Add location-aware DNS suffix auto-switch for LBOOK

LBOOK is domain-joined to intern.beletage.ro, so the AD suffix was searched first for every single-label name. Off the office LAN, home names like home-ws were tried as home-ws.intern.beletage.ro, routed by NRPT to the AD DNS over VPN, stalling ~11s on timeout before falling back to .lan — slow RDP to home hosts.

scripts/dns-location-suffix.ps1 sets the global suffix search order from the physical NIC subnet (Sophos TAP excluded): intern-first on the office LAN (10.10.10.x / 10.10.40.x), lan-first everywhere else. install-dns-location-task.ps1 registers it as a SYSTEM scheduled task triggered on network-connect (NetworkProfile 10000) and logon; verify-dns-location-task.ps1 reads it back (the task is not queryable unelevated). Also adds .claude/settings.json allowlisting read-only network diagnostics.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/settings.json

@@ -0,0 +1,18 @@
+{
+  "permissions": {
+    "allow": [
+      "PowerShell(Get-NetAdapter)",
+      "PowerShell(Get-NetAdapter *)",
+      "PowerShell(Get-NetRoute *)",
+      "PowerShell(Get-VpnConnection)",
+      "PowerShell(Get-VpnConnection *)",
+      "PowerShell(Get-NetIPAddress *)",
+      "PowerShell(ipconfig /all)",
+      "PowerShell(klist)",
+      "PowerShell(klist *)",
+      "PowerShell(Clear-DnsClientCache)",
+      "PowerShell(ipconfig /flushdns)",
+      "Bash(pdftotext *)"
+    ]
+  }
+}