`9d71c5e`

workspace skeleton and IPC protocol

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 3 months ago

SHA: 9d71c5e4a3d45bd8a8a2fa4bcd64e7f5ab195902
Parents: ab309fd
Tree: c2b6aa7

23 changed files

Status	File	+	-
A	`.fackr/workspace.json`	53	0
M	`.gitignore`	1	3
A	`Cargo.lock`	659	0
A	`Cargo.toml`	41	0
A	`docs/architecture.md`	219	0
A	`docs/checklist.md`	157	0
A	`docs/gardm.md`	14	0
A	`docs/sprints/sprint-0-setup.md`	246	0
A	`docs/sprints/sprint-1-pam.md`	356	0
A	`docs/sprints/sprint-2-x11.md`	487	0
A	`docs/sprints/sprint-3-greeter-ui.md`	586	0
A	`docs/sprints/sprint-4-garbg-integration.md`	453	0
A	`etc/config.toml`	34	0
A	`etc/gardm.service`	25	0
A	`gardm-greeter/Cargo.toml`	18	0
A	`gardm-greeter/src/main.rs`	35	0
A	`gardm-ipc/Cargo.toml`	12	0
A	`gardm-ipc/src/lib.rs`	199	0
A	`gardmd/Cargo.toml`	23	0
A	`gardmd/src/config.rs`	155	0
A	`gardmd/src/ipc.rs`	99	0
A	`gardmd/src/lib.rs`	9	0
A	`gardmd/src/main.rs`	174	0

.fackr/workspace.jsonadded

++{
++  "active_tab": 1,
++  "tabs": [
++    {
++      "files": [
++        {
++          "path": ".gitignore",
++          "is_orphan": false
++        }
++      ],
++      "active_pane": 0,
++      "panes": [
++        {
++          "buffer_idx": 0,
++          "cursor_line": 3,
++          "cursor_col": 0,
++          "viewport_line": 0,
++          "viewport_col": 0,
++          "bounds": {
++            "x_start": 0.0,
++            "y_start": 0.0,
++            "x_end": 1.0,
++            "y_end": 1.0
++          }
++        }
++      ]
++    },
++    {
++      "files": [
++        {
++          "path": "docs/gardm.md",
++          "is_orphan": false
++        }
++      ],
++      "active_pane": 0,
++      "panes": [
++        {
++          "buffer_idx": 0,
++          "cursor_line": 13,
++          "cursor_col": 109,
++          "viewport_line": 0,
++          "viewport_col": 9,
++          "bounds": {
++            "x_start": 0.0,
++            "y_start": 0.0,
++            "x_end": 1.0,
++            "y_end": 1.0
++          }
++        }
++      ]
++    }
++  ]
++}

.gitignoremodified

--docs/
++/target
--.fackr/
--CLAUDE.md

Cargo.lockadded

++# This file is automatically @generated by Cargo.
++# It is not intended for manual editing.
++version = 4
++
++[[package]]
++name = "aho-corasick"
++version = "1.1.4"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
++dependencies = [
++ "memchr",
++]
++
++[[package]]
++name = "anyhow"
++version = "1.0.100"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
++
++[[package]]
++name = "bitflags"
++version = "2.10.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
++
++[[package]]
++name = "bytes"
++version = "1.11.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
++
++[[package]]
++name = "cfg-if"
++version = "1.0.4"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
++
++[[package]]
++name = "equivalent"
++version = "1.0.2"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
++
++[[package]]
++name = "errno"
++version = "0.3.14"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
++dependencies = [
++ "libc",
++ "windows-sys 0.61.2",
++]
++
++[[package]]
++name = "gardm-greeter"
++version = "0.1.0"
++dependencies = [
++ "anyhow",
++ "gardm-ipc",
++ "thiserror",
++ "tokio",
++ "tracing",
++ "tracing-subscriber",
++]
++
++[[package]]
++name = "gardm-ipc"
++version = "0.1.0"
++dependencies = [
++ "serde",
++ "serde_json",
++ "thiserror",
++ "tokio",
++]
++
++[[package]]
++name = "gardmd"
++version = "0.1.0"
++dependencies = [
++ "anyhow",
++ "gardm-ipc",
++ "nix",
++ "sd-notify",
++ "serde",
++ "serde_json",
++ "thiserror",
++ "tokio",
++ "toml",
++ "tracing",
++ "tracing-subscriber",
++]
++
++[[package]]
++name = "hashbrown"
++version = "0.16.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
++
++[[package]]
++name = "indexmap"
++version = "2.13.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
++dependencies = [
++ "equivalent",
++ "hashbrown",
++]
++
++[[package]]
++name = "itoa"
++version = "1.0.17"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
++
++[[package]]
++name = "lazy_static"
++version = "1.5.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
++
++[[package]]
++name = "libc"
++version = "0.2.180"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
++
++[[package]]
++name = "lock_api"
++version = "0.4.14"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
++dependencies = [
++ "scopeguard",
++]
++
++[[package]]
++name = "log"
++version = "0.4.29"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
++
++[[package]]
++name = "matchers"
++version = "0.2.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
++dependencies = [
++ "regex-automata",
++]
++
++[[package]]
++name = "memchr"
++version = "2.7.6"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"
++
++[[package]]
++name = "mio"
++version = "1.1.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
++dependencies = [
++ "libc",
++ "wasi",
++ "windows-sys 0.61.2",
++]
++
++[[package]]
++name = "nix"
++version = "0.27.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
++dependencies = [
++ "bitflags",
++ "cfg-if",
++ "libc",
++]
++
++[[package]]
++name = "nu-ansi-term"
++version = "0.50.3"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
++dependencies = [
++ "windows-sys 0.61.2",
++]
++
++[[package]]
++name = "once_cell"
++version = "1.21.3"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
++
++[[package]]
++name = "parking_lot"
++version = "0.12.5"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
++dependencies = [
++ "lock_api",
++ "parking_lot_core",
++]
++
++[[package]]
++name = "parking_lot_core"
++version = "0.9.12"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
++dependencies = [
++ "cfg-if",
++ "libc",
++ "redox_syscall",
++ "smallvec",
++ "windows-link",
++]
++
++[[package]]
++name = "pin-project-lite"
++version = "0.2.16"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
++
++[[package]]
++name = "proc-macro2"
++version = "1.0.105"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "535d180e0ecab6268a3e718bb9fd44db66bbbc256257165fc699dadf70d16fe7"
++dependencies = [
++ "unicode-ident",
++]
++
++[[package]]
++name = "quote"
++version = "1.0.43"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "dc74d9a594b72ae6656596548f56f667211f8a97b3d4c3d467150794690dc40a"
++dependencies = [
++ "proc-macro2",
++]
++
++[[package]]
++name = "redox_syscall"
++version = "0.5.18"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
++dependencies = [
++ "bitflags",
++]
++
++[[package]]
++name = "regex-automata"
++version = "0.4.13"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
++dependencies = [
++ "aho-corasick",
++ "memchr",
++ "regex-syntax",
++]
++
++[[package]]
++name = "regex-syntax"
++version = "0.8.8"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
++
++[[package]]
++name = "scopeguard"
++version = "1.2.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
++
++[[package]]
++name = "sd-notify"
++version = "0.4.5"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "b943eadf71d8b69e661330cb0e2656e31040acf21ee7708e2c238a0ec6af2bf4"
++dependencies = [
++ "libc",
++]
++
++[[package]]
++name = "serde"
++version = "1.0.228"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
++dependencies = [
++ "serde_core",
++ "serde_derive",
++]
++
++[[package]]
++name = "serde_core"
++version = "1.0.228"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
++dependencies = [
++ "serde_derive",
++]
++
++[[package]]
++name = "serde_derive"
++version = "1.0.228"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
++dependencies = [
++ "proc-macro2",
++ "quote",
++ "syn",
++]
++
++[[package]]
++name = "serde_json"
++version = "1.0.149"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
++dependencies = [
++ "itoa",
++ "memchr",
++ "serde",
++ "serde_core",
++ "zmij",
++]
++
++[[package]]
++name = "serde_spanned"
++version = "0.6.9"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "bf41e0cfaf7226dca15e8197172c295a782857fcb97fad1808a166870dee75a3"
++dependencies = [
++ "serde",
++]
++
++[[package]]
++name = "sharded-slab"
++version = "0.1.7"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
++dependencies = [
++ "lazy_static",
++]
++
++[[package]]
++name = "signal-hook-registry"
++version = "1.4.8"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
++dependencies = [
++ "errno",
++ "libc",
++]
++
++[[package]]
++name = "smallvec"
++version = "1.15.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
++
++[[package]]
++name = "socket2"
++version = "0.6.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881"
++dependencies = [
++ "libc",
++ "windows-sys 0.60.2",
++]
++
++[[package]]
++name = "syn"
++version = "2.0.114"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
++dependencies = [
++ "proc-macro2",
++ "quote",
++ "unicode-ident",
++]
++
++[[package]]
++name = "thiserror"
++version = "1.0.69"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
++dependencies = [
++ "thiserror-impl",
++]
++
++[[package]]
++name = "thiserror-impl"
++version = "1.0.69"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
++dependencies = [
++ "proc-macro2",
++ "quote",
++ "syn",
++]
++
++[[package]]
++name = "thread_local"
++version = "1.1.9"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
++dependencies = [
++ "cfg-if",
++]
++
++[[package]]
++name = "tokio"
++version = "1.49.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
++dependencies = [
++ "bytes",
++ "libc",
++ "mio",
++ "parking_lot",
++ "pin-project-lite",
++ "signal-hook-registry",
++ "socket2",
++ "tokio-macros",
++ "windows-sys 0.61.2",
++]
++
++[[package]]
++name = "tokio-macros"
++version = "2.6.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
++dependencies = [
++ "proc-macro2",
++ "quote",
++ "syn",
++]
++
++[[package]]
++name = "toml"
++version = "0.8.23"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362"
++dependencies = [
++ "serde",
++ "serde_spanned",
++ "toml_datetime",
++ "toml_edit",
++]
++
++[[package]]
++name = "toml_datetime"
++version = "0.6.11"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
++dependencies = [
++ "serde",
++]
++
++[[package]]
++name = "toml_edit"
++version = "0.22.27"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
++dependencies = [
++ "indexmap",
++ "serde",
++ "serde_spanned",
++ "toml_datetime",
++ "toml_write",
++ "winnow",
++]
++
++[[package]]
++name = "toml_write"
++version = "0.1.2"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
++
++[[package]]
++name = "tracing"
++version = "0.1.44"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
++dependencies = [
++ "pin-project-lite",
++ "tracing-attributes",
++ "tracing-core",
++]
++
++[[package]]
++name = "tracing-attributes"
++version = "0.1.31"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
++dependencies = [
++ "proc-macro2",
++ "quote",
++ "syn",
++]
++
++[[package]]
++name = "tracing-core"
++version = "0.1.36"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
++dependencies = [
++ "once_cell",
++ "valuable",
++]
++
++[[package]]
++name = "tracing-log"
++version = "0.2.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
++dependencies = [
++ "log",
++ "once_cell",
++ "tracing-core",
++]
++
++[[package]]
++name = "tracing-subscriber"
++version = "0.3.22"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
++dependencies = [
++ "matchers",
++ "nu-ansi-term",
++ "once_cell",
++ "regex-automata",
++ "sharded-slab",
++ "smallvec",
++ "thread_local",
++ "tracing",
++ "tracing-core",
++ "tracing-log",
++]
++
++[[package]]
++name = "unicode-ident"
++version = "1.0.22"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
++
++[[package]]
++name = "valuable"
++version = "0.1.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
++
++[[package]]
++name = "wasi"
++version = "0.11.1+wasi-snapshot-preview1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
++
++[[package]]
++name = "windows-link"
++version = "0.2.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
++
++[[package]]
++name = "windows-sys"
++version = "0.60.2"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
++dependencies = [
++ "windows-targets",
++]
++
++[[package]]
++name = "windows-sys"
++version = "0.61.2"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
++dependencies = [
++ "windows-link",
++]
++
++[[package]]
++name = "windows-targets"
++version = "0.53.5"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
++dependencies = [
++ "windows-link",
++ "windows_aarch64_gnullvm",
++ "windows_aarch64_msvc",
++ "windows_i686_gnu",
++ "windows_i686_gnullvm",
++ "windows_i686_msvc",
++ "windows_x86_64_gnu",
++ "windows_x86_64_gnullvm",
++ "windows_x86_64_msvc",
++]
++
++[[package]]
++name = "windows_aarch64_gnullvm"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
++
++[[package]]
++name = "windows_aarch64_msvc"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
++
++[[package]]
++name = "windows_i686_gnu"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
++
++[[package]]
++name = "windows_i686_gnullvm"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
++
++[[package]]
++name = "windows_i686_msvc"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
++
++[[package]]
++name = "windows_x86_64_gnu"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
++
++[[package]]
++name = "windows_x86_64_gnullvm"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
++
++[[package]]
++name = "windows_x86_64_msvc"
++version = "0.53.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
++
++[[package]]
++name = "winnow"
++version = "0.7.14"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
++dependencies = [
++ "memchr",
++]
++
++[[package]]
++name = "zmij"
++version = "1.0.14"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "bd8f3f50b848df28f887acb68e41201b5aea6bc8a8dacc00fb40635ff9a72fea"

