commit 88cf6458d02b465b99497b4334964a94d4ba8048
Author: Olivier <olivier@raspot.in>
Date:   Sun May 17 09:19:19 2026 +0200

    Initial commit — Stupid Simple Network Inventory
    
    Application web d'inventaire réseau manuel avec FastAPI, Vue 3 et Docker.
    Inclut l'authentification JWT, la découverte ICMP, et la topologie en cards CSS.
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..fa58bbb
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,47 @@
+# Stupid Simple Network Inventory — environment variables
+# Copy this file to .env and fill in the values.
+# NEVER commit .env to version control.
+
+# ── JWT Secret ───────────────────────────────────────────────────────���──────
+# Required in production. If unset, a random key is auto-generated and stored
+# in db_data/secret_key.txt (0600 permissions). All sessions are invalidated
+# when this key changes (key rotation).
+#
+# Generate a strong secret:
+#   python3 -c "import secrets; print(secrets.token_hex(32))"
+# Or use a Docker secret (recommended for production).
+SECRET_KEY=
+
+# ── Initial admin password ──────────────────────────────────────────────────
+# Set this before the first run to bypass the admin/admin bootstrap.
+# When set: admin is created with this password and must_change_password=0.
+# When unset: admin is created with password "admin" and must_change_password=1
+#             (forced password change on first login).
+#
+# This variable is only read when the users table is empty (first run).
+# It has no effect on subsequent starts.
+INITIAL_ADMIN_PASSWORD=
+
+# ── CORS allowed origins ─────────────────────────────────────────────────────
+# Comma-separated list of allowed origins, or "*" for all (default).
+# The app is designed for same-origin access via the Nginx reverse proxy.
+# Restrict this if you expose the API to multiple origins.
+#
+# Examples:
+#   ALLOWED_ORIGINS=*                           (default — permissive)
+#   ALLOWED_ORIGINS=https://inventory.example.com
+#   ALLOWED_ORIGINS=https://a.example.com,https://b.example.com
+#   ALLOWED_ORIGINS=                            (empty — disables CORS headers)
+ALLOWED_ORIGINS=*
+
+# ── Container user IDs ───────────────────────────────────────────────────────
+# UID and GID used to run the backend process inside the container.
+# Must match the host user owning ./db_data/ to allow read/write on the
+# bind-mounted volume without root privileges.
+#
+# Get your values:  id -u && id -g
+# Then create the data directory before the first run:
+#   mkdir -p db_data
+#
+DOCKER_UID=1000
+DOCKER_GID=1000
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..78f2f4b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,71 @@
+# ── Secrets & données runtime ─────────────────────────────────────────────────
+# Ne JAMAIS committer : clés, mots de passe, base de données, tokens
+.env
+.env.local
+.env.*.local
+data/
+db_data/
+*.db
+*.db-journal
+*.db-shm
+*.db-wal
+secret_key.txt
+
+# ── Outils IA / sessions de développement ─────────────────────────────────────
+# Contiennent des IDs de session, permissions locales — pas de valeur pour le dépôt
+.claude/
+.agents/
+.codex/
+claude-session.txt
+.aider*
+
+# ── Python ────────────────────────────────────────────────────────────────────
+__pycache__/
+*.py[cod]
+*.pyo
+*.pyd
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+*.egg-info/
+dist/
+build/
+venv/
+.venv/
+env/
+pip-wheel-metadata/
+
+# ── Node / Frontend ───────────────────────────────────────────────────────────
+frontend/node_modules/
+frontend/dist/
+frontend/.vite/
+*.tsbuildinfo
+
+# ── Logs ─────────────────────────────────────────────────────────────────────
+*.log
+logs/
+npm-debug.log*
+
+# ── Certificats & clés PKI ───────────────────────────────────────────────────
+*.pem
+*.key
+*.crt
+*.p12
+*.pfx
+*.cer
+
+# ── IDE & éditeurs ────────────────────────────────────────────────────────────
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+.project
+.classpath
+
+# ── OS ────────────────────────────────────────────────────────────────────────
+.DS_Store
+.DS_Store?
+._*
+Thumbs.db
+Desktop.ini
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..549742c
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,207 @@
+# Stupid Simple Network Inventory — Agent Notes
+
+## Project Overview
+
+Web application for manual server/network inventory and logical network topology display.
+
+## Stack
+
+- Backend: FastAPI, Python 3.11, SQLAlchemy, SQLite
+- Frontend: Vue 3 + Vite
+- Topology view: CSS cards, no Cytoscape
+- Icons: `lucide-vue-next` for generic UI, `simple-icons` for brand logos
+- Reverse proxy: Nginx serves the frontend and proxies `/api/` to the backend
+- Runtime: Docker Compose
+
+## Run
+
+```bash
+docker compose up --build -d
+```
+
+Application URL: http://localhost:8080
+
+## Architecture
+
+- `backend/main.py`: FastAPI entry point + startup SQLite migrations (run before `create_all`)
+- `backend/database.py`: SQLAlchemy engine and sessions
+- `backend/models.py`: ORM models (User, Vlan, Device, DeviceInterface)
+- `backend/routers/auth.py`: JWT login, account update, token refresh — exports `get_current_user` for main.py
+- `backend/routers/vlans.py`: network CRUD
+- `backend/routers/devices.py`: device CRUD — assign fields explicitly, do not use `model_dump()` on Device
+- `backend/routers/discovery.py`: ICMP ping sweep + DNS PTR (`/scan`) + parallel ping (`/ping`)
+- `frontend/src/App.vue`: global layout and state + auth guard (shows LoginPage if not authenticated)
+- `frontend/src/api.js`: axios API calls (`vlansApi`, `devicesApi`, `discoveryApi`, `authApi`)
+- `frontend/src/auth.js`: reactive auth state (`isAuthenticated`, `currentUsername`, `setAuth`, `clearAuth`, `getToken`) — persisted in localStorage
+- `frontend/src/i18n.js`: i18n — `locale` (ref), `t(key)`, `tFmt(key, ...args)`, `setLocale(lang)`
+- `frontend/src/theme.js`: theme — `theme` (ref), `toggleTheme()`, applies/removes `html.dark` class
+- `frontend/src/brandIcons.js`: BRANDS array + `detectBrands(name, description)` — shared utility
+- `frontend/src/components/TopologyGraph.vue`: topology card layout, ping feature
+- `frontend/src/components/DeviceIcon.vue`: Lucide type icon (prop `typeOnly`) or brand logos
+- `frontend/src/components/DeviceManager.vue`: device CRUD + filter bar + search
+- `frontend/src/components/VlanManager.vue`: network CRUD (LANs + VLANs)
+- `frontend/src/components/DiscoveryModal.vue`: automatic discovery UI
+- `frontend/src/components/LoginPage.vue`: full-screen login form, emits `@login` with `{ token, username }`
+- `frontend/src/components/AccountModal.vue`: change username/password, emits `@updated` with new token
+
+## Data Model
+
+- `User`: `id`, `username` (unique), `hashed_password` (bcrypt), `must_change_password` (bool, default 0), `token_version` (int, default 1)
+- `Vlan`: `id`, `vlan_id` (nullable int — null = plain LAN), `name`, `cidr`, `color`
+- `Device`: `id`, `name`, `type`, `description`, `is_gateway`, `is_livebox`, `virt_type` (nullable), `url` (nullable)
+- `DeviceInterface`: `id`, `device_id`, `vlan_id` (nullable FK), `ip_address`, `name`, `is_upstream`
+
+## Authentication
+
+JWT HS256, **24-hour expiry**. Payload: `{ sub: username, ver: token_version, exp: ... }`. Secret key persisted in `data/secret_key.txt` (0600 permissions) or `SECRET_KEY` env var.
+
+Default credentials: `admin` / `admin` — seeded with `must_change_password=1` by `_migrate_users()` if the `users` table is empty. Set `INITIAL_ADMIN_PASSWORD` env var to skip this bootstrap.
+
+**Token invalidation**: password change increments `User.token_version`. `get_current_user` rejects tokens whose `ver` doesn't match → old sessions expire immediately.
+
+**must_change_password**: when `True`, business routers return 403 `"Password change required"`. The frontend shows a forced `<AccountModal :forced="true">` that blocks the app. `_migrate_force_admin_password_change()` sets this flag at startup if admin's password is still the default.
+
+**bcrypt compatibility**: `passlib 1.7.4` is incompatible with `bcrypt >= 4.0`. `requirements.txt` pins `bcrypt==3.2.2`. Do not upgrade `bcrypt` without also upgrading `passlib`.
+
+Business route groups protected via `dependencies=[Depends(require_password_changed)]` (wraps `get_current_user`). Auth router has no protection.
+
+Frontend auth guard in `App.vue`:
+- `!isAuthenticated` → `<LoginPage>`
+- `mustChangePassword` → `<AccountModal :forced="true">`
+- else → full app
+
+Template root is `<div class="app-root">` with `display: contents` — prevents Firefox autofill overlay `NotFoundError` on fragment comment nodes.
+
+## Device Types (18)
+
+`server`, `switch`, `router`, `nas`, `gateway`, `livebox`, `access_point`, `camera`, `temperature`, `sensor`, `hub`, `smart_plug`, `alarm`, `light`, `doorbell`, `desktop`, `laptop`, `other`
+
+## Device Fields
+
+### virt_type
+Form label: "Type d'environnement d'exécution". Values: `null`, `baremetal`, `lxc`, `qemu`.
+
+### url
+Optional web UI URL. Hidden in the form for `desktop` and `laptop` types. Displayed as a clickable link in the device card, and as a green "Link" tag on topology chips.
+
+When adding a new Device field: update `models.py`, add a startup migration in `main.py`, update `DeviceCreate` and `DeviceOut` in `routers/devices.py`, assign explicitly in `create_device` and `update_device`.
+
+## Networks (VlanManager)
+
+`vlan_id` is optional. Omitting it creates a plain LAN ("LAN" badge). Networks ordered: LANs first (NULL vlan_id), then VLANs by ascending ID.
+
+## Topology View
+
+`TopologyGraph.vue` uses CSS cards only.
+
+- Toolbar: Ping button with animated dot indicator + up/down count
+- WAN card: red, `is_livebox` devices
+- Gateway card: yellow, `is_gateway` devices
+- Network list: one full-width card per network, stacked vertically (flex-col); a device appears in every card matching its interfaces
+- Unassigned card: devices with no interface, not livebox, not gateway
+- Devices sorted by IP ascending; no-IP devices go last
+
+### Card layout
+
+All network cards are full width, stacked vertically. Inside each card, chips are arranged in a horizontal grid (`grid auto-fill, minmax(210px, 1fr)`), wrapping as needed. Card height grows with the number of chips. Single column below 600px.
+
+### Device chip structure
+
+```
+[chip-icon (type, Lucide)] [chip-body] [chip-tags]
+                            chip-name
+                            chip-sub: IP + iface + brand SVGs (11px)
+                                      chip-tags: Link | GW | LXC | VM + ping dot
+```
+
+- `chip-icon`: always the Lucide type icon (`type-only` prop)
+- Brand logos: small colored SVGs in `chip-sub`, no text label, `title` tooltip on hover
+- `tag-link`: green, clickable `<a>`, only if `device.url` is set
+- Ping dot: green (`ping-up`) or red (`ping-down`), shown after a ping run
+
+## DeviceIcon.vue
+
+Prop `typeOnly` (bool, default false):
+- `false`: show brand logos if detected, else Lucide — used in TopologyGraph chips
+- `true`: always show Lucide type icon — used in DeviceManager cards
+
+## Brand Icons (brandIcons.js)
+
+Central `detectBrands(name, description)` returns all matching brand icon objects from `simple-icons`.
+
+To check if a brand exists: `node -e "const si = require('./node_modules/simple-icons'); console.log(Object.keys(si).filter(k => k.toLowerCase().includes('name')))"`
+
+To add a brand: import `si<Name>` in `brandIcons.js`, add entry to `BRANDS` array.
+
+Supported brands: Proxmox, Docker, Synology, TrueNAS, Ubiquiti/UniFi, MikroTik, Cisco, TP-Link, ASUS, Netgear, pfSense, OPNsense, OpenWrt, Apache/Apache2, Traefik, MariaDB, Kubernetes/k3s, Debian, Ubuntu, Ansible, Dell, HP, Raspberry Pi, Arduino, KDE/Plasma, Excalidraw, Nextcloud, Paperless-NGX, Uptime Kuma, MkDocs, Jellyfin, Home Assistant, Philips Hue, Xiaomi.
+
+## DeviceManager Filter Bar
+
+Compact 28px bar combining:
+- Search input (name, description, IP — real-time, Escape to clear)
+- Type dropdown (multi-select, only present types)
+- Network dropdown (with color swatch)
+- Brand dropdown (with SVG icon, sorted alphabetically)
+- Virt dropdown (only if at least one device has a virt_type)
+
+All filters combine (AND between categories, OR within). "Clear" button + "X / total" counter when active.
+
+## Ping (discovery.py)
+
+`POST /api/discovery/ping` — parallel ICMP ping, 50 workers.
+- Body: `{ ips: ["1.2.3.4", ...] }`
+- Returns: `[{ ip, alive }, ...]`
+
+Device status: "up" if any of its IPs responds, "down" if all fail, no dot if no IPs.
+
+## SQLite Migrations (main.py)
+
+Idempotent startup migrations run before `create_all`:
+- `_migrate_vlan_nullable()`: recreates `vlans` to allow NULL `vlan_id`
+- `_migrate_device_virt_type()`: adds `virt_type VARCHAR` to `devices`
+- `_migrate_device_url()`: adds `url VARCHAR` to `devices`
+- `_migrate_users()`: creates the `users` table and seeds `admin`/`admin` if count is 0
+
+Pattern for new nullable column: check if column exists via `PRAGMA table_info`, run `ALTER TABLE … ADD COLUMN` if missing.
+
+## Discovery
+
+`POST /api/discovery/scan`: ICMP ping sweep + DNS PTR lookup. Max 1024 hosts/network, 100 workers. Needs `cap_add: NET_RAW` (already configured).
+
+## Theme (theme.js)
+
+`theme.js` exports `theme` (ref, `'light'`/`'dark'`) and `toggleTheme()`. Persisted in `localStorage('theme')`. Applies/removes `html.dark` class on `document.documentElement`.
+
+CSS variables are defined in `App.vue` global `<style>`:
+- `:root` — light theme
+- `html.dark` — dark theme
+
+Available variables: `--bg-page`, `--bg-card`, `--bg-card-hover`, `--bg-input`, `--bg-thead`, `--bg-chip`, `--bg-chip-hover`, `--border`, `--border-strong`, `--text-primary`, `--text-secondary`, `--text-muted`, `--text-faint`, `--chip-ip-bg`, `--chip-ip-color`, `--modal-overlay`, `--shadow-card`, `--shadow-modal`, `--shadow-drop`.
+
+**Rule**: all background/text/border colors in components must use these variables, not hardcoded hex. Exception: semantic fixed colors (type-specific chip icon colors, VLAN badge colors) stay as hex.
+
+Dark-mode overrides for scoped components must use `:global(html.dark .selector)` — the full selector must be inside the parentheses. `:global(html.dark) .selector` does NOT work (Vue's scoped CSS transformer does not follow descendant selectors after `:global()`).
+
+Toggle button (☾/☀) in sidebar footer.
+
+## i18n (i18n.js)
+
+`i18n.js` exports `locale` (ref), `t(key)`, `tFmt(key, ...args)`, `setLocale(lang)`. Persisted in `localStorage('locale')`, default `'fr'`.
+
+Supported languages: `fr`, `en`, `es`.
+
+**Rule**: all visible UI strings use `t('key')` — never hardcoded text in templates. `deviceTypes` in `DeviceManager` is a `computed` (not a const) so type labels react to locale changes.
+
+Language switcher pills (fr / en / es) in sidebar footer.
+
+## Favicon
+
+`frontend/public/favicon.svg` — SVG network graph icon (indigo #6366f1), same shape as sidebar logo. Linked in `index.html` as `<link rel="icon" type="image/svg+xml" href="/favicon.svg" />`.
+
+## Action Buttons (btn-icon)
+
+`.btn-icon` uses `background: var(--bg-chip)` and `color: var(--text-secondary)` for adequate contrast in both themes. Hover: `var(--border-strong)` / `var(--text-primary)`. Danger hover: `rgba(239,68,68,0.15)` (transparent red, theme-neutral).
+
+## Persistence
+
+Docker volume `db_data` → `/app/data/topology.db` and `/app/data/secret_key.txt`.
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..265a9c9
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,247 @@
+# Stupid Simple Network Inventory
+
+Application web d'inventaire manuel de serveurs et de génération de topologie réseau logique.
+
+## Stack technique
+
+- **Backend** : FastAPI (Python 3.11) + SQLAlchemy + SQLite
+- **Frontend** : Vue 3 + Vite (pas de Cytoscape — topologie en cards CSS)
+- **Icônes** : `lucide-vue-next` (UI générique) + `simple-icons` (logos de marques)
+- **Reverse proxy** : Nginx (sert le frontend et proxifie `/api/` vers le backend)
+- **Conteneurisation** : Docker Compose
+
+## Lancement
+
+```bash
+docker compose up --build -d
+```
+
+L'application est accessible sur **http://localhost:8080**
+
+## Architecture
+
+```
+topologie/
+├── docker-compose.yml
+├── backend/
+│   ├── Dockerfile           # Python 3.11-slim + iputils-ping (pour ICMP)
+│   ├── requirements.txt     # fastapi, sqlalchemy, dnspython, ...
+│   ├── main.py              # Point d'entrée FastAPI + migrations SQLite au démarrage
+│   ├── database.py          # SQLAlchemy engine + session
+│   ├── models.py            # Modèles ORM (Vlan, Device, DeviceInterface)
+│   └── routers/
+│       ├── vlans.py
+│       ├── devices.py
+│       └── discovery.py     # POST /api/discovery/scan + POST /api/discovery/ping
+└── frontend/
+    ├── Dockerfile           # Multi-stage: build Vite → Nginx
+    ├── nginx.conf           # Proxy /api/ → backend:8000
+    ├── index.html
+    ├── package.json
+    ├── vite.config.js
+    └── src/
+        ├── main.js
+        ├── App.vue           # Layout + état global (vlans, devices) + garde auth
+        ├── api.js            # Appels axios (vlansApi, devicesApi, discoveryApi, authApi)
+        ├── auth.js           # État auth : isAuthenticated, currentUsername, setAuth(), clearAuth()
+        ├── i18n.js           # Internationalisation : locale (ref), t(key), tFmt(key, ...args), setLocale()
+        ├── theme.js          # Thème : theme (ref), toggleTheme() — classe html.dark
+        ├── brandIcons.js     # Tableau BRANDS + fonction detectBrands() — partagé entre composants
+        └── components/
+            ├── TopologyGraph.vue   # Vue cards par réseau + ping statut
+            ├── DeviceIcon.vue      # Icône Lucide par type (prop typeOnly) ou logos marques
+            ├── DeviceManager.vue   # CRUD équipements + barre filtres/recherche
+            ├── VlanManager.vue     # CRUD réseaux (VLANs + LANs classiques)
+            ├── DiscoveryModal.vue  # Découverte auto : ping sweep + DNS PTR
+            ├── LoginPage.vue       # Page de connexion plein écran
+            └── AccountModal.vue    # Modale changement nom d'utilisateur / mot de passe
+```
+
+## Modèle de données
+
+- **User** : id, username (unique), hashed_password (bcrypt)
+- **Vlan** : id, vlan_id (int, nullable — null = LAN classique sans tag 802.1Q), name, cidr, color
+- **Device** : id, name, type, description, is_gateway, is_livebox, virt_type (nullable), url (nullable)
+- **DeviceInterface** : id, device_id, vlan_id (nullable), ip_address, name, is_upstream
+
+## Types d'équipements (18)
+
+`server`, `switch`, `router`, `nas`, `gateway`, `livebox`, `access_point`, `camera`, `temperature`, `sensor`, `hub`, `smart_plug`, `alarm`, `light`, `doorbell`, `desktop`, `laptop`, `other`
+
+## Champ virt_type (Device)
+
+Libellé dans le formulaire : "Type d'environnement d'exécution". Valeurs :
+- `null` — non précisé (défaut)
+- `baremetal` — serveur physique
+- `lxc` — conteneur LXC (tag bleu "LXC" dans la topologie)
+- `qemu` — VM QEMU/KVM (tag violet "VM" dans la topologie)
+
+## Champ url (Device)
+
+URL optionnelle d'accès à l'interface web de l'équipement. Non applicable aux types `desktop` et `laptop` (masqué dans le formulaire). Affiché comme lien cliquable dans la card équipement et comme tag "Link" vert sur les chips de topologie.
+
+## Réseaux (VlanManager.vue)
+
+`vlan_id` est optionnel. Si absent → réseau LAN classique (badge "LAN"). Si présent → VLAN 802.1Q (badge "VLAN X").
+Les réseaux sont triés : LANs en premier (vlan_id NULL), puis VLANs par ID croissant.
+
+## Topologie (TopologyGraph.vue)
+
+Pas de graphe Cytoscape. Layout en cards CSS :
+- **Barre d'outils** en haut : bouton Ping avec indicateur animé + compteur up/down
+- **Carte WAN** (rouge) — devices `is_livebox`
+- **Carte Passerelle** (jaune) — devices `is_gateway`
+- **Grille réseaux** — une card par réseau (LAN ou VLAN), chaque device apparaît dans toutes les cards de ses réseaux (multi-réseau natif)
+- **Zone non assigné** — devices sans interface réseau, ni livebox, ni gateway
+- **Tri** : devices triés par IP croissante dans chaque card
+
+### Layout des cards
+
+- **Cards pleine largeur**, empilées verticalement (flex-col) — toutes de la même largeur, hauteur variable selon le nombre de devices
+- Barre colorée en haut de chaque card (3px, couleur du réseau), bordures latérales neutres
+- Header : badge VLAN/LAN (pill colorée) + nom + CIDR inline + compteur de devices (pill)
+- **Chips en grille horizontale** (`grid auto-fill, minmax(210px, 1fr)`) à l'intérieur de chaque card — s'adaptent automatiquement au nombre de colonnes disponibles
+- Responsive : sous 600px, une seule colonne de chips
+
+### Device chip
+
+- Icône de type (Lucide) toujours dans le carré arrondi (28px) avec fond coloré
+- Nom (bold 12px) + IP (pill monospace) + nom d'interface (grisé) + logos de marques (SVG colorés 11px)
+- Tags à droite en colonne : **Link** (vert, cliquable — tag URL de l'équipement) / **GW** / **LXC** / **VM**
+- Dot de ping : vert (joignable) ou rouge (injoignable), affiché après un ping
+
+## Icônes (DeviceIcon.vue + brandIcons.js)
+
+La détection de marque est centralisée dans `brandIcons.js` (`detectBrands(name, description)`).
+
+`DeviceIcon.vue` accepte une prop `typeOnly` (booléen) :
+- `false` (défaut) : affiche les logos de marques si détectés, sinon icône Lucide — utilisé dans TopologyGraph
+- `true` : toujours l'icône Lucide par type — utilisé dans DeviceManager
+
+Dans **DeviceManager**, les logos de marques apparaissent comme badges colorés séparés (couleur officielle de la marque) dans les meta de la card.
+
+Dans **TopologyGraph**, les logos de marques apparaissent comme petits SVG 11px colorés dans `chip-sub`.
+
+Marques supportées via Simple Icons :
+Proxmox, Docker, Synology, TrueNAS, Ubiquiti/UniFi, MikroTik, Cisco, TP-Link, ASUS, Netgear, pfSense, OPNsense, OpenWrt, Apache/Apache2, Traefik, MariaDB, Kubernetes/k3s, Debian, Ubuntu, Ansible, Dell, HP, Raspberry Pi, Arduino, KDE/Plasma, Excalidraw, Nextcloud, Paperless-NGX, Uptime Kuma, MkDocs, Jellyfin, Home Assistant, Philips Hue, Xiaomi
+
+Pour ajouter une marque : vérifier avec `node -e "const si = require('./node_modules/simple-icons'); console.log(Object.keys(si).filter(k => k.toLowerCase().includes('nom')))"`, importer `si<Name>` dans `brandIcons.js`, ajouter une entrée dans BRANDS.
+
+Fallback : Lucide (icône par type d'équipement).
+
+## Vue Équipements (DeviceManager.vue)
+
+### Barre de filtres + recherche
+
+Barre compacte (28px) combinant :
+- **Champ de recherche** : filtre par nom, description ou IP en temps réel (Échap pour vider)
+- **Filtre Type** : dropdown multi-sélection, seuls les types présents dans les données
+- **Filtre Réseau** : dropdown avec pastille colorée par VLAN/LAN
+- **Filtre Marque** : dropdown avec icône SVG, trié alphabétiquement
+- **Filtre Virt** : dropdown, seulement si au moins un équipement a un virt_type
+
+Tous les filtres sont combinables (ET entre catégories, OU à l'intérieur). Bouton "Effacer" + compteur `X / total` si filtre actif.
+
+## Ping (discovery.py + TopologyGraph.vue)
+
+`POST /api/discovery/ping` — ping ICMP parallèle (50 workers).
+- Body : `{ ips: ["1.2.3.4", ...] }`
+- Retourne : `[{ ip, alive }, ...]`
+
+Dans la topologie : bouton "Ping" déclenche le ping de toutes les IPs connues. Un équipement est "up" si au moins une de ses IPs répond. Dot vert/rouge sur chaque chip.
+
+## Authentification (auth.py + auth.js)
+
+JWT HS256, **expiration 24h**. Payload : `{ sub: username, ver: token_version, exp: ... }`. Clé secrète dans `data/secret_key.txt` (permissions 0600, auto-générée) ou `SECRET_KEY` env var.
+
+**Compte par défaut** : `admin` / `admin` avec `must_change_password=1` — créé si la table `users` est vide. Définir `INITIAL_ADMIN_PASSWORD` pour un mot de passe personnalisé (sans changement forcé). La migration `_migrate_force_admin_password_change()` remet `must_change_password=1` si l'admin utilise encore le mot de passe bootstrap sur une base existante.
+
+**Invalidation de token** : le changement de mot de passe incrémente `User.token_version`. `get_current_user` rejette tout token dont `ver` ne correspond pas → invalidation immédiate des sessions précédentes.
+
+**Compatibilité bcrypt** : `passlib 1.7.4` est incompatible avec `bcrypt >= 4.0`. Le fichier `requirements.txt` épingle `bcrypt==3.2.2`. Ne pas mettre à jour `bcrypt` sans mettre à jour `passlib`.
+
+### Endpoints auth
+
+| Méthode | Chemin | Auth requise | Description |
+|---------|--------|:------------:|-------------|
+| POST | `/api/auth/login` | Non | Form → `{ access_token, token_type, username, must_change_password }` — 429 si rate-limited |
+| PUT | `/api/auth/account` | Oui (même si must_change) | `{ current_password, new_username?, new_password? }` → nouveau token + `must_change_password` |
+| GET | `/api/auth/me` | Oui | `{ username, must_change_password }` |
+
+Routeurs métier protégés via `dependencies=[Depends(require_password_changed)]` (= `get_current_user` + rejet 403 si `must_change_password=True`).
+
+### Côté frontend
+
+`auth.js` expose `isAuthenticated`, `currentUsername`, `mustChangePassword` (refs) et `setAuth(token, username, mustChange)`, `clearAuth()`, `getToken()`. Persisté dans `localStorage`.
+
+`App.vue` guard :
+- `!isAuthenticated` → `<LoginPage>`
+- `mustChangePassword` → `<AccountModal :forced="true">` (bloque l'application)
+- sinon → application complète
+
+Template enveloppé dans `<div class="app-root">` (un seul nœud racine) pour éviter le bug Firefox avec l'overlay d'autofill sur les fragments Vue (plusieurs nœuds racines). `.app-root` utilise `display: flex; flex-direction: column; min-height: 100vh` — ne pas revenir à `display: contents` (bug Firefox : les clics ne sont plus dispatché aux enfants après un remplacement du DOM à l'intérieur d'un élément `display: contents`).
+
+## Migrations SQLite (main.py)
+
+`main.py` exécute des migrations idempotentes au démarrage avant `create_all` :
+- `_migrate_vlan_nullable()` — recrée `vlans` sans contrainte NOT NULL sur `vlan_id`
+- `_migrate_device_virt_type()` — ajoute `virt_type` si absente
+- `_migrate_device_url()` — ajoute `url` si absente
+- `_migrate_users_must_change_password()` — ajoute `must_change_password` si absente
+- `_migrate_users_token_version()` — ajoute `token_version` si absente
+- `_migrate_force_admin_password_change()` — rattrapage : force must_change si admin utilise le mot de passe bootstrap
+- `_migrate_drop_links_table()` — supprime la table `links` (fonctionnalité retirée en phase 3)
+- `_migrate_users()` — crée `users` + compte admin si vide
+
+Pour toute nouvelle colonne nullable sur une table existante, ajouter une fonction de migration du même type.
+
+Quand on ajoute un champ à Device : mettre à jour `models.py`, ajouter la migration dans `main.py`, ajouter le champ dans `DeviceCreate` et `DeviceOut` dans `routers/devices.py`, l'assigner explicitement dans `create_device` et `update_device`.
+
+## Découverte automatique (DiscoveryModal.vue)
+
+`POST /api/discovery/scan` — ping sweep ICMP + lookup PTR DNS contre un serveur DNS configurable.
+- Max 1024 hôtes par VLAN, 100 workers concurrents
+- Retourne : ip, hostname, vlan_id, durée
+- Nécessite `cap_add: NET_RAW` sur le service backend (déjà configuré)
+
+## Thème (theme.js + App.vue)
+
+`frontend/src/theme.js` exporte `theme` (ref) et `toggleTheme()`.
+- Valeurs : `'light'` (défaut) / `'dark'`
+- Persisté dans `localStorage('theme')`
+- Applique / retire la classe `html.dark` via `watch`
+
+Les variables CSS sont définies dans le `<style>` global de `App.vue` :
+- `:root` — thème clair (`--bg-page: #F1F5F9`, `--bg-card: #ffffff`, `--text-primary: #0F172A`, ...)
+- `html.dark` — thème sombre (`--bg-page: #0F172A`, `--bg-card: #1E293B`, `--text-primary: #F1F5F9`, ...)
+
+Variables disponibles : `--bg-page`, `--bg-card`, `--bg-card-hover`, `--bg-input`, `--bg-thead`, `--bg-chip`, `--bg-chip-hover`, `--border`, `--border-strong`, `--text-primary`, `--text-secondary`, `--text-muted`, `--text-faint`, `--chip-ip-bg`, `--chip-ip-color`, `--modal-overlay`, `--shadow-card`, `--shadow-modal`, `--shadow-drop`.
+
+Bouton toggle (☾/☀) dans le footer de la sidebar.
+
+**Règle** : toutes les couleurs de fond/texte/bordure dans les composants doivent utiliser ces variables, pas des valeurs hex hardcodées.
+
+Exception : les couleurs sémantiques fixes (couleur des icônes par type d'équipement dans les chips, couleurs des badges VLAN) restent en hex car elles ne dépendent pas du thème.
+
+## Internationalisation (i18n.js)
+
+`frontend/src/i18n.js` exporte :
+- `locale` (ref) — langue active, persistée dans `localStorage('locale')`, défaut `'fr'`
+- `setLocale(lang)` — change la langue
+- `t(key)` — retourne la traduction, fallback `'fr'` puis la clé brute
+- `tFmt(key, ...args)` — idem avec interpolation `{0}`, `{1}`, ...
+
+Langues supportées : **français** (`fr`), **anglais** (`en`), **espagnol** (`es`).
+
+Sélecteur (pills `fr / en / es`) dans le footer de la sidebar.
+
+**Règle** : toutes les chaînes visibles dans l'UI passent par `t('key')` — jamais de texte hardcodé dans les templates. `deviceTypes` dans `DeviceManager` est un `computed` (pas une constante) pour réagir aux changements de locale.
+
+## Favicon
+
+`frontend/public/favicon.svg` — SVG indigo (#6366f1), même forme que le logo sidebar (graphe de nœuds réseau).
+Référencé dans `frontend/index.html` : `<link rel="icon" type="image/svg+xml" href="/favicon.svg" />`.
+
+## Données persistées
+
+Volume Docker `db_data` monté sur `/app/data/` → `topology.db` (SQLite)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0cf88fa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,211 @@
+# Stupid Simple Network Inventory
+
+Self-hosted web application for manual network inventory and logical network topology visualisation.
+
+## Stack
+
+| Layer | Technology |
+|-------|-----------|
+| Backend | FastAPI + SQLAlchemy + SQLite (Python 3.11) |
+| Frontend | Vue 3 + Vite, served by Nginx |
+| Auth | JWT HS256, 24-hour expiry |
+| Runtime | Docker Compose |
+
+---
+
+## Quick start
+
+```bash
+# 1. Clone and enter the project
+git clone <repo> && cd topologie
+
+# 2. Create the data directory owned by the current user
+mkdir -p db_data
+
+# 3. Configure environment (required for correct bind-mount ownership)
+cp .env.example .env
+# Set DOCKER_UID / DOCKER_GID to match your host user:
+#   id -u && id -g
+# Set INITIAL_ADMIN_PASSWORD to avoid the admin/admin bootstrap.
+
+# 4. Build and start
+docker compose --env-file .env up --build -d
+
+# 5. Open the app
+open http://localhost:8080
+```
+
+### First login
+
+| Case | Credentials | Behaviour |
+|------|------------|-----------|
+| `INITIAL_ADMIN_PASSWORD` set | `admin` / `<your password>` | Normal login |
+| `INITIAL_ADMIN_PASSWORD` unset | `admin` / `admin` | Forced password change before accessing the app |
+
+---
+
+## Configuration
+
+All configuration is via environment variables. See `.env.example` for the full list with descriptions.
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SECRET_KEY` | auto-generated | JWT signing key. Set explicitly in production. |
+| `INITIAL_ADMIN_PASSWORD` | _(empty)_ | Bootstrap admin password. If unset, `admin/admin` is used with forced change. |
+| `ALLOWED_ORIGINS` | `*` | CORS allowed origins (comma-separated). Set to your domain in production. |
+| `DOCKER_UID` / `DOCKER_GID` | `1000` | UID/GID for the backend process. Must match the host user owning `./db_data/`. |
+
+### Using .env with Docker Compose
+
+```bash
+cp .env.example .env
+# Edit .env — at minimum set DOCKER_UID, DOCKER_GID, INITIAL_ADMIN_PASSWORD
+docker compose --env-file .env up --build -d
+```
+
+---
+
+## Security
+
+### Secret management
+
+Two options depending on your security requirements.
+
+#### Option A — Auto-generated secret (recommended for single-node)
+
+Leave `SECRET_KEY` unset (or empty) in `.env`. On first start the backend generates a random 64-character hex key, writes it to `db_data/secret_key.txt` with permissions **0600**, and reuses it on every subsequent restart. The secret never appears in an environment variable, a compose file, or a log.
+
+```bash
+# .env — leave the line empty or remove it
+SECRET_KEY=
+```
+
+The only requirement is that `db_data/` is backed up (it already contains the database).
+
+#### Option B — Docker Compose file secret
+
+Stores the secret in a file on the host, outside version control, and mounts it into the container. The value never appears in an environment variable.
+
+```bash
+# Generate and store the secret outside the project directory
+mkdir -p ~/.secrets
+python3 -c "import secrets; print(secrets.token_hex(32))" > ~/.secrets/topologie_secret_key
+chmod 600 ~/.secrets/topologie_secret_key
+```
+
+Then uncomment the `secrets:` blocks in `docker-compose.yml` (see comments in that file) and remove `SECRET_KEY` from `.env`. Docker Compose merges the override automatically:
+
+```bash
+docker compose up -d
+```
+
+---
+
+### Key rotation
+
+To rotate the JWT secret (invalidates all active sessions):
+
+```bash
+# Option A — environment variable (recommended)
+# Set a new SECRET_KEY in your deployment config and restart
+
+# Option B — file rotation
+docker compose stop backend
+rm db_data/secret_key.txt
+docker compose start backend
+# All users will need to log in again
+```
+
+### HTTPS
+
+This application does not terminate TLS. For production use, place it behind a reverse proxy that handles HTTPS:
+
+```nginx
+# Example nginx reverse-proxy (external, on the host or a dedicated container)
+server {
+    listen 443 ssl;
+    server_name inventory.example.com;
+
+    ssl_certificate     /etc/letsencrypt/live/inventory.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/inventory.example.com/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+For local-only use, bind to loopback to prevent accidental LAN exposure:
+
+```yaml
+# docker-compose.override.yml
+services:
+  frontend:
+    ports:
+      - "127.0.0.1:8080:8080"
+```
+
+### Container hardening
+
+The containers run with reduced privileges:
+
+| Measure | Backend | Frontend |
+|---------|---------|----------|
+| Non-root user | `DOCKER_UID:DOCKER_GID` (host user) | `nginx` (UID 101) |
+| `cap_drop: ALL` | ✓ | ✓ |
+| `cap_add: NET_RAW` | ✓ (ping) | — |
+| `no-new-privileges` | — ¹ | ✓ |
+| Healthcheck | ✓ | ✓ |
+
+¹ Omitted on the backend: ping uses file capabilities (`cap_net_raw=ep`); `no-new-privileges` suppresses the file effective bit and would prevent the subprocess from acquiring `CAP_NET_RAW` in its effective set even though the parent holds it in its permitted set.
+
+---
+
+## Data persistence
+
+All data is stored in `./db_data/`:
+
+| File | Description |
+|------|-------------|
+| `topology.db` | SQLite database |
+| `secret_key.txt` | Auto-generated JWT secret (0600 permissions) |
+
+**Backup**: `cp -r db_data/ db_data.bak/`
+
+**Restore**: stop the stack, replace `db_data/`, restart.
+
+---
+
+## Development
+
+### Backend tests
+
+```bash
+cd backend
+pip install -r requirements.txt -r requirements-test.txt
+pytest tests/ -v
+```
+
+### Local dev (without Docker)
+
+```bash
+# Backend
+cd backend
+pip install -r requirements.txt
+uvicorn main:app --reload
+
+# Frontend (separate terminal)
+cd frontend
+npm install
+npm run dev   # Vite dev server on :5173, proxies /api/ to :8000
+```
+
+---
+
+## Architecture
+
+See [`docs/architecture.md`](docs/architecture.md) for the detailed request flow, Docker setup, and authentication model.
diff --git a/SECURITY_AUDIT_BASE.md b/SECURITY_AUDIT_BASE.md
new file mode 100644
index 0000000..4d70433
--- /dev/null
+++ b/SECURITY_AUDIT_BASE.md
@@ -0,0 +1,336 @@
+# Audit de securite de base
+
+Projet audite: Stupid Simple Network Inventory  
+Date: 2026-05-05  
+Referentiels: OWASP ASVS niveau 1, OWASP Top 10 2021  
+Mode: revue statique locale, sans attaque reelle, sans exploitation, sans correction applicative.
+
+## Synthese
+
+L'application est une SPA Vue exposee par Nginx, avec API FastAPI protegee par JWT pour les routeurs metier. Le modele d'exploitation precise est local, derriere un reverse-proxy. Dans ce modele, certains controles comme TLS, filtrage d'exposition et en-tetes HTTP peuvent legitimement etre portes par le reverse-proxy, mais doivent etre documentes et verifiables.
+
+Risque global estime: moyen en usage local derriere reverse-proxy correctement configure; eleve si le service est expose directement a un LAN non fiable ou a Internet. Le risque principal vient du bootstrap avec identifiants publics `admin/admin` si le changement n'est pas force avant exposition, de l'absence de limitation de tentatives, du stockage du JWT en `localStorage`, de la surface de scan reseau authentifiee et d'un manque de documentation du contrat de securite attendu cote reverse-proxy.
+
+## Perimetre lu
+
+- Documents: `CLAUDE.md`, `AGENTS.md`, `docs/*.md`
+- README: `README.md` absent
+- Config: `docker-compose.yml`, `backend/Dockerfile`, `frontend/Dockerfile`, `frontend/nginx.conf`, `frontend/vite.config.js`, `backend/requirements.txt`, `frontend/package.json`, `frontend/package-lock.json`
+- Backend: `backend/main.py`, `backend/database.py`, `backend/models.py`, `backend/routers/*.py`
+- Frontend: `frontend/src/**/*.js`, `frontend/src/**/*.vue`, `frontend/index.html`
+- `.env.example`: aucun fichier trouve
+
+## Points positifs
+
+- Les routeurs metier `vlans`, `devices`, `links`, `discovery` sont proteges par `Depends(get_current_user)` dans `backend/main.py:105-108`.
+- Les requetes SQL passent par SQLAlchemy ou par `text()` parametre pour les migrations; pas de concatenation SQL dangereuse observee dans les routes CRUD.
+- Le ping utilise `subprocess.run([...])` sans `shell=True` dans `backend/routers/discovery.py:42-46`, ce qui limite fortement l'injection de commande shell.
+- Les mots de passe sont haches avec bcrypt via passlib dans `backend/routers/auth.py:37`.
+- La cle JWT est generee aleatoirement au premier demarrage si `SECRET_KEY` est absent dans `backend/routers/auth.py:20-30`.
+- Les liens externes visibles utilisent `rel="noopener"` dans les composants principaux, ce qui reduit le risque de controle de la fenetre ouvrante.
+
+## Constats principaux
+
+### SEC-01 - Bootstrap administrateur `admin/admin` sans changement force
+
+Priorite: P0  
+OWASP: Top 10 A07 Identification and Authentication Failures, A04 Insecure Design  
+ASVS L1: authentification, gestion des secrets initiaux
+
+Fichiers:
+- `backend/main.py:63-86`
+- `CLAUDE.md` / `AGENTS.md` section Authentication
+- `docs/backend.md`, `docs/extending.md`
+
+La migration `_migrate_users()` cree automatiquement un compte `admin` avec mot de passe `admin` quand la table `users` est vide. Les documents indiquent explicitement ces identifiants comme mot de passe de depart a changer. Ce comportement est donc intentionnel, mais reste un ecart ASVS si l'application peut etre atteinte avant changement manuel: toute instance nouvellement demarree est accessible avec des identifiants publics jusqu'a cette action.
+
+Impact: compromission complete des donnees d'inventaire, utilisation de la fonctionnalite de scan reseau, modification/suppression d'equipements.
+
+Recommandation: conserver ce bootstrap seulement si l'application force le changement au premier login ou si la documentation exige explicitement une premiere connexion depuis localhost/reseau de confiance avant toute exposition. Variante plus robuste: exiger un mot de passe initial via variable d'environnement, fichier secret Docker, ou assistant de premier demarrage.
+
+### SEC-02 - Pas de limitation de tentatives de connexion
+
+Priorite: P1  
+OWASP: A07  
+ASVS L1: protections anti-automatisation de l'authentification
+
+Fichiers:
+- `backend/routers/auth.py:72-77`
+- `frontend/nginx.conf:1-16`
+
+`POST /api/auth/login` ne limite pas les tentatives par IP, par nom utilisateur ou par fenetre temporelle. Nginx ne definit pas non plus de `limit_req`. Une attaque par devinette de mot de passe devient praticable, surtout pendant la phase de bootstrap avant changement du mot de passe initial.
+
+Recommandation: ajouter une limitation cote API ou Nginx, journaliser les echecs, retourner des erreurs generiques et prevoir un delai progressif ou verrouillage temporaire.
+
+### SEC-03 - Politique de mot de passe insuffisante
+
+Priorite: P1  
+OWASP: A07  
+ASVS L1: qualite des secrets d'authentification
+
+Fichiers:
+- `backend/routers/auth.py:66-69`
+- `backend/routers/auth.py:80-95`
+- `frontend/src/components/AccountModal.vue`
+
+`new_password` est accepte s'il est non vide. Aucun minimum de longueur, aucune verification de mot de passe courant compromis/faible, et aucune validation de `new_username` ne sont appliquees cote serveur.
+
+Recommandation: definir une politique minimale cote serveur, par exemple longueur minimale robuste, refus des mots de passe evidents, normalisation/validation du nom utilisateur, messages d'erreur non enumerants.
+
+### SEC-04 - JWT persiste dans `localStorage`
+
+Priorite: P1  
+OWASP: A02 Cryptographic Failures, A07, A05 Security Misconfiguration  
+ASVS L1: protection des tokens de session
+
+Fichiers:
+- `frontend/src/auth.js:3-13`
+- `frontend/src/api.js:6-9`
+- `backend/routers/auth.py:41-43`
+
+Le token JWT est stocke dans `localStorage`. En cas de XSS ou d'extension navigateur compromise, le token est directement lisible. Le token dure 7 jours et ne contient pas de version de session permettant d'invalider les anciens tokens apres changement de mot de passe.
+
+Recommandation: preferer un cookie `HttpOnly`, `Secure`, `SameSite`, et ajouter une strategie d'expiration courte + renouvellement ou une version de session cote base. Si le mode bearer est conserve, reduire la duree de vie et ajouter une invalidation apres changement de mot de passe.
+
+### SEC-05 - CORS ouvert a toutes origines dans l'API interne
+
+Priorite: P2  
+OWASP: A05  
+ASVS L1: configuration HTTP securisee
+
+Fichiers:
+- `backend/main.py:97-102`
+- `docs/backend.md` indique que ce choix est intentionnel pour un outil LAN
+
+`allow_origins=["*"]`, `allow_methods=["*"]`, `allow_headers=["*"]` ouvrent l'API a toute origine. Dans le deploiement Compose actuel, le backend n'est pas publie directement et le navigateur passe par le Nginx frontend/reverse-proxy en meme origine, ce qui reduit fortement le risque pratique. Cela reste une configuration permissive a encadrer si un reverse-proxy externe expose `/api/` ou si l'auth evolue vers des cookies.
+
+Recommandation: soit supprimer CORS si l'API reste strictement interne et servie en meme origine par le reverse-proxy, soit configurer une liste d'origines explicites via environnement. Documenter le contrat attendu: backend non expose directement, `/api/` publie uniquement via le reverse-proxy.
+
+### SEC-06 - Surface de scan reseau et SSRF authentifiee
+
+Priorite: P1  
+OWASP: A10 SSRF, A04 Insecure Design  
+ASVS L1: validation des cibles reseau et limitation d'abus
+
+Fichiers:
+- `backend/routers/discovery.py:22-24`
+- `backend/routers/discovery.py:52-60`
+- `backend/routers/discovery.py:79-86`
+- `backend/routers/discovery.py:89-129`
+- `docker-compose.yml:4-5`
+
+Les endpoints `/api/discovery/scan` et `/api/discovery/ping` permettent a tout utilisateur authentifie de provoquer des connexions ICMP et DNS depuis le conteneur backend vers des cibles fournies par le client. `scan` limite chaque reseau a 1024 hotes, mais ne limite pas le nombre total de targets. `ping` n'a pas de limite de taille de liste ni de validation IP. Le serveur DNS est librement fourni.
+
+Impact: cartographie de reseaux accessibles depuis le conteneur, charge CPU/process, requetes DNS vers des serveurs arbitraires, usage comme outil de reconnaissance interne apres compromission d'un compte.
+
+Recommandation: valider toutes les IP/CIDR, limiter le nombre total d'adresses par requete, limiter la frequence, autoriser uniquement des plages configurees dans l'inventaire, restreindre les DNS autorises ou utiliser le resolv.conf du conteneur.
+
+### SEC-07 - Validation d'entree insuffisante sur les modeles metier
+
+Priorite: P1  
+OWASP: A03 Injection, A04, A05  
+ASVS L1: validation cote serveur
+
+Fichiers:
+- `backend/routers/devices.py:11-33`
+- `backend/routers/vlans.py:11-15`
+- `backend/routers/links.py:11-15`
+- `frontend/src/components/DeviceManager.vue:137`
+- `frontend/src/components/TopologyGraph.vue:35,56,104,142`
+
+Les schemas Pydantic acceptent des chaines libres sans bornes de longueur ni enums serveur. Exemples: `Device.type`, `virt_type`, `url`, `Vlan.cidr`, `Vlan.color`, `Link.link_type`, noms/descriptions/interfaces. Vue echappe correctement les interpolations texte, mais les URL sont reinjectees en `href` et l'API peut recevoir des valeurs qui ne passent pas par le formulaire HTML `type="url"`.
+
+Recommandation: ajouter des contraintes Pydantic strictes: longueurs maximales, enums pour types, validation IP/CIDR, validation couleur hex, URL seulement `http`/`https`, normalisation des chaines. Ajouter `rel="noreferrer noopener"` sur les liens externes.
+
+### SEC-08 - En-tetes de securite HTTP absents de la configuration fournie
+
+Priorite: P2  
+OWASP: A05  
+ASVS L1: durcissement navigateur
+
+Fichiers:
+- `frontend/nginx.conf:1-16`
+- `frontend/index.html`
+
+Le Nginx embarque ne configure pas d'en-tetes de securite: CSP, `X-Frame-Options` ou `frame-ancestors`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`. Si un reverse-proxy frontal ajoute deja ces en-tetes, le risque est traite au niveau infrastructure; sinon, la configuration fournie reste incomplete.
+
+Recommandation: fournir une configuration de reference pour le reverse-proxy frontal, ou ajouter ces en-tetes dans `frontend/nginx.conf`. La decision doit eviter les doublons contradictoires et etre documentee.
+
+### SEC-09 - TLS delegue au reverse-proxy, contrat non documente
+
+Priorite: P2  
+OWASP: A02, A05  
+ASVS L1: protection des identifiants en transit
+
+Fichiers:
+- `docker-compose.yml:14-15`
+- `frontend/nginx.conf:1-2`
+- `docs/architecture.md`
+
+La configuration applicative expose HTTP sur `localhost:8080`. C'est coherent avec un service local derriere reverse-proxy, a condition que le reverse-proxy frontal termine TLS pour les acces non strictement locaux et que le backend/frontend Compose ne soient pas exposes directement sur un reseau non fiable.
+
+Recommandation: documenter clairement que TLS est une responsabilite du reverse-proxy frontal, fournir un exemple de configuration attendue et recommander un bind local (`127.0.0.1:8080:80`) lorsque l'application est consommee uniquement par le proxy local.
+
+### SEC-10 - Secret JWT persiste dans un bind mount projet, permissions faibles
+
+Priorite: P1  
+OWASP: A02, A05  
+ASVS L1: gestion des secrets
+
+Fichiers:
+- `backend/routers/auth.py:17-30`
+- `docker-compose.yml:6-7`
+- `docs/architecture.md`
+- `db_data/secret_key.txt` present localement, permissions observees `0644`
+
+La cle JWT est stockee dans `./db_data/secret_key.txt`, dans l'arborescence projet, avec permissions lisibles par d'autres utilisateurs locaux. Elle n'a pas ete lue pendant l'audit. Si cette cle fuit, des JWT valides peuvent etre forges jusqu'a rotation.
