shanefagan
diff --git a/‎AGENTS.md‎
Lines changed: 2 additions & 2 deletions b/‎AGENTS.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 17 additions & 2 deletions b/‎README.md‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎docs/todo.md‎
Lines changed: 4 additions & 1 deletion b/‎docs/todo.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎examples/README.md‎
Lines changed: 8 additions & 0 deletions b/‎examples/README.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/auth.rs‎
Lines changed: 21 additions & 0 deletions b/‎src/auth.rs‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎src/detectors/games/manager.rs‎
Lines changed: 13 additions & 3 deletions b/‎src/detectors/games/manager.rs‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎src/detectors/hardware/manager.rs‎
Lines changed: 46 additions & 104 deletions b/‎src/detectors/hardware/manager.rs‎
Lines changed: 46 additions & 104 deletions
@@ -12,8 +12,8 @@ If you are an AI assistant working on this repository or a project that consumes
 > [!NOTE]
 > There is an **experimental and optional** RGB control interface available (`com.performativenonsense.contextd.rgb`) which allows for active state changes on supported hardware when enabled.
 
-- **Unprivileged Access**: No root/sudo is required to query the core socket or RGB sockets. The RGB control socket is currently configured with open permissions (0666).
-- **Authoritative Control**: To persist an authorized RGB controller across boots, a superuser can create `/etc/contextd/rgb-authorized-app` containing the process name of the allowed controller.
+- **Unprivileged Access**: No root/sudo is required to query the core socket or RGB sockets.
+- **Authoritative Control**: To authorize an application (e.g., an RGB controller), a superuser must add the application's systemd unit name (e.g., `openrgb.service`) to the `authorized_units` list in `/etc/contextd/config.toml`.
 - **Data Integrity**: Process IDs and hardware nodes are verified by the daemon before being reported.
 
 ### 2. Available Interfaces
 
@@ -105,13 +105,28 @@ To detach/uninstall:
 sudo portablectl detach contextd
 ```
 
+## Configuration
+
+`contextd` can be configured via a TOML file located at `/etc/contextd/config.toml`. A sample configuration is provided in `examples/config.sample.toml`.
+
+### Key Settings:
+- **TTLs**: Control how frequently the daemon polls for games, hardware, and diagnostics.
+- **Blacklisting**: Ignore specific processes or hardware devices.
+- **Security**: Authorize specific systemd units for restricted operations.
+
+## Security & Access Control
+
+The daemon implements a "dumb" but secure peer validation system:
+- **Unprivileged Public Sockets**: Basic context (active game, hardware list) is accessible via `/run/contextd/public/*.socket` to all users.
+- **Restricted Private Sockets**: Control operations (RGB lighting, controller registration) are restricted via `/run/contextd/private/*.socket`.
+- **Peer Validation**: Uses `SO_PEERCRED` to identify the systemd unit of the calling process.
+- **Granular Authorization**: Restricted methods are only allowed if the caller's systemd unit is listed in the `authorized_units` whitelist in `config.toml`.
+
 ## Development
 
 - **Repository**: [https://github.com/shanefagan/contextd](https://github.com/shanefagan/contextd)
-
 - **Author**: Shane Fagan
 
-
 ## License
 
 MIT
@@ -18,6 +18,9 @@
 
 
 ## Phase 7: Refinement & Security Hardening
-- [ ] **Systemd Peer Validation**: Use `SO_PEERCRED` to identify calling services and apply granular access control based on systemd units.
+- [x] **Systemd Peer Validation**: Uses `SO_PEERCRED` to identify calling services and apply granular access control based on systemd units.
 - [x] **Configuration Overrides**: Implemented `src/config.rs` with `/etc/contextd/config.toml` support for TTLs and blacklisting.
+- [x] **Directory Structure Cleanup**: Refactored logic into `server.rs`, `auth.rs`, and centralized detector management.
+- [ ] **Privacy Masking**: Implement logic to mask specific apps/devices from public Varlink calls via `config.toml`.
+- [ ] **Expanded Launcher Support**: Add Legendary (Epic) and Minigalaxy (GOG) manifests.
 - [ ] **Arch Linux PKGBUILD**: Finalize the AUR package for the 1.0 release.
@@ -38,4 +38,12 @@ Remember the daemon exposes three interfaces:
 2. **RGB Observer**: `/run/contextd/public/contextd-rgb-observer.socket`
 3. **RGB Control**: `/run/contextd/private/contextd-rgb-control.socket`
 
+## Security Note
+
+Methods like `RegisterController` and `SetLightingContext` are restricted. To run examples that use these methods (like `register_controller.py`), you must ensure:
+1. You are connecting to the **Private** socket path if applicable.
+2. The systemd unit running your script/app is listed in the `authorized_units` whitelist in `/etc/contextd/config.toml`.
+
+If you are running an example script manually in a terminal, it will likely be identified by its `session-X.scope`. You can add that scope to the whitelist for testing, or run the script as a transient service with `systemd-run`.
+
 > **Note:** The daemon must be running for these examples to work.
@@ -83,6 +83,27 @@ impl PeerInfo {
     }
 }
 
+/// Checks if the current calling peer is authorized based on a list of systemd units.
+/// Returns Ok(()) if authorized (or if the list is empty), otherwise returns Err(unit_name).
+pub fn verify_unit_access(authorized_units: &[String]) -> Result<(), String> {
+    if authorized_units.is_empty() {
+        return Ok(());
+    }
+
+    let peer = get_current_peer();
+    let unit = peer
+        .as_ref()
+        .and_then(|p| p.unit.as_ref())
+        .map(|s| s.as_str())
+        .unwrap_or("unknown");
+
+    if authorized_units.iter().any(|u| u == unit) {
+        Ok(())
+    } else {
+        Err(unit.to_string())
+    }
+}
+
 /// Sets the current peer info for the local thread.
 pub fn set_current_peer(info: Option<PeerInfo>) {
     CURRENT_PEER.with(|p| *p.borrow_mut() = info);
 
@@ -1,3 +1,6 @@
+use super::heroic::HeroicDetector;
+use super::lutris::LutrisDetector;
+use super::steam::SteamDetector;
 use super::{Game, GameDetector};
 use crate::config::CONFIG;
 use std::time::{Duration, Instant};
@@ -11,12 +14,17 @@ pub struct GameManager {
 impl GameManager {
     pub fn new() -> Self {
         Self {
-            detectors: Vec::new(),
+            detectors: vec![
+                Box::new(SteamDetector::new()),
+                Box::new(LutrisDetector::new()),
+                Box::new(HeroicDetector::new()),
+            ],
             installed_cache: None,
             active_cache: None,
         }
     }
 
+    #[allow(dead_code)]
     pub fn add_detector(&mut self, detector: Box<dyn GameDetector>) {
         self.detectors.push(detector);
         self.installed_cache = None; // Invalidate cache
@@ -59,6 +67,7 @@ impl GameManager {
         game
     }
 }
+
 impl Default for GameManager {
     fn default() -> Self {
         Self::new()
@@ -89,6 +98,9 @@ mod tests {
     #[test]
     fn test_game_manager_cache() {
         let mut mgr = GameManager::new();
+        // Clear default detectors for testing
+        mgr.detectors.clear();
+
         let game = Game {
             name: "Test Game".to_string(),
             id: Some("123".to_string()),
@@ -107,8 +119,6 @@ mod tests {
         assert_eq!(games[0].name, "Test Game");
 
         // Even if we add more games to the detector, cache should return old value
-        // Note: In this simple mock we can't easily change the detector's state since it's boxed
-        // but we can verify that the second call is immediate.
         let games2 = mgr.list_all_installed();
         assert_eq!(games2.len(), 1);
     }
 
@@ -1,38 +1,38 @@
+use super::udev::UdevDetector;
 use super::{Device, HardwareDetector};
 use crate::config::CONFIG;
 use std::time::{Duration, Instant};
 
 pub struct HardwareManager {
     detectors: Vec<Box<dyn HardwareDetector>>,
-    cache: Option<(Vec<Device>, Instant)>,
+    device_cache: Option<(Vec<Device>, Instant)>,
     rgb_cache: Option<(Vec<Device>, Instant)>,
 }
 
 impl HardwareManager {
     pub fn new() -> Self {
         Self {
-            detectors: Vec::new(),
-            cache: None,
+            detectors: vec![Box::new(UdevDetector::new())],
+            device_cache: None,
             rgb_cache: None,
         }
     }
 
+    #[allow(dead_code)]
     pub fn add_detector(&mut self, detector: Box<dyn HardwareDetector>) {
         self.detectors.push(detector);
-        self.cache = None;
-        self.rgb_cache = None;
+        self.invalidate_caches();
     }
 
     #[allow(dead_code)]
-    pub fn invalidate(&mut self) {
-        log::debug!("Hardware cache invalidated due to hotplug event");
-        self.cache = None;
+    pub fn invalidate_caches(&mut self) {
+        self.device_cache = None;
         self.rgb_cache = None;
     }
 
     pub fn list_all_devices(&mut self) -> Vec<Device> {
         let ttl = Duration::from_secs(CONFIG.ttls.hardware);
-        if let Some((cache, ts)) = &self.cache
+        if let Some((cache, ts)) = &self.device_cache
             && ts.elapsed() < ttl
         {
             return cache.clone();
@@ -43,10 +43,9 @@ impl HardwareManager {
             .iter()
             .flat_map(|d| d.list_devices())
             .filter(|d| !CONFIG.blacklist.devices.contains(&d.path))
-            .filter(|d| self.is_gaming_device(d))
             .collect();
 
-        self.cache = Some((devices.clone(), Instant::now()));
+        self.device_cache = Some((devices.clone(), Instant::now()));
         devices
     }
 
@@ -58,61 +57,15 @@ impl HardwareManager {
             return cache.clone();
         }
 
-        let devices: Vec<Device> = self
-            .detectors
-            .iter()
-            .flat_map(|d| d.list_devices())
-            .filter(|d| !CONFIG.blacklist.devices.contains(&d.path))
-            .filter(|d| self.is_rgb_device(d))
-            .collect();
+        // For now, we consider all detected devices as candidates for RGB control
+        // hints, though in the future we might filter for "hid" or "audio" classes.
+        let devices = self.list_all_devices();
 
         self.rgb_cache = Some((devices.clone(), Instant::now()));
         devices
     }
-
-    fn is_gaming_device(&self, dev: &Device) -> bool {
-        // Exclude security keys (Yubico)
-        if dev.vendor_id == "1050" {
-            return false;
-        }
-
-        // Exclude obvious lighting controllers from main list
-        let name = dev.name.to_lowercase();
-        if name.contains("lighting")
-            || name.contains("aura")
-            || name.contains("fan")
-            || name.contains("rgb")
-        {
-            return false;
-        }
-
-        // Must have uaccess for many gaming devices, or be a classic input
-        let is_classic = dev.classes.contains(&"mouse".to_string())
-            || dev.classes.contains(&"keyboard".to_string())
-            || dev.classes.contains(&"controller".to_string())
-            || dev.classes.contains(&"audio".to_string())
-            || dev.classes.contains(&"wheel".to_string())
-            || dev.classes.contains(&"flight_stick".to_string());
-
-        // Ensure audio devices actually have user-level permissions (filters out motherboard HDMI/PCI noise)
-        if dev.classes.contains(&"audio".to_string()) && !dev.has_uaccess {
-            return false;
