fix: wireguard_port identity change and check_port_open verification

Bug 1 — port not propagated to wg0.conf:
  The identity update path (wireguard_port via PUT /api/config) was calling
  wireguard_manager.update_config() which only saves to a JSON file via
  BaseServiceManager. wg0.conf was never updated, so after a container
  restart the WireGuard interface would still listen on the old port.
  Fix: call apply_config() instead — it writes ListenPort into wg0.conf.

Bug 2 — check_port_open ignored configured port:
  check_port_open() checked for 'listening port' in wg show output but
  never compared it against the configured port. A port-mismatch (e.g.
  after config change but before restart) would return True — misleading.
  Fix: require 'listening port: {configured_port}' to match exactly.

Tests added:
  - test_check_port_open_wrong_port_returns_false
  - test_check_port_open_explicit_port_matches
  - test_check_port_open_explicit_port_mismatch
  - test_wireguard_port_identity_change_calls_apply_config
  - test_wireguard_port_same_value_does_not_call_apply_config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/app.py

@@ -778,7 +778,7 @@ def update_config():
                 _wg_svc = config_manager.configs.get('wireguard', {})
                 _wg_svc['port'] = new_wg
                 config_manager.update_service_config('wireguard', _wg_svc)
-                wireguard_manager.update_config({'port': new_wg})
+                wireguard_manager.apply_config({'port': new_wg})
                 port_changed_containers.add('wireguard')
                 port_change_messages.append(f'wireguard_port: {old_wg} → {new_wg}')
 

api/wireguard_manager.py

@@ -538,15 +538,16 @@ class WireGuardManager(BaseServiceManager):
                 pass
         return ip
 
-    def check_port_open(self, port: int = DEFAULT_PORT) -> bool:
-        """Check if WireGuard is running and listening on the UDP port."""
-        # Primary: check if wg0 interface is up (means port IS listening)
+    def check_port_open(self, port: int = None) -> bool:
+        """Check if WireGuard is running and listening on the configured UDP port."""
+        configured_port = port if port is not None else self._get_configured_port()
+        # Primary: verify wg0 is up AND listening on the configured port
         try:
             result = subprocess.run(
                 ['docker', 'exec', 'cell-wireguard', 'wg', 'show', 'wg0'],
                 capture_output=True, text=True, timeout=5,
             )
-            if result.returncode == 0 and 'listening port' in result.stdout.lower():
+            if result.returncode == 0 and f'listening port: {configured_port}' in result.stdout.lower():
                 return True
         except Exception:
             pass