feat(diary): 数据层 + 班级系统 (Phase F1 + B3)

Flutter 数据层 (Phase F1):
- journal_entry.dart: 日记数据模型 (Mood/Weather/tags/version)
- journal_element.dart: 元素模型 (text/image/sticker/handwriting_ref/tape)
- school_class.dart: 班级模型
- user_settings.dart: 用户设置 (主题/画笔/字号)
- isar_database.dart: Isar 初始化
- api_client.dart: Dio + JWT注入 + 离线感知 + 401处理
- journal_repository.dart: 抽象接口 + InMemory实现 (乐观锁)
- sync_engine.dart: WiFi同步 + 操作队列 + 重试(5次) + 快照持久化

Rust 班级系统 (Phase B3):
- class_service.rs: 创建班级(6位码) + 加入班级 + 成员管理
- topic_service.rs: 老师布置主题 + 主题列表
- comment_service.rs: 老师点评 + 评语列表
- class_handler.rs: 5个API端点 + 权限守卫
- topic_handler.rs: 2个API端点
- comment_handler.rs: 2个API端点
- dto.rs: 新增5个DTO (ClassMemberResp/CreateTopicReq/TopicResp/CreateCommentReq/CommentResp)
- 6条新路由注册

验证: cargo check 通过, 433测试全绿, flutter analyze 1 warning

crates/erp-diary/src/handler/class_handler.rs

@@ -0,0 +1,191 @@
+// 班级 API 处理器 — 创建班级、加入班级、查询班级
+
+use axum::extract::{Extension, FromRef, Path, State};
+use axum::response::Json;
+use uuid::Uuid;
+
+use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
+use erp_core::types::{ApiResponse, TenantContext};
+
+use crate::dto::{ClassMemberResp, ClassResp, CreateClassReq, JoinClassReq};
+use crate::service::class_service::ClassService;
+use crate::state::DiaryState;
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/diary/classes",
+    request_body = CreateClassReq,
+    responses(
+        (status = 200, description = "创建成功", body = ApiResponse<ClassResp>),
+        (status = 400, description = "验证失败"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// POST /api/v1/diary/classes
+///
+/// 创建班级。需要 `diary.class.manage` 权限（老师角色）。
+pub async fn create_class<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Json(req): Json<CreateClassReq>,
+) -> Result<Json<ApiResponse<ClassResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.class.manage")?;
+
+    if req.name.trim().is_empty() {
+        return Err(AppError::Validation("班级名称不能为空".to_string()));
+    }
+
+    let resp = ClassService::create_class(
+        ctx.tenant_id,
+        ctx.user_id,
+        req.name,
+        req.school_name,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/diary/classes/join",
+    request_body = JoinClassReq,
+    responses(
+        (status = 200, description = "加入成功", body = ApiResponse<ClassResp>),
+        (status = 400, description = "班级码无效或已过期"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// POST /api/v1/diary/classes/join
+///
+/// 通过班级码加入班级。需要 `diary.journal.create` 权限（学生使用此权限加入）。
+pub async fn join_class<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Json(req): Json<JoinClassReq>,
+) -> Result<Json<ApiResponse<ClassResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.journal.create")?;
+
+    if req.class_code.trim().is_empty() {
+        return Err(AppError::Validation("班级码不能为空".to_string()));
+    }
+
+    let resp = ClassService::join_class(
+        ctx.tenant_id,
+        ctx.user_id,
+        req.class_code,
+        None, // 昵称暂不通过此接口传递
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/diary/classes/{id}",
+    params(("id" = Uuid, Path, description = "班级ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<ClassResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "班级不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// GET /api/v1/diary/classes/:id
+///
+/// 获取班级详情。需要 `diary.journal.read` 权限。
+pub async fn get_class<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<ClassResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.journal.read")?;
+
+    let resp = ClassService::get_class(ctx.tenant_id, id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/diary/classes/{id}/members",
+    params(("id" = Uuid, Path, description = "班级ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<ClassMemberResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "班级不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// GET /api/v1/diary/classes/:id/members
+///
+/// 获取班级成员列表。需要 `diary.journal.read` 权限。
+pub async fn list_members<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<Vec<ClassMemberResp>>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.journal.read")?;
+
+    let resp = ClassService::list_members(ctx.tenant_id, id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/diary/classes/my",
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<ClassResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// GET /api/v1/diary/classes/my
+///
+/// 获取当前用户加入的所有班级。需要 `diary.journal.read` 权限。
+pub async fn my_classes<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+) -> Result<Json<ApiResponse<Vec<ClassResp>>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.journal.read")?;
+
+    let resp = ClassService::my_classes(ctx.tenant_id, ctx.user_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}

