itcmsgr
diff --git a/‎.github/slsa/nftban-ui-auth.yml‎
Lines changed: 0 additions & 36 deletions b/‎.github/slsa/nftban-ui-auth.yml‎
Lines changed: 0 additions & 36 deletions
diff --git a/‎.github/slsa/nftban-ui.yml‎
Lines changed: 0 additions & 34 deletions b/‎.github/slsa/nftban-ui.yml‎
Lines changed: 0 additions & 34 deletions
diff --git a/‎.github/workflows/build-packages.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/build-packages.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/ci-go.yml‎
Lines changed: 4 additions & 3 deletions b/‎.github/workflows/ci-go.yml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 11 additions & 17 deletions b/‎.github/workflows/release.yml‎
Lines changed: 11 additions & 17 deletions
diff --git a/‎.github/workflows/slsa-go-releaser.yml‎
Lines changed: 10 additions & 36 deletions b/‎.github/workflows/slsa-go-releaser.yml‎
Lines changed: 10 additions & 36 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 35 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 35 additions & 0 deletions
@@ -110,7 +110,7 @@ jobs:
       - name: Validate binaries are real ELF files
         run: |
           echo "Validating Go binaries..."
-          for binary in bin/nftban-core bin/nftband bin/nftban-ui bin/nftban-ui-auth bin/nftban-installer; do
+          for binary in bin/nftban-core bin/nftband bin/nftban-installer; do
             if [[ -f "$binary" ]]; then
               file_type=$(file -b "$binary")
               if [[ "$file_type" != *"ELF"* ]]; then
@@ -210,7 +210,7 @@ jobs:
               cd /tmp/rpm-check
               rpm2cpio "$GITHUB_WORKSPACE/$rpm" | cpio -idmv 2>/dev/null
 
-              for binary in usr/lib/nftban/bin/nftban-core usr/lib/nftban/bin/nftband usr/lib/nftban/bin/nftban-ui usr/lib/nftban/bin/nftban-ui-auth usr/lib/nftban/bin/nftban-installer; do
+              for binary in usr/lib/nftban/bin/nftban-core usr/lib/nftban/bin/nftband usr/lib/nftban/bin/nftban-installer; do
                 if [[ -f "$binary" ]]; then
                   file_type=$(file -b "$binary")
                   if [[ "$file_type" != *"ELF"* ]]; then
@@ -318,7 +318,7 @@ jobs:
               ar x "$GITHUB_WORKSPACE/$deb"
               tar -xf data.tar.* 2>/dev/null || tar -xf data.tar.xz 2>/dev/null || tar -xf data.tar.gz 2>/dev/null
 
-              for binary in usr/lib/nftban/bin/nftban-core usr/lib/nftban/bin/nftband usr/lib/nftban/bin/nftban-ui usr/lib/nftban/bin/nftban-ui-auth usr/lib/nftban/bin/nftban-installer; do
+              for binary in usr/lib/nftban/bin/nftban-core usr/lib/nftban/bin/nftband usr/lib/nftban/bin/nftban-installer; do
                 if [[ -f "$binary" ]]; then
                   file_type=$(file -b "$binary")
                   if [[ "$file_type" != *"ELF"* ]]; then
@@ -647,7 +647,7 @@ jobs:
           # Get source binary hashes (the canonical reference)
           echo "=== Source Binary Hashes (Reference) ==="
           declare -A SOURCE_HASHES
-          for binary in nftband nftban-core nftban-ui nftban-ui-auth nftban-installer; do
+          for binary in nftband nftban-core nftban-installer; do
             if [[ -f "source-binaries/$binary" ]]; then
               hash=$(sha256sum "source-binaries/$binary" | cut -d' ' -f1)
               SOURCE_HASHES[$binary]="$hash"
@@ -670,7 +670,7 @@ jobs:
             cd /tmp/rpm-extract
             rpm2cpio "$GITHUB_WORKSPACE/$rpm" | cpio -idmv 2>/dev/null
 
-            for binary in nftband nftban-core nftban-ui nftban-ui-auth nftban-installer; do
+            for binary in nftband nftban-core nftban-installer; do
               pkg_binary="usr/lib/nftban/bin/$binary"
               if [[ -f "$pkg_binary" ]]; then
                 pkg_hash=$(sha256sum "$pkg_binary" | cut -d' ' -f1)
@@ -704,7 +704,7 @@ jobs:
             ar x "$GITHUB_WORKSPACE/$deb"
             tar -xf data.tar.* 2>/dev/null || tar -xf data.tar.xz 2>/dev/null || tar -xf data.tar.gz 2>/dev/null || true
 
