`9d71c5e`

workspace skeleton and IPC protocol

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 3 months ago

SHA: 9d71c5e4a3d45bd8a8a2fa4bcd64e7f5ab195902
Parents: ab309fd
Tree: c2b6aa7

23 changed files

Status	File	+	-
A	`.fackr/workspace.json`	53	0
M	`.gitignore`	1	3
A	`Cargo.lock`	659	0
A	`Cargo.toml`	41	0
A	`docs/architecture.md`	219	0
A	`docs/checklist.md`	157	0
A	`docs/gardm.md`	14	0
A	`docs/sprints/sprint-0-setup.md`	246	0
A	`docs/sprints/sprint-1-pam.md`	356	0
A	`docs/sprints/sprint-2-x11.md`	487	0
A	`docs/sprints/sprint-3-greeter-ui.md`	586	0
A	`docs/sprints/sprint-4-garbg-integration.md`	453	0
A	`etc/config.toml`	34	0
A	`etc/gardm.service`	25	0
A	`gardm-greeter/Cargo.toml`	18	0
A	`gardm-greeter/src/main.rs`	35	0
A	`gardm-ipc/Cargo.toml`	12	0
A	`gardm-ipc/src/lib.rs`	199	0
A	`gardmd/Cargo.toml`	23	0
A	`gardmd/src/config.rs`	155	0
A	`gardmd/src/ipc.rs`	99	0
A	`gardmd/src/lib.rs`	9	0
A	`gardmd/src/main.rs`	174	0

.fackr/workspace.jsonadded

 +{
 +  "active_tab": 1,
 +  "tabs": [
 +    {
 +      "files": [
 +        {
 +          "path": ".gitignore",
 +          "is_orphan": false
 +        }
 +      ],
 +      "active_pane": 0,
 +      "panes": [
 +        {
 +          "buffer_idx": 0,
 +          "cursor_line": 3,
 +          "cursor_col": 0,
 +          "viewport_line": 0,
 +          "viewport_col": 0,
 +          "bounds": {
 +            "x_start": 0.0,
 +            "y_start": 0.0,
 +            "x_end": 1.0,
 +            "y_end": 1.0
 +          }
 +        }
 +      ]
 +    },
 +    {
 +      "files": [
 +        {
 +          "path": "docs/gardm.md",
 +          "is_orphan": false
 +        }
 +      ],
 +      "active_pane": 0,
 +      "panes": [
 +        {
 +          "buffer_idx": 0,
 +          "cursor_line": 13,
 +          "cursor_col": 109,
 +          "viewport_line": 0,
 +          "viewport_col": 9,
 +          "bounds": {
 +            "x_start": 0.0,
 +            "y_start": 0.0,
 +            "x_end": 1.0,
 +            "y_end": 1.0
 +          }
 +        }
 +      ]
 +    }
 +  ]
 +}

.gitignoremodified

 -docs/
 -.fackr/
 -CLAUDE.md
 +/target

Cargo.lockadded

 +# This file is automatically @generated by Cargo.
 +# It is not intended for manual editing.
 +version = 4
++
 +[[package]]
 +name = "aho-corasick"
 +version = "1.1.4"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
 +dependencies = [
 + "memchr",
 +]
++
 +[[package]]
 +name = "anyhow"
 +version = "1.0.100"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
++
 +[[package]]
 +name = "bitflags"
 +version = "2.10.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
++
 +[[package]]
 +name = "bytes"
 +version = "1.11.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
++
 +[[package]]
 +name = "cfg-if"
 +version = "1.0.4"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
++
 +[[package]]
 +name = "equivalent"
 +version = "1.0.2"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
++
 +[[package]]
 +name = "errno"
 +version = "0.3.14"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 +dependencies = [
 + "libc",
 + "windows-sys 0.61.2",
 +]
++
 +[[package]]
 +name = "gardm-greeter"
 +version = "0.1.0"
 +dependencies = [
 + "anyhow",
 + "gardm-ipc",
 + "thiserror",
 + "tokio",
 + "tracing",
 + "tracing-subscriber",
 +]
++
 +[[package]]
 +name = "gardm-ipc"
 +version = "0.1.0"
 +dependencies = [
 + "serde",
 + "serde_json",
 + "thiserror",
 + "tokio",
 +]
++
 +[[package]]
 +name = "gardmd"
 +version = "0.1.0"
 +dependencies = [
 + "anyhow",
 + "gardm-ipc",
 + "nix",
 + "sd-notify",
 + "serde",
 + "serde_json",
 + "thiserror",
 + "tokio",
 + "toml",
 + "tracing",
 + "tracing-subscriber",
 +]
++
 +[[package]]
 +name = "hashbrown"
 +version = "0.16.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
++
 +[[package]]
 +name = "indexmap"
 +version = "2.13.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
 +dependencies = [
 + "equivalent",
 + "hashbrown",
 +]
++
 +[[package]]
 +name = "itoa"
 +version = "1.0.17"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
++
 +[[package]]
 +name = "lazy_static"
 +version = "1.5.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
++
 +[[package]]
 +name = "libc"
 +version = "0.2.180"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
++
 +[[package]]
 +name = "lock_api"
 +version = "0.4.14"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
 +dependencies = [
 + "scopeguard",
 +]
++
 +[[package]]
 +name = "log"
 +version = "0.4.29"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
++
 +[[package]]
 +name = "matchers"
 +version = "0.2.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
 +dependencies = [
 + "regex-automata",
 +]
++
 +[[package]]
 +name = "memchr"
 +version = "2.7.6"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"
++
 +[[package]]
 +name = "mio"
 +version = "1.1.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
 +dependencies = [
 + "libc",
 + "wasi",
 + "windows-sys 0.61.2",
 +]
++
 +[[package]]
 +name = "nix"
 +version = "0.27.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
 +dependencies = [
 + "bitflags",
 + "cfg-if",
 + "libc",
 +]
++
 +[[package]]
 +name = "nu-ansi-term"
 +version = "0.50.3"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 +dependencies = [
 + "windows-sys 0.61.2",
 +]
++
 +[[package]]
 +name = "once_cell"
 +version = "1.21.3"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
++
 +[[package]]
 +name = "parking_lot"
 +version = "0.12.5"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
 +dependencies = [
 + "lock_api",
 + "parking_lot_core",
 +]
++
 +[[package]]
 +name = "parking_lot_core"
 +version = "0.9.12"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
 +dependencies = [
 + "cfg-if",
 + "libc",
 + "redox_syscall",
 + "smallvec",
 + "windows-link",
 +]
++
 +[[package]]
 +name = "pin-project-lite"
 +version = "0.2.16"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
++
 +[[package]]
 +name = "proc-macro2"
 +version = "1.0.105"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "535d180e0ecab6268a3e718bb9fd44db66bbbc256257165fc699dadf70d16fe7"
 +dependencies = [
 + "unicode-ident",
 +]
++
 +[[package]]
 +name = "quote"
 +version = "1.0.43"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "dc74d9a594b72ae6656596548f56f667211f8a97b3d4c3d467150794690dc40a"
 +dependencies = [
 + "proc-macro2",
 +]
++
 +[[package]]
 +name = "redox_syscall"
 +version = "0.5.18"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
 +dependencies = [
 + "bitflags",
 +]
++
 +[[package]]
 +name = "regex-automata"
 +version = "0.4.13"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
 +dependencies = [
 + "aho-corasick",
 + "memchr",
 + "regex-syntax",
 +]
++
 +[[package]]
 +name = "regex-syntax"
 +version = "0.8.8"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
++
 +[[package]]
 +name = "scopeguard"
 +version = "1.2.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
++
 +[[package]]
 +name = "sd-notify"
 +version = "0.4.5"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "b943eadf71d8b69e661330cb0e2656e31040acf21ee7708e2c238a0ec6af2bf4"
 +dependencies = [
 + "libc",
 +]
++
 +[[package]]
 +name = "serde"
 +version = "1.0.228"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
 +dependencies = [
 + "serde_core",
 + "serde_derive",
 +]
++
 +[[package]]
 +name = "serde_core"
 +version = "1.0.228"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
 +dependencies = [
 + "serde_derive",
 +]
++
 +[[package]]
 +name = "serde_derive"
 +version = "1.0.228"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 +dependencies = [
 + "proc-macro2",
 + "quote",
 + "syn",
 +]
++
 +[[package]]
 +name = "serde_json"
 +version = "1.0.149"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
 +dependencies = [
 + "itoa",
 + "memchr",
 + "serde",
 + "serde_core",
 + "zmij",
 +]
++
 +[[package]]
 +name = "serde_spanned"
 +version = "0.6.9"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "bf41e0cfaf7226dca15e8197172c295a782857fcb97fad1808a166870dee75a3"
 +dependencies = [
 + "serde",
 +]
++
 +[[package]]
 +name = "sharded-slab"
 +version = "0.1.7"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
 +dependencies = [
 + "lazy_static",
 +]
++
 +[[package]]
 +name = "signal-hook-registry"
 +version = "1.4.8"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
 +dependencies = [
 + "errno",
 + "libc",
 +]
++
 +[[package]]
 +name = "smallvec"
 +version = "1.15.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
++
 +[[package]]
 +name = "socket2"
 +version = "0.6.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881"
 +dependencies = [
 + "libc",
 + "windows-sys 0.60.2",
 +]
++
 +[[package]]
 +name = "syn"
 +version = "2.0.114"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
 +dependencies = [
 + "proc-macro2",
 + "quote",
 + "unicode-ident",
 +]
++
 +[[package]]
 +name = "thiserror"
 +version = "1.0.69"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
 +dependencies = [
 + "thiserror-impl",
 +]
++
 +[[package]]
 +name = "thiserror-impl"
 +version = "1.0.69"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 +dependencies = [
 + "proc-macro2",
 + "quote",
 + "syn",
 +]
++
 +[[package]]
 +name = "thread_local"
 +version = "1.1.9"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
 +dependencies = [
 + "cfg-if",
 +]
++
 +[[package]]
 +name = "tokio"
 +version = "1.49.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
 +dependencies = [
 + "bytes",
 + "libc",
 + "mio",
 + "parking_lot",
 + "pin-project-lite",
 + "signal-hook-registry",
 + "socket2",
 + "tokio-macros",
 + "windows-sys 0.61.2",
 +]
++
 +[[package]]
 +name = "tokio-macros"
 +version = "2.6.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
 +dependencies = [
 + "proc-macro2",
 + "quote",
 + "syn",
 +]
++
 +[[package]]
 +name = "toml"
 +version = "0.8.23"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362"
 +dependencies = [
 + "serde",
 + "serde_spanned",
 + "toml_datetime",
 + "toml_edit",
 +]
++
 +[[package]]
 +name = "toml_datetime"
 +version = "0.6.11"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
 +dependencies = [
 + "serde",
 +]
++
 +[[package]]
 +name = "toml_edit"
 +version = "0.22.27"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 +dependencies = [
 + "indexmap",
 + "serde",
 + "serde_spanned",
 + "toml_datetime",
 + "toml_write",
 + "winnow",
 +]
++
 +[[package]]
 +name = "toml_write"
 +version = "0.1.2"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
++
 +[[package]]
 +name = "tracing"
 +version = "0.1.44"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 +dependencies = [
 + "pin-project-lite",
 + "tracing-attributes",
 + "tracing-core",
 +]
++
 +[[package]]
 +name = "tracing-attributes"
 +version = "0.1.31"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
 +dependencies = [
 + "proc-macro2",
 + "quote",
 + "syn",
 +]
++
 +[[package]]
 +name = "tracing-core"
 +version = "0.1.36"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
 +dependencies = [
 + "once_cell",
 + "valuable",
 +]
++
 +[[package]]
 +name = "tracing-log"
 +version = "0.2.0"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
 +dependencies = [
 + "log",
 + "once_cell",
 + "tracing-core",
 +]
++
 +[[package]]
 +name = "tracing-subscriber"
 +version = "0.3.22"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
 +dependencies = [
 + "matchers",
 + "nu-ansi-term",
 + "once_cell",
 + "regex-automata",
 + "sharded-slab",
 + "smallvec",
 + "thread_local",
 + "tracing",
 + "tracing-core",
 + "tracing-log",
 +]
++
 +[[package]]
 +name = "unicode-ident"
 +version = "1.0.22"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
++
 +[[package]]
 +name = "valuable"
 +version = "0.1.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
++
 +[[package]]
 +name = "wasi"
 +version = "0.11.1+wasi-snapshot-preview1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
++
 +[[package]]
 +name = "windows-link"
 +version = "0.2.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
++
 +[[package]]
 +name = "windows-sys"
 +version = "0.60.2"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
 +dependencies = [
 + "windows-targets",
 +]
++
 +[[package]]
 +name = "windows-sys"
 +version = "0.61.2"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
 +dependencies = [
 + "windows-link",
 +]
++
 +[[package]]
 +name = "windows-targets"
 +version = "0.53.5"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
 +dependencies = [
 + "windows-link",
 + "windows_aarch64_gnullvm",
 + "windows_aarch64_msvc",
 + "windows_i686_gnu",
 + "windows_i686_gnullvm",
 + "windows_i686_msvc",
 + "windows_x86_64_gnu",
 + "windows_x86_64_gnullvm",
 + "windows_x86_64_msvc",
 +]
++
 +[[package]]
 +name = "windows_aarch64_gnullvm"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
++
 +[[package]]
 +name = "windows_aarch64_msvc"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
++
 +[[package]]
 +name = "windows_i686_gnu"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
++
 +[[package]]
 +name = "windows_i686_gnullvm"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
++
 +[[package]]
 +name = "windows_i686_msvc"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
++
 +[[package]]
 +name = "windows_x86_64_gnu"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
++
 +[[package]]
 +name = "windows_x86_64_gnullvm"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
++
 +[[package]]
 +name = "windows_x86_64_msvc"
 +version = "0.53.1"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
++
 +[[package]]
 +name = "winnow"
 +version = "0.7.14"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
 +dependencies = [
 + "memchr",
 +]
++
 +[[package]]
 +name = "zmij"
 +version = "1.0.14"
 +source = "registry+https://github.com/rust-lang/crates.io-index"
 +checksum = "bd8f3f50b848df28f887acb68e41201b5aea6bc8a8dacc00fb40635ff9a72fea"

