fix: audit fixes — release profile, GResource compression, lock stderr, sync markers (v0.8.1)

- Add [profile.release] with LTO, codegen-units=1, strip
- Add compressed="true" to GResource CSS/SVG entries
- Inherit moonlock stderr instead of /dev/null (errors visible in journal)
- Add SYNC comments to duplicated blur/background functions

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonset"
-version = "0.8.0"
+version = "0.8.1"
 edition = "2024"
 description = "Wayland session power menu with GTK4 and Layer Shell"
 license = "MIT"
@@ -22,5 +22,10 @@ systemd-journal-logger = "2.2"
 [dev-dependencies]
 tempfile = "3"
 
+[profile.release]
+lto = "thin"
+codegen-units = 1
+strip = true
+
 [build-dependencies]
 glib-build-tools = "0.22"

DECISIONS.md

@@ -2,6 +2,13 @@
 
 Architectural and design decisions for Moonset, in reverse chronological order.
 
+## 2026-03-31 – Fourth audit: release profile, GResource compression, lock stderr, sync markers
+
+- **Who**: Ragnar, Dom
+- **Why**: Fourth triple audit found missing release profile (LTO/strip), uncompressed GResource assets, moonlock stderr suppressed (errors invisible), and duplicated code without sync markers.
+- **Tradeoffs**: moonlock stderr now inherited instead of null — errors appear in moonset's journal context. Acceptable for debugging, no security leak since moonlock logs to its own journal identifier.
+- **How**: (1) `[profile.release]` with LTO, codegen-units=1, strip. (2) `compressed="true"` on GResource entries. (3) `Stdio::inherit()` for moonlock stderr in lock(). (4) SYNC comments on duplicated blur/background functions.
+
 ## 2026-03-28 – Remove wallpaper from GResource bundle
 
 - **Who**: Ragnar, Dom

resources/resources.gresource.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <gresources>
   <gresource prefix="/dev/moonarch/moonset">
-    <file>style.css</file>
+    <file compressed="true">style.css</file>
-    <file>default-avatar.svg</file>
+    <file compressed="true">default-avatar.svg</file>
   </gresource>
 </gresources>

src/panel.rs

@@ -103,6 +103,10 @@ pub fn load_background_texture(bg_path: Option<&Path>) -> Option<gdk::Texture> {
 
 // -- GPU blur via GskBlurNode -------------------------------------------------
 
+// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
+// are duplicated in moonlock/src/lockscreen.rs and moongreet/src/greeter.rs.
+// Changes here must be mirrored to the other two projects.
+
 /// Maximum texture dimension before downscaling for blur.
 /// Keeps GPU work reasonable on 4K+ displays.
 const MAX_BLUR_DIMENSION: f32 = 1920.0;

src/power.rs

@@ -107,7 +107,7 @@ pub fn lock() -> Result<(), PowerError> {
     Command::new("/usr/bin/moonlock")
         .stdin(Stdio::null())
         .stdout(Stdio::null())
-        .stderr(Stdio::null())
+        .stderr(Stdio::inherit())
         .spawn()
         .map_err(|e| PowerError::CommandFailed {
             action: "lock",