fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml)
- Auth store: synchronously restore state at creation to eliminate
  flash-of-login-page on refresh
- MainLayout: menu highlight now tracks current route via useLocation
- Add extractErrorMessage() utility to reduce repeated error parsing
- Fix all clippy warnings across 4 crates (erp-auth, erp-config,
  erp-workflow, erp-message): remove unnecessary casts, use div_ceil,
  collapse nested ifs, reduce function arguments with DTOs
iven
2026-04-11 12:36:34 +08:00
parent 5c899e6f4a
commit 3a05523d23
35 changed files with 283 additions and 187 deletions

5
Cargo.lock generated

@@ -875,15 +875,19 @@ name = "erp-message"
version = "0.1.0"
dependencies = [
"anyhow",
"async-trait",
"axum",
"chrono",
"erp-core",
"sea-orm",
"serde",
"serde_json",
"thiserror",
"tokio",
"tracing",
"utoipa",
"uuid",
"validator",
]
[[package]]
@@ -897,6 +901,7 @@ dependencies = [
"erp-common",
"erp-config",
"erp-core",
"erp-message",
"erp-server-migration",
"erp-workflow",
"redis",