feat(security): patch some holes #32

Open
meldaravaniel wants to merge 3 commits into main from security-holes

@meldaravaniel
Owner

from Claude:

HIGH — File permissions (both install.sh and build-image-chroot.sh):

  • Config dir /etc/hello-operator: chmod 750 (was 755), chown
    hello-operator:hello-operator
  • Config files config.env and radio_stations.json: chmod 640 (new), chowned
    to service user
  • SQLite data dir /var/lib/hello-operator: created with chmod 750, owned by
    service user
  • Prevents any non-root, non-hello-operator user on the Pi from reading
    PLEX_TOKEN

MEDIUM — Dedicated service user (install.sh):

  • install.sh now creates hello-operator system account (no home, no login
    shell)
  • Adds it to audio, gpio, plugdev groups
  • Both systemd services (hello-operator and hello-operator-web) run as this
    account
  • Venv is created as root then chowned to hello-operator
  • Sudoers rule grants hello-operator the restart privilege (not the login
    user)
  • build-image-chroot.sh already used this user — only the permission fixes
    were needed there

HIGH — Web UI password (Flask + Angular):

  • ADMIN_PASSWORD env var (empty = auth disabled, backward compatible)
  • SECRET_KEY env var for Flask sessions
  • @require_auth decorator on service_restart, api_config_get,
    api_config_env, api_config_radio
  • /api/auth/login, /api/auth/logout, /api/auth/status routes (always public)
  • Angular authInterceptor catches 401s and navigates to /login
  • LoginComponent with Material form
  • ApiService gains login(), logout(), checkAuthStatus(), authenticated$
  • 92 Python tests pass (78 existing + 14 new auth tests), 103 Angular tests
    pass
  • config.env.example documents ADMIN_PASSWORD and SECRET_KEY
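
Added example (not part of this PR or the project's code): a post-install check that confirms the modes and ownership listed in the description above and flags an empty ADMIN_PASSWORD, which the description says leaves auth disabled. The function names, the ROOT_PREFIX argument and the KEY=value layout of config.env are assumptions; it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit the permissions described in this PR.
# Usage: audit_hello_operator [ROOT_PREFIX] [EXPECTED_OWNER]
# ROOT_PREFIX (hypothetical argument) points the check at a staged image or a
# test directory instead of the live filesystem.

# check_path PATH MODE OWNER: print a finding and return 1 on any mismatch.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    actual=$(stat -c '%a %U' "$1")   # GNU stat: octal mode and owner name
    if [ "$actual" != "$2 $3" ]; then
        echo "FAIL     $1: have '$actual', want '$2 $3'"
        return 1
    fi
    echo "ok       $1 ($actual)"
}

audit_hello_operator() {
    root=${1:-}
    owner=${2:-hello-operator}
    conf="$root/etc/hello-operator"
    rc=0
    check_path "$conf"                        750 "$owner" || rc=1
    check_path "$conf/config.env"             640 "$owner" || rc=1
    check_path "$conf/radio_stations.json"    640 "$owner" || rc=1
    check_path "$root/var/lib/hello-operator" 750 "$owner" || rc=1

    # An empty, quoted-empty or absent ADMIN_PASSWORD leaves the web UI
    # without auth. This audit treats that as a failure (the example's
    # policy, not the project's).
    if [ -r "$conf/config.env" ] &&
       ! grep -Eq "^ADMIN_PASSWORD=[\"']?[^\"'[:space:]]" "$conf/config.env"; then
        echo "FAIL     ADMIN_PASSWORD is empty or unset: web UI auth is disabled"
        rc=1
    fi
    return $rc
}
```

Source the file and run `audit_hello_operator` as root on the Pi, since config.env is no longer world-readable; a non-zero return means at least one finding was printed.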
