fix: harden avatar load against symlink TOCTOU (v0.6.19)

SEC-01 (security audit, LOW): the avatar load followed symlinks via
gio::File while the wallpaper load was already O_NOFOLLOW-hardened — the
project's lock-path hardening was applied inconsistently. Share one
read_file_nofollow loader for both file reads so they cannot diverge
again; a symlinked ~/.face now fails open with ELOOP and falls back to
the default avatar. Adds loader unit tests (regular file, symlink->ELOOP).

Bundles clippy cleanup: c"" literal in auth.rs, let-chains, drop
redundant gtk4_session_lock import, blur guard via .filter() (unifies
with moongreet/moonset).

.gitea/workflows/ci.yaml

@@ -0,0 +1,22 @@
+# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
+# ABOUTME: Supply-chain gate — fails on a known advisory.
+
+name: Audit
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  cargo-audit:
+    runs-on: moonarch
+    steps:
+      - name: Checkout
+        run: git clone http://gitea:3000/nevaforget/moonlock.git src
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit
+        run: cd src && cargo audit

.gitea/workflows/update-pkgver.yaml

@@ -1,22 +1,22 @@
-# ABOUTME: Updates pkgver in moonarch-pkgbuilds after a push to main.
+# ABOUTME: Updates pkgver in moonarch-pkgbuilds when a new moonlock tag is pushed.
-# ABOUTME: Ensures paru detects new versions of this package.
+# ABOUTME: Reads the latest version tag and bumps the PKGBUILD + .SRCINFO.
 
 name: Update PKGBUILD version
 
 on:
   push:
-    branches:
+    tags:
-      - main
+      - 'v*'
 
 jobs:
   update-pkgver:
     runs-on: moonarch
     steps:
-      - name: Checkout source repo
+      - name: Determine pkgver from latest tag
         run: |
           git clone --bare http://gitea:3000/nevaforget/moonlock.git source.git
           cd source.git
-          PKGVER=$(git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./')
+          PKGVER=$(git describe --tags --abbrev=0 | sed 's/^v//')
           echo "New pkgver: $PKGVER"
           echo "$PKGVER" > /tmp/pkgver
 
@@ -26,18 +26,18 @@ jobs:
           git clone http://gitea:3000/nevaforget/moonarch-pkgbuilds.git pkgbuilds
           cd pkgbuilds
 
-          OLD_VER=$(grep '^pkgver=' moonlock-git/PKGBUILD | cut -d= -f2)
+          OLD_VER=$(grep '^pkgver=' moonlock/PKGBUILD | cut -d= -f2)
           if [ "$OLD_VER" = "$PKGVER" ]; then
             echo "pkgver already up to date ($PKGVER)"
             exit 0
           fi
 
-          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonlock-git/PKGBUILD
+          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonlock/PKGBUILD
-          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonlock-git/.SRCINFO
+          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonlock/.SRCINFO
           echo "Updated pkgver: $OLD_VER → $PKGVER"
 
           git config user.name "pkgver-bot"
           git config user.email "gitea@moonarch.de"
-          git add moonlock-git/PKGBUILD moonlock-git/.SRCINFO
+          git add moonlock/PKGBUILD moonlock/.SRCINFO
-          git commit -m "chore(moonlock-git): bump pkgver to $PKGVER"
+          git commit -m "chore(moonlock): bump pkgver to $PKGVER"
           git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push

.gitignore

@@ -1,7 +1,3 @@
 /target
 
-# makepkg build artifacts
+.pytest_cache/
-pkg/src/
-pkg/pkg/
-pkg/moonlock/
-pkg/*.pkg.tar.*

CLAUDE.md

@@ -1,64 +1,63 @@
 # Moonlock
 
-**Name**: Nyx (Göttin der Nacht — passend zum Lockscreen, der den Bildschirm verdunkelt)
+## Project
 
-## Projekt
+Moonlock is a secure Wayland lockscreen, built with Rust + gtk4-rs + ext-session-lock-v1.
+Part of the Moonarch ecosystem.
 
-Moonlock ist ein sicherer Wayland-Lockscreen, gebaut mit Rust + gtk4-rs + ext-session-lock-v1.
+## Tech Stack
-Teil des Moonarch-Ökosystems.
 
-## Tech-Stack
+- Rust (edition 2024), gtk4-rs 0.11, glib 0.22
+- gtk4-session-lock 0.4 for the ext-session-lock-v1 protocol
+- PAM authentication via raw FFI (libc, libpam.so)
+- fprintd D-Bus integration (gio::DBusProxy) for fingerprint unlock
+- zeroize for secure password wiping
+- `cargo test` for unit tests
 
-- Rust (Edition 2024), gtk4-rs 0.11, glib 0.22
+## Project Structure
-- gtk4-session-lock 0.4 für ext-session-lock-v1 Protokoll
-- PAM-Authentifizierung via Raw FFI (libc, libpam.so)
-- fprintd D-Bus Integration (gio::DBusProxy) für Fingerabdruck-Unlock
-- zeroize für sicheres Passwort-Wiping
-- `cargo test` für Unit-Tests
 
-## Projektstruktur
+- `src/` — Rust source code (main.rs, lockscreen.rs, auth.rs, fingerprint.rs, config.rs, i18n.rs, users.rs, power.rs)
+- `resources/` — GResource assets (style.css, default-avatar.svg)
+- `config/` — PAM configuration and example config
 
-- `src/` — Rust-Quellcode (main.rs, lockscreen.rs, auth.rs, fingerprint.rs, config.rs, i18n.rs, users.rs, power.rs)
+## Commands
-- `resources/` — GResource-Assets (style.css, default-avatar.svg)
-- `config/` — PAM-Konfiguration und Beispiel-Config
-
-## Kommandos
 
 ```bash
-# Tests ausführen
+# Run tests
 cargo test
 
-# Release-Build
+# Release build
 cargo build --release
 
-# Lockscreen starten (zum Testen)
+# Start the lockscreen (for testing)
 LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 ```
 
-## Architektur
+## Architecture
 
-- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>), check_account() für pam_acct_mgmt-Only-Checks nach Fingerprint-Unlock
+- `auth.rs` — PAM authentication via raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>)
-- `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() für sauberen D-Bus-Lifecycle, running_flag für Race-Safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() für Neustart nach transientem Fehler (mit failed_attempts-Reset und Signal-Handler-Cleanup)
+- `fingerprint.rs` — fprintd D-Bus listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() for a clean D-Bus lifecycle, running_flag for race safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() for restart after a transient error (with failed_attempts reset and signal handler cleanup)
-- `users.rs` — Aktuellen User via nix getuid, Avatar-Loading mit Symlink-Rejection
+- `users.rs` — current user via nix getuid, avatar loading with symlink rejection
-- `power.rs` — Reboot/Shutdown via /usr/bin/systemctl
+- `power.rs` — reboot/shutdown via /usr/bin/systemctl
-- `i18n.rs` — Locale-Erkennung (OnceLock-cached) und String-Tabellen (DE/EN), faillock_warning mit konfigurierbarem max_attempts
+- `i18n.rs` — locale detection (OnceLock-cached) and string tables (DE/EN), faillock_warning with configurable max_attempts
-- `config.rs` — TOML-Config (background_path, background_blur clamped [0,100], fingerprint_enabled als Option<bool>) + Wallpaper-Fallback + Symlink-Rejection via symlink_metadata + Parse-Error-Logging
+- `config.rs` — TOML config (background_path, background_blur clamped [0,200], fingerprint_enabled as Option<bool>) + wallpaper fallback + symlink rejection via symlink_metadata + parse-error logging
-- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Label/Start separat verdrahtet mit pam_acct_mgmt-Check und auto-resume, Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
+- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM auth via gio::spawn_blocking with a 30s timeout and generation counter, FP success calls unlock_callback directly (PAM stack without account module, lockout via the auth path and MAX_FP_ATTEMPTS), Zeroizing<String> for the password, power confirm, GPU blur via GskBlurNode (downscale to max 1920px), blur/avatar cache for multi-monitor
-- `main.rs` — Entry Point, Panic-Hook (vor Logging), Root-Check, ext-session-lock-v1 (Pflicht in Release), Multi-Monitor mit shared Blur/Avatar-Caches, systemd-Journal-Logging, Debug-Level per `MOONLOCK_DEBUG` Env-Var, async fprintd-Init nach window.present(), Wallpaper-Laden nach lock()
+- `main.rs` — entry point, panic hook (before logging), root check, ext-session-lock-v1 (mandatory in release), monitor hotplug via the `connect_monitor` signal (v1_2), unlock via `unlock()` + `connect_unlocked`→`app.quit()` (the lib destroys the lock windows itself when the lock ends — no own destroy/quit, otherwise double-destroy SIGSEGV), shared blur/avatar caches in Rc, systemd journal logging, debug level via the `MOONLOCK_DEBUG` env var, async fprintd init after window.present()
 
-## Sicherheit
+## Security
 
-- ext-session-lock-v1 garantiert: Compositor sperrt alle Surfaces bei lock()
+- ext-session-lock-v1 guarantees: the compositor locks all surfaces on lock()
-- Release-Build: Ohne ext-session-lock-v1 wird `exit(1)` aufgerufen — kein Fenster-Fallback
+- Release build: without ext-session-lock-v1, `exit(1)` is called — no window fallback
-- Panic-Hook: Bei Crash wird geloggt, aber NIEMALS unlock() aufgerufen — Screen bleibt schwarz. Hook wird vor Logging installiert.
+- Panic hook: on a crash it logs, but NEVER calls unlock() — the screen stays black. The hook is installed before logging.
-- PAM-Callback: msg_style-aware (Passwort nur bei PAM_PROMPT_ECHO_OFF), strdup-OOM-sicher, num_msg-Guard gegen negative Werte
+- PAM callback: msg_style-aware (password only on PAM_PROMPT_ECHO_OFF), strdup-OOM-safe, num_msg guard against negative values
-- fprintd: D-Bus Signal-Sender wird gegen fprintd's unique bus name validiert (Anti-Spoofing)
+- fprintd: the D-Bus signal sender is validated against fprintd's unique bus name (anti-spoofing)
-- Passwort: Zeroizing<String> ab GTK-Entry-Extraktion, Zeroizing<CString> im PAM-FFI-Layer (bekannte Einschränkung: GLib-GString und strdup-Kopie in PAM werden nicht gezeroized — inhärente GTK/libc-Limitierung)
+- Password: Zeroizing<String> from GTK entry extraction, Zeroizing<CString> in the PAM FFI layer (known limitation: the GLib GString and the strdup copy in PAM are not zeroized — an inherent GTK/libc limitation)
-- Fingerprint-Unlock: pam_acct_mgmt-Check nach verify-match erzwingt Account-Policies (Lockout, Ablauf), resume_async() startet FP bei transientem Fehler neu (mit failed_attempts-Reset und Signal-Handler-Cleanup)
+- Fingerprint unlock: calls unlock_callback directly after a verify match (no additional PAM acct check, because the PAM stack contains only `auth include login` — like swaylock); FP lockout is implemented via MAX_FP_ATTEMPTS in fingerprint.rs
-- Wallpaper wird nach lock() geladen — Disk-I/O verzögert nicht die Lock-Akquisition
+- PAM stack: only `auth include login` (standard pattern like swaylock/gtklock); no `account`/`session` stack, because the lockscreen does not manage a session lifecycle and `pam_unix(account)` requires setuid root
-- PAM-Timeout: 30s Timeout verhindert permanentes Aussperren bei hängenden PAM-Modulen, Generation Counter verhindert Interferenz paralleler Auth-Versuche
+- The wallpaper is loaded before lock() — connect_monitor fires during lock() and needs the texture; local JPEG loading is fast enough
-- Root-Check: Exit mit Fehler wenn als root gestartet
+- PAM timeout: a 30s timeout prevents permanent lockout when PAM modules hang, the generation counter prevents interference from parallel auth attempts
-- Faillock: UI-Warnung nach 3 Fehlversuchen, aber PAM entscheidet über Lockout (Entry bleibt aktiv)
+- Root check: exits with an error if started as root
-- Kein Schließen per Escape/Alt-F4 — nur durch erfolgreiche PAM-Auth oder Fingerprint
+- Faillock: UI warning after 3 failed attempts, but PAM decides on lockout (the entry stays active)
-- Kein Peek-Icon am Passwortfeld (Shoulder-Surfing-Schutz)
+- No closing via Escape/Alt-F4 — only via successful PAM auth or fingerprint
-- GResource-Bundle: CSS/Assets in der Binary kompiliert
+- Peek icon on the password field active (UX decision, consistent with moongreet)
+- GResource bundle: CSS/assets compiled into the binary

Cargo.lock

@@ -575,7 +575,7 @@ dependencies = [
 
 [[package]]
 name = "moonlock"
-version = "0.6.7"
+version = "0.6.19"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,13 +1,13 @@
 [package]
 name = "moonlock"
-version = "0.6.7"
+version = "0.6.19"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"
 
 [dependencies]
 gtk4 = { version = "0.11", features = ["v4_10"] }
-gtk4-session-lock = { version = "0.4", features = ["v1_1"] }
+gtk4-session-lock = { version = "0.4", features = ["v1_2"] }
 glib = "0.22"
 gdk4 = "0.11"
 gdk-pixbuf = "0.22"
@@ -28,6 +28,6 @@ tempfile = "3"
 glib-build-tools = "0.22"
 
 [profile.release]
-lto = "thin"
+lto = "fat"
 codegen-units = 1
 strip = true

DECISIONS.md

@@ -2,51 +2,135 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
+## 2026-06-17 – Harden avatar load against symlink TOCTOU via a shared O_NOFOLLOW loader (v0.6.19)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found SEC-01 (LOW): `set_avatar_from_file` (`lockscreen.rs`) opened `~/.face` / the AccountsService icon via `gio::File::for_path().read_future()`, which follows symlinks unconditionally, while the wallpaper load (`load_background_texture`) was already hardened with `O_NOFOLLOW` (2026-04-24). `users::get_avatar_path_with` rejects symlinks via `symlink_metadata()`, but a TOCTOU window remained between that stat and the GIO open. The root cause was not the avatar code per se but that the `O_NOFOLLOW` open idiom was inlined in one place and absent from the other — the project's own lock-path hardening contract was applied inconsistently. Impact is below the primary threat model (exploiting it needs write access to `~/.face`, i.e. an already-compromised session; the screen stays locked either way), hence LOW.
+- **Tradeoffs**: Extracted a shared `read_file_nofollow` rather than duplicating the open idiom, so the two file reads on the lock path cannot diverge again. The avatar read moved onto a blocking thread via `gio::spawn_blocking` (was a GIO async read) to keep the open off the GTK main loop, then decodes from an in-memory `MemoryInputStream`, preserving the scaled `AVATAR_SIZE` decode. No integration test for `set_avatar_from_file` itself — GTK + async, not unit-testable without a harness; the security primitive (`O_NOFOLLOW` → `ELOOP`) is covered by a unit test that goes red if the flag is removed (verified by temporarily dropping it). SEC-02 (fallback wallpaper `is_file()`) and SEC-03 (PAM `strdup` not zeroed) were reviewed and left as-is: the former is still protected by `O_NOFOLLOW` at open time and is a root-only system path, the latter is an inherent PAM-API limitation outside the lock threat model, already documented in `CLAUDE.md`.
+- **How**: (1) New `read_file_nofollow(&Path) -> io::Result<Vec<u8>>` in `lockscreen.rs`, used by both `load_background_texture` and `set_avatar_from_file`. (2) The avatar load reads via `gio::spawn_blocking(read_file_nofollow)` then decodes from a `MemoryInputStream`; a symlinked avatar now fails the open with `ELOOP`, logs a warning, and falls back to the default avatar. (3) Two unit tests for the loader (regular file → bytes; symlink → `ELOOP`). (4) Clippy cleanup bundled in: `c""` C-string literal in `auth.rs`, `let`-chains in `config.rs`/`users.rs`, removed redundant `use gtk4_session_lock;` in `main.rs`, blur guard collapsed to `blur_radius.filter(|s| *s > 0.0)` (unifies with moongreet/moonset, which already used that form). Verified: `cargo test` (48 passed), `cargo clippy --release` (0 warnings), `cargo build --release`.
+
+## 2026-06-17 – Add cargo-audit CI gate, remove orphaned `-git` PKGBUILD
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A hygiene audit found supply chain and dependency health clean (`cargo audit` 0.22.2: 0 vulnerabilities across 116 crates), but flagged repo-hygiene gaps: CI (`.gitea/workflows/`) only auto-bumped pkgver and ran no vulnerability scan, so a future advisory against a locked dependency would go undetected; `pkg/PKGBUILD` was an orphaned `moonlock-git` VCS PKGBUILD (`pkgver=0.4.1.r1...`, two minor versions behind v0.6.18) left over from the pre-tag-build era — the canonical packaging now lives in `moonarch-pkgbuilds/moonlock/PKGBUILD` and is auto-bumped by `update-pkgver.yaml`; a stray `.pytest_cache/` sat in the repo root of this pure-Rust project, only suppressed by a user-global gitignore.
+- **Tradeoffs**: CI gate scoped to `cargo audit` only, not `cargo test`/`clippy`/`build` — `cargo audit` parses `Cargo.lock` and needs no GTK4/PAM build environment, whereas the broader checks depend on the `moonarch` runner having the full dev toolchain, which is unverified and beyond the hygiene scope. `cargo install cargo-audit` recompiles per run (~2-3 min); accepted, caching deferred. Open risk: the runner must provide a Rust toolchain (`cargo`); `update-pkgver.yaml` only uses `git`, so this needs validation on first run. Deleting `pkg/PKGBUILD` rather than updating it: it is not in the build pipeline and the `-git` variant was abandoned at the tag-build switch (see `moonarch-pkgbuilds/DECISIONS.md` 2026-06-10).
+- **How**: New `.gitea/workflows/ci.yaml` (`Audit` workflow, triggers on push to `main`, `v*` tags, and PRs to `main`) clones the repo and runs `cargo audit`. Removed `pkg/PKGBUILD` and the empty `pkg/` dir; dropped the now-dead `pkg/*` makepkg-artifact lines from `.gitignore` and added `.pytest_cache/`. No version bump — no code or behavior change to the binary.
+
