docs(v1.100 PR-25): contract — append §§16-29 PR-25 execution contract

Appends the PR-25 execution contract to internal/installer/restore/
contract.md as a new "PART II — PR-25 execution contract" section
(§§16-29). This is the doc-only first PR of the PR-25 two-PR split,
mirroring the PR-24 PR #493 → PR #494 pattern. The implementation
PR opens in a separate branch after this one merges.

Origin:
The contract is a faithful normalization of the locked Q1-Q5
design decisions (recorded 2026-04-20 during PR-24 freeze Day 0
via the §12 protocol: Stage 1 scope classification + Stage 2
five-field answer + LOCK/REVISE/REJECT review). The v0 staging
sheet (memory/project_pr25_contract_sheet_v0.md) was reviewed and
locked 2026-04-27 prior to opening this PR.

Locked rule applied: "Normalize, do not expand."

Every clause in §§16-29 traces back to a Q1-Q5 lock or to V1100
contract §8. No design decisions were made in this PR.

Section map:
- §16 Purpose
- §17 Scope (Option A) + 2 named invariants
- §18 TargetAuthority concretization (Q2)
- §19 StateRestoreDecided downstream meaning (Q3)
- §20 Panel-auto target consistency (Q4)
- §21 Post-restore verification split (Q5)
- §22 State terminals + exit codes (candidates)
- §23 Execution shape (V1100 §8 ordered)
- §24 Inputs PR-25 may consume
- §25 Forbidden behaviors (consolidated)
- §26 Cross-lock consistency
- §27 What this contract does NOT contain (intentional)
- §28 Merge-blocking real-host matrix (code phase)
- §29 Reviewer checklist (code phase)

Verified live code anchors (2026-04-27):
- knownFirewallType set {ufw, firewalld, iptables, csf} at
  internal/installer/uninstall/prior.go:278-284
- writeHistory gate excluding cfg.mode == "restore" at
  cmd/nftban-installer/main.go:132
- Exit-code constants ExitCommitted=0/ExitFatal=4/ExitRefused=5/
  ExitIntentRequired=6 at internal/installer/state/machine.go:149-155

§1-§15 (PR-24 decision contract) are untouched.

Out of scope (locked):
- No code in this PR. PR-25 implementation is the next PR
  (feat/v1.100-pr25-restore-execution).
- No expansion of Q1-Q5 lock content.
- PR-26 contract stays out of scope.

Lifecycle completion lane (PR-25..PR-30) remains explicitly OPEN
but is now mid-re-entry: contract is the first deliberate step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

