feat(M1): Project scaffolding, DB schema, core infrastructure

- Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core,
  pm-agent-client, pm-auth, pm-ca, pm-reports)
- React + TypeScript + Vite + MUI frontend scaffold
- Full PostgreSQL schema: all 17 tables with indexes and constraints
- pm-core: config (TOML+env), db (SQLx pool + migrations), error
  (unified AppError + JSON envelope), request_id (ULID middleware),
  logging (tracing JSON/pretty)
- pm-web: Axum skeleton, /status/health endpoint, static file serving
- pm-worker: Tokio skeleton, heartbeat writer, schema version check
- Embedded sqlx migrations with advisory lock (single-writer)
- systemd unit files, setup.sh, build-frontend.sh
- config.example.toml with all configuration keys
- docs/runbooks/restore.md
- cargo check passes with zero warnings

Closes M1.

systemd/patch-manager-worker.service

@@ -0,0 +1,37 @@
+[Unit]
+Description=Linux Patch Manager — Background Worker
+Documentation=https://gitea.moon-dragon.us/echo/linux_patch_manager
+After=network.target postgresql.service patch-manager-web.service
+Requires=postgresql.service
+# Worker waits for the web process to apply migrations before starting tasks
+Wants=patch-manager-web.service
+
+[Service]
+Type=simple
+User=patch-manager
+Group=patch-manager
+WorkingDirectory=/opt/patch-manager
+
+# Configuration
+Environment="PATCH_MANAGER_CONFIG=/etc/patch-manager/config.toml"
+
+ExecStart=/usr/local/bin/pm-worker
+Restart=on-failure
+RestartSec=10s
+TimeoutStopSec=60s
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/log/patch-manager
+PrivateTmp=true
+PrivateDevices=true
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=patch-manager-worker
+
+[Install]
+WantedBy=multi-user.target