fix: security hardening — block self-registration, SSE auth, audit logging fixes

Security fixes:
- Block self-registration via magic link (PrismaAdapter createUser throws)
- Magic links only sent to existing ACTIVE users (prevents enumeration)
- signIn callback rejects non-existent users (defense-in-depth)
- Change schema default role from JURY_MEMBER to APPLICANT
- Add authentication to live-voting SSE stream endpoint
- Fix false FILE_OPENED/FILE_DOWNLOADED audit events on page load
  (remove purpose from eagerly pre-fetched URL queries)

Bug fixes:
- Fix impersonation skeleton screen on applicant dashboard
- Fix onboarding redirect loop in auth layout

Observer dashboard redesign (Steps 1-6):
- Clickable round pipeline with selected round highlighting
- Round-type-specific dashboard panels (intake, filtering, evaluation,
  submission, mentoring, live final, deliberation)
- Enhanced activity feed with server-side humanization
- Previous round comparison section
- New backend queries for round-specific analytics

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/server/routers/logo.ts

@@ -1,6 +1,6 @@
 import { z } from 'zod'
 import { TRPCError } from '@trpc/server'
-import { router, adminProcedure } from '../trpc'
+import { router, adminProcedure, protectedProcedure } from '../trpc'
 import { generateLogoKey, type StorageProviderType } from '@/lib/storage'
 import {
   getImageUploadUrl,
@@ -110,9 +110,9 @@ export const logoRouter = router({
     }),
 
   /**
-   * Get a project's logo URL
+   * Get a project's logo URL (any authenticated user — logos are public display data)
    */
-  getUrl: adminProcedure
+  getUrl: protectedProcedure
     .input(z.object({ projectId: z.string() }))
     .query(async ({ ctx, input }) => {
       return getImageUrl(ctx.prisma, logoConfig, input.projectId)