feat: systematic functional audit — fix 18 issues across Phase A/B

Phase A (P1 production blockers): - A1: Apply IP rate limiting to public routes (login/refresh) - A2: Publish domain events for workflow instance state transitions (completed/suspended/resumed/terminated) via outbox pattern - A3: Replace hardcoded nil UUID default tenant with dynamic DB lookup - A4: Add GET /api/v1/audit-logs query endpoint with pagination - A5: Enhance CORS wildcard warning for production environments Phase B (P2 functional gaps): - B1: Remove dead erp-common crate (zero references in codebase) - B2: Refactor 5 settings pages to use typed API modules instead of direct client calls; create api/themes.ts; delete dead errors.ts - B3: Add resume/suspend buttons to InstanceMonitor page - B4: Remove unused EventHandler trait from erp-core - B5: Handle task.completed events in message module (send notifications) - B6: Wire TimeoutChecker as 60s background task - B7: Auto-skip ServiceTask nodes instead of crashing the process - B8: Remove empty register_routes() from ErpModule trait and modules
2026-04-12 15:22:28 +08:00
parent 685df5e458
commit 14f431efff
34 changed files with 785 additions and 304 deletions
--- a/crates/erp-workflow/src/service/instance_service.rs
+++ b/crates/erp-workflow/src/service/instance_service.rs
@@ -312,6 +312,27 @@ impl InstanceService {
            .await
            .map_err(|e| WorkflowError::Validation(e.to_string()))?;

+        // 发布状态变更领域事件（通过 outbox 模式，由 relay 广播）
+        let event_type = format!("process_instance.{}", to_status);
+        let event_id = Uuid::now_v7();
+        let now = Utc::now();
+        let outbox_event = erp_core::entity::domain_event::ActiveModel {
+            id: Set(event_id),
+            tenant_id: Set(tenant_id),
+            event_type: Set(event_type),
+            payload: Set(Some(serde_json::json!({ "instance_id": id, "changed_by": operator_id }))),
+            correlation_id: Set(Some(Uuid::now_v7())),
+            status: Set("pending".to_string()),
+            attempts: Set(0),
+            last_error: Set(None),
+            created_at: Set(now),
+            published_at: Set(None),
+        };
+        match outbox_event.insert(db).await {
+            Ok(_) => {}
+            Err(e) => tracing::warn!(error = %e, "领域事件持久化失败"),
+        }
+
        let action = format!("process_instance.{}", to_status);
        audit_service::record(
            AuditLog::new(tenant_id, Some(operator_id), action, "process_instance")