feat: auth hardening + codebase quality sweep

Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository,
login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout,
JWT expiry 24h→1h, configurable via with_expiry().

Route protection: require_auth middleware on protected routes,
public routes split (register, login, refresh, sharing/access).

Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery,
GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates
on processing, storage, sidecar, duplicates handlers.

Quality fixes: visibility filtering bypass in search(), unwrap panics in
date parsing, DRY auth header parsing, centralized parsers module,
email validation via email_address crate, value objects (Username, MimeType,
RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated,
TagCreated, DuplicateDetected), postgres error mapping for constraint
violations, OptionExt::or_not_found helper, in_memory_repo! macro,
GetStackQuery moved to queries, album add_entry 200→201.

crates/presentation/src/state.rs

@@ -2,16 +2,21 @@ use std::sync::Arc;
 
 use application::{
     catalog::{
-        GetAssetHandler, GetTimelineHandler, ReadAssetFileHandler, ReadDerivativeHandler,
-        RegisterAssetHandler, UpdateMetadataHandler,
+        CreateStackHandler, DeleteAssetHandler, DeleteStackHandler, DetectLivePhotosHandler,
+        GetAssetHandler, GetStackHandler, GetTimelineHandler, ListDuplicatesHandler,
+        ReadAssetFileHandler, ReadDerivativeHandler, RegisterAssetHandler, ResolveDuplicateHandler,
+        SearchAssetsHandler, UpdateMetadataHandler,
+    },
+    identity::{
+        GetProfileHandler, LoginUserHandler, LogoutHandler, RefreshTokenHandler,
+        RegisterUserHandler,
     },
-    identity::{GetProfileHandler, LoginUserHandler, RegisterUserHandler},
     organization::{
         CreateAlbumHandler, GetAlbumHandler, ManageAlbumEntriesHandler, TagAssetHandler,
     },
     processing::{
         CompleteJobHandler, ConfigurePipelineHandler, EnqueueJobHandler, FailJobHandler,
-        ManagePluginHandler, ReportBatchProgressHandler, StartJobHandler,
+        ListJobsHandler, ManagePluginHandler, ReportBatchProgressHandler, StartJobHandler,
     },
     sharing::{
         AccessSharedResourceHandler, GenerateShareLinkHandler, RevokeShareHandler,
@@ -25,13 +30,16 @@ use application::{
         CheckQuotaHandler, IngestAssetHandler, RegisterLibraryPathHandler, RegisterVolumeHandler,
     },
 };
-use domain::ports::TokenIssuer;
+use domain::ports::{RefreshTokenRepository, TokenIssuer};
 
 #[derive(Clone)]
 pub struct IdentityHandlers {
     pub register: Arc<RegisterUserHandler>,
     pub login: Arc<LoginUserHandler>,
     pub get_profile: Arc<GetProfileHandler>,
+    pub refresh: Arc<RefreshTokenHandler>,
+    pub logout: Arc<LogoutHandler>,
+    pub refresh_token_repo: Arc<dyn RefreshTokenRepository>,
 }
 
 #[derive(Clone)]
@@ -43,6 +51,14 @@ pub struct CatalogHandlers {
     pub read_asset_file: Arc<ReadAssetFileHandler>,
     pub read_derivative: Arc<ReadDerivativeHandler>,
     pub register_asset: Arc<RegisterAssetHandler>,
+    pub delete_asset: Arc<DeleteAssetHandler>,
+    pub search_assets: Arc<SearchAssetsHandler>,
+    pub list_duplicates: Arc<ListDuplicatesHandler>,
+    pub resolve_duplicate: Arc<ResolveDuplicateHandler>,
+    pub create_stack: Arc<CreateStackHandler>,
+    pub get_stack: Arc<GetStackHandler>,
+    pub delete_stack: Arc<DeleteStackHandler>,
+    pub detect_live_photos: Arc<DetectLivePhotosHandler>,
 }
 
 #[derive(Clone)]
@@ -84,6 +100,7 @@ pub struct ProcessingHandlers {
     pub start_job: Arc<StartJobHandler>,
     pub complete_job: Arc<CompleteJobHandler>,
     pub fail_job: Arc<FailJobHandler>,
+    pub list_jobs: Arc<ListJobsHandler>,
     pub batch_progress: Arc<ReportBatchProgressHandler>,
     pub manage_plugin: Arc<ManagePluginHandler>,
     pub configure_pipeline: Arc<ConfigurePipelineHandler>,