feat(phase3): add scripts, diagrams, and lint integration

- scripts/tag.sh: CalVer validation + dual-remote push
- scripts/changelog.sh: prepend release entry to CHANGELOG
- scripts/lint-public.sh: public IP, .env, and setup file checks
- sync.sh: run lint before push
- public/assets/: Mermaid diagrams for network topology, DNS chain, auth flow
- CLAUDE.md: update current phase to Phase 3

assets/auth-flow.md

@@ -0,0 +1,15 @@
+# Authentication Flow
+
+```mermaid
+sequenceDiagram
+  User->>Caddy: HTTPS request
+  Caddy->>Authentik: Forward auth check
+  Authentik-->>Caddy: 401 if unauthenticated
+  Caddy-->>User: Redirect to auth.lerkolabs.com
+  User->>Authentik: Login (OIDC or forward auth)
+  Authentik-->>User: Session cookie
+  User->>Caddy: HTTPS request + cookie
+  Caddy->>Authentik: Forward auth check
+  Authentik-->>Caddy: 200 OK
+  Caddy->>Service: Proxy request
+```

assets/dns-chain.md

@@ -0,0 +1,9 @@
+# DNS Resolution Chain
+
+```mermaid
+graph LR
+  D[Device] --> PH[Pi-hole\n10.2.0.11]
+  PH --> UB[pfSense Unbound\n10.x.0.1]
+  UB --> CF[Cloudflare\n1.1.1.1]
+  PH -- "*.lerkolabs.com" --> CADDY[Caddy\n10.2.0.20]
+```

assets/network-topology.md

@@ -0,0 +1,15 @@
+# Network Topology
+
+```mermaid
+graph TD
+  ONT[AT&T Fiber ONT] --> BGW[BGW320 IP Passthrough]
+  BGW --> PF[pfSense N100]
+  PF --> SW[Omada Switch]
+  SW --> MGMT[VLAN 1000 MGMT\n10.0.0.0/24]
+  SW --> LAN[VLAN 1010 LAN\n10.1.0.0/24]
+  SW --> HL[VLAN 1020 Homelab\n10.2.0.0/24]
+  SW --> GUEST[VLAN 1030 Guests\n10.3.0.0/24]
+  SW --> IOT[VLAN 1040 IoT\n10.4.0.0/24]
+  SW --> WFH[VLAN 1050 WFH\n10.5.0.0/24]
+  SW --> DMZ[VLAN 1 DMZ\n10.99.0.0/24]
+```