docs: document DoubleZero agent managed config on both switches

Inventories what the DZ agent controls (tunnels, ACLs, VRFs, BGP,
route-maps, loopbacks) so we don't accidentally modify objects that
the agent will silently overwrite. Includes a "safe to modify" section
listing our own relay infrastructure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/doublezero-agent-managed-config.md

@@ -0,0 +1,80 @@
+# DoubleZero Agent — Managed Configuration
+
+The `doublezero-agent` daemon runs on both mia-sw01 and was-sw01. It manages
+GRE tunnels, ACLs, BGP neighbors, and route-maps via EOS config sessions
+(named `doublezero-agent-<timestamp>`). It periodically creates pending
+sessions and commits them, overwriting any manual changes to the objects
+it manages.
+
+**Do NOT modify any of the items listed below.** The agent will silently
+overwrite your changes.
+
+## mia-sw01
+
+### Tunnel interfaces (all DZ-managed)
+
+| Interface  | Description     | VRF     | Peer            | ACL                          |
+|------------|-----------------|---------|-----------------|------------------------------|
+| Tunnel500  | USER-UCAST-500  | vrf1    | 186.233.184.235 | SEC-USER-500-IN              |
+| Tunnel501  | USER-MCAST-501  | default | 186.233.185.50  | SEC-USER-SUB-MCAST-IN        |
+| Tunnel502  | USER-UCAST-502  | vrf1    | 155.138.213.71  | SEC-USER-502-IN              |
+| Tunnel503  | USER-MCAST-503  | default | 155.138.213.71  | SEC-USER-PUB-MCAST-IN        |
+| Tunnel504  | (empty)         |         |                 |                              |
+| Tunnel505  | USER-UCAST-505  | vrf1    | 186.233.185.50  | SEC-USER-505-IN              |
+| Tunnel506  | (exists)        |         |                 |                              |
+
+### ACLs (DZ-managed — do NOT modify)
+
+- `SEC-DIA-IN` — ingress ACL on Et1/1 (bogon/RFC1918 filter)
+- `SEC-USER-500-IN` — ingress ACL on Tunnel500
+- `SEC-USER-502-IN` — ingress ACL on Tunnel502
+- `SEC-USER-505-IN` — ingress ACL on Tunnel505
+- `SEC-USER-SUB-MCAST-IN` — ingress ACL on Tunnel501
+- `SEC-USER-PUB-MCAST-IN` — ingress ACL on Tunnel503
+- `SEC-USER-MCAST-BOUNDARY-501-OUT` — multicast boundary on Tunnel501
+- `SEC-USER-MCAST-BOUNDARY-503-OUT` — multicast boundary on Tunnel503
+
+### VRF (DZ-managed)
+
+- `vrf1` — used by Tunnel500, Tunnel502, Tunnel505 (unicast tunnels)
+- `ip route vrf vrf1 0.0.0.0/0 egress-vrf default Ethernet4/1 172.16.1.188`
+
+### BGP (DZ-managed)
+
+- `router bgp 65342` — iBGP mesh with DZ fabric switches (ny7, sea001, ld4, etc.)
+- BGP neighbors on tunnel link IPs (169.254.x.x) with `RM-USER-*` route-maps
+- All `RM-USER-*-IN` and `RM-USER-*-OUT` route-maps
+
+### Loopbacks (DZ-managed)
+
+- `Loopback255`, `Loopback256` — BGP update sources for iBGP mesh
+
+## was-sw01
+
+### ACLs (DZ-managed)
+
+- `SEC-DIA-IN` — ingress ACL on Et1/1
+- `SEC-USER-PUB-MCAST-IN`
+- `SEC-USER-SUB-MCAST-IN`
+
+### Daemons
+
+- `doublezero-agent` — config management
+- `doublezero-telemetry` — metrics (writes to influxdb `doublezero-mainnet-beta`)
+
+## Safe to modify (NOT managed by DZ agent)
+
+### mia-sw01
+
+- `Tunnel100` — our dedicated validator relay tunnel (VRF relay)
+- `SEC-VALIDATOR-100-IN` — our ACL on Tunnel100
+- `Loopback101` — tunnel source IP (209.42.167.137)
+- VRF `relay` — our outbound isolation VRF
+- `ip route 137.239.194.65/32 egress-vrf relay 169.254.100.1`
+- `ip route vrf relay 0.0.0.0/0 egress-vrf default 172.16.1.188`
+- Backbone `Ethernet4/1` — physical interface, not DZ-managed
+
+### was-sw01
+
+- `ip route 137.239.194.65/32 172.16.1.189` — our static route
+- Backbone `Ethernet4/1` — physical interface, not DZ-managed