fix(ppsk): embedded PPSKs update via WLAN config, not /rest/ppsk

Embedded PPSKs live inside the parent WLAN's private_preshared_keys
array — they have no controller-side _id and the synthetic emb_<hash>
we generate locally isn't a real REST id. Hitting /rest/ppsk/emb_xxx
returns HTTP 400/503, which is what the GUEST PPSK rotation was
failing on at the scheduled 3pm run.

* New UnifiApiClient::updateEmbeddedPpsk($wlanId, $oldPass, $newPass):
  GETs /rest/wlanconf/{wlanId}, finds the matching entry in
  private_preshared_keys by current passphrase, swaps the value while
  preserving whichever field name the controller uses (x_passphrase /
  password / passphrase), and PUTs the whole WLAN object back.
* RotatePasswords detects emb_-prefixed unifi_ids and routes through
  the embedded path. The synthetic id is rederived from the new
  passphrase so the DB row stays addressable.
* WifiController::ppskUpdate (manual modal save) does the same — this
  is why manual edits sometimes appeared to succeed but the controller
  side actually rejected them.

Verified live against the GUEST PPSK on 10.81.0.1.
v1.5.5.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Console/RotatePasswords.php

@@ -76,8 +76,16 @@ class RotatePasswords extends Command
             foreach ($ppskQuery->get() as $ppsk) {
                 $newPass = $passwords[array_rand($passwords)];
                 try {
-                    $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
-                    $ppsk->update(['x_passphrase' => $newPass]);
+                    if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
+                        // Embedded PPSK: update inside the parent WLAN object.
+                        // Synthetic ID is derived from the new passphrase, so update it too.
+                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass);
+                        $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
+                        $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
+                    } else {
+                        $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
+                        $ppsk->update(['x_passphrase' => $newPass]);
+                    }
                     $rotatedPpsks[] = $ppsk->name;
                 } catch (\Throwable $e) {
                     $this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");