fix: audit findings — security, i18n, validation, dead code (v0.3.2)

Quality:
- Q-5: Allow relative session commands (e.g. niri-session), greetd resolves PATH
- Q-3: Socket read+write timeouts with proper error logging
- Q-2: Remove unused PowerError::Timeout variant
- Q-M1: i18n for all login_worker error messages (new: unexpected_greetd_response)
- Q-M2: Explicit INVALID_LIST_POSITION check in session dropdown
- Q-M4: Log SVG loader.close() errors instead of silencing
- Q-M6: Testable persistence functions with proper roundtrip tests

Security:
- S-2: Validate GTK theme name (alphanumeric, _, -, +, . only)
- S-3: Log file created with mode 0o640
- S-4: Cache files (last-user, last-session) created with mode 0o600

Performance:
- P-3: Single symlink_metadata() call instead of exists() + is_symlink()
- P-4: Avoid Vec allocation in IPC send_message (two write_all calls)

Config:
- Update example GTK theme to Colloid-Catppuccin
2026-03-28 00:37:35 +01:00
parent 4fa0dd0ead
commit 0d4a1b035a
8 changed files with 186 additions and 56 deletions
+2 -5
@@ -75,7 +75,6 @@ fn recv_payload(stream: &mut UnixStream, n: usize) -> Result<Vec<u8>, IpcError>
}
/// Send a length-prefixed JSON message to the greetd socket.
/// Header and payload are sent in a single write for atomicity.
pub fn send_message(
stream: &mut UnixStream,
msg: &serde_json::Value,
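Review bot: The doc comment above `send_message` drops its second line ("Header and payload are sent in a single write for atomicity.") without a replacement, so the function no longer documents what state the stream is in when it returns an error. Removing the old claim is right, since the body now issues two writes, but callers need to know the new contract. Suggest adding a line such as `/// On error the stream may hold a partial frame and must not be reused.`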
@@ -86,10 +85,8 @@ pub fn send_message(
}
let header = (payload.len() as u32).to_le_bytes();
let mut buf = Vec::with_capacity(4 + payload.len());
buf.extend_from_slice(&header);
buf.extend_from_slice(&payload);
stream.write_all(&buf)?;
stream.write_all(&header)?;
stream.write_all(&payload)?;
Ok(())
}
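Review bot: The two `write_all` calls at the end of `send_message` can leave a half-sent frame: if `stream.write_all(&header)?` succeeds and `stream.write_all(&payload)?` then fails, for instance on the write timeout this commit introduces under Q-3, the peer has received a length prefix with no body behind it. Any later message sent on the same stream would be read as the missing payload. Please make sure every caller treats an `Err` from `send_message` as fatal for the connection and drops the `UnixStream` instead of retrying on it, and add a test that forces a failure on the second write to confirm this. Separately, `payload.len() as u32` truncates silently for oversized payloads; if the check that closes just above it in this hunk does not already bound the length, `u32::try_from(payload.len())` would turn that case into an error.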