- Rename buttons to "Scan Credentials", right-align in flex container
- Remove header gap in wizard, move Target IP above form fields
- Fix config panel stuck on first credential with {#key} block
- Hide Update button in compact form mode (wizard saves locally)
- Replace Docker inline form in AdvancedStep with CTA to wizard
- Add field grouping (group property on FieldDefinition) with InfoCard
- DockerProxy fields grouped into Connection and TLS cards
- Dynamic footer CTA shows unsaved credential count
- Don't prefill 127.0.0.1 for DockerProxy unless navigating from Advanced

- Move title/description into ListManager label/helpText props
- Matches ServicesForm pattern (no standalone header above ListConfigEditor)
- Eliminates double-padding from header div + ListConfigEditor p-6

- Replace setQueryData with invalidateQueries in service delete mutations
  so paginated query cache updates correctly after deletion
- Add onDelete prop to ServiceEditModal with delete button in footer
- Wire up onDelete from parent Tab to modal for: Groups, Subnets,
  Networks, Services, Discovery, and Credentials (close modal on delete)

- CredentialForm accepts form prop instead of creating its own
- compact mode: seed IP field, no form tag/footer/name/type selector
- standard mode: full form with submit, name, type selector, footer
- All fields use form.Field with validators (removes fieldErrors)
- fieldPrefix prop for wizard namespacing (credentials[0].fields.x)
- Delete CredentialConfigPanel (CredentialForm handles both contexts)
- CredentialEditModal creates form, passes to CredentialForm
- CredentialWizardStep uses CredentialForm compact=true

- ListConfigEditor: use relative+absolute positioning for scroll
  containment instead of relying on unbroken flex height chain
- CredentialWizardStep: replace $effect form sync with explicit
  syncFormDefaults() calls in add/remove handlers to avoid
  effect_update_depth_exceeded
- CreateDaemonModal: separate wizard (flex fill) from other steps
  (overflow-auto with padding)

- Remove name uniqueness check from create/bulk_create credential endpoints
- Add onSubmit validators alongside onBlur so TanStack validateAllFields('submit') works
- Skip PEM validation when field is in filepath mode (not inline)
- Move credential modal save/delete buttons to GenericModal footer snippet
- Replace seed IP field with segmented control (IP Address / Daemon Host)
- Fix credential naming: type-only default, IP when entered, daemon name for localhost

- Adds proper padding and border styling matching other modals

- Use display value (not JSON wrapper) for secretpathorinline/pathorinline validation
- Empty optional fields now correctly skip all format validation
- Add modal-footer wrapper to credential modal footer snippet

- Move id/created_at/set_id/set_created_at from Storable to Entity trait,
  enabling junction tables without id/created_at columns to impl Storable
- Add SqlValue::OptionalUuidVec for interface_ids in junction tables
- Create typed NetworkCredential + HostCredential junction table storages
  using Storable + GenericPostgresStorage instead of raw SQL
- Replace all raw sqlx::query calls in credentials/service.rs with
  junction storage delegates (zero raw SQL remaining in credentials/)
- Replace set_seed_ips/clear_seed_ips raw SQL with load-modify-update
  through CrudService
- Extract types/mod.rs (860 lines) into secrets.rs, fields.rs, metadata.rs
  submodules with pub use re-exports preserving the public API
- Reorder snmp/types.rs: core types, banner/metadata, legacy section, tests
- Mark legacy daemon codepaths (pre-v0.15.0) with section headers and docs

- Add EnumIter derive to strum-generated CredentialTypeDiscriminants
- Move to_credential_type(), HasId, EntityMetadataProvider, and
  TypeMetadataProvider impls from CredentialType/CredentialTypeVariant
  to CredentialTypeDiscriminants
- Delete hand-maintained CredentialTypeVariant enum (was a duplicate)
- Update service.rs and generate-fixtures.rs callers

- Add 14 unit tests for credential mapping pure functions:
  credential_ids, collect_credential_ids, is_enabled,
  get_credential_for_ip, is_localhost
- Fix misleading bulk create docstring: validation is atomic
  but individual creates are sequential

