docs: translate CLAUDE.md to English

Per the committed=English rule.

.gitea/workflows/update-pkgver.yaml

@@ -1,22 +1,22 @@
-# ABOUTME: Updates pkgver in moonarch-pkgbuilds after a push to main.
+# ABOUTME: Updates pkgver in moonarch-pkgbuilds when a new moonset tag is pushed.
-# ABOUTME: Ensures paru detects new versions of this package.
+# ABOUTME: Reads the latest version tag and bumps the PKGBUILD + .SRCINFO.
 
 name: Update PKGBUILD version
 
 on:
   push:
-    branches:
+    tags:
-      - main
+      - 'v*'
 
 jobs:
   update-pkgver:
     runs-on: moonarch
     steps:
-      - name: Checkout source repo
+      - name: Determine pkgver from latest tag
         run: |
           git clone --bare http://gitea:3000/nevaforget/moonset.git source.git
           cd source.git
-          PKGVER=$(git describe --long --tags | sed 's/^v//;s/-/.r/;s/-/./')
+          PKGVER=$(git describe --tags --abbrev=0 | sed 's/^v//')
           echo "New pkgver: $PKGVER"
           echo "$PKGVER" > /tmp/pkgver
 
@@ -26,18 +26,18 @@ jobs:
           git clone http://gitea:3000/nevaforget/moonarch-pkgbuilds.git pkgbuilds
           cd pkgbuilds
 
-          OLD_VER=$(grep '^pkgver=' moonset-git/PKGBUILD | cut -d= -f2)
+          OLD_VER=$(grep '^pkgver=' moonset/PKGBUILD | cut -d= -f2)
           if [ "$OLD_VER" = "$PKGVER" ]; then
             echo "pkgver already up to date ($PKGVER)"
             exit 0
           fi
 
-          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonset-git/PKGBUILD
+          sed -i "s/^pkgver=.*/pkgver=$PKGVER/" moonset/PKGBUILD
-          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonset-git/.SRCINFO
+          sed -i "s/^\tpkgver = .*/\tpkgver = $PKGVER/" moonset/.SRCINFO
           echo "Updated pkgver: $OLD_VER → $PKGVER"
 
           git config user.name "pkgver-bot"
           git config user.email "gitea@moonarch.de"
-          git add moonset-git/PKGBUILD moonset-git/.SRCINFO
+          git add moonset/PKGBUILD moonset/.SRCINFO
-          git commit -m "chore(moonset-git): bump pkgver to $PKGVER"
+          git commit -m "chore(moonset): bump pkgver to $PKGVER"
           git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push

CHANGELOG.md

@@ -3,6 +3,19 @@
 All notable changes to this project will be documented in this file.
 Format based on [Keep a Changelog](https://keepachangelog.com/).
 
+## [0.8.0] - 2026-03-30
+
+### Changed
+
+- Replace `canonicalize()` with `symlink_metadata` + `is_file` + `!is_symlink` for avatar lookup — prevents symlink traversal to arbitrary files
+- Replace `canonicalize()` with same symlink-safe check in `resolve_background_path`
+- Downscale wallpaper to `MAX_BLUR_DIMENSION` (1920px) before GPU blur — prevents excessive memory use on high-res images
+- Validate `background_blur` per config source — invalid user value preserves system default instead of silently falling back to 0
+
+### Fixed
+
+- Fix blur padding offset from `(0,0)` to `(-pad,-pad)` to prevent edge darkening on blurred wallpaper
+
 ## [0.7.3] - 2026-03-29
 
 ### Fixed

CLAUDE.md

@@ -1,59 +1,57 @@
 # Moonset
 
-**Name**: Hekate (Göttin der Wegkreuzungen — passend zum Power-Menu, das den Weg der Session bestimmt)
+## Project
 
-## Projekt
+Moonset is a Wayland session power menu, built with Rust + gtk4-rs + gtk4-layer-shell.
-
+Part of the Moonarch ecosystem. A keybind-invoked overlay with 5 actions:
-Moonset ist ein Wayland Session Power Menu, gebaut mit Rust + gtk4-rs + gtk4-layer-shell.
-Teil des Moonarch-Ökosystems. Per Keybind aufrufbares Overlay mit 5 Aktionen:
 Lock, Logout, Hibernate, Reboot, Shutdown.
 
