Fix 29 audit findings across all severity tiers

Critical: fix unsquashfs arg order, quote Exec paths with spaces,
fix compare_versions antisymmetry, chunk-based signature detection,
bounded ELF header reads.

High: handle NULL CVE severity, prevent pipe deadlock in inspector,
fix glob_match edge case, fix backup archive path collisions, async
crash detection with stderr capture.

Medium: gate scan on auto-scan setting, fix window size persistence,
fix announce() for Stack containers, claim lightbox gesture, use
serde_json for CLI output, remove dead CSS @media blocks, add
detail-tab persistence, remove invalid metainfo categories, byte-level
fuse signature search.

Low: tighten Wayland env var detection, ELF magic validation,
timeout for update info extraction, quoted arg parsing, stop watcher
timer on window destroy, GSettings choices/range constraints, remove
unused CSS classes, define status-ok/status-attention CSS.

src/core/analysis.rs

@@ -15,7 +15,6 @@ const MAX_CONCURRENT_ANALYSES: usize = 2;
 static RUNNING_ANALYSES: AtomicUsize = AtomicUsize::new(0);
 
 /// Returns the number of currently running background analyses.
-#[allow(dead_code)]
 pub fn running_count() -> usize {
     RUNNING_ANALYSES.load(Ordering::Relaxed)
 }
@@ -64,6 +63,10 @@ pub fn run_background_analysis(id: i64, path: PathBuf, appimage_type: AppImageTy
 
     // Inspect metadata (app name, version, icon, desktop entry, AppStream, etc.)
     if let Ok(meta) = inspector::inspect_appimage(&path, &appimage_type) {
+        log::debug!(
+            "Metadata for id={}: name={:?}, icon_name={:?}",
+            id, meta.app_name.as_deref(), meta.icon_name.as_deref(),
+        );
         let categories = if meta.categories.is_empty() {
             None
         } else {