fix: address audit findings — security, performance, and correctness

- Use absolute paths for all binaries in power.rs to prevent PATH hijacking
- Implement POWER_TIMEOUT via try_wait() polling (was declared but unused)
- Fix potential panic in load_background_texture when GResource path
  fails to_str() — now falls back to known wallpaper resource path
- Compress wallpaper.jpg in GResource bundle (saves ~374 KB in binary)
- Merge double idle_add_local_once into single cycle for faster focus
- Centralize GRESOURCE_PREFIX as pub(crate) const in main.rs
- Fix fallback user UID from 0 (root) to u32::MAX
- Fix CSS comment: "square card" → "circular card" (border-radius: 50%)

src/users.rs

@@ -5,7 +5,6 @@ use nix::unistd::{getuid, User as NixUser};
 use std::path::{Path, PathBuf};
 
 const DEFAULT_ACCOUNTSSERVICE_DIR: &str = "/var/lib/AccountsService/icons";
-const GRESOURCE_PREFIX: &str = "/dev/moonarch/moonset";
 
 /// Represents the current user for the power menu.
 #[derive(Debug, Clone)]
@@ -74,7 +73,8 @@ pub fn get_avatar_path_with(
 
 /// Return the GResource path to the default avatar SVG.
 pub fn get_default_avatar_path() -> String {
-    format!("{GRESOURCE_PREFIX}/default-avatar.svg")
+    let prefix = crate::GRESOURCE_PREFIX;
+    format!("{prefix}/default-avatar.svg")
 }
 
 #[cfg(test)]