feat: auth hardening + codebase quality sweep

Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository,
login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout,
JWT expiry 24h→1h, configurable via with_expiry().

Route protection: require_auth middleware on protected routes,
public routes split (register, login, refresh, sharing/access).

Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery,
GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates
on processing, storage, sidecar, duplicates handlers.

Quality fixes: visibility filtering bypass in search(), unwrap panics in
date parsing, DRY auth header parsing, centralized parsers module,
email validation via email_address crate, value objects (Username, MimeType,
RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated,
TagCreated, DuplicateDetected), postgres error mapping for constraint
violations, OptionExt::or_not_found helper, in_memory_repo! macro,
GetStackQuery moved to queries, album add_entry 200→201.

crates/adapters/event-payload/src/lib.rs

@@ -54,6 +54,29 @@ pub enum EventPayload {
         error: String,
         timestamp: String,
     },
+    UserCreated {
+        user_id: String,
+        timestamp: String,
+    },
+    UserDeleted {
+        user_id: String,
+        timestamp: String,
+    },
+    AlbumCreated {
+        album_id: String,
+        creator_id: String,
+        timestamp: String,
+    },
+    TagCreated {
+        tag_id: String,
+        asset_id: String,
+        timestamp: String,
+    },
+    DuplicateDetected {
+        group_id: String,
+        asset_ids: Vec<String>,
+        timestamp: String,
+    },
 }
 
 impl EventPayload {
@@ -69,6 +92,11 @@ impl EventPayload {
             Self::JobEnqueued { .. } => "jobs.enqueued",
             Self::JobCompleted { .. } => "jobs.completed",
             Self::JobFailed { .. } => "jobs.failed",
+            Self::UserCreated { .. } => "users.created",
+            Self::UserDeleted { .. } => "users.deleted",
+            Self::AlbumCreated { .. } => "albums.created",
+            Self::TagCreated { .. } => "tags.created",
+            Self::DuplicateDetected { .. } => "duplicates.detected",
         }
     }
 }
@@ -163,6 +191,41 @@ impl From<&DomainEvent> for EventPayload {
                 error: error.clone(),
                 timestamp: timestamp.to_string(),
             },
+            DomainEvent::UserCreated { user_id, timestamp } => Self::UserCreated {
+                user_id: user_id.to_string(),
+                timestamp: timestamp.to_string(),
+            },
+            DomainEvent::UserDeleted { user_id, timestamp } => Self::UserDeleted {
+                user_id: user_id.to_string(),
+                timestamp: timestamp.to_string(),
+            },
+            DomainEvent::AlbumCreated {
+                album_id,
+                creator_id,
+                timestamp,
+            } => Self::AlbumCreated {
+                album_id: album_id.to_string(),
+                creator_id: creator_id.to_string(),
+                timestamp: timestamp.to_string(),
+            },
+            DomainEvent::TagCreated {
+                tag_id,
+                asset_id,
+                timestamp,
+            } => Self::TagCreated {
+                tag_id: tag_id.to_string(),
+                asset_id: asset_id.to_string(),
+                timestamp: timestamp.to_string(),
+            },
+            DomainEvent::DuplicateDetected {
+                group_id,
+                asset_ids,
+                timestamp,
+            } => Self::DuplicateDetected {
+                group_id: group_id.to_string(),
+                asset_ids: asset_ids.iter().map(|id| id.to_string()).collect(),
+                timestamp: timestamp.to_string(),
+            },
         }
     }
 }
@@ -273,6 +336,44 @@ impl TryFrom<EventPayload> for DomainEvent {
                 error,
                 timestamp: parse_timestamp(&timestamp)?,
             },
+            EventPayload::UserCreated { user_id, timestamp } => DomainEvent::UserCreated {
+                user_id: SystemId::from_uuid(parse_uuid(&user_id, "user_id")?),
+                timestamp: parse_timestamp(&timestamp)?,
+            },
+            EventPayload::UserDeleted { user_id, timestamp } => DomainEvent::UserDeleted {
+                user_id: SystemId::from_uuid(parse_uuid(&user_id, "user_id")?),
+                timestamp: parse_timestamp(&timestamp)?,
+            },
+            EventPayload::AlbumCreated {
+                album_id,
+                creator_id,
+                timestamp,
+            } => DomainEvent::AlbumCreated {
+                album_id: SystemId::from_uuid(parse_uuid(&album_id, "album_id")?),
+                creator_id: SystemId::from_uuid(parse_uuid(&creator_id, "creator_id")?),
+                timestamp: parse_timestamp(&timestamp)?,
+            },
+            EventPayload::TagCreated {
+                tag_id,
+                asset_id,
+                timestamp,
+            } => DomainEvent::TagCreated {
+                tag_id: SystemId::from_uuid(parse_uuid(&tag_id, "tag_id")?),
+                asset_id: SystemId::from_uuid(parse_uuid(&asset_id, "asset_id")?),
+                timestamp: parse_timestamp(&timestamp)?,
+            },
+            EventPayload::DuplicateDetected {
+                group_id,
+                asset_ids,
+                timestamp,
+            } => DomainEvent::DuplicateDetected {
+                group_id: SystemId::from_uuid(parse_uuid(&group_id, "group_id")?),
+                asset_ids: asset_ids
+                    .iter()
+                    .map(|id| parse_uuid(id, "asset_id").map(SystemId::from_uuid))
+                    .collect::<Result<Vec<_>, _>>()?,
+                timestamp: parse_timestamp(&timestamp)?,
+            },
         })
     }
 }