refactor: P0-3/5/6 解耦修复 - 循环依赖/通知分发/课表写入口

P0-3: 修复 shared/lib <-> auth 循环依赖
- audit-logger.ts, change-logger.ts, auth-guard.ts, classes/data-access.ts
  改用动态 import("@/auth") 打破静态模块级循环依赖
- shared/lib 不再静态导入 @/auth

P0-5: messaging 改用 notifications dispatcher
- messaging/actions.ts 的 sendMessageAction 改用 sendNotification
  替代直接调用 createNotification
- 用户通知偏好(SMS/微信/邮件/站内)现在被正确尊重

P0-6: 统一 classSchedule 写入口到 scheduling/data-access
- 新增 insertClassScheduleItem/updateClassScheduleItemById/
  deleteClassScheduleItemById/replaceClassSchedule 统一写入函数
- classes/data-access.ts 的三个 schedule 写入函数委托给 scheduling
- scheduling/actions.ts 的 applyAutoScheduleAction 改用 replaceClassSchedule
- 移除 scheduling/actions.ts 中不再使用的 classSchedule/createId 导入

验证: tsc --noEmit 0 errors, npm run lint 0 errors

src/shared/lib/auth-guard.ts

@@ -1,4 +1,3 @@
-import { auth } from "@/auth"
 import type { Permission, DataScope, AuthContext } from "@/shared/types/permissions"
 import { db } from "@/shared/db"
 import {
@@ -16,12 +15,22 @@ export class PermissionDeniedError extends Error {
   }
 }
 
+/**
+ * Get the current session without creating a static circular dependency
+ * on @/auth (which itself imports from @/shared/lib/*).
+ * Dynamic import breaks the module-level cycle.
+ */
+async function getCurrentSession() {
+  const { auth } = await import("@/auth")
+  return auth()
+}
+
 /**
  * Get the full authentication context for the current user.
  * Throws if not authenticated.
  */
 export async function getAuthContext(): Promise<AuthContext> {
-  const session = await auth()
+  const session = await getCurrentSession()
   const userId = session?.user?.id
   if (!userId) throw new PermissionDeniedError("auth_required")