feat: roadmap batch (2026-06-19) — solar/linear-light/dither/nanoleaf + integrations

Eight roadmap features from the 2026-06-19 review, each a full vertical
(backend + tests + frontend + i18n en/ru/zh); ~67 new unit tests:

- automations: SolarRule sunrise/sunset trigger (new utils/solar.py, shared
  with the daylight cycle; window logic mirrors TimeOfDayRule)
- ci: best-effort arm64 multi-arch Docker manifest via QEMU + docker manifest
  (release.yml; amd64 path untouched, continue-on-error)
- game-integration: wire the orphaned LoLPoller via a LoLPollManager + a shared
  runtime_state module (poll lifecycle on enable/CRUD/startup/shutdown)
- ui: color-harmony gradient generator (complementary/analogous/triadic/...)
- effects: audio-reactive palette modulation (new audio_energy_tap; brightness/
  saturation modulation across all 12 procedural effects)
- capture: linear-light blending + spatio-temporal dithering, opt-in per
  calibration (new utils/linear_light.py, utils/dither.py)
- devices: Nanoleaf extControl v2 per-panel UDP streaming (per_panel mode)

Also bundles the pending 2026-06-18 production-review fixes and other
in-progress work already in the working tree (manual-trigger rule, etc.),
since they share files and could not be cleanly separated.

Gate: ruff + tsc clean; pytest 2654 passed / 2 skipped. The single failing
test (automation manual_trigger handler coverage) is a separate in-progress
item owned elsewhere, intentionally left as-is.

server/tests/api/routes/test_game_integration_routes.py

@@ -161,10 +161,42 @@ class TestCreateIntegration:
             description="My game",
             tags=["fps"],
         )
-        assert data["adapter_config"] == {"auth_token": "secret123"}
+        # The auth_token is a live shared secret and must NEVER be echoed back
+        # over the API — it is masked to "" in every response.
+        assert data["adapter_config"] == {"auth_token": ""}
         assert data["description"] == "My game"
         assert data["tags"] == ["fps"]
 
+    def test_update_with_blank_token_preserves_secret(self, client, game_store):
+        """The API masks secrets, so the edit form re-submits a blank token for
+        an unchanged secret. The update must PRESERVE the stored secret rather
+        than overwrite it with the blank (otherwise a no-op edit wipes the key).
+        """
+        created = _create_integration(client, adapter_config={"auth_token": "secret123"})
+        gi_id = created["id"]
+
+        resp = client.put(
+            f"/api/v1/game-integrations/{gi_id}",
+            json={"name": "Renamed", "adapter_config": {"auth_token": ""}},
+        )
+        assert resp.status_code == 200, resp.text
+
+        # The stored (decrypted) secret is unchanged despite the blank submit.
+        cfg = game_store.get_integration(gi_id)
+        assert cfg.adapter_config.get("auth_token") == "secret123"
+
+    def test_update_with_new_token_replaces_secret(self, client, game_store):
+        """A non-empty token in the update is a deliberate change and is kept."""
+        created = _create_integration(client, adapter_config={"auth_token": "secret123"})
+        gi_id = created["id"]
+
+        resp = client.put(
+            f"/api/v1/game-integrations/{gi_id}",
+            json={"adapter_config": {"auth_token": "rotated456"}},
+        )
+        assert resp.status_code == 200, resp.text
+        assert game_store.get_integration(gi_id).adapter_config.get("auth_token") == "rotated456"
+
     def test_create_duplicate_name(self, client):
         _create_integration(client, name="Unique")
         resp = client.post(