docs: remove admin SPA references and update production URLs

The admin SPA (apps/admin/) has been retired. Its functionality now lives in apps/app/ under /platform/* routes for super_admin users. Updated all documentation to reflect: 2 SPAs instead of 3, removed FRONTEND_ADMIN_URL/port 5173 references, changed production URL from app.crewli.app to crewli.app. Retired admin-specific security audit findings (A13-2, A13-4, A13-5, A13-7) and APPS-01 backlog item. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 08:21:44 +02:00
parent 2933d957a6
commit 945e22f322
13 changed files with 102 additions and 168 deletions
--- a/.cursor/ARCHITECTURE.md
+++ b/.cursor/ARCHITECTURE.md
@@ -10,16 +10,16 @@
 │                              INTERNET                                   │
 └─────────────────────────────────────────────────────────────────────────┘
                                    │
-        ┌───────────────────────────┼───────────────────────────┐
-        │                           │                           │
-        ▼                           ▼                           ▼
-┌───────────────┐           ┌───────────────┐           ┌───────────────┐
-│  Admin SPA    │           │  Organizer    │           │  Portal SPA   │
-│  (Super Admin)│           │  SPA (Main)   │           │  (External)   │
-│  :5173        │           │  :5174        │           │  :5175        │
-└───────┬───────┘           └───────┬───────┘           └───────┬───────┘
-        │                           │                           │
-        └───────────────────────────┼───────────────────────────┘
+                    ┌───────────────┼───────────────┐
+                    │                               │
+                    ▼                               ▼
+            ┌───────────────┐               ┌───────────────┐
+            │  Organizer +  │               │  Portal SPA   │
+            │  Admin SPA    │               │  (External)   │
+            │  :5174        │               │  :5175        │
+            └───────┬───────┘               └───────┬───────┘
+                    │                               │
+                    └───────────────┼───────────────┘
                                    │ CORS + Sanctum tokens
                                    ▼
                        ┌───────────────────────┐
@@ -38,32 +38,17 @@
            └───────────┘   └───────────┘   └───────────┘
 ```

-**Golden Rule:** Laravel is exclusively a JSON REST API. No Blade views, no Mix, no Inertia. Every response is `application/json`. Vue handles ALL UI via three SPAs.
+**Golden Rule:** Laravel is exclusively a JSON REST API. No Blade views, no Mix, no Inertia. Every response is `application/json`. Vue handles ALL UI via two SPAs.

 ---

 ## Applications

-### Admin Dashboard (`apps/admin/`)
-
-**Purpose**: Super Admin platform management.
-
-**Users**: Platform owner only (super_admin role).
-
-**Features**:
- Organisation management (CRUD, billing status)
- Platform user management
- Global settings
-
-**Vuexy Version**: `typescript-version/full-version`
-
---
-
 ### Organizer App (`apps/app/`)

-**Purpose**: Main application for event management per organisation.
+**Purpose**: Main application for event management per organisation. Also serves as the platform admin interface for `super_admin` users via `/platform/*` routes.

-**Users**: Organisation Admins, Event Managers, Staff Coordinators, Artist Managers, Volunteer Coordinators.
+**Users**: Organisation Admins, Event Managers, Staff Coordinators, Artist Managers, Volunteer Coordinators, Super Admins (platform management via `/platform/*`).

 **Features**:
 - Event lifecycle management (Draft through Closed)
@@ -77,6 +62,7 @@
 - Form builder with conditional logic
 - Supplier & production management
 - Reporting & insights
+- Platform admin: organisation management, billing, platform users (`/platform/*` routes, `super_admin` only)

 **Vuexy Version**: `typescript-version/full-version` (customized navigation)

@@ -424,15 +410,14 @@ POST       /portal/production-request

 ## Security & CORS

-Three frontend origins in `config/cors.php` (via env):
+Two frontend origins in `config/cors.php` (via env):

 | App | Dev URL | Env Variable |
 |-----|---------|--------------|
-| Admin | `http://localhost:5173` | `FRONTEND_ADMIN_URL` |
 | App | `http://localhost:5174` | `FRONTEND_APP_URL` |
 | Portal | `http://localhost:5175` | `FRONTEND_PORTAL_URL` |

-Production (registered domain **crewli.app**): API `https://api.crewli.app` (`APP_URL`); SPAs `https://admin.crewli.app`, `https://app.crewli.app`, `https://portal.crewli.app` via the same env keys. Frontends use `VITE_API_URL=https://api.crewli.app/api/v1`. `SANCTUM_STATEFUL_DOMAINS` = comma-separated SPA hostnames only (e.g. `admin.crewli.app,app.crewli.app,portal.crewli.app`). **`crewli.nl`** is reserved for a future marketing site only — not used for this application stack.
+Production (registered domain **crewli.app**): API `https://api.crewli.app` (`APP_URL`); SPAs `https://crewli.app`, `https://portal.crewli.app` via the same env keys. Frontends use `VITE_API_URL=https://api.crewli.app/api/v1`. `SANCTUM_STATEFUL_DOMAINS` = comma-separated SPA hostnames only (e.g. `crewli.app,portal.crewli.app`). **`crewli.nl`** is reserved for a future marketing site only — not used for this application stack.

