fix: audit fixes — CString zeroize, FP account check, PAM timeout, blur downscale (v0.6.5)

Address findings from second triple audit (quality, performance, security):

- Wrap PAM CString password in Zeroizing<CString> to wipe on drop (S-H1)
- Add check_account() for pam_acct_mgmt after fingerprint unlock,
  with resume_async() to restart FP on transient failure (S-M1)
- 30s PAM timeout with generation counter to prevent stale result
  interference from parallel auth attempts (S-M3)
- Downscale wallpaper to max 1920px before GPU blur, reducing work
  by ~4x on 4K wallpapers (P-M1)
- exit(1) instead of return on no-monitor after lock.lock() (Q-2.1)

src/main.rs

@@ -115,7 +115,7 @@ fn activate_with_session_lock(
 
     if !created_any {
         log::error!("No lockscreen windows created — screen stays locked (compositor policy)");
-        return;
+        std::process::exit(1);
     }
 
     // Async fprintd initialization — runs after windows are visible