feat(auth): add org/dept/position management, user page, and Phase 2 completion

Complete Phase 2 identity & authentication module:
- Organization CRUD with tree structure (parent_id + materialized path)
- Department CRUD nested under organizations with tree support
- Position CRUD nested under departments
- User management page with table, create/edit modal, role assignment
- Organization architecture page with 3-panel tree layout
- Frontend API layer for orgs/depts/positions
- Sidebar navigation updated with organization menu item
- Fix parse_ttl edge case for strings ending in 'd' (e.g. "invalid")

crates/erp-auth/src/handler/mod.rs

@@ -1,3 +1,4 @@
 pub mod auth_handler;
+pub mod org_handler;
 pub mod role_handler;
 pub mod user_handler;

crates/erp-auth/src/handler/org_handler.rs

@@ -0,0 +1,326 @@
+use axum::Extension;
+use axum::extract::{FromRef, Path, State};
+use axum::response::Json;
+use validator::Validate;
+
+use erp_core::error::AppError;
+use erp_core::types::{ApiResponse, TenantContext};
+use uuid::Uuid;
+
+use crate::auth_state::AuthState;
+use crate::dto::{
+    CreateDepartmentReq, CreateOrganizationReq, CreatePositionReq, DepartmentResp,
+    OrganizationResp, PositionResp, UpdateDepartmentReq, UpdateOrganizationReq, UpdatePositionReq,
+};
+use crate::middleware::rbac::require_permission;
+use crate::service::dept_service::DeptService;
+use crate::service::org_service::OrgService;
+use crate::service::position_service::PositionService;
+
+// --- Organization handlers ---
+
+/// GET /api/v1/organizations
+///
+/// List all organizations within the current tenant as a nested tree.
+/// Requires the `organization.list` permission.
+pub async fn list_organizations<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+) -> Result<Json<ApiResponse<Vec<OrganizationResp>>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "organization.list")?;
+
+    let tree = OrgService::get_tree(ctx.tenant_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(tree)))
+}
+
+/// POST /api/v1/organizations
+///
+/// Create a new organization within the current tenant.
+/// Requires the `organization.create` permission.
+pub async fn create_organization<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Json(req): Json<CreateOrganizationReq>,
+) -> Result<Json<ApiResponse<OrganizationResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "organization.create")?;
+
+    req.validate()
+        .map_err(|e| AppError::Validation(e.to_string()))?;
+
+    let org = OrgService::create(
+        ctx.tenant_id,
+        ctx.user_id,
+        &req,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(org)))
+}
+
+/// PUT /api/v1/organizations/{id}
+///
+/// Update editable organization fields (name, code, sort_order).
+/// Requires the `organization.update` permission.
+pub async fn update_organization<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+    Json(req): Json<UpdateOrganizationReq>,
+) -> Result<Json<ApiResponse<OrganizationResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "organization.update")?;
+
+    let org = OrgService::update(id, ctx.tenant_id, ctx.user_id, &req, &state.db).await?;
+    Ok(Json(ApiResponse::ok(org)))
+}
+
+/// DELETE /api/v1/organizations/{id}
+///
+/// Soft-delete an organization by ID.
+/// Requires the `organization.delete` permission.
+pub async fn delete_organization<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<()>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "organization.delete")?;
+
+    OrgService::delete(id, ctx.tenant_id, ctx.user_id, &state.db, &state.event_bus).await?;
+
+    Ok(Json(ApiResponse {
+        success: true,
+        data: None,
+        message: Some("组织已删除".to_string()),
+    }))
+}
+
+// --- Department handlers ---
+
+/// GET /api/v1/organizations/{org_id}/departments
+///
+/// List all departments for an organization as a nested tree.
+/// Requires the `department.list` permission.
+pub async fn list_departments<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(org_id): Path<Uuid>,
+) -> Result<Json<ApiResponse<Vec<DepartmentResp>>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "department.list")?;
+
+    let tree = DeptService::list_tree(org_id, ctx.tenant_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(tree)))
+}
+
