refactor: fix all P0/P1/P2 bugs and architecture issues

Bug fixes (from bugs/ directory):

- Fix cross-module DB queries in 9 modules (homework, grades, parent, diagnostic, elective, proctoring, notifications, scheduling, classes) by routing through data-access functions

- Fix shared/lib <-> auth circular dependency via new session.ts module

- Fix divide-by-zero guard in grades data-access

- Fix audit export data truncation (paginated fetch for full datasets)

- Fix missing transactions in homework grading and elective lottery

- Fix missing revalidatePath in course-plans actions

- Fix frontend permission checks using requirePermission instead of requireAuth

- Fix dashboard role routing using session.user.roles

- Fix student auth pattern (migrate getDemoStudentUser to users module)

- Fix ActionState return type handling in components

Code quality fixes:

- Remove 60+ as type assertions (replace with type guards)

- Remove non-null assertions (use optional chaining or explicit checks)

- Convert dynamic imports to static imports (grades, diagnostic)

- Add React.cache() wrapping for read functions

- Parallelize independent queries with Promise.all

- Add explicit return types to 30+ arrow functions

- Replace any with unknown + type guards

- Fix import type for type-only imports

- Add Zod validation schemas for classes and diagnostic modules

- Extract duplicate code (normalizeRoleName, normalizeBcryptHash, logger IP extraction)

- Add console.error to silent catch blocks

- Fix permission naming consistency (exam:proctor_read -> exam:proctor:read)

Architecture doc sync:

- Update 004_architecture_impact_map.md and 005_architecture_data.json

- Update management-modules-audit.md for P0-7 cross-module fix

Moved deleted proctoring event route to deletes/ folder.

src/app/(dashboard)/announcements/page.tsx

@@ -1,9 +1,12 @@
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getAnnouncements } from "@/modules/announcements/data-access"
 import { AnnouncementList } from "@/modules/announcements/components/announcement-list"
 
 export const dynamic = "force-dynamic"
 
 export default async function AnnouncementsPage() {
+  await requirePermission(Permissions.ANNOUNCEMENT_READ)
   const announcements = await getAnnouncements({ status: "published" })
 
   return (

src/app/(dashboard)/dashboard/page.tsx

@@ -1,6 +1,5 @@
 import { redirect } from "next/navigation"
 import { auth } from "@/auth"
-import { Permissions } from "@/shared/types/permissions"
 
 export const dynamic = "force-dynamic"
 
@@ -8,11 +7,10 @@ export default async function DashboardPage() {
   const session = await auth()
   if (!session?.user) redirect("/login")
 
-  const permissions = session.user.permissions ?? []
   const roles = session.user.roles ?? []
 
-  if (permissions.includes(Permissions.SCHOOL_MANAGE)) redirect("/admin/dashboard")
-  if (permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)) redirect("/student/dashboard")
+  if (roles.includes("admin")) redirect("/admin/dashboard")
+  if (roles.includes("student")) redirect("/student/dashboard")
   if (roles.includes("parent")) redirect("/parent/dashboard")
   redirect("/teacher/dashboard")
 }

src/app/(dashboard)/management/grade/classes/page.tsx

@@ -1,13 +1,14 @@
-import { auth } from "@/auth"
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getGradeManagedClasses, getManagedGrades, getTeacherOptions } from "@/modules/classes/data-access"
 import { GradeClassesClient } from "@/modules/classes/components/grade-classes-view"
 
 export const dynamic = "force-dynamic"
 
 export default async function GradeClassesPage() {
-  const session = await auth()
-  const userId = session?.user?.id ?? ""
-  
+  const ctx = await requirePermission(Permissions.GRADE_MANAGE)
+  const userId = ctx.userId
+
   const [classes, teachers, managedGrades] = await Promise.all([
     getGradeManagedClasses(userId),
     getTeacherOptions(),

