feat: add comprehensive E2E test suite (Playwright + WireGuard + API)

Adds tests/e2e/ with three layers of E2E coverage:
- API layer (tests/e2e/api/): unauthenticated access, admin endpoints,
  peer endpoints, access control enforcement — 24 tests
- Playwright UI (tests/e2e/ui/): login flows, admin navigation, peer
  dashboard/services, role-based ACL, password change — 60+ tests
- WireGuard connectivity (tests/e2e/wg/): tunnel up/down, DNS resolution
  through VPN, service ACL enforcement via iptables, full-tunnel routing
Shared helpers: PicAPIClient, WGInterface, playwright_login, cleanup.
Makefile targets: test-e2e-api, test-e2e-ui, test-e2e-wg, test-e2e.
Adds scripts/reset_admin_password.py for test bootstrap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/e2e/wg/test_wg_basic.py

@@ -0,0 +1,28 @@
+import pytest
+import subprocess
+
+pytestmark = pytest.mark.wg
+
+
+def test_wg_connect_and_ping_server(connected_peer):
+    """Scenario 25+26: create peer, connect, ping server VPN IP."""
+    iface = connected_peer['iface']
+    assert iface.up, "WireGuard interface should be up"
+    assert iface.is_connected('10.0.0.1'), "Server VPN IP 10.0.0.1 should be reachable via WireGuard"
+
+
+def test_wg_peer_has_assigned_ip(connected_peer):
+    """Verify the assigned peer IP is routed correctly."""
+    peer_ip = connected_peer['ip']
+    result = subprocess.run(['ip', 'addr', 'show'], capture_output=True, text=True)
+    assert peer_ip in result.stdout, f"Peer IP {peer_ip} should be assigned to the WG interface"
+
+
+def test_wg_disconnect_removes_route(connected_peer):
+    """Scenario 29: after disconnect, VPN IP is not reachable."""
+    iface = connected_peer['iface']
+    iface.bring_down()
+    result = subprocess.run(['ping', '-c', '1', '-W', '2', '10.0.0.1'],
+                            capture_output=True, timeout=5)
+    # After disconnect, ping should fail
+    assert result.returncode != 0, "VPN IP should not be reachable after disconnect"