feat(v1.100 PR-26-code-B): typed executor.ServiceUnmask + executor.Rename + raw-Run policy tightening (#515)

PR-26-code-B — restore verification / evidence hardening, slice B.
Executor hardening per §43 lock + §51.5-A2 invariant. CSF restore
A.1 + A.3 migrate from raw Run("systemctl","unmask",…) +
Run("mv",…) indirections to typed executor methods.

Authority:
- PR #512 / contract.md Part IV §§37-50
- PR #513 / §51 lock record (§51.5-A2: read-only typed introspection
  is outside the mutation cap; this commit's ServiceUnmask + Rename
  ARE mutation surfaces, but already enumerated by §44 row 2)
- PR #514 / code-A merge 4e98ff5
- §43 executor hardening
- §46 CI gate requirements
- §51 code-B authorization

Behavior delta:
- Before: A.1 used exec.Run("systemctl","unmask",csfServiceUnit) wrapped
  by helper unmaskCSFService; A.3 used exec.Run("mv",old,new) wrapped
  by helper renameAtomicViaExec.
- After: A.1 uses m.exec.ServiceUnmask(csfServiceUnit); A.3 uses
  m.exec.Rename(csfBinaryDisabled, csfBinary). Both helpers REMOVED.
  Mutation surface is unchanged in operational meaning; the typed
  call shape lets the CI gate enforce per-call discipline at the
  symbol level instead of via fragile Run-arg parsing.

Files changed (6):

internal/installer/executor/executor.go
- Executor interface gains:
    ServiceUnmask(unit string) error  // inverse of ServiceMask
    Rename(oldpath, newpath string) error  // atomic same-FS rename
- Header doc updated to list both new methods.

internal/installer/executor/real.go
- RealExecutor.ServiceUnmask runs systemctl unmask via Run with the
  same typed error wrapping pattern as ServiceMask.
- RealExecutor.Rename calls os.Rename directly (consistent with
  WriteFileAtomic's existing os.Rename usage). No process spawn.

internal/installer/executor/mock.go
- MockExecutor.ServiceUnmask records ("systemctl","unmask",unit) and
  returns m.ServiceUnmaskErr (nil by default).
- MockExecutor.Rename records ("rename",oldpath,newpath), returns
  m.RenameErr if non-nil; otherwise simulates the rename in the
  in-memory Files map.
- New error-injection fields: ServiceUnmaskErr, RenameErr — mirror
  the RunResults exit-code injection pattern.

cmd/nftban-installer/restore_deps_csf.go
- Helpers unmaskCSFService and renameAtomicViaExec REMOVED. Replaced
  by a comment block documenting the §43.2 lock.
- A.1 call site: m.exec.ServiceUnmask(csfServiceUnit).
- A.3 call site: m.exec.Rename(csfBinaryDisabled, csfBinary).
- No raw Run("systemctl","unmask",…) and no raw Run("mv",…) remain.
- Log messages preserved; error wrapping (ErrCSFRestoreUnmaskFailed
  + ErrCSFRestoreBinaryRestoreFailed) preserved.

cmd/nftban-installer/restore_deps_csf_test.go
- buildCSFFixture: unmaskFailsExit injects mock.ServiceUnmaskErr;
  mvBinaryFailsExit injects mock.RenameErr (the previous
  RunResults-based simulation is removed; the OnCommand callback
  that simulated the rename in the Files map is also removed —
  Mock.Rename does that natively now).
- TestCSFMutate_4B3csf_A3_* tests updated: assertions move from
  CommandCalled("mv", …) to CommandCalled("rename", …) because
  Mock.Rename records "rename", not "mv".
- HappyPath_NoOutOfTargetMutation allow-list and OrderingPin
  expected sequences updated: A.3's recorded shape becomes
  ("rename", oldpath, newpath) instead of ("mv", oldpath, newpath).
- Seven new TestCSFMutate_PR26B_* tests added:
    1. A1_ServiceUnmaskOnlyCSFService — pins ServiceUnmask called
       only on csf.service
    2. A3_RenameOnlyCSFBinaryRestore — pins Rename called only with
       (csf.disabled → csf)
    3. NoRawSystemctlUnmaskRun_FileScan — pins no raw
       Run("systemctl","unmask",…) remains in production source
    4. NoRawMvRun_FileScan — pins no raw Run("mv",…) remains
    5. A1_UnmaskFailure_TypedErrorPreserved — error contract
       preserved through the migration
    6. A3_RenameFailure_TypedErrorPreserved — same for A.3
    7. RemovedHelpersGone_FileScan — pins removal of the
       unmaskCSFService and renameAtomicViaExec function definitions

