Multi-role members, round detail UI overhaul, dashboard jury progress, and submit bug fix

- Add roles UserRole[] to User model with migration + backfill from existing role column
- Update auth JWT/session to propagate roles array with [role] fallback for stale tokens
- Update tRPC hasRole() middleware and add userHasRole() helper for inline role checks
- Update ~15 router inline checks and ~13 DB queries to use roles array
- Add updateRoles admin mutation with SUPER_ADMIN guard and priority-based primary role
- Add role switcher UI in admin sidebar and role-nav for multi-role users
- Remove redundant stats cards from round detail, add window dates to header banner
- Merge Members section into JuryProgressTable with inline cap editor and remove buttons
- Reorder round detail assignments tab: Progress > Score Dist > Assignments > Coverage > Jury Group
- Make score distribution fill full vertical height, reassignment history always open
- Add per-juror progress bars to admin dashboard ActiveRoundPanel for EVALUATION rounds
- Fix evaluation submit bug: use isSubmitting state instead of startMutation.isPending

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/lib/auth.ts

@@ -54,6 +54,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
               email: true,
               name: true,
               role: true,
+              roles: true,
               status: true,
               inviteTokenExpiresAt: true,
             },
@@ -95,6 +96,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
             email: user.email,
             name: user.name,
             role: user.role,
+            roles: user.roles.length ? user.roles : [user.role],
             mustSetPassword: true,
           }
         }
@@ -120,6 +122,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
             email: true,
             name: true,
             role: true,
+            roles: true,
             status: true,
             passwordHash: true,
             mustSetPassword: true,
@@ -183,6 +186,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
           email: user.email,
           name: user.name,
           role: user.role,
+          roles: user.roles.length ? user.roles : [user.role],
           mustSetPassword: user.mustSetPassword,
         }
       },
@@ -195,6 +199,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       if (user) {
         token.id = user.id as string
         token.role = user.role as UserRole
+        token.roles = user.roles?.length ? user.roles : [user.role as UserRole]
         token.mustSetPassword = user.mustSetPassword
       }
 
@@ -202,10 +207,11 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       if (trigger === 'update') {
         const dbUser = await prisma.user.findUnique({
           where: { id: token.id as string },
-          select: { role: true, mustSetPassword: true },
+          select: { role: true, roles: true, mustSetPassword: true },
         })
         if (dbUser) {
           token.role = dbUser.role
+          token.roles = dbUser.roles.length ? dbUser.roles : [dbUser.role]
           token.mustSetPassword = dbUser.mustSetPassword
         }
       }
@@ -216,6 +222,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       if (token && session.user) {
         session.user.id = token.id as string
         session.user.role = token.role as UserRole
+        session.user.roles = (token.roles as UserRole[]) ?? [token.role as UserRole]
         session.user.mustSetPassword = token.mustSetPassword as boolean | undefined
       }
       return session
@@ -231,6 +238,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
             passwordHash: true,
             mustSetPassword: true,
             role: true,
+            roles: true,
           },
         })
 
@@ -250,6 +258,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
         if (dbUser) {
           user.id = dbUser.id
           user.role = dbUser.role
+          user.roles = dbUser.roles.length ? dbUser.roles : [dbUser.role]
           user.mustSetPassword = dbUser.mustSetPassword || !dbUser.passwordHash
         }
       }
@@ -309,7 +318,9 @@ export async function requireAuth() {
 // Helper to require specific role(s)
 export async function requireRole(...roles: UserRole[]) {
   const session = await requireAuth()
-  if (!roles.includes(session.user.role)) {
+  // Use roles array, fallback to [role] for stale JWT tokens
+  const userRoles = session.user.roles?.length ? session.user.roles : [session.user.role]
+  if (!roles.some(r => userRoles.includes(r))) {
     throw new Error('Forbidden')
   }
   return session