refactor: migrate vendor APIs to token-based context and consolidate architecture

## Vendor-in-Token Architecture (Complete Migration)
- Migrate all vendor API endpoints from require_vendor_context() to token_vendor_id
- Update permission dependencies to extract vendor from JWT token
- Add vendor exceptions: VendorAccessDeniedException, VendorOwnerOnlyException,
  InsufficientVendorPermissionsException
- Shop endpoints retain require_vendor_context() for URL-based detection
- Add AUTH-004 architecture rule enforcing vendor context patterns
- Fix marketplace router missing /marketplace prefix

## Exception Pattern Fixes (API-003/API-004)
- Services raise domain exceptions, endpoints let them bubble up
- Add code_quality and content_page exception modules
- Move business logic from endpoints to services (admin, auth, content_page)
- Fix exception handling in admin, shop, and vendor endpoints

## Tailwind CSS Consolidation
- Consolidate CSS to per-area files (admin, vendor, shop, platform)
- Remove shared/cdn-fallback.html and shared/css/tailwind.min.css
- Update all templates to use area-specific Tailwind output files
- Remove Node.js config (package.json, postcss.config.js, tailwind.config.js)

## Documentation & Cleanup
- Update vendor-in-token-architecture.md with completed migration status
- Update architecture-rules.md with new rules
- Move migration docs to docs/development/migration/
- Remove duplicate/obsolete documentation files
- Merge pytest.ini settings into pyproject.toml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

app/services/admin_service.py

@@ -21,13 +21,17 @@ from sqlalchemy.orm import Session, joinedload
 from app.exceptions import (
     AdminOperationException,
     CannotModifySelfException,
+    UserCannotBeDeletedException,
     UserNotFoundException,
+    UserRoleChangeException,
     UserStatusChangeException,
     ValidationException,
     VendorAlreadyExistsException,
     VendorNotFoundException,
     VendorVerificationException,
 )
+from app.exceptions.auth import UserAlreadyExistsException
+from middleware.auth import AuthManager
 from models.database.company import Company
 from models.database.marketplace_import_job import MarketplaceImportJob
 from models.database.user import User
@@ -97,6 +101,244 @@ class AdminService:
                 reason="Database update failed",
             )
 
