feat: impersonation system, semi-finalist detail page, tRPC resilience

- Add super-admin impersonation: "Login As" from user list, red banner
  with "Return to Admin", audit logged start/end, nested impersonation
  blocked, onboarding gate skipped during impersonation
- Fix semi-finalist stats: check latest terminal state (not any PASSED),
  use passwordHash OR status=ACTIVE for activation check
- Add /admin/semi-finalists detail page with search, category/status filters
- Add account_reminder_days setting to notifications tab
- Add tRPC resilience: retry on 503/HTML responses, custom fetch detects
  nginx error pages, exponential backoff (2s/4s/8s)
- Reduce dashboard polling intervals (60s stats, 30s activity, 120s semi)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/(mentor)/layout.tsx

@@ -12,16 +12,16 @@ export default async function MentorLayout({
 }) {
   const session = await requireRole('MENTOR', 'PROGRAM_ADMIN', 'SUPER_ADMIN')
 
-  // Check if user has completed onboarding (for mentors)
+  // Check if user has completed onboarding (for mentors, skip during impersonation)
+  const isImpersonating = !!session.user.impersonating
   const userRoles = session.user.roles?.length ? session.user.roles : [session.user.role]
-  if (userRoles.includes('MENTOR') && !userRoles.some(r => r === 'SUPER_ADMIN' || r === 'PROGRAM_ADMIN')) {
+  if (!isImpersonating && userRoles.includes('MENTOR') && !userRoles.some(r => r === 'SUPER_ADMIN' || r === 'PROGRAM_ADMIN')) {
     const user = await prisma.user.findUnique({
       where: { id: session.user.id },
       select: { onboardingCompletedAt: true },
     })
 
     if (!user) {
-      // User was deleted — session is stale, send to login
       redirect('/login')
     }