 ---

--- a/.cursor/instructions.md
+++ b/.cursor/instructions.md
@@ -20,8 +20,7 @@ Crewli is a multi-tenant SaaS platform for professional event and festival manag
 | Component | Technology | Location | Port |
 |-----------|------------|----------|------|
 | API | Laravel 12 + Sanctum + Spatie Permission | `api/` | 8000 |
-| Admin (Super Admin) | Vue 3 + Vuexy (full) | `apps/admin/` | 5173 |
-| Organizer App (Main) | Vue 3 + Vuexy (full) | `apps/app/` | 5174 |
+| Organizer + Admin App (Main) | Vue 3 + Vuexy (full) | `apps/app/` | 5174 |
 | Portal (External) | Vue 3 + Vuexy (stripped) | `apps/portal/` | 5175 |
 | Database | MySQL 8 | Docker | 3306 |
 | Cache / Queues | Redis | Docker | 6379 |
@@ -205,8 +204,7 @@ make services-stop  # Stop services
 ### Development Servers
 ```bash
 make api            # Laravel on :8000
-make admin          # Admin SPA on :5173
-make app            # Organizer SPA on :5174
+make app            # Organizer + Admin SPA on :5174
 make portal         # Portal SPA on :5175
 ```

--- a/.cursor/rules/001_workspace.mdc
+++ b/.cursor/rules/001_workspace.mdc
@@ -123,8 +123,7 @@ crewli/
 | Service | URL | Env Variable |
 |---------|-----|--------------|
 | API | `http://localhost:8000/api/v1` | - |
-| Admin SPA | `http://localhost:5173` | `FRONTEND_ADMIN_URL` |
-| Organizer SPA | `http://localhost:5174` | `FRONTEND_APP_URL` |
+| Organizer + Admin SPA | `http://localhost:5174` | `FRONTEND_APP_URL` |
 | Portal SPA | `http://localhost:5175` | `FRONTEND_PORTAL_URL` |
 | MySQL | `localhost:3306` | - |
 | Redis | `localhost:6379` | - |
@@ -137,12 +136,11 @@ crewli/
 | Service | URL | Env variable |
 |---------|-----|--------------|
 | API | `https://api.crewli.app` | `APP_URL` |
-| Admin SPA | `https://admin.crewli.app` | `FRONTEND_ADMIN_URL` |
-| Organizer SPA | `https://app.crewli.app` | `FRONTEND_APP_URL` |
+| Organizer + Admin SPA | `https://crewli.app` | `FRONTEND_APP_URL` |
 | Portal SPA | `https://portal.crewli.app` | `FRONTEND_PORTAL_URL` |

 ### CORS
-Three frontend origins configured in `config/cors.php` via env variables. Each Vite dev server gets its own port for CORS isolation. In production, set the same env vars to the `https://…` origins above (see `api/.env.example`).
+Two frontend origins configured in `config/cors.php` via env variables. Each Vite dev server gets its own port for CORS isolation. In production, set the same env vars to the `https://...` origins above (see `api/.env.example`).

 ## Git Conventions

--- a/.cursor/rules/101_vue.mdc
+++ b/.cursor/rules/101_vue.mdc
@@ -18,15 +18,12 @@ alwaysApply: true

 ## App-Specific Rules

-### `apps/admin/` (Super Admin)
- Full Vuexy template unchanged (sidebar, dark mode, customizer)
- Minimal modifications needed
-
-### `apps/app/` (Organizer - Main App)
+### `apps/app/` (Organizer + Platform Admin - Main App)
 - Sidebar nav customized for Crewli structure
 - Remove Vuexy demo/customizer components
 - Full Vuetify component usage
 - 90% of development work happens here
+- Super admin functionality under `/platform/*` routes for `super_admin` users

 ### `apps/portal/` (External Portal)
 - Stripped Vuexy: no sidebar, no customizer, no dark mode toggle
--- a/.cursor/rules/102_multi_tenancy.mdc
+++ b/.cursor/rules/102_multi_tenancy.mdc
@@ -189,14 +189,13 @@ class PortalTokenMiddleware
 ```php
 // config/cors.php
 'allowed_origins' => [
-    env('FRONTEND_ADMIN_URL', 'http://localhost:5173'),
    env('FRONTEND_APP_URL', 'http://localhost:5174'),
    env('FRONTEND_PORTAL_URL', 'http://localhost:5175'),
 ],
 'supports_credentials' => true,
 ```

-Production example (subdomains on **crewli.app**): `FRONTEND_ADMIN_URL=https://admin.crewli.app`, `FRONTEND_APP_URL=https://app.crewli.app`, `FRONTEND_PORTAL_URL=https://portal.crewli.app`, and `SANCTUM_STATEFUL_DOMAINS=admin.crewli.app,app.crewli.app,portal.crewli.app`.
+Production example (subdomains on **crewli.app**): `FRONTEND_APP_URL=https://crewli.app`, `FRONTEND_PORTAL_URL=https://portal.crewli.app`, and `SANCTUM_STATEFUL_DOMAINS=crewli.app,portal.crewli.app`.

 ## Shift Claiming & Approval Flow