v0.30.2: Report geo-restriction + logo/favicon update + Hub geo auth

- Add GeoRestrictionReport to report types and builder, so Hub can
  display geo-blocking status on customer detail pages
- Update all 5 BuildReport() call sites with new geoRestriction param
- Add /api/geo/ to selfUpdateAuthMiddleware (Hub Bearer token auth)
- Replace embedded logo SVG with updated logo.svg (white text variant)
- Add FelhomFaviconSVG constant + /static/favicon.svg route
- Update layout.html and catchall.html favicon links

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/internal/web/server.go

@@ -275,6 +275,8 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		s.serveChartJSHandler(w, r)
 	case path == "/static/felhom-logo.svg":
 		s.serveLogoHandler(w, r)
+	case path == "/static/favicon.svg":
+		s.serveFaviconHandler(w, r)
 	case strings.HasPrefix(path, "/static/assets/"):
 		s.serveAsset(w, r, strings.TrimPrefix(path, "/static/assets/"))
 	case strings.HasPrefix(path, "/apps/"):
@@ -446,6 +448,22 @@ func (s *Server) serveLogoHandler(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprint(w, FelhomLogoSVG)
 }
 
+func (s *Server) serveFaviconHandler(w http.ResponseWriter, r *http.Request) {
+	// Try synced asset first
+	if s.assetsSyncer != nil {
+		path := s.assetsSyncer.Resolve("felhom-favicon.svg")
+		if _, err := os.Stat(path); err == nil {
+			w.Header().Set("Cache-Control", "public, max-age=86400")
+			http.ServeFile(w, r, path)
+			return
+		}
+	}
+	// Fallback to embedded favicon
+	w.Header().Set("Content-Type", "image/svg+xml")
+	w.Header().Set("Cache-Control", "public, max-age=86400")
+	fmt.Fprint(w, FelhomFaviconSVG)
+}
+
 // serveAsset serves baked-in app assets (logos, screenshots) from /usr/share/felhom/assets/
 const assetsDir = "/usr/share/felhom/assets"