CHANGELOG.md

@@ -11,6 +11,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [Unreleased] - v1.100 PR-25 contract sheet (doc only)
+
+Appends the PR-25 execution contract to `internal/installer/restore/contract.md` as a new "PART II — PR-25 execution contract" section (§§16–29). This is the doc-only first PR of the PR-25 two-PR split (mirrors the PR-24 PR #493 → PR #494 pattern). The implementation PR opens in a separate branch after this one merges.
+
+### Origin
+
+The contract is a faithful normalization of the **locked Q1–Q5 design decisions** recorded 2026-04-20 during PR-24 freeze Day 0 via the §12 protocol (Stage 1 scope classification + Stage 2 five-field answer + LOCK/REVISE/REJECT review). The v0 staging sheet (`memory/project_pr25_contract_sheet_v0.md`) was reviewed and locked 2026-04-27 prior to opening this PR.
+
+### Locked rule applied
+
+> *"Normalize, do not expand."*
+
+Every clause in §§16–29 traces back to a Q1–Q5 lock or to V1100 contract §8. No design decisions were made in this PR. Items intentionally absent (final state-terminal names, final exit-code integers, test fixture matrix, real-host evidence plan, CI gate expansion plan, concrete `IsRestoreExecuted` signature, the PanelType→firewall mapping body) are documented in §27 as code-phase work.
+
+### What changed
+
+- `internal/installer/restore/contract.md` — appended §§16–29 (PR-25 execution contract) after §15 and before "Amendment history"; §1–§15 (PR-24 decision contract) untouched. New "PART II" header marks the boundary. Amendment history gains a 2026-04-27 v2 entry documenting the append + verified code anchors.
+
+### Verified code anchors (2026-04-27)
+
+| Lock reference | Verified at |
+|---|---|
+| `knownFirewallType` set `{ufw, firewalld, iptables, csf}` | `internal/installer/uninstall/prior.go:278-284` |
+| writeHistory gate excluding `cfg.mode == "restore"` | `cmd/nftban-installer/main.go:132` |
+| Exit-code constants `ExitCommitted=0`, `ExitFatal=4`, `ExitRefused=5`, `ExitIntentRequired=6` | `internal/installer/state/machine.go:149-155` |
+
+All three live in surfaces that were fenced under the PR-24 freeze and remained untouched throughout the GOTH removal + SF-1 + repo hygiene stabilization train.
+
+### Out of scope (locked)
+
+- **No code in this PR.** PR-25 implementation (Go types, execution engine, inline safety interlock, state terminals, tests, CI gate update) is the *next* PR (`feat/v1.100-pr25-restore-execution`) and opens only after this contract PR merges.
+- **No expansion** of Q1–Q5 lock content.
+- PR-26 contract content stays out of scope (defined by PR-26's own seed work).
+
+Lifecycle completion lane (PR-25..PR-30) remains explicitly **OPEN** but is now mid-re-entry: contract is the first deliberate step.
+
+---
+
 ## [Unreleased] - v1.100.3e Repo hygiene Phase A slice 1e (H-07 + H-08)
 
 Closes audit findings **H-07** (STATUS.md version drift) and **H-08** (README.md badge version drift). Both displayed visible-version strings that no longer matched `/VERSION` (1.98.2). STATUS.md claimed v1.89.0 (-9 minor versions); README badge pinned 1.95.0 (-3 patches).

internal/installer/restore/contract.md

@@ -332,6 +332,303 @@ Four new gates in the `G4-RESTORE-*` namespace:
 