.github/workflows/ci-restore-canonization.yml
- G4-RESTORE-EXEC-NO-OUT-OF-TARGET strengthened per §43.4 + §46.1:
    * \bexec\.ServiceUnmask\( REMOVED from forbidden list (now the
      authorized typed method for A.1).
    * Added forbidden patterns for raw Run("systemctl",…) with any
      mutating verb (start/stop/enable/disable/mask/unmask/restart/
      reload/daemon-reload). Read-only Run("systemctl","is-enabled",…)
      remains authorized.
    * Added forbidden pattern for raw Run("mv",…). Typed Rename is
      the only authorized atomic-rename path.
    * §46.1 line-skipping discipline applied: gate strips
      line-leading "//" comments before pattern matching, preventing
      the false-positive class that broke Policy Gates on PR #511.
    * Header rewritten to reflect the post-PR-26-code-B authorized
      mutation set (typed ServiceUnmask / typed Rename; no raw Run
      for mutating systemctl verbs or mv).

Constraints honored (per §51.6 + operator scope):

IN scope:
- typed executor.ServiceUnmask ✓
- typed executor.Rename ✓
- migration of CSF restore A.1 + A.3 to typed methods ✓
- raw Run policy tightening (CI gate) ✓
- G4-RESTORE-EXEC-NO-OUT-OF-TARGET strengthened ✓

OUT of scope (and untouched):
- cron backup / A.4 (PR-26-code-C)
- destructive soak (PR-26-code-E)
- IptablesRuleExists / iptables introspection (Option B lock)
- target-specific predicate changes (already done in code-A)
- inline verification behavior changes
- restore decision lattice
- TargetAuthority / planner
- main.go history gate
- state machine / exit codes
- contract.md
- repo hygiene / UX / GOTH / metrics / module cleanup

Verified on lab2 (Ubuntu 24.04, go1.22.2):
- go build ./... clean
- go test ./cmd/nftban-installer/... ./internal/installer/restore/... ./internal/installer/state/... ./internal/installer/executor/... PASS
- go test ./... PASS (full suite)
- go test -race -count=1 ./cmd/nftban-installer ./internal/installer/restore/... ./internal/installer/state/... PASS
- go vet (cmd + restore + state + executor) clean
- go mod tidy no-op
- 7 new TestCSFMutate_PR26B_* tests all PASS
- Local replay of strengthened G4-RESTORE-EXEC-NO-OUT-OF-TARGET gate:
  FAIL=0 against the migrated restore_deps_csf.go (only authorized
  NftDeleteTable("ip","nftban") + NftDeleteTable("ip6","nftban")
  calls; no raw mutating Run, no os.* bypass, no
  custombuild/iptables/rebuild/purge symbols).

