feat(auth): implement core service layer (password, JWT, auth, user CRUD)

- error.rs: AuthError with proper HTTP status mapping
- service/password.rs: Argon2 hash/verify with tests
- service/token_service.rs: JWT sign/validate, token DB storage with SHA-256 hash
- service/auth_service.rs: login/refresh/logout flows with event publishing
- service/user_service.rs: user CRUD with soft delete and tenant isolation
- Added sha2 dependency to workspace for token hashing

crates/erp-auth/src/error.rs

@@ -0,0 +1,42 @@
+use erp_core::error::AppError;
+
+/// Auth module error types
+#[derive(Debug, thiserror::Error)]
+pub enum AuthError {
+    #[error("用户名或密码错误")]
+    InvalidCredentials,
+
+    #[error("Token 已过期")]
+    TokenExpired,
+
+    #[error("Token 已被吊销")]
+    TokenRevoked,
+
+    #[error("用户已被{0}")]
+    UserDisabled(String),
+
+    #[error("密码哈希错误")]
+    HashError(String),
+
+    #[error("JWT 错误: {0}")]
+    JwtError(#[from] jsonwebtoken::errors::Error),
+
+    #[error("{0}")]
+    Validation(String),
+}
+
+impl From<AuthError> for AppError {
+    fn from(err: AuthError) -> Self {
+        match err {
+            AuthError::InvalidCredentials => AppError::Unauthorized,
+            AuthError::TokenExpired => AppError::Unauthorized,
+            AuthError::TokenRevoked => AppError::Unauthorized,
+            AuthError::UserDisabled(s) => AppError::Forbidden(s),
+            AuthError::Validation(s) => AppError::Validation(s),
+            AuthError::HashError(_) => AppError::Internal(err.to_string()),
+            AuthError::JwtError(_) => AppError::Unauthorized,
+        }
+    }
+}
+
+pub type AuthResult<T> = Result<T, AuthError>;