Cargo.tomladded

++[workspace]
++members = ["gardmd", "gardm-greeter", "gardm-ipc"]
++resolver = "2"
++
++[workspace.package]
++version = "0.1.0"
++edition = "2021"
++license = "MIT"
++repository = "https://github.com/mfwolffe/gardesk"
++
++[workspace.dependencies]
++# Serialization
++serde = { version = "1.0", features = ["derive"] }
++serde_json = "1.0"
++toml = "0.8"
++
++# Async runtime
++tokio = { version = "1", features = ["full", "signal"] }
++
++# Logging
++tracing = "0.1"
++tracing-subscriber = { version = "0.3", features = ["env-filter"] }
++
++# Error handling
++anyhow = "1.0"
++thiserror = "1.0"
++
++# Unix/Linux
++nix = { version = "0.27", features = ["user", "process", "signal"] }
++
++# X11
++x11rb = { version = "0.13", features = ["allow-unsafe-code"] }
++
++# Graphics
++cairo-rs = { version = "0.18", features = ["png"] }
++pango = "0.18"
++pangocairo = "0.18"
++image = "0.24"
++
++# IPC
++gardm-ipc = { path = "gardm-ipc" }

docs/architecture.mdadded

++# gardm Architecture
++
++## Overview
++
++gardm is the display manager for the gar desktop suite. It follows a **daemon + greeter** architecture similar to [greetd](https://github.com/kennylevinsen/greetd), providing clean separation between authentication/session management and the user interface.
++
++## Components
++
++```
++┌─────────────────────────────────────────────────────────────┐
++│                         gardmd                               │
++│                   (Display Manager Daemon)                   │
++│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
++│  │    PAM      │  │   X11/Xorg  │  │  Session Manager    │  │
++│  │ Integration │  │   Control   │  │  (systemd-logind)   │  │
++│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
++│                          │                                   │
++│                    Unix Socket IPC                           │
++│                          │                                   │
++└──────────────────────────┼──────────────────────────────────┘
++                           │
++┌──────────────────────────┼──────────────────────────────────┐
++│                          ▼                                   │
++│                   gardm-greeter                              │
++│                   (Graphical UI)                             │
++│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
++│  │   Cairo/    │  │   garbg     │  │    User Input       │  │
++│  │   Pango     │  │ Integration │  │   (login form)      │  │
++│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
++└─────────────────────────────────────────────────────────────┘
++```
++
++### gardmd (Daemon)
++
++The privileged daemon that runs as root. Responsibilities:
++
++1. **X11 Server Management**: Start/stop Xorg server on appropriate VT
++2. **PAM Authentication**: Verify user credentials via `/etc/pam.d/gardm`
++3. **Session Launching**: Start selected session (gar, other WMs/DEs)
++4. **systemd-logind Integration**: Register sessions, handle multi-seat
++5. **IPC Server**: Listen on Unix socket for greeter commands
++
++### gardm-greeter (Frontend)
++
++The unprivileged graphical interface. Runs as dedicated `gardm` user. Responsibilities:
++
++1. **User Interface**: Render login form, session selector, power buttons
++2. **garbg Integration**: Display same wallpaper that gar session will use
++3. **Visual Effects**: Blur background, animations, theming
++4. **IPC Client**: Send auth requests to daemon, receive responses
++
++## IPC Protocol
++
++JSON-based protocol over Unix socket at `/run/gardm.sock`:
++
++### Requests (Greeter → Daemon)
++
++```json
++// Create authentication session
++{ "type": "create_session", "username": "user" }
++
++// Attempt authentication
++{ "type": "authenticate", "response": "password123" }
++
++// Start session after successful auth
++{ "type": "start_session", "cmd": ["gar-session.sh"], "env": [] }
++
++// Cancel current auth attempt
++{ "type": "cancel_session" }
++
++// System actions
++{ "type": "shutdown" }
++{ "type": "reboot" }
++{ "type": "suspend" }
++```
++
++### Responses (Daemon → Greeter)
++
++```json
++// Success
++{ "type": "success" }
++
++// Auth prompt (PAM asking for input)
++{ "type": "auth_prompt", "prompt": "Password:", "echo": false }
++
++// Auth info message
++{ "type": "auth_info", "message": "..." }
++
++// Auth error
++{ "type": "auth_error", "message": "Authentication failed" }
++
++// General error
++{ "type": "error", "message": "..." }
++```
++
++## Session Discovery
++
++Sessions are discovered from standard locations:
++
++- `/usr/share/xsessions/*.desktop` - X11 sessions
++- `/usr/share/wayland-sessions/*.desktop` - Wayland sessions (future)
++
++gar session file example (`/usr/share/xsessions/gar.desktop`):
++```ini
++[Desktop Entry]
++Name=gar
++Comment=Tiling window manager with smart splits
++Exec=/usr/local/bin/gar-session.sh
++Type=XSession
++DesktopNames=gar
++```
++
++## User Discovery
++
++Users are enumerated from:
++
++- `/etc/passwd` (filter by UID range, shell, home directory existence)
++- AccountsService D-Bus interface (if available)
++
++Hidden users (UID < 1000, nologin shell, system accounts) are filtered out.
++
++## garbg Integration
++
++The greeter reads garbg's config to display the same wallpaper:
++
++1. Read `~/.config/garbg/config.toml` for default wallpaper source
++2. Or read playlist state from `$XDG_RUNTIME_DIR/garbg-state.json`
++3. Apply blur effect for greeter aesthetic
++4. On successful login, gar session starts garbg which shows same image (seamless transition)
++
++## Security Model
++
++- **gardmd**: Runs as root, handles PAM, minimal attack surface
++- **gardm-greeter**: Runs as unprivileged `gardm` user
++- **IPC**: Socket permissions restrict access to gardm user
++- **X11**: Greeter runs on isolated X server started by daemon
++
++## Configuration
++
++`/etc/gardm/config.toml`:
++
++```toml
++[general]
++# Default session if user hasn't selected one
++default_session = "gar"
++
++# Greeter command
++greeter = "/usr/bin/gardm-greeter"
++
++# VT to use (0 = auto-select)
++vt = 0
++
++[greeter]
++# Theme settings
++blur_radius = 20
++blur_brightness = 0.7
++
++# Show/hide elements
++show_power_buttons = true
++show_session_selector = true
++
++# garbg integration
++use_garbg_wallpaper = true
++fallback_wallpaper = "/usr/share/gardm/backgrounds/default.jpg"
++
++[security]
++# Allow empty passwords
++allow_empty_password = false
++
++# Lock after N failed attempts (0 = disabled)
++lockout_attempts = 5
++lockout_duration = 300
++```
++
++## PAM Configuration
++
++`/etc/pam.d/gardm`:
++
++```
++#%PAM-1.0
++auth       required     pam_securetty.so
++auth       requisite    pam_nologin.so
++auth       include      system-local-login
++account    include      system-local-login
++session    include      system-local-login
++password   include      system-local-login
++```
++
++## systemd Integration
++
++`/usr/lib/systemd/system/gardm.service`:
++
++```ini
++[Unit]
++Description=gar Display Manager
++After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
++Conflicts=getty@tty1.service
++
++[Service]
++ExecStart=/usr/bin/gardmd
++Restart=always
++
++[Install]
++Alias=display-manager.service
++```
++
++## Key Dependencies
++
++| Component | Crates |
++|-----------|--------|
++| gardmd | pam, nix, sd-notify, serde, tokio |
++| gardm-greeter | x11rb, cairo-rs, pango, image, serde |
++
++## References
++
++- [freedesktop.org: Writing Display Managers](https://systemd.io/WRITING_DISPLAY_MANAGERS/)
++- [greetd](https://github.com/kennylevinsen/greetd) - Architecture inspiration
++- [SDDM](https://github.com/sddm/sddm) - Feature reference
++- [LightDM](https://github.com/canonical/lightdm) - Protocol reference

docs/checklist.mdadded

++# gardm Feature Checklist
++
++## Core Functionality
++
++### Authentication
++- [ ] PAM integration for password authentication
++- [ ] Multi-factor auth support (PAM handles this transparently)
++- [ ] Account lockout after failed attempts
++- [ ] "Remember last user" functionality
++- [ ] Guest session support (optional)
++
++### Session Management
++- [ ] Discover X11 sessions from `/usr/share/xsessions/`
++- [ ] Parse .desktop files for session metadata
++- [ ] Remember user's last session choice
++- [ ] Support custom session commands
++- [ ] Proper session environment setup (DISPLAY, XDG_*, etc.)
++- [ ] systemd-logind session registration
++
++### X11 Server Management
++- [ ] Start Xorg on appropriate VT
++- [ ] Handle X server crashes gracefully
++- [ ] Support multi-seat (seat0 initially)
++- [ ] Pass correct display/VT to sessions
++- [ ] Clean X server shutdown on logout
++
++### Power Management
++- [ ] Shutdown button (requires polkit or root)
++- [ ] Reboot button
++- [ ] Suspend button
++- [ ] Hibernate button (if available)
++- [ ] Scheduled actions (shutdown in 5 min, etc.) - optional
++
++## User Interface
++
++### Login Form
++- [ ] Username input (with dropdown of available users)
++- [ ] Password input (masked)
++- [ ] Session selector dropdown
++- [ ] Login button
++- [ ] Clear error messages on auth failure
++- [ ] Loading/spinner during authentication
++
++### Visual Design
++- [ ] Centered login form
++- [ ] Blurred background image
++- [ ] Configurable blur radius/brightness
++- [ ] Smooth fade-in on greeter start
++- [ ] Smooth transition to session (fade-out)
++- [ ] Clock display
++- [ ] Current date display
++
++### User List
++- [ ] Show available users with avatars
++- [ ] Filter system accounts (UID < 1000)
++- [ ] Filter accounts with nologin shell
++- [ ] Support user icons from AccountsService
++- [ ] Keyboard navigation through user list
++
++### Theming
++- [ ] Configurable colors/fonts via config file
++- [ ] Support custom background images
++- [ ] garbg wallpaper integration
++- [ ] Logo/branding support
++- [ ] Dark/light theme variants
++
++### Accessibility
++- [ ] Keyboard-only navigation (Tab, Enter, Escape)
++- [ ] High contrast mode (optional)
++- [ ] Screen reader support (optional, complex)
++- [ ] On-screen keyboard (optional, complex)
++
++## gar Integration
++
++### garbg Wallpaper Sync
++- [ ] Read garbg config for default wallpaper
++- [ ] Read garbg playlist state for current wallpaper
++- [ ] Apply consistent blur to match gar lock screen
++- [ ] Seamless visual transition to gar session
++
++### Shared Configuration
++- [ ] Read gar color scheme for consistent theming
++- [ ] Use same fonts as garbar
++- [ ] Respect gar's corner radius settings
++
++## System Integration
++
++### systemd
++- [ ] Proper service file
++- [ ] Socket activation (optional)
++- [ ] sd_notify for readiness
++- [ ] Proper shutdown handling (SIGTERM)
++- [ ] Alias as display-manager.service
++
++### D-Bus
++- [ ] systemd-logind integration for session management
++- [ ] AccountsService for user info (optional)
++- [ ] polkit for power actions (optional)
++
++### Files and Paths
++- [ ] Config file: `/etc/gardm/config.toml`
++- [ ] PAM config: `/etc/pam.d/gardm`
++- [ ] Socket: `/run/gardm.sock`
++- [ ] PID file: `/run/gardm.pid`
++- [ ] Log file: via journald
++- [ ] State dir: `/var/lib/gardm/`
++
++## Security
++
++### Hardening
++- [ ] Greeter runs as unprivileged user
++- [ ] Minimal daemon attack surface
++- [ ] Socket permissions (0600, gardm:gardm)
++- [ ] No credentials in logs
++- [ ] Secure memory handling for passwords
++
++### Input Validation
++- [ ] Sanitize username input
++- [ ] Prevent path traversal in session selection
++- [ ] Rate limiting on auth attempts
++- [ ] Timeout for idle greeter
++
++## Error Handling
++
++- [ ] X server fail to start
++- [ ] PAM errors (account locked, expired, etc.)
++- [ ] Session fail to start
++- [ ] IPC communication errors
++- [ ] Missing configuration graceful fallback
++- [ ] Greeter crash recovery (restart greeter)
++
++## Testing
++
++- [ ] Unit tests for IPC protocol
++- [ ] Unit tests for session discovery
++- [ ] Integration tests with mock PAM
++- [ ] Manual testing checklist
++- [ ] Xephyr-based testing for greeter UI
++
++## Documentation
++
++- [ ] README with quick start
++- [ ] Configuration reference
++- [ ] Theming guide
++- [ ] Troubleshooting guide
++- [ ] Man pages (gardmd.8, gardm-greeter.1)
++
++## Nice-to-Have (Future)
++
++- [ ] Wayland greeter support
++- [ ] Network login (LDAP, etc.)
++- [ ] Fingerprint authentication
++- [ ] Auto-login configuration
++- [ ] Remote desktop support
++- [ ] Multi-monitor greeter
++- [ ] Animated backgrounds
++- [ ] Weather/calendar widgets

docs/gardm.mdadded

++# GARDM
++
++the next step in the gar desktop experience is the gar desktop manager. it should be oriented towards integration with other gar products.
++it should set the same background as will be set by garbg on launching gar so that the only thing that changes during the transition is the animation to load in
++
++it should have users centered, and all the standard desktop manger buttons.
++
++it should have a sleek interface like my current sddm approach. background should be blurred. username/pass should be  centered.
++
++first stage is planning. we need to reference existing foss greeters/desktop managers to see what ours needs to do, otherwise we're lost.
++We'll make a checklist of targets to hit and generate sprint files in the .gitignored directory docs/sprints/. each sprint file should have a list of targets and pitfalls to avoid
++
++gardm should do everything that a modern greeter does, and look pretty while doing it. it should be gar-first, that is oriented towards the gar desktop environment and window manager, but it should be compatible with all linux machines that support x11.
++we're going with x11 because of nvidia issues on wayland, but we can still make a pretty greeter in xorgland.

