feat(v1.99 PR-18): seed apply orchestration contract

This commit establishes the PR-18 contract BEFORE any implementation code
lands. Per user directive, PR-18 is judged by call-path purity, not by
"it works in happy path."

Pinned sentence (repeated in PR body + contract file + package doc):

  "PR-18 is orchestration-only: update apply may invoke the existing
   rebuild/lifecycle authority, but may not implement any independent
   apply, mutation, recovery, validation, or authority-taking behavior."

Contents:
  - Call graph (runUpdateApply → firewall_rebuild → validator → recovery)
  - Canonical entry points PR-18 orchestrates (never reimplements)
  - 8 forbidden patterns (automatic NO-GO)
  - Explicit stop condition: new apply/mutation/recovery/authority
    logic → STOP and split to new PR

No code, no behaviour change. This is the contract layer; step 1
(tests/proof skeleton) lands in the next commit, step 2 (minimal
orchestration wiring) after that.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

internal/installer/update/apply_contract.md

@@ -0,0 +1,85 @@
+# PR-18 — Update Apply Orchestration Contract
+
+**Status:** Draft — READY FOR IMPLEMENTATION (under strict contract enforcement)
+**Scope:** G3-U5 .. G3-U10
+**Pinned invariants:** INV-U-001 / INV-U-002 / INV-U-003
+
+---
+
+## Single-sentence contract
+
+> PR-18 is orchestration-only: update apply may invoke the existing
+> rebuild/lifecycle authority, but may not implement any independent apply,
+> mutation, recovery, validation, or authority-taking behavior.
+
+---
+
+## Call graph (critical proof surface)
+
+```
+runUpdateApply  (new — orchestration only)
+     │
+     ├── update.Preflight              (existing — read-only, PR-16/PR-17)
+     ├── exec.Run("nftban", "firewall", "rebuild")
+     │        │
+     │        └── firewall_rebuild     (existing — shell, cli/lib/nftban/cli/cmd_firewall.sh:1070)
+     │             │
+     │             ├── _firewall_rebuild_core
+     │             ├── nftban_rebuild_recovery.sh  (existing — recovery)
+     │             └── rebuild/marker.go            (existing — classification)
+     │
+     ├── exec.Run("nftban-validate")   (existing — validator gate)
+     │
+     └── sf.Transition(...)            (existing — lifecycle state machine)
+```
+
+**No new mutation path.**
+**No new validator path.**
+**No new recovery path.**
+**No new authority path.**
+
+---
+
+## Canonical entry points PR-18 orchestrates (never reimplements)
+
+| Phase | Canonical entry | Owner |
+|---|---|---|
+| Preflight | `update.Preflight(exec, log, origin)` | PR-16 + PR-17 |
+| Target detection | `update.DetectVersions(exec, sourceDir, origin, log)` | PR-16 + PR-17 |
+| Recovery planning | `update.BuildRecoveryPlan(exec)` | PR-17 |
+| **Rebuild execution** | `nftban firewall rebuild` → `firewall_rebuild` | v1.96 (shell) |
+| **Recovery** | `_rebuild_*` family in `nftban_rebuild_recovery.sh` | v1.96 (shell) |
+| **Validator gate** | `nftban-validate --json` | v1.78+ (Go) |
+| **State transition** | `sf.Transition(State, Phase, reason)` | v1.73+ (installer) |
+
+PR-21 will migrate `firewall_rebuild` to Go and delete the shell layer.
+PR-18 must not pre-empt that migration — orchestrate the shell path today.
+
+---
+
+## Forbidden patterns (automatic NO-GO on PR-18)
+
+1. New `exec.Run("nft", ...)` call in `runUpdateApply` (nft only via rebuild)
+2. New `exec.WriteFile(...)` call that targets anything under `/etc/nftban/` or `/usr/lib/nftban/`
+3. New authority-classification call outside `authority.Classify` (which lives upstream of rebuild)
+4. New `systemctl` call that stops/starts external firewalls (UFW/firewalld/iptables)
+5. New rollback mechanism — any failure must delegate to `firewall_rebuild`'s own recovery
+6. Any path where `nftban-validate` is NOT called after apply
+7. Any path where `.conf.local` files are opened in write mode
+8. Any retry/loop/fallback logic that could mask a rebuild failure
+
+CI enforces 1-5 via a call-path audit step; 6-8 via behavioural tests.
+
+---
+
+## Stop condition
+
+If implementation pressure appears that requires any of:
+
+- new apply logic
+- bypass of rebuild
+- direct config mutation
+- custom recovery
+- custom authority handling
+
+→ **STOP PR-18 immediately.** Split that work into a separate design/audit PR. Do NOT solve it inside PR-18.