CLAUDE.md

@@ -1,5 +1,7 @@
 # Moonset
 
+**Name**: Hekate (Göttin der Wegkreuzungen — passend zum Power-Menu, das den Weg der Session bestimmt)
+
 ## Projekt
 
 Moonset ist ein Wayland Session Power Menu, gebaut mit Rust + gtk4-rs + gtk4-layer-shell.

Cargo.lock

@@ -616,7 +616,7 @@ dependencies = [
 
 [[package]]
 name = "moonset"
-version = "0.8.5"
+version = "0.8.2"
 dependencies = [
  "dirs",
  "gdk-pixbuf",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonset"
-version = "0.8.5"
+version = "0.8.2"
 edition = "2024"
 description = "Wayland session power menu with GTK4 and Layer Shell"
 license = "MIT"

DECISIONS.md

@@ -2,107 +2,86 @@
 
 Architectural and design decisions for Moonset, in reverse chronological order.
 
-## 2026-04-24 – Audit LOW fixes: dead uid field, home_dir warn, clippy sweep, debug value (v0.8.5)
-
-- **Who**: ClaudeCode, Dom
-- **Why**: Five LOW findings cleared in one pass. (1) `User::uid` was populated from `getuid()` but never read — a compiler `dead_code` warning for a field on the public API. (2) Falling back to a synthetic user when `get_current_user()` returned None used `uid: u32::MAX`, an undocumented sentinel that became moot once uid was removed. (3) `dirs::home_dir().unwrap_or_default()` silently yielded `PathBuf::new()` on failure; avatars would then look for `.face` in the current working directory. (4) `cargo clippy` flagged three suggestions (two collapsible `if`, one redundant closure) that had crept in. (5) `MOONSET_DEBUG` promoted log verbosity on mere presence, leaking path information into the journal.
-- **Tradeoffs**: Dropping `uid` from `User` is a minor API break for any internal caller expecting the field — none existed. The synthetic fallback now surfaces `log::warn!` when home resolution fails, which should be rare outside of pathological sandbox environments.
-- **How**: (1) Remove `pub uid: u32` from `User` and the `uid: uid.as_raw()` assignment in `get_current_user`. (2) Panel fallback drops the `uid` field entirely. (3) `dirs::home_dir().unwrap_or_else(|| { log::warn!(...); PathBuf::new() })`. (4) `cargo clippy --fix` for the two collapsible ifs, manual collapse of `if-let` + `&&` chain, redundant closure replaced with the function itself. (5) `MOONSET_DEBUG` now requires the literal value `"1"` to escalate to Debug.
-
-## 2026-04-24 – Audit MEDIUM fixes: timeout guard, POSIX locale, button desensitize, wallpaper allowlist (v0.8.4)
-
-- **Who**: ClaudeCode, Dom
-- **Why**: Five MEDIUM findings: (1) `run_command`'s timeout thread leaked a 30 s gio::spawn_blocking slot if `child.wait()` errored, because `done.store(true)` ran after the `?`. (2) Timeout detection compared `status.signal() == Some(9)` — a hardcoded signal number that also misclassifies OOM-killer SIGKILL as our timeout. (3) `execute_action` never desensitized the button_box, so a double-click or accidental keyboard repeat fired the action twice. (4) `detect_locale` read only `LANG`, ignoring POSIX priority order (`LC_ALL` > `LC_MESSAGES` > `LANG`) — a common dual-language setup picked the wrong UI language. (5) The wallpaper path was passed to gdk-pixbuf without extension or size restriction, widening the image-parser attack surface and allowing unbounded decode latency.
-- **Tradeoffs**: The extension allowlist (`jpg`, `jpeg`, `png`, `webp`) rejects exotic formats users might have used before. The 10 MB size cap rejects uncompressed/high-quality 4K wallpapers; acceptable for a power menu. Memory ordering on the `done` flag is now `Release`/`Acquire` instead of `Relaxed` — no runtime cost but correct across threads.
-- **How**: (1) RAII `DoneGuard` struct sets `done.store(true, Release)` in its `Drop`, so the flag fires on every function exit path. A second `timed_out` AtomicBool distinguishes our SIGKILL from an external one. (2) Replace `Some(9)` with the `timed_out` flag check. (3) `execute_action` now takes `button_box: &gtk::Box`, calls `set_sensitive(false)` on entry and re-enables it on error paths; success paths that quit skip the re-enable. All call sites updated. (4) `detect_locale` reads `LC_ALL`, `LC_MESSAGES`, `LANG` in order, picking the first non-empty value before falling back to `/etc/locale.conf`. (5) `accept_wallpaper` helper applies extension allowlist + symlink rejection + `MAX_WALLPAPER_FILE_SIZE = 10 MB`, and is called for both config-path and Moonarch fallback.
-
-## 2026-04-24 – Audit fix: avoid latent stdout pipe deadlock in run_command (v0.8.3)
-
-- **Who**: ClaudeCode, Dom
-- **Why**: Audit found that `run_command` piped the child's `stdout` but never drained it, then called blocking `child.wait()`. A child writing more than one OS pipe buffer (~64 KB on Linux) would block on `write()` while the parent blocked in `wait()` — classic pipe deadlock, broken only by the 30 s SIGKILL timeout. Current callers (`systemctl`, `niri msg`, `loginctl`) do not emit that much output, but the structure was fragile and would bite on any future command or changed behaviour.
-- **Tradeoffs**: stdout is now fully discarded. If a future caller needs stdout, it will have to drain it concurrently with `wait()` (separate reader thread).
-- **How**: Replace `.stdout(Stdio::piped())` with `.stdout(Stdio::null())` in `run_command`. `stderr` stays piped — it is drained after `wait()`, which is safe because `wait()` already reaped the child and no further writes can occur.
-
 ## 2026-03-31 – Fourth audit: release profile, GResource compression, lock stderr, sync markers
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Ragnar, Dom
 - **Why**: Fourth triple audit found missing release profile (LTO/strip), uncompressed GResource assets, moonlock stderr suppressed (errors invisible), and duplicated code without sync markers.
 - **Tradeoffs**: moonlock stderr now inherited instead of null — errors appear in moonset's journal context. Acceptable for debugging, no security leak since moonlock logs to its own journal identifier.
 - **How**: (1) `[profile.release]` with LTO, codegen-units=1, strip. (2) `compressed="true"` on GResource entries. (3) `Stdio::inherit()` for moonlock stderr in lock(). (4) SYNC comments on duplicated blur/background functions.
 
