add security fixes, port hardening, and expanded QA coverage

Security fixes:
- Replace debug=True with env-driven FLASK_DEBUG in app.py
- Add _safe_path helper and path-traversal protection to all 6 file routes
  in file_manager.py
- Add peer_name regex and input validation (public_key, name, endpoint_ip)
  in wireguard_manager.py
- Stop returning private key from GET /api/wireguard/keys; return only
  public_key + has_private_key boolean
- Fix is_local_request() XFF bypass by checking remote_addr only, ignoring
  X-Forwarded-For
- Remove duplicate get_all_configs / get_config_summary methods from
  config_manager.py

DevOps:
- Bind 6 internal service ports to 127.0.0.1 in docker-compose.yml
  (radicale, webdav, api, webui, rainloop, filegator)
- Move WebDAV credentials to env vars (WEBDAV_USER, WEBDAV_PASS)
- Pin flask, flask-cors, requests, cryptography, docker to secure minimum
  versions in requirements.txt

QA (560 tests, 0 failures):
- tests/test_wireguard_endpoints.py: 18 new endpoint tests
- tests/test_file_endpoints.py: 24 new endpoint tests incl. path traversal
- tests/test_container_manager.py: expanded from 2 to 30 tests
- tests/test_config_backup_restore_http.py: 25 new tests (new file)
- tests/test_config_apply.py: 9 new tests (new file)

Docs:
- Rewrite README.md with accurate architecture, ports, env vars, security notes
- Rewrite QUICKSTART.md with verified commands

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -122,7 +122,7 @@ services:
     image: tomsquest/docker-radicale:latest
     container_name: cell-radicale
     ports:
-      - "${RADICALE_PORT:-5232}:5232"
+      - "127.0.0.1:${RADICALE_PORT:-5232}:5232"
     volumes:
       - ./config/radicale:/etc/radicale
       - ./data/radicale:/data
@@ -141,11 +141,11 @@ services:
     image: bytemark/webdav:latest
     container_name: cell-webdav
     ports:
-      - "${WEBDAV_PORT:-8080}:80"
+      - "127.0.0.1:${WEBDAV_PORT:-8080}:80"
     environment:
       - AUTH_TYPE=Basic
-      - USERNAME=admin
-      - PASSWORD=admin123
+      - USERNAME=${WEBDAV_USER:-admin}
+      - PASSWORD=${WEBDAV_PASS}
     volumes:
       - ./data/files:/var/lib/dav
     restart: unless-stopped
@@ -193,7 +193,7 @@ services:
     build: ./api
     container_name: cell-api
     ports:
-      - "${API_PORT:-3000}:3000"
+      - "127.0.0.1:${API_PORT:-3000}:3000"
     volumes:
       - ./data/api:/app/data
       - ./data/dns:/app/data/dns
@@ -223,7 +223,7 @@ services:
     build: ./webui
     container_name: cell-webui
     ports:
-      - "${WEBUI_PORT:-8081}:80"
+      - "127.0.0.1:${WEBUI_PORT:-8081}:80"
     restart: unless-stopped
     networks:
       cell-network:
@@ -243,7 +243,7 @@ services:
       cell-network:
         ipv4_address: ${RAINLOOP_IP:-172.20.0.12}
     ports:
-      - "${RAINLOOP_PORT:-8888}:8888"
+      - "127.0.0.1:${RAINLOOP_PORT:-8888}:8888"
     volumes:
       - ./data/rainloop:/rainloop/data
     logging:
@@ -261,7 +261,7 @@ services:
       cell-network:
         ipv4_address: ${FILEGATOR_IP:-172.20.0.13}
     ports:
-      - "${FILEGATOR_PORT:-8082}:8080"
+      - "127.0.0.1:${FILEGATOR_PORT:-8082}:8080"
     volumes:
       - ./data/filegator:/var/www/filegator/private
     logging: