fix: audit findings — security, i18n, validation, dead code (v0.3.2)

Quality:
- Q-5: Allow relative session commands (e.g. niri-session), greetd resolves PATH
- Q-3: Socket read+write timeouts with proper error logging
- Q-2: Remove unused PowerError::Timeout variant
- Q-M1: i18n for all login_worker error messages (new: unexpected_greetd_response)
- Q-M2: Explicit INVALID_LIST_POSITION check in session dropdown
- Q-M4: Log SVG loader.close() errors instead of silencing
- Q-M6: Testable persistence functions with proper roundtrip tests

Security:
- S-2: Validate GTK theme name (alphanumeric, _, -, +, . only)
- S-3: Log file created with mode 0o640
- S-4: Cache files (last-user, last-session) created with mode 0o600

Performance:
- P-3: Single symlink_metadata() call instead of exists() + is_symlink()
- P-4: Avoid Vec allocation in IPC send_message (two write_all calls)

Config:
- Update example GTK theme to Colloid-Catppuccin

src/users.rs

@@ -106,14 +106,18 @@ pub fn get_avatar_path_with(
     // AccountsService icon takes priority
     if accountsservice_dir.exists() {
         let icon = accountsservice_dir.join(username);
-        if icon.exists() && !icon.is_symlink() {
+        if let Ok(meta) = icon.symlink_metadata()
+            && !meta.file_type().is_symlink()
+        {
             return Some(icon);
         }
     }
 
     // ~/.face fallback
     let face = home.join(".face");
-    if face.exists() && !face.is_symlink() {
+    if let Ok(meta) = face.symlink_metadata()
+        && !meta.file_type().is_symlink()
+    {
         return Some(face);
     }