+    def list_users(
+        self,
+        db: Session,
+        page: int = 1,
+        per_page: int = 10,
+        search: str | None = None,
+        role: str | None = None,
+        is_active: bool | None = None,
+    ) -> tuple[list[User], int, int]:
+        """
+        Get paginated list of users with filtering.
+
+        Returns:
+            Tuple of (users, total_count, total_pages)
+        """
+        import math
+
+        query = db.query(User)
+
+        # Apply filters
+        if search:
+            search_term = f"%{search.lower()}%"
+            query = query.filter(
+                or_(
+                    User.username.ilike(search_term),
+                    User.email.ilike(search_term),
+                    User.first_name.ilike(search_term),
+                    User.last_name.ilike(search_term),
+                )
+            )
+
+        if role:
+            query = query.filter(User.role == role)
+
+        if is_active is not None:
+            query = query.filter(User.is_active == is_active)
+
+        # Get total count
+        total = query.count()
+        pages = math.ceil(total / per_page) if total > 0 else 1
+
+        # Apply pagination
+        skip = (page - 1) * per_page
+        users = query.order_by(User.created_at.desc()).offset(skip).limit(per_page).all()
+
+        return users, total, pages
+
+    def create_user(
+        self,
+        db: Session,
+        email: str,
+        username: str,
+        password: str,
+        first_name: str | None = None,
+        last_name: str | None = None,
+        role: str = "customer",
+        current_admin_id: int | None = None,
+    ) -> User:
+        """
+        Create a new user.
+
+        Raises:
+            UserAlreadyExistsException: If email or username already exists
+        """
+        # Check if email exists
+        if db.query(User).filter(User.email == email).first():
+            raise UserAlreadyExistsException("Email already registered", field="email")
+
+        # Check if username exists
+        if db.query(User).filter(User.username == username).first():
+            raise UserAlreadyExistsException("Username already taken", field="username")
+
+        # Create user
+        auth_manager = AuthManager()
+        user = User(
+            email=email,
+            username=username,
+            hashed_password=auth_manager.hash_password(password),
+            first_name=first_name,
+            last_name=last_name,
+            role=role,
+            is_active=True,
+        )
+        db.add(user)
+        db.commit()
+        db.refresh(user)
+
+        logger.info(f"Admin {current_admin_id} created user {user.username}")
+        return user
+
+    def get_user_details(self, db: Session, user_id: int) -> User:
+        """
+        Get user with relationships loaded.
+
+        Raises:
+            UserNotFoundException: If user not found
+        """
+        user = (
+            db.query(User)
+            .options(joinedload(User.owned_companies), joinedload(User.vendor_memberships))
+            .filter(User.id == user_id)
+            .first()
+        )
+
+        if not user:
+            raise UserNotFoundException(str(user_id))
+
+        return user
+
+    def update_user(
+        self,
+        db: Session,
+        user_id: int,
+        current_admin_id: int,
+        email: str | None = None,
+        username: str | None = None,
+        first_name: str | None = None,
+        last_name: str | None = None,
+        role: str | None = None,
+        is_active: bool | None = None,
+    ) -> User:
+        """
+        Update user information.
+
+        Raises:
+            UserNotFoundException: If user not found
+            UserAlreadyExistsException: If email/username already taken
+            UserRoleChangeException: If trying to change own admin role
+        """
+        user = self._get_user_by_id_or_raise(db, user_id)
+
+        # Prevent changing own admin status
+        if user.id == current_admin_id and role and role != "admin":
+            raise UserRoleChangeException(
+                user_id=user_id,
+                current_role=user.role,
+                target_role=role,
+                reason="Cannot change your own admin role",
+            )
+
+        # Check email uniqueness if changing
+        if email and email != user.email:
+            if db.query(User).filter(User.email == email).first():
+                raise UserAlreadyExistsException("Email already registered", field="email")
+
+        # Check username uniqueness if changing
+        if username and username != user.username:
+            if db.query(User).filter(User.username == username).first():
+                raise UserAlreadyExistsException("Username already taken", field="username")
+
+        # Update fields
+        if email is not None:
+            user.email = email
+        if username is not None:
+            user.username = username
+        if first_name is not None:
+            user.first_name = first_name
+        if last_name is not None:
+            user.last_name = last_name
+        if role is not None:
+            user.role = role
+        if is_active is not None:
+            user.is_active = is_active
+
+        user.updated_at = datetime.now(UTC)
+        db.commit()
+        db.refresh(user)
+
+        logger.info(f"Admin {current_admin_id} updated user {user.username}")
+        return user
+
+    def delete_user(self, db: Session, user_id: int, current_admin_id: int) -> str:
+        """
+        Delete a user.
+
+        Raises:
+            UserNotFoundException: If user not found
+            CannotModifySelfException: If trying to delete yourself
+            UserCannotBeDeletedException: If user owns companies
+        """
+        user = (
+            db.query(User)
+            .options(joinedload(User.owned_companies))
+            .filter(User.id == user_id)
+            .first()
+        )
+
+        if not user:
+            raise UserNotFoundException(str(user_id))
+
+        # Prevent deleting yourself
+        if user.id == current_admin_id:
+            raise CannotModifySelfException(user_id, "delete account")
+
+        # Prevent deleting users who own companies
+        if user.owned_companies:
+            raise UserCannotBeDeletedException(
+                user_id=user_id,
+                reason=f"User owns {len(user.owned_companies)} company(ies). Transfer ownership first.",
+                owned_count=len(user.owned_companies),
+            )
+
+        username = user.username
+        db.delete(user)
+        db.commit()
+
+        logger.info(f"Admin {current_admin_id} deleted user {username}")
+        return f"User {username} deleted successfully"
+
+    def search_users(
+        self,
+        db: Session,
+        query: str,
+        limit: int = 10,
+    ) -> list[dict]:
+        """
+        Search users by username or email.
+
+        Used for autocomplete in ownership transfer.
+        """
+        search_term = f"%{query.lower()}%"
+        users = (
+            db.query(User)
+            .filter(or_(User.username.ilike(search_term), User.email.ilike(search_term)))
+            .limit(limit)
+            .all()
+        )
+
+        return [
+            {
+                "id": user.id,
+                "username": user.username,
+                "email": user.email,
+                "is_active": user.is_active,
+            }
+            for user in users
+        ]
+
     # ============================================================================
     # VENDOR MANAGEMENT
     # ============================================================================