fix: What's New v1.3.0, backend bind 127.0.0.1 in deploy + systemd, dead man's switch permissions

- Added v1.3.0 release notes to Settings "What's New" modal
- Deploy script now auto-fixes backend bind address (0.0.0.0 → 127.0.0.1)
- All image-recipe systemd/service files updated to 127.0.0.1
- Fixed dead man's switch: alert-config.json owned by root, now chown'd
- Removed unused toggleAutoSync function (build error)
- Deploy script adds LND REST port 8080 to Tor config generation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/deploy-to-target.sh

@@ -789,6 +789,16 @@ MANIFEST_EOF
         sudo swapon /swapfile 2>/dev/null || true
     ' 2>&1 | tail -5 | sed 's/^/   /' || true
 
+    # Ensure backend binds to localhost only (security: no direct LAN access to port 5678)
+    progress "Securing backend bind address"
+    ssh $SSH_OPTS "$TARGET_HOST" '
+      if grep -q "ARCHIPELAGO_BIND=0.0.0.0" /etc/systemd/system/archipelago.service 2>/dev/null; then
+        sudo sed -i "s/ARCHIPELAGO_BIND=0.0.0.0:5678/ARCHIPELAGO_BIND=127.0.0.1:5678/" /etc/systemd/system/archipelago.service
+        sudo systemctl daemon-reload
+        echo "   Fixed: backend now binds to 127.0.0.1 only"
+      fi
+    ' 2>/dev/null || true
+
     # Restart services
     progress "Restarting services"
     ssh $SSH_OPTS "$TARGET_HOST" "sudo systemctl start archipelago && sudo systemctl restart nginx"