Refactor: modular layout, security hardening, CI, and off-target tests

[Copilot]

The ~1.5k-line source/main.c mixed UI, networking, archive handling, and config parsing, with a duplicated hand-rolled ZIP path, no CI, no tests, and .3dsx/.smdh checked in. This PR delivers phases 1, 2, 4, and 5 of the planned refactor; phase 3 (UX/GUI overhaul) is deferred to a follow-up since it can't be validated outside hardware/emulator.

Module split (Phase 1)

• source/main.c reduced to ~470 lines (state machine + lifecycle only). New modules with headers in include/: led, gdrive, config, download, file_browser, queue, integrity, plus a pure archive_extractor_detect carved out so detection is host-testable without libarchive.
• Removed the duplicated ZIP path (extract_zip_file, manual inflate, mkdir_recursive, ZIP_LOCAL_SIGNATURE); all formats now go through extract_archive_libarchive.
• libarchive options hardened: SECURE_SYMLINKS | SECURE_NOABSOLUTEPATHS on top of the existing SECURE_NODOTDOT.
• umask / getpwnam / getgrnam / LZ4_* stubs warn once on first use instead of failing silently.
• .3dsx / .smdh removed from tracking and gitignored. Fixed a latent Makefile bug (ICON unset → empty path passed to smdhtool) that the untracking exposed.

Security & reliability (Phase 2)

• Unique per-run temp paths sdmc:/3ds/zip-extractor/tmp/run_<ts>_<n>.part with orphan sweep at startup and shutdown.
• Resume hardened: detects servers replying 200 to a Range request and restarts from zero.
• Optional integrity check via URL sha256:<64-hex> syntax — mbedtls on target, vendored pure-C SHA-256 on host so tests stay dependency-free. Backwards compatible (lines without the suffix work as before).
• New optional config keys max_urls, download_buffer_kb, connect_timeout_s (defaults 100 / 128 / 30, clamped to safe ranges).

extract_path=sdmc:/extracted/
auto_retry=true
max_retries=3
download_buffer_kb=256
https://example.com/payload.zip sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

CI (Phase 1.6)

• .github/workflows/build.yml: build-3ds (devkitpro/devkitarm container, uploads .3dsx/.smdh artifacts) and host-tests (ASan+UBSan) jobs, both required. Release-on-tag job publishes the artifacts on v* tags. GITHUB_TOKEN permissions pinned to contents: read (write only on the release job).

Off-target test suite (Phase 5)

• tests/Makefile.host with test, test-asan, coverage, clean. Vendored Unity 2.6.0 (unity.{c,h}, internals inlined). tests/3ds_stubs.h covers the few libctru types the pure modules need; sources guard <3ds.h> with #ifndef HOST_BUILD.
• 38 tests across test_gdrive (incl. small-buffer/NULL/folder-URL edge cases), test_config (BOM, overlong-line truncation, clamping, sha256 split, max_urls cap), test_archive_detect (every magic, too-short, missing, NULL), test_sha256 (NIST vectors, file hashing, case-insensitive verify).
• tests/make_fixtures.sh generates archive and config fixtures deterministically — no zip/tar/zstd tools required on the host.

Docs (Phase 4)

• README: Docker build, host-tests targets, expanded controls table, sha256: example.
• New docs/ARCHITECTURE.md (module map + per-URL data flow + threading model).
• CHANGELOG.md [Unreleased] section.
• CLAUDE.md realigned: [post-refactor] markers and "Stato attuale" notice updated to reflect the new layout.

Deferred (Phase 3)

Bottom-screen interactive queue, swkbd URL entry, extraction progress bar, MB/s+ETA, local archive picker. These are UI changes that need on-device iteration; tracking for a separate PR.