fix: audit LOW fixes — stdout null, utf-8 path, debug value, hidden sessions (v0.8.6)

- power::run_command: .stdout(Stdio::null()) — the pipe was never drained,
  structurally fragile even if no current caller hits it.
- config: replace to_string_lossy() on relative wallpaper paths with
  to_str() + log::warn, so non-UTF-8 paths are dropped cleanly instead
  of being mangled into unopenable U+FFFD strings.
- main: require MOONGREET_DEBUG=1 to raise verbosity. Mere presence of
  the var must not leak socket paths, usernames, and auth round counts
  into the journal.
- sessions: parse Hidden= and NoDisplay= keys, skip entries marked true.
  Keeps disabled or stub .desktop files out of the session dropdown.

src/main.rs

@@ -127,10 +127,12 @@ fn setup_logging() {
             eprintln!("Failed to create journal logger: {e}");
         }
     }
-    let level = if std::env::var("MOONGREET_DEBUG").is_ok() {
-        log::LevelFilter::Debug
-    } else {
-        log::LevelFilter::Info
+    // Require MOONGREET_DEBUG=1 to raise verbosity. Mere presence (e.g. an
+    // empty value in a session-setup script) must not escalate the journal
+    // to Debug, which leaks socket paths, usernames, and auth round counts.
+    let level = match std::env::var("MOONGREET_DEBUG").ok().as_deref() {
+        Some("1") => log::LevelFilter::Debug,
+        _ => log::LevelFilter::Info,
     };
     log::set_max_level(level);
 }