refactor: fix all P0/P1/P2 bugs and architecture issues

Bug fixes (from bugs/ directory):

- Fix cross-module DB queries in 9 modules (homework, grades, parent, diagnostic, elective, proctoring, notifications, scheduling, classes) by routing through data-access functions

- Fix shared/lib <-> auth circular dependency via new session.ts module

- Fix divide-by-zero guard in grades data-access

- Fix audit export data truncation (paginated fetch for full datasets)

- Fix missing transactions in homework grading and elective lottery

- Fix missing revalidatePath in course-plans actions

- Fix frontend permission checks using requirePermission instead of requireAuth

- Fix dashboard role routing using session.user.roles

- Fix student auth pattern (migrate getDemoStudentUser to users module)

- Fix ActionState return type handling in components

Code quality fixes:

- Remove 60+ as type assertions (replace with type guards)

- Remove non-null assertions (use optional chaining or explicit checks)

- Convert dynamic imports to static imports (grades, diagnostic)

- Add React.cache() wrapping for read functions

- Parallelize independent queries with Promise.all

- Add explicit return types to 30+ arrow functions

- Replace any with unknown + type guards

- Fix import type for type-only imports

- Add Zod validation schemas for classes and diagnostic modules

- Extract duplicate code (normalizeRoleName, normalizeBcryptHash, logger IP extraction)

- Add console.error to silent catch blocks

- Fix permission naming consistency (exam:proctor_read -> exam:proctor:read)

Architecture doc sync:

- Update 004_architecture_impact_map.md and 005_architecture_data.json

- Update management-modules-audit.md for P0-7 cross-module fix

Moved deleted proctoring event route to deletes/ folder.

src/app/(dashboard)/management/grade/classes/page.tsx

@@ -1,13 +1,14 @@
-import { auth } from "@/auth"
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getGradeManagedClasses, getManagedGrades, getTeacherOptions } from "@/modules/classes/data-access"
 import { GradeClassesClient } from "@/modules/classes/components/grade-classes-view"
 
 export const dynamic = "force-dynamic"
 
 export default async function GradeClassesPage() {
-  const session = await auth()
-  const userId = session?.user?.id ?? ""
-  
+  const ctx = await requirePermission(Permissions.GRADE_MANAGE)
+  const userId = ctx.userId
+
   const [classes, teachers, managedGrades] = await Promise.all([
     getGradeManagedClasses(userId),
     getTeacherOptions(),

src/app/(dashboard)/management/grade/insights/page.tsx

@@ -1,3 +1,4 @@
+import { requireAuth } from "@/shared/lib/auth-guard"
 import { getTeacherIdForMutations } from "@/modules/classes/data-access"
 import { getGradeHomeworkInsights } from "@/modules/classes/data-access"
 import { getGradesForStaff } from "@/modules/school/data-access"
@@ -23,6 +24,7 @@ const getParam = (params: SearchParams, key: string) => {
 const fmt = (v: number | null, digits = 1) => (typeof v === "number" && Number.isFinite(v) ? v.toFixed(digits) : "-")
 
 export default async function TeacherGradeInsightsPage({ searchParams }: { searchParams: Promise<SearchParams> }) {
+  await requireAuth()
   const params = await searchParams
   const gradeId = getParam(params, "gradeId")