Cargo.tomladded

 +[workspace]
 +members = ["gardmd", "gardm-greeter", "gardm-ipc"]
 +resolver = "2"
++
 +[workspace.package]
 +version = "0.1.0"
 +edition = "2021"
 +license = "MIT"
 +repository = "https://github.com/mfwolffe/gardesk"
++
 +[workspace.dependencies]
 +# Serialization
 +serde = { version = "1.0", features = ["derive"] }
 +serde_json = "1.0"
 +toml = "0.8"
++
 +# Async runtime
 +tokio = { version = "1", features = ["full", "signal"] }
++
 +# Logging
 +tracing = "0.1"
 +tracing-subscriber = { version = "0.3", features = ["env-filter"] }
++
 +# Error handling
 +anyhow = "1.0"
 +thiserror = "1.0"
++
 +# Unix/Linux
 +nix = { version = "0.27", features = ["user", "process", "signal"] }
++
 +# X11
 +x11rb = { version = "0.13", features = ["allow-unsafe-code"] }
++
 +# Graphics
 +cairo-rs = { version = "0.18", features = ["png"] }
 +pango = "0.18"
 +pangocairo = "0.18"
 +image = "0.24"
++
 +# IPC
 +gardm-ipc = { path = "gardm-ipc" }

docs/architecture.mdadded

 +# gardm Architecture
++
 +## Overview
++
 +gardm is the display manager for the gar desktop suite. It follows a **daemon + greeter** architecture similar to [greetd](https://github.com/kennylevinsen/greetd), providing clean separation between authentication/session management and the user interface.
++
 +## Components
++
 +```
 +┌─────────────────────────────────────────────────────────────┐
 +│                         gardmd                               │
 +│                   (Display Manager Daemon)                   │
 +│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
 +│  │    PAM      │  │   X11/Xorg  │  │  Session Manager    │  │
 +│  │ Integration │  │   Control   │  │  (systemd-logind)   │  │
 +│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
 +│                          │                                   │
 +│                    Unix Socket IPC                           │
 +│                          │                                   │
 +└──────────────────────────┼──────────────────────────────────┘
 +                           │
 +┌──────────────────────────┼──────────────────────────────────┐
 +│                          ▼                                   │
 +│                   gardm-greeter                              │
 +│                   (Graphical UI)                             │
 +│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
 +│  │   Cairo/    │  │   garbg     │  │    User Input       │  │
 +│  │   Pango     │  │ Integration │  │   (login form)      │  │
 +│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
 +└─────────────────────────────────────────────────────────────┘
 +```
++
 +### gardmd (Daemon)
++
 +The privileged daemon that runs as root. Responsibilities:
++
 +1. **X11 Server Management**: Start/stop Xorg server on appropriate VT
 +2. **PAM Authentication**: Verify user credentials via `/etc/pam.d/gardm`
 +3. **Session Launching**: Start selected session (gar, other WMs/DEs)
 +4. **systemd-logind Integration**: Register sessions, handle multi-seat
 +5. **IPC Server**: Listen on Unix socket for greeter commands
++
 +### gardm-greeter (Frontend)
++
 +The unprivileged graphical interface. Runs as dedicated `gardm` user. Responsibilities:
++
 +1. **User Interface**: Render login form, session selector, power buttons
 +2. **garbg Integration**: Display same wallpaper that gar session will use
 +3. **Visual Effects**: Blur background, animations, theming
 +4. **IPC Client**: Send auth requests to daemon, receive responses
++
 +## IPC Protocol
++
 +JSON-based protocol over Unix socket at `/run/gardm.sock`:
++
 +### Requests (Greeter → Daemon)
++
 +```json
 +// Create authentication session
 +{ "type": "create_session", "username": "user" }
++
 +// Attempt authentication
 +{ "type": "authenticate", "response": "password123" }
++
 +// Start session after successful auth
 +{ "type": "start_session", "cmd": ["gar-session.sh"], "env": [] }
++
 +// Cancel current auth attempt
 +{ "type": "cancel_session" }
++
 +// System actions
 +{ "type": "shutdown" }
 +{ "type": "reboot" }
 +{ "type": "suspend" }
 +```
++
 +### Responses (Daemon → Greeter)
++
 +```json
 +// Success
 +{ "type": "success" }
++
 +// Auth prompt (PAM asking for input)
 +{ "type": "auth_prompt", "prompt": "Password:", "echo": false }
++
 +// Auth info message
 +{ "type": "auth_info", "message": "..." }
++
 +// Auth error
 +{ "type": "auth_error", "message": "Authentication failed" }
++
 +// General error
 +{ "type": "error", "message": "..." }
 +```
++
 +## Session Discovery
++
 +Sessions are discovered from standard locations:
++
 +- `/usr/share/xsessions/*.desktop` - X11 sessions
 +- `/usr/share/wayland-sessions/*.desktop` - Wayland sessions (future)
++
 +gar session file example (`/usr/share/xsessions/gar.desktop`):
 +```ini
 +[Desktop Entry]
 +Name=gar
 +Comment=Tiling window manager with smart splits
 +Exec=/usr/local/bin/gar-session.sh
 +Type=XSession
 +DesktopNames=gar
 +```
++
 +## User Discovery
++
 +Users are enumerated from:
++
 +- `/etc/passwd` (filter by UID range, shell, home directory existence)
 +- AccountsService D-Bus interface (if available)
++
 +Hidden users (UID < 1000, nologin shell, system accounts) are filtered out.
++
 +## garbg Integration
++
 +The greeter reads garbg's config to display the same wallpaper:
++
 +1. Read `~/.config/garbg/config.toml` for default wallpaper source
 +2. Or read playlist state from `$XDG_RUNTIME_DIR/garbg-state.json`
 +3. Apply blur effect for greeter aesthetic
 +4. On successful login, gar session starts garbg which shows same image (seamless transition)
++
 +## Security Model
++
 +- **gardmd**: Runs as root, handles PAM, minimal attack surface
 +- **gardm-greeter**: Runs as unprivileged `gardm` user
 +- **IPC**: Socket permissions restrict access to gardm user
 +- **X11**: Greeter runs on isolated X server started by daemon
++
 +## Configuration
++
 +`/etc/gardm/config.toml`:
++
 +```toml
 +[general]
 +# Default session if user hasn't selected one
 +default_session = "gar"
++
 +# Greeter command
 +greeter = "/usr/bin/gardm-greeter"
++
 +# VT to use (0 = auto-select)
 +vt = 0
++
 +[greeter]
 +# Theme settings
 +blur_radius = 20
 +blur_brightness = 0.7
++
 +# Show/hide elements
 +show_power_buttons = true
 +show_session_selector = true
++
 +# garbg integration
 +use_garbg_wallpaper = true
 +fallback_wallpaper = "/usr/share/gardm/backgrounds/default.jpg"
++
 +[security]
 +# Allow empty passwords
 +allow_empty_password = false
++
 +# Lock after N failed attempts (0 = disabled)
 +lockout_attempts = 5
 +lockout_duration = 300
 +```
++
 +## PAM Configuration
++
 +`/etc/pam.d/gardm`:
++
 +```
 +#%PAM-1.0
 +auth       required     pam_securetty.so
 +auth       requisite    pam_nologin.so
 +auth       include      system-local-login
 +account    include      system-local-login
 +session    include      system-local-login
 +password   include      system-local-login
 +```
++
 +## systemd Integration
++
 +`/usr/lib/systemd/system/gardm.service`:
++
 +```ini
 +[Unit]
 +Description=gar Display Manager
 +After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
 +Conflicts=getty@tty1.service
++
 +[Service]
 +ExecStart=/usr/bin/gardmd
 +Restart=always
++
 +[Install]
 +Alias=display-manager.service
 +```
++
 +## Key Dependencies
++
 +| Component | Crates |
 +|-----------|--------|
 +| gardmd | pam, nix, sd-notify, serde, tokio |
 +| gardm-greeter | x11rb, cairo-rs, pango, image, serde |
++
 +## References
++
 +- [freedesktop.org: Writing Display Managers](https://systemd.io/WRITING_DISPLAY_MANAGERS/)
 +- [greetd](https://github.com/kennylevinsen/greetd) - Architecture inspiration
 +- [SDDM](https://github.com/sddm/sddm) - Feature reference
 +- [LightDM](https://github.com/canonical/lightdm) - Protocol reference

docs/checklist.mdadded

 +# gardm Feature Checklist
++
 +## Core Functionality
++
 +### Authentication
 +- [ ] PAM integration for password authentication
 +- [ ] Multi-factor auth support (PAM handles this transparently)
 +- [ ] Account lockout after failed attempts
 +- [ ] "Remember last user" functionality
 +- [ ] Guest session support (optional)
++
 +### Session Management
 +- [ ] Discover X11 sessions from `/usr/share/xsessions/`
 +- [ ] Parse .desktop files for session metadata
 +- [ ] Remember user's last session choice
 +- [ ] Support custom session commands
 +- [ ] Proper session environment setup (DISPLAY, XDG_*, etc.)
 +- [ ] systemd-logind session registration
++
 +### X11 Server Management
 +- [ ] Start Xorg on appropriate VT
 +- [ ] Handle X server crashes gracefully
 +- [ ] Support multi-seat (seat0 initially)
 +- [ ] Pass correct display/VT to sessions
 +- [ ] Clean X server shutdown on logout
++
 +### Power Management
 +- [ ] Shutdown button (requires polkit or root)
 +- [ ] Reboot button
 +- [ ] Suspend button
 +- [ ] Hibernate button (if available)
 +- [ ] Scheduled actions (shutdown in 5 min, etc.) - optional
++
 +## User Interface
++
 +### Login Form
 +- [ ] Username input (with dropdown of available users)
 +- [ ] Password input (masked)
 +- [ ] Session selector dropdown
 +- [ ] Login button
 +- [ ] Clear error messages on auth failure
 +- [ ] Loading/spinner during authentication
++
 +### Visual Design
 +- [ ] Centered login form
 +- [ ] Blurred background image
 +- [ ] Configurable blur radius/brightness
 +- [ ] Smooth fade-in on greeter start
 +- [ ] Smooth transition to session (fade-out)
 +- [ ] Clock display
 +- [ ] Current date display
++
 +### User List
 +- [ ] Show available users with avatars
 +- [ ] Filter system accounts (UID < 1000)
 +- [ ] Filter accounts with nologin shell
 +- [ ] Support user icons from AccountsService
 +- [ ] Keyboard navigation through user list
++
 +### Theming
 +- [ ] Configurable colors/fonts via config file
 +- [ ] Support custom background images
 +- [ ] garbg wallpaper integration
 +- [ ] Logo/branding support
 +- [ ] Dark/light theme variants
++
 +### Accessibility
 +- [ ] Keyboard-only navigation (Tab, Enter, Escape)
 +- [ ] High contrast mode (optional)
 +- [ ] Screen reader support (optional, complex)
 +- [ ] On-screen keyboard (optional, complex)
++
 +## gar Integration
++
 +### garbg Wallpaper Sync
 +- [ ] Read garbg config for default wallpaper
 +- [ ] Read garbg playlist state for current wallpaper
 +- [ ] Apply consistent blur to match gar lock screen
 +- [ ] Seamless visual transition to gar session
++
 +### Shared Configuration
 +- [ ] Read gar color scheme for consistent theming
 +- [ ] Use same fonts as garbar
 +- [ ] Respect gar's corner radius settings
++
 +## System Integration
++
 +### systemd
 +- [ ] Proper service file
 +- [ ] Socket activation (optional)
 +- [ ] sd_notify for readiness
 +- [ ] Proper shutdown handling (SIGTERM)
 +- [ ] Alias as display-manager.service
++
 +### D-Bus
 +- [ ] systemd-logind integration for session management
 +- [ ] AccountsService for user info (optional)
 +- [ ] polkit for power actions (optional)
++
 +### Files and Paths
 +- [ ] Config file: `/etc/gardm/config.toml`
 +- [ ] PAM config: `/etc/pam.d/gardm`
 +- [ ] Socket: `/run/gardm.sock`
 +- [ ] PID file: `/run/gardm.pid`
 +- [ ] Log file: via journald
 +- [ ] State dir: `/var/lib/gardm/`
++
 +## Security
++
 +### Hardening
 +- [ ] Greeter runs as unprivileged user
 +- [ ] Minimal daemon attack surface
 +- [ ] Socket permissions (0600, gardm:gardm)
 +- [ ] No credentials in logs
 +- [ ] Secure memory handling for passwords
++
 +### Input Validation
 +- [ ] Sanitize username input
 +- [ ] Prevent path traversal in session selection
 +- [ ] Rate limiting on auth attempts
 +- [ ] Timeout for idle greeter
++
 +## Error Handling
++
 +- [ ] X server fail to start
 +- [ ] PAM errors (account locked, expired, etc.)
 +- [ ] Session fail to start
 +- [ ] IPC communication errors
 +- [ ] Missing configuration graceful fallback
 +- [ ] Greeter crash recovery (restart greeter)
++
 +## Testing
++
 +- [ ] Unit tests for IPC protocol
 +- [ ] Unit tests for session discovery
 +- [ ] Integration tests with mock PAM
 +- [ ] Manual testing checklist
 +- [ ] Xephyr-based testing for greeter UI
++
 +## Documentation
++
 +- [ ] README with quick start
 +- [ ] Configuration reference
 +- [ ] Theming guide
 +- [ ] Troubleshooting guide
 +- [ ] Man pages (gardmd.8, gardm-greeter.1)
++
 +## Nice-to-Have (Future)
++
 +- [ ] Wayland greeter support
 +- [ ] Network login (LDAP, etc.)
 +- [ ] Fingerprint authentication
 +- [ ] Auto-login configuration
 +- [ ] Remote desktop support
 +- [ ] Multi-monitor greeter
 +- [ ] Animated backgrounds
 +- [ ] Weather/calendar widgets

docs/gardm.mdadded

 +# GARDM
++
 +the next step in the gar desktop experience is the gar desktop manager. it should be oriented towards integration with other gar products.
 +it should set the same background as will be set by garbg on launching gar so that the only thing that changes during the transition is the animation to load in
++
 +it should have users centered, and all the standard desktop manger buttons.
++
 +it should have a sleek interface like my current sddm approach. background should be blurred. username/pass should be  centered.
++
 +first stage is planning. we need to reference existing foss greeters/desktop managers to see what ours needs to do, otherwise we're lost.
 +We'll make a checklist of targets to hit and generate sprint files in the .gitignored directory docs/sprints/. each sprint file should have a list of targets and pitfalls to avoid
++
 +gardm should do everything that a modern greeter does, and look pretty while doing it. it should be gar-first, that is oriented towards the gar desktop environment and window manager, but it should be compatible with all linux machines that support x11.
 +we're going with x11 because of nvidia issues on wayland, but we can still make a pretty greeter in xorgland.

