feat: add token-authenticated cron trigger for weather refresh #4

Merged
giancarloerra merged 1 commit into main from feat/token-auth-cron-trigger
Mar 10, 2026
@giancarloerra
Owner

Summary

Add a public, token-authenticated trigger endpoint for external cron services to refresh weather data without needing session/cookie auth.

Motivation

The POST /api/weather/refresh endpoint sits behind requireAuth, which requires a session cookie. External cron services like cron-job.org and GitHub Actions cannot send cookies, so scheduled weather refreshes fail when MASTER_PASSWORD is enabled.

Changes

  • Add POST /api/weather/refresh/trigger?key=… — public endpoint placed before requireAuth, validated by a high-entropy token (SHA-256 hashed, constant-time comparison)
  • Add dedicated rate limiter for trigger (3 req/min, separate from manual refresh's 5/min)
  • Add GET/POST/DELETE /api/settings/cron-token — protected endpoints to manage the trigger key (generate, rotate, revoke)
  • Add optional CRON_TRIGGER_TOKEN env var override (consistent with other API key patterns)
  • Add "Automated Weather Refresh" card to Settings UI — generate key, copy trigger URL, rotate/revoke
  • Extend /api/settings response with cronTrigger status
  • Update README: rewrite cron setup docs, add new endpoints to API table, add env var, rename section from "Automated Data Collection" to "Automated Weather Refresh"
  • Update .env.example with CRON_TRIGGER_TOKEN

Testing

  • npm run lint passes
  • npm run typecheck passes
  • npm test passes
  • Verified manually in dev / built production mode

Breaking changes

  • No breaking changes
  • Breaking change — describe migration steps below:

No breaking changes. Existing POST /api/weather/refresh (manual/UI) is unchanged. The new trigger endpoint is additive.

Screenshots (if applicable)


By submitting this pull request I confirm that my contribution is made under the terms of the GNU Affero General Public License v3.0 or later.

Add public POST /api/weather/refresh/trigger?key=… endpoint so external
cron services (cron-job.org, GitHub Actions) can trigger weather refresh
without session auth.  Key is generated from Settings UI, stored as
SHA-256 hash in Redis, and rate-limited separately (3 req/min).

giancarloerra self-assigned this Mar 10, 2026
giancarloerra merged commit 8520106 into main Mar 10, 2026
3 checks passed
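
An added example, not code from this pull request or the project: one way to implement the key handling the description lists (high-entropy token, SHA-256 hash at rest, constant-time comparison, 3 req/min limiter) in Node.js. All function names are hypothetical; the stored hash is passed in as a parameter instead of being read from Redis, and the limiter keeps its counters in memory.

```javascript
// Added illustration: all names here are hypothetical, not the project's code.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Generate a 256-bit key. The plaintext is shown to the user once;
// only the hex SHA-256 digest is persisted.
function generateTriggerKey() {
  const key = crypto.randomBytes(32).toString('base64url');
  return { key, storedHash: sha256(key).toString('hex') };
}

// Hash the presented key and compare digests in constant time.
// Both buffers are 32 bytes, so timingSafeEqual cannot throw on length.
// A repeated ?key=a&key=b parses to an array in Express and is rejected.
function verifyTriggerKey(presented, storedHashHex) {
  if (typeof presented !== 'string' || presented.length === 0) return false;
  const expected = Buffer.from(String(storedHashHex || ''), 'hex');
  if (expected.length !== 32) return false; // no key configured, or revoked
  return crypto.timingSafeEqual(sha256(presented), expected);
}

// Fixed-window limiter: at most `max` requests per window per client.
function makeLimiter(max = 3, windowMs = 60_000) {
  const hits = new Map();
  return (clientId, now = Date.now()) => {
    const e = hits.get(clientId);
    if (!e || now - e.start >= windowMs) {
      hits.set(clientId, { start: now, count: 1 });
      return true;
    }
    e.count += 1;
    return e.count <= max;
  };
}

// Status for one trigger request. The limiter runs before the key check,
// so failed guesses also consume the budget.
function handleTrigger({ key, clientId, now }, storedHashHex, allow) {
  if (!allow(clientId, now)) return 429;
  if (!verifyTriggerKey(key, storedHashHex)) return 401;
  return 200;
}
```

Because the query-string key can end up in access logs at the cron provider or a reverse proxy, the rotate and revoke endpoints are the recovery path if a trigger URL is exposed.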