docs/sprints/sprint-0-setup.mdadded

++# Sprint 0: Project Setup
++
++**Goal:** Establish project structure, build system, and minimal daemon that can start and stop cleanly.
++
++## Objectives
++
++- Initialize Rust workspace with two crates (gardmd, gardm-greeter)
++- Set up shared library for IPC protocol
++- Create systemd service file
++- Establish logging infrastructure
++- Basic daemon lifecycle (start, signal handling, shutdown)
++
++## Tasks
++
++### 0.1 Initialize Cargo Workspace
++
++```
++gardm/
++├── Cargo.toml              # Workspace root
++├── gardmd/
++│   ├── Cargo.toml
++│   └── src/
++│       ├── main.rs         # Daemon entry point
++│       └── lib.rs
++├── gardm-greeter/
++│   ├── Cargo.toml
++│   └── src/
++│       ├── main.rs         # Greeter entry point
++│       └── lib.rs
++└── gardm-ipc/
++    ├── Cargo.toml
++    └── src/
++        └── lib.rs          # Shared IPC types
++```
++
++**Root Cargo.toml:**
++```toml
++[workspace]
++members = ["gardmd", "gardm-greeter", "gardm-ipc"]
++resolver = "2"
++
++[workspace.dependencies]
++serde = { version = "1.0", features = ["derive"] }
++serde_json = "1.0"
++tokio = { version = "1", features = ["full"] }
++tracing = "0.1"
++tracing-subscriber = "0.3"
++anyhow = "1.0"
++thiserror = "1.0"
++```
++
++### 0.2 Define IPC Protocol Types
++
++In `gardm-ipc/src/lib.rs`:
++
++```rust
++use serde::{Deserialize, Serialize};
++
++#[derive(Debug, Serialize, Deserialize)]
++#[serde(tag = "type", rename_all = "snake_case")]
++pub enum Request {
++    CreateSession { username: String },
++    Authenticate { response: String },
++    StartSession { cmd: Vec<String>, env: Vec<String> },
++    CancelSession,
++    Shutdown,
++    Reboot,
++    Suspend,
++}
++
++#[derive(Debug, Serialize, Deserialize)]
++#[serde(tag = "type", rename_all = "snake_case")]
++pub enum Response {
++    Success,
++    AuthPrompt { prompt: String, echo: bool },
++    AuthInfo { message: String },
++    AuthError { message: String },
++    Error { message: String },
++}
++```
++
++### 0.3 Basic Daemon Skeleton
++
++In `gardmd/src/main.rs`:
++
++```rust
++use tokio::signal::unix::{signal, SignalKind};
++use tracing_subscriber::{fmt, prelude::*, EnvFilter};
++
++#[tokio::main]
++async fn main() -> anyhow::Result<()> {
++    // Initialize logging to journald
++    tracing_subscriber::registry()
++        .with(fmt::layer())
++        .with(EnvFilter::from_default_env())
++        .init();
++
++    tracing::info!("gardmd starting");
++
++    // Signal handling
++    let mut sigterm = signal(SignalKind::terminate())?;
++    let mut sigint = signal(SignalKind::interrupt())?;
++
++    tokio::select! {
++        _ = sigterm.recv() => {
++            tracing::info!("Received SIGTERM, shutting down");
++        }
++        _ = sigint.recv() => {
++            tracing::info!("Received SIGINT, shutting down");
++        }
++    }
++
++    tracing::info!("gardmd stopped");
++    Ok(())
++}
++```
++
++### 0.4 systemd Service File
++
++Create `gardm.service`:
++
++```ini
++[Unit]
++Description=gar Display Manager
++Documentation=man:gardmd(8)
++After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
++Conflicts=getty@tty1.service
++
++[Service]
++Type=notify
++ExecStart=/usr/bin/gardmd
++Restart=always
++RestartSec=1
++
++# Security hardening
++ProtectSystem=strict
++ProtectHome=read-only
++PrivateTmp=true
++NoNewPrivileges=false  # Required for PAM
++ReadWritePaths=/run
++
++[Install]
++Alias=display-manager.service
++```
++
++### 0.5 Configuration Scaffolding
++
++Create `gardmd/src/config.rs`:
++
++```rust
++use serde::Deserialize;
++use std::path::PathBuf;
++
++#[derive(Debug, Deserialize)]
++pub struct Config {
++    #[serde(default)]
++    pub general: GeneralConfig,
++    #[serde(default)]
++    pub greeter: GreeterConfig,
++}
++
++#[derive(Debug, Deserialize, Default)]
++pub struct GeneralConfig {
++    #[serde(default = "default_session")]
++    pub default_session: String,
++    #[serde(default = "default_greeter")]
++    pub greeter: PathBuf,
++    #[serde(default)]
++    pub vt: u32,
++}
++
++#[derive(Debug, Deserialize, Default)]
++pub struct GreeterConfig {
++    #[serde(default = "default_blur_radius")]
++    pub blur_radius: u32,
++}
++
++fn default_session() -> String { "gar".to_string() }
++fn default_greeter() -> PathBuf { "/usr/bin/gardm-greeter".into() }
++fn default_blur_radius() -> u32 { 20 }
++
++impl Config {
++    pub fn load() -> anyhow::Result<Self> {
++        let path = PathBuf::from("/etc/gardm/config.toml");
++        if path.exists() {
++            let content = std::fs::read_to_string(&path)?;
++            Ok(toml::from_str(&content)?)
++        } else {
++            Ok(Config::default())
++        }
++    }
++}
++```
++
++## Acceptance Criteria
++
++1. `cargo build --release` succeeds for all workspace members
++2. `gardmd` starts, logs to stdout, and exits cleanly on SIGTERM
++3. IPC types serialize/deserialize correctly (unit test)
++4. Config loads from file or uses defaults
++5. Service file passes `systemd-analyze verify`
++
++## Pitfalls to Avoid
++
++1. **Don't start X11 yet** - that's Sprint 2. Keep this sprint minimal.
++2. **Don't implement PAM yet** - that's Sprint 1. Focus on structure.
++3. **Avoid premature optimization** - get it working first.
++4. **Don't forget `sd_notify`** - systemd needs to know when daemon is ready.
++5. **Test without root first** - use `RUST_LOG=debug cargo run` for development.
++
++## Testing
++
++```bash
++# Build
++cargo build --release
++
++# Run daemon in foreground (Ctrl+C to stop)
++RUST_LOG=debug ./target/release/gardmd
++
++# Verify signal handling
++kill -TERM $(pidof gardmd)
++
++# Test config loading
++mkdir -p /tmp/gardm-test
++echo '[general]' > /tmp/gardm-test/config.toml
++echo 'default_session = "test"' >> /tmp/gardm-test/config.toml
++```
++
++## Dependencies for This Sprint
++
++```toml
++# gardmd/Cargo.toml
++[dependencies]
++gardm-ipc = { path = "../gardm-ipc" }
++tokio = { workspace = true }
++tracing = { workspace = true }
++tracing-subscriber = { workspace = true }
++anyhow = { workspace = true }
++serde = { workspace = true }
++toml = "0.8"
++sd-notify = "0.4"
++```
++
++## Next Sprint
++
++Sprint 1 will add PAM authentication to the daemon.

docs/sprints/sprint-1-pam.mdadded

++# Sprint 1: PAM Authentication
++
++**Goal:** Implement PAM-based user authentication in the daemon with proper conversation handling.
++
++## Objectives
++
++- Integrate with PAM for user authentication
++- Handle PAM conversation (prompts, messages)
++- Create IPC server for greeter communication
++- Implement session state machine
++- Test authentication flow end-to-end
++
++## Background: How PAM Works
++
++PAM (Pluggable Authentication Modules) uses a "conversation" model:
++
++1. Application calls `pam_authenticate()`
++2. PAM modules may request information via conversation callback
++3. Callback returns user input (password, OTP, etc.)
++4. PAM returns success/failure
++
++For a display manager, we need to bridge this conversation to the greeter UI:
++
++```
++Greeter ←→ IPC ←→ Daemon ←→ PAM ←→ System
++```
++
++## Tasks
++
++### 1.1 Add PAM Dependency
++
++The `pam` crate provides safe Rust bindings:
++
++```toml
++# gardmd/Cargo.toml
++[dependencies]
++pam = "0.8"
++```
++
++### 1.2 Create PAM Configuration
++
++`/etc/pam.d/gardm`:
++
++```
++#%PAM-1.0
++auth       required     pam_securetty.so
++auth       requisite    pam_nologin.so
++auth       include      system-local-login
++account    include      system-local-login
++session    include      system-local-login
++password   include      system-local-login
++```
++
++### 1.3 Implement Authentication State Machine
++
++```rust
++// gardmd/src/auth.rs
++
++use pam::Authenticator;
++use std::ffi::CString;
++
++pub enum AuthState {
++    /// No active authentication
++    Idle,
++    /// Waiting for username
++    AwaitingUsername,
++    /// PAM conversation in progress
++    Authenticating {
++        username: String,
++        authenticator: Authenticator<'static, PasswordConv>,
++    },
++    /// Authentication succeeded, ready to start session
++    Authenticated {
++        username: String,
++    },
++}
++
++pub struct AuthSession {
++    state: AuthState,
++}
++
++impl AuthSession {
++    pub fn new() -> Self {
++        Self { state: AuthState::Idle }
++    }
++
++    pub fn create_session(&mut self, username: &str) -> Result<AuthResponse> {
++        let service = CString::new("gardm")?;
++        let username_c = CString::new(username)?;
++
++        // Create PAM authenticator
++        let mut auth = Authenticator::with_password(&service)?;
++        auth.get_handler().set_credentials(username_c, /* password later */);
++
++        self.state = AuthState::Authenticating {
++            username: username.to_string(),
++            authenticator: auth,
++        };
++
++        // PAM will ask for password
++        Ok(AuthResponse::Prompt {
++            prompt: "Password:".to_string(),
++            echo: false,
++        })
++    }
++
++    pub fn authenticate(&mut self, response: &str) -> Result<AuthResponse> {
++        match &mut self.state {
++            AuthState::Authenticating { username, authenticator } => {
++                // Provide password to PAM
++                authenticator.get_handler().set_credentials(
++                    CString::new(username.as_str())?,
++                    CString::new(response)?,
++                );
++
++                // Attempt authentication
++                match authenticator.authenticate() {
++                    Ok(()) => {
++                        let username = username.clone();
++                        self.state = AuthState::Authenticated { username };
++                        Ok(AuthResponse::Success)
++                    }
++                    Err(e) => {
++                        self.state = AuthState::Idle;
++                        Ok(AuthResponse::Error {
++                            message: format!("Authentication failed: {}", e),
++                        })
++                    }
++                }
++            }
++            _ => Ok(AuthResponse::Error {
++                message: "No authentication in progress".to_string(),
++            }),
++        }
++    }
++
++    pub fn cancel(&mut self) {
++        self.state = AuthState::Idle;
++    }
++}
++```
++
++### 1.4 Implement IPC Server
++
++```rust
++// gardmd/src/ipc.rs
++
++use gardm_ipc::{Request, Response};
++use tokio::net::{UnixListener, UnixStream};
++use tokio::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
++
++pub struct IpcServer {
++    listener: UnixListener,
++}
++
++impl IpcServer {
++    pub async fn new(path: &str) -> anyhow::Result<Self> {
++        // Remove stale socket
++        let _ = std::fs::remove_file(path);
++
++        let listener = UnixListener::bind(path)?;
++
++        // Set permissions (only gardm user can connect)
++        std::fs::set_permissions(path, std::fs::Permissions::from_mode(0o600))?;
++
++        Ok(Self { listener })
++    }
++
++    pub async fn accept(&self) -> anyhow::Result<IpcClient> {
++        let (stream, _) = self.listener.accept().await?;
++        Ok(IpcClient::new(stream))
++    }
++}
++
++pub struct IpcClient {
++    reader: BufReader<tokio::net::unix::OwnedReadHalf>,
++    writer: tokio::net::unix::OwnedWriteHalf,
++}
++
++impl IpcClient {
++    pub fn new(stream: UnixStream) -> Self {
++        let (read, write) = stream.into_split();
++        Self {
++            reader: BufReader::new(read),
++            writer: write,
++        }
++    }
++
++    pub async fn read_request(&mut self) -> anyhow::Result<Option<Request>> {
++        let mut line = String::new();
++        let n = self.reader.read_line(&mut line).await?;
++        if n == 0 {
++            return Ok(None);
++        }
++        Ok(Some(serde_json::from_str(&line)?))
++    }
++
++    pub async fn send_response(&mut self, response: &Response) -> anyhow::Result<()> {
++        let json = serde_json::to_string(response)?;
++        self.writer.write_all(json.as_bytes()).await?;
++        self.writer.write_all(b"\n").await?;
++        self.writer.flush().await?;
++        Ok(())
++    }
++}
++```
++
++### 1.5 Wire Up Main Loop
++
++```rust
++// gardmd/src/main.rs
++
++async fn run() -> anyhow::Result<()> {
++    let config = Config::load()?;
++    let ipc = IpcServer::new("/run/gardm.sock").await?;
++    let mut auth = AuthSession::new();
++
++    // Notify systemd we're ready
++    sd_notify::notify(true, &[sd_notify::NotifyState::Ready])?;
++
++    tracing::info!("gardmd ready, listening for connections");
++
++    loop {
++        let mut client = ipc.accept().await?;
++
++        // Handle single client (greeter)
++        while let Some(request) = client.read_request().await? {
++            let response = match request {
++                Request::CreateSession { username } => {
++                    auth.create_session(&username)?
++                }
++                Request::Authenticate { response } => {
++                    auth.authenticate(&response)?
++                }
++                Request::CancelSession => {
++                    auth.cancel();
++                    Response::Success
++                }
++                // Power actions handled in later sprint
++                _ => Response::Error {
++                    message: "Not implemented".to_string(),
++                },
++            };
++
++            client.send_response(&response).await?;
++        }
++    }
++}
++```
++
++### 1.6 Create Test Client
++
++For testing without the full greeter:
++
++```rust
++// gardm-greeter/src/bin/test-auth.rs
++
++use gardm_ipc::{Request, Response};
++use std::io::{self, BufRead, Write};
++use std::os::unix::net::UnixStream;
++
++fn main() -> anyhow::Result<()> {
++    let mut stream = UnixStream::connect("/run/gardm.sock")?;
++
++    // Get username
++    print!("Username: ");
++    io::stdout().flush()?;
++    let mut username = String::new();
++    io::stdin().lock().read_line(&mut username)?;
++
++    // Send create_session
++    let req = Request::CreateSession {
++        username: username.trim().to_string(),
++    };
++    writeln!(stream, "{}", serde_json::to_string(&req)?)?;
++
++    // Read response
++    let mut response = String::new();
++    let mut reader = io::BufReader::new(&stream);
++    reader.read_line(&mut response)?;
++    println!("Response: {}", response);
++
++    // Get password
++    print!("Password: ");
++    io::stdout().flush()?;
++    let password = rpassword::read_password()?;
++
++    // Send authenticate
++    let req = Request::Authenticate { response: password };
++    writeln!(stream, "{}", serde_json::to_string(&req)?)?;
++
++    // Read response
++    response.clear();
++    reader.read_line(&mut response)?;
++    println!("Response: {}", response);
++
++    Ok(())
++}
++```
++
++## Acceptance Criteria
++
++1. Daemon accepts IPC connections from greeter
++2. `CreateSession` initiates PAM conversation
++3. `Authenticate` with correct password returns `Success`
++4. `Authenticate` with wrong password returns `AuthError`
++5. `CancelSession` resets state cleanly
++6. Multiple auth attempts work without daemon restart
++7. PAM config file is properly loaded
++
++## Pitfalls to Avoid
++
++1. **PAM is synchronous** - don't block the async runtime. Use `spawn_blocking` for PAM calls.
++2. **Memory safety with passwords** - zero memory after use (pam crate should handle this).
++3. **Don't store passwords** - only pass through to PAM immediately.
++4. **Handle PAM errors gracefully** - account locked, expired password, etc. have specific error types.
++5. **Test with real PAM** - mock tests are useful but test against real system too.
++6. **Remember PAM is stateful** - can't call authenticate twice on same session.
++
++## Testing
++
++```bash
++# Build and run daemon as root (required for PAM)
++sudo RUST_LOG=debug ./target/release/gardmd &
++
++# Test with CLI client
++./target/release/test-auth
++
++# Test wrong password
++# Test account lockout (if configured)
++# Test non-existent user
++```
++
++## Security Considerations
++
++- Daemon must run as root for PAM access
++- IPC socket must be protected (0600 permissions)
++- Failed auth attempts should be rate-limited (PAM may do this)
++- Log auth attempts but NOT passwords
++
++## Dependencies for This Sprint
++
++```toml
++# gardmd/Cargo.toml
++[dependencies]
++pam = "0.8"
++nix = { version = "0.27", features = ["user"] }
++
++# gardm-greeter/Cargo.toml (for test client)
++[dependencies]
++rpassword = "7.0"
++```
++
++## Next Sprint
++
++Sprint 2 will add X11 server management - starting Xorg and the greeter.