crates/erp-diary/src/handler/comment_handler.rs

@@ -0,0 +1,90 @@
+// 评语 API 处理器 — 老师点评学生日记
+
+use axum::extract::{Extension, FromRef, Path, State};
+use axum::response::Json;
+use uuid::Uuid;
+
+use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
+use erp_core::types::{ApiResponse, TenantContext};
+
+use crate::dto::{CommentResp, CreateCommentReq};
+use crate::service::comment_service::CommentService;
+use crate::state::DiaryState;
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/diary/journals/{journal_id}/comments",
+    params(("journal_id" = Uuid, Path, description = "日记ID")),
+    request_body = CreateCommentReq,
+    responses(
+        (status = 200, description = "点评成功", body = ApiResponse<CommentResp>),
+        (status = 400, description = "验证失败或内容安全检查未通过"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "日记不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "评语管理"
+)]
+/// POST /api/v1/diary/journals/:journal_id/comments
+///
+/// 老师点评日记。需要 `diary.comment.write` 权限。
+pub async fn create_comment<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(journal_id): Path<Uuid>,
+    Json(req): Json<CreateCommentReq>,
+) -> Result<Json<ApiResponse<CommentResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.comment.write")?;
+
+    if req.content.trim().is_empty() {
+        return Err(AppError::Validation("评语内容不能为空".to_string()));
+    }
+
+    let resp = CommentService::create_comment(
+        ctx.tenant_id,
+        ctx.user_id,
+        journal_id,
+        req.content,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/diary/journals/{journal_id}/comments",
+    params(("journal_id" = Uuid, Path, description = "日记ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<CommentResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "评语管理"
+)]
+/// GET /api/v1/diary/journals/:journal_id/comments
+///
+/// 获取日记评语列表。需要 `diary.journal.read` 权限。
+pub async fn list_comments<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(journal_id): Path<Uuid>,
+) -> Result<Json<ApiResponse<Vec<CommentResp>>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.journal.read")?;
+
+    let resp = CommentService::list_comments(ctx.tenant_id, journal_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}

crates/erp-diary/src/handler/mod.rs

@@ -2,3 +2,6 @@
 
 pub mod journal_handler;
 pub mod sync_handler;
+pub mod class_handler;
+pub mod topic_handler;
+pub mod comment_handler;

crates/erp-diary/src/handler/topic_handler.rs

@@ -0,0 +1,90 @@
+// 主题布置 API 处理器 — 老师布置/查询主题
+
+use axum::extract::{Extension, FromRef, Path, State};
+use axum::response::Json;
+use uuid::Uuid;
+
+use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
+use erp_core::types::{ApiResponse, TenantContext};
+
+use crate::dto::{CreateTopicReq, TopicResp};
+use crate::service::topic_service::TopicService;
+use crate::state::DiaryState;
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/diary/classes/{class_id}/topics",
+    params(("class_id" = Uuid, Path, description = "班级ID")),
+    request_body = CreateTopicReq,
+    responses(
+        (status = 200, description = "布置成功", body = ApiResponse<TopicResp>),
+        (status = 400, description = "验证失败"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "班级不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "主题布置"
+)]
+/// POST /api/v1/diary/classes/:class_id/topics
+///
+/// 布置日记主题。需要 `diary.topic.assign` 权限（老师角色）。
+pub async fn assign_topic<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(class_id): Path<Uuid>,
+    Json(req): Json<CreateTopicReq>,
+) -> Result<Json<ApiResponse<TopicResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.topic.assign")?;
+
+    if req.title.trim().is_empty() {
+        return Err(AppError::Validation("主题标题不能为空".to_string()));
+    }
+
+    let resp = TopicService::assign_topic(
+        ctx.tenant_id,
+        ctx.user_id,
+        class_id,
+        &req,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/diary/classes/{class_id}/topics",
+    params(("class_id" = Uuid, Path, description = "班级ID")),
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<TopicResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "主题布置"
+)]
+/// GET /api/v1/diary/classes/:class_id/topics
+///
+/// 获取班级主题列表。需要 `diary.journal.read` 权限。
+pub async fn list_topics<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(class_id): Path<Uuid>,
+) -> Result<Json<ApiResponse<Vec<TopicResp>>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.journal.read")?;
+
+    let resp = TopicService::list_topics(ctx.tenant_id, class_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}