Fix DB paths, add auth to sensitive endpoints, misc bug fixes

- scheduler.py: Use full path for scheduler_state.db instead of relative name
- recycle.py: Use full path for thumbnails.db instead of relative name
- cloud_backup.py, maintenance.py, stats.py: Require admin for config/cleanup/settings endpoints
- press.py: Add auth to press image serving endpoint
- private_gallery.py: Fix _create_pg_job call and add missing secrets import
- appearances.py: Use sync httpx instead of asyncio.run for background thread HTTP call

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/backend/routers/recycle.py

@@ -490,7 +490,7 @@ def _get_or_create_thumbnail(file_path: Path, media_type: str, content_hash: str
     from datetime import datetime
 
     try:
-        with sqlite3.connect('thumbnails', timeout=30.0) as conn:
+        with sqlite3.connect(str(settings.PROJECT_ROOT / 'database' / 'thumbnails.db'), timeout=30.0) as conn:
             cursor = conn.cursor()
 
             # 1. Try content hash first (new method - survives file moves)
@@ -546,7 +546,7 @@ def _get_or_create_thumbnail(file_path: Path, media_type: str, content_hash: str
                 file_mtime = file_path.stat().st_mtime if file_path.exists() else None
                 # Compute file_hash if not provided
                 thumb_file_hash = content_hash if content_hash else hashlib.sha256(str(file_path).encode()).hexdigest()
-                with sqlite3.connect('thumbnails') as conn:
+                with sqlite3.connect(str(settings.PROJECT_ROOT / 'database' / 'thumbnails.db')) as conn:
                     conn.execute("""
                         INSERT OR REPLACE INTO thumbnails
                         (file_hash, file_path, thumbnail_data, created_at, file_mtime)