fix: applicant portal — document uploads, round filtering, auth hardening

Fix round-specific document uploads (submittedAt no longer blocks uploads),
add view/download buttons for existing files, enforce active-round-only for
uploads/deletes. Harden auth layout and set-password page. Filter applicant
portal rounds by award track membership.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/(auth)/layout.tsx

@@ -19,13 +19,14 @@ export default async function AuthLayout({
   // Redirect logged-in users to their dashboard
   // But NOT if they still need to set their password
   if (session?.user && !session.user.mustSetPassword) {
-    // Verify user still exists in DB (handles deleted accounts with stale sessions)
+    // Verify user still exists in DB and check onboarding status
     const dbUser = await prisma.user.findUnique({
       where: { id: session.user.id },
-      select: { id: true },
+      select: { id: true, onboardingCompletedAt: true },
     })
 
     if (dbUser) {
+
       const role = session.user.role
       if (role === 'SUPER_ADMIN' || role === 'PROGRAM_ADMIN') {
         redirect('/admin')

src/app/(auth)/set-password/page.tsx

@@ -36,17 +36,9 @@ export default function SetPasswordPage() {
       setIsSuccess(true)
       // Update the session to reflect the password has been set
       await updateSession()
-      // Redirect after a short delay
+      // Redirect after a short delay — all roles go to onboarding first
       setTimeout(() => {
-        if (session?.user?.role === 'JURY_MEMBER') {
-          router.push('/jury')
-        } else if (session?.user?.role === 'SUPER_ADMIN' || session?.user?.role === 'PROGRAM_ADMIN') {
-          router.push('/admin')
-        } else if (session?.user?.role === 'APPLICANT') {
-          router.push('/onboarding')
-        } else {
-          router.push('/')
-        }
+        router.push('/onboarding')
       }, 2000)
     },
     onError: (err) => {