feat(P2): 实现质量保障类5项功能(无障碍/视觉回归/通知渠道/漏洞扫描/灾备)

## 新增功能

### 1. 屏幕阅读器兼容性增强（a11y）
- 无障碍工具库：src/shared/lib/a11y.ts
- aria-live Hook：src/shared/hooks/use-aria-live.ts
- a11y 组件：skip-link/visually-hidden/focus-trap/aria-status
- 增强 UI：table.tsx 系统性 ARIA role，dialog.tsx aria-modal
- 审计文档：docs/accessibility/a11y-audit.md（WCAG 2.1 AA 清单）

### 2. 视觉回归测试
- 测试套件：tests/visual/（homepage + 3 个 dashboard）
- 3 视口（desktop/tablet/mobile）× 2 主题（light/dark）
- 动态元素遮罩，避免误报
- playwright.config.ts 新增 visual-chromium 项目
- 文档：docs/testing/visual-regression.md

### 3. 短信/微信推送渠道集成
- 新模块：src/modules/notifications/
- 4 个渠道：SMS（阿里云/腾讯云）、WeChat（公众号）、Email（SMTP）、In-App
- 分发器按用户偏好并行多渠道发送
- 外部 SDK 动态 import，Mock 模式开发可用
- 文档：docs/notifications/channels.md

### 4. 漏洞扫描 CI 集成
- CI security-scan job：npm audit + Snyk + Trivy FS + OWASP ZAP
- 独立工作流 security.yml：每周一深度扫描 + 容器镜像扫描
- 配置：suppressions.json + .trivyignore
- 本地脚本：security-scan.sh/ps1
- 文档：docs/security/scanning.md（SLA 分级）

### 5. 灾备方案
- 脚本：backup-verify/backup-offsite-sync/dr-drill/failover/health-check
- CI 增强：备份后校验+异地同步，每周灾备演练
- 独立工作流 dr-drill.yml：每周一凌晨 4 点自动演练
- 文档：docs/dr/dr-plan.md（RTO 4h/RPO 24h）+ dr-runbook.md（6 故障场景）

## 验证
- npx tsc --noEmit：0 错误
- npm run lint：0 错误 0 警告

scripts/security-scan.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+# 本地安全扫描脚本 (Linux/macOS)
+# 用法: ./scripts/security-scan.sh
+# 功能: npm audit + Trivy 文件系统扫描,输出彩色报告
+# 退出码: 0=无高危漏洞, 1=存在高危漏洞
+
+set -uo pipefail
+
+# 颜色定义
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+
+PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$PROJECT_ROOT"
+
+HAS_HIGH=0
+
+print_header() {
+    echo -e "${CYAN}================================================${NC}"
+    echo -e "${CYAN}  $1${NC}"
+    echo -e "${CYAN}================================================${NC}"
+}
+
+print_ok()    { echo -e "${GREEN}[PASS]${NC} $1"; }
+print_warn()  { echo -e "${YELLOW}[WARN]${NC} $1"; }
+print_err()   { echo -e "${RED}[FAIL]${NC} $1"; HAS_HIGH=1; }
+print_info()  { echo -e "${BLUE}[INFO]${NC} $1"; }
+
+# 检查命令是否存在
+command_exists() {
+    command -v "$1" >/dev/null 2>&1
+}
+
+print_header "本地安全扫描"
+print_info "项目目录: $PROJECT_ROOT"
+echo ""
+
+# ------------------------------------------------
+# 1. npm audit
+# ------------------------------------------------
+print_header "1/2 npm audit (依赖审计)"
+
+if ! command_exists npm; then
+    print_err "未检测到 npm,请先安装 Node.js"
+    exit 1
+fi
+
+npm audit --json > /tmp/audit-report.json 2>/dev/null || true
+
+if [ -f /tmp/audit-report.json ]; then
+    # 提取漏洞计数(需要 jq)
+    if command_exists jq; then
+        CRITICAL=$(jq -r '.metadata.vulnerabilities.critical // 0' /tmp/audit-report.json)
+        HIGH=$(jq -r '.metadata.vulnerabilities.high // 0' /tmp/audit-report.json)
+        MODERATE=$(jq -r '.metadata.vulnerabilities.moderate // 0' /tmp/audit-report.json)
+        LOW=$(jq -r '.metadata.vulnerabilities.low // 0' /tmp/audit-report.json)
+
+        echo -e "  critical: ${RED}${CRITICAL}${NC}  high: ${RED}${HIGH}${NC}  moderate: ${YELLOW}${MODERATE}${NC}  low: ${GREEN}${LOW}${NC}"
+
+        if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
+            print_err "npm audit 发现 critical/high 漏洞"
+        else
+            print_ok "npm audit 无 critical/high 漏洞"
+        fi
+    else
+        print_warn "未安装 jq,跳过漏洞计数,显示原始报告"
+        npm audit --audit-level=moderate || print_warn "npm audit 发现漏洞"
+    fi
+
+    # 保存报告到项目根目录
+    cp /tmp/audit-report.json "$PROJECT_ROOT/audit-report.json"
+    print_info "报告已保存: audit-report.json"
+else
+    print_warn "npm audit 未生成报告"
+fi
+echo ""
+
+# ------------------------------------------------
+# 2. Trivy 文件系统扫描
+# ------------------------------------------------
+print_header "2/2 Trivy FS Scan (文件系统扫描)"
+
+if ! command_exists trivy; then
+    print_warn "未检测到 trivy,跳过文件系统扫描"
+    print_info "安装 Trivy: https://aquasecurity.github.io/trivy/latest/getting-started/installation/"
+else
+    TRIVY_REPORT="$PROJECT_ROOT/trivy-fs-report.json"
+    if trivy fs --format json --output "$TRIVY_REPORT" --exit-code 0 . >/dev/null 2>&1; then
+        print_ok "Trivy 扫描完成"
+    else
+        print_warn "Trivy 扫描返回非零状态(可能存在漏洞)"
+    fi
+
+    if [ -f "$TRIVY_REPORT" ] && command_exists jq; then
+        TOTAL=$(jq -r '[.Results[]?.Vulnerabilities[]?] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0")
+        CRITICAL=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0")
+        HIGH=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="HIGH")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0")
+        MEDIUM=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="MEDIUM")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0")
+        LOW=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="LOW")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0")
+
+        echo -e "  总计: ${TOTAL}  critical: ${RED}${CRITICAL}${NC}  high: ${RED}${HIGH}${NC}  medium: ${YELLOW}${MEDIUM}${NC}  low: ${GREEN}${LOW}${NC}"
+
+        if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
+            print_err "Trivy 发现 critical/high 漏洞"
+        else
+            print_ok "Trivy 无 critical/high 漏洞"
+        fi
+        print_info "报告已保存: trivy-fs-report.json"
+    fi
+
+    # 输出表格视图
+    echo ""
+    print_info "Trivy 表格视图:"
+    trivy fs --format table --exit-code 0 . || true
+fi
+echo ""
+
+# ------------------------------------------------
+# 汇总
+# ------------------------------------------------
+print_header "扫描汇总"
+if [ "$HAS_HIGH" -eq 0 ]; then
+    print_ok "未发现高危漏洞 (exit 0)"
+    exit 0
+else
+    print_err "发现高危漏洞,请尽快处理 (exit 1)"
+    echo -e "  ${BLUE}SLA:${NC} critical 24h / high 7d / medium 30d / low 90d"
+    exit 1
+fi