fix: full-tunnel default, real host routing table, peer config tunnel mode

- WireGuard default changed to full tunnel (0.0.0.0/0) — all peer traffic
  routes through PIC server so internet latency matches server's clean 41ms
- UI tunnel toggle now defaults to Full tunnel
- API /peers/config accepts allowed_ips param so UI toggle wires through
- Routing page reads real host routes via /proc/1/net/route (pid: host)
  instead of mock data; shows ens18/192.168.31.1 correctly
- Add iproute2 + util-linux to API Dockerfile

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -157,6 +157,7 @@ services:
       - ./config/api:/app/config
       - ./config/wireguard:/app/config/wireguard
       - /var/run/docker.sock:/var/run/docker.sock
+    pid: host
     restart: unless-stopped
     networks:
       cell-network: