fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml)
- Auth store: synchronously restore state at creation to eliminate
  flash-of-login-page on refresh
- MainLayout: menu highlight now tracks current route via useLocation
- Add extractErrorMessage() utility to reduce repeated error parsing
- Fix all clippy warnings across 4 crates (erp-auth, erp-config,
  erp-workflow, erp-message): remove unnecessary casts, use div_ceil,
  collapse nested ifs, reduce function arguments with DTOs

crates/erp-config/src/handler/theme_handler.rs

@@ -7,7 +7,7 @@ use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, TenantContext};
 
 use crate::config_state::ConfigState;
-use crate::dto::ThemeResp;
+use crate::dto::{SetSettingParams, ThemeResp};
 use crate::service::setting_service::SettingService;
 
 /// GET /api/v1/theme
@@ -54,10 +54,12 @@ where
         .map_err(|e| AppError::Validation(format!("主题配置序列化失败: {e}")))?;
 
     SettingService::set(
-        "theme",
-        "tenant",
-        &None,
-        value,
+        SetSettingParams {
+            key: "theme".to_string(),
+            scope: "tenant".to_string(),
+            scope_id: None,
+            value,
+        },
         ctx.tenant_id,
         ctx.user_id,
         &state.db,