feat: Sprint 2 REST API layer — full implementation

- Fix critical Hibernate @Filter activation bug (TenantFilterAspect)
- Rename UserRole.ROLE_MANAGER → ROLE_STAFF (future-proofing)
- SecurityConfig: ADMIN + MEMBER roles only for Sprint 2
- AuthController: POST /auth/login + POST /auth/refresh with JWT
- AuthService: login, refresh token rotation, hashed refresh storage
- MemberController: CRUD (GET/POST/PUT /members)
- DistributionController: list + record distributions (CanG §26)
- StockController: batch management (GET/POST /stock/batches)
- ComplianceController: quota check (GET /compliance/quota/{id})
- OpenAPI/Swagger config with bearer-jwt security scheme
- GlobalExceptionHandler: full RFC 9457 problem+json coverage
- UserRepository: findByEmail, findByEmailAndTenantId
- Flyway V2: role rename migration + login indexes
- Testcontainers + test profile infrastructure (integration tests deferred)
- Parent POM: Testcontainers BOM, entity scan via properties

Controllers use validated DTOs (Jakarta Bean Validation records).
Compliance checks run before distribution recording.
Tenant filter AOP aspect ensures multi-tenant data isolation.

cannamanage-domain/src/main/java/de/cannamanage/domain/enums/UserRole.java

@@ -1,8 +1,12 @@
 package de.cannamanage.domain.enums;
 
+/**
+ * User roles for access control.
+ * Sprint 2: ADMIN + MEMBER only.
+ * Sprint 3: STAFF added (replaces old MANAGER concept).
+ */
 public enum UserRole {
     ROLE_ADMIN,
-    ROLE_MANAGER,
-    ROLE_MEMBER,
-    ROLE_PREVENTION_OFFICER
+    ROLE_STAFF,
+    ROLE_MEMBER
 }