greeter(auth): Enhance fingerprint/U2F auth support w/Quickshell PAM

- Split auth capability state by lock screen and greeter
- Share detection between settings UI and lock runtime
- Broaden greeter PAM include detection across supported distros

quickshell/Modules/Settings/GreeterTab.qml

@@ -14,8 +14,63 @@ import qs.Modules.Settings.Widgets
 Item {
     id: root
 
-    readonly property bool greeterFprintToggleAvailable: SettingsData.fprintdAvailable || SettingsData.greeterEnableFprint
-    readonly property bool greeterU2fToggleAvailable: SettingsData.u2fAvailable || SettingsData.greeterEnableU2f
+    readonly property bool greeterFprintToggleAvailable: SettingsData.greeterFingerprintCanEnable || SettingsData.greeterEnableFprint
+    readonly property bool greeterU2fToggleAvailable: SettingsData.greeterU2fCanEnable || SettingsData.greeterEnableU2f
+
+    function greeterFingerprintDescription() {
+        const source = SettingsData.greeterFingerprintSource;
+        const reason = SettingsData.greeterFingerprintReason;
+
+        if (source === "pam") {
+            switch (reason) {
+            case "configured_externally":
+                return SettingsData.greeterEnableFprint ? I18n.tr("Enabled. PAM already provides fingerprint auth.") : I18n.tr("PAM already provides fingerprint auth. Enable this to show it at login.");
+            case "missing_enrollment":
+                return SettingsData.greeterEnableFprint ? I18n.tr("Enabled. PAM provides fingerprint auth, but no prints are enrolled yet.") : I18n.tr("PAM provides fingerprint auth, but no prints are enrolled yet.");
+            case "missing_reader":
+                return I18n.tr("PAM provides fingerprint auth, but no reader was detected.");
+            default:
+                return I18n.tr("PAM provides fingerprint auth, but availability could not be confirmed.");
+            }
+        }
+
+        switch (reason) {
+        case "ready":
+            return SettingsData.greeterEnableFprint ? I18n.tr("Run Sync to apply. Fingerprint-only login may not unlock GNOME Keyring.") : I18n.tr("Only affects DMS-managed PAM. If greetd already includes pam_fprintd, fingerprint stays enabled.");
+        case "missing_enrollment":
+            if (SettingsData.greeterEnableFprint)
+                return I18n.tr("Enabled, but no prints are enrolled yet. Enroll fingerprints and run Sync.");
+            return I18n.tr("Fingerprint reader detected, but no prints are enrolled yet. You can enable this now and run Sync later.");
+        case "missing_reader":
+            return SettingsData.greeterEnableFprint ? I18n.tr("Enabled, but no fingerprint reader was detected.") : I18n.tr("No fingerprint reader detected.");
+        case "missing_pam_support":
+            return I18n.tr("Not available — install fprintd and pam_fprintd, or configure greetd PAM.");
+        default:
+            return SettingsData.greeterEnableFprint ? I18n.tr("Enabled, but fingerprint availability could not be confirmed.") : I18n.tr("Fingerprint availability could not be confirmed.");
+        }
+    }
+
+    function greeterU2fDescription() {
+        const source = SettingsData.greeterU2fSource;
+        const reason = SettingsData.greeterU2fReason;
+
+        if (source === "pam") {
+            return SettingsData.greeterEnableU2f ? I18n.tr("Enabled. PAM already provides security-key auth.") : I18n.tr("PAM already provides security-key auth. Enable this to show it at login.");
+        }
+
+        switch (reason) {
+        case "ready":
+            return SettingsData.greeterEnableU2f ? I18n.tr("Run Sync to apply.") : I18n.tr("Available.");
+        case "missing_key_registration":
+            if (SettingsData.greeterEnableU2f)
+                return I18n.tr("Enabled, but no registered security key was found yet. Register a key and run Sync.");
+            return I18n.tr("Security-key support was detected, but no registered key was found yet. You can enable this now and register one later.");
+        case "missing_pam_support":
+            return I18n.tr("Not available — install or configure pam_u2f, or configure greetd PAM.");
+        default:
+            return SettingsData.greeterEnableU2f ? I18n.tr("Enabled, but security-key availability could not be confirmed.") : I18n.tr("Security-key availability could not be confirmed.");
+        }
+    }
 
