fix: applicant portal — document uploads, round filtering, auth hardening

Fix round-specific document uploads (submittedAt no longer blocks uploads),
add view/download buttons for existing files, enforce active-round-only for
uploads/deletes. Harden auth layout and set-password page. Filter applicant
portal rounds by award track membership.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/server/routers/applicant.ts

@@ -20,6 +20,16 @@ function generateInviteToken(): string {
   return crypto.randomBytes(32).toString('hex')
 }
 
+/** Check if a project has been rejected in any round (based on ProjectRoundState, not Project.status) */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+async function isProjectRejected(prisma: any, projectId: string): Promise<boolean> {
+  const rejected = await prisma.projectRoundState.findFirst({
+    where: { projectId, state: 'REJECTED' },
+    select: { id: true },
+  })
+  return !!rejected
+}
+
 export const applicantRouter = router({
   /**
    * Get submission info for an applicant (by round slug)
@@ -276,6 +286,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects from uploading
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Uploads are no longer permitted.' })
+      }
+
       // If uploading against a requirement, validate mime type and size
       if (input.requirementId) {
         const requirement = await ctx.prisma.fileRequirement.findUnique({
@@ -303,21 +318,29 @@ export const applicantRouter = router({
 
       let isLate = false
 
-      // Can't upload if already submitted
-      if (project.submittedAt && !isLate) {
+      // Can't upload if already submitted — but only for initial application edits.
+      // Round-specific uploads (business plan, video for later rounds) are allowed
+      // as long as the round is active.
+      if (project.submittedAt && !input.roundId) {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Cannot modify a submitted project',
         })
       }
 
-      // Fetch round name for storage path (if uploading against a round)
+      // Fetch round info and verify it's active
       let roundName: string | undefined
       if (input.roundId) {
         const round = await ctx.prisma.round.findUnique({
           where: { id: input.roundId },
-          select: { name: true },
+          select: { name: true, status: true },
         })
+        if (round && round.status !== 'ROUND_ACTIVE') {
+          throw new TRPCError({
+            code: 'BAD_REQUEST',
+            message: 'This round is closed. Documents can no longer be uploaded.',
+          })
+        }
         roundName = round?.name
       }
 
@@ -385,6 +408,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
+      }
+
       const { projectId, roundId, isLate, requirementId, ...fileData } = input
 
       // Delete existing file: by requirementId if provided, otherwise by fileType
@@ -459,14 +487,33 @@ export const applicantRouter = router({
         })
       }
 
-      // Can't delete if project is submitted
-      if (file.project.submittedAt) {
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, file.project.id)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. File changes are no longer permitted.' })
+      }
+
+      // Can't delete initial application files after submission
+      if (file.project.submittedAt && !file.roundId) {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Cannot modify a submitted project',
         })
       }
 
+      // Round-specific files can only be deleted while the round is active
+      if (file.roundId) {
+        const round = await ctx.prisma.round.findUnique({
+          where: { id: file.roundId },
+          select: { status: true },
+        })
+        if (round && round.status !== 'ROUND_ACTIVE') {
+          throw new TRPCError({
+            code: 'BAD_REQUEST',
+            message: 'This round is closed. Documents can no longer be modified.',
+          })
+        }
+      }
+
       await ctx.prisma.projectFile.delete({
         where: { id: input.fileId },
       })
@@ -809,6 +856,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
+      }
+
       // Check if already a team member
       const existingMember = await ctx.prisma.teamMember.findFirst({
         where: {
@@ -1020,6 +1072,11 @@ export const applicantRouter = router({
         })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Team changes are no longer permitted.' })
+      }
+
       // Can't remove the original submitter
       if (project.submittedByUserId === input.userId) {
         throw new TRPCError({
@@ -1234,7 +1291,7 @@ export const applicantRouter = router({
       }
     }
 
-    const isRejected = currentStatus === 'REJECTED'
+    const isRejected = await isProjectRejected(ctx.prisma, project.id)
     const hasWonAward = project.wonAwards.length > 0
 
     // Build timeline
@@ -1382,9 +1439,10 @@ export const applicantRouter = router({
         isTeamLead,
         userRole: userMembership?.role || (project.submittedByUserId === ctx.user.id ? 'LEAD' : null),
       },
-      openRounds,
+      openRounds: isRejected ? [] : openRounds,
       timeline,
       currentStatus,
+      isRejected,
       hasPassedIntake: !!passedIntake,
       isIntakeOpen: !!activeIntakeRound,
       logoUrl,
@@ -1442,9 +1500,12 @@ export const applicantRouter = router({
             select: { configJson: true },
           })
         : []
+      const navProjectRejected = await isProjectRejected(ctx.prisma, project.id)
       hasEvaluationRounds = closedEvalRounds.some((r) => {
         const parsed = EvaluationConfigSchema.safeParse(r.configJson)
-        return parsed.success && parsed.data.applicantVisibility.enabled
+        if (!parsed.success || !parsed.data.applicantVisibility.enabled) return false
+        if (parsed.data.applicantVisibility.hideFromRejected && navProjectRejected) return false
+        return true
       })
     }
 
@@ -1746,11 +1807,16 @@ export const applicantRouter = router({
       }>
     }> = []
 
+    const projectIsRejected = await isProjectRejected(ctx.prisma, project.id)
+
     for (let i = 0; i < evalRounds.length; i++) {
       const round = evalRounds[i]
       const parsed = EvaluationConfigSchema.safeParse(round.configJson)
       if (!parsed.success || !parsed.data.applicantVisibility.enabled) continue
 
+      // Skip this round if hideFromRejected is on and the project has been rejected
+      if (parsed.data.applicantVisibility.hideFromRejected && projectIsRejected) continue
+
       const vis = parsed.data.applicantVisibility
 
       // Get evaluations via assignments — NEVER select userId or user relation
@@ -1991,6 +2057,11 @@ export const applicantRouter = router({
         throw new TRPCError({ code: 'FORBIDDEN', message: 'You are not a member of this project' })
       }
 
+      // Block rejected projects
+      if (await isProjectRejected(ctx.prisma, input.projectId)) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'Your project has been rejected. Logo changes are no longer permitted.' })
+      }
+
       return getImageUploadUrl(
         input.projectId,
         input.fileName,