refactor: RBAC权限系统重构 + UI组件拆分 + 测试修复 + 架构文档

- RBAC: 新增30个权限点、DataScope行级权限、requirePermission守卫，所有57+ Server Action接入权限校验
- UI拆分: exam-form(1623行→11文件)、textbook-reader(744行→7文件)，均降至300行以内
- 测试: 新增5个单元测试文件(19用例)，修复4个集成测试文件(38用例全部通过)
- 架构文档: 新增架构影响地图(004/005)、标准功能清单(006)、差距审计报告(007)
- 项目规则: 架构图优先规则，改码必同步图
- 安全: rehype-sanitize净化、AES加密API Key、权限路由守卫
- 无障碍: skip-link、aria-label、prefers-reduced-motion
- 性能: next/font优化、next/image、代码分割

src/app/(dashboard)/dashboard/page.tsx

@@ -1,6 +1,6 @@
 import { redirect } from "next/navigation"
 import { auth } from "@/auth"
-import { getUserProfile } from "@/modules/users/data-access"
+import { Permissions } from "@/shared/types/permissions"
 
 export const dynamic = "force-dynamic"
 
@@ -8,14 +8,11 @@ export default async function DashboardPage() {
   const session = await auth()
   if (!session?.user) redirect("/login")
 
-  const userId = String(session.user.id ?? "").trim()
-  if (!userId) redirect("/login")
-  const profile = await getUserProfile(userId)
-  if (!profile) redirect("/login")
-  const role = profile.role || "student"
+  const permissions = session.user.permissions ?? []
+  const roles = session.user.roles ?? []
 
-  if (role === "admin") redirect("/admin/dashboard")
-  if (role === "student") redirect("/student/dashboard")
-  if (role === "parent") redirect("/parent/dashboard")
+  if (permissions.includes(Permissions.SCHOOL_MANAGE)) redirect("/admin/dashboard")
+  if (permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)) redirect("/student/dashboard")
+  if (roles.includes("parent")) redirect("/parent/dashboard")
   redirect("/teacher/dashboard")
 }

src/app/(dashboard)/layout.tsx

@@ -9,8 +9,11 @@ export default function DashboardLayout({
 }) {
   return (
     <SidebarProvider sidebar={<AppSidebar />}>
+      <a href="#main-content" className="sr-only focus:not-sr-only focus:absolute focus:z-50 focus:p-4 focus:bg-background focus:text-foreground focus:border focus:border-border focus:rounded-md focus:m-2">
+        Skip to main content
+      </a>
       <SiteHeader />
-      <main className="flex-1 overflow-auto p-6">
+      <main id="main-content" className="flex-1 overflow-auto p-6">
         {children}
       </main>
     </SidebarProvider>

src/app/(dashboard)/profile/page.tsx

@@ -9,6 +9,7 @@ import { StudentTodayScheduleCard } from "@/modules/dashboard/components/student
 import { StudentUpcomingAssignmentsCard } from "@/modules/dashboard/components/student-dashboard/student-upcoming-assignments-card"
 import { getStudentDashboardGrades, getStudentHomeworkAssignments } from "@/modules/homework/data-access"
 import { getUserProfile } from "@/modules/users/data-access"
+import { Permissions } from "@/shared/types/permissions"
 import { Badge } from "@/shared/components/ui/badge"
 import { Button } from "@/shared/components/ui/button"
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/shared/components/ui/card"
@@ -42,9 +43,9 @@ export default async function ProfilePage() {
       redirect("/login")
   }
 
-  const role = userProfile.role || "student"
-  const isStudent = role === "student"
-  const isTeacher = role === "teacher"
+  const permissions = session.user.permissions ?? []
+  const isStudent = permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)
+  const isTeacher = permissions.includes(Permissions.EXAM_CREATE)
 
   const studentData =
     isStudent

src/app/(dashboard)/settings/page.tsx

@@ -5,6 +5,7 @@ import { AdminSettingsView } from "@/modules/settings/components/admin-settings-
 import { StudentSettingsView } from "@/modules/settings/components/student-settings-view"
 import { TeacherSettingsView } from "@/modules/settings/components/teacher-settings-view"
 import { getUserProfile } from "@/modules/users/data-access"
+import { Permissions } from "@/shared/types/permissions"
 
 export const dynamic = "force-dynamic"
 
@@ -17,11 +18,9 @@ export default async function SettingsPage() {
 
   if (!userProfile) redirect("/login")
 
