- Add ExternalService variant to AuthMethod and AuthenticatedEntity enums
- Add generic IsExternalService<T> permission with Prometheus/Grafana markers
- Add IP restriction config via SCANOPY_EXTERNAL_SERVICE_<NAME>_ALLOWED_IPS
- Move metrics endpoint from /metrics to /api/metrics
- Add dedicated rate limiter for external services (60 req/min)
- Requires X-Service-Name header for service identification

Breaking changes:
- Metrics route changed from /metrics to /api/metrics
- New required header: X-Service-Name: prometheus

- Pass context to getLabel() so service names are correctly resolved
- Add tag label searching to match interface/port info
- Filter out "Unclaimed Open Ports" services from binding dropdown

- Create lightweight TopologyRebuildRequest type with only required fields
  (network_id, options, nodes, edges) instead of full Topology
- Update rebuild and refresh handlers to use new request type
- Update frontend mutations to send minimal payload
- Reduces payload size from MBs to KBs for large networks

Co-Authored-By: Claude Opus 4.5 <[email protected]>

- Change icon fallback logic from || to explicit length check
- When hostServices is empty, getIconComponent(undefined) returns
  HelpCircle (truthy), preventing Host icon fallback from triggering
- Now explicitly checks hostServices.length > 0 before looking up
  service icon, falling back to Host icon otherwise

- Split StorableEntity trait into Storable (base) and Entity (domain)
- Junction tables (GroupBinding, EntityTag, etc.) now only impl Storable
- Domain entities impl Entity which extends Storable
- Add is_entity_taggable() as single source of truth for tagging
- Add taggability validation to tag assignment handlers
- Add entity_name_singular/plural methods to Entity trait
- Fix topology OpenAPI tag to use "topologies" plural
- Remove junction table variants from Entity enum
- Move entity_tags to tags/entity_tags.rs
- Move group_bindings to groups/group_bindings.rs

When hosts/services are grouped (e.g., by "Virtualized By") and paginated,
groups would appear/disappear across pages because items were returned in
default order. This fix adds server-side ordering support so that grouped
items are sorted by the group field, keeping groups contiguous.

Backend:
- Add JOIN support to EntityFilter for complex ordering fields
- Add HostOrderField and ServiceOrderField enums with SQL expressions
- Add group_by, order_by, order_direction query params to list endpoints
- Register enum schemas in OpenAPI for TypeScript type generation

Frontend:
- Add onOrderChange callback to DataControls for order state changes
- Wire up HostTab and ServiceTab to pass ordering to their queries
- Map frontend field keys to backend enum values

- New users must verify email before logging in
- OIDC users are auto-verified (provider already verifies)
- Self-hosted without email service auto-verifies users
- Migrated password reset tokens from in-memory to database
- Added /verify-email page with resend functionality
- Added 60-second rate limiting on resend endpoint
- Token expiration: 24h for verification, 1h for password reset
- Existing users grandfathered as verified via migration

- fix bridge interface selection: require IP in target subnet when looking
  up interface by MAC, prevents selecting eth0 (no IP) over br0 (has IP)
  when they share the same MAC in bonded bridge setups
- add macvlan/ipvlan Docker network support: allow these drivers in
  docker network discovery instead of filtering them out
- add MacVlan and IpVlan SubnetType variants with proper metadata
- add --interface CLI arg to restrict daemon to specific interfaces
- add config namespacing by --name for multi-daemon instance deployments
- add [email protected] systemd template for multi-instance support

AppShell now checks email_verified status and redirects
unverified users to /verify-email regardless of how they
access the app.