fix(pam): correct success=end → success=done across all 9 sites

[ccross2]

Summary

pam.conf(5) documents exactly ignore | bad | die | ok | done | reset | N as the legal value-keywords inside the [control=value …] syntax. end is not in that list. libpam logs a warning and silently treats the unknown keyword as ignore, which means PAM_SUCCESS from pam_visage.so was being dropped and the stack fell through to whatever came next (typically pam_unix.so → password prompt). Effectively: face auth has been working as if Visage weren't installed, since v0.1.0.

This sweeps the 11 occurrences in 9 files:

File	Count	Surface
README.md	1	Arch install instructions
docs/operations-guide.md	2	Setup + verification
docs/architecture.md	1	PAM stack integration narrative
docs/research/architecture-review-and-roadmap.md	2	Roadmap context
docs/research/domain-audit.md	1	Implementation plan
docs/research/howdy-analysis-and-visage-design.md	1	Design comparison
packaging/debian/pam-auth-update	1	Ubuntu profile (live config)
packaging/nix/module.nix	2	NixOS module (sudo + login rules)

The Ubuntu profile and the NixOS module are the load-bearing live configs — fixing those is the actual user-impact change. The docs sweep is so users following our setup instructions today don't reintroduce the bug.

Origin

Caught by @SelfRef in #27 — the README diff there flagged it as the right fix for the Arch manual-edit case. The bug is broader than the README, so I'm landing the fleet sweep separately and leaving #27 for the other improvements (resume-unit enable, visage verify step). Attribution preserved via Reported-by: in the commit.

Existing-user impact

This is a behavior change for anyone whose PAM stack still references success=end:

• Arch users who hand-edited /etc/pam.d/system-auth per the prior README — they need to swap the keyword in their config. The CHANGELOG entry calls this out.
• Debian/Ubuntu .deb users from a release before this lands — their /etc/pam.d/common-auth (generated by pam-auth-update --package) contains the broken keyword and won't fix itself until the new .deb is installed AND they re-run pam-auth-update (the postinst already does this).
• NixOS users on the affected module versions — fixed automatically on next nixos-rebuild switch.

For all of them: face auth was silently a no-op. After this fix, face match actually terminates the auth stack with success, as intended.

Test plan

• CI: cargo fmt --all -- --check clean
• CI: cargo clippy --workspace -- -D warnings clean
• CI: cargo test --workspace green (this PR doesn't touch Rust code, but workspace test is the contract)
• CI: build-deb produces a .deb cleanly with the corrected pam-auth-update profile
• Manual smoke (Arch):
  • Edit /etc/pam.d/system-auth to use success=done
  • sudo visage enroll && sudo true — should authenticate via face without password prompt
• Manual smoke (Ubuntu via .deb):
  • Install the freshly built .deb; postinst runs pam-auth-update --package
  • grep pam_visage /etc/pam.d/common-auth shows success=done
  • sudo true authenticates via face

CHANGELOG

Entry added under [Unreleased] > Fixed with the existing-user upgrade note.

Related

• docs: update Arch Linux installation instructions in README #27 — original report (still open; will land its remaining improvements once amended)
• visaged: blocks for 90s on systemctl restart after hibernate due to stale camera fd #26 / fix(visaged): handle SIGTERM (closes #26) #30 — sibling shipped-bug fix (SIGTERM handler); both land in v0.3.2

🤖 Generated with Claude Code