feat(M1): Project scaffolding, DB schema, core infrastructure

- Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core,
  pm-agent-client, pm-auth, pm-ca, pm-reports)
- React + TypeScript + Vite + MUI frontend scaffold
- Full PostgreSQL schema: all 17 tables with indexes and constraints
- pm-core: config (TOML+env), db (SQLx pool + migrations), error
  (unified AppError + JSON envelope), request_id (ULID middleware),
  logging (tracing JSON/pretty)
- pm-web: Axum skeleton, /status/health endpoint, static file serving
- pm-worker: Tokio skeleton, heartbeat writer, schema version check
- Embedded sqlx migrations with advisory lock (single-writer)
- systemd unit files, setup.sh, build-frontend.sh
- config.example.toml with all configuration keys
- docs/runbooks/restore.md
- cargo check passes with zero warnings

Closes M1.

crates/pm-auth/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "pm-auth"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+
+[dependencies]
+pm-core = { path = "../pm-core" }
+tokio = { workspace = true }
+axum = { workspace = true }
+sqlx = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+thiserror = { workspace = true }
+anyhow = { workspace = true }
+tracing = { workspace = true }
+uuid = { workspace = true }
+chrono = { workspace = true }

crates/pm-auth/src/jwt.rs

@@ -0,0 +1 @@
+//! jwt — stub for M2.

crates/pm-auth/src/lib.rs

@@ -0,0 +1,10 @@
+//! pm-auth — Authentication and authorization.
+//!
+//! Modules: password (Argon2id), jwt (EdDSA), refresh tokens,
+//! mfa_totp, mfa_webauthn, rbac, session.
+//!
+//! M1: Stub. Full implementation in M2.
+pub mod password;
+pub mod jwt;
+pub mod rbac;
+pub mod session;

crates/pm-auth/src/password.rs

@@ -0,0 +1 @@
+//! password — stub for M2.

crates/pm-auth/src/rbac.rs

@@ -0,0 +1 @@
+//! rbac — stub for M2.

crates/pm-auth/src/session.rs

@@ -0,0 +1 @@
+//! session — stub for M2.