fix: security hardening and code quality improvements

Build hardening:
- Add -fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE, full RELRO
- Enable overflow-checks in Rust release profile

Rust backend:
- Return null (not panic) if Tokio runtime or QobuzClient init fails
- Strip null bytes in FFI JSON callback to prevent CString panics
- Document MD5 and password-in-query as Qobuz API constraints

C++ frontend:
- Validate JSON document before accessing fields in onEvent()
- Handle null backend pointer from failed init
- Set biography label to PlainText and decode HTML entities to prevent
  rendering injected content from API responses
- Clamp slider position and guard negative durations
- Use qint64 for duration formatting to avoid int truncation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

rust/src/api/client.rs

@@ -60,6 +60,8 @@ impl QobuzClient {
             .as_secs()
     }
 
+    /// Compute the request signature required by the Qobuz API.
+    /// NOTE: MD5 is mandated by the Qobuz API protocol — not our choice.
     fn request_sig(&self, method: &str, params: &mut Vec<(&str, String)>, ts: u64) -> String {
         params.sort_by_key(|(k, _)| *k);
         let mut s = method.replace('/', "");
@@ -116,6 +118,7 @@ impl QobuzClient {
         }
     }
 
+    /// NOTE: Qobuz API requires credentials as GET query params — not our choice.
     async fn oauth2_login(&mut self, email: &str, password: &str) -> Result<OAuthLoginResponse> {
         let ts = Self::ts();
         let mut sign_params: Vec<(&str, String)> = vec![