Phase 5: extended connectivity — WireGuard ext, OpenVPN, Tor exit routing

- ConnectivityManager: per-peer exit routing via iptables fwmark/policy tables
  (wg_ext=0x10/t110, openvpn=0x20/t120, tor=0x30/t130)
- Dedicated PIC_CONNECTIVITY chains (mangle+nat), kill-switch FORWARD DROP
- Config upload with sanitization: strips PostUp/PostDown and OVpn script dirs
- Peer exit_via field added to peer registry (backward-compat, default=default)
- 7 Flask routes at /api/connectivity/*
- Connectivity.jsx: 693-line frontend with exit cards, peer assignment table
- 72 new tests for ConnectivityManager (72 passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

webui/src/services/api.js

@@ -328,6 +328,17 @@ export const setupAPI = {
   complete: (payload) => api.post('/api/setup/complete', payload),
 };
 
+// Connectivity / Exit Routing API
+export const connectivityAPI = {
+  getStatus: () => api.get('/api/connectivity/status'),
+  listExits: () => api.get('/api/connectivity/exits'),
+  uploadWireguard: (conf_text) => api.post('/api/connectivity/exits/wireguard', { conf_text }),
+  uploadOpenvpn: (ovpn_text, name = 'default') => api.post('/api/connectivity/exits/openvpn', { ovpn_text, name }),
+  applyRoutes: () => api.post('/api/connectivity/exits/apply'),
+  getPeerExits: () => api.get('/api/connectivity/peers'),
+  setPeerExit: (peer_name, exit_via) => api.put(`/api/connectivity/peers/${peer_name}/exit`, { exit_via }),
+};
+
 // Container Management API
 export const containerAPI = {
   // Containers