+/// POST /api/v1/organizations/{org_id}/departments
+///
+/// Create a new department under the specified organization.
+/// Requires the `department.create` permission.
+pub async fn create_department<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(org_id): Path<Uuid>,
+    Json(req): Json<CreateDepartmentReq>,
+) -> Result<Json<ApiResponse<DepartmentResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "department.create")?;
+
+    req.validate()
+        .map_err(|e| AppError::Validation(e.to_string()))?;
+
+    let dept = DeptService::create(
+        org_id,
+        ctx.tenant_id,
+        ctx.user_id,
+        &req,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(dept)))
+}
+
+/// PUT /api/v1/departments/{id}
+///
+/// Update editable department fields (name, code, manager_id, sort_order).
+/// Requires the `department.update` permission.
+pub async fn update_department<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+    Json(req): Json<UpdateDepartmentReq>,
+) -> Result<Json<ApiResponse<DepartmentResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "department.update")?;
+
+    let dept = DeptService::update(
+        id,
+        ctx.tenant_id,
+        ctx.user_id,
+        &req.name,
+        &req.code,
+        &req.manager_id,
+        &req.sort_order,
+        &state.db,
+    )
+    .await?;
+    Ok(Json(ApiResponse::ok(dept)))
+}
+
+/// DELETE /api/v1/departments/{id}
+///
+/// Soft-delete a department by ID.
+/// Requires the `department.delete` permission.
+pub async fn delete_department<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<()>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "department.delete")?;
+
+    DeptService::delete(id, ctx.tenant_id, ctx.user_id, &state.db, &state.event_bus).await?;
+
+    Ok(Json(ApiResponse {
+        success: true,
+        data: None,
+        message: Some("部门已删除".to_string()),
+    }))
+}
+
+// --- Position handlers ---
+
+/// GET /api/v1/departments/{dept_id}/positions
+///
+/// List all positions for a department.
+/// Requires the `position.list` permission.
+pub async fn list_positions<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(dept_id): Path<Uuid>,
+) -> Result<Json<ApiResponse<Vec<PositionResp>>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "position.list")?;
+
+    let positions = PositionService::list(dept_id, ctx.tenant_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(positions)))
+}
+
+/// POST /api/v1/departments/{dept_id}/positions
+///
+/// Create a new position under the specified department.
+/// Requires the `position.create` permission.
+pub async fn create_position<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(dept_id): Path<Uuid>,
+    Json(req): Json<CreatePositionReq>,
+) -> Result<Json<ApiResponse<PositionResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "position.create")?;
+
+    req.validate()
+        .map_err(|e| AppError::Validation(e.to_string()))?;
+
+    let pos = PositionService::create(
+        dept_id,
+        ctx.tenant_id,
+        ctx.user_id,
+        &req,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(pos)))
+}
+
+/// PUT /api/v1/positions/{id}
+///
+/// Update editable position fields (name, code, level, sort_order).
+/// Requires the `position.update` permission.
+pub async fn update_position<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+    Json(req): Json<UpdatePositionReq>,
+) -> Result<Json<ApiResponse<PositionResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "position.update")?;
+
+    let pos = PositionService::update(
+        id,
+        ctx.tenant_id,
+        ctx.user_id,
+        &req.name,
+        &req.code,
+        &req.level,
+        &req.sort_order,
+        &state.db,
+    )
+    .await?;
+    Ok(Json(ApiResponse::ok(pos)))
+}
+
+/// DELETE /api/v1/positions/{id}
+///
+/// Soft-delete a position by ID.
+/// Requires the `position.delete` permission.
+pub async fn delete_position<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<()>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "position.delete")?;
+
+    PositionService::delete(id, ctx.tenant_id, ctx.user_id, &state.db, &state.event_bus).await?;
+
+    Ok(Json(ApiResponse {
+        success: true,
+        data: None,
+        message: Some("岗位已删除".to_string()),
+    }))
+}