- Add pendingRebuilds sentinel to track user-initiated rebuilds
- In manual mode, skip applyFullUpdate for is_stale=false SSE messages
  when cached topology has conflicts (preserves conflict badge)
- Allow full update when resolving a pending rebuild or refresh
- Replace hardcoded border classes with .card component class in
  BaseTopologyViewer for theme-aware styling

- Port fixture generation from integration test into standalone binary
  following the generate-error-codes pattern
- Support --output-dir flag for Docker builds where output path differs
- Restructure Dockerfile: Rust builds first, generates fixtures, then
  UI builder copies them via COPY --from=rust-builder
- Update Makefile and CI workflow to use cargo run --bin generate-fixtures

- Remove persistent floating cookie gear icon after consent
- Add external trigger API (openCookieSettings) for programmatic access
- Add Cookie Preferences section to Account Settings, gated on needs_cookie_consent
- Gate "No credit card required" text to Cloud-only deployments
- Add i18n keys (common_manage, settings_account_cookiePreferencesDesc) in all locales

- Invert verification default: endpoints allow unverified users by
  default, use RequireVerified<P> for sensitive endpoints
- Remove login block for unverified users (can log in immediately)
- Add AuthEmailVerificationRequired error code with i18n support
- Apply RequireVerified to: invites, API keys, billing portal,
  shares (create/update), user mgmt (admin update/delete)
- Add daemon limit for unverified orgs (1 daemon allowed)
- Auto-verify invited users (invite link proves email ownership)
- Replace hard redirect to /verify-email with dismissable banner
- Remove EMAIL_NOT_VERIFIED error handling from login page
- Remove verification redirect from onboarding flow

…builds

…tyling

…cted features

… for non-Cloud

- Remove dismiss button from verification banner (not dismissable)
- Remove sticky/z-50 so banner pushes down content instead of overlapping
- Revert RequireVerified on GET endpoints for invites and API keys
  so list/read requests don't fail on page load for unverified users

Formatting changes from make generate-types.

- Onboarding rebuild effect fired regardless of autoRebuild setting,
  wiping conflict state when navigating to topology page
- Skip onboarding rebuild in manual mode so user controls when
  rebuilds happen
- Revert speculative SSE race condition fix (no evidence it occurs)

- Check sending_done in ARP receiver Ok path, not just timeout path.
  On bridge interfaces, continuous LAN traffic prevents timeout from
  firing, so the receiver never exits and the pipeline hangs forever.
- Add 5-minute hard max lifetime to ARP receiver as defense-in-depth
- Add 10-minute timeout to ARP forwarder threads as safety net
- Fix progress calculation when channel closes with zero batches,
  use host-level progress instead of staying stuck at 30%
- Fix cidr_to_mac to preserve valid MACs when multiple interfaces
  share a subnet (e.g. br0 + shim-br0)
- Add 6-hour global discovery timeout to prevent infinite hangs
- Add diagnostic logging at channel close transition
- Allow any-size interfaced subnets (ARP is lightweight), restrict
  only non-interfaced subnets to /16 (port scanning is expensive)

- Extract cookie options UI into CookieSettingsPanel component
- CookieConsent banner uses the panel for its settings modal
- AccountTab renders the panel as a subView (no modal flash)
- Back button navigates to main settings view seamlessly

- Replace 3 Discovery sidebar items (Sessions, Scheduled, History)
  with 1 entry using internal sub-tabs
- Replace Daemons parent+child with 1 entry using sub-tabs
- Add reusable ContentSubTabs component for horizontal tab bar
- Preserve all hash URLs, deep linking, and permission gating

…load

…tion

…faces

…ns sidebar tabs

Without this, Docker transfers the entire repo including backend/target/
(~60GB+), causing builds to fail or timeout.

…builds

- Replace raw div styling with InfoCard variant="compact"
- Matches card style used throughout settings views

When a trialing user switches to Free, the subscription gets
cancel_at_period_end=true. Stripe still fires trial_will_end webhook
3 days before expiry — skip the email in that case.

- Invite button: disabled with "Please verify email to invite users"
- API key create: disabled with "Please verify email to create an API key"
- Share button: disabled with "Please verify email to share topology"
Uses the same tooltip action from the billing plan modal.

- Remove the tally.so community submission globe link
- Add title="Export" to ExportButton
- Add title="Share" to share button (both verified and unverified states)
- Clean up unused Globe import and topology_submitToCommunity i18n import

- Rename sidebar label from "Discovery" to "Scans" to avoid
  redundancy under the "Discover" section header
- Show green notification dot on sidebar Scans icon when a
  discovery session is actively running
- Show matching dot on Sessions sub-tab via new notifications
  prop on ContentSubTabs

…cted features

The EmptyState component had a second Create button that was not
disabled for unverified users.

…cted features

…ns sidebar tabs

- Add loading spinner to OIDC provider buttons on login/register
- Convert background images from PNG to WebP (778KB → 44KB each)
- Update oidc.toml.example with issuer URL guidance
- Fix workflow whitespace