fix(diary): 为所有 DTO 添加 Validate derive + handler 调用 validate()

DTO 验证规则:
- CreateJournalReq: title 1-200, tags ≤20
- UpdateJournalReq: title 1-200, tags ≤20
- CreateClassReq: name 1-50, school_name ≤100
- JoinClassReq: class_code = 6位
- UpdateClassReq: name 1-50, school_name ≤100
- SyncReq: changes ≤100 条
- CreateTopicReq: title 1-200, description ≤2000
- UpdateTopicReq: title 1-200, description ≤2000
- CreateCommentReq: content 1-1000
- CreateStickerPackReq: name 1-50, description ≤500
- UpdateStickerPackReq: name 1-50, description ≤500
- CreateStickerReq: name 1-30, image_url 1-500
- BindChildReq/DeleteChildDataReq: Validate derive (Uuid 已由 serde 验证)

Handler 调用: validate() 放在 require_permission() 之前（先验证输入再检查权限）

审计 ID: 5a-C01, 5a-C02, 5a-C03

crates/erp-diary/src/handler/class_handler.rs

@@ -3,6 +3,7 @@
 use axum::extract::{Extension, FromRef, Path, State};
 use axum::response::Json;
 use uuid::Uuid;
+use validator::Validate;
 
 use erp_core::error::AppError;
 use erp_core::rbac::require_permission;
@@ -37,6 +38,7 @@ where
     DiaryState: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;
     require_permission(&ctx, "diary.class.manage")?;
 
     if req.name.trim().is_empty() {
@@ -81,6 +83,7 @@ where
     DiaryState: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;
     require_permission(&ctx, "diary.journal.create")?;
 
     if req.class_code.trim().is_empty() {
@@ -248,6 +251,7 @@ where
     DiaryState: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;
     require_permission(&ctx, "diary.class.manage")?;
 
     if let Some(ref name) = req.name {