fix: DNS first-install — split-horizon zone creation + CoreDNS inode bind-mount

VPN clients got dns_probe_finished_bad_config / couldn't resolve any domain
after first setup because:

1. complete_setup() never wrote the split-horizon DNS zone for non-LAN modes;
   SetupManager now accepts network_manager as an optional 3rd constructor
   param, and complete_setup() calls
   self.network_manager.update_split_horizon_zone(effective_domain, wg_ip,
   primary_domain) for pic_ngo/cell_to_cell modes.

2. generate_corefile() used a tmp-file + os.replace pattern; the Corefile is
   a Docker FILE bind-mount, so os.replace orphaned the inode and CoreDNS
   never saw config updates.  Fixed by truncating and rewriting in place
   (open with 'w', seek(0), truncate()), preserving the inode CoreDNS holds.

api/managers.py passes network_manager into SetupManager.
Tests: new mock_network_manager fixture, 2 setup-zone tests, 1 inode
regression test in test_firewall_manager.py.
Verified live on pic1.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

api/managers.py

@@ -107,7 +107,8 @@ egress_manager = EgressManager(
 )
 service_store_manager.egress_manager = egress_manager
 
-setup_manager = SetupManager(config_manager=config_manager, auth_manager=auth_manager)
+setup_manager = SetupManager(config_manager=config_manager, auth_manager=auth_manager,
+                             network_manager=network_manager)
 
 # Service logger configuration
 _service_log_configs = {