-## Tech-Stack
+## Tech Stack
 
-- Rust (Edition 2024), gtk4-rs 0.11, glib 0.22
+- Rust (edition 2024), gtk4-rs 0.11, glib 0.22
-- gtk4-layer-shell 0.8 für Wayland Layer Shell (OVERLAY Layer)
+- gtk4-layer-shell 0.8 for the Wayland Layer Shell (OVERLAY layer)
-- `cargo test` für Unit-Tests
+- `cargo test` for unit tests
 
-## Projektstruktur
+## Project Structure
 
-- `src/` — Rust-Quellcode (main.rs, power.rs, i18n.rs, config.rs, users.rs, panel.rs)
+- `src/` — Rust source code (main.rs, power.rs, i18n.rs, config.rs, users.rs, panel.rs)
-- `resources/` — GResource-Assets (style.css, default-avatar.svg)
+- `resources/` — GResource assets (style.css, default-avatar.svg)
-- `config/` — Beispiel-Konfigurationsdateien
+- `config/` — example configuration files
 
-## Kommandos
+## Commands
 
 ```bash
-# Tests ausführen
+# Run tests
 cargo test
 
-# Release-Build
+# Release build
 cargo build --release
 
-# Power-Menu starten (in Niri-Session)
+# Start the power menu (in a Niri session)
 LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonset
 ```
 
-## Architektur
+## Architecture
 
-- `main.rs` — Entry Point, GTK App, Layer Shell Setup, Multi-Monitor, systemd-Journal-Logging, Debug-Level per `MOONSET_DEBUG` Env-Var, zentrale `GRESOURCE_PREFIX`-Konstante
+- `main.rs` — entry point, GTK app, Layer Shell setup, multi-monitor, systemd journal logging, debug level via the `MOONSET_DEBUG` env var, central `GRESOURCE_PREFIX` constant
-- `power.rs` — 5 Power-Action-Wrapper mit absoluten Pfaden und 30s Timeout (lock, logout, hibernate, reboot, shutdown)
+- `power.rs` — 5 power-action wrappers with absolute paths and a 30s timeout (lock, logout, hibernate, reboot, shutdown)
-- `i18n.rs` — Locale-Erkennung und String-Tabellen (DE/EN)
+- `i18n.rs` — locale detection and string tables (DE/EN)
-- `config.rs` — TOML-Config + Wallpaper-Fallback
+- `config.rs` — TOML config + wallpaper fallback
-- `panel.rs` — GTK4 UI (Action-Buttons, Inline-Confirmation, WallpaperWindow)
+- `panel.rs` — GTK4 UI (action buttons, inline confirmation, WallpaperWindow)
-- `users.rs` — User-Erkennung, Avatar-Loading (AccountsService, ~/.face, GResource-Fallback)
+- `users.rs` — user detection, avatar loading (AccountsService, ~/.face, GResource fallback)
-- `resources/style.css` — GTK-Theme-Colors für Konsistenz mit dem aktiven Desktop-Theme
+- `resources/style.css` — GTK theme colors for consistency with the active desktop theme
 
 ## Design Decisions
 
-Siehe `DECISIONS.md` für das vollständige Entscheidungsprotokoll.
+See `DECISIONS.md` for the full decision log.
 
-Kurzfassung der wichtigsten Entscheidungen:
+Summary of the most important decisions:
-- **OVERLAY statt TOP Layer**: Waybar liegt auf TOP, moonset muss darüber
+- **OVERLAY instead of TOP layer**: Waybar sits on TOP, moonset must be above it
-- **Niri-spezifischer Logout** (`niri msg action quit`): Moonarch setzt fest auf Niri
+- **Niri-specific logout** (`niri msg action quit`): Moonarch commits firmly to Niri
-- **Einmal-Start per Keybind**: Kein Daemon, GTK `application_id` verhindert Doppelstart
+- **Single launch per keybind**: no daemon, the GTK `application_id` prevents double launch
-- **System-Icons**: Adwaita/Catppuccin liefern alle benötigten symbolischen Icons
+- **System icons**: Adwaita/Catppuccin provide all required symbolic icons
-- **Lock ohne Confirmation**: Lock ist sofort reversibel, braucht kein Confirm
+- **Lock without confirmation**: lock is immediately reversible, needs no confirm
-- **Absolute Pfade für Binaries**: `/usr/bin/systemctl` etc. statt relativer Pfade (Security)
+- **Absolute paths for binaries**: `/usr/bin/systemctl` etc. instead of relative paths (security)
-- **GResource-Bundle**: CSS und Default-Avatar sind in die Binary kompiliert (Wallpaper kommt vom Dateisystem)
+- **GResource bundle**: CSS and default avatar are compiled into the binary (the wallpaper comes from the filesystem)
-- **Async Power Actions**: `glib::spawn_future_local` + `gio::spawn_blocking` mit 30s Timeout
+- **Async power actions**: `glib::spawn_future_local` + `gio::spawn_blocking` with a 30s timeout
-- **Journal-Logging**: `systemd-journal-logger` statt File-Logging — `journalctl -t moonset`, Debug-Level per `MOONSET_DEBUG` Env-Var
+- **Journal logging**: `systemd-journal-logger` instead of file logging — `journalctl -t moonset`, debug level via the `MOONSET_DEBUG` env var