 ---
 
+# PART II — PR-25 execution contract
+
+> **Boundary rule (locked):** PR-24 decides. PR-25 executes. PR-25 may never reinterpret PR-24.
+>
+> Sections §16–§29 below are normative for PR-25 only. They do not modify §1–§15.
+
+## 16. Purpose (PR-25)
+
+PR-25 is the **execution** counterpart of PR-24's decision engine.
+
+| Phase | Owner |
+|---|---|
+| Decision (PROCEED / REFUSE / REQUIRE_EXPLICIT_INTENT) | PR-24 (§§1–15 above; merged, soak-validated) |
+| Execution (mutate kernel + service run-state to fulfil the authorized decision) | **PR-25 (§§16–29 below)** |
+| Post-restore verification gate | PR-26 (separate scope) |
+
+## 17. Scope — Option A: restore execution only (locked, Q1)
+
+PR-25 is **restore execution only**. Bundled purge / remove / artifact-cleanup semantics are EXPLICITLY excluded.
+
+### 17.1 Permitted (PR-25 may do)
+
+- Kernel `nft` mutations within the authorized target's surface
+- Service **run-state** changes: `start` / `stop` of `nftband.service` and the target-native firewall service (`ufw` / `firewalld` / `iptables` / `csf` per §20)
+- Emergency-SSH safety net: insertion before mutation, removal after inline verification (§21)
+- New execution-outcome state terminals + exit codes (§22)
+
+### 17.2 Forbidden (PR-25 may NOT do)
+
+| Forbidden surface | Why excluded |
+|---|---|
+| `enable` / `disable` policy mutation | INV-PR25-STATIC-SERVICE-LIFECYCLE |
+| `mask` / `unmask` | Same |
+| Unit-file mutation | Same |
+| Cross-target service orchestration | Authority-isolation invariant |
+| Filesystem artifact cleanup | Q1 forbidden — deferred to a future purge contract |
+| `.conf.local` policy mutation | Operator-content surface; not lifecycle |
+| History-schema changes | Stability of decision-record layer |
+| `--purge` flag semantics | Q1 forbidden |
+| Post-restore verification gate | Q5-B → PR-26 |
+| Panel-auto target-identity *resolution* | Q4 — execution-time mapping only |
+| Shell wrapper code | Implementation surface choice |
+
+### 17.3 Scope-bounding invariants (named, locked)
+
+- **INV-PR25-AUTHORITY-IMMUTABILITY**: `TargetAuthority` resolved by PR-24 PROCEED is unchanged across the entire PR-25 execution window. No mid-flight re-resolution.
+- **INV-PR25-STATIC-SERVICE-LIFECYCLE**: PR-25 makes no change to systemd unit policy, enable/disable state beyond run-state, or unit files.
+
+## 18. TargetAuthority concretization (locked, Q2)
+
+`TargetAuthority` is a struct with **unexported fields** and read-only accessors. Construction is constrained to one of three paths.
+
+### 18.1 Type definition (canonical)
+
+```go
+type TargetAuthorityKind string
+
+const (
+    TargetAuthorityKindNone          TargetAuthorityKind = ""              // zero value
+    TargetAuthorityKindRecordedPrior TargetAuthorityKind = "recorded_prior"
+    TargetAuthorityKindPanelNative   TargetAuthorityKind = "panel_native"
+)
+
+type TargetAuthority struct {
+    kind         TargetAuthorityKind   // unexported
+    firewallType string                // unexported
+    panel        detect.PanelType      // unexported
+}
+
+// Read-only accessors
+func (t TargetAuthority) Kind() TargetAuthorityKind
+func (t TargetAuthority) FirewallType() string
+func (t TargetAuthority) Panel() detect.PanelType
+
+// Per-Kind constructors
+func TargetNone() TargetAuthority
+func TargetRecordedPrior(firewallType string) (TargetAuthority, error)
+func TargetPanelNative(panel detect.PanelType) (TargetAuthority, error)
+```
+
+### 18.2 Construction paths
+
+| Kind | Reachable via | Validation |
+|---|---|---|
+| `None` | `TargetNone()` OR zero value `TargetAuthority{}` (equivalent and intentional) | n/a |
+| `RecordedPrior` | ONLY `TargetRecordedPrior(firewallType)` | `firewallType ∈ knownFirewallType` set defined at `internal/installer/uninstall/prior.go:278-284`: `{ufw, firewalld, iptables, csf}` |
+| `PanelNative` | ONLY `TargetPanelNative(panel)` | `panel ≠ detect.PanelNone` |
+
+### 18.3 Payload invariants (per Kind)
+
+| Kind | Required fields shape |
+|---|---|
+| `None` | `firewallType=""`, `panel=PanelNone` |
+| `RecordedPrior` | `firewallType ∈ known set`, `panel=PanelNone` |