docs/sprints/sprint-2-x11.mdadded

++# Sprint 2: X11 Server Management
++
++**Goal:** Start and manage Xorg server, launch greeter process, and handle session startup.
++
++## Objectives
++
++- Start Xorg on appropriate VT with correct permissions
++- Launch greeter as unprivileged user
++- Start user session after successful auth
++- Handle X server lifecycle (crash recovery, clean shutdown)
++- Integrate with systemd-logind for session registration
++
++## Background: X11 Display Manager Flow
++
++```
++1. gardmd starts
++2. gardmd spawns Xorg on VT (e.g., :0 on vt1)
++3. gardmd waits for X to be ready (connect test)
++4. gardmd spawns greeter as unprivileged user
++5. Greeter authenticates user via IPC
++6. gardmd kills greeter, starts user session
++7. User session runs until logout
++8. gardmd restarts greeter (loop back to 4)
++```
++
++## Tasks
++
++### 2.1 X Server Launcher
++
++```rust
++// gardmd/src/x11.rs
++
++use nix::unistd::{fork, ForkResult, setsid, Pid};
++use std::process::{Command, Child};
++use std::time::Duration;
++
++pub struct XServer {
++    process: Child,
++    display: String,
++    vt: u32,
++}
++
++impl XServer {
++    /// Start Xorg server on specified display and VT
++    pub fn start(display: &str, vt: u32) -> anyhow::Result<Self> {
++        // Xorg arguments
++        let mut cmd = Command::new("/usr/bin/Xorg");
++        cmd.arg(display)
++           .arg(&format!("vt{}", vt))
++           .arg("-keeptty")
++           .arg("-noreset")
++           .arg("-novtswitch")
++           .arg("-nolisten").arg("tcp");
++
++        // For multi-seat support (future):
++        // cmd.arg("-seat").arg("seat0");
++
++        // Capture output for debugging
++        cmd.stdout(std::process::Stdio::piped())
++           .stderr(std::process::Stdio::piped());
++
++        let process = cmd.spawn()?;
++
++        tracing::info!("Started Xorg on {} (vt{}, pid={})",
++            display, vt, process.id());
++
++        let server = Self {
++            process,
++            display: display.to_string(),
++            vt,
++        };
++
++        // Wait for X to be ready
++        server.wait_ready(Duration::from_secs(10))?;
++
++        Ok(server)
++    }
++
++    /// Wait for X server to be ready by attempting connection
++    fn wait_ready(&self, timeout: Duration) -> anyhow::Result<()> {
++        use std::time::Instant;
++
++        let start = Instant::now();
++        while start.elapsed() < timeout {
++            // Try to connect to X server
++            match x11rb::connect(Some(&self.display)) {
++                Ok(_) => {
++                    tracing::debug!("X server ready on {}", self.display);
++                    return Ok(());
++                }
++                Err(_) => {
++                    std::thread::sleep(Duration::from_millis(100));
++                }
++            }
++        }
++
++        anyhow::bail!("X server failed to become ready within {:?}", timeout);
++    }
++
++    /// Get the display string (e.g., ":0")
++    pub fn display(&self) -> &str {
++        &self.display
++    }
++
++    /// Get the VT number
++    pub fn vt(&self) -> u32 {
++        self.vt
++    }
++
++    /// Check if X server is still running
++    pub fn is_running(&mut self) -> bool {
++        match self.process.try_wait() {
++            Ok(None) => true,
++            _ => false,
++        }
++    }
++
++    /// Stop the X server
++    pub fn stop(&mut self) -> anyhow::Result<()> {
++        tracing::info!("Stopping X server");
++        self.process.kill()?;
++        self.process.wait()?;
++        Ok(())
++    }
++}
++
++impl Drop for XServer {
++    fn drop(&mut self) {
++        let _ = self.stop();
++    }
++}
++```
++
++### 2.2 VT Allocation
++
++```rust
++// gardmd/src/vt.rs
++
++use std::fs::OpenOptions;
++use std::os::unix::io::AsRawFd;
++use nix::ioctl_read_bad;
++
++// ioctl for getting/setting VT
++const VT_GETSTATE: u64 = 0x5603;
++const VT_ACTIVATE: u64 = 0x5606;
++const VT_WAITACTIVE: u64 = 0x5607;
++const VT_OPENQRY: u64 = 0x5600;
++
++#[repr(C)]
++pub struct VtStat {
++    pub v_active: u16,
++    pub v_signal: u16,
++    pub v_state: u16,
++}
++
++/// Find an unused VT
++pub fn find_unused_vt() -> anyhow::Result<u32> {
++    let console = OpenOptions::new()
++        .read(true)
++        .write(true)
++        .open("/dev/tty0")?;
++
++    let mut vt: i32 = 0;
++    unsafe {
++        if libc::ioctl(console.as_raw_fd(), VT_OPENQRY as _, &mut vt) < 0 {
++            anyhow::bail!("Failed to find unused VT");
++        }
++    }
++
++    if vt <= 0 {
++        anyhow::bail!("No unused VT available");
++    }
++
++    Ok(vt as u32)
++}
++
++/// Switch to a specific VT
++pub fn switch_to_vt(vt: u32) -> anyhow::Result<()> {
++    let console = OpenOptions::new()
++        .read(true)
++        .write(true)
++        .open("/dev/tty0")?;
++
++    unsafe {
++        if libc::ioctl(console.as_raw_fd(), VT_ACTIVATE as _, vt) < 0 {
++            anyhow::bail!("Failed to activate VT {}", vt);
++        }
++        if libc::ioctl(console.as_raw_fd(), VT_WAITACTIVE as _, vt) < 0 {
++            anyhow::bail!("Failed to wait for VT {}", vt);
++        }
++    }
++
++    Ok(())
++}
++```
++
++### 2.3 Greeter Process Manager
++
++```rust
++// gardmd/src/greeter.rs
++
++use nix::unistd::{Uid, Gid, setuid, setgid, User};
++use std::process::{Command, Child};
++
++pub struct GreeterProcess {
++    process: Child,
++}
++
++impl GreeterProcess {
++    /// Start the greeter as the gardm user
++    pub fn start(greeter_cmd: &str, display: &str) -> anyhow::Result<Self> {
++        // Get gardm user info
++        let user = User::from_name("gardm")?
++            .ok_or_else(|| anyhow::anyhow!("gardm user not found"))?;
++
++        let mut cmd = Command::new(greeter_cmd);
++        cmd.env("DISPLAY", display)
++           .env("XDG_SESSION_CLASS", "greeter")
++           .env("XDG_SESSION_TYPE", "x11");
++
++        // Run as gardm user
++        unsafe {
++            cmd.pre_exec(move || {
++                setgid(Gid::from_raw(user.gid.as_raw()))?;
++                setuid(Uid::from_raw(user.uid.as_raw()))?;
++                Ok(())
++            });
++        }
++
++        let process = cmd.spawn()?;
++        tracing::info!("Started greeter (pid={})", process.id());
++
++        Ok(Self { process })
++    }
++
++    /// Check if greeter is still running
++    pub fn is_running(&mut self) -> bool {
++        matches!(self.process.try_wait(), Ok(None))
++    }
++
++    /// Wait for greeter to exit
++    pub fn wait(&mut self) -> anyhow::Result<std::process::ExitStatus> {
++        Ok(self.process.wait()?)
++    }
++
++    /// Kill the greeter
++    pub fn kill(&mut self) -> anyhow::Result<()> {
++        self.process.kill()?;
++        self.process.wait()?;
++        Ok(())
++    }
++}
++```
++
++### 2.4 Session Launcher
++
++```rust
++// gardmd/src/session.rs
++
++use nix::unistd::{Uid, Gid, setuid, setgid, User, initgroups, chdir};
++use std::process::{Command, Child};
++use std::ffi::CString;
++
++pub struct UserSession {
++    process: Child,
++    username: String,
++}
++
++impl UserSession {
++    /// Start a user session
++    pub fn start(
++        username: &str,
++        session_cmd: &[String],
++        display: &str,
++        vt: u32,
++    ) -> anyhow::Result<Self> {
++        let user = User::from_name(username)?
++            .ok_or_else(|| anyhow::anyhow!("User {} not found", username))?;
++
++        let home = user.dir.to_string_lossy().to_string();
++        let shell = user.shell.to_string_lossy().to_string();
++        let uid = user.uid;
++        let gid = user.gid;
++        let username_c = CString::new(username)?;
++
++        // Build session command
++        let (cmd_path, cmd_args) = if session_cmd.is_empty() {
++            // Default to gar-session.sh
++            ("/usr/local/bin/gar-session.sh".to_string(), vec![])
++        } else {
++            (session_cmd[0].clone(), session_cmd[1..].to_vec())
++        };
++
++        let mut cmd = Command::new(&cmd_path);
++        cmd.args(&cmd_args)
++           .env("DISPLAY", display)
++           .env("HOME", &home)
++           .env("USER", username)
++           .env("LOGNAME", username)
++           .env("SHELL", &shell)
++           .env("XDG_SESSION_TYPE", "x11")
++           .env("XDG_VTNR", vt.to_string())
++           .env("XDG_SEAT", "seat0");
++
++        // Run as the user
++        unsafe {
++            cmd.pre_exec(move || {
++                // Set groups
++                initgroups(&username_c, gid)?;
++                setgid(gid)?;
++                setuid(uid)?;
++
++                // Change to home directory
++                let home_c = CString::new(home.as_str())?;
++                chdir(&home_c)?;
++
++                Ok(())
++            });
++        }
++
++        let process = cmd.spawn()?;
++        tracing::info!("Started session for {} (pid={})", username, process.id());
++
++        Ok(Self {
++            process,
++            username: username.to_string(),
++        })
++    }
++
++    /// Wait for session to end
++    pub fn wait(&mut self) -> anyhow::Result<std::process::ExitStatus> {
++        Ok(self.process.wait()?)
++    }
++}
++```
++
++### 2.5 Main Loop Integration
++
++```rust
++// gardmd/src/main.rs
++
++async fn run() -> anyhow::Result<()> {
++    let config = Config::load()?;
++
++    // Find VT to use
++    let vt = if config.general.vt > 0 {
++        config.general.vt
++    } else {
++        vt::find_unused_vt()?
++    };
++
++    // Start X server
++    let display = ":0";
++    let mut x_server = XServer::start(display, vt)?;
++
++    // Switch to our VT
++    vt::switch_to_vt(vt)?;
++
++    // Start IPC server
++    let ipc = IpcServer::new("/run/gardm.sock").await?;
++    let mut auth = AuthSession::new();
++
++    sd_notify::notify(true, &[sd_notify::NotifyState::Ready])?;
++
++    loop {
++        // Start greeter
++        let mut greeter = GreeterProcess::start(&config.general.greeter, display)?;
++
++        // Handle greeter authentication
++        let session_info = handle_greeter_auth(&ipc, &mut auth).await?;
++
++        // Kill greeter before starting session
++        greeter.kill()?;
++
++        // Start user session
++        let mut session = UserSession::start(
++            &session_info.username,
++            &session_info.cmd,
++            display,
++            vt,
++        )?;
++
++        // Wait for session to end
++        let status = session.wait()?;
++        tracing::info!("Session ended with status: {:?}", status);
++
++        // Loop back to greeter
++    }
++}
++
++struct SessionInfo {
++    username: String,
++    cmd: Vec<String>,
++}
++
++async fn handle_greeter_auth(
++    ipc: &IpcServer,
++    auth: &mut AuthSession,
++) -> anyhow::Result<SessionInfo> {
++    let mut client = ipc.accept().await?;
++
++    loop {
++        let request = client.read_request().await?
++            .ok_or_else(|| anyhow::anyhow!("Greeter disconnected"))?;
++
++        match request {
++            Request::CreateSession { username } => {
++                let response = auth.create_session(&username)?;
++                client.send_response(&response.into()).await?;
++            }
++            Request::Authenticate { response } => {
++                let result = auth.authenticate(&response)?;
++                client.send_response(&result.clone().into()).await?;
++
++                if matches!(result, AuthResponse::Success) {
++                    // Read StartSession request
++                    if let Some(Request::StartSession { cmd, .. }) =
++                        client.read_request().await?
++                    {
++                        return Ok(SessionInfo {
++                            username: auth.username().unwrap().to_string(),
++                            cmd,
++                        });
++                    }
++                }
++            }
++            Request::CancelSession => {
++                auth.cancel();
++                client.send_response(&Response::Success).await?;
++            }
++            _ => {
++                client.send_response(&Response::Error {
++                    message: "Unexpected request".to_string(),
++                }).await?;
++            }
++        }
++    }
++}
++```
++
++## Acceptance Criteria
++
++1. Xorg starts on specified VT
++2. Greeter launches as unprivileged gardm user
++3. After auth success, greeter is killed and session starts
++4. Session runs as authenticated user with correct environment
++5. After session logout, greeter restarts
++6. X server crash triggers recovery (restart X + greeter)
++
++## Pitfalls to Avoid
++
++1. **Don't forget VT permissions** - Xorg needs access to /dev/tty*
++2. **X server takes time to start** - must wait for it to be ready
++3. **Environment inheritance** - don't leak root environment to session
++4. **Group membership** - user needs video, audio groups for hardware access
++5. **Home directory** - chdir to $HOME before starting session
++6. **Don't block on X** - use async/spawn for process management
++
++## Testing
++
++```bash
++# Test X server startup (need to be root, on real TTY)
++sudo ./target/release/gardmd
++
++# Alternative: Test in Xephyr (nested X)
++Xephyr -br -ac -noreset -screen 1280x720 :1 &
++DISPLAY=:1 ./target/release/gardm-greeter
++
++# Create gardm user for testing
++sudo useradd -r -s /usr/bin/nologin -d /var/lib/gardm gardm
++sudo mkdir -p /var/lib/gardm
++sudo chown gardm:gardm /var/lib/gardm
++```
++
++## Dependencies for This Sprint
++
++```toml
++# gardmd/Cargo.toml
++[dependencies]
++x11rb = "0.13"
++libc = "0.2"
++nix = { version = "0.27", features = ["user", "process", "ioctl"] }
++```
++
++## Next Sprint
++
++Sprint 3 will build the graphical greeter UI with Cairo/Pango.

