feat(config): add system configuration module (Phase 3)

Implement the complete erp-config crate with:
- Data dictionaries (CRUD + items management)
- Dynamic menus (tree structure with role filtering)
- System settings (hierarchical: platform > tenant > org > user)
- Numbering rules (concurrency-safe via PostgreSQL advisory_lock)
- Theme and language configuration (via settings store)
- 6 database migrations (dictionaries, menus, settings, numbering_rules)
- Frontend Settings page with 5 tabs (dictionary, menu, numbering, settings, theme)

Refactor: move RBAC functions (require_permission) from erp-auth to erp-core
to avoid cross-module dependencies.

Add 20 new seed permissions for config module operations.

crates/erp-auth/src/handler/org_handler.rs

@@ -12,7 +12,7 @@ use crate::dto::{
     CreateDepartmentReq, CreateOrganizationReq, CreatePositionReq, DepartmentResp,
     OrganizationResp, PositionResp, UpdateDepartmentReq, UpdateOrganizationReq, UpdatePositionReq,
 };
-use crate::middleware::rbac::require_permission;
+use erp_core::rbac::require_permission;
 use crate::service::dept_service::DeptService;
 use crate::service::org_service::OrgService;
 use crate::service::position_service::PositionService;

crates/erp-auth/src/handler/role_handler.rs

@@ -9,7 +9,7 @@ use uuid::Uuid;
 
 use crate::auth_state::AuthState;
 use crate::dto::{AssignPermissionsReq, CreateRoleReq, PermissionResp, RoleResp, UpdateRoleReq};
-use crate::middleware::rbac::require_permission;
+use erp_core::rbac::require_permission;
 use crate::service::permission_service::PermissionService;
 use crate::service::role_service::RoleService;
 

crates/erp-auth/src/handler/user_handler.rs

@@ -9,7 +9,7 @@ use uuid::Uuid;
 
 use crate::auth_state::AuthState;
 use crate::dto::{CreateUserReq, UpdateUserReq, UserResp};
-use crate::middleware::rbac::require_permission;
+use erp_core::rbac::require_permission;
 use crate::service::user_service::UserService;
 
 /// GET /api/v1/users