-        }
-
-        is_classic
-    }
-
-    fn is_rgb_device(&self, dev: &Device) -> bool {
-        let name = dev.name.to_lowercase();
-        name.contains("rgb")
-            || name.contains("lighting")
-            || name.contains("led")
-            || name.contains("fan")
-            || name.contains("aura")
-            || name.contains("glow")
-            || name.contains("litra")
-    }
 }
+
 impl Default for HardwareManager {
     fn default() -> Self {
         Self::new()
@@ -123,56 +76,45 @@ impl Default for HardwareManager {
 mod tests {
     use super::*;
 
-    fn mock_device(name: &str, vendor_id: &str, classes: Vec<&str>, uaccess: bool) -> Device {
-        Device {
-            name: name.to_string(),
-            vendor: "TestVendor".to_string(),
-            vendor_id: vendor_id.to_string(),
-            product_id: "0001".to_string(),
-            bus_type: "usb".to_string(),
-            path: "/dev/test".to_string(),
-            classes: classes.into_iter().map(|s| s.to_string()).collect(),
-            has_uaccess: uaccess,
-            controllers: Vec::new(),
-        }
+    struct MockDetector {
+        devices: Vec<Device>,
     }
 
-    #[test]
-    fn test_is_gaming_device() {
-        let mgr = HardwareManager::new();
-
-        // Standard Mouse
-        let mouse = mock_device("Gaming Mouse", "1234", vec!["mouse"], true);
-        assert!(mgr.is_gaming_device(&mouse));
-
-        // YubiKey (Security Key) - Should be blocked
-        let yubikey = mock_device("YubiKey", "1050", vec!["keyboard"], true);
-        assert!(!mgr.is_gaming_device(&yubikey));
-
-        // RGB Fan - Should be blocked from main list
-        let fan = mock_device("LianLi Fan RGB", "9999", vec!["hid"], true);
-        assert!(!mgr.is_gaming_device(&fan));
-
-        // Audio Device (No UAccess) - Should be blocked (filtered noise)
-        let audio_noise = mock_device("HDMI Audio", "1002", vec!["audio"], false);
-        assert!(!mgr.is_gaming_device(&audio_noise));
-
-        // BEACN Mic (Audio with UAccess)
-        let beacn = mock_device("BEACN Mic", "33ae", vec!["audio"], true);
-        assert!(mgr.is_gaming_device(&beacn));
+    impl HardwareDetector for MockDetector {
+        fn name(&self) -> &str {
+            "Mock"
+        }
+        fn list_devices(&self) -> Vec<Device> {
+            self.devices.clone()
+        }
     }
 
     #[test]
-    fn test_is_rgb_device() {
-        let mgr = HardwareManager::new();
+    fn test_hardware_manager_cache() {
+        let mut mgr = HardwareManager::new();
+        mgr.detectors.clear(); // Clear default detectors for testing
+
+        let dev = Device {
+            name: "Test Mouse".to_string(),
+            vendor: "TestVendor".to_string(),
+            vendor_id: "1234".to_string(),
+            product_id: "5678".to_string(),
+            bus_type: "usb".to_string(),
+            path: "/dev/input/event0".to_string(),
+            classes: vec!["mouse".to_string()],
+            has_uaccess: true,
+            controllers: Vec::new(),
+        };
 
-        let rgb_strip = mock_device("Lighting Node PRO", "1b1c", vec!["hid"], true);
-        assert!(mgr.is_rgb_device(&rgb_strip));
+        mgr.add_detector(Box::new(MockDetector {
+            devices: vec![dev.clone()],
+        }));
 
-        let fan = mock_device("Cooler RGB Fan", "0000", vec!["hid"], true);
-        assert!(mgr.is_rgb_device(&fan));
+        let devices = mgr.list_all_devices();
+        assert_eq!(devices.len(), 1);
+        assert_eq!(devices[0].name, "Test Mouse");
 
-        let mouse = mock_device("Plain Mouse", "0000", vec!["mouse"], true);
-        assert!(!mgr.is_rgb_device(&mouse));
+        let devices2 = mgr.list_all_devices();
+        assert_eq!(devices2.len(), 1);
     }
 }