    // pam_acct_mgmt is intentionally NOT called: the PAM stack (`auth include
+    // login`) has no `account` module, and pam_unix(account) requires setuid
+    // root for /etc/shadow. Lockout/faillock and policy checks happen inside
+    // the inherited auth stack via pam_faillock. See DECISIONS.md 2026-04-30.
     let auth_ret = unsafe { pam_authenticate(handle, 0) };
-    let acct_ret = if auth_ret == PAM_SUCCESS {
-        // Safety: handle is valid, check account restrictions
-        unsafe { pam_acct_mgmt(handle, 0) }
-    } else {
-        auth_ret
-    };
 
     // Safety: handle is valid, pam_end cleans up the PAM session
-    unsafe { pam_end(handle, acct_ret) };
+    unsafe { pam_end(handle, auth_ret) };
 
-    acct_ret == PAM_SUCCESS
-}
-
-/// Check account restrictions via PAM without authentication.
-///
-/// Used after fingerprint unlock to enforce account policies (lockout, expiry)
-/// that would otherwise be bypassed when not going through pam_authenticate.
-/// Returns true if the account is valid and allowed to log in.
-pub fn check_account(username: &str) -> bool {
-    let service = match CString::new("moonlock") {
-        Ok(c) => c,
-        Err(_) => return false,
-    };
-
-    let username_cstr = match CString::new(username) {
-        Ok(c) => c,
-        Err(_) => return false,
-    };
-
-    // No password needed — we only check account status, not authenticate.
-    // PAM conv callback is required by pam_start but won't be called for acct_mgmt.
-    let empty_password = Zeroizing::new(CString::new("").unwrap());
-    let conv = PamConv {
-        conv: pam_conv_callback,
-        appdata_ptr: std::ptr::from_ref::<CString>(&empty_password) as *mut libc::c_void,
-    };
-
-    let mut handle: *mut libc::c_void = ptr::null_mut();
-
-    let ret = unsafe {
-        pam_start(
-            service.as_ptr(),
-            username_cstr.as_ptr(),
-            &conv,
-            &mut handle,
-        )
-    };
-
-    if ret != PAM_SUCCESS || handle.is_null() {
-        return false;
-    }
-
-    let acct_ret = unsafe { pam_acct_mgmt(handle, 0) };
-    unsafe { pam_end(handle, acct_ret) };
-
-    acct_ret == PAM_SUCCESS
+    auth_ret == PAM_SUCCESS
 }
 
 #[cfg(test)]
@@ -285,16 +242,4 @@ mod tests {
         let result = authenticate("", "password");
         assert!(!result);
     }
-
-    #[test]
-    fn check_account_empty_username_fails() {
-        let result = check_account("");
-        assert!(!result);
-    }
-
-    #[test]
-    fn check_account_null_byte_username_fails() {
-        let result = check_account("user\0name");
-        assert!(!result);
-    }
 }

src/fingerprint.rs

@@ -175,17 +175,6 @@ impl FingerprintListener {
         Self::begin_verification(listener, username).await;
     }
 
-    /// Resume fingerprint verification after a transient interruption (e.g. failed
-    /// PAM account check). Reuses previously stored callbacks. Re-claims the device
-    /// and restarts verification from scratch.
-    pub async fn resume_async(
-        listener: &Rc<RefCell<FingerprintListener>>,
-        username: &str,
-    ) {
-        listener.borrow_mut().failed_attempts = 0;
-        Self::begin_verification(listener, username).await;
-    }
-
     /// Claim device, start verification, and connect D-Bus signal handler.
     /// Assumes device_proxy is set and callbacks are already stored.
     async fn begin_verification(
@@ -352,26 +341,32 @@ impl FingerprintListener {
         }
     }
 
-    /// Disconnect the signal handler and send VerifyStop + Release to fprintd.
-    /// Signal disconnect is synchronous to prevent further callbacks.
-    /// D-Bus cleanup is fire-and-forget to avoid blocking the UI.
-    fn cleanup_dbus(&mut self) {
+    /// Disconnect the signal handler and clear running flags. Returns the proxy
+    /// the caller should use for the async D-Bus cleanup (VerifyStop + Release).
+    fn take_cleanup_proxy(&mut self) -> Option<gio::DBusProxy> {
         self.running = false;
         self.running_flag.set(false);
 
