Was: /system/api/arm verified the PIN against [security] pin_hash and
returned {ok: true} without ever calling the FSM. State never changed.
Now: the endpoint publishes a SYSTEM_ARM_REQUEST message to the local
MQTT broker. The event processor (see previous commit) picks it up,
ArmStateFSM verifies the PIN via alerts.pin.verify_pin and performs
the transition. Response is 202 Accepted; clients poll /system/status
for the new state.
Design: PIN travels over localhost-only MQTT, which matches the
existing trust boundary for the internal bus.
Adds PIN checking to arm/disarm endpoints using verify_pin() against
cfg.security.pin_hash, and a new POST /system/api/reset-pin endpoint
that verifies the recovery passphrase before updating the PIN hash.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
