refactor: Remove faillock support and related properties from settings

- Re-add loginConfigWatcher so installs can still fall through to
  /etc/pam.d instead of the bundled PAM assets
- Add login-faillock bundled PAM asset at runtime. Use it as the bundled fallback when dankshell config is absent
- Fix invalid bare property writes (u2fPending, u2fState, unlockInProgress,
  state) in Pam.qml
- Improve lockscreen auth feedback

quickshell/Common/settings/Processes.qml

@@ -70,14 +70,12 @@ Singleton {
             fingerprintProbeState = forcedFprintAvailable ? "ready" : "probe_failed";
         }
 
-        if (forcedFprintAvailable === null || forcedU2fAvailable === null) {
-            pamFprintSupportDetected = false;
-            pamU2fSupportDetected = false;
-            pamSupportProbeOutput = "";
-            pamSupportProbeStreamFinished = false;
-            pamSupportProbeExited = false;
-            pamSupportDetectionProcess.running = true;
-        }
+        pamFprintSupportDetected = false;
+        pamU2fSupportDetected = false;
+        pamSupportProbeOutput = "";
+        pamSupportProbeStreamFinished = false;
+        pamSupportProbeExited = false;
+        pamSupportDetectionProcess.running = true;
 
         recomputeAuthCapabilities();
     }

quickshell/Modules/Lock/LockScreenContent.qml

@@ -39,6 +39,38 @@ Item {
         lockerReadyArmed = true;
         unlocking = false;
         pamState = "";
+        if (pam)
+            pam.lockMessage = "";
+    }
+
+    function currentAuthFeedbackText() {
+        if (!pam)
+            return "";
+        if (pam.u2fState === "insert" && !pam.u2fPending)
+            return I18n.tr("Insert your security key...");
+        if (pam.u2fState === "waiting" && !pam.u2fPending)
+            return I18n.tr("Touch your security key...");
+        if (pam.lockMessage && pam.lockMessage.length > 0)
+            return pam.lockMessage;
+        if (pam.fprintState === "error") {
+            const detail = (pam.fprint.message || "").trim();
+            return detail.length > 0 ? I18n.tr("Fingerprint error: %1").arg(detail) : I18n.tr("Fingerprint error");
+        }
+        if (pam.fprintState === "max")
+            return I18n.tr("Maximum fingerprint attempts reached. Please use password.");
+        if (pam.fprintState === "fail")
+            return I18n.tr("Fingerprint not recognized (%1/%2). Please try again or use password.").arg(pam.fprint.tries).arg(SettingsData.maxFprintTries);
+        if (root.pamState === "error")
+            return I18n.tr("Authentication error - try again");
+        if (root.pamState === "max")
+            return I18n.tr("Too many attempts - locked out");
+        if (root.pamState === "fail")
+            return I18n.tr("Incorrect password - try again");
+        return "";
+    }
+
+    function authFeedbackIsHint() {
+        return pam && (pam.u2fState === "waiting" || pam.u2fState === "insert") && !pam.u2fPending;
     }
 
     Component.onCompleted: {
@@ -1045,30 +1077,18 @@ Item {
             }
 
             StyledText {
+                id: authFeedbackText
+
                 Layout.fillWidth: true
-                Layout.preferredHeight: 20
-                text: {
-                    if (pam.u2fState === "insert" && !pam.u2fPending) {
-                        return "Insert your security key...";
-                    }
-                    if (pam.u2fState === "waiting" && !pam.u2fPending) {
-                        return "Touch your security key...";
-                    }
-                    if (root.pamState === "error") {
-                        return "Authentication error - try again";
-                    }
-                    if (root.pamState === "max") {
-                        return "Too many attempts - locked out";
-                    }
-                    if (root.pamState === "fail") {
-                        return "Incorrect password - try again";
-                    }
-                    return "";
-                }
-                color: (pam.u2fState === "waiting" || pam.u2fState === "insert") ? Theme.outline : Theme.error
+                Layout.preferredHeight: text.length > 0 ? Math.min(implicitHeight, Math.ceil(Theme.fontSizeSmall * 4.5)) : 0
+                text: root.currentAuthFeedbackText()
+                color: root.authFeedbackIsHint() ? Theme.outline : Theme.error
                 font.pixelSize: Theme.fontSizeSmall
                 horizontalAlignment: Text.AlignHCenter
-                opacity: (root.pamState !== "" || ((pam.u2fState === "waiting" || pam.u2fState === "insert") && !pam.u2fPending)) ? 1 : 0
+                wrapMode: Text.WordWrap
+                maximumLineCount: 3
+                elide: Text.ElideRight
+                opacity: text.length > 0 ? 1 : 0
 
                 Behavior on opacity {
                     NumberAnimation {

quickshell/Modules/Lock/Pam.qml

@@ -34,14 +34,14 @@ Scope {
         u2fPendingTimeout.running = false;
         passwdActiveTimeout.running = false;
         unlockRequestTimeout.running = false;
-        u2fPending = false;
-        u2fState = "";
-        unlockInProgress = false;
+        root.u2fPending = false;
+        root.u2fState = "";
+        root.unlockInProgress = false;
     }
 
     function recoverFromAuthStall(newState: string): void {
         resetAuthFlows();
-        state = newState;
+        root.state = newState;
         flashMsg();
         stateReset.restart();
         fprint.checkAvail();
@@ -49,16 +49,16 @@ Scope {
     }
 
     function completeUnlock(): void {
-        if (!unlockInProgress) {
-            unlockInProgress = true;
+        if (!root.unlockInProgress) {
+            root.unlockInProgress = true;
             passwd.abort();
             fprint.abort();
             u2f.abort();
             errorRetry.running = false;
             u2fErrorRetry.running = false;
             u2fPendingTimeout.running = false;
-            u2fPending = false;
-            u2fState = "";
+            root.u2fPending = false;
+            root.u2fState = "";
             unlockRequestTimeout.restart();
             unlockRequested();
         }
@@ -73,13 +73,13 @@ Scope {
     }
 
     function cancelU2fPending(): void {
-        if (!u2fPending)
+        if (!root.u2fPending)
             return;
         u2f.abort();
         u2fErrorRetry.running = false;
         u2fPendingTimeout.running = false;
-        u2fPending = false;
-        u2fState = "";
+        root.u2fPending = false;
+        root.u2fState = "";
         fprint.checkAvail();
     }
 
@@ -90,6 +90,13 @@ Scope {
         printErrors: false
     }
 
+    FileView {
+        id: loginConfigWatcher
+
+        path: "/etc/pam.d/login"
+        printErrors: false
+    }
+
     FileView {
         id: u2fConfigWatcher
 
@@ -101,13 +108,16 @@ Scope {
         id: passwd
 
         config: dankshellConfigWatcher.loaded ? "dankshell" : "login"
-        configDirectory: dankshellConfigWatcher.loaded ? "/etc/pam.d" : Quickshell.shellDir + "/assets/pam"
+        configDirectory: (dankshellConfigWatcher.loaded || loginConfigWatcher.loaded) ? "/etc/pam.d" : Quickshell.shellDir + "/assets/pam"
 
         onMessageChanged: {
-            if (message.startsWith("The account is locked"))
+            if (message.startsWith("The account is locked")) {
                 root.lockMessage = message;
-            else if (root.lockMessage && message.endsWith(" left to unlock)"))
+            } else if (root.lockMessage && message.endsWith(" left to unlock)")) {
                 root.lockMessage += "\n" + message;
+            } else if (root.lockMessage && message && message.length > 0) {
+                root.lockMessage = "";
+            }
         }
 
         onResponseRequiredChanged: {