-        if let Some(ref proxy) = self.device_proxy {
-            if let Some(id) = self.signal_id.take() {
-                proxy.disconnect(id);
-            }
-            let proxy = proxy.clone();
-            glib::spawn_future_local(async move {
-                let _ = proxy
-                    .call_future("VerifyStop", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
-                    .await;
-                let _ = proxy
-                    .call_future("Release", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
-                    .await;
-            });
+        let proxy = self.device_proxy.clone()?;
+        if let Some(id) = self.signal_id.take() {
+            proxy.disconnect(id);
+        }
+        Some(proxy)
+    }
+
+    async fn perform_dbus_cleanup(proxy: gio::DBusProxy) {
+        let _ = proxy
+            .call_future("VerifyStop", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+            .await;
+        let _ = proxy
+            .call_future("Release", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+            .await;
+    }
+
+    /// Fire-and-forget cleanup for code paths that cannot await (e.g. drop, stop).
+    fn cleanup_dbus(&mut self) {
+        if let Some(proxy) = self.take_cleanup_proxy() {
+            glib::spawn_future_local(Self::perform_dbus_cleanup(proxy));
         }
     }
 

src/lockscreen.rs

@@ -170,55 +170,17 @@ pub fn create_lockscreen_window(
     power_box.set_margin_end(16);
     power_box.set_margin_bottom(16);
 
-    let reboot_btn = gtk::Button::new();
-    reboot_btn.set_icon_name("system-reboot-symbolic");
-    reboot_btn.add_css_class("power-button");
-    reboot_btn.set_tooltip_text(Some(strings.reboot_tooltip));
-    reboot_btn.connect_clicked(clone!(
-        #[weak]
-        confirm_area,
-        #[strong]
-        confirm_box,
-        #[weak]
-        error_label,
-        move |_| {
-            show_power_confirm(
-                strings.reboot_confirm,
-                power::reboot,
-                strings.reboot_failed,
-                strings,
-                &confirm_area,
-                &confirm_box,
-                &error_label,
-            );
-        }
-    ));
-    power_box.append(&reboot_btn);
-
-    let shutdown_btn = gtk::Button::new();
-    shutdown_btn.set_icon_name("system-shutdown-symbolic");
-    shutdown_btn.add_css_class("power-button");
-    shutdown_btn.set_tooltip_text(Some(strings.shutdown_tooltip));
-    shutdown_btn.connect_clicked(clone!(
-        #[weak]
-        confirm_area,
-        #[strong]
-        confirm_box,
-        #[weak]
-        error_label,
-        move |_| {
-            show_power_confirm(
-                strings.shutdown_confirm,
-                power::shutdown,
-                strings.shutdown_failed,
-                strings,
-                &confirm_area,
-                &confirm_box,
-                &error_label,
-            );
-        }
-    ));
-    power_box.append(&shutdown_btn);
+    for action in power_actions() {
+        let button = create_power_button(
+            action,
+            strings,
+            &power_box,
+            &confirm_area,
+            &confirm_box,
+            &error_label,
+        );
+        power_box.append(&button);
+    }
 
     overlay.add_overlay(&power_box);
 
@@ -244,6 +206,10 @@ pub fn create_lockscreen_window(
             if password.is_empty() {
                 return;
             }
+            // Clear the GTK entry's internal buffer as early as possible. GTK allocates
+            // the backing GString via libc malloc, which zeroize cannot reach — the
+            // best we can do is shorten the window during which it resides in memory.
+            entry.set_text("");
 
             entry.set_sensitive(false);
             let username = username.clone();
@@ -423,52 +389,16 @@ pub fn start_fingerprint(
     let unlock_cb_fp = handles.unlock_callback.clone();
 
     let fp_rc_success = fp_rc.clone();
-    let fp_username = handles.username.clone();
     let on_success = move || {
         let label = fp_label_success.clone();
         let cb = unlock_cb_fp.clone();
         let fp = fp_rc_success.clone();
-        let username = fp_username.clone();
         glib::idle_add_local_once(move || {
             let strings = load_strings(None);
             label.set_text(strings.fingerprint_success);
             label.add_css_class("success");
-            // stop() is idempotent — cleanup_dbus() already ran inside on_verify_status,
-            // but this mirrors the PAM success path for defense-in-depth.
             fp.borrow_mut().stop();
-
-            // Enforce PAM account policies (lockout, expiry) before unlocking.
-            // Fingerprint auth bypasses pam_authenticate, so we must explicitly
-            // check account restrictions via pam_acct_mgmt.
-            glib::spawn_future_local(async move {
-                let user = username.clone();
-                let result = gio::spawn_blocking(move || {
-                    auth::check_account(&user)
-                }).await;
-                match result {
-                    Ok(true) => cb(),
-                    _ => {
-                        log::error!("PAM account check failed after fingerprint auth");
-                        let strings = load_strings(None);
-                        label.set_text(strings.wrong_password);
-                        label.remove_css_class("success");
-                        label.add_css_class("failed");
-                        // Restart FP verification after delay — the failure may be
-                        // transient (e.g. PAM module timeout). If the account is truly
-                        // locked, check_account will fail again on next match.
-                        glib::timeout_add_local_once(
-                            std::time::Duration::from_secs(2),
-                            move || {
-                                label.set_text(load_strings(None).fingerprint_prompt);
-                                label.remove_css_class("failed");
-                                glib::spawn_future_local(async move {
-                                    FingerprintListener::resume_async(&fp, &username).await;
-                                });
-                            },
-                        );
-                    }
-                }
-            });
+            cb();
         });
     };
 
