fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

P0 — Broken functionality:
- Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing)
- Fix email_manager.delete_email_user() missing domain arg
- Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now
  accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file)
- Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR)
- Fix _next_peer_ip exhaustion returning 500 instead of 409
- Fix ConfigManager Caddyfile path (/app/config-caddy/)
- Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx
- Remove hardcoded credentials from Dashboard.jsx

P1 — Security:
- CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern)
- enforce_auth: 503 only when users file readable but empty; never bypass on IOError
- WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes
- DNS add_cell_dns_forward: validate IP and domain; reject injection chars
- DNS zone write: realpath containment + record content validation
- iptables comment /32 suffix prevents substring match deleting wrong peer rules
- is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge)
- POST /api/containers: volume allow-list prevents arbitrary host mounts
- file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user
- email/calendar: stop persisting plaintext passwords in user records
- routing_manager: validate IPs, networks, and interface names
- peer_registry: write peers.json at mode 0o600
- vault_manager: Fernet key file at mode 0o600
- CORS: lock down to explicit origin list
- domain/cell_name validation: reject newline, brace, semicolon injection chars

P2 — Architecture:
- Peer add: rollback registry entry if firewall rules fail post-add
- restart_service(): base class now calls _restart_container(); email and calendar
  managers call cell-mail / cell-radicale respectively
- email/calendar managers sync user list (no passwords) to cell_config.json
- Pending-restart flag cleared only after helper subprocess exits with code 0
- docker-compose.yml: add config-caddy volume to API container

P3 — Tests (854 → 1020):
- Fill test_email_endpoints.py, test_calendar_endpoints.py,
  test_network_endpoints.py, test_routing_endpoints.py
- New: test_peer_management_update.py, test_peer_management_edge_cases.py,
  test_input_validation.py, test_enforce_auth_configured.py,
  test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py,
  test_is_local_request_per_endpoint.py, test_caddy_routing.py
- E2E conftest: skip WireGuard suite when wg-quick absent
- Update existing tests to match fixed signatures and comment formats

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routing_manager.py

@@ -224,6 +224,22 @@ class RoutingManager(BaseServiceManager):
     
     def add_exit_node(self, peer_name: str, peer_ip: str, allowed_domains: List[str] = None) -> bool:
         """Add exit node configuration"""
+        # Validation — peer_ip flows into `ip route add default via <peer_ip>`; argv
+        # injection / shell-meta in name would reach iptables/ip via _apply_exit_node.
+        if not isinstance(peer_name, str) or not re.match(r'^[a-zA-Z0-9_.-]{1,64}$', peer_name):
+            logger.error(f"add_exit_node: invalid peer_name {peer_name!r}")
+            return {'success': False, 'error': f'invalid input: peer_name {peer_name!r}'}
+        try:
+            ipaddress.ip_address(peer_ip)
+        except (ValueError, TypeError):
+            logger.error(f"add_exit_node: invalid peer_ip {peer_ip!r}")
+            return {'success': False, 'error': f'invalid input: peer_ip {peer_ip!r}'}
+        if allowed_domains is not None:
+            if not isinstance(allowed_domains, list):
+                return {'success': False, 'error': 'invalid input: allowed_domains must be a list'}
+            for d in allowed_domains:
+                if not isinstance(d, str) or not re.match(r'^[a-zA-Z0-9][a-zA-Z0-9.-]{0,252}$', d):
+                    return {'success': False, 'error': f'invalid input: domain {d!r}'}
         try:
             rules = self._load_rules()
             
@@ -251,6 +267,23 @@ class RoutingManager(BaseServiceManager):
     def add_bridge_route(self, source_peer: str, target_peer: str, 
                         allowed_networks: List[str]) -> bool:
         """Add bridge route between peers"""
+        # source_peer is a name label; target_peer flows into iptables `-d` so must be
+        # an IP/CIDR. allowed_networks flows into iptables `-s` so must all be CIDRs.
+        if not isinstance(source_peer, str) or not re.match(r'^[a-zA-Z0-9_.-]{1,64}$', source_peer):
+            logger.error(f"add_bridge_route: invalid source_peer {source_peer!r}")
+            return {'success': False, 'error': f'invalid input: source_peer {source_peer!r}'}
+        try:
+            ipaddress.ip_network(target_peer, strict=False)
+        except (ValueError, TypeError):
+            logger.error(f"add_bridge_route: invalid target_peer {target_peer!r}")
+            return {'success': False, 'error': f'invalid input: target_peer must be IP/CIDR, got {target_peer!r}'}
+        if not isinstance(allowed_networks, list) or not allowed_networks:
+            return {'success': False, 'error': 'invalid input: allowed_networks must be a non-empty list'}
+        for n in allowed_networks:
+            try:
+                ipaddress.ip_network(n, strict=False)
+            except (ValueError, TypeError):
+                return {'success': False, 'error': f'invalid input: network {n!r}'}
         try:
             rules = self._load_rules()
             
@@ -279,6 +312,22 @@ class RoutingManager(BaseServiceManager):
     def add_split_route(self, network: str, exit_peer: str, 
                        fallback_peer: str = None) -> bool:
         """Add split routing rule"""
+        # network flows into `ip route add <network>`; exit_peer flows into `via <exit_peer>`.
+        try:
+            ipaddress.ip_network(network, strict=False)
+        except (ValueError, TypeError):
+            logger.error(f"add_split_route: invalid network {network!r}")
+            return {'success': False, 'error': f'invalid input: network {network!r}'}
+        try:
+            ipaddress.ip_address(exit_peer)
+        except (ValueError, TypeError):
+            logger.error(f"add_split_route: invalid exit_peer {exit_peer!r}")
+            return {'success': False, 'error': f'invalid input: exit_peer must be an IP, got {exit_peer!r}'}
+        if fallback_peer is not None:
+            try:
+                ipaddress.ip_address(fallback_peer)
+            except (ValueError, TypeError):
+                return {'success': False, 'error': f'invalid input: fallback_peer must be an IP, got {fallback_peer!r}'}
         try:
             rules = self._load_rules()