fix: restore keyboard focus on action buttons after dismiss (v0.8.2)

After cancelling a confirmation prompt, the focused widget was removed
from the tree without restoring focus to the action buttons. With
layer-shell exclusive keyboard mode, GTK does not recover focus
automatically — the UI became keyboard-unreachable.

.gitea/workflows/update-pkgver.yaml

@@ -0,0 +1,43 @@
+# ABOUTME: Updates pkgver in moonarch-pkgbuilds after a push to main.
+# ABOUTME: Ensures paru detects new versions of this package.
+
+name: Update PKGBUILD version
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  update-pkgver:
+    runs-on: moonarch
+    steps:
+      - name: Checkout source repo
+        run: |
+          git clone --bare http://gitea:3000/nevaforget/moonset.git source.git
+          cd source.git
+          PKGVER=$(git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./')
+          echo "New pkgver: $PKGVER"
+          echo "$PKGVER" > /tmp/pkgver
+
+      - name: Update PKGBUILD
+        run: |
+          PKGVER=$(cat /tmp/pkgver)
+          git clone http://gitea:3000/nevaforget/moonarch-pkgbuilds.git pkgbuilds
+          cd pkgbuilds
+
+          OLD_VER=$(grep '^pkgver=' moonset-git/PKGBUILD | cut -d= -f2)
+          if [ "$OLD_VER" = "$PKGVER" ]; then
+            echo "pkgver already up to date ($PKGVER)"
+            exit 0
+          fi
+
+          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonset-git/PKGBUILD
+          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonset-git/.SRCINFO
+          echo "Updated pkgver: $OLD_VER → $PKGVER"
+
+          git config user.name "pkgver-bot"
+          git config user.email "gitea@moonarch.de"
+          git add moonset-git/PKGBUILD moonset-git/.SRCINFO
+          git commit -m "chore(moonset-git): bump pkgver to $PKGVER"
+          git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push

CHANGELOG.md

@@ -3,6 +3,25 @@
 All notable changes to this project will be documented in this file.
 Format based on [Keep a Changelog](https://keepachangelog.com/).
 
+## [0.8.0] - 2026-03-30
+
+### Changed
+
+- Replace `canonicalize()` with `symlink_metadata` + `is_file` + `!is_symlink` for avatar lookup — prevents symlink traversal to arbitrary files
+- Replace `canonicalize()` with same symlink-safe check in `resolve_background_path`
+- Downscale wallpaper to `MAX_BLUR_DIMENSION` (1920px) before GPU blur — prevents excessive memory use on high-res images
+- Validate `background_blur` per config source — invalid user value preserves system default instead of silently falling back to 0
+
+### Fixed
+
+- Fix blur padding offset from `(0,0)` to `(-pad,-pad)` to prevent edge darkening on blurred wallpaper
+
+## [0.7.3] - 2026-03-29
+
+### Fixed
+
+- Fix shutdown and reboot — `loginctl` does not support `poweroff`/`reboot` verbs, switched to `systemctl poweroff` and `systemctl reboot`
+
 ## [0.7.2] - 2026-03-29
 
 ### Fixed

Cargo.lock

@@ -616,7 +616,7 @@ dependencies = [
 
 [[package]]
 name = "moonset"
-version = "0.7.2"
+version = "0.8.2"
 dependencies = [
  "dirs",
  "gdk-pixbuf",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonset"
-version = "0.7.2"
+version = "0.8.2"
 edition = "2024"
 description = "Wayland session power menu with GTK4 and Layer Shell"
 license = "MIT"
@@ -22,5 +22,10 @@ systemd-journal-logger = "2.2"
 [dev-dependencies]
 tempfile = "3"
 
+[profile.release]
+lto = "thin"
+codegen-units = 1
+strip = true
+
 [build-dependencies]
 glib-build-tools = "0.22"

DECISIONS.md

@@ -2,6 +2,13 @@
 
 Architectural and design decisions for Moonset, in reverse chronological order.
 
