fix(security): atomic hw-status write, narrow bare excepts, urllib3 CVE floor

- display_manager: replace open()+bare-except with tempfile.mkstemp→fsync→
  chmod(0o600)→os.replace; adds symlink guard and logs errors via logger
  instead of swallowing them silently; pull json/tempfile to module imports
- display_manager cleanup(): narrow broad `except Exception: pass` to
  (OSError, RuntimeError, ValueError, MemoryError) with debug log
- api_v3 get_hardware_status(): catch json.JSONDecodeError and PermissionError
  explicitly; log full traceback server-side; return generic "Unable to read
  hardware status" to client instead of leaking str(e)
- march-madness/requirements.txt: bump urllib3 floor 2.2.2→2.6.3 (CVE fix)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web_interface/blueprints/api_v3.py

@@ -1545,8 +1545,12 @@ def get_hardware_status():
         return jsonify({"status": "success", "data": hw_data})
     except FileNotFoundError:
         return jsonify({"status": "success", "data": {"ok": None, "error": "Display service not yet started"}})
-    except Exception as e:
-        return jsonify({"status": "error", "message": str(e)}), 500
+    except (json.JSONDecodeError, PermissionError):
+        logger.error("Failed to read hardware status file", exc_info=True)
+        return jsonify({"status": "error", "message": "Unable to read hardware status"}), 500
+    except Exception:
+        logger.error("Unexpected error reading hardware status", exc_info=True)
+        return jsonify({"status": "error", "message": "Unable to read hardware status"}), 500
 
 @api_v3.route('/display/current', methods=['GET'])
 def get_display_current():