chore: remove admin SPA and update to two-app production setup

Remove apps/admin/ entirely — platform admin functionality now lives
in apps/app/ under /platform/* routes for super_admin users.

Production URL scheme changed:
- Organizer app: crewli.app (was app.crewli.app)
- Portal: portal.crewli.app (unchanged)
- API: api.crewli.app (unchanged)
- admin.crewli.app and app.crewli.app retired

Backend:
- Removed FRONTEND_ADMIN_URL config and admin cookie (crewli_admin_token)
  from SetAuthCookie, CookieBearerToken, cors.php, app.php
- Updated .env and .env.example (two origins, no port 5173)
- Updated cookie test: admin origin test → unknown origin fallback test

Infrastructure:
- Makefile: removed admin target
- deploy/nginx: updated CSP comment, removed admin vhost
- Updated README.md, CLAUDE.md, and all dev-docs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/tests/Feature/Security/HttpOnlyCookieAuthTest.php

@@ -79,17 +79,17 @@ final class HttpOnlyCookieAuthTest extends TestCase
         $this->assertEquals('strict', strtolower($cookie->getSameSite()));
     }
 
-    public function test_login_sets_admin_cookie_for_admin_origin(): void
+    public function test_login_sets_app_cookie_for_unknown_origin(): void
     {
         $user = User::factory()->create();
 
         $response = $this->postJson('/api/v1/auth/login', [
             'email' => $user->email,
             'password' => 'password',
-        ], ['Origin' => 'http://localhost:5173']);
+        ], ['Origin' => 'http://localhost:9999']);
 
         $response->assertOk();
-        $response->assertCookie('crewli_admin_token');
+        $response->assertCookie('crewli_app_token');
     }
 
     public function test_login_sets_portal_cookie_for_portal_origin(): void