initial: split from gov-agreg — vreau.digital standalone platform

Moved from gov-agreg/src/pages/achizitii/* to root (drop prefix).
- 22 pages migrated, 127 files total
- All internal links: /achizitii/X → /X (176 occurrences fixed)
- AchizitiiLayout subnav rewritten: /X paths, top-right link to vreaudigital.ro hub
- BaseLayout new (vreau.digital branding, OG tags, site URL)
- astro.config.mjs: site https://vreau.digital, server output (was static)
- docker-compose: port 5096 (vreaudigital is 5095), container vreau-digital
- deploy.sh: paths /opt/vreau-digital, log /var/log/vreau-digital-deploy.log

Backend shared with gov-agreg:
- PostgreSQL satra (same schemas: seap, firms, anaf, anre, ...)
- Photon, Martin tiles
- Infisical /vreaudigital path (DATABASE_URL etc. shared)

build: PASS (npx astro check 0 errors, npm run build 5s vite + 10s server)

services/seap-scraper/cron/enrich-anaf.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+# Daily delta enrichment from ANAF webservicesp v9.
+# Runs the tsx script inside a node:22-alpine container so satra doesn't
+# need node installed at host level. DATABASE_URL is fetched fresh from
+# Infisical and passed via --env-file (mode 600, deleted right after the
+# container starts) — never on the docker run command line.
+#
+# Tier selection: pass TIER=daily|full|bulk as env (default: daily).
+# Concurrency: pass ANAF_CONCURRENCY=N (default: 2).
+#
+# Idempotent. Safe to run from cron.
+
+set -euo pipefail
+
+TIER="${TIER:-daily}"
+ANAF_CONCURRENCY="${ANAF_CONCURRENCY:-2}"
+LOG=/var/log/vreaudigital-anaf.log
+
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG"; }
+
+log "=== ANAF enrichment started (tier=$TIER, concurrency=$ANAF_CONCURRENCY) ==="
+
+# Bail if a previous run is still going — daily/full tier should always
+# finish well under 24h, so a still-running container means trouble.
+if docker ps --filter name=vreaudigital-anaf --format '{{.Names}}' | grep -q '^vreaudigital-anaf$'; then
+  log "WARN: vreaudigital-anaf already running, skipping this tick"
+  exit 0
+fi
+docker rm -f vreaudigital-anaf 2>/dev/null || true
+
+# ── Fetch DATABASE_URL via Infisical Machine Identity ──
+source /opt/vreaudigital/.infisical-mi
+TOKEN=$(infisical login --method=universal-auth \
+  --domain="$INFISICAL_API_URL" \
+  --client-id="$INFISICAL_CLIENT_ID" \
+  --client-secret="$INFISICAL_CLIENT_SECRET" \
+  --silent --plain)
+
+umask 077
+ENVF=$(mktemp /tmp/.vreaudigital-env.XXXXXX)
+DBURL=$(infisical secrets get DATABASE_URL \
+  --domain="$INFISICAL_API_URL" \
+  --projectId="$INFISICAL_PROJECT_ID" \
+  --env="$INFISICAL_ENV" --path="$INFISICAL_PATH" \
+  --token="$TOKEN" --plain --silent)
+echo "DATABASE_URL=$DBURL" > "$ENVF"
+unset DBURL TOKEN
+
+# ── Launch detached docker container ──
+cd /opt/vreaudigital/services/seap-scraper
+
+# Make sure node_modules exists (first run on a fresh host).
+if [ ! -d node_modules/tsx ]; then
+  log "Installing seap-scraper deps..."
+  docker run --rm -v "$(pwd):/work" -w /work --user "$(id -u):$(id -g)" \
+    node:22-alpine npm install --omit=optional 2>&1 | tee -a "$LOG" >/dev/null
+fi
+
+CID=$(docker run -d \
+  --name vreaudigital-anaf \
+  --network host \
+  --env-file "$ENVF" \
+  -v "$(pwd):/work" \
+  -w /work \
+  --user "$(id -u):$(id -g)" \
+  --restart no \
+  node:22-alpine \
+  npx tsx src/enrich-anaf.ts --concurrency="$ANAF_CONCURRENCY" --tier="$TIER")
+log "container started: $CID"
+
+# Daemon has read --env-file by the time `docker run -d` returns.
+sleep 3
+rm -f "$ENVF"
+log "envfile cleaned"
+
+# Wait synchronously so systemd Type=oneshot accurately captures runtime.
+docker wait vreaudigital-anaf >/dev/null
+EXIT_CODE=$(docker inspect -f '{{.State.ExitCode}}' vreaudigital-anaf 2>/dev/null || echo "?")
+docker logs vreaudigital-anaf 2>&1 | tail -5 | tee -a "$LOG"
+log "=== ANAF enrichment done (exit=$EXIT_CODE) ==="
+
+exit "$EXIT_CODE"