fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

P0 — Broken functionality:
- Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing)
- Fix email_manager.delete_email_user() missing domain arg
- Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now
  accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file)
- Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR)
- Fix _next_peer_ip exhaustion returning 500 instead of 409
- Fix ConfigManager Caddyfile path (/app/config-caddy/)
- Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx
- Remove hardcoded credentials from Dashboard.jsx

P1 — Security:
- CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern)
- enforce_auth: 503 only when users file readable but empty; never bypass on IOError
- WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes
- DNS add_cell_dns_forward: validate IP and domain; reject injection chars
- DNS zone write: realpath containment + record content validation
- iptables comment /32 suffix prevents substring match deleting wrong peer rules
- is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge)
- POST /api/containers: volume allow-list prevents arbitrary host mounts
- file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user
- email/calendar: stop persisting plaintext passwords in user records
- routing_manager: validate IPs, networks, and interface names
- peer_registry: write peers.json at mode 0o600
- vault_manager: Fernet key file at mode 0o600
- CORS: lock down to explicit origin list
- domain/cell_name validation: reject newline, brace, semicolon injection chars

P2 — Architecture:
- Peer add: rollback registry entry if firewall rules fail post-add
- restart_service(): base class now calls _restart_container(); email and calendar
  managers call cell-mail / cell-radicale respectively
- email/calendar managers sync user list (no passwords) to cell_config.json
- Pending-restart flag cleared only after helper subprocess exits with code 0
- docker-compose.yml: add config-caddy volume to API container

P3 — Tests (854 → 1020):
- Fill test_email_endpoints.py, test_calendar_endpoints.py,
  test_network_endpoints.py, test_routing_endpoints.py
- New: test_peer_management_update.py, test_peer_management_edge_cases.py,
  test_input_validation.py, test_enforce_auth_configured.py,
  test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py,
  test_is_local_request_per_endpoint.py, test_caddy_routing.py
- E2E conftest: skip WireGuard suite when wg-quick absent
- Update existing tests to match fixed signatures and comment formats

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_firewall_manager.py

@@ -30,10 +30,12 @@ def _make_peer(ip, internet=True, services=None, peers=True):
 
 class TestPeerComment(unittest.TestCase):
     def test_dots_replaced_with_dashes(self):
-        self.assertEqual(firewall_manager._peer_comment('10.0.0.2'), 'pic-peer-10-0-0-2')
+        # Comment format now includes /32 suffix to prevent substring matches
+        # (e.g. pic-peer-10-0-0-1/32 is not a prefix of pic-peer-10-0-0-10/32)
+        self.assertEqual(firewall_manager._peer_comment('10.0.0.2'), 'pic-peer-10-0-0-2/32')
 
     def test_different_ip(self):
-        self.assertEqual(firewall_manager._peer_comment('192.168.1.100'), 'pic-peer-192-168-1-100')
+        self.assertEqual(firewall_manager._peer_comment('192.168.1.100'), 'pic-peer-192-168-1-100/32')
 
 
 # ---------------------------------------------------------------------------
@@ -115,6 +117,87 @@ class TestGenerateCorefile(unittest.TestCase):
         self.assertFalse(result)
 