Awaiting auditor pass before push.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

.github/workflows/ci-restore-canonization.yml

@@ -263,31 +263,35 @@ jobs:
       # ------------------------------------------------------------------
       # G4-RESTORE-EXEC-NO-OUT-OF-TARGET — closed mutation surface in
       # the cmd/-side restore-execution code. Per Amendment 1 §31 / §32,
-      # the only authorized mutations on the CSF restore path are:
+      # the authorized mutations on the CSF restore path are:
       #
-      #   - Run("systemctl", "unmask", "csf.service")          A.1
-      #   - ServiceEnable("csf.service")                       A.2
-      #   - Run("mv", "/usr/sbin/csf.disabled",
-      #               "/usr/sbin/csf")                         A.3
-      #   - ServiceStart("csf.service")                        A.5
-      #   - ServiceStop("nftband.service")                     A.6
-      #   - NftDeleteTable("ip", "nftban")                     A.7
-      #   - NftDeleteTable("ip6", "nftban")                    A.7
+      #   - exec.ServiceUnmask("csf.service")                  A.1 (typed; PR-26-code-B)
+      #   - exec.ServiceEnable("csf.service")                  A.2
+      #   - exec.Rename("/usr/sbin/csf.disabled",
+      #                 "/usr/sbin/csf")                       A.3 (typed; PR-26-code-B)
+      #   - exec.ServiceStart("csf.service")                   A.5
+      #   - exec.ServiceStop("nftband.service")                A.6
+      #   - exec.NftDeleteTable("ip", "nftban")                A.7
+      #   - exec.NftDeleteTable("ip6", "nftban")               A.7
       #
-      # The gate's job is forbidden-symbol coverage at the call-expression
-      # level. Per-call argument enforcement (which unit is started, which
-      # path is renamed) is delegated to the in-Go runtime tests in
-      # restore_deps_csf_test.go (TestCSFMutate_4B3csf_A1_NoUnmaskOfOtherServices,
+      # PR-26-code-B (§43) promoted A.1 + A.3 from raw `Run("systemctl",
+      # "unmask", …)` and `Run("mv", …)` to the typed methods listed
+      # above. The gate's old `\bexec\.ServiceUnmask\(` forbid is
+      # therefore REMOVED, and explicit raw-Run forbids replace it.
+      #
+      # The gate's job is forbidden-symbol coverage. Per-call argument
+      # enforcement (which unit is started, which path is renamed) is
+      # delegated to the in-Go runtime tests in restore_deps_csf_test.go
+      # (TestCSFMutate_4B3csf_A1_NoUnmaskOfOtherServices,
       # …_A2_EnableOnlyCSFService, …_A5_StartsOnlyCSFService,
-      # …_A6_StopsOnlyNftband_AfterCSFStarts,
-      # …_HappyPath_NoOutOfTargetMutation) which assert against
-      # MockExecutor with full Go-level type information. Trying to
-      # reproduce that in shell regex on identifier arguments
-      # (csfServiceUnit, oldpath/newpath) gives false confidence.
+      # …_A6_StopsOnlyNftband_AfterCSFStarts, …_HappyPath_NoOutOfTargetMutation,
+      # TestCSFMutate_PR26B_A1_ServiceUnmaskOnlyCSFService,
+      # TestCSFMutate_PR26B_A3_RenameOnlyCSFBinaryRestore).
       #
-      # Forbidden patterns are call-expression-anchored (\bexec\.) so
-      # they catch real call sites and skip prose / error messages /
-      # comments / const definitions.
+      # §46.1 line-skipping discipline: the gate scans only the
+      # production file (no _test.go), and skips line-leading "//"
+      # comments to avoid the false-positive class that hit Policy
+      # Gates on PR #511.
       # ------------------------------------------------------------------
       - name: G4-RESTORE-EXEC-NO-OUT-OF-TARGET — restore_deps_csf.go closed mutation surface
         shell: bash
@@ -300,23 +304,24 @@ jobs:
             exit 1
           fi
 
