feat: systematic functional audit — fix 18 issues across Phase A/B

Phase A (P1 production blockers):
- A1: Apply IP rate limiting to public routes (login/refresh)
- A2: Publish domain events for workflow instance state transitions
  (completed/suspended/resumed/terminated) via outbox pattern
- A3: Replace hardcoded nil UUID default tenant with dynamic DB lookup
- A4: Add GET /api/v1/audit-logs query endpoint with pagination
- A5: Enhance CORS wildcard warning for production environments

Phase B (P2 functional gaps):
- B1: Remove dead erp-common crate (zero references in codebase)
- B2: Refactor 5 settings pages to use typed API modules instead of
  direct client calls; create api/themes.ts; delete dead errors.ts
- B3: Add resume/suspend buttons to InstanceMonitor page
- B4: Remove unused EventHandler trait from erp-core
- B5: Handle task.completed events in message module (send notifications)
- B6: Wire TimeoutChecker as 60s background task
- B7: Auto-skip ServiceTask nodes instead of crashing the process
- B8: Remove empty register_routes() from ErpModule trait and modules

Cargo.toml

@@ -2,7 +2,6 @@
 resolver = "2"
 members = [
     "crates/erp-core",
-    "crates/erp-common",
     "crates/erp-server",
     "crates/erp-auth",
     "crates/erp-workflow",
@@ -75,7 +74,6 @@ async-trait = "0.1"
 
 # Internal crates
 erp-core = { path = "crates/erp-core" }
-erp-common = { path = "crates/erp-common" }
 erp-auth = { path = "crates/erp-auth" }
 erp-workflow = { path = "crates/erp-workflow" }
 erp-message = { path = "crates/erp-message" }