Cargo.lock

@@ -616,7 +616,7 @@ dependencies = [
 
 [[package]]
 name = "moonset"
-version = "0.8.0"
+version = "0.8.5"
 dependencies = [
  "dirs",
  "gdk-pixbuf",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonset"
-version = "0.8.0"
+version = "0.8.5"
 edition = "2024"
 description = "Wayland session power menu with GTK4 and Layer Shell"
 license = "MIT"
@@ -22,5 +22,10 @@ systemd-journal-logger = "2.2"
 [dev-dependencies]
 tempfile = "3"
 
+[profile.release]
+lto = "thin"
+codegen-units = 1
+strip = true
+
 [build-dependencies]
 glib-build-tools = "0.22"

DECISIONS.md

@@ -2,79 +2,107 @@
 
 Architectural and design decisions for Moonset, in reverse chronological order.
 
+## 2026-04-24 – Audit LOW fixes: dead uid field, home_dir warn, clippy sweep, debug value (v0.8.5)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Five LOW findings cleared in one pass. (1) `User::uid` was populated from `getuid()` but never read — a compiler `dead_code` warning for a field on the public API. (2) Falling back to a synthetic user when `get_current_user()` returned None used `uid: u32::MAX`, an undocumented sentinel that became moot once uid was removed. (3) `dirs::home_dir().unwrap_or_default()` silently yielded `PathBuf::new()` on failure; avatars would then look for `.face` in the current working directory. (4) `cargo clippy` flagged three suggestions (two collapsible `if`, one redundant closure) that had crept in. (5) `MOONSET_DEBUG` promoted log verbosity on mere presence, leaking path information into the journal.
+- **Tradeoffs**: Dropping `uid` from `User` is a minor API break for any internal caller expecting the field — none existed. The synthetic fallback now surfaces `log::warn!` when home resolution fails, which should be rare outside of pathological sandbox environments.
+- **How**: (1) Remove `pub uid: u32` from `User` and the `uid: uid.as_raw()` assignment in `get_current_user`. (2) Panel fallback drops the `uid` field entirely. (3) `dirs::home_dir().unwrap_or_else(|| { log::warn!(...); PathBuf::new() })`. (4) `cargo clippy --fix` for the two collapsible ifs, manual collapse of `if-let` + `&&` chain, redundant closure replaced with the function itself. (5) `MOONSET_DEBUG` now requires the literal value `"1"` to escalate to Debug.
+
+## 2026-04-24 – Audit MEDIUM fixes: timeout guard, POSIX locale, button desensitize, wallpaper allowlist (v0.8.4)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Five MEDIUM findings: (1) `run_command`'s timeout thread leaked a 30 s gio::spawn_blocking slot if `child.wait()` errored, because `done.store(true)` ran after the `?`. (2) Timeout detection compared `status.signal() == Some(9)` — a hardcoded signal number that also misclassifies OOM-killer SIGKILL as our timeout. (3) `execute_action` never desensitized the button_box, so a double-click or accidental keyboard repeat fired the action twice. (4) `detect_locale` read only `LANG`, ignoring POSIX priority order (`LC_ALL` > `LC_MESSAGES` > `LANG`) — a common dual-language setup picked the wrong UI language. (5) The wallpaper path was passed to gdk-pixbuf without extension or size restriction, widening the image-parser attack surface and allowing unbounded decode latency.
+- **Tradeoffs**: The extension allowlist (`jpg`, `jpeg`, `png`, `webp`) rejects exotic formats users might have used before. The 10 MB size cap rejects uncompressed/high-quality 4K wallpapers; acceptable for a power menu. Memory ordering on the `done` flag is now `Release`/`Acquire` instead of `Relaxed` — no runtime cost but correct across threads.
+- **How**: (1) RAII `DoneGuard` struct sets `done.store(true, Release)` in its `Drop`, so the flag fires on every function exit path. A second `timed_out` AtomicBool distinguishes our SIGKILL from an external one. (2) Replace `Some(9)` with the `timed_out` flag check. (3) `execute_action` now takes `button_box: &gtk::Box`, calls `set_sensitive(false)` on entry and re-enables it on error paths; success paths that quit skip the re-enable. All call sites updated. (4) `detect_locale` reads `LC_ALL`, `LC_MESSAGES`, `LANG` in order, picking the first non-empty value before falling back to `/etc/locale.conf`. (5) `accept_wallpaper` helper applies extension allowlist + symlink rejection + `MAX_WALLPAPER_FILE_SIZE = 10 MB`, and is called for both config-path and Moonarch fallback.
+
+## 2026-04-24 – Audit fix: avoid latent stdout pipe deadlock in run_command (v0.8.3)
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Audit found that `run_command` piped the child's `stdout` but never drained it, then called blocking `child.wait()`. A child writing more than one OS pipe buffer (~64 KB on Linux) would block on `write()` while the parent blocked in `wait()` — classic pipe deadlock, broken only by the 30 s SIGKILL timeout. Current callers (`systemctl`, `niri msg`, `loginctl`) do not emit that much output, but the structure was fragile and would bite on any future command or changed behaviour.
+- **Tradeoffs**: stdout is now fully discarded. If a future caller needs stdout, it will have to drain it concurrently with `wait()` (separate reader thread).
+- **How**: Replace `.stdout(Stdio::piped())` with `.stdout(Stdio::null())` in `run_command`. `stderr` stays piped — it is drained after `wait()`, which is safe because `wait()` already reaped the child and no further writes can occur.
+
+## 2026-03-31 – Fourth audit: release profile, GResource compression, lock stderr, sync markers
+
+- **Who**: ClaudeCode, Dom
+- **Why**: Fourth triple audit found missing release profile (LTO/strip), uncompressed GResource assets, moonlock stderr suppressed (errors invisible), and duplicated code without sync markers.
+- **Tradeoffs**: moonlock stderr now inherited instead of null — errors appear in moonset's journal context. Acceptable for debugging, no security leak since moonlock logs to its own journal identifier.
+- **How**: (1) `[profile.release]` with LTO, codegen-units=1, strip. (2) `compressed="true"` on GResource entries. (3) `Stdio::inherit()` for moonlock stderr in lock(). (4) SYNC comments on duplicated blur/background functions.
+
 ## 2026-03-28 – Remove wallpaper from GResource bundle
 
