Fix security, transaction, and badge issues from final review

- Validate file URLs against S3 prefix in messages route (Fix 1)
- Guard attachment hrefs with https:// check in QuestionThread and QuestionSplitView (Fix 2)
- Wrap message create + updatedAt bump in prisma.$transaction (Fix 3)
- Add questionsBadge count query to curator layout for admin branch (Fix 4)
- Fire-and-forget email sends with void Promise.all (Fix 5)
- Wrap req.json() calls in try/catch returning 400 on parse failure (Fix 6)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/app/api/questions/route.ts

@@ -53,7 +53,12 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   }
 
-  const body = await req.json();
+  let body: unknown;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
   const { title, text, courseId } = body as {
     title: string;
     text: string;
@@ -82,7 +87,7 @@ export async function POST(req: NextRequest) {
     where: { role: { in: ["admin", "curator"] } },
     select: { email: true, name: true },
   });
-  await Promise.all(
+  void Promise.all(
     staff.map((s) =>
       sendQuestionCreatedEmail(s.email, s.name, session.user.name, title.trim())
     )