Description
## Problem
`POST /api/v1/air/provision` regenerates the WireGuard keypair every time it is called, even for peers that already exist in mesh.yaml. Combined with `auto_apply: true`, this silently breaks WireGuard connectivity for existing peers.
This caused repeated key mismatches during the Brussels hub migration — every `hub apply` or hydracluster provision call triggered a new keypair.
## Fix
Make the endpoint truly idempotent: if the peer already exists in mesh.yaml, return the existing config (with the existing private key) instead of generating a new keypair. Only generate a new keypair when the peer is genuinely new.
## Files
- Hydraguard repo: air provision handler