+| `PanelNative` | `firewallType=""`, `panel ≠ PanelNone` |
+
+### 18.4 Closed-enum discipline
+
+- `Kind` enum is closed at the type level. Adding a variant requires §12-style review.
+- Default branch in any `Kind` switch MUST `panic` at runtime.
+- No exported mutators. Post-construction immutability is by type design — not enforced by CI/linter (acknowledged limit).
+
+## 19. StateRestoreDecided downstream meaning (locked, Q3)
+
+### 19.1 Semantic rule
+
+> *"Exit code 0 from `--mode=restore` with `StateRestoreDecided` is a policy-handoff outcome only. It is NOT evidence that any restoration mutation has been executed."*
+
+### 19.2 Four enforcement layers
+
+| Layer | What | Where |
+|---|---|---|
+| 1 — Type-level distinctness (narrow) | `StateRestoreDecided` is a distinct constant; PR-25 execution-terminals are **separate** constants. Prevents equality-based confusion only. | `internal/installer/state/machine.go` |
+| 2 — API-level disambiguation (PR-25, optional) | `IsRestoreExecuted(s State) bool` helper. Returns true ONLY for execution-terminals. Never true for `StateRestoreDecided`. | new helper alongside `IsApplyTerminal` |
+| 3 — Contract-level documentation | Consumer-facing rule added to `state/machine.go` comment + this document. Covers the exit-code-misread class. | (this section) |
+| 4 — Defensive gate (already landed) | `cfg.mode == "restore"` excluded from history-write at `cmd/nftban-installer/main.go:132`. | (existing) |
+
+### 19.3 Consumer rule
+
+Consumers MUST NOT use `sf.State == StateRestoreDecided` to infer that restoration execution has occurred.
+
+### 19.4 Exit code discipline
+
+PR-25 execution terminals MUST carry distinct exit codes, **separate from** the existing constants at `internal/installer/state/machine.go:149-155`:
+
+- `ExitCommitted = 0`
+- `ExitFatal = 4`
+- `ExitRefused = 5`
+- `ExitIntentRequired = 6`
+
+New PR-25 exit codes are allocated from the next available integers.
+
+## 20. Panel-auto target consistency (locked, Q4)
+
+When `TargetAuthority.Kind == PanelNative`, PR-25 execution resolves the firewall via a **static explicit mapping**:
+
+```
+target_firewall = mapping[TargetAuthority.Panel()]
+```
+
+### 20.1 Mapping properties
+
+- **Static, compile-time.** Shipped with PR-25 code as a const map or exhaustive switch.
+- **Key type:** `detect.PanelType`.
+- **Output validation rule:** mapped value MUST be a member of `knownFirewallType` (the same set used in §18.2).
+- **Not required to be exhaustive** over all `detect.PanelType` values.
+
+### 20.2 Ambiguity resolution
+
+| Case | PR-25 behavior |
+|---|---|
+| Panel ∈ mapping | Execute the mapped firewall |
+| Panel ∉ mapping | **REFUSE before any mutation.** Transition to PR-25 execution-failure terminal (see §22). |
+
+### 20.3 Forbidden fallbacks
+
+- **No fallback** to a default firewall on unmapped panel.
+- **No fallback** to recorded-prior `FirewallType` (structurally empty by §18.3 invariant when Kind=PanelNative; AND contractually forbidden to consult).
+- **No heuristic**, **no runtime discovery**, **no config-driven mapping**.
+
+### 20.4 Boundary with PR-24
+
+§20 is **execution-time** resolution. PR-24 decision-time behavior is NOT modified.
+
+## 21. Post-restore verification — split (locked, Q5)
+
+### 21.1 PR-25 — INLINE VERIFICATION = safety interlock, NOT a gate
+
+- **Purpose:** Prove enough about the mutation outcome to *truthfully set the execution-terminal state* AND *safely remove the safety net*.
+- **Scope rule:** Minimum-sufficient checks for terminal-state + safety-net removal decisions.
+- **Coverage:** seed skeleton §11's first three assertions only:
+  - Target firewall is active
+  - nftban authority class is correct (post-mutation)
+  - Safety-net removal is safe to proceed with
+- **Timing:** Runs WHILE the safety net is still present.
+- **Classification:** **safety interlock**, not a verification gate.
+
+### 21.2 PR-26 — POST-RESTORE VERIFICATION GATE (scope-expanded, NOT in this contract)
+
+PR-26 contract content is defined by PR-26's own contract seed work, NOT by §21.
+
+What §21 records about PR-26:
