feat: auth hardening + codebase quality sweep

Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository,
login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout,
JWT expiry 24h→1h, configurable via with_expiry().

Route protection: require_auth middleware on protected routes,
public routes split (register, login, refresh, sharing/access).

Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery,
GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates
on processing, storage, sidecar, duplicates handlers.

Quality fixes: visibility filtering bypass in search(), unwrap panics in
date parsing, DRY auth header parsing, centralized parsers module,
email validation via email_address crate, value objects (Username, MimeType,
RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated,
TagCreated, DuplicateDetected), postgres error mapping for constraint
violations, OptionExt::or_not_found helper, in_memory_repo! macro,
GetStackQuery moved to queries, album add_entry 200→201.

crates/adapters/postgres/migrations/013_asset_stacks.sql

@@ -0,0 +1,9 @@
+CREATE TABLE asset_stacks (
+    stack_id         UUID PRIMARY KEY,
+    stack_type       TEXT NOT NULL,
+    primary_asset_id UUID NOT NULL REFERENCES assets(asset_id),
+    owner_user_id    UUID NOT NULL,
+    members          JSONB NOT NULL DEFAULT '[]'
+);
+
+CREATE INDEX idx_stacks_owner ON asset_stacks(owner_user_id);

crates/adapters/postgres/migrations/014_refresh_tokens.sql

@@ -0,0 +1,10 @@
+CREATE TABLE refresh_tokens (
+    token_id   UUID PRIMARY KEY,
+    user_id    UUID NOT NULL REFERENCES users(id),
+    token_hash TEXT NOT NULL,
+    expires_at TIMESTAMPTZ NOT NULL,
+    revoked    BOOLEAN NOT NULL DEFAULT FALSE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_refresh_tokens_user ON refresh_tokens(user_id);