Initial scaffold

CLAUDE.md

@@ -0,0 +1,60 @@
+# 2d3d-ro
+
+Web project for Beletage SRL.
+
+## Development
+
+```bash
+npm run dev    # Development server
+npm run build  # Production build
+npm run lint   # Lint check
+```
+
+## Deploy
+
+Deployed via Gitea → Portainer webhook or manual `git pull` on server.
+
+## Infrastructure Quick Reference
+
+| Server | IP | Role | SSH |
+|--------|-----|------|-----|
+| satra | 10.10.10.166 | Docker host, all services | `ssh satra` (bulibasa) |
+| proxy | 10.10.10.199 | Traefik reverse proxy | `ssh proxy` (bulibasa) |
+| shop | 10.10.10.84 | WordPress, Supabase | `ssh shop` (dnz) |
+| ai | 10.10.10.85 | Claude Code workstation | local |
+| DC | 10.10.10.2 | DNS, Hyper-V host | RDP only |
+
+## Key Services
+
+- **Gitea:** https://git.beletage.ro (gitadmin)
+- **Traefik:** on proxy, dynamic configs at /opt/traefik/dynamic/
+- **Authentik SSO:** https://auth.beletage.ro (v2025.2.4)
+- **Infisical:** https://infisical.beletage.ro
+- **Portainer:** https://portainer.beletage.ro
+
+## Network
+
+- LAN: 10.10.10.0/24, VPN: 10.10.20.0/24
+- Public IP: 90.84.225.195 (Sophos firewall)
+- DNS: *.beletage.ro → 90.84.225.195 → Traefik
+- Cloudflare: avizero.ro
+
+## Secrets Policy
+
+- **NEVER** echo, print, or log secret values
+- Use `get-secret <NAME>` helper to fetch on-demand from Infisical
+- Available secrets: GITEA_TOKEN, CLOUDFLARE_API_TOKEN, CPANEL_TOKEN, BREVO_SMTP_*
+
+## Work Rules
+
+- One change at a time — verify each before the next
+- Backup before any destructive operation
+- Use `cat <<'EOF' | sudo tee` for remote file creation
+- Re-read files before editing — never edit from stale memory
+- After edits, verify the change applied correctly
+
+## Code Quality
+
+- Run type-check/lint after every edit before reporting success
+- Don't add features beyond what's asked
+- Match complexity to what the task actually requires