feat(rebuild): v1.96 PR-05 — module restore truth + post-restore verification

Add post-module-restore verification step between steps 8-12 and POST
validation. Closes the silent daemon-dependent module restoration gap.

Verification checks (Level 1+2 per contract):
- DDoS: nft list chain ip nftban nftban_ddos_filter
- Portscan: nft list chain ip nftban nftban_portscan
- BotGuard: nft list chain ip nftban nftban_botguard

If a module reported RESTORE_OK but its chain is missing from kernel,
result is downgraded to RESTORE_INCOMPLETE. This prevents false
PROTECTED when module enable command returned 0 but the chain was
not actually created (daemon dependency failure).

Level 3 (activation evidence) is not checked here — requires traffic
and produces WARNING only, not DEGRADED (per contract tightening #3).

Contract: V196_REBUILD_RECOVERY_CONTRACT.md §8
INV-RR-007: Module restore failure is surfaced, not silent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: itcmsgr

cli/lib/nftban/cli/cmd_firewall.sh

@@ -1496,6 +1496,48 @@ _firewall_rebuild_core() {
         [[ "$quiet" == "false" ]] && echo "  Consumed .rpmnew and rendered into live config" || true
     fi
 
+    # ─────────────────────────────────────────────────────────────────────────
+    # v1.96: Post-module-restore verification (INV-RR-007)
+    # Level 1: Structure presence (chains + sets exist in kernel)
+    # Level 2: Wiring correctness (jumps in correct anchor positions)
+    # Level 3 deferred — requires traffic (WARNING only if missing)
+    # ─────────────────────────────────────────────────────────────────────────
+    if declare -f _rebuild_classify_module_result &>/dev/null; then
+        [[ "$quiet" == "false" ]] && echo ""
+        [[ "$quiet" == "false" ]] && echo "  [VERIFY] Module restore verification..."
+
+        # DDoS: check for ddos helper chain in ip nftban
+        if [[ "$_ddos_enabled" == "true" && "$_REBUILD_MODULE_DDOS" == "$MR_OK" ]]; then
+            if nft list chain ip nftban nftban_ddos_filter &>/dev/null; then
+                # Level 1+2: chain exists and is reachable (nft validates jump targets)
+                [[ "$quiet" == "false" ]] && echo "    DDoS: chain verified (Level 1+2)"
+            else
+                _rebuild_classify_module_result "ddos" "$MR_INCOMPLETE"
+                [[ "$quiet" == "false" ]] && echo "    DDoS: chain MISSING after enable (downgraded to INCOMPLETE)"
+            fi
+        fi
+
+        # Portscan: check for portscan helper chain
+        if [[ "$_portscan_enabled" == "true" && "$_REBUILD_MODULE_PORTSCAN" == "$MR_OK" ]]; then
+            if nft list chain ip nftban nftban_portscan &>/dev/null; then
+                [[ "$quiet" == "false" ]] && echo "    Portscan: chain verified (Level 1+2)"
+            else
+                _rebuild_classify_module_result "portscan" "$MR_INCOMPLETE"
+                [[ "$quiet" == "false" ]] && echo "    Portscan: chain MISSING after enable (downgraded to INCOMPLETE)"
+            fi
+        fi
+
+        # BotGuard: check for botguard helper chain
+        if _firewall_botguard_is_enabled 2>/dev/null && [[ "$_REBUILD_MODULE_BOTGUARD" == "$MR_OK" ]]; then
+            if nft list chain ip nftban nftban_botguard &>/dev/null; then
+                [[ "$quiet" == "false" ]] && echo "    BotGuard: chain verified (Level 1+2)"
+            else
+                _rebuild_classify_module_result "botguard" "$MR_INCOMPLETE"
+                [[ "$quiet" == "false" ]] && echo "    BotGuard: chain MISSING after enable (downgraded to INCOMPLETE)"
+            fi
+        fi
+    fi
+
     # v1.78.0: POST-REBUILD VALIDATION — Compare with PRE state
     [[ "$quiet" == "false" ]] && echo ""
     [[ "$quiet" == "false" ]] && echo "  [POST] Validating post-rebuild state..."