 ## 2026-03-28 – Remove wallpaper from GResource bundle
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Ragnar, Dom
 - **Why**: All three Moon projects (moonset, moongreet, moonlock) embedded a 374kB fallback wallpaper in the binary via GResource. Moonarch already installs `/usr/share/moonarch/wallpaper.jpg` at system setup time, making the embedded fallback unnecessary dead weight (~2MB in binary size).
 - **Tradeoffs**: If `/usr/share/moonarch/wallpaper.jpg` is missing and no user config exists, moonset shows a solid CSS background instead of a wallpaper. Acceptable — the power menu is functional without a wallpaper image.
 - **How**: Removed `wallpaper.jpg` from GResource XML and resources directory. `resolve_background_path` returns `Option<PathBuf>`. All wallpaper-related functions handle `None` gracefully. Binary size dropped from ~3.2MB to ~1.3MB.
 
 ## 2026-03-28 – Switch from env_logger to systemd-journal-logger
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Ragnar, Dom
 - **Why**: moonlock and moongreet already use systemd-journal-logger. moonset used env_logger which writes to stderr — not useful for a GUI app launched via keybind. Journal integration enables `journalctl -t moonset` and consistent troubleshooting across all three Moon projects.
 - **Tradeoffs**: Requires systemd at runtime. Graceful fallback to eprintln if journal logger fails. Acceptable since Moonarch targets systemd-based Arch Linux.
 - **How**: Replace `env_logger` dep with `systemd-journal-logger`, add `setup_logging()` with `MOONSET_DEBUG` env var for debug-level output. Same pattern as moonlock/moongreet.
 