docs/sprints/sprint-0-setup.mdadded

 +# Sprint 0: Project Setup
++
 +**Goal:** Establish project structure, build system, and minimal daemon that can start and stop cleanly.
++
 +## Objectives
++
 +- Initialize Rust workspace with two crates (gardmd, gardm-greeter)
 +- Set up shared library for IPC protocol
 +- Create systemd service file
 +- Establish logging infrastructure
 +- Basic daemon lifecycle (start, signal handling, shutdown)
++
 +## Tasks
++
 +### 0.1 Initialize Cargo Workspace
++
 +```
 +gardm/
 +├── Cargo.toml              # Workspace root
 +├── gardmd/
 +│   ├── Cargo.toml
 +│   └── src/
 +│       ├── main.rs         # Daemon entry point
 +│       └── lib.rs
 +├── gardm-greeter/
 +│   ├── Cargo.toml
 +│   └── src/
 +│       ├── main.rs         # Greeter entry point
 +│       └── lib.rs
 +└── gardm-ipc/
 +    ├── Cargo.toml
 +    └── src/
 +        └── lib.rs          # Shared IPC types
 +```
++
 +**Root Cargo.toml:**
 +```toml
 +[workspace]
 +members = ["gardmd", "gardm-greeter", "gardm-ipc"]
 +resolver = "2"
++
 +[workspace.dependencies]
 +serde = { version = "1.0", features = ["derive"] }
 +serde_json = "1.0"
 +tokio = { version = "1", features = ["full"] }
 +tracing = "0.1"
 +tracing-subscriber = "0.3"
 +anyhow = "1.0"
 +thiserror = "1.0"
 +```
++
 +### 0.2 Define IPC Protocol Types
++
 +In `gardm-ipc/src/lib.rs`:
++
 +```rust
 +use serde::{Deserialize, Serialize};
++
 +#[derive(Debug, Serialize, Deserialize)]
 +#[serde(tag = "type", rename_all = "snake_case")]
 +pub enum Request {
 +    CreateSession { username: String },
 +    Authenticate { response: String },
 +    StartSession { cmd: Vec<String>, env: Vec<String> },
 +    CancelSession,
 +    Shutdown,
 +    Reboot,
 +    Suspend,
 +}
++
 +#[derive(Debug, Serialize, Deserialize)]
 +#[serde(tag = "type", rename_all = "snake_case")]
 +pub enum Response {
 +    Success,
 +    AuthPrompt { prompt: String, echo: bool },
 +    AuthInfo { message: String },
 +    AuthError { message: String },
 +    Error { message: String },
 +}
 +```
++
 +### 0.3 Basic Daemon Skeleton
++
 +In `gardmd/src/main.rs`:
++
 +```rust
 +use tokio::signal::unix::{signal, SignalKind};
 +use tracing_subscriber::{fmt, prelude::*, EnvFilter};
++
 +#[tokio::main]
 +async fn main() -> anyhow::Result<()> {
 +    // Initialize logging to journald
 +    tracing_subscriber::registry()
 +        .with(fmt::layer())
 +        .with(EnvFilter::from_default_env())
 +        .init();
++
 +    tracing::info!("gardmd starting");
++
 +    // Signal handling
 +    let mut sigterm = signal(SignalKind::terminate())?;
 +    let mut sigint = signal(SignalKind::interrupt())?;
++
 +    tokio::select! {
 +        _ = sigterm.recv() => {
 +            tracing::info!("Received SIGTERM, shutting down");
 +        }
 +        _ = sigint.recv() => {
 +            tracing::info!("Received SIGINT, shutting down");
 +        }
 +    }
++
 +    tracing::info!("gardmd stopped");
 +    Ok(())
 +}
 +```
++
 +### 0.4 systemd Service File
++
 +Create `gardm.service`:
++
 +```ini
 +[Unit]
 +Description=gar Display Manager
 +Documentation=man:gardmd(8)
 +After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
 +Conflicts=getty@tty1.service
++
 +[Service]
 +Type=notify
 +ExecStart=/usr/bin/gardmd
 +Restart=always
 +RestartSec=1
++
 +# Security hardening
 +ProtectSystem=strict
 +ProtectHome=read-only
 +PrivateTmp=true
 +NoNewPrivileges=false  # Required for PAM
 +ReadWritePaths=/run
++
 +[Install]
 +Alias=display-manager.service
 +```
++
 +### 0.5 Configuration Scaffolding
++
 +Create `gardmd/src/config.rs`:
++
 +```rust
 +use serde::Deserialize;
 +use std::path::PathBuf;
++
 +#[derive(Debug, Deserialize)]
 +pub struct Config {
 +    #[serde(default)]
 +    pub general: GeneralConfig,
 +    #[serde(default)]
 +    pub greeter: GreeterConfig,
 +}
++
 +#[derive(Debug, Deserialize, Default)]
 +pub struct GeneralConfig {
 +    #[serde(default = "default_session")]
 +    pub default_session: String,
 +    #[serde(default = "default_greeter")]
 +    pub greeter: PathBuf,
 +    #[serde(default)]
 +    pub vt: u32,
 +}
++
 +#[derive(Debug, Deserialize, Default)]
 +pub struct GreeterConfig {
 +    #[serde(default = "default_blur_radius")]
 +    pub blur_radius: u32,
 +}
++
 +fn default_session() -> String { "gar".to_string() }
 +fn default_greeter() -> PathBuf { "/usr/bin/gardm-greeter".into() }
 +fn default_blur_radius() -> u32 { 20 }
++
 +impl Config {
 +    pub fn load() -> anyhow::Result<Self> {
 +        let path = PathBuf::from("/etc/gardm/config.toml");
 +        if path.exists() {
 +            let content = std::fs::read_to_string(&path)?;
 +            Ok(toml::from_str(&content)?)
 +        } else {
 +            Ok(Config::default())
 +        }
 +    }
 +}
 +```
++
 +## Acceptance Criteria
++
 +1. `cargo build --release` succeeds for all workspace members
 +2. `gardmd` starts, logs to stdout, and exits cleanly on SIGTERM
 +3. IPC types serialize/deserialize correctly (unit test)
 +4. Config loads from file or uses defaults
 +5. Service file passes `systemd-analyze verify`
++
 +## Pitfalls to Avoid
++
 +1. **Don't start X11 yet** - that's Sprint 2. Keep this sprint minimal.
 +2. **Don't implement PAM yet** - that's Sprint 1. Focus on structure.
 +3. **Avoid premature optimization** - get it working first.
 +4. **Don't forget `sd_notify`** - systemd needs to know when daemon is ready.
 +5. **Test without root first** - use `RUST_LOG=debug cargo run` for development.
++
 +## Testing
++
 +```bash
 +# Build
 +cargo build --release
++
 +# Run daemon in foreground (Ctrl+C to stop)
 +RUST_LOG=debug ./target/release/gardmd
++
 +# Verify signal handling
 +kill -TERM $(pidof gardmd)
++
 +# Test config loading
 +mkdir -p /tmp/gardm-test
 +echo '[general]' > /tmp/gardm-test/config.toml
 +echo 'default_session = "test"' >> /tmp/gardm-test/config.toml
 +```
++
 +## Dependencies for This Sprint
++
 +```toml
 +# gardmd/Cargo.toml
 +[dependencies]
 +gardm-ipc = { path = "../gardm-ipc" }
 +tokio = { workspace = true }
 +tracing = { workspace = true }
 +tracing-subscriber = { workspace = true }
 +anyhow = { workspace = true }
 +serde = { workspace = true }
 +toml = "0.8"
 +sd-notify = "0.4"
 +```
++
 +## Next Sprint
++
 +Sprint 1 will add PAM authentication to the daemon.

docs/sprints/sprint-1-pam.mdadded

 +# Sprint 1: PAM Authentication
++
 +**Goal:** Implement PAM-based user authentication in the daemon with proper conversation handling.
++
 +## Objectives
++
 +- Integrate with PAM for user authentication
 +- Handle PAM conversation (prompts, messages)
 +- Create IPC server for greeter communication
 +- Implement session state machine
 +- Test authentication flow end-to-end
++
 +## Background: How PAM Works
++
 +PAM (Pluggable Authentication Modules) uses a "conversation" model:
++
 +1. Application calls `pam_authenticate()`
 +2. PAM modules may request information via conversation callback
 +3. Callback returns user input (password, OTP, etc.)
 +4. PAM returns success/failure
++
 +For a display manager, we need to bridge this conversation to the greeter UI:
++
 +```
 +Greeter ←→ IPC ←→ Daemon ←→ PAM ←→ System
 +```
++
 +## Tasks
++
 +### 1.1 Add PAM Dependency
++
 +The `pam` crate provides safe Rust bindings:
++
 +```toml
 +# gardmd/Cargo.toml
 +[dependencies]
 +pam = "0.8"
 +```
++
 +### 1.2 Create PAM Configuration
++
 +`/etc/pam.d/gardm`:
++
 +```
 +#%PAM-1.0
 +auth       required     pam_securetty.so
 +auth       requisite    pam_nologin.so
 +auth       include      system-local-login
 +account    include      system-local-login
 +session    include      system-local-login
 +password   include      system-local-login
 +```
++
 +### 1.3 Implement Authentication State Machine
++
 +```rust
 +// gardmd/src/auth.rs
++
 +use pam::Authenticator;
 +use std::ffi::CString;
++
 +pub enum AuthState {
 +    /// No active authentication
 +    Idle,
 +    /// Waiting for username
 +    AwaitingUsername,
 +    /// PAM conversation in progress
 +    Authenticating {
 +        username: String,
 +        authenticator: Authenticator<'static, PasswordConv>,
 +    },
 +    /// Authentication succeeded, ready to start session
 +    Authenticated {
 +        username: String,
 +    },
 +}
++
 +pub struct AuthSession {
 +    state: AuthState,
 +}
++
 +impl AuthSession {
 +    pub fn new() -> Self {
 +        Self { state: AuthState::Idle }
 +    }
++
 +    pub fn create_session(&mut self, username: &str) -> Result<AuthResponse> {
 +        let service = CString::new("gardm")?;
 +        let username_c = CString::new(username)?;
++
 +        // Create PAM authenticator
 +        let mut auth = Authenticator::with_password(&service)?;
 +        auth.get_handler().set_credentials(username_c, /* password later */);
++
 +        self.state = AuthState::Authenticating {
 +            username: username.to_string(),
 +            authenticator: auth,
 +        };
++
 +        // PAM will ask for password
 +        Ok(AuthResponse::Prompt {
 +            prompt: "Password:".to_string(),
 +            echo: false,
 +        })
 +    }
++
 +    pub fn authenticate(&mut self, response: &str) -> Result<AuthResponse> {
 +        match &mut self.state {
 +            AuthState::Authenticating { username, authenticator } => {
 +                // Provide password to PAM
 +                authenticator.get_handler().set_credentials(
 +                    CString::new(username.as_str())?,
 +                    CString::new(response)?,
 +                );
++
 +                // Attempt authentication
 +                match authenticator.authenticate() {
 +                    Ok(()) => {
 +                        let username = username.clone();
 +                        self.state = AuthState::Authenticated { username };
 +                        Ok(AuthResponse::Success)
 +                    }
 +                    Err(e) => {
 +                        self.state = AuthState::Idle;
 +                        Ok(AuthResponse::Error {
 +                            message: format!("Authentication failed: {}", e),
 +                        })
 +                    }
 +                }
 +            }
 +            _ => Ok(AuthResponse::Error {
 +                message: "No authentication in progress".to_string(),
 +            }),
 +        }
 +    }
++
 +    pub fn cancel(&mut self) {
 +        self.state = AuthState::Idle;
 +    }
 +}
 +```
++
 +### 1.4 Implement IPC Server
++
 +```rust
 +// gardmd/src/ipc.rs
++
 +use gardm_ipc::{Request, Response};
 +use tokio::net::{UnixListener, UnixStream};
 +use tokio::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
++
 +pub struct IpcServer {
 +    listener: UnixListener,
 +}
++
 +impl IpcServer {
 +    pub async fn new(path: &str) -> anyhow::Result<Self> {
 +        // Remove stale socket
 +        let _ = std::fs::remove_file(path);
++
 +        let listener = UnixListener::bind(path)?;
++
 +        // Set permissions (only gardm user can connect)
 +        std::fs::set_permissions(path, std::fs::Permissions::from_mode(0o600))?;
++
 +        Ok(Self { listener })
 +    }
++
 +    pub async fn accept(&self) -> anyhow::Result<IpcClient> {
 +        let (stream, _) = self.listener.accept().await?;
 +        Ok(IpcClient::new(stream))
 +    }
 +}
++
 +pub struct IpcClient {
 +    reader: BufReader<tokio::net::unix::OwnedReadHalf>,
 +    writer: tokio::net::unix::OwnedWriteHalf,
 +}
++
 +impl IpcClient {
 +    pub fn new(stream: UnixStream) -> Self {
 +        let (read, write) = stream.into_split();
 +        Self {
 +            reader: BufReader::new(read),
 +            writer: write,
 +        }
 +    }
++
 +    pub async fn read_request(&mut self) -> anyhow::Result<Option<Request>> {
 +        let mut line = String::new();
 +        let n = self.reader.read_line(&mut line).await?;
 +        if n == 0 {
 +            return Ok(None);
 +        }
 +        Ok(Some(serde_json::from_str(&line)?))
 +    }
++
 +    pub async fn send_response(&mut self, response: &Response) -> anyhow::Result<()> {
 +        let json = serde_json::to_string(response)?;
 +        self.writer.write_all(json.as_bytes()).await?;
 +        self.writer.write_all(b"\n").await?;
 +        self.writer.flush().await?;
 +        Ok(())
 +    }
 +}
 +```
++
 +### 1.5 Wire Up Main Loop
++
 +```rust
 +// gardmd/src/main.rs
++
 +async fn run() -> anyhow::Result<()> {
 +    let config = Config::load()?;
 +    let ipc = IpcServer::new("/run/gardm.sock").await?;
 +    let mut auth = AuthSession::new();
++
 +    // Notify systemd we're ready
 +    sd_notify::notify(true, &[sd_notify::NotifyState::Ready])?;
++
 +    tracing::info!("gardmd ready, listening for connections");
++
 +    loop {
 +        let mut client = ipc.accept().await?;
++
 +        // Handle single client (greeter)
 +        while let Some(request) = client.read_request().await? {
 +            let response = match request {
 +                Request::CreateSession { username } => {
 +                    auth.create_session(&username)?
 +                }
 +                Request::Authenticate { response } => {
 +                    auth.authenticate(&response)?
 +                }
 +                Request::CancelSession => {
 +                    auth.cancel();
 +                    Response::Success
 +                }
 +                // Power actions handled in later sprint
 +                _ => Response::Error {
 +                    message: "Not implemented".to_string(),
 +                },
 +            };
++
 +            client.send_response(&response).await?;
 +        }
 +    }
 +}
 +```
++
 +### 1.6 Create Test Client
++
 +For testing without the full greeter:
++
 +```rust
 +// gardm-greeter/src/bin/test-auth.rs
++
 +use gardm_ipc::{Request, Response};
 +use std::io::{self, BufRead, Write};
 +use std::os::unix::net::UnixStream;
++
 +fn main() -> anyhow::Result<()> {
 +    let mut stream = UnixStream::connect("/run/gardm.sock")?;
++
 +    // Get username
 +    print!("Username: ");
 +    io::stdout().flush()?;
 +    let mut username = String::new();
 +    io::stdin().lock().read_line(&mut username)?;
++
 +    // Send create_session
 +    let req = Request::CreateSession {
 +        username: username.trim().to_string(),
 +    };
 +    writeln!(stream, "{}", serde_json::to_string(&req)?)?;
++
 +    // Read response
 +    let mut response = String::new();
 +    let mut reader = io::BufReader::new(&stream);
 +    reader.read_line(&mut response)?;
 +    println!("Response: {}", response);
++
 +    // Get password
 +    print!("Password: ");
 +    io::stdout().flush()?;
 +    let password = rpassword::read_password()?;
++
 +    // Send authenticate
 +    let req = Request::Authenticate { response: password };
 +    writeln!(stream, "{}", serde_json::to_string(&req)?)?;
++
 +    // Read response
 +    response.clear();
 +    reader.read_line(&mut response)?;
 +    println!("Response: {}", response);
++
 +    Ok(())
 +}
 +```
++
 +## Acceptance Criteria
++
 +1. Daemon accepts IPC connections from greeter
 +2. `CreateSession` initiates PAM conversation
 +3. `Authenticate` with correct password returns `Success`
 +4. `Authenticate` with wrong password returns `AuthError`
 +5. `CancelSession` resets state cleanly
 +6. Multiple auth attempts work without daemon restart
 +7. PAM config file is properly loaded
++
 +## Pitfalls to Avoid
++
 +1. **PAM is synchronous** - don't block the async runtime. Use `spawn_blocking` for PAM calls.
 +2. **Memory safety with passwords** - zero memory after use (pam crate should handle this).
 +3. **Don't store passwords** - only pass through to PAM immediately.
 +4. **Handle PAM errors gracefully** - account locked, expired password, etc. have specific error types.
 +5. **Test with real PAM** - mock tests are useful but test against real system too.
 +6. **Remember PAM is stateful** - can't call authenticate twice on same session.
++
 +## Testing
++
 +```bash
 +# Build and run daemon as root (required for PAM)
 +sudo RUST_LOG=debug ./target/release/gardmd &
++
 +# Test with CLI client
 +./target/release/test-auth
++
 +# Test wrong password
 +# Test account lockout (if configured)
 +# Test non-existent user
 +```
++
 +## Security Considerations
++
 +- Daemon must run as root for PAM access
 +- IPC socket must be protected (0600 permissions)
 +- Failed auth attempts should be rate-limited (PAM may do this)
 +- Log auth attempts but NOT passwords
++
 +## Dependencies for This Sprint
++
 +```toml
 +# gardmd/Cargo.toml
 +[dependencies]
 +pam = "0.8"
 +nix = { version = "0.27", features = ["user"] }
++
 +# gardm-greeter/Cargo.toml (for test client)
 +[dependencies]
 +rpassword = "7.0"
 +```
++
 +## Next Sprint
++
 +Sprint 2 will add X11 server management - starting Xorg and the greeter.