+## 2026-03-31 – Fourth audit: release profile, GResource compression, lock stderr, sync markers
+
+- **Who**: Ragnar, Dom
+- **Why**: Fourth triple audit found missing release profile (LTO/strip), uncompressed GResource assets, moonlock stderr suppressed (errors invisible), and duplicated code without sync markers.
+- **Tradeoffs**: moonlock stderr now inherited instead of null — errors appear in moonset's journal context. Acceptable for debugging, no security leak since moonlock logs to its own journal identifier.
+- **How**: (1) `[profile.release]` with LTO, codegen-units=1, strip. (2) `compressed="true"` on GResource entries. (3) `Stdio::inherit()` for moonlock stderr in lock(). (4) SYNC comments on duplicated blur/background functions.
+
 ## 2026-03-28 – Remove wallpaper from GResource bundle
 
 - **Who**: Ragnar, Dom

build.rs

@@ -1,5 +1,5 @@
 // ABOUTME: Build script for compiling GResource bundle.
-// ABOUTME: Bundles style.css, wallpaper.jpg, and default-avatar.svg into the binary.
+// ABOUTME: Bundles style.css and default-avatar.svg into the binary.
 
 fn main() {
     glib_build_tools::compile_resources(

resources/resources.gresource.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <gresources>
   <gresource prefix="/dev/moonarch/moonset">
-    <file>style.css</file>
+    <file compressed="true">style.css</file>
-    <file>default-avatar.svg</file>
+    <file compressed="true">default-avatar.svg</file>
   </gresource>
 </gresources>

src/config.rs

@@ -37,8 +37,11 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
                     if parsed.background_path.is_some() {
                         merged.background_path = parsed.background_path;
                     }
-                    if parsed.background_blur.is_some() {
+                    // Validate blur per source — invalid values preserve the previous default
+                    if parsed.background_blur.is_some_and(|b| b.is_finite() && (0.0..=200.0).contains(&b)) {
                         merged.background_blur = parsed.background_blur;
+                    } else if parsed.background_blur.is_some() {
+                        log::warn!("Invalid background_blur in {}, ignoring", path.display());
                     }
                 }
                 Err(e) => {
@@ -48,14 +51,6 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
         }
     }
 
-    // Validate blur range
-    if let Some(blur) = merged.background_blur {
-        if !blur.is_finite() || blur < 0.0 || blur > 200.0 {
-            log::warn!("Invalid background_blur value {blur}, ignoring");
-            merged.background_blur = None;
-        }
-    }
-
     merged
 }
 
@@ -69,12 +64,14 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
 
 /// Resolve with configurable moonarch wallpaper path (for testing).
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
-    // User-configured path
+    // User-configured path — reject symlinks to prevent path traversal
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if path.is_file() {
+        if let Ok(meta) = path.symlink_metadata() {
-            log::debug!("Wallpaper source: config ({})", path.display());
+            if meta.is_file() && !meta.file_type().is_symlink() {
-            return Some(path);
+                log::debug!("Wallpaper source: config ({})", path.display());
+                return Some(path);
+            }
         }
     }
 

src/panel.rs

@@ -103,11 +103,22 @@ pub fn load_background_texture(bg_path: Option<&Path>) -> Option<gdk::Texture> {
 
 // -- GPU blur via GskBlurNode -------------------------------------------------
 
+// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
+// are duplicated in moonlock/src/lockscreen.rs and moongreet/src/greeter.rs.
+// Changes here must be mirrored to the other two projects.
+
+/// Maximum texture dimension before downscaling for blur.
+/// Keeps GPU work reasonable on 4K+ displays.
+const MAX_BLUR_DIMENSION: f32 = 1920.0;
+
 /// Render a blurred texture using the GPU via GskBlurNode.
 ///
 /// To avoid edge darkening (blur samples transparent pixels outside bounds),
 /// the texture is rendered with padding equal to 3x the blur sigma. The blur
 /// is applied to the padded area, then cropped back to the original size.
+///
+/// Large textures (> MAX_BLUR_DIMENSION) are downscaled before blurring to
+/// reduce GPU work. The sigma is scaled proportionally.
 fn render_blurred_texture(
     widget: &impl IsA<gtk::Widget>,
     texture: &gdk::Texture,
@@ -116,17 +127,29 @@ fn render_blurred_texture(
     let native = widget.native()?;
     let renderer = native.renderer()?;
 
