feat: add utoipa path annotations to all API handlers and wire OpenAPI spec

- Add #[utoipa::path] annotations to all 70+ handler functions across
  auth, config, workflow, and message modules
- Add IntoParams/ToSchema derives to Pagination, PaginatedResponse, ApiResponse
  in erp-core, and MessageQuery/TemplateQuery in erp-message
- Collect all module paths into OpenAPI spec via AuthApiDoc, ConfigApiDoc,
  WorkflowApiDoc, MessageApiDoc structs in erp-server main.rs
- Update openapi_spec handler to merge all module specs
- The /docs/openapi.json endpoint now returns complete API documentation
  with all endpoints, request/response schemas, and security requirements

crates/erp-auth/src/handler/org_handler.rs

@@ -19,6 +19,17 @@ use erp_core::rbac::require_permission;
 
 // --- Organization handlers ---
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/organizations",
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<OrganizationResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// GET /api/v1/organizations
 ///
 /// List all organizations within the current tenant as a nested tree.
@@ -37,6 +48,18 @@ where
     Ok(Json(ApiResponse::ok(tree)))
 }
 
+#[utoipa::path(
+    post,
+    path = "/api/v1/organizations",
+    request_body = CreateOrganizationReq,
+    responses(
+        (status = 200, description = "创建成功", body = ApiResponse<OrganizationResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// POST /api/v1/organizations
 ///
 /// Create a new organization within the current tenant.
@@ -67,6 +90,20 @@ where
     Ok(Json(ApiResponse::ok(org)))
 }
 
+#[utoipa::path(
+    put,
+    path = "/api/v1/organizations/{id}",
+    params(("id" = Uuid, Path, description = "组织ID")),
+    request_body = UpdateOrganizationReq,
+    responses(
+        (status = 200, description = "更新成功", body = ApiResponse<OrganizationResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "组织不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// PUT /api/v1/organizations/{id}
 ///
 /// Update editable organization fields (name, code, sort_order).
@@ -87,6 +124,19 @@ where
     Ok(Json(ApiResponse::ok(org)))
 }
 
+#[utoipa::path(
+    delete,
+    path = "/api/v1/organizations/{id}",
+    params(("id" = Uuid, Path, description = "组织ID")),
+    responses(
+        (status = 200, description = "组织已删除"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "组织不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// DELETE /api/v1/organizations/{id}
 ///
 /// Soft-delete an organization by ID.
@@ -113,6 +163,18 @@ where
 
 // --- Department handlers ---
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/organizations/{org_id}/departments",
+    params(("org_id" = Uuid, Path, description = "组织ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<DepartmentResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// GET /api/v1/organizations/{org_id}/departments
 ///
 /// List all departments for an organization as a nested tree.
@@ -132,6 +194,19 @@ where
     Ok(Json(ApiResponse::ok(tree)))
 }
 
+#[utoipa::path(
+    post,
+    path = "/api/v1/organizations/{org_id}/departments",
+    params(("org_id" = Uuid, Path, description = "组织ID")),
+    request_body = CreateDepartmentReq,
+    responses(
+        (status = 200, description = "创建成功", body = ApiResponse<DepartmentResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// POST /api/v1/organizations/{org_id}/departments
 ///
 /// Create a new department under the specified organization.
@@ -164,6 +239,20 @@ where
     Ok(Json(ApiResponse::ok(dept)))
 }
 
+#[utoipa::path(
+    put,
+    path = "/api/v1/departments/{id}",
+    params(("id" = Uuid, Path, description = "部门ID")),
+    request_body = UpdateDepartmentReq,
+    responses(
+        (status = 200, description = "更新成功", body = ApiResponse<DepartmentResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "部门不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// PUT /api/v1/departments/{id}
 ///
 /// Update editable department fields (name, code, manager_id, sort_order).
@@ -184,6 +273,19 @@ where
     Ok(Json(ApiResponse::ok(dept)))
 }
 
+#[utoipa::path(
+    delete,
+    path = "/api/v1/departments/{id}",
+    params(("id" = Uuid, Path, description = "部门ID")),
+    responses(
+        (status = 200, description = "部门已删除"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "部门不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// DELETE /api/v1/departments/{id}
 ///
 /// Soft-delete a department by ID.
@@ -210,6 +312,18 @@ where
 
 // --- Position handlers ---
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/departments/{dept_id}/positions",
+    params(("dept_id" = Uuid, Path, description = "部门ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<PositionResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// GET /api/v1/departments/{dept_id}/positions
 ///
 /// List all positions for a department.
@@ -229,6 +343,19 @@ where
     Ok(Json(ApiResponse::ok(positions)))
 }
 
+#[utoipa::path(
+    post,
+    path = "/api/v1/departments/{dept_id}/positions",
+    params(("dept_id" = Uuid, Path, description = "部门ID")),
+    request_body = CreatePositionReq,
+    responses(
+        (status = 200, description = "创建成功", body = ApiResponse<PositionResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// POST /api/v1/departments/{dept_id}/positions
 ///
 /// Create a new position under the specified department.
@@ -261,6 +388,20 @@ where
     Ok(Json(ApiResponse::ok(pos)))
 }
 
+#[utoipa::path(
+    put,
+    path = "/api/v1/positions/{id}",
+    params(("id" = Uuid, Path, description = "岗位ID")),
+    request_body = UpdatePositionReq,
+    responses(
+        (status = 200, description = "更新成功", body = ApiResponse<PositionResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "岗位不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// PUT /api/v1/positions/{id}
 ///
 /// Update editable position fields (name, code, level, sort_order).
@@ -281,6 +422,19 @@ where
     Ok(Json(ApiResponse::ok(pos)))
 }
 
+#[utoipa::path(
+    delete,
+    path = "/api/v1/positions/{id}",
+    params(("id" = Uuid, Path, description = "岗位ID")),
+    responses(
+        (status = 200, description = "岗位已删除"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "岗位不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "组织管理"
+)]
 /// DELETE /api/v1/positions/{id}
 ///
 /// Soft-delete a position by ID.