docs/sprints/sprint-2-x11.mdadded

 +# Sprint 2: X11 Server Management
++
 +**Goal:** Start and manage Xorg server, launch greeter process, and handle session startup.
++
 +## Objectives
++
 +- Start Xorg on appropriate VT with correct permissions
 +- Launch greeter as unprivileged user
 +- Start user session after successful auth
 +- Handle X server lifecycle (crash recovery, clean shutdown)
 +- Integrate with systemd-logind for session registration
++
 +## Background: X11 Display Manager Flow
++
 +```
 +1. gardmd starts
 +2. gardmd spawns Xorg on VT (e.g., :0 on vt1)
 +3. gardmd waits for X to be ready (connect test)
 +4. gardmd spawns greeter as unprivileged user
 +5. Greeter authenticates user via IPC
 +6. gardmd kills greeter, starts user session
 +7. User session runs until logout
 +8. gardmd restarts greeter (loop back to 4)
 +```
++
 +## Tasks
++
 +### 2.1 X Server Launcher
++
 +```rust
 +// gardmd/src/x11.rs
++
 +use nix::unistd::{fork, ForkResult, setsid, Pid};
 +use std::process::{Command, Child};
 +use std::time::Duration;
++
 +pub struct XServer {
 +    process: Child,
 +    display: String,
 +    vt: u32,
 +}
++
 +impl XServer {
 +    /// Start Xorg server on specified display and VT
 +    pub fn start(display: &str, vt: u32) -> anyhow::Result<Self> {
 +        // Xorg arguments
 +        let mut cmd = Command::new("/usr/bin/Xorg");
 +        cmd.arg(display)
 +           .arg(&format!("vt{}", vt))
 +           .arg("-keeptty")
 +           .arg("-noreset")
 +           .arg("-novtswitch")
 +           .arg("-nolisten").arg("tcp");
++
 +        // For multi-seat support (future):
 +        // cmd.arg("-seat").arg("seat0");
++
 +        // Capture output for debugging
 +        cmd.stdout(std::process::Stdio::piped())
 +           .stderr(std::process::Stdio::piped());
++
 +        let process = cmd.spawn()?;
++
 +        tracing::info!("Started Xorg on {} (vt{}, pid={})",
 +            display, vt, process.id());
++
 +        let server = Self {
 +            process,
 +            display: display.to_string(),
 +            vt,
 +        };
++
 +        // Wait for X to be ready
 +        server.wait_ready(Duration::from_secs(10))?;
++
 +        Ok(server)
 +    }
++
 +    /// Wait for X server to be ready by attempting connection
 +    fn wait_ready(&self, timeout: Duration) -> anyhow::Result<()> {
 +        use std::time::Instant;
++
 +        let start = Instant::now();
 +        while start.elapsed() < timeout {
 +            // Try to connect to X server
 +            match x11rb::connect(Some(&self.display)) {
 +                Ok(_) => {
 +                    tracing::debug!("X server ready on {}", self.display);
 +                    return Ok(());
 +                }
 +                Err(_) => {
 +                    std::thread::sleep(Duration::from_millis(100));
 +                }
 +            }
 +        }
++
 +        anyhow::bail!("X server failed to become ready within {:?}", timeout);
 +    }
++
 +    /// Get the display string (e.g., ":0")
 +    pub fn display(&self) -> &str {
 +        &self.display
 +    }
++
 +    /// Get the VT number
 +    pub fn vt(&self) -> u32 {
 +        self.vt
 +    }
++
 +    /// Check if X server is still running
 +    pub fn is_running(&mut self) -> bool {
 +        match self.process.try_wait() {
 +            Ok(None) => true,
 +            _ => false,
 +        }
 +    }
++
 +    /// Stop the X server
 +    pub fn stop(&mut self) -> anyhow::Result<()> {
 +        tracing::info!("Stopping X server");
 +        self.process.kill()?;
 +        self.process.wait()?;
 +        Ok(())
 +    }
 +}
++
 +impl Drop for XServer {
 +    fn drop(&mut self) {
 +        let _ = self.stop();
 +    }
 +}
 +```
++
 +### 2.2 VT Allocation
++
 +```rust
 +// gardmd/src/vt.rs
++
 +use std::fs::OpenOptions;
 +use std::os::unix::io::AsRawFd;
 +use nix::ioctl_read_bad;
++
 +// ioctl for getting/setting VT
 +const VT_GETSTATE: u64 = 0x5603;
 +const VT_ACTIVATE: u64 = 0x5606;
 +const VT_WAITACTIVE: u64 = 0x5607;
 +const VT_OPENQRY: u64 = 0x5600;
++
 +#[repr(C)]
 +pub struct VtStat {
 +    pub v_active: u16,
 +    pub v_signal: u16,
 +    pub v_state: u16,
 +}
++
 +/// Find an unused VT
 +pub fn find_unused_vt() -> anyhow::Result<u32> {
 +    let console = OpenOptions::new()
 +        .read(true)
 +        .write(true)
 +        .open("/dev/tty0")?;
++
 +    let mut vt: i32 = 0;
 +    unsafe {
 +        if libc::ioctl(console.as_raw_fd(), VT_OPENQRY as _, &mut vt) < 0 {
 +            anyhow::bail!("Failed to find unused VT");
 +        }
 +    }
++
 +    if vt <= 0 {
 +        anyhow::bail!("No unused VT available");
 +    }
++
 +    Ok(vt as u32)
 +}
++
 +/// Switch to a specific VT
 +pub fn switch_to_vt(vt: u32) -> anyhow::Result<()> {
 +    let console = OpenOptions::new()
 +        .read(true)
 +        .write(true)
 +        .open("/dev/tty0")?;
++
 +    unsafe {
 +        if libc::ioctl(console.as_raw_fd(), VT_ACTIVATE as _, vt) < 0 {
 +            anyhow::bail!("Failed to activate VT {}", vt);
 +        }
 +        if libc::ioctl(console.as_raw_fd(), VT_WAITACTIVE as _, vt) < 0 {
 +            anyhow::bail!("Failed to wait for VT {}", vt);
 +        }
 +    }
++
 +    Ok(())
 +}
 +```
++
 +### 2.3 Greeter Process Manager
++
 +```rust
 +// gardmd/src/greeter.rs
++
 +use nix::unistd::{Uid, Gid, setuid, setgid, User};
 +use std::process::{Command, Child};
++
 +pub struct GreeterProcess {
 +    process: Child,
 +}
++
 +impl GreeterProcess {
 +    /// Start the greeter as the gardm user
 +    pub fn start(greeter_cmd: &str, display: &str) -> anyhow::Result<Self> {
 +        // Get gardm user info
 +        let user = User::from_name("gardm")?
 +            .ok_or_else(|| anyhow::anyhow!("gardm user not found"))?;
++
 +        let mut cmd = Command::new(greeter_cmd);
 +        cmd.env("DISPLAY", display)
 +           .env("XDG_SESSION_CLASS", "greeter")
 +           .env("XDG_SESSION_TYPE", "x11");
++
 +        // Run as gardm user
 +        unsafe {
 +            cmd.pre_exec(move || {
 +                setgid(Gid::from_raw(user.gid.as_raw()))?;
 +                setuid(Uid::from_raw(user.uid.as_raw()))?;
 +                Ok(())
 +            });
 +        }
++
 +        let process = cmd.spawn()?;
 +        tracing::info!("Started greeter (pid={})", process.id());
++
 +        Ok(Self { process })
 +    }
++
 +    /// Check if greeter is still running
 +    pub fn is_running(&mut self) -> bool {
 +        matches!(self.process.try_wait(), Ok(None))
 +    }
++
 +    /// Wait for greeter to exit
 +    pub fn wait(&mut self) -> anyhow::Result<std::process::ExitStatus> {
 +        Ok(self.process.wait()?)
 +    }
++
 +    /// Kill the greeter
 +    pub fn kill(&mut self) -> anyhow::Result<()> {
 +        self.process.kill()?;
 +        self.process.wait()?;
 +        Ok(())
 +    }
 +}
 +```
++
 +### 2.4 Session Launcher
++
 +```rust
 +// gardmd/src/session.rs
++
 +use nix::unistd::{Uid, Gid, setuid, setgid, User, initgroups, chdir};
 +use std::process::{Command, Child};
 +use std::ffi::CString;
++
 +pub struct UserSession {
 +    process: Child,
 +    username: String,
 +}
++
 +impl UserSession {
 +    /// Start a user session
 +    pub fn start(
 +        username: &str,
 +        session_cmd: &[String],
 +        display: &str,
 +        vt: u32,
 +    ) -> anyhow::Result<Self> {
 +        let user = User::from_name(username)?
 +            .ok_or_else(|| anyhow::anyhow!("User {} not found", username))?;
++
 +        let home = user.dir.to_string_lossy().to_string();
 +        let shell = user.shell.to_string_lossy().to_string();
 +        let uid = user.uid;
 +        let gid = user.gid;
 +        let username_c = CString::new(username)?;
++
 +        // Build session command
 +        let (cmd_path, cmd_args) = if session_cmd.is_empty() {
 +            // Default to gar-session.sh
 +            ("/usr/local/bin/gar-session.sh".to_string(), vec![])
 +        } else {
 +            (session_cmd[0].clone(), session_cmd[1..].to_vec())
 +        };
++
 +        let mut cmd = Command::new(&cmd_path);
 +        cmd.args(&cmd_args)
 +           .env("DISPLAY", display)
 +           .env("HOME", &home)
 +           .env("USER", username)
 +           .env("LOGNAME", username)
 +           .env("SHELL", &shell)
 +           .env("XDG_SESSION_TYPE", "x11")
 +           .env("XDG_VTNR", vt.to_string())
 +           .env("XDG_SEAT", "seat0");
++
 +        // Run as the user
 +        unsafe {
 +            cmd.pre_exec(move || {
 +                // Set groups
 +                initgroups(&username_c, gid)?;
 +                setgid(gid)?;
 +                setuid(uid)?;
++
 +                // Change to home directory
 +                let home_c = CString::new(home.as_str())?;
 +                chdir(&home_c)?;
++
 +                Ok(())
 +            });
 +        }
++
 +        let process = cmd.spawn()?;
 +        tracing::info!("Started session for {} (pid={})", username, process.id());
++
 +        Ok(Self {
 +            process,
 +            username: username.to_string(),
 +        })
 +    }
++
 +    /// Wait for session to end
 +    pub fn wait(&mut self) -> anyhow::Result<std::process::ExitStatus> {
 +        Ok(self.process.wait()?)
 +    }
 +}
 +```
++
 +### 2.5 Main Loop Integration
++
 +```rust
 +// gardmd/src/main.rs
++
 +async fn run() -> anyhow::Result<()> {
 +    let config = Config::load()?;
++
 +    // Find VT to use
 +    let vt = if config.general.vt > 0 {
 +        config.general.vt
 +    } else {
 +        vt::find_unused_vt()?
 +    };
++
 +    // Start X server
 +    let display = ":0";
 +    let mut x_server = XServer::start(display, vt)?;
++
 +    // Switch to our VT
 +    vt::switch_to_vt(vt)?;
++
 +    // Start IPC server
 +    let ipc = IpcServer::new("/run/gardm.sock").await?;
 +    let mut auth = AuthSession::new();
++
 +    sd_notify::notify(true, &[sd_notify::NotifyState::Ready])?;
++
 +    loop {
 +        // Start greeter
 +        let mut greeter = GreeterProcess::start(&config.general.greeter, display)?;
++
 +        // Handle greeter authentication
 +        let session_info = handle_greeter_auth(&ipc, &mut auth).await?;
++
 +        // Kill greeter before starting session
 +        greeter.kill()?;
++
 +        // Start user session
 +        let mut session = UserSession::start(
 +            &session_info.username,
 +            &session_info.cmd,
 +            display,
 +            vt,
 +        )?;
++
 +        // Wait for session to end
 +        let status = session.wait()?;
 +        tracing::info!("Session ended with status: {:?}", status);
++
 +        // Loop back to greeter
 +    }
 +}
++
 +struct SessionInfo {
 +    username: String,
 +    cmd: Vec<String>,
 +}
++
 +async fn handle_greeter_auth(
 +    ipc: &IpcServer,
 +    auth: &mut AuthSession,
 +) -> anyhow::Result<SessionInfo> {
 +    let mut client = ipc.accept().await?;
++
 +    loop {
 +        let request = client.read_request().await?
 +            .ok_or_else(|| anyhow::anyhow!("Greeter disconnected"))?;
++
 +        match request {
 +            Request::CreateSession { username } => {
 +                let response = auth.create_session(&username)?;
 +                client.send_response(&response.into()).await?;
 +            }
 +            Request::Authenticate { response } => {
 +                let result = auth.authenticate(&response)?;
 +                client.send_response(&result.clone().into()).await?;
++
 +                if matches!(result, AuthResponse::Success) {
 +                    // Read StartSession request
 +                    if let Some(Request::StartSession { cmd, .. }) =
 +                        client.read_request().await?
 +                    {
 +                        return Ok(SessionInfo {
 +                            username: auth.username().unwrap().to_string(),
 +                            cmd,
 +                        });
 +                    }
 +                }
 +            }
 +            Request::CancelSession => {
 +                auth.cancel();
 +                client.send_response(&Response::Success).await?;
 +            }
 +            _ => {
 +                client.send_response(&Response::Error {
 +                    message: "Unexpected request".to_string(),
 +                }).await?;
 +            }
 +        }
 +    }
 +}
 +```
++
 +## Acceptance Criteria
++
 +1. Xorg starts on specified VT
 +2. Greeter launches as unprivileged gardm user
 +3. After auth success, greeter is killed and session starts
 +4. Session runs as authenticated user with correct environment
 +5. After session logout, greeter restarts
 +6. X server crash triggers recovery (restart X + greeter)
++
 +## Pitfalls to Avoid
++
 +1. **Don't forget VT permissions** - Xorg needs access to /dev/tty*
 +2. **X server takes time to start** - must wait for it to be ready
 +3. **Environment inheritance** - don't leak root environment to session
 +4. **Group membership** - user needs video, audio groups for hardware access
 +5. **Home directory** - chdir to $HOME before starting session
 +6. **Don't block on X** - use async/spawn for process management
++
 +## Testing
++
 +```bash
 +# Test X server startup (need to be root, on real TTY)
 +sudo ./target/release/gardmd
++
 +# Alternative: Test in Xephyr (nested X)
 +Xephyr -br -ac -noreset -screen 1280x720 :1 &
 +DISPLAY=:1 ./target/release/gardm-greeter
++
 +# Create gardm user for testing
 +sudo useradd -r -s /usr/bin/nologin -d /var/lib/gardm gardm
 +sudo mkdir -p /var/lib/gardm
 +sudo chown gardm:gardm /var/lib/gardm
 +```
++
 +## Dependencies for This Sprint
++
 +```toml
 +# gardmd/Cargo.toml
 +[dependencies]
 +x11rb = "0.13"
 +libc = "0.2"
 +nix = { version = "0.27", features = ["user", "process", "ioctl"] }
 +```
++
 +## Next Sprint
++
 +Sprint 3 will build the graphical greeter UI with Cairo/Pango.