+
+Recommandation: utiliser `SECRET_KEY` depuis un secret Docker ou un fichier hors depot, fixer des permissions strictes, ajouter `db_data/` et fichiers secrets a l'exclusion VCS si necessaire, documenter la rotation.
+
+### SEC-11 - Conteneurs peu durcis
+
+Priorite: P2  
+OWASP: A05  
+ASVS L1: configuration de plateforme
+
+Fichiers:
+- `backend/Dockerfile:1-8`
+- `frontend/Dockerfile:8-11`
+- `docker-compose.yml:1-26`
+
+Les images ne definissent pas d'utilisateur non-root explicite. Compose n'ajoute pas `read_only`, `security_opt: no-new-privileges:true`, `cap_drop`, limites de ressources, healthchecks ou contraintes de filesystem. Le backend ajoute `NET_RAW`, necessaire au ping, mais sans reduction des autres capacites.
+
+Recommandation: executer les services avec utilisateur non-root, ajouter `cap_drop: [ALL]` puis `cap_add: [NET_RAW]` seulement pour backend, activer `no-new-privileges`, limiter ressources et rendre les FS readonly avec volumes temporaires explicites.
+
+### SEC-12 - Pas de journalisation securite/audit
+
+Priorite: P2  
+OWASP: A09 Security Logging and Monitoring Failures  
+ASVS L1: evenements de securite
+
+Fichiers:
+- `backend/routers/auth.py`
+- `backend/routers/devices.py`
+- `backend/routers/vlans.py`
+- `backend/routers/discovery.py`
+
+Les evenements sensibles ne sont pas journalises de maniere structuree: login reussi/echec, changement de compte, scans reseau, imports, suppressions. En cas d'incident, l'attribution et l'analyse seront limitees.
+
+Recommandation: ajouter des logs structures sans secrets, incluant utilisateur, endpoint, action, resultat, compteurs et IP client issue du proxy de confiance.
+
+### SEC-13 - Integrite relationnelle SQLite non enforcee
+
+Priorite: P2  
+OWASP: A04, A08  
+ASVS L1: integrite des donnees
+
+Fichiers:
+- `backend/database.py:6-9`
+- `backend/models.py`
+- `docs/data-model.md` signale explicitement que les FK SQLite ne sont pas enforcees
+
+Les `ForeignKey` SQLAlchemy ne suffisent pas sous SQLite sans `PRAGMA foreign_keys=ON` par connexion. L'application compense partiellement dans les routeurs, mais des incoherences restent possibles, par exemple via evolutions futures ou migrations.
+
+Recommandation: activer le pragma via event SQLAlchemy, verifier les comportements de suppression, ajouter des tests d'integrite.
+
+### SEC-14 - Gestion des dependances et supply chain incomplete
+
+Priorite: P2  
+OWASP: A06 Vulnerable and Outdated Components, A08 Software and Data Integrity Failures  
+ASVS L1: composants connus et maintenus
+
+Fichiers:
+- `backend/requirements.txt`
+- `frontend/package.json:9-19`
+- `frontend/package-lock.json`
+- `frontend/Dockerfile:3-6`
+
+Les dependances sont epinglees cote Python, mais il n'y a pas de workflow SCA documente. Cote frontend, `package.json` utilise des ranges `^`, et le Dockerfile lance `npm install` au lieu de `npm ci`, ce qui reduit la reproductibilite. `cytoscape` reste declare alors que les notes disent que la topologie n'utilise plus Cytoscape.
+
+Recommandation: utiliser `npm ci`, supprimer les dependances inutilisees, ajouter `pip-audit`/`npm audit` ou equivalent CI, documenter la procedure d'upgrade passlib/bcrypt.
+
+### SEC-15 - Import JSON sans schema ni limite de taille
+
+Priorite: P2  
+OWASP: A04, A05  
+ASVS L1: validation des donnees importees
+
+Fichiers:
+- `frontend/src/App.vue:191-208`
+- routes CRUD backend appelees ensuite
+
+L'import JSON parse tout le fichier cote navigateur, puis cree des VLANs/devices en boucle sans validation de schema dedie ni limite de taille/quantite. Les erreurs de creation sont ignorees avec `.catch(() => {})`, ce qui peut masquer des imports partiels ou incoherents.
+
+Recommandation: definir un schema d'import, limiter taille et nombre d'elements, afficher un bilan d'erreurs, et s'appuyer sur les validations serveur renforcees.
+
+### SEC-16 - `v-html` inutile dans la navigation
+
+Priorite: P3  
+OWASP: A03 XSS, defense in depth  
+ASVS L1: sortie encodee
+
+Fichiers:
+- `frontend/src/App.vue:24`
+- `frontend/src/App.vue` tableau `tabs`
+
+`v-html` est utilise pour afficher des icones de navigation depuis des constantes locales. Le risque actuel est faible car les valeurs ne viennent pas de l'utilisateur, mais l'usage de HTML injecte est inutile et peut devenir dangereux lors d'une future evolution.
+
+Recommandation: remplacer par du texte, des composants d'icones ou une interpolation normale.
+
+### SEC-17 - Endpoint health public minimal
+
+Priorite: P3  
+OWASP: A05  
+ASVS L1: exposition minimale
+
+Fichiers:
+- `backend/main.py:111-113`
+- `docs/backend.md`
+
+`GET /api/health` est public. Dans un modele local derriere reverse-proxy, c'est acceptable pour un healthcheck minimal. Il ne divulgue que `{"status":"ok"}`; risque faible. Il doit simplement rester minimal et ne pas exposer version, configuration ou details d'erreur.
+
+Recommandation: conserver public si necessaire au healthcheck, documenter cette decision, et s'assurer que le reverse-proxy ne l'expose pas avec plus d'information que necessaire.
+
+### SEC-18 - Documentation de securite et configuration d'environnement incompletes
+
+Priorite: P2  
+OWASP: A05, A04  
+ASVS L1: configuration securisee documentee
+
+Fichiers:
+- `README.md` absent
+- aucun `.env.example`
+- `CLAUDE.md`, `AGENTS.md`, `docs/*.md`
+
+Les fichiers de notes de developpement sont riches, mais il manque un README utilisateur et un `.env.example` pour documenter `SECRET_KEY`, origines CORS si conservees, URL publique du reverse-proxy, modele TLS delegue, creation du compte initial et durcissement production/local.
+
+Recommandation: ajouter une documentation securite minimale et un exemple d'environnement sans secrets reels.
+
+## Ecarts avec CLAUDE.md / AGENTS.md
+
+- `README.md` est absent alors que le perimetre demande sa revue. Les informations equivalentes sont dans `CLAUDE.md`, `AGENTS.md` et `docs/`.
+- Aucun `.env.example` n'est present, alors que `SECRET_KEY` est supporte par le code.
+- `CLAUDE.md` et `AGENTS.md` documentent le compte de bootstrap `admin/admin`; ce n'est pas un ecart fonctionnel, mais cela doit etre accompagne d'un changement force ou d'une consigne de non-exposition avant changement pour satisfaire une posture ASVS L1.
+- `docs/backend.md` indique que CORS ouvert est intentionnel pour un outil LAN. Avec un backend interne derriere reverse-proxy, le risque est reduit; il faut surtout documenter que le backend ne doit pas etre publie directement.
+- `AGENTS.md` indique que les routeurs sont proteges; c'est vrai pour les routeurs metier. `GET /api/health` reste public et doit rester explicitement assume.
+- Les notes disent "no Cytoscape", mais `frontend/package.json` garde `cytoscape` dans les dependances.
+
+## Couverture OWASP Top 10
+
+| Categorie | Evaluation |
+|---|---|
+| A01 Broken Access Control | Pas de multi-utilisateur/role. Routeurs metier proteges. Risque residuel faible a moyen via compte compromis. |
+| A02 Cryptographic Failures | JWT en localStorage, TLS delegue au reverse-proxy a documenter, secret en bind mount lisible localement. |
+| A03 Injection | SQL/commande correctement limites; validation URL/CSS/strings a renforcer; `v-html` inutile. |
+| A04 Insecure Design | Bootstrap `admin/admin` a encadrer, scan reseau authentifie, absence de politique session/password. |
+| A05 Security Misconfiguration | CORS permissif pour API interne, headers HTTP a porter par le proxy ou Nginx embarque, conteneurs peu durcis, health public minimal. |
+| A06 Vulnerable and Outdated Components | Pas de SCA ni politique d'upgrade; `npm install`; dependance inutilisee. |
+| A07 Identification and Authentication Failures | Bootstrap `admin/admin` sans changement force, pas de rate limit, politique password faible. |
+| A08 Software and Data Integrity Failures | Build frontend non reproductible strictement; FK SQLite non enforcees; imports JSON peu controles. |
+| A09 Logging and Monitoring Failures | Logs securite absents. |
+| A10 SSRF | Discovery permet ping/DNS vers cibles fournies par utilisateur authentifie. |
+
+## References
+
+- OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
+- OWASP Top 10 2021: https://owasp.org/Top10/2021/
diff --git a/SECURITY_DECISIONS.md b/SECURITY_DECISIONS.md
new file mode 100644
index 0000000..56212d8
--- /dev/null
+++ b/SECURITY_DECISIONS.md
@@ -0,0 +1,124 @@
+# Security Decisions
+
+Decisions, trade-offs, and documented limitations for Stupid Simple Network Inventory.
+
+---
+
+## JWT in localStorage vs HttpOnly cookie
+
+**Decision**: keep JWT in `localStorage` + Bearer token.
+
+**Rationale**: migrating to HttpOnly cookies requires changes to the Nginx config (cookie proxying, SameSite handling), the FastAPI auth flow, and all frontend API calls. The added complexity is disproportionate for a self-hosted LAN tool. The risk is mitigated by:
+- 24-hour token expiry (reduced from 7 days)
+- `token_version` invalidation: password change immediately revokes all prior tokens
+- The application is designed for trusted LAN use, not public internet exposure
+
+**Assumption**: the deployment is behind a trusted proxy or on a private network where XSS is the primary concern and is partially mitigated by the LAN context.
+
+**Future**: if the app ever needs public internet exposure, migrating to `HttpOnly; Secure; SameSite=Strict` cookies should be the first priority.
+
+---
+
+## Token versioning instead of a session store
+
+**Decision**: `token_version` integer column on `User`, incremented on password change.
+
+**Rationale**: no Redis, no external session store. A single integer per user provides immediate token invalidation with zero dependencies. The version is included in the JWT payload (`ver` field) and validated on every request.
+
+**Trade-off**: revocation is per-user, not per-token. Logging out one device still lets other devices use their tokens until the common password is changed. This is acceptable for a single-user or small-team tool.
+
+**Limitation**: `ver` absent from old tokens is treated as `ver=1` for backward compatibility. Existing valid tokens (before `token_version` was added) will therefore continue to work until the user changes their password.
+
+---
+
+## no-new-privileges absent from backend container
+
+**Decision**: omit `security_opt: no-new-privileges:true` for the backend service.
+
+**Rationale**: the discovery feature uses `subprocess.run(["ping", ...])`. In `iputils-ping` on Debian, the ping binary has the file capability `cap_net_raw=ep`. For a non-root process to execute ping successfully, the `execve` call must be allowed to promote capabilities from the file's permitted set. `no-new-privileges` blocks this promotion, breaking the ping feature.
+
+**Alternatives considered**:
+- Ambient capabilities (Linux 4.3+): would require modifying the entrypoint to `prctl(PR_CAP_AMBIENT_RAISE, ...)` before exec. Adds complexity with no meaningful security gain for this threat model.
+- SUID ping: `no-new-privileges` also blocks SUID.
+- Replace subprocess ping with a Python ICMP implementation: significant refactor out of scope.
+
+**Mitigations in place**: `cap_drop: ALL` + `cap_add: NET_RAW DAC_OVERRIDE` limits the container to only the capabilities needed. `DAC_OVERRIDE` is required because the `db_data/` bind-mount is owned by the host user; root without it cannot create SQLite journal files in that directory. Both capabilities are in Docker's default set, so this is a net reduction from a standard container.
+
+---
+
+## CORS default to `*`
+
+**Decision**: `ALLOWED_ORIGINS` defaults to `"*"` for backward compatibility.
+
+**Rationale**: the application is designed for same-origin access via Nginx (browser → Nginx → FastAPI), so CORS headers are not required for normal operation. However, changing the default to empty (no CORS) would silently break integrations where users access the API from a different origin. The default `"*"` maintains existing behavior while making it configurable.
+
+**Production recommendation**: set `ALLOWED_ORIGINS=` (empty) if the backend is only accessed through the Nginx proxy, or set it to the specific domain if cross-origin access is needed.
+
+---
+
+## In-memory rate limiting
+
+**Decision**: Python `dict[str, list[float]]` protected by `threading.Lock`, no Redis.
+
+**Rationale**: Redis adds operational complexity (another service, volume, potential failure mode). For a single-process Uvicorn deployment behind Nginx, in-memory rate limiting is sufficient. The Nginx `limit_req` module provides the primary protection at the network edge; the Python layer adds defense-in-depth.
+
+**Limitations**:
+- State is lost on container restart (acceptable: a restart already breaks all active sessions).
+- Does not work across multiple workers. Uvicorn defaults to a single worker; if scaled, the Nginx layer remains effective.
+- IP tracking sees the Nginx container's IP (Docker internal), not the real client IP, unless `X-Real-IP` is forwarded to the backend. The Nginx `limit_req` uses the real client IP correctly.
+
+---
+
+## APP_UID / APP_GID build args
+
+**Decision**: configurable container UID/GID via build args, defaulting to 1000.
+
+**Rationale**: the backend bind-mounts `./db_data:/app/data`. For the non-root container user to write to this directory, the container UID must match the host directory owner. On most Linux systems, the first non-root user is UID 1000. The build args allow customisation without Dockerfile changes.
+
+**Alternative**: use an entrypoint that `chown`s the directory at runtime (current implementation via `entrypoint.sh`). This ensures compatibility regardless of UID mismatch, at the cost of a brief root execution before dropping to `appuser`.
+
+---
+
+## nginx-unprivileged for frontend container
+
+**Decision**: use `nginxinc/nginx-unprivileged:alpine` as the frontend base image.
+
+**Rationale**: the standard `nginx:alpine` image requires `CAP_CHOWN` and `CAP_SETUID` at startup — the master process (root) chowns temp directories and forks workers as `nginx` user (UID 101). With `cap_drop: ALL`, both syscalls fail. Two alternative approaches were tried and abandoned:
+- `USER nginx` in the Dockerfile: BusyBox `sed` does not support `\s` in basic regex mode, so the PID path substitution silently failed; the entrypoint scripts also need root.
+- `gosu appuser` in the backend: `CAP_SETUID` is dropped, so `gosu` cannot switch UIDs.
+
+`nginxinc/nginx-unprivileged:alpine` is maintained by nginx Inc. and pre-configures nginx to run entirely as UID 101 without needing `CAP_CHOWN` or `CAP_SETUID`. The entire process tree (master + workers) runs as nginx, making `cap_drop: ALL` compatible with zero extra capabilities on the frontend.
+
+**Trade-off**: adds a dependency on a third-party image (`nginxinc/nginx-unprivileged`) instead of the official `nginx` image. The image is maintained by nginx Inc. itself, so the trust model is equivalent.
+
+---
+
+## ping and NET_RAW capability
+
+**Decision**: retain `cap_add: NET_RAW` on the backend container.
+
+**Rationale**: the discovery feature (`/api/discovery/ping`, `/api/discovery/scan`) uses ICMP ping, which requires `CAP_NET_RAW`. This is the minimum capability needed and is explicitly documented. The capability is dropped from the frontend container which has no need for it.
+
+---
+
+## SQLite without foreign key enforcement
+
+**Status**: known limitation, not addressed in this phase.
+
+SQLite does not enforce foreign keys by default. Enabling `PRAGMA foreign_keys=ON` per connection via a SQLAlchemy event was out of scope for this phase. The application code manually handles cascades (explicit DELETE before device removal). This is documented in SEC-FIX-013 as a future fix.
+
+---
+
+## Future security improvements (not scheduled)
+
+| ID | Topic |
+|----|-------|
+| SEC-FIX-006 | Scope discovery scan to inventory CIDRs, validate IPs |
+| SEC-FIX-007 | Pydantic field constraints on business models |
+| SEC-FIX-008 | HTTP security headers (CSP, X-Content-Type-Options, etc.) |
+| SEC-FIX-009 | Document TLS / reverse-proxy contract more explicitly |
+| SEC-FIX-012 | Structured audit logging |
+| SEC-FIX-013 | SQLite foreign key enforcement |
+| SEC-FIX-014 | `npm audit` / `pip-audit` in CI |
+| SEC-FIX-015 | Import JSON schema validation and size limits |
+| SEC-FIX-016 | Remove `v-html` from App.vue |
diff --git a/SECURITY_DECISIONS_PHASE3.md b/SECURITY_DECISIONS_PHASE3.md
new file mode 100644
index 0000000..ed57cad
--- /dev/null
+++ b/SECURITY_DECISIONS_PHASE3.md
@@ -0,0 +1,108 @@
+# Security Decisions — Phase 3
+
+Date: 2026-05-06
+
+Ce document enregistre les arbitrages pris lors de la phase 3, les alternatives écartées et les limitations acceptées.
+
+---
+
+## SEC-FIX-006 — Cap global discovery
+
+**Décision** : `MAX_HOSTS_TOTAL = 4096` (4 × /22).
+
+**Alternatives écartées** :
+- Cap par nombre de targets : ne bloque pas 1 seul /11 découpé en CIDRs /22.
+- Cap plus bas (1024 global) : trop restrictif pour les déploiements multi-VLAN légitimes.
+
+**Limitation** : le cap s'applique à la requête, pas à l'utilisateur ou à la session. Un utilisateur authentifié peut lancer N requêtes consécutives. Mitigation acceptable : l'endpoint est protégé par authentification et nécessite `CAP_NET_RAW`.
+
+---
+
+## SEC-FIX-007 — Validation Pydantic : périmètre choisi
+
+**Décision** : validateurs sur les champs à domaine fini (type, virt_type, couleur, CIDR, IP, URL). Pas de validation sur `description` au-delà d'une longueur max.
+
+**Alternatives écartées** :
+- Liste noire de caractères dans `name`/`description` : SQLAlchemy paramétrise toutes les requêtes → pas de risque SQL injection. La liste noire ajouterait une friction sans gain de sécurité.
+- Validation de `vlan_id` contre les VLANs existants dans l'interface (unicité déjà enforced en base).
+
+**Limite acceptée** : `name` peut contenir des caractères Unicode arbitraires — ce n'est pas un vecteur d'injection dans ce contexte (pas de rendu HTML côté serveur, pas de shell).
+
+---
+
+## SEC-FIX-008 — Content-Security-Policy
+
+**Décision** : `style-src 'self' 'unsafe-inline'` conservé.
+
+**Pourquoi** : Vue 3 utilise des attributs `style=""` inline (ex: `style="display:none"` pour `v-show`, styles dynamiques sur les chips de couleur VLAN). Ces attributs sont contrôlés par `style-src`. Supprimer `'unsafe-inline'` casserait l'app sans migration vers CSS classes ou nonces.
+
+**Alternative écartée** : nonces CSP pour les styles inline — Vite ne génère pas de nonces en production, nécessiterait un middleware serveur dynamique incompatible avec Nginx statique.
+
+**Décision** : `frame-ancestors 'none'` + `X-Frame-Options: DENY` — redondant mais nécessaire pour les navigateurs qui n'implémentent pas CSP `frame-ancestors`.
+
+---
+
+## SEC-FIX-012 — Logs d'audit : format et activation
+
+**Décision** : JSON one-line via `logging.getLogger("audit")`, stdout.
+
+**Pourquoi** : stdlib uniquement, pas de dépendance (structlog, loguru écartes). Docker collecte stdout. Le format JSON permet le parsing par Loki/ELK sans transformation.
+
+**Activation** : uvicorn hérite de la config logging Python. Pour filtrer uniquement les événements d'audit : `--log-config` ou configuration Python logging dans main.py (non ajouté : hors périmètre de cette phase).
+
+**Limitation** : les logs ne sont pas persistants entre redémarrages sans volume dédié ou système de log externe. Acceptable pour un déploiement self-hosted.
+
+---
+
+## SEC-FIX-013 — PRAGMA foreign_keys=ON
+
+**Décision** : listener sur l'événement `connect` de SQLAlchemy — s'applique à toutes les connexions, y compris les connexions de test.
+
+**Attention** : la migration `_migrate_vlan_nullable()` dans `main.py` désactive temporairement `PRAGMA foreign_keys=OFF` pour recréer la table vlans. Elle le réactive ensuite. Ce pattern est correct car le listener ne s'applique qu'à la connexion DBAPI sous-jacente, pas aux connexions SQLAlchemy qui wrappent.
+
+**Conséquence sur SEC-FIX-017** : avec `foreign_keys=ON`, la table `links` (qui référençait `devices`) aurait bloqué les `DELETE` sur les équipements. C'est la raison pour laquelle `_migrate_drop_links_table()` est exécutée au démarrage.
+
+---
+
+## SEC-FIX-015 — Limite import JSON côté frontend uniquement
+
+**Décision** : limite de taille appliquée uniquement côté frontend (JavaScript, avant `file.text()`).
+
+**Limitation connue** : cette protection est bypassable par un appel direct à l'API. Cependant :
+- L'endpoint d'import JSON (`/api/devices/`, `/api/vlans/`) est protégé par authentification.
+- FastAPI/uvicorn a une limite de corps par défaut (1 Mo via Starlette). Pour les requêtes individuelles, la validation Pydantic rejette les données invalides.
+- La protection frontend couvre 99% des cas d'usage (import via UI).
+
+**Alternative écartée** : limite de taille côté Nginx (`client_max_body_size`) — le scan de découverte et l'import sont deux flux différents ; limiter globalement pourrait bloquer des scans légitimes. Une limite fine par endpoint nécessiterait une configuration Nginx complexe.
+
+---
+
+## SEC-FIX-016 — v-html
+
+**Décision** : les icônes de navigation (■ ◆ ▣) sont des caractères Unicode hardcodés dans le `computed`. Pas de source externe, pas de traduction, pas d'interpolation.
+
+**Risque résiduel** : nul — les caractères Unicode passent par `{{ }}` qui échappe automatiquement.
+
+---
+
+## SEC-FIX-017 — Table `links` : DROP vs conservation
+
+**Décision** : DROP de la table `links` via `_migrate_drop_links_table()` au démarrage.
+
+**Pourquoi** : avec `PRAGMA foreign_keys=ON` (SEC-FIX-013), la table `links` (FK → `devices.id` sans ON DELETE CASCADE) aurait bloqué toute suppression d'équipement ayant des liens. Conserver la table sans le code applicatif pour la maintenir est une dette technique et un risque opérationnel.
+
+**Données perdues** : les liens existants en base sont supprimés de façon irréversible. Acceptable car la fonctionnalité est retirée de l'interface — les données ne sont plus accessibles ni maintenables.
+
+**Alternative écartée** : ajouter ON DELETE CASCADE sur la table existante. Aurait préservé les données mais complexifié la migration SQLite (pas d'ALTER CONSTRAINT) et laissé une table orpheline indéfiniment.
+
+---
+
+## Points restants non traités en Phase 3
+
+| ID | Raison du report |
+|----|-----------------|
+| SEC-FIX-009 | Couvert : documentation TLS/HTTPS dans README (phases 2/3) |
+| SEC-FIX-014 | Couvert : cytoscape supprimé en phase 2/3 |
+| Audit log configuration fine | Hors périmètre — nécessite une décision d'infrastructure (Loki, ELK, etc.) |
+| `no-new-privileges` backend | Contrainte technique inhérente à `cap_net_raw=ep` pour ping (documenté) |
+| Rate limiting multi-worker | Mitigation en place via Nginx `limit_req` |
diff --git a/SECURITY_FIXES_APPLIED.md b/SECURITY_FIXES_APPLIED.md
new file mode 100644
index 0000000..018db8c
--- /dev/null
+++ b/SECURITY_FIXES_APPLIED.md
@@ -0,0 +1,128 @@
+# Security Fixes Applied
+
+Date: 2026-05-06
+
+## P0-001 — SEC-FIX-001 : Changement de mot de passe obligatoire au premier login
+
+### Problème
+Le compte admin par défaut utilisait `admin`/`admin`. N'importe qui ayant accès au port 8080 pouvait se connecter.
+
+### Changements
+
+**`backend/models.py`**
+- Colonne `must_change_password BOOLEAN NOT NULL DEFAULT 0` ajoutée sur `User`.
+
+**`backend/main.py`**
+- Nouvelle migration idempotente `_migrate_users_must_change_password()` — `ALTER TABLE users ADD COLUMN must_change_password BOOLEAN NOT NULL DEFAULT 0` si absente.
+- `_migrate_users()` : support de la variable d'environnement `INITIAL_ADMIN_PASSWORD`.
+  - Si définie → mot de passe fourni, `must_change_password = 0`.
+  - Sinon → mot de passe `admin`, `must_change_password = 1` (changement forcé au premier login).
+- Routeurs `vlans`, `devices`, `links`, `discovery` protégés par `require_password_changed` au lieu de `get_current_user`.
+
+**`backend/routers/auth.py`**
+- Dépendance `require_password_changed` : retourne 403 `"Password change required"` si `must_change_password = 1`.
+- `TokenOut` enrichi du champ `must_change_password: bool`.
+- `login()` retourne `must_change_password`.
+- `update_account()` passe `must_change_password` à `False` après changement de mot de passe réussi.
+- `GET /me` retourne `must_change_password`.
+
+**`frontend/src/auth.js`**
+- Ref `_mustChange` persistée dans `localStorage('auth_mustchange')`.
+- `mustChangePassword` computed exporté.
+- `setAuth(token, username, mustChange)` / `clearAuth()` mis à jour.
+
+**`frontend/src/App.vue`**
+- Branche `v-else-if="mustChangePassword"` : affiche `<AccountModal :forced="true">` avant l'application.
+- `onLogin` et `onAccountUpdated` propagent le flag ; `loadAll` n'est appelé que si `mustChangePassword` est faux.
+- `onMounted` conditionnel sur `!mustChangePassword.value`.
+
+**`frontend/src/components/AccountModal.vue`**
+- Prop `forced` (Boolean, défaut `false`) :
+  - Masque le bouton ✕ et le bouton Annuler.
+  - Empêche la fermeture par clic sur l'overlay.
+  - Affiche une bannière d'avertissement.
+  - Rend le champ "Nouveau mot de passe" obligatoire.
+
+**`frontend/src/i18n.js`**
+- Clés ajoutées (fr/en/es) : `mustChangePasswordWarning`, `newPasswordRequired`.
+
+### Utilisation
+
+```yaml
+# docker-compose.yml — optionnel
+environment:
+  - INITIAL_ADMIN_PASSWORD=MonMotDePasseSecurisé
+```
+
+Sans cette variable, le premier login avec `admin`/`admin` force immédiatement le changement de mot de passe.
+
+---
+
+## P1-001 — SEC-FIX-002 : Rate limiting sur POST /api/auth/login
+
+### Problème
+Aucune limitation du nombre de tentatives de connexion — brute-force possible.
+
+### Changements
+
+**`frontend/rate_limit.conf`** (nouveau)
+- `limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;`
+
+**`frontend/Dockerfile`**
+- `COPY rate_limit.conf /etc/nginx/conf.d/00_rate_limit.conf` — chargé en premier (ordre alphabétique).
+
+**`frontend/nginx.conf`**
+- Location spécifique `= /api/auth/login` avec `limit_req zone=login burst=5 nodelay` et `limit_req_status 429`.
+
+**`backend/routers/auth.py`**
+- Rate limiting in-memory (sans dépendance externe) :
+  - **Par IP** : 20 tentatives / 60 s
+  - **Par username** : 10 tentatives / 900 s (15 min)
+  - Compteurs réinitialisés après login réussi.
+- `login()` extrait l'IP via `Request.client.host`.
+- Retourne HTTP 429 `"Too many attempts, try again later"`.
+
+**`frontend/src/components/LoginPage.vue`**
+- Gère le status 429 → affiche `t('tooManyAttempts')`.
+
+**`frontend/src/i18n.js`**
+- Clé ajoutée : `tooManyAttempts`.
+
+---
+
+## P1-002 — SEC-FIX-003 : Validation serveur des entrées sur PUT /api/auth/account
+
+### Problème
+Aucune validation sur `new_username` et `new_password` — mots de passe vides ou noms d'utilisateurs invalides acceptés.
+
+### Changements
+
+**`backend/routers/auth.py`**
+- `_validate_new_password(password)` : min 8 caractères, au moins une lettre et un chiffre. Lève 400 avec code `password_too_short` ou `password_too_weak`.
+- `_validate_new_username(username)` : `[a-zA-Z0-9._-]{1,64}`. Lève 400 avec code `username_invalid`.
+- `update_account()` appelle ces fonctions avant modification.
+
+**`frontend/src/components/AccountModal.vue`**
+- Validation client miroir (évite un aller-retour réseau pour les cas évidents).
+- Mapping des codes d'erreur backend → clés i18n : `password_too_short`, `password_too_weak`, `username_invalid`.
+
+**`frontend/src/i18n.js`**
+- Clés ajoutées (fr/en/es) : `passwordTooShort`, `passwordTooWeak`, `usernameInvalid`.
+
+---
+
+## Fichiers modifiés
+
+| Fichier | Fixes |
+|---------|-------|
+| `backend/models.py` | P0-001 |
+| `backend/main.py` | P0-001 |
+| `backend/routers/auth.py` | P0-001, P1-001, P1-002 |
+| `frontend/rate_limit.conf` | P1-001 (nouveau) |
+| `frontend/Dockerfile` | P1-001 |
+| `frontend/nginx.conf` | P1-001 |
+| `frontend/src/auth.js` | P0-001 |
+| `frontend/src/i18n.js` | P0-001, P1-001, P1-002 |
+| `frontend/src/App.vue` | P0-001 |
+| `frontend/src/components/LoginPage.vue` | P0-001, P1-001 |
+| `frontend/src/components/AccountModal.vue` | P0-001, P1-002 |
diff --git a/SECURITY_FIXES_APPLIED_PHASE2.md b/SECURITY_FIXES_APPLIED_PHASE2.md
new file mode 100644
index 0000000..114f53f
--- /dev/null
+++ b/SECURITY_FIXES_APPLIED_PHASE2.md
@@ -0,0 +1,210 @@
+# Security Fixes Applied — Phase 2
+
+Date: 2026-05-06
+
+## SEC-FIX-001 — Bootstrap admin et rattrapage des bases existantes
+
+### Problème résiduel (après phase 1)
+La migration `_migrate_users_must_change_password()` ajoutait la colonne avec `DEFAULT 0`. Un compte admin existant avec le mot de passe par défaut "admin" n'était donc pas forcé à changer.
+
+### Corrections appliquées
+
+**`backend/main.py`**
+- Nouvelle migration `_migrate_users_token_version()` — ajout de `token_version INTEGER NOT NULL DEFAULT 1` si absente.
+- Nouvelle migration `_migrate_force_admin_password_change()` : vérifie si l'admin a `must_change_password=0` et si son hash correspond au mot de passe "admin". Si oui, pose `must_change_password=1`. Idempotent, s'exécute à chaque démarrage.
+- `_migrate_users()` : mise à jour pour inclure `token_version` dans le CREATE TABLE initial.
+- Ordre de démarrage mis à jour : `_migrate_users_token_version()` puis `_migrate_force_admin_password_change()` avant `_migrate_users()`.
+
+**`backend/tests/conftest.py`** (nouveau)
+- Configure `DATABASE_URL` vers une base temporaire avant tout import applicatif.
+- `SECRET_KEY` fixé pour les tests.
+
+**`backend/tests/test_auth.py`** (nouveau)
+- Tests SEC-FIX-001 : base vide (must_change=1), CRUD bloqué avant changement, CRUD autorisé après, rattrapage admin existant, admin avec mot de passe personnalisé non touché, `INITIAL_ADMIN_PASSWORD`.
+- Tests SEC-FIX-004 : ancien token rejeté après changement, nouveau token valide, backward compat token sans `ver`, token avec mauvaise version.
+- Tests SEC-FIX-003 : validation mot de passe (trop court, sans chiffre, sans lettre, valide), username (invalide, trop long, valide), mauvais mot de passe courant.
+- Tests SEC-FIX-002 : rate limit IP (429), rate limit username (429), reset après login réussi.
+
+**`backend/requirements-test.txt`** (nouveau)
+- `pytest>=7.4`, `httpx>=0.25`.
+
+---
+
+## SEC-FIX-004 — Invalidation de session après changement de mot de passe
+
+### Problème
+JWT valable 7 jours, pas d'invalidation après changement de mot de passe.
+
+### Corrections appliquées
+
+**`backend/models.py`**
+- Colonne `token_version = Column(Integer, nullable=False, default=1, server_default="1")` ajoutée à `User`.
+
+**`backend/routers/auth.py`**
+- `TOKEN_EXPIRE_HOURS = 24` (réduit de 7 jours à 24 heures).
+- `create_token(username, version)` : payload inclut `{ ver: version }`.
+- `get_current_user` : vérifie `payload["ver"] == user.token_version`. Rejette avec 401 si différent. Rétrocompatibilité : `ver` absent dans le payload est traité comme `ver=1`.
+- `update_account` : incrémente `current_user.token_version` lors d'un changement de mot de passe.
+- `login` : transmet `user.token_version` au `create_token`.
+
+---
+
+## SEC-FIX-005 — CORS configurable
+
+### Problème
+`allow_origins=["*"]` hardcodé.
+
+### Corrections appliquées
+
+**`backend/main.py`**
+- Lecture de `ALLOWED_ORIGINS` env var (défaut `"*"` pour rétrocompatibilité).
+- `""` désactive le middleware CORS (même origine via proxy).
+- Valeur CSV : liste d'origines explicites.
+
+**`.env.example`** (nouveau)
+- Documentation de `ALLOWED_ORIGINS` avec exemples.
+
+---
+
+## SEC-FIX-010 — Sécurisation du secret JWT
+
+### Problème
+`secret_key.txt` créé sans permissions restrictives. Pas de `.gitignore`.
+
+### Corrections appliquées
+
+**`backend/routers/auth.py`**
+- Création du fichier secret via `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` pour imposer des permissions 0600 dès la création (owner read/write uniquement).
+
+**`.gitignore`** (nouveau)
+- Ignore `db_data/`, `*.db`, `.env`, `__pycache__/`, `node_modules/`, etc.
+
+---
+
+## SEC-FIX-011 — Durcissement des conteneurs
+
+### Problème
+Conteneurs lancés en root sans contraintes de capabilities ni healthchecks.
+
+### Corrections appliquées (Phase 2 initiale)
+
+**`frontend/Dockerfile`**
+- `npm install` → `npm ci` (build reproductible, respecte le lockfile).
+- Image de base finale : `nginxinc/nginx-unprivileged:alpine` — nginx s'exécute entièrement en UID 101 sans nécessiter `CAP_CHOWN` ni `CAP_SETUID`. Compatible avec `cap_drop: ALL`.
+- `EXPOSE 8080` (port non-privilégié, correspondant à la config nginx).
+
+**`frontend/nginx.conf`**
+- `listen 80` → `listen 8080` (port non-privilégié, ne nécessite pas CAP_NET_BIND_SERVICE).
+
+**`docker-compose.yml`**
+- `frontend` : `cap_drop: ALL`, `security_opt: no-new-privileges:true`, port `8080:8080`, healthcheck wget, `depends_on: backend: condition: service_healthy`.
+- Suppression de la section `volumes: db_data:` (bind mount, pas de volume nommé).
+
+**Approches abandonnées (Phase 2 initiale)**
+- `gosu` + `appuser` pour le backend : `cap_drop: ALL` supprime `CAP_SETUID` → `gosu` ne peut pas changer d'utilisateur depuis le processus uvicorn après démarrage.
+
+### Correction complémentaire — backend non-root via `user:` Compose
+
+**Problème résiduel** : le backend tournait en UID 0 (root) faute de mécanisme interne pour changer d'utilisateur. La capability `DAC_OVERRIDE` avait été ajoutée comme contournement (accès en écriture au bind-mount), mais les fichiers `db_data/` étaient créés root:root sur l'hôte.
+
+**Solution** : la directive `user:` de Docker Compose démarre le processus directement sous l'UID/GID cible, sans nécessiter `CAP_SETUID` ni gosu.
+
+**`docker-compose.yml`**
+- `backend` : ajout de `user: "${DOCKER_UID:-1000}:${DOCKER_GID:-1000}"`.
+- `cap_add` : suppression de `DAC_OVERRIDE` (inutile — le processus est propriétaire du bind-mount).
+- `cap_add` conserve `NET_RAW` (ICMP ping).
+- `no-new-privileges` reste omis : ping utilise les file capabilities (`cap_net_raw=ep`) ; `no-new-privileges` supprime le bit effective du fichier, empêchant le sous-processus d'acquérir `CAP_NET_RAW` dans son ensemble effectif même si le parent le détient dans son ensemble permis.
+
+**`.env.example`**
+- `DOCKER_UID` / `DOCKER_GID` documentés avec procédure `id -u && id -g` et instruction `mkdir -p db_data`.
+
+**`README.md`**
+- Quick start : `docker compose --env-file .env up --build -d`.
+- Configuration : `APP_UID`/`APP_GID` remplacés par `DOCKER_UID`/`DOCKER_GID`.
+- Container hardening : table mise à jour (`DOCKER_UID:DOCKER_GID`), note `no-new-privileges` précisée.
+
+---
+
+## SEC-FIX-018 — Documentation
+
+### Corrections appliquées
+
+**`README.md`** (nouveau)
+- Quick start, configuration, sécurité (HTTPS, rotation de clé, durcissement conteneurs), persistance des données, développement.
+
+**`.env.example`** (nouveau)
+- `SECRET_KEY`, `INITIAL_ADMIN_PASSWORD`, `ALLOWED_ORIGINS`, `APP_UID`/`APP_GID` documentés avec exemples.
+
+**`docs/backend.md`**
+- Routeurs protégés : `get_current_user` → `require_password_changed`.
+- Contrat login : ajout `must_change_password`.
+- Contrat account : codes d'erreur normalisés.
+- Modèle `User` : ajout `must_change_password`, `token_version`.
+- Section Auth : mise à jour expiry, payload, invalidation, rate limiting.
+- Section Migrations : ordre complet, description `_migrate_force_admin_password_change`.
+
+**`docs/architecture.md`**
+- Section Auth : schéma mis à jour (`mustChangePassword`, `AccountModal :forced`).
+- Section Docker Compose : non-root, cap_drop, suppression volume nommé.
+
+**`CLAUDE.md`**
+- Section Authentification : 24h, `token_version`, `must_change_password`, guard App.vue, `INITIAL_ADMIN_PASSWORD`.
+- Section Migrations : liste complète des 7 migrations.
+
+**`AGENTS.md`**
+- Section Authentication : réécriture complète.
+- Data Model : `User` mis à jour.
+
+---
+
+## Fichiers modifiés
+
+| Fichier | Fixes |
+|---------|-------|
+| `backend/database.py` | Support `DATABASE_URL` pour tests |
+| `backend/models.py` | SEC-FIX-004 (`token_version`) |
+| `backend/main.py` | SEC-FIX-001 (rattrapage), SEC-FIX-004 (migration), SEC-FIX-005 (CORS) |
+| `backend/routers/auth.py` | SEC-FIX-004 (versioning), SEC-FIX-010 (0600), expiry 24h |
+| `backend/Dockerfile` | SEC-FIX-011 (cap_drop, DAC_OVERRIDE) |
+| `backend/requirements-test.txt` | Tests (nouveau) |
+| `backend/tests/__init__.py` | Tests (nouveau) |
+| `backend/tests/conftest.py` | Tests (nouveau) |
+| `backend/tests/test_auth.py` | Tests SEC-FIX-001, 002, 003, 004 (nouveau) |
+| `frontend/Dockerfile` | SEC-FIX-011 (nginxinc/nginx-unprivileged, npm ci) |
+| `frontend/nginx.conf` | SEC-FIX-011 (port 8080) |
+| `docker-compose.yml` | SEC-FIX-011 (cap_drop, healthchecks) |
+| `.gitignore` | SEC-FIX-010 (nouveau) |
+| `.env.example` | SEC-FIX-005, SEC-FIX-010, SEC-FIX-018 (nouveau) |
+| `README.md` | SEC-FIX-018 (nouveau) |
+| `docs/backend.md` | SEC-FIX-018 |
+| `docs/architecture.md` | SEC-FIX-018 |
+| `CLAUDE.md` | SEC-FIX-018 |
+| `AGENTS.md` | SEC-FIX-018 |
+
+---
+
+## Risques couverts
+
+| Risque | Avant | Après |
+|--------|-------|-------|
+| Bootstrap admin/admin sur instance existante | Non corrigé | `_migrate_force_admin_password_change()` force le changement au prochain démarrage |
+| JWT valable 7 jours après compromission | Oui | 24h + invalidation immédiate par `token_version` |
+| CORS permissif | Hardcodé `*` | Configurable via `ALLOWED_ORIGINS`, défaut `*` rétrocompatible |
+| Secret JWT lisible (permissions) | Mode par défaut (0644 ou plus) | 0600 dès la création |
+| Secrets dans le dépôt | Pas de `.gitignore` | `db_data/`, `.env`, `*.db` ignorés |
+| Process frontend root | Oui (nginx master + workers en root) | `nginxinc/nginx-unprivileged` — tout le process tree en UID 101 |
+| Process backend root | Oui | `user: DOCKER_UID:DOCKER_GID` — process = utilisateur hôte, fichiers `db_data/` non root-owned |
+| Capabilities superflues | Aucun cap_drop | `cap_drop: ALL` sur les deux conteneurs ; backend ajoute `NET_RAW` uniquement |
+| `DAC_OVERRIDE` exposée | Oui (contournement root) | Supprimée — inutile avec non-root propriétaire du bind-mount |
+| Pas de healthchecks | Aucun | Ajoutés sur les deux services |
+| Build frontend non reproductible | `npm install` | `npm ci` |
+
+---
+
+## Limitations restantes
+
+- JWT stocké en `localStorage` (pas de cookie HttpOnly) — mitigation : expiry 24h + token versioning.
+- Rate limiting backend en mémoire (perdu au redémarrage, ne se partage pas entre workers) — mitigation : Nginx `limit_req` couvre le cas multi-worker.
+- `no-new-privileges` absent du backend : `no-new-privileges` supprime le bit effective des file capabilities ; le sous-processus ping ne peut pas acquérir `CAP_NET_RAW` dans son ensemble effectif même si le parent le détient en permis. Mitigation : le processus tourne désormais sous un UID non-privilégié.
+- Politique de mot de passe minimale (`password1` passe) — pas de liste noire de mots de passe communs.
+- Pas de logs structurés d'audit (SEC-FIX-012 non traité dans cette phase).
diff --git a/SECURITY_FIXES_APPLIED_PHASE3.md b/SECURITY_FIXES_APPLIED_PHASE3.md
new file mode 100644
index 0000000..ca02a1d
--- /dev/null
+++ b/SECURITY_FIXES_APPLIED_PHASE3.md
@@ -0,0 +1,199 @@
+# Security Fixes Applied — Phase 3
+
+Date: 2026-05-06
+
+## SEC-FIX-006 — Validation des entrées discovery
+
+### Problème
+- `dns_server` acceptait n'importe quelle chaîne (risque d'injection dans le résolveur DNS)
+- `/api/discovery/ping` acceptait n'importe quelle chaîne comme IP (transmise au sous-processus ping)
+- Plusieurs targets pouvaient contourner le cap de 1024 : 5 × /22 = 5110 hôtes
+
+### Corrections appliquées
+
+**`backend/routers/discovery.py`**
+- `ScanRequest.dns_server` : `field_validator` qui appelle `ipaddress.ip_address(v)` — rejette toute valeur non-IP (422)
+- `PingRequest.ips` : `field_validator` qui valide chaque IP — rejette toute entrée malformée avant d'appeler le sous-processus (422)
+- `MAX_HOSTS_TOTAL = 4096` : cap global sur la somme des hôtes de tous les targets — rejette si dépassé (400)
+
+---
+
+## SEC-FIX-007 — Validation Pydantic métier
+
+### Problème
+Aucun validator sur les schémas métier : valeurs hors-domaine, CIDR invalides, couleurs arbitraires, URLs arbitraires, IPs invalides, types inconnus acceptés silencieusement.
+
+### Corrections appliquées
+
+**`backend/routers/vlans.py`**
+- `vlan_id` : 1–4094 (norme 802.1Q)
+- `name` : non vide, max 100 caractères (strip)
+- `cidr` : `ipaddress.ip_network(strict=False)` si non vide
+- `color` : regex `^#[0-9a-fA-F]{6}$`
+
+**`backend/routers/devices.py`**
+- `name` : non vide, max 100 caractères (strip)
+- `description` : max 500 caractères
+- `type` : enum des 18 types valides
+- `virt_type` : enum `{null, baremetal, lxc, qemu}`
+- `url` : `urlparse` — schéma `http`/`https` + netloc non vide
+- `InterfaceCreate.name` : non vide, max 50 caractères
+- `InterfaceCreate.ip_address` : `ipaddress.ip_address(v)` si non vide
+
+Toutes les erreurs de validation retournent 422 (comportement standard FastAPI/Pydantic).
+
+---
+
+## SEC-FIX-008 — En-têtes HTTP sécurité Nginx
+
+### Problème
+Aucun en-tête de sécurité HTTP : pas de CSP, pas de protection contre le MIME sniffing ou le framing.
+
+### Corrections appliquées
+
+**`frontend/nginx.conf`**
+```
+X-Content-Type-Options: nosniff
+X-Frame-Options: DENY
+Referrer-Policy: strict-origin-when-cross-origin
+Permissions-Policy: camera=(), microphone=(), geolocation=()
+Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';
+```
+
+Tous les en-têtes utilisent le flag `always` pour s'appliquer aussi aux réponses d'erreur.
+
+---
+
+## SEC-FIX-009 — Documentation TLS/HTTPS
+
+### Statut : CORRIGÉ EN PHASE 2/3
+
+Documentation ajoutée au `README.md` lors de la session précédente :
+- Section HTTPS avec exemple nginx reverse-proxy complet
+- `docker-compose.override.yml` pour limiter l'exposition au loopback
+
+---
+
+## SEC-FIX-012 — Logs d'audit structurés
+
+### Problème
+Aucune trace des événements d'authentification : connexions, échecs, changements de mot de passe.
+
+### Corrections appliquées
+
+**`backend/routers/auth.py`**
+- Logger stdlib `logging.getLogger("audit")` — aucune dépendance supplémentaire
+- Helper `_log_audit(event, **kw)` : émet une ligne JSON `{"event": ..., "ts": ..., ...}`
+- Événements loggés :
+  - `auth.login.success` — username, ip
+  - `auth.login.failure` — username, ip
+  - `auth.login.rate_limited` — ip, username (si disponible), reason (`ip` | `username`)
+  - `auth.token_rejected` — username, reason (`user_not_found` | `version_mismatch`)
+  - `auth.account.password_changed` — username
+  - `auth.account.username_changed` — old_username, new_username
+  - `auth.account.bad_password` — username
+
+Activation dans Docker via la config de logging uvicorn (stdout par défaut).
+
+---
+
+## SEC-FIX-013 — PRAGMA foreign_keys=ON
+
+### Problème
+SQLite désactive les contraintes de clés étrangères par défaut. Les suppressions en cascade ne sont pas enforced.
+
+### Corrections appliquées
+
+**`backend/database.py`**
+```python
+@event.listens_for(Engine, "connect")
+def _set_sqlite_pragma(dbapi_conn, _record):
+    if isinstance(dbapi_conn, sqlite3.Connection):
+        cursor = dbapi_conn.cursor()
+        cursor.execute("PRAGMA foreign_keys=ON")
+        cursor.close()
+```
+
+Le listener s'exécute sur chaque nouvelle connexion SQLite, y compris les connexions de test.
+
+---
+
+## SEC-FIX-014 — Dépendance `cytoscape` non utilisée
+
+### Statut : CORRIGÉ EN PHASE 2
+
+`cytoscape` supprimé de `frontend/package.json` lors de la session précédente.
+
+---
+
+## SEC-FIX-015 — Import JSON sans limite de taille ni validation de schéma
+
+### Problème
+Un fichier JSON de plusieurs gigaoctets pouvait être chargé en mémoire. Aucune validation du schéma avant traitement.
+
+### Corrections appliquées
+
+**`frontend/src/App.vue`**
+- Vérification `file.size > 5 * 1024 * 1024` avant `file.text()` — rejette avec message localisé
+- Validation de schéma :
+  - Le JSON doit être un objet (pas un tableau, pas null)
+  - `vlans` et `devices`, si présents, doivent être des tableaux
+
+**`frontend/src/i18n.js`**
+- Clé `importTooLarge` ajoutée (fr, en, es)
+
+---
+
+## SEC-FIX-016 — `v-html` dans App.vue
+
+### Problème
+`v-html` utilisé pour injecter des entités HTML (`&#9632;`, `&#9670;`, `&#9635;`) dans les boutons de navigation. Risque XSS si la source venait à être dynamique.
+
+### Corrections appliquées
+
+**`frontend/src/App.vue`**
+- Entités HTML remplacées par leurs équivalents Unicode directs (`■`, `◆`, `▣`)
+- `v-html="tab.icon"` remplacé par `{{ tab.icon }}` (interpolation texte — échappe automatiquement)
+
+---
+
+## SEC-FIX-017 — Nettoyage du code orphelin Links (backend)
+
+### Problème
+La vue Liens avait été retirée du frontend en phase 2/3, mais le backend conservait :
+- `backend/routers/links.py` — router toujours enregistré dans main.py
+- `class Link` dans `models.py` — ORM orphelin
+- Référence explicite à `models.Link` dans `delete_device` (devices.py)
+- La table `links` en base — avec FK vers `devices`, ce qui bloquerait les suppressions d'équipements avec `PRAGMA foreign_keys=ON`
+
+### Corrections appliquées
+
+**`backend/routers/links.py`** — Supprimé
+
+**`backend/models.py`** — Classe `Link` supprimée
+
+**`backend/routers/devices.py`** — Suppression de la requête `db.query(models.Link).filter(...).delete()` dans `delete_device`
+
+**`backend/main.py`**
+- Import `links` retiré
+- `app.include_router(links.router, ...)` retiré
+- Nouvelle migration `_migrate_drop_links_table()` : DROP TABLE links si elle existe (avec `PRAGMA foreign_keys=OFF/ON` pour éviter les erreurs FK pendant la migration)
+
+---
+
+## Fichiers modifiés
+
+| Fichier | Fix(es) |
+|---------|---------|
+| `backend/database.py` | SEC-FIX-013 |
+| `backend/models.py` | SEC-FIX-017 |
+| `backend/main.py` | SEC-FIX-017 |
+| `backend/routers/auth.py` | SEC-FIX-012 |
+| `backend/routers/vlans.py` | SEC-FIX-007 |
+| `backend/routers/devices.py` | SEC-FIX-007, SEC-FIX-017 |
+| `backend/routers/discovery.py` | SEC-FIX-006 |
+| `backend/routers/links.py` | SEC-FIX-017 (supprimé) |
+| `backend/tests/test_validation.py` | Tests SEC-FIX-006, 007, 013, 017 (nouveau) |
+| `frontend/nginx.conf` | SEC-FIX-008 |
+| `frontend/src/App.vue` | SEC-FIX-015, SEC-FIX-016 |
+| `frontend/src/i18n.js` | SEC-FIX-015 |
diff --git a/SECURITY_FIX_PLAN_FOR_CLAUDE.md b/SECURITY_FIX_PLAN_FOR_CLAUDE.md
new file mode 100644
index 0000000..ec53cdb
--- /dev/null
+++ b/SECURITY_FIX_PLAN_FOR_CLAUDE.md
@@ -0,0 +1,183 @@
+# Plan d'action securite pour Claude Code
+
+Objectif: corriger les ecarts de securite de base identifies dans `SECURITY_AUDIT_BASE.md`, sans refonte fonctionnelle inutile. Chaque tache est atomique et doit etre livree avec tests.
