fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml)
- Auth store: synchronously restore state at creation to eliminate
  flash-of-login-page on refresh
- MainLayout: menu highlight now tracks current route via useLocation
- Add extractErrorMessage() utility to reduce repeated error parsing
- Fix all clippy warnings across 4 crates (erp-auth, erp-config,
  erp-workflow, erp-message): remove unnecessary casts, use div_ceil,
  collapse nested ifs, reduce function arguments with DTOs

crates/erp-config/src/handler/dictionary_handler.rs

@@ -35,7 +35,7 @@ where
 
     let page = pagination.page.unwrap_or(1);
     let page_size = pagination.limit();
-    let total_pages = (total + page_size - 1) / page_size;
+    let total_pages = total.div_ceil(page_size);
 
     Ok(Json(ApiResponse::ok(PaginatedResponse {
         data: dictionaries,

crates/erp-config/src/handler/language_handler.rs

@@ -7,7 +7,7 @@ use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, Pagination, TenantContext};
 
 use crate::config_state::ConfigState;
-use crate::dto::{LanguageResp, UpdateLanguageReq};
+use crate::dto::{LanguageResp, SetSettingParams, UpdateLanguageReq};
 use crate::service::setting_service::SettingService;
 
 /// GET /api/v1/languages
@@ -82,10 +82,12 @@ where
     let value = serde_json::json!({"is_active": req.is_active});
 
     SettingService::set(
-        &key,
-        "platform",
-        &None,
-        value,
+        SetSettingParams {
+            key,
+            scope: "platform".to_string(),
+            scope_id: None,
+            value,
+        },
         ctx.tenant_id,
         ctx.user_id,
         &state.db,

crates/erp-config/src/handler/numbering_handler.rs

@@ -33,7 +33,7 @@ where
 
     let page = pagination.page.unwrap_or(1);
     let page_size = pagination.limit();
-    let total_pages = (total + page_size - 1) / page_size;
+    let total_pages = total.div_ceil(page_size);
 
     Ok(Json(ApiResponse::ok(PaginatedResponse {
         data: rules,

crates/erp-config/src/handler/setting_handler.rs

@@ -8,7 +8,7 @@ use erp_core::types::{ApiResponse, TenantContext};
 use uuid::Uuid;
 
 use crate::config_state::ConfigState;
-use crate::dto::{SettingResp, UpdateSettingReq};
+use crate::dto::{SetSettingParams, SettingResp, UpdateSettingReq};
 use crate::service::setting_service::SettingService;
 
 /// GET /api/v1/settings/:key?scope=tenant&scope_id=xxx
@@ -54,10 +54,12 @@ where
     require_permission(&ctx, "setting.update")?;
 
     let setting = SettingService::set(
-        &key,
-        "tenant",
-        &None,
-        req.setting_value,
+        SetSettingParams {
+            key,
+            scope: "tenant".to_string(),
+            scope_id: None,
+            value: req.setting_value,
+        },
         ctx.tenant_id,
         ctx.user_id,
         &state.db,

crates/erp-config/src/handler/theme_handler.rs

@@ -7,7 +7,7 @@ use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, TenantContext};
 
 use crate::config_state::ConfigState;
-use crate::dto::ThemeResp;
+use crate::dto::{SetSettingParams, ThemeResp};
 use crate::service::setting_service::SettingService;
 
 /// GET /api/v1/theme
@@ -54,10 +54,12 @@ where
         .map_err(|e| AppError::Validation(format!("主题配置序列化失败: {e}")))?;
 
     SettingService::set(
-        "theme",
-        "tenant",
-        &None,
-        value,
+        SetSettingParams {
+            key: "theme".to_string(),
+            scope: "tenant".to_string(),
+            scope_id: None,
+            value,
+        },
         ctx.tenant_id,
         ctx.user_id,
         &state.db,