diff --git a/deploy.sh b/deploy.sh index da56da5e..29df22a7 100755 --- a/deploy.sh +++ b/deploy.sh @@ -93,18 +93,13 @@ else echo "→ package-lock.json unchanged — skipping npm ci" fi -echo "→ Building frontend assets (apps/app + apps/portal)..." -# Explicit per-workspace build to avoid silent single-app builds +echo "→ Building frontend assets (apps/app)..." npm run build -w apps/app -npm run build -w apps/portal -# Verify both dist folders exist and are non-empty -for app in app portal; do - if [ ! -f "apps/$app/dist/index.html" ]; then - echo "❌ Build failed: apps/$app/dist/index.html missing" - exit 1 - fi -done +if [ ! -f "apps/app/dist/index.html" ]; then + echo "❌ Build failed: apps/app/dist/index.html missing" + exit 1 +fi # ────────────────────────────────────────── # 5. Run migrations diff --git a/deploy/README.md b/deploy/README.md index c60c9d13..310f0379 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -28,18 +28,26 @@ server { } ``` -### Portal (portal.crewli.app) +### Legacy portal redirect (portal.crewli.app) + +Pre-WS-3 (April 2026), Crewli ran a separate portal SPA at +`portal.crewli.app`. The dual-SPA was consolidated into a single +workspace; the legacy host should redirect 301 → `crewli.app`: + ```nginx server { server_name portal.crewli.app; + listen 443 ssl; + # ... TLS config from DirectAdmin / Let's Encrypt ... - include /path/to/deploy/nginx/security-headers.conf; - include /path/to/deploy/nginx/csp-portal.conf; - - # ... rest of config + return 301 https://crewli.app$request_uri; } ``` +DNS retirement of `portal.crewli.app` is a separate operational task +tracked outside this repo. Until DNS is repointed, this redirect +handles any stale links. + ## CSP Rollout Process 1. Start with `Content-Security-Policy-Report-Only` (uncomment in `csp-spa.conf`) diff --git a/deploy/nginx/csp-portal.conf b/deploy/nginx/csp-portal.conf deleted file mode 100644 index 256eac5c..00000000 --- a/deploy/nginx/csp-portal.conf +++ /dev/null 
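Review bot: The `-f` test after `npm run build -w apps/app` only shows that some `apps/app/dist/index.html` exists, so a file left behind by an earlier deploy could satisfy it even when this build failed. Whether the script aborts on a failed command (for example via `set -e`) is decided outside this hunk; if it does not, check the build's exit status directly with `npm run build -w apps/app || { echo "❌ Build failed: apps/app" >&2; exit 1; }`. The removed comment promised a non-empty check that `-f` never performed, and `[ ! -s "apps/app/dist/index.html" ]` would also reject an empty file. Silently shipping stale assets matters most when the deploy is meant to carry a frontend security fix.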
@@ -1,4 +0,0 @@
-# CSP for portal.crewli.app
-# Same policy as SPA but with stricter connect-src since portal
-# should only talk to the API.
-add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;