fix: WG address change now queues pending restart + heals cell connections

Three issues fixed together:

1. WireGuard address changes now go through the pending-restart queue
   (shown in the UI banner) instead of restarting cell-wireguard immediately.
   Only private_key changes still restart immediately; address and port
   changes both defer to the user-initiated Apply flow.  Previously the
   address change was silently applied and never appeared in Settings →
   Pending Configuration.

2. When the WG address changes, the API spawns a background thread that
   pushes the updated invite to all connected cells (over LAN, before the
   WG tunnel is back up).  This lets remote cells automatically update
   their dns_ip, AllowedIPs, and CoreDNS forwarding rules without manual
   re-pairing.

3. accept_invite now handles the "already connected but changed" case:
   if the remote cell re-sends an invite with a different dns_ip, vpn_subnet
   or endpoint, we update the stored link, the WG AllowedIPs, and the
   CoreDNS forward rule in place — no delete/re-add required.  Previously
   the endpoint was ignored and returned the stale record unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routes/config.py

@@ -359,6 +359,37 @@ def update_config():
                 port_changed_containers.add('wireguard')
                 port_change_messages.append(f'wireguard_port: {old_wg} → {new_wg}')
 
+        # WireGuard address change — queue a wireguard container restart and push
+        # the updated invite to all connected cells so they can update their
+        # dns_ip, vpn_subnet, and WG AllowedIPs without manual re-pairing.
+        _wg_address_changed = (
+            'wireguard' in data
+            and isinstance(data.get('wireguard'), dict)
+            and 'address' in data['wireguard']
+            and data['wireguard']['address'] != old_svc_configs.get('wireguard', {}).get('address', '')
+        )
+        if _wg_address_changed:
+            _new_addr = data['wireguard']['address']
+            _old_addr = old_svc_configs.get('wireguard', {}).get('address', '(unknown)')
+            port_changed_containers.add('wireguard')
+            port_change_messages.append(f'wireguard address: {_old_addr} → {_new_addr}')
+            # Push updated invite to connected cells in the background so they can
+            # heal their dns_ip / AllowedIPs without any manual action.
+            def _push_cell_invites():
+                import time as _time
+                _time.sleep(3)  # brief wait to let wg0.conf settle
+                try:
+                    from app import cell_link_manager as _clm
+                    for _link in _clm.list_connections():
+                        try:
+                            _clm._push_invite_to_remote(_link)
+                            logger.info(f"Pushed updated invite to cell '{_link['cell_name']}' after address change")
+                        except Exception as _e:
+                            logger.warning(f"Post-address-change invite push to '{_link.get('cell_name')}' failed: {_e}")
+                except Exception as _e:
+                    logger.warning(f"_push_cell_invites failed: {_e}")
+            threading.Thread(target=_push_cell_invites, daemon=True).start()
+
         if port_changed_containers:
             env_file = os.environ.get('COMPOSE_ENV_FILE', '/app/.env.compose')
             _ip_range = config_manager.configs.get('_identity', {}).get(