-            for binary in nftband nftban-core nftban-ui nftban-ui-auth nftban-installer; do
+            for binary in nftband nftban-core nftban-installer; do
               pkg_binary="usr/lib/nftban/bin/$binary"
               if [[ -f "$pkg_binary" ]]; then
                 pkg_hash=$(sha256sum "$pkg_binary" | cut -d' ' -f1)
 
@@ -103,16 +103,17 @@ jobs:
         run: |
           mkdir -p bin
           go build -trimpath -o bin/nftban-core ./cmd/nftban-core
-          go build -trimpath -o bin/nftban-ui ./cmd/nftban-ui
-          go build -trimpath -o bin/nftban-ui-auth ./cmd/nftban-ui-auth
+          # nftban-ui + nftban-ui-auth: removed from shipped binary list per
+          # v1.100.1b.A (GOTH PR-D4 stage 1 — stop shipping). Source trees
+          # remain in repo and are still compiled by `go build ./...` above.
           go build -trimpath -o bin/nftband ./cmd/nftband
           go build -trimpath -o bin/nftban-validate ./cmd/nftban-validate
 
       - name: Verify binaries
         run: |
           echo "=== Built binaries ==="
           ls -lh bin/
-          for binary in nftban-core nftband nftban-ui nftban-ui-auth nftban-validate; do
+          for binary in nftban-core nftband nftban-validate; do
             file bin/$binary
             TYPE=$(file -b bin/$binary)
             if [[ ! "$TYPE" =~ ELF ]]; then
 
@@ -366,10 +366,11 @@ jobs:
           # Copy all DEB packages
           find all-packages -name "*.deb" -exec cp {} dist/packages/ \;
 
-          # Copy raw Go binaries that SLSA can't build (require CGO/PAM)
-          # NOTE: nftban-core and nftban-ui are built by SLSA workflow with provenance
+          # Copy raw Go binaries that SLSA can't build (require CGO)
+          # NOTE: nftban-core is built by SLSA workflow with provenance.
+          # nftban-ui + nftban-ui-auth removed in v1.100.1b.A (GOTH PR-D4 stage 1).
           if [ -d "all-packages" ]; then
-            for binary in nftband nftban-ui-auth; do
+            for binary in nftband; do
               if [ -f "all-packages/${binary}" ]; then
                 cp "all-packages/${binary}" "dist/packages/${binary}-linux-amd64"
                 chmod +x "dist/packages/${binary}-linux-amd64"
@@ -397,7 +398,6 @@ jobs:
             "nftban-debian12-amd64.deb"
             "nftban-debian13-amd64.deb"
             "nftband-linux-amd64"
-            "nftban-ui-auth-linux-amd64"
             "SHA256SUMS"
             "SHA256SUMS.build"
             "MANIFEST.txt"
@@ -416,9 +416,7 @@ jobs:
             "${ASSETS_TO_REPLACE[@]}"
             "RELEASE_NOTES.md"
             "nftban-core-linux-amd64"
-            "nftban-ui-linux-amd64"
             "nftban-core-linux-amd64.intoto.jsonl"
-            "nftban-ui-linux-amd64.intoto.jsonl"
           )
 
           CURRENT_ASSETS=$(gh release view "$VERSION" --json assets --jq '.assets[].name' 2>/dev/null || echo "")
@@ -440,7 +438,7 @@ jobs:
           # Generate checksums for all packages and binaries
           shopt -s nullglob
           packages=(*.rpm *.deb)
-          binaries=(nftban-core-linux-amd64 nftband-linux-amd64 nftban-ui-linux-amd64 nftban-ui-auth-linux-amd64)
+          binaries=(nftban-core-linux-amd64 nftband-linux-amd64)
 
           # Combine all files that exist
           all_files=()
@@ -645,14 +643,14 @@ jobs:
         # - Include SHA256SUMS.build as ground truth reference
         # - verify-release job will: download with retry, verify checksums,
         #   generate final SHA256SUMS, then publish the release
-        # NOTE: nftban-core and nftban-ui are uploaded by SLSA workflow with provenance
+        # NOTE: nftban-core is uploaded by SLSA workflow with provenance.
+        # nftban-ui + nftban-ui-auth removed in v1.100.1b.A (GOTH PR-D4 stage 1).
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           files: |
             dist/packages/*.rpm
             dist/packages/*.deb
             dist/packages/nftband-linux-amd64
-            dist/packages/nftban-ui-auth-linux-amd64
             dist/packages/SHA256SUMS.build
             dist/packages/MANIFEST.txt
             dist/packages/VERIFY.txt
@@ -710,7 +708,6 @@ jobs:
             "nftban-ubuntu22.04-amd64.deb"
             "nftban-ubuntu24.04-amd64.deb"
             "nftband-linux-amd64"
-            "nftban-ui-auth-linux-amd64"
             "SHA256SUMS.build"
           )
 
