refactor(grades,diagnostic): 成绩和学情诊断模块审计修复

P0-1: 10 个页面补充 requirePermission 权限校验
P0-2: diagnostic/data-access-reports.ts 移除直查 users 表，改用 getUserNamesByIds
P0-3: 新增 grade/grades/diagnostic 三组 i18n 翻译文件（zh-CN/en）
P0-4: 新增 /management/grade 重定向页面

P1-2: 抽取 toNumber/normalize/buildScopeClassFilter 到 lib/grade-utils.ts
P1-3: 为 12 个 Action 新增 Zod safeParse 校验（schema.ts +12 查询 schema）
P1-4: 修复 as 断言违规，改用类型守卫函数

P2-2: 移除 diagnostic 组件中 Tailwind 任意值

同步更新架构图文档 004 和 005

src/app/(dashboard)/teacher/diagnostic/class/[classId]/page.tsx

@@ -1,7 +1,8 @@
 import type { JSX } from "react"
 import { notFound } from "next/navigation"
 import { Stethoscope } from "lucide-react"
-import { getAuthContext } from "@/shared/lib/auth-guard"
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getClassMasterySummary } from "@/modules/diagnostic/data-access"
 import { ClassDiagnosticView } from "@/modules/diagnostic/components/class-diagnostic-view"
 
@@ -13,7 +14,7 @@ export default async function ClassDiagnosticPage({
   params: Promise<{ classId: string }>
 }): Promise<JSX.Element> {
   const { classId } = await params
-  const ctx = await getAuthContext()
+  const ctx = await requirePermission(Permissions.DIAGNOSTIC_READ)
 
   // DataScope 校验：教师只能查看所教班级，学生/家长不可访问
   if (ctx.dataScope.type === "class_taught" && !ctx.dataScope.classIds.includes(classId)) {