Add domain conflict validation when changing domain or accepting heal invite

Two gaps allowed a cell to take a domain already in use by a connected cell:

1. PUT /api/config domain change: added check against cell_link_manager's
   connected cells list before saving — returns 409 if the new domain
   collides with any connected cell's domain.

2. accept_invite healing path: a remote cell changing its domain via a
   re-invite was not validated against other connected cells' domains.
   Now calls _check_invite_conflicts(invite, exclude_cell=name) before
   applying any change.

Also: the healing path now detects domain changes (alongside dns_ip/
vpn_subnet/endpoint), updates the stored domain, and refreshes the DNS
forward rule when the domain changes.

Tests: 3 new domain-conflict tests in test_config_validation.py;
3 new accept_invite healing tests in test_cell_link_manager.py.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routes/config.py

@@ -158,6 +158,13 @@ def update_config():
                 return jsonify({'error': 'domain must be 255 characters or fewer'}), 400
             if not _DOMAIN_RE.match(v):
                 return jsonify({'error': 'Invalid domain: use only letters, digits, hyphens, dots'}), 400
+            from app import cell_link_manager as _clm
+            for _link in _clm.list_connections():
+                if _link.get('domain') == v:
+                    return jsonify({'error': (
+                        f"Domain {v!r} is already used by connected cell "
+                        f"'{_link['cell_name']}' — each cell must use a unique domain"
+                    )}), 409
 
         if 'ip_range' in identity_updates:
             _rfc1918 = [