fix: audit fixes — password zeroize, blur downscale, symlink hardening, error filtering (v0.7.0)

- Add zeroize dependency, wrap password in Zeroizing<String> from entry extraction
  through to login_worker (prevents heap-resident plaintext)
- Add MAX_BLUR_DIMENSION (1920px) downscale before GPU blur to reduce 4K workload
- Wallpaper: use symlink_metadata + is_symlink rejection in greeter.rs and config.rs
- Avatar: add is_file() check, swap lookup order to ~/.face first (consistent with
  moonlock/moonset)
- greetd errors: show generic fallback in UI, log raw PAM details at debug level only
- fprintd: validate device path prefix before creating D-Bus proxy
- Locale: cache detected locale via OnceLock (avoid repeated env/file reads)

src/i18n.rs

@@ -4,6 +4,7 @@
 use std::env;
 use std::fs;
 use std::path::Path;
+use std::sync::OnceLock;
 
 const DEFAULT_LOCALE_CONF: &str = "/etc/locale.conf";
 
@@ -129,14 +130,17 @@ pub fn detect_locale() -> String {
     result
 }
 
+/// Cached locale — detected once, reused for the lifetime of the process.
+static CACHED_LOCALE: OnceLock<String> = OnceLock::new();
+
 /// Return the string table for the given locale, defaulting to English.
 pub fn load_strings(locale: Option<&str>) -> &'static Strings {
     let locale = match locale {
-        Some(l) => l.to_string(),
-        None => detect_locale(),
+        Some(l) => l,
+        None => CACHED_LOCALE.get_or_init(detect_locale),
     };
 
-    match locale.as_str() {
+    match locale {
         "de" => &STRINGS_DE,
         _ => &STRINGS_EN,
     }