+## 2026-06-17 – Restore hardened release profile after the crash hunt (v0.6.18)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A security audit found the `[profile.release]` in `Cargo.toml` had silently drifted from the hardened profile decided on 2026-04-24 (`lto = "fat"`, `strip = true`). Git blame traced the drift to v0.6.14 (commit `85cf039`, "refactor: power-confirm via PowerAction table"): `lto` was reverted `fat`→`thin`, `strip` flipped `true`→`false`, and `debug = true` was added — all bundled into an unrelated refactor commit, with no commit-message mention and no entry here. The pattern (no strip + debug symbols + faster thin LTO) was a debug aid for the suspend/resume SIGSEGV hunt that ran v0.6.9–v0.6.17, giving symbolized coredump backtraces. That crash is fixed as of v0.6.17, so the debug profile has outlived its purpose, while shipping debug symbols on a security-critical auth binary eases reverse-engineering of the auth path and bloats the binary.
+- **Tradeoffs**: Restoring `lto = "fat"` roughly doubles release build time (~30 s → ~60 s) for better cross-crate inlining; acceptable for a binary compiled once per release. Dropping `strip = false` + `debug = true` means field coredumps are no longer symbolized out of the box — a deliberate trade now that the crash is resolved; debug symbols can be re-enabled temporarily if a new crash needs hunting. Not chosen: keeping `lto = "fat"` but retaining the debug symbols — rejected because the symbols' only justification (the crash hunt) is gone.
+- **How**: `Cargo.toml` `[profile.release]` restored to `lto = "fat"`, `strip = true`, with the `debug = true` line removed; `codegen-units = 1` unchanged. Verified via `file target/release/moonlock` reporting a stripped binary.
+
+## 2026-06-02 – Real fix for the unlock SIGSEGV: quit in ::unlocked, never destroy windows ourselves (v0.6.17)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: The v0.6.15 "stale per-monitor window" theory was a **misdiagnosis**. A clean manual `target/release/moonlock` lock→unlock (single monitor, no suspend, no monitor removal) still crashed, preceded by `Gdk-CRITICAL: gdk_surface_get_display: assertion 'GDK_IS_SURFACE (surface)' failed`. The v0.6.16 backtrace's top app frame is the `unlock_callback` closure, which ran `lock.unlock(); app.quit();`. Per the gtk4-session-lock header (`assign_window_to_monitor`: "the window will be unmapped and `gtk_window_destroy()` called on it when the current lock ends") the **library destroys the lock windows itself** on unlock. `app.quit()` then destroyed the same windows again — surface already gone → SIGSEGV. A double-destroy in the teardown sequence, entirely independent of monitors.
+- **Tradeoffs**: Reverted the v0.6.15/v0.6.16 monitor-pruning + `LockscreenHandles.monitor` field: it targeted the wrong cause, never fired in testing, and manually called `app.remove_window()` on library-managed lock windows — exactly what the upstream example warns against ("does NOT manually destroy or close the lock windows"). Monitor-removal-during-lock is left entirely to the library (which already auto-unmaps+dereferences such windows). Three attempts total: idle_add deferral (wrong: reentrancy theory), monitor-pruning (wrong: misdiagnosis), and this one — verified against both the C header and the upstream `examples/simple.rs`.
+- **How**: `unlock_callback` now calls only `lock.unlock()`. A new `lock.connect_unlocked(|_| app.quit())` quits the app only after the library finishes its teardown and fires `::unlocked`. Mirrors the canonical gtk4-session-lock usage exactly.
+
+## 2026-06-02 – Prune per-monitor windows on monitor removal to fix resume-unlock SIGSEGV (v0.6.15)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Chronic SIGSEGV (multiple coredumps/day) on the unlock following a suspend/resume. Backtrace: `app.quit()` → `gtk_window_destroy` → gtk4-layer-shell → `g_signal_emit` → NULL deref (`0x278`, rax=0). Root cause: `connect_monitor` is add-only — it creates one window per monitor and pushes to `all_handles`, but nothing ever removes a window when a monitor powers off on suspend. gtk4-session-lock unmaps + drops *its* ref to that window on monitor removal (per `gtk4-session-lock` 0.4 docs), but the GtkApplication (`ApplicationWindow::builder().application(app)`) and `all_handles` still hold refs. The orphaned window survives until unlock, where destroying it dereferences its now-NULL monitor association. A diagnostic confirmed the windows are GTK-valid but accumulate (3 windows for 1-2 monitors) with a NULL associated object.
+- **Tradeoffs**: An earlier attempt deferred `unlock()`/`quit()` via `glib::idle_add_local_once` on a reentrancy theory — proven wrong by the logs (crash happens *inside* the idle trampoline). Reverted. The library doc explicitly says monitor removal is detected via "GTK APIs"; we follow that rather than fighting the library. We release our refs (do **not** call `destroy` — the lib already unmapped+dereffed the window). Diagnostic UNLOCK logging is kept for now, to be removed once a suspend/resume validation cycle confirms the fix.
+- **How**: `LockscreenHandles` gains `monitor: Option<gdk::Monitor>`, set in the `connect_monitor` handler. `activate_with_session_lock` watches `display.monitors()` via `connect_items_changed`; on any change it retains only handles whose monitor `is_valid()`, calling `app.remove_window()` on the pruned ones to drop the application's ref. With both refs released, the orphaned window is gone before unlock.
+
+## 2026-06-02 – Align power-confirm to moonset's ActionDef pattern (v0.6.14)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: A code review of moongreet's power-confirm (ported from this file) flagged the shared pattern as lower-altitude than moonset's: two near-identical reboot/shutdown handlers and a `show_power_confirm` taking loose `message`/`action_fn`/`error_message` params that can drift apart. moonset already solved this with an `ActionDef` table + button factory. Changed here in lockstep with moongreet to keep the three projects symmetric.
+- **Tradeoffs**: A `PowerAction` struct + `power_actions()` table + `create_power_button` factory is slightly more machinery for two actions, but couples icon/prompt/error/action into one value (a mismatched prompt/action becomes unrepresentable) and makes a third action a one-line table entry. Did NOT touch `confirm_box: Rc<RefCell<Option<gtk::Box>>>` — moonset uses the same, it is the shared convention.
+- **How**: Replaced the two hand-wired handlers with a loop over `power_actions()`; `show_power_confirm`/`execute_power_action` now take `PowerAction` (Copy) instead of three loose strings. Added an in-flight re-trigger guard via `power_box.set_sensitive(false)` (re-enabled on failure), matching moonset; also clear a stale `error_label` when showing a new prompt.
+
+## 2026-05-04 – Drop PAM account/session stack, remove `check_account`, drop `pam_acct_mgmt` from password path (v0.6.13)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: 20 SIGSEGV coredumps in 6 days. All crashes preceded by `pam_unix(moonlock:account): setuid failed: Operation not permitted`. The previous PAM config (`auth/account/session include system-auth`) pulled `pam_unix(account)`, which needs setuid root for `/etc/shadow`. moonlock runs as the user, so `pam_acct_mgmt` always failed. The failure cascaded into the FP-resume path (`gio::spawn_blocking(check_account) → false → 2s timeout → resume_async`) where a use-after-free during `gtk_window_destroy` killed the process. Each crash left a dead `ext-session-lock-v1` client and the compositor stuck on its red fallback backdrop until manual recovery. Initial fix on 2026-04-30 dropped the FP-side `check_account` and the account/session lines from the PAM config, but left the `pam_acct_mgmt` call in `auth.rs::authenticate()` for the password path. Result: a PAM stack with no `account` module fell back to `/etc/pam.d/other` (`pam_deny`) and rejected every password — Dom got locked out on 2026-05-04.
+- **Tradeoffs**: Aligned with the swaylock/gtklock pattern (only `auth include login`). Lost: PAM-driven account expiry/lockout in both paths. Acceptable because (a) FP attempts are still bounded by `MAX_FP_ATTEMPTS` in `fingerprint.rs`, (b) password-path lockout still works through `pam_faillock.so preauth/authfail/authsucc` in the inherited `auth` stack, and (c) account validity was already verified by the login manager when the session was opened — a lockscreen unlocks an existing session, it does not gate access to a new one. Not chosen: a custom `account` stack with `pam_faillock.so` only — would have kept PAM-level FP lockout but adds a non-standard config that other lockers do not use, and `pam_faillock` standalone in `account` is rarely tested in the wild.
+- **How**: (1) `config/moonlock-pam` reduced to a single `auth include login` line. (2) `auth.rs::check_account()` and its two unit tests removed. (3) `auth.rs::authenticate()` no longer calls `pam_acct_mgmt`; `pam_authenticate` result is returned directly. The `pam_acct_mgmt` extern declaration is removed. (4) `lockscreen.rs::start_fingerprint` simplified — the `gio::spawn_blocking(check_account)` async block, the failure-side error UI, and the 2-second `resume_async` retry path all removed; on FP success the closure now goes `label.set_text(success); fp.stop(); cb()`. (5) `fingerprint.rs::resume_async()` removed. (6) `CLAUDE.md` architecture and security sections updated to describe the new PAM stack.
+
+## 2026-04-24 – Audit LOW fixes: docs, rustdoc, check_account scope, debug gating, lto fat (v0.6.12)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Six LOW findings cleared in a single pass. (1) Docs referenced the old `[0,100]` blur range; code clamps `[0,200]` since v0.6.8. (2) The `MAX_BLUR_DIMENSION` doc comment was split by a `// SYNC:` block, producing a truncated sentence in rustdoc. (3) `check_account` was `pub` and relied on callers only ever passing `getuid()`-derived usernames; the contract was not enforced by the type system. (4) `MOONLOCK_DEBUG` env var flipped log verbosity to Debug in release builds, letting a compromised session script escalate journal noise about fprintd / D-Bus. (5) `pam_setcred` absence was undocumented. (6) `[profile.release]` used `lto = "thin"` — fine for most crates, but for a latency-critical auth binary compiled once per release, fat LTO's extra cross-crate inlining is worth the ~1 min build hit.
+- **Tradeoffs**: `lto = "fat"` roughly doubles release build time (~30 s → ~60 s) for slightly better inlining across PAM FFI wrappers and the i18n/status paths. `#[cfg(debug_assertions)]` on the debug-level selector means you have to run a debug build to raise log level — inconvenient for live troubleshooting, but aligned with the security-first posture.
+- **How**: (1) `CLAUDE.md` + `README.md` updated to `[0,200]`. (2) `// SYNC:` block moved above the `///` doc so rustdoc renders one coherent paragraph. (3) `check_account` visibility narrowed to `pub(crate)` with a `Precondition` paragraph explaining the username contract. (4) Debug-level selection wrapped in `#[cfg(debug_assertions)]`; release builds always run at `LevelFilter::Info`. (5) Added a comment block in `authenticate()` documenting why `pam_setcred` is deliberately absent and where it would hook in if needed. (6) `lto = "fat"` in `Cargo.toml`.
+
+## 2026-04-24 – Audit MEDIUM fixes: D-Bus cleanup race, TOCTOU open, FP reset, GTK entry clear (v0.6.11)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Second round after the HIGH fixes, addressing the four MEDIUM findings. (1) `cleanup_dbus` spawned VerifyStop + Release as fire-and-forget, then `resume_async` called Claim after only a 2 s timeout — shorter than the 3 s D-Bus timeout, so on a slow bus the Claim could race the Release and fprintd would reject it, leaving the FP listener permanently dead. (2) `load_background_texture` relied on the caller's `symlink_metadata` check, re-opening the path via `gdk::Texture::from_file` — a classic TOCTOU window. (3) `resume_async` unconditionally reset `failed_attempts`, allowing an attacker with sensor control to evade the 10-attempt cap by cycling verify-match → `check_account` fail → resume. (4) The GTK `PasswordEntry` buffer was only cleared on timeout or auth failure, leaving the password in GLib malloc'd memory longer than necessary.
+- **Tradeoffs**: The D-Bus cleanup is now split into a synchronous helper (`take_cleanup_proxy` — signal disconnect + flag clear) and an async helper (`perform_dbus_cleanup` — VerifyStop + Release), so `resume_async` can await the release while `stop()` stays fire-and-forget. Dropping the `failed_attempts` reset means a flaky sensor could reach 10 failures faster, but the correct remedy is a new lock session (construction) rather than a reset that also helps attackers.
