release: v1.95.0 — smoke/selftest split + G20 CI gate (#455)

release: v1.95.0 — smoke/selftest split + G20 CI gate

Author: itcmsgr

.github/workflows/ci-architecture.yml

@@ -357,7 +357,7 @@ jobs:
       # G8-1/G8-2/G8-3 run as Go tests (already in ci-go.yml via go test ./...)
       # G8-4 is a runtime smoke test — skips gracefully in CI (no validator binary)
       - name: Module smoke test (G8-4)
-        run: bash cli/lib/nftban/tests/test_module_smoke.sh
+        run: bash cli/lib/nftban/tests/test_module_selftest.sh
 
       # =====================================================================
       # v1.86 B86-4: Contract Enforcement — Legacy Regression Blockers

.github/workflows/ci-smoke.yml

@@ -98,3 +98,29 @@ jobs:
 
       - name: Smoke test — fhs verify
         run: nftban fhs verify 2>&1 | head -20 || true
+
+      - name: "G20 Smoke Gate — registry-driven smoke"
+        run: |
+          # Run Go registry-driven smoke. CI environment will SKIP daemon/module
+          # checks (no systemd, no live daemon) — that's correct behavior.
+          # FAIL on: runtime errors, contract violations, malformed output.
+          SMOKE_OUTPUT=$(bin/nftban-core smoke --json 2>&1) || true
+          echo "$SMOKE_OUTPUT"
+
+          # Validate JSON parseable
+          if ! echo "$SMOKE_OUTPUT" | jq empty 2>/dev/null; then
+            echo "::error::G20 Smoke Gate: smoke --json output is not valid JSON"
+            exit 1
+          fi
+
+          # Check for FAIL or INTERNAL_ERROR
+          FAIL_COUNT=$(echo "$SMOKE_OUTPUT" | jq -r '.summary.fail // 0')
+          if [ "$FAIL_COUNT" != "0" ]; then
+            echo "::error::G20 Smoke Gate: $FAIL_COUNT test(s) FAILED"
+            echo "$SMOKE_OUTPUT" | jq '.tests[] | select(.status == "FAIL")'
+            exit 1
+          fi
+
+          PASS_COUNT=$(echo "$SMOKE_OUTPUT" | jq -r '.summary.pass // 0')
+          SKIP_COUNT=$(echo "$SMOKE_OUTPUT" | jq -r '.summary.skip // 0')
+          echo "G20 Smoke Gate: PASS ($PASS_COUNT pass, $SKIP_COUNT skip, 0 fail)"

.github/workflows/secure-go.yml

@@ -95,7 +95,7 @@ jobs:
         run: go install github.com/securego/gosec/v2/cmd/gosec@v2.22.0
 
       - name: Run gosec (SARIF)
-        run: $(go env GOPATH)/bin/gosec -fmt sarif -out gosec.sarif ./... || true
+        run: $(go env GOPATH)/bin/gosec -nosec -fmt sarif -out gosec.sarif ./... || true
 
       - name: Fix gosec SARIF relationships
         run: |

CONTRIBUTING.md

@@ -66,7 +66,7 @@ Please read our [Code of Conduct](.github/CODE_OF_CONDUCT.md) before contributin
 1. Fork the repository
 2. Create a feature branch: `git checkout -b feature/your-feature`
 3. Make your changes
-4. Run tests: `nftban smoke`
+4. Run smoke tests: `nftban smoke` (non-destructive) or `nftban selftest` (lab/deep validation)
 5. Commit with clear messages
 6. Push and create a PR
 
@@ -312,9 +312,12 @@ wip
 ### Running Tests
 
 ```bash
-# Quick smoke test
+# Non-destructive smoke (safe for CI, routine checks)
 nftban smoke
 
+# Extended system validation (includes controlled state changes — ban/unban lifecycle, whitelist tests)
+nftban selftest
+
 # Full test suite
 ./tests/test_all_commands.sh
 
@@ -327,7 +330,7 @@ go test ./...
 
 ### Test Before PR
 
-1. All commands work: `nftban smoke`
+1. Smoke tests pass: `nftban smoke` (non-destructive, CI-safe)
 2. ShellCheck passes (warnings OK)
 3. Go builds without errors
 4. No regressions in existing functionality

README.md

@@ -2,9 +2,9 @@
 
 **Linux Intrusion Prevention System & nftables Firewall Manager**
 
-[![Version](https://img.shields.io/badge/version-1.83.1-blue)](https://github.com/itcmsgr/nftban/releases)
+[![Version](https://img.shields.io/badge/version-1.95.0-blue)](https://github.com/itcmsgr/nftban/releases)
 [![License: MPL 2.0](https://img.shields.io/badge/License-MPL%202.0-brightgreen.svg)](https://opensource.org/licenses/MPL-2.0)
-[![Go](https://img.shields.io/badge/Go-1.24-00ADD8.svg)](https://go.dev/)
+[![Go](https://img.shields.io/badge/Go-1.25-00ADD8.svg)](https://go.dev/)
 [![FHS Compliant](https://img.shields.io/badge/FHS-Compliant-success)]()
 
 ### CI/CD Status

VERSION

@@ -1 +1 @@
-1.94.0
+1.95.0