feat: add comprehensive E2E test suite (Playwright + WireGuard + API)

Adds tests/e2e/ with three layers of E2E coverage:
- API layer (tests/e2e/api/): unauthenticated access, admin endpoints,
  peer endpoints, access control enforcement — 24 tests
- Playwright UI (tests/e2e/ui/): login flows, admin navigation, peer
  dashboard/services, role-based ACL, password change — 60+ tests
- WireGuard connectivity (tests/e2e/wg/): tunnel up/down, DNS resolution
  through VPN, service ACL enforcement via iptables, full-tunnel routing
Shared helpers: PicAPIClient, WGInterface, playwright_login, cleanup.
Makefile targets: test-e2e-api, test-e2e-ui, test-e2e-wg, test-e2e.
Adds scripts/reset_admin_password.py for test bootstrap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/e2e/helpers/admin_password.py

@@ -0,0 +1,16 @@
+import os
+
+
+def resolve_admin_password() -> str:
+    p = os.environ.get('PIC_ADMIN_PASS', '').strip()
+    if p:
+        return p
+    candidate = os.path.normpath(
+        os.path.join(os.path.dirname(__file__), '..', '..', '..', 'data', 'api', '.admin_initial_password')
+    )
+    if os.path.exists(candidate):
+        return open(candidate).read().strip()
+    raise RuntimeError(
+        "Admin password unknown. Set PIC_ADMIN_PASS env var or run: "
+        "make reset-test-admin-pass PIC_TEST_ADMIN_PASS=<password>"
+    )

tests/e2e/helpers/api_client.py

@@ -0,0 +1,24 @@
+import requests
+
+
+class PicAPIClient:
+    def __init__(self, base_url: str):
+        self.base = base_url
+        self.s = requests.Session()
+        self.s.headers['Content-Type'] = 'application/json'
+
+    def login(self, username: str, password: str) -> dict:
+        r = self.s.post(f"{self.base}/api/auth/login", json={'username': username, 'password': password})
+        r.raise_for_status()
+        return r.json()
+
+    def logout(self):
+        self.s.post(f"{self.base}/api/auth/logout")
+
+    def me(self) -> dict:
+        return self.s.get(f"{self.base}/api/auth/me").json()
+
+    def get(self, path, **kw): return self.s.get(f"{self.base}{path}", **kw)
+    def post(self, path, **kw): return self.s.post(f"{self.base}{path}", **kw)
+    def put(self, path, **kw): return self.s.put(f"{self.base}{path}", **kw)
+    def delete(self, path, **kw): return self.s.delete(f"{self.base}{path}", **kw)

tests/e2e/helpers/cleanup.py

@@ -0,0 +1,9 @@
+def delete_e2e_peers(admin_client, prefix='e2etest-'):
+    r = admin_client.get('/api/peers')
+    if r.status_code != 200:
+        return
+    peers = r.json()
+    for p in peers:
+        name = p.get('peer') or p.get('name', '')
+        if name.startswith(prefix):
+            admin_client.delete(f'/api/peers/{name}')

tests/e2e/helpers/playwright_login.py

@@ -0,0 +1,19 @@
+from playwright.sync_api import Page
+
+
+def do_login(page: Page, webui_base: str, username: str, password: str):
+    """Navigate to /login, fill credentials, submit, and wait until we leave /login."""
+    page.goto(f"{webui_base}/login")
+    page.wait_for_load_state('networkidle')
+    page.fill('input[autocomplete="username"]', username)
+    page.fill('input[autocomplete="current-password"]', password)
+    page.click('button[type="submit"]')
+    page.wait_for_url(lambda url: '/login' not in url, timeout=10000)
+
+
+def do_logout(page: Page, webui_base: str):
+    """Click the 'Sign out' button in the desktop sidebar and wait for redirect to /login."""
+    # The desktop sidebar renders a button with text "Sign out"; the mobile sidebar
+    # also has one.  Use first() to avoid a strict-mode error when both are mounted.
+    page.locator('button:has-text("Sign out")').first.click()
+    page.wait_for_url(lambda url: '/login' in url, timeout=5000)

tests/e2e/helpers/wg_runner.py

@@ -0,0 +1,56 @@
+import os
+import subprocess
+import secrets
+import tempfile
+from pathlib import Path
+
+
+class WGInterface:
+    def __init__(self, config_path: str, iface_name: str):
+        self.config_path = config_path
+        self.iface_name = iface_name
+        self.up = False
+
+    def bring_up(self, timeout=30):
+        subprocess.run(['sudo', 'wg-quick', 'up', self.config_path],
+                       check=True, timeout=timeout, capture_output=True, text=True)
+        self.up = True
+
+    def bring_down(self):
+        if self.up:
+            subprocess.run(['sudo', 'wg-quick', 'down', self.config_path],
+                           check=False, timeout=15, capture_output=True)
+            self.up = False
+
+    def is_connected(self, server_ip='10.0.0.1', timeout=5) -> bool:
+        result = subprocess.run(
+            ['ping', '-c', '1', '-W', str(timeout), server_ip],
+            capture_output=True, timeout=timeout + 2
+        )
+        return result.returncode == 0
+
+
+def build_wg_config(private_key: str, peer_ip: str, server_pubkey: str,
+                     server_endpoint: str, server_port: int = 51820,
+                     allowed_ips: str = '10.0.0.0/24',
+                     dns: str = '10.0.0.1') -> str:
+    return (
+        f"[Interface]\n"
+        f"PrivateKey = {private_key}\n"
+        f"Address = {peer_ip}/32\n"
+        f"DNS = {dns}\n\n"
+        f"[Peer]\n"
+        f"PublicKey = {server_pubkey}\n"
+        f"Endpoint = {server_endpoint}:{server_port}\n"
+        f"AllowedIPs = {allowed_ips}\n"
+        f"PersistentKeepalive = 25\n"
+    )
+
+
+def cleanup_stale_e2e_interfaces():
+    """Remove any leftover pic-e2e-* interfaces from previous failed runs."""
+    result = subprocess.run(['ip', 'link', 'show'], capture_output=True, text=True)
+    for line in result.stdout.splitlines():
+        if 'pic-e2e-' in line:
+            iface = line.split(':')[1].strip().split('@')[0]
+            subprocess.run(['sudo', 'ip', 'link', 'delete', iface], capture_output=True)