Implement connectivity store services (wireguard-ext, openvpn-client, tor)
Unit Tests / test (push) Successful in 11m31s
- ConnectivityManager: move config dirs to data_dir/services/<id>/config so Docker can bind-mount them into store-service containers (Docker resolves bind-mount paths on the host, not inside the API container). Add _migrate_legacy_configs to copy existing files from the old config_dir location on first boot.
- manifest_validator: add allow_host_network parameter to validate_rendered_compose. When True, waives the external-network requirement, permits network_mode: host, and allows devices: — all needed by VPN/Tor containers that must share the host network namespace to create tun/wg interfaces. Non-host services are unaffected.
- service_composer: read requires_host_network from the manifest and pass allow_host_network=True to validate_rendered_compose for connectivity services.
- Tests: update file-path assertions to new data_dir layout; add TestMigrateLegacyConfigs, TestValidateRenderedComposeHostNetwork, and two TestWriteCompose cases for the host-network path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -158,8 +158,13 @@ class ServiceComposer:
# Validate before any file I/O so a bad template never touches disk.
# Pass the resolved data_dir so that bind mounts created by ${PIC_DATA_DIR}
# substitution are allowed; all other absolute paths are still rejected.
# Connectivity services (wireguard-ext, openvpn-client, tor) set
# requires_host_network: true in their manifest to opt into network_mode: host.
allow_host_network = bool(manifest.get('requires_host_network'))
ok, errs = validate_rendered_compose(
content, allowed_data_dir=str(Path(self.data_dir).resolve())
content,
allowed_data_dir=str(Path(self.data_dir).resolve()),
allow_host_network=allow_host_network,
)
if not ok:
raise ValueError(
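Review bot: The waiver is switched on by the same manifest that is being validated, at `allow_host_network = bool(manifest.get('requires_host_network'))`, so any store-service manifest that sets this key gets `network_mode: host` and `devices:` accepted and the external-network requirement dropped. If manifests can come from anywhere less trusted than this code base, gate the flag on an allowlist of the service ids the comment names (wireguard-ext, openvpn-client, tor) or on a trusted-source marker, and keep the manifest key as a request rather than a grant. Separately, `bool(...)` treats any truthy value as consent, including a non-empty string such as "false"; comparing with `is True` and rejecting non-boolean values would make the opt-in explicit. The comment block would also be clearer if it stated what the flag relaxes, since the "all other absolute paths are still rejected" line above now reads as if nothing else changes.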