feat(auth): add handlers, JWT middleware, RBAC, and module registration

- Auth handlers: login/refresh/logout + user CRUD with tenant isolation
- JWT middleware: Bearer token validation → TenantContext injection
- RBAC helpers: require_permission, require_any_permission, require_role
- AuthModule: implements ErpModule with public/protected route split
- AuthState: FromRef pattern avoids circular deps between erp-auth and erp-server
- Server: public routes (health+login+refresh) + protected routes (JWT middleware)
- ErpModule trait: added as_any() for downcast support
- Workspace: added async-trait, sha2 dependencies

crates/erp-auth/src/middleware/mod.rs

@@ -0,0 +1,5 @@
+pub mod jwt_auth;
+pub mod rbac;
+
+pub use jwt_auth::jwt_auth_middleware_fn;
+pub use rbac::{require_any_permission, require_permission, require_role};