docs/sprints/sprint-3-greeter-ui.mdadded

 +# Sprint 3: Greeter UI
++
 +**Goal:** Build a sleek, centered login interface with blurred background using Cairo/Pango rendering.
++
 +## Objectives
++
 +- Create X11 window that covers the full screen
 +- Render blurred background image
 +- Implement centered login form (username, password inputs)
 +- Add session selector dropdown
 +- Add power buttons (shutdown, reboot, suspend)
 +- Handle keyboard input and focus
 +- Connect UI to daemon via IPC
++
 +## Design Reference
++
 +```
 +┌─────────────────────────────────────────────────────────────────────┐
 +│                                                                     │
 +│                         [Blurred Background]                        │
 +│                                                                     │
 +│                     ┌───────────────────────┐                       │
 +│                     │       User Avatar     │                       │
 +│                     │          👤           │                       │
 +│                     ├───────────────────────┤                       │
 +│                     │  Username: [       ]  │                       │
 +│                     │  Password: [*******]  │                       │
 +│                     │                       │                       │
 +│                     │  Session:  [gar    ▼] │                       │
 +│                     │                       │                       │
 +│                     │      [ Login ]        │                       │
 +│                     │                       │                       │
 +│                     │   Error message here  │                       │
 +│                     └───────────────────────┘                       │
 +│                                                                     │
 +│  12:34 PM                                          [⏻] [↻] [⏾]     │
 +│  January 14, 2026                                                   │
 +└─────────────────────────────────────────────────────────────────────┘
 +```
++
 +## Tasks
++
 +### 3.1 Window Setup
++
 +```rust
 +// gardm-greeter/src/window.rs
++
 +use x11rb::connection::Connection;
 +use x11rb::protocol::xproto::*;
 +use x11rb::wrapper::ConnectionExt;
++
 +pub struct GreeterWindow {
 +    conn: x11rb::rust_connection::RustConnection,
 +    screen_num: usize,
 +    window: Window,
 +    width: u16,
 +    height: u16,
 +    gc: Gcontext,
 +}
++
 +impl GreeterWindow {
 +    pub fn new() -> anyhow::Result<Self> {
 +        let (conn, screen_num) = x11rb::connect(None)?;
 +        let screen = &conn.setup().roots[screen_num];
++
 +        let width = screen.width_in_pixels;
 +        let height = screen.height_in_pixels;
 +        let root = screen.root;
 +        let depth = screen.root_depth;
 +        let visual = screen.root_visual;
++
 +        // Create window
 +        let window = conn.generate_id()?;
 +        conn.create_window(
 +            depth,
 +            window,
 +            root,
 +            0, 0,
 +            width, height,
 +            0,
 +            WindowClass::INPUT_OUTPUT,
 +            visual,
 +            &CreateWindowAux::new()
 +                .background_pixel(screen.black_pixel)
 +                .event_mask(
 +                    EventMask::EXPOSURE
 +                        | EventMask::KEY_PRESS
 +                        | EventMask::BUTTON_PRESS
 +                        | EventMask::STRUCTURE_NOTIFY
 +                ),
 +        )?;
++
 +        // Make it fullscreen (bypass WM)
 +        let net_wm_state = conn.intern_atom(false, b"_NET_WM_STATE")?.reply()?.atom;
 +        let fullscreen = conn.intern_atom(false, b"_NET_WM_STATE_FULLSCREEN")?.reply()?.atom;
 +        conn.change_property32(
 +            PropMode::REPLACE,
 +            window,
 +            net_wm_state,
 +            AtomEnum::ATOM,
 +            &[fullscreen],
 +        )?;
++
 +        // Override redirect for greeter (no WM decorations)
 +        conn.change_window_attributes(
 +            window,
 +            &ChangeWindowAttributesAux::new().override_redirect(1),
 +        )?;
++
 +        // Create graphics context
 +        let gc = conn.generate_id()?;
 +        conn.create_gc(gc, window, &CreateGCAux::new())?;
++
 +        conn.map_window(window)?;
 +        conn.flush()?;
++
 +        Ok(Self {
 +            conn,
 +            screen_num,
 +            window,
 +            width,
 +            height,
 +            gc,
 +        })
 +    }
++
 +    pub fn width(&self) -> u16 { self.width }
 +    pub fn height(&self) -> u16 { self.height }
 +    pub fn window(&self) -> Window { self.window }
 +    pub fn conn(&self) -> &x11rb::rust_connection::RustConnection { &self.conn }
 +}
 +```
++
 +### 3.2 Cairo Rendering Surface
++
 +```rust
 +// gardm-greeter/src/render.rs
++
 +use cairo::{Context, ImageSurface, Format};
 +use x11rb::protocol::xproto::*;
++
 +pub struct Renderer {
 +    surface: ImageSurface,
 +    width: i32,
 +    height: i32,
 +}
++
 +impl Renderer {
 +    pub fn new(width: u16, height: u16) -> anyhow::Result<Self> {
 +        let surface = ImageSurface::create(Format::ARgb32, width as i32, height as i32)?;
 +        Ok(Self {
 +            surface,
 +            width: width as i32,
 +            height: height as i32,
 +        })
 +    }
++
 +    pub fn context(&self) -> anyhow::Result<Context> {
 +        Ok(Context::new(&self.surface)?)
 +    }
++
 +    /// Get raw pixel data for X11
 +    pub fn data(&self) -> Vec<u8> {
 +        let stride = self.surface.stride() as usize;
 +        let height = self.height as usize;
 +        let data = self.surface.data().unwrap();
++
 +        // Cairo uses ARGB, X11 uses BGRA - but with same byte order on little-endian
 +        data[..stride * height].to_vec()
 +    }
++
 +    pub fn width(&self) -> i32 { self.width }
 +    pub fn height(&self) -> i32 { self.height }
 +}
 +```
++
 +### 3.3 Background with Blur
++
 +```rust
 +// gardm-greeter/src/background.rs
++
 +use image::{RgbaImage, imageops};
++
 +/// Load and blur a background image
 +pub fn load_blurred_background(
 +    path: &str,
 +    width: u32,
 +    height: u32,
 +    blur_radius: f32,
 +    brightness: f32,
 +) -> anyhow::Result<RgbaImage> {
 +    // Load image
 +    let img = image::open(path)?.to_rgba8();
++
 +    // Scale to screen size (cover mode)
 +    let scaled = scale_to_cover(&img, width, height);
++
 +    // Apply gaussian blur
 +    let blurred = imageops::blur(&scaled, blur_radius);
++
 +    // Adjust brightness (darken for better text contrast)
 +    let adjusted = adjust_brightness(&blurred, brightness);
++
 +    Ok(adjusted)
 +}
++
 +fn scale_to_cover(img: &RgbaImage, target_w: u32, target_h: u32) -> RgbaImage {
 +    let (src_w, src_h) = img.dimensions();
 +    let scale = (target_w as f32 / src_w as f32)
 +        .max(target_h as f32 / src_h as f32);
++
 +    let new_w = (src_w as f32 * scale) as u32;
 +    let new_h = (src_h as f32 * scale) as u32;
++
 +    let resized = imageops::resize(img, new_w, new_h, imageops::FilterType::Lanczos3);
++
 +    // Crop to center
 +    let x = (new_w - target_w) / 2;
 +    let y = (new_h - target_h) / 2;
++
 +    imageops::crop_imm(&resized, x, y, target_w, target_h).to_image()
 +}
++
 +fn adjust_brightness(img: &RgbaImage, factor: f32) -> RgbaImage {
 +    let mut result = img.clone();
 +    for pixel in result.pixels_mut() {
 +        pixel[0] = (pixel[0] as f32 * factor).min(255.0) as u8;
 +        pixel[1] = (pixel[1] as f32 * factor).min(255.0) as u8;
 +        pixel[2] = (pixel[2] as f32 * factor).min(255.0) as u8;
 +    }
 +    result
 +}
 +```
++
 +### 3.4 Login Form Widget
++
 +```rust
 +// gardm-greeter/src/widgets/login_form.rs
++
 +use cairo::Context;
 +use pango::{FontDescription, Layout};
++
 +pub struct LoginForm {
 +    pub username: String,
 +    pub password: String,
 +    pub focused_field: FocusedField,
 +    pub error_message: Option<String>,
 +    pub is_loading: bool,
++
 +    // Layout
 +    x: f64,
 +    y: f64,
 +    width: f64,
 +    height: f64,
 +}
++
 +#[derive(Clone, Copy, PartialEq)]
 +pub enum FocusedField {
 +    Username,
 +    Password,
 +}
++
 +impl LoginForm {
 +    pub fn new(screen_width: f64, screen_height: f64) -> Self {
 +        let width = 400.0;
 +        let height = 300.0;
++
 +        Self {
 +            username: String::new(),
 +            password: String::new(),
 +            focused_field: FocusedField::Username,
 +            error_message: None,
 +            is_loading: false,
 +            x: (screen_width - width) / 2.0,
 +            y: (screen_height - height) / 2.0,
 +            width,
 +            height,
 +        }
 +    }
++
 +    pub fn render(&self, ctx: &Context, pango_ctx: &pango::Context) -> anyhow::Result<()> {
 +        // Background panel (semi-transparent)
 +        ctx.set_source_rgba(0.1, 0.1, 0.1, 0.85);
 +        rounded_rectangle(ctx, self.x, self.y, self.width, self.height, 16.0);
 +        ctx.fill()?;
++
 +        // Title
 +        let title_layout = Layout::new(pango_ctx);
 +        let mut font = FontDescription::new();
 +        font.set_family("Sans");
 +        font.set_size(24 * pango::SCALE);
 +        font.set_weight(pango::Weight::Bold);
 +        title_layout.set_font_description(Some(&font));
 +        title_layout.set_text("Welcome");
++
 +        ctx.set_source_rgb(1.0, 1.0, 1.0);
 +        ctx.move_to(self.x + self.width / 2.0 - 50.0, self.y + 30.0);
 +        pangocairo::show_layout(ctx, &title_layout);
++
 +        // Username field
 +        self.render_input_field(
 +            ctx, pango_ctx,
 +            "Username",
 +            &self.username,
 +            self.y + 100.0,
 +            self.focused_field == FocusedField::Username,
 +            false,
 +        )?;
++
 +        // Password field
 +        self.render_input_field(
 +            ctx, pango_ctx,
 +            "Password",
 +            &"•".repeat(self.password.len()),
 +            self.y + 160.0,
 +            self.focused_field == FocusedField::Password,
 +            true,
 +        )?;
++
 +        // Error message
 +        if let Some(ref msg) = self.error_message {
 +            ctx.set_source_rgb(1.0, 0.3, 0.3);
 +            let err_layout = Layout::new(pango_ctx);
 +            font.set_size(12 * pango::SCALE);
 +            font.set_weight(pango::Weight::Normal);
 +            err_layout.set_font_description(Some(&font));
 +            err_layout.set_text(msg);
 +            ctx.move_to(self.x + 30.0, self.y + 230.0);
 +            pangocairo::show_layout(ctx, &err_layout);
 +        }
++
 +        // Login button
 +        self.render_button(ctx, pango_ctx, "Login", self.y + 260.0)?;
++
 +        Ok(())
 +    }
++
 +    fn render_input_field(
 +        &self,
 +        ctx: &Context,
 +        pango_ctx: &pango::Context,
 +        label: &str,
 +        value: &str,
 +        y: f64,
 +        focused: bool,
 +        _is_password: bool,
 +    ) -> anyhow::Result<()> {
 +        let field_x = self.x + 30.0;
 +        let field_width = self.width - 60.0;
 +        let field_height = 40.0;
++
 +        // Label
 +        let mut font = FontDescription::new();
 +        font.set_family("Sans");
 +        font.set_size(11 * pango::SCALE);
++
 +        let label_layout = Layout::new(pango_ctx);
 +        label_layout.set_font_description(Some(&font));
 +        label_layout.set_text(label);
++
 +        ctx.set_source_rgba(0.8, 0.8, 0.8, 1.0);
 +        ctx.move_to(field_x, y - 18.0);
 +        pangocairo::show_layout(ctx, &label_layout);
++
 +        // Input box
 +        if focused {
 +            ctx.set_source_rgba(0.3, 0.5, 0.8, 1.0);
 +        } else {
 +            ctx.set_source_rgba(0.3, 0.3, 0.3, 1.0);
 +        }
 +        rounded_rectangle(ctx, field_x, y, field_width, field_height, 8.0);
 +        ctx.fill()?;
++
 +        // Text value
 +        ctx.set_source_rgb(1.0, 1.0, 1.0);
 +        font.set_size(14 * pango::SCALE);
 +        let value_layout = Layout::new(pango_ctx);
 +        value_layout.set_font_description(Some(&font));
 +        value_layout.set_text(if value.is_empty() { " " } else { value });
 +        ctx.move_to(field_x + 10.0, y + 10.0);
 +        pangocairo::show_layout(ctx, &value_layout);
++
 +        // Cursor
 +        if focused {
 +            let (text_width, _) = value_layout.pixel_size();
 +            ctx.set_source_rgb(1.0, 1.0, 1.0);
 +            ctx.rectangle(field_x + 10.0 + text_width as f64, y + 8.0, 2.0, 24.0);
 +            ctx.fill()?;
 +        }
++
 +        Ok(())
 +    }
++
 +    fn render_button(
 +        &self,
 +        ctx: &Context,
 +        pango_ctx: &pango::Context,
 +        text: &str,
 +        y: f64,
 +    ) -> anyhow::Result<()> {
 +        let btn_width = 120.0;
 +        let btn_height = 36.0;
 +        let btn_x = self.x + (self.width - btn_width) / 2.0;
++
 +        // Button background
 +        ctx.set_source_rgba(0.2, 0.5, 0.8, 1.0);
 +        rounded_rectangle(ctx, btn_x, y, btn_width, btn_height, 8.0);
 +        ctx.fill()?;
++
 +        // Button text
 +        ctx.set_source_rgb(1.0, 1.0, 1.0);
 +        let mut font = FontDescription::new();
 +        font.set_family("Sans");
 +        font.set_size(14 * pango::SCALE);
 +        font.set_weight(pango::Weight::Bold);
++
 +        let layout = Layout::new(pango_ctx);
 +        layout.set_font_description(Some(&font));
 +        layout.set_text(text);
++
 +        let (text_w, _) = layout.pixel_size();
 +        ctx.move_to(btn_x + (btn_width - text_w as f64) / 2.0, y + 8.0);
 +        pangocairo::show_layout(ctx, &layout);
++
 +        Ok(())
 +    }
++
 +    pub fn handle_key(&mut self, key: char) {
 +        match self.focused_field {
 +            FocusedField::Username => self.username.push(key),
 +            FocusedField::Password => self.password.push(key),
 +        }
 +    }
++
 +    pub fn handle_backspace(&mut self) {
 +        match self.focused_field {
 +            FocusedField::Username => { self.username.pop(); }
 +            FocusedField::Password => { self.password.pop(); }
 +        }
 +    }
++
 +    pub fn handle_tab(&mut self) {
 +        self.focused_field = match self.focused_field {
 +            FocusedField::Username => FocusedField::Password,
 +            FocusedField::Password => FocusedField::Username,
 +        };
 +    }
 +}
++
 +fn rounded_rectangle(ctx: &Context, x: f64, y: f64, w: f64, h: f64, r: f64) {
 +    let degrees = std::f64::consts::PI / 180.0;
 +    ctx.new_sub_path();
 +    ctx.arc(x + w - r, y + r, r, -90.0 * degrees, 0.0 * degrees);
 +    ctx.arc(x + w - r, y + h - r, r, 0.0 * degrees, 90.0 * degrees);
 +    ctx.arc(x + r, y + h - r, r, 90.0 * degrees, 180.0 * degrees);
 +    ctx.arc(x + r, y + r, r, 180.0 * degrees, 270.0 * degrees);
 +    ctx.close_path();
 +}
 +```
++
 +### 3.5 Main Event Loop
++
 +```rust
 +// gardm-greeter/src/main.rs
++
 +use x11rb::protocol::Event;
++
 +fn main() -> anyhow::Result<()> {
 +    let window = GreeterWindow::new()?;
 +    let renderer = Renderer::new(window.width(), window.height())?;
 +    let mut form = LoginForm::new(window.width() as f64, window.height() as f64);
++
 +    // Load background
 +    let background = load_blurred_background(
 +        "/usr/share/gardm/backgrounds/default.jpg",
 +        window.width() as u32,
 +        window.height() as u32,
 +        20.0,
 +        0.7,
 +    )?;
++
 +    // Connect to daemon
 +    let mut daemon = DaemonClient::connect()?;
++
 +    loop {
 +        // Render frame
 +        {
 +            let ctx = renderer.context()?;
 +            render_background(&ctx, &background)?;
 +            form.render(&ctx, &pango_ctx)?;
 +        }
++
 +        // Copy to X11
 +        window.put_image(&renderer.data())?;
++
 +        // Handle events
 +        let event = window.conn().wait_for_event()?;
 +        match event {
 +            Event::Expose(_) => {
 +                // Redraw handled above
 +            }
 +            Event::KeyPress(e) => {
 +                match e.detail {
 +                    9 => break,  // Escape - exit (for testing)
 +                    36 => {      // Enter - submit
 +                        if form.focused_field == FocusedField::Password {
 +                            // Authenticate
 +                            daemon.create_session(&form.username)?;
 +                            match daemon.authenticate(&form.password)? {
 +                                Response::Success => {
 +                                    daemon.start_session(&["gar-session.sh"])?;
 +                                    break;
 +                                }
 +                                Response::AuthError { message } => {
 +                                    form.error_message = Some(message);
 +                                }
 +                                _ => {}
 +                            }
 +                        } else {
 +                            form.handle_tab();
 +                        }
 +                    }
 +                    23 => form.handle_tab(),  // Tab
 +                    22 => form.handle_backspace(),  // Backspace
 +                    _ => {
 +                        // Regular key
 +                        if let Some(c) = keycode_to_char(e.detail, e.state) {
 +                            form.handle_key(c);
 +                        }
 +                    }
 +                }
 +            }
 +            _ => {}
 +        }
 +    }
++
 +    Ok(())
 +}
 +```
++
 +## Acceptance Criteria
++
 +1. Greeter displays fullscreen with blurred background
 +2. Login form is centered and styled
 +3. Keyboard input works for username/password
 +4. Tab switches between fields
 +5. Enter submits form
 +6. Error messages display correctly
 +7. Successful auth triggers session start
++
 +## Pitfalls to Avoid
++
 +1. **X11 keycodes vary by layout** - use XKB for proper key mapping
 +2. **Cairo surface format** - ensure ARGB matches X11 expectations
 +3. **Font rendering** - initialize Pango context correctly
 +4. **Fullscreen on all monitors** - may need per-monitor handling
 +5. **Input focus** - greeter window must grab keyboard
 +6. **Memory leaks** - Cairo contexts need proper cleanup
++
 +## Testing
++
 +```bash
 +# Test in Xephyr
 +Xephyr -br -ac -noreset -screen 1280x720 :1 &
 +DISPLAY=:1 ./target/release/gardm-greeter
++
 +# Test keyboard input
 +# Test form submission
 +# Test error display
 +```
++
 +## Dependencies for This Sprint
++
 +```toml
 +# gardm-greeter/Cargo.toml
 +[dependencies]
 +x11rb = "0.13"
 +cairo-rs = { version = "0.18", features = ["png"] }
 +pango = "0.18"
 +pangocairo = "0.18"
 +image = "0.24"
 +```
++
 +## Next Sprint
++
 +Sprint 4 will add garbg integration for seamless wallpaper sync.