-  const role = userProfile.role || "student"
+  const permissions = session.user.permissions ?? []
 
-  if (role === "admin") return <AdminSettingsView user={userProfile} />
-  if (role === "student") return <StudentSettingsView user={userProfile} />
-  if (role === "teacher") return <TeacherSettingsView user={userProfile} />
-
-  redirect("/dashboard")
+  if (permissions.includes(Permissions.SETTINGS_ADMIN)) return <AdminSettingsView user={userProfile} />
+  if (permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)) return <StudentSettingsView user={userProfile} />
+  return <TeacherSettingsView user={userProfile} />
 }

src/app/(dashboard)/teacher/exams/all/page.tsx

@@ -8,6 +8,7 @@ import { ExamDataTable } from "@/modules/exams/components/exam-data-table"
 import { examColumns } from "@/modules/exams/components/exam-columns"
 import { ExamFilters } from "@/modules/exams/components/exam-filters"
 import { getExams } from "@/modules/exams/data-access"
+import { getAuthContext } from "@/shared/lib/auth-guard"
 import { FileText, PlusCircle } from "lucide-react"
 
 type SearchParams = { [key: string]: string | string[] | undefined }
@@ -19,6 +20,7 @@ const getParam = (params: SearchParams, key: string) => {
 
 async function ExamsResults({ searchParams }: { searchParams: Promise<SearchParams> }) {
   const params = await searchParams
+  const { dataScope } = await getAuthContext()
 
   const q = getParam(params, "q")
   const status = getParam(params, "status")
@@ -28,6 +30,7 @@ async function ExamsResults({ searchParams }: { searchParams: Promise<SearchPara
     q,
     status,
     difficulty,
+    scope: dataScope,
   })
 
   const hasFilters = Boolean(q || (status && status !== "all") || (difficulty && difficulty !== "all"))

src/app/(dashboard)/teacher/homework/assignments/create/page.tsx

@@ -2,12 +2,14 @@ import { HomeworkAssignmentForm } from "@/modules/homework/components/homework-a
 import { getExams } from "@/modules/exams/data-access"
 import { getTeacherClasses } from "@/modules/classes/data-access"
 import { EmptyState } from "@/shared/components/ui/empty-state"
+import { getAuthContext } from "@/shared/lib/auth-guard"
 import { FileQuestion } from "lucide-react"
 
 export const dynamic = "force-dynamic"
 
 export default async function CreateHomeworkAssignmentPage() {
-  const [exams, classes] = await Promise.all([getExams({}), getTeacherClasses()])
+  const { dataScope } = await getAuthContext()
+  const [exams, classes] = await Promise.all([getExams({ scope: dataScope }), getTeacherClasses()])
   const options = exams.map((e) => ({ id: e.id, title: e.title }))
 
   return (

src/app/globals.css

@@ -166,6 +166,20 @@
   }
 }
 
+/* Reduced Motion */
+@layer base {
+  @media (prefers-reduced-motion: reduce) {
+    *,
+    *::before,
+    *::after {
+      animation-duration: 0.01ms !important;
+      animation-iteration-count: 1 !important;
+      transition-duration: 0.01ms !important;
+      scroll-behavior: auto !important;
+    }
+  }
+}
+
 /* Base Styles */
 @layer base {
   * {

src/app/layout.tsx

@@ -1,4 +1,5 @@
 import type { Metadata } from "next";
+import { Inter } from "next/font/google";
 import { ThemeProvider } from "@/shared/components/theme-provider";
 import { Toaster } from "@/shared/components/ui/sonner";
 import { NuqsAdapter } from 'nuqs/adapters/next/app'
@@ -6,6 +7,12 @@ import { AuthSessionProvider } from "@/shared/components/auth-session-provider"
 import { OnboardingGate } from "@/shared/components/onboarding-gate"
 import "./globals.css";
 
+const inter = Inter({
+  subsets: ["latin"],
+  display: "swap",
+  variable: "--font-inter",
+});
+
 export const metadata: Metadata = {
   title: "Next_Edu - K12 智慧教务系统",
   description: "Enterprise Grade K12 Education Management System",
@@ -19,7 +26,7 @@ export default function RootLayout({
   return (
     <html lang="en" suppressHydrationWarning>
       <body
-        className={`antialiased`}
+        className={`${inter.variable} antialiased font-sans`}
         suppressHydrationWarning
       >
         <ThemeProvider