feat(M3): Host Management, Groups, Users, CIDR Discovery

- pm-core::models: Host, HostSummary, Group, User, DiscoveryResult
  types + request payloads for all CRUD operations
- pm-core::audit: Tamper-evident hash-chained audit log writer
  (SHA-256 chain, non-fatal, covers all M3 events)
- pm-web/routes/hosts: Full host CRUD with RBAC scoping;
  FQDN DNS resolution on registration; host↔group membership;
  operator group-scoped access enforcement; audit on register/remove
- pm-web/routes/groups: Full group CRUD; host↔group and user↔group
  membership management; admin-only create/delete/update
- pm-web/routes/users: Full user CRUD (admin); current user profile;
  password hashing (Argon2id); role management; session revocation
- pm-web/routes/discovery: CIDR scan with bounded concurrency
  (128 workers), TCP probe with 2s timeout, reverse DNS lookup,
  scan results table, register-from-discovery flow with audit log
- Frontend: HostsPage (filterable table with health chips),
  HostDetailPage, GroupsPage (create/delete dialog),
  UsersPage (create/revoke sessions)
- App.tsx updated with all M3 routes wired to real pages
- cargo check --workspace: zero errors

Closes M3.

crates/pm-core/src/lib.rs

@@ -2,8 +2,16 @@ pub mod config;
 pub mod db;
 pub mod error;
 pub mod logging;
+pub mod models;
+pub mod audit;
 pub mod request_id;
 
 // Re-export commonly used types
 pub use error::{AppError, ErrorResponse};
 pub use config::AppConfig;
+pub use models::{
+    Host, HostSummary, HostHealthStatus, CreateHostRequest,
+    Group, CreateGroupRequest, UpdateGroupRequest,
+    User, UserRole as DbUserRole, AuthProvider, CreateUserRequest, UpdateUserRequest,
+    DiscoveryResult, DiscoveryCidrRequest, RegisterDiscoveredRequest,
+};