feat(v1.100 PR-26): code-D post-restore evidence record (§39.3 / §48.6 lock) (#517)

* feat(v1.100 PR-26-code-D): post-restore evidence record (§39.3 / §48.6 lock)

PR-26-code-D — restore verification / evidence hardening, slice D.
Adds the structured post-restore evidence-record writer per §39.3
+ §48.6 operator lock. Recording-only — does NOT re-run PR-24
decisions, rebuild TargetAuthority, or add validator/module-health
probes (operator design call).

Authority:
- PR #512 / contract.md Part IV §§37-50
- PR #513 / §51 lock record
- PR #514 / code-A merge 4e98ff5
- PR #515 / code-B merge 45fc63e
- PR #516 / code-C merge 6d8386d
- §39 Q1 BLOCKING evidence rows
- §39.3 evidence-record file requirement
- §46 CI gate requirements
- §48.6 (operator-locked at this commit's open):
    - path:    /var/lib/nftban/state/restore-evidence/
    - filename: restore-evidence-<UTC-RFC3339-basic>-<short-random>.json
    - schema:   1.0.0
    - writer helper: writeRestoreEvidenceRecord(ctx, exec, record)
    - path constant: restoreEvidenceDir
- §51.5-A2 (read-only typed introspection outside mutation cap)

Files added (2):

cmd/nftban-installer/restore_evidence.go
- Constants:
    restoreEvidenceSchemaVersion  = "1.0.0"
    restoreEvidenceDir            = "/var/lib/nftban/state/restore-evidence"
    restoreEvidenceFilenamePrefix = "restore-evidence-"
    restoreEvidenceMode           = 0o640
    restoreEvidenceDirMode        = 0o750
- Schema types: RestoreEvidenceRecord (schema_version, timestamp_utc,
  mode, phase, target, result, verification, history_gate, warnings) +
  the 4 nested structs.
- Sentinels: ErrEvidenceWriteFailed, ErrEvidenceNilExecutor,
  ErrEvidenceNilRecord.
- writeRestoreEvidenceRecord — the SINGLE helper. MkdirAll, marshal,
  WriteFileAtomic. Filename: prefix + UTC RFC3339-basic stamp +
  "-" + 8-hex random suffix + ".json".
- buildRestoreEvidenceRecord — recording-only assembler. Sources:
  target.Kind/FirewallType/Panel, execRes.Terminal/Stage/VerifyResult,
  exec.NftTableExists for emergency + nftban tables, detect.SSHPortWithSource.
  No re-derivation; no Probe / Decide / DetectPanel calls.
- evidenceShortRandom — crypto/rand-backed 8-hex suffix to avoid
  same-second filename collisions.

cmd/nftban-installer/restore_evidence_test.go
- 10 tests:
    1. WriteRestoreEvidence_HappyPath — filename pattern + single write
    2. WriteRestoreEvidence_RoundTripsJSON — schema_version + mode +
       phase + history_gate flags
    3. WriteRestoreEvidence_NilExecutor — defensive guard
    4. WriteRestoreEvidence_NilRecord — defensive guard
    5. WriteRestoreEvidence_OnlyHelperWritesUnderEvidenceDir_FileScan —
       single-WriteFileAtomic invariant
    6. WriteRestoreEvidence_NoForbiddenSurfaces_FileScan —
       recording-only invariant pin
    7. BuildRestoreEvidenceRecord_RecordedPriorHappy — full happy
       path with ss-listener SSH port resolution
    8. BuildRestoreEvidenceRecord_NftbanTablesPresent_Recorded —
       post-mutation kernel observation
    9. BuildRestoreEvidenceRecord_AuthorityClassDivergenceWarning —
       ObservedAuthority diverging from AuthorityExternal surfaces
       in warnings
    10. RestoreEvidenceConstants_LockPin — §48.6 path/version/prefix
        pinned exactly

Files modified (4):

internal/installer/detect/ssh.go
- Added detect.SSHPortWithSource (read-only). Same 4-source priority
  chain as detect.SSHPort but also returns the source name (ss /
  sshd_config / state / config) — required by the §48.6 schema's
  ssh_port_source enum. Per §51.5-A2 outside the mutation cap.

