fix: comprehensive security, stability, and code quality audit
Security:
- Force API key auth for LAN (non-loopback) requests; remove shipped dev key
- Block path-traversal in backup restore; require auth on backup endpoints
- SSRF protection: DNS resolve + private/loopback/link-local IP rejection
- AES-256-GCM encryption for HA tokens and MQTT passwords with auto-migration
- WebSocket auth migrated from query-string to first-message protocol
- Asset upload: extension allowlist, server-side mime, Content-Disposition
- Update installer: SHA256 verification, tar/zip member validation
- Tightened CORS (explicit methods/headers, no credentials)
- ADB serial regex allowlist, webhook rate-limit key fix, log scrubbing

Android:
- Root-capture: ordered teardown, screenrecord respawn watchdog, child reaping
- USB permission blocking API via CompletableDeferred
- Python init crash guard with fatal-error screen
- Moved root grant + QR generation off Main thread
- Cached PyObject engine for per-frame bridge calls
- Ordered ScreenCapture resource cleanup, allowBackup=false

Python:
- Replaced all asyncio.get_event_loop() with get_running_loop/to_thread
- Split color_strip_sources.py (1683->5 files) and color_strip_stream.py (1324->7 files) into packages
- Extracted FrameLimiter utility, migrated 9 stream loops
- Provider base-class reuse, WLED state caching + URL normalization
- Narrowed broad except-pass in WS routes, threading fixes in BaseStore

Frontend:
- XSS fix: escapeHtml on dynamic option labels, reconcile-based list renders
- Typed DOM helpers, safe localStorage access, AbortController listener hygiene
- openAuthedWs helper for first-message WS auth protocol
- Migrated remaining plain <select>s to IconSelect/EntitySelect

Design:
- WCAG AA primary color on light theme (#2e7d32, 5.4:1 contrast)
- Android TV 10-foot breakpoint (tv.css)
- Consolidated z-index tokens, unified easing, card-running GPU hints
@@ -8,11 +8,15 @@ server:
- "http://localhost:8080"
auth:
# API keys — when empty, authentication is disabled (open access).
# To enable auth, add one or more label: "api-key" entries.
# API keys — required for any non-loopback (LAN) request.
# When empty:
# - loopback (127.0.0.1, ::1, localhost) requests are allowed anonymously
# - LAN requests are REJECTED with 401 (security default)
# To enable LAN access, add one or more label: "api-key" entries below
# and send `Authorization: Bearer <api-key>` with each request.
# Generate secure keys: openssl rand -hex 32
api_keys:
dev: "development-key-change-in-production"
api_keys: {}
# dev: "replace-with-openssl-rand-hex-32"
storage:
database_file: "data/ledgrab.db"
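Review bot: the commented example `# dev: "replace-with-openssl-rand-hex-32"` is indented beneath `api_keys: {}`, so a user who follows the comment above it ("add one or more label: "api-key" entries below") and simply uncomments the line ends up with invalid YAML, because a block mapping cannot follow the `{}` flow mapping on the same key. Either write the default as a bare `api_keys:` with the commented entry under it, or add a line telling the reader to delete `{}` first. Separately, the new comment promises that loopback requests are allowed anonymously when no keys are set; it should also say that this exemption covers every request arriving through a reverse proxy on the same host that connects over 127.0.0.1, so deployments fronted by a local proxy must always configure keys rather than rely on the LAN rejection.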
@@ -31,3 +35,10 @@ logging:
file: "logs/ledgrab.log"
max_size_mb: 100
backup_count: 5
updates:
# When false (default), updates without a published sha256 checksum
# (sibling .sha256 asset OR 64-hex string in release body) are aborted
# before any installer/extractor runs. NEVER set true unless you
# control the release server end-to-end.
allow_unchecked: false
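Review bot: the comment on `allow_unchecked` says a "64-hex string in release body" is accepted as the checksum, but a release body can contain more than one such string (one per platform asset, for instance), and the comment does not say which one wins or how it is matched to the downloaded file; document the selection rule, or state that the hash must appear next to the asset filename, so that a mismatch aborts the update for the right reason rather than pinning a file to a hash meant for a different asset. It would also help to add one line noting that a sha256 published beside the artifact proves integrity in transit only, not who published it, which is the reason behind the "control the release server end-to-end" warning.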