chore(deploy): single-host deploy config — drop apps/portal build, retire portal.crewli.app

deploy.sh referenced apps/portal which was deleted in WS-3 PR-B1; the
script has been broken in main since that merge (npm run build
-w apps/portal would fail). Collapse to a single-app build.

Changes:
- deploy.sh: replace dual-build block (build app + portal, verify both
  dist/) with single-app build (build app, verify dist/index.html)
- deploy/nginx/csp-portal.conf: deleted (content was identical to
  csp-spa.conf — verified before removal)
- deploy/README.md: replace "Portal (portal.crewli.app)" server-block
  section with "Legacy portal redirect" — a 301 server block
  template that redirects portal.crewli.app → crewli.app preserving
  the request URI. Notes that DNS retirement is a separate ops task

Out of scope: actually retiring the portal.crewli.app DNS record
(operational, tracked separately).

bash -n deploy.sh: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy.sh

@@ -93,18 +93,13 @@ else
     echo "→ package-lock.json unchanged — skipping npm ci"
 fi
 
-echo "→ Building frontend assets (apps/app + apps/portal)..."
-# Explicit per-workspace build to avoid silent single-app builds
+echo "→ Building frontend assets (apps/app)..."
 npm run build -w apps/app
-npm run build -w apps/portal
 
-# Verify both dist folders exist and are non-empty
-for app in app portal; do
-    if [ ! -f "apps/$app/dist/index.html" ]; then
-        echo "❌ Build failed: apps/$app/dist/index.html missing"
-        exit 1
-    fi
-done
+if [ ! -f "apps/app/dist/index.html" ]; then
+    echo "❌ Build failed: apps/app/dist/index.html missing"
+    exit 1
+fi
 
 # ──────────────────────────────────────────
 # 5. Run migrations

deploy/README.md

@@ -28,18 +28,26 @@ server {
 }
 ```
 
-### Portal (portal.crewli.app)
+### Legacy portal redirect (portal.crewli.app)
+
+Pre-WS-3 (April 2026), Crewli ran a separate portal SPA at
+`portal.crewli.app`. The dual-SPA was consolidated into a single
+workspace; the legacy host should redirect 301 → `crewli.app`:
+
 ```nginx
 server {
     server_name portal.crewli.app;
+    listen 443 ssl;
+    # ... TLS config from DirectAdmin / Let's Encrypt ...
 
-    include /path/to/deploy/nginx/security-headers.conf;
-    include /path/to/deploy/nginx/csp-portal.conf;
-
-    # ... rest of config
+    return 301 https://crewli.app$request_uri;
 }
 ```
 
+DNS retirement of `portal.crewli.app` is a separate operational task
+tracked outside this repo. Until DNS is repointed, this redirect
+handles any stale links.
+
 ## CSP Rollout Process
 
 1. Start with `Content-Security-Policy-Report-Only` (uncomment in `csp-spa.conf`)

deploy/nginx/csp-portal.conf

@@ -1,4 +0,0 @@
-# CSP for portal.crewli.app
-# Same policy as SPA but with stricter connect-src since portal
-# should only talk to the API.
-add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;