docs/sprints/sprint-4-garbg-integration.mdadded

 +# Sprint 4: garbg Integration
++
 +**Goal:** Integrate with garbg to display the same wallpaper that will be shown after login, creating a seamless visual transition.
++
 +## Objectives
++
 +- Read garbg configuration to determine wallpaper source
 +- Read garbg playlist state for current wallpaper
 +- Apply consistent blur settings
 +- Ensure seamless transition from greeter to gar session
 +- Handle fallback when garbg config not available
++
 +## Background: Seamless Transition
++
 +The goal is that when a user logs in, the transition from greeter to desktop should feel smooth:
++
 +```
 +┌─────────────────────────────────────────────────────────────────┐
 +│ Greeter                                                         │
 +│ - Shows blurred version of current garbg wallpaper              │
 +│ - User enters credentials                                       │
 +│ - Login succeeds                                                │
 +└─────────────────────────────────────────────────────────────────┘
 +                              │
 +                              ▼ (fade out greeter)
 +┌─────────────────────────────────────────────────────────────────┐
 +│ gar Session                                                     │
 +│ - garbg starts and sets SAME wallpaper (unblurred)              │
 +│ - Only visible change: blur fades away, UI elements appear      │
 +└─────────────────────────────────────────────────────────────────┘
 +```
++
 +## Tasks
++
 +### 4.1 Read garbg Configuration
++
 +```rust
 +// gardm-greeter/src/garbg.rs
++
 +use serde::Deserialize;
 +use std::path::PathBuf;
++
 +#[derive(Debug, Deserialize)]
 +pub struct GarbgConfig {
 +    #[serde(default)]
 +    pub general: GeneralConfig,
 +    #[serde(default)]
 +    pub default: DefaultConfig,
 +}
++
 +#[derive(Debug, Deserialize, Default)]
 +pub struct GeneralConfig {
 +    #[serde(default = "default_mode")]
 +    pub mode: String,
 +}
++
 +#[derive(Debug, Deserialize, Default)]
 +pub struct DefaultConfig {
 +    #[serde(default)]
 +    pub source: String,
 +}
++
 +fn default_mode() -> String { "fill".to_string() }
++
 +impl GarbgConfig {
 +    /// Load garbg config from user or system location
 +    pub fn load(username: Option<&str>) -> Option<Self> {
 +        // Try user config first (if we know the username)
 +        if let Some(user) = username {
 +            if let Some(home) = get_user_home(user) {
 +                let user_config = home.join(".config/garbg/config.toml");
 +                if let Ok(content) = std::fs::read_to_string(&user_config) {
 +                    if let Ok(config) = toml::from_str(&content) {
 +                        return Some(config);
 +                    }
 +                }
 +            }
 +        }
++
 +        // Try system-wide default
 +        let system_config = PathBuf::from("/etc/garbg/config.toml");
 +        if let Ok(content) = std::fs::read_to_string(&system_config) {
 +            if let Ok(config) = toml::from_str(&content) {
 +                return Some(config);
 +            }
 +        }
++
 +        None
 +    }
++
 +    /// Get the default wallpaper path
 +    pub fn default_wallpaper(&self) -> Option<String> {
 +        if self.default.source.is_empty() {
 +            None
 +        } else {
 +            Some(expand_path(&self.default.source))
 +        }
 +    }
 +}
++
 +fn get_user_home(username: &str) -> Option<PathBuf> {
 +    use nix::unistd::User;
 +    User::from_name(username).ok()?
 +        .map(|u| PathBuf::from(u.dir))
 +}
++
 +fn expand_path(path: &str) -> String {
 +    shellexpand::tilde(path).to_string()
 +}
 +```
++
 +### 4.2 Read garbg Playlist State
++
 +```rust
 +// gardm-greeter/src/garbg.rs (continued)
++
 +#[derive(Debug, Deserialize)]
 +pub struct PlaylistState {
 +    pub source: String,
 +    pub images: Vec<String>,
 +    pub current_index: usize,
 +    #[serde(default)]
 +    pub shuffled: bool,
 +}
++
 +impl PlaylistState {
 +    /// Load current playlist state from runtime directory
 +    pub fn load(username: Option<&str>) -> Option<Self> {
 +        // Playlist state is stored in XDG_RUNTIME_DIR
 +        let runtime_dir = std::env::var("XDG_RUNTIME_DIR").ok()?;
 +        let state_file = PathBuf::from(&runtime_dir).join("garbg-state.json");
++
 +        // If that doesn't exist, try user-specific location
 +        if !state_file.exists() {
 +            if let Some(user) = username {
 +                // Try /run/user/<uid>/garbg-state.json
 +                if let Some(uid) = get_user_uid(user) {
 +                    let user_runtime = format!("/run/user/{}/garbg-state.json", uid);
 +                    if let Ok(content) = std::fs::read_to_string(&user_runtime) {
 +                        if let Ok(state) = serde_json::from_str(&content) {
 +                            return Some(state);
 +                        }
 +                    }
 +                }
 +            }
 +        }
++
 +        let content = std::fs::read_to_string(&state_file).ok()?;
 +        serde_json::from_str(&content).ok()
 +    }
++
 +    /// Get the current wallpaper path
 +    pub fn current_wallpaper(&self) -> Option<&str> {
 +        self.images.get(self.current_index).map(|s| s.as_str())
 +    }
 +}
++
 +fn get_user_uid(username: &str) -> Option<u32> {
 +    use nix::unistd::User;
 +    User::from_name(username).ok()?
 +        .map(|u| u.uid.as_raw())
 +}
 +```
++
 +### 4.3 Wallpaper Resolution Logic
++
 +```rust
 +// gardm-greeter/src/garbg.rs (continued)
++
 +/// Resolve which wallpaper to use for the greeter
 +pub struct WallpaperResolver {
 +    fallback_path: String,
 +}
++
 +impl WallpaperResolver {
 +    pub fn new(fallback: &str) -> Self {
 +        Self {
 +            fallback_path: fallback.to_string(),
 +        }
 +    }
++
 +    /// Resolve wallpaper path, trying multiple sources
 +    pub fn resolve(&self, username: Option<&str>) -> String {
 +        // Priority 1: Current playlist state (what user was last seeing)
 +        if let Some(state) = PlaylistState::load(username) {
 +            if let Some(current) = state.current_wallpaper() {
 +                let expanded = expand_path(current);
 +                if std::path::Path::new(&expanded).exists() {
 +                    tracing::info!("Using wallpaper from playlist: {}", expanded);
 +                    return expanded;
 +                }
 +            }
 +        }
++
 +        // Priority 2: garbg config default
 +        if let Some(config) = GarbgConfig::load(username) {
 +            if let Some(default) = config.default_wallpaper() {
 +                // If it's a directory, pick first image
 +                let path = std::path::Path::new(&default);
 +                if path.is_dir() {
 +                    if let Some(first) = first_image_in_dir(&default) {
 +                        tracing::info!("Using first image from garbg source dir: {}", first);
 +                        return first;
 +                    }
 +                } else if path.exists() {
 +                    tracing::info!("Using wallpaper from garbg config: {}", default);
 +                    return default;
 +                }
 +            }
 +        }
++
 +        // Priority 3: Fallback
 +        tracing::info!("Using fallback wallpaper: {}", self.fallback_path);
 +        self.fallback_path.clone()
 +    }
 +}
++
 +/// Get first image file in a directory
 +fn first_image_in_dir(dir: &str) -> Option<String> {
 +    let extensions = ["jpg", "jpeg", "png", "webp"];
++
 +    let mut entries: Vec<_> = std::fs::read_dir(dir).ok()?
 +        .filter_map(|e| e.ok())
 +        .filter(|e| {
 +            let path = e.path();
 +            if let Some(ext) = path.extension() {
 +                extensions.contains(&ext.to_string_lossy().to_lowercase().as_str())
 +            } else {
 +                false
 +            }
 +        })
 +        .collect();
++
 +    entries.sort_by_key(|e| e.path());
 +    entries.first().map(|e| e.path().to_string_lossy().to_string())
 +}
 +```
++
 +### 4.4 Shared Visual Settings
++
 +```rust
 +// gardm-greeter/src/config.rs
++
 +use serde::Deserialize;
++
 +#[derive(Debug, Deserialize)]
 +pub struct GreeterConfig {
 +    #[serde(default)]
 +    pub visual: VisualConfig,
 +    #[serde(default)]
 +    pub garbg: GarbgIntegration,
 +}
++
 +#[derive(Debug, Deserialize, Default)]
 +pub struct VisualConfig {
 +    /// Blur radius for background (should match gar lock screen)
 +    #[serde(default = "default_blur_radius")]
 +    pub blur_radius: f32,
++
 +    /// Background brightness (0.0-1.0, lower = darker)
 +    #[serde(default = "default_brightness")]
 +    pub blur_brightness: f32,
++
 +    /// Corner radius for UI elements (match gar's corner_radius)
 +    #[serde(default = "default_corner_radius")]
 +    pub corner_radius: f64,
 +}
++
 +#[derive(Debug, Deserialize, Default)]
 +pub struct GarbgIntegration {
 +    /// Whether to use garbg wallpaper
 +    #[serde(default = "default_true")]
 +    pub enabled: bool,
++
 +    /// Fallback wallpaper if garbg not configured
 +    #[serde(default = "default_fallback")]
 +    pub fallback: String,
 +}
++
 +fn default_blur_radius() -> f32 { 20.0 }
 +fn default_brightness() -> f32 { 0.7 }
 +fn default_corner_radius() -> f64 { 18.0 }
 +fn default_true() -> bool { true }
 +fn default_fallback() -> String { "/usr/share/gardm/backgrounds/default.jpg".to_string() }
 +```
++
 +### 4.5 Integration with Greeter Main Loop
++
 +```rust
 +// gardm-greeter/src/main.rs (updated)
++
 +fn main() -> anyhow::Result<()> {
 +    let config = GreeterConfig::load()?;
 +    let window = GreeterWindow::new()?;
++
 +    // Resolve wallpaper using garbg integration
 +    let wallpaper_path = if config.garbg.enabled {
 +        let resolver = WallpaperResolver::new(&config.garbg.fallback);
 +        // Initially no username known, use system defaults
 +        resolver.resolve(None)
 +    } else {
 +        config.garbg.fallback.clone()
 +    };
++
 +    // Load and blur background
 +    let background = load_blurred_background(
 +        &wallpaper_path,
 +        window.width() as u32,
 +        window.height() as u32,
 +        config.visual.blur_radius,
 +        config.visual.blur_brightness,
 +    )?;
++
 +    let mut form = LoginForm::new(
 +        window.width() as f64,
 +        window.height() as f64,
 +        config.visual.corner_radius,
 +    );
++
 +    // When username is entered, potentially update wallpaper
 +    // to user-specific one (optional enhancement)
++
 +    // ... rest of event loop ...
 +}
 +```
++
 +### 4.6 Session Transition Effect
++
 +```rust
 +// gardm-greeter/src/transition.rs
++
 +use std::time::{Duration, Instant};
++
 +/// Fade out transition before starting session
 +pub struct FadeOutTransition {
 +    start_time: Instant,
 +    duration: Duration,
 +}
++
 +impl FadeOutTransition {
 +    pub fn new(duration_ms: u64) -> Self {
 +        Self {
 +            start_time: Instant::now(),
 +            duration: Duration::from_millis(duration_ms),
 +        }
 +    }
++
 +    /// Get current opacity (1.0 -> 0.0)
 +    pub fn opacity(&self) -> f64 {
 +        let elapsed = self.start_time.elapsed();
 +        if elapsed >= self.duration {
 +            0.0
 +        } else {
 +            1.0 - (elapsed.as_secs_f64() / self.duration.as_secs_f64())
 +        }
 +    }
++
 +    pub fn is_complete(&self) -> bool {
 +        self.start_time.elapsed() >= self.duration
 +    }
 +}
++
 +/// Apply fade during session start
 +pub fn render_with_fade(
 +    ctx: &cairo::Context,
 +    background: &image::RgbaImage,
 +    form: &LoginForm,
 +    fade: Option<&FadeOutTransition>,
 +) -> anyhow::Result<()> {
 +    // Render background (always full opacity)
 +    render_background(ctx, background)?;
++
 +    // Render UI with fade
 +    if let Some(fade) = fade {
 +        ctx.push_group();
 +        form.render(ctx, &pango_ctx)?;
 +        ctx.pop_group_to_source()?;
 +        ctx.paint_with_alpha(fade.opacity())?;
 +    } else {
 +        form.render(ctx, &pango_ctx)?;
 +    }
++
 +    Ok(())
 +}
 +```
++
 +## Acceptance Criteria
++
 +1. Greeter shows same wallpaper as garbg will after login
 +2. Blur settings are consistent with gar lock screen
 +3. Fallback works when garbg is not configured
 +4. User-specific wallpaper is used when username is known
 +5. Smooth fade transition when starting session
 +6. No flash of different wallpaper during login
++
 +## Pitfalls to Avoid
++
 +1. **File permissions** - greeter runs as gardm user, may not access user home
 +2. **Race conditions** - garbg state file might be stale
 +3. **Directory vs file** - garbg source might be a directory
 +4. **Missing files** - wallpaper might have been deleted
 +5. **Large images** - blur on 4K images is slow, cache if needed
++
 +## Testing
++
 +```bash
 +# Test wallpaper resolution
 +# 1. With garbg configured and running
 +garbg set ~/Pictures/wallpapers --random
 +DISPLAY=:1 ./target/release/gardm-greeter
++
 +# 2. With garbg config but no playlist
 +rm ~/.local/state/garbg-state.json
 +DISPLAY=:1 ./target/release/gardm-greeter
++
 +# 3. Without any garbg config (should use fallback)
 +mv ~/.config/garbg/config.toml ~/.config/garbg/config.toml.bak
 +DISPLAY=:1 ./target/release/gardm-greeter
 +```
++
 +## Dependencies for This Sprint
++
 +```toml
 +# gardm-greeter/Cargo.toml
 +[dependencies]
 +shellexpand = "3.0"
 +toml = "0.8"
 +serde_json = "1.0"
 +```
++
 +## Integration Checklist
++
 +- [ ] Greeter reads `~/.config/garbg/config.toml`
 +- [ ] Greeter reads `$XDG_RUNTIME_DIR/garbg-state.json`
 +- [ ] Blur radius matches gar lock screen (if implemented)
 +- [ ] Corner radius matches gar's `corner_radius` setting
 +- [ ] Fallback image is bundled with gardm package
 +- [ ] Fade transition timing feels smooth (150-200ms)
++
 +## Future Enhancements
++
 +- [ ] Per-user wallpaper preview before login
 +- [ ] Animated wallpaper support (match garbg animation)
 +- [ ] Workspace-specific wallpaper from garbg config
 +- [ ] Live wallpaper update if garbg changes during greeter
++
 +## Next Steps
++
 +After Sprint 4, consider:
 +- Sprint 5: Power buttons and session selector
 +- Sprint 6: User list with avatars
 +- Sprint 7: Accessibility and theming
 +- Sprint 8: Multi-monitor support

