Add a services display field to the hosts DataControls, enabling
users to filter and search hosts by service name (e.g., show all
hosts running SSH). Uses useServicesCacheQuery to read services
from TanStack Query cache without additional API calls. Follows
the existing tags array field pattern.

Closes #499

- Add OpenPorts to default hide_service_categories (frontend + backend)
- Add HostVirtualization to default hide_edge_types (frontend + backend)
- Remove hard-coded HostVirtualization filter from BaseTopologyViewer so
  users can toggle visibility via the Options panel

Extend DisplayFieldConfig with opt-in sortable/groupable flags so
client-side-only pages can participate in DataControls sort/group
dropdowns without requiring backend OrderField enums.

- Add sortable/groupable to DisplayFieldConfig, isDisplayField guard
- Update DataControls groupableFields/sortableFields derived values
- Add network_id field to discoveryFields with network name lookup
- Add created_at and sortable/groupable flags across Shares,
  Scheduled/Historical Discoveries, Daemon API Keys, Networks, Users

Discovery metadata (Vec<DiscoveryMetadata>) grew unboundedly — one entry
prepended per entity per scan with no pruning, bloating the source JSONB
column over time.

- Add MAX_DISCOVERY_METADATA_ENTRIES constant (10) in entities.rs
- Add EntitySource::cap_metadata() helper to truncate after merge
- Apply cap at host upsert (hosts/service.rs) and service upsert
  (services/service.rs) — the only two accumulation points
- Subnets and groups don't accumulate metadata, so no changes needed
- Existing oversized entries will be pruned on next discovery scan

Replace scattered one-off modal triggers (?auth_modal, sessionStorage.showDaemonSetup,
showBillingPlanModal store) with a unified ?modal=<name>&id=<id>&tab=<tab> system.

- Add modal-registry store with openModal/closeModal/setModalTab/initModalFromUrl
- Add name/entityId props to GenericModal for automatic URL sync on open/close/tab
- Wire 18 modal wrappers with name prop forwarded to GenericModal
- Add $effect watchers in 14 parent tabs to open modals from URL state
- Replace auth_modal backend param with modal=settings
- Replace sessionStorage.showDaemonSetup with ?modal=create-daemon URL param
- Remove showBillingPlanModal store, use openModal('billing-plan') everywhere
- Add navigateWithModal() helper for onboarding flow

- Fix Brevo event mapping: extract FirstDiscoveryCompleted
  to own handler, remove incorrect track_event from
  FirstTopologyRebuild, add first_daemon_registered event
- Add 5 email templates: discovery guide (free/paid),
  topology ready, plan limit approaching/reached
- Add PlanLimitNotifications with threshold-crossing
  detection (80% approaching, 100% reached) for
  hosts, networks, seats
- Wire via EventBus: EmailService subscribes to entity
  creation (plan limits) and telemetry (onboarding emails)
- Add plan_limit_notifications JSONB column to orgs table

- Consolidate 4 networks into 2 (Headquarters 30 hosts, Data Center 20 hosts)
- Add Proxmox VM virtualization (7 VMs across 3 hypervisors)
- Add Docker container virtualization (8 containers across 2 Docker hosts)
- Docker hosts have dual interfaces (eth0 + docker0 on DockerBridge)
- HQ 48-port switch + DC 24-port switch with bidirectional LLDP
- 6 network-scoped groups (3 HQ, 3 DC)
- Adjusted daemons, API keys, discoveries for 2-network layout

File was tracked despite being in .gitignore. Remove from index
so worktrees don't inherit stale test plans via merge conflicts.

# Conflicts:
#	TASK.md

# Conflicts:
#	TASK.md

# Conflicts:
#	TASK.md

# Conflicts:
#	TASK.md

# Conflicts:
#	TASK.md

Replaced direct Neighbor::Host reference on switch port 6 with deferred
NeighborUpdate. Added IfEntry for unifi-ap-lobby so bidirectional LLDP
link resolves after all hosts exist. Removed unused Neighbor import.

- Remove closeModal() from all 15 entity tab $effect watchers; it was
  clearing the URL immediately after being set (both on deep-link and
  normal click). Add !showModal guards to prevent re-triggering.

- Read modalState.tab in GenericModal open-transition so URL-specified
  tabs (e.g. ?modal=settings&tab=billing) are applied before syncing
  back, fixing the stale-default-tab issue.