@@ -518,12 +448,35 @@ pub fn start_fingerprint(
 /// Load the wallpaper as a texture once, for sharing across all windows.
 /// Returns None if no wallpaper path is provided or the file cannot be loaded.
 /// Blur is applied at render time via GPU (GskBlurNode), not here.
+///
+/// Opens the file with O_NOFOLLOW to close the TOCTOU window between the
+/// symlink check in `resolve_background_path_with` and this read. If the path
+/// was swapped for a symlink after the check, `open` fails with ELOOP.
 pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
-    let file = gio::File::for_path(bg_path);
-    match gdk::Texture::from_file(&file) {
+    use std::io::Read;
+    use std::os::unix::fs::OpenOptionsExt;
+
+    let mut file = match std::fs::OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(bg_path)
+    {
+        Ok(f) => f,
+        Err(e) => {
+            log::warn!("Failed to open wallpaper {}: {e}", bg_path.display());
+            return None;
+        }
+    };
+    let mut bytes = Vec::new();
+    if let Err(e) = file.read_to_end(&mut bytes) {
+        log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
+        return None;
+    }
+    let glib_bytes = glib::Bytes::from_owned(bytes);
+    match gdk::Texture::from_bytes(&glib_bytes) {
         Ok(texture) => Some(texture),
         Err(e) => {
-            log::warn!("Failed to load wallpaper {}: {e}", bg_path.display());
+            log::warn!("Failed to decode wallpaper {}: {e}", bg_path.display());
             None
         }
     }
@@ -565,11 +518,11 @@ fn create_background_picture(
     background
 }
 
-/// Maximum texture dimension for blur input. Textures larger than this are
 // SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
 // are duplicated in moongreet/src/greeter.rs and moonset/src/panel.rs.
 // Changes here must be mirrored to the other two projects.
 
+/// Maximum texture dimension for blur input. Textures larger than this are
 /// downscaled before blurring — the blur destroys detail anyway, so there is
 /// no visible quality loss, but GPU work is reduced significantly.
 const MAX_BLUR_DIMENSION: f32 = 1920.0;
@@ -697,23 +650,84 @@ fn set_default_avatar(
     image.set_icon_name(Some("avatar-default-symbolic"));
 }
 
+/// Definition for a single power-action button (reboot, shutdown).
+/// Couples icon, prompt, error text and action so a button cannot be wired
+/// with a mismatched prompt/action pair. Mirrors moonset's `ActionDef`.
+#[derive(Clone, Copy)]
+struct PowerAction {
+    icon_name: &'static str,
+    tooltip_attr: fn(&Strings) -> &'static str,
+    confirm_attr: fn(&Strings) -> &'static str,
+    error_attr: fn(&Strings) -> &'static str,
+    action_fn: fn() -> Result<(), PowerError>,
+}
+
+/// The power actions offered on the lockscreen.
+fn power_actions() -> [PowerAction; 2] {
+    [
+        PowerAction {
+            icon_name: "system-reboot-symbolic",
+            tooltip_attr: |s| s.reboot_tooltip,
+            confirm_attr: |s| s.reboot_confirm,
+            error_attr: |s| s.reboot_failed,
+            action_fn: power::reboot,
+        },
+        PowerAction {
+            icon_name: "system-shutdown-symbolic",
+            tooltip_attr: |s| s.shutdown_tooltip,
+            confirm_attr: |s| s.shutdown_confirm,
+            error_attr: |s| s.shutdown_failed,
+            action_fn: power::shutdown,
+        },
+    ]
+}
+
+/// Build a power-action icon button wired to the confirmation flow.
+fn create_power_button(
+    action: PowerAction,
+    strings: &'static Strings,
+    power_box: &gtk::Box,
+    confirm_area: &gtk::Box,
+    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
+    error_label: &gtk::Label,
+) -> gtk::Button {
+    let button = gtk::Button::new();
+    button.set_icon_name(action.icon_name);
+    button.add_css_class("power-button");
+    button.set_tooltip_text(Some((action.tooltip_attr)(strings)));
+    button.connect_clicked(clone!(
+        #[weak]
+        power_box,
+        #[weak]
+        confirm_area,
+        #[strong]
+        confirm_box,
+        #[weak]
+        error_label,
+        move |_| {
+            show_power_confirm(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
+        }
+    ));
+    button
+}
+
 /// Show inline power confirmation.
 fn show_power_confirm(
-    message: &'static str,
-    action_fn: fn() -> Result<(), PowerError>,
-    error_message: &'static str,
+    action: PowerAction,
     strings: &'static Strings,
+    power_box: &gtk::Box,
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
 ) {
     dismiss_power_confirm(confirm_area, confirm_box);
+    error_label.set_visible(false);
 
