refactor: RBAC权限系统重构 + UI组件拆分 + 测试修复 + 架构文档

- RBAC: 新增30个权限点、DataScope行级权限、requirePermission守卫，所有57+ Server Action接入权限校验
- UI拆分: exam-form(1623行→11文件)、textbook-reader(744行→7文件)，均降至300行以内
- 测试: 新增5个单元测试文件(19用例)，修复4个集成测试文件(38用例全部通过)
- 架构文档: 新增架构影响地图(004/005)、标准功能清单(006)、差距审计报告(007)
- 项目规则: 架构图优先规则，改码必同步图
- 安全: rehype-sanitize净化、AES加密API Key、权限路由守卫
- 无障碍: skip-link、aria-label、prefers-reduced-motion
- 性能: next/font优化、next/image、代码分割

tests/integration/proxy-guard.test.ts

@@ -1,45 +1,60 @@
 import { describe, expect, it, vi } from "vitest"
 
-vi.mock("@/auth", () => ({
-  auth: (handler: (req: unknown) => unknown) => handler,
+const { getTokenMock } = vi.hoisted(() => ({
+  getTokenMock: vi.fn(),
 }))
 
-import proxy from "@/proxy"
+vi.mock("next-auth/jwt", () => ({
+  getToken: getTokenMock,
+}))
 
-type SessionRole = "admin" | "teacher" | "student" | "parent"
+import { middleware } from "@/proxy"
 
-const createRequest = (pathname: string, role?: SessionRole) => ({
+const createRequest = (pathname: string) => ({
   nextUrl: {
     pathname,
     clone: () => new URL(`http://localhost${pathname}`),
   },
-  auth: role ? { user: { role } } : null,
   url: `http://localhost${pathname}`,
 })
 
 describe("proxy route guard", () => {
   it("redirects unauthenticated requests to login with callback", async () => {
-    const response = await proxy(createRequest("/teacher/dashboard") as never)
+    getTokenMock.mockResolvedValue(null)
+    const response = await middleware(createRequest("/teacher/dashboard") as never)
     expect(response.status).toBe(307)
     const location = response.headers.get("location") ?? ""
     expect(location).toContain("/login")
-    expect(location).toContain("callbackUrl=%2Fteacher%2Fdashboard")
+    expect(location).toContain("callbackUrl=")
+    expect(decodeURIComponent(location)).toContain("/teacher/dashboard")
   })
 
-  it("redirects student away from admin routes", async () => {
-    const response = await proxy(createRequest("/admin/dashboard", "student") as never)
+  it("redirects user without school:manage permission away from admin routes", async () => {
+    getTokenMock.mockResolvedValue({
+      permissions: ["homework:submit"],
+      roles: ["student"],
+    })
+    const response = await middleware(createRequest("/admin/dashboard") as never)
     expect(response.status).toBe(307)
     expect(response.headers.get("location")).toContain("/student/dashboard")
   })
 
-  it("redirects parent away from management routes", async () => {
-    const response = await proxy(createRequest("/management/grade/insights", "parent") as never)
+  it("redirects user without grade:manage permission away from management routes", async () => {
+    getTokenMock.mockResolvedValue({
+      permissions: ["exam:read"],
+      roles: ["parent"],
+    })
+    const response = await middleware(createRequest("/management/grade/insights") as never)
     expect(response.status).toBe(307)
     expect(response.headers.get("location")).toContain("/parent/dashboard")
   })
 
-  it("allows teacher access to management routes", async () => {
-    const response = await proxy(createRequest("/management/grade/insights", "teacher") as never)
+  it("allows user with grade:manage permission to access management routes", async () => {
+    getTokenMock.mockResolvedValue({
+      permissions: ["exam:read", "grade:manage"],
+      roles: ["teacher"],
+    })
+    const response = await middleware(createRequest("/management/grade/insights") as never)
     expect(response.status).toBe(200)
     expect(response.headers.get("location")).toBeNull()
   })