     function refreshAuthDetection() {
         SettingsData.refreshAuthAvailability();
@@ -481,15 +536,8 @@ Item {
                     settingKey: "greeterEnableFprint"
                     tags: ["greeter", "fingerprint", "fprintd", "login", "auth"]
                     text: I18n.tr("Enable fingerprint at login")
-                    description: {
-                        if (!SettingsData.fprintdAvailable) {
-                            if (SettingsData.greeterEnableFprint)
-                                return I18n.tr("Enabled in settings, but fingerprint availability could not yet be confirmed. Re-open after enrolling fingerprints or reconnecting the reader.");
-                            return I18n.tr("Not available — install fprintd and enroll fingerprints.");
-                        }
-                        return SettingsData.greeterEnableFprint ? I18n.tr("Run Sync to apply. Fingerprint-only login may not unlock GNOME Keyring.") : I18n.tr("Only off for DMS-managed PAM lines. If greetd includes system-auth/common-auth/password-auth with pam_fprintd, fingerprint still stays enabled.");
-                    }
-                    descriptionColor: SettingsData.fprintdAvailable ? Theme.surfaceVariantText : Theme.warning
+                    description: root.greeterFingerprintDescription()
+                    descriptionColor: (SettingsData.greeterFingerprintReason === "ready" || SettingsData.greeterFingerprintReason === "configured_externally") ? Theme.surfaceVariantText : Theme.warning
                     checked: SettingsData.greeterEnableFprint
                     enabled: root.greeterFprintToggleAvailable
                     onToggled: checked => SettingsData.set("greeterEnableFprint", checked)
@@ -499,15 +547,8 @@ Item {
                     settingKey: "greeterEnableU2f"
                     tags: ["greeter", "u2f", "security", "key", "login", "auth"]
                     text: I18n.tr("Enable security key at login")
-                    description: {
-                        if (!SettingsData.u2fAvailable) {
-                            if (SettingsData.greeterEnableU2f)
-                                return I18n.tr("Enabled in settings, but security key availability could not yet be confirmed. Re-open after enrolling keys or updating pam_u2f.");
-                            return I18n.tr("Not available — install pam_u2f and enroll keys.");
-                        }
-                        return SettingsData.greeterEnableU2f ? I18n.tr("Run Sync to apply.") : I18n.tr("Disabled.");
-                    }
-                    descriptionColor: SettingsData.u2fAvailable ? Theme.surfaceVariantText : Theme.warning
+                    description: root.greeterU2fDescription()
+                    descriptionColor: (SettingsData.greeterU2fReason === "ready" || SettingsData.greeterU2fReason === "configured_externally") ? Theme.surfaceVariantText : Theme.warning
                     checked: SettingsData.greeterEnableU2f
                     enabled: root.greeterU2fToggleAvailable
                     onToggled: checked => SettingsData.set("greeterEnableU2f", checked)

