feat: POS PIN unlock with employee number + PIN auth

- Add employeeNumber and pinHash fields to users table
- POST /auth/pin-login: takes combined code (4-digit employee# + 4-digit PIN)
- POST /auth/set-pin: employee sets their own PIN (requires full auth)
- DELETE /auth/pin: remove PIN
- Lock screen with numpad, auto-submits on 8 digits, visual dot separator
- POS uses its own auth token separate from admin session
- Admin "POS" link clears admin session before navigating
- /pos route has no auth guard — lock screen is the auth
- API client uses POS token when available, admin token otherwise
- Auto-lock timer reads pos_lock_timeout from app_config (default 15 min)
- Lock button in POS top bar, shows current cashier name

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/admin/src/routes/pos.tsx

@@ -1,14 +1,7 @@
-import { createFileRoute, redirect } from '@tanstack/react-router'
-import { useAuthStore } from '@/stores/auth.store'
+import { createFileRoute } from '@tanstack/react-router'
 import { POSRegister } from '@/components/pos/pos-register'
 
 export const Route = createFileRoute('/pos')({
-  beforeLoad: () => {
-    const { token } = useAuthStore.getState()
-    if (!token) {
-      throw redirect({ to: '/login' })
-    }
-  },
   component: POSPage,
 })