-- **Who**: Ragnar, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: All three Moon projects (moonset, moongreet, moonlock) embedded a 374kB fallback wallpaper in the binary via GResource. Moonarch already installs `/usr/share/moonarch/wallpaper.jpg` at system setup time, making the embedded fallback unnecessary dead weight (~2MB in binary size).
 - **Tradeoffs**: If `/usr/share/moonarch/wallpaper.jpg` is missing and no user config exists, moonset shows a solid CSS background instead of a wallpaper. Acceptable — the power menu is functional without a wallpaper image.
 - **How**: Removed `wallpaper.jpg` from GResource XML and resources directory. `resolve_background_path` returns `Option<PathBuf>`. All wallpaper-related functions handle `None` gracefully. Binary size dropped from ~3.2MB to ~1.3MB.
 
 ## 2026-03-28 – Switch from env_logger to systemd-journal-logger
 
-- **Who**: Ragnar, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: moonlock and moongreet already use systemd-journal-logger. moonset used env_logger which writes to stderr — not useful for a GUI app launched via keybind. Journal integration enables `journalctl -t moonset` and consistent troubleshooting across all three Moon projects.
 - **Tradeoffs**: Requires systemd at runtime. Graceful fallback to eprintln if journal logger fails. Acceptable since Moonarch targets systemd-based Arch Linux.
 - **How**: Replace `env_logger` dep with `systemd-journal-logger`, add `setup_logging()` with `MOONSET_DEBUG` env var for debug-level output. Same pattern as moonlock/moongreet.
 
 ## 2026-03-28 – Replace action name dispatch with `quit_after` field
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Post-action behavior (quit the app or not) was controlled by comparing `action_name == "lock"` — a magic string duplicated from the action definition. Renaming an action would silently break the dispatch.
 - **Tradeoffs**: Adds a field to `ActionDef` that most actions set to `false`. Acceptable because it makes the contract explicit and testable.
 - **How**: `ActionDef.quit_after: bool` — `true` for lock and logout, `false` for hibernate/reboot/shutdown.
 
 ## 2026-03-28 – GPU blur via GskBlurNode replaces CPU blur
 
-- **Who**: Ragnar, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: CPU-side Gaussian blur (`image` crate) blocked startup and added caching complexity. moonlock already migrated to GPU blur.
 - **Tradeoffs**: GPU blur quality is slightly different (box-blur approximation vs true Gaussian), acceptable for wallpaper backgrounds. Removes `image` crate dependency entirely. No disk cache needed.
 - **How**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` on `connect_realize`. Blur happens once on the GPU when the widget gets its renderer. Symmetric with moonlock and moongreet.
 
 ## 2026-03-28 – Use absolute paths for system binaries
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Security audit flagged PATH hijacking risk — relative binary names allow a malicious `$PATH` entry to intercept `systemctl`, `loginctl`, etc.
 - **Tradeoffs**: Hardcoded paths reduce portability to non-Arch distros where binaries may live elsewhere (e.g. `/sbin/`). Acceptable because Moonarch targets Arch Linux exclusively.
 - **How**: All five power action wrappers now use `/usr/bin/` prefixed paths.
 
