feat: add optional TCP check to scan to filter proxy-ARP false positives

Some gateways (e.g. UniFi) respond to ICMP for every IP in a subnet via
proxy-ARP, spoofing the source IP so the existing ICMP guard cannot help.
A secondary TCP probe (ports 22, 80, 443, 8080, 8443) distinguishes real
hosts (RST/connect on closed ports) from ghost IPs (gateway drops SYN →
timeout). The check is opt-in (disabled by default) to avoid missing
devices whose firewall DROPs all probed ports.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:17:55 +02:00
parent 14de657deb
commit cc716783ea
3 changed files with 53 additions and 2 deletions
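The classification rule from the commit message, sketched as an added example (not code from this commit, whose scanner side is not shown on this page). Python and the names `tcp_probe`, `is_real_host` and `filter_icmp_hits` are assumptions; only the port list and the `tcp_check` flag come from the page.

```python
import socket

PROBE_PORTS = (22, 80, 443, 8080, 8443)  # port list from the commit message


def tcp_probe(ip, port, timeout=1.0):
    """Return 'open' (SYN-ACK), 'closed' (RST) or 'silent' (no usable answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"   # an RST still proves a TCP stack answers at this IP
        except OSError:
            return "silent"   # timeout or unreachable: no evidence of a host


def is_real_host(ip, ports=PROBE_PORTS, probe=tcp_probe):
    """True as soon as one probed port answers at all (open or closed)."""
    return any(probe(ip, port) != "silent" for port in ports)


def filter_icmp_hits(icmp_hits, tcp_check=False, probe=tcp_probe):
    """Split ICMP responders into (kept, dropped).

    With tcp_check off (the default in the commit) nothing is dropped.
    The dropped list is returned so a caller can report it: it holds
    proxy-ARP ghosts, but also real hosts that DROP every probed port.
    """
    if not tcp_check:
        return list(icmp_hits), []
    kept, dropped = [], []
    for ip in icmp_hits:
        (kept if is_real_host(ip, probe=probe) else dropped).append(ip)
    return kept, dropped
```

Because a ghost IP only reveals itself by timing out, each one costs `timeout` seconds per probed port when the ports are tried one after another.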
@@ -55,6 +55,14 @@
</div>
</div>
<div class="field field-toggle">
<label class="toggle-row">
<input type="checkbox" v-model="tcpCheck" class="toggle-checkbox" />
<span class="toggle-label">{{ t('tcpCheckLabel') }}</span>
</label>
<div class="input-hint">{{ t('tcpCheckHint') }}</div>
</div>
<div v-if="configError" class="error-box">{{ configError }}</div>
</div>
@@ -177,6 +185,7 @@ const emit = defineEmits(['close', 'refresh'])
const step = ref('config')
const dnsServer = ref('192.168.1.16')
const tcpCheck = ref(false)
const selectedVlanIds = ref([])
const results = ref([])
const selectedIps = ref([])
@@ -259,6 +268,7 @@ async function startScan() {
const resp = await discoveryApi.scan({
dns_server: dnsServer.value.trim(),
targets,
tcp_check: tcpCheck.value,
})
results.value = resp.data.hosts
scanMeta.value = { total_scanned: resp.data.total_scanned, duration_s: resp.data.duration_s }
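Review bot: in startScan(), the response handling that follows the new tcp_check: tcpCheck.value field still reads only resp.data.hosts, total_scanned and duration_s, so with the check enabled the user has no way to see how many ICMP responders the TCP probe discarded. The commit message itself concedes that hosts whose firewall DROPs all probed ports will be lost, so consider having the scan response carry a count (or list) of filtered addresses and showing it next to the scan totals, so a real device that was dropped can be spotted and added by hand.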
@@ -410,6 +420,12 @@ code.ip { font-family: monospace; font-size: 13px; color: var(--text-primary); }
.status.new { background: #DBEAFE; color: #1D4ED8; }
.status.existing { background: var(--bg-page); color: var(--text-faint); }
.field-toggle { border: 1.5px solid var(--border); border-radius: 10px; padding: 12px; }
.toggle-row { display: flex; align-items: center; gap: 10px; cursor: pointer; }
.toggle-checkbox { width: 16px; height: 16px; flex-shrink: 0; cursor: pointer; accent-color: #3B82F6; }
.toggle-label { font-size: 13px; font-weight: 700; color: var(--text-secondary); }
.field-toggle .input-hint { margin-top: 6px; margin-bottom: 0; }
.warn-box {
background: #FFFBEB; border: 1.5px solid #FCD34D; border-radius: 8px;
padding: 12px; font-size: 13px; color: #92400E;
@@ -128,6 +128,8 @@ const LANGS = {
scanAddresses: 'adresses sur',
scanVlans: 'VLAN(s)',
scanNote: 'Chaque hôte est pingé puis interrogé en DNS.',
tcpCheckLabel: 'Vérification TCP (anti proxy-ARP)',
tcpCheckHint: 'Sonde chaque hôte sur les ports 22, 80, 443, 8080, 8443. Élimine les faux positifs UniFi/proxy-ARP, mais peut rater les équipements sans port TCP ouvert (smartphones, PC tout firewall, etc.).',
hostsFound: 'hôte(s) découvert(s)',
addressesScanned: 'adresses scannées',
newHosts: 'nouveaux',
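Review bot: tcpCheckHint embeds the port list "22, 80, 443, 8080, 8443" as a literal inside the translated string, and the same literal is repeated in the English and Spanish blocks. If the probed ports ever change, three strings have to be edited by hand and can silently drift from what the scanner actually does. Consider keeping the list in one place and passing it into the string as a parameter, if t() supports interpolation.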
@@ -285,6 +287,8 @@ const LANGS = {
scanAddresses: 'addresses on',
scanVlans: 'VLAN(s)',
scanNote: 'Each host is pinged then queried via DNS.',
tcpCheckLabel: 'TCP check (anti proxy-ARP)',
tcpCheckHint: 'Probes each host on ports 22, 80, 443, 8080, 8443. Eliminates UniFi/proxy-ARP false positives, but may miss devices with no open TCP port (smartphones, fully-firewalled PCs, etc.).',
hostsFound: 'host(s) found',
addressesScanned: 'addresses scanned',
newHosts: 'new',
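Review bot: tcpCheckHint says the check "may miss devices with no open TCP port", which does not match the behaviour described in the commit message, where an RST from a closed port counts as proof of a real host. The devices actually at risk are those that silently drop SYNs on all five ports. Suggest wording along the lines of "devices that drop all probed ports", with the same correction applied to the French and Spanish hints.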
@@ -441,6 +445,8 @@ const LANGS = {
scanAddresses: 'direcciones en',
scanVlans: 'VLAN(s)',
scanNote: 'Cada host es pingado y luego consultado en DNS.',
tcpCheckLabel: 'Verificación TCP (anti proxy-ARP)',
tcpCheckHint: 'Sondea cada host en los puertos 22, 80, 443, 8080, 8443. Elimina falsos positivos UniFi/proxy-ARP, pero puede omitir equipos sin puerto TCP abierto (smartphones, PC con firewall total, etc.).',
hostsFound: 'host(s) descubierto(s)',
addressesScanned: 'direcciones escaneadas',
newHosts: 'nuevos',
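Review bot: the unchanged scanNote directly above the new keys ('Cada host es pingado y luego consultado en DNS.', and its French and English counterparts) no longer describes the scan once the TCP check is enabled. Consider a second note string, or a conditional suffix, that mentions the TCP probe when tcpCheck is on, so the summary text and the selected option agree.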