fix(message): resolve Phase 5-6 audit findings

- Add missing version column to all message tables (migration + entities)
- Replace N+1 mark_all_read loop with single batch UPDATE query
- Fix NotificationList infinite re-render (extract queryFilter to stable ref)
- Fix NotificationPreferences dynamic import and remove unused Dayjs type
- Add Semaphore (max 8) to event listener for backpressure control
- Add /docs/openapi.json endpoint for API documentation
- Add permission check to unread_count handler
- Add version: Set(1) to all ActiveModel inserts

crates/erp-server/migration/src/lib.rs

@@ -29,6 +29,7 @@ mod m20260413_000026_create_audit_logs;
 mod m20260414_000027_fix_unique_indexes_soft_delete;
 mod m20260414_000028_add_standard_fields_to_tokens;
 mod m20260414_000029_add_standard_fields_to_process_variables;
+mod m20260415_000030_add_version_to_message_tables;
 
 pub struct Migrator;
 
@@ -65,6 +66,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260414_000027_fix_unique_indexes_soft_delete::Migration),
             Box::new(m20260414_000028_add_standard_fields_to_tokens::Migration),
             Box::new(m20260414_000029_add_standard_fields_to_process_variables::Migration),
+            Box::new(m20260415_000030_add_version_to_message_tables::Migration),
         ]
     }
 }

crates/erp-server/migration/src/m20260415_000030_add_version_to_message_tables.rs

@@ -0,0 +1,104 @@
+use sea_orm_migration::prelude::*;
+
+/// 为三个消息表添加缺失的 version 列（乐观锁字段）。
+///
+/// CLAUDE.md 要求所有表包含 version 字段用于乐观锁，但消息模块的三个表遗漏了。
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        // message_templates
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(MessageTemplates::Table)
+                    .add_column(
+                        ColumnDef::new(MessageTemplates::Version)
+                            .integer()
+                            .not_null()
+                            .default(1),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // messages
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Messages::Table)
+                    .add_column(
+                        ColumnDef::new(Messages::Version)
+                            .integer()
+                            .not_null()
+                            .default(1),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        // message_subscriptions
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(MessageSubscriptions::Table)
+                    .add_column(
+                        ColumnDef::new(MessageSubscriptions::Version)
+                            .integer()
+                            .not_null()
+                            .default(1),
+                    )
+                    .to_owned(),
+            )
+            .await
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(MessageTemplates::Table)
+                    .drop_column(MessageTemplates::Version)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Messages::Table)
+                    .drop_column(Messages::Version)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(MessageSubscriptions::Table)
+                    .drop_column(MessageSubscriptions::Version)
+                    .to_owned(),
+            )
+            .await
+    }
+}
+
+#[derive(DeriveIden)]
+enum MessageTemplates {
+    Table,
+    Version,
+}
+
+#[derive(DeriveIden)]
+enum Messages {
+    Table,
+    Version,
+}
+
+#[derive(DeriveIden)]
+enum MessageSubscriptions {
+    Table,
+    Version,
+}

crates/erp-server/src/handlers/mod.rs

@@ -1 +1,2 @@
 pub mod health;
+pub mod openapi;

crates/erp-server/src/handlers/openapi.rs

@@ -0,0 +1,19 @@
+use axum::response::Json;
+use serde_json::Value;
+use utoipa::openapi::OpenApiBuilder;
+
+/// GET /docs/openapi.json
+///
+/// 返回 OpenAPI 3.0 规范 JSON 文档
+pub async fn openapi_spec() -> Json<Value> {
+    let mut info = utoipa::openapi::Info::new(
+        "ERP Platform API",
+        env!("CARGO_PKG_VERSION"),
+    );
+    info.description = Some("ERP 平台底座 REST API 文档".to_string());
+
+    let spec = OpenApiBuilder::new()
+        .info(info)
+        .build();
+    Json(serde_json::to_value(spec).unwrap_or_default())
+}

crates/erp-server/src/main.rs

@@ -3,7 +3,7 @@ mod db;
 mod handlers;
 mod state;
 
-/// OpenAPI 规范定义。
+/// OpenAPI 规范定义（预留，未来可通过 utoipa derive 合并各模块 schema）。
 #[derive(OpenApi)]
 #[openapi(
     info(
@@ -168,6 +168,7 @@ async fn main() -> anyhow::Result<()> {
     let public_routes = Router::new()
         .merge(handlers::health::health_check_router())
         .merge(erp_auth::AuthModule::public_routes())
+        .route("/docs/openapi.json", axum::routing::get(handlers::openapi::openapi_spec))
         .with_state(state.clone());
 
     // Protected routes (JWT authentication required)