SSO authentication now anchors account identity on the provider-issued sub claim rather than the user display name. Existing accounts are linked transparently on first login after upgrade. If a display name collision occurs with another SSO user's account, the email address is used as the account name instead.
Schema deletions are now rejected when a generic is still referenced by another node's inherit_from, and partial schema writes are rolled back if loading the updated schema fails. (#8988)
Fix branch name display in event details popover for branch deletion events.
Fix check messages overflowing outside their container in proposed changes.