cmd/nftban-installer/restore_decide.go
- runRestoreExecutionFromProceed gains a Step D (between Execute
  and Transition):
    1. buildRestoreEvidenceRecord(target, execRes)
    2. writeRestoreEvidenceRecord(ctx, exec, rec, log)
- §48.6 downgrade rule: if evidence-write fails AFTER a successful
  StateRestoreExecuted, downgrade to StateRestoreDegraded
  (state.machine.go:152 already supports this terminal). The state
  model supports the downgrade; no contract amendment needed.
- Operator-facing log line on Degraded now includes the evidence-
  write failure reason.
- No state-machine / exit-code / history-gate change. main.go:132
  mode-gate untouched.

cmd/nftban-installer/restore_decide_test.go
- TestRunRestoreExecutionFromProceed_FakeDeps_HappyPath_PersistsExecuted
  + 4 other dispatcher tests updated: pass executor.NewMockExecutor()
  instead of nil so the new evidence-write step succeeds and the
  terminal stays at StateRestoreExecuted (fake happy path). The 3
  tests that pass nil exec via _ = runRestoreExecutionFromProceed
  do not assert on sf.State so they still pass under the downgrade.

.github/workflows/ci-restore-canonization.yml
- New gate G4-RESTORE-EVIDENCE-RECORD (§46). Structural — pins the
  named-constant + single-helper invariant:
    * restore_evidence.go declares restoreEvidenceDir,
      restoreEvidenceSchemaVersion, restoreEvidenceFilenamePrefix
      verbatim + locked values
    * restore_evidence.go declares writeRestoreEvidenceRecord +
      buildRestoreEvidenceRecord + RestoreEvidenceRecord struct
    * exactly ONE WriteFileAtomic call in restore_evidence.go
      (the single-helper invariant — locked by §48.6)
    * forbidden-symbol scan: restore.Decide /
      restore.PlanFromDecision / uninstall.Probe / detect.DetectPanel
      / writeHistory / update-history.json / mutation primitives /
      direct OS bypass (recording-only invariant)
    * dispatcher (restore_decide.go) calls BOTH
      writeRestoreEvidenceRecord AND buildRestoreEvidenceRecord
      (proves evidence is consumed, not just imported)
- §46.1 line-skipping discipline applied (production-code-only,
  comment-stripped).

Recording-only invariant (operator design call) honored:
- No restore.Decide / restore.PlanFromDecision calls
- No uninstall.Probe call
- No detect.DetectPanel call (only detect.SSHPortWithSource —
  read-only typed introspection)
- No validator full-sweep / module-health probe
- No update-history.json write (§19.2 layer 4 / main.go:132 retained)
- No new mutation primitive

Constraints honored (per operator scope):

IN:
- evidence record type + schema ✓ (§48.6 lock)
- evidence writer helper ✓ (single helper writeRestoreEvidenceRecord)
- production write after restore execution path ✓ (dispatcher Step D)
- structural CI gate G4-RESTORE-EVIDENCE-RECORD ✓
- tests proving all writes stay under restoreEvidenceDir ✓
- tests proving update-history is untouched ✓ (HistoryGate flags +
  no writeHistory references in evidence module)

OUT:
- destructive soak (PR-26-code-E)
- A.4 cron changes (already shipped in code-C)
- executor new mutation methods (Stat is read-only, shipped in code-C)
- iptables introspection (Option B lock)
- main.go history gate changes (untouched)
- state/exit-code changes — only the existing StateRestoreDegraded
  is consumed, no new state added
- repo hygiene / UX / GOTH / metrics / module cleanup

Verified on lab2 (Ubuntu 24.04, go1.22.2):
- go build ./... clean
- go test ./... PASS (full repo, 64 packages)
- go test -race -count=1 cmd + restore + state + switchop + detect PASS
- go vet ./... clean
- go mod tidy no-op
- 10 new TestWriteRestoreEvidence_* / TestBuildRestoreEvidenceRecord_* /
  TestRestoreEvidenceConstants_LockPin tests all PASS
- existing 5 dispatcher fake-deps tests updated + still PASS
- All 3 G4 gates (NO-OUT-OF-TARGET / CRON-MANIFEST-INTEGRITY /
  EVIDENCE-RECORD) local replay: FAIL=0

Awaiting auditor pass before push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(v1.100 PR-26-code-D): add 5 dispatcher-level evidence-failure semantics tests (auditor checkpoint)

Auditor focused-audit on 849b372 flagged that PR-26-code-D's Step D
introduces a real operator-visible terminal transition:

  StateRestoreExecuted + evidence write failure → StateRestoreDegraded

The 10 unit tests already covered the writer + builder + recording
invariants but did NOT pin the dispatcher-level downgrade semantics.
This commit adds 5 dispatcher-level tests to close that gap.

