fix(smoke): V1 compat shim + V3 G20 CI gate — audit violations fixed

itcmsgr · claude · itcmsgr · commit 0803fb01c2ce · 2026-04-17T00:25:02.000+03:00
V1 (HIGH): Old smoke subcommands (run, lifecycle, verify, etc.) now
print migration message directing to `nftban selftest`. Prevents
silent breakage for operators upgrading from v1.94.

V3 (MEDIUM): G20 Smoke Gate wired into ci-smoke.yml. Runs
nftban-core smoke --json, validates JSON, fails on FAIL count &gt; 0.
SKIPs (expected in CI — no daemon/systemd) do not cause failure.

Ref: V195_SMOKE_SELFTEST_AUDIT.md

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci-smoke.yml b/.github/workflows/ci-smoke.yml
@@ -98,3 +98,29 @@ jobs:
 
       - name: Smoke test — fhs verify
         run: nftban fhs verify 2>&1 | head -20 || true
+
+      - name: "G20 Smoke Gate — registry-driven smoke"
+        run: |
+          # Run Go registry-driven smoke. CI environment will SKIP daemon/module
+          # checks (no systemd, no live daemon) — that's correct behavior.
+          # FAIL on: runtime errors, contract violations, malformed output.
+          SMOKE_OUTPUT=$(bin/nftban-core smoke --json 2>&1) || true
+          echo "$SMOKE_OUTPUT"
+
+          # Validate JSON parseable
+          if ! echo "$SMOKE_OUTPUT" | jq empty 2>/dev/null; then
+            echo "::error::G20 Smoke Gate: smoke --json output is not valid JSON"
+            exit 1
+          fi
+
+          # Check for FAIL or INTERNAL_ERROR
+          FAIL_COUNT=$(echo "$SMOKE_OUTPUT" | jq -r '.summary.fail // 0')
+          if [ "$FAIL_COUNT" != "0" ]; then
+            echo "::error::G20 Smoke Gate: $FAIL_COUNT test(s) FAILED"
+            echo "$SMOKE_OUTPUT" | jq '.tests[] | select(.status == "FAIL")'
+            exit 1
+          fi
+
+          PASS_COUNT=$(echo "$SMOKE_OUTPUT" | jq -r '.summary.pass // 0')
+          SKIP_COUNT=$(echo "$SMOKE_OUTPUT" | jq -r '.summary.skip // 0')
+          echo "G20 Smoke Gate: PASS ($PASS_COUNT pass, $SKIP_COUNT skip, 0 fail)"
diff --git a/cli/lib/nftban/cli/cmd_smoke.sh b/cli/lib/nftban/cli/cmd_smoke.sh
@@ -44,6 +44,19 @@ readonly CMD_SMOKE_LOADED=1
 # =============================================================================
 
 nftban_cmd_smoke() {
+    # v1.95 compatibility shim: old destructive subcommands moved to selftest
+    case "${1:-}" in
+        run|test|quick|all|detailed|lifecycle|verify|config|configs|check|orphans|stats|trace)
+            echo "NOTE: 'nftban smoke $1' was moved to 'nftban selftest' in v1.95." >&2
+            echo "" >&2
+            echo "  nftban smoke    = non-destructive system verification (CI-safe)" >&2
+            echo "  nftban selftest = extended validation with controlled state changes" >&2
+            echo "" >&2
+            echo "Run instead:  nftban selftest $*" >&2
+            return 1
+            ;;
+    esac
+
     local core_bin="${NFTBAN_CORE_BIN:-${NFTBAN_LIB_DIR}/bin/nftban-core}"
 
     if [[ ! -x "$core_bin" ]]; then