 ## 2026-03-28 – Implement power action timeout via try_wait polling
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: `POWER_TIMEOUT` and `PowerError::Timeout` were declared but never wired up. A hanging `systemctl hibernate` (e.g. blocked NFS mount) would freeze the power menu indefinitely.
 - **Tradeoffs**: Polling with `try_wait()` + 100ms sleep is slightly less efficient than a dedicated timeout crate, but avoids adding a dependency for a single use case.
 - **How**: `run_command` now polls `child.try_wait()` against a 30s deadline, kills the child on timeout.
 
 ## 2026-03-28 – Centralize GRESOURCE_PREFIX
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: The string `/dev/moonarch/moonset` was duplicated in `config.rs`, `users.rs`, and as literal strings in `panel.rs` and `main.rs`. Changing the application ID would require edits in 4+ locations.
 - **Tradeoffs**: Modules now depend on `crate::GRESOURCE_PREFIX` — tighter coupling to main.rs, but acceptable for an internal constant.
 - **How**: Single `pub(crate) const GRESOURCE_PREFIX` in `main.rs`, referenced everywhere else.
 
 ## 2026-03-28 – Remove journal.md
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: One-time development notes from the Rust rewrite, never updated after initial session. Overlapped with memory system and git history.
 - **Tradeoffs**: Historical context lost from the file, but the information is preserved in git history and the memory system.
 - **How**: Deleted. Useful technical learnings migrated to persistent memory.
 
 ## 2026-03-27 – OVERLAY layer instead of TOP
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Waybar occupies the TOP layer. The power menu must appear above it.
 - **Tradeoffs**: OVERLAY is the highest layer — nothing can render above moonset while it's open. This is intentional for a session power menu.
 - **How**: `setup_layer_shell` uses `gtk4_layer_shell::Layer::Overlay` for the panel window.
 
 ## 2026-03-27 – Lock without confirmation
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Lock is immediately reversible (just unlock). All other actions (logout, hibernate, reboot, shutdown) are destructive or disruptive.
 - **Tradeoffs**: One less click for the most common action. Risk of accidental lock is negligible since unlocking is trivial.
 - **How**: `ActionDef.needs_confirm = false` for lock; all others require inline confirmation.
 
 ## 2026-03-27 – Niri-specific logout via `niri msg action quit`
 
-- **Who**: Hekate, Dom
+- **Who**: ClaudeCode, Dom
 - **Why**: Moonarch is built exclusively for the Niri compositor. Generic Wayland logout mechanisms don't exist — each compositor has its own.
 - **Tradeoffs**: Hard dependency on Niri. If the compositor changes, `power::logout()` must be updated.
 - **How**: `Command::new("/usr/bin/niri").args(["msg", "action", "quit"])`.

build.rs

@@ -1,5 +1,5 @@
 // ABOUTME: Build script for compiling GResource bundle.
-// ABOUTME: Bundles style.css, wallpaper.jpg, and default-avatar.svg into the binary.
+// ABOUTME: Bundles style.css and default-avatar.svg into the binary.
 
 fn main() {
     glib_build_tools::compile_resources(

resources/resources.gresource.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <gresources>
   <gresource prefix="/dev/moonarch/moonset">
-    <file>style.css</file>
+    <file compressed="true">style.css</file>
-    <file>default-avatar.svg</file>
+    <file compressed="true">default-avatar.svg</file>
   </gresource>
 </gresources>

src/config.rs

@@ -62,21 +62,56 @@ pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
     resolve_background_path_with(config, Path::new(MOONARCH_WALLPAPER))
 }
 
+/// Wallpapers are passed to gdk-pixbuf's image loader; restrict to common image
+/// extensions to reduce the parser-attack surface for user-controlled paths.
+const ALLOWED_BG_EXT: &[&str] = &["jpg", "jpeg", "png", "webp"];
+
+/// Bound wallpaper decode latency (10 MB covers typical 4K JPEGs at Q95).
+const MAX_WALLPAPER_FILE_SIZE: u64 = 10 * 1024 * 1024;
+
+fn is_allowed_wallpaper(path: &Path) -> bool {
+    match path.extension().and_then(|e| e.to_str()) {
+        Some(ext) => ALLOWED_BG_EXT.iter().any(|a| a.eq_ignore_ascii_case(ext)),
+        None => false,
+    }
+}
+
+fn accept_wallpaper(path: &Path) -> bool {
+    if !is_allowed_wallpaper(path) {
+        log::warn!("Wallpaper rejected (extension not in allowlist): {}", path.display());
+        return false;
+    }
+    match path.symlink_metadata() {
+        Ok(meta) if meta.file_type().is_symlink() => {
+            log::warn!("Wallpaper rejected (symlink): {}", path.display());
+            false
+        }
+        Ok(meta) if !meta.is_file() => false,
+        Ok(meta) if meta.len() > MAX_WALLPAPER_FILE_SIZE => {
+            log::warn!(
+                "Wallpaper rejected ({} bytes > {} limit): {}",
+                meta.len(), MAX_WALLPAPER_FILE_SIZE, path.display()
+            );
+            false
+        }
+        Ok(_) => true,
+        Err(_) => false,
+    }
+}
+
 /// Resolve with configurable moonarch wallpaper path (for testing).
 pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
-    // User-configured path — reject symlinks to prevent path traversal
+    // User-configured path — reject symlinks, non-image extensions, and oversized files
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
-        if let Ok(meta) = path.symlink_metadata() {
+        if accept_wallpaper(&path) {
-            if meta.is_file() && !meta.file_type().is_symlink() {
+            log::debug!("Wallpaper source: config ({})", path.display());
-                log::debug!("Wallpaper source: config ({})", path.display());
+            return Some(path);
-                return Some(path);
-            }
         }
     }
 
-    // Moonarch ecosystem default
+    // Moonarch ecosystem default — apply the same checks for consistency
-    if moonarch_wallpaper.is_file() {
+    if accept_wallpaper(moonarch_wallpaper) {
         log::debug!("Wallpaper source: moonarch default ({})", moonarch_wallpaper.display());
         return Some(moonarch_wallpaper.to_path_buf());
     }

src/i18n.rs

@@ -110,15 +110,22 @@ fn read_lang_from_conf(path: &Path) -> Option<String> {
     None
 }
 
-/// Determine the system language from LANG env var or /etc/locale.conf.
+/// Determine the system language from POSIX locale env vars or /etc/locale.conf.
+/// Checks LC_ALL, LC_MESSAGES, LANG in POSIX priority order (LC_ALL overrides
+/// everything; LC_MESSAGES overrides LANG for text categories).
 pub fn detect_locale() -> String {
-    detect_locale_with(env::var("LANG").ok().as_deref(), Path::new(DEFAULT_LOCALE_CONF))
+    let env_val = env::var("LC_ALL")
+        .ok()
+        .filter(|s| !s.is_empty())
+        .or_else(|| env::var("LC_MESSAGES").ok().filter(|s| !s.is_empty()))
+        .or_else(|| env::var("LANG").ok().filter(|s| !s.is_empty()));
+    detect_locale_with(env_val.as_deref(), Path::new(DEFAULT_LOCALE_CONF))
 }
 
 /// Determine locale with configurable inputs (for testing).
 pub fn detect_locale_with(env_lang: Option<&str>, locale_conf_path: &Path) -> String {
     let (raw, source) = if let Some(val) = env_lang.filter(|s| !s.is_empty()) {
-        (Some(val.to_string()), "LANG env")
+        (Some(val.to_string()), "env")
     } else if let Some(val) = read_lang_from_conf(locale_conf_path) {
         (Some(val), "locale.conf")
     } else {

src/main.rs

@@ -88,10 +88,12 @@ fn setup_logging() {
             eprintln!("Failed to create journal logger: {e}");
         }
     }
-    let level = if std::env::var("MOONSET_DEBUG").is_ok() {
+    // Require MOONSET_DEBUG=1 to raise verbosity so mere presence (empty
-        log::LevelFilter::Debug
+    // value in a session script) cannot escalate journal noise with path
-    } else {
+    // information an attacker could use.
-        log::LevelFilter::Info
+    let level = match std::env::var("MOONSET_DEBUG").ok().as_deref() {
+        Some("1") => log::LevelFilter::Debug,
+        _ => log::LevelFilter::Info,
     };
     log::set_max_level(level);
 }

src/panel.rs

@@ -7,7 +7,7 @@ use glib::clone;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
 use std::cell::RefCell;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use std::rc::Rc;
 use std::time::Duration;
 
@@ -103,6 +103,10 @@ pub fn load_background_texture(bg_path: Option<&Path>) -> Option<gdk::Texture> {
 
 // -- GPU blur via GskBlurNode -------------------------------------------------
 
+// SYNC: MAX_BLUR_DIMENSION, render_blurred_texture, and create_background_picture
+// are duplicated in moonlock/src/lockscreen.rs and moongreet/src/greeter.rs.
+// Changes here must be mirrored to the other two projects.
+
 /// Maximum texture dimension before downscaling for blur.
 /// Keeps GPU work reasonable on 4K+ displays.
 const MAX_BLUR_DIMENSION: f32 = 1920.0;
@@ -204,11 +208,16 @@ pub fn create_panel_window(texture: Option<&gdk::Texture>, blur_radius: Option<f
     window.add_css_class("panel");
 
     let strings = load_strings(None);
-    let user = users::get_current_user().unwrap_or_else(|| users::User {
+    let user = users::get_current_user().unwrap_or_else(|| {
-        username: "user".to_string(),
+        let home = dirs::home_dir().unwrap_or_else(|| {
-        display_name: "User".to_string(),
+            log::warn!("Could not resolve HOME — using an empty path");
-        home: dirs::home_dir().unwrap_or_default(),
+            PathBuf::new()
-        uid: u32::MAX,
+        });
+        users::User {
+            username: "user".to_string(),
+            display_name: "User".to_string(),
+            home,
+        }
     });
     log::debug!("User: {} ({})", user.display_name, user.username);
 
