fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml)
- Auth store: synchronously restore state at creation to eliminate
  flash-of-login-page on refresh
- MainLayout: menu highlight now tracks current route via useLocation
- Add extractErrorMessage() utility to reduce repeated error parsing
- Fix all clippy warnings across 4 crates (erp-auth, erp-config,
  erp-workflow, erp-message): remove unnecessary casts, use div_ceil,
  collapse nested ifs, reduce function arguments with DTOs

crates/erp-config/src/handler/language_handler.rs

@@ -7,7 +7,7 @@ use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, Pagination, TenantContext};
 
 use crate::config_state::ConfigState;
-use crate::dto::{LanguageResp, UpdateLanguageReq};
+use crate::dto::{LanguageResp, SetSettingParams, UpdateLanguageReq};
 use crate::service::setting_service::SettingService;
 
 /// GET /api/v1/languages
@@ -82,10 +82,12 @@ where
     let value = serde_json::json!({"is_active": req.is_active});
 
     SettingService::set(
-        &key,
-        "platform",
-        &None,
-        value,
+        SetSettingParams {
+            key,
+            scope: "platform".to_string(),
+            scope_id: None,
+            value,
+        },
         ctx.tenant_id,
         ctx.user_id,
         &state.db,