[P0-1][CRITICAL] Replace MD5 password hashing with PBKDF2

[cct08311github]

Login uses bare Utils.GetMD5String(password) - unsalted MD5. Vulnerable to rainbow table attacks. Fails CISSP/SOC2 compliance.

Fix

• Add PasswordHashHelper with PBKDF2 (ASP.NET Core Identity PasswordHasher)
• Transparent verify-and-upgrade migration on login
• Apply across all demo projects: AccountController, DataContext, FrameworkUserVM, ChangePasswordVM, FrameworkUserImportVM, FrameworkTenantVM
• Mark Utils.GetMD5String [Obsolete]
• Fix GetMD5Stream memory bomb
• DB migration: ALTER TABLE FrameworkUser ALTER COLUMN Password NVARCHAR(256)

Risk: Medium | Effort: 2-3 days

[cct08311github]

Implemented across commits:

• 174d5ded: PasswordHashHelper.cs (PBKDF2 via Microsoft.Extensions.Identity.Core)
• 87afa12e: Password column StringLength 32→256
• 95ab3615: DoLogin integrated with PasswordHashHelper + auto-rehash on MD5 upgrade
• 22535e0e: Test assertions updated
• 666f93f8: Unit tests for PasswordHashHelper
• 3de758a8: All 5 demo projects migrated (MD5 → PBKDF2)

CI: ✅ passing