+          # §46.1 production-only scan: build a comment-stripped view
+          # so doc-comment lines never trip the forbidden-pattern grep.
+          stripped=$(grep -vE '^[[:space:]]*//' "$target" || true)
+
           # Forbidden: out-of-Amendment-1 mutation surface. Each pattern
           # is anchored to a call expression (\bexec\. or similar) so
-          # legitimate doc strings, error messages, and const
-          # definitions don't false-match.
+          # legitimate string literals don't false-match. Doc comments
+          # are already excluded by the line-leading // strip above.
           forbidden_patterns=(
-            # Service-policy mutations (mask/disable/unmask-typed/daemon-reload).
-            # The csf restore path uses Run("systemctl","unmask",csf.service)
-            # for A.1; the typed exec.ServiceUnmask method is forbidden so
-            # we don't accidentally land on a future executor surface that
-            # bypasses the audit trail.
+            # Service-policy mutations (mask/disable/daemon-reload) are
+            # forbidden by Amendment 1 §34. ServiceUnmask is no longer
+            # forbidden — PR-26-code-B promoted it to authorized typed
+            # method for A.1.
             '\bexec\.ServiceMask\('
             '\bexec\.ServiceDisable\('
-            '\bexec\.ServiceUnmask\('
             '\bexec\.DaemonReload\('
-            # Filesystem-mutation primitives — A.4 cron-restore is a
-            # soft-skip in 4B-3-csf; any WriteFileAtomic in this file is
-            # therefore an out-of-scope mutation.
+            # Filesystem-mutation primitives. A.4 cron-restore is a
+            # soft-skip; any WriteFileAtomic here is out of scope.
             '\bexec\.WriteFileAtomic\('
             # Direct OS bypass (must route through the executor).
             '"os/exec"'
@@ -326,6 +331,22 @@ jobs:
             '\bos\.WriteFile\('
             '\bos\.Create\('
             '\bsyscall\.'
+            # PR-26-code-B raw-Run policy tightening (§43.3): mutating
+            # systemctl verbs MUST go through their typed methods.
+            # Read-only `Run("systemctl", "is-enabled", …)` and similar
+            # probes remain authorized.
+            'Run\("systemctl",[[:space:]]*"start"'
+            'Run\("systemctl",[[:space:]]*"stop"'
+            'Run\("systemctl",[[:space:]]*"enable"'
+            'Run\("systemctl",[[:space:]]*"disable"'
+            'Run\("systemctl",[[:space:]]*"mask"'
+            'Run\("systemctl",[[:space:]]*"unmask"'
+            'Run\("systemctl",[[:space:]]*"restart"'
+            'Run\("systemctl",[[:space:]]*"reload"'
+            'Run\("systemctl",[[:space:]]*"daemon-reload"'
+            # Raw mv via Run is forbidden — typed exec.Rename is the
+            # only authorized atomic-rename surface.
+            'Run\("mv"\b'
             # DirectAdmin custombuild rewrite forbidden (§34).
             '\bcustombuild\b'
             '"build set csf"'
@@ -343,8 +364,11 @@ jobs:
 
           fail=0
           for pat in "${forbidden_patterns[@]}"; do
-            if grep -nE "$pat" "$target" 2>/dev/null; then
+            if echo "$stripped" | grep -nE "$pat" >/dev/null 2>&1; then
+              # Re-grep against the original file (with line numbers)
+              # so the error message points at the right line.
               echo "::error::G4-RESTORE-EXEC-NO-OUT-OF-TARGET: forbidden call expression matching '$pat' found in $target"
+              grep -nE "$pat" "$target" || true
               fail=1
             fi
           done
@@ -354,8 +378,8 @@ jobs:
           # NftDeleteTable's args in the production code ARE literal
           # quoted strings (no constants), so this allow-list pin works
           # cleanly without identifier resolution. Per-unit / per-path
-          # enforcement for systemctl + mv is delegated to the Go runtime
-          # tests against MockExecutor.
+          # enforcement for systemctl + Rename is delegated to the Go
+          # runtime tests against MockExecutor.
           while IFS= read -r line; do
             args=$(echo "$line" | grep -oE 'NftDeleteTable\([^)]*\)' || true)
             if [[ -n "$args" ]]; then
@@ -368,7 +392,7 @@ jobs:
                   ;;
               esac
             fi
-          done < <(grep -n 'NftDeleteTable(' "$target" || true)
+          done < <(echo "$stripped" | grep -n 'NftDeleteTable(' || true)
 
           if [[ "$fail" -ne 0 ]]; then
             echo "::error::Amendment 1 §30 / §34 violation — restore_deps_csf.go must contain only the closed §31/§32 mutation surface."