+- **How**: (1) Split `cleanup_dbus` into `take_cleanup_proxy()` (sync) + `perform_dbus_cleanup(proxy)` (async). `resume_async` now awaits `perform_dbus_cleanup` before `begin_verification`. `stop()` still spawns the cleanup fire-and-forget. (2) `load_background_texture` opens with `O_NOFOLLOW` via `std::fs::OpenOptions::custom_flags`, reads to bytes, and builds the texture via `gdk::Texture::from_bytes`. (3) Removed `listener.borrow_mut().failed_attempts = 0` from `resume_async`. (4) `password_entry.set_text("")` now fires right after the `Zeroizing::new(entry.text().to_string())` extraction, shortening the GTK-side window.
+
+## 2026-04-24 – Audit fixes: RefCell borrow across await, async avatar decode
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Triple audit found two HIGH issues. (1) `init_fingerprint_async` held a `RefCell` immutable borrow across `is_available_async().await` — a concurrent `connect_monitor` signal (hotplug / suspend-resume) invoking `borrow_mut()` during the await would panic. (2) `set_avatar_from_file` decoded avatars synchronously via `Pixbuf::from_file_at_scale`, blocking the GTK main thread inside the `connect_monitor` handler. With `MAX_AVATAR_FILE_SIZE` at 10 MB the worst-case stall was 200–500 ms on monitor hotplug.
+- **Tradeoffs**: Avatar is shown as the symbolic default icon for a brief window while decoding completes. Wallpaper stays synchronous because `connect_monitor` fires during `lock()` and needs the texture already present (see 2026-04-09).
+- **How**: (1) Extract `username` into a local `String` in `init_fingerprint_async`, drop the borrow before the await, re-borrow in a new scope after — no awaits inside the second borrow, so hotplug during signal setup is safe. (2) `set_avatar_from_file` now uses `gio::File::read_future` + `Pixbuf::from_stream_at_scale_future` for async I/O and decode. The default icon is shown immediately; the decoded texture replaces it when ready. `Pixbuf` itself is `!Send`, so `gio::spawn_blocking` does not apply — the GIO async stream loader keeps the `Pixbuf` on the main thread while the kernel does the I/O asynchronously.
+
+## 2026-04-09 – Monitor hotplug via connect_monitor signal
+
+- **Who**: ClaudeCode, Dom
+- **Why**: moonlock crashed with segfault in libgtk-4.so after suspend/resume — HDMI monitor disconnect/reconnect invalidated GDK monitor objects, and the statically created windows referenced destroyed surfaces. Crash at consistent GTK4 offset (0x278 NULL dereference), 3x reproduced.
+- **Tradeoffs**: Wallpaper texture now loaded before `lock()` instead of after (connect_monitor fires during lock() and needs the texture). Local JPEG loading is fast enough that the delay is negligible. Shared state moved to Rc's for the signal closure — slightly more indirection but necessary for dynamic window creation.
+- **How**: (1) Bump gtk4-session-lock feature from `v1_1` to `v1_2` to enable `Instance::connect_monitor`. (2) Replace manual monitor iteration with `lock.connect_monitor()` signal handler that creates windows on demand. (3) Signal fires once per existing monitor at `lock()` and again on hotplug. (4) Windows auto-unmap when their monitor disappears (ext-session-lock-v1 guarantee). (5) Fingerprint listener published to shared Rc so hotplugged monitors get FP labels.
+
+## 2026-03-31 – Fourth audit: peek icon, blur limit, GResource compression, sync markers
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Fourth triple audit found blur limit inconsistency (moonlock 0–100 vs moongreet/moonset 0–200), missing GResource compression, peek icon inconsistency, and duplicated code without sync markers.
+- **Tradeoffs**: Peek icon enabled in lockscreen — user decision favoring UX consistency over shoulder-surfing protection. Acceptable for single-user desktop. Blur limit raised to 200 for ecosystem consistency.
+- **How**: (1) `show_peek_icon(true)` in lockscreen password entry. (2) `clamp(0.0, 200.0)` for blur in config.rs. (3) `compressed="true"` on CSS/SVG GResource entries. (4) SYNC comments on duplicated blur/background functions pointing to moongreet and moonset.
+
 ## 2026-03-30 – Third audit: blur offset, lock-before-IO, FP signal lifecycle, TOCTOU
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Third triple audit (quality, performance, security) found: blur padding offset rendering texture at (0,0) instead of (-pad,-pad) causing edge darkening on left/top (BUG), wallpaper disk I/O blocking before lock() extending the unsecured window (PERF/SEC), signal handler duplication on resume_async (SEC), failed_attempts not reset on FP resume (SEC), unknown VerifyStatus with done=false hanging FP listener (SEC), TOCTOU in is_file+is_symlink checks (SEC), dead code in faillock_warning (QUALITY), unbounded blur sigma (SEC).
 - **Tradeoffs**: Wallpaper loads after lock() — screen briefly shows without wallpaper until texture is ready. Acceptable: security > aesthetics. Blur sigma clamped to [0.0, 100.0] — arbitrary upper bound but prevents GPU memory exhaustion.
 - **How**: (1) Texture offset to (-pad, -pad) in render_blurred_texture. (2) lock.lock() before resolve_background_path. (3) begin_verification disconnects old signal_id before registering new. (4) resume_async resets failed_attempts. (5) Unknown VerifyStatus with done=true triggers restart. (6) symlink_metadata() for atomic file+symlink check. (7) faillock_warning dead code removed, saturating_sub. (8) background_blur clamped. (9) Redundant Zeroizing<Vec<u8>> removed. (10) Default impl for FingerprintListener. (11) on_verify_status restricted to pub(crate). (12) Warn logging for non-UTF-8 GECOS and avatar paths.
 
 ## 2026-03-30 – Second audit: zeroize CString, FP account check, PAM timeout, blur downscale
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Second triple audit (quality, performance, security) found: CString password copy not zeroized (HIGH), fingerprint unlock bypassing pam_acct_mgmt (MEDIUM), no PAM timeout leaving user locked out on hanging modules (MEDIUM), GPU blur on full wallpaper resolution (MEDIUM), no-monitor edge case doing `return` instead of `exit(1)` (MEDIUM).
 - **Tradeoffs**: PAM timeout (30s) uses a generation counter to avoid stale result interference — adds complexity but prevents parallel PAM sessions. FP restart after failed account check re-claims the device, adding a D-Bus round-trip, but prevents permanent FP death on transient failures. Blur downscale to 1920px cap trades negligible quality for ~4x less GPU work on 4K wallpapers.
 - **How**: (1) `Zeroizing<CString>` wraps password in auth.rs, `zeroize/std` feature enabled. (2) `check_account()` calls pam_acct_mgmt after FP match; `resume_async()` restarts FP on transient failure. (3) `auth_generation` counter invalidates stale PAM results; 30s timeout re-enables UI. (4) `MAX_BLUR_DIMENSION` caps blur input at 1920px, sigma scaled proportionally. (5) `exit(1)` on no-monitor after `lock.lock()`.
 
 ## 2026-03-28 – Remove embedded wallpaper from binary
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Wallpaper is installed by moonarch to /usr/share/moonarch/wallpaper.jpg. Embedding a 374K JPEG in the binary is redundant. GTK background color (Catppuccin Mocha base) is a clean fallback.
 - **Tradeoffs**: Without moonarch installed AND without config, lockscreen shows plain dark background instead of wallpaper. Acceptable — that's the expected minimal state.
 - **How**: Remove wallpaper.jpg from GResources, return None from resolve_background_path when no file found, skip background picture creation when no texture available.
 
 ## 2026-03-28 – Audit-driven security and lifecycle fixes (v0.6.0)
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Triple audit (quality, performance, security) revealed a critical D-Bus signal spoofing vector, fingerprint lifecycle bugs, and multi-monitor performance issues.
 - **Tradeoffs**: `cleanup_dbus()` extraction adds a method but clarifies the stop/match ownership; `running_flag: Rc<Cell<bool>>` adds a field but prevents race between async restart and stop; sender validation adds a check per signal but closes the only known auth bypass.
 - **How**: (1) Validate D-Bus VerifyStatus sender against fprintd's unique bus name. (2) Extract `cleanup_dbus()` from `stop()`, call it on verify-match. (3) `Rc<Cell<bool>>` running flag checked after await in `restart_verify_async`. (4) Consistent 3s D-Bus timeouts. (5) Panic hook before logging. (6) Blur and avatar caches shared across monitors. (7) Peek icon disabled. (8) Symlink rejection for background_path. (9) TOML parse errors logged.
 
 ## 2026-03-28 – GPU blur via GskBlurNode replaces CPU blur
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: CPU-side Gaussian blur (`image` crate) blocked the GTK main thread for 500ms–2s on 4K wallpapers at cold cache. Disk cache mitigated repeat starts but added ~100 lines of complexity.
 - **Tradeoffs**: GPU blur quality is slightly different (box-blur approximation vs true Gaussian), acceptable for wallpaper. Removes `image` and `dirs` dependencies entirely. No disk cache needed.
 - **How**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` on `connect_realize`. Blur happens once on the GPU when the widget gets its renderer, producing a concrete `gdk::Texture`. Zero startup latency.
 
 ## 2026-03-28 – Optional background blur via `image` crate (superseded)
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Consistent with moonset/moongreet — blurred wallpaper as lockscreen background is a common UX pattern
 - **Tradeoffs**: Adds `image` crate dependency (~15 transitive crates); CPU-side Gaussian blur at load time adds startup latency proportional to image size and sigma. Acceptable because blur runs once and the texture is shared across monitors.
 - **How**: `load_background_texture(bg_path, blur_radius)` loads texture, optionally applies `imageops::blur()`, returns `gdk::Texture`. Config option `background_blur: Option<f32>` in TOML.
 
 ## 2026-03-28 – Shared wallpaper texture pattern (aligned with moonset/moongreet)
 
-- **Who**: Nyx, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Previously loaded wallpaper per-window via `Picture::for_filename()`. Multi-monitor setups decoded the JPEG redundantly. Blur feature requires texture pixel access anyway.
 - **Tradeoffs**: Slightly more code in main.rs (texture loaded before window creation), but avoids redundant decoding and enables the blur feature.
 - **How**: `load_background_texture()` in lockscreen.rs decodes once, `create_background_picture()` wraps shared `gdk::Texture` in `gtk::Picture`. Same pattern as moonset/moongreet.

README.md

@@ -5,14 +5,16 @@ Part of the Moonarch ecosystem.
 
 ## Features
 
-- **ext-session-lock-v1** — Protocol-guaranteed screen locking (compositor keeps screen locked on crash)
+- **ext-session-lock-v1** — Protocol-guaranteed screen locking (compositor keeps screen locked on crash, `exit(1)` in release if unsupported)
-- **PAM authentication** — Uses system PAM stack (`/etc/pam.d/moonlock`)
+- **PAM authentication** — Uses system PAM stack (`/etc/pam.d/moonlock`) with 30s timeout and generation counter
-- **Fingerprint unlock** — fprintd D-Bus integration, async init (optional, window appears instantly)
+- **Fingerprint unlock** — fprintd D-Bus integration with sender validation, async init (window appears instantly), `pam_acct_mgmt` check after verify, auto-resume on transient errors
-- **Multi-monitor** — Lockscreen on every monitor, single shared fingerprint listener
+- **Multi-monitor + hotplug** — Lockscreen on every monitor with shared blur and avatar caches; monitors added after suspend/resume get windows automatically via `connect_monitor` signal
+- **GPU blur** — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–200)
 - **i18n** — German and English (auto-detected)
-- **Faillock warning** — UI counter + system pam_faillock
+- **Faillock warning** — Progressive UI warning after failed attempts, PAM decides lockout
-- **Panic safety** — Panic hook logs but never unlocks
+- **Panic safety** — Panic hook logs but never unlocks (installed before logging)
-- **Password wiping** — Zeroize on drop
+- **Password wiping** — `Zeroize` on drop from GTK entry through PAM FFI layer
+- **Journal logging** — `journalctl -t moonlock`, debug level via `MOONLOCK_DEBUG` env var
 
 ## Requirements
 
@@ -46,6 +48,7 @@ Create `/etc/moonlock/moonlock.toml` or `~/.config/moonlock/moonlock.toml`:
 
 ```toml
 background_path = "/usr/share/wallpapers/moon.jpg"
+background_blur = 40.0    # 0.0–200.0, optional
 fingerprint_enabled = true
 ```
 

build.rs

@@ -1,5 +1,5 @@
 // ABOUTME: Build script for compiling GResource bundle.
-// ABOUTME: Bundles style.css, wallpaper.jpg, and default-avatar.svg into the binary.
+// ABOUTME: Bundles style.css and default-avatar.svg into the binary.
 
 fn main() {
     glib_build_tools::compile_resources(

config/moonlock-pam

@@ -1,4 +1,2 @@
 #%PAM-1.0
-auth		include		system-auth
+auth		include		login
-account		include		system-auth
-session		include		system-auth

pkg/PKGBUILD

@@ -1,51 +0,0 @@
-# ABOUTME: PKGBUILD for Moonlock — secure Wayland lockscreen.
-# ABOUTME: Builds from git source with automatic version detection.
-
-# Maintainer: Dominik Kressler
-
-pkgname=moonlock-git
-pkgver=0.4.1.r1.g78bcf90
-pkgrel=1
-pkgdesc="A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
-arch=('x86_64')
-url="https://gitea.moonarch.de/nevaforget/moonlock"
-license=('MIT')
-depends=(
-    'gtk4'
-    'gtk4-layer-shell'
-    'gtk-session-lock'
-    'pam'
-    'systemd-libs'
-)
-makedepends=(
-    'git'
-    'cargo'
-)
-optdepends=(
-    'fprintd: fingerprint authentication support'
-)
-provides=('moonlock')
-conflicts=('moonlock')
-source=("git+${url}.git")
-sha256sums=('SKIP')
-
-pkgver() {
-    cd "$srcdir/moonlock"
-    git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./'
-}
-
-build() {
-    cd "$srcdir/moonlock"
-    cargo build --release --locked
-}
-
-package() {
-    cd "$srcdir/moonlock"
-    install -Dm755 target/release/moonlock "$pkgdir/usr/bin/moonlock"
-
-    # PAM configuration
-    install -Dm644 config/moonlock-pam "$pkgdir/etc/pam.d/moonlock"
-
-    # Example config
-    install -Dm644 config/moonlock.toml.example "$pkgdir/etc/moonlock/moonlock.toml.example"
-}

resources/resources.gresource.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <gresources>
   <gresource prefix="/dev/moonarch/moonlock">
-    <file>style.css</file>
+    <file compressed="true">style.css</file>
-    <file>default-avatar.svg</file>
+    <file compressed="true">default-avatar.svg</file>
   </gresource>
 </gresources>

resources/style.css

@@ -1,9 +1,9 @@
 /* ABOUTME: GTK4 CSS stylesheet for the Moonlock lockscreen. */
-/* ABOUTME: Dark theme styling matching the Moonarch ecosystem. */
+/* ABOUTME: Uses GTK theme colors for consistency with the active desktop theme. */
 
 /* Main window background */
 window.lockscreen {
-    background-color: #1a1a2e;
+    background-color: @theme_bg_color;
     background-size: cover;
     background-position: center;
     opacity: 0;
@@ -27,14 +27,14 @@ window.lockscreen.visible {
     min-width: 128px;
     min-height: 128px;
     background-color: @theme_selected_bg_color;
-    border: 3px solid alpha(white, 0.3);
+    border: 3px solid alpha(@theme_fg_color, 0.3);
 }
 
 /* Username label */
 .username-label {
     font-size: 24px;
     font-weight: bold;
-    color: white;
+    color: @theme_fg_color;
     margin-top: 12px;
     margin-bottom: 40px;
 }
@@ -46,29 +46,29 @@ window.lockscreen.visible {
 
 /* Error message label */
 .error-label {
-    color: #ff6b6b;
+    color: @error_color;
     font-size: 14px;
 }
 
 /* Fingerprint status indicator */
 .fingerprint-label {
-    color: alpha(white, 0.6);
+    color: alpha(@theme_fg_color, 0.6);
     font-size: 13px;
     margin-top: 8px;
 }
 
 .fingerprint-label.success {
-    color: #51cf66;
+    color: @success_color;
 }
 
 .fingerprint-label.failed {
-    color: #ff6b6b;
+    color: @error_color;
 }
 
 /* Confirmation prompt */
 .confirm-label {
     font-size: 16px;
-    color: white;
+    color: @theme_fg_color;
     margin-bottom: 4px;
 }
 
@@ -103,12 +103,12 @@ window.lockscreen.visible {
     min-height: 48px;
     padding: 0px;
     border-radius: 24px;
-    background-color: alpha(white, 0.1);
+    background-color: alpha(@theme_fg_color, 0.1);
-    color: white;
+    color: @theme_fg_color;
     border: none;
     margin: 4px;
 }
 
 .power-button:hover {
-    background-color: alpha(white, 0.25);
+    background-color: alpha(@theme_fg_color, 0.25);
 }

src/auth.rs

@@ -54,8 +54,6 @@ unsafe extern "C" {
 
     fn pam_authenticate(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
 
-    fn pam_acct_mgmt(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
-
     fn pam_end(pamh: *mut libc::c_void, pam_status: libc::c_int) -> libc::c_int;
 }
 
@@ -117,7 +115,7 @@ unsafe extern "C" fn pam_conv_callback(
                 }
                 PAM_PROMPT_ECHO_ON => {
                     // Visible prompt — provide empty string, never the password
-                    let empty = libc::strdup(b"\0".as_ptr() as *const libc::c_char);
+                    let empty = libc::strdup(c"".as_ptr());
                     if empty.is_null() {
                         for j in 0..i {
                             let prev = resp_array.offset(j);
@@ -191,64 +189,23 @@ pub fn authenticate(username: &str, password: &str) -> bool {
         return false;
     }
 
-    // Safety: handle is valid and non-null after successful pam_start
+    // Safety: handle is valid and non-null after successful pam_start.
+    // Note: pam_setcred is intentionally NOT called here. A lockscreen unlocks
+    // an existing session whose credentials were already established at login;
+    // refreshing them would duplicate work done by the session's login manager.
+    // If per-unlock credential refresh (Kerberos tickets, pam_gnome_keyring)
+    // is ever desired, hook it here with PAM_ESTABLISH_CRED.
+    //
+    // pam_acct_mgmt is intentionally NOT called: the PAM stack (`auth include
+    // login`) has no `account` module, and pam_unix(account) requires setuid
+    // root for /etc/shadow. Lockout/faillock and policy checks happen inside
+    // the inherited auth stack via pam_faillock. See DECISIONS.md 2026-04-30.
     let auth_ret = unsafe { pam_authenticate(handle, 0) };
-    let acct_ret = if auth_ret == PAM_SUCCESS {
-        // Safety: handle is valid, check account restrictions
-        unsafe { pam_acct_mgmt(handle, 0) }
-    } else {
-        auth_ret
-    };
 
     // Safety: handle is valid, pam_end cleans up the PAM session
-    unsafe { pam_end(handle, acct_ret) };
+    unsafe { pam_end(handle, auth_ret) };
 
-    acct_ret == PAM_SUCCESS
+    auth_ret == PAM_SUCCESS
-}
-
-/// Check account restrictions via PAM without authentication.
-///
-/// Used after fingerprint unlock to enforce account policies (lockout, expiry)
-/// that would otherwise be bypassed when not going through pam_authenticate.
-/// Returns true if the account is valid and allowed to log in.
-pub fn check_account(username: &str) -> bool {
-    let service = match CString::new("moonlock") {
-        Ok(c) => c,
-        Err(_) => return false,
-    };
-
-    let username_cstr = match CString::new(username) {
-        Ok(c) => c,
-        Err(_) => return false,
-    };
-
-    // No password needed — we only check account status, not authenticate.
-    // PAM conv callback is required by pam_start but won't be called for acct_mgmt.
-    let empty_password = Zeroizing::new(CString::new("").unwrap());
-    let conv = PamConv {
-        conv: pam_conv_callback,
-        appdata_ptr: std::ptr::from_ref::<CString>(&empty_password) as *mut libc::c_void,
-    };
-
-    let mut handle: *mut libc::c_void = ptr::null_mut();
-
-    let ret = unsafe {
-        pam_start(
-            service.as_ptr(),
-            username_cstr.as_ptr(),
-            &conv,
-            &mut handle,
-        )
-    };
-
-    if ret != PAM_SUCCESS || handle.is_null() {
-        return false;
-    }
-
-    let acct_ret = unsafe { pam_acct_mgmt(handle, 0) };
-    unsafe { pam_end(handle, acct_ret) };
-
-    acct_ret == PAM_SUCCESS
 }
 
 #[cfg(test)]
@@ -285,16 +242,4 @@ mod tests {
         let result = authenticate("", "password");
         assert!(!result);
     }
-
-    #[test]
-    fn check_account_empty_username_fails() {
-        let result = check_account("");
-        assert!(!result);
-    }
-
-    #[test]
-    fn check_account_null_byte_username_fails() {
-        let result = check_account("user\0name");
-        assert!(!result);
-    }
 }

src/config.rs

@@ -52,7 +52,7 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
                 Ok(parsed) => {
                     if parsed.background_path.is_some() { merged.background_path = parsed.background_path; }
                     if let Some(blur) = parsed.background_blur {
-                        merged.background_blur = Some(blur.clamp(0.0, 100.0));
+                        merged.background_blur = Some(blur.clamp(0.0, 200.0));
                     }
                     if let Some(fp) = parsed.fingerprint_enabled { merged.fingerprint_enabled = fp; }
                 }
@@ -72,8 +72,11 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if let Ok(meta) = path.symlink_metadata() {
+        if let Ok(meta) = path.symlink_metadata()
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(path); }
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(path);
         }
     }
     if moonarch_wallpaper.is_file() { return Some(moonarch_wallpaper.to_path_buf()); }

src/fingerprint.rs

@@ -175,17 +175,6 @@ impl FingerprintListener {
         Self::begin_verification(listener, username).await;
     }
 
-    /// Resume fingerprint verification after a transient interruption (e.g. failed
-    /// PAM account check). Reuses previously stored callbacks. Re-claims the device
-    /// and restarts verification from scratch.
-    pub async fn resume_async(
-        listener: &Rc<RefCell<FingerprintListener>>,
-        username: &str,
-    ) {
-        listener.borrow_mut().failed_attempts = 0;
-        Self::begin_verification(listener, username).await;
-    }
-
     /// Claim device, start verification, and connect D-Bus signal handler.
     /// Assumes device_proxy is set and callbacks are already stored.
     async fn begin_verification(
@@ -352,26 +341,32 @@ impl FingerprintListener {
         }
     }
 
-    /// Disconnect the signal handler and send VerifyStop + Release to fprintd.
+    /// Disconnect the signal handler and clear running flags. Returns the proxy
-    /// Signal disconnect is synchronous to prevent further callbacks.
+    /// the caller should use for the async D-Bus cleanup (VerifyStop + Release).
-    /// D-Bus cleanup is fire-and-forget to avoid blocking the UI.
+    fn take_cleanup_proxy(&mut self) -> Option<gio::DBusProxy> {
-    fn cleanup_dbus(&mut self) {
