fix: security hardening and code quality improvements

Build hardening:
- Add -fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE, full RELRO
- Enable overflow-checks in Rust release profile

Rust backend:
- Return null (not panic) if Tokio runtime or QobuzClient init fails
- Strip null bytes in FFI JSON callback to prevent CString panics
- Document MD5 and password-in-query as Qobuz API constraints

C++ frontend:
- Validate JSON document before accessing fields in onEvent()
- Handle null backend pointer from failed init
- Set biography label to PlainText and decode HTML entities to prevent
  rendering injected content from API responses
- Clamp slider position and guard negative durations
- Use qint64 for duration formatting to avoid int truncation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CMakeLists.txt

@@ -88,9 +88,18 @@ if (UNIX AND NOT APPLE)
     target_link_libraries(qobuz-qt PRIVATE asound)
 endif ()
 
-# Compiler warnings
+# Compiler warnings + hardening
 if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" OR CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
-    target_compile_options(qobuz-qt PRIVATE -Wall -Wextra -Wno-unused-parameter)
+    target_compile_options(qobuz-qt PRIVATE
+        -Wall -Wextra -Wno-unused-parameter
+        -fstack-protector-strong
+        -D_FORTIFY_SOURCE=2
+        -fPIE
+    )
+    target_link_options(qobuz-qt PRIVATE
+        -pie
+        -Wl,-z,relro,-z,now
+    )
 endif ()
 
 # D-Bus