+
+## SEC-FIX-001
+
+Priorite: P0  
+Fichier(s) a modifier: `backend/main.py`, `backend/routers/auth.py`, `docker-compose.yml`, `.env.example`, `CLAUDE.md`, `AGENTS.md`, `docs/backend.md`, `docs/extending.md`  
+Probleme: compte de bootstrap `admin/admin` cree automatiquement au premier demarrage, sans changement force.  
+Correction attendue: conserver le bootstrap seulement si un changement de mot de passe est force au premier login. Variante plus robuste: remplacer le mot de passe fixe par une initialisation sure via variable `INITIAL_ADMIN_PASSWORD` ou secret Docker obligatoire si aucun utilisateur n'existe.  
+Risque couvert: compromission immediate d'une instance neuve.  
+Critere d'acceptation: une base vide peut creer `admin/admin` uniquement avec un etat `must_change_password`; tant que le mot de passe n'est pas change, seuls les endpoints necessaires au changement de compte sont accessibles. Si l'option `INITIAL_ADMIN_PASSWORD` est retenue, `admin/admin` n'est plus cree.  
+Tests recommandes: test unitaire de `_migrate_users()`; test premier login `admin/admin` redirige vers changement obligatoire; test acces CRUD refuse avant changement; test acces CRUD autorise apres changement.
+
+## SEC-FIX-002
+
+Priorite: P1  
+Fichier(s) a modifier: `backend/routers/auth.py`, `backend/rate_limit.py` (nouveau si necessaire), `frontend/nginx.conf`, `backend/requirements.txt`  
+Probleme: aucune limitation de tentatives sur `/api/auth/login`.  
+Correction attendue: ajouter une limitation par IP et par username avec fenetre temporelle, ou configurer `limit_req` Nginx plus une protection API. Les erreurs doivent rester generiques.  
+Risque couvert: bruteforce et credential stuffing.  
+Critere d'acceptation: apres N echecs rapproches, les tentatives suivantes recoivent une reponse de limitation temporaire; une connexion legitime fonctionne apres expiration de la fenetre.  
+Tests recommandes: tests API simulant echecs successifs, reset apres fenetre, non-enumeration des comptes.
+
+## SEC-FIX-003
+
+Priorite: P1  
+Fichier(s) a modifier: `backend/routers/auth.py`, `frontend/src/components/AccountModal.vue`, `frontend/src/i18n.js`  
+Probleme: `new_password` et `new_username` ne sont pas valides robustement cote serveur.  
+Correction attendue: imposer une longueur minimale de mot de passe, refuser les mots de passe evidents, borner/normaliser le username, retourner des messages localisables.  
+Risque couvert: prise de compte par mot de passe faible et donnees auth incoherentes.  
+Critere d'acceptation: les mots de passe trop courts/faibles sont refuses cote API; le frontend affiche une erreur claire; les usernames invalides sont refuses.  
+Tests recommandes: tests API pour password vide, court, faible, valide; username vide, trop long, caracteres invalides, doublon.
+
+## SEC-FIX-004
+
+Priorite: P1  
+Fichier(s) a modifier: `backend/routers/auth.py`, `backend/models.py`, `backend/main.py`, `frontend/src/auth.js`, `frontend/src/api.js`, `frontend/src/components/LoginPage.vue`, `frontend/src/components/AccountModal.vue`, `frontend/nginx.conf`  
+Probleme: JWT stocke en `localStorage`, duree 7 jours, pas d'invalidation apres changement de mot de passe.  
+Correction attendue: migrer vers cookie `HttpOnly`, `Secure`, `SameSite=Lax` ou `Strict`; ajouter version de session/token dans la base; invalider les anciens tokens apres changement de mot de passe. Si cookie impossible immediatement, reduire l'expiration et ajouter une version de session.  
+Risque couvert: vol/rejeu de token apres XSS ou poste compromis.  
+Critere d'acceptation: le token n'est plus lisible par JavaScript dans le mode cible; un changement de mot de passe invalide les tokens precedents; logout supprime la session/cookie.  
+Tests recommandes: tests login/me/logout, changement de mot de passe puis ancien token refuse, verification flags `Set-Cookie`.
+
+## SEC-FIX-005
+
+Priorite: P2  
+Fichier(s) a modifier: `backend/main.py`, `.env.example`, `docker-compose.yml`, `docs/backend.md`  
+Probleme: CORS ouvert a toutes origines alors que l'application est prevue en local derriere reverse-proxy.  
+Correction attendue: documenter que le backend reste interne et que le navigateur accede a `/api/` en meme origine via reverse-proxy. Supprimer CORS si inutile, ou ajouter `ALLOWED_ORIGINS` configurable pour les cas ou une origine externe est necessaire.  
+Risque couvert: publication accidentelle de l'API interne ou configuration dangereuse si l'auth migre vers cookies.  
+Critere d'acceptation: le mode recommande n'expose pas directement le backend; la doc explique quand CORS est necessaire; si `ALLOWED_ORIGINS` est ajoute, une origine non autorisee ne recoit pas d'en-tetes CORS permissifs.  
+Tests recommandes: test API avec headers `Origin` autorisee/non autorisee si CORS conserve; verification de la configuration Compose/reverse-proxy documentee.
+
+## SEC-FIX-006
+
+Priorite: P1  
+Fichier(s) a modifier: `backend/routers/discovery.py`, `frontend/src/components/DiscoveryModal.vue`, `frontend/src/api.js`, `frontend/src/i18n.js`  
+Probleme: `/scan` et `/ping` acceptent des cibles arbitraires et insuffisamment limitees.  
+Correction attendue: valider `ips` avec `ipaddress.ip_address`, valider `dns_server`, limiter le nombre total d'IP par requete, limiter le nombre de targets, autoriser uniquement les CIDR presents en base ou explicitement configures, ajouter rate limit.  
+Risque couvert: SSRF/reconnaissance interne et deni de service par surcharge de scans.  
+Critere d'acceptation: IP/CIDR/DNS invalides refuses; targets hors perimetre refusees; total d'adresses plafonne; les scans legitimes de VLAN configures fonctionnent.  
+Tests recommandes: tests API `ping` liste vide, liste trop grande, IP invalide, IP valide; tests `scan` CIDR trop large, target hors inventaire, DNS invalide, cas nominal.
+
+## SEC-FIX-007
+
+Priorite: P1  
+Fichier(s) a modifier: `backend/routers/devices.py`, `backend/routers/vlans.py`, `backend/routers/links.py`, `frontend/src/components/DeviceManager.vue`, `frontend/src/components/VlanManager.vue`, `frontend/src/components/TopologyGraph.vue`, `frontend/src/i18n.js`  
+Probleme: schemas metier trop permissifs.  
+Correction attendue: ajouter contraintes Pydantic v2: `Field(max_length=...)`, enums/Literal pour device type, virt type et link type, validation IP/CIDR, couleur hex, URL `http/https` uniquement. Ajouter `rel="noreferrer noopener"` sur liens externes.  
+Risque couvert: XSS via URL dangereuse, donnees incoherentes, injection future, DoS par champs enormes.  
+Critere d'acceptation: l'API refuse les valeurs hors enum, URL non http/https, CIDR/IP/couleur invalides et champs trop longs; l'UI affiche les erreurs.  
+Tests recommandes: tests API par champ invalide/valide; tests frontend de rendu lien externe avec `noreferrer`.
+
+## SEC-FIX-008
+
+Priorite: P2  
+Fichier(s) a modifier: `frontend/nginx.conf`, `frontend/index.html`, `frontend/src/App.vue` si ajustements CSP necessaires  
+Probleme: absence d'en-tetes de securite navigateur dans la configuration fournie; ils peuvent etre portes par le reverse-proxy frontal.  
+Correction attendue: fournir une configuration de reference reverse-proxy ou ajouter dans `frontend/nginx.conf` une CSP minimale, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`, et protection anti-framing via CSP `frame-ancestors` ou `X-Frame-Options`.  
+Risque couvert: impact XSS, clickjacking, sniffing MIME, fuite referrer.  
+Critere d'acceptation: les en-tetes sont presents sur `/` et assets; l'application build fonctionne sans violation CSP critique.  
+Tests recommandes: `curl -I` sur `/`; test navigateur console sans erreurs CSP bloquantes; build Vite.
+
+## SEC-FIX-009
+
+Priorite: P2  
+Fichier(s) a modifier: `docker-compose.yml`, `frontend/nginx.conf`, `docs/architecture.md`, `.env.example`  
+Probleme: TLS est delegue au reverse-proxy, mais le contrat de deploiement n'est pas documente.  
+Correction attendue: documenter explicitement que le mode actuel est local derriere reverse-proxy; fournir un exemple de deploiement derriere reverse-proxy TLS; recommander le bind `127.0.0.1:8080:80` si seul le proxy local doit consommer l'application.  
+Risque couvert: interception d'identifiants et tokens sur reseau non fiable.  
+Critere d'acceptation: la documentation exige HTTPS au niveau reverse-proxy pour tout acces non local; un exemple utilisable indique les variables et headers proxy necessaires; Compose n'encourage pas une exposition directe involontaire.  
+Tests recommandes: revue doc; test login via reverse proxy TLS si un profil est ajoute.
+
+## SEC-FIX-010
+
+Priorite: P1  
+Fichier(s) a modifier: `backend/routers/auth.py`, `docker-compose.yml`, `.gitignore`, `.env.example`, `docs/architecture.md`  
+Probleme: `data/secret_key.txt` est dans un bind mount projet et peut etre lisible localement.  
+Correction attendue: charger `SECRET_KEY` depuis secret Docker ou env obligatoire en production; creer les fichiers generes avec permissions `0600`; ignorer `db_data/`; documenter rotation de cle.  
+Risque couvert: fuite de cle JWT et forge de tokens.  
+Critere d'acceptation: nouveau fichier secret cree en `0600`; `db_data/` ignore; production documentee avec secret externe; absence de secret reel dans exemples.  
+Tests recommandes: test unitaire ou integration verifiant permissions; verification `.gitignore`; demarrage avec `SECRET_KEY`.
+
+## SEC-FIX-011
+
+Priorite: P2  
+Fichier(s) a modifier: `backend/Dockerfile`, `frontend/Dockerfile`, `docker-compose.yml`  
+Probleme: conteneurs lances sans durcissement explicite.  
+Correction attendue: executer backend et frontend en non-root si compatible, ajouter `cap_drop: [ALL]`, garder `NET_RAW` uniquement backend, `security_opt: no-new-privileges:true`, healthchecks, limites ressources, filesystem readonly avec volumes temporaires necessaires.  
+Risque couvert: impact accru en cas de compromission de conteneur.  
+Critere d'acceptation: les services demarrent et fonctionnent avec utilisateur non-root et privileges reduits; ping reste fonctionnel si active.  
+Tests recommandes: `docker compose up --build -d`, test login/CRUD/ping, verification `docker compose ps`, inspection utilisateur/capabilities.
+
+## SEC-FIX-012
+
+Priorite: P2  
+Fichier(s) a modifier: `backend/routers/auth.py`, `backend/routers/devices.py`, `backend/routers/vlans.py`, `backend/routers/links.py`, `backend/routers/discovery.py`, `frontend/nginx.conf`  
+Probleme: absence de logs securite structures.  
+Correction attendue: journaliser login reussi/echec, changement username/password, scans, imports/creates/deletes, erreurs de validation et rate limits, sans jamais logger mots de passe/tokens.  
+Risque couvert: detection et investigation insuffisantes.  
+Critere d'acceptation: chaque evenement sensible produit un log structure avec action, resultat, username, IP client fiable, compteurs utiles.  
+Tests recommandes: tests API capturant logs; verification absence de secrets dans logs.
+
+## SEC-FIX-013
+
+Priorite: P2  
+Fichier(s) a modifier: `backend/database.py`, `backend/models.py`, `backend/routers/devices.py`, `backend/routers/vlans.py`, `backend/routers/links.py`  
+Probleme: SQLite n'enforce pas les foreign keys.  
+Correction attendue: activer `PRAGMA foreign_keys=ON` sur chaque connexion via event SQLAlchemy; ajuster cascades/ondelete si necessaire.  
+Risque couvert: incoherence et corruption logique des donnees.  
+Critere d'acceptation: creation d'une interface avec `device_id` inexistant echoue; suppression VLAN/device conserve le comportement fonctionnel attendu.  
+Tests recommandes: tests DB d'integrite FK; tests suppression VLAN/device/link.
+
+## SEC-FIX-014
+
+Priorite: P2  
+Fichier(s) a modifier: `frontend/Dockerfile`, `frontend/package.json`, `frontend/package-lock.json`, `backend/requirements.txt`, documentation CI  
+Probleme: supply chain incomplete, `npm install`, dependance `cytoscape` inutilisee.  
+Correction attendue: remplacer `npm install` par `npm ci`; supprimer `cytoscape` si vraiment inutilise; ajouter scripts/documentation pour `npm audit` et audit Python; conserver compatibilite passlib/bcrypt.  
+Risque couvert: composants vulnerables/obsoletes et builds non reproductibles.  
+Critere d'acceptation: build Docker frontend utilise le lockfile; dependances inutilisees supprimees; procedure SCA documentee.  
+Tests recommandes: `docker compose build frontend`; `npm run build`; audit dependances dans CI ou local.
+
+## SEC-FIX-015
+
+Priorite: P2  
+Fichier(s) a modifier: `frontend/src/App.vue`, `backend/routers/devices.py`, `backend/routers/vlans.py`, `frontend/src/i18n.js`  
+Probleme: import JSON sans schema, limites ni bilan d'erreurs.  
+Correction attendue: limiter taille fichier/nombre d'objets, valider structure avant import, afficher un resume des erreurs, ne pas ignorer silencieusement les echecs.  
+Risque couvert: deni de service local, import incoherent, donnees dangereuses passant par CRUD.  
+Critere d'acceptation: fichier trop gros refuse; schema invalide refuse; import partiel affiche les erreurs; import valide fonctionne.  
+Tests recommandes: tests frontend unitaires pour parsing/validation; tests manuels import valide/invalide/gros.
+
+## SEC-FIX-016
+
+Priorite: P3  
+Fichier(s) a modifier: `frontend/src/App.vue`  
+Probleme: `v-html` utilise pour des icones statiques de navigation.  
+Correction attendue: remplacer par interpolation texte ou composants d'icones sans HTML injecte.  
+Risque couvert: reduction defense-in-depth du risque XSS futur.  
+Critere d'acceptation: aucun `v-html` ne reste dans `App.vue`; les icones de navigation s'affichent toujours.  
+Tests recommandes: `rg "v-html" frontend/src`; test visuel rapide.
+
+## SEC-FIX-017
+
+Priorite: P3  
+Fichier(s) a modifier: `backend/main.py`, `frontend/nginx.conf`, `docker-compose.yml`, `docs/backend.md`  
+Probleme: `/api/health` est public; c'est acceptable pour un healthcheck local/reverse-proxy mais doit rester assume.  
+Correction attendue: documenter que l'endpoint est volontairement public et minimal, ou le restreindre au reverse-proxy si souhaite. Ne pas exposer d'informations de version.  
+Risque couvert: exposition inutile d'informations de disponibilite si le proxy publie trop largement les endpoints internes.  
+Critere d'acceptation: decision documentee; endpoint ne retourne toujours aucun detail sensible; si restreint, le healthcheck Compose/reverse-proxy fonctionne.  
+Tests recommandes: `curl /api/health` selon mode attendu; test healthcheck Docker.
+
+## SEC-FIX-018
+
+Priorite: P2  
+Fichier(s) a modifier: `README.md`, `.env.example`, `CLAUDE.md`, `AGENTS.md`, `docs/architecture.md`, `docs/backend.md`  
+Probleme: documentation securite et configuration d'environnement incompletes.  
+Correction attendue: ajouter README et `.env.example` sans secrets reels; documenter `SECRET_KEY`, `INITIAL_ADMIN_PASSWORD`, `ALLOWED_ORIGINS`, TLS, stockage des donnees, rotation de cle, sauvegarde/restauration et profil dev/prod.  
+Risque couvert: mauvaises configurations deployees par defaut.  
+Critere d'acceptation: un nouvel operateur peut deployer sans identifiants par defaut ni secret genere dans le depot; les differences dev/prod sont explicites.  
+Tests recommandes: revue doc; demarrage Compose avec variables de `.env.example` adaptees.
diff --git a/SECURITY_REVIEW_AFTER_FIXES.md b/SECURITY_REVIEW_AFTER_FIXES.md
new file mode 100644
index 0000000..41a33c6
--- /dev/null
+++ b/SECURITY_REVIEW_AFTER_FIXES.md
@@ -0,0 +1,310 @@
+# Revue securite apres corrections
+
+Date: 2026-05-06  
+Base de comparaison: `SECURITY_AUDIT_BASE.md`, `SECURITY_FIX_PLAN_FOR_CLAUDE.md`, `SECURITY_FIXES_APPLIED.md` et code actuel.  
+Mode: revue statique locale, sans exploitation. Aucun fichier applicatif n'a ete modifie.
+
+## Synthese
+
+Les corrections declarees dans `SECURITY_FIXES_APPLIED.md` sont presentes dans le code pour les trois premiers sujets: changement force au premier login, rate limiting du login, validation minimale du changement de compte. Elles reduisent le risque principal de bootstrap et de bruteforce.
+
+La correction SEC-FIX-001 reste partielle pour les installations deja creees avant la migration: l'ajout de colonne met `must_change_password` a `0` par defaut. Dans la base locale observee, l'utilisateur `admin` a `must_change_password=0`. Si ce compte utilise encore l'ancien mot de passe public, il ne sera pas force a changer. La documentation est egalement en retard sur le code: plusieurs fichiers decrivent encore `get_current_user` comme dependance des routeurs metier et ne documentent pas le nouveau flux `must_change_password`.
+
+Verification effectuee:
+- Parsing Python par AST: OK, 9 fichiers parses.
+- Build frontend Vite vers `/tmp/topologie-vite-build`: OK.
+- Aucun test automatise dedie n'a ete trouve dans `backend` ou `frontend`.
+
+## SEC-FIX-001 - Changement de mot de passe obligatoire au premier login
+
+Statut: partiellement corrige
+
+Preuve dans le code:
+- `backend/models.py:6-12` ajoute `User.must_change_password`.
+- `backend/main.py:78-110` cree `admin` avec `must_change_password=1` si `INITIAL_ADMIN_PASSWORD` est absent, et `0` si la variable est fournie.
+- `backend/main.py:130-133` protege les routeurs metier avec `Depends(require_password_changed)`.
+- `backend/routers/auth.py:97-100` refuse les routeurs proteges avec 403 si le changement est requis.
+- `backend/routers/auth.py:149-172` remet `must_change_password` a `False` apres changement de mot de passe.
+- `frontend/src/App.vue:3-11` affiche `AccountModal` forcee avant l'application si `mustChangePassword` est vrai.
+- `frontend/src/components/AccountModal.vue:93-97` exige un nouveau mot de passe cote client en mode force.
+
+Risque restant:
+- `backend/main.py:63-75` ajoute la colonne aux bases existantes avec `DEFAULT 0`; les comptes deja presents ne sont donc pas forces a changer.
+- La base locale contient `admin|0` pour `must_change_password`.
+- `docker-compose.yml` ne montre pas `INITIAL_ADMIN_PASSWORD`; `.env.example` est absent.
+- `AGENTS.md`, `CLAUDE.md` et `docs/backend.md` decrivent encore l'ancien modele `Depends(get_current_user)` ou l'ancien contrat de login.
+
+Recommandation finale:
+- Ajouter une migration de rattrapage explicite pour les anciennes bases, ou documenter une commande de remediation obligatoire.
+- Documenter `INITIAL_ADMIN_PASSWORD`, `must_change_password` et `require_password_changed` dans `AGENTS.md`, `CLAUDE.md`, `docs/*` et `.env.example`.
+- Ajouter un test couvrant base vide, base existante et acces CRUD avant/apres changement.
+
+## SEC-FIX-002 - Rate limiting sur POST /api/auth/login
+
+Statut: corrige
+
+Preuve dans le code:
+- `frontend/rate_limit.conf:1` definit `limit_req_zone`.
+- `frontend/Dockerfile:10-11` copie `nginx.conf` et `rate_limit.conf`.
+- `frontend/nginx.conf:6-13` applique `limit_req zone=login burst=5 nodelay` et retourne 429 sur `/api/auth/login`.
+- `backend/routers/auth.py:43-76` implemente un rate limit in-memory par username et par IP.
+- `backend/routers/auth.py:132-146` applique ces controles avant verification du mot de passe.
+- `frontend/src/components/LoginPage.vue:69-74` affiche un message dedie sur 429.
+
+Risque restant:
+- Le rate limit backend est en memoire: il est perdu au redemarrage et se fragmente avec plusieurs workers/process.
+- `Request.client.host` voit souvent l'adresse du proxy Nginx, pas le client final; le controle IP backend peut donc devenir global derriere proxy. Le controle Nginx compense dans le deploiement Compose fourni.
+- Les compteurs IP backend ne sont pas remis a zero apres login reussi.
+- Aucun test automatise de fenetre, expiration ou non-enumeration n'a ete trouve.
+
+Recommandation finale:
+- Conserver le controle Nginx et soit documenter que le backend ne doit pas etre expose directement, soit gerer proprement `X-Forwarded-For` depuis un proxy de confiance.
+- Ajouter des tests API pour echecs successifs, expiration de fenetre et succes apres expiration.
+
+## SEC-FIX-003 - Validation serveur des entrees sur PUT /api/auth/account
+
+Statut: partiellement corrige
+
+Preuve dans le code:
+- `backend/routers/auth.py:103-117` valide username et mot de passe.
+- `backend/routers/auth.py:157-165` applique ces validations avant modification.
+- `frontend/src/components/AccountModal.vue:91-117` applique une validation miroir.
+- `frontend/src/i18n.js:160-165`, `310-315`, `460-465` contient les messages localises.
+
+Risque restant:
+- La politique mot de passe reste minimale: `password1` ou `admin123` respectent la regle lettre+chiffre et longueur 8.
+- `AccountUpdate` accepte les champs optionnels sans contraintes Pydantic; la robustesse depend des validations manuelles.
+- Les erreurs `Username already taken` et `Current password is incorrect` ne sont pas sous forme de codes stables et restent moins homogenes que les nouveaux codes.
+- Aucun test API dedie n'a ete trouve.
+
+Recommandation finale:
+- Renforcer la politique avec une liste de mots de passe evidents/refuses et des contraintes Pydantic (`Field`, `StringConstraints`) en plus des helpers.
+- Normaliser/trim le username avant comparaison et stockage.
+- Ajouter des tests pour mot de passe faible evident, username invalide, doublon et cas valide.
+
+## SEC-FIX-004 - JWT localStorage, expiration et invalidation
+
+Statut: non corrige
+
+Preuve dans le code:
+- `frontend/src/auth.js:3-17` stocke toujours le JWT dans `localStorage`.
+- `frontend/src/api.js:6-9` continue d'envoyer un bearer token lu par JavaScript.
+- `backend/routers/auth.py:38-80` conserve une expiration de 7 jours et un payload `{sub, exp}` sans version de session.
+- `backend/routers/auth.py:162-168` change le mot de passe sans invalider les tokens deja emis.
+
+Risque restant:
+- Vol/rejeu de JWT en cas de XSS, extension compromise ou poste compromis.
+- Ancien token toujours valide apres changement de mot de passe jusqu'a expiration.
+
+Recommandation finale:
+- Migrer vers cookie `HttpOnly`, `Secure`, `SameSite` ou, a minima, ajouter `session_version`/`token_version` en base et reduire l'expiration.
+
+## SEC-FIX-005 - CORS configurable ou supprime
+
+Statut: non corrige
+
+Preuve dans le code:
+- `backend/main.py:122-127` conserve `allow_origins=["*"]`, `allow_methods=["*"]`, `allow_headers=["*"]`.
+- `.env.example` est absent.
+
+Risque restant:
+- Configuration permissive si le backend est publie directement ou si l'auth migre vers cookies.
+
+Recommandation finale:
+- Supprimer CORS en mode meme origine ou ajouter `ALLOWED_ORIGINS` explicite.
+- Documenter que le backend doit rester interne.
+
+## SEC-FIX-006 - Encadrement discovery scan/ping
+
+Statut: non corrige
+
+Preuve dans le code:
+- `backend/routers/discovery.py:72-86` accepte `ips: list[str]` sans validation IP ni limite de taille.
+- `backend/routers/discovery.py:89-129` valide seulement le format CIDR et limite chaque reseau a 1024 hotes, mais pas le total de targets ni le perimetre autorise.
+- `backend/routers/discovery.py:52-60` accepte un serveur DNS fourni librement.
+
+Risque restant:
+- Reconnaissance reseau authentifiee, surcharge CPU/process et DNS arbitraire.
+
+Recommandation finale:
+- Valider IP/CIDR/DNS, plafonner le total par requete, autoriser seulement les CIDR d'inventaire ou une allowlist, et ajouter rate limit.
+
+## SEC-FIX-007 - Validation stricte des modeles metier
+
+Statut: non corrige
+
+Preuve dans le code:
+- `backend/routers/devices.py:11-33`, `backend/routers/vlans.py:11-15`, `backend/routers/links.py:11-15` utilisent encore des `str` libres sans bornes, enums ni validation URL/IP/CIDR/couleur.
+- Les liens externes ont `rel="noopener"` mais pas `noreferrer`: `frontend/src/components/DeviceManager.vue:137`, `frontend/src/components/TopologyGraph.vue:35`, `56`, `104`, `142`.
+
+Risque restant:
+- Donnees incoherentes, champs enormes, URL dangereuses et surface XSS future.
+
+Recommandation finale:
+- Ajouter contraintes Pydantic v2, enums serveur, validation URL `http/https`, IP/CIDR et couleur hex.
+- Remplacer `rel="noopener"` par `rel="noreferrer noopener"`.
+
+## SEC-FIX-008 - En-tetes de securite HTTP
+
+Statut: non corrige
+
+Preuve dans le code:
+- `frontend/nginx.conf:1-25` ne definit pas CSP, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`, `X-Frame-Options` ou `frame-ancestors`.
+- La seule configuration ajoutee concerne `limit_req`: `frontend/nginx.conf:6-8`.
+
+Risque restant:
+- Durcissement navigateur absent dans la configuration fournie.
+
+Recommandation finale:
+- Ajouter les en-tetes dans Nginx ou fournir une configuration reverse-proxy de reference verifiee.
+
+## SEC-FIX-009 - Contrat TLS/reverse-proxy
+
+Statut: non corrige
+
+Preuve dans le code:
+- `docker-compose.yml:14-15` expose toujours `"8080:80"` sur toutes les interfaces.
+- Aucune `.env.example` ni documentation de bind local/reverse proxy TLS n'a ete ajoutee.
+
+Risque restant:
+- Exposition HTTP involontaire sur un LAN non fiable avec interception d'identifiants/tokens.
+
+Recommandation finale:
+- Documenter HTTPS obligatoire hors local et recommander `127.0.0.1:8080:80` pour un proxy local.
+- Fournir un exemple reverse-proxy TLS.
+
+## SEC-FIX-010 - Gestion du secret JWT
+
+Statut: non corrige
+
+Preuve dans le code:
+- `backend/routers/auth.py:20-33` cree toujours `data/secret_key.txt` via `open(..., "w")` sans permissions explicites.
+- `docker-compose.yml:6-7` monte toujours `./db_data:/app/data`.
+- `.gitignore` et `.env.example` sont absents.
+
+Risque restant:
+- Fuite locale de cle JWT et forge de tokens jusqu'a rotation.
+
+Recommandation finale:
+- Creer le fichier avec permissions `0600`, ignorer `db_data/`, documenter rotation et supporter un secret Docker/env obligatoire en production.
+
+## SEC-FIX-011 - Durcissement conteneurs
+
+Statut: non corrige
+
+Preuve dans le code:
+- `backend/Dockerfile:1-8` et `frontend/Dockerfile:8-12` ne definissent pas d'utilisateur non-root.
+- `docker-compose.yml:1-20` ne definit pas `cap_drop`, `security_opt`, `read_only`, limites ressources ni healthchecks.
+
+Risque restant:
+- Impact augmente en cas de compromission d'un conteneur.
+
+Recommandation finale:
+- Passer en non-root, ajouter `cap_drop: [ALL]`, garder `NET_RAW` seulement pour le backend, ajouter `no-new-privileges`, healthchecks et volumes temporaires explicites.
+
+## SEC-FIX-012 - Logs securite structures
+
+Statut: non corrige
+
+Preuve dans le code:
+- Aucun logging structure n'est present dans `backend/routers/auth.py`, `devices.py`, `vlans.py`, `links.py` ou `discovery.py`.
+
+Risque restant:
+- Investigation limitee en cas d'incident: login, scans, suppressions et rate limits ne sont pas tracables.
+
+Recommandation finale:
+- Ajouter logs structures sans secrets pour authentification, changements de compte, CRUD, scans et rate limits.
+
+## SEC-FIX-013 - Foreign keys SQLite
+
+Statut: non corrige
+
+Preuve dans le code:
+- `backend/database.py:7-10` cree l'engine sans event SQLAlchemy pour `PRAGMA foreign_keys=ON`.
+- Les `ForeignKey` restent declares dans `backend/models.py`, mais SQLite ne les enforce pas sans pragma par connexion.
+
+Risque restant:
+- Incoherences relationnelles possibles via evolutions futures, migrations ou erreurs applicatives.
+
+Recommandation finale:
+- Activer `PRAGMA foreign_keys=ON` via event SQLAlchemy et tester suppressions/creation d'interfaces/liens invalides.
+
+## SEC-FIX-014 - Supply chain et builds reproductibles
+
+Statut: non corrige
+
+Preuve dans le code:
+- `frontend/Dockerfile:3-4` utilise toujours `npm install` au lieu de `npm ci`.
+- `frontend/package.json` contient encore `cytoscape`.
+- Aucune procedure d'audit dependances n'a ete ajoutee.
+
+Risque restant:
+- Builds moins reproductibles et dependances inutiles/vulnerables plus difficiles a suivre.
+
+Recommandation finale:
+- Utiliser `npm ci`, supprimer `cytoscape` s'il est inutilise, documenter `npm audit` et l'audit Python en conservant le pin `bcrypt==3.2.2`.
+
+## SEC-FIX-015 - Import JSON borne et valide
+
+Statut: non corrige
+
+Preuve dans le code:
+- `frontend/src/App.vue:198-220` lit le fichier complet, parse sans schema, importe en boucle et ignore silencieusement les erreurs par `.catch(() => {})`.
+
+Risque restant:
+- Import incoherent, erreurs masquees et deni de service local par fichier volumineux.
+
+Recommandation finale:
+- Ajouter limite de taille, validation de schema, compteur d'erreurs et retour utilisateur detaille.
+
+## SEC-FIX-016 - Suppression de v-html
+
+Statut: non corrige
+
+Preuve dans le code:
+- `frontend/src/App.vue:30` utilise encore `v-html="tab.icon"`.
+
+Risque restant:
+- Risque XSS defense-in-depth si une future icone devient dynamique ou non controlee.
+
+Recommandation finale:
+- Remplacer par texte, composants d'icones ou SVG statique sans `v-html`.
+
+## SEC-FIX-017 - Endpoint health public documente ou restreint
+
+Statut: partiellement corrige
+
+Preuve dans le code:
+- `backend/main.py:136-138` expose toujours `/api/health` publiquement avec seulement `{"status": "ok"}`, sans detail sensible.
+- La decision de securite n'est pas documentee dans les fichiers lus.
+
+Risque restant:
+- Exposition inutile d'information de disponibilite si le proxy publie trop largement l'API.
+
+Recommandation finale:
+- Documenter explicitement que l'endpoint est public et minimal, ou le restreindre au proxy/healthcheck.
+
+## SEC-FIX-018 - Documentation securite et environnement
+
+Statut: non corrige
+
+Preuve dans le code:
+- `README.md` et `.env.example` sont absents.
+- `AGENTS.md:66`, `CLAUDE.md:171` et `docs/backend.md:5-12` decrivent encore les routeurs metier avec `get_current_user` au lieu de `require_password_changed`.
+- `docs/backend.md:28-36` ne reflete pas le nouveau champ `must_change_password` ni les erreurs de validation.
+
+Risque restant:
+- Operateur guide par une documentation obsolete, avec configuration dev/prod et secrets insuffisamment explicites.
+
+Recommandation finale:
+- Ajouter `README.md` et `.env.example`, puis mettre a jour `AGENTS.md`, `CLAUDE.md` et `docs/*` pour `INITIAL_ADMIN_PASSWORD`, `SECRET_KEY`, CORS, TLS, rotation de cle, sauvegarde/restauration et profils dev/prod.
+
+## Conclusion
+
+Les trois corrections declarees sont globalement integrees, mais seules SEC-FIX-002 peut etre consideree corrigee avec des risques residuels acceptables pour le mode Compose actuel. SEC-FIX-001 et SEC-FIX-003 restent partielles. Les autres taches du plan ne sont pas encore appliquees.
+
+Priorite recommandee:
+1. Corriger la migration/strategie de rattrapage pour les comptes existants `admin`.
+2. Mettre a jour la documentation et ajouter `.env.example`.
+3. Ajouter des tests API pour auth, rate limit et changement force.
+4. Continuer les corrections P1 restantes: JWT/session, discovery, validation metier et secret JWT.
diff --git a/SECURITY_REVIEW_PHASE2.md b/SECURITY_REVIEW_PHASE2.md
new file mode 100644
index 0000000..148f1b1
--- /dev/null
+++ b/SECURITY_REVIEW_PHASE2.md
@@ -0,0 +1,196 @@
+# Revue securite Phase 2
+
+Date: 2026-05-06  
+Base: `SECURITY_REVIEW_AFTER_FIXES.md`, `SECURITY_FIXES_APPLIED_PHASE2.md`, code actuel.  
+Mode: revue statique locale + builds + controles cibles en conteneur. Aucun fichier applicatif n'a ete modifie.
+
+## Synthese
+
+Les corrections Phase 2 principales sont bien presentes dans le code actuel: rattrapage admin utilisant encore `admin`, `token_version` JWT, expiration 24h, CORS configurable, creation des nouvelles cles JWT en `0600`, build frontend reproductible via `npm ci`, conteneurs Compose avec privileges reduits, et documentation globalement enrichie.
+
+Deux points importants restent a corriger:
+
+- La suite de tests Phase 2 n'est pas reproductible telle que declaree: `backend/requirements-test.txt` laisse installer `httpx>=0.28`, incompatible avec le `TestClient` de Starlette utilise par FastAPI 0.104.1.
+- SEC-FIX-010 ne corrige que les nouvelles creations de `secret_key.txt`; un fichier existant cree avant Phase 2 avec des permissions trop larges est relu tel quel, sans `chmod 0600`.
+
+Verification executee:
+
+- `npm run build` dans `frontend`: OK.
+- `docker compose build`: OK.
+- Controles conteneur: backend sous UID/GID `1000:1000`, frontend sous UID `101`, ping OK avec `cap_drop: ALL` + `cap_add: NET_RAW`, secret auto-genere en `0600`, bootstrap admin OK, rattrapage admin existant OK.
+- `pytest -q tests` avec `requirements-test.txt` actuel: ECHEC, incompatibilite `httpx`.
+- `pytest -q tests` avec `pytest>=7.4` et `httpx<0.28`: OK, 21 tests passes.
+
+## Verification des corrections Phase 2
+
+### SEC-FIX-001 - Bootstrap admin et rattrapage des bases existantes
+
+Statut: corrige
+
+Preuves:
+
+- `backend/main.py:65-77` ajoute `must_change_password` aux bases existantes.
+- `backend/main.py:80-92` ajoute `token_version`.
+- `backend/main.py:95-111` force `must_change_password=1` si `admin` utilise encore le mot de passe bootstrap `admin`.
+- `backend/main.py:114-146` cree une base neuve avec `admin/admin` + `must_change_password=1`, ou avec `INITIAL_ADMIN_PASSWORD` + `must_change_password=0`.
+- `backend/main.py:179-183` protege les routeurs metier via `require_password_changed`.
+- Controle conteneur: base neuve -> `admin 1 1`; ancienne base admin/admin avec `must_change_password=0` -> `must_change_password=1`; admin avec mot de passe personnalise -> non modifie.
+
+Point de vigilance:
+
+- `SECURITY_FIXES_APPLIED_PHASE2.md` dit que `_migrate_force_admin_password_change()` s'execute avant `_migrate_users()`. C'est vrai dans le code (`backend/main.py:149-155`) et correct pour les bases existantes. Pour une base neuve, le rattrapage ne s'applique pas car la table n'existe pas encore; le cas est couvert par `_migrate_users()`.
+
+### SEC-FIX-004 - Invalidation de session apres changement de mot de passe
+
+Statut: corrige
+
+Preuves:
+
+- `backend/models.py:13` ajoute `User.token_version`.
+- `backend/routers/auth.py:44` reduit l'expiration JWT a 24 heures.
+- `backend/routers/auth.py:84-90` inclut `ver` dans le JWT.
+- `backend/routers/auth.py:93-107` rejette un token dont `ver` differe de `user.token_version`.
+- `backend/routers/auth.py:175-180` incremente `token_version` lors d'un changement de mot de passe.
+- Les tests d'invalidation passent quand la dependance `httpx` est pinnee correctement.
+
+Limite restante:
+
+- Le JWT reste stocke dans `localStorage` (`frontend/src/auth.js:3-17`) et lu par JavaScript (`frontend/src/api.js:6-9`). Phase 2 reduit la duree et invalide les anciennes sessions, mais ne supprime pas le risque de vol de token en cas de XSS.
+
+### SEC-FIX-005 - CORS configurable
+
+Statut: corrige avec risque residuel de configuration
+
+Preuves:
+
+- `backend/main.py:163-177` lit `ALLOWED_ORIGINS`, supporte `*`, chaine vide, ou CSV d'origines.
+- `.env.example:25-35` documente la variable.
+
+Risque residuel:
+
+- Le defaut reste permissif: `ALLOWED_ORIGINS=*` dans `.env.example:35` et `docker-compose.yml:18`. C'est retrocompatible, mais une installation exposee directement garde CORS ouvert si l'operateur ne change rien.
+
+### SEC-FIX-010 - Secret JWT
+
+Statut: partiellement corrige
+
+Preuves:
+
+- `backend/routers/auth.py:31-38` cree les nouveaux secrets via `os.open(..., 0o600)`.
+- Controle conteneur: secret auto-genere avec mode `0o600`.
+- `.gitignore:1-8` ignore `db_data/`, `*.db`, `.env`.
+
+Risque restant:
+
+- `backend/routers/auth.py:27-28` lit un fichier existant sans verifier ni corriger ses permissions. Une installation ayant deja cree `db_data/secret_key.txt` avant Phase 2 avec un mode trop large conserve ce mode apres mise a jour.
+
+Recommandation:
+
+- Sur chargement du fichier, appliquer ou au minimum verifier `chmod 0600`.
+- Documenter une remediation explicite: `chmod 600 db_data/secret_key.txt`.
+
+### SEC-FIX-011 - Durcissement conteneurs
+
+Statut: corrige pour le chemin Docker Compose fourni
+
+Preuves:
+
+- `docker-compose.yml:4-8` lance le backend sous `DOCKER_UID:DOCKER_GID`, avec `cap_drop: ALL` et `cap_add: NET_RAW` uniquement.
+- `docker-compose.yml:35-41` ajoute un healthcheck backend.
+- `docker-compose.yml:45-62` lance le frontend sur `8080`, avec `cap_drop: ALL`, `no-new-privileges` et healthcheck.
+- `frontend/Dockerfile:4` utilise `npm ci`.
+- `frontend/Dockerfile:8-12` utilise `nginxinc/nginx-unprivileged:alpine`.
+- `frontend/nginx.conf:2` ecoute sur `8080`.
+- Controle conteneur: backend `uid=1000 gid=1000`; frontend `uid=101(nginx)`; ping `127.0.0.1` OK avec la configuration de capabilities.
+
+Limites:
+
+- `backend/Dockerfile` ne definit pas `USER`; le non-root depend de Compose. Un lancement direct de l'image backend sans `--user` tournera en root.
+- Le backend n'a pas `no-new-privileges`, par choix documente pour conserver le fonctionnement de `ping`.
+
+## Regressions et nouveaux risques
+
+### R1 - Tests Phase 2 non reproductibles avec `requirements-test.txt`
+
+Severite: moyenne
+
+`backend/requirements-test.txt:1-2` contient:
+
+```text
+pytest>=7.4
+httpx>=0.25
+```
+
+Dans le conteneur backend actuel, cela installe un `httpx` recent. Resultat: tous les tests utilisant `TestClient(app)` echouent avec:
+
+```text
+TypeError: Client.__init__() got an unexpected keyword argument 'app'
+```
+
+Cause: incompatibilite entre Starlette/FastAPI du projet et `httpx>=0.28`, qui a retire le raccourci `app=`.
+
+Verification:
+
+- Avec `requirements-test.txt` actuel: 1 failed, 20 errors.
+- Avec `httpx<0.28`: 21 passed.
+
+Correction recommandee:
+
+- Pinner `httpx<0.28` dans `backend/requirements-test.txt`, ou mettre a jour FastAPI/Starlette de maniere controlee.
+
+### R2 - Option Docker secret probablement fragile avec backend non-root
+
+Severite: moyenne
+
+`docker-compose.yml:31-34` documente une option de secret montee vers `/app/data/secret_key.txt` avec `mode: 0400`, pendant que le backend tourne sous `DOCKER_UID:DOCKER_GID` (`docker-compose.yml:4`). Selon le comportement exact de Docker Compose et du proprietaire du fichier source, un secret root-owned en `0400` peut devenir illisible par le backend non-root au demarrage.
+
+Correction recommandee:
+
+- Tester explicitement cette variante.
+- Si elle est conservee, specifier `uid`/`gid` compatibles quand Compose le permet, ou supporter une variable `SECRET_KEY_FILE` pointant vers un chemin de secret lisible par l'utilisateur applicatif.
+
+### R3 - Nouvelles cles protegees, anciennes cles non remediées
+
+Severite: moyenne
+
+Voir SEC-FIX-010. Le risque est particulierement important pour les installations deja deployees avant Phase 2, c'est-a-dire precisement le cas traite par les migrations de rattrapage admin.
+
+## Incoherences documentation / code
+
+- `docs/extending.md:70-71` recommande encore `dependencies=[Depends(get_current_user)]` pour un nouveau routeur. Le code actuel doit utiliser `require_password_changed` pour les routeurs metier.
+- `docs/backend.md:5-12` dit "four router groups" mais l'extrait montre `vlans`, `devices`, `discovery` et omet `links`, pourtant enregistre dans `backend/main.py:182`.
+- `docs/frontend.md:48-55` documente `linksApi`, mais `frontend/src/api.js` n'exporte pas `linksApi`.
+- `docs/frontend.md:31` documente `setAuth(token, username)` alors que le code actuel attend `setAuth(token, username, mustChange)` (`frontend/src/auth.js:11`).
+- `docs/frontend.md:114-121` decrit un guard `v-else` direct et des callbacks sans `mustChangePassword`; le code actuel a la branche forcee `AccountModal` (`frontend/src/App.vue:3-11`) et propage `mustChangePassword` (`frontend/src/App.vue:145-153`).
+- `docs/architecture.md:54-57` dit encore que le stage final frontend est `nginx:alpine`; le code utilise `nginxinc/nginx-unprivileged:alpine` (`frontend/Dockerfile:8`).
+- `docs/architecture.md:62-67` liste une sequence de demarrage backend obsolete et omet les migrations `_migrate_users_must_change_password`, `_migrate_users_token_version`, `_migrate_force_admin_password_change`.
+- `AGENTS.md:207` parle d'un "Docker volume `db_data`"; le Compose actuel utilise un bind mount `./db_data:/app/data` (`docker-compose.yml:10-11`).
+- `.env.example:5` contient un caractere corrompu dans le commentaire de section. Impact faible, mais a nettoyer.
+- `SECURITY_FIXES_APPLIED_PHASE2.md` garde des traces de l'approche abandonnee (`APP_UID`/`APP_GID`, `DAC_OVERRIDE`, mentions backend Dockerfile) alors que le code final utilise `DOCKER_UID`/`DOCKER_GID` via Compose et a supprime `DAC_OVERRIDE`.
+
+## Points herites confirmes ouverts
+
+Ces points etaient deja signales dans `SECURITY_REVIEW_AFTER_FIXES.md` et restent ouverts dans le code actuel:
+
+| ID | Etat actuel |
+|---|---|
+| SEC-FIX-006 | Discovery: `PingRequest.ips` non borne (`backend/routers/discovery.py:72-85`), DNS libre (`backend/routers/discovery.py:52-60`), limite par reseau mais pas limite totale multi-target (`backend/routers/discovery.py:93-107`). |
+| SEC-FIX-007 | Validation metier faible: champs libres dans `devices.py`, `vlans.py`, `links.py`; URL/IP/CIDR/couleur/type non contraints cote serveur. Les `rel="noreferrer noopener"` sont en revanche corriges dans les liens frontend. |
+| SEC-FIX-008 | En-tetes HTTP de securite absents dans `frontend/nginx.conf`: pas de CSP, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`, ni politique frame. |
+| SEC-FIX-009 | Le Compose expose encore `8080:8080` sur toutes les interfaces par defaut (`docker-compose.yml:45-46`). README documente HTTPS et bind loopback, mais ce n'est pas le defaut. |
+| SEC-FIX-012 | Pas de logs d'audit structures dans les routeurs backend. |
+| SEC-FIX-013 | SQLite foreign keys non forcees par connexion: pas d'event SQLAlchemy `PRAGMA foreign_keys=ON` dans `backend/database.py`. |
+| SEC-FIX-014 | `cytoscape` a ete supprime de `frontend/package.json`, mais reste dans `frontend/package-lock.json:12` et dans le `node_modules` local comme dependance extraneous. Le lockfile doit etre regenere, et aucun audit dependances automatise n'est documente/integre. |
+| SEC-FIX-015 | Import JSON frontend sans limite de taille ni schema, erreurs ignorees par `.catch(() => {})` (`frontend/src/App.vue:190-207`). |
+| SEC-FIX-016 | `v-html` reste present pour les icones d'onglet (`frontend/src/App.vue:30`). Les valeurs sont hardcodees localement (`frontend/src/App.vue:139-143`), donc risque XSS faible aujourd'hui, mais surface inutile. |
+
+## Conclusion
+
+Phase 2 corrige effectivement les risques prioritaires annonces autour du bootstrap admin, de l'invalidation JWT, du CORS configurable, du secret JWT pour nouvelles installations et du durcissement Compose.
+
+Avant de considerer Phase 2 comme stabilisee, corriger en priorite:
+
+1. `backend/requirements-test.txt`: pinner `httpx<0.28` ou mettre a jour FastAPI/Starlette.
+2. Remediation des permissions des secrets existants (`chmod 0600` au chargement ou migration).
+3. Clarification/test de l'option Docker secret avec backend non-root.
+4. Mise a jour des incoherences docs/code listees ci-dessus.
diff --git a/backend/Dockerfile b/backend/Dockerfile
new file mode 100644
index 0000000..7dc3fd9
--- /dev/null
+++ b/backend/Dockerfile
@@ -0,0 +1,14 @@
+FROM python:3.11-slim
+WORKDIR /app
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends iputils-ping \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+RUN mkdir -p data
+
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
diff --git a/backend/database.py b/backend/database.py
new file mode 100644
index 0000000..c0b5580
--- /dev/null
+++ b/backend/database.py
@@ -0,0 +1,35 @@
+import sqlite3
+
+from sqlalchemy import create_engine, event
+from sqlalchemy.engine import Engine
+from sqlalchemy.orm import sessionmaker, declarative_base
+import os
+
+os.makedirs("data", exist_ok=True)
+
+_DATABASE_URL = os.environ.get("DATABASE_URL", "sqlite:///./data/topology.db")
+
+engine = create_engine(
+    _DATABASE_URL,
+    connect_args={"check_same_thread": False}
+)
+
+
+@event.listens_for(Engine, "connect")
+def _set_sqlite_pragma(dbapi_conn, _record):
+    if isinstance(dbapi_conn, sqlite3.Connection):
+        cursor = dbapi_conn.cursor()
+        cursor.execute("PRAGMA foreign_keys=ON")
+        cursor.close()
+
+
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+Base = declarative_base()
+
+
+def get_db():
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
diff --git a/backend/main.py b/backend/main.py
new file mode 100644
index 0000000..ccd7728
--- /dev/null
+++ b/backend/main.py
@@ -0,0 +1,201 @@
+import os
+
+from fastapi import Depends, FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from sqlalchemy import text
+from database import engine, Base
+from routers import vlans, devices, discovery
+from routers.auth import router as auth_router, get_current_user, require_password_changed
+
+
+def _migrate_vlan_nullable():
+    """Make vlans.vlan_id nullable (SQLite can't ALTER COLUMN, so recreate)."""
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='vlans'"
+        )).fetchone():
+            return
+        cols = conn.execute(text("PRAGMA table_info(vlans)")).fetchall()
+        if not any(row[1] == 'vlan_id' and row[3] == 1 for row in cols):
+            return
+        conn.execute(text("PRAGMA foreign_keys=OFF"))
+        conn.execute(text("""
+            CREATE TABLE vlans_new (
+                id      INTEGER NOT NULL PRIMARY KEY,
+                vlan_id INTEGER UNIQUE,
+                name    VARCHAR NOT NULL,
+                cidr    VARCHAR,
+                color   VARCHAR
+            )
+        """))
+        conn.execute(text("INSERT INTO vlans_new SELECT id, vlan_id, name, cidr, color FROM vlans"))
+        conn.execute(text("DROP TABLE vlans"))
+        conn.execute(text("ALTER TABLE vlans_new RENAME TO vlans"))
+        conn.commit()
+        conn.execute(text("PRAGMA foreign_keys=ON"))
+        conn.commit()
+
+
+def _migrate_device_virt_type():
+    """Ajoute la colonne virt_type sur devices si absente."""
