fix: security hardening and code quality improvements

Build hardening:
- Add -fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE, full RELRO
- Enable overflow-checks in Rust release profile

Rust backend:
- Return null (not panic) if Tokio runtime or QobuzClient init fails
- Strip null bytes in FFI JSON callback to prevent CString panics
- Document MD5 and password-in-query as Qobuz API constraints

C++ frontend:
- Validate JSON document before accessing fields in onEvent()
- Handle null backend pointer from failed init
- Set biography label to PlainText and decode HTML entities to prevent
  rendering injected content from API responses
- Clamp slider position and guard negative durations
- Use qint64 for duration formatting to avoid int truncation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/backend/qobuzbackend.cpp

@@ -8,6 +8,10 @@ QobuzBackend::QobuzBackend(QObject *parent)
     : QObject(parent)
 {
     m_backend = qobuz_backend_new(&QobuzBackend::eventTrampoline, this);
+    if (!m_backend) {
+        qCritical("Failed to initialize Qobuz backend");
+        return;
+    }
 
     m_positionTimer = new QTimer(this);
     m_positionTimer->setInterval(50);
@@ -194,7 +198,12 @@ void QobuzBackend::onPositionTick()
 
 void QobuzBackend::onEvent(int eventType, const QString &json)
 {
-    const QJsonObject obj = QJsonDocument::fromJson(json.toUtf8()).object();
+    const QJsonDocument doc = QJsonDocument::fromJson(json.toUtf8());
+    if (!doc.isObject()) {
+        emit error(tr("Malformed response from backend"));
+        return;
+    }
+    const QJsonObject obj = doc.object();
 
     switch (eventType) {
     case EV_LOGIN_OK: