Comprehensive platform review: security fixes, query optimization, UI improvements, and code cleanup

Security (Critical/High):
- Fix path traversal bypass in local storage provider (path.resolve + prefix check)
- Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual)
- Add auth + ownership checks to email API routes (verify-credentials, change-password)
- Remove hardcoded secret key fallback in local storage provider
- Add production credential check for MinIO (fail loudly if not set)
- Remove DB error details from health check response
- Add stricter rate limiting on application submissions (5/hour)
- Add rate limiting on email availability check (anti-enumeration)
- Change getAIAssignmentJobStatus to adminProcedure
- Block dangerous file extensions on upload
- Reduce project list max perPage from 5000 to 200

Query Optimization:
- Optimize analytics getProjectRankings with select instead of full includes
- Fix N+1 in mentor.getSuggestions (batch findMany instead of loop)
- Use _count for files instead of fetching full file records in project list
- Switch to bulk notifications in assignment and user bulk operations
- Batch filtering upserts (25 per transaction instead of all at once)

UI/UX:
- Replace Inter font with Montserrat in public layout (brand consistency)
- Use Logo component in public layout instead of placeholder
- Create branded 404 and error pages
- Make admin rounds table responsive with mobile card layout
- Fix notification bell paths to be role-aware
- Replace hardcoded slate colors with semantic tokens in admin sidebar
- Force light mode (dark mode untested)
- Adjust CardTitle default size
- Improve muted-foreground contrast for accessibility (A11Y)
- Move profile form state initialization to useEffect

Code Quality:
- Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates)
- Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs
- Remove unused twilio dependency
- Remove redundant email index from schema
- Add actual storage object deletion when file records are deleted
- Wrap evaluation submit + assignment update in
- Add comprehensive platform review document

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/components/shared/notification-bell.tsx

@@ -3,6 +3,7 @@
 import { useState } from 'react'
 import Link from 'next/link'
 import type { Route } from 'next'
+import { usePathname } from 'next/navigation'
 import { trpc } from '@/lib/trpc/client'
 import { cn, formatRelativeTime } from '@/lib/utils'
 import { Button } from '@/components/ui/button'
@@ -207,6 +208,18 @@ function NotificationItem({
 export function NotificationBell() {
   const [filter, setFilter] = useState<'all' | 'unread'>('all')
   const [open, setOpen] = useState(false)
+  const pathname = usePathname()
+
+  // Derive the role-based path prefix from the current route
+  const pathPrefix = pathname.startsWith('/admin')
+    ? '/admin'
+    : pathname.startsWith('/jury')
+      ? '/jury'
+      : pathname.startsWith('/mentor')
+        ? '/mentor'
+        : pathname.startsWith('/observer')
+          ? '/observer'
+          : ''
 
   const { data: countData } = trpc.notification.getUnreadCount.useQuery(
     undefined,
@@ -277,7 +290,7 @@ export function NotificationBell() {
               </Button>
             )}
             <Button variant="ghost" size="icon" asChild>
-              <Link href={'/admin/settings' as Route}>
+              <Link href={`${pathPrefix}/settings` as Route}>
                 <Settings className="h-4 w-4" />
                 <span className="sr-only">Notification settings</span>
               </Link>
@@ -342,7 +355,7 @@ export function NotificationBell() {
         {notifications.length > 0 && (
           <div className="p-2 border-t bg-muted/30">
             <Button variant="ghost" className="w-full" asChild>
-              <Link href={'/admin/notifications' as Route}>View all notifications</Link>
+              <Link href={`${pathPrefix}/notifications` as Route}>View all notifications</Link>
             </Button>
           </div>
         )}