     let new_box = gtk::Box::new(gtk::Orientation::Vertical, 8);
     new_box.set_halign(gtk::Align::Center);
     new_box.set_margin_top(16);
 
-    let confirm_label = gtk::Label::new(Some(message));
+    let confirm_label = gtk::Label::new(Some((action.confirm_attr)(strings)));
     confirm_label.add_css_class("confirm-label");
     new_box.append(&confirm_label);
 
@@ -723,6 +737,8 @@ fn show_power_confirm(
     let yes_btn = gtk::Button::with_label(strings.confirm_yes);
     yes_btn.add_css_class("confirm-yes");
     yes_btn.connect_clicked(clone!(
+        #[weak]
+        power_box,
         #[weak]
         confirm_area,
         #[strong]
@@ -730,8 +746,7 @@ fn show_power_confirm(
         #[weak]
         error_label,
         move |_| {
-            dismiss_power_confirm(&confirm_area, &confirm_box);
-            execute_power_action(action_fn, error_message, &error_label);
+            execute_power_action(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
         }
     ));
     button_row.append(&yes_btn);
@@ -762,28 +777,44 @@ fn dismiss_power_confirm(confirm_area: &gtk::Box, confirm_box: &Rc<RefCell<Optio
     }
 }
 
-/// Execute a power action in a background thread.
+/// Execute a power action in a background thread, guarding against re-trigger.
 fn execute_power_action(
-    action_fn: fn() -> Result<(), PowerError>,
-    error_message: &'static str,
+    action: PowerAction,
+    strings: &'static Strings,
+    power_box: &gtk::Box,
+    confirm_area: &gtk::Box,
+    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
 ) {
+    dismiss_power_confirm(confirm_area, confirm_box);
+
+    let action_fn = action.action_fn;
+    let error_message = (action.error_attr)(strings);
+
+    // Desensitize the power buttons so a double-click or keyboard repeat cannot
+    // fire the same action twice while it is in flight.
+    power_box.set_sensitive(false);
+
     glib::spawn_future_local(clone!(
+        #[weak]
+        power_box,
         #[weak]
         error_label,
         async move {
-            let result = gio::spawn_blocking(move || action_fn()).await;
+            let result = gio::spawn_blocking(action_fn).await;
             match result {
                 Ok(Ok(())) => {}
                 Ok(Err(e)) => {
                     log::error!("Power action failed: {e}");
                     error_label.set_text(error_message);
                     error_label.set_visible(true);
+                    power_box.set_sensitive(true);
                 }
                 Err(_) => {
                     log::error!("Power action panicked");
                     error_label.set_text(error_message);
                     error_label.set_visible(true);
+                    power_box.set_sensitive(true);
                 }
             }
         }

src/main.rs

@@ -250,11 +250,17 @@ fn setup_logging() {
             eprintln!("Failed to create journal logger: {e}");
         }
     }
+    // Debug level is only selectable in debug builds. Release binaries ignore
+    // MOONLOCK_DEBUG so a session script cannot escalate log verbosity to leak
+    // fprintd / D-Bus internals into the journal.
+    #[cfg(debug_assertions)]
     let level = if std::env::var("MOONLOCK_DEBUG").is_ok() {
         log::LevelFilter::Debug
     } else {
         log::LevelFilter::Info
     };
+    #[cfg(not(debug_assertions))]
+    let level = log::LevelFilter::Info;
     log::set_max_level(level);
 }