matrix/authentik: remove orphaned Matrix OAuth2 app + provider (post-tuwunel)

The migration left a UI-managed (not TF) Authentik OIDC app orphaned — tuwunel
uses native password auth, so nothing consumed it. Deleted application `matrix`
+ OAuth2 provider pk=6 via the Authentik API (user-confirmed). Drop the stale
Matrix rows from the SSO reference tables and update the plan's residual list.

Doc-only [ci skip].

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-08 12:32:49 +00:00
parent 23602f393e
commit 3d6c5b8bc7
3 changed files with 4 additions and 5 deletions

@ -102,7 +102,6 @@ Authentik provides OIDC for 10 applications:
| Kubernetes | OIDC (public client) | K8s API authentication (kubectl / kubelogin CLI) |
| Kubernetes Dashboard | OIDC (confidential) | Built for dashboard SSO — currently **idle** (apiserver OIDC blocked; dashboard uses forward-auth + token-paste) |
| Linkwarden | OIDC | Bookmark manager SSO |
| Matrix | OIDC | ⚠️ Legacy/orphaned — Synapse→tuwunel migration 2026-06-08; tuwunel uses native password auth, OIDC SSO not wired |
| Wrongmove | OIDC | Real estate app SSO |
### Kubernetes API authentication (OIDC) — CURRENTLY NON-FUNCTIONAL
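Review bot: the hunk context line "Authentik provides OIDC for 10 applications:" still says 10 after the Matrix row is dropped from the table; update the count to 9 (or make the sentence count-free, e.g. "Authentik provides OIDC for the following applications:") so the heading does not drift from the table below it. Since the removed row carried the only mention of the orphaned Matrix client in this file, consider keeping a one-line changelog-style note (date, "Matrix OIDC app removed, tuwunel uses native password auth") so a future reader auditing Authentik clients knows the entry was deliberately retired rather than accidentally omitted.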

@ -48,9 +48,10 @@ RocksDB dir.
## Residual / follow-up items (flagged to user)
- **Authentik Matrix OAuth2 app is now orphaned** — tuwunel uses native password
auth (OIDC SSO not wired). Harmless; can be removed from the authentik stack
later if desired.
- **Authentik Matrix OAuth2 app — REMOVED 2026-06-08** (user-confirmed). It was
UI-managed (NOT in the authentik TF stack), so it was deleted via the Authentik
API: application `matrix` + OAuth2 provider `pk=6`. tuwunel uses native password
auth, so nothing consumed it.
- **Pre-existing drift in `stacks/vault`**: `vault_jwt_auth_backend.oidc` shows a
`tune` diff (explicit `768h` default/max lease TTLs being dropped). This
predates this migration and was **not** applied. Resolve separately.
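Review bot: the rewritten first bullet is a completed action but still sits under "Residual / follow-up items (flagged to user)", so the section no longer reads as a list of open work; either move it to a completed/changelog list or state what remains to verify. Concretely, the bullet records deleting application `matrix` and OAuth2 provider `pk=6` via the API, but a bare Authentik primary key is a fragile reference, so name the provider as well, and note whether the deletion also retired the provider's client secret and any Matrix-specific flow or policy bindings, and whether any consumer (Vault, a Kubernetes Secret, the old Synapse config) still holds that client secret so it can be rotated or dropped. Minor: "(user-confirmed)" appears in both the commit message and the doc; one place is enough.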