feat: anti-cheat + presence panel + projector view

Refinement pass on top of the validated v1.2 base.

Hardening / quick fixes
- Caddyfile.tpl: CSP / HSTS / X-Frame / Referrer-Policy / Permissions-Policy,
  1 MiB request body cap, X-Forwarded-For pass-through; stock-Caddy compatible.
- auth.py: STUDENT_MAX_AGE 1y -> 30d.
- bootstrap.sh: stage 5 prepends `git config --add safe.directory` so the
  re-bootstrap path no longer 'detected dubious ownership' faults.
- admin.js: drop the misleading `closedPayload?.state || session.state`
  shim; state derives from session only.

Anti-cheat
- New `student_events` audit table; new POST /api/session/{sid}/event for
  blur / visibility_hidden / focus / visibility_visible. quiz.js debounces
  events at 1.5s and uses sendBeacon for visibility_hidden so the event
  survives a navigation. Counts surface in admin presence + CSV export.
- First-claim-wins on join: add_participant raises DuplicateStudentId on
  PK violation; route returns 409 + records a duplicate_join audit event
  with attempted name + IP + UA. Admin dashboard surfaces a per-row red
  badge for hits on real participants and a top-of-page alert for orphan
  attempts.
- DELETE /admin/api/students/{id} as the recovery hatch: clears the
  participant + submissions, kicks active WS sockets so a stale cookie
  cannot continue submitting. quiz.js surfaces the FastAPI detail message
  in the join form so users see the 'already in use' guidance.

Presence panel
- New presence_update WS message; in-process presence map keyed on
  student_id tracks ws_count + last_seen_ms. Admin dashboard renders
  per-student rows: connected/idle/dropped dot, blur+hidden+duplicate
  badges, 'answered current Q' tick, and a clear-student button.

Projector view (public, read-only)
- /projector/?sid=..., GET /api/session/{sid}/projector, WS
  /ws/projector/{sid}. Single self-contained projector_state snapshot
  pushed on every state change. Public leaderboard strips student_id;
  QR rendered server-side as data: URL (CSP-compliant).
- Includes per-Q answer histogram, 8-bucket response-time distribution,
  10-bucket score distribution.
- static/projector.{html,css,js}: editorial-broadside design — masthead,
  registration crosses, conic-gradient countdown ring, SVG stepped-area
  score distribution with median tick, leaderboard row-stagger. Inherits
  light/dark tokens from style.css; honours prefers-reduced-motion. No
  scroll at 1366x768 / 1920x1080 / 3440x1440.

Tests
- tests/test_anti_cheat.py: blur logging + CSV count, unknown-kind 422,
  unauthenticated event 401, duplicate-join 409 + audit, admin
  clear-student happy + 404, server-side submit lockout regression.
- tests/test_projector.py: snapshot shape, leaderboard student_id
  redaction, WS push on state change, 404 for unknown sid, page redirect
  when no sid.
- Existing tests updated for the new presence_update snapshot frame +
  CSV header columns + first-claim-wins refusal of re-key.

57/57 pytest green; smoke-tested locally end-to-end.

app/routes_admin.py

@@ -9,12 +9,8 @@ single canonical session whose id is `Settings.default_session_id`.
 
 from __future__ import annotations
 
-import base64
-from io import BytesIO
 from pathlib import Path
 
-import qrcode
-import qrcode.image.svg
 from fastapi import APIRouter, HTTPException, Request, Response, WebSocket
 from fastapi.responses import FileResponse, PlainTextResponse
 
@@ -23,7 +19,7 @@ from app.config import Settings
 from app.csv_export import export_session_csv
 from app.models import AdminLoginRequest
 from app.rate_limit import TokenBucket, client_ip
-from app.room import RoomManager
+from app.room import RoomManager, _qr_data_url
 
 
 def router(settings: Settings, rooms: RoomManager) -> APIRouter:
@@ -94,6 +90,22 @@ def router(settings: Settings, rooms: RoomManager) -> APIRouter:
         await rooms.reset(sid)
         return {"ok": True}
 
+    @api.delete("/admin/api/students/{student_id}")
+    async def admin_clear_student(student_id: str, request: Request):
+        # Recovery hatch for first-claim-wins: if a student lost their
+        # cookie or their id was hijacked, the instructor can free the
+        # slot here. Removes the participant + all of their submissions
+        # and kicks any active WS for that id; the legitimate student
+        # then re-joins via the normal flow.
+        require_admin(request)
+        sid = rooms.canonical_sid or settings.default_session_id
+        if not await rooms.session_exists(sid):
+            raise HTTPException(status_code=503, detail="Session is not initialised")
+        removed = await rooms.clear_student(sid, student_id)
+        if not removed:
+            raise HTTPException(status_code=404, detail="No such student in session")
+        return {"ok": True}
+
     @api.get("/admin/api/csv")
     async def csv_download(request: Request):
         require_admin(request)
@@ -115,11 +127,3 @@ def router(settings: Settings, rooms: RoomManager) -> APIRouter:
         await rooms.instructor_ws(websocket, sid)
 
     return api
-
-
-def _qr_data_url(value: str) -> str:
-    image = qrcode.make(value, image_factory=qrcode.image.svg.SvgPathImage)
-    buf = BytesIO()
-    image.save(buf)
-    encoded = base64.b64encode(buf.getvalue()).decode("ascii")
-    return f"data:image/svg+xml;base64,{encoded}"