- Shell script (tools/docker-proxy-test-env.sh) to expose local Docker
  socket on TCP via nginx reverse proxy, with optional mTLS support
- Remote setup guide (tools/docker-proxy-remote-setup.md) covering
  Portainer, Proxmox, and generic Linux Docker API exposure
- Follows snmp-test-env.sh patterns: color output, dep checks, up/down/status

…tions

- Detailed current state analysis with line references across unified.rs, network.rs, docker.rs, types/mod.rs, mapping.rs, definitions.rs, patterns.rs
- Proposed trait-based integration model with DiscoveryIntegration trait and IntegrationCategory enum
- Three discovery phases: daemon host, network scan (with post-scan integrations), controller
- SNMP exception analysis: must remain inline due to remote subnet discovery and MAC enrichment
- Remote Docker design: parameterize by target IP, trigger via service matching + credential lookup
- Future integration examples: Ubiquiti, Proxmox, vSphere, SSH, Aruba
- 5-phase implementation plan with dependency graph

- Cost-based progress model: integrations declare estimated_seconds_per_host,
  progress tracks completed vs total estimated seconds, recalculates after ARP
- Integration context/result types: HostIntegrationContext, ControllerIntegrationContext,
  HostIntegrationResult with HostEnrichment and DiscoveredHost
- Integration registry: static dispatch via CredentialTypeDiscriminants match,
  credential extraction from CredentialMapping<CredentialQueryPayload>
- Error handling: per-integration timeouts, fail-and-continue isolation,
  cancellation token contract
- Entity creation ownership: integrations return data, phase runner creates entities
- Updated open questions: removed answered ones, added light scan mode and
  cost calibration questions

- Docker containers are services on the host, not separate hosts
  (docker.rs sets host.id = daemon host_id, services carry
  ServiceVirtualization::Docker)
- Remove EntityDiscovery category — Docker is HostEnrichment
- Replace DiscoveredHost in HostIntegrationResult with additional_services
- Keep ControllerDiscoveredDevice for controller results (those DO create hosts)
- Add 'Relationship to Existing Discovery Traits' section: existing
  RunsDiscovery/DiscoversNetworkedEntities/CreatesDiscoveredEntities stay
  as orchestration layer, new DiscoveryIntegration is plugin layer
- Detail what stays, what changes, what's deleted, what's reused from Docker

- Replace hardcoded `localhost` with override IP from credential
  mapping, fixing IPv6 DNS resolution hitting wrong process
- IPv6 addresses wrapped in brackets for URL format
- Default credential (no override) falls back to 127.0.0.1
- discover_create_subnets now uses resolve_docker_proxy() instead
  of reading AppConfig directly, so subnet discovery also respects
  credential-based Docker proxy config
- Add tracing to resolve_docker_proxy for debugging proxy resolution

- Drop IntegrationCategory enum (HostEnrichment, Controller, ScanEnrichment)
- Replace with IntegrationPhase (PerHost, Controller) — only scheduling matters
- Single IntegrationResult type: integrations populate what they need
  (host fields, services, ports, interfaces, if_entries, discovered_devices)
- Single IntegrationContext with Optional per-host fields
- Single execute() method replaces discover_for_host/discover_as_controller
- Update all sections: dispatch flow, progress model, registry, error handling,
  future examples, existing trait analysis, implementation plan

Filter raw socket ports (9100-9107) from the service matching port
list when probe_raw_socket_ports is disabled, matching the existing
filtering in scan_endpoints(). Previously, port-only patterns like
JetDirect would match on these ports even though endpoint probing
was skipped, causing services like Prometheus Node Exporter to be
misidentified as JetDirect printers.

Updated the description to reflect the automatic nature of network documentation and improved clarity.

Move daemon-prompt auto-open logic from individual registration paths
into +page.svelte. Shows when org has OrgCreated but not
FirstDaemonRegistered and no daemons exist. Works for all auth
methods (email, OIDC) without each path needing to know about it.

- Fix has_ssl check to require all three SSL fields (cert, key, chain)
  in both local and remote Docker proxy paths, with partial-SSL warning
- Change default Docker proxy port from 2376 to 2375 (non-TLS common case)
- Update credential form help text for port and TLS fields
- Add per-container progress reporting during Docker discovery to prevent
  5-minute stall timeout, using Arc<AtomicU8> + tokio::select! poller
- Cap docker phase progress at 99% (true 100% from session completion)
- Add custom serde deserializers for Option<FileOrInline> and
  Option<SecretValue> that normalize empty inline values to None
- Fix frontend buildCredentialType() to normalize empty parsed
  pathorinline/secretpathorinline values to null
- Fix target_ips not cleared for host-assigned credentials by decoupling
  clearing logic from the existing_cred_ids skip

Restructure the Discovery modal from Details/Targets/Credentials/Speed/Schedule
to Details/Targets/Credentials/Detection/Performance/Schedule:

- Move host_naming_fallback from Targets to Details (display preference, not a target)
- Move probe_raw_socket_ports, full_scan_interval, force_full_scan from Speed
  to new Detection tab (scan scope, not speed)
- Rename Speed to Performance (rates, concurrency, retries only)
- Remove scan_local_docker_socket toggle (redundant with daemon-level
  enable_local_docker_socket flag and DockerProxy credentials)
- Update should_run_docker_phase() to check local socket availability
  instead of reading the removed toggle
- Show scan mode (full/light) on discovery session cards
- Put performance number fields side by side instead of stacked
- Group full_scan_interval and force_full_scan into a shared card

- Upgrade @inlang/paraglide-js 2.9.0 → 2.15.1 (fixes kysely SQL injection alerts)
- Upgrade bollard 0.19.4 → 0.20.2 and testcontainers 0.25.0 → 0.27.2 (fixes astral-tokio-tar alert)
- Migrate bollard API: secret → models, PortTypeEnum → PortSummaryTypeEnum, exposed_ports HashMap → Vec

The @ in the i18n string bled into the generated paraglide JSDoc
comment, causing svelte-check to parse it as a JSDoc tag and fail.

- Delete tags first so ON DELETE CASCADE cleans up all entity_tags
  automatically, eliminating ~185 per-entity DELETE queries
- Use storage().delete_by_filter() directly instead of service-level
  delete_all_for_org which loops per-entity for tag removal and events
- Add explicit deletes for child entities (interfaces, ports, services,
  bindings, if_entries, groups, subnets) instead of relying on FK cascades
- Reduces re-populate from ~240 to ~22 DB round-trips, well within
  the 30s Kamal proxy timeout on Neon

Restore request-level timeout on endpoint probe .send() calls.
Commit 2555860 changed .timeout() to .connect_timeout() to allow
body streaming past the deadline, but this removed the timeout from
the header-wait phase. Non-HTTP services (e.g. Chromecast on port
8009) that accept TCP but never send HTTP headers block .send()
indefinitely, stalling the entire deep scan and preventing discovery
from completing.

Wrap .send().await in tokio::time::timeout(SCAN_TIMEOUT) at both
call sites (scanner.rs network endpoints, docker.rs container
endpoints). Body streaming retains its own deadline via
read_response_body_until_deadline.

- Switch to host-based time estimation once ARP completes: uses actual
  per-host completion time (TCP + endpoints + SNMP + host creation)
  instead of TCP batch speed, which underestimates on light scans
- Fall back to batch-based estimation during ARP phase
- Add 3 attempts (2 retries) for Docker proxy probes in deep_scan_host
  with 2s delay between attempts

Dev

- Add missing 'credentials' case in handleNext() so Next button advances
- Add disabled state to credentials tab in create mode stepper
- Bump furthestReached thresholds for detection/performance/schedule
  tabs to account for credentials step in Unified discoveries
- Remove 8 unused i18n keys flagged by tests

Bumps the npm_and_yarn group with 1 update in the /ui directory: [picomatch](https://github.com/micromatch/picomatch).


Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>