fix: security hardening and code quality improvements

Build hardening:
- Add -fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE, full RELRO
- Enable overflow-checks in Rust release profile

Rust backend:
- Return null (not panic) if Tokio runtime or QobuzClient init fails
- Strip null bytes in FFI JSON callback to prevent CString panics
- Document MD5 and password-in-query as Qobuz API constraints

C++ frontend:
- Validate JSON document before accessing fields in onEvent()
- Handle null backend pointer from failed init
- Set biography label to PlainText and decode HTML entities to prevent
  rendering injected content from API responses
- Clamp slider position and guard negative durations
- Use qint64 for duration formatting to avoid int truncation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
joren
2026-03-24 23:19:04 +01:00
parent eb5c151d3a
commit 5bda2396d1
8 changed files with 51 additions and 13 deletions


@@ -96,7 +96,9 @@ pub struct Backend(BackendInner);
// ---------- Helpers ----------
fn call_cb(cb: EventCallback, ud: SendPtr, ev: c_int, json: &str) {
let cstr = CString::new(json).unwrap_or_else(|_| CString::new("{}").unwrap());
// Strip null bytes that would cause CString::new to fail
let safe = json.replace('\0', "");
let cstr = CString::new(safe).unwrap_or_else(|_| CString::new("{}").unwrap());
unsafe { cb(ud.0, ev, cstr.as_ptr()) };
}
@@ -119,8 +121,14 @@ pub unsafe extern "C" fn qobuz_backend_new(
event_cb: EventCallback,
userdata: *mut c_void,
) -> *mut Backend {
let rt = Runtime::new().expect("tokio runtime");
let client = Arc::new(Mutex::new(QobuzClient::new().expect("QobuzClient")));
let rt = match Runtime::new() {
Ok(r) => r,
Err(_) => return std::ptr::null_mut(),
};
let client = match QobuzClient::new() {
Ok(c) => Arc::new(Mutex::new(c)),
Err(_) => return std::ptr::null_mut(),
};
let player = Player::new();
Box::into_raw(Box::new(Backend(BackendInner {