Tests added:

cmd/nftban-installer/restore_decide_test.go

  1. PR26D_ExecutedPlusEvidenceFail_DowngradesToDegraded
     fake deps return StateRestoreExecuted; writeFailExec wrapper
     forces evidence WriteFileAtomic to fail. Asserts:
     - sf.State == StateRestoreDegraded (downgrade fires)
     - exit code == StateRestoreDegraded.ExitCode()
     - sf.State != StateRestoreExecuted (no false claim)
     Note: sf.FailureReason stays empty by design (Transition only
     populates FailureReason on .IsFailed() states; Degraded is
     success-with-warnings). The downgrade reason surfaces via
     log.Result, which is the authoritative operator channel for
     Degraded outcomes.

  2. PR26D_FailedExecutionPlusEvidenceFail_TerminalPreserved
     fake.mutateErr forces FailedExecution; writeFailExec forces
     evidence-write failure. Asserts:
     - sf.State == StateRestoreFailedExecution (terminal preserved)
     - exit == StateRestoreFailedExecution.ExitCode()
     Evidence failure is warning-only on non-Executed terminals.

  3. PR26D_FailedVerificationPlusEvidenceFail_TerminalPreserved
     fake.activeRet=false forces inline-verify SafeToRemove=false →
     FailedVerification; writeFailExec forces evidence-write fail.
     Asserts terminal + exit code unchanged from FailedVerification.

  4. PR26D_ExecutedPlusEvidenceOk_PreservesExecuted
     Plain MockExecutor (writes succeed). Asserts:
     - sf.State == StateRestoreExecuted (no downgrade on clean write)
     - exit == StateRestoreExecuted.ExitCode()
     - exactly one file written under restoreEvidenceDir
     - no writes outside restoreEvidenceDir

  5. PR26D_NoUpdateHistoryWrite_FileScan
     File-scan against restore_decide.go. Strips line-leading // per
     §46.1; asserts no production-code reference to writeHistory(
     or update-history.json. Pins the §19.2 layer-4 invariant stays
     untouched after PR-26-code-D adds Step D.

writeFailExec wrapper (test-only):
  Wraps *executor.MockExecutor and overrides only WriteFileAtomic
  to fail. Avoids changing the production MockExecutor; uses the
  same composition pattern as flakyCSFActiveExec (introduced in
  PR-25 4B-3-csf for analogous test purposes).

Verified on lab2 (Ubuntu 24.04, go1.22.2):
- go build ./... clean
- go test ./cmd/nftban-installer/... PASS
- 5 new TestRunRestoreExecutionFromProceed_PR26D_* /
  TestDispatcher_PR26D_* tests all PASS
- go test -race -count=1 cmd + restore + state PASS
- existing PR-25 + PR-26-code-A/B/C tests still PASS

No production code change. No CI workflow change. No contract
amendment needed. Restore semantics from §48.6 lock + §19.2 layer-4
invariant are both now structurally pinned by tests.

Awaiting auditor sign-off + push signal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

.github/workflows/ci-restore-canonization.yml

@@ -549,6 +549,130 @@ jobs:
 
           echo "G4-RESTORE-CRON-MANIFEST-INTEGRITY PASS — writer + reader structurally consume the shared sha256 + manifest API"
 