         self.running = false;
         self.running_flag.set(false);
 
-        if let Some(ref proxy) = self.device_proxy {
+        let proxy = self.device_proxy.clone()?;
-            if let Some(id) = self.signal_id.take() {
+        if let Some(id) = self.signal_id.take() {
-                proxy.disconnect(id);
+            proxy.disconnect(id);
-            }
+        }
-            let proxy = proxy.clone();
+        Some(proxy)
-            glib::spawn_future_local(async move {
+    }
-                let _ = proxy
+
-                    .call_future("VerifyStop", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+    async fn perform_dbus_cleanup(proxy: gio::DBusProxy) {
-                    .await;
+        let _ = proxy
-                let _ = proxy
+            .call_future("VerifyStop", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
-                    .call_future("Release", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+            .await;
-                    .await;
+        let _ = proxy
-            });
+            .call_future("Release", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+            .await;
+    }
+
+    /// Fire-and-forget cleanup for code paths that cannot await (e.g. drop, stop).
+    fn cleanup_dbus(&mut self) {
+        if let Some(proxy) = self.take_cleanup_proxy() {
+            glib::spawn_future_local(Self::perform_dbus_cleanup(proxy));
         }
     }
 

src/lockscreen.rs

@@ -24,7 +24,6 @@ use crate::users;
 pub struct LockscreenHandles {
     pub window: gtk::ApplicationWindow,
     pub fp_label: gtk::Label,
-    pub password_entry: gtk::PasswordEntry,
     pub unlock_callback: Rc<dyn Fn()>,
     pub username: String,
     state: Rc<RefCell<LockscreenState>>,
@@ -67,7 +66,6 @@ pub fn create_lockscreen_window(
             return LockscreenHandles {
                 window,
                 fp_label,
-                password_entry: gtk::PasswordEntry::new(),
                 unlock_callback,
                 username: String::new(),
                 state: Rc::new(RefCell::new(LockscreenState {
@@ -137,7 +135,7 @@ pub fn create_lockscreen_window(
     // Password entry
     let password_entry = gtk::PasswordEntry::builder()
         .placeholder_text(strings.password_placeholder)
-        .show_peek_icon(false)
+        .show_peek_icon(true)
         .hexpand(true)
         .build();
     password_entry.add_css_class("password-entry");
@@ -170,55 +168,17 @@ pub fn create_lockscreen_window(
     power_box.set_margin_end(16);
     power_box.set_margin_bottom(16);
 
-    let reboot_btn = gtk::Button::new();
+    for action in power_actions() {
-    reboot_btn.set_icon_name("system-reboot-symbolic");
+        let button = create_power_button(
-    reboot_btn.add_css_class("power-button");
+            action,
-    reboot_btn.set_tooltip_text(Some(strings.reboot_tooltip));
+            strings,
-    reboot_btn.connect_clicked(clone!(
+            &power_box,
-        #[weak]
+            &confirm_area,
-        confirm_area,
+            &confirm_box,
-        #[strong]
+            &error_label,
-        confirm_box,
+        );
-        #[weak]
+        power_box.append(&button);
-        error_label,
+    }
-        move |_| {
-            show_power_confirm(
-                strings.reboot_confirm,
-                power::reboot,
-                strings.reboot_failed,
-                strings,
-                &confirm_area,
-                &confirm_box,
-                &error_label,
-            );
-        }
-    ));
-    power_box.append(&reboot_btn);
-
-    let shutdown_btn = gtk::Button::new();
-    shutdown_btn.set_icon_name("system-shutdown-symbolic");
-    shutdown_btn.add_css_class("power-button");
-    shutdown_btn.set_tooltip_text(Some(strings.shutdown_tooltip));
-    shutdown_btn.connect_clicked(clone!(
-        #[weak]
-        confirm_area,
-        #[strong]
-        confirm_box,
-        #[weak]
-        error_label,
-        move |_| {
-            show_power_confirm(
-                strings.shutdown_confirm,
-                power::shutdown,
-                strings.shutdown_failed,
-                strings,
-                &confirm_area,
-                &confirm_box,
-                &error_label,
-            );
-        }
-    ));
-    power_box.append(&shutdown_btn);
 
     overlay.add_overlay(&power_box);
 
@@ -244,6 +204,10 @@ pub fn create_lockscreen_window(
             if password.is_empty() {
                 return;
             }
+            // Clear the GTK entry's internal buffer as early as possible. GTK allocates
+            // the backing GString via libc malloc, which zeroize cannot reach — the
+            // best we can do is shorten the window during which it resides in memory.
+            entry.set_text("");
 
             entry.set_sensitive(false);
             let username = username.clone();
@@ -391,7 +355,6 @@ pub fn create_lockscreen_window(
     LockscreenHandles {
         window,
         fp_label,
-        password_entry: password_entry.clone(),
         unlock_callback,
         username: user.username,
         state: state.clone(),
@@ -423,52 +386,16 @@ pub fn start_fingerprint(
     let unlock_cb_fp = handles.unlock_callback.clone();
 
     let fp_rc_success = fp_rc.clone();
-    let fp_username = handles.username.clone();
     let on_success = move || {
         let label = fp_label_success.clone();
         let cb = unlock_cb_fp.clone();
         let fp = fp_rc_success.clone();
-        let username = fp_username.clone();
         glib::idle_add_local_once(move || {
             let strings = load_strings(None);
             label.set_text(strings.fingerprint_success);
             label.add_css_class("success");
-            // stop() is idempotent — cleanup_dbus() already ran inside on_verify_status,
-            // but this mirrors the PAM success path for defense-in-depth.
             fp.borrow_mut().stop();
-
+            cb();
-            // Enforce PAM account policies (lockout, expiry) before unlocking.
-            // Fingerprint auth bypasses pam_authenticate, so we must explicitly
-            // check account restrictions via pam_acct_mgmt.
-            glib::spawn_future_local(async move {
-                let user = username.clone();
-                let result = gio::spawn_blocking(move || {
-                    auth::check_account(&user)
-                }).await;
-                match result {
-                    Ok(true) => cb(),
-                    _ => {
-                        log::error!("PAM account check failed after fingerprint auth");
-                        let strings = load_strings(None);
-                        label.set_text(strings.wrong_password);
-                        label.remove_css_class("success");
-                        label.add_css_class("failed");
-                        // Restart FP verification after delay — the failure may be
-                        // transient (e.g. PAM module timeout). If the account is truly
-                        // locked, check_account will fail again on next match.
-                        glib::timeout_add_local_once(
-                            std::time::Duration::from_secs(2),
-                            move || {
-                                label.set_text(load_strings(None).fingerprint_prompt);
-                                label.remove_css_class("failed");
-                                glib::spawn_future_local(async move {
-                                    FingerprintListener::resume_async(&fp, &username).await;
-                                });
-                            },
-                        );
-                    }
-                }
-            });
         });
     };
 
@@ -515,15 +442,43 @@ pub fn start_fingerprint(
     });
 }
 
+/// Read a file with O_NOFOLLOW so a symlink swapped in after a prior
+/// stat-based check (TOCTOU) fails the open with ELOOP instead of being
+/// followed. Shared by the wallpaper and avatar loads — the two file reads
+/// on the lock path.
+fn read_file_nofollow(path: &Path) -> std::io::Result<Vec<u8>> {
+    use std::io::Read;
+    use std::os::unix::fs::OpenOptionsExt;
+
+    let mut file = std::fs::OpenOptions::new()
+        .read(true)
+        .custom_flags(libc::O_NOFOLLOW)
+        .open(path)?;
+    let mut bytes = Vec::new();
+    file.read_to_end(&mut bytes)?;
+    Ok(bytes)
+}
+
 /// Load the wallpaper as a texture once, for sharing across all windows.
 /// Returns None if no wallpaper path is provided or the file cannot be loaded.
 /// Blur is applied at render time via GPU (GskBlurNode), not here.
+///
+/// Opens the file with O_NOFOLLOW to close the TOCTOU window between the
+/// symlink check in `resolve_background_path_with` and this read. If the path
+/// was swapped for a symlink after the check, `open` fails with ELOOP.
 pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
-    let file = gio::File::for_path(bg_path);
+    let bytes = match read_file_nofollow(bg_path) {
-    match gdk::Texture::from_file(&file) {
+        Ok(b) => b,
+        Err(e) => {
+            log::warn!("Failed to read wallpaper {}: {e}", bg_path.display());
+            return None;
+        }
+    };
+    let glib_bytes = glib::Bytes::from_owned(bytes);
+    match gdk::Texture::from_bytes(&glib_bytes) {
         Ok(texture) => Some(texture),
         Err(e) => {
-            log::warn!("Failed to load wallpaper {}: {e}", bg_path.display());
+            log::warn!("Failed to decode wallpaper {}: {e}", bg_path.display());
             None
         }
     }
@@ -545,26 +500,28 @@ fn create_background_picture(
     background.set_hexpand(true);
     background.set_vexpand(true);
 
-    if let Some(sigma) = blur_radius {
+    if let Some(sigma) = blur_radius.filter(|s| *s > 0.0) {
-        if sigma > 0.0 {
+        let texture = texture.clone();
-            let texture = texture.clone();
+        let cache = blur_cache.clone();
-            let cache = blur_cache.clone();
+        background.connect_realize(move |picture| {
-            background.connect_realize(move |picture| {
+            if let Some(ref cached) = *cache.borrow() {
-                if let Some(ref cached) = *cache.borrow() {
+                picture.set_paintable(Some(cached));
-                    picture.set_paintable(Some(cached));
+                return;
-                    return;
+            }
-                }
+            if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
