feat: auth hardening + codebase quality sweep

Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository,
login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout,
JWT expiry 24h→1h, configurable via with_expiry().

Route protection: require_auth middleware on protected routes,
public routes split (register, login, refresh, sharing/access).

Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery,
GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates
on processing, storage, sidecar, duplicates handlers.

Quality fixes: visibility filtering bypass in search(), unwrap panics in
date parsing, DRY auth header parsing, centralized parsers module,
email validation via email_address crate, value objects (Username, MimeType,
RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated,
TagCreated, DuplicateDetected), postgres error mapping for constraint
violations, OptionExt::or_not_found helper, in_memory_repo! macro,
GetStackQuery moved to queries, album add_entry 200→201.

crates/domain/src/catalog/entities.rs

@@ -54,6 +54,17 @@ impl Asset {
     }
 }
 
+// --- AssetFilters ---
+
+#[derive(Default)]
+pub struct AssetFilters {
+    pub asset_type: Option<AssetType>,
+    pub mime_type: Option<String>,
+    pub date_from: Option<DateTimeStamp>,
+    pub date_to: Option<DateTimeStamp>,
+    pub is_processed: Option<bool>,
+}
+
 // --- AssetMetadata ---
 
 #[derive(