etc/config.tomladded

 +# gardm configuration
 +# Place this file at /etc/gardm/config.toml
++
 +[general]
 +# Default session to launch (without .desktop extension)
 +default_session = "gar"
 +# Path to greeter executable
 +greeter = "/usr/bin/gardm-greeter"
 +# VT to use (0 = auto-select)
 +vt = 0
 +# X11 display
 +display = ":0"
++
 +[greeter]
 +# Background blur radius
 +blur_radius = 20
 +# Background brightness (0.0-1.0)
 +blur_brightness = 0.7
 +# Show power buttons (shutdown, reboot, suspend)
 +show_power_buttons = true
 +# Show session selector dropdown
 +show_session_selector = true
 +# Use garbg's current wallpaper
 +use_garbg_wallpaper = true
 +# Fallback wallpaper if garbg not available
 +fallback_wallpaper = "/usr/share/gardm/backgrounds/default.jpg"
++
 +[security]
 +# Allow empty passwords (NOT recommended)
 +allow_empty_password = false
 +# Lock after N failed attempts (0 = disabled)
 +lockout_attempts = 5
 +# Lockout duration in seconds
 +lockout_duration = 300

etc/gardm.serviceadded

 +[Unit]
 +Description=gar Display Manager
 +Documentation=https://github.com/mfwolffe/gardesk
 +After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
 +Conflicts=getty@tty1.service
++
 +[Service]
 +Type=notify
 +ExecStart=/usr/bin/gardmd
 +ExecReload=/bin/kill -HUP $MAINPID
 +Restart=always
 +RestartSec=1
++
 +# Security hardening
 +NoNewPrivileges=no
 +ProtectSystem=strict
 +ProtectHome=read-only
 +PrivateTmp=yes
 +ReadWritePaths=/run
++
 +# PAM needs access to various system files
 +ReadOnlyPaths=/etc/passwd /etc/shadow /etc/group /etc/pam.d
++
 +[Install]
 +Alias=display-manager.service

gardm-greeter/Cargo.tomladded

 +[package]
 +name = "gardm-greeter"
 +version.workspace = true
 +edition.workspace = true
 +license.workspace = true
 +description = "gar display manager greeter"
++
 +[[bin]]
 +name = "gardm-greeter"
 +path = "src/main.rs"
++
 +[dependencies]
 +gardm-ipc = { workspace = true }
 +tokio = { workspace = true }
 +tracing = { workspace = true }
 +tracing-subscriber = { workspace = true }
 +anyhow = { workspace = true }
 +thiserror = { workspace = true }

gardm-greeter/src/main.rsadded

 +//! gardm-greeter - gar display manager greeter
 +//!
 +//! Graphical login UI that communicates with gardmd.
++
 +use anyhow::Result;
 +use gardm_ipc::{Client, Request};
 +use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
++
 +#[tokio::main]
 +async fn main() -> Result<()> {
 +    // Initialize logging
 +    tracing_subscriber::registry()
 +        .with(EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info")))
 +        .with(tracing_subscriber::fmt::layer())
 +        .init();
++
 +    tracing::info!("gardm-greeter starting");
++
 +    // Connect to daemon
 +    let mut client = Client::connect().await?;
 +    tracing::info!("Connected to gardmd");
++
 +    // TODO: Initialize X11/rendering
 +    // TODO: Main UI loop
++
 +    // For now, just test the connection
 +    let response = client.request(&Request::ListSessions).await?;
 +    tracing::info!(?response, "Got sessions");
++
 +    let response = client.request(&Request::ListUsers).await?;
 +    tracing::info!(?response, "Got users");
++
 +    tracing::info!("gardm-greeter exiting (UI not yet implemented)");
 +    Ok(())
 +}

gardm-ipc/Cargo.tomladded

 +[package]
 +name = "gardm-ipc"
 +version.workspace = true
 +edition.workspace = true
 +license.workspace = true
 +description = "IPC protocol types for gardm display manager"
++
 +[dependencies]
 +serde = { workspace = true }
 +serde_json = { workspace = true }
 +thiserror = { workspace = true }
 +tokio = { workspace = true, features = ["net", "io-util"] }

gardm-ipc/src/lib.rsadded

 +//! IPC protocol for gardm display manager
 +//!
 +//! Defines the JSON-based protocol between gardmd (daemon) and gardm-greeter (UI).
++
 +use serde::{Deserialize, Serialize};
 +use std::path::PathBuf;
 +use tokio::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
 +use tokio::net::UnixStream;
++
 +/// Socket path for gardm IPC
 +pub const SOCKET_PATH: &str = "/run/gardm.sock";
++
 +/// Requests from greeter to daemon
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +#[serde(tag = "type", rename_all = "snake_case")]
 +pub enum Request {
 +    /// Create a new authentication session for a user
 +    CreateSession { username: String },
++
 +    /// Provide authentication response (password, OTP, etc.)
 +    Authenticate { response: String },
++
 +    /// Start the user's session after successful auth
 +    StartSession {
 +        /// Session command (e.g., ["gar-session.sh"])
 +        cmd: Vec<String>,
 +        /// Additional environment variables
 +        #[serde(default)]
 +        env: Vec<String>,
 +    },
++
 +    /// Cancel the current authentication attempt
 +    CancelSession,
++
 +    /// Request system shutdown
 +    Shutdown,
++
 +    /// Request system reboot
 +    Reboot,
++
 +    /// Request system suspend
 +    Suspend,
++
 +    /// Get list of available sessions
 +    ListSessions,
++
 +    /// Get list of available users
 +    ListUsers,
 +}
++
 +/// Responses from daemon to greeter
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +#[serde(tag = "type", rename_all = "snake_case")]
 +pub enum Response {
 +    /// Operation completed successfully
 +    Success,
++
 +    /// PAM is requesting user input
 +    AuthPrompt {
 +        /// Prompt message (e.g., "Password:")
 +        prompt: String,
 +        /// Whether to echo input (false for passwords)
 +        echo: bool,
 +    },
++
 +    /// PAM informational message
 +    AuthInfo { message: String },
++
 +    /// Authentication failed
 +    AuthError { message: String },
++
 +    /// General error
 +    Error { message: String },
++
 +    /// List of available sessions
 +    Sessions { sessions: Vec<SessionInfo> },
++
 +    /// List of available users
 +    Users { users: Vec<UserInfo> },
 +}
++
 +/// Information about an available session
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +pub struct SessionInfo {
 +    /// Session identifier (desktop file name without .desktop)
 +    pub id: String,
 +    /// Display name
 +    pub name: String,
 +    /// Optional comment/description
 +    pub comment: Option<String>,
 +    /// Exec command
 +    pub exec: String,
 +    /// Session type (x11, wayland)
 +    pub session_type: String,
 +}
++
 +/// Information about a user
 +#[derive(Debug, Clone, Serialize, Deserialize)]
 +pub struct UserInfo {
 +    /// Username
 +    pub name: String,
 +    /// Full name (GECOS field)
 +    pub full_name: Option<String>,
 +    /// Home directory
 +    pub home: PathBuf,
 +    /// Path to user avatar (if available)
 +    pub avatar: Option<PathBuf>,
 +}
++
 +/// IPC client for connecting to gardmd
 +pub struct Client {
 +    reader: BufReader<tokio::net::unix::OwnedReadHalf>,
 +    writer: tokio::net::unix::OwnedWriteHalf,
 +}
++
 +impl Client {
 +    /// Connect to the daemon
 +    pub async fn connect() -> Result<Self, std::io::Error> {
 +        Self::connect_to(SOCKET_PATH).await
 +    }
++
 +    /// Connect to a specific socket path
 +    pub async fn connect_to(path: &str) -> Result<Self, std::io::Error> {
 +        let stream = UnixStream::connect(path).await?;
 +        let (read, write) = stream.into_split();
 +        Ok(Self {
 +            reader: BufReader::new(read),
 +            writer: write,
 +        })
 +    }
++
 +    /// Send a request to the daemon
 +    pub async fn send(&mut self, request: &Request) -> Result<(), std::io::Error> {
 +        let json = serde_json::to_string(request).map_err(|e| {
 +            std::io::Error::new(std::io::ErrorKind::InvalidData, e)
 +        })?;
 +        self.writer.write_all(json.as_bytes()).await?;
 +        self.writer.write_all(b"\n").await?;
 +        self.writer.flush().await?;
 +        Ok(())
 +    }
++
 +    /// Receive a response from the daemon
 +    pub async fn recv(&mut self) -> Result<Response, std::io::Error> {
 +        let mut line = String::new();
 +        let n = self.reader.read_line(&mut line).await?;
 +        if n == 0 {
 +            return Err(std::io::Error::new(
 +                std::io::ErrorKind::UnexpectedEof,
 +                "daemon closed connection",
 +            ));
 +        }
 +        serde_json::from_str(&line).map_err(|e| {
 +            std::io::Error::new(std::io::ErrorKind::InvalidData, e)
 +        })
 +    }
++
 +    /// Send request and wait for response
 +    pub async fn request(&mut self, request: &Request) -> Result<Response, std::io::Error> {
 +        self.send(request).await?;
 +        self.recv().await
 +    }
 +}
++
 +#[cfg(test)]
 +mod tests {
 +    use super::*;
++
 +    #[test]
 +    fn test_request_serialization() {
 +        let req = Request::CreateSession {
 +            username: "testuser".to_string(),
 +        };
 +        let json = serde_json::to_string(&req).unwrap();
 +        assert!(json.contains("create_session"));
 +        assert!(json.contains("testuser"));
 +    }
++
 +    #[test]
 +    fn test_response_serialization() {
 +        let resp = Response::AuthPrompt {
 +            prompt: "Password:".to_string(),
 +            echo: false,
 +        };
 +        let json = serde_json::to_string(&resp).unwrap();
 +        assert!(json.contains("auth_prompt"));
 +        assert!(json.contains("Password:"));
 +    }
++
 +    #[test]
 +    fn test_request_deserialization() {
 +        let json = r#"{"type":"authenticate","response":"secret123"}"#;
 +        let req: Request = serde_json::from_str(json).unwrap();
 +        match req {
 +            Request::Authenticate { response } => assert_eq!(response, "secret123"),
 +            _ => panic!("Wrong variant"),
 +        }
 +    }
 +}