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='devices'"
+        )).fetchone():
+            return
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(devices)")).fetchall()]
+        if 'virt_type' not in cols:
+            conn.execute(text("ALTER TABLE devices ADD COLUMN virt_type VARCHAR"))
+            conn.commit()
+
+
+def _migrate_device_url():
+    """Ajoute la colonne url sur devices si absente."""
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='devices'"
+        )).fetchone():
+            return
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(devices)")).fetchall()]
+        if 'url' not in cols:
+            conn.execute(text("ALTER TABLE devices ADD COLUMN url VARCHAR"))
+            conn.commit()
+
+
+def _migrate_users_must_change_password():
+    """Ajoute la colonne must_change_password sur users si absente."""
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
+        )).fetchone():
+            return
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(users)")).fetchall()]
+        if 'must_change_password' not in cols:
+            conn.execute(text(
+                "ALTER TABLE users ADD COLUMN must_change_password BOOLEAN NOT NULL DEFAULT 0"
+            ))
+            conn.commit()
+
+
+def _migrate_users_token_version():
+    """Ajoute la colonne token_version sur users si absente."""
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
+        )).fetchone():
+            return
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(users)")).fetchall()]
+        if 'token_version' not in cols:
+            conn.execute(text(
+                "ALTER TABLE users ADD COLUMN token_version INTEGER NOT NULL DEFAULT 1"
+            ))
+            conn.commit()
+
+
+def _migrate_force_admin_password_change():
+    """Force must_change_password=1 pour admin utilisant encore le mot de passe bootstrap."""
+    from passlib.context import CryptContext
+    pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
+        )).fetchone():
+            return
+        row = conn.execute(text(
+            "SELECT hashed_password FROM users WHERE username='admin' AND must_change_password=0"
+        )).fetchone()
+        if row and pwd_context.verify("admin", row[0]):
+            conn.execute(text(
+                "UPDATE users SET must_change_password=1 WHERE username='admin'"
+            ))
+            conn.commit()
+
+
+def _migrate_users():
+    """Crée la table users et le compte admin par défaut si absents."""
+    from passlib.context import CryptContext
+    pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+    initial_password = os.environ.get("INITIAL_ADMIN_PASSWORD", "")
+    with engine.connect() as conn:
+        table_exists = conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
+        )).fetchone()
+        if not table_exists:
+            conn.execute(text("""
+                CREATE TABLE users (
+                    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+                    username VARCHAR NOT NULL UNIQUE,
+                    hashed_password VARCHAR NOT NULL,
+                    must_change_password BOOLEAN NOT NULL DEFAULT 0,
+                    token_version INTEGER NOT NULL DEFAULT 1
+                )
+            """))
+            conn.commit()
+        count = conn.execute(text("SELECT COUNT(*) FROM users")).fetchone()[0]
+        if count == 0:
+            if initial_password:
+                hashed = pwd_context.hash(initial_password)
+                must_change = 0
+            else:
+                hashed = pwd_context.hash("admin")
+                must_change = 1
+            conn.execute(
+                text("INSERT INTO users (username, hashed_password, must_change_password) VALUES ('admin', :h, :m)"),
+                {"h": hashed, "m": must_change},
+            )
+            conn.commit()
+
+
+def _migrate_drop_links_table():
+    """Supprime la table links (fonctionnalité retirée en phase 3). Idempotent."""
+    with engine.connect() as conn:
+        conn.execute(text("PRAGMA foreign_keys=OFF"))
+        if conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='links'"
+        )).fetchone():
+            conn.execute(text("DROP TABLE links"))
+            conn.commit()
+        conn.execute(text("PRAGMA foreign_keys=ON"))
+        conn.commit()
+
+
+_migrate_vlan_nullable()
+_migrate_device_virt_type()
+_migrate_device_url()
+_migrate_users_must_change_password()
+_migrate_users_token_version()
+_migrate_force_admin_password_change()
+_migrate_drop_links_table()
+_migrate_users()
+Base.metadata.create_all(bind=engine)
+
+app = FastAPI(title="Network Topology Manager")
+
+# CORS — configurable via ALLOWED_ORIGINS env var (comma-separated).
+# Default "*" for backward compatibility in a behind-proxy deployment.
+# Production: set ALLOWED_ORIGINS="" to disable, or "https://yourdomain.com".
+_allowed_origins_env = os.environ.get("ALLOWED_ORIGINS", "*")
+if _allowed_origins_env.strip() == "*":
+    _origins = ["*"]
+elif _allowed_origins_env.strip() == "":
+    _origins = []
+else:
+    _origins = [o.strip() for o in _allowed_origins_env.split(",") if o.strip()]
+
+if _origins:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=_origins,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+
+app.include_router(auth_router, prefix="/api/auth", tags=["auth"])
+app.include_router(vlans.router,      prefix="/api/vlans",      tags=["vlans"],      dependencies=[Depends(require_password_changed)])
+app.include_router(devices.router,    prefix="/api/devices",    tags=["devices"],    dependencies=[Depends(require_password_changed)])
+app.include_router(discovery.router,  prefix="/api/discovery",  tags=["discovery"],  dependencies=[Depends(require_password_changed)])
+
+
+@app.get("/api/health")
+def health():
+    return {"status": "ok"}
diff --git a/backend/models.py b/backend/models.py
new file mode 100644
index 0000000..264dd55
--- /dev/null
+++ b/backend/models.py
@@ -0,0 +1,58 @@
+from sqlalchemy import Column, Integer, String, Boolean, ForeignKey
+from sqlalchemy.orm import relationship
+from database import Base
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id = Column(Integer, primary_key=True, index=True)
+    username = Column(String, unique=True, nullable=False)
+    hashed_password = Column(String, nullable=False)
+    must_change_password = Column(Boolean, nullable=False, default=False, server_default="0")
+    token_version = Column(Integer, nullable=False, default=1, server_default="1")
+
+
+class Vlan(Base):
+    __tablename__ = "vlans"
+
+    id = Column(Integer, primary_key=True, index=True)
+    vlan_id = Column(Integer, unique=True, nullable=True)
+    name = Column(String, nullable=False)
+    cidr = Column(String, nullable=True, default="")
+    color = Column(String, default="#4A90D9")
+
+    interfaces = relationship("DeviceInterface", back_populates="vlan")
+
+
+class Device(Base):
+    __tablename__ = "devices"
+
+    id = Column(Integer, primary_key=True, index=True)
+    name = Column(String, nullable=False)
+    type = Column(String, default="other")
+    description = Column(String, default="")
+    is_gateway = Column(Boolean, default=False)
+    is_livebox = Column(Boolean, default=False)
+    virt_type  = Column(String, nullable=True)
+    url        = Column(String, nullable=True)
+
+    interfaces = relationship(
+        "DeviceInterface", back_populates="device", cascade="all, delete-orphan"
+    )
+
+
+class DeviceInterface(Base):
+    __tablename__ = "device_interfaces"
+
+    id = Column(Integer, primary_key=True, index=True)
+    device_id = Column(Integer, ForeignKey("devices.id"), nullable=False)
+    vlan_id = Column(Integer, ForeignKey("vlans.id"), nullable=True)
+    ip_address = Column(String, nullable=True, default="")
+    name = Column(String, default="eth0")
+    is_upstream = Column(Boolean, default=False)
+
+    device = relationship("Device", back_populates="interfaces")
+    vlan = relationship("Vlan", back_populates="interfaces")
+
+
diff --git a/backend/requirements-test.txt b/backend/requirements-test.txt
new file mode 100644
index 0000000..ab7351d
--- /dev/null
+++ b/backend/requirements-test.txt
@@ -0,0 +1,2 @@
+pytest>=7.4
+httpx>=0.25
diff --git a/backend/requirements.txt b/backend/requirements.txt
new file mode 100644
index 0000000..e78d5a6
--- /dev/null
+++ b/backend/requirements.txt
@@ -0,0 +1,9 @@
+fastapi==0.104.1
+uvicorn[standard]==0.24.0
+sqlalchemy==2.0.23
+pydantic==2.5.0
+python-multipart==0.0.6
+dnspython==2.4.2
+python-jose[cryptography]==3.3.0
+passlib[bcrypt]==1.7.4
+bcrypt==3.2.2
diff --git a/backend/routers/__init__.py b/backend/routers/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/routers/auth.py b/backend/routers/auth.py
new file mode 100644
index 0000000..2a66ad3
--- /dev/null
+++ b/backend/routers/auth.py
@@ -0,0 +1,218 @@
+import json
+import logging
+import os
+import re
+import secrets
+import time
+import threading
+from datetime import datetime, timedelta, timezone
+
+from fastapi import APIRouter, Depends, HTTPException, Request
+from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+from pydantic import BaseModel
+from sqlalchemy.orm import Session
+
+from database import get_db
+from models import User
+
+router = APIRouter()
+
+_SECRET_KEY_FILE = "data/secret_key.txt"
+_audit = logging.getLogger("audit")
+
+
+def _log_audit(event: str, **kw) -> None:
+    _audit.info(json.dumps({"event": event, "ts": datetime.now(timezone.utc).isoformat(), **kw}))
+
+
+def _load_secret_key() -> str:
+    env = os.environ.get("SECRET_KEY")
+    if env:
+        return env
+    if os.path.exists(_SECRET_KEY_FILE):
+        return open(_SECRET_KEY_FILE).read().strip()
+    key = secrets.token_hex(32)
+    os.makedirs(os.path.dirname(_SECRET_KEY_FILE), exist_ok=True)
+    # Create with owner-only permissions (0600) to prevent other users from reading the key
+    fd = os.open(_SECRET_KEY_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+    try:
+        with os.fdopen(fd, "w") as f:
+            f.write(key)
+    except Exception:
+        os.close(fd)
+        raise
+    return key
+
+
+SECRET_KEY = _load_secret_key()
+ALGORITHM = "HS256"
+TOKEN_EXPIRE_HOURS = 24
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login")
+
+# --- Rate limiting ---
+_login_attempts: dict[str, list[float]] = {}   # username → timestamps
+_ip_attempts:    dict[str, list[float]] = {}   # ip       → timestamps
+_rate_lock = threading.Lock()
+_USERNAME_WINDOW = 900   # 15 min
+_USERNAME_MAX    = 10
+_IP_WINDOW       = 60    # 1 min
+_IP_MAX          = 20
+
+
+def _check_username_rate_limit(username: str) -> None:
+    now = time.time()
+    with _rate_lock:
+        attempts = [t for t in _login_attempts.get(username, []) if now - t < _USERNAME_WINDOW]
+        if len(attempts) >= _USERNAME_MAX:
+            raise HTTPException(status_code=429, detail="Too many attempts, try again later")
+        attempts.append(now)
+        _login_attempts[username] = attempts
+
+
+def _check_ip_rate_limit(ip: str) -> None:
+    now = time.time()
+    with _rate_lock:
+        attempts = [t for t in _ip_attempts.get(ip, []) if now - t < _IP_WINDOW]
+        if len(attempts) >= _IP_MAX:
+            raise HTTPException(status_code=429, detail="Too many attempts, try again later")
+        attempts.append(now)
+        _ip_attempts[ip] = attempts
+
+
+def _clear_login_attempts(username: str) -> None:
+    with _rate_lock:
+        _login_attempts.pop(username, None)
+
+
+def create_token(username: str, version: int) -> str:
+    expire = datetime.now(timezone.utc) + timedelta(hours=TOKEN_EXPIRE_HOURS)
+    return jwt.encode(
+        {"sub": username, "ver": version, "exp": expire},
+        SECRET_KEY,
+        algorithm=ALGORITHM,
+    )
+
+
+def get_current_user(token: str = Depends(oauth2_scheme), db: Session = Depends(get_db)) -> User:
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        username: str = payload.get("sub")
+        token_ver: int = payload.get("ver", 1)
+        if not username:
+            raise HTTPException(status_code=401, detail="Invalid token")
+    except JWTError:
+        raise HTTPException(status_code=401, detail="Invalid token", headers={"WWW-Authenticate": "Bearer"})
+    user = db.query(User).filter(User.username == username).first()
+    if not user:
+        _log_audit("auth.token_rejected", username=username, reason="user_not_found")
+        raise HTTPException(status_code=401, detail="User not found")
+    if (user.token_version or 1) != token_ver:
+        _log_audit("auth.token_rejected", username=username, reason="version_mismatch")
+        raise HTTPException(status_code=401, detail="Session expired, please log in again")
+    return user
+
+
+def require_password_changed(current_user: User = Depends(get_current_user)) -> User:
+    if current_user.must_change_password:
+        raise HTTPException(status_code=403, detail="Password change required")
+    return current_user
+
+
+# --- Validation helpers ---
+_USERNAME_RE = re.compile(r"^[a-zA-Z0-9._-]{1,64}$")
+
+
+def _validate_new_password(password: str) -> None:
+    if len(password) < 8:
+        raise HTTPException(status_code=400, detail="password_too_short")
+    if not re.search(r"[a-zA-Z]", password) or not re.search(r"[0-9]", password):
+        raise HTTPException(status_code=400, detail="password_too_weak")
+
+
+def _validate_new_username(username: str) -> None:
+    if not _USERNAME_RE.match(username):
+        raise HTTPException(status_code=400, detail="username_invalid")
+
+
+class TokenOut(BaseModel):
+    access_token: str
+    token_type: str
+    username: str
+    must_change_password: bool = False
+
+
+class AccountUpdate(BaseModel):
+    current_password: str
+    new_username: str | None = None
+    new_password: str | None = None
+
+
+@router.post("/login", response_model=TokenOut)
+def login(request: Request, form: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
+    client_ip = request.client.host if request.client else "unknown"
+    try:
+        _check_ip_rate_limit(client_ip)
+    except HTTPException:
+        _log_audit("auth.login.rate_limited", ip=client_ip, reason="ip")
+        raise
+    try:
+        _check_username_rate_limit(form.username)
+    except HTTPException:
+        _log_audit("auth.login.rate_limited", ip=client_ip, username=form.username, reason="username")
+        raise
+    user = db.query(User).filter(User.username == form.username).first()
+    if not user or not pwd_context.verify(form.password, user.hashed_password):
+        _log_audit("auth.login.failure", username=form.username, ip=client_ip)
+        raise HTTPException(status_code=401, detail="Incorrect username or password")
+    _clear_login_attempts(form.username)
+    _log_audit("auth.login.success", username=user.username, ip=client_ip)
+    return {
+        "access_token": create_token(user.username, user.token_version or 1),
+        "token_type": "bearer",
+        "username": user.username,
+        "must_change_password": bool(user.must_change_password),
+    }
+
+
+@router.put("/account", response_model=TokenOut)
+def update_account(
+    data: AccountUpdate,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+):
+    if not pwd_context.verify(data.current_password, current_user.hashed_password):
+        _log_audit("auth.account.bad_password", username=current_user.username)
+        raise HTTPException(status_code=400, detail="Current password is incorrect")
+    if data.new_username and data.new_username != current_user.username:
+        _validate_new_username(data.new_username)
+        if db.query(User).filter(User.username == data.new_username).first():
+            raise HTTPException(status_code=400, detail="Username already taken")
+        old_username = current_user.username
+        current_user.username = data.new_username
+        _log_audit("auth.account.username_changed", old_username=old_username, new_username=data.new_username)
+    if data.new_password:
+        _validate_new_password(data.new_password)
+        current_user.hashed_password = pwd_context.hash(data.new_password)
+        current_user.must_change_password = False
+        # Invalidate all previously issued tokens by bumping the version
+        current_user.token_version = (current_user.token_version or 1) + 1
+        _log_audit("auth.account.password_changed", username=current_user.username)
+    db.commit()
+    return {
+        "access_token": create_token(current_user.username, current_user.token_version or 1),
+        "token_type": "bearer",
+        "username": current_user.username,
+        "must_change_password": bool(current_user.must_change_password),
+    }
+
+
+@router.get("/me")
+def get_me(current_user: User = Depends(get_current_user)):
+    return {
+        "username": current_user.username,
+        "must_change_password": bool(current_user.must_change_password),
+    }
diff --git a/backend/routers/devices.py b/backend/routers/devices.py
new file mode 100644
index 0000000..7dc08c0
--- /dev/null
+++ b/backend/routers/devices.py
@@ -0,0 +1,176 @@
+import ipaddress
+import re
+from typing import Optional, List
+from urllib.parse import urlparse
+
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel, field_validator
+from sqlalchemy.orm import Session
+
+from database import get_db
+import models
+
+router = APIRouter()
+
+_VALID_TYPES = {
+    "server", "switch", "router", "nas", "gateway", "livebox", "access_point",
+    "camera", "temperature", "sensor", "hub", "smart_plug", "alarm", "light",
+    "doorbell", "desktop", "laptop", "other",
+}
+_VALID_VIRT_TYPES = {None, "baremetal", "lxc", "qemu"}
+
+
+class InterfaceCreate(BaseModel):
+    name: str = "eth0"
+    ip_address: Optional[str] = ""
+    vlan_id: Optional[int] = None
+    is_upstream: bool = False
+
+    @field_validator("name")
+    @classmethod
+    def _name(cls, v: str) -> str:
+        v = v.strip()
+        if not v:
+            raise ValueError("Interface name cannot be empty")
+        if len(v) > 50:
+            raise ValueError("Interface name too long (max 50 characters)")
+        return v
+
+    @field_validator("ip_address")
+    @classmethod
+    def _ip(cls, v: Optional[str]) -> Optional[str]:
+        if v:
+            try:
+                ipaddress.ip_address(v)
+            except ValueError:
+                raise ValueError(f"Invalid IP address: {v!r}")
+        return v
+
+
+class InterfaceOut(InterfaceCreate):
+    id: int
+    device_id: int
+
+    model_config = {"from_attributes": True}
+
+
+class DeviceCreate(BaseModel):
+    name: str
+    type: str = "other"
+    description: str = ""
+    is_gateway: bool = False
+    is_livebox: bool = False
+    virt_type: Optional[str] = None
+    url: Optional[str] = None
+    interfaces: List[InterfaceCreate] = []
+
+    @field_validator("name")
+    @classmethod
+    def _name(cls, v: str) -> str:
+        v = v.strip()
+        if not v:
+            raise ValueError("name cannot be empty")
+        if len(v) > 100:
+            raise ValueError("name too long (max 100 characters)")
+        return v
+
+    @field_validator("description")
+    @classmethod
+    def _description(cls, v: str) -> str:
+        if len(v) > 500:
+            raise ValueError("description too long (max 500 characters)")
+        return v
+
+    @field_validator("type")
+    @classmethod
+    def _type(cls, v: str) -> str:
+        if v not in _VALID_TYPES:
+            raise ValueError(f"Invalid type: {v!r}. Must be one of: {sorted(_VALID_TYPES)}")
+        return v
+
+    @field_validator("virt_type")
+    @classmethod
+    def _virt_type(cls, v: Optional[str]) -> Optional[str]:
+        if v not in _VALID_VIRT_TYPES:
+            raise ValueError(f"Invalid virt_type: {v!r}. Must be one of: baremetal, lxc, qemu")
+        return v
+
+    @field_validator("url")
+    @classmethod
+    def _url(cls, v: Optional[str]) -> Optional[str]:
+        if v:
+            parsed = urlparse(v)
+            if parsed.scheme not in ("http", "https") or not parsed.netloc:
+                raise ValueError("url must be a valid http or https URL")
+        return v
+
+
+class DeviceOut(BaseModel):
+    id: int
+    name: str
+    type: str
+    description: str
+    is_gateway: bool
+    is_livebox: bool
+    virt_type: Optional[str] = None
+    url: Optional[str] = None
+    interfaces: List[InterfaceOut] = []
+
+    model_config = {"from_attributes": True}
+
+
+@router.get("/", response_model=List[DeviceOut])
+def list_devices(db: Session = Depends(get_db)):
+    return db.query(models.Device).order_by(models.Device.name).all()
+
+
+@router.post("/", response_model=DeviceOut)
+def create_device(device: DeviceCreate, db: Session = Depends(get_db)):
+    db_device = models.Device(
+        name=device.name,
+        type=device.type,
+        description=device.description,
+        is_gateway=device.is_gateway,
+        is_livebox=device.is_livebox,
+        virt_type=device.virt_type,
+        url=device.url,
+    )
+    db.add(db_device)
+    db.flush()
+    for iface in device.interfaces:
+        db.add(models.DeviceInterface(device_id=db_device.id, **iface.model_dump()))
+    db.commit()
+    db.refresh(db_device)
+    return db_device
+
+
+@router.put("/{device_id}", response_model=DeviceOut)
+def update_device(device_id: int, device: DeviceCreate, db: Session = Depends(get_db)):
+    db_device = db.query(models.Device).filter(models.Device.id == device_id).first()
+    if not db_device:
+        raise HTTPException(status_code=404, detail="Équipement introuvable")
+    db_device.name = device.name
+    db_device.type = device.type
+    db_device.description = device.description
+    db_device.is_gateway = device.is_gateway
+    db_device.is_livebox = device.is_livebox
+    db_device.virt_type = device.virt_type
+    db_device.url = device.url
+    db.query(models.DeviceInterface).filter(
+        models.DeviceInterface.device_id == device_id
+    ).delete()
+    for iface in device.interfaces:
+        db.add(models.DeviceInterface(device_id=device_id, **iface.model_dump()))
+    db.commit()
+    db.refresh(db_device)
+    return db_device
+
+
+@router.delete("/{device_id}")
+def delete_device(device_id: int, db: Session = Depends(get_db)):
+    db_device = db.query(models.Device).filter(models.Device.id == device_id).first()
+    if not db_device:
+        raise HTTPException(status_code=404, detail="Équipement introuvable")
+    db.delete(db_device)
+    db.commit()
+    return {"ok": True}
diff --git a/backend/routers/discovery.py b/backend/routers/discovery.py
new file mode 100644
index 0000000..d5f7e3c
--- /dev/null
+++ b/backend/routers/discovery.py
@@ -0,0 +1,156 @@
+import ipaddress
+import subprocess
+import time
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from typing import Optional
+
+import dns.resolver
+import dns.reversename
+from fastapi import APIRouter, HTTPException
+from pydantic import BaseModel, field_validator
+
+router = APIRouter()
+
+MAX_HOSTS_PER_TARGET = 1024   # refuse les /21 et plus larges
+MAX_HOSTS_TOTAL      = 4096   # cap global sur l'ensemble des targets
+
+
+class ScanTarget(BaseModel):
+    vlan_id: int
+    cidr: str
+
+
+class ScanRequest(BaseModel):
+    dns_server: str = "8.8.8.8"
+    targets: list[ScanTarget]
+
+    @field_validator("dns_server")
+    @classmethod
+    def _dns_server(cls, v: str) -> str:
+        try:
+            ipaddress.ip_address(v)
+        except ValueError:
+            raise ValueError(f"dns_server must be a valid IP address, got: {v!r}")
+        return v
+
+
+class DiscoveredHost(BaseModel):
+    ip: str
+    hostname: Optional[str] = None
+    vlan_id: int
+    cidr: str
+
+
+class ScanResponse(BaseModel):
+    hosts: list[DiscoveredHost]
+    total_scanned: int
+    duration_s: float
+
+
+def _ping(ip: str) -> bool:
+    try:
+        r = subprocess.run(
+            ["ping", "-c", "1", "-W", "1", ip],
+            capture_output=True,
+            timeout=3,
+        )
+        return r.returncode == 0
+    except Exception:
+        return False
+
+
+def _ptr_lookup(ip: str, nameserver: str) -> Optional[str]:
+    try:
+        resolver = dns.resolver.Resolver(configure=False)
+        resolver.nameservers = [nameserver]
+        resolver.timeout = 1
+        resolver.lifetime = 2
+        rev = dns.reversename.from_address(ip)
+        ans = resolver.resolve(rev, "PTR")
+        return str(ans[0]).rstrip(".")
+    except Exception:
+        return None
+
+
+def _scan_one(ip: str, dns_server: str, vlan_id: int, cidr: str) -> Optional[DiscoveredHost]:
+    if not _ping(ip):
+        return None
+    hostname = _ptr_lookup(ip, dns_server)
+    return DiscoveredHost(ip=ip, hostname=hostname, vlan_id=vlan_id, cidr=cidr)
+
+
+class PingRequest(BaseModel):
+    ips: list[str]
+
+    @field_validator("ips")
+    @classmethod
+    def _ips(cls, v: list[str]) -> list[str]:
+        for ip in v:
+            try:
+                ipaddress.ip_address(ip)
+            except ValueError:
+                raise ValueError(f"Invalid IP address: {ip!r}")
+        return v
+
+
+class PingResult(BaseModel):
+    ip: str
+    alive: bool
+
+
+@router.post("/ping", response_model=list[PingResult])
+def ping_many(req: PingRequest):
+    if not req.ips:
+        return []
+    with ThreadPoolExecutor(max_workers=50) as pool:
+        futures = {pool.submit(_ping, ip): ip for ip in req.ips}
+        results = [PingResult(ip=futures[f], alive=f.result()) for f in as_completed(futures)]
+    return results
+
+
+@router.post("/scan", response_model=ScanResponse)
+def scan(req: ScanRequest):
+    tasks: list[tuple[str, str, int, str]] = []
+
+    for t in req.targets:
+        try:
+            net = ipaddress.ip_network(t.cidr, strict=False)
+        except ValueError:
+            raise HTTPException(400, f"CIDR invalide : {t.cidr}")
+
+        hosts = list(net.hosts())
+        if len(hosts) > MAX_HOSTS_PER_TARGET:
+            raise HTTPException(
+                400,
+                f"Réseau {t.cidr} trop large ({len(hosts)} hôtes). "
+                f"Maximum par target : {MAX_HOSTS_PER_TARGET} hôtes (/22 ou plus petit).",
+            )
+        for ip in hosts:
+            tasks.append((str(ip), req.dns_server, t.vlan_id, t.cidr))
+
+    if not tasks:
+        raise HTTPException(400, "Aucune cible à scanner.")
+
+    if len(tasks) > MAX_HOSTS_TOTAL:
+        raise HTTPException(
+            400,
+            f"Trop d'hôtes au total ({len(tasks)}). Maximum global : {MAX_HOSTS_TOTAL}.",
+        )
+
+    t0 = time.time()
+    results: list[DiscoveredHost] = []
+
+    with ThreadPoolExecutor(max_workers=100) as pool:
+        futures = [pool.submit(_scan_one, *args) for args in tasks]
+        for f in as_completed(futures):
+            host = f.result()
+            if host:
+                results.append(host)
+
+    results.sort(key=lambda h: ipaddress.ip_address(h.ip))
+
+    return ScanResponse(
+        hosts=results,
+        total_scanned=len(tasks),
+        duration_s=round(time.time() - t0, 1),
+    )
diff --git a/backend/routers/vlans.py b/backend/routers/vlans.py
new file mode 100644
index 0000000..db343ef
--- /dev/null
+++ b/backend/routers/vlans.py
@@ -0,0 +1,102 @@
+import ipaddress
+import re
+from typing import Optional, List
+
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel, field_validator
+from sqlalchemy import nullsfirst
+from sqlalchemy.orm import Session
+
+from database import get_db
+import models
+
+router = APIRouter()
+
+_COLOR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")
+
+
+class VlanCreate(BaseModel):
+    vlan_id: Optional[int] = None
+    name: str
+    cidr: Optional[str] = ""
+    color: str = "#4A90D9"
+
+    @field_validator("vlan_id")
+    @classmethod
+    def _vlan_id(cls, v: Optional[int]) -> Optional[int]:
+        if v is not None and not (1 <= v <= 4094):
+            raise ValueError("vlan_id must be between 1 and 4094")
+        return v
+
+    @field_validator("name")
+    @classmethod
+    def _name(cls, v: str) -> str:
+        v = v.strip()
+        if not v:
+            raise ValueError("name cannot be empty")
+        if len(v) > 100:
+            raise ValueError("name too long (max 100 characters)")
+        return v
+
+    @field_validator("cidr")
+    @classmethod
+    def _cidr(cls, v: Optional[str]) -> Optional[str]:
+        if v:
+            try:
+                ipaddress.ip_network(v, strict=False)
+            except ValueError:
+                raise ValueError(f"Invalid CIDR notation: {v!r}")
+        return v
+
+    @field_validator("color")
+    @classmethod
+    def _color(cls, v: str) -> str:
+        if not _COLOR_RE.match(v):
+            raise ValueError("color must be a 6-digit hex color (e.g. #4A90D9)")
+        return v
+
+
+class VlanOut(VlanCreate):
+    id: int
+
+    model_config = {"from_attributes": True}
+
+
+@router.get("/", response_model=List[VlanOut])
+def list_vlans(db: Session = Depends(get_db)):
+    return db.query(models.Vlan).order_by(nullsfirst(models.Vlan.vlan_id)).all()
+
+
+@router.post("/", response_model=VlanOut)
+def create_vlan(vlan: VlanCreate, db: Session = Depends(get_db)):
+    if vlan.vlan_id is not None:
+        existing = db.query(models.Vlan).filter(models.Vlan.vlan_id == vlan.vlan_id).first()
+        if existing:
+            raise HTTPException(status_code=400, detail=f"VLAN {vlan.vlan_id} existe déjà")
+    db_vlan = models.Vlan(**vlan.model_dump())
+    db.add(db_vlan)
+    db.commit()
+    db.refresh(db_vlan)
+    return db_vlan
+
+
+@router.put("/{vlan_pk}", response_model=VlanOut)
+def update_vlan(vlan_pk: int, vlan: VlanCreate, db: Session = Depends(get_db)):
+    db_vlan = db.query(models.Vlan).filter(models.Vlan.id == vlan_pk).first()
+    if not db_vlan:
+        raise HTTPException(status_code=404, detail="VLAN introuvable")
+    for k, v in vlan.model_dump().items():
+        setattr(db_vlan, k, v)
+    db.commit()
+    db.refresh(db_vlan)
+    return db_vlan
+
+
+@router.delete("/{vlan_pk}")
+def delete_vlan(vlan_pk: int, db: Session = Depends(get_db)):
+    db_vlan = db.query(models.Vlan).filter(models.Vlan.id == vlan_pk).first()
+    if not db_vlan:
+        raise HTTPException(status_code=404, detail="VLAN introuvable")
+    db.delete(db_vlan)
+    db.commit()
+    return {"ok": True}
diff --git a/backend/tests/__init__.py b/backend/tests/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/tests/conftest.py b/backend/tests/conftest.py
new file mode 100644
index 0000000..df51903
--- /dev/null
+++ b/backend/tests/conftest.py
@@ -0,0 +1,12 @@
+"""
+Configures a fresh in-memory SQLite database for every test session.
+DATABASE_URL must be set before any app module is imported.
+"""
+import os
+import tempfile
+
+# Must be set before importing database or main
+_tmpdb = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
+_tmpdb.close()
+os.environ["DATABASE_URL"] = f"sqlite:///{_tmpdb.name}"
+os.environ.setdefault("SECRET_KEY", "test-only-secret-key-not-for-production")
diff --git a/backend/tests/test_auth.py b/backend/tests/test_auth.py
new file mode 100644
index 0000000..a6e8798
--- /dev/null
+++ b/backend/tests/test_auth.py
@@ -0,0 +1,335 @@
+"""
+Tests de sécurité pour l'authentification.
+
+Couvre :
+- SEC-FIX-001 : bootstrap admin, rattrapage admin existant, blocage CRUD avant changement
+- SEC-FIX-002 : rate limiting login
+- SEC-FIX-003 : validation mot de passe et username
+- SEC-FIX-004 : invalidation de token après changement de mot de passe
+"""
+import pytest
+from fastapi.testclient import TestClient
+from sqlalchemy import text
+
+import sys, os
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+# conftest.py sets DATABASE_URL before this import
+from database import engine, Base
+from main import (
+    app,
+    _migrate_users_must_change_password,
+    _migrate_users_token_version,
+    _migrate_force_admin_password_change,
+    _migrate_users,
+)
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+@pytest.fixture(autouse=True)
+def reset_db():
+    """Fresh schema + seeded admin for each test."""
+    Base.metadata.drop_all(bind=engine)
+    Base.metadata.create_all(bind=engine)
+    _migrate_users_must_change_password()
+    _migrate_users_token_version()
+    _migrate_users()
+    yield
+    Base.metadata.drop_all(bind=engine)
+
+
+@pytest.fixture(autouse=True)
+def reset_rate_limits():
+    """Remet à zéro les compteurs de rate limiting entre chaque test."""
+    from routers.auth import _ip_attempts, _login_attempts, _rate_lock
+    with _rate_lock:
+        _ip_attempts.clear()
+        _login_attempts.clear()
+    yield
+    with _rate_lock:
+        _ip_attempts.clear()
+        _login_attempts.clear()
+
+
+@pytest.fixture
+def client():
+    return TestClient(app, raise_server_exceptions=True)
+
+
+def _login(client, username="admin", password="admin"):
+    return client.post(
+        "/api/auth/login",
+        data={"username": username, "password": password},
+    )
+
+
+def _auth_headers(token):
+    return {"Authorization": f"Bearer {token}"}
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-001 — Bootstrap et rattrapage
+# ---------------------------------------------------------------------------
+
+class TestBootstrap:
+    def test_fresh_db_admin_must_change_password(self, client):
+        """Nouvelle base : admin créé avec must_change_password=1."""
+        r = _login(client)
+        assert r.status_code == 200
+        data = r.json()
+        assert data["must_change_password"] is True
+        assert data["username"] == "admin"
+
+    def test_crud_blocked_before_password_change(self, client):
+        """CRUD refusé (403) tant que must_change_password est vrai."""
+        token = _login(client).json()["access_token"]
+        r = client.get("/api/vlans/", headers=_auth_headers(token))
+        assert r.status_code == 403
+        assert r.json()["detail"] == "Password change required"
+
+    def test_crud_allowed_after_password_change(self, client):
+        """CRUD autorisé après changement de mot de passe."""
+        token = _login(client).json()["access_token"]
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "SecurePass1"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 200
+        new_token = r.json()["access_token"]
+        assert r.json()["must_change_password"] is False
+        r2 = client.get("/api/vlans/", headers=_auth_headers(new_token))
+        assert r2.status_code == 200
+
+    def test_migration_forces_existing_admin_with_default_password(self, client):
+        """Rattrapage : admin existant avec must_change_password=0 et password 'admin' est forcé."""
+        # Simuler une ancienne base : admin avec must_change_password=0
+        with engine.connect() as conn:
+            conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+            conn.commit()
+        # La migration de rattrapage doit remettre must_change_password=1
+        _migrate_force_admin_password_change()
+        r = _login(client)
+        assert r.status_code == 200
+        assert r.json()["must_change_password"] is True
+
+    def test_migration_does_not_touch_admin_with_custom_password(self, client):
+        """Rattrapage : admin avec mot de passe personnalisé et must_change_password=0 n'est pas touché."""
+        from passlib.context import CryptContext
+        pwd = CryptContext(schemes=["bcrypt"], deprecated="auto")
+        with engine.connect() as conn:
+            conn.execute(text(
+                "UPDATE users SET hashed_password=:h, must_change_password=0 WHERE username='admin'"
+            ), {"h": pwd.hash("CustomPass9")})
+            conn.commit()
+        _migrate_force_admin_password_change()
+        r = client.post("/api/auth/login", data={"username": "admin", "password": "CustomPass9"})
+        assert r.status_code == 200
+        assert r.json()["must_change_password"] is False
+
+    def test_initial_admin_password_env_var(self, monkeypatch):
+        """Avec INITIAL_ADMIN_PASSWORD, must_change_password=0."""
+        monkeypatch.setenv("INITIAL_ADMIN_PASSWORD", "EnvPass42")
+        Base.metadata.drop_all(bind=engine)
+        Base.metadata.create_all(bind=engine)
+        _migrate_users_must_change_password()
+        _migrate_users_token_version()
+        _migrate_users()
+        with TestClient(app) as c:
+            r = c.post("/api/auth/login", data={"username": "admin", "password": "EnvPass42"})
+        assert r.status_code == 200
+        assert r.json()["must_change_password"] is False
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-004 — Invalidation de token après changement de mot de passe
+# ---------------------------------------------------------------------------
+
+class TestTokenInvalidation:
+    def test_old_token_rejected_after_password_change(self, client):
+        """L'ancien token est invalide après changement de mot de passe."""
+        # Forcer must_change_password=0 pour pouvoir tester le CRUD
+        with engine.connect() as conn:
+            conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+            conn.commit()
+        old_token = _login(client).json()["access_token"]
+        # Changer le mot de passe → invalide old_token
+        client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "NewPass99"},
+            headers=_auth_headers(old_token),
+        )
+        r = client.get("/api/vlans/", headers=_auth_headers(old_token))
+        assert r.status_code == 401
+
+    def test_new_token_valid_after_password_change(self, client):
+        """Le nouveau token fonctionne après changement de mot de passe."""
+        with engine.connect() as conn:
+            conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+            conn.commit()
+        old_token = _login(client).json()["access_token"]
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "NewPass99"},
+            headers=_auth_headers(old_token),
+        )
+        new_token = r.json()["access_token"]
+        r2 = client.get("/api/vlans/", headers=_auth_headers(new_token))
+        assert r2.status_code == 200
+
+    def test_token_without_version_accepted_for_backward_compat(self, client):
+        """Token sans champ 'ver' (ancien format) est accepté : ver absent → ver=1 par défaut."""
+        from jose import jwt as jose_jwt
+        from routers.auth import SECRET_KEY, ALGORITHM
+        from datetime import datetime, timedelta, timezone
+        expire = datetime.now(timezone.utc) + timedelta(hours=1)
+        old_format_token = jose_jwt.encode(
+            {"sub": "admin", "exp": expire},
+            SECRET_KEY,
+            algorithm=ALGORITHM,
+        )
+        with engine.connect() as conn:
+            conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+            conn.commit()
+        r = client.get("/api/auth/me", headers=_auth_headers(old_format_token))
+        assert r.status_code == 200
+
+    def test_token_with_wrong_version_rejected(self, client):
+        """Token avec version incorrecte est rejeté."""
+        from jose import jwt as jose_jwt
+        from routers.auth import SECRET_KEY, ALGORITHM
+        from datetime import datetime, timedelta, timezone
+        expire = datetime.now(timezone.utc) + timedelta(hours=1)
+        bad_token = jose_jwt.encode(
+            {"sub": "admin", "ver": 999, "exp": expire},
+            SECRET_KEY,
+            algorithm=ALGORITHM,
+        )
+        r = client.get("/api/auth/me", headers=_auth_headers(bad_token))
+        assert r.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-003 — Validation mot de passe et username
+# ---------------------------------------------------------------------------
+
+class TestValidation:
+    def _get_valid_token(self, client):
+        """Retourne un token valide (must_change_password forcé à 0)."""
+        with engine.connect() as conn:
+            conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+            conn.commit()
+        return _login(client).json()["access_token"]
+
+    def test_password_too_short_rejected(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "Short1"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 400
+        assert r.json()["detail"] == "password_too_short"
+
+    def test_password_no_digit_rejected(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "OnlyLetters"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 400
+        assert r.json()["detail"] == "password_too_weak"
+
+    def test_password_no_letter_rejected(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "12345678"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 400
+        assert r.json()["detail"] == "password_too_weak"
+
+    def test_valid_password_accepted(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_password": "ValidPass1"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 200
+
+    def test_username_invalid_chars_rejected(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_username": "bad user!"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 400
+        assert r.json()["detail"] == "username_invalid"
+
+    def test_username_too_long_rejected(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_username": "a" * 65},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 400
+        assert r.json()["detail"] == "username_invalid"
+
+    def test_valid_username_accepted(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "admin", "new_username": "admin_user.1"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 200
+
+    def test_wrong_current_password_rejected(self, client):
+        token = self._get_valid_token(client)
+        r = client.put(
+            "/api/auth/account",
+            json={"current_password": "wrong", "new_password": "NewPass1!"},
+            headers=_auth_headers(token),
+        )
+        assert r.status_code == 400
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-002 — Rate limiting
+# ---------------------------------------------------------------------------
+
+class TestRateLimit:
+    def test_ip_rate_limit_triggers_429(self, client):
+        """Après trop de tentatives par IP, le login retourne 429."""
+        from routers.auth import _ip_attempts, _rate_lock, _IP_MAX
+        with _rate_lock:
+            _ip_attempts["testclient"] = [__import__("time").time()] * _IP_MAX
+        r = _login(client)
+        assert r.status_code == 429
+
+    def test_username_rate_limit_triggers_429(self, client):
+        """Après trop de tentatives par username, le login retourne 429."""
+        from routers.auth import _login_attempts, _rate_lock, _USERNAME_MAX
+        with _rate_lock:
+            _login_attempts["admin"] = [__import__("time").time()] * _USERNAME_MAX
+        r = _login(client)
+        assert r.status_code == 429
+
+    def test_successful_login_clears_username_attempts(self, client):
+        """Login réussi remet à zéro le compteur username."""
+        from routers.auth import _login_attempts, _rate_lock
+        with engine.connect() as conn:
+            conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+            conn.commit()
+        r = _login(client)
+        assert r.status_code == 200
+        with _rate_lock:
+            assert "admin" not in _login_attempts
diff --git a/backend/tests/test_validation.py b/backend/tests/test_validation.py
new file mode 100644
index 0000000..27c99d5
--- /dev/null
+++ b/backend/tests/test_validation.py
@@ -0,0 +1,245 @@
+"""
+Tests de validation — Phase 3
+
+Couvre :
+- SEC-FIX-006 : validation des entrées discovery (dns_server, ips, cap global)
+- SEC-FIX-007 : validators Pydantic sur VlanCreate et DeviceCreate
+- SEC-FIX-013 : PRAGMA foreign_keys=ON (test indirect via FK constraint)
+- SEC-FIX-017 : suppression code orphelin Links (endpoint /api/links inexistant)
+"""
+import pytest
+from fastapi.testclient import TestClient
+from sqlalchemy import text
+
+import sys, os
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from database import engine, Base
+from main import app, _migrate_users_must_change_password, _migrate_users_token_version, _migrate_users
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+@pytest.fixture(autouse=True)
+def reset_db():
+    Base.metadata.drop_all(bind=engine)
+    Base.metadata.create_all(bind=engine)
+    _migrate_users_must_change_password()
+    _migrate_users_token_version()
+    _migrate_users()
+    yield
+    Base.metadata.drop_all(bind=engine)
+
+
+@pytest.fixture(autouse=True)
+def reset_rate_limits():
+    from routers.auth import _ip_attempts, _login_attempts, _rate_lock
+    with _rate_lock:
+        _ip_attempts.clear()
+        _login_attempts.clear()
+    yield
+    with _rate_lock:
+        _ip_attempts.clear()
+        _login_attempts.clear()
+
+
+@pytest.fixture
+def client():
+    return TestClient(app, raise_server_exceptions=True)
+
+
+def _get_token(client):
+    """Retourne un token admin valide avec must_change_password=0."""
+    with engine.connect() as conn:
+        conn.execute(text("UPDATE users SET must_change_password=0 WHERE username='admin'"))
+        conn.commit()
+    r = client.post("/api/auth/login", data={"username": "admin", "password": "admin"})
+    return r.json()["access_token"]
+
+
+def _auth(token):
+    return {"Authorization": f"Bearer {token}"}
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-007 — Validation VlanCreate
+# ---------------------------------------------------------------------------
+
+class TestVlanValidation:
+    def test_vlan_id_out_of_range_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "vlan_id": 0}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_vlan_id_max_boundary_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "vlan_id": 4095}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_vlan_id_valid_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "vlan_id": 100, "color": "#AABBCC"}, headers=_auth(token))
+        assert r.status_code == 200
+
+    def test_vlan_empty_name_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "   "}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_vlan_invalid_cidr_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "cidr": "not-a-cidr"}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_vlan_valid_cidr_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "cidr": "192.168.1.0/24", "color": "#AABBCC"}, headers=_auth(token))
+        assert r.status_code == 200
+
+    def test_vlan_invalid_color_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "color": "blue"}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_vlan_valid_color_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/vlans/", json={"name": "Test", "color": "#1a2B3c"}, headers=_auth(token))
+        assert r.status_code == 200
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-007 — Validation DeviceCreate
+# ---------------------------------------------------------------------------
+
+class TestDeviceValidation:
+    def test_invalid_type_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": "srv", "type": "supercomputer"}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_valid_type_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": "srv", "type": "server"}, headers=_auth(token))
+        assert r.status_code == 200
+
+    def test_invalid_virt_type_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": "srv", "virt_type": "docker"}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_valid_virt_type_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": "srv", "virt_type": "lxc"}, headers=_auth(token))
+        assert r.status_code == 200
+
+    def test_invalid_url_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": "srv", "url": "ftp://bad"}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_valid_url_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": "srv", "url": "https://192.168.1.1:8006"}, headers=_auth(token))
+        assert r.status_code == 200
+
+    def test_empty_name_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={"name": ""}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_invalid_interface_ip_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={
+            "name": "srv",
+            "interfaces": [{"name": "eth0", "ip_address": "not-an-ip"}]
+        }, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_valid_interface_ip_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/devices/", json={
+            "name": "srv",
+            "interfaces": [{"name": "eth0", "ip_address": "10.0.0.1"}]
+        }, headers=_auth(token))
+        assert r.status_code == 200
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-006 — Validation discovery
+# ---------------------------------------------------------------------------
+
+class TestDiscoveryValidation:
+    def test_invalid_dns_server_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/discovery/scan", json={
+            "dns_server": "not-an-ip",
+            "targets": [{"vlan_id": 1, "cidr": "192.168.1.0/24"}]
+        }, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_invalid_ping_ip_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/discovery/ping", json={"ips": ["1.2.3.4", "bad-ip"]}, headers=_auth(token))
+        assert r.status_code == 422
+
+    def test_valid_ping_ips_accepted(self, client):
+        token = _get_token(client)
+        r = client.post("/api/discovery/ping", json={"ips": []}, headers=_auth(token))
+        assert r.status_code == 200
+
+    def test_scan_oversized_cidr_rejected(self, client):
+        token = _get_token(client)
+        r = client.post("/api/discovery/scan", json={
+            "dns_server": "8.8.8.8",
+            "targets": [{"vlan_id": 1, "cidr": "10.0.0.0/8"}]
+        }, headers=_auth(token))
+        assert r.status_code == 400
+
+    def test_scan_global_cap_rejected(self, client):
+        """Plusieurs targets dont le total dépasse MAX_HOSTS_TOTAL."""
+        token = _get_token(client)
+        r = client.post("/api/discovery/scan", json={
+            "dns_server": "8.8.8.8",
+            "targets": [
+                {"vlan_id": 1, "cidr": "10.0.0.0/22"},   # 1022 hôtes
+                {"vlan_id": 2, "cidr": "10.1.0.0/22"},   # 1022 hôtes
+                {"vlan_id": 3, "cidr": "10.2.0.0/22"},   # 1022 hôtes
+                {"vlan_id": 4, "cidr": "10.3.0.0/22"},   # 1022 hôtes
+                {"vlan_id": 5, "cidr": "10.4.0.0/22"},   # 1022 hôtes → total > 4096
+            ]
+        }, headers=_auth(token))
+        assert r.status_code == 400
+        assert "total" in r.json()["detail"].lower()
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-017 — Endpoint /api/links absent
+# ---------------------------------------------------------------------------
+
+class TestLinksEndpointRemoved:
+    def test_links_list_returns_404(self, client):
+        """Le routeur /api/links a été supprimé en phase 3."""
+        token = _get_token(client)
+        r = client.get("/api/links/", headers=_auth(token))
+        assert r.status_code == 404
+
+    def test_links_create_returns_404(self, client):
+        token = _get_token(client)
+        r = client.post("/api/links/", json={
+            "source_device_id": 1, "target_device_id": 2, "link_type": "trunk"
+        }, headers=_auth(token))
+        assert r.status_code == 404
+
+
+# ---------------------------------------------------------------------------
+# SEC-FIX-013 — PRAGMA foreign_keys=ON
+# ---------------------------------------------------------------------------
+
+class TestForeignKeys:
+    def test_foreign_keys_pragma_is_on(self):
+        """Vérifie que PRAGMA foreign_keys=ON est actif sur chaque connexion."""
+        with engine.connect() as conn:
+            result = conn.execute(text("PRAGMA foreign_keys")).fetchone()
+            assert result[0] == 1
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..29e72ac
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,71 @@
+services:
+  backend:
+    build: ./backend
+    user: "${DOCKER_UID:-1000}:${DOCKER_GID:-1000}"
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_RAW  # required for ICMP ping (discovery feature)
+    # no-new-privileges omitted: ping relies on file capabilities (cap_net_raw=ep).
+    volumes:
+      - ./db_data:/app/data
+    restart: unless-stopped
+    networks:
+      - internal
+    environment:
+      - SECRET_KEY=${SECRET_KEY}
+      - INITIAL_ADMIN_PASSWORD=${INITIAL_ADMIN_PASSWORD}
+      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-*}
+    # ── Docker secret alternative for SECRET_KEY ─────────────────────────────
+    # Instead of passing SECRET_KEY via environment, you can mount a secret file.
+    # The backend reads data/secret_key.txt when SECRET_KEY env var is unset.
+    #
+    # 1. Generate the secret:
+    #      python3 -c "import secrets; print(secrets.token_hex(32))" \
+    #        > ~/.secrets/topologie_secret_key
+    #      chmod 600 ~/.secrets/topologie_secret_key
+    #
+    # 2. Uncomment the blocks below and the top-level `secrets:` section,
+    #    then remove SECRET_KEY from .env.
+    #
+    #secrets:
+    #  - source: secret_key
+    #    target: /app/data/secret_key.txt
+    #    mode: 0400
+    healthcheck:
+      test: ["CMD", "python", "-c",
+             "import urllib.request; urllib.request.urlopen('http://localhost:8000/api/health')"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
+  frontend:
+    build: ./frontend
+    ports:
+      - "8080:8080"
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    depends_on:
+      backend:
+        condition: service_healthy
+    restart: unless-stopped
+    networks:
+      - internal
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:8080/"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+networks:
+  internal:
+    driver: bridge
+
+# ── Docker secret (uncomment to use — see backend service above) ─────────────
+#secrets:
+#  secret_key:
+#    file: ~/.secrets/topologie_secret_key
diff --git a/docs/architecture.md b/docs/architecture.md
new file mode 100644
index 0000000..cbee789
--- /dev/null
+++ b/docs/architecture.md
@@ -0,0 +1,103 @@
+# Architecture
+
+## Overview
+
+Stupid Simple Network Inventory is a self-hosted web application for manual network inventory and logical topology visualisation. There is no auto-discovery of topology — only ICMP reachability scanning. All data is entered manually.
+
+## Request Flow
+
+```
+Browser
+  │
+  │  HTTP :8080
+  ▼
+┌─────────────────────────────────────┐
+│  Nginx (frontend container)         │
+│  serves /usr/share/nginx/html       │
+│                                     │
+│  location /api/ → proxy_pass        │
+│           http://backend:8000/api/  │
+└──────────────────┬──────────────────┘
+                   │  HTTP :8000 (Docker internal network)
+                   ▼
+┌─────────────────────────────────────┐
+│  FastAPI (backend container)        │
+│  uvicorn 0.0.0.0:8000               │
+│                                     │
+│  /app/data/ (bind mount)            │
+│    topology.db  ← SQLite            │
+│    secret_key.txt ← JWT secret      │
+└─────────────────────────────────────┘
+```
+
+## Docker Compose
+
+Two services defined in `docker-compose.yml`:
+
+| Resource | Type | Notes |
+|----------|------|-------|
+| `backend` | service | Python 3.11-slim, runs as `DOCKER_UID:DOCKER_GID` (host user), `cap_drop: ALL`, `cap_add: NET_RAW` |
+| `frontend` | service | Multi-stage (Vite → `nginxinc/nginx-unprivileged`), UID 101, `cap_drop: ALL`, `no-new-privileges`, exposes `:8080` |
+
+`./db_data:/app/data` is a bind mount. The backend process runs with the same UID/GID as the host user owning `./db_data/` (set via `DOCKER_UID`/`DOCKER_GID` in `.env`). Pre-create the directory before the first run: `mkdir -p db_data`.
+
+Both containers share an internal Docker bridge network (`internal`). The browser never communicates directly with the backend — all API traffic goes through Nginx.
+
+## Build Pipeline
+
+**Backend** (`backend/Dockerfile`):
+1. `python:3.11-slim` base
+2. Install `iputils-ping` (required for ICMP subprocess calls)
+3. `pip install -r requirements.txt`
+4. Start with `uvicorn main:app --host 0.0.0.0 --port 8000`
+
+**Frontend** (`frontend/Dockerfile`):
+1. Stage 1: `node:20-alpine` — runs `vite build`, outputs to `/app/dist`
+2. Stage 2: `nginx:alpine` — copies `/app/dist` to `/usr/share/nginx/html`, copies `nginx.conf`
+
+## Startup Sequence (backend)
+
+`main.py` runs synchronously at import time before the ASGI app is created:
+
+1. `_migrate_vlan_nullable()` — idempotent DDL fix for vlans table
+2. `_migrate_device_virt_type()` — adds column if missing
+3. `_migrate_device_url()` — adds column if missing
+4. `_migrate_users()` — creates users table + seeds admin account
+5. `Base.metadata.create_all(bind=engine)` — creates any missing tables
+6. FastAPI app instance created, routers registered
+
+This ordering ensures migrations never run against an uninitialised schema.
+
+## Authentication Architecture
+
+```
+LoginPage.vue
+  │  POST /api/auth/login (form-urlencoded)
+  │  ← { access_token, token_type, username, must_change_password }
+  │
+  ▼
+auth.js (setAuth)
+  stores token + username + mustChangePassword in localStorage
+  ─────────────────────────────────────────────────────────────
+  isAuthenticated    (computed ref) ← App.vue reads this
+  mustChangePassword (computed ref) ← App.vue shows AccountModal :forced when true
+  getToken() ← api.js reads this per request
+
+App.vue template guard:
+  !isAuthenticated     → <LoginPage>
+  mustChangePassword   → <AccountModal :forced="true">  (blocks the app)
+  else                 → full application
+
+api.js (axios interceptor)
+  every request → Authorization: Bearer <token>
+  every 401 response (if token existed) → clearAuth() + reload
+```
+
+The JWT payload is `{ sub: username, ver: token_version, exp: <24h> }`, signed with HS256.
+The secret is loaded from `data/secret_key.txt` (auto-generated on first run, permissions 0600) or `SECRET_KEY` env var.
+
+Password change invalidates previous tokens immediately via `token_version` bump.
+
+## Persistence
+
+All state is in SQLite at `./db_data/topology.db`. There is no caching layer, no background jobs, no message queue. The only writable files at runtime are `topology.db` and `secret_key.txt`, both in the bind-mounted `./db_data/` directory on the host.
diff --git a/docs/backend.md b/docs/backend.md
new file mode 100644
index 0000000..1d32e73
--- /dev/null
+++ b/docs/backend.md
@@ -0,0 +1,273 @@
+# Backend Reference
+
+## Entry Point — `main.py`
+
+FastAPI application. Four router groups protected by `require_password_changed` (which implies `get_current_user` + rejects users with `must_change_password=True`).
+
+```python
+app.include_router(auth_router,    prefix="/api/auth",      tags=["auth"])
+app.include_router(vlans.router,   prefix="/api/vlans",     dependencies=[Depends(require_password_changed)])
+app.include_router(devices.router, prefix="/api/devices",   dependencies=[Depends(require_password_changed)])
+app.include_router(discovery.router, prefix="/api/discovery", dependencies=[Depends(require_password_changed)])
+```
+
+`GET /api/health` returns `{"status": "ok"}` — public, intentionally minimal (no sensitive detail).
+
+**CORS**: controlled by the `ALLOWED_ORIGINS` environment variable (default `"*"`). Set to your domain in production or leave empty to disable CORS headers (same-origin via proxy).
+
+---
+
+## API Endpoints
+
+### Auth — `/api/auth`
+
+#### `POST /api/auth/login`
+- **Auth**: None
+- **Content-Type**: `application/x-www-form-urlencoded`
+- **Body**: `username=<str>&password=<str>`
+- **Response**: `{ access_token: str, token_type: "bearer", username: str, must_change_password: bool }`
+- **Errors**: 401 if credentials invalid, 429 if rate-limited (IP or username)
+
+#### `PUT /api/auth/account`
+- **Auth**: Bearer token (works even when `must_change_password=True`)
+- **Body** (JSON): `{ current_password: str, new_username?: str, new_password?: str }`
+- **Response**: `{ access_token: str, token_type: "bearer", username: str, must_change_password: bool }` (new token)
+- **Errors**: 400 `"Current password is incorrect"`, 400 `"Username already taken"`, 400 `"password_too_short"`, 400 `"password_too_weak"`, 400 `"username_invalid"`
+- **Note**: changing the password bumps `token_version`, invalidating all previously issued tokens.
+
+#### `GET /api/auth/me`
+- **Auth**: Bearer token
+- **Response**: `{ username: str, must_change_password: bool }`
+
+---
+
+### VLANs — `/api/vlans`
+
+All endpoints require auth.
+
+#### `GET /api/vlans/`
+Returns all networks sorted: LANs first (NULL `vlan_id`), then VLANs ascending by `vlan_id`.
+
+```json
+[{ "id": 1, "vlan_id": null, "name": "LAN", "cidr": "192.168.1.0/24", "color": "#4A90D9" }]
+```
+
+#### `POST /api/vlans/`
+Creates a network. `vlan_id` is optional — omit for a plain LAN.
+
+#### `PUT /api/vlans/{id}`
+Full replacement of a network record.
+
+#### `DELETE /api/vlans/{id}`
+Deletes the network. SQLAlchemy cascades: associated `DeviceInterface` rows will lose their `vlan_id` FK (set to NULL, since the column is nullable).
+
+---
+
+### Devices — `/api/devices`
+
+All endpoints require auth.
+
+#### `GET /api/devices/`
+Returns all devices with their interfaces, ordered by name.
+
+```json
+[{
+  "id": 1,
+  "name": "proxmox-01",
+  "type": "server",
+  "description": "Proxmox hypervisor",
+  "is_gateway": false,
+  "is_livebox": false,
+  "virt_type": "baremetal",
+  "url": "https://proxmox.local:8006",
+  "interfaces": [
+    { "id": 1, "device_id": 1, "vlan_id": 2, "ip_address": "192.168.10.5", "name": "eth0", "is_upstream": false }
+  ]
+}]
+```
+
+#### `POST /api/devices/`
+Creates device with its interfaces in a single transaction (`flush` + batch insert + `commit`).
+
+#### `PUT /api/devices/{id}`
+Replaces the device and its interfaces: existing interfaces are deleted, new ones inserted.
+
+#### `DELETE /api/devices/{id}`
+Deletes device and its interfaces (cascade via SQLAlchemy `delete-orphan`).
+
+**Important**: when adding a new field to `Device`, update all four of: `models.py`, `_migrate_*` in `main.py`, `DeviceCreate`/`DeviceOut` in `routers/devices.py`, and the explicit assignments in `create_device` / `update_device`. Do not rely on `**model_dump()` to populate the ORM object — it will silently drop new fields.
+
+---
+
+### Discovery — `/api/discovery`
+
+All endpoints require auth.
+
+#### `POST /api/discovery/ping`
+Parallel ICMP ping of a list of IPs, 50 concurrent workers.
+
+```json
+// Request
+{ "ips": ["192.168.1.1", "192.168.1.2"] }
+
+// Response
+[{ "ip": "192.168.1.1", "alive": true }, { "ip": "192.168.1.2", "alive": false }]
+```
+
+Uses `subprocess.run(["ping", "-c", "1", "-W", "1", ip])`. Requires `cap_add: NET_RAW` on the container (already configured in `docker-compose.yml`).
+
+#### `POST /api/discovery/scan`
+Ping sweep + DNS PTR reverse lookup for one or more CIDR ranges.
+
+```json
+// Request
+{
+  "dns_server": "192.168.1.1",
+  "targets": [
+    { "vlan_id": 1, "cidr": "192.168.1.0/24" }
+  ]
+}
+
+// Response
+{
+  "hosts": [{ "ip": "192.168.1.5", "hostname": "nas.local", "vlan_id": 1, "cidr": "192.168.1.0/24" }],
+  "total_scanned": 254,
+  "duration_s": 3.2
+}
+```
+
+Maximum 1024 hosts per target (rejects /21 and wider). 100 concurrent workers. DNS queries use `dnspython` with a 1s timeout.
+
+---
+
+## Database — `database.py`
+
+```python
+engine = create_engine("sqlite:///./data/topology.db", connect_args={"check_same_thread": False})
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+Base = declarative_base()
+
+def get_db():          # FastAPI dependency
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+```
+
+`check_same_thread=False` is required for SQLite under a multi-threaded ASGI server. The `data/` directory is created at module import time.
+
+---
+
+## Models — `models.py`
+
+### User
+```python
+class User(Base):
+    __tablename__ = "users"
+    id                   = Column(Integer, primary_key=True)
+    username             = Column(String, unique=True, nullable=False)
+    hashed_password      = Column(String, nullable=False)
+    must_change_password = Column(Boolean, nullable=False, default=False, server_default="0")
+    token_version        = Column(Integer, nullable=False, default=1, server_default="1")
+```
+
+`must_change_password`: set to `True` when admin is bootstrapped with the default password. Clears to `False` on successful `PUT /api/auth/account` with a new password.
+
+`token_version`: incremented on every password change. Included in JWT payload as `ver`. A token is rejected if its `ver` differs from the current `token_version`.
+
+### Vlan
+```python
+class Vlan(Base):
+    __tablename__ = "vlans"
+    id      = Column(Integer, primary_key=True)
+    vlan_id = Column(Integer, unique=True, nullable=True)   # NULL = plain LAN
+    name    = Column(String, nullable=False)
+    cidr    = Column(String, nullable=True, default="")
+    color   = Column(String, default="#4A90D9")
+    interfaces = relationship("DeviceInterface", back_populates="vlan")
+```
+
+### Device
+```python
+class Device(Base):
+    __tablename__ = "devices"
+    id          = Column(Integer, primary_key=True)
+    name        = Column(String, nullable=False)
+    type        = Column(String, default="other")
+    description = Column(String, default="")
+    is_gateway  = Column(Boolean, default=False)
+    is_livebox  = Column(Boolean, default=False)
+    virt_type   = Column(String, nullable=True)   # null | baremetal | lxc | qemu
+    url         = Column(String, nullable=True)
+    interfaces  = relationship("DeviceInterface", back_populates="device", cascade="all, delete-orphan")
+```
+
+### DeviceInterface
+```python
+class DeviceInterface(Base):
+    __tablename__ = "device_interfaces"
+    id         = Column(Integer, primary_key=True)
+    device_id  = Column(Integer, ForeignKey("devices.id"), nullable=False)
+    vlan_id    = Column(Integer, ForeignKey("vlans.id"), nullable=True)
+    ip_address = Column(String, nullable=True, default="")
+    name       = Column(String, default="eth0")
+    is_upstream = Column(Boolean, default=False)
+```
+
+---
+
+## Auth — `routers/auth.py`
+
+Key details for maintainers:
+
+- **Secret key**: loaded from `data/secret_key.txt` (auto-generated with `secrets.token_hex(32)`, permissions 0600) or `SECRET_KEY` env var. Same Docker volume as the database — survives restarts. See README for rotation procedure.
+- **Token**: HS256 JWT, payload `{ sub: username, ver: token_version, exp: utcnow + 24h }`.
+- **Token invalidation**: changing the password increments `User.token_version`. `get_current_user` rejects any token whose `ver` differs from the DB value → immediate invalidation of all old sessions on password change.
+- **Password hashing**: `passlib.CryptContext` with `bcrypt`. `requirements.txt` pins `bcrypt==3.2.2` because `passlib 1.7.4` is incompatible with `bcrypt >= 4.0`.
+- **`get_current_user`**: validates JWT + token version. Returns the `User` ORM object, or raises 401.
+- **`require_password_changed`**: wraps `get_current_user`, raises 403 if `must_change_password=True`. Used as the dependency for all business routers.
+- **Rate limiting**: 20 attempts/IP/60s and 10 attempts/username/15min (in-memory). Complemented by Nginx `limit_req` (10 req/min per IP, burst 5) on the login endpoint.
+
+---
+
+## Migrations — `main.py`
+
+All migration functions follow this idempotent pattern:
+
+```python
+def _migrate_example():
+    with engine.connect() as conn:
+        # 1. Bail out if table doesn't exist yet
+        if not conn.execute(text("SELECT name FROM sqlite_master WHERE type='table' AND name='table_name'")).fetchone():
+            return
+        # 2. Check if work is needed
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(table_name)")).fetchall()]
+        if 'new_column' not in cols:
+            conn.execute(text("ALTER TABLE table_name ADD COLUMN new_column VARCHAR"))
+            conn.commit()
+```
+
+For table recreation (when SQLite cannot ALTER COLUMN), the pattern is:
+1. Create `table_new` with the desired schema
+2. `INSERT INTO table_new SELECT ... FROM table`
+3. `DROP TABLE table`
+4. `ALTER TABLE table_new RENAME TO table`
+5. Wrap in `PRAGMA foreign_keys=OFF/ON`
+
+Always call `conn.commit()` explicitly — SQLAlchemy 2.0 does not auto-commit DDL on SQLite.
+
+The `_migrate_users()` function has a two-phase check: table existence, then `COUNT(*) = 0` for seeding. This handles the edge case where `create_all` created the table empty before the migration ran.
+
+`_migrate_force_admin_password_change()` is the "catch-up" migration for existing installations: if the admin account uses the default bootstrap password ("admin") and `must_change_password=0`, it sets `must_change_password=1`. This runs at every startup and is idempotent.
+
+**Startup call order** (as of phase 3):
+1. `_migrate_vlan_nullable()`
+2. `_migrate_device_virt_type()`
+3. `_migrate_device_url()`
+4. `_migrate_users_must_change_password()`
+5. `_migrate_users_token_version()`
+6. `_migrate_force_admin_password_change()`
+7. `_migrate_drop_links_table()` — drops the `links` table if it exists (feature removed in phase 3)
+8. `_migrate_users()`
+9. `Base.metadata.create_all(bind=engine)`
diff --git a/docs/data-model.md b/docs/data-model.md
new file mode 100644
index 0000000..9365769
--- /dev/null
+++ b/docs/data-model.md
@@ -0,0 +1,124 @@
+# Data Model
+
+## Schema Overview
+
+```
+users
+  id PK
+  username UNIQUE NOT NULL
+  hashed_password NOT NULL
+
+vlans
+  id PK
+  vlan_id UNIQUE NULL          ← NULL = plain LAN (no 802.1Q tag)
+  name NOT NULL
+  cidr NULL
+  color NULL
+
+devices
+  id PK
+  name NOT NULL
+  type
+  description
+  is_gateway BOOL
+  is_livebox BOOL
+  virt_type NULL               ← null | baremetal | lxc | qemu
+  url NULL
+
+device_interfaces
+  id PK
+  device_id FK → devices.id NOT NULL
+  vlan_id FK → vlans.id NULL   ← NULL = no network assignment
+  ip_address NULL
+  name
+  is_upstream BOOL
+
+links
+  id PK
+  source_device_id FK → devices.id NOT NULL
+  target_device_id FK → devices.id NOT NULL
+  link_type
+  description
+```
+
+## Relationships
+
+- `Device` 1 → N `DeviceInterface` (cascade delete-orphan)
+- `Vlan` 1 → N `DeviceInterface` (nullable FK — deleting a VLAN sets `vlan_id` to NULL on its interfaces)
+- `Link` references `Device` twice (source, target) — links are deleted explicitly in `delete_device` before removing the device
+
+## Key Design Decisions
+
+### `vlan_id` is nullable
+
+A network with `vlan_id = NULL` is a plain LAN without 802.1Q tagging. This allows modelling both tagged and untagged networks in the same table. The UI distinguishes them with "LAN" vs "VLAN X" badges.
+
+The `vlans` table was originally created with `vlan_id NOT NULL`. The migration `_migrate_vlan_nullable()` recreates it (SQLite cannot `ALTER COLUMN`).
+
+### Interfaces as a separate table
+
+A device can belong to multiple networks simultaneously. The `device_interfaces` table is a join table with extra attributes (IP, name, is_upstream). A device appears in every topology card that corresponds to one of its interfaces.
+
+### `is_gateway` and `is_livebox`
+
+These boolean flags drive the special WAN and Gateway cards in the topology view. They are independent of network membership — a gateway device can also have interfaces in various VLANs.
+
+### No foreign key enforcement at the SQLite level
+
+SQLAlchemy's `ForeignKey` declarations define the schema, but SQLite does not enforce FK constraints unless `PRAGMA foreign_keys=ON` is set per-connection. The application does not enable this pragma, so referential integrity is maintained by application logic (explicit deletes in the routers).
+
+## SQLite Migrations
+
+Migrations are idempotent Python functions that run at startup before `Base.metadata.create_all`. They check for the presence of columns or tables before acting, so they are safe to run on every container start.
+
+Pattern for adding a nullable column:
+```python
+def _migrate_my_column():
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='devices'"
+        )).fetchone():
+            return
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(devices)")).fetchall()]
+        if 'my_column' not in cols:
+            conn.execute(text("ALTER TABLE devices ADD COLUMN my_column VARCHAR"))
+            conn.commit()
+```
+
+## Device Types
+
+18 valid values for `devices.type`:
+
+| Value | Description |
+|-------|-------------|
+| `server` | Physical or virtual server |
+| `switch` | Network switch |
+| `router` | Network router |
+| `nas` | Network-attached storage |
+| `gateway` | Internet gateway / firewall |
+| `livebox` | ISP-provided box (WAN) |
+| `access_point` | Wi-Fi access point |
+| `camera` | IP camera |
+| `temperature` | Temperature sensor |
+| `sensor` | Generic sensor |
+| `hub` | Network hub |
+| `smart_plug` | Smart power plug |
+| `alarm` | Alarm system |
+| `light` | Smart light |
+| `doorbell` | Smart doorbell |
+| `desktop` | Desktop computer |
+| `laptop` | Laptop computer |
+| `other` | Anything else |
+
+`url` is hidden in the device form for `desktop` and `laptop` — these types have no web UI.
+
+## Virtualisation Types
+
+`devices.virt_type` valid values:
+
+| Value | Display | Badge |
+|-------|---------|-------|
+| `null` | (not shown) | — |
+| `baremetal` | Bare metal | — |
+| `lxc` | LXC container | blue "LXC" |
+| `qemu` | QEMU/KVM VM | purple "VM" |
diff --git a/docs/extending.md b/docs/extending.md
new file mode 100644
index 0000000..d1d4f7b
--- /dev/null
+++ b/docs/extending.md
@@ -0,0 +1,185 @@
+# Extending the Application
+
+## Add a Field to `Device`
+
+Every new Device field requires changes in four places. Missing any one of them will cause data loss or silent failures.
+
+### 1. `backend/models.py`
+
+Add the column to the `Device` class:
+
+```python
+my_field = Column(String, nullable=True)
+```
+
+### 2. `backend/main.py`
+
+Add an idempotent migration function and call it before `Base.metadata.create_all`:
+
+```python
+def _migrate_device_my_field():
+    with engine.connect() as conn:
+        if not conn.execute(text(
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='devices'"
+        )).fetchone():
+            return
+        cols = [row[1] for row in conn.execute(text("PRAGMA table_info(devices)")).fetchall()]
+        if 'my_field' not in cols:
+            conn.execute(text("ALTER TABLE devices ADD COLUMN my_field VARCHAR"))
+            conn.commit()
+
+# Add the call at the bottom of the startup sequence:
+_migrate_device_my_field()
+```
+
+### 3. `backend/routers/devices.py`
+
+Add to both Pydantic models:
+
+```python
+class DeviceCreate(BaseModel):
+    my_field: Optional[str] = None
+
+class DeviceOut(BaseModel):
+    my_field: Optional[str] = None
+```
+
+Then assign explicitly in both `create_device` and `update_device`:
+
+```python
+db_device = models.Device(
+    ...
+    my_field=device.my_field,
+)
+```
+
+Do **not** use `**device.model_dump()` to populate the ORM object — it silently ignores any field not present in the constructor keyword args.
+
+### 4. Frontend
+
+Add the field to the device form in `DeviceManager.vue` and display it where needed (chip in `TopologyGraph.vue`, card in `DeviceManager.vue`). Add any new i18n keys to all three locales in `i18n.js`.
+
+---
+
+## Add a New API Route Group
+
+1. Create `backend/routers/myrouter.py` following the pattern of `vlans.py` or `devices.py`.
+2. Import and register in `backend/main.py`:
+   ```python
+   from routers import myrouter
+   app.include_router(myrouter.router, prefix="/api/myroutes", tags=["myroutes"],
+                      dependencies=[Depends(get_current_user)])
+   ```
+3. Add the corresponding API object in `frontend/src/api.js`:
+   ```javascript
+   export const myApi = {
+     list:   ()         => http.get('/myroutes/'),
+     create: (data)     => http.post('/myroutes/', data),
+     remove: (id)       => http.delete(`/myroutes/${id}`),
+   }
+   ```
+
+---
+
+## Add a New i18n Key
+
+1. Open `frontend/src/i18n.js`.
+2. Add the key to all three locale objects (`fr`, `en`, `es`).
+3. Use `t('myKey')` in the template.
+
+For interpolation:
+```javascript
+// i18n.js
+fr: { myMsg: "Il y a {0} équipements dans {1}" }
+
+// template
+{{ tFmt('myMsg', devices.length, vlan.name) }}
+```
+
+---
+
+## Add a Language
+
+1. In `frontend/src/i18n.js`, add a new locale object with all existing keys translated.
+2. Add the language code to the valid values type/comment.
+3. In `App.vue`, add a pill button to the language switcher:
+   ```html
+   <button :class="{ active: locale === 'de' }" @click="setLocale('de')">de</button>
+   ```
+
+---
+
+## Add a Brand Icon
+
+Supported brands are detected by keyword-matching device name and description.
+
+1. Find the Simple Icons export name:
+   ```bash
+   cd frontend
+   node -e "const si = require('./node_modules/simple-icons'); console.log(Object.keys(si).filter(k => k.toLowerCase().includes('yourterm')))"
+   ```
+2. In `frontend/src/brandIcons.js`, import the icon:
+   ```javascript
+   import { siYourbrand } from 'simple-icons'
+   ```
+3. Add an entry to the `BRANDS` array:
+   ```javascript
+   {
+     id: 'yourbrand',
+     name: 'YourBrand',
+     keywords: ['yourbrand', 'alternate-name'],
+     hex: siYourbrand.hex,
+     path: siYourbrand.path,
+   }
+   ```
+
+`keywords` are matched case-insensitively against the device `name` and `description` fields.
+
+---
+
+## Add a Vue Component
+
+1. Create `frontend/src/components/MyComponent.vue` using `<script setup>` syntax.
+2. Use CSS custom properties for all colors (see `docs/frontend.md` for the variable list).
+3. Use `t('key')` for all visible strings — never hardcode text.
+4. For dark-mode scoped overrides, put the full selector inside `:global()`:
+   ```css
+   :global(html.dark .my-component) { background: #1E293B; }
+   ```
+5. Import and use in `App.vue` or the relevant parent component.
+
+---
+
+## Change the Default Admin Password
+
+The admin account is seeded by `_migrate_users()` only when the `users` table is empty. To reset credentials on a running instance, use the account settings modal in the UI (sidebar footer → account icon).
+
+To reset programmatically (e.g., locked out):
+
+```bash
+docker compose exec backend python3 -c "
+from database import engine
+from sqlalchemy import text
+from passlib.context import CryptContext
+pwd = CryptContext(schemes=['bcrypt'], deprecated='auto')
+with engine.connect() as conn:
+    conn.execute(text(\"UPDATE users SET hashed_password=:h WHERE username='admin'\"), {'h': pwd.hash('newpassword')})
+    conn.commit()
+"
+```
+
+---
+
+## Upgrade Dependencies
+
+### Backend Python packages
+
+Check for passlib/bcrypt compatibility before upgrading:
+- `passlib 1.7.4` requires `bcrypt < 4.0` — see `requirements.txt` for the pin.
+- If upgrading passlib, verify the new version supports the installed bcrypt before removing the pin.
+
+### Frontend npm packages
+
+`simple-icons` has breaking changes between major versions (icon names and SVG paths change). Pin the major version in `package.json` and test brand detection after upgrading.
+
+`lucide-vue-next` is generally backwards-compatible but icons are occasionally renamed or removed.
diff --git a/docs/frontend.md b/docs/frontend.md
new file mode 100644
index 0000000..d6670c1
--- /dev/null
+++ b/docs/frontend.md
@@ -0,0 +1,262 @@
+# Frontend Reference
+
+## Stack
+
+- **Vue 3** (Composition API, `<script setup>`)
+- **Vite 5** (build + dev server)
+- **Axios** (HTTP client)
+- **lucide-vue-next** (generic UI icons)
+- **simple-icons** (brand logos as inline SVG)
+
+No Pinia, no Vue Router (single page, tab switching via reactive state in `App.vue`).
+
+---
+
+## Module Inventory
+
+### `src/main.js`
+Minimal entry point: creates the Vue app and mounts it to `#app`.
+
+---
+
+### `src/auth.js`
+
+Reactive authentication state. All consuming components import from here — there is no Vuex/Pinia store.
+
+```javascript
+// Exports
+isAuthenticated  // computed ref<boolean> — true if token is present
+currentUsername  // computed ref<string | null>
+
+setAuth(token, username)   // stores in reactive refs + localStorage
+clearAuth()                // clears refs + localStorage
+getToken()                 // returns raw token string (used by api.js interceptor)
+```
+
+State is initialised from `localStorage` at module load, so auth survives page refreshes.
+
+---
+
+### `src/api.js`
+
+Thin axios wrapper. All requests go to `/api` (relative URL, proxied by Nginx).
+
+**Request interceptor**: injects `Authorization: Bearer <token>` if `getToken()` is non-null.
+
+**Response interceptor**: on 401, calls `clearAuth()` and reloads the page — but only if a token was present (avoids an infinite reload loop if the login endpoint itself returns 401).
+
+```javascript
+// Named exports
+authApi     // login, updateAccount, me
+vlansApi    // list, create, update, remove
+devicesApi  // list, create, update, remove
+linksApi    // list, create, remove
+discoveryApi // scan, ping
+```
+
+`authApi.login` sends `application/x-www-form-urlencoded` (required by FastAPI's `OAuth2PasswordRequestForm`). All other calls use JSON.
+
+---
+
+### `src/i18n.js`
+
+Simple key-based i18n, no external library.
+
+```javascript
+// Exports
+locale      // ref<'fr'|'en'|'es'> — persisted in localStorage, default 'fr'
+setLocale(lang)
+t(key)      // returns translation, fallback to 'fr', then raw key
+tFmt(key, ...args)  // t() with {0}, {1}, ... interpolation
+```
+
+Translations are plain objects keyed by locale code. To add a key: add it to all three locale objects. To add a language: add a new locale object and add the code to the switcher pills in `App.vue`.
+
+**Rule**: every visible string in a template must use `t('key')`. Never hardcode text.
+
+---
+
+### `src/theme.js`
+
+```javascript
+// Exports
+theme        // ref<'light'|'dark'> — persisted in localStorage, default 'light'
+toggleTheme()
+```
+
+Applies/removes the `html.dark` class on `document.documentElement`. All dark-mode styling is driven by CSS custom properties defined in `App.vue`'s global `<style>`.
+
+---
+
+### `src/brandIcons.js`
+
+```javascript
+// Exports
+BRANDS            // array of { id, name, keywords[], hex, path }
+detectBrands(name, description)  // returns BRANDS entries matching the device
+```
+
+`detectBrands` is a pure function — it takes name and description strings and returns all matching brand objects. It is called in both `DeviceIcon.vue` and `DeviceManager.vue`.
+
+To add a brand:
+1. Check the `simple-icons` export name: `node -e "const si = require('./node_modules/simple-icons'); console.log(Object.keys(si).filter(k => k.toLowerCase().includes('yourterm')))"`
+2. Import `si<Name>` from `simple-icons`
+3. Add an entry to `BRANDS`: `{ id: 'yourbrand', name: 'YourBrand', keywords: ['keyword1', 'keyword2'], hex: si<Name>.hex, path: si<Name>.path }`
+
+---
+
+## Component Inventory
+
+### `App.vue`
+
+Global layout and state. Single-file, no sub-layouts.
+
+**Auth guard**: `v-if="!isAuthenticated"` renders `<LoginPage>`, `v-else` renders the main layout. The template is wrapped in `<div class="app-root">` (`display: flex; flex-direction: column; min-height: 100vh`) — single root node to prevent a Firefox autofill overlay bug on Vue fragment comment nodes. Do **not** use `display: contents` here: Firefox fails to update click hit-testing after a child replacement inside a `display: contents` element, causing buttons to be unclickable after login.
+
+**Global state** (reactive refs at the top of `<script setup>`):
+- `vlans` — array loaded from `GET /api/vlans/`
+- `devices` — array loaded from `GET /api/devices/`
+- `activeTab` — `'topology' | 'devices' | 'vlans'`
+
+**Auth functions**: `onLogin({ token, username })`, `onAccountUpdated({ token, username })`, `logout()` — all call `setAuth`/`clearAuth` from `auth.js`.
+
+**CSS variables** are defined here in the global (non-scoped) `<style>` block:
+- `:root` — light theme
+- `html.dark` — dark theme overrides
+
+---
+
+### `LoginPage.vue`
+
+Full-screen centered login card. No router navigation — it is shown/hidden by `App.vue`'s auth guard.
+
+**Props**: none  
+**Emits**: `login` with payload `{ token: string, username: string }`
+
+Calls `authApi.login(username, password)`. On success, emits the token. On failure, shows a localised error message.
+
+---
+
+### `AccountModal.vue`
+
+Modal for changing username and/or password.
+
+**Props**: none (reads `currentUsername` directly from `auth.js`)  
+**Emits**: `close`, `updated` with payload `{ token: string, username: string }`
+
+Fields: new username (optional), new password (optional), confirm password (shown only when new password is typed), current password (always required).
+
+Calls `authApi.updateAccount({ current_password, new_username?, new_password? })`. On success, emits the new token so `App.vue` can refresh auth state.
+
+---
+
+### `TopologyGraph.vue`
+
+Topology view. CSS cards only — no SVG, no Cytoscape.
+
+**Props**: `vlans[]`, `devices[]`  
+**Emits**: none (read-only view)
+
+**Layout**:
+```
+toolbar (Ping button + up/down counter)
+├── WAN card (is_livebox devices)
+├── Gateway card (is_gateway devices)
+├── [one card per network, sorted: LANs first then VLANs ascending]
+└── Unassigned card (no interface, not livebox, not gateway)
+```
+
+Inside each card, devices are sorted by IP address ascending. Devices with no IP go last. A device appears in every card that matches one of its interfaces.
+
+Each device is rendered as a **chip** — a compact tile with:
+- Left: type icon (Lucide, always, `typeOnly` prop)
+- Center: name + IP pill + interface name + brand SVG logos (11px)
+- Right tags column: Link (green, `<a>`) | GW | LXC | VM | ping dot
+
+**Ping**: `POST /api/discovery/ping` with all known IPs. Populates `pingResults` reactive map `{ ip → alive }`. A device is "up" if any of its IPs maps to `alive: true`.
+
+**Dark mode CSS**: scoped styles use `:global(html.dark .special-wan)` etc. The full selector must be inside `:global()` — Vue's scoped CSS transformer does not resolve descendant selectors after the closing parenthesis.
+
+---
+
+### `DeviceIcon.vue`
+
+**Props**: `device` (object with `name`, `description`, `type`), `typeOnly` (boolean, default false)
+
+- `typeOnly: false` — shows brand SVG logo(s) if `detectBrands()` finds a match, else falls back to the Lucide type icon. Used in topology chips.
+- `typeOnly: true` — always shows the Lucide type icon. Used in DeviceManager cards.
+
+Lucide icon is selected by a `type → component` map covering all 18 device types.
+
+---
+
+### `DeviceManager.vue`
+
+CRUD view for devices. Presented as a card list.
+
+**Props**: `vlans[]`, `devices[]`  
+**Emits**: `refresh` (triggers parent reload of both vlans and devices)
+
+**Filter bar** (28px height):
+- Free-text search (name, description, IP) — cleared by Escape
+- Type multi-select (only types present in data)
+- Network dropdown (color swatch + name)
+- Brand dropdown (SVG icon + name, alphabetical)
+- Virt dropdown (only shown if at least one device has a `virt_type`)
+
+Filters combine with AND across categories, OR within. Active filter shows `X / total` counter and a "Clear" button.
+
+`deviceTypes` is a `computed` (not a constant) so labels re-render on locale change.
+
+**Form**: inline panel (not a modal). Supports add and edit. Interfaces are managed as a sub-list within the same form.
+
+---
+
+### `VlanManager.vue`
+
+CRUD view for networks (VLANs and plain LANs).
+
+**Props**: `vlans[]`  
+**Emits**: `refresh`
+
+`vlan_id` is optional. If omitted, the network is a plain LAN (badge "LAN"). If provided, it is a VLAN (badge "VLAN X"). Color picker included. CIDR is a free-text field with no validation.
+
+---
+
+### `DiscoveryModal.vue`
+
+Auto-discovery modal: ping sweep + DNS PTR lookup.
+
+**Props**: `vlans[]`  
+**Emits**: `close`, `import(hosts[])` — parent handles inserting discovered hosts
+
+Lets the user select VLANs to scan and configure the DNS server. Shows progress and results. Discovered hosts can be selectively imported.
+
+---
+
+## CSS Conventions
+
+All background, text, and border colors use CSS custom properties from `App.vue`:
+
+```
+--bg-page, --bg-card, --bg-card-hover, --bg-input
+--bg-thead, --bg-chip, --bg-chip-hover
+--border, --border-strong
+--text-primary, --text-secondary, --text-muted, --text-faint
+--chip-ip-bg, --chip-ip-color
+--modal-overlay, --shadow-card, --shadow-modal, --shadow-drop
+```
+
+**Exceptions** (hardcoded hex is acceptable):
+- Device type icon colors in chips (semantic, theme-independent)
+- VLAN badge background colors
+- Auth feedback colors (`#EF4444` red, `#15803D` green) with dark overrides via `:global(html.dark .class)`
+
+**Dark-mode scoped override syntax**:
+```css
+/* CORRECT */
+:global(html.dark .my-component .child) { color: red; }
+
+/* WRONG — Vue does not resolve descendants after :global() closing paren */
+:global(html.dark) .my-component .child { color: red; }
+```
diff --git a/docs/index.md b/docs/index.md
new file mode 100644
index 0000000..a6a3bc5
--- /dev/null
+++ b/docs/index.md
@@ -0,0 +1,22 @@
+# Documentation
+
+## Contents
+
+- [architecture.md](architecture.md) — System overview, Docker setup, request flow, startup sequence
+- [backend.md](backend.md) — All API endpoints, ORM models, auth system, migration patterns
+- [frontend.md](frontend.md) — Vue 3 module inventory, component reference, CSS conventions
+- [data-model.md](data-model.md) — Database schema, relationships, device types, migration patterns
+- [extending.md](extending.md) — Cookbooks: add a device field, API route, i18n key, brand icon, component
+
+## Quick Reference
+
+| Task | File |
+|------|------|
+| Add a field to Device | [extending.md → Add a Field to Device](extending.md#add-a-field-to-device) |
+| Add an API endpoint | [extending.md → Add a New API Route Group](extending.md#add-a-new-api-route-group) |
+| Add a translation key | [extending.md → Add a New i18n Key](extending.md#add-a-new-i18n-key) |
+| Add a brand icon | [extending.md → Add a Brand Icon](extending.md#add-a-brand-icon) |
+| Reset admin password | [extending.md → Change the Default Admin Password](extending.md#change-the-default-admin-password) |
+| API endpoint reference | [backend.md → API Endpoints](backend.md#api-endpoints) |
+| CSS variables list | [frontend.md → CSS Conventions](frontend.md#css-conventions) |
+| Database schema | [data-model.md → Schema Overview](data-model.md#schema-overview) |
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
new file mode 100644
index 0000000..52b69cf
--- /dev/null
+++ b/frontend/Dockerfile
@@ -0,0 +1,12 @@
+FROM node:20-alpine AS build
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+FROM nginxinc/nginx-unprivileged:alpine
+COPY --from=build /app/dist /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY rate_limit.conf /etc/nginx/conf.d/00_rate_limit.conf
+EXPOSE 8080
diff --git a/frontend/index.html b/frontend/index.html
new file mode 100644
index 0000000..42da77a
--- /dev/null
+++ b/frontend/index.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+  <title>Stupid Simple Network Inventory</title>
+</head>
+<body>
+  <div id="app"></div>
+  <script type="module" src="/src/main.js"></script>
+</body>
+</html>
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
new file mode 100644
index 0000000..bf03ea5
--- /dev/null
+++ b/frontend/nginx.conf
@@ -0,0 +1,41 @@
+server {
+    listen 8080;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # ── Security headers ─────────────────────────────────────────────────────
+    add_header X-Content-Type-Options    "nosniff"                          always;
+    add_header X-Frame-Options           "DENY"                             always;
+    add_header Referrer-Policy           "strict-origin-when-cross-origin"  always;
+    add_header Permissions-Policy        "camera=(), microphone=(), geolocation=()" always;
+
+    # CSP for a Vue 3 / Vite SPA:
+    #   - script-src 'self' + hash   : Vite bundles (self) + one Vite-generated inline
+    #     script (modulepreload fallback in index.html, stable hash across builds)
+    #   - style-src 'self' 'unsafe-inline' : inline style="" attributes used by Vue
+    #   - img-src 'self' data:       : SVG/PNG assets + possible data URIs
+    #   - connect-src 'self'         : API calls to /api/ (same origin via proxy)
+    #   - object-src 'none'          : no plugins
+    #   - frame-ancestors 'none'     : prevents embedding in iframes (replaces X-Frame-Options for CSP-aware browsers)
+    add_header Content-Security-Policy  "default-src 'self'; script-src 'self' 'sha256-ZswfTY7H35rbv8WC7NXBoiC7WNu86vSzCDChNWwZZDM='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
+
+    location = /api/auth/login {
+        limit_req zone=login burst=5 nodelay;
+        limit_req_status 429;
+        proxy_pass http://backend:8000/api/auth/login;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_read_timeout 60s;
+    }
+
+    location /api/ {
+        proxy_pass http://backend:8000/api/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_read_timeout 60s;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
new file mode 100644
index 0000000..3d3754b
--- /dev/null
+++ b/frontend/package-lock.json
@@ -0,0 +1,1524 @@
+{
+  "name": "network-topology",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "network-topology",
+      "version": "1.0.0",
+      "dependencies": {
+        "axios": "^1.6.2",
+        "cytoscape": "^3.28.1",
+        "lucide-vue-next": "^0.460.0",
+        "simple-icons": "^13.0.0",
+        "vue": "^3.3.8"
+      },
+      "devDependencies": {
+        "@vitejs/plugin-vue": "^4.5.0",
+        "vite": "^5.0.0"
+      }
+    },
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/parser": {
+      "version": "7.29.3",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+      "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.29.0"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@babel/types": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz",
+      "integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz",
+      "integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz",
+      "integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.21.5.tgz",
+      "integrity": "sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.21.5.tgz",
+      "integrity": "sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.21.5.tgz",
+      "integrity": "sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.21.5.tgz",
+      "integrity": "sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.21.5.tgz",
+      "integrity": "sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.21.5.tgz",
+      "integrity": "sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.21.5.tgz",
+      "integrity": "sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.21.5.tgz",
+      "integrity": "sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.21.5.tgz",
+      "integrity": "sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.21.5.tgz",
+      "integrity": "sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.21.5.tgz",
+      "integrity": "sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.21.5.tgz",
+      "integrity": "sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.21.5.tgz",
+      "integrity": "sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.21.5.tgz",
+      "integrity": "sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.21.5.tgz",
+      "integrity": "sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.21.5.tgz",
+      "integrity": "sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.21.5.tgz",
+      "integrity": "sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.21.5.tgz",
+      "integrity": "sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.21.5.tgz",
+      "integrity": "sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.21.5.tgz",
+      "integrity": "sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@jridgewell/sourcemap-codec": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+      "license": "MIT"
+    },
+    "node_modules/@rollup/rollup-android-arm-eabi": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.60.2.tgz",
+      "integrity": "sha512-dnlp69efPPg6Uaw2dVqzWRfAWRnYVb1XJ8CyyhIbZeaq4CA5/mLeZ1IEt9QqQxmbdvagjLIm2ZL8BxXv5lH4Yw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-android-arm64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.60.2.tgz",
+      "integrity": "sha512-OqZTwDRDchGRHHm/hwLOL7uVPB9aUvI0am/eQuWMNyFHf5PSEQmyEeYYheA0EPPKUO/l0uigCp+iaTjoLjVoHg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-arm64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.60.2.tgz",
+      "integrity": "sha512-UwRE7CGpvSVEQS8gUMBe1uADWjNnVgP3Iusyda1nSRwNDCsRjnGc7w6El6WLQsXmZTbLZx9cecegumcitNfpmA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-x64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.60.2.tgz",
+      "integrity": "sha512-gjEtURKLCC5VXm1I+2i1u9OhxFsKAQJKTVB8WvDAHF+oZlq0GTVFOlTlO1q3AlCTE/DF32c16ESvfgqR7343/g==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-arm64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.60.2.tgz",
+      "integrity": "sha512-Bcl6CYDeAgE70cqZaMojOi/eK63h5Me97ZqAQoh77VPjMysA/4ORQBRGo3rRy45x4MzVlU9uZxs8Uwy7ZaKnBw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-x64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.60.2.tgz",
+      "integrity": "sha512-LU+TPda3mAE2QB0/Hp5VyeKJivpC6+tlOXd1VMoXV/YFMvk/MNk5iXeBfB4MQGRWyOYVJ01625vjkr0Az98OJQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.60.2.tgz",
+      "integrity": "sha512-2QxQrM+KQ7DAW4o22j+XZ6RKdxjLD7BOWTP0Bv0tmjdyhXSsr2Ul1oJDQqh9Zf5qOwTuTc7Ek83mOFaKnodPjg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.60.2.tgz",
+      "integrity": "sha512-TbziEu2DVsTEOPif2mKWkMeDMLoYjx95oESa9fkQQK7r/Orta0gnkcDpzwufEcAO2BLBsD7mZkXGFqEdMRRwfw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.60.2.tgz",
+      "integrity": "sha512-bO/rVDiDUuM2YfuCUwZ1t1cP+/yqjqz+Xf2VtkdppefuOFS2OSeAfgafaHNkFn0t02hEyXngZkxtGqXcXwO8Rg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-musl": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.60.2.tgz",
+      "integrity": "sha512-hr26p7e93Rl0Za+JwW7EAnwAvKkehh12BU1Llm9Ykiibg4uIr2rbpxG9WCf56GuvidlTG9KiiQT/TXT1yAWxTA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.60.2.tgz",
+      "integrity": "sha512-pOjB/uSIyDt+ow3k/RcLvUAOGpysT2phDn7TTUB3n75SlIgZzM6NKAqlErPhoFU+npgY3/n+2HYIQVbF70P9/A==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-musl": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.60.2.tgz",
+      "integrity": "sha512-2/w+q8jszv9Ww1c+6uJT3OwqhdmGP2/4T17cu8WuwyUuuaCDDJ2ojdyYwZzCxx0GcsZBhzi3HmH+J5pZNXnd+Q==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.60.2.tgz",
+      "integrity": "sha512-11+aL5vKheYgczxtPVVRhdptAM2H7fcDR5Gw4/bTcteuZBlH4oP9f5s9zYO9aGZvoGeBpqXI/9TZZihZ609wKw==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-musl": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.60.2.tgz",
+      "integrity": "sha512-i16fokAGK46IVZuV8LIIwMdtqhin9hfYkCh8pf8iC3QU3LpwL+1FSFGej+O7l3E/AoknL6Dclh2oTdnRMpTzFQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.60.2.tgz",
+      "integrity": "sha512-49FkKS6RGQoriDSK/6E2GkAsAuU5kETFCh7pG4yD/ylj9rKhTmO3elsnmBvRD4PgJPds5W2PkhC82aVwmUcJ7A==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-musl": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.60.2.tgz",
+      "integrity": "sha512-mjYNkHPfGpUR00DuM1ZZIgs64Hpf4bWcz9Z41+4Q+pgDx73UwWdAYyf6EG/lRFldmdHHzgrYyge5akFUW0D3mQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-s390x-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.60.2.tgz",
+      "integrity": "sha512-ALyvJz965BQk8E9Al/JDKKDLH2kfKFLTGMlgkAbbYtZuJt9LU8DW3ZoDMCtQpXAltZxwBHevXz5u+gf0yA0YoA==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.60.2.tgz",
+      "integrity": "sha512-UQjrkIdWrKI626Du8lCQ6MJp/6V1LAo2bOK9OTu4mSn8GGXIkPXk/Vsp4bLHCd9Z9Iz2OTEaokUE90VweJgIYQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-musl": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.60.2.tgz",
+      "integrity": "sha512-bTsRGj6VlSdn/XD4CGyzMnzaBs9bsRxy79eTqTCBsA8TMIEky7qg48aPkvJvFe1HyzQ5oMZdg7AnVlWQSKLTnw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-openbsd-x64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.60.2.tgz",
+      "integrity": "sha512-6d4Z3534xitaA1FcMWP7mQPq5zGwBmGbhphh2DwaA1aNIXUu3KTOfwrWpbwI4/Gr0uANo7NTtaykFyO2hPuFLg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-openharmony-arm64": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.60.2.tgz",
+      "integrity": "sha512-NetAg5iO2uN7eB8zE5qrZ3CSil+7IJt4WDFLcC75Ymywq1VZVD6qJ6EvNLjZ3rEm6gB7XW5JdT60c6MN35Z85Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-arm64-msvc": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.60.2.tgz",
+      "integrity": "sha512-NCYhOotpgWZ5kdxCZsv6Iudx0wX8980Q/oW4pNFNihpBKsDbEA1zpkfxJGC0yugsUuyDZ7gL37dbzwhR0VI7pQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-ia32-msvc": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.60.2.tgz",
+      "integrity": "sha512-RXsaOqXxfoUBQoOgvmmijVxJnW2IGB0eoMO7F8FAjaj0UTywUO/luSqimWBJn04WNgUkeNhh7fs7pESXajWmkg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-gnu": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.60.2.tgz",
+      "integrity": "sha512-qdAzEULD+/hzObedtmV6iBpdL5TIbKVztGiK7O3/KYSf+HIzU257+MX1EXJcyIiDbMAqmbwaufcYPvyRryeZtA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-msvc": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.60.2.tgz",
+      "integrity": "sha512-Nd/SgG27WoA9e+/TdK74KnHz852TLa94ovOYySo/yMPuTmpckK/jIF2jSwS3g7ELSKXK13/cVdmg1Z/DaCWKxA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@types/estree": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@vitejs/plugin-vue": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-4.6.2.tgz",
+      "integrity": "sha512-kqf7SGFoG+80aZG6Pf+gsZIVvGSCKE98JbiWqcCV9cThtg91Jav0yvYFC9Zb+jKetNGF6ZKeoaxgZfND21fWKw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^14.18.0 || >=16.0.0"
+      },
+      "peerDependencies": {
+        "vite": "^4.0.0 || ^5.0.0",
+        "vue": "^3.2.25"
+      }
+    },
+    "node_modules/@vue/compiler-core": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.33.tgz",
+      "integrity": "sha512-3PZLQwFw4Za3TC8t0FvTy3wI16Kt+pmwcgNZca4Pj9iWL2E72a/gZlpBtAJvEdDMdCxdG/qq0C7PN0bsJuv0Rw==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.29.2",
+        "@vue/shared": "3.5.33",
+        "entities": "^7.0.1",
+        "estree-walker": "^2.0.2",
+        "source-map-js": "^1.2.1"
+      }
+    },
+    "node_modules/@vue/compiler-dom": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.33.tgz",
+      "integrity": "sha512-PXq0yrfCLzzL07rbXO4awtXY1Z06LG2eu6Adg3RJFa/j3Cii217XxxLXG22N330gw7GmALCY0Z8RgXEviwgpjA==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/compiler-core": "3.5.33",
+        "@vue/shared": "3.5.33"
+      }
+    },
+    "node_modules/@vue/compiler-sfc": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.33.tgz",
+      "integrity": "sha512-UTUvRO9cY+rROrx/pvN9P5Z7FgA6QGfokUCfhQE4EnmUj3rVnK+CHI0LsEO1pg+I7//iRYMUfcNcCPe7tg0CoA==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.29.2",
+        "@vue/compiler-core": "3.5.33",
+        "@vue/compiler-dom": "3.5.33",
+        "@vue/compiler-ssr": "3.5.33",
+        "@vue/shared": "3.5.33",
+        "estree-walker": "^2.0.2",
+        "magic-string": "^0.30.21",
+        "postcss": "^8.5.10",
+        "source-map-js": "^1.2.1"
+      }
+    },
+    "node_modules/@vue/compiler-ssr": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.33.tgz",
+      "integrity": "sha512-IErjYdnj1qIupG5xxiVIYiiRvDhGWV4zuh/RCrwfYpuL+HWQzeU6lCk/nF9r7olWMnjKxCAkOctT2qFWFkzb1A==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/compiler-dom": "3.5.33",
+        "@vue/shared": "3.5.33"
+      }
+    },
+    "node_modules/@vue/reactivity": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.33.tgz",
+      "integrity": "sha512-p8UfIqyIhb0rYGlSgSBV+lPhF2iUSBcRy7enhTmPqKWadHy9kcOFYF1AejYBP9P+avnd3OBbD49DU4pLWX/94A==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/shared": "3.5.33"
+      }
+    },
+    "node_modules/@vue/runtime-core": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.33.tgz",
+      "integrity": "sha512-UpFF45RI9//a7rvq7RdOQblb4tup7hHG9QsmIrxkFQLzQ7R8/iNQ5LE15NhLZ1/WcHMU2b47u6P33CPUelHyIQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/reactivity": "3.5.33",
+        "@vue/shared": "3.5.33"
+      }
+    },
+    "node_modules/@vue/runtime-dom": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.33.tgz",
+      "integrity": "sha512-IOxMsAOwquhfITgmOgaPYl7/j8gKUxUFoflRc+u4LxyD3+783xne8vNta1PONVCvCV9A0w7hkyEepINDqfO0tw==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/reactivity": "3.5.33",
+        "@vue/runtime-core": "3.5.33",
+        "@vue/shared": "3.5.33",
+        "csstype": "^3.2.3"
+      }
+    },
+    "node_modules/@vue/server-renderer": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.33.tgz",
+      "integrity": "sha512-0xylq/8/h44lVG0pZFknv1XIdEgymq2E9n59uTWJBG+dIgiT0TMCSsxrN7nO16Z0MU0MPjFcguBbZV8Itk52Hw==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/compiler-ssr": "3.5.33",
+        "@vue/shared": "3.5.33"
+      },
+      "peerDependencies": {
+        "vue": "3.5.33"
+      }
+    },
+    "node_modules/@vue/shared": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.33.tgz",
+      "integrity": "sha512-5vR2QIlmaLG77Ygd4pMP6+SGQ5yox9VhtnbDWTy9DzMzdmeLxZ1QqxrywEZ9sa1AVubfIJyaCG3ytyWU81ufcQ==",
+      "license": "MIT"
+    },
+    "node_modules/asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==",
+      "license": "MIT"
+    },
+    "node_modules/axios": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.16.0.tgz",
+      "integrity": "sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==",
+      "license": "MIT",
+      "dependencies": {
+        "follow-redirects": "^1.16.0",
+        "form-data": "^4.0.5",
+        "proxy-from-env": "^2.1.0"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/combined-stream": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "license": "MIT",
+      "dependencies": {
+        "delayed-stream": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/csstype": {
+      "version": "3.2.3",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
+      "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
+      "license": "MIT"
+    },
+    "node_modules/cytoscape": {
+      "version": "3.33.3",
+      "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.3.tgz",
+      "integrity": "sha512-Gej7U+OKR+LZ8kvX7rb2HhCYJ0IhvEFsnkud4SB1PR+BUY/TsSO0dmOW59WEVLu51b1Rm+gQRKoz4bLYxGSZ2g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/entities": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-7.0.1.tgz",
+      "integrity": "sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.6",
+        "has-tostringtag": "^1.0.2",
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/esbuild": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
+      "integrity": "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.21.5",
+        "@esbuild/android-arm": "0.21.5",
+        "@esbuild/android-arm64": "0.21.5",
+        "@esbuild/android-x64": "0.21.5",
+        "@esbuild/darwin-arm64": "0.21.5",
+        "@esbuild/darwin-x64": "0.21.5",
+        "@esbuild/freebsd-arm64": "0.21.5",
+        "@esbuild/freebsd-x64": "0.21.5",
+        "@esbuild/linux-arm": "0.21.5",
+        "@esbuild/linux-arm64": "0.21.5",
+        "@esbuild/linux-ia32": "0.21.5",
+        "@esbuild/linux-loong64": "0.21.5",
+        "@esbuild/linux-mips64el": "0.21.5",
+        "@esbuild/linux-ppc64": "0.21.5",
+        "@esbuild/linux-riscv64": "0.21.5",
+        "@esbuild/linux-s390x": "0.21.5",
+        "@esbuild/linux-x64": "0.21.5",
+        "@esbuild/netbsd-x64": "0.21.5",
+        "@esbuild/openbsd-x64": "0.21.5",
+        "@esbuild/sunos-x64": "0.21.5",
+        "@esbuild/win32-arm64": "0.21.5",
+        "@esbuild/win32-ia32": "0.21.5",
+        "@esbuild/win32-x64": "0.21.5"
+      }
+    },
+    "node_modules/estree-walker": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-2.0.2.tgz",
+      "integrity": "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==",
+      "license": "MIT"
+    },
+    "node_modules/follow-redirects": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/RubenVerborgh"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependenciesMeta": {
+        "debug": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/form-data": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "license": "MIT",
+      "dependencies": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+      "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+      "license": "MIT",
+      "dependencies": {
+        "has-symbols": "^1.0.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/lucide-vue-next": {
+      "version": "0.460.0",
+      "resolved": "https://registry.npmjs.org/lucide-vue-next/-/lucide-vue-next-0.460.0.tgz",