docs/sprints/sprint-3-greeter-ui.mdadded

++# Sprint 3: Greeter UI
++
++**Goal:** Build a sleek, centered login interface with blurred background using Cairo/Pango rendering.
++
++## Objectives
++
++- Create X11 window that covers the full screen
++- Render blurred background image
++- Implement centered login form (username, password inputs)
++- Add session selector dropdown
++- Add power buttons (shutdown, reboot, suspend)
++- Handle keyboard input and focus
++- Connect UI to daemon via IPC
++
++## Design Reference
++
++```
++┌─────────────────────────────────────────────────────────────────────┐
++│                                                                     │
++│                         [Blurred Background]                        │
++│                                                                     │
++│                     ┌───────────────────────┐                       │
++│                     │       User Avatar     │                       │
++│                     │          👤           │                       │
++│                     ├───────────────────────┤                       │
++│                     │  Username: [       ]  │                       │
++│                     │  Password: [*******]  │                       │
++│                     │                       │                       │
++│                     │  Session:  [gar    ▼] │                       │
++│                     │                       │                       │
++│                     │      [ Login ]        │                       │
++│                     │                       │                       │
++│                     │   Error message here  │                       │
++│                     └───────────────────────┘                       │
++│                                                                     │
++│  12:34 PM                                          [⏻] [↻] [⏾]     │
++│  January 14, 2026                                                   │
++└─────────────────────────────────────────────────────────────────────┘
++```
++
++## Tasks
++
++### 3.1 Window Setup
++
++```rust
++// gardm-greeter/src/window.rs
++
++use x11rb::connection::Connection;
++use x11rb::protocol::xproto::*;
++use x11rb::wrapper::ConnectionExt;
++
++pub struct GreeterWindow {
++    conn: x11rb::rust_connection::RustConnection,
++    screen_num: usize,
++    window: Window,
++    width: u16,
++    height: u16,
++    gc: Gcontext,
++}
++
++impl GreeterWindow {
++    pub fn new() -> anyhow::Result<Self> {
++        let (conn, screen_num) = x11rb::connect(None)?;
++        let screen = &conn.setup().roots[screen_num];
++
++        let width = screen.width_in_pixels;
++        let height = screen.height_in_pixels;
++        let root = screen.root;
++        let depth = screen.root_depth;
++        let visual = screen.root_visual;
++
++        // Create window
++        let window = conn.generate_id()?;
++        conn.create_window(
++            depth,
++            window,
++            root,
++            0, 0,
++            width, height,
++            0,
++            WindowClass::INPUT_OUTPUT,
++            visual,
++            &CreateWindowAux::new()
++                .background_pixel(screen.black_pixel)
++                .event_mask(
++                    EventMask::EXPOSURE
++                        | EventMask::KEY_PRESS
++                        | EventMask::BUTTON_PRESS
++                        | EventMask::STRUCTURE_NOTIFY
++                ),
++        )?;
++
++        // Make it fullscreen (bypass WM)
++        let net_wm_state = conn.intern_atom(false, b"_NET_WM_STATE")?.reply()?.atom;
++        let fullscreen = conn.intern_atom(false, b"_NET_WM_STATE_FULLSCREEN")?.reply()?.atom;
++        conn.change_property32(
++            PropMode::REPLACE,
++            window,
++            net_wm_state,
++            AtomEnum::ATOM,
++            &[fullscreen],
++        )?;
++
++        // Override redirect for greeter (no WM decorations)
++        conn.change_window_attributes(
++            window,
++            &ChangeWindowAttributesAux::new().override_redirect(1),
++        )?;
++
++        // Create graphics context
++        let gc = conn.generate_id()?;
++        conn.create_gc(gc, window, &CreateGCAux::new())?;
++
++        conn.map_window(window)?;
++        conn.flush()?;
++
++        Ok(Self {
++            conn,
++            screen_num,
++            window,
++            width,
++            height,
++            gc,
++        })
++    }
++
++    pub fn width(&self) -> u16 { self.width }
++    pub fn height(&self) -> u16 { self.height }
++    pub fn window(&self) -> Window { self.window }
++    pub fn conn(&self) -> &x11rb::rust_connection::RustConnection { &self.conn }
++}
++```
++
++### 3.2 Cairo Rendering Surface
++
++```rust
++// gardm-greeter/src/render.rs
++
++use cairo::{Context, ImageSurface, Format};
++use x11rb::protocol::xproto::*;
++
++pub struct Renderer {
++    surface: ImageSurface,
++    width: i32,
++    height: i32,
++}
++
++impl Renderer {
++    pub fn new(width: u16, height: u16) -> anyhow::Result<Self> {
++        let surface = ImageSurface::create(Format::ARgb32, width as i32, height as i32)?;
++        Ok(Self {
++            surface,
++            width: width as i32,
++            height: height as i32,
++        })
++    }
++
++    pub fn context(&self) -> anyhow::Result<Context> {
++        Ok(Context::new(&self.surface)?)
++    }
++
++    /// Get raw pixel data for X11
++    pub fn data(&self) -> Vec<u8> {
++        let stride = self.surface.stride() as usize;
++        let height = self.height as usize;
++        let data = self.surface.data().unwrap();
++
++        // Cairo uses ARGB, X11 uses BGRA - but with same byte order on little-endian
++        data[..stride * height].to_vec()
++    }
++
++    pub fn width(&self) -> i32 { self.width }
++    pub fn height(&self) -> i32 { self.height }
++}
++```
++
++### 3.3 Background with Blur
++
++```rust
++// gardm-greeter/src/background.rs
++
++use image::{RgbaImage, imageops};
++
++/// Load and blur a background image
++pub fn load_blurred_background(
++    path: &str,
++    width: u32,
++    height: u32,
++    blur_radius: f32,
++    brightness: f32,
++) -> anyhow::Result<RgbaImage> {
++    // Load image
++    let img = image::open(path)?.to_rgba8();
++
++    // Scale to screen size (cover mode)
++    let scaled = scale_to_cover(&img, width, height);
++
++    // Apply gaussian blur
++    let blurred = imageops::blur(&scaled, blur_radius);
++
++    // Adjust brightness (darken for better text contrast)
++    let adjusted = adjust_brightness(&blurred, brightness);
++
++    Ok(adjusted)
++}
++
++fn scale_to_cover(img: &RgbaImage, target_w: u32, target_h: u32) -> RgbaImage {
++    let (src_w, src_h) = img.dimensions();
++    let scale = (target_w as f32 / src_w as f32)
++        .max(target_h as f32 / src_h as f32);
++
++    let new_w = (src_w as f32 * scale) as u32;
++    let new_h = (src_h as f32 * scale) as u32;
++
++    let resized = imageops::resize(img, new_w, new_h, imageops::FilterType::Lanczos3);
++
++    // Crop to center
++    let x = (new_w - target_w) / 2;
++    let y = (new_h - target_h) / 2;
++
++    imageops::crop_imm(&resized, x, y, target_w, target_h).to_image()
++}
++
++fn adjust_brightness(img: &RgbaImage, factor: f32) -> RgbaImage {
++    let mut result = img.clone();
++    for pixel in result.pixels_mut() {
++        pixel[0] = (pixel[0] as f32 * factor).min(255.0) as u8;
++        pixel[1] = (pixel[1] as f32 * factor).min(255.0) as u8;
++        pixel[2] = (pixel[2] as f32 * factor).min(255.0) as u8;
++    }
++    result
++}
++```
++
++### 3.4 Login Form Widget
++
++```rust
++// gardm-greeter/src/widgets/login_form.rs
++
++use cairo::Context;
++use pango::{FontDescription, Layout};
++
++pub struct LoginForm {
++    pub username: String,
++    pub password: String,
++    pub focused_field: FocusedField,
++    pub error_message: Option<String>,
++    pub is_loading: bool,
++
++    // Layout
++    x: f64,
++    y: f64,
++    width: f64,
++    height: f64,
++}
++
++#[derive(Clone, Copy, PartialEq)]
++pub enum FocusedField {
++    Username,
++    Password,
++}
++
++impl LoginForm {
++    pub fn new(screen_width: f64, screen_height: f64) -> Self {
++        let width = 400.0;
++        let height = 300.0;
++
++        Self {
++            username: String::new(),
++            password: String::new(),
++            focused_field: FocusedField::Username,
++            error_message: None,
++            is_loading: false,
++            x: (screen_width - width) / 2.0,
++            y: (screen_height - height) / 2.0,
++            width,
++            height,
++        }
++    }
++
++    pub fn render(&self, ctx: &Context, pango_ctx: &pango::Context) -> anyhow::Result<()> {
++        // Background panel (semi-transparent)
++        ctx.set_source_rgba(0.1, 0.1, 0.1, 0.85);
++        rounded_rectangle(ctx, self.x, self.y, self.width, self.height, 16.0);
++        ctx.fill()?;
++
++        // Title
++        let title_layout = Layout::new(pango_ctx);
++        let mut font = FontDescription::new();
++        font.set_family("Sans");
++        font.set_size(24 * pango::SCALE);
++        font.set_weight(pango::Weight::Bold);
++        title_layout.set_font_description(Some(&font));
++        title_layout.set_text("Welcome");
++
++        ctx.set_source_rgb(1.0, 1.0, 1.0);
++        ctx.move_to(self.x + self.width / 2.0 - 50.0, self.y + 30.0);
++        pangocairo::show_layout(ctx, &title_layout);
++
++        // Username field
++        self.render_input_field(
++            ctx, pango_ctx,
++            "Username",
++            &self.username,
++            self.y + 100.0,
++            self.focused_field == FocusedField::Username,
++            false,
++        )?;
++
++        // Password field
++        self.render_input_field(
++            ctx, pango_ctx,
++            "Password",
++            &"•".repeat(self.password.len()),
++            self.y + 160.0,
++            self.focused_field == FocusedField::Password,
++            true,
++        )?;
++
++        // Error message
++        if let Some(ref msg) = self.error_message {
++            ctx.set_source_rgb(1.0, 0.3, 0.3);
++            let err_layout = Layout::new(pango_ctx);
++            font.set_size(12 * pango::SCALE);
++            font.set_weight(pango::Weight::Normal);
++            err_layout.set_font_description(Some(&font));
++            err_layout.set_text(msg);
++            ctx.move_to(self.x + 30.0, self.y + 230.0);
++            pangocairo::show_layout(ctx, &err_layout);
++        }
++
++        // Login button
++        self.render_button(ctx, pango_ctx, "Login", self.y + 260.0)?;
++
++        Ok(())
++    }
++
++    fn render_input_field(
++        &self,
++        ctx: &Context,
++        pango_ctx: &pango::Context,
++        label: &str,
++        value: &str,
++        y: f64,
++        focused: bool,
++        _is_password: bool,
++    ) -> anyhow::Result<()> {
++        let field_x = self.x + 30.0;
++        let field_width = self.width - 60.0;
++        let field_height = 40.0;
++
++        // Label
++        let mut font = FontDescription::new();
++        font.set_family("Sans");
++        font.set_size(11 * pango::SCALE);
++
++        let label_layout = Layout::new(pango_ctx);
++        label_layout.set_font_description(Some(&font));
++        label_layout.set_text(label);
++
++        ctx.set_source_rgba(0.8, 0.8, 0.8, 1.0);
++        ctx.move_to(field_x, y - 18.0);
++        pangocairo::show_layout(ctx, &label_layout);
++
++        // Input box
++        if focused {
++            ctx.set_source_rgba(0.3, 0.5, 0.8, 1.0);
++        } else {
++            ctx.set_source_rgba(0.3, 0.3, 0.3, 1.0);
++        }
++        rounded_rectangle(ctx, field_x, y, field_width, field_height, 8.0);
++        ctx.fill()?;
++
++        // Text value
++        ctx.set_source_rgb(1.0, 1.0, 1.0);
++        font.set_size(14 * pango::SCALE);
++        let value_layout = Layout::new(pango_ctx);
++        value_layout.set_font_description(Some(&font));
++        value_layout.set_text(if value.is_empty() { " " } else { value });
++        ctx.move_to(field_x + 10.0, y + 10.0);
++        pangocairo::show_layout(ctx, &value_layout);
++
++        // Cursor
++        if focused {
++            let (text_width, _) = value_layout.pixel_size();
++            ctx.set_source_rgb(1.0, 1.0, 1.0);
++            ctx.rectangle(field_x + 10.0 + text_width as f64, y + 8.0, 2.0, 24.0);
++            ctx.fill()?;
++        }
++
++        Ok(())
++    }
++
++    fn render_button(
++        &self,
++        ctx: &Context,
++        pango_ctx: &pango::Context,
++        text: &str,
++        y: f64,
++    ) -> anyhow::Result<()> {
++        let btn_width = 120.0;
++        let btn_height = 36.0;
++        let btn_x = self.x + (self.width - btn_width) / 2.0;
++
++        // Button background
++        ctx.set_source_rgba(0.2, 0.5, 0.8, 1.0);
++        rounded_rectangle(ctx, btn_x, y, btn_width, btn_height, 8.0);
++        ctx.fill()?;
++
++        // Button text
++        ctx.set_source_rgb(1.0, 1.0, 1.0);
++        let mut font = FontDescription::new();
++        font.set_family("Sans");
++        font.set_size(14 * pango::SCALE);
++        font.set_weight(pango::Weight::Bold);
++
++        let layout = Layout::new(pango_ctx);
++        layout.set_font_description(Some(&font));
++        layout.set_text(text);
++
++        let (text_w, _) = layout.pixel_size();
++        ctx.move_to(btn_x + (btn_width - text_w as f64) / 2.0, y + 8.0);
++        pangocairo::show_layout(ctx, &layout);
++
++        Ok(())
++    }
++
++    pub fn handle_key(&mut self, key: char) {
++        match self.focused_field {
++            FocusedField::Username => self.username.push(key),
++            FocusedField::Password => self.password.push(key),
++        }
++    }
++
++    pub fn handle_backspace(&mut self) {
++        match self.focused_field {
++            FocusedField::Username => { self.username.pop(); }
++            FocusedField::Password => { self.password.pop(); }
++        }
++    }
++
++    pub fn handle_tab(&mut self) {
++        self.focused_field = match self.focused_field {
++            FocusedField::Username => FocusedField::Password,
++            FocusedField::Password => FocusedField::Username,
++        };
++    }
++}
++
++fn rounded_rectangle(ctx: &Context, x: f64, y: f64, w: f64, h: f64, r: f64) {
++    let degrees = std::f64::consts::PI / 180.0;
++    ctx.new_sub_path();
++    ctx.arc(x + w - r, y + r, r, -90.0 * degrees, 0.0 * degrees);
++    ctx.arc(x + w - r, y + h - r, r, 0.0 * degrees, 90.0 * degrees);
++    ctx.arc(x + r, y + h - r, r, 90.0 * degrees, 180.0 * degrees);
++    ctx.arc(x + r, y + r, r, 180.0 * degrees, 270.0 * degrees);
++    ctx.close_path();
++}
++```
++
++### 3.5 Main Event Loop
++
++```rust
++// gardm-greeter/src/main.rs
++
++use x11rb::protocol::Event;
++
++fn main() -> anyhow::Result<()> {
++    let window = GreeterWindow::new()?;
++    let renderer = Renderer::new(window.width(), window.height())?;
++    let mut form = LoginForm::new(window.width() as f64, window.height() as f64);
++
++    // Load background
++    let background = load_blurred_background(
++        "/usr/share/gardm/backgrounds/default.jpg",
++        window.width() as u32,
++        window.height() as u32,
++        20.0,
++        0.7,
++    )?;
++
++    // Connect to daemon
++    let mut daemon = DaemonClient::connect()?;
++
++    loop {
++        // Render frame
++        {
++            let ctx = renderer.context()?;
++            render_background(&ctx, &background)?;
++            form.render(&ctx, &pango_ctx)?;
++        }
++
++        // Copy to X11
++        window.put_image(&renderer.data())?;
++
++        // Handle events
++        let event = window.conn().wait_for_event()?;
++        match event {
++            Event::Expose(_) => {
++                // Redraw handled above
++            }
++            Event::KeyPress(e) => {
++                match e.detail {
++                    9 => break,  // Escape - exit (for testing)
++                    36 => {      // Enter - submit
++                        if form.focused_field == FocusedField::Password {
++                            // Authenticate
++                            daemon.create_session(&form.username)?;
++                            match daemon.authenticate(&form.password)? {
++                                Response::Success => {
++                                    daemon.start_session(&["gar-session.sh"])?;
++                                    break;
++                                }
++                                Response::AuthError { message } => {
++                                    form.error_message = Some(message);
++                                }
++                                _ => {}
++                            }
++                        } else {
++                            form.handle_tab();
++                        }
++                    }
++                    23 => form.handle_tab(),  // Tab
++                    22 => form.handle_backspace(),  // Backspace
++                    _ => {
++                        // Regular key
++                        if let Some(c) = keycode_to_char(e.detail, e.state) {
++                            form.handle_key(c);
++                        }
++                    }
++                }
++            }
++            _ => {}
++        }
++    }
++
++    Ok(())
++}
++```
++
++## Acceptance Criteria
++
++1. Greeter displays fullscreen with blurred background
++2. Login form is centered and styled
++3. Keyboard input works for username/password
++4. Tab switches between fields
++5. Enter submits form
++6. Error messages display correctly
++7. Successful auth triggers session start
++
++## Pitfalls to Avoid
++
++1. **X11 keycodes vary by layout** - use XKB for proper key mapping
++2. **Cairo surface format** - ensure ARGB matches X11 expectations
++3. **Font rendering** - initialize Pango context correctly
++4. **Fullscreen on all monitors** - may need per-monitor handling
++5. **Input focus** - greeter window must grab keyboard
++6. **Memory leaks** - Cairo contexts need proper cleanup
++
++## Testing
++
++```bash
++# Test in Xephyr
++Xephyr -br -ac -noreset -screen 1280x720 :1 &
++DISPLAY=:1 ./target/release/gardm-greeter
++
++# Test keyboard input
++# Test form submission
++# Test error display
++```
++
++## Dependencies for This Sprint
++
++```toml
++# gardm-greeter/Cargo.toml
++[dependencies]
++x11rb = "0.13"
++cairo-rs = { version = "0.18", features = ["png"] }
++pango = "0.18"
++pangocairo = "0.18"
++image = "0.24"
++```
++
++## Next Sprint
++
++Sprint 4 will add garbg integration for seamless wallpaper sync.

