security: round 4 — frontend hardening (deps, XSS, cookie security)

Vulnerable dependencies upgraded:
- Backend: league/commonmark >=2.8.2 (HTML injection bypass),
  phpunit/phpunit >=11.5.50, laravel/tinker (psysh LPE)
- Frontend: axios 1.13→1.15 (SSRF + metadata exfiltration),
  @casl/ability updated (prototype pollution)
- Removed swiper from all 3 apps (prototype pollution CVE,
  only used in Vuexy demo pages)

XSS vectors removed:
- Deleted Vuexy demo pages with v-html rendering API data:
  help-center/article, academy/course-details
- Deleted all front-pages (landing, pricing, checkout, payment) —
  Vuexy marketing template, not Crewli business logic
- Deleted swiper demo components and views
- Fixed admin main.ts: replaced innerHTML with template literal
  with safe DOM construction using textContent

Cookie security:
- Added SameSite=Strict and Secure flags to admin cookie defaults

Cleanup:
- Removed swiper SCSS from all 3 apps
- Removed swiper custom element config from all 3 vite configs
- Portal localStorage cleanup verified: reset() clears all keys,
  called on both explicit logout and 401 interceptor

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/admin/vite.config.ts

@@ -29,13 +29,7 @@ export default defineConfig({
         root.insert('/apps/email/:label', '/src/pages/apps/email/index.vue')
       },
     }),
-    vue({
-      template: {
-        compilerOptions: {
-          isCustomElement: tag => tag === 'swiper-container' || tag === 'swiper-slide',
-        },
-      },
-    }),
+    vue(),
     VueDevTools(),
     vueJsx(),