fix(config): resolve critical audit findings from Phase 1-3 review

- C-1: Add tenant_id to settings unique index to prevent cross-tenant conflicts
- C-2: Move pg_advisory_xact_lock inside the transaction for correct concurrency
  (previously lock was released before the numbering transaction started)
- H-5: Add CORS middleware (permissive for dev, TODO: restrict in production)

crates/erp-server/src/main.rs

@@ -153,7 +153,11 @@ async fn main() -> anyhow::Result<()> {
         .with_state(state.clone());
 
     // Merge public + protected into the final application router
-    let app = Router::new().merge(public_routes).merge(protected_routes);
+    let cors = tower_http::cors::CorsLayer::permissive(); // TODO: restrict origins in production
+    let app = Router::new()
+        .merge(public_routes)
+        .merge(protected_routes)
+        .layer(cors);
 
     let addr = format!("{}:{}", host, port);
     let listener = tokio::net::TcpListener::bind(&addr).await?;