-                if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
+                picture.set_paintable(Some(&blurred));
-                    picture.set_paintable(Some(&blurred));
+                *cache.borrow_mut() = Some(blurred);
-                    *cache.borrow_mut() = Some(blurred);
+            }
-                }
+        });
-            });
-        }
     }
 
     background
 }
 
+// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
+// are duplicated in moongreet/src/greeter.rs and moonset/src/panel.rs.
+// Changes here must be mirrored to the other two projects.
+
 /// Maximum texture dimension for blur input. Textures larger than this are
 /// downscaled before blurring — the blur destroys detail anyway, so there is
 /// no visible quality loss, but GPU work is reduced significantly.
@@ -619,30 +576,48 @@ fn render_blurred_texture(
 }
 
 /// Load an image file and set it as the avatar. Stores the texture in the cache.
+/// Decoding runs via GIO async I/O + async pixbuf stream loader so the GTK main
+/// loop stays responsive — avatars may be loaded inside the `connect_monitor`
+/// signal handler at hotplug time, which must not block. The fallback icon is
+/// shown immediately; the decoded texture replaces it when ready.
 fn set_avatar_from_file(
     image: &gtk::Image,
     path: &Path,
     cache: &Rc<RefCell<Option<gdk::Texture>>>,
 ) {
-    let path_str = match path.to_str() {
+    image.set_icon_name(Some("avatar-default-symbolic"));
-        Some(s) => s,
+
-        None => {
+    let display_path = path.to_path_buf();
-            log::warn!("Avatar path is not valid UTF-8: {:?}", path);
+    let read_path = path.to_path_buf();
-            image.set_icon_name(Some("avatar-default-symbolic"));
+    let image_clone = image.clone();
-            return;
+    let cache_clone = cache.clone();
+
+    glib::spawn_future_local(async move {
+        // Read with O_NOFOLLOW on a blocking thread to close the TOCTOU window
+        // between the symlink check in users::get_avatar_path_with and this open.
+        let bytes = match gio::spawn_blocking(move || read_file_nofollow(&read_path)).await {
+            Ok(Ok(b)) => b,
+            Ok(Err(e)) => {
+                log::warn!("Failed to open avatar {}: {e}", display_path.display());
+                return;
+            }
+            Err(_) => {
+                log::warn!("Avatar read task failed for {}", display_path.display());
+                return;
+            }
+        };
+        let stream = gio::MemoryInputStream::from_bytes(&glib::Bytes::from_owned(bytes));
+        match Pixbuf::from_stream_at_scale_future(&stream, AVATAR_SIZE, AVATAR_SIZE, true).await {
+            Ok(pixbuf) => {
+                let texture = gdk::Texture::for_pixbuf(&pixbuf);
+                image_clone.set_paintable(Some(&texture));
+                *cache_clone.borrow_mut() = Some(texture);
+            }
+            Err(e) => {
+                log::warn!("Failed to decode avatar from {}: {e}", display_path.display());
+            }
         }
-    };
+    });
-    match Pixbuf::from_file_at_scale(path_str, AVATAR_SIZE, AVATAR_SIZE, true) {
-        Ok(pixbuf) => {
-            let texture = gdk::Texture::for_pixbuf(&pixbuf);
-            image.set_paintable(Some(&texture));
-            *cache.borrow_mut() = Some(texture);
-        }
-        Err(e) => {
-            log::warn!("Failed to load avatar from {:?}: {e}", path);
-            image.set_icon_name(Some("avatar-default-symbolic"));
-        }
-    }
 }
 
 /// Load the default avatar SVG from GResources, tinted with the foreground color.
@@ -682,23 +657,84 @@ fn set_default_avatar(
     image.set_icon_name(Some("avatar-default-symbolic"));
 }
 
+/// Definition for a single power-action button (reboot, shutdown).
+/// Couples icon, prompt, error text and action so a button cannot be wired
+/// with a mismatched prompt/action pair. Mirrors moonset's `ActionDef`.
+#[derive(Clone, Copy)]
+struct PowerAction {
+    icon_name: &'static str,
+    tooltip_attr: fn(&Strings) -> &'static str,
+    confirm_attr: fn(&Strings) -> &'static str,
+    error_attr: fn(&Strings) -> &'static str,
+    action_fn: fn() -> Result<(), PowerError>,
+}
+
+/// The power actions offered on the lockscreen.
+fn power_actions() -> [PowerAction; 2] {
+    [
+        PowerAction {
+            icon_name: "system-reboot-symbolic",
+            tooltip_attr: |s| s.reboot_tooltip,
+            confirm_attr: |s| s.reboot_confirm,
+            error_attr: |s| s.reboot_failed,
+            action_fn: power::reboot,
+        },
+        PowerAction {
+            icon_name: "system-shutdown-symbolic",
+            tooltip_attr: |s| s.shutdown_tooltip,
+            confirm_attr: |s| s.shutdown_confirm,
+            error_attr: |s| s.shutdown_failed,
+            action_fn: power::shutdown,
+        },
+    ]
+}
+
+/// Build a power-action icon button wired to the confirmation flow.
+fn create_power_button(
+    action: PowerAction,
+    strings: &'static Strings,
+    power_box: &gtk::Box,
+    confirm_area: &gtk::Box,
+    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
+    error_label: &gtk::Label,
+) -> gtk::Button {
+    let button = gtk::Button::new();
+    button.set_icon_name(action.icon_name);
+    button.add_css_class("power-button");
+    button.set_tooltip_text(Some((action.tooltip_attr)(strings)));
+    button.connect_clicked(clone!(
+        #[weak]
+        power_box,
+        #[weak]
+        confirm_area,
+        #[strong]
+        confirm_box,
+        #[weak]
+        error_label,
+        move |_| {
+            show_power_confirm(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
+        }
+    ));
+    button
+}
+
 /// Show inline power confirmation.
 fn show_power_confirm(
-    message: &'static str,
+    action: PowerAction,
-    action_fn: fn() -> Result<(), PowerError>,
-    error_message: &'static str,
     strings: &'static Strings,
+    power_box: &gtk::Box,
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
 ) {
     dismiss_power_confirm(confirm_area, confirm_box);
+    error_label.set_visible(false);
 
     let new_box = gtk::Box::new(gtk::Orientation::Vertical, 8);
     new_box.set_halign(gtk::Align::Center);
     new_box.set_margin_top(16);
 
-    let confirm_label = gtk::Label::new(Some(message));
+    let confirm_label = gtk::Label::new(Some((action.confirm_attr)(strings)));
     confirm_label.add_css_class("confirm-label");
     new_box.append(&confirm_label);
 
@@ -708,6 +744,8 @@ fn show_power_confirm(
     let yes_btn = gtk::Button::with_label(strings.confirm_yes);
     yes_btn.add_css_class("confirm-yes");
     yes_btn.connect_clicked(clone!(
+        #[weak]
+        power_box,
         #[weak]
         confirm_area,
         #[strong]
@@ -715,8 +753,7 @@ fn show_power_confirm(
         #[weak]
         error_label,
         move |_| {
-            dismiss_power_confirm(&confirm_area, &confirm_box);
+            execute_power_action(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
-            execute_power_action(action_fn, error_message, &error_label);
         }
     ));
     button_row.append(&yes_btn);
@@ -747,28 +784,44 @@ fn dismiss_power_confirm(confirm_area: &gtk::Box, confirm_box: &Rc<RefCell<Optio
     }
 }
 
-/// Execute a power action in a background thread.
+/// Execute a power action in a background thread, guarding against re-trigger.
 fn execute_power_action(
-    action_fn: fn() -> Result<(), PowerError>,
+    action: PowerAction,
-    error_message: &'static str,
+    strings: &'static Strings,
+    power_box: &gtk::Box,
+    confirm_area: &gtk::Box,
+    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
 ) {
+    dismiss_power_confirm(confirm_area, confirm_box);
+
+    let action_fn = action.action_fn;
+    let error_message = (action.error_attr)(strings);
+
+    // Desensitize the power buttons so a double-click or keyboard repeat cannot
+    // fire the same action twice while it is in flight.
+    power_box.set_sensitive(false);
+
     glib::spawn_future_local(clone!(
+        #[weak]
+        power_box,
         #[weak]
         error_label,
         async move {
-            let result = gio::spawn_blocking(move || action_fn()).await;
+            let result = gio::spawn_blocking(action_fn).await;
             match result {
                 Ok(Ok(())) => {}
                 Ok(Err(e)) => {
                     log::error!("Power action failed: {e}");
                     error_label.set_text(error_message);
                     error_label.set_visible(true);
+                    power_box.set_sensitive(true);
                 }
                 Err(_) => {
                     log::error!("Power action panicked");
                     error_label.set_text(error_message);
                     error_label.set_visible(true);
+                    power_box.set_sensitive(true);
                 }
             }
         }
@@ -788,4 +841,25 @@ mod tests {
     fn avatar_size_matches_css() {
         assert_eq!(AVATAR_SIZE, 128);
     }
+
+    #[test]
+    fn read_file_nofollow_reads_regular_file() {
+        let dir = tempfile::tempdir().unwrap();
+        let file = dir.path().join("avatar.png");
+        std::fs::write(&file, b"avatar-bytes").unwrap();
+        assert_eq!(read_file_nofollow(&file).unwrap(), b"avatar-bytes");
+    }
+
+    #[test]
+    fn read_file_nofollow_rejects_symlink() {
+        use std::os::unix::fs::symlink;
+        let dir = tempfile::tempdir().unwrap();
+        let target = dir.path().join("secret");
+        std::fs::write(&target, b"secret").unwrap();
+        let link = dir.path().join("avatar.png");
+        symlink(&target, &link).unwrap();
+        // O_NOFOLLOW makes the open fail with ELOOP instead of following the link.
+        let err = read_file_nofollow(&link).unwrap_err();
+        assert_eq!(err.raw_os_error(), Some(libc::ELOOP));
+    }
 }

src/main.rs

@@ -12,7 +12,6 @@ mod users;
 use gdk4 as gdk;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
-use gtk4_session_lock;
 use std::cell::{Cell, RefCell};
 use std::rc::Rc;
 
@@ -59,24 +58,28 @@ fn activate(app: &gtk::Application) {
 
 fn activate_with_session_lock(
     app: &gtk::Application,
-    display: &gdk::Display,
+    _display: &gdk::Display,
     config: &config::Config,
 ) {
     let lock = gtk4_session_lock::Instance::new();
-    lock.lock();
 
-    // Load wallpaper AFTER lock — disk I/O must not delay the lock acquisition
+    // Load wallpaper before lock — connect_monitor fires during lock() and needs the