 
+# ---------------------------------------------------------------------------
+# generate_corefile with cell_links
+# ---------------------------------------------------------------------------
+
+class TestGenerateCorefileWithCellLinks(unittest.TestCase):
+    def setUp(self):
+        self.tmp = tempfile.mkdtemp()
+        self.path = os.path.join(self.tmp, 'Corefile')
+
+    def tearDown(self):
+        shutil.rmtree(self.tmp)
+
+    def _content(self):
+        return open(self.path).read()
+
+    def test_cell_links_none_produces_no_forwarding_stanzas(self):
+        """Default (None) produces no extra forwarding blocks beyond the primary zone."""
+        firewall_manager.generate_corefile([], self.path, cell_links=None)
+        content = self._content()
+        # The only 'forward' line should be the default internet forwarder
+        forward_lines = [l for l in content.splitlines() if 'forward' in l]
+        self.assertEqual(len(forward_lines), 1)
+        self.assertIn('8.8.8.8', forward_lines[0])
+
+    def test_cell_links_empty_list_produces_no_extra_stanzas(self):
+        """An empty cell_links list produces no extra forwarding blocks."""
+        firewall_manager.generate_corefile([], self.path, cell_links=[])
+        content = self._content()
+        forward_lines = [l for l in content.splitlines() if 'forward' in l]
+        self.assertEqual(len(forward_lines), 1)
+        self.assertIn('8.8.8.8', forward_lines[0])
+
+    def test_single_cell_link_produces_forwarding_block(self):
+        """One cell link produces one forwarding stanza with correct domain and dns_ip."""
+        cell_links = [{'domain': 'remote.cell', 'dns_ip': '10.1.0.1'}]
+        firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
+        content = self._content()
+        self.assertIn('remote.cell {', content)
+        self.assertIn('forward . 10.1.0.1', content)
+        self.assertIn('cache', content)
+
+    def test_multiple_cell_links_produce_multiple_forwarding_blocks(self):
+        """Multiple cell links produce one stanza each."""
+        cell_links = [
+            {'domain': 'alpha.cell', 'dns_ip': '10.1.0.1'},
+            {'domain': 'beta.cell',  'dns_ip': '10.2.0.1'},
+        ]
+        firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
+        content = self._content()
+        self.assertIn('alpha.cell {', content)
+        self.assertIn('forward . 10.1.0.1', content)
+        self.assertIn('beta.cell {', content)
+        self.assertIn('forward . 10.2.0.1', content)
+
+    def test_cell_links_do_not_overwrite_peer_acls(self):
+        """Cell link stanzas are appended; peer ACLs in the primary zone survive."""
+        peers = [_make_peer('10.0.0.3', services=['calendar'])]
+        cell_links = [{'domain': 'other.cell', 'dns_ip': '10.99.0.1'}]
+        firewall_manager.generate_corefile(peers, self.path, cell_links=cell_links)
+        content = self._content()
+        self.assertIn('block net 10.0.0.3/32', content)
+        self.assertIn('other.cell {', content)
+        self.assertIn('forward . 10.99.0.1', content)
+
+    def test_link_with_missing_domain_is_skipped(self):
+        """A cell_link entry with no domain key is silently skipped."""
+        cell_links = [{'dns_ip': '10.1.0.1'}]  # no 'domain'
+        firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
+        content = self._content()
+        # Only the default internet forwarder
+        forward_lines = [l for l in content.splitlines() if 'forward' in l]
+        self.assertEqual(len(forward_lines), 1)
+
+    def test_link_with_missing_dns_ip_is_skipped(self):
+        """A cell_link entry with no dns_ip key is silently skipped."""
+        cell_links = [{'domain': 'nope.cell'}]  # no 'dns_ip'
+        firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
+        content = self._content()
+        self.assertNotIn('nope.cell', content)
+
+
 # ---------------------------------------------------------------------------
 # apply_peer_rules — iptables call verification
 # ---------------------------------------------------------------------------
@@ -227,8 +310,8 @@ class TestClearPeerRules(unittest.TestCase):
             '*filter\n'
             ':INPUT ACCEPT [0:0]\n'
             ':FORWARD ACCEPT [0:0]\n'
-            '-A FORWARD -s 10.0.0.2 -m comment --comment pic-peer-10-0-0-2 -j ACCEPT\n'
-            '-A FORWARD -s 10.0.0.3 -m comment --comment pic-peer-10-0-0-3 -j DROP\n'
+            '-A FORWARD -s 10.0.0.2 -m comment --comment "pic-peer-10-0-0-2/32" -j ACCEPT\n'
+            '-A FORWARD -s 10.0.0.3 -m comment --comment "pic-peer-10-0-0-3/32" -j DROP\n'
             'COMMIT\n'
         )
         restored = []
@@ -252,8 +335,8 @@ class TestClearPeerRules(unittest.TestCase):
 
         self.assertEqual(len(restored), 1)
         restored_content = restored[0]
-        self.assertNotIn('pic-peer-10-0-0-2', restored_content)
-        self.assertIn('pic-peer-10-0-0-3', restored_content)
+        self.assertNotIn('pic-peer-10-0-0-2/32', restored_content)
+        self.assertIn('pic-peer-10-0-0-3/32', restored_content)
 
     def test_no_op_when_no_matching_rules(self):
         save_output = '*filter\n:FORWARD ACCEPT [0:0]\nCOMMIT\n'