feat(core): lift M7.1 tenant types, db helper, and auth middleware into compliance-core

Moves the tenant-aware HTTP infrastructure into compliance-core so every
future product (compliance-agent, compliance-dast, compliance-mcp, the
upcoming smoke harness) shares one source of truth instead of each crate
re-implementing claims extraction and the status gate.

* tenant.rs — TenantStatus / OrgRole / TenantContext (unconditional)
* db.rs — tenant_filter + tenant_filter_merge for query scoping
* auth.rs — require_jwt_auth + require_tenant_status + JwksState
* tenant_ctx.rs — Axum TenantCtx extractor
* `axum` cargo feature gates the HTTP-dependent modules so wasm
  consumers (the dashboard frontend) don't pull axum/jsonwebtoken/reqwest

40 unit tests across the moved modules — all green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

compliance-core/Cargo.toml

@@ -18,6 +18,15 @@ telemetry = [
     "dep:tracing-subscriber",
     "dep:tracing",
 ]
+# Pulls in the M7.1 Axum middleware + extractor. Consumers that don't
+# embed an HTTP server (e.g. the wasm dashboard frontend) leave it off.
+axum = [
+    "dep:axum",
+    "dep:jsonwebtoken",
+    "dep:reqwest",
+    "dep:tokio",
+    "dep:tracing",
+]
 
 [dependencies]
 serde = { workspace = true }
@@ -37,3 +46,7 @@ opentelemetry-appender-tracing = { version = "0.29", optional = true }
 tracing-opentelemetry = { version = "0.30", optional = true }
 tracing-subscriber = { workspace = true, optional = true }
 tracing = { workspace = true, optional = true }
+axum = { version = "0.8", optional = true }
+jsonwebtoken = { version = "9", optional = true }
+reqwest = { workspace = true, optional = true }
+tokio = { workspace = true, optional = true }