+      "integrity": "sha512-IhM1tm3gPhc3u6RagNra4W6Oe48Mz0l3fAJzk0oSLzsRQqt3WU3XiX5ngRyjIs8fzCtvgzu7fC6Qk7XVhS00DQ==",
+      "license": "ISC",
+      "peerDependencies": {
+        "vue": ">=3.0.1"
+      }
+    },
+    "node_modules/magic-string": {
+      "version": "0.30.21",
+      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
+      "integrity": "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.5"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/nanoid": {
+      "version": "3.3.12",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz",
+      "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "bin": {
+        "nanoid": "bin/nanoid.cjs"
+      },
+      "engines": {
+        "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+      }
+    },
+    "node_modules/picocolors": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+      "license": "ISC"
+    },
+    "node_modules/postcss": {
+      "version": "8.5.13",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz",
+      "integrity": "sha512-qif0+jGGZoLWdHey3UFHHWP0H7Gbmsk8T5VEqyYFbWqPr1XqvLGBbk/sl8V5exGmcYJklJOhOQq1pV9IcsiFag==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "nanoid": "^3.3.11",
+        "picocolors": "^1.1.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
+    "node_modules/proxy-from-env": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+      "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/rollup": {
+      "version": "4.60.2",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.2.tgz",
+      "integrity": "sha512-J9qZyW++QK/09NyN/zeO0dG/1GdGfyp9lV8ajHnRVLfo/uFsbji5mHnDgn/qYdUHyCkM2N+8VyspgZclfAh0eQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "1.0.8"
+      },
+      "bin": {
+        "rollup": "dist/bin/rollup"
+      },
+      "engines": {
+        "node": ">=18.0.0",
+        "npm": ">=8.0.0"
+      },
+      "optionalDependencies": {
+        "@rollup/rollup-android-arm-eabi": "4.60.2",
+        "@rollup/rollup-android-arm64": "4.60.2",
+        "@rollup/rollup-darwin-arm64": "4.60.2",
+        "@rollup/rollup-darwin-x64": "4.60.2",
+        "@rollup/rollup-freebsd-arm64": "4.60.2",
+        "@rollup/rollup-freebsd-x64": "4.60.2",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.60.2",
+        "@rollup/rollup-linux-arm-musleabihf": "4.60.2",
+        "@rollup/rollup-linux-arm64-gnu": "4.60.2",
+        "@rollup/rollup-linux-arm64-musl": "4.60.2",
+        "@rollup/rollup-linux-loong64-gnu": "4.60.2",
+        "@rollup/rollup-linux-loong64-musl": "4.60.2",
+        "@rollup/rollup-linux-ppc64-gnu": "4.60.2",
+        "@rollup/rollup-linux-ppc64-musl": "4.60.2",
+        "@rollup/rollup-linux-riscv64-gnu": "4.60.2",
+        "@rollup/rollup-linux-riscv64-musl": "4.60.2",
+        "@rollup/rollup-linux-s390x-gnu": "4.60.2",
+        "@rollup/rollup-linux-x64-gnu": "4.60.2",
+        "@rollup/rollup-linux-x64-musl": "4.60.2",
+        "@rollup/rollup-openbsd-x64": "4.60.2",
+        "@rollup/rollup-openharmony-arm64": "4.60.2",
+        "@rollup/rollup-win32-arm64-msvc": "4.60.2",
+        "@rollup/rollup-win32-ia32-msvc": "4.60.2",
+        "@rollup/rollup-win32-x64-gnu": "4.60.2",
+        "@rollup/rollup-win32-x64-msvc": "4.60.2",
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/simple-icons": {
+      "version": "13.21.0",
+      "resolved": "https://registry.npmjs.org/simple-icons/-/simple-icons-13.21.0.tgz",
+      "integrity": "sha512-LI5pVJPBv6oc79OMsffwb6kEqnmB8P1Cjg1crNUlhsxPETQ5UzbCKQdxU+7MW6+DD1qfPkla/vSKlLD4IfyXpQ==",
+      "license": "CC0-1.0",
+      "engines": {
+        "node": ">=0.12.18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/simple-icons"
+      }
+    },
+    "node_modules/source-map-js": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/vite": {
+      "version": "5.4.21",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz",
+      "integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "esbuild": "^0.21.3",
+        "postcss": "^8.4.43",
+        "rollup": "^4.20.0"
+      },
+      "bin": {
+        "vite": "bin/vite.js"
+      },
+      "engines": {
+        "node": "^18.0.0 || >=20.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/vitejs/vite?sponsor=1"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      },
+      "peerDependencies": {
+        "@types/node": "^18.0.0 || >=20.0.0",
+        "less": "*",
+        "lightningcss": "^1.21.0",
+        "sass": "*",
+        "sass-embedded": "*",
+        "stylus": "*",
+        "sugarss": "*",
+        "terser": "^5.4.0"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        },
+        "less": {
+          "optional": true
+        },
+        "lightningcss": {
+          "optional": true
+        },
+        "sass": {
+          "optional": true
+        },
+        "sass-embedded": {
+          "optional": true
+        },
+        "stylus": {
+          "optional": true
+        },
+        "sugarss": {
+          "optional": true
+        },
+        "terser": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/vue": {
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.33.tgz",
+      "integrity": "sha512-1AgChhx5w3ALgT4oK3acm2Es/7jyZhWSVUfs3rOBlGQC0rjEDkS7G4lWlJJGGNQD+BV3reCwbQrOe1mPNwKHBQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/compiler-dom": "3.5.33",
+        "@vue/compiler-sfc": "3.5.33",
+        "@vue/runtime-dom": "3.5.33",
+        "@vue/server-renderer": "3.5.33",
+        "@vue/shared": "3.5.33"
+      },
+      "peerDependencies": {
+        "typescript": "*"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    }
+  }
+}
diff --git a/frontend/package.json b/frontend/package.json
new file mode 100644
index 0000000..03e54ad
--- /dev/null
+++ b/frontend/package.json
@@ -0,0 +1,19 @@
+{
+  "name": "network-topology",
+  "version": "1.0.0",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "vue": "^3.3.8",
+    "axios": "^1.6.2",
+"lucide-vue-next": "^0.460.0",
+    "simple-icons": "^13.0.0"
+  },
+  "devDependencies": {
+    "@vitejs/plugin-vue": "^4.5.0",
+    "vite": "^5.0.0"
+  }
+}
diff --git a/frontend/public/favicon.svg b/frontend/public/favicon.svg
new file mode 100644
index 0000000..d8fd8d5
--- /dev/null
+++ b/frontend/public/favicon.svg
@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="#6366f1" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+  <circle cx="12" cy="12" r="3"/>
+  <circle cx="4" cy="6" r="2"/>
+  <circle cx="20" cy="6" r="2"/>
+  <circle cx="4" cy="18" r="2"/>
+  <circle cx="20" cy="18" r="2"/>
+  <line x1="6" y1="6" x2="10" y2="11"/>
+  <line x1="18" y1="6" x2="14" y2="11"/>
+  <line x1="6" y1="18" x2="10" y2="13"/>
+  <line x1="18" y1="18" x2="14" y2="13"/>
+</svg>
diff --git a/frontend/rate_limit.conf b/frontend/rate_limit.conf
new file mode 100644
index 0000000..aadcf71
--- /dev/null
+++ b/frontend/rate_limit.conf
@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
new file mode 100644
index 0000000..c50a804
--- /dev/null
+++ b/frontend/src/App.vue
@@ -0,0 +1,477 @@
+<template>
+  <div class="app-root">
+  <LoginPage v-if="!isAuthenticated" @login="onLogin" />
+
+  <AccountModal
+    v-else-if="mustChangePassword"
+    :forced="true"
+    @updated="onAccountUpdated"
+  />
+
+  <div v-else class="layout">
+    <aside class="sidebar">
+      <div class="logo">
+        <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+          <circle cx="12" cy="12" r="3"/><circle cx="4" cy="6" r="2"/><circle cx="20" cy="6" r="2"/>
+          <circle cx="4" cy="18" r="2"/><circle cx="20" cy="18" r="2"/>
+          <line x1="6" y1="6" x2="10" y2="11"/><line x1="18" y1="6" x2="14" y2="11"/>
+          <line x1="6" y1="18" x2="10" y2="13"/><line x1="18" y1="18" x2="14" y2="13"/>
+        </svg>
+        <span>Stupid Simple Network Inventory</span>
+      </div>
+
+      <nav>
+        <button
+          v-for="tab in tabs"
+          :key="tab.id"
+          :class="['nav-btn', { active: view === tab.id }]"
+          @click="view = tab.id"
+        >
+          <span class="nav-icon">{{ tab.icon }}</span>
+          {{ tab.label }}
+        </button>
+      </nav>
+
+      <div class="discovery-btn-wrap">
+        <button class="btn-discovery" @click="showDiscovery = true">
+          {{ t('discovery') }}
+        </button>
+      </div>
+
+      <div class="sidebar-footer">
+        <div class="stats">
+          <div class="stat">
+            <span class="stat-val">{{ vlans.length }}</span>
+            <span class="stat-lbl">{{ t('statsNetworks') }}</span>
+          </div>
+          <div class="stat">
+            <span class="stat-val">{{ devices.length }}</span>
+            <span class="stat-lbl">{{ t('statsDevices') }}</span>
+          </div>
+        </div>
+        <button class="btn-export" @click="exportJson">{{ t('exportJson') }}</button>
+        <label class="btn-export">
+          {{ t('importJson') }}
+          <input type="file" accept=".json" @change="importJson" style="display:none" />
+        </label>
+
+        <!-- Contrôles thème + langue -->
+        <div class="settings-row">
+          <button class="settings-btn" @click="toggleTheme" :title="theme === 'dark' ? t('lightTheme') : t('darkTheme')">
+            {{ theme === 'dark' ? '☀' : '☾' }}
+          </button>
+          <div class="lang-switcher">
+            <button
+              v-for="lang in langs"
+              :key="lang"
+              class="lang-btn"
+              :class="{ active: locale === lang }"
+              @click="setLocale(lang)"
+            >{{ lang }}</button>
+          </div>
+        </div>
+
+        <!-- Compte utilisateur -->
+        <div class="user-row">
+          <button class="user-btn" @click="showAccount = true" :title="t('accountSettings')">
+            <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5">
+              <circle cx="12" cy="8" r="4"/><path d="M4 20c0-4 3.6-7 8-7s8 3 8 7"/>
+            </svg>
+            <span class="user-name">{{ currentUsername }}</span>
+          </button>
+          <button class="logout-btn" @click="logout" :title="t('logout')">
+            <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5">
+              <path d="M9 21H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4"/>
+              <polyline points="16 17 21 12 16 7"/><line x1="21" y1="12" x2="9" y2="12"/>
+            </svg>
+          </button>
+        </div>
+      </div>
+    </aside>
+
+    <main class="main-content">
+      <div v-if="error" class="toast-error">{{ error }}</div>
+      <DiscoveryModal
+        v-if="showDiscovery"
+        :vlans="vlans"
+        :devices="devices"
+        @close="showDiscovery = false"
+        @refresh="loadAll"
+      />
+      <AccountModal
+        v-if="showAccount"
+        @close="showAccount = false"
+        @updated="onAccountUpdated"
+      />
+      <TopologyGraph
+        v-if="view === 'topology'"
+        :devices="devices"
+        :vlans="vlans"
+      />
+      <VlanManager v-if="view === 'vlans'" :vlans="vlans" @refresh="loadAll" />
+      <DeviceManager v-if="view === 'devices'" :devices="devices" :vlans="vlans" @refresh="loadAll" />
+    </main>
+  </div>
+  </div>
+</template>
+
+<script setup>
+import { ref, computed, onMounted } from 'vue'
+import { vlansApi, devicesApi } from './api.js'
+import { t, locale, setLocale } from './i18n.js'
+import { theme, toggleTheme } from './theme.js'
+import { isAuthenticated, currentUsername, mustChangePassword, setAuth, clearAuth } from './auth.js'
+import TopologyGraph from './components/TopologyGraph.vue'
+import VlanManager from './components/VlanManager.vue'
+import DeviceManager from './components/DeviceManager.vue'
+import DiscoveryModal from './components/DiscoveryModal.vue'
+import LoginPage from './components/LoginPage.vue'
+import AccountModal from './components/AccountModal.vue'
+
+const view = ref('topology')
+const vlans = ref([])
+const devices = ref([])
+const error = ref('')
+const showDiscovery = ref(false)
+const showAccount = ref(false)
+const langs = ['fr', 'en', 'es']
+
+const tabs = computed(() => [
+  { id: 'topology', label: t('tabTopology'), icon: '■' },
+  { id: 'vlans',    label: t('tabNetworks'), icon: '◆' },
+  { id: 'devices',  label: t('tabDevices'),  icon: '▣' },
+])
+
+function onLogin({ token, username, mustChangePassword: mcp }) {
+  setAuth(token, username, mcp)
+  if (!mcp) loadAll()
+}
+
+function onAccountUpdated({ token, username, mustChangePassword: mcp }) {
+  setAuth(token, username, mcp || false)
+  if (!mcp) loadAll()
+}
+
+function logout() {
+  clearAuth()
+}
+
+async function loadAll() {
+  try {
+    const [v, d] = await Promise.all([
+      vlansApi.list(),
+      devicesApi.list(),
+    ])
+    vlans.value = v.data
+    devices.value = d.data
+  } catch (e) {
+    if (e.response?.status !== 401) {
+      showError(t('loadError') + (e.response?.data?.detail || e.message))
+    }
+  }
+}
+
+function showError(msg) {
+  error.value = msg
+  setTimeout(() => { error.value = '' }, 4000)
+}
+
+function exportJson() {
+  const data = JSON.stringify({ vlans: vlans.value, devices: devices.value }, null, 2)
+  const blob = new Blob([data], { type: 'application/json' })
+  const url = URL.createObjectURL(blob)
+  const a = document.createElement('a')
+  a.href = url
+  a.download = `topology-${new Date().toISOString().slice(0, 10)}.json`
+  a.click()
+  URL.revokeObjectURL(url)
+}
+
+async function importJson(e) {
+  const file = e.target.files[0]
+  if (!file) return
+  if (file.size > 5 * 1024 * 1024) {
+    showError(t('importTooLarge'))
+    e.target.value = ''
+    return
+  }
+  try {
+    const text = await file.text()
+    const data = JSON.parse(text)
+    if (typeof data !== 'object' || Array.isArray(data) || data === null)
+      throw new Error('Invalid format: expected a JSON object')
+    if (data.vlans !== undefined && !Array.isArray(data.vlans))
+      throw new Error('Invalid format: vlans must be an array')
+    if (data.devices !== undefined && !Array.isArray(data.devices))
+      throw new Error('Invalid format: devices must be an array')
+    for (const vlan of (data.vlans || [])) {
+      await vlansApi.create({ vlan_id: vlan.vlan_id, name: vlan.name, cidr: vlan.cidr, color: vlan.color }).catch(() => {})
+    }
+    await loadAll()
+    const refreshedVlans = vlans.value
+    for (const device of (data.devices || [])) {
+      const ifaces = (device.interfaces || []).map(i => {
+        const matchedVlan = refreshedVlans.find(v => v.vlan_id === (data.vlans || []).find(ov => ov.id === i.vlan_id)?.vlan_id)
+        return { ...i, vlan_id: matchedVlan?.id || null }
+      })
+      await devicesApi.create({ ...device, interfaces: ifaces }).catch(() => {})
+    }
+    await loadAll()
+    e.target.value = ''
+  } catch (err) {
+    showError(t('importFailed') + err.message)
+  }
+}
+
+onMounted(() => {
+  if (isAuthenticated.value && !mustChangePassword.value) loadAll()
+})
+</script>
+
+<style>
+*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+button { cursor: pointer; font-family: inherit; }
+input, select, textarea { font-family: inherit; }
+
+/* ── CSS variables — light (default) ───────────────────────────────────── */
+:root {
+  --bg-page:        #F1F5F9;
+  --bg-card:        #ffffff;
+  --bg-card-hover:  #F8FAFC;
+  --bg-input:       #ffffff;
+  --bg-thead:       #F8FAFC;
+  --bg-chip:        #F8FAFC;
+  --bg-chip-hover:  #F1F5F9;
+  --border:         #E2E8F0;
+  --border-strong:  #CBD5E1;
+  --text-primary:   #0F172A;
+  --text-secondary: #475569;
+  --text-muted:     #64748B;
+  --text-faint:     #94A3B8;
+  --chip-ip-bg:     #E2E8F0;
+  --chip-ip-color:  #475569;
+  --modal-overlay:  rgba(0,0,0,0.4);
+  --shadow-card:    0 1px 4px rgba(0,0,0,0.07);
+  --shadow-modal:   0 20px 60px rgba(0,0,0,0.2);
+  --shadow-drop:    0 8px 24px rgba(0,0,0,0.12);
+}
+
+/* ── CSS variables — dark ───────────────────────────────────────────────── */
+html.dark {
+  --bg-page:        #0F172A;
+  --bg-card:        #1E293B;
+  --bg-card-hover:  #263548;
+  --bg-input:       #1E293B;
+  --bg-thead:       #162032;
+  --bg-chip:        #263548;
+  --bg-chip-hover:  #2D3F55;
+  --border:         #334155;
+  --border-strong:  #475569;
+  --text-primary:   #F1F5F9;
+  --text-secondary: #94A3B8;
+  --text-muted:     #64748B;
+  --text-faint:     #475569;
+  --chip-ip-bg:     #334155;
+  --chip-ip-color:  #94A3B8;
+  --modal-overlay:  rgba(0,0,0,0.65);
+  --shadow-card:    0 1px 4px rgba(0,0,0,0.3);
+  --shadow-modal:   0 20px 60px rgba(0,0,0,0.5);
+  --shadow-drop:    0 8px 24px rgba(0,0,0,0.4);
+}
+
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: var(--bg-page); }
+</style>
+
+<style scoped>
+.app-root {
+  display: flex;
+  flex-direction: column;
+  min-height: 100vh;
+}
+
+.layout {
+  display: flex;
+  height: 100vh;
+  overflow: hidden;
+}
+
+.sidebar {
+  width: 200px;
+  min-width: 200px;
+  background: #1E293B;
+  color: #CBD5E1;
+  display: flex;
+  flex-direction: column;
+  padding: 0;
+  overflow: hidden;
+}
+
+html.dark .sidebar { background: #020617; }
+
+.logo {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 20px 16px;
+  color: #F8FAFC;
+  font-weight: 700;
+  font-size: 15px;
+  border-bottom: 1px solid #334155;
+}
+
+nav {
+  flex: 1;
+  padding: 12px 8px;
+  display: flex;
+  flex-direction: column;
+  gap: 4px;
+}
+
+.nav-btn {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  width: 100%;
+  padding: 10px 12px;
+  background: transparent;
+  color: #94A3B8;
+  border: none;
+  border-radius: 8px;
+  font-size: 14px;
+  text-align: left;
+  transition: all 0.15s;
+}
+.nav-btn:hover { background: #334155; color: #F1F5F9; }
+.nav-btn.active { background: #3B82F6; color: #fff; font-weight: 600; }
+.nav-icon { font-size: 12px; }
+
+.sidebar-footer {
+  padding: 12px;
+  border-top: 1px solid #334155;
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+}
+
+.stats {
+  display: flex;
+  justify-content: space-around;
+  margin-bottom: 4px;
+}
+.stat {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+}
+.stat-val { font-size: 18px; font-weight: 700; color: #F8FAFC; }
+.stat-lbl { font-size: 10px; color: #64748B; }
+
+.discovery-btn-wrap { padding: 8px; }
+.btn-discovery {
+  display: block; width: 100%;
+  padding: 10px 8px; background: #1D4ED8; color: #fff;
+  border: none; border-radius: 8px; font-size: 13px; font-weight: 600;
+  cursor: pointer; transition: background 0.15s; text-align: center;
+}
+.btn-discovery:hover { background: #2563EB; }
+
+.btn-export {
+  display: block;
+  width: 100%;
+  padding: 8px;
+  background: #334155;
+  color: #CBD5E1;
+  border: none;
+  border-radius: 6px;
+  font-size: 12px;
+  text-align: center;
+  cursor: pointer;
+  transition: background 0.15s;
+}
+.btn-export:hover { background: #475569; color: #F8FAFC; }
+
+.settings-row {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+  margin-top: 2px;
+}
+
+.settings-btn {
+  width: 28px; height: 28px;
+  background: #334155; color: #CBD5E1;
+  border: none; border-radius: 6px;
+  font-size: 14px; flex-shrink: 0;
+  display: flex; align-items: center; justify-content: center;
+}
+.settings-btn:hover { background: #475569; color: #F8FAFC; }
+
+.lang-switcher {
+  display: flex;
+  gap: 3px;
+  flex: 1;
+}
+.lang-btn {
+  flex: 1;
+  padding: 4px 0;
+  background: #334155; color: #94A3B8;
+  border: none; border-radius: 5px;
+  font-size: 11px; font-weight: 600; text-transform: uppercase;
+  cursor: pointer; transition: all 0.15s;
+}
+.lang-btn:hover { background: #475569; color: #F8FAFC; }
+.lang-btn.active { background: #3B82F6; color: #fff; }
+
+/* ── User row ───────────────────────────────────────────────────────────── */
+.user-row {
+  display: flex;
+  align-items: center;
+  gap: 4px;
+  border-top: 1px solid #334155;
+  padding-top: 8px;
+}
+
+.user-btn {
+  flex: 1; min-width: 0;
+  display: flex; align-items: center; gap: 6px;
+  padding: 6px 8px;
+  background: #334155; color: #94A3B8;
+  border: none; border-radius: 6px;
+  font-size: 12px; text-align: left;
+  cursor: pointer; transition: all 0.15s;
+  overflow: hidden;
+}
+.user-btn:hover { background: #475569; color: #F8FAFC; }
+.user-name {
+  overflow: hidden; text-overflow: ellipsis; white-space: nowrap;
+}
+
+.logout-btn {
+  width: 28px; height: 28px; flex-shrink: 0;
+  display: flex; align-items: center; justify-content: center;
+  background: #334155; color: #94A3B8;
+  border: none; border-radius: 6px;
+  cursor: pointer; transition: all 0.15s;
+}
+.logout-btn:hover { background: #7F1D1D; color: #FCA5A5; }
+
+.main-content {
+  flex: 1;
+  overflow: hidden;
+  position: relative;
+}
+
+.toast-error {
+  position: absolute;
+  top: 16px;
+  left: 50%;
+  transform: translateX(-50%);
+  background: #EF4444;
+  color: #fff;
+  padding: 10px 20px;
+  border-radius: 8px;
+  z-index: 1000;
+  font-size: 14px;
+  box-shadow: 0 4px 12px rgba(0,0,0,0.2);
+}
+</style>
diff --git a/frontend/src/api.js b/frontend/src/api.js
new file mode 100644
index 0000000..d65c10f
--- /dev/null
+++ b/frontend/src/api.js
@@ -0,0 +1,51 @@
+import axios from 'axios'
+import { getToken, clearAuth } from './auth.js'
+
+const http = axios.create({ baseURL: '/api' })
+
+http.interceptors.request.use(config => {
+  const token = getToken()
+  if (token) config.headers.Authorization = `Bearer ${token}`
+  return config
+})
+
+http.interceptors.response.use(
+  res => res,
+  err => {
+    if (err.response?.status === 401 && getToken()) {
+      clearAuth()
+      window.location.reload()
+    }
+    return Promise.reject(err)
+  }
+)
+
+export const authApi = {
+  login: (username, password) => {
+    const form = new URLSearchParams()
+    form.append('username', username)
+    form.append('password', password)
+    return http.post('/auth/login', form)
+  },
+  updateAccount: (data) => http.put('/auth/account', data),
+  me: () => http.get('/auth/me'),
+}
+
+export const vlansApi = {
+  list:   ()           => http.get('/vlans/'),
+  create: (data)       => http.post('/vlans/', data),
+  update: (id, data)   => http.put(`/vlans/${id}`, data),
+  remove: (id)         => http.delete(`/vlans/${id}`),
+}
+
+export const devicesApi = {
+  list:   ()           => http.get('/devices/'),
+  create: (data)       => http.post('/devices/', data),
+  update: (id, data)   => http.put(`/devices/${id}`, data),
+  remove: (id)         => http.delete(`/devices/${id}`),
+}
+
+export const discoveryApi = {
+  scan: (data) => http.post('/discovery/scan', data),
+  ping: (ips)  => http.post('/discovery/ping', { ips }),
+}
diff --git a/frontend/src/auth.js b/frontend/src/auth.js
new file mode 100644
index 0000000..3d8a2c4
--- /dev/null
+++ b/frontend/src/auth.js
@@ -0,0 +1,31 @@
+import { ref, computed } from 'vue'
+
+const _token     = ref(localStorage.getItem('auth_token')     || null)
+const _username  = ref(localStorage.getItem('auth_username')  || null)
+const _mustChange = ref(localStorage.getItem('auth_mustchange') === 'true')
+
+export const isAuthenticated    = computed(() => !!_token.value)
+export const currentUsername    = computed(() => _username.value)
+export const mustChangePassword = computed(() => _mustChange.value)
+
+export function setAuth(token, username, mustChange = false) {
+  _token.value     = token
+  _username.value  = username
+  _mustChange.value = mustChange
+  localStorage.setItem('auth_token',     token)
+  localStorage.setItem('auth_username',  username)
+  localStorage.setItem('auth_mustchange', String(mustChange))
+}
+
+export function clearAuth() {
+  _token.value     = null
+  _username.value  = null
+  _mustChange.value = false
+  localStorage.removeItem('auth_token')
+  localStorage.removeItem('auth_username')
+  localStorage.removeItem('auth_mustchange')
+}
+
+export function getToken() {
+  return _token.value
+}
diff --git a/frontend/src/brandIcons.js b/frontend/src/brandIcons.js
new file mode 100644
index 0000000..3b3e83a
--- /dev/null
+++ b/frontend/src/brandIcons.js
@@ -0,0 +1,87 @@
+import {
+  siProxmox, siDocker,
+  siSynology, siTruenas,
+  siUbiquiti, siMikrotik, siCisco, siTplink, siAsus, siNetgear, siPfsense, siOpnsense, siOpenwrt,
+  siApache, siTraefikproxy,
+  siMariadb,
+  siKubernetes,
+  siDebian, siUbuntu,
+  siAnsible,
+  siDell, siHp,
+  siRaspberrypi, siArduino,
+  siNextcloud, siPaperlessngx, siUptimekuma, siMaterialformkdocs,
+  siJellyfin, siHomeassistant, siPhilipshue, siXiaomi,
+  siExcalidraw,
+  siKde,
+} from 'simple-icons'
+
+// Ordre : du plus spécifique au plus générique pour éviter les faux positifs.
+const BRANDS = [
+  // Hyperviseurs / virtualisation
+  { kw: ['proxmox', 'pve'],                               icon: siProxmox },
+  { kw: ['docker'],                                       icon: siDocker },
+
+  // NAS
+  { kw: ['synology', 'dsm'],                              icon: siSynology },
+  { kw: ['truenas', 'freenas'],                           icon: siTruenas },
+
+  // Réseau
+  { kw: ['ubiquiti', 'unifi', 'usg', 'udm'],             icon: siUbiquiti },
+  { kw: ['mikrotik', 'routeros'],                         icon: siMikrotik },
+  { kw: ['cisco'],                                        icon: siCisco },
+  { kw: ['tp-link', 'tplink', 'tp link'],                icon: siTplink },
+  { kw: ['asus'],                                         icon: siAsus },
+  { kw: ['netgear'],                                      icon: siNetgear },
+  { kw: ['pfsense'],                                      icon: siPfsense },
+  { kw: ['opnsense'],                                     icon: siOpnsense },
+  { kw: ['openwrt'],                                      icon: siOpenwrt },
+
+  // Serveurs web / proxy
+  { kw: ['apache', 'apache2', 'httpd'],                   icon: siApache },
+  { kw: ['traefik'],                                      icon: siTraefikproxy },
+
+  // Bases de données
+  { kw: ['mariadb', 'maria db'],                          icon: siMariadb },
+
+  // Orchestration
+  { kw: ['kubernetes', 'k8s', 'kubectl', 'k3s'],          icon: siKubernetes },
+
+  // OS / distros
+  { kw: ['debian'],                                       icon: siDebian },
+  { kw: ['ubuntu'],                                       icon: siUbuntu },
+
+  // Automatisation
+  { kw: ['ansible'],                                      icon: siAnsible },
+
+  // Serveurs
+  { kw: ['dell', 'idrac', 'poweredge'],                   icon: siDell },
+  { kw: ['proliant', 'ilo', 'hewlett'],                   icon: siHp },
+
+  // SBC / DIY
+  { kw: ['raspberry', 'raspberrypi', 'rpi', 'raspi'],     icon: siRaspberrypi },
+  { kw: ['arduino'],                                      icon: siArduino },
+
+  // Environnements de bureau
+  { kw: ['kde', 'plasma', 'kde desktop'],                 icon: siKde },
+
+  // Outils
+  { kw: ['excalidraw'],                                   icon: siExcalidraw },
+
+  // Productivité / self-hosted
+  { kw: ['nextcloud'],                                    icon: siNextcloud },
+  { kw: ['paperless', 'paperless-ng', 'paperless-ngx'],  icon: siPaperlessngx },
+  { kw: ['uptime-kuma', 'uptimekuma', 'uptime kuma'],    icon: siUptimekuma },
+  { kw: ['mkdocs', 'material for mkdocs'],               icon: siMaterialformkdocs },
+
+  // Médias / domotique
+  { kw: ['jellyfin'],                                     icon: siJellyfin },
+  { kw: ['homeassistant', 'home assistant', 'hassio', 'hass'], icon: siHomeassistant },
+  { kw: ['philips hue', 'hue bridge', 'hue hub'],         icon: siPhilipshue },
+  { kw: ['xiaomi', 'mi home', 'yeelight'],                icon: siXiaomi },
+]
+
+export function detectBrands(name, description) {
+  const text = ((name || '') + ' ' + (description || '')).toLowerCase()
+  if (!text.trim()) return []
+  return BRANDS.filter(b => b.kw.some(kw => text.includes(kw))).map(b => b.icon)
+}
diff --git a/frontend/src/components/AccountModal.vue b/frontend/src/components/AccountModal.vue
new file mode 100644
index 0000000..0486261
--- /dev/null
+++ b/frontend/src/components/AccountModal.vue
@@ -0,0 +1,279 @@
+<template>
+  <div class="modal-overlay" @click.self="forced ? null : $emit('close')">
+    <div class="modal">
+      <div class="modal-header">
+        <h2>{{ t('accountSettings') }}</h2>
+        <button v-if="!forced" class="close-btn" @click="$emit('close')">✕</button>
+      </div>
+
+      <div class="modal-body">
+        <div v-if="forced" class="forced-warning">
+          {{ t('mustChangePasswordWarning') }}
+        </div>
+
+        <p class="current-user">{{ t('loginUsername') }} : <strong>{{ currentUsername }}</strong></p>
+
+        <div class="section-title">{{ t('newUsername') }}</div>
+        <div class="field">
+          <input
+            v-model="newUsername"
+            type="text"
+            :placeholder="currentUsername"
+            autocomplete="username"
+          />
+        </div>
+
+        <div class="section-title">
+          {{ t('newPassword') }}
+          <span v-if="forced" class="required-star">*</span>
+        </div>
+        <div class="field">
+          <input
+            v-model="newPassword"
+            type="password"
+            :placeholder="forced ? '' : t('leaveBlankToKeep')"
+            autocomplete="new-password"
+          />
+        </div>
+
+        <template v-if="newPassword || forced">
+          <div class="section-title">{{ t('confirmPassword') }}</div>
+          <div class="field">
+            <input
+              v-model="confirmPassword"
+              type="password"
+              autocomplete="new-password"
+            />
+          </div>
+        </template>
+
+        <div class="section-title">{{ t('currentPassword') }} *</div>
+        <div class="field">
+          <input
+            v-model="currentPassword"
+            type="password"
+            autocomplete="current-password"
+            required
+          />
+        </div>
+
+        <p v-if="errorMsg" class="error-msg">{{ errorMsg }}</p>
+        <p v-if="successMsg" class="success-msg">{{ successMsg }}</p>
+      </div>
+
+      <div class="modal-footer">
+        <button v-if="!forced" class="btn-cancel" @click="$emit('close')">{{ t('cancel') }}</button>
+        <button class="btn-save" :disabled="saving" @click="save">
+          {{ saving ? '…' : t('save') }}
+        </button>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup>
+import { ref } from 'vue'
+import { authApi } from '../api.js'
+import { t } from '../i18n.js'
+import { currentUsername } from '../auth.js'
+
+const props = defineProps({ forced: { type: Boolean, default: false } })
+const emit = defineEmits(['close', 'updated'])
+
+const newUsername     = ref('')
+const newPassword     = ref('')
+const confirmPassword = ref('')
+const currentPassword = ref('')
+const errorMsg        = ref('')
+const successMsg      = ref('')
+const saving          = ref(false)
+
+const _USERNAME_RE = /^[a-zA-Z0-9._-]{1,64}$/
+
+function _validateClient() {
+  if (props.forced && !newPassword.value) {
+    errorMsg.value = t('newPasswordRequired')
+    return false
+  }
+  if (newUsername.value && !_USERNAME_RE.test(newUsername.value)) {
+    errorMsg.value = t('usernameInvalid')
+    return false
+  }
+  if (newPassword.value) {
+    if (newPassword.value.length < 8) {
+      errorMsg.value = t('passwordTooShort')
+      return false
+    }
+    if (!/[a-zA-Z]/.test(newPassword.value) || !/[0-9]/.test(newPassword.value)) {
+      errorMsg.value = t('passwordTooWeak')
+      return false
+    }
+    if (newPassword.value !== confirmPassword.value) {
+      errorMsg.value = t('passwordMismatch')
+      return false
+    }
+  }
+  return true
+}
+
+async function save() {
+  errorMsg.value  = ''
+  successMsg.value = ''
+
+  if (!currentPassword.value) {
+    errorMsg.value = t('currentPassword') + ' ' + t('loginPassword').toLowerCase()
+    return
+  }
+  if (!_validateClient()) return
+  if (!newUsername.value && !newPassword.value) return
+
+  saving.value = true
+  try {
+    const payload = { current_password: currentPassword.value }
+    if (newUsername.value) payload.new_username = newUsername.value
+    if (newPassword.value) payload.new_password = newPassword.value
+    const { data } = await authApi.updateAccount(payload)
+    successMsg.value = t('accountUpdated')
+    emit('updated', {
+      token: data.access_token,
+      username: data.username,
+      mustChangePassword: data.must_change_password || false,
+    })
+    newUsername.value = ''
+    newPassword.value = ''
+    confirmPassword.value = ''
+    currentPassword.value = ''
+  } catch (e) {
+    const detail = e.response?.data?.detail || ''
+    const MAP = {
+      'Current password is incorrect': 'wrongPassword',
+      'password_too_short':            'passwordTooShort',
+      'password_too_weak':             'passwordTooWeak',
+      'username_invalid':              'usernameInvalid',
+    }
+    errorMsg.value = t(MAP[detail] || 'saveError')
+  } finally {
+    saving.value = false
+  }
+}
+</script>
+
+<style scoped>
+.modal-overlay {
+  position: fixed; inset: 0;
+  background: var(--modal-overlay);
+  display: flex; align-items: center; justify-content: center;
+  z-index: 1000;
+}
+
+.modal {
+  background: var(--bg-card);
+  border: 1.5px solid var(--border);
+  border-radius: 14px;
+  width: 100%;
+  max-width: 420px;
+  box-shadow: var(--shadow-modal);
+  display: flex;
+  flex-direction: column;
+}
+
+.modal-header {
+  display: flex; align-items: center; justify-content: space-between;
+  padding: 18px 20px 14px;
+  border-bottom: 1px solid var(--border);
+}
+.modal-header h2 { font-size: 16px; font-weight: 700; color: var(--text-primary); }
+
+.close-btn {
+  background: none; border: none; font-size: 16px;
+  color: var(--text-muted); cursor: pointer; line-height: 1;
+}
+.close-btn:hover { color: var(--text-primary); }
+
+.modal-body {
+  padding: 20px;
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+}
+
+.forced-warning {
+  font-size: 13px;
+  color: #92400E;
+  background: #FEF3C7;
+  border: 1px solid #FCD34D;
+  border-radius: 8px;
+  padding: 10px 12px;
+  margin-bottom: 4px;
+}
+
+:global(html.dark .forced-warning) {
+  background: #2D2000;
+  border-color: #5C4200;
+  color: #FCD34D;
+}
+
+.required-star { color: #EF4444; margin-left: 2px; }
+
+.current-user {
+  font-size: 13px;
+  color: var(--text-secondary);
+  margin-bottom: 8px;
+}
+.current-user strong { color: var(--text-primary); }
+
+.section-title {
+  font-size: 12px;
+  font-weight: 600;
+  color: var(--text-muted);
+  margin-top: 4px;
+}
+
+.field input {
+  width: 100%;
+  padding: 8px 11px;
+  border: 1.5px solid var(--border);
+  border-radius: 7px;
+  font-size: 13px;
+  background: var(--bg-input);
+  color: var(--text-primary);
+  outline: none;
+  transition: border-color 0.15s;
+}
+.field input:focus { border-color: #3B82F6; }
+
+.error-msg {
+  font-size: 12px; color: #EF4444;
+  background: #FEF2F2; border: 1px solid #FECACA;
+  border-radius: 6px; padding: 7px 10px;
+}
+.success-msg {
+  font-size: 12px; color: #15803D;
+  background: #F0FDF4; border: 1px solid #BBF7D0;
+  border-radius: 6px; padding: 7px 10px;
+}
+
+:global(html.dark .error-msg)   { background: #2A1515; border-color: #3D1F1F; }
+:global(html.dark .success-msg) { background: #0F2D1A; border-color: #1A4D2A; color: #4ADE80; }
+
+.modal-footer {
+  display: flex; justify-content: flex-end; gap: 8px;
+  padding: 14px 20px;
+  border-top: 1px solid var(--border);
+}
+
+.btn-cancel {
+  padding: 7px 16px; background: var(--bg-chip);
+  color: var(--text-secondary); border: 1.5px solid var(--border);
+  border-radius: 7px; font-size: 13px; cursor: pointer;
+}
+.btn-cancel:hover { background: var(--bg-chip-hover); }
+
+.btn-save {
+  padding: 7px 18px; background: #3B82F6;
+  color: #fff; border: none; border-radius: 7px;
+  font-size: 13px; font-weight: 600; cursor: pointer;
+}
+.btn-save:hover:not(:disabled) { background: #2563EB; }
+.btn-save:disabled { opacity: 0.6; cursor: default; }
+</style>
diff --git a/frontend/src/components/DeviceIcon.vue b/frontend/src/components/DeviceIcon.vue
new file mode 100644
index 0000000..562f391
--- /dev/null
+++ b/frontend/src/components/DeviceIcon.vue
@@ -0,0 +1,83 @@
+<template>
+  <!-- Simple Icons : logos des marques détectées (chips de topologie) -->
+  <span v-if="!typeOnly && brandIcons.length > 0" class="brand-icons">
+    <svg
+      v-for="icon in brandIcons"
+      :key="icon.title"
+      :width="size"
+      :height="size"
+      viewBox="0 0 24 24"
+      xmlns="http://www.w3.org/2000/svg"
+      fill="currentColor"
+      aria-hidden="true"
+    >
+      <path :d="icon.path" />
+    </svg>
+  </span>
+
+  <!-- Lucide : icône générique par type -->
+  <component
+    v-else
+    :is="lucideIcon"
+    :size="size"
+    :stroke-width="1.75"
+    aria-hidden="true"
+  />
+</template>
+
+<script setup>
+import { computed } from 'vue'
+import {
+  Server, Network, Wifi, Database, Globe, GitFork,
+  Camera, Thermometer, Gauge, House, PlugZap, ShieldAlert,
+  Lightbulb, BellRing, Antenna, Monitor, Laptop, Box,
+} from 'lucide-vue-next'
+import { detectBrands } from '../brandIcons.js'
+
+const props = defineProps({
+  deviceType:  { type: String,  default: 'other' },
+  isGateway:   { type: Boolean, default: false },
+  isLivebox:   { type: Boolean, default: false },
+  name:        { type: String,  default: '' },
+  description: { type: String,  default: '' },
+  size:        { type: Number,  default: 18 },
+  typeOnly:    { type: Boolean, default: false },
+})
+
+const brandIcons = computed(() => detectBrands(props.name, props.description))
+
+const LUCIDE_MAP = {
+  server:       Server,
+  switch:       Network,
+  router:       Wifi,
+  nas:          Database,
+  gateway:      GitFork,
+  livebox:      Globe,
+  camera:       Camera,
+  temperature:  Thermometer,
+  sensor:       Gauge,
+  hub:          House,
+  smart_plug:   PlugZap,
+  alarm:        ShieldAlert,
+  light:        Lightbulb,
+  doorbell:     BellRing,
+  access_point: Antenna,
+  desktop:      Monitor,
+  laptop:       Laptop,
+  other:        Box,
+}
+
+const lucideIcon = computed(() => {
+  if (props.isLivebox) return Globe
+  if (props.isGateway) return GitFork
+  return LUCIDE_MAP[props.deviceType] || Box
+})
+</script>
+
+<style scoped>
+.brand-icons {
+  display: inline-flex;
+  align-items: center;
+  gap: 3px;
+}
+</style>
diff --git a/frontend/src/components/DeviceManager.vue b/frontend/src/components/DeviceManager.vue
new file mode 100644
index 0000000..aa099f8
--- /dev/null
+++ b/frontend/src/components/DeviceManager.vue
@@ -0,0 +1,689 @@
+<template>
+  <div class="page">
+    <div class="page-header">
+      <h1>{{ t('devices') }}</h1>
+      <button class="btn-primary" @click="openAdd">{{ t('addDevice') }}</button>
+    </div>
+
+    <div v-if="props.devices.length === 0" class="empty">
+      {{ t('noDevicesConfigured') }}
+    </div>
+
+    <template v-else>
+      <!-- Barre de filtres -->
+      <div class="filter-bar">
+        <div class="search-wrap">
+          <span class="search-icon">⌕</span>
+          <input
+            v-model="search"
+            class="search-input"
+            type="text"
+            :placeholder="t('searchPlaceholder')"
+            @keydown.escape="search = ''"
+          />
+          <button v-if="search" class="search-clear" @click="search = ''">✕</button>
+        </div>
+        <div v-if="usedTypes.length > 1" class="filter-group" @mousedown.stop>
+          <button class="filter-btn" :class="{ active: filterTypes.length }" @click="toggleDrop('types')">
+            {{ t('filterType') }}
+            <span v-if="filterTypes.length" class="filter-count">{{ filterTypes.length }}</span>
+            <span class="filter-chevron">▾</span>
+          </button>
+          <div v-if="openDrop === 'types'" class="filter-drop">
+            <label v-for="t2 in usedTypes" :key="t2.value" class="filter-opt">
+              <input type="checkbox" :value="t2.value" v-model="filterTypes" />
+              {{ t2.label }}
+            </label>
+          </div>
+        </div>
+
+        <div v-if="usedVlans.length > 0" class="filter-group" @mousedown.stop>
+          <button class="filter-btn" :class="{ active: filterVlans.length }" @click="toggleDrop('vlans')">
+            {{ t('filterNetwork') }}
+            <span v-if="filterVlans.length" class="filter-count">{{ filterVlans.length }}</span>
+            <span class="filter-chevron">▾</span>
+          </button>
+          <div v-if="openDrop === 'vlans'" class="filter-drop">
+            <label v-for="v in usedVlans" :key="v.id" class="filter-opt">
+              <input type="checkbox" :value="v.id" v-model="filterVlans" />
+              <span class="vlan-dot" :style="{ background: v.color }"></span>
+              {{ v.vlan_id != null ? 'VLAN ' + v.vlan_id + ' — ' : 'LAN — ' }}{{ v.name }}
+            </label>
+          </div>
+        </div>
+
+        <div v-if="availableBrands.length > 0" class="filter-group" @mousedown.stop>
+          <button class="filter-btn" :class="{ active: filterBrands.length }" @click="toggleDrop('brands')">
+            {{ t('filterBrand') }}
+            <span v-if="filterBrands.length" class="filter-count">{{ filterBrands.length }}</span>
+            <span class="filter-chevron">▾</span>
+          </button>
+          <div v-if="openDrop === 'brands'" class="filter-drop">
+            <label v-for="b in availableBrands" :key="b.title" class="filter-opt">
+              <input type="checkbox" :value="b.title" v-model="filterBrands" />
+              <svg width="13" height="13" viewBox="0 0 24 24" fill="currentColor" aria-hidden="true">
+                <path :d="b.path" />
+              </svg>
+              {{ b.title }}
+            </label>
+          </div>
+        </div>
+
+        <div v-if="usedVirts.length > 0" class="filter-group" @mousedown.stop>
+          <button class="filter-btn" :class="{ active: filterVirts.length }" @click="toggleDrop('virts')">
+            {{ t('filterVirt') }}
+            <span v-if="filterVirts.length" class="filter-count">{{ filterVirts.length }}</span>
+            <span class="filter-chevron">▾</span>
+          </button>
+          <div v-if="openDrop === 'virts'" class="filter-drop">
+            <label v-for="vt in usedVirts" :key="vt" class="filter-opt">
+              <input type="checkbox" :value="vt" v-model="filterVirts" />
+              {{ virtLabelFor(vt) }}
+            </label>
+          </div>
+        </div>
+
+        <template v-if="hasActiveFilters">
+          <button class="filter-reset" @click="resetFilters">{{ t('clearFilters') }}</button>
+          <span class="filter-results">{{ sortedDevices.length }} / {{ props.devices.length }}</span>
+        </template>
+      </div>
+
+      <div v-if="sortedDevices.length === 0" class="empty">
+        {{ t('noDevicesFiltered') }}
+      </div>
+
+      <div v-else class="devices-grid">
+        <div v-for="device in sortedDevices" :key="device.id" class="device-card">
+          <div class="device-header">
+            <div class="device-icon" :class="iconClass(device)">
+              <DeviceIcon
+                :device-type="device.type"
+                :is-gateway="device.is_gateway"
+                :is-livebox="device.is_livebox"
+                :name="device.name"
+                :description="device.description"
+                :size="20"
+                type-only
+              />
+            </div>
+            <div class="device-info">
+              <div class="device-name">{{ device.name }}</div>
+              <div class="device-meta">
+                <span class="badge" :class="'badge-' + device.type">{{ typeLabel(device.type) }}</span>
+                <span v-if="device.is_gateway" class="badge badge-gateway">{{ t('badgeGateway') }}</span>
+                <span v-if="device.is_livebox" class="badge badge-livebox">{{ t('badgeLivebox') }}</span>
+                <span v-if="device.virt_type" class="badge badge-virt" :class="'badge-virt-' + device.virt_type">{{ virtLabelFor(device.virt_type) }}</span>
+                <span
+                  v-for="brand in detectBrands(device.name, device.description)"
+                  :key="brand.title"
+                  class="badge-brand"
+                  :title="brand.title"
+                  :style="{ background: '#' + brand.hex }"
+                >
+                  <svg width="11" height="11" viewBox="0 0 24 24" fill="currentColor" aria-hidden="true">
+                    <path :d="brand.path" />
+                  </svg>
+                  {{ brand.title }}
+                </span>
+              </div>
+            </div>
+            <div class="device-actions">
+              <button class="btn-icon" @click="openEdit(device)" :title="t('save')">✎</button>
+              <button class="btn-icon danger" @click="remove(device)" :title="t('clearFilters')">✕</button>
+            </div>
+          </div>
+          <div v-if="device.description" class="device-desc">{{ device.description }}</div>
+          <a v-if="device.url" :href="device.url" target="_blank" rel="noreferrer noopener" class="device-url">{{ device.url }}</a>
+          <div v-if="device.interfaces.length" class="interfaces">
+            <div v-for="iface in device.interfaces" :key="iface.id" class="iface">
+              <span class="iface-name">{{ iface.name }}</span>
+              <span v-if="iface.ip_address" class="iface-ip">{{ iface.ip_address }}</span>
+              <span v-if="iface.vlan_id" class="iface-vlan" :style="{ background: vlanColor(iface.vlan_id) }">
+                {{ vlanLabel(iface.vlan_id) }}
+              </span>
+              <span v-if="iface.is_upstream" class="iface-upstream">↑ WAN</span>
+            </div>
+          </div>
+        </div>
+      </div>
+    </template>
+
+    <div v-if="showForm" class="modal-overlay" @click.self="showForm = false">
+      <div class="modal">
+        <h2>{{ editing ? t('editDevice') : t('newDevice') }}</h2>
+        <form @submit.prevent="save">
+          <div class="fields-row">
+            <div class="field">
+              <label>{{ t('fieldName') }}</label>
+              <input v-model="form.name" type="text" required placeholder="ex: srv-web-01" />
+            </div>
+            <div class="field">
+              <label>{{ t('fieldType') }}</label>
+              <select v-model="form.type">
+                <option v-for="dtype in deviceTypes" :key="dtype.value" :value="dtype.value">{{ dtype.label }}</option>
+              </select>
+            </div>
+          </div>
+          <div class="field">
+            <label>{{ t('fieldDescription') }}</label>
+            <textarea v-model="form.description" rows="2" :placeholder="t('descPlaceholder')"></textarea>
+          </div>
+          <div class="checkboxes">
+            <label class="checkbox">
+              <input type="checkbox" v-model="form.is_gateway" />
+              <span>{{ t('isGateway') }}</span>
+            </label>
+            <label class="checkbox">
+              <input type="checkbox" v-model="form.is_livebox" />
+              <span>{{ t('isLivebox') }}</span>
+            </label>
+          </div>
+          <div v-if="!['desktop','laptop'].includes(form.type)" class="field">
+            <label>{{ t('accessUrl') }}</label>
+            <input v-model="form.url" type="url" placeholder="https://192.168.1.1" />
+          </div>
+
+          <div class="field">
+            <label>{{ t('runtimeType') }}</label>
+            <select v-model="form.virt_type">
+              <option :value="null">{{ t('notSpecified') }}</option>
+              <option value="baremetal">{{ t('baremetal') }}</option>
+              <option value="lxc">{{ t('lxcContainer') }}</option>
+              <option value="qemu">{{ t('vmQemu') }}</option>
+            </select>
+          </div>
+
+          <div class="interfaces-section">
+            <div class="interfaces-header">
+              <strong>{{ t('networkInterfaces') }}</strong>
+              <button type="button" class="btn-add-iface" @click="addInterface">{{ t('addInterface') }}</button>
+            </div>
+            <div v-if="form.interfaces.length === 0" class="iface-empty">
+              {{ t('noInterface') }}
+            </div>
+            <div v-for="(iface, idx) in form.interfaces" :key="idx" class="iface-row">
+              <input v-model="iface.name" type="text" placeholder="eth0" class="iface-input" />
+              <input v-model="iface.ip_address" type="text" placeholder="IP" class="iface-input wide" />
+              <select v-model="iface.vlan_id" class="iface-select">
+                <option :value="null">— VLAN</option>
+                <option v-for="v in props.vlans" :key="v.id" :value="v.id">
+                  {{ v.vlan_id != null ? 'VLAN ' + v.vlan_id : 'LAN' }} — {{ v.name }}
+                </option>
+              </select>
+              <label class="iface-upstream">
+                <input type="checkbox" v-model="iface.is_upstream" />
+                <span>WAN</span>
+              </label>
+              <button type="button" class="btn-rm-iface" @click="removeInterface(idx)">✕</button>
+            </div>
+          </div>
+
+          <div class="modal-actions">
+            <button type="button" class="btn-secondary" @click="showForm = false">{{ t('cancel') }}</button>
+            <button type="submit" class="btn-primary">{{ editing ? t('save') : t('create') }}</button>
+          </div>
+        </form>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup>
+import { ref, reactive, computed, onMounted, onUnmounted } from 'vue'
+import { devicesApi } from '../api.js'
+import DeviceIcon from './DeviceIcon.vue'
+import { detectBrands } from '../brandIcons.js'
+import { t, tFmt } from '../i18n.js'
+
+const props = defineProps({ devices: Array, vlans: Array })
+
+function ipToInt(ip) {
+  if (!ip) return Infinity
+  const p = ip.split('.').map(Number)
+  return p.length === 4 ? (p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]) >>> 0 : Infinity
+}
+
+function deviceFirstIp(device) {
+  for (const iface of device.interfaces) {
+    if (iface.ip_address) return iface.ip_address
+  }
+  return ''
+}
+
+// ── Recherche + Filtres ───────────────────────────────────────────────────────
+const search       = ref('')
+const filterTypes  = ref([])
+const filterVlans  = ref([])
+const filterBrands = ref([])
+const filterVirts  = ref([])
+const openDrop     = ref(null)
+
+function toggleDrop(name) {
+  openDrop.value = openDrop.value === name ? null : name
+}
+
+function closeDropdown() { openDrop.value = null }
+onMounted(() => document.addEventListener('mousedown', closeDropdown))
+onUnmounted(() => document.removeEventListener('mousedown', closeDropdown))
+
+const hasActiveFilters = computed(() =>
+  search.value.trim() ||
+  filterTypes.value.length + filterVlans.value.length +
+  filterBrands.value.length + filterVirts.value.length > 0
+)
+
+function resetFilters() {
+  search.value   = ''
+  filterTypes.value  = []
+  filterVlans.value  = []
+  filterBrands.value = []
+  filterVirts.value  = []
+}
+
+const deviceTypes = computed(() => [
+  { value: 'server',       label: t('typeServer') },
+  { value: 'switch',       label: t('typeSwitch') },
+  { value: 'router',       label: t('typeRouter') },
+  { value: 'nas',          label: t('typeNas') },
+  { value: 'gateway',      label: t('typeGateway') },
+  { value: 'livebox',      label: t('typeLivebox') },
+  { value: 'camera',       label: t('typeCamera') },
+  { value: 'temperature',  label: t('typeTemperature') },
+  { value: 'sensor',       label: t('typeSensor') },
+  { value: 'hub',          label: t('typeHub') },
+  { value: 'smart_plug',   label: t('typeSmartPlug') },
+  { value: 'alarm',        label: t('typeAlarm') },
+  { value: 'light',        label: t('typeLight') },
+  { value: 'doorbell',     label: t('typeDoorbell') },
+  { value: 'access_point', label: t('typeAccessPoint') },
+  { value: 'desktop',      label: t('typeDesktop') },
+  { value: 'laptop',       label: t('typeLaptop') },
+  { value: 'other',        label: t('typeOther') },
+])
+
+const usedTypes = computed(() => {
+  const used = new Set(props.devices.map(d => d.type))
+  return deviceTypes.value.filter(t2 => used.has(t2.value))
+})
+
+const usedVlans = computed(() => {
+  const usedIds = new Set(
+    props.devices.flatMap(d => d.interfaces.map(i => i.vlan_id).filter(id => id != null))
+  )
+  return props.vlans.filter(v => usedIds.has(v.id))
+})
+
+const availableBrands = computed(() => {
+  const seen = new Map()
+  for (const d of props.devices) {
+    for (const b of detectBrands(d.name, d.description)) {
+      if (!seen.has(b.title)) seen.set(b.title, b)
+    }
+  }
+  return [...seen.values()].sort((a, b) => a.title.localeCompare(b.title))
+})
+
+const usedVirts = computed(() => {
+  const vts = new Set(props.devices.map(d => d.virt_type).filter(Boolean))
+  return ['baremetal', 'lxc', 'qemu'].filter(v => vts.has(v))
+})
+
+const filteredDevices = computed(() => {
+  const q = search.value.trim().toLowerCase()
+  return props.devices.filter(d => {
+    if (q) {
+      const inName = d.name.toLowerCase().includes(q)
+      const inDesc = (d.description || '').toLowerCase().includes(q)
+      const inIp   = d.interfaces.some(i => (i.ip_address || '').includes(q))
+      if (!inName && !inDesc && !inIp) return false
+    }
+    if (filterTypes.value.length && !filterTypes.value.includes(d.type)) return false
+    if (filterVlans.value.length && !d.interfaces.some(i => filterVlans.value.includes(i.vlan_id))) return false
+    if (filterBrands.value.length) {
+      const dBrands = detectBrands(d.name, d.description).map(b => b.title)
+      if (!filterBrands.value.some(b => dBrands.includes(b))) return false
+    }
+    if (filterVirts.value.length && !filterVirts.value.includes(d.virt_type)) return false
+    return true
+  })
+})
+
+const sortedDevices = computed(() =>
+  [...filteredDevices.value].sort((a, b) => ipToInt(deviceFirstIp(a)) - ipToInt(deviceFirstIp(b)))
+)
+
+const emit = defineEmits(['refresh'])
+
+const showForm = ref(false)
+const editing  = ref(null)
+const form = reactive({
+  name: '', type: 'server', description: '',
+  is_gateway: false, is_livebox: false, virt_type: null, url: null, interfaces: []
+})
+
+function typeLabel(type) {
+  return deviceTypes.value.find(d => d.value === type)?.label || type
+}
+
+function virtLabelFor(vt) {
+  const map = { baremetal: t('virtBaremetal'), lxc: t('virtLxc'), qemu: t('virtQemu') }
+  return map[vt] || ''
+}
+
+function iconClass(device) {
+  if (device.is_livebox) return 'icon-livebox'
+  if (device.is_gateway) return 'icon-gateway'
+  return 'icon-' + device.type
+}
+
+function vlanColor(vlanId) {
+  return props.vlans.find(v => v.id === vlanId)?.color || '#94A3B8'
+}
+
+function vlanLabel(vlanId) {
+  const v = props.vlans.find(v => v.id === vlanId)
+  if (!v) return '?'