 ## 2026-03-28 – Replace action name dispatch with `quit_after` field
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: Post-action behavior (quit the app or not) was controlled by comparing `action_name == "lock"` — a magic string duplicated from the action definition. Renaming an action would silently break the dispatch.
 - **Tradeoffs**: Adds a field to `ActionDef` that most actions set to `false`. Acceptable because it makes the contract explicit and testable.
 - **How**: `ActionDef.quit_after: bool` — `true` for lock and logout, `false` for hibernate/reboot/shutdown.
 
 ## 2026-03-28 – GPU blur via GskBlurNode replaces CPU blur
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Ragnar, Dom
 - **Why**: CPU-side Gaussian blur (`image` crate) blocked startup and added caching complexity. moonlock already migrated to GPU blur.
 - **Tradeoffs**: GPU blur quality is slightly different (box-blur approximation vs true Gaussian), acceptable for wallpaper backgrounds. Removes `image` crate dependency entirely. No disk cache needed.
 - **How**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` on `connect_realize`. Blur happens once on the GPU when the widget gets its renderer. Symmetric with moonlock and moongreet.
 
 ## 2026-03-28 – Use absolute paths for system binaries
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: Security audit flagged PATH hijacking risk — relative binary names allow a malicious `$PATH` entry to intercept `systemctl`, `loginctl`, etc.
 - **Tradeoffs**: Hardcoded paths reduce portability to non-Arch distros where binaries may live elsewhere (e.g. `/sbin/`). Acceptable because Moonarch targets Arch Linux exclusively.
 - **How**: All five power action wrappers now use `/usr/bin/` prefixed paths.
 
 ## 2026-03-28 – Implement power action timeout via try_wait polling
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: `POWER_TIMEOUT` and `PowerError::Timeout` were declared but never wired up. A hanging `systemctl hibernate` (e.g. blocked NFS mount) would freeze the power menu indefinitely.
 - **Tradeoffs**: Polling with `try_wait()` + 100ms sleep is slightly less efficient than a dedicated timeout crate, but avoids adding a dependency for a single use case.
 - **How**: `run_command` now polls `child.try_wait()` against a 30s deadline, kills the child on timeout.
 
 ## 2026-03-28 – Centralize GRESOURCE_PREFIX
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: The string `/dev/moonarch/moonset` was duplicated in `config.rs`, `users.rs`, and as literal strings in `panel.rs` and `main.rs`. Changing the application ID would require edits in 4+ locations.
 - **Tradeoffs**: Modules now depend on `crate::GRESOURCE_PREFIX` — tighter coupling to main.rs, but acceptable for an internal constant.
 - **How**: Single `pub(crate) const GRESOURCE_PREFIX` in `main.rs`, referenced everywhere else.
 
 ## 2026-03-28 – Remove journal.md
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: One-time development notes from the Rust rewrite, never updated after initial session. Overlapped with memory system and git history.
 - **Tradeoffs**: Historical context lost from the file, but the information is preserved in git history and the memory system.
 - **How**: Deleted. Useful technical learnings migrated to persistent memory.
 
 ## 2026-03-27 – OVERLAY layer instead of TOP
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: Waybar occupies the TOP layer. The power menu must appear above it.
 - **Tradeoffs**: OVERLAY is the highest layer — nothing can render above moonset while it's open. This is intentional for a session power menu.
 - **How**: `setup_layer_shell` uses `gtk4_layer_shell::Layer::Overlay` for the panel window.
 
 ## 2026-03-27 – Lock without confirmation
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: Lock is immediately reversible (just unlock). All other actions (logout, hibernate, reboot, shutdown) are destructive or disruptive.
 - **Tradeoffs**: One less click for the most common action. Risk of accidental lock is negligible since unlocking is trivial.
 - **How**: `ActionDef.needs_confirm = false` for lock; all others require inline confirmation.
 
