docs: remove admin SPA references and update production URLs

The admin SPA (apps/admin/) has been retired. Its functionality now
lives in apps/app/ under /platform/* routes for super_admin users.
Updated all documentation to reflect: 2 SPAs instead of 3, removed
FRONTEND_ADMIN_URL/port 5173 references, changed production URL from
app.crewli.app to crewli.app. Retired admin-specific security audit
findings (A13-2, A13-4, A13-5, A13-7) and APPS-01 backlog item.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.cursor/ARCHITECTURE.md

@@ -10,16 +10,16 @@
 │                              INTERNET                                   │
 └─────────────────────────────────────────────────────────────────────────┘
                                     │
-        ┌───────────────────────────┼───────────────────────────┐
-        │                           │                           │
-        ▼                           ▼                           ▼
-┌───────────────┐           ┌───────────────┐           ┌───────────────┐
-│  Admin SPA    │           │  Organizer    │           │  Portal SPA   │
-│  (Super Admin)│           │  SPA (Main)   │           │  (External)   │
-│  :5173        │           │  :5174        │           │  :5175        │
-└───────┬───────┘           └───────┬───────┘           └───────┬───────┘
-        │                           │                           │
-        └───────────────────────────┼───────────────────────────┘
+                    ┌───────────────┼───────────────┐
+                    │                               │
+                    ▼                               ▼
+            ┌───────────────┐               ┌───────────────┐
+            │  Organizer +  │               │  Portal SPA   │
+            │  Admin SPA    │               │  (External)   │
+            │  :5174        │               │  :5175        │
+            └───────┬───────┘               └───────┬───────┘
+                    │                               │
+                    └───────────────┼───────────────┘
                                     │ CORS + Sanctum tokens
                                     ▼
                         ┌───────────────────────┐
@@ -38,32 +38,17 @@
             └───────────┘   └───────────┘   └───────────┘
 ```
 
-**Golden Rule:** Laravel is exclusively a JSON REST API. No Blade views, no Mix, no Inertia. Every response is `application/json`. Vue handles ALL UI via three SPAs.
+**Golden Rule:** Laravel is exclusively a JSON REST API. No Blade views, no Mix, no Inertia. Every response is `application/json`. Vue handles ALL UI via two SPAs.
 
 ---
 
 ## Applications
 
-### Admin Dashboard (`apps/admin/`)
-
-**Purpose**: Super Admin platform management.
-
-**Users**: Platform owner only (super_admin role).
-
-**Features**:
-- Organisation management (CRUD, billing status)
-- Platform user management
-- Global settings
-
-**Vuexy Version**: `typescript-version/full-version`
-
----
-
 ### Organizer App (`apps/app/`)
 
-**Purpose**: Main application for event management per organisation.
+**Purpose**: Main application for event management per organisation. Also serves as the platform admin interface for `super_admin` users via `/platform/*` routes.
 
-**Users**: Organisation Admins, Event Managers, Staff Coordinators, Artist Managers, Volunteer Coordinators.
+**Users**: Organisation Admins, Event Managers, Staff Coordinators, Artist Managers, Volunteer Coordinators, Super Admins (platform management via `/platform/*`).
 
 **Features**:
 - Event lifecycle management (Draft through Closed)
@@ -77,6 +62,7 @@
 - Form builder with conditional logic
 - Supplier & production management
 - Reporting & insights
+- Platform admin: organisation management, billing, platform users (`/platform/*` routes, `super_admin` only)
 
 **Vuexy Version**: `typescript-version/full-version` (customized navigation)
 
@@ -424,15 +410,14 @@ POST       /portal/production-request
 
 ## Security & CORS
 
-Three frontend origins in `config/cors.php` (via env):
+Two frontend origins in `config/cors.php` (via env):
 
 | App | Dev URL | Env Variable |
 |-----|---------|--------------|
-| Admin | `http://localhost:5173` | `FRONTEND_ADMIN_URL` |
 | App | `http://localhost:5174` | `FRONTEND_APP_URL` |
 | Portal | `http://localhost:5175` | `FRONTEND_PORTAL_URL` |
 
-Production (registered domain **crewli.app**): API `https://api.crewli.app` (`APP_URL`); SPAs `https://admin.crewli.app`, `https://app.crewli.app`, `https://portal.crewli.app` via the same env keys. Frontends use `VITE_API_URL=https://api.crewli.app/api/v1`. `SANCTUM_STATEFUL_DOMAINS` = comma-separated SPA hostnames only (e.g. `admin.crewli.app,app.crewli.app,portal.crewli.app`). **`crewli.nl`** is reserved for a future marketing site only — not used for this application stack.
+Production (registered domain **crewli.app**): API `https://api.crewli.app` (`APP_URL`); SPAs `https://crewli.app`, `https://portal.crewli.app` via the same env keys. Frontends use `VITE_API_URL=https://api.crewli.app/api/v1`. `SANCTUM_STATEFUL_DOMAINS` = comma-separated SPA hostnames only (e.g. `crewli.app,portal.crewli.app`). **`crewli.nl`** is reserved for a future marketing site only — not used for this application stack.
 
 ---