refactor: migrate vendor APIs to token-based context and consolidate architecture

## Vendor-in-Token Architecture (Complete Migration)
- Migrate all vendor API endpoints from require_vendor_context() to token_vendor_id
- Update permission dependencies to extract vendor from JWT token
- Add vendor exceptions: VendorAccessDeniedException, VendorOwnerOnlyException,
  InsufficientVendorPermissionsException
- Shop endpoints retain require_vendor_context() for URL-based detection
- Add AUTH-004 architecture rule enforcing vendor context patterns
- Fix marketplace router missing /marketplace prefix

## Exception Pattern Fixes (API-003/API-004)
- Services raise domain exceptions, endpoints let them bubble up
- Add code_quality and content_page exception modules
- Move business logic from endpoints to services (admin, auth, content_page)
- Fix exception handling in admin, shop, and vendor endpoints

## Tailwind CSS Consolidation
- Consolidate CSS to per-area files (admin, vendor, shop, platform)
- Remove shared/cdn-fallback.html and shared/css/tailwind.min.css
- Update all templates to use area-specific Tailwind output files
- Remove Node.js config (package.json, postcss.config.js, tailwind.config.js)

## Documentation & Cleanup
- Update vendor-in-token-architecture.md with completed migration status
- Update architecture-rules.md with new rules
- Move migration docs to docs/development/migration/
- Remove duplicate/obsolete documentation files
- Merge pytest.ini settings into pyproject.toml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/validate_architecture.py

@@ -381,6 +381,25 @@ class ArchitectureValidator:
             print("⏭️  Not an admin template, skipping extends check")
             return
 
+        # Check for standalone marker in template (first 5 lines)
+        # Supports: {# standalone #}, {# noqa: TPL-001 #}, <!-- standalone -->
+        first_lines = "\n".join(lines[:5]).lower()
+        if "standalone" in first_lines or "noqa: tpl-001" in first_lines:
+            print("⏭️  Template marked as standalone, skipping extends check")
+            return
+
+        # Check exclusion patterns for TPL-001
+        # These are templates that intentionally don't extend admin/base.html
+        tpl_001_exclusions = [
+            "login.html",  # Standalone login page
+            "errors/",  # Error pages extend errors/base.html
+            "test-",  # Test templates
+        ]
+        for exclusion in tpl_001_exclusions:
+            if exclusion in file_path_str:
+                print(f"⏭️  Template matches exclusion pattern '{exclusion}', skipping")
+                return
+
         # TPL-001: Check for extends
         has_extends = any(
             "{% extends" in line and "admin/base.html" in line for line in lines
@@ -395,7 +414,7 @@ class ArchitectureValidator:
                 line_number=1,
                 message="Admin template does not extend admin/base.html",
                 context=file_path.name,
-                suggestion="Add {% extends 'admin/base.html' %} at the top",
+                suggestion="Add {% extends 'admin/base.html' %} at the top, or add {# standalone #} if intentional",
             )
 
     def _validate_api_endpoints(self, target_path: Path):
@@ -535,26 +554,44 @@ class ArchitectureValidator:
     def _check_endpoint_authentication(
         self, file_path: Path, content: str, lines: list[str]
     ):
-        """API-004: Check authentication on endpoints"""
+        """API-004: Check authentication on endpoints
+
+        Automatically skips:
+        - Auth endpoint files (*/auth.py) - login/logout are intentionally public
+        - Endpoints marked with '# public' comment
+        """
         rule = self._get_rule("API-004")
         if not rule:
             return
 
+        # Skip auth endpoint files entirely - they are intentionally public
+        file_path_str = str(file_path)
+        if file_path_str.endswith("/auth.py") or file_path_str.endswith("\\auth.py"):
+            return
+
         # This is a warning-level check
         # Look for endpoints without Depends(get_current_*)
         for i, line in enumerate(lines, 1):
             if "@router." in line and (
                 "post" in line or "put" in line or "delete" in line
             ):
-                # Check next 5 lines for auth
+                # Check next 15 lines for auth or public marker
+                # (increased from 5 to handle multi-line decorators and long function signatures)
                 has_auth = False
-                for j in range(i, min(i + 5, len(lines))):
-                    if "Depends(get_current_" in lines[j]:
+                is_public = False
+                context_lines = lines[i - 1 : i + 15]  # Include line before decorator
+
+                for ctx_line in context_lines:
+                    if "Depends(get_current_" in ctx_line:
                         has_auth = True
                         break
+                    # Check for public endpoint markers
+                    if "# public" in ctx_line.lower() or "# noqa: api-004" in ctx_line.lower():
+                        is_public = True
+                        break
 
-                if not has_auth and "include_in_schema=False" not in " ".join(
-                    lines[i : i + 5]
+                if not has_auth and not is_public and "include_in_schema=False" not in " ".join(
+                    lines[i : i + 15]
                 ):
                     self._add_violation(
                         rule_id="API-004",
@@ -564,7 +601,7 @@ class ArchitectureValidator:
                         line_number=i,
                         message="Endpoint may be missing authentication",
                         context=line.strip(),
-                        suggestion="Add Depends(get_current_user) or similar if endpoint should be protected",
+                        suggestion="Add Depends(get_current_user) or mark as '# public' if intentionally unauthenticated",
                     )
 
     def _validate_service_layer(self, target_path: Path):
@@ -816,14 +853,37 @@ class ArchitectureValidator:
         template_files = list(target_path.glob("app/templates/admin/**/*.html"))
         self.result.files_checked += len(template_files)
 
+        # TPL-001 exclusion patterns
+        tpl_001_exclusions = [
+            "login.html",  # Standalone login page
+            "errors/",  # Error pages extend errors/base.html
+            "test-",  # Test templates
+        ]
+
         for file_path in template_files:
             # Skip base template and partials
             if "base.html" in file_path.name or "partials" in str(file_path):
                 continue
 
+            file_path_str = str(file_path)
+
+            # Check exclusion patterns
+            skip = False
+            for exclusion in tpl_001_exclusions:
+                if exclusion in file_path_str:
+                    skip = True
+                    break
+            if skip:
+                continue
+
             content = file_path.read_text()
             lines = content.split("\n")
 
+            # Check for standalone marker in template (first 5 lines)
+            first_lines = "\n".join(lines[:5]).lower()
+            if "standalone" in first_lines or "noqa: tpl-001" in first_lines:
+                continue
+
             # TPL-001: Check for extends
             has_extends = any(
                 "{% extends" in line and "admin/base.html" in line for line in lines
@@ -838,7 +898,7 @@ class ArchitectureValidator:
                     line_number=1,
                     message="Admin template does not extend admin/base.html",
                     context=file_path.name,
-                    suggestion="Add {% extends 'admin/base.html' %} at the top",
+                    suggestion="Add {% extends 'admin/base.html' %} at the top, or add {# standalone #} if intentional",
                 )
 
     def _get_rule(self, rule_id: str) -> dict[str, Any]: