refactor: migrate vendor APIs to token-based context and consolidate architecture

## Vendor-in-Token Architecture (Complete Migration)
- Migrate all vendor API endpoints from require_vendor_context() to token_vendor_id
- Update permission dependencies to extract vendor from JWT token
- Add vendor exceptions: VendorAccessDeniedException, VendorOwnerOnlyException,
  InsufficientVendorPermissionsException
- Shop endpoints retain require_vendor_context() for URL-based detection
- Add AUTH-004 architecture rule enforcing vendor context patterns
- Fix marketplace router missing /marketplace prefix

## Exception Pattern Fixes (API-003/API-004)
- Services raise domain exceptions, endpoints let them bubble up
- Add code_quality and content_page exception modules
- Move business logic from endpoints to services (admin, auth, content_page)
- Fix exception handling in admin, shop, and vendor endpoints

## Tailwind CSS Consolidation
- Consolidate CSS to per-area files (admin, vendor, shop, platform)
- Remove shared/cdn-fallback.html and shared/css/tailwind.min.css
- Update all templates to use area-specific Tailwind output files
- Remove Node.js config (package.json, postcss.config.js, tailwind.config.js)

## Documentation & Cleanup
- Update vendor-in-token-architecture.md with completed migration status
- Update architecture-rules.md with new rules
- Move migration docs to docs/development/migration/
- Remove duplicate/obsolete documentation files
- Merge pytest.ini settings into pyproject.toml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.architecture-rules.yaml

@@ -95,10 +95,28 @@ api_endpoint_rules:
     description: |
       Protected endpoints must use Depends() for authentication.
       Use get_current_user, get_current_admin, etc.
+
+      Auto-excluded files:
+      - */auth.py - Authentication endpoints (login, logout, register) are intentionally public
+
+      Public endpoint markers (place on line before or after decorator):
+      - # public - Descriptive marker for intentionally unauthenticated endpoints
+      - # noqa: API-004 - Standard noqa style to suppress warning
+
+      Example:
+        # public - Stripe webhook receives external callbacks
+        @router.post("/webhook/stripe")
+        def stripe_webhook(request: Request):
+            ...
     pattern:
       file_pattern: "app/api/v1/**/*.py"
       required_if_not_public:
         - "Depends(get_current_"
+      auto_exclude_files:
+        - "*/auth.py"
+      public_markers:
+        - "# public"
+        - "# noqa: api-004"
 
   - id: "API-005"
     name: "Multi-tenant endpoints must scope queries to vendor_id"
@@ -466,11 +484,30 @@ template_rules:
   - id: "TPL-001"
     name: "Admin templates must extend admin/base.html"
     severity: "error"
-    description: "All admin templates must extend the base template for consistency"
+    description: |
+      All admin templates must extend the base template for consistency.
+
+      Auto-excluded files:
+      - login.html - Standalone login page (no sidebar/navigation)
+      - errors/*.html - Error pages extend errors/base.html instead
+      - test-*.html - Test/development templates
+
+      Standalone template markers (place in first 5 lines):
+      - {# standalone #} - Mark template as intentionally standalone
+      - {# noqa: TPL-001 #} - Standard noqa style to suppress error
+      - <!-- standalone --> - HTML comment style
     pattern:
       file_pattern: "app/templates/admin/**/*.html"
       required_patterns:
         - "{% extends ['\"]admin/base\\.html['\"] %}"
+      auto_exclude_files:
+        - "login.html"
+        - "errors/"
+        - "test-"
+      standalone_markers:
+        - "{# standalone #}"
+        - "{# noqa: tpl-001 #}"
+        - "<!-- standalone -->"
       exceptions:
         - "base.html"
         - "partials/"
@@ -660,6 +697,37 @@ auth_rules:
       file_pattern: "app/services/auth_service.py"
       required: "bcrypt"
 
+  - id: "AUTH-004"
+    name: "Vendor context pattern - use appropriate dependency for endpoint type"
+    severity: "error"
+    description: |
+      Two vendor context patterns exist - use the appropriate one:
+
+      1. SHOP ENDPOINTS (public, no authentication required):
+         - Use: vendor: Vendor = Depends(require_vendor_context())
+         - Vendor is detected from URL/subdomain/domain
+         - File pattern: app/api/v1/shop/**/*.py
+         - Mark as public with: # public
+
+      2. VENDOR API ENDPOINTS (authenticated):
+         - Use: current_user.token_vendor_id from JWT token
+         - Or use permission dependencies: require_vendor_permission(), require_vendor_owner
+         - These dependencies get vendor from token and set request.state.vendor
+         - File pattern: app/api/v1/vendor/**/*.py
+
+      DEPRECATED for vendor APIs:
+         - require_vendor_context() - only for shop endpoints
+         - getattr(request.state, "vendor", None) without permission dependency
+
+      See: docs/backend/vendor-in-token-architecture.md
+    pattern:
+      file_pattern: "app/api/v1/vendor/**/*.py"
+      anti_patterns:
+        - "require_vendor_context\\(\\)"
+      file_pattern: "app/api/v1/shop/**/*.py"
+      required_patterns:
+        - "require_vendor_context\\(\\)|# public"
+
 # ============================================================================
 # CODE QUALITY RULES
 # ============================================================================