+  return v.vlan_id != null ? `VLAN ${v.vlan_id}` : 'LAN'
+}
+
+function openAdd() {
+  editing.value = null
+  Object.assign(form, { name: '', type: 'server', description: '', is_gateway: false, is_livebox: false, virt_type: null, url: null, interfaces: [] })
+  showForm.value = true
+}
+
+function openEdit(device) {
+  editing.value = device
+  Object.assign(form, {
+    name: device.name,
+    type: device.type,
+    description: device.description,
+    is_gateway: device.is_gateway,
+    is_livebox: device.is_livebox,
+    virt_type: device.virt_type || null,
+    url: device.url || null,
+    interfaces: device.interfaces.map(i => ({ ...i }))
+  })
+  showForm.value = true
+}
+
+function addInterface() {
+  form.interfaces.push({ name: 'eth' + form.interfaces.length, ip_address: '', vlan_id: null, is_upstream: false })
+}
+
+function removeInterface(idx) {
+  form.interfaces.splice(idx, 1)
+}
+
+async function save() {
+  try {
+    if (editing.value) {
+      await devicesApi.update(editing.value.id, form)
+    } else {
+      await devicesApi.create(form)
+    }
+    showForm.value = false
+    emit('refresh')
+  } catch (e) {
+    alert(e.response?.data?.detail || t('saveError'))
+  }
+}
+
+async function remove(device) {
+  if (!confirm(`Supprimer ${tFmt('confirmDeleteDevice', device.name)}`)) return
+  try {
+    await devicesApi.remove(device.id)
+    emit('refresh')
+  } catch (e) {
+    alert(e.response?.data?.detail || t('deleteError'))
+  }
+}
+</script>
+
+<style scoped>
+.page { height: 100vh; overflow-y: auto; background: var(--bg-page); padding: 32px; }
+.page-header { display: flex; justify-content: space-between; align-items: center; margin-bottom: 20px; }
+h1 { font-size: 22px; font-weight: 700; color: var(--text-primary); }
+
+.btn-primary {
+  padding: 9px 18px; background: #3B82F6; color: #fff;
+  border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer;
+}
+.btn-primary:hover { background: #2563EB; }
+.btn-secondary {
+  padding: 9px 18px; background: var(--border); color: var(--text-secondary);
+  border: none; border-radius: 8px; font-size: 14px; font-weight: 500; cursor: pointer;
+}
+.btn-secondary:hover { background: var(--border-strong); }
+
+.empty { padding: 48px; text-align: center; color: var(--text-faint); font-size: 15px; }
+
+/* ── Barre de filtres ─────────────────────────────────────────────────────── */
+.filter-bar {
+  display: flex; align-items: center; gap: 6px;
+  margin-bottom: 16px; flex-wrap: wrap;
+}
+
+.search-wrap { position: relative; display: flex; align-items: center; }
+.search-icon {
+  position: absolute; left: 8px; font-size: 15px; color: var(--text-faint);
+  pointer-events: none; line-height: 1;
+}
+.search-input {
+  height: 28px; padding: 0 28px 0 26px;
+  border: 1.5px solid var(--border); border-radius: 8px;
+  font-size: 12px; color: var(--text-primary); background: var(--bg-input);
+  width: 160px; outline: none;
+}
+.search-input:focus { border-color: #3B82F6; }
+.search-input::placeholder { color: var(--text-faint); }
+.search-clear {
+  position: absolute; right: 6px;
+  background: none; border: none; font-size: 11px; color: var(--text-faint);
+  cursor: pointer; padding: 0; line-height: 1;
+}
+.search-clear:hover { color: var(--text-secondary); }
+
+.filter-group { position: relative; }
+
+.filter-btn {
+  display: inline-flex; align-items: center; gap: 4px;
+  padding: 0 10px; height: 28px;
+  background: var(--bg-input); border: 1.5px solid var(--border);
+  border-radius: 8px; font-size: 12px; font-weight: 600; color: var(--text-secondary);
+  cursor: pointer; white-space: nowrap;
+}
+.filter-btn:hover { border-color: var(--border-strong); background: var(--bg-card-hover); }
+.filter-btn.active { background: #EFF6FF; border-color: #93C5FD; color: #1D4ED8; }
+
+.filter-count {
+  background: #3B82F6; color: #fff;
+  border-radius: 10px; padding: 0 5px;
+  font-size: 10px; font-weight: 700; line-height: 16px;
+}
+.filter-chevron { font-size: 9px; opacity: 0.5; }
+
+.filter-drop {
+  position: absolute; top: calc(100% + 4px); left: 0; z-index: 50;
+  background: var(--bg-card); border: 1.5px solid var(--border); border-radius: 10px;
+  padding: 6px; min-width: 190px; max-height: 260px; overflow-y: auto;
+  box-shadow: var(--shadow-drop);
+}
+
+.filter-opt {
+  display: flex; align-items: center; gap: 8px;
+  padding: 5px 8px; border-radius: 6px; cursor: pointer;
+  font-size: 12px; color: var(--text-primary); white-space: nowrap; user-select: none;
+}
+.filter-opt:hover { background: var(--bg-page); }
+.filter-opt input[type="checkbox"] { cursor: pointer; width: 13px; height: 13px; flex-shrink: 0; }
+
+.vlan-dot { width: 10px; height: 10px; border-radius: 50%; flex-shrink: 0; }
+
+.filter-reset {
+  display: inline-flex; align-items: center;
+  padding: 0 10px; height: 28px;
+  background: #FEE2E2; color: #B91C1C;
+  border: none; border-radius: 8px; font-size: 12px; font-weight: 600; cursor: pointer;
+}
+.filter-reset:hover { background: #FECACA; }
+
+.filter-results { font-size: 12px; color: var(--text-faint); font-weight: 500; }
+
+/* ── Grille équipements ───────────────────────────────────────────────────── */
+.devices-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(320px, 1fr));
+  gap: 16px;
+}
+
+.device-card {
+  background: var(--bg-card); border-radius: 12px; padding: 16px;
+  box-shadow: var(--shadow-card); border: 1.5px solid var(--border);
+}
+
+.device-header { display: flex; align-items: flex-start; gap: 12px; }
+.device-icon {
+  width: 40px; height: 40px; border-radius: 10px;
+  display: flex; align-items: center; justify-content: center;
+  font-size: 20px; flex-shrink: 0;
+}
+.icon-livebox      { background: #FEE2E2; color: #B91C1C; }
+.icon-gateway      { background: #FEF3C7; color: #92400E; }
+.icon-server       { background: #DBEAFE; color: #1D4ED8; }
+.icon-switch       { background: #D1FAE5; color: #065F46; }
+.icon-router       { background: #FFEDD5; color: #C2410C; }
+.icon-nas          { background: #EDE9FE; color: #6D28D9; }
+.icon-camera       { background: #E0F2FE; color: #0369A1; }
+.icon-temperature  { background: #F0F9FF; color: #0284C7; }
+.icon-sensor       { background: #ECFCCB; color: #3F6212; }
+.icon-hub          { background: #EEF2FF; color: #3730A3; }
+.icon-smart_plug   { background: #FFF7ED; color: #C2410C; }
+.icon-alarm        { background: #FEF2F2; color: #B91C1C; }
+.icon-light        { background: #FEFCE8; color: #854D0E; }
+.icon-doorbell     { background: #FDF4FF; color: #7E22CE; }
+.icon-access_point { background: #CCFBF1; color: #0F766E; }
+.icon-desktop      { background: #E0E7FF; color: #4338CA; }
+.icon-laptop       { background: #DCFCE7; color: #15803D; }
+.icon-other        { background: #F1F5F9; color: #475569; }
+
+.device-info { flex: 1; min-width: 0; }
+.device-name { font-weight: 700; font-size: 15px; color: var(--text-primary); }
+.device-meta { display: flex; flex-wrap: wrap; gap: 4px; margin-top: 4px; }
+
+.badge {
+  font-size: 11px; font-weight: 600; padding: 2px 8px;
+  border-radius: 20px; color: #fff;
+}
+.badge-server      { background: #3B82F6; }
+.badge-switch      { background: #10B981; }
+.badge-router      { background: #F97316; }
+.badge-nas         { background: #8B5CF6; }
+.badge-gateway     { background: #6366F1; }
+.badge-livebox     { background: #EF4444; }
+.badge-camera      { background: #0284C7; }
+.badge-temperature { background: #0EA5E9; }
+.badge-sensor      { background: #65A30D; }
+.badge-hub         { background: #4F46E5; }
+.badge-smart_plug  { background: #EA580C; }
+.badge-alarm       { background: #DC2626; }
+.badge-light       { background: #CA8A04; }
+.badge-doorbell    { background: #A21CAF; }
+.badge-access_point { background: #14B8A6; }
+.badge-desktop     { background: #4F46E5; }
+.badge-laptop      { background: #16A34A; }
+.badge-other       { background: #94A3B8; }
+.badge-virt            { background: #1E293B; }
+.badge-virt-baremetal  { background: #475569; }
+.badge-virt-lxc        { background: #0369A1; }
+.badge-virt-qemu       { background: #7C3AED; }
+
+.badge-brand {
+  display: inline-flex; align-items: center; gap: 4px;
+  font-size: 11px; font-weight: 600; padding: 2px 7px;
+  border-radius: 20px; color: #fff;
+}
+
+.device-actions { display: flex; gap: 6px; flex-shrink: 0; }
+.btn-icon {
+  width: 28px; height: 28px; border: none; border-radius: 6px;
+  background: var(--bg-chip); color: var(--text-secondary); font-size: 14px; cursor: pointer;
+  display: flex; align-items: center; justify-content: center;
+}
+.btn-icon:hover { background: var(--border-strong); color: var(--text-primary); }
+.btn-icon.danger:hover { background: rgba(239,68,68,0.15); color: #EF4444; }
+
+.device-desc { font-size: 13px; color: var(--text-muted); margin-top: 8px; padding-top: 8px; border-top: 1px solid var(--border); }
+.device-url {
+  display: inline-block; margin-top: 6px;
+  font-size: 12px; color: #3B82F6; font-family: monospace;
+  text-decoration: none; word-break: break-all;
+}
+.device-url:hover { text-decoration: underline; }
+
+.interfaces { margin-top: 10px; display: flex; flex-direction: column; gap: 4px; }
+.iface { display: flex; align-items: center; gap: 6px; flex-wrap: wrap; font-size: 12px; }
+.iface-name { font-weight: 600; color: var(--text-secondary); font-family: monospace; }
+.iface-ip { color: var(--text-muted); font-family: monospace; }
+.iface-vlan {
+  color: #fff; padding: 1px 7px; border-radius: 12px;
+  font-weight: 600; font-size: 11px;
+}
+.iface-upstream { color: #F97316; font-weight: 600; font-size: 11px; }
+
+/* ── Modal ────────────────────────────────────────────────────────────────── */
+.modal-overlay {
+  position: fixed; inset: 0; background: var(--modal-overlay);
+  display: flex; align-items: center; justify-content: center; z-index: 100;
+}
+.modal {
+  background: var(--bg-card); border-radius: 16px; padding: 28px;
+  width: 600px; max-width: 95vw; max-height: 90vh; overflow-y: auto;
+  box-shadow: var(--shadow-modal);
+}
+.modal h2 { font-size: 18px; font-weight: 700; color: var(--text-primary); margin-bottom: 20px; }
+
+.fields-row { display: grid; grid-template-columns: 1fr 1fr; gap: 12px; }
+.field { margin-bottom: 14px; }
+.field label { display: block; font-size: 13px; font-weight: 600; color: var(--text-secondary); margin-bottom: 5px; }
+.field input[type="text"],
+.field input[type="url"],
+.field input[type="number"],
+.field select,
+.field textarea {
+  width: 100%; padding: 9px 12px; border: 1.5px solid var(--border);
+  border-radius: 8px; font-size: 14px; color: var(--text-primary);
+  background: var(--bg-input); box-sizing: border-box;
+}
+.field input:focus, .field select:focus, .field textarea:focus {
+  outline: none; border-color: #3B82F6;
+}
+
+.checkboxes { display: flex; gap: 20px; margin-bottom: 16px; }
+.checkbox { display: flex; align-items: center; gap: 8px; cursor: pointer; font-size: 14px; color: var(--text-secondary); }
+.checkbox input { width: 16px; height: 16px; cursor: pointer; }
+
+.interfaces-section { border: 1.5px solid var(--border); border-radius: 10px; padding: 14px; margin-bottom: 14px; }
+.interfaces-header { display: flex; justify-content: space-between; align-items: center; margin-bottom: 10px; }
+.interfaces-header strong { font-size: 13px; color: var(--text-secondary); }
+.btn-add-iface {
+  padding: 5px 12px; background: #EFF6FF; color: #3B82F6;
+  border: 1.5px solid #BFDBFE; border-radius: 6px; font-size: 13px; font-weight: 600; cursor: pointer;
+}
+.btn-add-iface:hover { background: #DBEAFE; }
+.iface-empty { font-size: 13px; color: var(--text-faint); text-align: center; padding: 8px 0; }
+
+.iface-row { display: flex; align-items: center; gap: 8px; margin-bottom: 8px; flex-wrap: wrap; }
+.iface-input { padding: 7px 10px; border: 1.5px solid var(--border); border-radius: 6px; font-size: 13px; width: 80px; background: var(--bg-input); color: var(--text-primary); }
+.iface-input.wide { width: 130px; }
+.iface-select { padding: 7px 10px; border: 1.5px solid var(--border); border-radius: 6px; font-size: 13px; background: var(--bg-input); color: var(--text-primary); }
+.iface-upstream { display: flex; align-items: center; gap: 4px; font-size: 12px; color: var(--text-muted); cursor: pointer; }
+.btn-rm-iface {
+  width: 26px; height: 26px; border: none; border-radius: 6px;
+  background: #FEE2E2; color: #EF4444; font-size: 14px; cursor: pointer;
+}
+.btn-rm-iface:hover { background: #FECACA; }
+
+.modal-actions { display: flex; gap: 10px; justify-content: flex-end; margin-top: 20px; }
+</style>
diff --git a/frontend/src/components/DiscoveryModal.vue b/frontend/src/components/DiscoveryModal.vue
new file mode 100644
index 0000000..1d85b52
--- /dev/null
+++ b/frontend/src/components/DiscoveryModal.vue
@@ -0,0 +1,437 @@
+<template>
+  <div class="modal-overlay" @click.self="$emit('close')">
+    <div class="modal">
+
+      <!-- Header -->
+      <div class="modal-header">
+        <div class="header-title">
+          <span class="header-icon">🔍</span>
+          <h2>{{ t('autoDiscovery') }}</h2>
+        </div>
+        <button class="close-btn" @click="$emit('close')">✕</button>
+      </div>
+
+      <!-- ── Step 1 : Configuration ── -->
+      <template v-if="step === 'config'">
+        <div class="modal-body">
+
+          <div class="field">
+            <label>{{ t('dnsServer') }}</label>
+            <div class="input-hint">{{ t('dnsHint') }}</div>
+            <input v-model="dnsServer" type="text" placeholder="192.168.1.16" />
+          </div>
+
+          <div class="field">
+            <label>{{ t('vlansToScan') }}</label>
+            <div class="input-hint">{{ t('vlansHint') }}</div>
+
+            <div v-if="scanableVlans.length === 0" class="warn-box">
+              {{ t('noCidrWarning') }}
+            </div>
+
+            <div class="vlan-checklist">
+              <label
+                v-for="vlan in props.vlans"
+                :key="vlan.id"
+                class="vlan-check"
+                :class="{ disabled: !vlan.cidr }"
+              >
+                <input
+                  type="checkbox"
+                  :value="vlan.id"
+                  v-model="selectedVlanIds"
+                  :disabled="!vlan.cidr"
+                />
+                <div class="vlan-check-body">
+                  <span class="vlan-badge" :style="{ background: vlan.color }">VLAN {{ vlan.vlan_id }}</span>
+                  <span class="vlan-check-name">{{ vlan.name }}</span>
+                  <code v-if="vlan.cidr" class="vlan-check-cidr">{{ vlan.cidr }}</code>
+                  <span v-else class="no-cidr">{{ t('noCidr') }}</span>
+                  <span v-if="vlan.cidr" class="host-count">
+                    (~{{ hostCount(vlan.cidr) }} hôtes)
+                  </span>
+                </div>
+              </label>
+            </div>
+          </div>
+
+          <div v-if="configError" class="error-box">{{ configError }}</div>
+        </div>
+
+        <div class="modal-footer">
+          <button class="btn-secondary" @click="$emit('close')">{{ t('cancel') }}</button>
+          <button
+            class="btn-primary"
+            :disabled="selectedVlanIds.length === 0"
+            @click="startScan"
+          >
+            {{ t('startDiscovery') }}
+          </button>
+        </div>
+      </template>
+
+      <!-- ── Step 2 : Scan en cours ── -->
+      <template v-if="step === 'scanning'">
+        <div class="modal-body scanning-body">
+          <div class="spinner"></div>
+          <p class="scan-msg">{{ t('scanning') }}</p>
+          <p class="scan-detail">
+            {{ totalToScan }} {{ t('scanAddresses') }} {{ selectedVlanIds.length }} {{ t('scanVlans') }}
+          </p>
+          <p class="scan-note">{{ t('scanNote') }}</p>
+        </div>
+      </template>
+
+      <!-- ── Step 3 : Résultats ── -->
+      <template v-if="step === 'results'">
+        <div class="modal-body">
+
+          <div class="results-summary">
+            <span class="summary-found">{{ results.length }} {{ t('hostsFound') }}</span>
+            <span class="summary-meta">
+              {{ t('scanAddresses') }} {{ scanMeta.total_scanned }} {{ t('addressesScanned') }}
+              — {{ scanMeta.duration_s }}s
+            </span>
+            <span v-if="newCount > 0" class="summary-new">{{ newCount }} {{ t('newHosts') }}</span>
+          </div>
+
+          <div v-if="results.length === 0" class="empty-results">
+            {{ t('noHosts') }}
+          </div>
+
+          <div v-else class="results-table-wrap">
+            <table class="results-table">
+              <thead>
+                <tr>
+                  <th>
+                    <input type="checkbox" @change="toggleAll" :checked="allNewSelected" />
+                  </th>
+                  <th>{{ t('colIp') }}</th>
+                  <th>{{ t('colDns') }}</th>
+                  <th>VLAN</th>
+                  <th>{{ t('colStatus') }}</th>
+                </tr>
+              </thead>
+              <tbody>
+                <tr
+                  v-for="host in results"
+                  :key="host.ip"
+                  :class="{ 'row-existing': isExisting(host.ip) }"
+                >
+                  <td>
+                    <input
+                      type="checkbox"
+                      :value="host.ip"
+                      v-model="selectedIps"
+                      :disabled="isExisting(host.ip)"
+                    />
+                  </td>
+                  <td><code class="ip">{{ host.ip }}</code></td>
+                  <td class="hostname">
+                    <span v-if="host.hostname">{{ shortHostname(host.hostname) }}</span>
+                    <span v-else class="no-dns">—</span>
+                  </td>
+                  <td>
+                    <span class="vlan-badge sm" :style="{ background: vlanColor(host.vlan_id) }">
+                      VLAN {{ vlanNum(host.vlan_id) }}
+                    </span>
+                  </td>
+                  <td>
+                    <span v-if="isExisting(host.ip)" class="status existing">{{ t('statusExisting') }}</span>
+                    <span v-else class="status new">{{ t('statusNew') }}</span>
+                  </td>
+                </tr>
+              </tbody>
+            </table>
+          </div>
+
+          <div v-if="importError" class="error-box">{{ importError }}</div>
+        </div>
+
+        <div class="modal-footer">
+          <button class="btn-secondary" @click="step = 'config'">{{ t('newScan') }}</button>
+          <button
+            class="btn-primary"
+            :disabled="selectedIps.length === 0 || importing"
+            @click="doImport"
+          >
+            {{ importing ? t('importingBtn') : `${t('importBtn')} (${selectedIps.length})` }}
+          </button>
+        </div>
+      </template>
+
+    </div>
+  </div>
+</template>
+
+<script setup>
+import { ref, computed } from 'vue'
+import { devicesApi, discoveryApi } from '../api.js'
+import { t } from '../i18n.js'
+
+const props = defineProps({
+  vlans:   { type: Array, default: () => [] },
+  devices: { type: Array, default: () => [] },
+})
+const emit = defineEmits(['close', 'refresh'])
+
+const step           = ref('config')
+const dnsServer      = ref('192.168.1.16')
+const selectedVlanIds = ref([])
+const results        = ref([])
+const selectedIps    = ref([])
+const scanMeta       = ref({ total_scanned: 0, duration_s: 0 })
+const configError    = ref('')
+const importError    = ref('')
+const importing      = ref(false)
+
+const scanableVlans = computed(() => props.vlans.filter(v => v.cidr))
+
+const existingIps = computed(() => {
+  const ips = new Set()
+  for (const d of props.devices)
+    for (const i of d.interfaces)
+      if (i.ip_address) ips.add(i.ip_address.trim())
+  return ips
+})
+
+const totalToScan = computed(() => {
+  let n = 0
+  for (const id of selectedVlanIds.value) {
+    const vlan = props.vlans.find(v => v.id === id)
+    if (vlan?.cidr) n += hostCount(vlan.cidr)
+  }
+  return n
+})
+
+const newCount = computed(() =>
+  results.value.filter(h => !isExisting(h.ip)).length
+)
+
+const allNewSelected = computed(() => {
+  const newHosts = results.value.filter(h => !isExisting(h.ip))
+  return newHosts.length > 0 && newHosts.every(h => selectedIps.value.includes(h.ip))
+})
+
+function hostCount(cidr) {
+  try {
+    const parts = cidr.split('/')
+    const prefix = parseInt(parts[1])
+    if (prefix >= 31) return 0
+    return Math.pow(2, 32 - prefix) - 2
+  } catch { return 0 }
+}
+
+function isExisting(ip) { return existingIps.value.has(ip) }
+function vlanColor(vlanId) { return props.vlans.find(v => v.id === vlanId)?.color || '#94A3B8' }
+function vlanNum(vlanId) { return props.vlans.find(v => v.id === vlanId)?.vlan_id || '?' }
+function shortHostname(fqdn) { return fqdn.split('.')[0] }
+
+function toggleAll(e) {
+  if (e.target.checked) {
+    selectedIps.value = results.value.filter(h => !isExisting(h.ip)).map(h => h.ip)
+  } else {
+    selectedIps.value = []
+  }
+}
+
+async function startScan() {
+  configError.value = ''
+  if (!dnsServer.value.trim()) {
+    configError.value = t('dnsRequired')
+    return
+  }
+  if (selectedVlanIds.value.length === 0) {
+    configError.value = t('selectVlan')
+    return
+  }
+
+  const targets = selectedVlanIds.value.map(id => {
+    const vlan = props.vlans.find(v => v.id === id)
+    return { vlan_id: id, cidr: vlan.cidr }
+  })
+
+  step.value = 'scanning'
+  results.value = []
+  selectedIps.value = []
+
+  try {
+    const resp = await discoveryApi.scan({
+      dns_server: dnsServer.value.trim(),
+      targets,
+    })
+    results.value = resp.data.hosts
+    scanMeta.value = { total_scanned: resp.data.total_scanned, duration_s: resp.data.duration_s }
+    selectedIps.value = results.value.filter(h => !isExisting(h.ip)).map(h => h.ip)
+    step.value = 'results'
+  } catch (e) {
+    configError.value = e.response?.data?.detail || t('scanError')
+    step.value = 'config'
+  }
+}
+
+async function doImport() {
+  importing.value = true
+  importError.value = ''
+  const toImport = results.value.filter(h => selectedIps.value.includes(h.ip) && !isExisting(h.ip))
+
+  try {
+    for (const host of toImport) {
+      const name = host.hostname ? shortHostname(host.hostname) : host.ip
+      await devicesApi.create({
+        name,
+        type: 'server',
+        description: host.hostname || '',
+        is_gateway: false,
+        is_livebox: false,
+        interfaces: [{
+          name: 'eth0',
+          ip_address: host.ip,
+          vlan_id: host.vlan_id,
+          is_upstream: false,
+        }],
+      })
+    }
+    emit('refresh')
+    emit('close')
+  } catch (e) {
+    importError.value = e.response?.data?.detail || t('importError')
+  } finally {
+    importing.value = false
+  }
+}
+</script>
+
+<style scoped>
+.modal-overlay {
+  position: fixed; inset: 0;
+  background: var(--modal-overlay);
+  display: flex; align-items: center; justify-content: center;
+  z-index: 200;
+}
+.modal {
+  background: var(--bg-card); border-radius: 18px;
+  width: 680px; max-width: 96vw; max-height: 88vh;
+  display: flex; flex-direction: column;
+  box-shadow: var(--shadow-modal);
+  overflow: hidden;
+}
+
+.modal-header {
+  display: flex; align-items: center; justify-content: space-between;
+  padding: 20px 24px; border-bottom: 1px solid var(--border); flex-shrink: 0;
+}
+.header-title { display: flex; align-items: center; gap: 10px; }
+.header-icon { font-size: 22px; }
+h2 { font-size: 18px; font-weight: 700; color: var(--text-primary); }
+.close-btn {
+  width: 30px; height: 30px; border: none; border-radius: 8px;
+  background: var(--bg-page); color: var(--text-muted); font-size: 14px; cursor: pointer;
+}
+.close-btn:hover { background: var(--border); }
+
+.modal-body { padding: 24px; overflow-y: auto; flex: 1; }
+
+.field { margin-bottom: 20px; }
+.field label { display: block; font-size: 13px; font-weight: 700; color: var(--text-secondary); margin-bottom: 4px; }
+.input-hint { font-size: 12px; color: var(--text-faint); margin-bottom: 8px; }
+.field input[type="text"] {
+  width: 100%; padding: 9px 12px; border: 1.5px solid var(--border);
+  border-radius: 8px; font-size: 14px; color: var(--text-primary); background: var(--bg-input);
+}
+.field input:focus { outline: none; border-color: #3B82F6; }
+
+.vlan-checklist { display: flex; flex-direction: column; gap: 8px; }
+.vlan-check {
+  display: flex; align-items: center; gap: 12px;
+  padding: 10px 12px; border: 1.5px solid var(--border); border-radius: 10px;
+  cursor: pointer; transition: border-color 0.15s;
+}
+.vlan-check:hover:not(.disabled) { border-color: #93C5FD; background: var(--bg-card-hover); }
+.vlan-check.disabled { opacity: 0.5; cursor: not-allowed; }
+.vlan-check input[type="checkbox"] { width: 16px; height: 16px; flex-shrink: 0; cursor: pointer; }
+.vlan-check-body { display: flex; align-items: center; gap: 8px; flex-wrap: wrap; }
+.vlan-badge {
+  color: #fff; font-size: 11px; font-weight: 800;
+  padding: 2px 9px; border-radius: 20px;
+}
+.vlan-badge.sm { font-size: 10px; padding: 1px 7px; }
+.vlan-check-name { font-size: 14px; font-weight: 600; color: var(--text-primary); }
+.vlan-check-cidr { font-size: 12px; color: var(--text-muted); font-family: monospace; background: var(--bg-page); padding: 1px 5px; border-radius: 4px; }
+.no-cidr { font-size: 12px; color: var(--text-faint); font-style: italic; }
+.host-count { font-size: 12px; color: var(--text-faint); }
+
+.scanning-body {
+  display: flex; flex-direction: column; align-items: center;
+  justify-content: center; padding: 60px 24px; gap: 16px;
+}
+.spinner {
+  width: 48px; height: 48px; border-radius: 50%;
+  border: 4px solid var(--border); border-top-color: #3B82F6;
+  animation: spin 0.8s linear infinite;
+}
+@keyframes spin { to { transform: rotate(360deg); } }
+.scan-msg { font-size: 18px; font-weight: 700; color: var(--text-primary); }
+.scan-detail { font-size: 14px; color: var(--text-muted); }
+.scan-note { font-size: 12px; color: var(--text-faint); }
+
+.results-summary {
+  display: flex; align-items: center; gap: 10px;
+  margin-bottom: 16px; flex-wrap: wrap;
+}
+.summary-found { font-size: 16px; font-weight: 700; color: var(--text-primary); }
+.summary-meta { font-size: 13px; color: var(--text-muted); }
+.summary-new {
+  background: #D1FAE5; color: #065F46;
+  font-size: 12px; font-weight: 700; padding: 2px 10px; border-radius: 20px;
+}
+
+.empty-results { text-align: center; padding: 32px; color: var(--text-faint); font-size: 15px; }
+
+.results-table-wrap { overflow-x: auto; border: 1.5px solid var(--border); border-radius: 10px; }
+.results-table { width: 100%; border-collapse: collapse; }
+.results-table thead { background: var(--bg-thead); }
+.results-table th {
+  padding: 10px 12px; text-align: left;
+  font-size: 11px; font-weight: 700; color: var(--text-muted);
+  text-transform: uppercase; letter-spacing: 0.05em;
+}
+.results-table td { padding: 10px 12px; font-size: 13px; border-top: 1px solid var(--border); color: var(--text-primary); }
+.results-table tr:hover td { background: var(--bg-card-hover); }
+.row-existing td { opacity: 0.5; }
+
+code.ip { font-family: monospace; font-size: 13px; color: var(--text-primary); }
+.hostname { color: #1D4ED8; font-weight: 600; }
+.no-dns { color: var(--text-faint); }
+
+.status {
+  font-size: 11px; font-weight: 700; padding: 2px 9px; border-radius: 20px;
+}
+.status.new      { background: #DBEAFE; color: #1D4ED8; }
+.status.existing { background: var(--bg-page); color: var(--text-faint); }
+
+.warn-box {
+  background: #FFFBEB; border: 1.5px solid #FCD34D; border-radius: 8px;
+  padding: 12px; font-size: 13px; color: #92400E;
+}
+.error-box {
+  background: #FEF2F2; border: 1.5px solid #FCA5A5; border-radius: 8px;
+  padding: 12px; font-size: 13px; color: #B91C1C; margin-top: 12px;
+}
+
+.modal-footer {
+  padding: 16px 24px; border-top: 1px solid var(--border);
+  display: flex; justify-content: flex-end; gap: 10px; flex-shrink: 0;
+}
+.btn-primary {
+  padding: 9px 20px; background: #3B82F6; color: #fff;
+  border: none; border-radius: 8px; font-size: 14px; font-weight: 600; cursor: pointer;
+}
+.btn-primary:hover:not(:disabled) { background: #2563EB; }
+.btn-primary:disabled { opacity: 0.45; cursor: not-allowed; }
+.btn-secondary {
+  padding: 9px 20px; background: var(--bg-page); color: var(--text-secondary);
+  border: none; border-radius: 8px; font-size: 14px; font-weight: 500; cursor: pointer;
+}
+.btn-secondary:hover { background: var(--border); }
+</style>
diff --git a/frontend/src/components/LoginPage.vue b/frontend/src/components/LoginPage.vue
new file mode 100644
index 0000000..2640282
--- /dev/null
+++ b/frontend/src/components/LoginPage.vue
@@ -0,0 +1,175 @@
+<template>
+  <div class="login-page">
+    <div class="login-card">
+      <div class="login-logo">
+        <svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+          <circle cx="12" cy="12" r="3"/><circle cx="4" cy="6" r="2"/><circle cx="20" cy="6" r="2"/>
+          <circle cx="4" cy="18" r="2"/><circle cx="20" cy="18" r="2"/>
+          <line x1="6" y1="6" x2="10" y2="11"/><line x1="18" y1="6" x2="14" y2="11"/>
+          <line x1="6" y1="18" x2="10" y2="13"/><line x1="18" y1="18" x2="14" y2="13"/>
+        </svg>
+        <span>Stupid Simple Network Inventory</span>
+      </div>
+
+      <h2 class="login-title">{{ t('loginTitle') }}</h2>
+
+      <form @submit.prevent="submit" class="login-form">
+        <div class="field">
+          <label>{{ t('loginUsername') }}</label>
+          <input
+            v-model="username"
+            type="text"
+            autocomplete="username"
+            autofocus
+            required
+          />
+        </div>
+        <div class="field">
+          <label>{{ t('loginPassword') }}</label>
+          <input
+            v-model="password"
+            type="password"
+            autocomplete="current-password"
+            required
+          />
+        </div>
+
+        <p v-if="errorMsg" class="login-error">{{ errorMsg }}</p>
+
+        <button type="submit" class="login-btn" :disabled="loading">
+          {{ loading ? '…' : t('loginBtn') }}
+        </button>
+      </form>
+    </div>
+  </div>
+</template>
+
+<script setup>
+import { ref } from 'vue'
+import { authApi } from '../api.js'
+import { t } from '../i18n.js'
+
+const emit = defineEmits(['login'])
+
+const username = ref('')
+const password = ref('')
+const errorMsg = ref('')
+const loading  = ref(false)
+
+async function submit() {
+  errorMsg.value = ''
+  loading.value  = true
+  try {
+    const { data } = await authApi.login(username.value, password.value)
+    emit('login', {
+      token: data.access_token,
+      username: data.username,
+      mustChangePassword: data.must_change_password || false,
+    })
+  } catch (e) {
+    if (e.response?.status === 429) {
+      errorMsg.value = t('tooManyAttempts')
+    } else {
+      errorMsg.value = t('loginError')
+    }
+  } finally {
+    loading.value = false
+  }
+}
+</script>
+
+<style scoped>
+.login-page {
+  min-height: 100vh;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  background: var(--bg-page);
+}
+
+.login-card {
+  background: var(--bg-card);
+  border: 1.5px solid var(--border);
+  border-radius: 16px;
+  padding: 40px 36px;
+  width: 100%;
+  max-width: 380px;
+  box-shadow: var(--shadow-modal);
+}
+
+.login-logo {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  color: #3B82F6;
+  font-weight: 700;
+  font-size: 14px;
+  margin-bottom: 28px;
+}
+
+.login-title {
+  font-size: 20px;
+  font-weight: 700;
+  color: var(--text-primary);
+  margin-bottom: 24px;
+}
+
+.login-form {
+  display: flex;
+  flex-direction: column;
+  gap: 16px;
+}
+
+.field {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.field label {
+  font-size: 13px;
+  font-weight: 600;
+  color: var(--text-secondary);
+}
+
+.field input {
+  padding: 9px 12px;
+  border: 1.5px solid var(--border);
+  border-radius: 8px;
+  font-size: 14px;
+  background: var(--bg-input);
+  color: var(--text-primary);
+  outline: none;
+  transition: border-color 0.15s;
+}
+.field input:focus { border-color: #3B82F6; }
+
+.login-error {
+  font-size: 13px;
+  color: #EF4444;
+  background: #FEF2F2;
+  border: 1px solid #FECACA;
+  border-radius: 6px;
+  padding: 8px 12px;
+}
+
+:global(html.dark) .login-error {
+  background: #2A1515;
+  border-color: #3D1F1F;
+}
+
+.login-btn {
+  margin-top: 4px;
+  padding: 10px;
+  background: #3B82F6;
+  color: #fff;
+  border: none;
+  border-radius: 8px;
+  font-size: 14px;
+  font-weight: 600;
+  cursor: pointer;
+  transition: background 0.15s;
+}
+.login-btn:hover:not(:disabled) { background: #2563EB; }
+.login-btn:disabled { opacity: 0.6; cursor: default; }
+</style>
diff --git a/frontend/src/components/TopologyGraph.vue b/frontend/src/components/TopologyGraph.vue
new file mode 100644
index 0000000..21b5ed7
--- /dev/null
+++ b/frontend/src/components/TopologyGraph.vue
@@ -0,0 +1,518 @@
+<template>
+  <div class="topology-page">
+
+    <!-- Barre d'outils -->
+    <div class="topo-toolbar">
+      <button class="ping-btn" :class="{ pinging }" :disabled="pinging" @click="pingAll">
+        <span class="ping-btn-dot" :class="pingBtnDotClass"></span>
+        {{ pinging ? t('pinging') : pingDone ? t('refreshPing') : t('ping') }}
+      </button>
+      <span v-if="pingDone && !pinging" class="ping-summary">
+        {{ pingUpCount }} ↑ &nbsp; {{ pingDownCount }} ↓
+      </span>
+    </div>
+
+    <!-- Cartes spéciales en haut : WAN et Passerelle -->
+    <div v-if="liveboxDevices.length || gatewayDevices.length" class="special-row">
+
+      <div v-if="liveboxDevices.length" class="special-card special-wan">
+        <div class="special-header">
+          <span class="special-icon">🌐</span>
+          <span class="special-title">{{ t('wan') }}</span>
+        </div>
+        <div class="special-body">
+          <div v-for="d in liveboxDevices" :key="d.id" class="device-chip chip-livebox">
+            <span class="chip-icon"><DeviceIcon :device-type="d.type" :is-livebox="d.is_livebox" :is-gateway="d.is_gateway" :name="d.name" :description="d.description" :size="16" type-only /></span>
+            <div class="chip-body">
+              <span class="chip-name">{{ d.name }}</span>
+              <div class="chip-sub">
+                <span v-for="iface in d.interfaces" :key="iface.id">
+                  <code v-if="iface.ip_address" class="chip-ip">{{ iface.ip_address }}</code>
+                </span>
+                <svg v-for="b in detectBrands(d.name, d.description)" :key="b.title" width="11" height="11" viewBox="0 0 24 24" fill="currentColor" class="chip-brand-icon" :title="b.title" :style="{ color: '#' + b.hex }"><path :d="b.path" /></svg>
+              </div>
+            </div>
+            <a v-if="d.url" :href="d.url" target="_blank" rel="noreferrer noopener" class="chip-tag tag-link" :title="t('openWebUI')">Link</a>
+            <span v-if="pingStatus[d.id]" class="ping-dot" :class="'ping-' + pingStatus[d.id]" :title="pingStatus[d.id] === 'up' ? t('reachable') : t('unreachable')"></span>
+          </div>
+        </div>
+      </div>
+
+      <div v-if="gatewayDevices.length" class="special-card special-gw">
+        <div class="special-header">
+          <span class="special-icon">⬡</span>
+          <span class="special-title">{{ t('gateway') }}</span>
+        </div>
+        <div class="special-body">
+          <div v-for="d in gatewayDevices" :key="d.id" class="device-chip chip-gateway">
+            <span class="chip-icon"><DeviceIcon :device-type="d.type" :is-livebox="d.is_livebox" :is-gateway="d.is_gateway" :name="d.name" :description="d.description" :size="16" type-only /></span>
+            <div class="chip-body">
+              <span class="chip-name">{{ d.name }}</span>
+              <div class="chip-sub">
+                <span v-if="d.description" class="chip-iface">{{ d.description }}</span>
+                <svg v-for="b in detectBrands(d.name, d.description)" :key="b.title" width="11" height="11" viewBox="0 0 24 24" fill="currentColor" class="chip-brand-icon" :title="b.title" :style="{ color: '#' + b.hex }"><path :d="b.path" /></svg>
+              </div>
+            </div>
+            <a v-if="d.url" :href="d.url" target="_blank" rel="noreferrer noopener" class="chip-tag tag-link" :title="t('openWebUI')">Link</a>
+            <span v-if="pingStatus[d.id]" class="ping-dot" :class="'ping-' + pingStatus[d.id]" :title="pingStatus[d.id] === 'up' ? t('reachable') : t('unreachable')"></span>
+          </div>
+        </div>
+      </div>
+
+    </div>
+
+    <!-- Grille des réseaux -->
+    <div class="vlan-grid">
+      <div
+        v-for="vlan in props.vlans"
+        :key="vlan.id"
+        class="vlan-card"
+        :style="{ '--vlan-color': vlan.color }"
+      >
+        <div class="vlan-header">
+          <div class="vlan-id-badge">{{ vlan.vlan_id != null ? 'VLAN ' + vlan.vlan_id : 'LAN' }}</div>
+          <div class="vlan-meta">
+            <span class="vlan-name">{{ vlan.name }}</span>
+            <code v-if="vlan.cidr" class="vlan-cidr">{{ vlan.cidr }}</code>
+          </div>
+          <span class="vlan-count">{{ vlanMembers(vlan.id).length }}</span>
+        </div>
+
+        <div class="vlan-body">
+          <div v-if="vlanMembers(vlan.id).length === 0" class="empty-vlan">
+            {{ t('noDevice') }}
+          </div>
+          <div
+            v-for="item in vlanMembers(vlan.id)"
+            :key="item.device.id"
+            class="device-chip"
+            :class="'chip-' + chipRole(item.device)"
+          >
+            <span class="chip-icon">
+              <DeviceIcon :device-type="item.device.type" :is-livebox="item.device.is_livebox" :is-gateway="item.device.is_gateway" :name="item.device.name" :description="item.device.description" :size="16" type-only />
+            </span>
+            <div class="chip-body">
+              <span class="chip-name">{{ item.device.name }}</span>
+              <div class="chip-sub">
+                <code v-if="item.ip" class="chip-ip">{{ item.ip }}</code>
+                <span v-if="item.ifaceName" class="chip-iface">{{ item.ifaceName }}</span>
+                <svg v-for="b in detectBrands(item.device.name, item.device.description)" :key="b.title" width="11" height="11" viewBox="0 0 24 24" fill="currentColor" class="chip-brand-icon" :title="b.title" :style="{ color: '#' + b.hex }"><path :d="b.path" /></svg>
+              </div>
+            </div>
+            <div class="chip-tags">
+              <span v-if="pingStatus[item.device.id]" class="ping-dot" :class="'ping-' + pingStatus[item.device.id]" :title="pingStatus[item.device.id] === 'up' ? t('reachable') : t('unreachable')"></span>
+              <a v-if="item.device.url" :href="item.device.url" target="_blank" rel="noreferrer noopener" class="chip-tag tag-link" :title="t('openWebUI')">Link</a>
+              <span v-if="item.device.is_gateway" class="chip-tag tag-gw">GW</span>
+              <span v-if="item.device.virt_type === 'lxc'" class="chip-tag tag-lxc">LXC</span>
+              <span v-if="item.device.virt_type === 'qemu'" class="chip-tag tag-vm">VM</span>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <!-- Zone non assigné -->
+      <div
+        v-if="untaggedDevices.length"
+        class="vlan-card untagged"
+      >
+        <div class="vlan-header">
+          <div class="vlan-id-badge untagged-badge">—</div>
+          <div class="vlan-meta">
+            <span class="vlan-name">{{ t('unassigned') }}</span>
+          </div>
+          <span class="vlan-count">{{ untaggedDevices.length }}</span>
+        </div>
+        <div class="vlan-body">
+          <div
+            v-for="d in untaggedDevices"
+            :key="d.id"
+            class="device-chip"
+            :class="'chip-' + chipRole(d)"
+          >
+            <span class="chip-icon">
+              <DeviceIcon :device-type="d.type" :is-livebox="d.is_livebox" :is-gateway="d.is_gateway" :name="d.name" :description="d.description" :size="16" type-only />
+            </span>
