fix: add X-Forwarded-For WG IP to peer-sync push curl command

MASQUERADE rewrites the source IP of forwarded packets from
the cell's WG address (10.0.x.1) to cell-wireguard's bridge
IP (172.20.x.9).  The peer-sync endpoint authenticates callers
by checking that the source IP is inside a known cell's vpn_subnet,
so MASQUERADE caused all pushes to fail with 403.

Fix: _push_permissions_to_remote() now calls _local_wg_ip() to
get the local wg0 address and passes it as X-Forwarded-For.
_authenticate_peer_cell() already supports XFF for exactly this
proxying scenario.  Also adds a test verifying the header is present
in the constructed curl command.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/cell_link_manager.py

@@ -98,6 +98,27 @@ class CellLinkManager:
         keys = self.wireguard_manager.get_keys()
         return {'cell_name': cell_name, 'public_key': keys.get('public_key', '')}
 
+    def _local_wg_ip(self) -> Optional[str]:
+        """Return the local cell-wireguard wg0 IP (e.g. '10.0.0.1').
+
+        Used to set X-Forwarded-For so the remote peer-sync endpoint can
+        authenticate us by VPN subnet even after MASQUERADE changes the
+        apparent source to the Docker bridge IP.
+        """
+        try:
+            r = subprocess.run(
+                ['docker', 'exec', 'cell-wireguard',
+                 'ip', 'addr', 'show', 'wg0'],
+                capture_output=True, text=True, timeout=5
+            )
+            for line in r.stdout.splitlines():
+                line = line.strip()
+                if line.startswith('inet '):
+                    return line.split()[1].split('/')[0]
+        except Exception:
+            pass
+        return None
+
     def _push_permissions_to_remote(self, link: Dict[str, Any],
                                     from_cell: str,
                                     from_public_key: str) -> Dict[str, Any]:
@@ -130,11 +151,22 @@ class CellLinkManager:
         payload = json.dumps(body)
         endpoint = url.rstrip('/') + '/api/cells/peer-sync/permissions'
 
+        # Determine local WG IP so the remote can authenticate us by source subnet.
+        # MASQUERADE rewrites source to cell-wireguard's eth0 IP (172.20.x.x), which
+        # is NOT in the cell's vpn_subnet.  Passing the true WG IP in X-Forwarded-For
+        # lets _authenticate_peer_cell() find the matching cell link.
+        local_wg_ip = self._local_wg_ip()
+        xff_header = f'X-Forwarded-For: {local_wg_ip}' if local_wg_ip else None
+
         cmd = [
             'docker', 'exec', 'cell-wireguard',
             'curl', '-s', '-o', '/dev/null', '-w', '%{http_code}',
             '-X', 'POST',
             '-H', 'Content-Type: application/json',
+        ]
+        if xff_header:
+            cmd += ['-H', xff_header]
+        cmd += [
             '-d', payload,
             '--max-time', str(_PUSH_TIMEOUT),
             '--connect-timeout', '3',