@@ -288,6 +297,7 @@ pub fn create_panel_window(texture: Option<&gdk::Texture>, blur_radius: Option<f
             &confirm_area,
             &confirm_box,
             &error_label,
+            &button_box,
         );
         button_box.append(&button);
     }
@@ -371,6 +381,7 @@ fn create_action_button(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) -> gtk::Button {
     let button_content = gtk::Box::new(gtk::Orientation::Vertical, 4);
     button_content.set_halign(gtk::Align::Center);
@@ -400,6 +411,8 @@ fn create_action_button(
         confirm_box,
         #[weak]
         error_label,
+        #[weak]
+        button_box,
         move |_| {
             on_action_clicked(
                 &action_def,
@@ -408,6 +421,7 @@ fn create_action_button(
                 &confirm_area,
                 &confirm_box,
                 &error_label,
+                &button_box,
             );
         }
     ));
@@ -430,16 +444,17 @@ fn on_action_clicked(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) {
     dismiss_confirm(confirm_area, confirm_box);
     error_label.set_visible(false);
 
     if !action_def.needs_confirm {
-        execute_action(action_def, strings, app, confirm_area, confirm_box, error_label);
+        execute_action(action_def, strings, app, confirm_area, confirm_box, error_label, button_box);
         return;
     }
 
-    show_confirm(action_def, strings, app, confirm_area, confirm_box, error_label);
+    show_confirm(action_def, strings, app, confirm_area, confirm_box, error_label, button_box);
 }
 
 /// Show inline confirmation below the action buttons.
@@ -450,6 +465,7 @@ fn show_confirm(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) {
     let new_box = gtk::Box::new(gtk::Orientation::Vertical, 8);
     new_box.set_halign(gtk::Align::Center);
@@ -477,6 +493,8 @@ fn show_confirm(
         confirm_box,
         #[weak]
         error_label,
+        #[weak]
+        button_box,
         move |_| {
             execute_action(
                 &action_def_clone,
@@ -485,6 +503,7 @@ fn show_confirm(
                 &confirm_area,
                 &confirm_box,
                 &error_label,
+                &button_box,
             );
         }
     ));
@@ -497,8 +516,13 @@ fn show_confirm(
         confirm_area,
         #[strong]
         confirm_box,
+        #[weak]
+        button_box,
         move |_| {
             dismiss_confirm(&confirm_area, &confirm_box);
+            if let Some(first) = button_box.first_child() {
+                first.grab_focus();
+            }
         }
     ));
     button_row.append(&no_btn);
@@ -527,6 +551,7 @@ fn execute_action(
     confirm_area: &gtk::Box,
     confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
     error_label: &gtk::Label,
+    button_box: &gtk::Box,
 ) {
     dismiss_confirm(confirm_area, confirm_box);
     log::debug!("Executing power action: {}", action_def.name);
@@ -536,6 +561,10 @@ fn execute_action(
     let quit_after = action_def.quit_after;
     let error_message = (action_def.error_attr)(strings).to_string();
 
+    // Desensitize buttons so a double-click or accidental keyboard repeat
+    // cannot fire the same action twice while it is in flight.
+    button_box.set_sensitive(false);
+
     // Use glib::spawn_future_local + gio::spawn_blocking to avoid Send issues
     // with GTK objects. The blocking closure runs on a thread pool, the result
     // is handled back on the main thread.
@@ -544,24 +573,30 @@ fn execute_action(
         app,
         #[weak]
         error_label,
+        #[weak]
+        button_box,
         async move {
-            let result = gio::spawn_blocking(move || action_fn()).await;
+            let result = gio::spawn_blocking(action_fn).await;
 
             match result {
                 Ok(Ok(())) => {
                     if quit_after {
                         fade_out_and_quit(&app);
+                    } else {
+                        button_box.set_sensitive(true);
                     }
                 }
                 Ok(Err(e)) => {
                     log::error!("Power action '{}' failed: {}", action_name, e);
                     error_label.set_text(&error_message);
                     error_label.set_visible(true);
+                    button_box.set_sensitive(true);
                 }
                 Err(_) => {
                     log::error!("Power action '{}' panicked", action_name);
                     error_label.set_text(&error_message);
                     error_label.set_visible(true);
+                    button_box.set_sensitive(true);
                 }
             }
         }

