Phases 3 & 4: Complete data access architecture migration

Phase 3 — eliminated ApplicationDbContext from all non-exempt controllers,
routing all data access through IUnitOfWork. Added IPlainRepository<T> for
the four platform entities (Announcement, BannedIp, DashboardTip, ReleaseNote)
that intentionally don't extend BaseEntity and therefore can't use the
constrained IRepository<T>. Added permanent-exception comments to the 18
controllers that legitimately retain direct DbContext access (Identity infra,
cross-tenant platform ops, bulk streaming exports).

Phase 4 — added EnforceDataAccessArchitecture() to Program.cs, a startup
gate that reflects over every Controller subclass and throws at boot if any
non-exempt controller injects ApplicationDbContext. The app cannot start with
a violation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CLAUDE.md

@@ -126,7 +126,9 @@ Company Admin (seed): demo@powdercoatinglogix.com / CompanyAdmin123!
 
 > **`ApplicationDbContext` is NEVER injected into a controller.**
 > All data access in controllers goes through `IUnitOfWork`. No exceptions outside the list below.
-> Full rationale and migration roadmap: `docs/DATA_ACCESS_ARCHITECTURE.md`
+> **This rule is enforced at startup:** `EnforceDataAccessArchitecture()` in `Program.cs` scans all
+> controllers at boot and throws if any non-exempt controller injects `ApplicationDbContext`.
+> Full rationale and permanent exceptions list: `docs/DATA_ACCESS_ARCHITECTURE.md`
 
 ### Three tiers — use the right one: