feat(core): DEK 缓存 + 密钥轮换管理端点

- erp-core/crypto/key_manager: DashMap LRU DEK 缓存 (TTL 5min, 100条)
- DekManager: get_or_create_dek, generate_new_dek, invalidate
- PiiCrypto 集成 DekManager
- POST /api/v1/admin/tenants/:id/rotate-key: 生成新 DEK + 缓存失效
- 权限: tenant.manage (仅超级管理员)

crates/erp-server/src/main.rs

@@ -509,6 +509,10 @@ async fn main() -> anyhow::Result<()> {
         .merge(erp_health::HealthModule::protected_routes())
         .merge(erp_ai::AiModule::protected_routes())
         .merge(handlers::audit_log::audit_log_router())
+        .route(
+            "/admin/tenants/{id}/rotate-key",
+            axum::routing::post(handlers::crypto_admin::rotate_tenant_key),
+        )
         .layer(axum::middleware::from_fn_with_state(
             state.clone(),
             middleware::rate_limit::rate_limit_by_user,