feat(config): add system configuration module (Phase 3)

Implement the complete erp-config crate with:
- Data dictionaries (CRUD + items management)
- Dynamic menus (tree structure with role filtering)
- System settings (hierarchical: platform > tenant > org > user)
- Numbering rules (concurrency-safe via PostgreSQL advisory_lock)
- Theme and language configuration (via settings store)
- 6 database migrations (dictionaries, menus, settings, numbering_rules)
- Frontend Settings page with 5 tabs (dictionary, menu, numbering, settings, theme)

Refactor: move RBAC functions (require_permission) from erp-auth to erp-core
to avoid cross-module dependencies.

Add 20 new seed permissions for config module operations.

crates/erp-server/src/main.rs

@@ -101,8 +101,14 @@ async fn main() -> anyhow::Result<()> {
     let auth_module = erp_auth::AuthModule::new();
     tracing::info!(module = auth_module.name(), version = auth_module.version(), "Auth module initialized");
 
-    // Initialize module registry and register auth module
-    let registry = ModuleRegistry::new().register(auth_module);
+    // Initialize config module
+    let config_module = erp_config::ConfigModule::new();
+    tracing::info!(module = config_module.name(), version = config_module.version(), "Config module initialized");
+
+    // Initialize module registry and register modules
+    let registry = ModuleRegistry::new()
+        .register(auth_module)
+        .register(config_module);
     tracing::info!(module_count = registry.modules().len(), "Modules registered");
 
     // Register event handlers
@@ -139,6 +145,7 @@ async fn main() -> anyhow::Result<()> {
 
     // Protected routes (JWT authentication required)
     let protected_routes = erp_auth::AuthModule::protected_routes()
+        .merge(erp_config::ConfigModule::protected_routes())
         .layer(middleware::from_fn(move |req, next| {
             let secret = jwt_secret.clone();
             async move { jwt_auth_middleware_fn(secret, req, next).await }

crates/erp-server/src/state.rs

@@ -50,3 +50,13 @@ impl FromRef<AppState> for erp_auth::AuthState {
         }
     }
 }
+
+/// Allow erp-config handlers to extract their required state without depending on erp-server.
+impl FromRef<AppState> for erp_config::ConfigState {
+    fn from_ref(state: &AppState) -> Self {
+        Self {
+            db: state.db.clone(),
+            event_bus: state.event_bus.clone(),
+        }
+    }
+}