cmd/nftban-installer/restore_deps_csf.go

@@ -182,32 +182,13 @@ func isCSFServiceMasked(exec executor.Executor) bool {
 	return strings.TrimSpace(res.Stdout) == "masked"
 }
 
-// unmaskCSFService runs systemctl unmask via the executor abstraction.
-// The Executor interface does not expose a typed ServiceUnmask method
-// (only ServiceMask). Routing the inverse through Run is the chosen
-// in-scope option for 4B-3-csf — it stays inside cmd/ and uses the
-// existing executor seam without expanding the interface mid-PR.
-func unmaskCSFService(exec executor.Executor) error {
-	res := exec.Run("systemctl", "unmask", csfServiceUnit)
-	if res.ExitCode != 0 {
-		return fmt.Errorf("systemctl unmask %s: %s", csfServiceUnit, strings.TrimSpace(res.Stderr))
-	}
-	return nil
-}
-
-// renameAtomicViaExec performs an atomic rename via the executor's
-// Run("mv", ...) — same-filesystem mv is atomic at the syscall level.
-// The Executor interface does not expose a Rename method; routing
-// through Run keeps the surface inside the executor abstraction. The
-// direct stdlib rename API (in the os package) is forbidden by the
-// file-scan and intentionally not used here.
-func renameAtomicViaExec(exec executor.Executor, oldpath, newpath string) error {
-	res := exec.Run("mv", oldpath, newpath)
-	if res.ExitCode != 0 {
-		return fmt.Errorf("mv %s -> %s: %s", oldpath, newpath, strings.TrimSpace(res.Stderr))
-	}
-	return nil
-}
+// (PR-26-code-B / §43.2 lock — the prior unmaskCSFService and
+// renameAtomicViaExec helper functions are removed. Both routed
+// through the raw `Run("systemctl","unmask",…)` and `Run("mv",…)`
+// indirections that PR-26-code-B closes by promoting the operations
+// to typed `executor.ServiceUnmask` and `executor.Rename` methods.
+// The §31 A.1 + A.3 call sites in mutateToCSFTarget call those typed
+// methods directly — no thin wrapper is needed.)
 
 // =============================================================================
 // mutateToCSFTarget — the §31/§32 entry point invoked by
@@ -292,7 +273,7 @@ func mutateToCSFTarget(ctx context.Context, m *productionMutationDep) error {
 		if m.log != nil {
 			m.log.Info("restore csf: A.1 unmasking %s", csfServiceUnit)
 		}
-		if err := unmaskCSFService(m.exec); err != nil {
+		if err := m.exec.ServiceUnmask(csfServiceUnit); err != nil {
 			return fmt.Errorf("%w: %v", ErrCSFRestoreUnmaskFailed, err)
 		}
 	} else if m.log != nil {
@@ -317,7 +298,7 @@ func mutateToCSFTarget(ctx context.Context, m *productionMutationDep) error {
 		if m.log != nil {
 			m.log.Info("restore csf: A.3 renaming %s -> %s", csfBinaryDisabled, csfBinary)
 		}
-		if err := renameAtomicViaExec(m.exec, csfBinaryDisabled, csfBinary); err != nil {
+		if err := m.exec.Rename(csfBinaryDisabled, csfBinary); err != nil {
 			return fmt.Errorf("%w: %v", ErrCSFRestoreBinaryRestoreFailed, err)
 		}
 	} else if m.log != nil {