- Change tab hiding from class:hidden (display:none) to h-0/overflow-hidden
  so position:fixed modals inside inactive tabs can still render. Removes
  need for a brittle modal→tab mapping.

- Add TEST_PLAN.json for manual test coverage.

…oup-sort-pages', 'service-filtering', 'generic-modal-deeplinks', 'onboarding-emails' and 'demo-data-overhaul' into dev

- GenericModal: call onOpen() before URL tab override so parent's
  resetForm() runs first, then deep-link tab takes precedence
- DaemonTab: remove closeModal() when daemons exist to prevent
  clearing modal state before page-level tab switch can read it

- GenericModal: clear URL params on close transition (isOpen goes false)
  so form-submit close paths don't leave stale ?modal params that
  trigger the $effect watcher to reopen the modal
- DaemonTab: remove daemonsData.length === 0 guard so ?modal=create-daemon
  always opens the modal, not only during onboarding

…-hardening' into dev

…change

- Update i18n strings to say "Update password" instead of "Update email
  and password" since email changes use a separate flow now
- Replace raw <input> in email change form with TanStack Form + TextInput
  component, matching login/register form patterns
- Add email validator to email change field

Logs across the full flow to diagnose double-rebuild issue:
- Frontend: options store changes, rebuild/refresh request options,
  SSE responses, and query cache updates
- Backend: rebuild handler options/services, subscriber fast path,
  and SSE stream output

The TanStack migration dropped the debounced PUT that synced option
changes to the server. In auto mode, changing options (like toggling
hide_service_categories) had no effect until the next discovery event.
Restore the behavior with a debounced rebuild on option store changes.

- A3 free/paid: add Docker discovery list item to both variants
- A5 topology ready: add quick interaction tips (drag, inspect, export)

- Check billing_enabled from cached server config
- Render <a> to scanopy.net/pricing for self-hosted instances
- Keep existing modal behavior for cloud instances
- Add external flag to analytics event for non-billing path

- Update svelte, @sveltejs/kit, eslint 10, typescript-eslint, and
  related packages to fix Dependabot alerts (XSS, DoS, minimatch ReDoS)
- Pin prettier to ~3.6.2 for svelte plugin compatibility
- Add svelte override to deduplicate across dependency tree
- Add job-level permissions: contents: read to CI workflow files
  (ui-ci, server-ci, daemon-ci, pr_dev_only) for CodeQL compliance
- Fix new eslint 10 lint errors (no-useless-assignment, unused import)

- Broaden checkout/trial lifecycle gate to include Free plan orgs
  (was only triggering for plan=None, missing cloud orgs on Free)
- Add plan_status to PlanChanged event metadata so Brevo handler
  can sync both plan_type and plan_status in one event
- Publish PlanChanged event after subscription deletion downgrades
  org to Free, ensuring Brevo shows plan_type=Free, plan_status=active
- Set plan_type in checkout_started Brevo handler (was only setting
  plan_status)

Currently translated at 27.0% (256 of 948 strings)

Translation: Scanopy/scanopy
Translate-URL: https://hosted.weblate.org/projects/scanopy/scanopy/de/

Translations update from Hosted Weblate

--frozen-lockfile is a Yarn option; npm ci enforces lockfile by default.

- Send confirmation email when trial transitions to active paid subscription
- Send usage summary with line-item breakdown on recurring invoice.paid
- Add format_cents and format_invoice_period helpers for email rendering
- Update trial started email CTA to link to billing settings
- Add billing contact line to usage summary template
- Use line item period (not invoice-level period) for accurate service dates

- Add computed has_password field to User API response
- Hide "Current Password" in credentials form for OIDC-only users
- Unify login error message to prevent auth method enumeration
- Add current_password verification to email change handler
- Block email change for OIDC-linked accounts

- Replace single-form modal with tabbed wizard: Setup, API Key, Install, Advanced
- Add Linux install method sub-toggle (Binary / Docker Compose)
- Add collapsible sections with descriptions in Advanced tab
- Disable Advanced tab until Install step is reached
- Hide heartbeat interval for non-DaemonPoll daemons
- Reorder advanced sections: Docker/Network Discovery first
- Add contextual docs links (Multi-VLAN, Macvlan, Docker Proxy, config reference)
- Add FreeBSD/OpenBSD support request buttons (PostHog-gated)
- Update daemon config help text for clarity
- Sync Rust clap descriptions with frontend i18n

picomatch version mismatch (2.3.1 vs 4.0.3) was causing npm ci
to fail during Docker builds.