quickshell/Modules/Settings/LockScreenTab.qml

@@ -8,8 +8,40 @@ import qs.Modules.Settings.Widgets
 Item {
     id: root
 
-    readonly property bool lockFprintToggleAvailable: SettingsData.fprintdAvailable || SettingsData.enableFprint
-    readonly property bool lockU2fToggleAvailable: SettingsData.u2fAvailable || SettingsData.enableU2f
+    readonly property bool lockFprintToggleAvailable: SettingsData.lockFingerprintCanEnable || SettingsData.enableFprint
+    readonly property bool lockU2fToggleAvailable: SettingsData.lockU2fCanEnable || SettingsData.enableU2f
+
+    function lockFingerprintDescription() {
+        switch (SettingsData.lockFingerprintReason) {
+        case "ready":
+            return I18n.tr("Use fingerprint authentication for the lock screen.");
+        case "missing_enrollment":
+            if (SettingsData.enableFprint)
+                return I18n.tr("Enabled, but no prints are enrolled yet. Enroll fingerprints to use it.");
+            return I18n.tr("Fingerprint reader detected, but no prints are enrolled yet. You can enable this now and enroll later.");
+        case "missing_reader":
+            return SettingsData.enableFprint ? I18n.tr("Enabled, but no fingerprint reader was detected.") : I18n.tr("No fingerprint reader detected.");
+        case "missing_pam_support":
+            return I18n.tr("Not available — install fprintd and pam_fprintd.");
+        default:
+            return SettingsData.enableFprint ? I18n.tr("Enabled, but fingerprint availability could not be confirmed.") : I18n.tr("Fingerprint availability could not be confirmed.");
+        }
+    }
+
+    function lockU2fDescription() {
+        switch (SettingsData.lockU2fReason) {
+        case "ready":
+            return I18n.tr("Use a security key for lock screen authentication.", "lock screen U2F security key setting");
+        case "missing_key_registration":
+            if (SettingsData.enableU2f)
+                return I18n.tr("Enabled, but no registered security key was found yet. Register a key or update your U2F config.");
+            return I18n.tr("Security-key support was detected, but no registered key was found yet. You can enable this now and register one later.");
+        case "missing_pam_support":
+            return I18n.tr("Not available — install or configure pam_u2f.");
+        default:
+            return SettingsData.enableU2f ? I18n.tr("Enabled, but security-key availability could not be confirmed.") : I18n.tr("Security-key availability could not be confirmed.");
+        }
+    }
 
     function refreshAuthDetection() {
         SettingsData.refreshAuthAvailability();
@@ -184,14 +216,8 @@ Item {
                     settingKey: "enableFprint"
                     tags: ["lock", "screen", "fingerprint", "authentication", "biometric", "fprint"]
                     text: I18n.tr("Enable fingerprint authentication")
-                    description: {
-                        if (SettingsData.fprintdAvailable)
-                            return I18n.tr("Use fingerprint reader for lock screen authentication (requires enrolled fingerprints)");
-                        if (SettingsData.enableFprint)
-                            return I18n.tr("Enabled in settings, but fingerprint availability could not yet be confirmed. Re-open after enrolling fingerprints or reconnecting the reader.");
-                        return I18n.tr("Not available — install fprintd and enroll fingerprints.");
-                    }
-                    descriptionColor: SettingsData.fprintdAvailable ? Theme.surfaceVariantText : Theme.warning
+                    description: root.lockFingerprintDescription()
+                    descriptionColor: SettingsData.lockFingerprintReason === "ready" ? Theme.surfaceVariantText : Theme.warning
                     checked: SettingsData.enableFprint
                     enabled: root.lockFprintToggleAvailable
                     onToggled: checked => SettingsData.set("enableFprint", checked)
@@ -201,14 +227,8 @@ Item {
                     settingKey: "enableU2f"
                     tags: ["lock", "screen", "u2f", "yubikey", "security", "key", "fido", "authentication", "hardware"]
                     text: I18n.tr("Enable security key authentication", "Enable FIDO2/U2F hardware security key for lock screen")
-                    description: {
-                        if (SettingsData.u2fAvailable)
-                            return I18n.tr("Use a FIDO2/U2F security key (e.g. YubiKey) for lock screen authentication (requires enrolled keys)", "lock screen U2F security key setting");
-                        if (SettingsData.enableU2f)
-                            return I18n.tr("Enabled in settings, but security key availability could not yet be confirmed. Re-open after enrolling keys or updating pam_u2f.");
-                        return I18n.tr("Not available — install pam_u2f and enroll keys.");
-                    }
-                    descriptionColor: SettingsData.u2fAvailable ? Theme.surfaceVariantText : Theme.warning
+                    description: root.lockU2fDescription()
+                    descriptionColor: SettingsData.lockU2fReason === "ready" ? Theme.surfaceVariantText : Theme.warning
                     checked: SettingsData.enableU2f
                     enabled: root.lockU2fToggleAvailable
                     onToggled: checked => SettingsData.set("enableU2f", checked)