fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages

Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata

Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx

Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND

Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade

Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class

Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import

Docs: Update architecture docs 004/005

src/modules/messaging/actions.ts

@@ -18,11 +18,13 @@ import {
   markMessageAsRead,
   deleteMessage,
   getRecipients,
+  getUnreadMessageCount,
 } from "./data-access"
 import {
   getNotifications,
   markNotificationAsRead,
   markAllNotificationsAsRead,
+  getUnreadNotificationCount,
 } from "@/modules/notifications/data-access"
 import {
   getNotificationPreferences,
@@ -129,7 +131,7 @@ export async function deleteMessageAction(messageId: string): Promise<ActionStat
 }
 
 export async function getMessagesAction(
-  params: { type: MessageType; page?: number; pageSize?: number }
+  params: { type: MessageType; page?: number; pageSize?: number; keyword?: string }
 ): Promise<ActionState<{ items: Message[]; total: number; page: number; pageSize: number; totalPages: number }>> {
   try {
     const ctx = await requirePermission(Permissions.MESSAGE_READ)
@@ -179,6 +181,30 @@ export async function getRecipientsAction(): Promise<ActionState<RecipientOption
   }
 }
 
+export async function getUnreadMessageCountAction(): Promise<ActionState<number>> {
+  try {
+    const ctx = await requirePermission(Permissions.MESSAGE_READ)
+    const count = await getUnreadMessageCount(ctx.userId)
+    return { success: true, data: count }
+  } catch (e) {
+    if (e instanceof PermissionDeniedError) return { success: false, message: e.message }
+    if (e instanceof Error) return { success: false, message: e.message }
+    return { success: false, message: "Unexpected error" }
+  }
+}
+
+export async function getUnreadNotificationCountAction(): Promise<ActionState<number>> {
+  try {
+    const ctx = await requirePermission(Permissions.MESSAGE_READ)
+    const count = await getUnreadNotificationCount(ctx.userId)
+    return { success: true, data: count }
+  } catch (e) {
+    if (e instanceof PermissionDeniedError) return { success: false, message: e.message }
+    if (e instanceof Error) return { success: false, message: e.message }
+    return { success: false, message: "Unexpected error" }
+  }
+}
+
 export async function getNotificationsAction(
   params?: { page?: number; pageSize?: number; unreadOnly?: boolean }
 ): Promise<ActionState<{ items: Notification[]; total: number; page: number; pageSize: number; totalPages: number }>> {
@@ -242,6 +268,13 @@ export async function updateNotificationPreferencesAction(
 
     // 从 FormData 中解析布尔值（checkbox 提交 "on" 或不提交）
     const parseBool = (key: string): boolean => formData.get(key) === "on"
+    // 从 FormData 中解析时间字符串（"HH:mm"），空字符串转为 null
+    const parseTime = (key: string): string | null => {
+      const v = formData.get(key)
+      if (typeof v !== "string") return null
+      const trimmed = v.trim()
+      return trimmed.length > 0 ? trimmed : null
+    }
 
     const parsed = UpdateNotificationPreferencesSchema.safeParse({
       emailEnabled: parseBool("emailEnabled"),
@@ -252,6 +285,9 @@ export async function updateNotificationPreferencesAction(
       announcementNotifications: parseBool("announcementNotifications"),
       messageNotifications: parseBool("messageNotifications"),
       attendanceNotifications: parseBool("attendanceNotifications"),
+      quietHoursEnabled: parseBool("quietHoursEnabled"),
+      quietHoursStart: parseTime("quietHoursStart"),
+      quietHoursEnd: parseTime("quietHoursEnd"),
     })
 
     if (!parsed.success) {