-    let w = texture.width() as f32;
+    let orig_w = texture.width() as f32;
-    let h = texture.height() as f32;
+    let orig_h = texture.height() as f32;
+
+    // Downscale large textures to reduce GPU blur work
+    let max_dim = orig_w.max(orig_h);
+    let scale = if max_dim > MAX_BLUR_DIMENSION {
+        MAX_BLUR_DIMENSION / max_dim
+    } else {
+        1.0
+    };
+    let w = (orig_w * scale).round();
+    let h = (orig_h * scale).round();
+    let scaled_sigma = sigma * scale;
+
     // Padding must cover the blur kernel radius (typically ~3x sigma)
-    let pad = (sigma * 3.0).ceil();
+    let pad = (scaled_sigma * 3.0).ceil();
 
     let snapshot = gtk::Snapshot::new();
-    // Clip output to original texture size
+    // Clip output to scaled texture size
     snapshot.push_clip(&graphene_rs::Rect::new(pad, pad, w, h));
-    snapshot.push_blur(sigma as f64);
+    snapshot.push_blur(scaled_sigma as f64);
     // Render texture with padding on all sides (edges repeat via oversized bounds)
-    snapshot.append_texture(texture, &graphene_rs::Rect::new(0.0, 0.0, w + 2.0 * pad, h + 2.0 * pad));
+    snapshot.append_texture(texture, &graphene_rs::Rect::new(-pad, -pad, w + 2.0 * pad, h + 2.0 * pad));
     snapshot.pop(); // blur
     snapshot.pop(); // clip
 
@@ -269,6 +292,7 @@ pub fn create_panel_window(texture: Option<&gdk::Texture>, blur_radius: Option<f
             &confirm_area,
             &confirm_box,
             &error_label,
+            &button_box,
         );
         button_box.append(&button);
     }
@@ -352,6 +376,7 @@ fn create_action_button(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) -> gtk::Button {
     let button_content = gtk::Box::new(gtk::Orientation::Vertical, 4);
     button_content.set_halign(gtk::Align::Center);
@@ -381,6 +406,8 @@ fn create_action_button(
         confirm_box,
         #[weak]
         error_label,
+        #[weak]
+        button_box,
         move |_| {
             on_action_clicked(
                 &action_def,
@@ -389,6 +416,7 @@ fn create_action_button(
                 &confirm_area,
                 &confirm_box,
                 &error_label,
+                &button_box,
             );
         }
     ));
@@ -411,6 +439,7 @@ fn on_action_clicked(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) {
     dismiss_confirm(confirm_area, confirm_box);
     error_label.set_visible(false);
@@ -420,7 +449,7 @@ fn on_action_clicked(
         return;
     }
 
-    show_confirm(action_def, strings, app, confirm_area, confirm_box, error_label);
+    show_confirm(action_def, strings, app, confirm_area, confirm_box, error_label, button_box);
 }
 
 /// Show inline confirmation below the action buttons.
@@ -431,6 +460,7 @@ fn show_confirm(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) {
     let new_box = gtk::Box::new(gtk::Orientation::Vertical, 8);
     new_box.set_halign(gtk::Align::Center);
@@ -478,8 +508,13 @@ fn show_confirm(
         confirm_area,
         #[strong]
         confirm_box,
+        #[weak]
+        button_box,
         move |_| {
             dismiss_confirm(&confirm_area, &confirm_box);
+            if let Some(first) = button_box.first_child() {
+                first.grab_focus();
+            }
         }
     ));
     button_row.append(&no_btn);

src/power.rs

@@ -107,7 +107,7 @@ pub fn lock() -> Result<(), PowerError> {
     Command::new("/usr/bin/moonlock")
         .stdin(Stdio::null())
         .stdout(Stdio::null())
-        .stderr(Stdio::null())
+        .stderr(Stdio::inherit())
         .spawn()
         .map_err(|e| PowerError::CommandFailed {
             action: "lock",
@@ -127,14 +127,14 @@ pub fn hibernate() -> Result<(), PowerError> {
     run_command("hibernate", "/usr/bin/systemctl", &["hibernate"])
 }
 
-/// Reboot the system via loginctl.
+/// Reboot the system via systemctl.
 pub fn reboot() -> Result<(), PowerError> {
-    run_command("reboot", "/usr/bin/loginctl", &["reboot"])
+    run_command("reboot", "/usr/bin/systemctl", &["reboot"])
 }
 
