Remove planning docs, phase summaries, old installers, and redundant
documentation. These were development-phase artifacts that don't belong
in the shipped project. install.sh replaces setup.sh and
install-system.sh. API docs can be generated with cargo doc.
Removed:
- .planning/ (37 files of threat modeling and review docs)
- CODING_STANDARDS.md, TESTING.md, CHANGELOG.md
- docs/API.md, docs/BENCHMARKS.md
- scripts/setup.sh, scripts/install-system.sh
- tests/PHASE*_TEST_SUMMARY.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Support GDM, SDDM, and LightDM for PAM integration. Detect which
display manager is running and configure the correct PAM file. Show
manual instructions if no supported DM is found.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Check known install paths (/usr/local/lib/linux-hello/, ~/.local/lib/)
for libonnxruntime.so at startup so users don't need to set
ORT_DYLIB_PATH manually. Applies to both CLI and daemon.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add install.sh that handles the full setup: dependencies, build, ONNX
models, ONNX runtime, IR emitter configuration, system installation,
face enrollment, and PAM lock screen integration. Includes --uninstall.
Simplify README to just: clone, ./install.sh, done.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace plain TemplateStore with SecureTemplateStore in the auth
service. Templates are now encrypted with AES-256-GCM via TPM2 when
available, falling back to software encryption with PBKDF2 key
derivation (600k iterations) otherwise.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace developer-heavy README with a clean install guide. Focus on
quick install steps, tested hardware, and the one PAM line needed for
lock screen integration. Remove phase-by-phase feature lists and
redundant architecture/development sections.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Wire up ONNX RetinaFace detector and MobileFaceNet embeddings in the CLI
and auth pipeline. Add IR camera detection for Windows Hello-style
"Integrated I" cameras and greyscale-only format heuristic. Add histogram
normalization for underexposed IR frames from low-power emitters.
- Add `onnx` feature flag to CLI crate forwarding to daemon
- Wire ONNX detector into `detect` command with fallback to simple detector
- Fix IR camera detection for Chicony "Integrated I" naming pattern
- Add `normalize_if_dark()` for underexposed IR frames in auth pipeline
- Load user config from ~/.config/linux-hello/ as fallback
- Update systemd service for IR emitter integration and camera access
- Add system installation script and ONNX runtime installer
- Update .gitignore for local dev artifacts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
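Added illustration of the `normalize_if_dark()` idea from the commit above; this is example code, not linux-hello's own implementation. It assumes an 8-bit greyscale frame as a byte slice, a constructed "dark" threshold of mean brightness 40, and a linear min/max histogram stretch, with a flat frame left untouched to avoid a divide by zero.

```rust
/// Constructed cutoff for "underexposed", not a value from the project.
pub const DARK_MEAN_THRESHOLD: f64 = 40.0;

/// Mean pixel value of an 8-bit greyscale frame (0.0 for an empty frame).
pub fn mean_brightness(frame: &[u8]) -> f64 {
    if frame.is_empty() {
        return 0.0;
    }
    frame.iter().map(|&p| p as u64).sum::<u64>() as f64 / frame.len() as f64
}

/// Linear histogram stretch mapping [min, max] onto [0, 255] with rounding.
/// A flat frame (min == max) is returned unchanged: nothing to stretch.
pub fn stretch_histogram(frame: &[u8]) -> Vec<u8> {
    let (min, max) = frame
        .iter()
        .fold((255u8, 0u8), |(lo, hi), &p| (lo.min(p), hi.max(p)));
    if max <= min {
        return frame.to_vec();
    }
    let range = (max - min) as u32;
    frame
        .iter()
        .map(|&p| (((p - min) as u32 * 255 + range / 2) / range) as u8)
        .collect()
}

/// Stretch only when the frame is dark; a well-lit capture keeps its
/// original contrast so the detector sees what the camera produced.
pub fn normalize_if_dark(frame: &[u8]) -> Vec<u8> {
    if mean_brightness(frame) < DARK_MEAN_THRESHOLD {
        stretch_histogram(frame)
    } else {
        frame.to_vec()
    }
}

fn main() {
    // Constructed 4x2 frame from a weak IR emitter: every pixel below 40.
    let dark = [5u8, 10, 20, 35, 8, 12, 25, 30];
    let out = normalize_if_dark(&dark);
    println!("mean {:.1} -> {:?}", mean_brightness(&dark), out);
}
```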
- Reviewed all tracing/log statements in daemon modules
- No credentials, templates, embeddings, or biometric data logged
- Username logging for audit purposes only (acceptable)
- Similarity scores only at debug level (not production)
- Risk: LOW - logging follows security best practices
- Reviewed error messages in auth, camera, storage, TPM modules
- Authentication errors are generic (doesn't reveal if user exists)
- No template/embedding/key material in error messages
- Error.rs has explicit security note about information disclosure
- Risk: LOW - no actionable issues
- Reviewed all FFI boundaries: SO_PEERCRED, getpwnam, mlock/munlock
- TPM2 uses safe tss-esapi bindings (no direct FFI)
- Camera uses safe v4l crate for V4L2
- All return values checked, null pointers handled
- No memory safety issues found
- Documented 11 unsafe blocks across ipc.rs, secure_memory.rs, camera/linux.rs
- Each block includes file path, line numbers, purpose, safety justification, risk level
- 9 LOW risk, 1 LOW-MEDIUM, 1 MEDIUM (camera transmute)
- No HIGH risk blocks found
- Created SUMMARY.md documenting all 4 security tool runs
- Updated STATE.md to reflect phase 2 progress
- Fixed clippy warnings in 7 files
Key findings:
- 1 HIGH vulnerability (bytes crate)
- Need deny.toml for license policy
- Miri limited by system call support
- tool-audit-results.md: cargo-audit findings (1 high vulnerability in bytes)
- deny-check-results.md: cargo-deny findings (license policy needed)
- clippy-results.md: clippy findings (style warnings, no security issues)
- miri-results.md: Miri findings (limited by system call support)
These are the output artifacts from running security tooling.
- Created comprehensive security control mapping document
- Documented IPC, cryptographic, memory, authorization, and PAD controls
- Each control includes implementation location and effectiveness rating
- Included gap analysis identifying missing mitigations
- Links STRIDE threats to corresponding security controls
- Created comprehensive threat analysis for all DFD components
- Covered all 6 STRIDE categories: Spoofing, Tampering, Repudiation,
Information Disclosure, Denial of Service, Elevation of Privilege
- Included risk ratings (likelihood x impact) for each threat
- Priority matrix ranking top 10 threats by risk rating
- References attack-surface.md and dfd.md
- Add README.md with project overview, features, installation, and usage
- Document current Phase 3 completion status
- Include architecture diagrams and security information
- Add roadmap for Phase 4-5
- Update status.md to reflect current codebase state