src/power.rs

@@ -40,7 +40,9 @@ fn run_command(action: &'static str, program: &str, args: &[&str]) -> Result<(),
     log::debug!("Power action: {action} ({program} {args:?})");
     let mut child = Command::new(program)
         .args(args)
-        .stdout(Stdio::piped())
+        // stdout is discarded — piping without draining would deadlock if a
+        // command ever wrote more than one OS pipe buffer before wait() returned.
+        .stdout(Stdio::null())
         .stderr(Stdio::piped())
         .spawn()
         .map_err(|e| PowerError::CommandFailed {
@@ -50,44 +52,50 @@ fn run_command(action: &'static str, program: &str, args: &[&str]) -> Result<(),
 
     let child_pid = nix::unistd::Pid::from_raw(child.id() as i32);
     let done = Arc::new(AtomicBool::new(false));
+    let timed_out = Arc::new(AtomicBool::new(false));
     let done_clone = done.clone();
+    let timed_out_clone = timed_out.clone();
 
-    let timeout_thread = std::thread::spawn(move || {
+    let _timeout_thread = std::thread::spawn(move || {
-        // Sleep in short intervals so we can exit early when the child finishes
         let interval = Duration::from_millis(100);
         let mut elapsed = Duration::ZERO;
         while elapsed < POWER_TIMEOUT {
             std::thread::sleep(interval);
-            if done_clone.load(Ordering::Relaxed) {
+            if done_clone.load(Ordering::Acquire) {
                 return;
             }
             elapsed += interval;
         }
+        // Record that we fired the kill so we don't misclassify an external
+        // SIGKILL (OOM killer, kill -9) as our timeout.
+        timed_out_clone.store(true, Ordering::Release);
         // ESRCH if the process already exited — harmless
         let _ = nix::sys::signal::kill(child_pid, nix::sys::signal::Signal::SIGKILL);
     });
 
+    // Drop guard ensures the timeout thread sees done=true even if child.wait()
+    // errors out — otherwise the thread sleeps its full 30 s holding a slot in
+    // the gio::spawn_blocking pool.
+    struct DoneGuard(Arc<AtomicBool>);
+    impl Drop for DoneGuard {
+        fn drop(&mut self) {
+            self.0.store(true, Ordering::Release);
+        }
+    }
+    let _done_guard = DoneGuard(done);
+
     let status = child.wait().map_err(|e| PowerError::CommandFailed {
         action,
         message: e.to_string(),
     })?;
 
-    done.store(true, Ordering::Relaxed);
-    let _ = timeout_thread.join();
-
     if status.success() {
         log::debug!("Power action {action} completed");
         Ok(())
     } else {
-        // Check if killed by our timeout (SIGKILL = signal 9)
+        if timed_out.load(Ordering::Acquire) {
-        #[cfg(unix)]
+            return Err(PowerError::Timeout { action });
-        {
-            use std::os::unix::process::ExitStatusExt;
-            if status.signal() == Some(9) {
-                return Err(PowerError::Timeout { action });
-            }
         }
-
         let mut stderr_buf = String::new();
         if let Some(mut stderr) = child.stderr.take() {
             let _ = stderr.read_to_string(&mut stderr_buf);
@@ -107,7 +115,7 @@ pub fn lock() -> Result<(), PowerError> {
     Command::new("/usr/bin/moonlock")
         .stdin(Stdio::null())
         .stdout(Stdio::null())
-        .stderr(Stdio::null())
+        .stderr(Stdio::inherit())
         .spawn()
         .map_err(|e| PowerError::CommandFailed {
             action: "lock",

src/users.rs

@@ -12,7 +12,6 @@ pub struct User {
     pub username: String,
     pub display_name: String,
     pub home: PathBuf,
-    pub uid: u32,
 }
 
 /// Get the currently logged-in user's info from the system.
@@ -37,7 +36,6 @@ pub fn get_current_user() -> Option<User> {
         username: nix_user.name,
         display_name,
         home: nix_user.dir,
-        uid: uid.as_raw(),
     })
 }
 
@@ -65,16 +63,16 @@ pub fn get_avatar_path_with(
     }
 
     // AccountsService icon fallback
-    if let Some(name) = username {
+    if let Some(name) = username
-        if accountsservice_dir.exists() {
+        && accountsservice_dir.exists()
-            let icon = accountsservice_dir.join(name);
+    {
-            if let Ok(meta) = icon.symlink_metadata() {
+        let icon = accountsservice_dir.join(name);
-                if meta.file_type().is_symlink() {
+        if let Ok(meta) = icon.symlink_metadata() {
-                    log::warn!("Rejecting symlink avatar: {}", icon.display());
+            if meta.file_type().is_symlink() {
-                } else if meta.is_file() {
+                log::warn!("Rejecting symlink avatar: {}", icon.display());
-                    log::debug!("Avatar: using AccountsService icon ({})", icon.display());
+            } else if meta.is_file() {
-                    return Some(icon);
+                log::debug!("Avatar: using AccountsService icon ({})", icon.display());
-                }
+                return Some(icon);
             }
         }
     }