Comprehensive platform review: security fixes, query optimization, UI improvements, and code cleanup

Security (Critical/High):
- Fix path traversal bypass in local storage provider (path.resolve + prefix check)
- Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual)
- Add auth + ownership checks to email API routes (verify-credentials, change-password)
- Remove hardcoded secret key fallback in local storage provider
- Add production credential check for MinIO (fail loudly if not set)
- Remove DB error details from health check response
- Add stricter rate limiting on application submissions (5/hour)
- Add rate limiting on email availability check (anti-enumeration)
- Change getAIAssignmentJobStatus to adminProcedure
- Block dangerous file extensions on upload
- Reduce project list max perPage from 5000 to 200

Query Optimization:
- Optimize analytics getProjectRankings with select instead of full includes
- Fix N+1 in mentor.getSuggestions (batch findMany instead of loop)
- Use _count for files instead of fetching full file records in project list
- Switch to bulk notifications in assignment and user bulk operations
- Batch filtering upserts (25 per transaction instead of all at once)

UI/UX:
- Replace Inter font with Montserrat in public layout (brand consistency)
- Use Logo component in public layout instead of placeholder
- Create branded 404 and error pages
- Make admin rounds table responsive with mobile card layout
- Fix notification bell paths to be role-aware
- Replace hardcoded slate colors with semantic tokens in admin sidebar
- Force light mode (dark mode untested)
- Adjust CardTitle default size
- Improve muted-foreground contrast for accessibility (A11Y)
- Move profile form state initialization to useEffect

Code Quality:
- Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates)
- Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs
- Remove unused twilio dependency
- Remove redundant email index from schema
- Add actual storage object deletion when file records are deleted
- Wrap evaluation submit + assignment update in
- Add comprehensive platform review document

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/server/routers/file.ts

@@ -1,7 +1,7 @@
 import { z } from 'zod'
 import { TRPCError } from '@trpc/server'
 import { router, protectedProcedure, adminProcedure } from '../trpc'
-import { getPresignedUrl, generateObjectKey, BUCKET_NAME } from '@/lib/minio'
+import { getPresignedUrl, generateObjectKey, deleteObject, BUCKET_NAME } from '@/lib/minio'
 
 export const fileRouter = router({
   /**
@@ -83,6 +83,16 @@ export const fileRouter = router({
       })
     )
     .mutation(async ({ ctx, input }) => {
+      // Block dangerous file extensions
+      const dangerousExtensions = ['.exe', '.sh', '.bat', '.cmd', '.ps1', '.php', '.jsp', '.cgi', '.dll', '.msi']
+      const ext = input.fileName.toLowerCase().slice(input.fileName.lastIndexOf('.'))
+      if (dangerousExtensions.includes(ext)) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: `File type "${ext}" is not allowed`,
+        })
+      }
+
       const bucket = BUCKET_NAME
       const objectKey = generateObjectKey(input.projectId, input.fileName)
 
@@ -147,8 +157,14 @@ export const fileRouter = router({
         where: { id: input.id },
       })
 
-      // Note: Actual MinIO deletion could be done here or via background job
-      // For now, we just delete the database record
+      // Delete actual storage object (best-effort, don't fail the operation)
+      try {
+        if (file.bucket && file.objectKey) {
+          await deleteObject(file.bucket, file.objectKey)
+        }
+      } catch (error) {
+        console.error(`[File] Failed to delete storage object ${file.objectKey}:`, error)
+      }
 
       // Audit log
       await ctx.prisma.auditLog.create({