refactor: migrate vendor APIs to token-based context and consolidate architecture

## Vendor-in-Token Architecture (Complete Migration)
- Migrate all vendor API endpoints from require_vendor_context() to token_vendor_id
- Update permission dependencies to extract vendor from JWT token
- Add vendor exceptions: VendorAccessDeniedException, VendorOwnerOnlyException,
  InsufficientVendorPermissionsException
- Shop endpoints retain require_vendor_context() for URL-based detection
- Add AUTH-004 architecture rule enforcing vendor context patterns
- Fix marketplace router missing /marketplace prefix

## Exception Pattern Fixes (API-003/API-004)
- Services raise domain exceptions, endpoints let them bubble up
- Add code_quality and content_page exception modules
- Move business logic from endpoints to services (admin, auth, content_page)
- Fix exception handling in admin, shop, and vendor endpoints

## Tailwind CSS Consolidation
- Consolidate CSS to per-area files (admin, vendor, shop, platform)
- Remove shared/cdn-fallback.html and shared/css/tailwind.min.css
- Update all templates to use area-specific Tailwind output files
- Remove Node.js config (package.json, postcss.config.js, tailwind.config.js)

## Documentation & Cleanup
- Update vendor-in-token-architecture.md with completed migration status
- Update architecture-rules.md with new rules
- Move migration docs to docs/development/migration/
- Remove duplicate/obsolete documentation files
- Merge pytest.ini settings into pyproject.toml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

app/api/v1/shop/auth.py

@@ -16,14 +16,20 @@ This prevents:
 
 import logging
 
-from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from fastapi import APIRouter, Depends, Request, Response
 from pydantic import BaseModel
 from sqlalchemy.orm import Session
 
 from app.core.database import get_db
 from app.core.environment import should_use_secure_cookies
+from app.exceptions import VendorNotFoundException
 from app.services.customer_service import customer_service
-from models.schema.auth import UserLogin
+from models.schema.auth import (
+    LogoutResponse,
+    PasswordResetRequestResponse,
+    PasswordResetResponse,
+    UserLogin,
+)
 from models.schema.customer import CustomerRegister, CustomerResponse
 
 router = APIRouter()
@@ -62,10 +68,7 @@ def register_customer(
     vendor = getattr(request.state, "vendor", None)
 
     if not vendor:
-        raise HTTPException(
-            status_code=404,
-            detail="Vendor not found. Please access via vendor domain/subdomain/path.",
-        )
+        raise VendorNotFoundException("context", identifier_type="subdomain")
 
     logger.debug(
         f"[SHOP_API] register_customer for vendor {vendor.subdomain}",
@@ -122,10 +125,7 @@ def customer_login(
     vendor = getattr(request.state, "vendor", None)
 
     if not vendor:
-        raise HTTPException(
-            status_code=404,
-            detail="Vendor not found. Please access via vendor domain/subdomain/path.",
-        )
+        raise VendorNotFoundException("context", identifier_type="subdomain")
 
     logger.debug(
         f"[SHOP_API] customer_login for vendor {vendor.subdomain}",
@@ -199,7 +199,7 @@ def customer_login(
     )
 
 
-@router.post("/auth/logout")
+@router.post("/auth/logout", response_model=LogoutResponse)
 def customer_logout(request: Request, response: Response):
     """
     Customer logout for current vendor.
@@ -245,10 +245,10 @@ def customer_logout(request: Request, response: Response):
 
     logger.debug(f"Deleted customer_token cookie (path={cookie_path})")
 
-    return {"message": "Logged out successfully"}
+    return LogoutResponse(message="Logged out successfully")
 
 
-@router.post("/auth/forgot-password")
+@router.post("/auth/forgot-password", response_model=PasswordResetRequestResponse)
 def forgot_password(request: Request, email: str, db: Session = Depends(get_db)):
     """
     Request password reset for customer.
@@ -263,10 +263,7 @@ def forgot_password(request: Request, email: str, db: Session = Depends(get_db))
     vendor = getattr(request.state, "vendor", None)
 
     if not vendor:
-        raise HTTPException(
-            status_code=404,
-            detail="Vendor not found. Please access via vendor domain/subdomain/path.",
-        )
+        raise VendorNotFoundException("context", identifier_type="subdomain")
 
     logger.debug(
         f"[SHOP_API] forgot_password for vendor {vendor.subdomain}",
@@ -285,12 +282,12 @@ def forgot_password(request: Request, email: str, db: Session = Depends(get_db))
 
     logger.info(f"Password reset requested for {email} (vendor: {vendor.subdomain})")
 
-    return {
-        "message": "If an account exists with this email, a password reset link has been sent."
-    }
+    return PasswordResetRequestResponse(
+        message="If an account exists with this email, a password reset link has been sent."
+    )
 
 
-@router.post("/auth/reset-password")
+@router.post("/auth/reset-password", response_model=PasswordResetResponse)
 def reset_password(
     request: Request, reset_token: str, new_password: str, db: Session = Depends(get_db)
 ):
@@ -307,10 +304,7 @@ def reset_password(
     vendor = getattr(request.state, "vendor", None)
 
     if not vendor:
-        raise HTTPException(
-            status_code=404,
-            detail="Vendor not found. Please access via vendor domain/subdomain/path.",
-        )
+        raise VendorNotFoundException("context", identifier_type="subdomain")
 
     logger.debug(
         f"[SHOP_API] reset_password for vendor {vendor.subdomain}",
@@ -329,6 +323,6 @@ def reset_password(
 
     logger.info(f"Password reset completed (vendor: {vendor.subdomain})")
 
-    return {
-        "message": "Password reset successfully. You can now log in with your new password."
-    }
+    return PasswordResetResponse(
+        message="Password reset successfully. You can now log in with your new password."
+    )