feat(P2): 实现质量保障类5项功能(无障碍/视觉回归/通知渠道/漏洞扫描/灾备)

## 新增功能

### 1. 屏幕阅读器兼容性增强（a11y）
- 无障碍工具库：src/shared/lib/a11y.ts
- aria-live Hook：src/shared/hooks/use-aria-live.ts
- a11y 组件：skip-link/visually-hidden/focus-trap/aria-status
- 增强 UI：table.tsx 系统性 ARIA role，dialog.tsx aria-modal
- 审计文档：docs/accessibility/a11y-audit.md（WCAG 2.1 AA 清单）

### 2. 视觉回归测试
- 测试套件：tests/visual/（homepage + 3 个 dashboard）
- 3 视口（desktop/tablet/mobile）× 2 主题（light/dark）
- 动态元素遮罩，避免误报
- playwright.config.ts 新增 visual-chromium 项目
- 文档：docs/testing/visual-regression.md

### 3. 短信/微信推送渠道集成
- 新模块：src/modules/notifications/
- 4 个渠道：SMS（阿里云/腾讯云）、WeChat（公众号）、Email（SMTP）、In-App
- 分发器按用户偏好并行多渠道发送
- 外部 SDK 动态 import，Mock 模式开发可用
- 文档：docs/notifications/channels.md

### 4. 漏洞扫描 CI 集成
- CI security-scan job：npm audit + Snyk + Trivy FS + OWASP ZAP
- 独立工作流 security.yml：每周一深度扫描 + 容器镜像扫描
- 配置：suppressions.json + .trivyignore
- 本地脚本：security-scan.sh/ps1
- 文档：docs/security/scanning.md（SLA 分级）

### 5. 灾备方案
- 脚本：backup-verify/backup-offsite-sync/dr-drill/failover/health-check
- CI 增强：备份后校验+异地同步，每周灾备演练
- 独立工作流 dr-drill.yml：每周一凌晨 4 点自动演练
- 文档：docs/dr/dr-plan.md（RTO 4h/RPO 24h）+ dr-runbook.md（6 故障场景）

## 验证
- npx tsc --noEmit：0 错误
- npm run lint：0 错误 0 警告

.gitea/workflows/dr-drill.yml

@@ -0,0 +1,124 @@
+name: DR Drill
+
+on:
+  schedule:
+    - cron: "0 4 * * 1"  # 每周一凌晨 4 点
+  workflow_dispatch:       # 支持手动触发
+    inputs:
+      backup_file:
+        description: '指定备份文件(可选,留空使用最新备份)'
+        required: false
+        default: ''
+      no_cleanup:
+        description: '演练后不清理测试数据库'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  dr-drill:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install MySQL client
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq mysql-client
+
+      - name: Prepare backup directory
+        run: mkdir -p backups docs/dr/reports
+
+      - name: Download latest backup artifact (if no backup file specified)
+        if: github.event.inputs.backup_file == ''
+        uses: actions/download-artifact@v3
+        with:
+          name: db-backup
+          path: backups/
+        continue-on-error: true
+
+      - name: Run database backup (if no artifact available)
+        if: steps.download.outcome == 'failure' || true
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+          BACKUP_DIR: ./backups
+        run: |
+          if [ -z "$(ls -A backups/db_backup_*.sql.gz 2>/dev/null)" ]; then
+            echo "No backup artifact found, creating fresh backup..."
+            chmod +x scripts/backup-db.sh
+            ./scripts/backup-db.sh
+          else
+            echo "Using existing backup artifact"
+          fi
+
+      - name: Run disaster recovery drill
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+          BACKUP_DIR: ./backups
+          DR_DRILL_TEST_DB: next_edu_dr_drill
+        run: |
+          chmod +x scripts/dr-drill.sh
+          ARGS=""
+          if [ -n "${{ github.event.inputs.backup_file }}" ]; then
+            ARGS="$ARGS --backup ${{ github.event.inputs.backup_file }}"
+          fi
+          if [ "${{ github.event.inputs.no_cleanup }}" = "true" ]; then
+            ARGS="$ARGS --no-cleanup"
+          fi
+          ./scripts/dr-drill.sh $ARGS
+
+      - name: Upload drill report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: dr-drill-report-${{ github.run_id }}
+          path: docs/dr/reports/
+          retention-days: 90
+
+      - name: Notify operations team (on failure)
+        if: failure()
+        env:
+          WEBHOOK_URL: ${{ secrets.DR_NOTIFICATION_WEBHOOK }}
+          SMTP_HOST: ${{ secrets.SMTP_HOST }}
+        run: |
+          echo "DR Drill failed! Notifying operations team..."
+          # Webhook 通知(如果配置)
+          if [ -n "$WEBHOOK_URL" ]; then
+            curl -X POST "$WEBHOOK_URL" \
+              -H "Content-Type: application/json" \
+              -d "{
+                \"text\": \"⚠️ DR Drill Failed\",
+                \"attachments\": [{
+                  \"color\": \"danger\",
+                  \"fields\": [
+                    {\"title\": \"Repository\", \"value\": \"${{ github.repository }}\", \"short\": true},
+                    {\"title\": \"Run ID\", \"value\": \"${{ github.run_id }}\", \"short\": true},
+                    {\"title\": \"Triggered By\", \"value\": \"${{ github.actor }}\", \"short\": true},
+                    {\"title\": \"Time\", \"value\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\", \"short\": true},
+                    {\"title\": \"Action\", \"value\": \"Check workflow logs and report artifact\", \"short\": false}
+                  ]
+                }]
+              }" || echo "WARN: Webhook notification failed"
+          else
+            echo "INFO: DR_NOTIFICATION_WEBHOOK not set, skipping webhook notification"
+          fi
+          # 邮件通知(如果配置 SMTP)
+          if [ -n "$SMTP_HOST" ]; then
+            echo "INFO: SMTP notification would be sent (configure in production)"
+          fi
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "=== DR Drill Workflow Summary ==="
+          echo "Run ID: ${{ github.run_id }}"
+          echo "Triggered by: ${{ github.actor }}"
+          echo "Status: ${{ job.status }}"
+          echo "Report: Check dr-drill-report-${{ github.run_id }} artifact"
+          echo ""
+          if [ -f docs/dr/reports/dr_drill_*.md ]; then
+            echo "Latest drill report:"
+            cat docs/dr/reports/dr_drill_*.md | head -50
+          fi