docs/sprints/sprint-4-garbg-integration.mdadded

++# Sprint 4: garbg Integration
++
++**Goal:** Integrate with garbg to display the same wallpaper that will be shown after login, creating a seamless visual transition.
++
++## Objectives
++
++- Read garbg configuration to determine wallpaper source
++- Read garbg playlist state for current wallpaper
++- Apply consistent blur settings
++- Ensure seamless transition from greeter to gar session
++- Handle fallback when garbg config not available
++
++## Background: Seamless Transition
++
++The goal is that when a user logs in, the transition from greeter to desktop should feel smooth:
++
++```
++┌─────────────────────────────────────────────────────────────────┐
++│ Greeter                                                         │
++│ - Shows blurred version of current garbg wallpaper              │
++│ - User enters credentials                                       │
++│ - Login succeeds                                                │
++└─────────────────────────────────────────────────────────────────┘
++                              │
++                              ▼ (fade out greeter)
++┌─────────────────────────────────────────────────────────────────┐
++│ gar Session                                                     │
++│ - garbg starts and sets SAME wallpaper (unblurred)              │
++│ - Only visible change: blur fades away, UI elements appear      │
++└─────────────────────────────────────────────────────────────────┘
++```
++
++## Tasks
++
++### 4.1 Read garbg Configuration
++
++```rust
++// gardm-greeter/src/garbg.rs
++
++use serde::Deserialize;
++use std::path::PathBuf;
++
++#[derive(Debug, Deserialize)]
++pub struct GarbgConfig {
++    #[serde(default)]
++    pub general: GeneralConfig,
++    #[serde(default)]
++    pub default: DefaultConfig,
++}
++
++#[derive(Debug, Deserialize, Default)]
++pub struct GeneralConfig {
++    #[serde(default = "default_mode")]
++    pub mode: String,
++}
++
++#[derive(Debug, Deserialize, Default)]
++pub struct DefaultConfig {
++    #[serde(default)]
++    pub source: String,
++}
++
++fn default_mode() -> String { "fill".to_string() }
++
++impl GarbgConfig {
++    /// Load garbg config from user or system location
++    pub fn load(username: Option<&str>) -> Option<Self> {
++        // Try user config first (if we know the username)
++        if let Some(user) = username {
++            if let Some(home) = get_user_home(user) {
++                let user_config = home.join(".config/garbg/config.toml");
++                if let Ok(content) = std::fs::read_to_string(&user_config) {
++                    if let Ok(config) = toml::from_str(&content) {
++                        return Some(config);
++                    }
++                }
++            }
++        }
++
++        // Try system-wide default
++        let system_config = PathBuf::from("/etc/garbg/config.toml");
++        if let Ok(content) = std::fs::read_to_string(&system_config) {
++            if let Ok(config) = toml::from_str(&content) {
++                return Some(config);
++            }
++        }
++
++        None
++    }
++
++    /// Get the default wallpaper path
++    pub fn default_wallpaper(&self) -> Option<String> {
++        if self.default.source.is_empty() {
++            None
++        } else {
++            Some(expand_path(&self.default.source))
++        }
++    }
++}
++
++fn get_user_home(username: &str) -> Option<PathBuf> {
++    use nix::unistd::User;
++    User::from_name(username).ok()?
++        .map(|u| PathBuf::from(u.dir))
++}
++
++fn expand_path(path: &str) -> String {
++    shellexpand::tilde(path).to_string()
++}
++```
++
++### 4.2 Read garbg Playlist State
++
++```rust
++// gardm-greeter/src/garbg.rs (continued)
++
++#[derive(Debug, Deserialize)]
++pub struct PlaylistState {
++    pub source: String,
++    pub images: Vec<String>,
++    pub current_index: usize,
++    #[serde(default)]
++    pub shuffled: bool,
++}
++
++impl PlaylistState {
++    /// Load current playlist state from runtime directory
++    pub fn load(username: Option<&str>) -> Option<Self> {
++        // Playlist state is stored in XDG_RUNTIME_DIR
++        let runtime_dir = std::env::var("XDG_RUNTIME_DIR").ok()?;
++        let state_file = PathBuf::from(&runtime_dir).join("garbg-state.json");
++
++        // If that doesn't exist, try user-specific location
++        if !state_file.exists() {
++            if let Some(user) = username {
++                // Try /run/user/<uid>/garbg-state.json
++                if let Some(uid) = get_user_uid(user) {
++                    let user_runtime = format!("/run/user/{}/garbg-state.json", uid);
++                    if let Ok(content) = std::fs::read_to_string(&user_runtime) {
++                        if let Ok(state) = serde_json::from_str(&content) {
++                            return Some(state);
++                        }
++                    }
++                }
++            }
++        }
++
++        let content = std::fs::read_to_string(&state_file).ok()?;
++        serde_json::from_str(&content).ok()
++    }
++
++    /// Get the current wallpaper path
++    pub fn current_wallpaper(&self) -> Option<&str> {
++        self.images.get(self.current_index).map(|s| s.as_str())
++    }
++}
++
++fn get_user_uid(username: &str) -> Option<u32> {
++    use nix::unistd::User;
++    User::from_name(username).ok()?
++        .map(|u| u.uid.as_raw())
++}
++```
++
++### 4.3 Wallpaper Resolution Logic
++
++```rust
++// gardm-greeter/src/garbg.rs (continued)
++
++/// Resolve which wallpaper to use for the greeter
++pub struct WallpaperResolver {
++    fallback_path: String,
++}
++
++impl WallpaperResolver {
++    pub fn new(fallback: &str) -> Self {
++        Self {
++            fallback_path: fallback.to_string(),
++        }
++    }
++
++    /// Resolve wallpaper path, trying multiple sources
++    pub fn resolve(&self, username: Option<&str>) -> String {
++        // Priority 1: Current playlist state (what user was last seeing)
++        if let Some(state) = PlaylistState::load(username) {
++            if let Some(current) = state.current_wallpaper() {
++                let expanded = expand_path(current);
++                if std::path::Path::new(&expanded).exists() {
++                    tracing::info!("Using wallpaper from playlist: {}", expanded);
++                    return expanded;
++                }
++            }
++        }
++
++        // Priority 2: garbg config default
++        if let Some(config) = GarbgConfig::load(username) {
++            if let Some(default) = config.default_wallpaper() {
++                // If it's a directory, pick first image
++                let path = std::path::Path::new(&default);
++                if path.is_dir() {
++                    if let Some(first) = first_image_in_dir(&default) {
++                        tracing::info!("Using first image from garbg source dir: {}", first);
++                        return first;
++                    }
++                } else if path.exists() {
++                    tracing::info!("Using wallpaper from garbg config: {}", default);
++                    return default;
++                }
++            }
++        }
++
++        // Priority 3: Fallback
++        tracing::info!("Using fallback wallpaper: {}", self.fallback_path);
++        self.fallback_path.clone()
++    }
++}
++
++/// Get first image file in a directory
++fn first_image_in_dir(dir: &str) -> Option<String> {
++    let extensions = ["jpg", "jpeg", "png", "webp"];
++
++    let mut entries: Vec<_> = std::fs::read_dir(dir).ok()?
++        .filter_map(|e| e.ok())
++        .filter(|e| {
++            let path = e.path();
++            if let Some(ext) = path.extension() {
++                extensions.contains(&ext.to_string_lossy().to_lowercase().as_str())
++            } else {
++                false
++            }
++        })
++        .collect();
++
++    entries.sort_by_key(|e| e.path());
++    entries.first().map(|e| e.path().to_string_lossy().to_string())
++}
++```
++
++### 4.4 Shared Visual Settings
++
++```rust
++// gardm-greeter/src/config.rs
++
++use serde::Deserialize;
++
++#[derive(Debug, Deserialize)]
++pub struct GreeterConfig {
++    #[serde(default)]
++    pub visual: VisualConfig,
++    #[serde(default)]
++    pub garbg: GarbgIntegration,
++}
++
++#[derive(Debug, Deserialize, Default)]
++pub struct VisualConfig {
++    /// Blur radius for background (should match gar lock screen)
++    #[serde(default = "default_blur_radius")]
++    pub blur_radius: f32,
++
++    /// Background brightness (0.0-1.0, lower = darker)
++    #[serde(default = "default_brightness")]
++    pub blur_brightness: f32,
++
++    /// Corner radius for UI elements (match gar's corner_radius)
++    #[serde(default = "default_corner_radius")]
++    pub corner_radius: f64,
++}
++
++#[derive(Debug, Deserialize, Default)]
++pub struct GarbgIntegration {
++    /// Whether to use garbg wallpaper
++    #[serde(default = "default_true")]
++    pub enabled: bool,
++
++    /// Fallback wallpaper if garbg not configured
++    #[serde(default = "default_fallback")]
++    pub fallback: String,
++}
++
++fn default_blur_radius() -> f32 { 20.0 }
++fn default_brightness() -> f32 { 0.7 }
++fn default_corner_radius() -> f64 { 18.0 }
++fn default_true() -> bool { true }
++fn default_fallback() -> String { "/usr/share/gardm/backgrounds/default.jpg".to_string() }
++```
++
++### 4.5 Integration with Greeter Main Loop
++
++```rust
++// gardm-greeter/src/main.rs (updated)
++
++fn main() -> anyhow::Result<()> {
++    let config = GreeterConfig::load()?;
++    let window = GreeterWindow::new()?;
++
++    // Resolve wallpaper using garbg integration
++    let wallpaper_path = if config.garbg.enabled {
++        let resolver = WallpaperResolver::new(&config.garbg.fallback);
++        // Initially no username known, use system defaults
++        resolver.resolve(None)
++    } else {
++        config.garbg.fallback.clone()
++    };
++
++    // Load and blur background
++    let background = load_blurred_background(
++        &wallpaper_path,
++        window.width() as u32,
++        window.height() as u32,
++        config.visual.blur_radius,
++        config.visual.blur_brightness,
++    )?;
++
++    let mut form = LoginForm::new(
++        window.width() as f64,
++        window.height() as f64,
++        config.visual.corner_radius,
++    );
++
++    // When username is entered, potentially update wallpaper
++    // to user-specific one (optional enhancement)
++
++    // ... rest of event loop ...
++}
++```
++
++### 4.6 Session Transition Effect
++
++```rust
++// gardm-greeter/src/transition.rs
++
++use std::time::{Duration, Instant};
++
++/// Fade out transition before starting session
++pub struct FadeOutTransition {
++    start_time: Instant,
++    duration: Duration,
++}
++
++impl FadeOutTransition {
++    pub fn new(duration_ms: u64) -> Self {
++        Self {
++            start_time: Instant::now(),
++            duration: Duration::from_millis(duration_ms),
++        }
++    }
++
++    /// Get current opacity (1.0 -> 0.0)
++    pub fn opacity(&self) -> f64 {
++        let elapsed = self.start_time.elapsed();
++        if elapsed >= self.duration {
++            0.0
++        } else {
++            1.0 - (elapsed.as_secs_f64() / self.duration.as_secs_f64())
++        }
++    }
++
++    pub fn is_complete(&self) -> bool {
++        self.start_time.elapsed() >= self.duration
++    }
++}
++
++/// Apply fade during session start
++pub fn render_with_fade(
++    ctx: &cairo::Context,
++    background: &image::RgbaImage,
++    form: &LoginForm,
++    fade: Option<&FadeOutTransition>,
++) -> anyhow::Result<()> {
++    // Render background (always full opacity)
++    render_background(ctx, background)?;
++
++    // Render UI with fade
++    if let Some(fade) = fade {
++        ctx.push_group();
++        form.render(ctx, &pango_ctx)?;
++        ctx.pop_group_to_source()?;
++        ctx.paint_with_alpha(fade.opacity())?;
++    } else {
++        form.render(ctx, &pango_ctx)?;
++    }
++
++    Ok(())
++}
++```
++
++## Acceptance Criteria
++
++1. Greeter shows same wallpaper as garbg will after login
++2. Blur settings are consistent with gar lock screen
++3. Fallback works when garbg is not configured
++4. User-specific wallpaper is used when username is known
++5. Smooth fade transition when starting session
++6. No flash of different wallpaper during login
++
++## Pitfalls to Avoid
++
++1. **File permissions** - greeter runs as gardm user, may not access user home
++2. **Race conditions** - garbg state file might be stale
++3. **Directory vs file** - garbg source might be a directory
++4. **Missing files** - wallpaper might have been deleted
++5. **Large images** - blur on 4K images is slow, cache if needed
++
++## Testing
++
++```bash
++# Test wallpaper resolution
++# 1. With garbg configured and running
++garbg set ~/Pictures/wallpapers --random
++DISPLAY=:1 ./target/release/gardm-greeter
++
++# 2. With garbg config but no playlist
++rm ~/.local/state/garbg-state.json
++DISPLAY=:1 ./target/release/gardm-greeter
++
++# 3. Without any garbg config (should use fallback)
++mv ~/.config/garbg/config.toml ~/.config/garbg/config.toml.bak
++DISPLAY=:1 ./target/release/gardm-greeter
++```
++
++## Dependencies for This Sprint
++
++```toml
++# gardm-greeter/Cargo.toml
++[dependencies]
++shellexpand = "3.0"
++toml = "0.8"
++serde_json = "1.0"
++```
++
++## Integration Checklist
++
++- [ ] Greeter reads `~/.config/garbg/config.toml`
++- [ ] Greeter reads `$XDG_RUNTIME_DIR/garbg-state.json`
++- [ ] Blur radius matches gar lock screen (if implemented)
++- [ ] Corner radius matches gar's `corner_radius` setting
++- [ ] Fallback image is bundled with gardm package
++- [ ] Fade transition timing feels smooth (150-200ms)
++
++## Future Enhancements
++
++- [ ] Per-user wallpaper preview before login
++- [ ] Animated wallpaper support (match garbg animation)
++- [ ] Workspace-specific wallpaper from garbg config
++- [ ] Live wallpaper update if garbg changes during greeter
++
++## Next Steps
++
++After Sprint 4, consider:
++- Sprint 5: Power buttons and session selector
++- Sprint 6: User list with avatars
++- Sprint 7: Accessibility and theming
++- Sprint 8: Multi-monitor support

