MAJOR RELEASE - SECURITY FIX

@Franz646 Franz646 released this 23 Jun 15:18
· 4 commits to main since this release

Security fix (critical)

All API endpoints were previously registered directly on the raw aiohttp
app, bypassing Home Assistant's authentication middleware entirely. This
meant that anyone able to reach the HA HTTP port — including unauthenticated
users on the local network — could call these endpoints with no token:

  • POST /delete — permanently remove any entity from the registry
  • POST /export — write arbitrary files into the config directory
  • GET /scan, GET/POST /ignore_list — read and mutate integration state

This has been fixed. All routes are now registered through
HomeAssistantView subclasses, which restore HA's standard auth handling:

  • /scan, GET /ignore_list — require a valid authenticated session
  • /delete, /export, POST /ignore_list — require admin privileges
  • /panel, /orphan-cleaner-panel.js, /icon.png — remain public static
    assets (HTML/JS/image only, no data exposure), consistent with how Home
    Assistant core serves panel assets

No functional changes for the end user — the panel works exactly as before
for any user with admin access, which was already required to see it in
the sidebar (require_admin: true). Non-admin users will now correctly
receive a 401/403 instead of being able to call the API directly.
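
A static check for the bug class described above, as an added example that is not the integration's own code: it parses a module with Python's ast and flags handlers attached directly to an aiohttp router, plus HomeAssistantView subclasses that set requires_auth = False. The sample module, its handler names and its view class names are constructed for illustration, and the check covers only how routes are registered, not the admin-only enforcement.

```python
import ast

# Constructed sample, NOT the integration's real source; paths follow the notes above.
SAMPLE = '''
async def async_setup(hass, config):
    # Bug pattern: handlers attached to the raw aiohttp router, no HA auth.
    hass.http.app.router.add_post("/delete", handle_delete)
    hass.http.app.router.add_route("GET", "/scan", handle_scan)
    # Fix pattern: views registered through Home Assistant.
    hass.http.register_view(ExportView())
    hass.http.register_view(PanelView())
    return True

class ExportView(HomeAssistantView):
    url = "/export"  # requires_auth is left at its default (True)
    name = "api:example:export"

class PanelView(HomeAssistantView):
    url = "/panel"
    name = "example:panel"
    requires_auth = False  # static asset only
'''

ROUTER_METHODS = {"add_get", "add_post", "add_put", "add_delete", "add_patch", "add_route"}

def audit_routes(source):
    """Return sorted (lineno, kind, detail) findings for routes that skip HA auth."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Direct registration on an aiohttp router: <something>.router.add_*(...)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ROUTER_METHODS
                and isinstance(node.func.value, ast.Attribute)
                and node.func.value.attr == "router"):
            strs = [a.value for a in node.args
                    if isinstance(a, ast.Constant) and isinstance(a.value, str)]
            findings.append((node.lineno, "raw-router", strs[-1] if strs else "?"))
        # View that explicitly opts out of authentication: review what it serves.
        elif isinstance(node, ast.ClassDef):
            for stmt in node.body:
                if (isinstance(stmt, ast.Assign)
                        and any(isinstance(t, ast.Name) and t.id == "requires_auth" for t in stmt.targets)
                        and isinstance(stmt.value, ast.Constant) and stmt.value.value is False):
                    findings.append((stmt.lineno, "public-view", node.name))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, kind, detail in audit_routes(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

A "public-view" finding is not necessarily a defect: it marks a view to review by hand, as with the static panel assets listed above.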

Breaking changes

None for normal usage. If you were calling these endpoints directly
(outside the panel) without authentication, you will now need to include
a valid HA long-lived access token or session cookie.

Credit

Reported during HACS default repository review by @frenck.