fix: remove vendorCode from vendor API paths

Vendor API endpoints use JWT authentication, not URL path parameters.
The vendorCode should only be used for page URLs (navigation), not API calls.

Fixed API paths in 10 vendor JS files:
- analytics.js, customers.js, inventory.js, notifications.js
- order-detail.js, orders.js, products.js, profile.js
- settings.js, team.js

Added architecture rule JS-014 to prevent this pattern from recurring.
Added validation check _check_vendor_api_paths to validate_architecture.py.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/validate_architecture.py

@@ -2865,6 +2865,9 @@ class ArchitectureValidator:
             # JS-013: Check that components overriding init() call parent init
             self._check_parent_init_call(file_path, content, lines)
 
+            # JS-014: Check that vendor API calls don't include vendorCode in path
+            self._check_vendor_api_paths(file_path, content, lines)
+
     def _check_platform_settings_usage(
         self, file_path: Path, content: str, lines: list[str]
     ):
@@ -3051,6 +3054,55 @@ class ArchitectureValidator:
                         )
                         break
 
+    def _check_vendor_api_paths(
+        self, file_path: Path, content: str, lines: list[str]
+    ):
+        """
+        JS-014: Check that vendor API calls don't include vendorCode in path.
+
+        Vendor API endpoints use JWT token authentication, NOT URL path parameters.
+        The vendorCode is only used for page URLs (navigation), not API calls.
+
+        Incorrect: apiClient.get(`/vendor/${this.vendorCode}/orders`)
+        Correct:   apiClient.get(`/vendor/orders`)
+
+        Exceptions (these DO use vendorCode in path):
+        - /vendor/{vendor_code} (public vendor info)
+        - /vendor/{vendor_code}/content-pages (public content)
+        """
+        # Only check vendor JS files
+        if "/vendor/js/" not in str(file_path):
+            return
+
+        # Pattern to match apiClient calls with vendorCode in the path
+        # Matches patterns like:
+        #   apiClient.get(`/vendor/${this.vendorCode}/
+        #   apiClient.post(`/vendor/${vendorCode}/
+        #   apiClient.put(`/vendor/${this.vendorCode}/
+        #   apiClient.delete(`/vendor/${this.vendorCode}/
+        pattern = r"apiClient\.(get|post|put|delete|patch)\s*\(\s*[`'\"]\/vendor\/\$\{(?:this\.)?vendorCode\}\/"
+
+        for i, line in enumerate(lines, 1):
+            if re.search(pattern, line):
+                # Check if this is an allowed exception
+                # content-pages uses vendorCode for public content access
+                is_exception = (
+                    "/content-pages" in line
+                    or "content-page" in file_path.name
+                )
+
+                if not is_exception:
+                    self._add_violation(
+                        rule_id="JS-014",
+                        rule_name="Vendor API calls must not include vendorCode in path",
+                        severity=Severity.ERROR,
+                        file_path=file_path,
+                        line_number=i,
+                        message="Vendor API endpoints use JWT authentication, not URL path parameters",
+                        context=line.strip()[:100],
+                        suggestion="Remove vendorCode from path: /vendor/orders instead of /vendor/${this.vendorCode}/orders",
+                    )
+
     def _validate_templates(self, target_path: Path):
         """Validate template patterns"""
         print("📄 Validating templates...")