Phase 4: service store — manifest validation, install/remove, Store UI

- ServiceStoreManager: manifest allowlist (git.pic.ngo/roof/*), volume
  denylist, ACCEPT-only iptables rules, ${SERVICE_IP}-only dest_ip
- IP allocator: pool 172.20.0.20-254, skips CONTAINER_OFFSETS VIPs
- Compose overlay: docker-compose.services.yml auto-included via DCF
- Flask blueprint at /api/store: list, install, remove, refresh
- Store.jsx: full install/remove UI with spinners and toast notifications
- 95 new unit tests for ServiceStoreManager (all passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/managers.py

@@ -60,6 +60,15 @@ setup_manager = SetupManager(config_manager=config_manager, auth_manager=auth_ma
 caddy_manager = CaddyManager(config_manager=config_manager, data_dir=DATA_DIR, config_dir=CONFIG_DIR)
 ddns_manager = DDNSManager(config_manager=config_manager, data_dir=DATA_DIR, config_dir=CONFIG_DIR)
 
+from service_store_manager import ServiceStoreManager
+service_store_manager = ServiceStoreManager(
+    config_manager=config_manager,
+    caddy_manager=caddy_manager,
+    container_manager=container_manager,
+    data_dir=DATA_DIR,
+    config_dir=CONFIG_DIR,
+)
+
 # Service logger configuration
 _service_log_configs = {
     'network':   {'level': 'INFO', 'formatter': 'json', 'console': False},
@@ -93,7 +102,7 @@ __all__ = [
     'email_manager', 'calendar_manager', 'file_manager',
     'routing_manager', 'vault_manager', 'container_manager',
     'cell_link_manager', 'auth_manager', 'setup_manager', 'caddy_manager',
-    'ddns_manager',
+    'ddns_manager', 'service_store_manager',
     'firewall_manager', 'EventType',
     'DATA_DIR', 'CONFIG_DIR',
 ]