etc/config.tomladded

++# gardm configuration
++# Place this file at /etc/gardm/config.toml
++
++[general]
++# Default session to launch (without .desktop extension)
++default_session = "gar"
++# Path to greeter executable
++greeter = "/usr/bin/gardm-greeter"
++# VT to use (0 = auto-select)
++vt = 0
++# X11 display
++display = ":0"
++
++[greeter]
++# Background blur radius
++blur_radius = 20
++# Background brightness (0.0-1.0)
++blur_brightness = 0.7
++# Show power buttons (shutdown, reboot, suspend)
++show_power_buttons = true
++# Show session selector dropdown
++show_session_selector = true
++# Use garbg's current wallpaper
++use_garbg_wallpaper = true
++# Fallback wallpaper if garbg not available
++fallback_wallpaper = "/usr/share/gardm/backgrounds/default.jpg"
++
++[security]
++# Allow empty passwords (NOT recommended)
++allow_empty_password = false
++# Lock after N failed attempts (0 = disabled)
++lockout_attempts = 5
++# Lockout duration in seconds
++lockout_duration = 300

etc/gardm.serviceadded

++[Unit]
++Description=gar Display Manager
++Documentation=https://github.com/mfwolffe/gardesk
++After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
++Conflicts=getty@tty1.service
++
++[Service]
++Type=notify
++ExecStart=/usr/bin/gardmd
++ExecReload=/bin/kill -HUP $MAINPID
++Restart=always
++RestartSec=1
++
++# Security hardening
++NoNewPrivileges=no
++ProtectSystem=strict
++ProtectHome=read-only
++PrivateTmp=yes
++ReadWritePaths=/run
++
++# PAM needs access to various system files
++ReadOnlyPaths=/etc/passwd /etc/shadow /etc/group /etc/pam.d
++
++[Install]
++Alias=display-manager.service

gardm-greeter/Cargo.tomladded

++[package]
++name = "gardm-greeter"
++version.workspace = true
++edition.workspace = true
++license.workspace = true
++description = "gar display manager greeter"
++
++[[bin]]
++name = "gardm-greeter"
++path = "src/main.rs"
++
++[dependencies]
++gardm-ipc = { workspace = true }
++tokio = { workspace = true }
++tracing = { workspace = true }
++tracing-subscriber = { workspace = true }
++anyhow = { workspace = true }
++thiserror = { workspace = true }

gardm-greeter/src/main.rsadded

++//! gardm-greeter - gar display manager greeter
++//!
++//! Graphical login UI that communicates with gardmd.
++
++use anyhow::Result;
++use gardm_ipc::{Client, Request};
++use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
++
++#[tokio::main]
++async fn main() -> Result<()> {
++    // Initialize logging
++    tracing_subscriber::registry()
++        .with(EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info")))
++        .with(tracing_subscriber::fmt::layer())
++        .init();
++
++    tracing::info!("gardm-greeter starting");
++
++    // Connect to daemon
++    let mut client = Client::connect().await?;
++    tracing::info!("Connected to gardmd");
++
++    // TODO: Initialize X11/rendering
++    // TODO: Main UI loop
++
++    // For now, just test the connection
++    let response = client.request(&Request::ListSessions).await?;
++    tracing::info!(?response, "Got sessions");
++
++    let response = client.request(&Request::ListUsers).await?;
++    tracing::info!(?response, "Got users");
++
++    tracing::info!("gardm-greeter exiting (UI not yet implemented)");
++    Ok(())
++}

gardm-ipc/Cargo.tomladded

++[package]
++name = "gardm-ipc"
++version.workspace = true
++edition.workspace = true
++license.workspace = true
++description = "IPC protocol types for gardm display manager"
++
++[dependencies]
++serde = { workspace = true }
++serde_json = { workspace = true }
++thiserror = { workspace = true }
++tokio = { workspace = true, features = ["net", "io-util"] }

gardm-ipc/src/lib.rsadded

++//! IPC protocol for gardm display manager
++//!
++//! Defines the JSON-based protocol between gardmd (daemon) and gardm-greeter (UI).
++
++use serde::{Deserialize, Serialize};
++use std::path::PathBuf;
++use tokio::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
++use tokio::net::UnixStream;
++
++/// Socket path for gardm IPC
++pub const SOCKET_PATH: &str = "/run/gardm.sock";
++
++/// Requests from greeter to daemon
++#[derive(Debug, Clone, Serialize, Deserialize)]
++#[serde(tag = "type", rename_all = "snake_case")]
++pub enum Request {
++    /// Create a new authentication session for a user
++    CreateSession { username: String },
++
++    /// Provide authentication response (password, OTP, etc.)
++    Authenticate { response: String },
++
++    /// Start the user's session after successful auth
++    StartSession {
++        /// Session command (e.g., ["gar-session.sh"])
++        cmd: Vec<String>,
++        /// Additional environment variables
++        #[serde(default)]
++        env: Vec<String>,
++    },
++
++    /// Cancel the current authentication attempt
++    CancelSession,
++
++    /// Request system shutdown
++    Shutdown,
++
++    /// Request system reboot
++    Reboot,
++
++    /// Request system suspend
++    Suspend,
++
++    /// Get list of available sessions
++    ListSessions,
++
++    /// Get list of available users
++    ListUsers,
++}
++
++/// Responses from daemon to greeter
++#[derive(Debug, Clone, Serialize, Deserialize)]
++#[serde(tag = "type", rename_all = "snake_case")]
++pub enum Response {
++    /// Operation completed successfully
++    Success,
++
++    /// PAM is requesting user input
++    AuthPrompt {
++        /// Prompt message (e.g., "Password:")
++        prompt: String,
++        /// Whether to echo input (false for passwords)
++        echo: bool,
++    },
++
++    /// PAM informational message
++    AuthInfo { message: String },
++
++    /// Authentication failed
++    AuthError { message: String },
++
++    /// General error
++    Error { message: String },
++
++    /// List of available sessions
++    Sessions { sessions: Vec<SessionInfo> },
++
++    /// List of available users
++    Users { users: Vec<UserInfo> },
++}
++
++/// Information about an available session
++#[derive(Debug, Clone, Serialize, Deserialize)]
++pub struct SessionInfo {
++    /// Session identifier (desktop file name without .desktop)
++    pub id: String,
++    /// Display name
++    pub name: String,
++    /// Optional comment/description
++    pub comment: Option<String>,
++    /// Exec command
++    pub exec: String,
++    /// Session type (x11, wayland)
++    pub session_type: String,
++}
++
++/// Information about a user
++#[derive(Debug, Clone, Serialize, Deserialize)]
++pub struct UserInfo {
++    /// Username
++    pub name: String,
++    /// Full name (GECOS field)
++    pub full_name: Option<String>,
++    /// Home directory
++    pub home: PathBuf,
++    /// Path to user avatar (if available)
++    pub avatar: Option<PathBuf>,
++}
++
++/// IPC client for connecting to gardmd
++pub struct Client {
++    reader: BufReader<tokio::net::unix::OwnedReadHalf>,
++    writer: tokio::net::unix::OwnedWriteHalf,
++}
++
++impl Client {
++    /// Connect to the daemon
++    pub async fn connect() -> Result<Self, std::io::Error> {
++        Self::connect_to(SOCKET_PATH).await
++    }
++
++    /// Connect to a specific socket path
++    pub async fn connect_to(path: &str) -> Result<Self, std::io::Error> {
++        let stream = UnixStream::connect(path).await?;
++        let (read, write) = stream.into_split();
++        Ok(Self {
++            reader: BufReader::new(read),
++            writer: write,
++        })
++    }
++
++    /// Send a request to the daemon
++    pub async fn send(&mut self, request: &Request) -> Result<(), std::io::Error> {
++        let json = serde_json::to_string(request).map_err(|e| {
++            std::io::Error::new(std::io::ErrorKind::InvalidData, e)
++        })?;
++        self.writer.write_all(json.as_bytes()).await?;
++        self.writer.write_all(b"\n").await?;
++        self.writer.flush().await?;
++        Ok(())
++    }
++
++    /// Receive a response from the daemon
++    pub async fn recv(&mut self) -> Result<Response, std::io::Error> {
++        let mut line = String::new();
++        let n = self.reader.read_line(&mut line).await?;
++        if n == 0 {
++            return Err(std::io::Error::new(
++                std::io::ErrorKind::UnexpectedEof,
++                "daemon closed connection",
++            ));
++        }
++        serde_json::from_str(&line).map_err(|e| {
++            std::io::Error::new(std::io::ErrorKind::InvalidData, e)
++        })
++    }
++
++    /// Send request and wait for response
++    pub async fn request(&mut self, request: &Request) -> Result<Response, std::io::Error> {
++        self.send(request).await?;
++        self.recv().await
++    }
++}
++
++#[cfg(test)]
++mod tests {
++    use super::*;
++
++    #[test]
++    fn test_request_serialization() {
++        let req = Request::CreateSession {
++            username: "testuser".to_string(),
++        };
++        let json = serde_json::to_string(&req).unwrap();
++        assert!(json.contains("create_session"));
++        assert!(json.contains("testuser"));
++    }
++
++    #[test]
++    fn test_response_serialization() {
++        let resp = Response::AuthPrompt {
++            prompt: "Password:".to_string(),
++            echo: false,
++        };
++        let json = serde_json::to_string(&resp).unwrap();
++        assert!(json.contains("auth_prompt"));
++        assert!(json.contains("Password:"));
++    }
++
++    #[test]
++    fn test_request_deserialization() {
++        let json = r#"{"type":"authenticate","response":"secret123"}"#;
++        let req: Request = serde_json::from_str(json).unwrap();
++        match req {
++            Request::Authenticate { response } => assert_eq!(response, "secret123"),
++            _ => panic!("Wrong variant"),
++        }
++    }
++}

