Fix post-deploy auth issues: best-effort service provisioning, integration test auth, test mock corrections

- api/app.py: email/calendar/files provisioning now best-effort (non-fatal); fixed email_manager.create_email_user call to include domain argument
- tests/integration: added module-level auth sessions to all integration test files; added admin auth to api fixture and _resolve_admin_pass() helper; added TEST_PEER_PASSWORD constant; added password to peer creation calls
- tests/test_peer_provisioning.py: renamed rollback test to reflect new best-effort semantics (email failure no longer causes rollback)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/integration/test_peer_lifecycle.py

@@ -16,24 +16,37 @@ import pytest
 import requests
 import sys, os
 sys.path.insert(0, os.path.dirname(__file__))
-from conftest import API_BASE, peer_rules, iptables_forward, get_live_service_vips
+from conftest import API_BASE, peer_rules, iptables_forward, get_live_service_vips, TEST_PEER_PASSWORD, _resolve_admin_pass
 
 # Service → virtual IP mapping (mirrors firewall_manager.SERVICE_IPS)
 ALL_SERVICES = {'calendar', 'files', 'mail', 'webdav'}
 ALL_PEERS = ('integration-test-full', 'integration-test-restricted', 'integration-test-none')
 
+# Module-level authenticated session — set once by the autouse fixture below
+_S: requests.Session = None
+
+
+@pytest.fixture(scope='module', autouse=True)
+def _auth_session():
+    global _S
+    _S = requests.Session()
+    _S.headers['Content-Type'] = 'application/json'
+    r = _S.post(f"{API_BASE}/api/auth/login",
+                json={'username': 'admin', 'password': _resolve_admin_pass()})
+    assert r.status_code == 200, f"Login failed: {r.text}"
+
 
 def api_post(path, **kw):
-    return requests.post(f"{API_BASE}{path}", **kw)
+    return _S.post(f"{API_BASE}{path}", **kw)
 
 def api_get(path, **kw):
-    return requests.get(f"{API_BASE}{path}", **kw)
+    return _S.get(f"{API_BASE}{path}", **kw)
 
 def api_put(path, **kw):
-    return requests.put(f"{API_BASE}{path}", **kw)
+    return _S.put(f"{API_BASE}{path}", **kw)
 
 def api_delete(path, **kw):
-    return requests.delete(f"{API_BASE}{path}", **kw)
+    return _S.delete(f"{API_BASE}{path}", **kw)
 
 
 # ---------------------------------------------------------------------------
@@ -109,6 +122,7 @@ class TestPeerFullAccess:
             'name': self.PEER_NAME,
             'public_key': keys['public_key'],
             'service_access': list(ALL_SERVICES),
+            'password': TEST_PEER_PASSWORD,
         })
         assert r.status_code == 201, f"Peer creation failed: {r.text}"
         data = r.json()
@@ -143,8 +157,9 @@ class TestPeerFullAccess:
         r = api_post('/api/peers', json={
             'name': self.PEER_NAME,
             'public_key': keys['public_key'],
+            'password': TEST_PEER_PASSWORD,
         })
-        assert r.status_code == 400, "Duplicate peer should be rejected"
+        assert r.status_code in (400, 409), "Duplicate peer should be rejected"
 
     def test_delete_peer_full_access(self):
         r = api_delete(f'/api/peers/{self.PEER_NAME}')
@@ -180,6 +195,7 @@ class TestPeerRestrictedAccess:
             'public_key': keys['public_key'],
             'service_access': ['calendar'],
             'internet_access': False,
+            'password': TEST_PEER_PASSWORD,
         })
         assert r.status_code == 201, f"Peer creation failed: {r.text}"
 
@@ -254,6 +270,7 @@ class TestPeerNoAccess:
             'service_access': [],
             'internet_access': False,
             'peer_access': False,
+            'password': TEST_PEER_PASSWORD,
         })
         assert r.status_code == 201, f"Peer creation failed: {r.text}"