+            <div class="chip-body">
+              <span class="chip-name">{{ d.name }}</span>
+              <div class="chip-sub">
+                <span v-if="d.description" class="chip-iface">{{ d.description }}</span>
+                <svg v-for="b in detectBrands(d.name, d.description)" :key="b.title" width="11" height="11" viewBox="0 0 24 24" fill="currentColor" class="chip-brand-icon" :title="b.title" :style="{ color: '#' + b.hex }"><path :d="b.path" /></svg>
+              </div>
+            </div>
+            <a v-if="d.url" :href="d.url" target="_blank" rel="noreferrer noopener" class="chip-tag tag-link" :title="t('openWebUI')">Link</a>
+            <span v-if="pingStatus[d.id]" class="ping-dot" :class="'ping-' + pingStatus[d.id]" :title="pingStatus[d.id] === 'up' ? t('reachable') : t('unreachable')"></span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <div v-if="props.vlans.length === 0 && props.devices.length === 0" class="empty-state">
+      <div class="empty-icon">⬡</div>
+      <p>{{ t('noDevices') }}</p>
+      <p class="empty-hint">{{ t('noDevicesHint') }}</p>
+    </div>
+
+  </div>
+</template>
+
+<script setup>
+import { computed, ref } from 'vue'
+import DeviceIcon from './DeviceIcon.vue'
+import { detectBrands } from '../brandIcons.js'
+import { discoveryApi } from '../api.js'
+import { t } from '../i18n.js'
+
+function ipToInt(ip) {
+  if (!ip) return Infinity
+  const p = ip.split('.').map(Number)
+  return p.length === 4 ? (p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]) >>> 0 : Infinity
+}
+
+const props = defineProps({
+  devices: { type: Array, default: () => [] },
+  vlans:   { type: Array, default: () => [] },
+})
+
+const liveboxDevices = computed(() => props.devices.filter(d => d.is_livebox))
+const gatewayDevices = computed(() => props.devices.filter(d => d.is_gateway))
+
+function vlanMembers(vlanId) {
+  const result = []
+  for (const device of props.devices) {
+    const iface = device.interfaces.find(i => i.vlan_id === vlanId)
+    if (iface) {
+      result.push({
+        device,
+        ip: iface.ip_address || '',
+        ifaceName: iface.name || '',
+      })
+    }
+  }
+  return result.sort((a, b) => ipToInt(a.ip) - ipToInt(b.ip))
+}
+
+const untaggedDevices = computed(() =>
+  props.devices.filter(d => {
+    if (d.is_livebox || d.is_gateway) return false
+    return !d.interfaces.some(i => i.vlan_id)
+  }).sort((a, b) => ipToInt(a.interfaces[0]?.ip_address) - ipToInt(b.interfaces[0]?.ip_address))
+)
+
+function chipRole(device) {
+  if (device.is_livebox) return 'livebox'
+  if (device.is_gateway) return 'gateway'
+  return device.type || 'other'
+}
+
+// ── Ping ──────────────────────────────────────────────────────────────────────
+const pingStatus = ref({})
+const pinging    = ref(false)
+const pingDone   = ref(false)
+
+const pingUpCount   = computed(() => Object.values(pingStatus.value).filter(s => s === 'up').length)
+const pingDownCount = computed(() => Object.values(pingStatus.value).filter(s => s === 'down').length)
+const pingBtnDotClass = computed(() => {
+  if (pinging.value) return 'dot-pinging'
+  if (!pingDone.value) return 'dot-idle'
+  return pingDownCount.value > 0 ? 'dot-warn' : 'dot-ok'
+})
+
+async function pingAll() {
+  const ipToDevices = {}
+  for (const d of props.devices) {
+    for (const i of d.interfaces) {
+      if (i.ip_address) {
+        if (!ipToDevices[i.ip_address]) ipToDevices[i.ip_address] = []
+        ipToDevices[i.ip_address].push(d.id)
+      }
+    }
+  }
+  const ips = Object.keys(ipToDevices)
+  if (!ips.length) return
+
+  pinging.value = true
+  try {
+    const { data } = await discoveryApi.ping(ips)
+    const next = {}
+    for (const { ip, alive } of data) {
+      for (const id of (ipToDevices[ip] || [])) {
+        if (alive || next[id] !== 'up') next[id] = alive ? 'up' : 'down'
+      }
+    }
+    pingStatus.value = next
+    pingDone.value = true
+  } finally {
+    pinging.value = false
+  }
+}
+</script>
+
+<style scoped>
+.topology-page {
+  height: 100vh;
+  overflow-y: auto;
+  background: var(--bg-page);
+  padding: 24px;
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+/* ── Toolbar ─────────────────────────────────────────────────────────────── */
+.topo-toolbar {
+  display: flex; align-items: center; gap: 10px;
+}
+
+.ping-btn {
+  display: inline-flex; align-items: center; gap: 7px;
+  padding: 5px 14px; height: 30px;
+  background: var(--bg-card); border: 1.5px solid var(--border);
+  border-radius: 8px; font-size: 12px; font-weight: 600; color: var(--text-secondary);
+  cursor: pointer;
+}
+.ping-btn:hover:not(:disabled) { border-color: var(--border-strong); background: var(--bg-card-hover); }
+.ping-btn:disabled { opacity: 0.6; cursor: default; }
+.ping-btn.pinging { border-color: #93C5FD; color: #1D4ED8; }
+
+.ping-btn-dot {
+  width: 8px; height: 8px; border-radius: 50%; flex-shrink: 0;
+}
+.dot-idle    { background: #CBD5E1; }
+.dot-pinging { background: #60A5FA; animation: pulse 1s infinite; }
+.dot-ok      { background: #22C55E; }
+.dot-warn    { background: #F97316; }
+
+@keyframes pulse {
+  0%, 100% { opacity: 1; }
+  50%       { opacity: 0.3; }
+}
+
+.ping-summary { font-size: 12px; color: var(--text-muted); }
+
+/* ── Dot ping ────────────────────────────────────────────────────────────── */
+.ping-dot {
+  width: 8px; height: 8px; border-radius: 50%; flex-shrink: 0;
+}
+.ping-up   { background: #22C55E; }
+.ping-down { background: #EF4444; }
+
+/* ── Cartes spéciales (WAN + Passerelle) ─────────────────────────────────── */
+.special-row {
+  display: flex;
+  gap: 16px;
+  flex-wrap: wrap;
+}
+
+.special-card {
+  background: var(--bg-card);
+  border-radius: 12px;
+  border: 1.5px solid;
+  overflow: hidden;
+  box-shadow: var(--shadow-card);
+  min-width: 220px;
+  flex: 1;
+}
+.special-wan { border-color: #FCA5A5; }
+.special-gw  { border-color: #FCD34D; }
+
+.special-header {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 8px 14px;
+  font-size: 12px;
+  font-weight: 700;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+}
+.special-wan .special-header { background: #FEF2F2; color: #B91C1C; border-bottom: 1px solid #FECACA; }
+.special-gw  .special-header { background: #FFFBEB; color: #92400E; border-bottom: 1px solid #FDE68A; }
+
+:global(html.dark .special-wan) { border-color: #7F1D1D; }
+:global(html.dark .special-gw)  { border-color: #78350F; }
+:global(html.dark .special-wan .special-header) { background: #2A1515; color: #FCA5A5; border-bottom-color: #3D1F1F; }
+:global(html.dark .special-gw  .special-header) { background: #2A200A; color: #FCD34D; border-bottom-color: #3D3010; }
+
+.special-body {
+  padding: 8px;
+  display: flex;
+  flex-direction: column;
+  gap: 4px;
+}
+
+/* ── Grille des réseaux ──────────────────────────────────────────────────── */
+.vlan-grid {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+}
+
+/* ── Card réseau ─────────────────────────────────────────────────────────── */
+.vlan-card {
+  background: var(--bg-card);
+  border-radius: 12px;
+  border: 1.5px solid var(--border);
+  border-top: 3px solid var(--vlan-color, #CBD5E1);
+  overflow: hidden;
+  box-shadow: var(--shadow-card);
+}
+.vlan-card.untagged {
+  --vlan-color: #CBD5E1;
+  border-style: dashed;
+  border-top-style: solid;
+}
+
+.vlan-header {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 10px 14px;
+  background: var(--bg-thead);
+  border-bottom: 1px solid var(--border);
+}
+
+.vlan-id-badge {
+  background: var(--vlan-color, #CBD5E1);
+  color: #fff;
+  font-size: 11px;
+  font-weight: 800;
+  padding: 2px 9px;
+  border-radius: 20px;
+  white-space: nowrap;
+  letter-spacing: 0.03em;
+}
+.untagged-badge { background: #94A3B8; }
+
+.vlan-meta {
+  flex: 1;
+  min-width: 0;
+  display: flex;
+  align-items: baseline;
+  gap: 8px;
+}
+.vlan-name {
+  font-size: 13px;
+  font-weight: 700;
+  color: var(--text-primary);
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+.vlan-cidr {
+  font-size: 11px;
+  color: var(--text-faint);
+  font-family: monospace;
+  white-space: nowrap;
+}
+
+.vlan-count {
+  font-size: 13px;
+  font-weight: 700;
+  color: var(--vlan-color, #CBD5E1);
+  background: color-mix(in srgb, var(--vlan-color) 10%, transparent);
+  border-radius: 20px;
+  padding: 1px 8px;
+  min-width: 24px;
+  text-align: center;
+}
+
+.vlan-body {
+  padding: 10px;
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(210px, 1fr));
+  gap: 6px;
+}
+
+@media (max-width: 600px) {
+  .vlan-body { grid-template-columns: 1fr; }
+}
+
+.empty-vlan {
+  font-size: 12px;
+  color: var(--text-faint);
+  text-align: center;
+  padding: 16px 0;
+  font-style: italic;
+  grid-column: 1 / -1;
+}
+
+/* ── Device chip ─────────────────────────────────────────────────────────── */
+.device-chip {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 7px 10px;
+  border-radius: 8px;
+  background: var(--bg-chip);
+  border: 1px solid var(--border);
+  transition: background 0.12s, box-shadow 0.12s;
+}
+.device-chip:hover {
+  background: var(--bg-chip-hover);
+  box-shadow: var(--shadow-card);
+}
+
+.chip-icon {
+  width: 28px; height: 28px;
+  border-radius: 7px; flex-shrink: 0;
+  display: flex; align-items: center; justify-content: center;
+}
+
+.chip-server      .chip-icon { background: #DBEAFE; color: #1D4ED8; }
+.chip-nas         .chip-icon { background: #EDE9FE; color: #6D28D9; }
+.chip-switch      .chip-icon { background: #D1FAE5; color: #065F46; }
+.chip-router      .chip-icon { background: #FFEDD5; color: #C2410C; }
+.chip-access_point .chip-icon { background: #CCFBF1; color: #0F766E; }
+.chip-gateway     .chip-icon { background: #FEF3C7; color: #B45309; }
+.chip-livebox     .chip-icon { background: #FEE2E2; color: #B91C1C; }
+.chip-camera      .chip-icon { background: #E0F2FE; color: #0369A1; }
+.chip-temperature .chip-icon { background: #F0F9FF; color: #0284C7; }
+.chip-sensor      .chip-icon { background: #ECFCCB; color: #3F6212; }
+.chip-hub         .chip-icon { background: #EEF2FF; color: #3730A3; }
+.chip-smart_plug  .chip-icon { background: #FFF7ED; color: #C2410C; }
+.chip-alarm       .chip-icon { background: #FEF2F2; color: #B91C1C; }
+.chip-light       .chip-icon { background: #FEFCE8; color: #854D0E; }
+.chip-doorbell    .chip-icon { background: #FDF4FF; color: #7E22CE; }
+.chip-desktop     .chip-icon { background: #E0E7FF; color: #4338CA; }
+.chip-laptop      .chip-icon { background: #DCFCE7; color: #15803D; }
+.chip-other       .chip-icon { background: #F1F5F9; color: #64748B; }
+
+.chip-body { flex: 1; min-width: 0; }
+.chip-name {
+  font-size: 12px; font-weight: 600; color: var(--text-primary);
+  white-space: nowrap; overflow: hidden; text-overflow: ellipsis; display: block;
+}
+.chip-sub {
+  display: flex; align-items: center; gap: 5px; margin-top: 1px; flex-wrap: wrap;
+}
+.chip-brand-icon { display: inline-block; flex-shrink: 0; opacity: 0.85; }
+.chip-ip {
+  font-size: 11px; color: var(--chip-ip-color);
+  font-family: monospace; background: var(--chip-ip-bg);
+  padding: 0px 4px; border-radius: 3px;
+}
+.chip-iface {
+  font-size: 10px; color: var(--text-faint);
+  font-family: monospace; white-space: nowrap; overflow: hidden; text-overflow: ellipsis;
+}
+
+.chip-tags { display: flex; flex-direction: column; gap: 2px; flex-shrink: 0; }
+.chip-tag {
+  font-size: 9px; font-weight: 800; padding: 1px 5px;
+  border-radius: 4px; text-align: center; letter-spacing: 0.03em;
+}
+.tag-gw   { background: #FEF3C7; color: #B45309; }
+.tag-lxc  { background: #DBEAFE; color: #1D4ED8; }
+.tag-vm   { background: #EDE9FE; color: #6D28D9; }
+.tag-link { background: #F0FDF4; color: #15803D; text-decoration: none; }
+.tag-link:hover { background: #DCFCE7; }
+
+/* ── Empty state ─────────────────────────────────────────────────────────── */
+.empty-state {
+  flex: 1; display: flex; flex-direction: column;
+  align-items: center; justify-content: center; color: var(--text-faint);
+}
+.empty-icon { font-size: 64px; margin-bottom: 16px; opacity: 0.3; }
+.empty-state p { font-size: 16px; margin-bottom: 6px; }
+.empty-hint { font-size: 13px; color: var(--text-faint); }
+</style>
diff --git a/frontend/src/components/VlanManager.vue b/frontend/src/components/VlanManager.vue
new file mode 100644
index 0000000..ff2e6f1
--- /dev/null
+++ b/frontend/src/components/VlanManager.vue
@@ -0,0 +1,221 @@
+<template>
+  <div class="page">
+    <div class="page-header">
+      <h1>{{ t('networks') }}</h1>
+      <button class="btn-primary" @click="openAdd">{{ t('addNetwork') }}</button>
+    </div>
+
+    <div v-if="props.vlans.length === 0" class="empty">
+      {{ t('noNetworksConfigured') }}
+    </div>
+
+    <div class="table-wrap" v-else>
+      <table>
+        <thead>
+          <tr>
+            <th>{{ t('colType') }}</th>
+            <th>{{ t('colName') }}</th>
+            <th>{{ t('colSubnet') }}</th>
+            <th>{{ t('colColor') }}</th>
+            <th>{{ t('colActions') }}</th>
+          </tr>
+        </thead>
+        <tbody>
+          <tr v-for="vlan in props.vlans" :key="vlan.id">
+            <td>
+              <span class="badge-vlan" :style="{ background: vlan.color }">
+                {{ vlan.vlan_id != null ? vlan.vlan_id : 'LAN' }}
+              </span>
+            </td>
+            <td>{{ vlan.name }}</td>
+            <td><code>{{ vlan.cidr || '—' }}</code></td>
+            <td>
+              <div class="color-preview" :style="{ background: vlan.color }"></div>
+            </td>
+            <td class="actions">
+              <button class="btn-icon" @click="openEdit(vlan)" title="✎">✎</button>
+              <button class="btn-icon danger" @click="remove(vlan)" title="✕">✕</button>
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+
+    <div v-if="showForm" class="modal-overlay" @click.self="showForm = false">
+      <div class="modal">
+        <h2>{{ editing ? t('editNetwork') : t('newNetwork') }}</h2>
+        <form @submit.prevent="save">
+          <div class="field">
+            <label>{{ t('vlanId') }} <span class="optional">{{ t('vlanIdHint') }}</span></label>
+            <input v-model="form.vlan_id" type="number" placeholder="ex: 10" />
+          </div>
+          <div class="field">
+            <label>{{ t('fieldName') }}</label>
+            <input v-model="form.name" type="text" required placeholder="ex: Serveurs" />
+          </div>
+          <div class="field">
+            <label>{{ t('subnet') }}</label>
+            <input v-model="form.cidr" type="text" :placeholder="t('subnetPlaceholder')" />
+          </div>
+          <div class="field">
+            <label>{{ t('color') }}</label>
+            <div class="color-row">
+              <input v-model="form.color" type="color" />
+              <span>{{ form.color }}</span>
+              <div class="color-presets">
+                <div
+                  v-for="c in presetColors"
+                  :key="c"
+                  class="preset"
+                  :style="{ background: c }"
+                  @click="form.color = c"
+                ></div>
+              </div>
+            </div>
+          </div>
+          <div class="modal-actions">
+            <button type="button" class="btn-secondary" @click="showForm = false">{{ t('cancel') }}</button>
+            <button type="submit" class="btn-primary">{{ editing ? t('save') : t('create') }}</button>
+          </div>
+        </form>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup>
+import { ref, reactive } from 'vue'
+import { vlansApi } from '../api.js'
+import { t, tFmt } from '../i18n.js'
+
+const props = defineProps({ vlans: Array })
+const emit = defineEmits(['refresh'])
+
+const showForm = ref(false)
+const editing = ref(null)
+const form = reactive({ vlan_id: '', name: '', cidr: '', color: '#4A90D9' })
+
+const presetColors = [
+  '#3B82F6', '#10B981', '#F59E0B', '#EF4444', '#8B5CF6',
+  '#EC4899', '#14B8A6', '#F97316', '#6366F1', '#84CC16'
+]
+
+function openAdd() {
+  editing.value = null
+  Object.assign(form, { vlan_id: '', name: '', cidr: '', color: '#4A90D9' })
+  showForm.value = true
+}
+
+function openEdit(vlan) {
+  editing.value = vlan
+  Object.assign(form, {
+    vlan_id: vlan.vlan_id != null ? String(vlan.vlan_id) : '',
+    name: vlan.name,
+    cidr: vlan.cidr || '',
+    color: vlan.color
+  })
+  showForm.value = true
+}
+
+async function save() {
+  const payload = {
+    ...form,
+    vlan_id: form.vlan_id !== '' ? Number(form.vlan_id) : null
+  }
+  try {
+    if (editing.value) {
+      await vlansApi.update(editing.value.id, payload)
+    } else {
+      await vlansApi.create(payload)
+    }
+    showForm.value = false
+    emit('refresh')
+  } catch (e) {
+    alert(e.response?.data?.detail || t('saveError'))
+  }
+}
+
+async function remove(vlan) {
+  const label = vlan.vlan_id != null ? `VLAN ${vlan.vlan_id} — ${vlan.name}` : `LAN ${vlan.name}`
+  if (!confirm(`Supprimer ${tFmt('confirmDeleteNetwork', label)}`)) return
+  try {
+    await vlansApi.remove(vlan.id)
+    emit('refresh')
+  } catch (e) {
+    alert(e.response?.data?.detail || t('deleteError'))
+  }
+}
+</script>
+
+<style scoped>
+.page { height: 100vh; overflow-y: auto; background: var(--bg-page); padding: 32px; }
+.page-header { display: flex; justify-content: space-between; align-items: center; margin-bottom: 24px; }
+h1 { font-size: 22px; font-weight: 700; color: var(--text-primary); }
+
+.btn-primary {
+  padding: 9px 18px; background: #3B82F6; color: #fff;
+  border: none; border-radius: 8px; font-size: 14px; font-weight: 600; transition: background 0.15s;
+}
+.btn-primary:hover { background: #2563EB; }
+.btn-secondary {
+  padding: 9px 18px; background: var(--border); color: var(--text-secondary);
+  border: none; border-radius: 8px; font-size: 14px; font-weight: 500;
+}
+.btn-secondary:hover { background: var(--border-strong); }
+
+.empty { padding: 48px; text-align: center; color: var(--text-faint); font-size: 15px; }
+
+.table-wrap { background: var(--bg-card); border-radius: 12px; box-shadow: var(--shadow-card); overflow: hidden; }
+table { width: 100%; border-collapse: collapse; }
+thead { background: var(--bg-thead); }
+th { padding: 12px 16px; text-align: left; font-size: 12px; font-weight: 600; color: var(--text-muted); text-transform: uppercase; letter-spacing: 0.05em; }
+td { padding: 14px 16px; font-size: 14px; color: var(--text-primary); border-top: 1px solid var(--border); }
+tr:hover td { background: var(--bg-card-hover); }
+
+.badge-vlan {
+  display: inline-flex; align-items: center; justify-content: center;
+  min-width: 36px; padding: 2px 8px; border-radius: 20px;
+  color: #fff; font-weight: 700; font-size: 13px;
+}
+code { background: var(--bg-page); padding: 2px 6px; border-radius: 4px; font-size: 13px; color: var(--text-secondary); }
+.color-preview { width: 24px; height: 24px; border-radius: 6px; border: 2px solid rgba(0,0,0,0.1); }
+
+.actions { display: flex; gap: 8px; }
+.btn-icon {
+  width: 30px; height: 30px; border: none; border-radius: 6px;
+  background: var(--bg-chip); color: var(--text-secondary); font-size: 15px;
+  display: flex; align-items: center; justify-content: center; transition: all 0.15s;
+}
+.btn-icon:hover { background: var(--border-strong); color: var(--text-primary); }
+.btn-icon.danger:hover { background: rgba(239,68,68,0.15); color: #EF4444; }
+
+.modal-overlay {
+  position: fixed; inset: 0; background: var(--modal-overlay);
+  display: flex; align-items: center; justify-content: center; z-index: 100;
+}
+.modal {
+  background: var(--bg-card); border-radius: 16px; padding: 28px;
+  width: 440px; max-width: 95vw; box-shadow: var(--shadow-modal);
+}
+.modal h2 { font-size: 18px; font-weight: 700; color: var(--text-primary); margin-bottom: 20px; }
+
+.field { margin-bottom: 16px; }
+.field label { display: block; font-size: 13px; font-weight: 600; color: var(--text-secondary); margin-bottom: 6px; }
+.optional { font-weight: 400; color: var(--text-faint); font-size: 12px; }
+.field input[type="text"],
+.field input[type="number"] {
+  width: 100%; padding: 9px 12px; border: 1.5px solid var(--border);
+  border-radius: 8px; font-size: 14px; color: var(--text-primary); background: var(--bg-input);
+  transition: border-color 0.15s;
+}
+.field input:focus { outline: none; border-color: #3B82F6; }
+
+.color-row { display: flex; align-items: center; gap: 12px; }
+.color-row input[type="color"] { width: 40px; height: 36px; border: none; border-radius: 6px; cursor: pointer; padding: 0; }
+.color-row span { font-size: 13px; color: var(--text-muted); font-family: monospace; }
+.color-presets { display: flex; gap: 6px; flex-wrap: wrap; }
+.preset { width: 20px; height: 20px; border-radius: 4px; cursor: pointer; transition: transform 0.1s; }
+.preset:hover { transform: scale(1.2); }
+
+.modal-actions { display: flex; gap: 10px; justify-content: flex-end; margin-top: 24px; }
+</style>
diff --git a/frontend/src/i18n.js b/frontend/src/i18n.js
new file mode 100644
index 0000000..a965c13
--- /dev/null
+++ b/frontend/src/i18n.js
@@ -0,0 +1,477 @@
+import { ref } from 'vue'
+
+export const locale = ref(localStorage.getItem('locale') || 'fr')
+
+export function setLocale(lang) {
+  locale.value = lang
+  localStorage.setItem('locale', lang)
+}
+
+const LANGS = {
+  fr: {
+    // Sidebar / App
+    tabTopology: 'Topologie',
+    tabNetworks: 'Réseaux',
+    tabDevices: 'Équipements',
+    discovery: '🔍 Découverte auto',
+    statsNetworks: 'Réseaux',
+    statsDevices: 'Équip.',
+    exportJson: '⬇ Export JSON',
+    importJson: '⬆ Import JSON',
+    loadError: 'Erreur de chargement : ',
+    importFailed: 'Import échoué : ',
+    importTooLarge: 'Fichier trop volumineux (max 5 Mo).',
+    // TopologyGraph
+    ping: 'Ping',
+    pinging: 'Ping en cours…',
+    refreshPing: 'Rafraîchir le ping',
+    wan: 'Internet / WAN',
+    gateway: 'Passerelle inter-VLAN',
+    unassigned: 'Non assigné',
+    noDevice: 'Aucun équipement',
+    noDevices: 'Aucun équipement à afficher.',
+    noDevicesHint: 'Commencez par créer des réseaux et des équipements.',
+    reachable: 'Joignable',
+    unreachable: 'Injoignable',
+    openWebUI: "Ouvrir l'interface web",
+    // DeviceManager
+    devices: 'Équipements',
+    addDevice: '+ Ajouter un équipement',
+    noDevicesConfigured: 'Aucun équipement configuré. Commencez par en ajouter un.',
+    searchPlaceholder: 'Nom, IP…',
+    filterType: 'Type',
+    filterNetwork: 'Réseau',
+    filterBrand: 'Marque',
+    filterVirt: 'Virt',
+    clearFilters: '✕ Effacer',
+    noDevicesFiltered: 'Aucun équipement ne correspond aux filtres sélectionnés.',
+    editDevice: "Modifier l'équipement",
+    newDevice: 'Nouvel équipement',
+    fieldName: 'Nom *',
+    fieldType: 'Type *',
+    fieldDescription: 'Description',
+    isGateway: 'Passerelle inter-VLAN',
+    isLivebox: 'Livebox / Box FAI',
+    accessUrl: "URL d'accès",
+    runtimeType: "Type d'environnement d'exécution",
+    notSpecified: '— Non précisé',
+    baremetal: 'Bare-metal',
+    lxcContainer: 'Conteneur LXC',
+    vmQemu: 'VM QEMU/KVM',
+    networkInterfaces: 'Interfaces réseau',
+    addInterface: '+ Interface',
+    noInterface: 'Aucune interface configurée',
+    cancel: 'Annuler',
+    save: 'Enregistrer',
+    create: 'Créer',
+    badgeGateway: 'Passerelle',
+    badgeLivebox: 'Livebox',
+    confirmDeleteDevice: '{0} et tous ses liens ?',
+    confirmDeleteNetwork: '{0} ?',
+    saveError: 'Erreur lors de la sauvegarde',
+    deleteError: 'Erreur lors de la suppression',
+    descPlaceholder: 'Rôle, OS, notes…',
+    // Device types
+    typeServer: 'Serveur',
+    typeSwitch: 'Switch',
+    typeRouter: 'Routeur',
+    typeNas: 'NAS',
+    typeGateway: 'Passerelle',
+    typeLivebox: 'Livebox',
+    typeCamera: 'Caméra IP',
+    typeTemperature: 'Sonde température/humidité',
+    typeSensor: 'Capteur (mouvement, ouverture…)',
+    typeHub: 'Hub domotique',
+    typeSmartPlug: 'Prise connectée',
+    typeAlarm: 'Alarme / Détecteur',
+    typeLight: 'Éclairage connecté',
+    typeDoorbell: 'Sonnette / Interphone',
+    typeAccessPoint: 'Borne WiFi / Access Point',
+    typeDesktop: 'Ordinateur fixe',
+    typeLaptop: 'Ordinateur portable',
+    typeOther: 'Autre',
+    virtBaremetal: 'Bare-metal',
+    virtLxc: 'LXC',
+    virtQemu: 'VM QEMU',
+    // VlanManager
+    networks: 'Réseaux',
+    addNetwork: '+ Ajouter un réseau',
+    noNetworksConfigured: 'Aucun réseau configuré. Commencez par en créer un.',
+    colType: 'Type',
+    colName: 'Nom',
+    colSubnet: 'Sous-réseau',
+    colColor: 'Couleur',
+    colActions: 'Actions',
+    editNetwork: 'Modifier le réseau',
+    newNetwork: 'Nouveau réseau',
+    vlanId: 'ID VLAN',
+    vlanIdHint: '(laisser vide pour LAN classique)',
+    subnet: 'Sous-réseau CIDR',
+    color: 'Couleur',
+    subnetPlaceholder: 'ex: 192.168.10.0/24',
+    // DiscoveryModal
+    autoDiscovery: 'Découverte automatique',
+    dnsServer: 'Serveur DNS',
+    dnsHint: 'Le reverse DNS sera interrogé sur ce serveur pour résoudre les noms.',
+    vlansToScan: 'VLANs à scanner',
+    vlansHint: 'Seuls les VLANs avec un sous-réseau CIDR configuré peuvent être scannés.',
+    noCidrWarning: "Aucun VLAN n'a de CIDR configuré. Renseignez-les dans l'onglet VLANs.",
+    noCidr: 'pas de CIDR',
+    startDiscovery: 'Lancer la découverte',
+    scanning: 'Scan en cours…',
+    scanAddresses: 'adresses sur',
+    scanVlans: 'VLAN(s)',
+    scanNote: 'Chaque hôte est pingé puis interrogé en DNS.',
+    hostsFound: 'hôte(s) découvert(s)',
+    addressesScanned: 'adresses scannées',
+    newHosts: 'nouveaux',
+    noHosts: 'Aucun hôte actif trouvé sur les plages sélectionnées.',
+    colIp: 'IP',
+    colDns: 'Nom (DNS)',
+    colStatus: 'Statut',
+    statusExisting: 'Déjà présent',
+    statusNew: 'Nouveau',
+    newScan: 'Nouveau scan',
+    importingBtn: 'Import…',
+    importBtn: 'Importer',
+    dnsRequired: 'Veuillez renseigner un serveur DNS.',
+    selectVlan: 'Sélectionnez au moins un VLAN.',
+    importError: "Erreur lors de l'import.",
+    scanError: 'Erreur lors du scan.',
+    // Theme / Lang
+    lightTheme: 'Thème clair',
+    darkTheme: 'Thème sombre',
+    // Auth
+    loginTitle: 'Connexion',
+    loginUsername: 'Nom d\'utilisateur',
+    loginPassword: 'Mot de passe',
+    loginBtn: 'Se connecter',
+    loginError: 'Identifiants incorrects.',
+    logout: 'Déconnexion',
+    accountSettings: 'Paramètres du compte',
+    currentPassword: 'Mot de passe actuel',
+    newUsername: 'Nouveau nom d\'utilisateur',
+    newPassword: 'Nouveau mot de passe',
+    confirmPassword: 'Confirmer le mot de passe',
+    leaveBlankToKeep: 'Laisser vide pour ne pas modifier',
+    passwordMismatch: 'Les mots de passe ne correspondent pas.',
+    accountUpdated: 'Compte mis à jour.',
+    wrongPassword: 'Mot de passe actuel incorrect.',
+    mustChangePasswordWarning: 'Pour des raisons de sécurité, vous devez changer votre mot de passe avant de continuer.',
+    newPasswordRequired: 'Un nouveau mot de passe est requis.',
+    passwordTooShort: 'Le mot de passe doit contenir au moins 8 caractères.',
+    passwordTooWeak: 'Le mot de passe doit contenir au moins une lettre et un chiffre.',
+    usernameInvalid: "Le nom d'utilisateur ne peut contenir que des lettres, chiffres, . _ - (1 à 64 caractères).",
+    tooManyAttempts: 'Trop de tentatives, réessayez plus tard.',
+  },
+
+  en: {
+    tabTopology: 'Topology',
+    tabNetworks: 'Networks',
+    tabDevices: 'Devices',
+    discovery: '🔍 Auto discovery',
+    statsNetworks: 'Networks',
+    statsDevices: 'Devices',
+    exportJson: '⬇ Export JSON',
+    importJson: '⬆ Import JSON',
+    loadError: 'Loading error: ',
+    importFailed: 'Import failed: ',
+    importTooLarge: 'File too large (max 5 MB).',
+    ping: 'Ping',
+    pinging: 'Pinging…',
+    refreshPing: 'Refresh ping',
+    wan: 'Internet / WAN',
+    gateway: 'Inter-VLAN Gateway',
+    unassigned: 'Unassigned',
+    noDevice: 'No devices',
+    noDevices: 'No devices to display.',
+    noDevicesHint: 'Start by creating networks and devices.',
+    reachable: 'Reachable',
+    unreachable: 'Unreachable',
+    openWebUI: 'Open web interface',
+    devices: 'Devices',
+    addDevice: '+ Add device',
+    noDevicesConfigured: 'No devices configured. Start by adding one.',
+    searchPlaceholder: 'Name, IP…',
+    filterType: 'Type',
+    filterNetwork: 'Network',
+    filterBrand: 'Brand',
+    filterVirt: 'Virt',
+    clearFilters: '✕ Clear',
+    noDevicesFiltered: 'No devices match the selected filters.',
+    editDevice: 'Edit device',
+    newDevice: 'New device',
+    fieldName: 'Name *',
+    fieldType: 'Type *',
+    fieldDescription: 'Description',
+    isGateway: 'Inter-VLAN gateway',
+    isLivebox: 'ISP Box / Router',
+    accessUrl: 'Access URL',
+    runtimeType: 'Runtime environment',
+    notSpecified: '— Not specified',
+    baremetal: 'Bare-metal',
+    lxcContainer: 'LXC container',
+    vmQemu: 'VM QEMU/KVM',
+    networkInterfaces: 'Network interfaces',
+    addInterface: '+ Interface',
+    noInterface: 'No interface configured',
+    cancel: 'Cancel',
+    save: 'Save',
+    create: 'Create',
+    badgeGateway: 'Gateway',
+    badgeLivebox: 'ISP Box',
+    confirmDeleteDevice: '{0} and all its links?',
+    confirmDeleteNetwork: '{0}?',
+    saveError: 'Error while saving',
+    deleteError: 'Error while deleting',
+    descPlaceholder: 'Role, OS, notes…',
+    typeServer: 'Server',
+    typeSwitch: 'Switch',
+    typeRouter: 'Router',
+    typeNas: 'NAS',
+    typeGateway: 'Gateway',
+    typeLivebox: 'ISP Box',
+    typeCamera: 'IP Camera',
+    typeTemperature: 'Temperature/humidity sensor',
+    typeSensor: 'Sensor (motion, door…)',
+    typeHub: 'Home automation hub',
+    typeSmartPlug: 'Smart plug',
+    typeAlarm: 'Alarm / Detector',
+    typeLight: 'Smart light',
+    typeDoorbell: 'Doorbell / Intercom',
+    typeAccessPoint: 'WiFi Access Point',
+    typeDesktop: 'Desktop computer',
+    typeLaptop: 'Laptop',
+    typeOther: 'Other',
+    virtBaremetal: 'Bare-metal',
+    virtLxc: 'LXC',
+    virtQemu: 'VM QEMU',
+    networks: 'Networks',
+    addNetwork: '+ Add network',
+    noNetworksConfigured: 'No networks configured. Start by creating one.',
+    colType: 'Type',
+    colName: 'Name',
+    colSubnet: 'Subnet',
+    colColor: 'Color',
+    colActions: 'Actions',
+    editNetwork: 'Edit network',
+    newNetwork: 'New network',
+    vlanId: 'VLAN ID',
+    vlanIdHint: '(leave empty for plain LAN)',
+    subnet: 'CIDR subnet',
+    color: 'Color',
+    subnetPlaceholder: 'e.g. 192.168.10.0/24',
+    autoDiscovery: 'Auto discovery',
+    dnsServer: 'DNS server',
+    dnsHint: 'Reverse DNS will be queried on this server to resolve hostnames.',
+    vlansToScan: 'VLANs to scan',
+    vlansHint: 'Only VLANs with a configured CIDR subnet can be scanned.',
+    noCidrWarning: 'No VLAN has a CIDR configured. Set them in the Networks tab.',
+    noCidr: 'no CIDR',
+    startDiscovery: 'Start discovery',
+    scanning: 'Scanning…',
+    scanAddresses: 'addresses on',
+    scanVlans: 'VLAN(s)',
+    scanNote: 'Each host is pinged then queried via DNS.',
+    hostsFound: 'host(s) found',
+    addressesScanned: 'addresses scanned',
+    newHosts: 'new',
+    noHosts: 'No active hosts found on the selected ranges.',
+    colIp: 'IP',
+    colDns: 'Name (DNS)',
+    colStatus: 'Status',
+    statusExisting: 'Already present',
+    statusNew: 'New',
+    newScan: 'New scan',
+    importingBtn: 'Importing…',
+    importBtn: 'Import',
+    dnsRequired: 'Please enter a DNS server.',
+    selectVlan: 'Select at least one VLAN.',
+    importError: 'Error during import.',
+    scanError: 'Error during scan.',
+    lightTheme: 'Light theme',
+    darkTheme: 'Dark theme',
+    // Auth
+    loginTitle: 'Sign in',
+    loginUsername: 'Username',
+    loginPassword: 'Password',
+    loginBtn: 'Sign in',
+    loginError: 'Incorrect credentials.',
+    logout: 'Logout',
+    accountSettings: 'Account settings',
+    currentPassword: 'Current password',
+    newUsername: 'New username',
+    newPassword: 'New password',
+    confirmPassword: 'Confirm password',
+    leaveBlankToKeep: 'Leave blank to keep unchanged',
+    passwordMismatch: 'Passwords do not match.',
+    accountUpdated: 'Account updated.',
+    wrongPassword: 'Current password is incorrect.',
+    mustChangePasswordWarning: 'For security reasons, you must change your password before continuing.',
+    newPasswordRequired: 'A new password is required.',
+    passwordTooShort: 'Password must be at least 8 characters.',
+    passwordTooWeak: 'Password must contain at least one letter and one digit.',
+    usernameInvalid: 'Username may only contain letters, digits, . _ - (1 to 64 characters).',
+    tooManyAttempts: 'Too many attempts, please try again later.',
+  },
+
+  es: {
+    tabTopology: 'Topología',
+    tabNetworks: 'Redes',
+    tabDevices: 'Equipos',
+    discovery: '🔍 Descubrimiento auto',
+    statsNetworks: 'Redes',
+    statsDevices: 'Equipos',
+    exportJson: '⬇ Exportar JSON',
+    importJson: '⬆ Importar JSON',
+    loadError: 'Error de carga: ',
+    importFailed: 'Importación fallida: ',
+    importTooLarge: 'Archivo demasiado grande (máx 5 MB).',
+    ping: 'Ping',
+    pinging: 'Ping en curso…',
+    refreshPing: 'Actualizar ping',
+    wan: 'Internet / WAN',
+    gateway: 'Pasarela inter-VLAN',
+    unassigned: 'Sin asignar',
+    noDevice: 'Sin equipos',
+    noDevices: 'No hay equipos que mostrar.',
+    noDevicesHint: 'Empiece creando redes y equipos.',
+    reachable: 'Alcanzable',
+    unreachable: 'No alcanzable',
+    openWebUI: 'Abrir interfaz web',
+    devices: 'Equipos',
+    addDevice: '+ Añadir equipo',
+    noDevicesConfigured: 'No hay equipos configurados. Empiece añadiendo uno.',
+    searchPlaceholder: 'Nombre, IP…',
+    filterType: 'Tipo',
+    filterNetwork: 'Red',
+    filterBrand: 'Marca',
+    filterVirt: 'Virt',
+    clearFilters: '✕ Borrar',
+    noDevicesFiltered: 'Ningún equipo coincide con los filtros seleccionados.',
+    editDevice: 'Editar equipo',
+    newDevice: 'Nuevo equipo',
+    fieldName: 'Nombre *',
+    fieldType: 'Tipo *',
+    fieldDescription: 'Descripción',
+    isGateway: 'Pasarela inter-VLAN',
+    isLivebox: 'Router / Box ISP',
+    accessUrl: 'URL de acceso',
+    runtimeType: 'Entorno de ejecución',
+    notSpecified: '— No especificado',
+    baremetal: 'Bare-metal',
+    lxcContainer: 'Contenedor LXC',
+    vmQemu: 'VM QEMU/KVM',
+    networkInterfaces: 'Interfaces de red',
+    addInterface: '+ Interfaz',
+    noInterface: 'Sin interfaces configuradas',
+    cancel: 'Cancelar',
+    save: 'Guardar',
+    create: 'Crear',
+    badgeGateway: 'Pasarela',
+    badgeLivebox: 'Router ISP',
+    confirmDeleteDevice: '{0} y todos sus enlaces?',
+    confirmDeleteNetwork: '{0}?',
+    saveError: 'Error al guardar',
+    deleteError: 'Error al eliminar',
+    descPlaceholder: 'Rol, SO, notas…',
+    typeServer: 'Servidor',
+    typeSwitch: 'Switch',
+    typeRouter: 'Router',
+    typeNas: 'NAS',
+    typeGateway: 'Pasarela',
+    typeLivebox: 'Router ISP',
+    typeCamera: 'Cámara IP',
+    typeTemperature: 'Sonda de temperatura/humedad',
+    typeSensor: 'Sensor (movimiento, apertura…)',
+    typeHub: 'Hub domótico',
+    typeSmartPlug: 'Enchufe inteligente',
+    typeAlarm: 'Alarma / Detector',
+    typeLight: 'Iluminación inteligente',
+    typeDoorbell: 'Timbre / Portero',
+    typeAccessPoint: 'Punto de acceso WiFi',
+    typeDesktop: 'Ordenador de sobremesa',
+    typeLaptop: 'Portátil',
+    typeOther: 'Otro',
+    virtBaremetal: 'Bare-metal',
+    virtLxc: 'LXC',
+    virtQemu: 'VM QEMU',
+    networks: 'Redes',
+    addNetwork: '+ Añadir red',
+    noNetworksConfigured: 'No hay redes configuradas. Empiece creando una.',
+    colType: 'Tipo',
+    colName: 'Nombre',
+    colSubnet: 'Subred',
+    colColor: 'Color',
+    colActions: 'Acciones',
+    editNetwork: 'Editar red',
+    newNetwork: 'Nueva red',
+    vlanId: 'ID de VLAN',
+    vlanIdHint: '(dejar vacío para LAN simple)',
+    subnet: 'Subred CIDR',
+    color: 'Color',
+    subnetPlaceholder: 'ej: 192.168.10.0/24',
+    autoDiscovery: 'Descubrimiento automático',
+    dnsServer: 'Servidor DNS',
+    dnsHint: 'El DNS inverso será consultado en este servidor para resolver nombres.',
+    vlansToScan: 'VLANs a escanear',
+    vlansHint: 'Solo los VLANs con subred CIDR configurada pueden escanearse.',
+    noCidrWarning: 'Ninguna VLAN tiene CIDR configurado. Configúrelo en la pestaña Redes.',
+    noCidr: 'sin CIDR',
+    startDiscovery: 'Iniciar descubrimiento',
+    scanning: 'Escaneo en curso…',
+    scanAddresses: 'direcciones en',
+    scanVlans: 'VLAN(s)',
+    scanNote: 'Cada host es pingado y luego consultado en DNS.',
+    hostsFound: 'host(s) descubierto(s)',
+    addressesScanned: 'direcciones escaneadas',
+    newHosts: 'nuevos',
+    noHosts: 'No se encontraron hosts activos en los rangos seleccionados.',
+    colIp: 'IP',
+    colDns: 'Nombre (DNS)',
+    colStatus: 'Estado',
+    statusExisting: 'Ya presente',
+    statusNew: 'Nuevo',
+    newScan: 'Nuevo escaneo',
+    importingBtn: 'Importando…',
+    importBtn: 'Importar',
+    dnsRequired: 'Por favor ingrese un servidor DNS.',
+    selectVlan: 'Seleccione al menos una VLAN.',
+    importError: 'Error durante la importación.',
+    scanError: 'Error durante el escaneo.',
+    lightTheme: 'Tema claro',
+    darkTheme: 'Tema oscuro',
+    // Auth
+    loginTitle: 'Iniciar sesión',
+    loginUsername: 'Nombre de usuario',
+    loginPassword: 'Contraseña',
+    loginBtn: 'Iniciar sesión',
+    loginError: 'Credenciales incorrectas.',
+    logout: 'Cerrar sesión',
+    accountSettings: 'Configuración de cuenta',
+    currentPassword: 'Contraseña actual',
+    newUsername: 'Nuevo nombre de usuario',
+    newPassword: 'Nueva contraseña',
+    confirmPassword: 'Confirmar contraseña',
+    leaveBlankToKeep: 'Dejar en blanco para no cambiar',
+    passwordMismatch: 'Las contraseñas no coinciden.',
+    accountUpdated: 'Cuenta actualizada.',
+    wrongPassword: 'La contraseña actual es incorrecta.',
+    mustChangePasswordWarning: 'Por razones de seguridad, debe cambiar su contraseña antes de continuar.',
+    newPasswordRequired: 'Se requiere una nueva contraseña.',
+    passwordTooShort: 'La contraseña debe tener al menos 8 caracteres.',
+    passwordTooWeak: 'La contraseña debe contener al menos una letra y un número.',
+    usernameInvalid: 'El nombre de usuario solo puede contener letras, dígitos, . _ - (1 a 64 caracteres).',
+    tooManyAttempts: 'Demasiados intentos, inténtelo de nuevo más tarde.',
+  },
+}
+
+export function t(key) {
+  return LANGS[locale.value]?.[key] ?? LANGS['fr'][key] ?? key
+}
+
+export function tFmt(key, ...args) {
+  let str = LANGS[locale.value]?.[key] ?? LANGS['fr'][key] ?? key
+  args.forEach((arg, i) => { str = str.replace(`{${i}}`, arg) })
+  return str
+}
diff --git a/frontend/src/main.js b/frontend/src/main.js
new file mode 100644
index 0000000..1d4acd7
--- /dev/null
+++ b/frontend/src/main.js
@@ -0,0 +1,3 @@
+import { createApp } from 'vue'
+import App from './App.vue'
+createApp(App).mount('#app')
diff --git a/frontend/src/theme.js b/frontend/src/theme.js
new file mode 100644
index 0000000..2932886
--- /dev/null
+++ b/frontend/src/theme.js
@@ -0,0 +1,18 @@
+import { ref, watch } from 'vue'
+
+export const theme = ref(localStorage.getItem('theme') || 'light')
+
+function apply(t) {
+  document.documentElement.classList.toggle('dark', t === 'dark')
+}
+
+apply(theme.value)
+
+watch(theme, (t) => {
+  localStorage.setItem('theme', t)
+  apply(t)
+})
+
+export function toggleTheme() {
+  theme.value = theme.value === 'dark' ? 'light' : 'dark'
+}
diff --git a/frontend/vite.config.js b/frontend/vite.config.js
new file mode 100644
index 0000000..e8217ad
--- /dev/null
+++ b/frontend/vite.config.js
@@ -0,0 +1,18 @@
+import { defineConfig } from 'vite'
+import vue from '@vitejs/plugin-vue'
+
+export default defineConfig({
+  plugins: [vue()],
+  build: {
+    modulePreload: { polyfill: false },
+  },
+  server: {
+    host: true,
+    proxy: {
+      '/api': {
+        target: 'http://backend:8000',
+        changeOrigin: true,
+      }
+    }
+  }
+})