docs: bring all docs current with this session's changes
Unit Tests / test (push) Successful in 12m12s

Update README, QUICKSTART, wiki, service-developer-guide, and CLAUDE.md for:
optional store services (email/calendar/files), sshuttle+proxy egress exits,
provider-aware Network Services/DNS overview, DHCP/dnsmasq removal, split-horizon
VPN DNS, container hardening (slim images, unprivileged WireGuard, webui port 8080,
pinned ntp/coredns), installer changes (host NTP, PIC_DEBUG, clean output, systemd),
and the backup overhaul (full secrets coverage + optional passphrase encryption).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 15:56:03 -04:00
parent 82a0c0e9bd
commit 8a9f4f50c6
5 changed files with 196 additions and 67 deletions
+8 -6
@@ -30,7 +30,7 @@ A PIC service is a Docker container (or a set of containers) that plugs into the
- Which paths to include in automated backups
- Which outbound network interfaces the service is allowed to use
All PIC services are **store services** — optional packages installed by the cell admin from the `pic-services` catalog. PIC downloads the manifest, renders a per-service Docker Compose file, and starts the containers. The core PIC stack (DNS, DHCP, NTP, WireGuard, Caddy, API, WebUI) runs independently of any installed services.
All PIC services are **store services** — optional packages installed by the cell admin from the `pic-services` catalog. PIC downloads the manifest, renders a per-service Docker Compose file, and starts the containers. The core PIC stack (DNS, NTP, WireGuard, Caddy, API, WebUI) runs independently of any installed services.
The email, calendar, and files services (in `pic-services/services/`) are the reference implementations and show the full feature set. The `ServiceRegistry` in `api/service_registry.py` is the single source of truth for all installed services. `CaddyManager`, the backup system, and the peer services endpoint all read from it rather than from hardcoded lists.
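Review bot: dropping DHCP from the parenthetical core-stack list records the new state but not the change, so a service author reading only this paragraph will not learn that the cell no longer runs a DHCP server. Suggest one sentence after the list, along the lines of "DHCP is no longer provided by the core stack; services must not assume the cell hands out leases", with a pointer to the Network Services/DNS overview that the commit message says now covers this.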
@@ -218,12 +218,12 @@ Required when `has_egress` is `true`. Declares which outbound network interfaces
| `default` | string | The interface selected when the admin has not changed anything. |
| `allowed` | array of strings | The complete set of interfaces the admin can choose from. |
Valid interface identifiers: `default`, `wireguard_ext`, `openvpn`, `tor`.
Valid interface identifiers: `default`, `wireguard_ext`, `openvpn`, `tor`, `sshuttle`, `proxy`.
```json
"egress": {
"default": "default",
"allowed": ["default", "wireguard_ext", "openvpn", "tor"]
"allowed": ["default", "wireguard_ext", "openvpn", "tor", "sshuttle", "proxy"]
}
```
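Review bot: the updated example puts every valid identifier in `allowed`, which reads against the guidance later in this same document ("List only the interfaces that make sense for your service in `allowed`"). Since JSON cannot carry a comment, either narrow the example to a realistic subset (for instance `["default", "wireguard_ext", "tor"]`) or add a sentence before the block saying the example deliberately shows the full set so the reader can see every identifier once.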
@@ -549,9 +549,11 @@ The valid values for `egress.allowed` and what they mean:
| Value | Path |
|---|---|
| `default` | Default route through the cell's WAN interface (no VPN). |
| `wireguard_ext` | Traffic leaves through `wg_ext0` (fwmark `0x10`, table 110). |
| `openvpn` | Traffic leaves through `tun0` (fwmark `0x20`, table 120). |
| `tor` | Traffic is redirected to the Tor transparent proxy on port 9040 (fwmark `0x30`, table 130). |
| `wireguard_ext` | Traffic leaves through `wg_ext0` (fwmark `0x10`, table 110). Requires the `wireguard-ext` store service. |
| `openvpn` | Traffic leaves through `tun0` (fwmark `0x20`, table 120). Requires the `openvpn-client` store service. |
| `tor` | Traffic is redirected to the Tor transparent proxy on port 9040 (fwmark `0x30`, table 130). Requires the `tor` store service. |
| `sshuttle` | Traffic is redirected to the sshuttle transparent proxy on port 12300 (fwmark `0x40`, table 140). Requires the `sshuttle` store service. |
| `proxy` | Traffic is redirected to the redsocks transparent proxy on port 12345 (fwmark `0x50`, table 150). Requires the `proxy` store service. |
List only the interfaces that make sense for your service in `allowed`. The `default` value is used when the admin has not changed anything. Always include `default` in `allowed` so the admin has a way to use the normal path.
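Review bot: the five rows that now end with "Requires the ... store service" do not say what happens when a manifest's `allowed` list, or the admin's chosen value, names an exit whose store service is not installed. The table should state whether the option is hidden from the admin, rejected when the service is installed, or whether traffic quietly falls back to `default`; a silent fallback would route traffic the author intended for a VPN, Tor, sshuttle or the proxy out the plain WAN interface, so the behaviour is worth documenting explicitly next to the table. Minor: the `proxy` row describes the redsocks transparent proxy while the store service is called `proxy`; spelling out that the `proxy` service is the redsocks package avoids readers looking for a `redsocks` identifier.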