chore: initial repo setup with baseline config backup

- Pull current config from router (OpenWRT 24.10.2)
- Add backup, safe-apply, and push-all scripts
- Add CLAUDE.md with workflow rules and context
- Add network-map.md with current topology and planned VLANs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/backup.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Pull current router config into config/ and commit if there are changes.
+set -euo pipefail
+
+ROUTER="${ROUTER:-openwrt}"
+CONFIGS=(dhcp dropbear firewall network system wireless)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_DIR="$SCRIPT_DIR/../config"
+
+echo "Pulling config from $ROUTER..."
+for f in "${CONFIGS[@]}"; do
+  ssh "$ROUTER" "cat /etc/config/$f" > "$CONFIG_DIR/$f"
+  echo "  $f"
+done
+
+cd "$SCRIPT_DIR/.."
+if git diff --quiet && git diff --cached --quiet; then
+  echo "No changes — config is up to date."
+else
+  echo ""
+  git diff --stat config/
+  echo ""
+  read -rp "Commit these changes? [y/N] " answer
+  if [[ "${answer,,}" == "y" ]]; then
+    git add config/
+    git commit -m "backup: pull config from router $(date '+%Y-%m-%d %H:%M')"
+    echo "Committed."
+  fi
+fi

scripts/push-all.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Push ALL config files to router and reload.
+# WARNING: Use safe-apply.sh for individual risky changes (network, firewall, wireless).
+# This script is for bulk pushes of low-risk configs (dhcp, system, dropbear).
+set -euo pipefail
+
+ROUTER="${ROUTER:-openwrt}"
+CONFIGS=(dhcp dropbear firewall network system wireless)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_DIR="$SCRIPT_DIR/../config"
+
+echo "WARNING: This will push all configs and reload. Use safe-apply.sh for network/firewall changes."
+read -rp "Continue? [y/N] " answer
+[[ "${answer,,}" == "y" ]] || exit 0
+
+for f in "${CONFIGS[@]}"; do
+  echo "  pushing $f..."
+  ssh "$ROUTER" "cat > /etc/config/$f" < "$CONFIG_DIR/$f"
+done
+
+ssh "$ROUTER" "uci commit && reload_config"
+echo "Done."

scripts/safe-apply.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Push a single config file to the router with an automatic revert safety net.
+#
+# Usage: ./safe-apply.sh <config-name> [revert-minutes]
+#   config-name:    e.g. "network", "wireless", "firewall"
+#   revert-minutes: how long before auto-revert fires (default: 5)
+#
+# The router will automatically reboot (and revert to its saved config) after
+# REVERT_MINS minutes unless you explicitly confirm the change is working.
+# On confirmation, the pending reboot is cancelled and the config is committed.
+
+set -euo pipefail
+
+CONFIG_NAME="${1:-}"
+REVERT_MINS="${2:-5}"
+ROUTER="${ROUTER:-openwrt}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_FILE="$SCRIPT_DIR/../config/$CONFIG_NAME"
+
+if [[ -z "$CONFIG_NAME" ]]; then
+  echo "Usage: $0 <config-name> [revert-minutes]"
+  exit 1
+fi
+
+if [[ ! -f "$CONFIG_FILE" ]]; then
+  echo "Error: $CONFIG_FILE not found."
+  exit 1
+fi
+
+echo "==> Staging auto-revert in ${REVERT_MINS} minutes on router..."
+ssh "$ROUTER" "echo 'reboot' | at now + ${REVERT_MINS} minutes 2>/dev/null || { sleep ${REVERT_MINS}m && reboot; } &"
+
+echo "==> Pushing $CONFIG_NAME..."
+ssh "$ROUTER" "cat > /etc/config/$CONFIG_NAME" < "$CONFIG_FILE"
+
+echo "==> Reloading service..."
+case "$CONFIG_NAME" in
+  network)   ssh "$ROUTER" "/etc/init.d/network restart" ;;
+  wireless)  ssh "$ROUTER" "/etc/init.d/network restart" ;;
+  firewall)  ssh "$ROUTER" "/etc/init.d/firewall restart" ;;
+  dhcp)      ssh "$ROUTER" "/etc/init.d/dnsmasq restart" ;;
+  *)         ssh "$ROUTER" "uci commit && reload_config" ;;
+esac
+
+echo ""
+echo "Config applied. You have ${REVERT_MINS} minutes to confirm."
+echo "Test your connection, then come back here."
+echo ""
+read -rp "Is everything working? Confirm to cancel revert [y/N] " answer
+
+if [[ "${answer,,}" == "y" ]]; then
+  ssh "$ROUTER" "kill \$(atq 2>/dev/null | awk '{print \$1}' | xargs -I{} at -l {} 2>/dev/null | grep -l reboot | xargs) 2>/dev/null; killall -q sleep 2>/dev/null || true"
+  ssh "$ROUTER" "uci commit"
+  echo "Confirmed. Revert cancelled, config committed on router."
+else
+  echo "Reverting — router will reboot in remaining window."
+fi