-/// Shut down the system via loginctl.
+/// Shut down the system via systemctl.
 pub fn shutdown() -> Result<(), PowerError> {
-    run_command("shutdown", "/usr/bin/loginctl", &["poweroff"])
+    run_command("shutdown", "/usr/bin/systemctl", &["poweroff"])
 }
 
 #[cfg(test)]

src/users.rs

@@ -47,32 +47,34 @@ pub fn get_avatar_path(home: &Path, username: Option<&str>) -> Option<PathBuf> {
 }
 
 /// Find avatar with configurable AccountsService dir (for testing).
+/// Rejects symlinks to prevent path traversal.
 pub fn get_avatar_path_with(
     home: &Path,
     username: Option<&str>,
     accountsservice_dir: &Path,
 ) -> Option<PathBuf> {
-    // ~/.face takes priority — canonicalize to resolve symlinks
+    // ~/.face takes priority
     let face = home.join(".face");
-    if face.exists() {
+    if let Ok(meta) = face.symlink_metadata() {
-        if let Ok(canonical) = std::fs::canonicalize(&face) {
+        if meta.file_type().is_symlink() {
-            log::debug!("Avatar: using ~/.face ({})", canonical.display());
+            log::warn!("Rejecting symlink avatar: {}", face.display());
-            return Some(canonical);
+        } else if meta.is_file() {
+            log::debug!("Avatar: using ~/.face ({})", face.display());
+            return Some(face);
         }
-        // canonicalize failed (e.g. permissions) — skip rather than return unresolved symlink
-        log::warn!("Avatar: ~/.face exists but canonicalize failed, skipping");
     }
 
-    // AccountsService icon — also canonicalize for consistency
+    // AccountsService icon fallback
     if let Some(name) = username {
         if accountsservice_dir.exists() {
             let icon = accountsservice_dir.join(name);
-            if icon.exists() {
+            if let Ok(meta) = icon.symlink_metadata() {
-                if let Ok(canonical) = std::fs::canonicalize(&icon) {
+                if meta.file_type().is_symlink() {
-                    log::debug!("Avatar: using AccountsService icon ({})", canonical.display());
+                    log::warn!("Rejecting symlink avatar: {}", icon.display());
-                    return Some(canonical);
+                } else if meta.is_file() {
+                    log::debug!("Avatar: using AccountsService icon ({})", icon.display());
+                    return Some(icon);
                 }
-                log::warn!("Avatar: AccountsService icon exists but canonicalize failed, skipping");
             }
         }
     }
@@ -107,8 +109,7 @@ mod tests {
         let face = dir.path().join(".face");
         fs::write(&face, "fake image").unwrap();
         let path = get_avatar_path_with(dir.path(), None, Path::new("/nonexistent"));
-        let expected = fs::canonicalize(&face).unwrap();
+        assert_eq!(path, Some(face));
-        assert_eq!(path, Some(expected));
     }
 
     #[test]
@@ -119,8 +120,7 @@ mod tests {
         let icon = icons_dir.join("testuser");
         fs::write(&icon, "fake image").unwrap();
         let path = get_avatar_path_with(dir.path(), Some("testuser"), &icons_dir);
-        let expected = fs::canonicalize(&icon).unwrap();
+        assert_eq!(path, Some(icon));
-        assert_eq!(path, Some(expected));
     }
 
     #[test]
@@ -133,8 +133,18 @@ mod tests {
         let icon = icons_dir.join("testuser");
         fs::write(&icon, "fake image").unwrap();
         let path = get_avatar_path_with(dir.path(), Some("testuser"), &icons_dir);
-        let expected = fs::canonicalize(&face).unwrap();
+        assert_eq!(path, Some(face));
-        assert_eq!(path, Some(expected));
+    }
+
+    #[test]
+    fn rejects_symlink_avatar() {
+        let dir = tempfile::tempdir().unwrap();
+        let target = dir.path().join("secret");
+        fs::write(&target, "secret content").unwrap();
+        let face = dir.path().join(".face");
+        std::os::unix::fs::symlink(&target, &face).unwrap();
+        let path = get_avatar_path_with(dir.path(), None, Path::new("/nonexistent"));
+        assert!(path.is_none());
     }
 
     #[test]