feat: add comprehensive E2E test suite (Playwright + WireGuard + API)

Adds tests/e2e/ with three layers of E2E coverage:
- API layer (tests/e2e/api/): unauthenticated access, admin endpoints,
  peer endpoints, access control enforcement — 24 tests
- Playwright UI (tests/e2e/ui/): login flows, admin navigation, peer
  dashboard/services, role-based ACL, password change — 60+ tests
- WireGuard connectivity (tests/e2e/wg/): tunnel up/down, DNS resolution
  through VPN, service ACL enforcement via iptables, full-tunnel routing
Shared helpers: PicAPIClient, WGInterface, playwright_login, cleanup.
Makefile targets: test-e2e-api, test-e2e-ui, test-e2e-wg, test-e2e.
Adds scripts/reset_admin_password.py for test bootstrap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/e2e/helpers/playwright_login.py

@@ -0,0 +1,19 @@
+from playwright.sync_api import Page
+
+
+def do_login(page: Page, webui_base: str, username: str, password: str):
+    """Navigate to /login, fill credentials, submit, and wait until we leave /login."""
+    page.goto(f"{webui_base}/login")
+    page.wait_for_load_state('networkidle')
+    page.fill('input[autocomplete="username"]', username)
+    page.fill('input[autocomplete="current-password"]', password)
+    page.click('button[type="submit"]')
+    page.wait_for_url(lambda url: '/login' not in url, timeout=10000)
+
+
+def do_logout(page: Page, webui_base: str):
+    """Click the 'Sign out' button in the desktop sidebar and wait for redirect to /login."""
+    # The desktop sidebar renders a button with text "Sign out"; the mobile sidebar
+    # also has one.  Use first() to avoid a strict-mode error when both are mounted.
+    page.locator('button:has-text("Sign out")').first.click()
+    page.wait_for_url(lambda url: '/login' in url, timeout=5000)