+      # ------------------------------------------------------------------
+      # G4-RESTORE-EVIDENCE-RECORD (PR-26-code-D / §46) — structural
+      # pin on the post-restore evidence-record writer.
+      #
+      # The §39.3 + §48.6 lock requires that ALL evidence-record file
+      # writes route through a SINGLE helper using a NAMED CONSTANT
+      # for the destination directory. This gate structurally
+      # enforces:
+      #
+      #   - cmd/nftban-installer/restore_evidence.go declares the
+      #     restoreEvidenceDir constant verbatim and sets its value
+      #     to /var/lib/nftban/state/restore-evidence
+      #   - the file declares the writeRestoreEvidenceRecord helper
+      #     and the schema_version constant set to "1.0.0"
+      #   - the file contains exactly ONE WriteFileAtomic call (the
+      #     call inside the single helper)
+      #   - the file does NOT reference update-history.json,
+      #     uninstall.Probe, restore.Decide, restore.PlanFromDecision,
+      #     detect.DetectPanel, or any mutation primitive
+      #     (recording-only invariant per §39.3)
+      #   - the dispatcher (cmd/nftban-installer/restore_decide.go)
+      #     calls writeRestoreEvidenceRecord — i.e. evidence is
+      #     actually consumed, not just imported
+      #
+      # §46.1 discipline: production-code-only, comment-stripped.
+      # ------------------------------------------------------------------
+      - name: G4-RESTORE-EVIDENCE-RECORD — single-helper structural pin
+        shell: bash
+        run: |
+          set -Eeuo pipefail
+
+          ev=cmd/nftban-installer/restore_evidence.go
+          dispatcher=cmd/nftban-installer/restore_decide.go
+
+          for f in "$ev" "$dispatcher"; do
+            if [[ ! -f "$f" ]]; then
+              echo "::error::G4-RESTORE-EVIDENCE-RECORD: $f not found"
+              exit 1
+            fi
+          done
+
+          ev_src=$(grep -vE '^[[:space:]]*//' "$ev" || true)
+          disp_src=$(grep -vE '^[[:space:]]*//' "$dispatcher" || true)
+
+          fail=0
+
+          # ---- Required symbols in the evidence module ---------------
+          ev_required=(
+            'restoreEvidenceDir[[:space:]]+=[[:space:]]+"/var/lib/nftban/state/restore-evidence"'
+            'restoreEvidenceSchemaVersion[[:space:]]+=[[:space:]]+"1\.0\.0"'
+            'restoreEvidenceFilenamePrefix[[:space:]]+=[[:space:]]+"restore-evidence-"'
+            'func writeRestoreEvidenceRecord\('
+            'func buildRestoreEvidenceRecord\('
+            'type RestoreEvidenceRecord struct'
+          )
+          for pat in "${ev_required[@]}"; do
+            if ! echo "$ev_src" | grep -qE "$pat"; then
+              echo "::error::G4-RESTORE-EVIDENCE-RECORD: $ev missing required symbol matching '$pat'"
+              fail=1
+            fi
+          done
+
+          # ---- Single-helper invariant -------------------------------
+          # Exactly one WriteFileAtomic call in the evidence module —
+          # the one inside writeRestoreEvidenceRecord. Anything else
+          # is a violation of the §46 single-helper lock.
+          wfa_count=$(echo "$ev_src" | grep -cE '\bWriteFileAtomic\(' || true)
+          if [[ "$wfa_count" -ne 1 ]]; then
+            echo "::error::G4-RESTORE-EVIDENCE-RECORD: $ev contains $wfa_count WriteFileAtomic calls; want exactly 1 (single-helper invariant)"
+            fail=1
+          fi
+
+          # ---- Forbidden recording-only-violation symbols -----------
+          ev_forbidden=(
+            'restore\.Decide\('
+            'restore\.PlanFromDecision\('
+            'uninstall\.Probe\('
+            'detect\.DetectPanel\('
+            'writeHistory\('
+            'update-history\.json'
+            '\bexec\.ServiceStart\('
+            '\bexec\.ServiceStop\('
+            '\bexec\.ServiceEnable\('
+            '\bexec\.ServiceDisable\('
+            '\bexec\.ServiceMask\('
+            '\bexec\.ServiceUnmask\('
+            '\bexec\.NftDeleteTable\('
+            '\bexec\.NftAddElement\('
+            '\bexec\.DaemonReload\('
+            '\bexec\.Rename\('
+            '"os/exec"'
+            '\bexec\.Command\('
+            '\bos\.Rename\('
+            '\bos\.Remove\('
+            '\bos\.WriteFile\('
+            '\bos\.Create\('
+            '\bsyscall\.'
+          )
+          for pat in "${ev_forbidden[@]}"; do
+            if echo "$ev_src" | grep -qE "$pat"; then
+              echo "::error::G4-RESTORE-EVIDENCE-RECORD: $ev contains forbidden pattern '$pat' (recording-only invariant)"
+              fail=1
+            fi
+          done
+
+          # ---- Dispatcher consumption pin ----------------------------
+          # The dispatcher MUST call writeRestoreEvidenceRecord — proves
+          # evidence is consumed, not just imported.
+          if ! echo "$disp_src" | grep -qE '\bwriteRestoreEvidenceRecord\('; then
+            echo "::error::G4-RESTORE-EVIDENCE-RECORD: $dispatcher does not call writeRestoreEvidenceRecord"
+            fail=1
+          fi
+          if ! echo "$disp_src" | grep -qE '\bbuildRestoreEvidenceRecord\('; then
+            echo "::error::G4-RESTORE-EVIDENCE-RECORD: $dispatcher does not call buildRestoreEvidenceRecord"
+            fail=1
+          fi
+
+          if [[ "$fail" -ne 0 ]]; then
+            echo "::error::§39.3 / §46 / §48.6 violation — restore evidence-record writer not structurally enforced."
+            exit 1
+          fi
+
+          echo "G4-RESTORE-EVIDENCE-RECORD PASS — writer + dispatcher structurally consume the single evidence helper"
+
   restore-canonization-summary:
     name: Restore Canonization summary
     runs-on: ubuntu-24.04