gardmd/Cargo.tomladded

 +[package]
 +name = "gardmd"
 +version.workspace = true
 +edition.workspace = true
 +license.workspace = true
 +description = "gar display manager daemon"
++
 +[[bin]]
 +name = "gardmd"
 +path = "src/main.rs"
++
 +[dependencies]
 +gardm-ipc = { workspace = true }
 +tokio = { workspace = true }
 +tracing = { workspace = true }
 +tracing-subscriber = { workspace = true }
 +anyhow = { workspace = true }
 +thiserror = { workspace = true }
 +serde = { workspace = true }
 +serde_json = { workspace = true }
 +toml = { workspace = true }
 +nix = { workspace = true }
 +sd-notify = "0.4"

gardmd/src/config.rsadded

 +//! Configuration for gardmd
++
 +use serde::Deserialize;
 +use std::path::PathBuf;
++
 +/// Main configuration structure
 +#[derive(Debug, Clone, Deserialize)]
 +pub struct Config {
 +    #[serde(default)]
 +    pub general: GeneralConfig,
 +    #[serde(default)]
 +    pub greeter: GreeterConfig,
 +    #[serde(default)]
 +    pub security: SecurityConfig,
 +}
++
 +impl Default for Config {
 +    fn default() -> Self {
 +        Self {
 +            general: GeneralConfig::default(),
 +            greeter: GreeterConfig::default(),
 +            security: SecurityConfig::default(),
 +        }
 +    }
 +}
++
 +/// General daemon settings
 +#[derive(Debug, Clone, Deserialize)]
 +pub struct GeneralConfig {
 +    /// Default session if user hasn't selected one
 +    #[serde(default = "default_session")]
 +    pub default_session: String,
++
 +    /// Path to greeter executable
 +    #[serde(default = "default_greeter")]
 +    pub greeter: PathBuf,
++
 +    /// VT to use (0 = auto-select)
 +    #[serde(default)]
 +    pub vt: u32,
++
 +    /// X11 display to use
 +    #[serde(default = "default_display")]
 +    pub display: String,
 +}
++
 +impl Default for GeneralConfig {
 +    fn default() -> Self {
 +        Self {
 +            default_session: default_session(),
 +            greeter: default_greeter(),
 +            vt: 0,
 +            display: default_display(),
 +        }
 +    }
 +}
++
 +/// Greeter visual settings
 +#[derive(Debug, Clone, Deserialize)]
 +pub struct GreeterConfig {
 +    /// Blur radius for background
 +    #[serde(default = "default_blur_radius")]
 +    pub blur_radius: u32,
++
 +    /// Background brightness (0.0-1.0)
 +    #[serde(default = "default_blur_brightness")]
 +    pub blur_brightness: f32,
++
 +    /// Show power buttons
 +    #[serde(default = "default_true")]
 +    pub show_power_buttons: bool,
++
 +    /// Show session selector
 +    #[serde(default = "default_true")]
 +    pub show_session_selector: bool,
++
 +    /// Use garbg wallpaper
 +    #[serde(default = "default_true")]
 +    pub use_garbg_wallpaper: bool,
++
 +    /// Fallback wallpaper path
 +    #[serde(default = "default_fallback_wallpaper")]
 +    pub fallback_wallpaper: PathBuf,
 +}
++
 +impl Default for GreeterConfig {
 +    fn default() -> Self {
 +        Self {
 +            blur_radius: default_blur_radius(),
 +            blur_brightness: default_blur_brightness(),
 +            show_power_buttons: true,
 +            show_session_selector: true,
 +            use_garbg_wallpaper: true,
 +            fallback_wallpaper: default_fallback_wallpaper(),
 +        }
 +    }
 +}
++
 +/// Security settings
 +#[derive(Debug, Clone, Deserialize)]
 +pub struct SecurityConfig {
 +    /// Allow empty passwords
 +    #[serde(default)]
 +    pub allow_empty_password: bool,
++
 +    /// Lock after N failed attempts (0 = disabled)
 +    #[serde(default = "default_lockout_attempts")]
 +    pub lockout_attempts: u32,
++
 +    /// Lockout duration in seconds
 +    #[serde(default = "default_lockout_duration")]
 +    pub lockout_duration: u64,
 +}
++
 +impl Default for SecurityConfig {
 +    fn default() -> Self {
 +        Self {
 +            allow_empty_password: false,
 +            lockout_attempts: default_lockout_attempts(),
 +            lockout_duration: default_lockout_duration(),
 +        }
 +    }
 +}
++
 +// Default value functions
 +fn default_session() -> String { "gar".to_string() }
 +fn default_greeter() -> PathBuf { PathBuf::from("/usr/bin/gardm-greeter") }
 +fn default_display() -> String { ":0".to_string() }
 +fn default_blur_radius() -> u32 { 20 }
 +fn default_blur_brightness() -> f32 { 0.7 }
 +fn default_true() -> bool { true }
 +fn default_fallback_wallpaper() -> PathBuf {
 +    PathBuf::from("/usr/share/gardm/backgrounds/default.jpg")
 +}
 +fn default_lockout_attempts() -> u32 { 5 }
 +fn default_lockout_duration() -> u64 { 300 }
++
 +impl Config {
 +    /// Load configuration from default path
 +    pub fn load() -> anyhow::Result<Self> {
 +        Self::load_from("/etc/gardm/config.toml")
 +    }
++
 +    /// Load configuration from specified path
 +    pub fn load_from(path: &str) -> anyhow::Result<Self> {
 +        let path = PathBuf::from(path);
 +        if path.exists() {
 +            let content = std::fs::read_to_string(&path)?;
 +            Ok(toml::from_str(&content)?)
 +        } else {
 +            tracing::info!("Config file not found at {}, using defaults", path.display());
 +            Ok(Config::default())
 +        }
 +    }
 +}

gardmd/src/ipc.rsadded

 +//! IPC server for gardmd
 +//!
 +//! Handles connections from the greeter and processes requests.
++
 +use anyhow::Result;
 +use gardm_ipc::{Request, Response, SOCKET_PATH};
 +use std::path::Path;
 +use tokio::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
 +use tokio::net::{UnixListener, UnixStream};
 +use tokio::sync::mpsc;
++
 +/// IPC server for handling greeter connections
 +pub struct Server {
 +    listener: UnixListener,
 +}
++
 +impl Server {
 +    /// Create a new IPC server
 +    pub async fn new() -> Result<Self> {
 +        Self::bind(SOCKET_PATH).await
 +    }
++
 +    /// Bind to a specific socket path
 +    pub async fn bind(path: &str) -> Result<Self> {
 +        let path = Path::new(path);
++
 +        // Remove stale socket if it exists
 +        if path.exists() {
 +            std::fs::remove_file(path)?;
 +        }
++
 +        // Ensure parent directory exists
 +        if let Some(parent) = path.parent() {
 +            std::fs::create_dir_all(parent)?;
 +        }
++
 +        let listener = UnixListener::bind(path)?;
 +        tracing::info!("IPC server listening on {}", path.display());
++
 +        Ok(Self { listener })
 +    }
++
 +    /// Accept a new connection
 +    pub async fn accept(&self) -> Result<ClientConnection> {
 +        let (stream, _addr) = self.listener.accept().await?;
 +        tracing::debug!("New greeter connection");
 +        Ok(ClientConnection::new(stream))
 +    }
 +}
++
 +/// A connected greeter client
 +pub struct ClientConnection {
 +    reader: BufReader<tokio::net::unix::OwnedReadHalf>,
 +    writer: tokio::net::unix::OwnedWriteHalf,
 +}
++
 +impl ClientConnection {
 +    fn new(stream: UnixStream) -> Self {
 +        let (read, write) = stream.into_split();
 +        Self {
 +            reader: BufReader::new(read),
 +            writer: write,
 +        }
 +    }
++
 +    /// Receive a request from the greeter
 +    pub async fn recv(&mut self) -> Result<Option<Request>> {
 +        let mut line = String::new();
 +        let n = self.reader.read_line(&mut line).await?;
 +        if n == 0 {
 +            return Ok(None);
 +        }
 +        let request: Request = serde_json::from_str(&line)?;
 +        tracing::debug!(?request, "Received request");
 +        Ok(Some(request))
 +    }
++
 +    /// Send a response to the greeter
 +    pub async fn send(&mut self, response: &Response) -> Result<()> {
 +        let json = serde_json::to_string(response)?;
 +        self.writer.write_all(json.as_bytes()).await?;
 +        self.writer.write_all(b"\n").await?;
 +        self.writer.flush().await?;
 +        tracing::debug!(?response, "Sent response");
 +        Ok(())
 +    }
 +}
++
 +/// Commands from external sources (e.g., signal handlers)
 +#[derive(Debug)]
 +pub enum DaemonCommand {
 +    Shutdown,
 +    Reload,
 +}
++
 +/// Create a channel for daemon commands
 +pub fn command_channel() -> (mpsc::Sender<DaemonCommand>, mpsc::Receiver<DaemonCommand>) {
 +    mpsc::channel(16)
 +}

gardmd/src/lib.rsadded

 +//! gardmd - gar display manager daemon
 +//!
 +//! Handles PAM authentication, X11 server management, and session launching.
++
 +pub mod config;
 +pub mod ipc;
++
 +pub use config::Config;
 +pub use ipc::{ClientConnection, Server};

gardmd/src/main.rsadded

 +//! gardmd - gar display manager daemon
 +//!
 +//! Main entry point with signal handling and systemd integration.
++
 +use anyhow::Result;
 +use gardmd::{config::Config, ipc};
 +use tokio::signal::unix::{signal, SignalKind};
 +use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
++
 +#[tokio::main]
 +async fn main() -> Result<()> {
 +    // Initialize logging
 +    tracing_subscriber::registry()
 +        .with(EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info")))
 +        .with(tracing_subscriber::fmt::layer())
 +        .init();
++
 +    tracing::info!("gardmd starting");
++
 +    // Load configuration
 +    let config = Config::load()?;
 +    tracing::debug!(?config, "Loaded configuration");
++
 +    // Create IPC server
 +    let server = ipc::Server::new().await?;
++
 +    // Set up signal handlers
 +    let mut sigterm = signal(SignalKind::terminate())?;
 +    let mut sigint = signal(SignalKind::interrupt())?;
 +    let mut sighup = signal(SignalKind::hangup())?;
++
 +    // Notify systemd we're ready
 +    if let Err(e) = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]) {
 +        tracing::warn!("Failed to notify systemd: {}", e);
 +    }
++
 +    tracing::info!("gardmd ready");
++
 +    // Main event loop
 +    loop {
 +        tokio::select! {
 +            // Handle new greeter connections
 +            result = server.accept() => {
 +                match result {
 +                    Ok(conn) => {
 +                        tokio::spawn(handle_client(conn, config.clone()));
 +                    }
 +                    Err(e) => {
 +                        tracing::error!("Failed to accept connection: {}", e);
 +                    }
 +                }
 +            }
++
 +            // Handle SIGTERM
 +            _ = sigterm.recv() => {
 +                tracing::info!("Received SIGTERM, shutting down");
 +                break;
 +            }
++
 +            // Handle SIGINT
 +            _ = sigint.recv() => {
 +                tracing::info!("Received SIGINT, shutting down");
 +                break;
 +            }
++
 +            // Handle SIGHUP (reload config)
 +            _ = sighup.recv() => {
 +                tracing::info!("Received SIGHUP, reloading config");
 +                // TODO: Implement config reload
 +            }
 +        }
 +    }
++
 +    // Notify systemd we're stopping
 +    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Stopping]);
++
 +    tracing::info!("gardmd stopped");
 +    Ok(())
 +}
++
 +/// Handle a connected greeter client
 +async fn handle_client(mut conn: ipc::ClientConnection, _config: Config) {
 +    loop {
 +        match conn.recv().await {
 +            Ok(Some(request)) => {
 +                let response = handle_request(request).await;
 +                if let Err(e) = conn.send(&response).await {
 +                    tracing::error!("Failed to send response: {}", e);
 +                    break;
 +                }
 +            }
 +            Ok(None) => {
 +                tracing::debug!("Greeter disconnected");
 +                break;
 +            }
 +            Err(e) => {
 +                tracing::error!("Error receiving request: {}", e);
 +                break;
 +            }
 +        }
 +    }
 +}
++
 +/// Process a request and return a response
 +async fn handle_request(request: gardm_ipc::Request) -> gardm_ipc::Response {
 +    use gardm_ipc::{Request, Response};
++
 +    match request {
 +        Request::CreateSession { username } => {
 +            tracing::info!("Creating session for user: {}", username);
 +            // TODO: Implement PAM session creation
 +            Response::AuthPrompt {
 +                prompt: "Password:".to_string(),
 +                echo: false,
 +            }
 +        }
++
 +        Request::Authenticate { response: _ } => {
 +            // TODO: Implement PAM authentication
 +            Response::Error {
 +                message: "PAM not yet implemented".to_string(),
 +            }
 +        }
++
 +        Request::StartSession { cmd, env } => {
 +            tracing::info!("Start session request: {:?} env={:?}", cmd, env);
 +            // TODO: Implement session start
 +            Response::Error {
 +                message: "Session start not yet implemented".to_string(),
 +            }
 +        }
++
 +        Request::CancelSession => {
 +            tracing::info!("Session cancelled");
 +            Response::Success
 +        }
++
 +        Request::Shutdown => {
 +            tracing::info!("Shutdown requested");
 +            // TODO: Implement via logind
 +            Response::Error {
 +                message: "Shutdown not yet implemented".to_string(),
 +            }
 +        }
++
 +        Request::Reboot => {
 +            tracing::info!("Reboot requested");
 +            // TODO: Implement via logind
 +            Response::Error {
 +                message: "Reboot not yet implemented".to_string(),
 +            }
 +        }
++
 +        Request::Suspend => {
 +            tracing::info!("Suspend requested");
 +            // TODO: Implement via logind
 +            Response::Error {
 +                message: "Suspend not yet implemented".to_string(),
 +            }
 +        }
++
 +        Request::ListSessions => {
 +            tracing::debug!("Listing sessions");
 +            // TODO: Enumerate /usr/share/xsessions and /usr/share/wayland-sessions
 +            Response::Sessions { sessions: vec![] }
 +        }
++
 +        Request::ListUsers => {
 +            tracing::debug!("Listing users");
 +            // TODO: Enumerate users from /etc/passwd
 +            Response::Users { users: vec![] }
 +        }
 +    }
 +}