fix(shutdown): survive PC restart with WAL fsync + Win32 session-end guard

Two bugs caused user data ('G502' target's color-strip ref, etc.) to
revert after PC restart while persisting fine across normal app
restarts:

1. SQLite was in WAL mode with synchronous=NORMAL and Database.close()
   was never called. On graceful Python exit the sqlite3 finalizer
   checkpoints the WAL, but on an unclean PC shutdown (power loss,
   forced reboot, or Windows force-terminating pythonw.exe) the WAL
   stayed in OS cache, never reached disk, and the next boot rolled the
   DB back to the last checkpoint -- losing recent edits.

2. Nothing handled WM_QUERYENDSESSION / WM_ENDSESSION, so on PC
   shutdown Windows force-killed pythonw.exe after ~5s and the FastAPI
   lifespan never ran. The 'stop_targets' setting was silently ignored
   and devices were left at their last frame.

Changes:
- Database: PRAGMA synchronous=FULL + wal_autocheckpoint=100, plus an
  explicit wal_checkpoint(TRUNCATE) inside Database.close().
- New utils/win_shutdown.py: hidden top-level window in a daemon thread
  with a ctypes WindowProc that catches WM_QUERYENDSESSION (calls
  ShutdownBlockReasonCreate to extend Windows' 5s hung-app timeout up
  to the ~20s GUI ceiling), fires the shutdown callback, then waits in
  WM_ENDSESSION on a completion event before returning. Also raises
  the process shutdown priority via SetProcessShutdownParameters. All
  Win32 argtypes/restypes are bound once at import to avoid LPARAM
  overflow on x64.
- New shutdown_state.py: leaf module owning the cross-thread Event so
  __main__ does not import the heavy ledgrab.main at startup.
- main.py lifespan: per-step asyncio.wait_for budgets (8s for
  processor_manager.stop_all, 1.5s each for HA/MQTT, etc.) so a hung
  device cannot starve the DB checkpoint, then db.close() and
  shutdown_complete.set() always run.
- __main__.py: install the Windows shutdown guard before tray start;
  install SIGINT/SIGTERM/SIGBREAK handlers only on the tray path
  (uvicorn overwrites them on no-tray); raise server_thread.join to 20s.
- Tests cover WM_QUERYENDSESSION (fires callback, returns TRUE,
  idempotent), WM_ENDSESSION (waits on event, times out cleanly,
  cancel-path returns instantly), signal handler installation, and
  that main and shutdown_state share the same Event instance.

server/tests/test_main_entrypoint.py

@@ -0,0 +1,67 @@
+"""Tests for the ``__main__`` entry-point helpers.
+
+These cover the bits that aren't exercised by the FastAPI test client —
+the signal-handler install path and the shutdown-state plumbing — so a
+regression in the launcher can't silently break the user's
+"stop targets on PC shutdown" guarantee.
+"""
+
+from __future__ import annotations
+
+import signal
+import threading
+from types import SimpleNamespace
+
+from ledgrab.__main__ import _install_signal_handlers, _request_shutdown
+
+
+def test_request_shutdown_sets_should_exit() -> None:
+    server = SimpleNamespace(should_exit=False)
+    _request_shutdown(server)
+    assert server.should_exit is True
+
+
+def test_install_signal_handlers_installs_for_known_signals() -> None:
+    """Tray path runs uvicorn on a background thread, so our handlers must
+    actually survive — verify each catchable signal is replaced.
+    """
+    server = SimpleNamespace(should_exit=False)
+    previous = {
+        name: signal.getsignal(getattr(signal, name))
+        for name in ("SIGINT",)
+        if hasattr(signal, name)
+    }
+
+    try:
+        _install_signal_handlers(server)
+        for name in ("SIGINT", "SIGTERM", "SIGBREAK"):
+            sig = getattr(signal, name, None)
+            if sig is None:
+                continue
+            current = signal.getsignal(sig)
+            # The handler is our local closure — its qualname starts with the function it's defined in.
+            assert callable(current), f"{name} handler should be installed"
+            assert getattr(current, "__qualname__", "").startswith(
+                "_install_signal_handlers"
+            ), f"{name} should be replaced by our handler, got {current!r}"
+    finally:
+        # Restore original handlers so the rest of the test suite isn't poisoned.
+        for name, handler in previous.items():
+            signal.signal(getattr(signal, name), handler)
+
+
+def test_shutdown_state_is_shared_threading_event() -> None:
+    """``__main__`` and ``main`` must share the same Event instance — if a
+    fresh one is constructed on either side, WM_ENDSESSION waits forever.
+    """
+    from ledgrab.shutdown_state import shutdown_complete as state_event
+
+    assert isinstance(state_event, threading.Event)
+
+    # If main.py is importable, confirm it re-exports the same object.
+    try:
+        from ledgrab.main import shutdown_complete as main_event
+    except Exception:
+        return  # main.py needs full app state — fine to skip on a bare test run.
+
+    assert main_event is state_event, "main.py must re-export the same Event, not create a new one"