Backs the new consolidated Edition tab on /admin/settings.
getEditionSettings returns a merged view of Program-level fields
(defaultAttendeeCap, visaStatusVisibleToMembers) plus LIVE_FINAL round
config (attendeeEditCutoffHours, confirmationWindowHours, with
sensible defaults). Round-derived values are null when the round
doesn't exist yet.
updateEditionSettings is partial — only supplied fields are written.
Round config writes merge into the existing configJson so other keys
are preserved. Audit-logged as PROGRAM_EDITION_SETTINGS_UPDATE.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds VisaStatus enum, VisaApplication model 1:1 with AttendingMember
(cascade-delete), and Program.visaStatusVisibleToMembers Boolean
toggle. The model intentionally stores process metadata only — status,
optional nationality, key dates, free-text notes. Sensitive documents
(passport scans, invitation letters, decision papers) continue to flow
over email and are never persisted in the platform.
Migration is purely additive: CREATE TYPE / CREATE TABLE / ADD COLUMN /
ADD FK. No DROP / ALTER on existing data.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a PROJECT_TEAM recipient type to the message router (resolver
returns team members + project lead) and an "Email Team" button on
the admin project detail page that opens a self-contained dialog
matching the look of /admin/messages: subject, body (pre-filled
with "Hello [Project Title] team,\n\n"), live HTML preview iframe,
"Send test to me" + "Send to N" actions.
The composer reuses the existing message.previewEmail and
message.send tRPC procedures end-to-end — no parallel email
infrastructure introduced.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Surfaces every MentoringConfigSchema field on the round Config tab:
- Adds "Mentoring Request Window" card with mentoringRequestDeadlineDays
numeric input (1-90 days, default 14) and passThroughIfNoRequest toggle
(default ON; OFF holds projects PENDING until manual mentor assignment).
- Adds inline help-text for the Eligibility dropdown explaining each
option's effect on auto-PASS behavior.
- Hides the General Settings card on MENTORING rounds (it only renders
Advancement Targets, which don't apply to a pass-through round).
- Relaxes the Launch Readiness "File requirements set" gate for MENTORING
rounds without filePromotionEnabled + a target window — file requirements
only matter when files will be promoted to a downstream submission window.
Spec: docs/superpowers/specs/2026-04-28-mentor-round-readiness-design.md §A
Plan: docs/superpowers/plans/2026-04-28-pr3-mentoring-config-completeness.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bundle backend security (HMAC-signed upload tokens, server-built
objectKeys, mentor-or-team-member auth) with the actual file UI
that didn't exist yet (Files tab placeholder, file-promotion-panel
mock array, and applicant-side gap).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Step-by-step plan for §E. Single-procedure change to filter
getOnboardingContext memberships by linked-round type, plus a
new test file covering review-only, LIVE_FINAL-only, and mixed
group cases.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After review, two additions to the multi-role UX section:
1. Replace static-priority post-login redirect with context-aware
"go where the work is" via new user.getDefaultDashboard() — a
juror+observer landing during an active jury round goes to /jury
even though observer has no work; falls back to static priority
when no role has actionable work.
2. Standardize the role switcher's location across all dashboards.
Extract shared useRoleSwitcher hook + new RoleSwitcherPill that
renders in the top-right of every layout, including admin (which
currently puts switching in the bottom-left sidebar pill).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
15 TDD-style tasks covering the round-scoping bug fixes for
getProjectDetail and getProjectRankings, the per-round toggle, the
side-panel deeper display, the shared score explainer dialog, and the
decimal display audit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Captures the per-round toggle, side-panel deeper display, "How scores
are calculated" explainer dialog, and the cross-round contamination
fixes for getProjectDetail and getProjectRankings.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Fix special award FK crash: replace 4x raw auditLog.create with logAudit() helper
- Add updateSubmissionWindow + deleteSubmissionWindow mutations to round router
- Add per-round analytics (_count, juryGroup) to competition.getById
- Remove redundant acceptedCategories from intake config
- Rewrite submission window manager with full CRUD, all fields, date pickers
- Add round scheduling card (open/close dates) to round detail page
- Add project count, assignment count, jury group to round list cards
- Visual redesign: pipeline view, brand colors, progress bars, enhanced cards
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace Pipeline/Stage system with Competition/Round architecture.
New schema: Competition, Round (7 types), JuryGroup, AssignmentPolicy,
ProjectRoundState, DeliberationSession, ResultLock, SubmissionWindow.
