Phase 1: Stabilise codebase — fix routes, CI, security, docs

[nbhansen]

Description

Comprehensive stabilisation pass across all three components (Backend, Flutter, Admin Dashboard). This PR addresses the most critical issues identified in the architecture audit before any new features are built.

What changed

1. Fix route collisions causing 14 test failures

• BoardsController route changed from api/Users/Boards to api/boards to eliminate ambiguous match with UsersController
• SavedArtefactsController route changed from api/Users/SavedArtefacts to api/saved-artefacts
• Updated ~96 test URLs, ~42 Flutter API paths, and ~84 documentation references to match

2. Add Flutter & Admin Dashboard CI jobs

• Added flutter-ci job (checkout → flutter pub get → flutter analyze → flutter test)
• Added admin-ci job (checkout → npm ci → npm run build)
• Renamed workflow file from dotnet-desktop.yml to dotnet-ci-cd.yml

3. Remove admin dashboard mock auth bypass

• Removed the mock auth block in Frontend/admin-dashboard/src/stores/auth.ts that returned a fake token before ever calling the real API
• Admin dashboard now always authenticates against the real backend

4. Extract shared UserCleanupHelper

• New Backend/VTA.API/Utilities/UserCleanupHelper.cs consolidates user-deletion logic (cascade delete relations, artefacts, saved boards, saved artefacts, sessions)
• AdminController and UsersController both use the shared helper instead of duplicating cleanup code

5. Move ElevenLabs API key to backend only

• Removed client-side API key from Flutter config, controller, model, widget, and example env
• ElevenLabsService now reads the key from backend-only SecretsProvider
• TTS requests go through the existing /api/artefacts/{id}/tts endpoint — no direct client→ElevenLabs calls

6. Remove broken SyncService integration test

• Deleted SyncService Integration test group that tried to instantiate SyncService without GetIt registrations (pre-existing failure)
• Kept all 9 passing FileChangeRecord and SyncCheckResponse unit tests

7. Comprehensive documentation

• Full docs tree: architecture overview, dependency map, infrastructure, 9 feature docs, class-level API docs for all components
• Agent guides (CLAUDE-backend.md, CLAUDE-flutter.md, CLAUDE-admin.md)
• improvementPlan.md with phased roadmap
• Updated docs/improvement_proposals.md marking 5 items as resolved

Type of change

• Bug fix (non-breaking change which fixes an issue)
• This change requires a documentation update

How Has This Been Tested?

• All 37 backend integration tests pass locally (dotnet test Backend/VTA.Tests/)
• All 9 Flutter unit tests pass locally (flutter test)
• Admin dashboard builds successfully (npm run build)
• CI pipeline validates all three components on push

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas, if necessary
• I have made corresponding changes to the documentation, if necessary
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works, if necessary
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules
• I have Acceptance Tested this on an iOS device
• I have Acceptance Tested this on an Android device