audit: production safety fixes, cleanup, and documentation overhaul

CRITICAL fixes:
- Fix SQL injection in geoportal search (template literal in $queryRaw)
- Preserve enrichment data during GIS re-sync (upsert update explicit fields only)
- Fix ePay version race condition (advisory lock in transaction)
- Add requireAuth() to compress-pdf and unlock routes (were unauthenticated)
- Remove hardcoded Stirling PDF API key (env vars now required)

IMPORTANT fixes:
- Add admin role check on registratura debug-sequences endpoint
- Fix reserved slot race condition with advisory lock in transaction
- Use SSO identity in close-guard-dialog instead of hardcoded "Utilizator"
- Storage DELETE catches only P2025 (not found), re-throws real errors
- Add onDelete: SetNull for GisFeature → GisSyncRun relation
- Move portal-only users to PORTAL_ONLY_USERS env var
- Add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Add periodic cleanup for eTerra/ePay session caches and progress store
- Log warning when ePay dataDocument is missing (expiry fallback)

Cleanup:
- Delete orphaned rgi-test page (1086 lines, unregistered, inaccessible)
- Delete legacy/ folder (5 files, unreferenced from src/)
- Remove unused ensureBucketExists() from minio-client.ts

Documentation:
- Optimize CLAUDE.md: 464 → 197 lines (moved per-module details to docs/)
- Create docs/ARCHITECTURE-QUICK.md (80 lines: data flow, deps, env vars)
- Create docs/MODULE-MAP.md (140 lines: entry points, API routes, cross-deps)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/ARCHITECTURE-QUICK.md

@@ -0,0 +1,80 @@
+# ArchiTools — Architecture Quick Reference
+
+## Data Flow
+
+```
+Browser → Traefik (tools.beletage.ro) → Next.js :3000
+                                          ├── App Router (pages)
+                                          ├── API Routes (/api/*)
+                                          │     ├── Prisma → PostgreSQL + PostGIS
+                                          │     ├── MinIO (file storage)
+                                          │     ├── eTerra ANCPI (external GIS API)
+                                          │     └── Brevo SMTP (email notifications)
+                                          └── Auth: NextAuth → Authentik OIDC
+```
+
+## Module Dependencies
+
+```
+registratura ←→ address-book    (bidirectional: contacts + reverse lookup)
+parcel-sync  →  geoportal       (map components reuse)
+geoportal    →  PostGIS          (spatial queries, vector tiles)
+parcel-sync  →  eTerra API       (external: ANCPI cadastral data)
+parcel-sync  →  ePay API         (external: ANCPI CF extract ordering)
+parcel-sync  →  MinIO            (CF extract PDF storage)
+notifications → registratura     (deadline digest data)
+all modules  → core/storage      (KeyValueStore via Prisma)
+all modules  → core/auth         (Authentik SSO session)
+```
+
+## Critical API Routes (Write Operations)
+
+| Route                              | Method | What it does                        | Auth      |
+| ---------------------------------- | ------ | ----------------------------------- | --------- |
+| `/api/storage`                     | PUT/DELETE | KeyValueStore CRUD               | Middleware |
+| `/api/registratura`                | POST/PUT/DELETE | Registry entries + audit      | Middleware + Bearer |
+| `/api/registratura/reserved`       | POST   | Reserve future registry slots       | Middleware |
+| `/api/registratura/debug-sequences`| POST/PATCH | Reset sequence counters        | Admin only |
+| `/api/vault`                       | PUT/DELETE | Encrypted vault entries          | Middleware |
+| `/api/address-book`                | PUT/DELETE | Contact CRUD                     | Middleware + Bearer |
+| `/api/eterra/sync-background`      | POST   | Start GIS sync job                  | Middleware |
+| `/api/eterra/uats`                 | POST/PATCH | UAT management + county refresh | Middleware |
+| `/api/ancpi/order`                 | POST   | ePay CF extract order               | Middleware |
+| `/api/notifications/digest`        | POST   | Trigger email digest                | Bearer    |
+| `/api/notifications/preferences`   | PUT    | User notification prefs             | Middleware |
+| `/api/compress-pdf/*`              | POST   | PDF compression/unlock              | requireAuth |
+
+## Storage Architecture
+
+```
+KeyValueStore (Prisma)          GisFeature (PostGIS)           MinIO
+├── namespace: module-id        ├── layerId + objectId         ├── bucket: tools
+├── key: entity UUID            ├── geometry (GeoJSON)         ├── bucket: ancpi-cf
+└── value: JSON blob            ├── enrichment (JSONB)         └── PDF files
+                                └── geom (native PostGIS)
+```
+
+## Auth Flow
+
+```
+User → /auth/signin → Authentik OIDC → callback → NextAuth session
+  ├── Middleware: checks JWT token, redirects if unauthenticated
+  ├── Portal-only users: env PORTAL_ONLY_USERS → redirected to /portal
+  └── API routes excluded from middleware: use requireAuth() or Bearer token
+```
+
+## Environment Variables (Critical)
+
+| Var                    | Required | Used by                    |
+| ---------------------- | -------- | -------------------------- |
+| `DATABASE_URL`         | Yes      | Prisma                     |
+| `NEXTAUTH_SECRET`      | Yes      | NextAuth JWT               |
+| `NEXTAUTH_URL`         | Yes      | Auth redirects             |
+| `ENCRYPTION_SECRET`    | Yes      | Password Vault AES-256     |
+| `STIRLING_PDF_URL`     | Yes      | PDF compression/unlock     |
+| `STIRLING_PDF_API_KEY` | Yes      | Stirling PDF auth          |
+| `NOTIFICATION_CRON_SECRET` | Yes  | Digest endpoint Bearer     |
+| `MINIO_*`              | Yes      | MinIO connection           |
+| `ANCPI_*`              | For ePay | ePay CF ordering           |
+| `ILOVEPDF_PUBLIC_KEY`  | Optional | Cloud PDF compression      |
+| `PORTAL_ONLY_USERS`    | Optional | Comma-separated usernames  |