 ## 2026-03-27 – Niri-specific logout via `niri msg action quit`
 
-- **Who**: ClaudeCode, Dom
+- **Who**: Hekate, Dom
 - **Why**: Moonarch is built exclusively for the Niri compositor. Generic Wayland logout mechanisms don't exist — each compositor has its own.
 - **Tradeoffs**: Hard dependency on Niri. If the compositor changes, `power::logout()` must be updated.
 - **How**: `Command::new("/usr/bin/niri").args(["msg", "action", "quit"])`.

src/config.rs

@@ -62,56 +62,21 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
     resolve_background_path_with(config, Path::new(MOONARCH_WALLPAPER))
 }
 
-/// Wallpapers are passed to gdk-pixbuf's image loader; restrict to common image
-/// extensions to reduce the parser-attack surface for user-controlled paths.
-const ALLOWED_BG_EXT: &[&str] = &["jpg", "jpeg", "png", "webp"];
-
-/// Bound wallpaper decode latency (10 MB covers typical 4K JPEGs at Q95).
-const MAX_WALLPAPER_FILE_SIZE: u64 = 10 * 1024 * 1024;
-
-fn is_allowed_wallpaper(path: &Path) -> bool {
-    match path.extension().and_then(|e| e.to_str()) {
-        Some(ext) => ALLOWED_BG_EXT.iter().any(|a| a.eq_ignore_ascii_case(ext)),
-        None => false,
-    }
-}
-
-fn accept_wallpaper(path: &Path) -> bool {
-    if !is_allowed_wallpaper(path) {
-        log::warn!("Wallpaper rejected (extension not in allowlist): {}", path.display());
-        return false;
-    }
-    match path.symlink_metadata() {
-        Ok(meta) if meta.file_type().is_symlink() => {
-            log::warn!("Wallpaper rejected (symlink): {}", path.display());
-            false
-        }
-        Ok(meta) if !meta.is_file() => false,
-        Ok(meta) if meta.len() > MAX_WALLPAPER_FILE_SIZE => {
-            log::warn!(
-                "Wallpaper rejected ({} bytes > {} limit): {}",
-                meta.len(), MAX_WALLPAPER_FILE_SIZE, path.display()
-            );
-            false
-        }
-        Ok(_) => true,
-        Err(_) => false,
-    }
-}
-
 /// Resolve with configurable moonarch wallpaper path (for testing).
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
-    // User-configured path — reject symlinks, non-image extensions, and oversized files
+    // User-configured path — reject symlinks to prevent path traversal
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if accept_wallpaper(&path) {
+        if let Ok(meta) = path.symlink_metadata() {
+            if meta.is_file() && !meta.file_type().is_symlink() {
                 log::debug!("Wallpaper source: config ({})", path.display());
                 return Some(path);
             }
         }
+    }
 
-    // Moonarch ecosystem default — apply the same checks for consistency
+    // Moonarch ecosystem default
-    if accept_wallpaper(moonarch_wallpaper) {
+    if moonarch_wallpaper.is_file() {
         log::debug!("Wallpaper source: moonarch default ({})", moonarch_wallpaper.display());
         return Some(moonarch_wallpaper.to_path_buf());
     }

src/i18n.rs

@@ -110,22 +110,15 @@ fn read_lang_from_conf(path: &Path) -> Option<String> {
     None
 }
 
-/// Determine the system language from POSIX locale env vars or /etc/locale.conf.
+/// Determine the system language from LANG env var or /etc/locale.conf.
-/// Checks LC_ALL, LC_MESSAGES, LANG in POSIX priority order (LC_ALL overrides
-/// everything; LC_MESSAGES overrides LANG for text categories).
 pub fn detect_locale() -> String {
-    let env_val = env::var("LC_ALL")
+    detect_locale_with(env::var("LANG").ok().as_deref(), Path::new(DEFAULT_LOCALE_CONF))
-        .ok()
-        .filter(|s| !s.is_empty())
-        .or_else(|| env::var("LC_MESSAGES").ok().filter(|s| !s.is_empty()))
-        .or_else(|| env::var("LANG").ok().filter(|s| !s.is_empty()));
-    detect_locale_with(env_val.as_deref(), Path::new(DEFAULT_LOCALE_CONF))
 }
 
