fix: architecture audit — security, atomicity, broken endpoints, test coverage

Sprint 1 — Security & correctness:
- Restore all 10 commented-out is_local_request() checks (vault, containers, images, volumes)
- Fix XFF spoofing: only trust the LAST X-Forwarded-For entry (Caddy's append), not all
- Require prefix length in wireguard.address (was accepting bare IPs like 10.0.0.1)
- Validate service_access list in add_peer (valid: calendar/files/mail/webdav)
- Fix dhcp/reservations POST/DELETE: unpack mac/ip/hostname from body (was passing dict as positional arg)
- Fix network/test POST: remove spurious data arg (test_connectivity takes no args)
- Fix remove_peer: clear iptables rules and regenerate DNS ACLs on deletion (was leaving stale rules)
- Fix CoreDNS reload: SIGHUP → SIGUSR1 (SIGHUP kills the process; SIGUSR1 triggers reload plugin)
- Remove local.{domain} block from Corefile template (local.zone doesn't exist, caused log spam)
- Fix routing_manager._remove_nat_rule: targeted -D instead of flushing entire POSTROUTING chain

Sprint 2 — State consistency:
- Atomic config writes in config_manager, ip_utils, firewall_manager, network_manager
  (write to .tmp → fsync → os.replace, prevents truncated files on kill)
- backup_config: now also backs up Caddyfile, Corefile, .env, DNS zone files
- restore_config: restores all of the above so config stays consistent after restore

Sprint 3 — Dead code / documentation:
- Remove CellManager instantiation from app startup (was never called, double-instantiated all managers)
- Document routing_manager scope (targets host, not cell-wireguard; methods not called by any active route)

Sprint 4 — Test infrastructure:
- Add tests/conftest.py with shared tmp_dir, tmp_config_dir, tmp_data_dir, flask_client fixtures
- Add tests/test_config_validation.py: 400 paths for ip_range, port, wireguard.address validation
- Add tests/test_ip_utils_caddyfile.py: 14 tests for write_caddyfile (was completely untested)
- Expand test_app_misc.py: 7 new is_local_request tests covering XFF spoofing and cell-network IPs
- Add --cov-fail-under=70 to make test-coverage
- Add pre-commit hook that runs pytest before every commit

414 tests pass (was 372).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/firewall_manager.py

@@ -276,14 +276,16 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
 }}
 
 {primary_zone_block}
-local.{domain} {{
-    file /data/local.zone
-    log
-}}
 """
+        # local.{domain} block intentionally omitted: /data/local.zone does not exist
+        # and CoreDNS logs errors on every reload for a missing zone file.
         os.makedirs(os.path.dirname(corefile_path), exist_ok=True)
-        with open(corefile_path, 'w') as f:
+        tmp_path = corefile_path + '.tmp'
+        with open(tmp_path, 'w') as f:
             f.write(corefile)
+            f.flush()
+            os.fsync(f.fileno())
+        os.replace(tmp_path, corefile_path)
 
         logger.info(f"Wrote Corefile to {corefile_path}")
         return True
@@ -293,13 +295,13 @@ local.{domain} {{
 
 
 def reload_coredns() -> bool:
-    """Send SIGHUP to CoreDNS container to reload config."""
+    """Signal CoreDNS to reload its config. SIGUSR1 triggers the reload plugin; SIGHUP kills the process."""
     try:
-        result = _run(['docker', 'kill', '--signal=SIGHUP', 'cell-dns'], check=False)
+        result = _run(['docker', 'kill', '--signal=SIGUSR1', 'cell-dns'], check=False)
         if result.returncode == 0:
-            logger.info("Sent SIGHUP to cell-dns")
+            logger.info("Sent SIGUSR1 to cell-dns (reload)")
             return True
-        logger.warning(f"SIGHUP to cell-dns failed: {result.stderr.strip()}")
+        logger.warning(f"SIGUSR1 to cell-dns failed: {result.stderr.strip()}")
         return False
     except Exception as e:
         logger.error(f"reload_coredns: {e}")