fix: address final-review items (status endpoint, docs, tests)

Follow-up to the holistic review of the PIN-unification branch:

- /system/status now reads the real arm state from the arm_state_log
  table via get_current_arm_state, instead of returning a hardcoded
  'DISARMED' stub. Without this, polling after the new async 202
  arm/disarm flow was a UX dead-end — clients never saw the state
  change they just requested. DB read failures degrade gracefully.

- Operator guide: correct the claim that 'vigilar config set-pin'
  populates recovery_passphrase_hash. It doesn't. recovery_passphrase
  _hash has no CLI helper today; it must be set manually.

- Tests: add a fail-closed regression for verify_pin on malformed
  stored hashes, and a companion test confirming the deprecation
  warning stays silent on a fully migrated config.

All address specific review comments on the branch; no scope creep.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/operator-guide.md

@@ -292,10 +292,15 @@ enabled = false`, `[visitors] enabled = false`, `[highlights] enabled
 
 - `[location] latitude`, `longitude` (default `0.0`): used for sunrise
   and sunset lookups.
-- `[security] pin_hash` (canonical arm/disarm PIN store) and
-  `recovery_passphrase_hash`: both populated by
-  `vigilar config set-pin`. The `[system] arm_pin_hash` field is
-  deprecated; see the `[system]` section above.
+- `[security] pin_hash` (canonical arm/disarm PIN store): populated by
+  `vigilar config set-pin`, which emits a PBKDF2-SHA256 hash to paste
+  into the `[security]` section. The legacy `[system] arm_pin_hash`
+  field is deprecated; see the `[system]` section above.
+- `[security] recovery_passphrase_hash`: used by the web
+  `/system/api/reset-pin` endpoint to authenticate PIN-reset requests.
+  There is no CLI helper for this field today — set it by hashing a
+  passphrase manually with `vigilar.alerts.pin.hash_pin` and pasting
+  the result into `[security]`, or leave it unset to disable recovery.
 
 ## CLI reference