fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml)
- Auth store: synchronously restore state at creation to eliminate
  flash-of-login-page on refresh
- MainLayout: menu highlight now tracks current route via useLocation
- Add extractErrorMessage() utility to reduce repeated error parsing
- Fix all clippy warnings across 4 crates (erp-auth, erp-config,
  erp-workflow, erp-message): remove unnecessary casts, use div_ceil,
  collapse nested ifs, reduce function arguments with DTOs

crates/erp-config/src/service/menu_service.rs

@@ -142,10 +142,10 @@ impl MenuService {
             .map_err(|e| ConfigError::Validation(e.to_string()))?;
 
         // 关联角色（如果提供了 role_ids）
-        if let Some(role_ids) = &req.role_ids {
-            if !role_ids.is_empty() {
-                Self::assign_roles(id, role_ids, tenant_id, operator_id, db).await?;
-            }
+        if let Some(role_ids) = &req.role_ids
+            && !role_ids.is_empty()
+        {
+            Self::assign_roles(id, role_ids, tenant_id, operator_id, db).await?;
         }
 
         event_bus.publish(erp_core::events::DomainEvent::new(