Phase 4: service store — manifest validation, install/remove, Store UI

- ServiceStoreManager: manifest allowlist (git.pic.ngo/roof/*), volume
  denylist, ACCEPT-only iptables rules, ${SERVICE_IP}-only dest_ip
- IP allocator: pool 172.20.0.20-254, skips CONTAINER_OFFSETS VIPs
- Compose overlay: docker-compose.services.yml auto-included via DCF
- Flask blueprint at /api/store: list, install, remove, refresh
- Store.jsx: full install/remove UI with spinners and toast notifications
- 95 new unit tests for ServiceStoreManager (all passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

webui/src/services/api.js

@@ -288,6 +288,16 @@ export const cellLinkAPI = {
   getServices: () => api.get('/api/cells/services'),
 };
 
+// Service Store API
+export const storeAPI = {
+  listServices: () => api.get('/api/store/services'),
+  getManifest: (id) => api.get(`/api/store/services/${id}/manifest`),
+  installService: (id) => api.post(`/api/store/services/${id}/install`),
+  removeService: (id, purge = false) => api.delete(`/api/store/services/${id}`, { params: { purge } }),
+  listInstalled: () => api.get('/api/store/installed'),
+  refreshIndex: () => api.post('/api/store/refresh'),
+};
+
 // Health check
 export const healthAPI = {
   check: () => api.get('/health'),