fix: cross-cell routing for split-tunnel peers

Three related fixes for split-tunnel peers that need to reach connected cells:

1. apply_peer_rules/apply_all_peer_rules now accept wg_subnet (actual local VPN
   subnet) and cell_subnets (connected cells' vpn_subnets) parameters instead of
   hardcoding 10.0.0.0/24. All callers (startup, add_peer, update_peer,
   apply-enforcement endpoint) pass the real values.

2. Explicit ACCEPT rules are inserted in FORWARD for each connected cell's
   subnet so split-tunnel peers (internet_access=False) can still reach
   connected cells via the wg0→wg0 path.

3. apply_ip_range in network_manager now loads cell_links.json and passes it
   to generate_corefile(), fixing a race where the bootstrap DNS thread could
   overwrite the Corefile and wipe cross-cell DNS forwarding zones on startup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/app.py

@@ -308,7 +308,14 @@ def _apply_startup_enforcement():
         peers = peer_registry.list_peers()
         cell_links = cell_link_manager.list_connections()
         firewall_manager.reconcile_stale_peer_rules(peers)
-        firewall_manager.apply_all_peer_rules(peers)
+        import ipaddress as _ipa
+        try:
+            _wg_addr = wireguard_manager._get_configured_address()
+            _wg_subnet = str(_ipa.ip_network(_wg_addr, strict=False)) if _wg_addr else '10.0.0.0/24'
+        except Exception:
+            _wg_subnet = '10.0.0.0/24'
+        _cell_subnets = [l['vpn_subnet'] for l in cell_links if l.get('vpn_subnet')]
+        firewall_manager.apply_all_peer_rules(peers, wg_subnet=_wg_subnet, cell_subnets=_cell_subnets)
         firewall_manager.apply_all_cell_rules(cell_links)
         firewall_manager.ensure_cell_api_dnat()
         # Embed DNAT rules in PostUp so they survive WireGuard interface restarts,