+- PR-26 is **scope-expanded** from V1100 contract §8's "post-uninstall verification" / G3-UN-VERIFY to also cover post-restore outcomes.
+- PR-26 has its own verification-outcome terminals and exit codes.
+- PR-26 has its own operator-invokable CLI surface (PR-26 scope, NOT §21).
+- PR-26 is **scope-expanded, not replaced, renumbered, or split**.
+
+### 21.3 Hard invariant
+
+PR-25 MUST NOT remove the safety net until inline verification (§21.1) passes. (V1100 contract §8 step 5.)
+
+### 21.4 PR-25 must NOT implement the gate
+
+PR-25 implements only §21.1. The full gate is PR-26's contract scope.
+
+## 22. State terminals + exit codes (PR-25 introduces)
+
+Concrete names are open in the lock — confirmed candidate set, finalized in code phase:
+
+| Candidate name | Meaning | Exit code |
+|---|---|---|
+| `StateRestoreExecuted` | Full mutation completed AND inline verification passed AND safety net removed | next available |
+| `StateRestoreFailedExecution` | Mutation failed mid-flight; safety net still present; system rolled to known-safe state | next |
+| `StateRestoreDegraded` | Mutation completed but inline verification flagged a soft-fail condition; safety net removed under explicit policy | next |
+| `StateRestoreFailedVerification` | Mutation completed but inline verification hard-failed; safety net retained; explicit operator action required | next |
+
+Constraints:
+- All four MUST be NEW constants distinct from `StateRestoreDecided` (§19.2 layer 1).
+- Exit codes MUST be distinct from `ExitCommitted=0` / `ExitFatal=4` / `ExitRefused=5` / `ExitIntentRequired=6`.
+- `IsRestoreExecuted(s)` (§19.2 layer 2) returns true for `StateRestoreExecuted` and `StateRestoreDegraded`; false for the other two AND for `StateRestoreDecided`.
+
+Final names + final integers chosen during the code phase.
+
+## 23. Execution shape (V1100 §8, ordered)
+
+PR-25 execution proceeds in this exact ordered sequence:
+
+1. **Preflight target validation** — confirm authority resolution still satisfies invariants (§18.3 payload invariants); confirm `knownFirewallType` membership (RecordedPrior); confirm panel mapping resolves (PanelNative). Refuse here is non-mutating.
+2. **Safety net insertion** — emergency-SSH allow rule before any other mutation.
+3. **Minimal target-specific execution** — kernel nft mutations + service run-state changes for the authorized target only. No cross-target traffic.
+4. **Verification while safety net still present** — inline checks per §21.1.
+5. **Safety net removal only after verification passes** — hard gate, no exceptions.
+6. **Terminal state set truthfully** — pick the execution-success or execution-failure terminal that matches step-4 outcome; emit the corresponding exit code.
+
+## 24. Inputs PR-25 may consume
+
+- **PR-24 output** — decision MUST be `PROCEED`. `REFUSE` / `REQUIRE_EXPLICIT_INTENT` → PR-25 does not run.
+- **Resolved target identity** — `TargetAuthority` of `Kind=RecordedPrior` (with `firewallType`) OR `Kind=PanelNative` (with `panel`). `Kind=None` → PR-25 does not run.
+- **Current classifier state** — must still be compatible at runtime (preflight at §23 step 1).
+- **Prior record** — only as already reduced/approved by the PR-24 path. PR-25 does not re-reduce.
+
+PR-25 may **NOT** consume:
+- Any signal that re-derives `TargetAuthority` (locked by INV-PR25-AUTHORITY-IMMUTABILITY).
+- Operator config beyond what was already authorized by PR-24.
+
+## 25. Forbidden behaviors (consolidated)
+
+- No execution if PR-24 ≠ `PROCEED`.
+- No target inference beyond what PR-24 authorized.
+- No reinterpretation of `StateRestoreDecided` as success.
+- No silent fallback between targets.
+- No "try restore, then rebuild nftban if fails" pattern.
+- No hidden purge/remove unless explicitly in scope (it isn't).
+- No history-schema redesign unless separately approved.
+- No mutation outside the declared target surface.
+- No mid-flight `TargetAuthority` re-resolution.
+- No verification beyond §21.1 inline checks (gate is PR-26).
+- No safety-net removal before inline verification passes.
+
+## 26. Cross-lock consistency
+
