a1c293028a91d330f20f796f15cb1c4d07ea77d9
project.list previously gated only JURY_MEMBER to assigned projects; APPLICANT, MENTOR, OBSERVER, AUDIENCE, AWARD_MASTER fell through with full access to every project across every program (team-member PII, files, mentor identities). project.get had the same flaw.

Now:

- SUPER_ADMIN/PROGRAM_ADMIN see all (existing)
- OBSERVER/AWARD_MASTER see all (these roles exist for cross-program oversight)
- JURY_MEMBER sees only their assignments
- MENTOR sees only their mentorAssignments
- APPLICANT sees only their team's projects
- AUDIENCE sees nothing

For users holding multiple roles, the access check uses an OR over the applicable relationships (e.g. a mentor who is also an applicant sees both their mentor projects and their team projects).

Existing admin/jury/mentor UIs continue to work because their access paths are still satisfied. Audience users were not expected to use project.list in the first place; they now correctly receive an empty list rather than the full database.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
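
The visibility rules described in the commit message above, as an added TypeScript sketch that is not the project's code. The types, the function names and the `juryAssignments` and `teamMembers` fields are assumptions; only the role names and `mentorAssignments` come from the page.

```typescript
// Added illustration: types, fields and function names are assumptions,
// not the project's schema (only mentorAssignments is named on the page).
type Role = "SUPER_ADMIN" | "PROGRAM_ADMIN" | "OBSERVER" | "AWARD_MASTER"
  | "JURY_MEMBER" | "MENTOR" | "APPLICANT" | "AUDIENCE";
interface User { id: string; roles: Role[] }
interface Project {
  id: string;
  juryAssignments: string[];   // user ids of assigned jurors
  mentorAssignments: string[]; // user ids of assigned mentors
  teamMembers: string[];       // user ids on the applicant team
}

const SEE_ALL: Role[] = ["SUPER_ADMIN", "PROGRAM_ADMIN", "OBSERVER", "AWARD_MASTER"];

// Each relationship-scoped role maps to the predicate that grants access.
// A role in neither SEE_ALL nor this table (AUDIENCE, or any role added
// later) grants nothing: the default is deny, not fall-through.
const SCOPED: Partial<Record<Role, (u: User, p: Project) => boolean>> = {
  JURY_MEMBER: (u, p) => p.juryAssignments.indexOf(u.id) !== -1,
  MENTOR: (u, p) => p.mentorAssignments.indexOf(u.id) !== -1,
  APPLICANT: (u, p) => p.teamMembers.indexOf(u.id) !== -1,
};

function canViewProject(user: User, project: Project): boolean {
  if (user.roles.some((r) => SEE_ALL.indexOf(r) !== -1)) return true;
  // OR over the relationships of every role the user holds.
  return user.roles.some((r) => SCOPED[r]?.(user, project) ?? false);
}

// The same predicate backs the list and the single-record read, so the
// two endpoints cannot drift apart.
function listProjects(user: User, all: Project[]): Project[] {
  return all.filter((p) => canViewProject(user, p));
}

// Missing and forbidden both return null, so ids cannot be probed.
function getProject(user: User, all: Project[], id: string): Project | null {
  const p = all.find((x) => x.id === id);
  return p && canViewProject(user, p) ? p : null;
}

// Constructed sample data.
const PROJECTS: Project[] = [
  { id: "p1", juryAssignments: ["u-jury"], mentorAssignments: ["u-both"], teamMembers: ["u-app"] },
  { id: "p2", juryAssignments: [], mentorAssignments: [], teamMembers: ["u-both"] },
  { id: "p3", juryAssignments: [], mentorAssignments: [], teamMembers: [] },
];
```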