0.3.2 — Type=notify, watchdog, and SECURITY.md

@anhtuank7c anhtuank7c released this 03 May 13:46

Best-practices polish release. Three small, independent changes that bring the project closer to a "modern systemd-native daemon" baseline: a documented vulnerability-disclosure channel, Type=notify + WatchdogSec= integration, and a CI gate that prevents the unit's hardening score from regressing in future PRs. No source-code behavior change beyond the systemd integration; the existing CMocka suite passes unchanged and systemd-analyze security still scores 2.2.

CI

  • systemd-analyze security regression gate. The test-deb job now runs systemd-analyze security --threshold=30 pamsignal.service after install. The current internal score is 22 (displayed as 2.2 — "OK", the second-best band). systemd-analyze's --threshold operates on a 0–100 internal scale; the displayed "Overall exposure level" line shows the same value divided by 10. Threshold 30 leaves 8 points of headroom (0.8 in displayed-decimal units) for routine adjustments but fails the workflow if a future PR strips a major hardening directive (MemoryDenyWriteExecute=, SystemCallFilter=, CapabilityBoundingSet=, RestrictNamespaces=, etc., each worth 5+ score points internally). This catches the class of regression where an unrelated change accidentally weakens the daemon's sandbox.

Operations

  • Type=notify + WatchdogSec=30s in pamsignal.service. The daemon now signals readiness via sd_notify(READY=1) after ps_journal_watch_init() succeeds (and not before), so systemd holds the unit in activating until pamsignal can actually process events — Wants=/After= chains resolve correctly and systemctl status doesn't briefly lie about state during the startup window. The main loop also pings sd_notify(WATCHDOG=1) every iteration; if sd_journal_wait ever wedges (kernel bug, journal corruption) systemd auto-restarts pamsignal at the 30 s threshold instead of letting the daemon silently stop processing auth events. NotifyAccess=main confines notification socket access to the parent process so the fork+exec curl children can't spoof readiness/watchdog messages. No-op when NOTIFY_SOCKET is unset (manual launch, tests).
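The readiness and watchdog handshake described above, as an added example that is not pamsignal's own code: instead of linking libsystemd, it implements the sd_notify(3) wire protocol directly (an AF_UNIX datagram containing the state string, sent to the path in NOTIFY_SOCKET), parses WATCHDOG_USEC/WATCHDOG_PID the way sd_watchdog_enabled(3) does, and includes a stand-in for systemd's side of the socket so the exchange can be checked without systemd. The names notify_systemd, watchdog_timeout_usec, roundtrip and the socket path under /tmp are this example's own assumptions; the init-success placeholder stands where ps_journal_watch_init() sits in the real daemon.

```c
/* Added example (not pamsignal's code): sd_notify(3) protocol without libsystemd. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one state string ("READY=1", "WATCHDOG=1", ...) to NOTIFY_SOCKET.
 * Returns 0 when no socket is configured (silent no-op, e.g. manual launch or
 * tests), 1 on success, -1 on error. '@'-prefixed abstract sockets are
 * handled as sd_notify(3) does. */
static int notify_systemd(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;
    if (path[0] != '/' && path[0] != '@')
        return -1;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t len = strlen(path);
    if (len >= sizeof addr.sun_path)
        return -1;
    memcpy(addr.sun_path, path, len);
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';               /* abstract namespace: leading NUL */
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);

    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    ssize_t n = sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                       (struct sockaddr *)&addr, addrlen);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 1;
}

/* Watchdog timeout in microseconds, or 0 if not armed for this process.
 * WATCHDOG_PID, when set, must match our pid (guards against an inherited
 * value after fork+exec). systemd's guidance is to ping every timeout/2. */
static unsigned long long watchdog_timeout_usec(void)
{
    const char *usec = getenv("WATCHDOG_USEC");
    const char *pid = getenv("WATCHDOG_PID");
    if (usec == NULL || usec[0] == '\0')
        return 0;
    if (pid != NULL && pid[0] != '\0' && (pid_t)strtol(pid, NULL, 10) != getpid())
        return 0;
    char *end;
    unsigned long long v = strtoull(usec, &end, 10);
    return *end == '\0' ? v : 0;
}

/* Stand-in for systemd's side: bind a datagram socket at `path`, point
 * NOTIFY_SOCKET at it, send `state`, and return 1 iff exactly that message
 * arrives. Constructed for this example only. */
static int roundtrip(const char *path, const char *state)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0)
        return 0;
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0) { close(srv); return 0; }
    setenv("NOTIFY_SOCKET", path, 1);
    int rc = notify_systemd(state);
    char buf[128] = {0};
    ssize_t n = rc == 1 ? recv(srv, buf, sizeof buf - 1, MSG_DONTWAIT) : -1;
    close(srv);
    unlink(path);
    unsetenv("NOTIFY_SOCKET");
    return n > 0 && (size_t)n == strlen(state) && memcmp(buf, state, (size_t)n) == 0;
}

int main(void)
{
    int init_ok = 1;                           /* placeholder for ps_journal_watch_init() */
    if (!init_ok)
        return 1;                              /* never claim readiness on failed init */
    int rc = notify_systemd("READY=1");
    printf("READY=1 -> %s\n", rc == 0 ? "no NOTIFY_SOCKET, skipped" : rc == 1 ? "sent" : "failed");
    unsigned long long wd = watchdog_timeout_usec();
    if (wd)
        printf("watchdog armed: send WATCHDOG=1 at least every %llu us\n", wd / 2);
    /* The real main loop calls notify_systemd("WATCHDOG=1") once per iteration. */
    return 0;
}
```

Run it by hand and it reports the no-op path; under a Type=notify unit with WatchdogSec=30s it sends READY=1 once and prints a 15000000 us ping interval. Ordering is the security-relevant part: READY=1 goes out only after initialisation succeeds, so a failed journal watch never leaves the unit marked active while no auth events are being processed.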

Documentation

  • SECURITY.md at the repo root documents the responsible-disclosure channel (GitHub Security Advisories preferred, email fallback with the same PGP key fingerprint that signs the release packages), 90-day coordinated-disclosure timeline, supported version policy (latest minor only), and a scope table separating in-scope findings (parser bypasses, brute-force tracker bugs, alert-payload injection, hardening regressions) from out-of-scope dependencies (curl, libsystemd, alert delivery channels, root-already-on-host scenarios).