feat: Networks-Members für bridge/bond + System-Rules-Card + Theme-Revert

* Migration 0011: members JSONB für network_interfaces. Bridge/bond
  brauchen ≥1 Member (NOT VALID-Constraint, schont bestehende Rows).
  vlan/wireguard/ethernet ignorieren das Feld.
* Backend-Validation pro Typ: vlan→parent+vlan_id, bridge/bond→members,
  ethernet/wireguard→keins. Repo serialisiert via JSONB.
* Form Networks: Members-Multi-Select für bridge/bond, Composition-
  Spalte zeigt vlan-tag bzw. Member-Liste.
* Firewall-Rules-Tab zeigt jetzt SystemRulesCard ganz oben — Anti-
  Lockout (SSH/443), stateful baseline, default-deny-Erklärung.
* Theme-Tokens 1:1 mail-gateway: fontSize 13, controlHeight 34
  (vorher zu dichtes 12/28). Density kommt vom DataTable size="small".
* Makefile publish-amd64 lädt jetzt auch edgeguard-ui_*_all.deb und
  edgeguard_*_all.deb hoch (vorher nur api).
* Version 1.0.0 → 1.0.3.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

management-ui/src/i18n/locales/de/common.json

@@ -80,6 +80,16 @@
       "comment": "Kommentar",
       "add": "NAT-Regel hinzufügen", "edit": "NAT-Regel bearbeiten",
       "deleteConfirm": "Diese NAT-Regel wirklich löschen?"
+    },
+    "sys": {
+      "title": "System-Regeln (immer aktiv)",
+      "chain": "Chain", "match": "Match", "action": "Aktion", "note": "Hinweis",
+      "policy": "Default-Policy",
+      "policyValue": "Eingang DROP — alles muss explizit erlaubt werden.",
+      "order": "Auswertung",
+      "orderValue": "System-Regeln zuerst, danach Operator-Regeln top-down (priority asc, first-match).",
+      "lockout": "Anti-Lockout",
+      "lockoutValue": "SSH (22) und Management-UI (443) sind immer erreichbar — können auch vom Operator nicht versehentlich gesperrt werden."
     }
   },
   "networks": {
@@ -91,8 +101,15 @@
     "name": "Name",
     "type": "Typ",
     "parent": "Parent-Interface",
+    "selectParent": "Parent wählen",
     "vlan": "VLAN",
     "vlanId": "VLAN-ID",
+    "composition": "Zusammensetzung",
+    "members": "Member-Interfaces",
+    "selectMembers": "Physische Interfaces wählen",
+    "membersRequired": "Mindestens ein Member-Interface erforderlich",
+    "membersHintBridge": "Eine Bridge bündelt mehrere physische Ports auf L2 — typisch zwei Ports für einen Software-Switch.",
+    "membersHintBond": "Ein Bond aggregiert mehrere physische Ports zu einem logischen Link (LACP / active-backup).",
     "role": "Rolle",
     "mtu": "MTU",
     "active": "Aktiv",

management-ui/src/i18n/locales/en/common.json

@@ -80,6 +80,16 @@
       "comment": "Comment",
       "add": "Add NAT rule", "edit": "Edit NAT rule",
       "deleteConfirm": "Really delete this NAT rule?"
+    },
+    "sys": {
+      "title": "System rules (always active)",
+      "chain": "Chain", "match": "Match", "action": "Action", "note": "Note",
+      "policy": "Default policy",
+      "policyValue": "Input DROP — everything must be explicitly allowed.",
+      "order": "Evaluation",
+      "orderValue": "System rules first, then operator rules top-down (priority asc, first-match).",
+      "lockout": "Anti-lockout",
+      "lockoutValue": "SSH (22) and the management UI (443) are always reachable — even the operator can't accidentally lock themselves out."
     }
   },
   "networks": {
@@ -94,6 +104,12 @@
     "selectParent": "Select parent",
     "vlan": "VLAN",
     "vlanId": "VLAN ID",
+    "composition": "Composition",
+    "members": "Member interfaces",
+    "selectMembers": "Select physical interfaces",
+    "membersRequired": "At least one member interface is required",
+    "membersHintBridge": "A bridge joins multiple physical ports at L2 — typically two ports for a software switch.",
+    "membersHintBond": "A bond aggregates multiple physical ports into one logical link (LACP / active-backup).",
     "role": "Role",
     "mtu": "MTU",
     "active": "Active",