fix: reconcile webhook-managed configs and make disable_p2p more intelligent #2057

Merged
KKRainbow merged 3 commits into EasyTier:main from KKRainbow:fix_disable_p2p
Apr 4, 2026
@KKRainbow
Member

Summary

This PR addresses two issues that surfaced in webhook-managed deployments and P2P connection policy handling.

  1. Reconcile webhook-managed network configs as an exact desired set instead of only upserting a single config.
  2. Make disable_p2p disable proactive direct connections without breaking relay-based connectivity or need_p2p exceptions.

Changes

easytier-web: reconcile webhook-managed configs by revision

  • Extend webhook validation response handling from a single optional network_config to:
    • managed_network_configs: Vec<ManagedNetworkConfig>
    • config_revision: String
  • Track the last applied webhook config revision in session state and only reconcile when the revision changes.
  • Reconcile managed network configs as an exact set:
    • upsert all desired configs
    • delete stale configs that are no longer present in the webhook response
  • Normalize incoming webhook configs so each managed config has a stable instance_id and default instance_name.
  • Update network-on-start cleanup logic so it also reacts when the desired local config set changes, not only on the first successful heartbeat.

easytier-web: scope network config uniqueness by device

  • Change DB upsert conflict handling from network_instance_id only to (user_id, device_id, network_instance_id).
  • Scope delete and state update operations by both user_id and device_id.
  • Add a migration to rebuild user_running_network_configs with a unique index on (user_id, device_id, network_instance_id).

This prevents the same network_instance_id from different devices under the same user from overwriting each other.

easytier: make disable_p2p more precise

  • Add disable_p2p to PeerFeatureFlag and propagate it from runtime flags into advertised peer feature flags.
  • Refine P2P eligibility checks so they consider both sides:
    • local disable_p2p
    • local need_p2p
    • remote disable_p2p
    • remote need_p2p
  • Keep direct connector / TCP hole punch / UDP hole punch services running even when local disable_p2p=true, so the node can still serve peers that explicitly require P2P.
  • Restrict proactive direct-connection attempts instead of globally shutting down the P2P subsystem.

The resulting policy is:

  • ordinary peers do not proactively establish P2P with peers that advertise disable_p2p
  • a node with disable_p2p=true does not proactively open P2P to ordinary peers
  • need_p2p still works as an explicit opt-in override for both directions
  • relay connectivity remains available when P2P is disabled

Tests

Added / updated tests for:

  • webhook-managed config reconciliation
  • per-device network config scoping in DB
  • disable_p2p policy helper logic
  • three-node behavior covering:
    • disable_p2p still allowing connections to need_p2p peers
    • ordinary nodes not proactively connecting to disable_p2p peers

Validation

Passed locally:

  • cargo test -p easytier-web reconcile_managed_network_configs_upserts_and_deletes_exact_set
  • cargo test -p easytier-web test_user_network_config_same_instance_id_is_scoped_by_device
  • cargo test -p easytier disable_p2p
    • unit test connector::tests::disable_p2p_only_allows_need_p2p_exceptions passed
    • the two new three-node integration tests require the local netns test environment and failed here with easytier/src/common/netns.rs:44 (No such file or directory)

Why this matters

Without the webhook reconciliation changes, webhook-managed nodes can retain stale infra configs or fail to converge cleanly when the webhook changes the desired config set.

Without the disable_p2p policy changes, setting disable_p2p is too coarse-grained: it prevents useful exception cases and also shuts down server-side capability that other peers may still need. This PR narrows the behavior so disable_p2p means "do not proactively build ordinary P2P links" instead of "disable all direct-connect handling globally".
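The four bullets under "The resulting policy is" can be written as one decision function over both peers' flags. This is an added example, not code from the PR or from EasyTier: the names `P2pFlags`, `Decision` and `proactive_decision` are hypothetical, and it assumes `need_p2p` on either side takes precedence over `disable_p2p`.

```rust
// Added illustration: type and function names are hypothetical, not EasyTier's.
#[derive(Clone, Copy, Debug, Default, PartialEq)]
pub struct P2pFlags {
    pub disable_p2p: bool,
    pub need_p2p: bool,
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Decision {
    Initiate,  // proactively try direct connect / hole punch
    RelayOnly, // do not initiate; traffic stays on relays
}

/// Decide whether the local node proactively opens P2P to `remote`.
pub fn proactive_decision(local: P2pFlags, remote: P2pFlags) -> Decision {
    // Assumed precedence: need_p2p on either side overrides disable_p2p.
    if local.need_p2p || remote.need_p2p {
        return Decision::Initiate;
    }
    if local.disable_p2p || remote.disable_p2p {
        return Decision::RelayOnly;
    }
    Decision::Initiate
}

/// Every combination of the four flags, as (local, remote) pairs.
pub fn all_pairs() -> Vec<(P2pFlags, P2pFlags)> {
    let each = |bits: u8| P2pFlags { disable_p2p: bits & 1 != 0, need_p2p: bits & 2 != 0 };
    (0u8..16).map(|n| (each(n & 3), each(n >> 2))).collect()
}

/// Both ends should reach the same verdict for a given pair of peers.
pub fn policy_is_symmetric() -> bool {
    all_pairs().iter().all(|&(a, b)| proactive_decision(a, b) == proactive_decision(b, a))
}

/// Number of flag combinations that end up relay-only.
pub fn relay_only_pairs() -> usize {
    all_pairs().iter().filter(|&&(a, b)| proactive_decision(a, b) == Decision::RelayOnly).count()
}

fn main() {
    for (l, r) in all_pairs() {
        println!("{:?} -> {:?}: {:?}", l, r, proactive_decision(l, r));
    }
    assert!(policy_is_symmetric());
}
```

The function only gates who initiates; per the PR text, the direct connector and hole-punch services keep running regardless of the local `disable_p2p` value.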
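The revision-gated, exact-set reconciliation and the per-device key described under the two easytier-web headings, modelled against an in-memory map. This is an added example, not the PR's code: `Store`, `Outcome` and `reconcile` are hypothetical stand-ins for the database layer, and the config bodies are constructed sample strings.

```rust
use std::collections::{HashMap, HashSet};

// Added illustration: an in-memory stand-in for the DB table; names are hypothetical.
#[derive(Clone, Debug, PartialEq)]
pub struct ManagedNetworkConfig {
    pub instance_id: String,
    pub body: String, // opaque payload (constructed sample data)
}

type RowKey = (u32, String, String); // (user_id, device_id, network_instance_id)

#[derive(Default)]
pub struct Store {
    pub rows: HashMap<RowKey, String>,
    pub applied_revision: HashMap<(u32, String), String>, // per device session
}

#[derive(Debug, Default, PartialEq)]
pub struct Outcome { pub upserted: usize, pub deleted: usize, pub skipped: bool }

impl Store {
    pub fn reconcile(&mut self, user_id: u32, device_id: &str, revision: &str,
                     desired: &[ManagedNetworkConfig]) -> Outcome {
        let session = (user_id, device_id.to_string());
        // Only reconcile when the webhook's config_revision changed.
        if self.applied_revision.get(&session).map(String::as_str) == Some(revision) {
            return Outcome { skipped: true, ..Default::default() };
        }
        let wanted: HashSet<&str> = desired.iter().map(|c| c.instance_id.as_str()).collect();
        let before = self.rows.len();
        // Delete stale rows, scoped to this user AND device so other devices are untouched.
        self.rows.retain(|(u, d, id), _| {
            *u != user_id || d.as_str() != device_id || wanted.contains(id.as_str())
        });
        let deleted = before - self.rows.len();
        for cfg in desired {
            let key = (user_id, device_id.to_string(), cfg.instance_id.clone());
            self.rows.insert(key, cfg.body.clone());
        }
        self.applied_revision.insert(session, revision.to_string());
        Outcome { upserted: desired.len(), deleted, skipped: false }
    }
}

fn main() {
    let mut s = Store::default();
    let cfg = ManagedNetworkConfig { instance_id: "net-1".into(), body: "a".into() };
    println!("{:?}", s.reconcile(1, "dev-a", "rev-1", &[cfg]));
}
```

With the key reduced to `network_instance_id` alone, the second device's upsert in this model would replace the first device's row, which is the overwrite the PR's unique index on `(user_id, device_id, network_instance_id)` prevents.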

Copilot AI review requested due to automatic review settings April 4, 2026 02:29
Contributor

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@KKRainbow KKRainbow merged commit fb59f01 into EasyTier:main Apr 4, 2026
42 checks passed