fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml)
- Auth store: synchronously restore state at creation to eliminate
  flash-of-login-page on refresh
- MainLayout: menu highlight now tracks current route via useLocation
- Add extractErrorMessage() utility to reduce repeated error parsing
- Fix all clippy warnings across 4 crates (erp-auth, erp-config,
  erp-workflow, erp-message): remove unnecessary casts, use div_ceil,
  collapse nested ifs, reduce function arguments with DTOs

crates/erp-message/src/module.rs

@@ -62,8 +62,6 @@ impl MessageModule {
     ///
     /// 在 main.rs 中调用，因为需要 db 连接。
     pub fn start_event_listener(db: sea_orm::DatabaseConnection, event_bus: EventBus) {
-        use sea_orm::ConnectionTrait;
-
         let mut rx = event_bus.subscribe();
         tokio::spawn(async move {
             loop {