refactor: fix all P0/P1/P2 bugs and architecture issues

Bug fixes (from bugs/ directory):

- Fix cross-module DB queries in 9 modules (homework, grades, parent, diagnostic, elective, proctoring, notifications, scheduling, classes) by routing through data-access functions

- Fix shared/lib <-> auth circular dependency via new session.ts module

- Fix divide-by-zero guard in grades data-access

- Fix audit export data truncation (paginated fetch for full datasets)

- Fix missing transactions in homework grading and elective lottery

- Fix missing revalidatePath in course-plans actions

- Fix frontend permission checks using requirePermission instead of requireAuth

- Fix dashboard role routing using session.user.roles

- Fix student auth pattern (migrate getDemoStudentUser to users module)

- Fix ActionState return type handling in components

Code quality fixes:

- Remove 60+ as type assertions (replace with type guards)

- Remove non-null assertions (use optional chaining or explicit checks)

- Convert dynamic imports to static imports (grades, diagnostic)

- Add React.cache() wrapping for read functions

- Parallelize independent queries with Promise.all

- Add explicit return types to 30+ arrow functions

- Replace any with unknown + type guards

- Fix import type for type-only imports

- Add Zod validation schemas for classes and diagnostic modules

- Extract duplicate code (normalizeRoleName, normalizeBcryptHash, logger IP extraction)

- Add console.error to silent catch blocks

- Fix permission naming consistency (exam:proctor_read -> exam:proctor:read)

Architecture doc sync:

- Update 004_architecture_impact_map.md and 005_architecture_data.json

- Update management-modules-audit.md for P0-7 cross-module fix

Moved deleted proctoring event route to deletes/ folder.

src/modules/notifications/actions.ts

@@ -11,14 +11,12 @@
  * 班级通知按教师所教班级过滤，确保教师只能给自己班级发通知。
  */
 
-import { eq } from "drizzle-orm"
-
-import { db } from "@/shared/db"
-import { classEnrollments, classes } from "@/shared/db/schema"
 import { PermissionDeniedError, requirePermission } from "@/shared/lib/auth-guard"
 import { Permissions } from "@/shared/types/permissions"
 import type { ActionState } from "@/shared/types/action-state"
 
+import { getClassExists, getStudentIdsByClassId } from "@/modules/classes/data-access"
+
 import { sendNotification, sendBatchNotifications } from "./dispatcher"
 import type { NotificationPayload, ChannelSendResult } from "./types"
 
@@ -79,36 +77,29 @@ export async function sendClassNotificationAction(
       }
     }
 
-    // 查询班级所有学生
-    const [classRow] = await db
-      .select({ id: classes.id })
-      .from(classes)
-      .where(eq(classes.id, classId))
-      .limit(1)
-
-    if (!classRow) {
+    // 校验班级是否存在
+    const classExists = await getClassExists(classId)
+    if (!classExists) {
       return { success: false, message: "Class not found" }
     }
 
-    const enrollments = await db
-      .select({ studentId: classEnrollments.studentId })
-      .from(classEnrollments)
-      .where(eq(classEnrollments.classId, classId))
+    // 查询班级所有学生
+    const studentIds = await getStudentIdsByClassId(classId)
 
-    if (enrollments.length === 0) {
+    if (studentIds.length === 0) {
       return { success: true, message: "No students in this class", data: [] }
     }
 
     // 构造每个学生的通知负载
-    const payloads: NotificationPayload[] = enrollments.map((e) => ({
+    const payloads: NotificationPayload[] = studentIds.map((studentId) => ({
       ...payload,
-      userId: e.studentId,
+      userId: studentId,
     }))
 
     const results = await sendBatchNotifications(payloads)
     return {
       success: true,
-      message: `Notification sent to ${enrollments.length} students`,
+      message: `Notification sent to ${studentIds.length} students`,
       data: results,
     }
   } catch (e) {