New services: round-engine, round-assignment, deliberation, result-lock,
submission-manager, competition-context, ai-prompt-guard.
Full admin/jury/applicant/mentor UI rewrite. AI prompt hardening with
structured prompts, retry logic, and injection detection. All legacy
pipeline/stage code removed. 4 new migrations + seed aligned.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Create wizard config types, utilities, and defaults (wizard-config.ts)
- Add admin apply settings page with drag-and-drop step ordering, dropdown
option management, feature toggles, welcome message customization, and
custom field builder with select/multiselect options editor
- Build dynamic apply wizard component with animated step transitions,
mobile-first responsive design, and config-driven form validation
- Update step components to accept dynamic config (categories, ocean issues,
field visibility, feature flags)
- Replace hardcoded enum validation with string-based validation for
admin-configurable dropdown values, with safe enum casting at storage layer
- Add wizard template system (model, router, admin UI) with built-in
MOPC Classic preset
- Add program wizard config CRUD procedures to program router
- Update application router getConfig to return wizardConfig, submit handler
to store custom field data in metadataJson
- Add edition-based apply page, project pool page, and supporting routers
- Fix CSS (invalid sm:fixed-none), Enter key handler (skip textarea),
safe area insets for notched phones, buildStepsArray field visibility
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security (Critical/High):
- Fix path traversal bypass in local storage provider (path.resolve + prefix check)
- Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual)
- Add auth + ownership checks to email API routes (verify-credentials, change-password)
- Remove hardcoded secret key fallback in local storage provider
- Add production credential check for MinIO (fail loudly if not set)
- Remove DB error details from health check response
- Add stricter rate limiting on application submissions (5/hour)
- Add rate limiting on email availability check (anti-enumeration)
- Change getAIAssignmentJobStatus to adminProcedure
- Block dangerous file extensions on upload
- Reduce project list max perPage from 5000 to 200
Query Optimization:
- Optimize analytics getProjectRankings with select instead of full includes
- Fix N+1 in mentor.getSuggestions (batch findMany instead of loop)
- Use _count for files instead of fetching full file records in project list
- Switch to bulk notifications in assignment and user bulk operations
- Batch filtering upserts (25 per transaction instead of all at once)
UI/UX:
- Replace Inter font with Montserrat in public layout (brand consistency)
- Use Logo component in public layout instead of placeholder
- Create branded 404 and error pages
- Make admin rounds table responsive with mobile card layout
- Fix notification bell paths to be role-aware
- Replace hardcoded slate colors with semantic tokens in admin sidebar
- Force light mode (dark mode untested)
- Adjust CardTitle default size
- Improve muted-foreground contrast for accessibility (A11Y)
- Move profile form state initialization to useEffect
Code Quality:
- Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates)
- Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs
- Remove unused twilio dependency
- Remove redundant email index from schema
- Add actual storage object deletion when file records are deleted
- Wrap evaluation submit + assignment update in
- Add comprehensive platform review document
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add AIUsageLog table migration for token tracking
- Fix GPT-5 temperature parameter (not supported, like o-series)
- Add usesNewTokenParam() and supportsTemperature() functions
- Add GPT-5+ category to model selection UI
- Update model sorting to show GPT-5+ first
GPT-5 and newer models use max_completion_tokens and don't support
custom temperature values, similar to reasoning models.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add complete definitions section (GDPR terms, AI-specific terms)
- Document Monaco Law 1.565 (Dec 2024) and new APDP authority
- List all joint controllers (IUM, Oceanographic Institute, etc.)
- Detail all personal data categories processed
- Document legal bases with Legitimate Interests Assessments
- Add complete data subject rights procedures
- Document server location (Austria, EU) and EU data residency for OpenAI
- Add security measures, encryption standards, backup procedures
- Include Data Protection Impact Assessments
- Add breach notification procedures with timelines
- Document OpenAI as subprocessor with DPA and ZDR details
- Add compliance checklists and audit procedures
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
For rounds with roundType=FILTERING, the filtering controls (run button,
stats, finalize) are now shown directly on the round detail page instead
of requiring navigation to a separate /filtering page. Rules configuration
and results review still link to their dedicated pages for detailed work.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth.
Includes production Dockerfile (multi-stage, port 7600), docker-compose
with registry-based image pull, Gitea Actions CI workflow, nginx config
for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
