Phases 3 & 4: Complete data access architecture migration

Phase 3 — eliminated ApplicationDbContext from all non-exempt controllers,
routing all data access through IUnitOfWork. Added IPlainRepository<T> for
the four platform entities (Announcement, BannedIp, DashboardTip, ReleaseNote)
that intentionally don't extend BaseEntity and therefore can't use the
constrained IRepository<T>. Added permanent-exception comments to the 18
controllers that legitimately retain direct DbContext access (Identity infra,
cross-tenant platform ops, bulk streaming exports).

Phase 4 — added EnforceDataAccessArchitecture() to Program.cs, a startup
gate that reflects over every Controller subclass and throws at boot if any
non-exempt controller injects ApplicationDbContext. The app cannot start with
a violation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/PowderCoating.UnitTests/DepositsControllerTests.cs

@@ -290,8 +290,7 @@ public class DepositsControllerTests
         var controller = new DepositsController(
             uow,
             userManager.Object,
-            Mock.Of<ILogger<DepositsController>>(),
-            context);
+            Mock.Of<ILogger<DepositsController>>());
 
         controller.ControllerContext = new ControllerContext
         {