fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

P0 — Broken functionality:
- Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing)
- Fix email_manager.delete_email_user() missing domain arg
- Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now
  accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file)
- Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR)
- Fix _next_peer_ip exhaustion returning 500 instead of 409
- Fix ConfigManager Caddyfile path (/app/config-caddy/)
- Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx
- Remove hardcoded credentials from Dashboard.jsx

P1 — Security:
- CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern)
- enforce_auth: 503 only when users file readable but empty; never bypass on IOError
- WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes
- DNS add_cell_dns_forward: validate IP and domain; reject injection chars
- DNS zone write: realpath containment + record content validation
- iptables comment /32 suffix prevents substring match deleting wrong peer rules
- is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge)
- POST /api/containers: volume allow-list prevents arbitrary host mounts
- file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user
- email/calendar: stop persisting plaintext passwords in user records
- routing_manager: validate IPs, networks, and interface names
- peer_registry: write peers.json at mode 0o600
- vault_manager: Fernet key file at mode 0o600
- CORS: lock down to explicit origin list
- domain/cell_name validation: reject newline, brace, semicolon injection chars

P2 — Architecture:
- Peer add: rollback registry entry if firewall rules fail post-add
- restart_service(): base class now calls _restart_container(); email and calendar
  managers call cell-mail / cell-radicale respectively
- email/calendar managers sync user list (no passwords) to cell_config.json
- Pending-restart flag cleared only after helper subprocess exits with code 0
- docker-compose.yml: add config-caddy volume to API container

P3 — Tests (854 → 1020):
- Fill test_email_endpoints.py, test_calendar_endpoints.py,
  test_network_endpoints.py, test_routing_endpoints.py
- New: test_peer_management_update.py, test_peer_management_edge_cases.py,
  test_input_validation.py, test_enforce_auth_configured.py,
  test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py,
  test_is_local_request_per_endpoint.py, test_caddy_routing.py
- E2E conftest: skip WireGuard suite when wg-quick absent
- Update existing tests to match fixed signatures and comment formats

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

webui/src/pages/Dashboard.jsx

@@ -24,9 +24,9 @@ function Dashboard({ isOnline }) {
   const { domain = 'cell', cell_name = 'mycell' } = useConfig();
   const SERVICES = [
     { name: 'Cell Home', url: `http://${cell_name}.${domain}`,   desc: 'Main UI — no login needed' },
-    { name: 'Calendar',  url: `http://calendar.${domain}`,       desc: 'Login: your WireGuard username' },
-    { name: 'Files',     url: `http://files.${domain}`,          desc: 'Login: admin / admin123' },
-    { name: 'Webmail',   url: `http://mail.${domain}`,           desc: 'Login: admin@rainloop.net / 12345' },
+    { name: 'Calendar',  url: `http://calendar.${domain}`,       desc: 'Use your configured account credentials' },
+    { name: 'Files',     url: `http://files.${domain}`,          desc: 'Use your configured account credentials' },
+    { name: 'Webmail',   url: `http://mail.${domain}`,           desc: 'Use your configured account credentials' },
   ];
   const [cellStatus, setCellStatus] = useState(null);
   const [servicesStatus, setServicesStatus] = useState(null);

webui/src/pages/Peers.jsx

@@ -191,13 +191,6 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
         password: formData.password,
       };
       const addResult = await peerRegistryAPI.addPeer(peerData);
-      const assignedIp = addResult.data?.ip;
-      await wireguardAPI.addPeer({
-        name: formData.name,
-        public_key: publicKey,
-        allowed_ips: assignedIp ? `${assignedIp}/32` : `${peerData.ip}/32`,
-        persistent_keepalive: formData.persistent_keepalive,
-      });
 
       if (formData.create_calendar) {
         try {
@@ -268,7 +261,7 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
   const handleRemovePeer = async (peerName) => {
     if (!window.confirm(`Remove peer "${peerName}"?`)) return;
     try {
-      await Promise.all([peerRegistryAPI.removePeer(peerName), wireguardAPI.removePeer({ name: peerName })]);
+      await peerRegistryAPI.removePeer(peerName);
       fetchPeers();
       showToast(`Peer "${peerName}" removed.`);
     } catch { showToast('Failed to remove peer', 'error'); }

webui/src/pages/WireGuard.jsx

@@ -66,26 +66,29 @@ function WireGuard() {
       const peersData = peersResponse.data || [];
       const wireguardPeers = wireguardResponse.data || [];
       
-      // Create a map of WireGuard peers by name for quick lookup
+      // Create a map of WireGuard peers by public_key for quick lookup
       const wireguardMap = {};
       wireguardPeers.forEach(peer => {
-        wireguardMap[peer.name] = peer;
+        if (peer.public_key) wireguardMap[peer.public_key] = peer;
       });
-      
+
       // Merge the data
-      const mergedPeers = peersData.map(peer => ({
-        ...peer,
-        ...wireguardMap[peer.peer || peer.name],
-        name: peer.peer || peer.name,
-        status: 'Online', // For now, assume all peers are online
-        type: 'WireGuard',
-        // Preserve important fields that might be overwritten
-        private_key: peer.private_key,
-        server_public_key: peer.server_public_key,
-        server_endpoint: peer.server_endpoint,
-        allowed_ips: peer.allowed_ips || wireguardMap[peer.peer || peer.name]?.AllowedIPs || '0.0.0.0/0',
-        persistent_keepalive: peer.persistent_keepalive || wireguardMap[peer.peer || peer.name]?.PersistentKeepalive || 25
-      }));
+      const mergedPeers = peersData.map(peer => {
+        const wgEntry = wireguardMap[peer.public_key] || {};
+        return {
+          ...peer,
+          ...wgEntry,
+          // Registry fields always win over wg0.conf fields for name/keys/endpoint
+          name: peer.peer || peer.name,
+          type: 'WireGuard',
+          private_key: peer.private_key,
+          server_public_key: peer.server_public_key,
+          server_endpoint: peer.server_endpoint,
+          public_key: peer.public_key,
+          allowed_ips: peer.allowed_ips || wgEntry.allowed_ips || '0.0.0.0/0',
+          persistent_keepalive: peer.persistent_keepalive || wgEntry.persistent_keepalive || 25,
+        };
+      });
       
       // Load all peer statuses in one call (keyed by public_key)
       let liveStatuses = {};