fix(vpn): sync WireGuard server key on startup; fix DNS zone cell_name/SOA; fix peer status UI

- API key store was out of sync with wg0.conf: get_keys() generated a random phantom key instead of reading the actual WireGuard server key, so all peer configs had the wrong PublicKey and could never handshake. Fixed by writing correct raw-bytes key files at deploy time and adding _sync_wg_keys() to API startup so the store auto-syncs from wg0.conf on every restart.
- apply_domain() fell back silently when zone file had no $ORIGIN directive; now also parses the SOA MNAME as the old-domain fallback.
- apply_cell_name() only replaced the hostname if old_name matched literally in the zone file; now auto-detects the actual hostname (non-service A record) so a stale zone (mycell vs dev) is corrected on next config apply.
- DNS zone file corrected: SOA pic.ngo. admin.pic.ngo., mycell → dev.
- WireGuard UI: add 30s auto-poll for peer statuses; fix "peers currently connected" counter to show online/total instead of total count.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@@ -297,7 +297,16 @@ def _recover_pending_apply():
|
||||
|
||||
_recover_pending_apply()
|
||||
|
||||
|
||||
def _sync_wg_keys():
|
||||
try:
|
||||
wireguard_manager._sync_keys_from_conf()
|
||||
except Exception as e:
|
||||
logger.warning(f"WireGuard key sync failed (non-fatal): {e}")
|
||||
|
||||
|
||||
# Run in background so startup isn't blocked waiting on docker exec
|
||||
threading.Thread(target=_sync_wg_keys, daemon=True).start()
|
||||
threading.Thread(target=_apply_startup_enforcement, daemon=True).start()
|
||||
threading.Thread(target=_bootstrap_dns, daemon=True).start()
|
||||
|
||||
|
||||
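Review bot: In _sync_wg_keys(), a failed sync is swallowed by `except Exception` and logged as a "non-fatal" warning, and the call runs on a daemon thread, so the API can start answering requests before, or without, the key store matching wg0.conf. The commit message says that mismatch is what gave every peer config the wrong PublicKey, so the failure should be visible and peer-config generation should not proceed on an unsynced store: log with logger.exception (or at error level) and have the code that builds peer configs wait on or check a "keys synced" flag set by this thread. The hunk also calls wireguard_manager._sync_keys_from_conf(), a private-named method, from outside its class; expose it under a public name or document it as part of the startup contract. Since `{e}` is interpolated straight into the log line, confirm the exception text raised while parsing wg0.conf can never carry key material.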