+- **§17 narrow scope × §21 split** → PR-25 stays execution-only; gate-level verification stays in PR-26 → scope integrity preserved.
+- **§18 type safety × §20 panel resolution** → `FirewallType` structurally empty for `PanelNative` (§18.3 invariant) AND forbidden to consult (§20.3 contract) → no accidental cross-variant authority leak.
+- **§17 authority-resolution immutability × §19 decision-vs-execution boundary** → `TargetAuthority` set once by PR-24, read-only by PR-25 → no reinterpretation across the boundary.
+- **§19 rollback coupling × §21 inline safety interlock** → inline verification gates safety-net removal → prevents "remove before prove" rollback failure that would corrupt §19's decision-execution distinction.
+
+## 27. What this contract does NOT contain (intentional, not omission)
+
+- Final state-terminal names + final integer exit codes (§22 candidates only)
+- Test fixture matrix (parallels PR-24's exhaustive matrix; produced during code phase)
+- Real-host evidence plan (§28 below names hosts; the matrix itself is code-phase work)
+- CI gate expansion plan (minimal beyond what's already in `ci-restore-canonization.yml`; specifics emerge in code phase)
+- Concrete `IsRestoreExecuted` signature (helper is locked as §19.2 layer 2 optional API)
+- The PanelType → firewall mapping itself (locked as static; concrete map content is code-phase work)
+
+These are intentionally absent. **Expansion would violate the locked rule "no expansion beyond Q1–Q5".**
+
+## 28. Merge-blocking real-host matrix (PR-25 code-phase)
+
+| Host | OS / family | Required evidence |
+|---|---|---|
+| `lab2` | Ubuntu 24.04 / DEB | DEB execution path: at least one `RecordedPrior` case |
+| `lab4` | AlmaLinux 9 / RPM | RPM execution path: at least one `RecordedPrior` case |
+| (TBD) | panel host (cPanel / DA / Plesk) | At least one `PanelNative` case if in scope at code phase |
+
+Evidence plan is code-phase work; this section names the hosts only.
+
+## 29. Reviewer checklist (merge-blocking, PR-25 code-phase only)
+
+- [ ] §18.1 type definition matches verbatim; no exported mutators.
+- [ ] §18.2 construction paths exhaustive; no fourth path exists.
+- [ ] §18.3 payload invariants enforced in constructors.
+- [ ] §18.4 default-branch panic present in every `Kind` switch.
+- [ ] §19.2 layer 1 — execution terminals are NEW constants, not aliases.
+- [ ] §19.2 layer 4 — `main.go:132` writeHistory gate untouched.
+- [ ] §19.4 — new exit codes distinct from existing 0/4/5/6.
+- [ ] §20.1 mapping is static (not config-driven, not runtime-discovered).
+- [ ] §20.3 — no fallback paths exist anywhere in execution code.
+- [ ] §21.1 inline verification covers exactly the three assertions; nothing more.
+- [ ] §21.3 hard invariant — no code path removes safety net before §21.1 returns success.
+- [ ] §23 execution sequence respected exactly; no reordering.
+- [ ] §25 forbidden behaviors all absent from code.
+- [ ] §28 real-host evidence captured for at least lab2 + lab4.
+- [ ] CI gate updated minimally (no scope expansion beyond restore-execution surface).
+
+---
+
 ## Amendment history
 
 - **2026-04-20 v1 (seed)** — first committed seed. Lattice v2 + three locked corrections:
@@ -343,3 +640,5 @@ Four new gates in the `G4-RESTORE-*` namespace:
   2. `§6` Group 4 precedence clarifier added: 4.1 / 4.2 match on prior state for flags {`none`, `--restore`}; 4.3 matches `--panel-auto-takeover` regardless of prior.
 
   Neither edit changes lattice behavior (§5 precedence already produces the correct outcome).
+
+- **2026-04-27 v2 (PR-25 contract append)** — appends Part II (§§16–29: PR-25 execution contract). Faithful normalization of the locked Q1–Q5 design decisions (recorded 2026-04-20 during PR-24 freeze Day 0) following the locked "no expansion beyond Q1–Q5" rule. Sections §1–§15 are untouched. Verified live-code anchors at `internal/installer/uninstall/prior.go:278-284` (knownFirewallType set), `cmd/nftban-installer/main.go:132` (writeHistory gate), `internal/installer/state/machine.go:149-155` (existing exit-code constants). Doc-only commit; no code changes in this PR. Code phase opens in a separate PR after this one merges.