2d3d-ro/CLAUDE.md

# 2d3d-ro

Web project for Beletage SRL.

## Development

```bash
npm run dev    # Development server
npm run build  # Production build
npm run lint   # Lint check
```

## Deploy

Deployed via Gitea → Portainer webhook or manual `git pull` on server.

## Infrastructure Quick Reference

| Server | IP | Role | SSH |
|--------|-----|------|-----|
| satra | 10.10.10.166 | Docker host, all services | `ssh satra` (bulibasa) |
| proxy | 10.10.10.199 | Traefik reverse proxy | `ssh proxy` (bulibasa) |
| shop | 10.10.10.84 | WordPress, Supabase | `ssh shop` (dnz) |
| ai | 10.10.10.85 | Claude Code workstation | local |
| DC | 10.10.10.2 | DNS, Hyper-V host | RDP only |

## Key Services

- **Gitea:** https://git.beletage.ro (gitadmin)
- **Traefik:** on proxy, dynamic configs at /opt/traefik/dynamic/
- **Authentik SSO:** https://auth.beletage.ro (v2025.2.4)
- **Infisical:** https://infisical.beletage.ro
- **Portainer:** https://portainer.beletage.ro

## Network

- LAN: 10.10.10.0/24, VPN: 10.10.20.0/24
- Public IP: 90.84.225.195 (Sophos firewall)
- DNS: *.beletage.ro → 90.84.225.195 → Traefik
- Cloudflare: avizero.ro

## Secrets Policy

- **NEVER** echo, print, or log secret values
- Use `get-secret <NAME>` helper to fetch on-demand from Infisical
- Available secrets: GITEA_TOKEN, CLOUDFLARE_API_TOKEN, CPANEL_TOKEN, BREVO_SMTP_*

## Work Rules

- One change at a time — verify each before the next
- Backup before any destructive operation
- Use `cat <<'EOF' | sudo tee` for remote file creation
- Re-read files before editing — never edit from stale memory
- After edits, verify the change applied correctly

## Code Quality

- Run type-check/lint after every edit before reporting success
- Don't add features beyond what's asked
- Match complexity to what the task actually requires