feat(auth): add handlers, JWT middleware, RBAC, and module registration

- Auth handlers: login/refresh/logout + user CRUD with tenant isolation
- JWT middleware: Bearer token validation → TenantContext injection
- RBAC helpers: require_permission, require_any_permission, require_role
- AuthModule: implements ErpModule with public/protected route split
- AuthState: FromRef pattern avoids circular deps between erp-auth and erp-server
- Server: public routes (health+login+refresh) + protected routes (JWT middleware)
- ErpModule trait: added as_any() for downcast support
- Workspace: added async-trait, sha2 dependencies

crates/erp-core/Cargo.toml

@@ -14,4 +14,4 @@ anyhow.workspace = true
 tracing.workspace = true
 axum.workspace = true
 sea-orm.workspace = true
-async-trait = "0.1"
+async-trait.workspace = true

crates/erp-core/src/module.rs

@@ -1,3 +1,4 @@
+use std::any::Any;
 use std::sync::Arc;
 
 use axum::Router;
@@ -38,6 +39,12 @@ pub trait ErpModule: Send + Sync {
     async fn on_tenant_deleted(&self, _tenant_id: Uuid) -> AppResult<()> {
         Ok(())
     }
+
+    /// Downcast support: return `self` as `&dyn Any` for concrete type access.
+    ///
+    /// This allows the server crate to retrieve module-specific methods
+    /// (e.g. `AuthModule::public_routes()`) that are not part of the trait.
+    fn as_any(&self) -> &dyn Any;
 }
 
 /// 模块注册器 — 用 Arc 包装使其可 Clone（用于 Axum State）