feat: add authentication and authorization system

Backend:
- AuthManager (api/auth_manager.py): server-side user store with bcrypt
  password hashing, account lockout after 5 failed attempts (15 min),
  and atomic file writes
- AuthRoutes (api/auth_routes.py): Blueprint at /api/auth/* — login,
  logout, me, change-password, admin reset-password, list-users
- app.py: register auth_bp blueprint; add enforce_auth before_request
  hook (401 for unauthenticated, 403 for wrong role; only active when
  auth store has users so pre-auth tests remain green); instantiate
  AuthManager; update POST /api/peers to require password >= 10 chars
  and auto-provision email + calendar + files + auth accounts with full
  rollback on any failure; extend DELETE /api/peers to tear down all
  four service accounts; add /api/peer/dashboard and /api/peer/services
  peer-scoped routes; fix is_local_request to also trust the last
  X-Forwarded-For entry appended by the reverse proxy (Caddy)
- Role-based access: admin for /api/* (except /api/auth/* which is
  public and /api/peer/* which is peer-only)
- setup_cell.py: generate and print initial admin password, store in
  .admin_initial_password with 0600 permissions; cleaned up on first
  admin login

Frontend:
- AuthContext.jsx: React context with login/logout/me state and Axios
  interceptor for automatic 401 redirect
- PrivateRoute.jsx: route guard component
- Login.jsx: login page with error handling and must-change-password
  redirect
- AccountSettings.jsx: change-password form for any authenticated user
- PeerDashboard.jsx: peer-role landing page (IP, service list)
- MyServices.jsx: peer service links page
- App.jsx, Sidebar.jsx: AuthContext integration, logout button,
  PrivateRoute wrappers, peer-role routing
- Peers.jsx, WireGuard.jsx, api.js: auth-aware API calls

Tests: 100 new auth tests all pass (test_auth_manager, test_auth_routes,
test_route_protection, test_peer_provisioning). Fix pre-existing test
failures: update WireGuard test keys to valid 44-char base64 format
(test_wireguard_manager, test_peer_wg_integration), add password field
and service manager mocks to test_api_endpoints peer tests, add auth
helpers to conftest.py. Full suite: 845 passed, 0 failures.

Fixed: .admin_initial_password security cleanup on bootstrap, username
minimum length (3 chars enforced by USERNAME_RE regex)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/setup_cell.py

@@ -225,6 +225,59 @@ def _read_existing_ip_range() -> str:
         return None
 
 
+def ensure_session_secret():
+    path = os.path.join(ROOT, 'data', 'api', '.session_secret')
+    if os.path.exists(path):
+        print('[EXISTS]  data/api/.session_secret')
+        return
+    secret = os.urandom(64)
+    os.makedirs(os.path.dirname(path), exist_ok=True)
+    with open(path, 'wb') as f:
+        f.write(secret)
+    os.chmod(path, 0o600)
+    print('[CREATED] data/api/.session_secret')
+
+
+def bootstrap_admin_password():
+    import secrets as _secrets
+    users_file = os.path.join(ROOT, 'data', 'api', 'auth_users.json')
+    init_pw_file = os.path.join(ROOT, 'data', 'api', '.admin_initial_password')
+
+    # Idempotent: don't overwrite if admin already exists.
+    if os.path.exists(users_file):
+        try:
+            with open(users_file) as f:
+                users = json.loads(f.read() or '[]')
+            if any(u.get('role') == 'admin' for u in users):
+                print('[EXISTS]  admin user — skipping password generation')
+                return
+        except Exception:
+            pass
+
+    if not os.path.exists(users_file):
+        os.makedirs(os.path.dirname(users_file), exist_ok=True)
+        with open(users_file, 'w') as f:
+            f.write('[]')
+        os.chmod(users_file, 0o600)
+
+    password = os.environ.get('ADMIN_PASSWORD') or _secrets.token_urlsafe(18)
+
+    with open(init_pw_file, 'w') as f:
+        f.write(password)
+    os.chmod(init_pw_file, 0o600)
+
+    print()
+    print('=' * 62)
+    print('  ADMIN PASSWORD (shown once - save it before starting PIC):')
+    print(f'    username : admin')
+    print(f'    password : {password}')
+    print('=' * 62)
+    print(f'  Also saved to: data/api/.admin_initial_password')
+    print('  (Delete that file after noting the password.)')
+    print('=' * 62)
+    print()
+
+
 def main():
     cell_name = os.environ.get('CELL_NAME', 'mycell')
     domain = os.environ.get('CELL_DOMAIN', 'cell')
@@ -248,6 +301,8 @@ def main():
     write_cell_config(cell_name, domain, wg_port)
     write_compose_env(ip_range)
     write_caddy_config(ip_range, cell_name, domain)
+    ensure_session_secret()
+    bootstrap_admin_password()
 
     print()
     print('--- Setup complete! Run: make start ---')