feat(subsonic): per-user encrypted app-password foundation

Subsonic's token auth (t=md5(password+salt)) and its legacy p= parameter both require the
server to hold a recoverable secret, but login passwords are stored as a one-way argon2 hash.
per-user app-password: high-entropy, random, and encrypted at rest with a
Fernet key derived from SUBSONIC_SECRET_KEY (never stored in the DB).

- SubsonicPasswordCipher + generate_subsonic_password in core.security
- users.subsonic_password_enc column (+ Alembic migration), repo + port methods
- SubsonicAuthService: verify (t+s / p / p=enc:) and rotate/reveal lifecycle
- self-service GET/POST /users/me/subsonic-password + admin rotate endpoint
- domain SubsonicCredentials + SubsonicCipher port; deps wiring

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Senko-san
2026-06-08 18:23:19 +03:00
parent 4ade6939b6
commit 7a17e3babd
17 changed files with 535 additions and 9 deletions
+2 -1
@@ -6,7 +6,7 @@ from app.domain.entities.like import Like
from app.domain.entities.playlist import Playlist
from app.domain.entities.storage import ObjectStat
from app.domain.entities.track import Artist, Track
from app.domain.entities.user import Credentials, User
from app.domain.entities.user import Credentials, SubsonicCredentials, User
__all__ = [
"Album",
@@ -16,6 +16,7 @@ __all__ = [
"ObjectStat",
"PlayHistoryEntry",
"Playlist",
"SubsonicCredentials",
"Track",
"User",
]
+11
@@ -31,3 +31,14 @@ class Credentials:
user: User
password_hash: str
@dataclass(frozen=True, slots=True)
class SubsonicCredentials:
"""A user paired with their *encrypted* Subsonic app-password.
``password_enc`` is ``None`` until the user generates one. Stays inside the
application layer; the plaintext is only recovered for auth verification."""
user: User
password_enc: str | None
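Review bot: The docstring on the new `SubsonicCredentials` dataclass says the plaintext is only recovered for auth verification, but the commit description also adds a rotate/reveal lifecycle and a self-service GET /users/me/subsonic-password, so the plaintext is evidently also decrypted to show it to the owning user; the docstring should not promise a narrower contract than the code keeps. I would change the second sentence to: `The plaintext is recovered only by the Subsonic auth service (verification) and the owner's reveal endpoint; it is never stored.` Separately, the dataclass-generated `__repr__` prints `password_enc`, so the Fernet token lands in any log line that formats the object; `password_enc: str | None = field(repr=False)` keeps it out (this needs `field` from dataclasses, which I cannot see imported in this hunk). The sibling `Credentials` class starts outside this hunk.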
+25 -1
@@ -19,6 +19,7 @@ from app.domain.entities import (
ObjectStat,
PlayHistoryEntry,
Playlist,
SubsonicCredentials,
User,
)
from app.domain.entities.track import Artist, Track
@@ -34,6 +35,19 @@ class UserRepository(Protocol):
async def set_superuser(self, user_id: uuid.UUID, is_superuser: bool) -> User: ...
async def set_active(self, user_id: uuid.UUID, is_active: bool) -> User: ...
async def count(self) -> int: ...
# -- subsonic app-password (recoverable, encrypted at rest) ----------
async def get_subsonic_credentials_by_username(
self, username: str
) -> SubsonicCredentials | None: ...
async def get_subsonic_password_enc(self, user_id: uuid.UUID) -> str | None: ...
async def set_subsonic_password_enc(self, user_id: uuid.UUID, password_enc: str) -> None: ...
class SubsonicCipher(Protocol):
"""Symmetric encrypt/decrypt for the recoverable Subsonic app-password."""
def encrypt(self, plaintext: str) -> str: ...
def decrypt(self, token: str) -> str: ...
class RefreshTokenRepository(Protocol):
@@ -109,6 +123,9 @@ class TrackRepository(Protocol):
added_by: uuid.UUID | None,
) -> Track: ...
async def delete(self, track_id: uuid.UUID) -> None: ...
# genres must come before ``list`` — the method named ``list`` shadows the
# builtin in later annotations (same pattern as AlbumRepository below).
async def genres(self) -> list[tuple[str, int]]: ...
async def list(
self,
*,
@@ -145,7 +162,14 @@ class AlbumRepository(Protocol):
async def track_count_many(self, album_ids: list[uuid.UUID]) -> dict[uuid.UUID, int]: ...
# list must come after any method using list[...] in its signature (name shadowing)
async def list(
self, *, artist_id: uuid.UUID | None, q: str | None, limit: int, offset: int
self,
*,
artist_id: uuid.UUID | None,
q: str | None,
limit: int,
offset: int,
sort_by: str = "title",
order: str = "asc",
) -> list[Album]: ...
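Review bot: `AlbumRepository.list` now accepts `sort_by` and `order` as free-form `str` with string defaults, so any caller can push an arbitrary column name or direction down to the adapter; if the repository implementation (not in this hunk) builds its ORDER BY from these values, that is an injection point, and the port is where the contract should be pinned. At minimum narrow the direction to `order: Literal["asc", "desc"] = "asc"` (adding `Literal` to the existing typing import) and document on the port that `sort_by` must be resolved through an allowlist of column names in the adapter, never interpolated. On the Subsonic side, `SubsonicCipher.decrypt` does not say what happens on a tampered or wrong-key token — with the Fernet backing named in the commit message that is an `InvalidToken` exception — so its docstring should state `Raises on an invalid or tampered token; callers must map this to an auth failure, not a 500.` Both `AlbumRepository` and `TrackRepository` start outside this hunk.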