feat(P2): 实现质量保障类5项功能(无障碍/视觉回归/通知渠道/漏洞扫描/灾备)

## 新增功能 ### 1. 屏幕阅读器兼容性增强（a11y） - 无障碍工具库：src/shared/lib/a11y.ts - aria-live Hook：src/shared/hooks/use-aria-live.ts - a11y 组件：skip-link/visually-hidden/focus-trap/aria-status - 增强 UI：table.tsx 系统性 ARIA role，dialog.tsx aria-modal - 审计文档：docs/accessibility/a11y-audit.md（WCAG 2.1 AA 清单） ### 2. 视觉回归测试 - 测试套件：tests/visual/（homepage + 3 个 dashboard） - 3 视口（desktop/tablet/mobile）× 2 主题（light/dark） - 动态元素遮罩，避免误报 - playwright.config.ts 新增 visual-chromium 项目 - 文档：docs/testing/visual-regression.md ### 3. 短信/微信推送渠道集成 - 新模块：src/modules/notifications/ - 4 个渠道：SMS（阿里云/腾讯云）、WeChat（公众号）、Email（SMTP）、In-App - 分发器按用户偏好并行多渠道发送 - 外部 SDK 动态 import，Mock 模式开发可用 - 文档：docs/notifications/channels.md ### 4. 漏洞扫描 CI 集成 - CI security-scan job：npm audit + Snyk + Trivy FS + OWASP ZAP - 独立工作流 security.yml：每周一深度扫描 + 容器镜像扫描 - 配置：suppressions.json + .trivyignore - 本地脚本：security-scan.sh/ps1 - 文档：docs/security/scanning.md（SLA 分级） ### 5. 灾备方案 - 脚本：backup-verify/backup-offsite-sync/dr-drill/failover/health-check - CI 增强：备份后校验+异地同步，每周灾备演练 - 独立工作流 dr-drill.yml：每周一凌晨 4 点自动演练 - 文档：docs/dr/dr-plan.md（RTO 4h/RPO 24h）+ dr-runbook.md（6 故障场景） ## 验证 - npx tsc --noEmit：0 错误 - npm run lint：0 错误 0 警告
2026-06-17 20:18:29 +08:00
parent b86255f0ea
commit 6585e10c6f
53 changed files with 7491 additions and 37 deletions
--- a/src/modules/notifications/actions.ts
+++ b/src/modules/notifications/actions.ts
@@ -0,0 +1,119 @@
+"use server"
+
+/**
+ * 通知 Server Actions
+ *
+ * - sendNotificationAction: 发送通知给指定用户（需要 MESSAGE_SEND 权限）
+ * - sendClassNotificationAction: 发送班级通知（教师权限，按班级查询学生后批量发送）
+ *
+ * 权限说明:
+ * 项目无独立 NOTIFICATION_SEND 权限点，复用 MESSAGE_SEND（教师/管理员/年级主任均拥有）。
+ * 班级通知按教师所教班级过滤，确保教师只能给自己班级发通知。
+ */
+
+import { eq } from "drizzle-orm"
+
+import { db } from "@/shared/db"
+import { classEnrollments, classes } from "@/shared/db/schema"
+import { PermissionDeniedError, requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
+import type { ActionState } from "@/shared/types/action-state"
+
+import { sendNotification, sendBatchNotifications } from "./dispatcher"
+import type { NotificationPayload, ChannelSendResult } from "./types"
+
+/**
+ * 发送通知给指定用户。
+ *
+ * @param payload 通知负载（payload.userId 为接收人）
+ */
+export async function sendNotificationAction(
+  payload: NotificationPayload
+): Promise<ActionState<ChannelSendResult[]>> {
+  try {
+    await requirePermission(Permissions.MESSAGE_SEND)
+
+    if (!payload.userId || !payload.title || !payload.content) {
+      return { success: false, message: "Missing required fields: userId, title, content" }
+    }
+
+    const results = await sendNotification(payload)
+    const allSuccess = results.every((r) => r.success)
+    return {
+      success: allSuccess,
+      message: allSuccess ? "Notification sent" : "Some channels failed",
+      data: results,
+    }
+  } catch (e) {
+    if (e instanceof PermissionDeniedError) return { success: false, message: e.message }
+    if (e instanceof Error) return { success: false, message: e.message }
+    return { success: false, message: "Unexpected error" }
+  }
+}
+
+/**
+ * 发送班级通知（批量发送给班级所有学生）。
+ *
+ * 教师只能给自己所教班级发送通知（通过 dataScope 校验）。
+ *
+ * @param classId 班级 ID
+ * @param payload 通知负载模板（payload.userId 会被覆盖为每个学生的 userId）
+ */
+export async function sendClassNotificationAction(
+  classId: string,
+  payload: Omit<NotificationPayload, "userId">
+): Promise<ActionState<ChannelSendResult[][]>> {
+  try {
+    const ctx = await requirePermission(Permissions.MESSAGE_SEND)
+
+    if (!classId || !payload.title || !payload.content) {
+      return { success: false, message: "Missing required fields: classId, title, content" }
+    }
+
+    // 权限校验: 教师只能给自己所教班级发通知；管理员可发任意班级
+    if (ctx.dataScope.type !== "all") {
+      const allowedClassIds =
+        ctx.dataScope.type === "class_taught" ? ctx.dataScope.classIds : []
+      if (!allowedClassIds.includes(classId)) {
+        return { success: false, message: "You can only send notifications to your own classes" }
+      }
+    }
+
+    // 查询班级所有学生
+    const [classRow] = await db
+      .select({ id: classes.id })
+      .from(classes)
+      .where(eq(classes.id, classId))
+      .limit(1)
+
+    if (!classRow) {
+      return { success: false, message: "Class not found" }
+    }
+
+    const enrollments = await db
+      .select({ studentId: classEnrollments.studentId })
+      .from(classEnrollments)
+      .where(eq(classEnrollments.classId, classId))
+
+    if (enrollments.length === 0) {
+      return { success: true, message: "No students in this class", data: [] }
+    }
+
+    // 构造每个学生的通知负载
+    const payloads: NotificationPayload[] = enrollments.map((e) => ({
+      ...payload,
+      userId: e.studentId,
+    }))
+
+    const results = await sendBatchNotifications(payloads)
+    return {
+      success: true,
+      message: `Notification sent to ${enrollments.length} students`,
+      data: results,
+    }
+  } catch (e) {
+    if (e instanceof PermissionDeniedError) return { success: false, message: e.message }
+    if (e instanceof Error) return { success: false, message: e.message }
+    return { success: false, message: "Unexpected error" }
+  }
+}