Stop executing AppImages during analysis, add screenshot lightbox and favicons

- fuse.rs: Replace Command::new(appimage_path) with 256KB binary scan for
  runtime detection - prevents apps like Affinity from launching on tile click
- fuse.rs: Read only 12 bytes for Type 2 magic check instead of entire file
- security.rs: Use find_squashfs_offset_for() instead of executing AppImages
  with --appimage-offset flag
- updater.rs: Read only first 1MB for update info instead of entire file
- detail_view.rs: Click screenshots to open in lightbox dialog
- detail_view.rs: Fetch favicons from Google favicon service for link rows

src/core/updater.rs

@@ -119,7 +119,14 @@ pub fn parse_update_info(raw: &str) -> Option<UpdateType> {
 /// named ".upd_info" or ".updinfo". It can also be found at a fixed offset
 /// in the AppImage runtime (bytes 0x414..0x614 in the ELF header area).
 pub fn read_update_info(path: &Path) -> Option<String> {
-    let data = fs::read(path).ok()?;
+    // Only read the first 1MB - update info is always in the ELF header area,
+    // never deep in the squashfs payload. Avoids loading 1.5GB+ files into memory.
+    let mut file = fs::File::open(path).ok()?;
+    let file_len = file.metadata().ok()?.len() as usize;
+    let read_len = file_len.min(1024 * 1024);
+    let mut data = vec![0u8; read_len];
+    use std::io::Read;
+    file.read_exact(&mut data).ok()?;
 
     // Method 1: Try to read from fixed offset range in AppImage Type 2 runtime.
     // The update info is typically at offset 0xC48 (3144) in the ELF, but the