fix(config): resolve critical audit findings from Phase 1-3 review

- C-1: Add tenant_id to settings unique index to prevent cross-tenant conflicts
- C-2: Move pg_advisory_xact_lock inside the transaction for correct concurrency
  (previously lock was released before the numbering transaction started)
- H-5: Add CORS middleware (permissive for dev, TODO: restrict in production)

crates/erp-server/migration/src/m20260412_000016_create_settings.rs

@@ -68,7 +68,7 @@ impl MigrationTrait for Migration {
 
         manager.get_connection().execute(sea_orm::Statement::from_string(
             sea_orm::DatabaseBackend::Postgres,
-            "CREATE UNIQUE INDEX idx_settings_scope_key ON settings (scope, scope_id, setting_key) WHERE deleted_at IS NULL".to_string(),
+            "CREATE UNIQUE INDEX idx_settings_scope_key ON settings (tenant_id, scope, scope_id, setting_key) WHERE deleted_at IS NULL".to_string(),
         )).await.map_err(|e| DbErr::Custom(e.to_string()))?;
 
         Ok(())

crates/erp-server/src/main.rs

@@ -153,7 +153,11 @@ async fn main() -> anyhow::Result<()> {
         .with_state(state.clone());
 
     // Merge public + protected into the final application router
-    let app = Router::new().merge(public_routes).merge(protected_routes);
+    let cors = tower_http::cors::CorsLayer::permissive(); // TODO: restrict origins in production
+    let app = Router::new()
+        .merge(public_routes)
+        .merge(protected_routes)
+        .layer(cors);
 
     let addr = format!("{}:{}", host, port);
     let listener = tokio::net::TcpListener::bind(&addr).await?;