@@ -748,13 +745,10 @@ jobs:
               echo ""
               echo "::error::Failed to download all assets after $MAX_ATTEMPTS attempts"
               echo "Missing assets: ${MISSING[*]}"
-              # Allow missing optional assets (nftban-ui-auth may not exist)
-              REQUIRED_MISSING=0
+              # All listed assets are required after v1.100.1b.A (no optional UI binaries left).
+              REQUIRED_MISSING="${#MISSING[@]}"
               for m in "${MISSING[@]}"; do
-                case "$m" in
-                  nftban-ui-auth-linux-amd64) echo "  WARN: $m is optional (SLSA-built)" ;;
-                  *) echo "  FATAL: $m is required!"; REQUIRED_MISSING=$((REQUIRED_MISSING + 1)) ;;
-                esac
+                echo "  FATAL: $m is required!"
               done
               if [ "$REQUIRED_MISSING" -gt 0 ]; then
                 exit 1
@@ -768,7 +762,7 @@ jobs:
 
           # Also try SLSA-built binaries (optional — uploaded by separate workflow)
           cd "$GITHUB_WORKSPACE"
-          for slsa_asset in "nftban-core-linux-amd64" "nftban-ui-linux-amd64"; do
+          for slsa_asset in "nftban-core-linux-amd64"; do
             gh release download "$VERSION" -p "$slsa_asset" -D /tmp/release-verify --clobber 2>/dev/null && \
               echo "Downloaded SLSA asset: $slsa_asset" || true
           done
 
@@ -14,11 +14,11 @@
 #
 # Builds:
 #   - nftban-core (main CLI for firewall operations)
-#   - nftban-ui (web GUI server)
 #
-# NOTE: nftban-ui-auth is excluded - requires PAM headers (libpam-dev) which
-# are not available in SLSA's hermetic build environment. It's built via
-# the regular release.yml workflow instead.
+# NOTE (v1.100.1b.A): nftban-ui + nftban-ui-auth removed from shipped
+# artifact set per GOTH PR-D4 stage 1. SLSA build coverage now scoped
+# to nftban-core only. Source trees for the UI surface remain in repo
+# but are not built or published.
 #
 # COORDINATION: This workflow runs AFTER Release Packages completes to avoid
 # race conditions when uploading assets to the same GitHub release.
@@ -91,30 +91,12 @@ jobs:
       upload-tag-name: ${{ needs.get-tag.outputs.tag }}
 
   # ============================================================================
-  # Job 2: Build nftban-ui with SLSA provenance
+  # Job 2: Assemble all artifacts and upload to release
   # ============================================================================
-  build-nftban-ui:
-    name: Build nftban-ui (SLSA3)
-    needs: get-tag
-    permissions:
-      id-token: write
-      contents: write
-      actions: read
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.1.0
-    with:
-      go-version: "1.25"
-      config-file: .github/slsa/nftban-ui.yml
-      evaluated-envs: "VERSION:${{ needs.get-tag.outputs.tag }}"
-      # Upload provenance directly to release (fixes workflow_run trigger skip)
-      upload-tag-name: ${{ needs.get-tag.outputs.tag }}
-
-  # ============================================================================
-  # Job 3: Assemble all artifacts and upload to release
-  # ============================================================================
-  # NOTE: nftban-ui-auth excluded - requires PAM headers not available in SLSA
+  # NOTE (v1.100.1b.A): nftban-ui + nftban-ui-auth removed — GOTH PR-D4 stage 1.
   assemble-release:
     name: Assemble Release Artifacts
-    needs: [get-tag, build-nftban-core, build-nftban-ui]
+    needs: [get-tag, build-nftban-core]
     runs-on: ubuntu-latest
     # Run for workflow_run (after Release Packages) but not for manual dispatch
     if: ${{ github.event_name == 'workflow_run' }}
@@ -134,17 +116,9 @@ jobs:
           name: ${{ needs.build-nftban-core.outputs.go-provenance-name }}
           path: dist/
 
-      - name: Download nftban-ui artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: ${{ needs.build-nftban-ui.outputs.go-binary-name }}
-          path: dist/
-
-      - name: Download nftban-ui provenance
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: ${{ needs.build-nftban-ui.outputs.go-provenance-name }}
-          path: dist/
+      # nftban-ui artifact + provenance downloads removed in v1.100.1b.A
+      # (GOTH PR-D4 stage 1 — stop shipping). nftban-ui no longer built
+      # by SLSA pipeline.
 