gardmd/Cargo.tomladded

++[package]
++name = "gardmd"
++version.workspace = true
++edition.workspace = true
++license.workspace = true
++description = "gar display manager daemon"
++
++[[bin]]
++name = "gardmd"
++path = "src/main.rs"
++
++[dependencies]
++gardm-ipc = { workspace = true }
++tokio = { workspace = true }
++tracing = { workspace = true }
++tracing-subscriber = { workspace = true }
++anyhow = { workspace = true }
++thiserror = { workspace = true }
++serde = { workspace = true }
++serde_json = { workspace = true }
++toml = { workspace = true }
++nix = { workspace = true }
++sd-notify = "0.4"

gardmd/src/config.rsadded

++//! Configuration for gardmd
++
++use serde::Deserialize;
++use std::path::PathBuf;
++
++/// Main configuration structure
++#[derive(Debug, Clone, Deserialize)]
++pub struct Config {
++    #[serde(default)]
++    pub general: GeneralConfig,
++    #[serde(default)]
++    pub greeter: GreeterConfig,
++    #[serde(default)]
++    pub security: SecurityConfig,
++}
++
++impl Default for Config {
++    fn default() -> Self {
++        Self {
++            general: GeneralConfig::default(),
++            greeter: GreeterConfig::default(),
++            security: SecurityConfig::default(),
++        }
++    }
++}
++
++/// General daemon settings
++#[derive(Debug, Clone, Deserialize)]
++pub struct GeneralConfig {
++    /// Default session if user hasn't selected one
++    #[serde(default = "default_session")]
++    pub default_session: String,
++
++    /// Path to greeter executable
++    #[serde(default = "default_greeter")]
++    pub greeter: PathBuf,
++
++    /// VT to use (0 = auto-select)
++    #[serde(default)]
++    pub vt: u32,
++
++    /// X11 display to use
++    #[serde(default = "default_display")]
++    pub display: String,
++}
++
++impl Default for GeneralConfig {
++    fn default() -> Self {
++        Self {
++            default_session: default_session(),
++            greeter: default_greeter(),
++            vt: 0,
++            display: default_display(),
++        }
++    }
++}
++
++/// Greeter visual settings
++#[derive(Debug, Clone, Deserialize)]
++pub struct GreeterConfig {
++    /// Blur radius for background
++    #[serde(default = "default_blur_radius")]
++    pub blur_radius: u32,
++
++    /// Background brightness (0.0-1.0)
++    #[serde(default = "default_blur_brightness")]
++    pub blur_brightness: f32,
++
++    /// Show power buttons
++    #[serde(default = "default_true")]
++    pub show_power_buttons: bool,
++
++    /// Show session selector
++    #[serde(default = "default_true")]
++    pub show_session_selector: bool,
++
++    /// Use garbg wallpaper
++    #[serde(default = "default_true")]
++    pub use_garbg_wallpaper: bool,
++
++    /// Fallback wallpaper path
++    #[serde(default = "default_fallback_wallpaper")]
++    pub fallback_wallpaper: PathBuf,
++}
++
++impl Default for GreeterConfig {
++    fn default() -> Self {
++        Self {
++            blur_radius: default_blur_radius(),
++            blur_brightness: default_blur_brightness(),
++            show_power_buttons: true,
++            show_session_selector: true,
++            use_garbg_wallpaper: true,
++            fallback_wallpaper: default_fallback_wallpaper(),
++        }
++    }
++}
++
++/// Security settings
++#[derive(Debug, Clone, Deserialize)]
++pub struct SecurityConfig {
++    /// Allow empty passwords
++    #[serde(default)]
++    pub allow_empty_password: bool,
++
++    /// Lock after N failed attempts (0 = disabled)
++    #[serde(default = "default_lockout_attempts")]
++    pub lockout_attempts: u32,
++
++    /// Lockout duration in seconds
++    #[serde(default = "default_lockout_duration")]
++    pub lockout_duration: u64,
++}
++
++impl Default for SecurityConfig {
++    fn default() -> Self {
++        Self {
++            allow_empty_password: false,
++            lockout_attempts: default_lockout_attempts(),
++            lockout_duration: default_lockout_duration(),
++        }
++    }
++}
++
++// Default value functions
++fn default_session() -> String { "gar".to_string() }
++fn default_greeter() -> PathBuf { PathBuf::from("/usr/bin/gardm-greeter") }
++fn default_display() -> String { ":0".to_string() }
++fn default_blur_radius() -> u32 { 20 }
++fn default_blur_brightness() -> f32 { 0.7 }
++fn default_true() -> bool { true }
++fn default_fallback_wallpaper() -> PathBuf {
++    PathBuf::from("/usr/share/gardm/backgrounds/default.jpg")
++}
++fn default_lockout_attempts() -> u32 { 5 }
++fn default_lockout_duration() -> u64 { 300 }
++
++impl Config {
++    /// Load configuration from default path
++    pub fn load() -> anyhow::Result<Self> {
++        Self::load_from("/etc/gardm/config.toml")
++    }
++
++    /// Load configuration from specified path
++    pub fn load_from(path: &str) -> anyhow::Result<Self> {
++        let path = PathBuf::from(path);
++        if path.exists() {
++            let content = std::fs::read_to_string(&path)?;
++            Ok(toml::from_str(&content)?)
++        } else {
++            tracing::info!("Config file not found at {}, using defaults", path.display());
++            Ok(Config::default())
++        }
++    }
++}

gardmd/src/ipc.rsadded

++//! IPC server for gardmd
++//!
++//! Handles connections from the greeter and processes requests.
++
++use anyhow::Result;
++use gardm_ipc::{Request, Response, SOCKET_PATH};
++use std::path::Path;
++use tokio::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
++use tokio::net::{UnixListener, UnixStream};
++use tokio::sync::mpsc;
++
++/// IPC server for handling greeter connections
++pub struct Server {
++    listener: UnixListener,
++}
++
++impl Server {
++    /// Create a new IPC server
++    pub async fn new() -> Result<Self> {
++        Self::bind(SOCKET_PATH).await
++    }
++
++    /// Bind to a specific socket path
++    pub async fn bind(path: &str) -> Result<Self> {
++        let path = Path::new(path);
++
++        // Remove stale socket if it exists
++        if path.exists() {
++            std::fs::remove_file(path)?;
++        }
++
++        // Ensure parent directory exists
++        if let Some(parent) = path.parent() {
++            std::fs::create_dir_all(parent)?;
++        }
++
++        let listener = UnixListener::bind(path)?;
++        tracing::info!("IPC server listening on {}", path.display());
++
++        Ok(Self { listener })
++    }
++
++    /// Accept a new connection
++    pub async fn accept(&self) -> Result<ClientConnection> {
++        let (stream, _addr) = self.listener.accept().await?;
++        tracing::debug!("New greeter connection");
++        Ok(ClientConnection::new(stream))
++    }
++}
++
++/// A connected greeter client
++pub struct ClientConnection {
++    reader: BufReader<tokio::net::unix::OwnedReadHalf>,
++    writer: tokio::net::unix::OwnedWriteHalf,
++}
++
++impl ClientConnection {
++    fn new(stream: UnixStream) -> Self {
++        let (read, write) = stream.into_split();
++        Self {
++            reader: BufReader::new(read),
++            writer: write,
++        }
++    }
++
++    /// Receive a request from the greeter
++    pub async fn recv(&mut self) -> Result<Option<Request>> {
++        let mut line = String::new();
++        let n = self.reader.read_line(&mut line).await?;
++        if n == 0 {
++            return Ok(None);
++        }
++        let request: Request = serde_json::from_str(&line)?;
++        tracing::debug!(?request, "Received request");
++        Ok(Some(request))
++    }
++
++    /// Send a response to the greeter
++    pub async fn send(&mut self, response: &Response) -> Result<()> {
++        let json = serde_json::to_string(response)?;
++        self.writer.write_all(json.as_bytes()).await?;
++        self.writer.write_all(b"\n").await?;
++        self.writer.flush().await?;
++        tracing::debug!(?response, "Sent response");
++        Ok(())
++    }
++}
++
++/// Commands from external sources (e.g., signal handlers)
++#[derive(Debug)]
++pub enum DaemonCommand {
++    Shutdown,
++    Reload,
++}
++
++/// Create a channel for daemon commands
++pub fn command_channel() -> (mpsc::Sender<DaemonCommand>, mpsc::Receiver<DaemonCommand>) {
++    mpsc::channel(16)
++}

gardmd/src/lib.rsadded

++//! gardmd - gar display manager daemon
++//!
++//! Handles PAM authentication, X11 server management, and session launching.
++
++pub mod config;
++pub mod ipc;
++
++pub use config::Config;
++pub use ipc::{ClientConnection, Server};

gardmd/src/main.rsadded

++//! gardmd - gar display manager daemon
++//!
++//! Main entry point with signal handling and systemd integration.
++
++use anyhow::Result;
++use gardmd::{config::Config, ipc};
++use tokio::signal::unix::{signal, SignalKind};
++use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
++
++#[tokio::main]
++async fn main() -> Result<()> {
++    // Initialize logging
++    tracing_subscriber::registry()
++        .with(EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info")))
++        .with(tracing_subscriber::fmt::layer())
++        .init();
++
++    tracing::info!("gardmd starting");
++
++    // Load configuration
++    let config = Config::load()?;
++    tracing::debug!(?config, "Loaded configuration");
++
++    // Create IPC server
++    let server = ipc::Server::new().await?;
++
++    // Set up signal handlers
++    let mut sigterm = signal(SignalKind::terminate())?;
++    let mut sigint = signal(SignalKind::interrupt())?;
++    let mut sighup = signal(SignalKind::hangup())?;
++
++    // Notify systemd we're ready
++    if let Err(e) = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]) {
++        tracing::warn!("Failed to notify systemd: {}", e);
++    }
++
++    tracing::info!("gardmd ready");
++
++    // Main event loop
++    loop {
++        tokio::select! {
++            // Handle new greeter connections
++            result = server.accept() => {
++                match result {
++                    Ok(conn) => {
++                        tokio::spawn(handle_client(conn, config.clone()));
++                    }
++                    Err(e) => {
++                        tracing::error!("Failed to accept connection: {}", e);
++                    }
++                }
++            }
++
++            // Handle SIGTERM
++            _ = sigterm.recv() => {
++                tracing::info!("Received SIGTERM, shutting down");
++                break;
++            }
++
++            // Handle SIGINT
++            _ = sigint.recv() => {
++                tracing::info!("Received SIGINT, shutting down");
++                break;
++            }
++
++            // Handle SIGHUP (reload config)
++            _ = sighup.recv() => {
++                tracing::info!("Received SIGHUP, reloading config");
++                // TODO: Implement config reload
++            }
++        }
++    }
++
++    // Notify systemd we're stopping
++    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Stopping]);
++
++    tracing::info!("gardmd stopped");
++    Ok(())
++}
++
++/// Handle a connected greeter client
++async fn handle_client(mut conn: ipc::ClientConnection, _config: Config) {
++    loop {
++        match conn.recv().await {
++            Ok(Some(request)) => {
++                let response = handle_request(request).await;
++                if let Err(e) = conn.send(&response).await {
++                    tracing::error!("Failed to send response: {}", e);
++                    break;
++                }
++            }
++            Ok(None) => {
++                tracing::debug!("Greeter disconnected");
++                break;
++            }
++            Err(e) => {
++                tracing::error!("Error receiving request: {}", e);
++                break;
++            }
++        }
++    }
++}
++
++/// Process a request and return a response
++async fn handle_request(request: gardm_ipc::Request) -> gardm_ipc::Response {
++    use gardm_ipc::{Request, Response};
++
++    match request {
++        Request::CreateSession { username } => {
++            tracing::info!("Creating session for user: {}", username);
++            // TODO: Implement PAM session creation
++            Response::AuthPrompt {
++                prompt: "Password:".to_string(),
++                echo: false,
++            }
++        }
++
++        Request::Authenticate { response: _ } => {
++            // TODO: Implement PAM authentication
++            Response::Error {
++                message: "PAM not yet implemented".to_string(),
++            }
++        }
++
++        Request::StartSession { cmd, env } => {
++            tracing::info!("Start session request: {:?} env={:?}", cmd, env);
++            // TODO: Implement session start
++            Response::Error {
++                message: "Session start not yet implemented".to_string(),
++            }
++        }
++
++        Request::CancelSession => {
++            tracing::info!("Session cancelled");
++            Response::Success
++        }
++
++        Request::Shutdown => {
++            tracing::info!("Shutdown requested");
++            // TODO: Implement via logind
++            Response::Error {
++                message: "Shutdown not yet implemented".to_string(),
++            }
++        }
++
++        Request::Reboot => {
++            tracing::info!("Reboot requested");
++            // TODO: Implement via logind
++            Response::Error {
++                message: "Reboot not yet implemented".to_string(),
++            }
++        }
++
++        Request::Suspend => {
++            tracing::info!("Suspend requested");
++            // TODO: Implement via logind
++            Response::Error {
++                message: "Suspend not yet implemented".to_string(),
++            }
++        }
++
++        Request::ListSessions => {
++            tracing::debug!("Listing sessions");
++            // TODO: Enumerate /usr/share/xsessions and /usr/share/wayland-sessions
++            Response::Sessions { sessions: vec![] }
++        }
++
++        Request::ListUsers => {
++            tracing::debug!("Listing users");
++            // TODO: Enumerate users from /etc/passwd
++            Response::Users { users: vec![] }
++        }
++    }
++}