feat: enhanced CRD support for Karpenter, KEDA, and Gateway API (#169)

* feat: add enhanced CRD support for Karpenter, KEDA, and Gateway API

- Karpenter: topology (NodePool → NodeClaim → Node → Pod), detail
  renderers, smart table columns, AI context summaries
- KEDA: topology (ScaledObject → Deployment), detail renderers for
  ScaledObject/ScaledJob, smart table columns, AI context summaries
- Gateway API: GatewayClass topology node, GatewayClass → Gateway edges
- Dynamic cache warmup for all new CRDs
- Fix resource browser custom columns not showing for CRD kinds
  (normalizeKindToPlural handles singular/plural URL mismatch,
  stale default column detection in localStorage)
- Documentation with integration screenshots

* fix: widen HPA nodes and use short display names in topology

HorizontalPodAutoscaler nodes were too narrow (160x48) causing text
overflow. Widened to 280x56 to match other workload nodes. Also use
displayKind() for all node kind labels so long names like
HorizontalPodAutoscaler render as "HPA" and PersistentVolumeClaim as
"PVC".

Update cert-manager topology screenshot to show full ACME lifecycle
chain (Certificate → CertificateRequest → Order → Challenge).

* feat: expand CRD support with new renderers, topology nodes, and bug fixes

Add detailed renderers for Karpenter EC2NodeClass, KEDA TriggerAuth,
GRPCRoute, and a shared SimpleRouteRenderer for TCPRoute/TLSRoute.
Expand topology graph with Node, NodeClass, and GatewayClass nodes.
Enhance AI context summaries for all new CRD types.

Fix namespace filter incorrectly dropping cluster-scoped resources
(NodePool/NodeClaim), settings race condition on concurrent PUTs,
Certificate-to-Issuer edge semantics, and silenced error in
GatewayClass-to-Gateway edge creation.

* chore: apply go 1.26 modernization fixes

Range-over-int and go:fix inline idioms.

* docs: update CRD integrations to reflect current support

EC2NodeClass, TriggerAuthentication, Gateway API routes, and
SealedSecrets all have richer support than previously documented.

fix: handle TLS ServerName mismatch for AKS Hubble Relay (#173) (#175)

AKS with Azure-managed Cilium uses certificates with SAN
*.hubble-relay.cilium.io, which doesn't match the default
hubble-relay.<ns>.svc.cluster.local ServerName. When TLS fails,
probe the server cert to discover the actual SAN and retry.

Closes #173

fix(desktop): persist theme and favorites across restarts (#174)

* fix(desktop): persist theme and favorites across restarts

Desktop app uses Port: 0 which assigns a random OS port each launch.
Since localStorage is origin-scoped, user preferences (theme, pinned
resource kinds) were lost on every restart. Add server-side settings
file at ~/.radar/settings.json and sync frontend state via REST API.

* fix(desktop): detect Linux dark theme and fix window maximize

Query xdg-desktop-portal D-Bus interface to detect system color scheme
on Linux and set GTK_THEME so WebKitGTK's prefers-color-scheme works on
GNOME 42+. Add Wails Linux options with ProgramName and GPU policy
OnDemand (fixes default Never when Linux is nil). Set MaxWidth/MaxHeight
to 7680x4320 to prevent Wails auto-detection from constraining window
sizing on Wayland.

* fix(desktop): merge settings on PUT to prevent data loss

PUT /api/settings was decoding into a fresh struct, so saving theme
would zero out pinnedKinds and vice versa. Now decodes into the
existing settings so only provided fields are overwritten.

Also add console.warn logging to frontend catch blocks and backend
settings.Load() for non-NotExist errors to aid debugging.

deps(go): bump golang.org/x/term from 0.39.0 to 0.40.0 (#165)

Bumps [golang.org/x/term](https://github.com/golang/term) from 0.39.0 to 0.40.0.
- [Commits](golang/term@v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

fix(desktop): switch Linux build to webkit2gtk 4.1

Fedora 43 removed webkit2gtk4.0 entirely, making the .rpm package
uninstallable. Switch to webkit2gtk 4.1 which is available on all
current distros (Ubuntu 22.04+, Fedora 42+).

fix: show helpful install hint when metrics-server is missing (#152)

Instead of the generic "Metrics unavailable" text, the dashboard now
detects whether metrics-server is installed and shows a tooltip with
platform-specific install instructions (minikube, EKS, GKE/AKS, etc.).

Adds metricsServerAvailable field to the dashboard API response so the
frontend can distinguish "not installed" from "starting up".

Add goroutine leak profiler support (#157)

Add goroutineleak pprof handler and GOEXPERIMENT build arg in Dockerfile.
Build with --build-arg GOEXPERIMENT=goroutineleakprofile to enable.

fix: terminal resize race condition and desktop port-forward open but…

…ton (#155)

Terminal exec sessions were stuck at 80 columns because the frontend's
resize message was silently dropped by the backend. The resize channel
(buffer=1) was still holding the initial 80x24 size when the frontend
sent actual dimensions — K8s API connect is slower than local WebSocket.
Fix: drain stale size before pushing new one.

Frontend side: doFit() now sends resize to WebSocket when connected, and
ws.onopen calls doFit() so the first message has correct dimensions.

Also fix window.open() in desktop app (Wails webview) — use the Wails
runtime BrowserOpenURL for port-forward "Open" button and GitHub star
fallback link.

Closes #153

feat: add force delete option for stuck resources (#82)

* feat: add force delete option for stuck resources

Adds a force delete option that sets GracePeriodSeconds=0, useful for
resources stuck with finalizers or pending deletion.

- Backend: Add force param to DeleteResource that bypasses grace period
- Frontend: Add checkbox in delete confirmation dialog
- Button label changes to "Force Delete" when enabled

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: improve force delete error handling and UX

- Handle finalizer patch errors: return 403 on RBAC failure instead of
  silently degrading, log other patch errors
- Return 409 Conflict (not 500) when resource is stuck in Terminating
- Add logging before 500 errors on delete handler
- Update checkbox label to mention finalizer stripping
- Extract shared ForceDeleteConfirmDialog component

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

feat: add first-class Trivy Operator support (#140)

Add dedicated support for 10 Trivy Operator CRD types: VulnerabilityReport,
ConfigAuditReport, ExposedSecretReport, RbacAssessmentReport,
ClusterRbacAssessmentReport, ClusterComplianceReport, SbomReport,
ClusterSbomReport, InfraAssessmentReport, ClusterInfraAssessmentReport.

Backend: auto-discover and warm up Trivy CRDs in dynamic cache, exclude
all 10 types from topology graph to prevent high-cardinality node flooding.

Frontend: 5 new dedicated renderers with severity bars, sortable finding
tables, and shared alert banners. Table cell components for all report
types with proper severity coloring. Utility functions extracted into
resource-utils-trivy.ts. Existing CRD utilities (Argo, Flux, cert-manager)
also extracted into dedicated files for consistency.

AlertBanner component refactored from inline patterns across 12 existing
renderers into a shared reusable component in drawer-components.tsx.