       - name: List artifacts
         run: ls -la dist/
 
@@ -11,6 +11,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [Unreleased] - v1.100.1b.A GOTH PR-D4 stage 1 (stop shipping nftban-ui + nftban-ui-auth)
+
+### Changed (operator-impacting)
+
+- **`nftban-ui` (Web GUI server) and `nftban-ui-auth` (PAM auth daemon) are no longer shipped.** New releases under v1.100.1b.A and later do not include these binaries, their systemd units, or their SLSA provenance artifacts.
+- **Existing installs receive automatic cleanup on upgrade.** Transitional postinst/prerm hooks (DEB) and `%pre` scriptlet (RPM) stop, disable, mask, and remove any prior `nftban-ui.service`, `nftban-ui-auth.service`, `nftban-ui-auth.socket` units, plus the `/usr/sbin/nftban-ui` and `/usr/libexec/nftban-ui-auth` binaries and `/run/nftban-ui` runtime directory.
+- **PAM development headers are no longer a build requirement** for the standard `nftban` package (only `nftban-ui-auth` consumed PAM, and it is no longer built).
+
+### Removed from build / packaging / release pipeline
+
+- `.github/workflows/ci-go.yml`: nftban-ui + nftban-ui-auth build/verify entries removed.
+- `.github/workflows/build-packages.yml`: nftban-ui + nftban-ui-auth removed from binary inventory loops.
+- `.github/workflows/slsa-go-releaser.yml`: `build-nftban-ui` job removed; assemble-release no longer downloads nftban-ui artifacts.
+- `.github/slsa/nftban-ui.yml` and `.github/slsa/nftban-ui-auth.yml`: deleted.
+- `.github/workflows/release.yml`: nftban-ui + nftban-ui-auth removed from binary copy step, asset-replacement list, expected-package list, expected-asset list, SHA256SUMS.build binary list, draft-release upload list, and SLSA download retry loop.
+- `build.sh`: `build_gui`, `build_ui_auth`, `generate_templ` functions removed; `gui` and `ui-auth` subcommands now error with explanation; PAM headers prerequisite check removed; `nftban-ui` and `nftban-ui-auth` removed from `go mod tidy` loop.
+- `packaging/build_nftban.sh`: RPM `%install` no longer installs the binaries or systemd unit files; RPM `%files` no longer references them; DEB build helper drops the equivalent installs. RPM `%pre` and DEB prerm now also disable + mask + remove orphaned unit files transitionally.
+- `packaging/deb/postinst`: `/usr/sbin/nftban-ui` removed from chown/chmod loop.
+- `packaging/deb/prerm`: extended transitional cleanup (disable + mask + remove unit files + delete orphaned binaries).
+- `install/download-binaries.sh`: nftban-ui + nftban-ui-auth removed from fetch, install, verify, and SLSA-provenance check loops.
+- `install/verify_installation.sh`: optional checks for `/usr/sbin/nftban-ui`, `nftban-ui.service`, `nftban-ui-auth.socket` removed.
+
+### Notes
+
+- Source trees under `cmd/nftban-ui/`, `cmd/nftban-ui-auth/`, `internal/ui/`, `internal/auth/`, `internal/session/`, `internal/authproto/` are **intentionally retained** in the repo at this stage. They will be removed in a separate later release (v1.100.1b.B). They still compile via `go build ./...` and their unit tests still run, but the binaries are no longer published.
+- Cross-cutting shell + Go references to the UI surface (87 in `cli/lib/`, 13 in `internal/installer/`, 14 in `internal/nftbanconf/`, 6 in `internal/api/`) are **also intentionally retained** at this stage. They will be cleaned up in v1.100.1b.C.
+- Documentation references (`docs/ARCHITECTURE.md`, `CONTRIBUTING.md`, `docs/REPRODUCIBLE_BUILDS.md`, `SECURITY.md`, `docs/systemd/UNITS.md`, `docs/systemd/TIMERS.md`) are not edited in this release; deferred to v1.100.1b.D.
+- Lifecycle completion work (PR-25 restore execution, PR-26 verification gate, PR-27-30 maintenance) remains explicitly **open** and is not affected by this release.
+
+### Why a transitional approach
+
+A hard removal would orphan running services on prior-version hosts (operators with active `nftban-ui.service` would get it left behind after upgrade). The transitional approach disables, masks, and removes the unit files via the package's own upgrade hooks, so the post-upgrade state is clean even though the new package no longer carries those artifacts.
+
+---
+
 ## [Unreleased] - v1.100.1a CLI jail surgical rename
 
 ### Changed