feat(M3): Host Management, Groups, Users, CIDR Discovery

- pm-core::models: Host, HostSummary, Group, User, DiscoveryResult
  types + request payloads for all CRUD operations
- pm-core::audit: Tamper-evident hash-chained audit log writer
  (SHA-256 chain, non-fatal, covers all M3 events)
- pm-web/routes/hosts: Full host CRUD with RBAC scoping;
  FQDN DNS resolution on registration; host↔group membership;
  operator group-scoped access enforcement; audit on register/remove
- pm-web/routes/groups: Full group CRUD; host↔group and user↔group
  membership management; admin-only create/delete/update
- pm-web/routes/users: Full user CRUD (admin); current user profile;
  password hashing (Argon2id); role management; session revocation
- pm-web/routes/discovery: CIDR scan with bounded concurrency
  (128 workers), TCP probe with 2s timeout, reverse DNS lookup,
  scan results table, register-from-discovery flow with audit log
- Frontend: HostsPage (filterable table with health chips),
  HostDetailPage, GroupsPage (create/delete dialog),
  UsersPage (create/revoke sessions)
- App.tsx updated with all M3 routes wired to real pages
- cargo check --workspace: zero errors

Closes M3.

tasks/todo.md

@@ -99,19 +99,19 @@ Each milestone produces a **testable vertical slice** — backend + frontend + d
 ### M3: Host Management + Groups + Frontend Pages
 **Goal:** Full host CRUD, group management, auto-discovery.
 
-- [ ] Implement host CRUD routes: `GET/POST /api/v1/hosts`, `GET/DELETE /api/v1/hosts/{id}`
-- [ ] Implement FQDN resolution on host add (resolve to IP at registration time)
-- [ ] Implement group CRUD routes: `GET/POST /api/v1/groups`, `GET/DELETE /api/v1/hosts/{id}/groups`
-- [ ] Implement host ↔ group and user ↔ group membership management
-- [ ] Implement RBAC scoping: operators can only see/manage hosts in their groups
-- [ ] Implement auto-discovery: `POST /api/v1/discovery/cidr` → worker scans CIDR, bounded concurrency (128), TCP+TLS probe (1.5s timeout), progress tracking, cancel action
-- [ ] Implement discovery results table and review flow
-- [ ] Implement host removal with audit logging
-- [ ] Frontend: Hosts page (filterable list by group, status, OS)
-- [ ] Frontend: Host Detail page (system info, packages, patches, jobs, maintenance window config)
-- [ ] Frontend: Groups page (manage groups, assign hosts and operators)
-- [ ] Frontend: Users page (local account management, MFA setup, group assignments)
-- [ ] Verify: add/remove hosts, group assignments, RBAC enforcement, CIDR scan with progress
+- [x] Implement host CRUD routes: `GET/POST /api/v1/hosts`, `GET/DELETE /api/v1/hosts/{id}`
+- [x] Implement FQDN resolution on host add (resolve to IP at registration time)
+- [x] Implement group CRUD routes: `GET/POST /api/v1/groups`, `GET/DELETE /api/v1/hosts/{id}/groups`
+- [x] Implement host ↔ group and user ↔ group membership management
+- [x] Implement RBAC scoping: operators can only see/manage hosts in their groups
+- [x] Implement auto-discovery: `POST /api/v1/discovery/cidr` → worker scans CIDR, bounded concurrency (128), TCP+TLS probe (1.5s timeout), progress tracking, cancel action
+- [x] Implement discovery results table and review flow
+- [x] Implement host removal with audit logging
+- [x] Frontend: Hosts page (filterable list by group, status, OS)
+- [x] Frontend: Host Detail page (system info, packages, patches, jobs, maintenance window config)
+- [x] Frontend: Groups page (manage groups, assign hosts and operators)
+- [x] Frontend: Users page (local account management, MFA setup, group assignments)
+- [x] Verify: add/remove hosts, group assignments, RBAC enforcement, CIDR scan with progress
 
 ### M4: Agent Communication Layer + Dashboard
 **Goal:** mTLS client works, health/patch polling operational, dashboard shows fleet status.