 /// Determine locale with configurable inputs (for testing).
 pub fn detect_locale_with(env_lang: Option<&str>, locale_conf_path: &Path) -> String {
     let (raw, source) = if let Some(val) = env_lang.filter(|s| !s.is_empty()) {
-        (Some(val.to_string()), "env")
+        (Some(val.to_string()), "LANG env")
     } else if let Some(val) = read_lang_from_conf(locale_conf_path) {
         (Some(val), "locale.conf")
     } else {

src/main.rs

@@ -88,12 +88,10 @@ fn setup_logging() {
             eprintln!("Failed to create journal logger: {e}");
         }
     }
-    // Require MOONSET_DEBUG=1 to raise verbosity so mere presence (empty
+    let level = if std::env::var("MOONSET_DEBUG").is_ok() {
-    // value in a session script) cannot escalate journal noise with path
+        log::LevelFilter::Debug
-    // information an attacker could use.
+    } else {
-    let level = match std::env::var("MOONSET_DEBUG").ok().as_deref() {
+        log::LevelFilter::Info
-        Some("1") => log::LevelFilter::Debug,
-        _ => log::LevelFilter::Info,
     };
     log::set_max_level(level);
 }

src/panel.rs

@@ -7,7 +7,7 @@ use glib::clone;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
 use std::cell::RefCell;
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use std::rc::Rc;
 use std::time::Duration;
 
@@ -208,16 +208,11 @@ pub fn create_panel_window(texture: Option<&gdk::Texture>, blur_radius: Option<f
     window.add_css_class("panel");
 
     let strings = load_strings(None);
-    let user = users::get_current_user().unwrap_or_else(|| {
+    let user = users::get_current_user().unwrap_or_else(|| users::User {
-        let home = dirs::home_dir().unwrap_or_else(|| {
-            log::warn!("Could not resolve HOME — using an empty path");
-            PathBuf::new()
-        });
-        users::User {
         username: "user".to_string(),
         display_name: "User".to_string(),
-            home,
+        home: dirs::home_dir().unwrap_or_default(),
-        }
+        uid: u32::MAX,
     });
     log::debug!("User: {} ({})", user.display_name, user.username);
 
@@ -450,7 +445,7 @@ fn on_action_clicked(
     error_label.set_visible(false);
 
     if !action_def.needs_confirm {
-        execute_action(action_def, strings, app, confirm_area, confirm_box, error_label, button_box);
+        execute_action(action_def, strings, app, confirm_area, confirm_box, error_label);
         return;
     }
 
@@ -493,8 +488,6 @@ fn show_confirm(
         confirm_box,
         #[weak]
         error_label,
-        #[weak]
-        button_box,
         move |_| {
             execute_action(
                 &action_def_clone,
@@ -503,7 +496,6 @@ fn show_confirm(
                 &confirm_area,
                 &confirm_box,
                 &error_label,
-                &button_box,
             );
         }
     ));
@@ -551,7 +543,6 @@ fn execute_action(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
-    button_box: &gtk::Box,
 ) {
     dismiss_confirm(confirm_area, confirm_box);
     log::debug!("Executing power action: {}", action_def.name);
@@ -561,10 +552,6 @@ fn execute_action(
     let quit_after = action_def.quit_after;
     let error_message = (action_def.error_attr)(strings).to_string();
 
-    // Desensitize buttons so a double-click or accidental keyboard repeat
-    // cannot fire the same action twice while it is in flight.
-    button_box.set_sensitive(false);
-
     // Use glib::spawn_future_local + gio::spawn_blocking to avoid Send issues
     // with GTK objects. The blocking closure runs on a thread pool, the result
     // is handled back on the main thread.
@@ -573,30 +560,24 @@ fn execute_action(
         app,
         #[weak]
         error_label,
-        #[weak]
-        button_box,
         async move {
-            let result = gio::spawn_blocking(action_fn).await;
+            let result = gio::spawn_blocking(move || action_fn()).await;
 
             match result {
                 Ok(Ok(())) => {
                     if quit_after {
                         fade_out_and_quit(&app);
-                    } else {
-                        button_box.set_sensitive(true);
                     }
                 }
                 Ok(Err(e)) => {
                     log::error!("Power action '{}' failed: {}", action_name, e);
                     error_label.set_text(&error_message);
                     error_label.set_visible(true);
-                    button_box.set_sensitive(true);
                 }
                 Err(_) => {
                     log::error!("Power action '{}' panicked", action_name);
                     error_label.set_text(&error_message);
                     error_label.set_visible(true);
-                    button_box.set_sensitive(true);
                 }
             }
         }

