Refactor storage to provider-agnostic band-scoped model

Replaces per-member Nextcloud credentials with a BandStorage model that
supports multiple providers. Credentials are Fernet-encrypted at rest;
worker receives audio via an internal streaming endpoint instead of
direct storage access.

- Add BandStorage DB model with partial unique index (one active per band)
- Add migrations 0007 (create band_storage) and 0008 (drop old nc columns)
- Add StorageFactory that builds the correct StorageClient from BandStorage
- Add storage router: connect/nextcloud, OAuth2 authorize/callback, list, disconnect
- Add Fernet encryption helpers in security/encryption.py
- Rewrite watcher for per-band polling via internal API config endpoint
- Update worker to stream audio from API instead of accessing storage directly
- Update frontend: new storage API in bands.ts, rewritten StorageSection,
  simplified band creation modal (no storage step)
- Add STORAGE_ENCRYPTION_KEY to all docker-compose files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/src/rehearsalhub/main.py

@@ -20,6 +20,7 @@ from rehearsalhub.routers import (
     members_router,
     sessions_router,
     songs_router,
+    storage_router,
     versions_router,
     ws_router,
 )
@@ -94,6 +95,7 @@ def create_app() -> FastAPI:
     app.include_router(annotations_router, prefix=prefix)
     app.include_router(members_router, prefix=prefix)
     app.include_router(internal_router, prefix=prefix)
+    app.include_router(storage_router, prefix=prefix)
     app.include_router(ws_router)  # WebSocket routes don't use /api/v1 prefix
 
     @app.get("/api/health")