feat: add utoipa path annotations to all API handlers and wire OpenAPI spec

- Add #[utoipa::path] annotations to all 70+ handler functions across
  auth, config, workflow, and message modules
- Add IntoParams/ToSchema derives to Pagination, PaginatedResponse, ApiResponse
  in erp-core, and MessageQuery/TemplateQuery in erp-message
- Collect all module paths into OpenAPI spec via AuthApiDoc, ConfigApiDoc,
  WorkflowApiDoc, MessageApiDoc structs in erp-server main.rs
- Update openapi_spec handler to merge all module specs
- The /docs/openapi.json endpoint now returns complete API documentation
  with all endpoints, request/response schemas, and security requirements

crates/erp-auth/src/handler/role_handler.rs

@@ -13,6 +13,18 @@ use crate::service::permission_service::PermissionService;
 use crate::service::role_service::RoleService;
 use erp_core::rbac::require_permission;
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/roles",
+    params(Pagination),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<PaginatedResponse<RoleResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// GET /api/v1/roles
 ///
 /// List roles within the current tenant with pagination.
@@ -43,6 +55,18 @@ where
     })))
 }
 
+#[utoipa::path(
+    post,
+    path = "/api/v1/roles",
+    request_body = CreateRoleReq,
+    responses(
+        (status = 200, description = "创建成功", body = ApiResponse<RoleResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// POST /api/v1/roles
 ///
 /// Create a new role within the current tenant.
@@ -75,6 +99,19 @@ where
     Ok(Json(ApiResponse::ok(role)))
 }
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/roles/{id}",
+    params(("id" = Uuid, Path, description = "角色ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<RoleResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "角色不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// GET /api/v1/roles/:id
 ///
 /// Fetch a single role by ID within the current tenant.
@@ -94,6 +131,20 @@ where
     Ok(Json(ApiResponse::ok(role)))
 }
 
+#[utoipa::path(
+    put,
+    path = "/api/v1/roles/{id}",
+    params(("id" = Uuid, Path, description = "角色ID")),
+    request_body = UpdateRoleReq,
+    responses(
+        (status = 200, description = "更新成功", body = ApiResponse<RoleResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "角色不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// PUT /api/v1/roles/:id
 ///
 /// Update editable role fields (name, description).
@@ -123,6 +174,19 @@ where
     Ok(Json(ApiResponse::ok(role)))
 }
 
+#[utoipa::path(
+    delete,
+    path = "/api/v1/roles/{id}",
+    params(("id" = Uuid, Path, description = "角色ID")),
+    responses(
+        (status = 200, description = "角色已删除"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "角色不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// DELETE /api/v1/roles/:id
 ///
 /// Soft-delete a role by ID within the current tenant.
@@ -148,6 +212,20 @@ where
     }))
 }
 
+#[utoipa::path(
+    post,
+    path = "/api/v1/roles/{id}/permissions",
+    params(("id" = Uuid, Path, description = "角色ID")),
+    request_body = AssignPermissionsReq,
+    responses(
+        (status = 200, description = "权限分配成功"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "角色不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// POST /api/v1/roles/:id/permissions
 ///
 /// Replace all permission assignments for a role.
@@ -180,6 +258,19 @@ where
     }))
 }
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/roles/{id}/permissions",
+    params(("id" = Uuid, Path, description = "角色ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<PermissionResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "角色不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "角色管理"
+)]
 /// GET /api/v1/roles/:id/permissions
 ///
 /// Fetch all permissions assigned to a role.
@@ -199,6 +290,17 @@ where
     Ok(Json(ApiResponse::ok(perms)))
 }
 
+#[utoipa::path(
+    get,
+    path = "/api/v1/permissions",
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<PermissionResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "权限管理"
+)]
 /// GET /api/v1/permissions
 ///
 /// List all permissions within the current tenant.