Security (Critical/High):
- Fix path traversal bypass in local storage provider (path.resolve + prefix check)
- Fix timing-unsafe HMAC comparison (crypto.timingSafeEqual)
- Add auth + ownership checks to email API routes (verify-credentials, change-password)
- Remove hardcoded secret key fallback in local storage provider
- Add production credential check for MinIO (fail loudly if not set)
- Remove DB error details from health check response
- Add stricter rate limiting on application submissions (5/hour)
- Add rate limiting on email availability check (anti-enumeration)
- Change getAIAssignmentJobStatus to adminProcedure
- Block dangerous file extensions on upload
- Reduce project list max perPage from 5000 to 200
Query Optimization:
- Optimize analytics getProjectRankings with select instead of full includes
- Fix N+1 in mentor.getSuggestions (batch findMany instead of loop)
- Use _count for files instead of fetching full file records in project list
- Switch to bulk notifications in assignment and user bulk operations
- Batch filtering upserts (25 per transaction instead of all at once)
UI/UX:
- Replace Inter font with Montserrat in public layout (brand consistency)
- Use Logo component in public layout instead of placeholder
- Create branded 404 and error pages
- Make admin rounds table responsive with mobile card layout
- Fix notification bell paths to be role-aware
- Replace hardcoded slate colors with semantic tokens in admin sidebar
- Force light mode (dark mode untested)
- Adjust CardTitle default size
- Improve muted-foreground contrast for accessibility (A11Y)
- Move profile form state initialization to useEffect
Code Quality:
- Extract shared toProjectWithRelations to anonymization.ts (removed 3 duplicates)
- Remove dead code: getObjectInfo, isValidImageSize, unused batch tag functions, debug logs
- Remove unused twilio dependency
- Remove redundant email index from schema
- Add actual storage object deletion when file records are deleted
- Wrap evaluation submit + assignment update in
- Add comprehensive platform review document
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Successful in 14m3sDetails
Major cleanup and schema migration:
- Remove unused dynamic form builder system (ApplicationForm, ApplicationFormField, etc.)
- Complete migration from RoundProject junction table to direct Project.roundId
- Add sortOrder and entryNotificationType fields to Round model
- Add country field to User model for mentor matching
- Enhance onboarding with profile photo and country selection steps
- Fix all TypeScript errors related to roundProjects references
- Remove unused libraries (@radix-ui/react-toast, embla-carousel-react, vaul)
Files removed:
- admin/forms/* pages and related components
- admin/onboarding/* pages
- applicationForm.ts and onboarding.ts routers
- Dynamic form builder Prisma models and enums
Schema changes:
- Removed ApplicationForm, ApplicationFormField, OnboardingStep, ApplicationFormSubmission, SubmissionFile models
- Removed FormFieldType and SpecialFieldType enums
- Added Round.sortOrder, Round.entryNotificationType
- Added User.country
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Successful in 8m58sDetails
- Email settings: Add separate sender display name field
- Rounds page: Drag-and-drop reordering with visible order numbers
- Round creation: Auto-assign projects to filtering rounds, auto-activate if voting started
- Round detail: Fix incorrect "voting period ended" message for draft rounds
- Projects page: Add delete option with confirmation dialog
- AI filtering: Add configurable batch size and parallel request settings
- Filtering results: Fix duplicate criteria display
- Add seed scripts for notification settings and MOPC onboarding form
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Successful in 8m45sDetails
- Fix rounds list showing 0 projects by adding _count to program.list query
- Fix round reordering by using correct cache invalidation params
- Fix finalizeResults to auto-advance passed projects to next round
- Fix member list not updating after add/remove by invalidating user.list
- Fix invitation link error page by correcting path from /auth-error to /error
- Add /apply, /verify, /error to public paths in auth config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Successful in 8m16sDetails
Projects now exist at the program level instead of being locked to a
single round. A new RoundProject join table enables many-to-many
relationships with per-round status tracking. Rounds have sortOrder
for configurable progression paths.
- Add RoundProject model, programId on Project, sortOrder on Round
- Migration preserves existing data (roundId -> RoundProject entries)
- Update all routers to query through RoundProject join
- Add assign/remove/advance/reorder round endpoints
- Add Assign, Advance, Remove Projects dialogs on round detail page
- Add round reorder controls (up/down arrows) on rounds list
- Show all rounds on project detail page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Successful in 8m33sDetails
Change program selectors and display labels from full program name
to "2026 Edition" format across admin, jury, mentor, observer, and
public pages. Selector labels changed from "Program" to "Edition".
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Successful in 7m57sDetails
- Add delete procedure to round tRPC router with cascade and audit log
- Add delete option to rounds list dropdown menu
- Show confirmation dialog with project/assignment counts before deletion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Build and Push Docker Image / build (push) Failing after 10sDetails
Full Next.js 15 platform with tRPC, Prisma, PostgreSQL, NextAuth.
Includes production Dockerfile (multi-stage, port 7600), docker-compose
with registry-based image pull, Gitea Actions CI workflow, nginx config
for portal.monaco-opc.com, deployment scripts, and DEPLOYMENT.md guide.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Matt