matrix/authentik: remove orphaned Matrix OAuth2 app + provider (post-tuwunel)

The migration left a UI-managed (not TF) Authentik OIDC app orphaned — tuwunel
uses native password auth, so nothing consumed it. Deleted application `matrix`
+ OAuth2 provider pk=6 via the Authentik API (user-confirmed). Drop the stale
Matrix rows from the SSO reference tables and update the plan's residual list.

Doc-only [ci skip].

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-08 12:32:49 +00:00
parent 23602f393e
commit 3d6c5b8bc7
3 changed files with 4 additions and 5 deletions

@ -48,9 +48,10 @@ RocksDB dir.
## Residual / follow-up items (flagged to user)
- **Authentik Matrix OAuth2 app is now orphaned** — tuwunel uses native password
auth (OIDC SSO not wired). Harmless; can be removed from the authentik stack
later if desired.
- **Authentik Matrix OAuth2 app — REMOVED 2026-06-08** (user-confirmed). It was
UI-managed (NOT in the authentik TF stack), so it was deleted via the Authentik
API: application `matrix` + OAuth2 provider `pk=6`. tuwunel uses native password
auth, so nothing consumed it.
- **Pre-existing drift in `stacks/vault`**: `vault_jwt_auth_backend.oidc` shows a
`tune` diff (explicit `768h` default/max lease TTLs being dropped). This
predates this migration and was **not** applied. Resolve separately.
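
Review bot: The new "REMOVED 2026-06-08" bullet sits under "Residual / follow-up items (flagged to user)", but it describes work that is already done, so the list no longer separates open items from closed ones. Either move it to a completed or changelog section, or keep it here and state what is still left to check. The bullet also identifies the provider only as `pk=6`, an instance-local id that cannot be looked up once the object is gone; adding the provider's name next to it would keep the record useful for a later audit. Since the app was UI-managed and deleted through the API, a short note on how the deletion was confirmed (for example, that the application and provider no longer appear in the API listing) would make the "nothing consumed it" claim checkable.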