src/power.rs

@@ -40,9 +40,7 @@ fn run_command(action: &'static str, program: &str, args: &[&str]) -> Result<(),
     log::debug!("Power action: {action} ({program} {args:?})");
     let mut child = Command::new(program)
         .args(args)
-        // stdout is discarded — piping without draining would deadlock if a
+        .stdout(Stdio::piped())
-        // command ever wrote more than one OS pipe buffer before wait() returned.
-        .stdout(Stdio::null())
         .stderr(Stdio::piped())
         .spawn()
         .map_err(|e| PowerError::CommandFailed {
@@ -52,50 +50,44 @@ fn run_command(action: &'static str, program: &str, args: &[&str]) -> Result<(),
 
     let child_pid = nix::unistd::Pid::from_raw(child.id() as i32);
     let done = Arc::new(AtomicBool::new(false));
-    let timed_out = Arc::new(AtomicBool::new(false));
     let done_clone = done.clone();
-    let timed_out_clone = timed_out.clone();
 
-    let _timeout_thread = std::thread::spawn(move || {
+    let timeout_thread = std::thread::spawn(move || {
+        // Sleep in short intervals so we can exit early when the child finishes
         let interval = Duration::from_millis(100);
         let mut elapsed = Duration::ZERO;
         while elapsed < POWER_TIMEOUT {
             std::thread::sleep(interval);
-            if done_clone.load(Ordering::Acquire) {
+            if done_clone.load(Ordering::Relaxed) {
                 return;
             }
             elapsed += interval;
         }
-        // Record that we fired the kill so we don't misclassify an external
-        // SIGKILL (OOM killer, kill -9) as our timeout.
-        timed_out_clone.store(true, Ordering::Release);
         // ESRCH if the process already exited — harmless
         let _ = nix::sys::signal::kill(child_pid, nix::sys::signal::Signal::SIGKILL);
     });
 
-    // Drop guard ensures the timeout thread sees done=true even if child.wait()
-    // errors out — otherwise the thread sleeps its full 30 s holding a slot in
-    // the gio::spawn_blocking pool.
-    struct DoneGuard(Arc<AtomicBool>);
-    impl Drop for DoneGuard {
-        fn drop(&mut self) {
-            self.0.store(true, Ordering::Release);
-        }
-    }
-    let _done_guard = DoneGuard(done);
-
     let status = child.wait().map_err(|e| PowerError::CommandFailed {
         action,
         message: e.to_string(),
     })?;
 
+    done.store(true, Ordering::Relaxed);
+    let _ = timeout_thread.join();
+
     if status.success() {
         log::debug!("Power action {action} completed");
         Ok(())
     } else {
-        if timed_out.load(Ordering::Acquire) {
+        // Check if killed by our timeout (SIGKILL = signal 9)
+        #[cfg(unix)]
+        {
+            use std::os::unix::process::ExitStatusExt;
+            if status.signal() == Some(9) {
                 return Err(PowerError::Timeout { action });
             }
+        }
+
         let mut stderr_buf = String::new();
         if let Some(mut stderr) = child.stderr.take() {
             let _ = stderr.read_to_string(&mut stderr_buf);

src/users.rs

@@ -12,6 +12,7 @@ pub struct User {
     pub username: String,
     pub display_name: String,
     pub home: PathBuf,
+    pub uid: u32,
 }
 
 /// Get the currently logged-in user's info from the system.
@@ -36,6 +37,7 @@ pub fn get_current_user() -> Option<User> {
         username: nix_user.name,
         display_name,
         home: nix_user.dir,
+        uid: uid.as_raw(),
     })
 }
 
@@ -63,9 +65,8 @@ pub fn get_avatar_path_with(
     }
 
     // AccountsService icon fallback
-    if let Some(name) = username
+    if let Some(name) = username {
-        && accountsservice_dir.exists()
+        if accountsservice_dir.exists() {
-    {
             let icon = accountsservice_dir.join(name);
             if let Ok(meta) = icon.symlink_metadata() {
                 if meta.file_type().is_symlink() {
@@ -76,6 +77,7 @@ pub fn get_avatar_path_with(
                 }
             }
         }
+    }
 
     None
 }