cmd/nftban-installer/restore_decide.go

@@ -300,19 +300,44 @@ func runRestoreExecutionFromProceed(
 	if execRes.Err != nil {
 		reason = execRes.Err.Error()
 	}
-	_ = sf.Transition(execRes.Terminal, state.PhaseDetect, reason)
 
-	// Step D — Operator-facing output reflects the executed terminal.
-	switch execRes.Terminal {
+	// Step D — PR-26-code-D evidence record. Recording-only; no
+	// re-derivation of TargetAuthority, no PR-24 re-decision, no
+	// validator/module-health probe, no update-history write
+	// (§19.2 layer 4 / main.go:132 mode-gate retained).
+	//
+	// The §48.6 lock requires that, if evidence-write fails AFTER a
+	// successful StateRestoreExecuted, we MUST NOT claim "executed"
+	// without recording the evidence. The state model already
+	// supports StateRestoreDegraded (state/machine.go:152) so we
+	// downgrade the terminal in that case.
+	finalTerminal := execRes.Terminal
+	finalReason := reason
+	rec := buildRestoreEvidenceRecord(exec, log, target, execRes)
+	evidenceErr := writeRestoreEvidenceRecord(ctx, exec, rec, log)
+	if evidenceErr != nil {
+		log.Warn("restore evidence: write failed: %v", evidenceErr)
+		if execRes.Terminal == state.StateRestoreExecuted {
+			finalTerminal = state.StateRestoreDegraded
+			finalReason = "restore executed but evidence-write failed: " + evidenceErr.Error()
+			log.Warn("restore evidence: downgrading StateRestoreExecuted -> StateRestoreDegraded — successful restore cannot claim executed without recorded evidence")
+		}
+	}
+
+	_ = sf.Transition(finalTerminal, state.PhaseDetect, finalReason)
+
+	// Step E — Operator-facing output reflects the (possibly
+	// downgraded) terminal.
+	switch finalTerminal {
 	case state.StateRestoreExecuted:
 		log.Result("[NFTBan] restore execution: COMPLETED — authorized restore is in effect")
 	case state.StateRestoreDegraded:
-		log.Result("[NFTBan] restore execution: COMPLETED with warnings — review inline-verify result")
+		log.Result("[NFTBan] restore execution: COMPLETED with warnings — %s", finalReason)
 	case state.StateRestoreFailedExecution:
-		log.Result("[NFTBan] restore execution: FAILED at %s — %s", execRes.Stage, reason)
+		log.Result("[NFTBan] restore execution: FAILED at %s — %s", execRes.Stage, finalReason)
 	case state.StateRestoreFailedVerification:
 		log.Result("[NFTBan] restore execution: FAILED VERIFICATION at %s — safety net retained — %s",
-			execRes.Stage, reason)
+			execRes.Stage, finalReason)
 	}
 
 	return sf.State.ExitCode()