fix: switch tcp_check mode to TCP-only instead of ICMP+TCP

Previously tcp_check required both ICMP and TCP to pass. This caused
two failure modes: hosts with ICMP rate-limiting under scan load were
missed (ICMP fails → TCP never tried), and the AND logic was confusing.

In TCP-only mode, proxy-ARP gateways are still filtered out because
they never spoof TCP replies. Hosts with rate-limited ICMP (e.g. some
WiFi APs during a full /24 sweep) are now correctly detected via TCP.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/routers/discovery.py

@@ -115,10 +115,15 @@ def _tcp_check(ip: str) -> bool:
 
 
 def _scan_one(ip: str, dns_server: str, vlan_id: int, cidr: str, tcp_check: bool = False) -> Optional[DiscoveredHost]:
-    if not _ping(ip):
-        return None
-    if tcp_check and not _tcp_check(ip):
-        return None
+    if tcp_check:
+        # TCP-only mode: bypasses ICMP entirely.
+        # Proxy-ARP gateways never spoof TCP replies, so ghost IPs are filtered
+        # without ICMP. Also catches hosts whose ICMP is rate-limited under load.
+        if not _tcp_check(ip):
+            return None
+    else:
+        if not _ping(ip):
+            return None
     hostname = _ptr_lookup(ip, dns_server) if dns_server else None
     return DiscoveredHost(ip=ip, hostname=hostname, vlan_id=vlan_id, cidr=cidr)