fix: remove vendorCode from vendor API paths

Vendor API endpoints use JWT authentication, not URL path parameters.
The vendorCode should only be used for page URLs (navigation), not API calls.

Fixed API paths in 10 vendor JS files:
- analytics.js, customers.js, inventory.js, notifications.js
- order-detail.js, orders.js, products.js, profile.js
- settings.js, team.js

Added architecture rule JS-014 to prevent this pattern from recurring.
Added validation check _check_vendor_api_paths to validate_architecture.py.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

static/vendor/js/orders.js

@@ -185,7 +185,7 @@ function vendorOrders() {
                     params.append('date_to', this.filters.date_to);
                 }
 
-                const response = await apiClient.get(`/vendor/${this.vendorCode}/orders?${params.toString()}`);
+                const response = await apiClient.get(`/vendor/orders?${params.toString()}`);
 
                 this.orders = response.orders || [];
                 this.pagination.total = response.total || 0;
@@ -273,7 +273,7 @@ function vendorOrders() {
 
             this.saving = true;
             try {
-                await apiClient.put(`/vendor/${this.vendorCode}/orders/${this.selectedOrder.id}/status`, {
+                await apiClient.put(`/vendor/orders/${this.selectedOrder.id}/status`, {
                     status: this.newStatus
                 });
 
@@ -423,7 +423,7 @@ function vendorOrders() {
                 let successCount = 0;
                 for (const orderId of this.selectedOrders) {
                     try {
-                        await apiClient.put(`/vendor/${this.vendorCode}/orders/${orderId}/status`, {
+                        await apiClient.put(`/vendor/orders/${orderId}/status`, {
                             status: this.bulkStatus
                         });
                         successCount++;