-    let bg_texture = config::resolve_background_path(config)
+    // texture. This means disk I/O happens before locking, but loading a local JPEG
-        .and_then(|path| lockscreen::load_background_texture(&path));
+    // is fast enough that the delay is negligible.
-
+    let bg_texture: Rc<Option<gdk::Texture>> = Rc::new(
-    let monitors = display.monitors();
+        config::resolve_background_path(config)
+            .and_then(|path| lockscreen::load_background_texture(&path)),
+    );
 
     // Shared unlock callback — unlocks session and quits.
     // Guard prevents double-unlock if PAM and fingerprint succeed simultaneously.
     let lock_clone = lock.clone();
-    let app_clone = app.clone();
     let already_unlocked = Rc::new(Cell::new(false));
     let au = already_unlocked.clone();
+    // unlock() only. The library destroys the lock windows itself when the lock ends,
+    // and the ::unlocked handler quits the app afterwards. Calling app.quit() here too
+    // double-destroyed the windows (their surface was already gone) and segfaulted
+    // gtk_window_destroy. Matches the upstream gtk4-session-lock example.
     let unlock_callback: Rc<dyn Fn()> = Rc::new(move || {
         if au.get() {
             log::debug!("Unlock already triggered, ignoring duplicate");
@@ -84,75 +87,132 @@ fn activate_with_session_lock(
         }
         au.set(true);
         lock_clone.unlock();
-        app_clone.quit();
     });
 
     // Shared caches for multi-monitor — first monitor renders, rest reuse
     let blur_cache: Rc<RefCell<Option<gdk::Texture>>> = Rc::new(RefCell::new(None));
     let avatar_cache: Rc<RefCell<Option<gdk::Texture>>> = Rc::new(RefCell::new(None));
 
-    // Create all monitor windows immediately — no D-Bus calls here
+    // Shared config for use in the monitor signal handler
-    let mut all_handles = Vec::new();
+    let config = Rc::new(config.clone());
-    let mut created_any = false;
+
-    for i in 0..monitors.n_items() {
+    // Shared handles list — populated by connect_monitor, read by fingerprint init
-        if let Some(monitor) = monitors
+    let all_handles: Rc<RefCell<Vec<lockscreen::LockscreenHandles>>> =
-            .item(i)
+        Rc::new(RefCell::new(Vec::new()));
-            .and_then(|obj| obj.downcast::<gdk::Monitor>().ok())
+
-        {
+    // Shared fingerprint listener — None until async init completes.
+    // The monitor handler checks this to wire up FP labels on hotplugged monitors.
+    let shared_fp: Rc<RefCell<Option<Rc<RefCell<FingerprintListener>>>>> =
+        Rc::new(RefCell::new(None));
+
+    // The ::monitor signal fires once per existing monitor at lock(), and again
+    // whenever a monitor is hotplugged (e.g. after suspend/resume). This replaces
+    // the old manual monitor iteration and handles hotplug automatically.
+    let lock_for_signal = lock.clone();
+    lock.connect_monitor(glib::clone!(
+        #[strong]
+        app,
+        #[strong]
+        config,
+        #[strong]
+        bg_texture,
+        #[strong]
+        unlock_callback,
+        #[strong]
+        blur_cache,
+        #[strong]
+        avatar_cache,
+        #[strong]
+        all_handles,
+        #[strong]
+        shared_fp,
+        move |_instance, monitor| {
+            log::debug!("Monitor signal: creating lockscreen window");
             let handles = lockscreen::create_lockscreen_window(
-                bg_texture.as_ref(),
+                bg_texture.as_ref().as_ref(),
-                config,
+                &config,
-                app,
+                &app,
                 unlock_callback.clone(),
                 &blur_cache,
                 &avatar_cache,
             );
-            lock.assign_window_to_monitor(&handles.window, &monitor);
+            lock_for_signal.assign_window_to_monitor(&handles.window, monitor);
             handles.window.present();
-            all_handles.push(handles);
-            created_any = true;
-        }
-    }
 
-    if !created_any {
+            // If fingerprint is already initialized, wire up the label
-        log::error!("No lockscreen windows created — screen stays locked (compositor policy)");
+            if let Some(ref fp_rc) = *shared_fp.borrow() {
-        std::process::exit(1);
+                lockscreen::show_fingerprint_label(&handles, fp_rc);
-    }
+            }
+
+            all_handles.borrow_mut().push(handles);
+        }
+    ));
+
+    // Quit only after the library finishes unlocking (::unlocked fires after the lock
+    // ends). gtk4-session-lock destroys the lock windows itself at lock-end; quitting
+    // earlier — or destroying windows ourselves — races that teardown and segfaults
+    // gtk_window_destroy on an already-gone surface. Mirrors the upstream example.
+    lock.connect_unlocked(glib::clone!(
+        #[weak]
+        app,
+        move |_| app.quit()
+    ));
+
+    lock.lock();
 
     // Async fprintd initialization — runs after windows are visible
     if config.fingerprint_enabled {
-        init_fingerprint_async(all_handles);
+        init_fingerprint_async(all_handles, shared_fp);
     }
 }
 
 /// Initialize fprintd asynchronously after windows are visible.
 /// Uses a single FingerprintListener shared across all monitors —
-/// only the first monitor's handles get the fingerprint UI wired up.
+/// only the first monitor's handles get the fingerprint verification wired up.
-fn init_fingerprint_async(all_handles: Vec<lockscreen::LockscreenHandles>) {
+/// The `shared_fp` is set after init so that the connect_monitor handler can
+/// wire up FP labels on monitors that appear after initialization.
+fn init_fingerprint_async(
+    all_handles: Rc<RefCell<Vec<lockscreen::LockscreenHandles>>>,
+    shared_fp: Rc<RefCell<Option<Rc<RefCell<FingerprintListener>>>>>,
+) {
     glib::spawn_future_local(async move {
         let mut listener = FingerprintListener::new();
         listener.init_async().await;
 
-        // Use the first monitor's username to check enrollment
+        // Extract username without holding a borrow across the await below —
-        let username = &all_handles[0].username;
+        // otherwise a concurrent connect_monitor signal (hotplug / suspend-resume)
-        if username.is_empty() {
+        // that tries to borrow_mut() panics at runtime.
-            return;
+        let username = {
-        }
+            let handles = all_handles.borrow();
+            if handles.is_empty() {
+                return;
+            }
+            let u = handles[0].username.clone();
+            if u.is_empty() {
+                return;
+            }
+            u
+        };
 
-        if !listener.is_available_async(username).await {
+        if !listener.is_available_async(&username).await {
             log::debug!("fprintd not available or no enrolled fingers");
             return;
         }
 
         let fp_rc = Rc::new(RefCell::new(listener));
 
-        // Show fingerprint label on all monitors
+        // Re-borrow after the await — no further awaits in this scope, so it is
-        for handles in &all_handles {
+        // safe to hold the borrow briefly while wiring up the labels.
-            lockscreen::show_fingerprint_label(handles, &fp_rc);
+        {
+            let handles = all_handles.borrow();
+            for h in handles.iter() {
+                lockscreen::show_fingerprint_label(h, &fp_rc);
+            }
+            lockscreen::start_fingerprint(&handles[0], &fp_rc);
         }
 
-        // Start verification listener on the first monitor only
+        // Publish the listener so hotplugged monitors get FP labels too
-        lockscreen::start_fingerprint(&all_handles[0], &fp_rc);
+        *shared_fp.borrow_mut() = Some(fp_rc);
     });
 }
 
@@ -184,7 +244,9 @@ fn activate_without_lock(
 
     // Async fprintd initialization for development mode
     if config.fingerprint_enabled {
-        init_fingerprint_async(vec![handles]);
+        let all_handles = Rc::new(RefCell::new(vec![handles]));
+        let shared_fp = Rc::new(RefCell::new(None));
+        init_fingerprint_async(all_handles, shared_fp);
     }
 }
 
@@ -199,11 +261,17 @@ fn setup_logging() {
             eprintln!("Failed to create journal logger: {e}");
         }
     }
+    // Debug level is only selectable in debug builds. Release binaries ignore
+    // MOONLOCK_DEBUG so a session script cannot escalate log verbosity to leak
+    // fprintd / D-Bus internals into the journal.
+    #[cfg(debug_assertions)]
     let level = if std::env::var("MOONLOCK_DEBUG").is_ok() {
         log::LevelFilter::Debug
     } else {
         log::LevelFilter::Info
     };
+    #[cfg(not(debug_assertions))]
+    let level = log::LevelFilter::Info;
     log::set_max_level(level);
 }
 

src/users.rs

@@ -12,7 +12,6 @@ pub struct User {
     pub username: String,
     pub display_name: String,
     pub home: PathBuf,
-    pub uid: u32,
 }
 
 pub fn get_current_user() -> Option<User> {
@@ -29,7 +28,7 @@ pub fn get_current_user() -> Option<User> {
         let first = gecos.split(',').next().unwrap_or("");
         if first.is_empty() { nix_user.name.clone() } else { first.to_string() }
     } else { nix_user.name.clone() };
-    Some(User { username: nix_user.name, display_name, home: nix_user.dir, uid: uid.as_raw() })
+    Some(User { username: nix_user.name, display_name, home: nix_user.dir })
 }
 
 pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
@@ -39,14 +38,20 @@ pub fn get_avatar_path(home: &Path, username: &str) -> Option<PathBuf> {
 pub fn get_avatar_path_with(home: &Path, username: &str, accountsservice_dir: &Path) -> Option<PathBuf> {
     // ~/.face takes priority — single stat via symlink_metadata to avoid TOCTOU
     let face = home.join(".face");
-    if let Ok(meta) = face.symlink_metadata() {
+    if let Ok(meta) = face.symlink_metadata()
-        if meta.is_file() && !meta.file_type().is_symlink() { return Some(face); }
+        && meta.is_file()
+        && !meta.file_type().is_symlink()
+    {
+        return Some(face);
     }
     // AccountsService icon
     if accountsservice_dir.exists() {
         let icon = accountsservice_dir.join(username);
-        if let Ok(meta) = icon.symlink_metadata() {
+        if let Ok(meta) = icon.symlink_metadata()
-            if meta.is_file() && !meta.file_type().is_symlink() { return Some(icon); }
+            && meta.is_file()
+            && !meta.file_type().is_symlink()
+        {
+            return Some(icon);
         }
     }
     None