src/app/(dashboard)/management/grade/insights/page.tsx

@@ -1,3 +1,4 @@
+import { requireAuth } from "@/shared/lib/auth-guard"
 import { getTeacherIdForMutations } from "@/modules/classes/data-access"
 import { getGradeHomeworkInsights } from "@/modules/classes/data-access"
 import { getGradesForStaff } from "@/modules/school/data-access"
@@ -23,6 +24,7 @@ const getParam = (params: SearchParams, key: string) => {
 const fmt = (v: number | null, digits = 1) => (typeof v === "number" && Number.isFinite(v) ? v.toFixed(digits) : "-")
 
 export default async function TeacherGradeInsightsPage({ searchParams }: { searchParams: Promise<SearchParams> }) {
+  await requireAuth()
   const params = await searchParams
   const gradeId = getParam(params, "gradeId")
 

src/app/(dashboard)/profile/page.tsx

@@ -1,7 +1,7 @@
 import Link from "next/link"
 import { redirect } from "next/navigation"
 
-import { auth } from "@/auth"
+import { requireAuth } from "@/shared/lib/auth-guard"
 import { getStudentClasses, getStudentSchedule, getTeacherClasses, getTeacherTeachingSubjects } from "@/modules/classes/data-access"
 import { StudentGradesCard } from "@/modules/dashboard/components/student-dashboard/student-grades-card"
 import { StudentStatsGrid } from "@/modules/dashboard/components/student-dashboard/student-stats-grid"
@@ -33,17 +33,16 @@ const formatDate = (date: Date | null) => {
 }
 
 export default async function ProfilePage() {
-  const session = await auth()
-  if (!session?.user) redirect("/login")
+  const ctx = await requireAuth()
 
-  const userId = String(session.user.id ?? "").trim()
+  const userId = ctx.userId
   const userProfile = await getUserProfile(userId)
 
   if (!userProfile) {
       redirect("/login")
   }
 
-  const permissions = session.user.permissions ?? []
+  const permissions = ctx.permissions
   const isStudent = permissions.includes(Permissions.HOMEWORK_SUBMIT) && !permissions.includes(Permissions.EXAM_CREATE)
   const isTeacher = permissions.includes(Permissions.EXAM_CREATE)
 

src/app/(dashboard)/settings/page.tsx

@@ -1,6 +1,6 @@
 import { redirect } from "next/navigation"
 
-import { auth } from "@/auth"
+import { requireAuth } from "@/shared/lib/auth-guard"
 import { AdminSettingsView } from "@/modules/settings/components/admin-settings-view"
 import { StudentSettingsView } from "@/modules/settings/components/student-settings-view"
 import { TeacherSettingsView } from "@/modules/settings/components/teacher-settings-view"
@@ -11,15 +11,14 @@ import { Permissions } from "@/shared/types/permissions"
 export const dynamic = "force-dynamic"
 
 export default async function SettingsPage() {
-  const session = await auth()
-  if (!session?.user) redirect("/login")
+  const ctx = await requireAuth()
 
-  const userId = String(session.user.id ?? "").trim()
+  const userId = ctx.userId
   const userProfile = await getUserProfile(userId)
 
   if (!userProfile) redirect("/login")
 
-  const permissions = session.user.permissions ?? []
+  const permissions = ctx.permissions
   const notificationPrefs = await getNotificationPreferences(userId)
 
   if (permissions.includes(Permissions.SETTINGS_ADMIN)) {

src/app/(dashboard)/settings/security/page.tsx

@@ -1,7 +1,6 @@
-import { redirect } from "next/navigation"
 import { Lock } from "lucide-react"
 
-import { auth } from "@/auth"
+import { requireAuth } from "@/shared/lib/auth-guard"
 import { PasswordChangeForm } from "@/modules/settings/components/password-change-form"
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/shared/components/ui/card"
 
