Fix Phase 1 permission sync: route push via cell-wireguard + DNAT receive

cell-api has no route to remote WG tunnel IPs — only cell-wireguard does.
Fix _push_permissions_to_remote() to use 'docker exec cell-wireguard curl'
so outbound sync HTTP traverses the WG tunnel from the right namespace.

On the receive side, add ensure_cell_api_dnat() which installs three
iptables rules inside cell-wireguard on startup:
  - PREROUTING DNAT: wg0:3000 → cell-api:3000 (Docker bridge IP)
  - POSTROUTING MASQUERADE: so cell-api's reply routes back via wg0
  - FORWARD ACCEPT: allow the wg0→eth0 forwarded traffic

Called from _apply_startup_enforcement() so rules survive container restarts.
Tests updated to mock subprocess.run instead of urllib.request.urlopen.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/firewall_manager.py

@@ -298,6 +298,51 @@ def apply_all_cell_rules(cell_links: List[Dict[str, Any]]) -> None:
         apply_cell_rules(name, subnet, inbound)
 
 
+def ensure_cell_api_dnat() -> bool:
+    """DNAT wg0:3000 → cell-api:3000 inside cell-wireguard.
+
+    Remote cells push permission updates over the WireGuard tunnel to our
+    wg0 interface on port 3000. Since cell-api only listens on the Docker
+    bridge, we need a DNAT rule inside cell-wireguard's namespace to forward
+    that traffic. Called on every startup so rules survive container restarts.
+    """
+    try:
+        r = _run(['docker', 'inspect', '--format',
+                  '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}',
+                  'cell-api'], check=False)
+        api_ip = r.stdout.strip()
+        if not api_ip:
+            logger.warning('ensure_cell_api_dnat: cell-api container not found or no IP')
+            return False
+
+        dnat_check = ['-t', 'nat', '-C', 'PREROUTING', '-i', 'wg0', '-p', 'tcp',
+                      '--dport', '3000', '-j', 'DNAT', '--to-destination', f'{api_ip}:3000']
+        dnat_add   = ['-t', 'nat', '-A', 'PREROUTING', '-i', 'wg0', '-p', 'tcp',
+                      '--dport', '3000', '-j', 'DNAT', '--to-destination', f'{api_ip}:3000']
+        if _wg_exec(['iptables'] + dnat_check).returncode != 0:
+            _wg_exec(['iptables'] + dnat_add)
+
+        masq_check = ['-t', 'nat', '-C', 'POSTROUTING', '-o', 'eth0', '-d', api_ip,
+                      '-p', 'tcp', '--dport', '3000', '-j', 'MASQUERADE']
+        masq_add   = ['-t', 'nat', '-A', 'POSTROUTING', '-o', 'eth0', '-d', api_ip,
+                      '-p', 'tcp', '--dport', '3000', '-j', 'MASQUERADE']
+        if _wg_exec(['iptables'] + masq_check).returncode != 0:
+            _wg_exec(['iptables'] + masq_add)
+
+        fwd_check = ['-C', 'FORWARD', '-i', 'wg0', '-o', 'eth0',
+                     '-p', 'tcp', '--dport', '3000', '-j', 'ACCEPT']
+        fwd_add   = ['-I', 'FORWARD', '-i', 'wg0', '-o', 'eth0',
+                     '-p', 'tcp', '--dport', '3000', '-j', 'ACCEPT']
+        if _wg_exec(['iptables'] + fwd_check).returncode != 0:
+            _wg_exec(['iptables'] + fwd_add)
+
+        logger.info(f'ensure_cell_api_dnat: wg0:3000 → {api_ip}:3000')
+        return True
+    except Exception as e:
+        logger.error(f'ensure_cell_api_dnat: {e}')
+        return False
+
+
 # ---------------------------------------------------------------------------
 # DNS ACL (CoreDNS Corefile generation)
 # ---------------------------------------------------------------------------