feat: add comprehensive E2E test suite (Playwright + WireGuard + API)

Adds tests/e2e/ with three layers of E2E coverage:
- API layer (tests/e2e/api/): unauthenticated access, admin endpoints,
  peer endpoints, access control enforcement — 24 tests
- Playwright UI (tests/e2e/ui/): login flows, admin navigation, peer
  dashboard/services, role-based ACL, password change — 60+ tests
- WireGuard connectivity (tests/e2e/wg/): tunnel up/down, DNS resolution
  through VPN, service ACL enforcement via iptables, full-tunnel routing
Shared helpers: PicAPIClient, WGInterface, playwright_login, cleanup.
Makefile targets: test-e2e-api, test-e2e-ui, test-e2e-wg, test-e2e.
Adds scripts/reset_admin_password.py for test bootstrap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/e2e/helpers/api_client.py

@@ -0,0 +1,24 @@
+import requests
+
+
+class PicAPIClient:
+    def __init__(self, base_url: str):
+        self.base = base_url
+        self.s = requests.Session()
+        self.s.headers['Content-Type'] = 'application/json'
+
+    def login(self, username: str, password: str) -> dict:
+        r = self.s.post(f"{self.base}/api/auth/login", json={'username': username, 'password': password})
+        r.raise_for_status()
+        return r.json()
+
+    def logout(self):
+        self.s.post(f"{self.base}/api/auth/logout")
+
+    def me(self) -> dict:
+        return self.s.get(f"{self.base}/api/auth/me").json()
+
+    def get(self, path, **kw): return self.s.get(f"{self.base}{path}", **kw)
+    def post(self, path, **kw): return self.s.post(f"{self.base}{path}", **kw)
+    def put(self, path, **kw): return self.s.put(f"{self.base}{path}", **kw)
+    def delete(self, path, **kw): return self.s.delete(f"{self.base}{path}", **kw)