@@ -12,8 +11,7 @@ export const metadata = {
 }
 
 export default async function SecuritySettingsPage() {
-  const session = await auth()
-  if (!session?.user) redirect("/login")
+  await requireAuth()
 
   return (
     <div className="flex h-full flex-col gap-8 p-8">

src/app/(dashboard)/student/dashboard/page.tsx

@@ -1,6 +1,7 @@
 import { StudentDashboard } from "@/modules/dashboard/components/student-dashboard/student-dashboard-view"
 import { getStudentClasses, getStudentSchedule } from "@/modules/classes/data-access"
-import { getDemoStudentUser, getStudentDashboardGrades, getStudentHomeworkAssignments } from "@/modules/homework/data-access"
+import { getStudentDashboardGrades, getStudentHomeworkAssignments } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 import { EmptyState } from "@/shared/components/ui/empty-state"
 import { Inbox } from "lucide-react"
 
@@ -12,7 +13,7 @@ const toWeekday = (d: Date): 1 | 2 | 3 | 4 | 5 | 6 | 7 => {
 }
 
 export default async function StudentDashboardPage() {
-  const student = await getDemoStudentUser()
+  const student = await getCurrentStudentUser()
   if (!student) {
     return (
       <div className="flex h-full flex-col items-center justify-center">

src/app/(dashboard)/student/elective/page.tsx

@@ -1,31 +1,13 @@
-import { auth } from "@/auth"
-import { Inbox } from "lucide-react"
+import { getAuthContext } from "@/shared/lib/auth-guard"
 
 import { getAvailableCoursesForStudent, getStudentSelections } from "@/modules/elective/data-access-selections"
 import { StudentSelectionView } from "@/modules/elective/components/student-selection-view"
-import { EmptyState } from "@/shared/components/ui/empty-state"
 
 export const dynamic = "force-dynamic"
 
 export default async function StudentElectivePage() {
-  const session = await auth()
-  const studentId = String(session?.user?.id ?? "")
-
-  if (!studentId) {
-    return (
-      <div className="flex h-full flex-col space-y-8 p-8">
-        <div>
-          <h2 className="text-2xl font-bold tracking-tight">Elective Courses</h2>
-          <p className="text-muted-foreground">Browse and select elective courses.</p>
-        </div>
-        <EmptyState
-          title="Sign in required"
-          description="Please sign in to view elective courses."
-          icon={Inbox}
-        />
-      </div>
-    )
-  }
+  const ctx = await getAuthContext()
+  const studentId = ctx.userId
 
   const [availableCourses, mySelections] = await Promise.all([
     getAvailableCoursesForStudent(studentId),

src/app/(dashboard)/student/learning/assignments/[assignmentId]/page.tsx

@@ -1,6 +1,7 @@
 import { notFound } from "next/navigation"
 
-import { getDemoStudentUser, getStudentHomeworkTakeData } from "@/modules/homework/data-access"
+import { getStudentHomeworkTakeData } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 import { HomeworkTakeView } from "@/modules/homework/components/homework-take-view"
 import { HomeworkReviewView } from "@/modules/homework/components/student-homework-review-view"
 import { formatDate } from "@/shared/lib/utils"
@@ -13,7 +14,7 @@ export default async function StudentAssignmentTakePage({
   params: Promise<{ assignmentId: string }>
 }) {
   const { assignmentId } = await params
-  const student = await getDemoStudentUser()
+  const student = await getCurrentStudentUser()
   if (!student) return notFound()
 
   const data = await getStudentHomeworkTakeData(assignmentId, student.id)

src/app/(dashboard)/student/learning/assignments/page.tsx

@@ -5,7 +5,8 @@ import { Badge } from "@/shared/components/ui/badge"
 import { Button } from "@/shared/components/ui/button"
 import { Card, CardContent, CardHeader, CardTitle } from "@/shared/components/ui/card"
 import { formatDate } from "@/shared/lib/utils"
-import { getDemoStudentUser, getStudentHomeworkAssignments } from "@/modules/homework/data-access"
+import { getStudentHomeworkAssignments } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 import { Inbox } from "lucide-react"
 
 export const dynamic = "force-dynamic"
@@ -39,7 +40,7 @@ const getActionVariant = (status: string): "default" | "secondary" | "outline" =
 const isAnswered = (status: string) => status === "submitted" || status === "graded"
 
 export default async function StudentAssignmentsPage() {
-  const student = await getDemoStudentUser()
+  const student = await getCurrentStudentUser()
 
   if (!student) {
     return (

src/app/(dashboard)/student/learning/courses/page.tsx

@@ -1,14 +1,14 @@
 import { Inbox } from "lucide-react"
 
 import { getStudentClasses } from "@/modules/classes/data-access"
-import { getDemoStudentUser } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 import { StudentCoursesView } from "@/modules/student/components/student-courses-view"
 import { EmptyState } from "@/shared/components/ui/empty-state"
 
 export const dynamic = "force-dynamic"
 
 export default async function StudentCoursesPage() {
-  const student = await getDemoStudentUser()
+  const student = await getCurrentStudentUser()
   if (!student) {
     return (
       <div className="flex h-full flex-col space-y-8 p-8">

src/app/(dashboard)/student/learning/textbooks/[id]/page.tsx

@@ -6,7 +6,7 @@ import { getTextbookById, getChaptersByTextbookId, getKnowledgePointsByTextbookI
 import { TextbookReader } from "@/modules/textbooks/components/textbook-reader"
 import { Badge } from "@/shared/components/ui/badge"
 import { EmptyState } from "@/shared/components/ui/empty-state"
-import { getDemoStudentUser } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 
 export const dynamic = "force-dynamic"
 
@@ -15,7 +15,7 @@ export default async function StudentTextbookDetailPage({
 }: {
   params: Promise<{ id: string }>
 }) {
-  const student = await getDemoStudentUser()
+  const student = await getCurrentStudentUser()
   if (!student) {
     return (
       <div className="h-full flex-1 flex-col space-y-8 p-8 md:flex">

src/app/(dashboard)/student/learning/textbooks/page.tsx

@@ -3,7 +3,7 @@ import { BookOpen, Inbox } from "lucide-react"
 import { getTextbooks } from "@/modules/textbooks/data-access"
 import { TextbookCard } from "@/modules/textbooks/components/textbook-card"
 import { TextbookFilters } from "@/modules/textbooks/components/textbook-filters"
-import { getDemoStudentUser } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 import { EmptyState } from "@/shared/components/ui/empty-state"
 
 export const dynamic = "force-dynamic"
@@ -20,7 +20,7 @@ export default async function StudentTextbooksPage({
 }: {
   searchParams: Promise<SearchParams>
 }) {
-  const [student, sp] = await Promise.all([getDemoStudentUser(), searchParams])
+  const [student, sp] = await Promise.all([getCurrentStudentUser(), searchParams])
 
   if (!student) {
     return (

src/app/(dashboard)/student/schedule/page.tsx

@@ -1,7 +1,7 @@
 import { Inbox } from "lucide-react"
 
 import { getStudentClasses, getStudentSchedule } from "@/modules/classes/data-access"
-import { getDemoStudentUser } from "@/modules/homework/data-access"
+import { getCurrentStudentUser } from "@/modules/users/data-access"
 import { StudentScheduleFilters } from "@/modules/student/components/student-schedule-filters"
 import { StudentScheduleView } from "@/modules/student/components/student-schedule-view"
 import { EmptyState } from "@/shared/components/ui/empty-state"
@@ -15,7 +15,7 @@ export default async function StudentSchedulePage({
 }: {
   searchParams: Promise<SearchParams>
 }) {
-  const student = await getDemoStudentUser()
+  const student = await getCurrentStudentUser()
   if (!student) {
     return (
       <div className="flex h-full flex-col space-y-8 p-8">