fix: security hardening + performance refactoring (code review batch 1)

- IDOR fix: deliberation vote now verifies juryMemberId === ctx.user.id
- Rate limiting: tRPC middleware (100/min), AI endpoints (5/hr), auth IP-based (10/15min)
- 6 compound indexes added to Prisma schema
- N+1 eliminated in processRoundClose (batch updateMany/createMany)
- N+1 eliminated in batchCheckRequirementsAndTransition (3 batch queries)
- Service extraction: juror-reassignment.ts (578 lines)
- Dead code removed: award.ts, cohort.ts, decision.ts (680 lines)
- 35 bare catch blocks replaced across 16 files
- Fire-and-forget async calls fixed
- Notification false positive bug fixed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/server/routers/assignmentPolicy.ts

@@ -41,8 +41,8 @@ export const assignmentPolicyRouter = router({
               role: member.role,
               policy,
             }
-          } catch {
-            // Member may not be linked to this round's jury group
+          } catch (err) {
+            console.error('[AssignmentPolicy] Failed to resolve member context:', err)
             return null
           }
         }),
@@ -103,8 +103,8 @@ export const assignmentPolicyRouter = router({
               remaining: policy.remainingCapacity,
             })
           }
-        } catch {
-          // Skip members that can't be resolved
+        } catch (err) {
+          console.error('[AssignmentPolicy] Failed to evaluate policy for member:', err)
         }
       }