refactor: RBAC权限系统重构 + UI组件拆分 + 测试修复 + 架构文档

- RBAC: 新增30个权限点、DataScope行级权限、requirePermission守卫，所有57+ Server Action接入权限校验
- UI拆分: exam-form(1623行→11文件)、textbook-reader(744行→7文件)，均降至300行以内
- 测试: 新增5个单元测试文件(19用例)，修复4个集成测试文件(38用例全部通过)
- 架构文档: 新增架构影响地图(004/005)、标准功能清单(006)、差距审计报告(007)
- 项目规则: 架构图优先规则，改码必同步图
- 安全: rehype-sanitize净化、AES加密API Key、权限路由守卫
- 无障碍: skip-link、aria-label、prefers-reduced-motion
- 性能: next/font优化、next/image、代码分割

src/app/(dashboard)/dashboard/page.tsx

@@ -1,6 +1,6 @@
 import { redirect } from "next/navigation"
 import { auth } from "@/auth"
-import { getUserProfile } from "@/modules/users/data-access"
+import { Permissions } from "@/shared/types/permissions"
 
 export const dynamic = "force-dynamic"
 
@@ -8,14 +8,11 @@ export default async function DashboardPage() {
   const session = await auth()
   if (!session?.user) redirect("/login")
 
-  const userId = String(session.user.id ?? "").trim()
-  if (!userId) redirect("/login")
-  const profile = await getUserProfile(userId)
-  if (!profile) redirect("/login")
-  const role = profile.role || "student"
+  const permissions = session.user.permissions ?? []
+  const roles = session.user.roles ?? []
 
-  if (role === "admin") redirect("/admin/dashboard")
-  if (role === "student") redirect("/student/dashboard")
-  if (role === "parent") redirect("/parent/dashboard")
+  if (permissions.includes(Permissions.SCHOOL_MANAGE)) redirect("/admin/dashboard")
+  if (permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)) redirect("/student/dashboard")
+  if (roles.includes("parent")) redirect("/parent/dashboard")
   redirect("/teacher/dashboard")
 }