feat(auth,plugin): Q3 行级数据权限 — user_departments 表 + JWT 注入 department_ids + data_scope 接线

- 新增 user_departments 关联表（migration + entity）
- JWT 中间件查询用户部门并注入 TenantContext.department_ids
- role_permission entity 添加 data_scope 字段
- data_handler 接线行级数据权限过滤（list/count/aggregate）
- DataScopeParams + build_scope_sql + merge_scope_condition 实现全链路

crates/erp-server/src/main.rs

@@ -426,10 +426,14 @@ async fn main() -> anyhow::Result<()> {
             state.clone(),
             middleware::rate_limit::rate_limit_by_user,
         ))
-        .layer(axum_middleware::from_fn(move |req, next| {
-            let secret = jwt_secret.clone();
-            async move { jwt_auth_middleware_fn(secret, req, next).await }
-        }))
+        .layer({
+            let db = state.db.clone();
+            axum_middleware::from_fn(move |req, next| {
+                let secret = jwt_secret.clone();
+                let db = db.clone();
+                async move { jwt_auth_middleware_fn(secret, Some(db), req, next).await }
+            })
+        })
         .with_state(state.clone());
 
     // Merge public + protected into the final application router