refactor: RBAC权限系统重构 + UI组件拆分 + 测试修复 + 架构文档

- RBAC: 新增30个权限点、DataScope行级权限、requirePermission守卫，所有57+ Server Action接入权限校验
- UI拆分: exam-form(1623行→11文件)、textbook-reader(744行→7文件)，均降至300行以内
- 测试: 新增5个单元测试文件(19用例)，修复4个集成测试文件(38用例全部通过)
- 架构文档: 新增架构影响地图(004/005)、标准功能清单(006)、差距审计报告(007)
- 项目规则: 架构图优先规则，改码必同步图
- 安全: rehype-sanitize净化、AES加密API Key、权限路由守卫
- 无障碍: skip-link、aria-label、prefers-reduced-motion
- 性能: next/font优化、next/image、代码分割

src/app/(dashboard)/settings/page.tsx

@@ -5,6 +5,7 @@ import { AdminSettingsView } from "@/modules/settings/components/admin-settings-
 import { StudentSettingsView } from "@/modules/settings/components/student-settings-view"
 import { TeacherSettingsView } from "@/modules/settings/components/teacher-settings-view"
 import { getUserProfile } from "@/modules/users/data-access"
+import { Permissions } from "@/shared/types/permissions"
 
 export const dynamic = "force-dynamic"
 
@@ -17,11 +18,9 @@ export default async function SettingsPage() {
 
   if (!userProfile) redirect("/login")
 
-  const role = userProfile.role || "student"
+  const permissions = session.user.permissions ?? []
 
-  if (role === "admin") return <AdminSettingsView user={userProfile} />
-  if (role === "student") return <StudentSettingsView user={userProfile} />
-  if (role === "teacher") return <TeacherSettingsView user={userProfile} />
-
-  redirect("/dashboard")
+  if (permissions.includes(Permissions.SETTINGS_ADMIN)) return <AdminSettingsView user={userProfile} />
+  if (permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)) return <StudentSettingsView user={userProfile} />
+  return <TeacherSettingsView user={userProfile} />
 }