refactor: RBAC权限系统重构 + UI组件拆分 + 测试修复 + 架构文档

- RBAC: 新增30个权限点、DataScope行级权限、requirePermission守卫，所有57+ Server Action接入权限校验
- UI拆分: exam-form(1623行→11文件)、textbook-reader(744行→7文件)，均降至300行以内
- 测试: 新增5个单元测试文件(19用例)，修复4个集成测试文件(38用例全部通过)
- 架构文档: 新增架构影响地图(004/005)、标准功能清单(006)、差距审计报告(007)
- 项目规则: 架构图优先规则，改码必同步图
- 安全: rehype-sanitize净化、AES加密API Key、权限路由守卫
- 无障碍: skip-link、aria-label、prefers-reduced-motion
- 性能: next/font优化、next/image、代码分割

tests/integration/dashboard-routing.test.ts

@@ -2,7 +2,6 @@ import { beforeEach, describe, expect, it, vi } from "vitest"
 
 const mocks = vi.hoisted(() => ({
   authMock: vi.fn(),
-  getUserProfileMock: vi.fn(),
   redirectMock: vi.fn((target: string) => {
     throw new Error(`REDIRECT:${target}`)
   }),
@@ -12,10 +11,6 @@ vi.mock("@/auth", () => ({
   auth: mocks.authMock,
 }))
 
-vi.mock("@/modules/users/data-access", () => ({
-  getUserProfile: mocks.getUserProfileMock,
-}))
-
 vi.mock("next/navigation", () => ({
   redirect: mocks.redirectMock,
 }))
@@ -35,33 +30,36 @@ describe("dashboard route dispatcher", () => {
     await expect(DashboardPage()).rejects.toThrow("REDIRECT:/login")
   })
 
-  it("redirects to login when user profile is missing", async () => {
-    mocks.authMock.mockResolvedValue({ user: { id: "u_1" } })
-    mocks.getUserProfileMock.mockResolvedValue(null)
+  it("redirects to login when user is missing", async () => {
+    mocks.authMock.mockResolvedValue({ user: null })
     await expect(DashboardPage()).rejects.toThrow("REDIRECT:/login")
   })
 
-  it("redirects admin to admin dashboard", async () => {
-    mocks.authMock.mockResolvedValue({ user: { id: "u_admin" } })
-    mocks.getUserProfileMock.mockResolvedValue({ role: "admin" })
+  it("redirects admin (school:manage) to admin dashboard", async () => {
+    mocks.authMock.mockResolvedValue({
+      user: { id: "u_admin", roles: ["admin"], permissions: ["school:manage"] },
+    })
     await expect(DashboardPage()).rejects.toThrow("REDIRECT:/admin/dashboard")
   })
 
-  it("redirects student to student dashboard", async () => {
-    mocks.authMock.mockResolvedValue({ user: { id: "u_student" } })
-    mocks.getUserProfileMock.mockResolvedValue({ role: "student" })
+  it("redirects student (homework:submit without exam:create) to student dashboard", async () => {
+    mocks.authMock.mockResolvedValue({
+      user: { id: "u_student", roles: ["student"], permissions: ["homework:submit"] },
+    })
     await expect(DashboardPage()).rejects.toThrow("REDIRECT:/student/dashboard")
   })
 
   it("redirects parent to parent dashboard", async () => {
-    mocks.authMock.mockResolvedValue({ user: { id: "u_parent" } })
-    mocks.getUserProfileMock.mockResolvedValue({ role: "parent" })
+    mocks.authMock.mockResolvedValue({
+      user: { id: "u_parent", roles: ["parent"], permissions: ["exam:read"] },
+    })
     await expect(DashboardPage()).rejects.toThrow("REDIRECT:/parent/dashboard")
   })
 
-  it("falls back to student dashboard when role is unknown", async () => {
-    mocks.authMock.mockResolvedValue({ user: { id: "u_teacher" } })
-    mocks.getUserProfileMock.mockResolvedValue({ role: "" })
-    await expect(DashboardPage()).rejects.toThrow("REDIRECT:/student/dashboard")
+  it("redirects teacher (with exam:create) to teacher dashboard", async () => {
+    mocks.authMock.mockResolvedValue({
+      user: { id: "u_teacher", roles: ["teacher"], permissions: ["exam:create", "exam:read"] },
+    })
+    await expect(DashboardPage()).rejects.toThrow("REDIRECT:/teacher/dashboard")
   })
 })