fix(v1.100 PR-23): replace PR-22-era auto-elevate gate with PR-23 consent-refusal gates

The uninstall canonization workflow had a gate asserting that
`--mode=uninstall` without --dry-run auto-elevates to dry-run and exits 0.
That was the correct PR-22 behaviour but is a contract violation under
PR-23 — the auto-elevate shim was removed and the correct post-PR-23
behaviour is an explicit refusal demanding --dry-run OR --confirm-mutation.

Replace the single obsolete gate with two PR-23 gates:

- G3-UN-CONSENT-REQUIRED: bare `--mode=uninstall` must exit non-zero
  with a message mentioning the two-flag choice, touch NOTHING on disk.
- G3-UN-CONSENT-BOTH-FLAGS: `--mode=uninstall --dry-run --confirm-mutation`
  must also refuse with a "mutually exclusive" message.

Together these enforce the consent model at the CLI surface:
  neither → refused
  dry-run → observational
  confirm-mutation → apply
  both → refused

No code changes — CI gate update only.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

.github/workflows/ci-uninstall-canonization.yml

@@ -398,36 +398,65 @@ jobs:
           echo "G3-UN-PLAN-RENDERS PASS — all mandatory contract-language elements present"
 
       # ------------------------------------------------------------------
-      # G3-UN-PLAN-RENDERS negative path — invoking --mode=uninstall
-      # WITHOUT --dry-run must still not mutate. The flags validator
-      # forces --dry-run on in PR-22; this confirms that elevation works.
+      # G3-UN-CONSENT-REQUIRED (PR-23) — --mode=uninstall with NEITHER
+      # --dry-run NOR --confirm-mutation must REFUSE explicitly (exit
+      # non-zero) and touch NOTHING. This replaces the PR-22-era
+      # "auto-elevate" gate: the shim was removed in PR-23, and the
+      # correct post-PR-23 behaviour for this bare invocation is a
+      # hard refusal.
       # ------------------------------------------------------------------
-      - name: G3-UN-PLAN-RENDERS — no-mutation even without explicit dry-run
+      - name: G3-UN-CONSENT-REQUIRED — --mode=uninstall without consent flag refuses
         shell: bash
         run: |
           set -Eeuo pipefail
-          # PR-22A boundary repair: the earlier gate only snapshot
-          # /etc/nftban + /usr/lib/nftban + /usr/sbin/nftban*. It did
-          # NOT cover /var/lib/nftban/ — the exact directory that leaked
-          # three writes in PR #480. The snapshot now includes all
-          # three protected trees. No exceptions.
           before=$(find /etc/nftban /usr/lib/nftban /usr/sbin/nftban* /var/lib/nftban -type f 2>/dev/null | sort | xargs -r sha256sum 2>/dev/null | sort || true)
           set +e
-          sudo ./bin/nftban-installer --mode=uninstall \
-              --state-dir=/var/lib/nftban/state 2>&1 | tee /tmp/uninstall-implicit.out
-          rc=${PIPESTATUS[0]}
+          out=$(sudo ./bin/nftban-installer --mode=uninstall \
+              --state-dir=/var/lib/nftban/state 2>&1)
+          rc=$?
           set -e
+          echo "$out"
           after=$(find /etc/nftban /usr/lib/nftban /usr/sbin/nftban* /var/lib/nftban -type f 2>/dev/null | sort | xargs -r sha256sum 2>/dev/null | sort || true)
           if [[ "$before" != "$after" ]]; then
-            echo "::error::PR-22 contract violation — --mode=uninstall touched protected filesystem"
+            echo "::error::G3-UN-CONSENT-REQUIRED FAIL — refused run touched protected filesystem"
             diff <(echo "$before") <(echo "$after") || true
             exit 1
           fi
-          if [[ "$rc" -ne 0 ]]; then
-            echo "::error::--mode=uninstall (no explicit dry-run) must exit 0 in PR-22 scope"
+          if [[ "$rc" -eq 0 ]]; then
+            echo "::error::G3-UN-CONSENT-REQUIRED FAIL — bare --mode=uninstall exited 0, must REFUSE"
+            exit 1
+          fi
+          if ! echo "$out" | grep -qE "requires exactly one of --dry-run OR --confirm-mutation"; then
+            echo "::error::G3-UN-CONSENT-REQUIRED FAIL — refusal message did not mention the two-flag choice"
+            exit 1
+          fi
+          echo "G3-UN-CONSENT-REQUIRED PASS — bare --mode=uninstall refused cleanly, no filesystem changes"
+
+      # ------------------------------------------------------------------
+      # G3-UN-CONSENT-BOTH-FLAGS (PR-23) — --mode=uninstall with BOTH
+      # --dry-run AND --confirm-mutation must also refuse. The two
+      # flags are semantically incompatible; accepting both would be
+      # a silent contract drift.
+      # ------------------------------------------------------------------
+      - name: G3-UN-CONSENT-BOTH-FLAGS — --dry-run + --confirm-mutation refuses
+        shell: bash
+        run: |
+          set -Eeuo pipefail
+          set +e
+          out=$(sudo ./bin/nftban-installer --mode=uninstall --dry-run --confirm-mutation \
+              --state-dir=/var/lib/nftban/state 2>&1)
+          rc=$?
+          set -e
+          echo "$out"
+          if [[ "$rc" -eq 0 ]]; then
+            echo "::error::G3-UN-CONSENT-BOTH-FLAGS FAIL — passing both flags exited 0, must REFUSE"
+            exit 1
+          fi
+          if ! echo "$out" | grep -qE "mutually exclusive"; then
+            echo "::error::G3-UN-CONSENT-BOTH-FLAGS FAIL — refusal message did not mention mutual exclusion"
             exit 1
           fi
-          echo "G3-UN-PLAN-RENDERS no-mutation PASS — no files changed under /etc/nftban, /usr/lib/nftban, /usr/sbin/nftban*, /var/lib/nftban"
+          echo "G3-UN-CONSENT-BOTH-FLAGS PASS — both-flag combination refused"
 
       # ------------------------------------------------------------------
       # G3-UN-HISTORY-PURITY — regression guard for audit finding A.3.