chore(v1.100.1b.D2): GOTH docs/repo cleanup — closes the removal track (#503)

* chore(v1.100.1b.D2): cli/lib core — drop GOTH UI health checks + FHS entry

Removes the UI/auth health check + FHS spec entries that became orphan
after 1.100.1b.A retired the Web GUI surface.

cli/lib/nftban/core/nftban_health.sh:
  - drop nftban_health_check_gui call site from main check loop
  - drop matching export
  - drop nftban-ui.service from optional_services[]
  - drop /usr/lib/nftban/bin/nftban-ui + nftban-ui-auth from
    optional_binaries[] (now empty array)
  - drop nftban-ui from optional_bins[]

cli/lib/nftban/core/nftban_health_checks_integrations.sh:
  - delete nftban_health_check_gui() function in full (199 lines)
    The function inspected /usr/sbin/nftban-ui binary, GUI service
    state, /run/nftban-ui auth socket dir, /run/nftban-ui/auth.sock,
    nftban-ui-auth.service — every target deleted in earlier C2 work.
  - drop matching export
  - update header purpose comment (drop "gui" from list)

cli/lib/nftban/core/nftban_health_checks_security.sh:
  - drop nftban-ui.service from systemd-analyze key_services list

cli/lib/nftban/core/nftban_fhs_spec.sh:
  - drop /run/nftban-ui from NFTBAN_FHS_DIRECTORIES (was the auth
    socket directory; no longer created by tmpfiles after C2 removed
    the staging entry).

cli/lib/nftban/exporters/:
  - delete nftban_exporter_gui_cache.sh in full — generated UI-only
    cache files (traffic_history.json, dropped_by_country.json,
    dropped_by_port.json) that the retired Web GUI consumed.
  - drop the matching source + generate_gui_cache_files call from
    nftban_unified_exporter_collect.sh (the only sourcing site).

Verified on lab2: go build ./... clean, go test ./internal/... all
pass with etc/ shipped, go mod tidy no-op, bash -n clean on all
edited shell files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(v1.100.1b.D2): cli/lib JSON registries — drop UI surface entries

Removes registry entries that referenced the retired Web GUI surface.

cli/lib/nftban/data/fhs_directories.json:
  - drop /run/nftban-ui directory entry (the GUI/API runtime socket
    directory; no longer created by any installer/tmpfiles path).

cli/lib/nftban/data/config-schema.json:
  - drop NFTBAN_UI_BIN property
  - drop NFTBAN_AUTH_BIN property
  - drop NFTBAN_SERVICE_UI property

cli/lib/nftban/data/reports-registry.json:
  - drop the "api" channel entry (depended on nftban-ui.service for
    its base_endpoint /api/v1/; no daemon serves this endpoint
    anymore after the Web GUI retirement).

Verified: all 3 JSON files parse clean (json.load).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(v1.100.1b.D2): CI workflows — drop obsolete templ + libpam steps

After 1.100.1b.B/C1/C2 deleted all .templ files, _templ.go generated
files, msteinert/pam/v2 imports, and PAM-using packages, the
templ-install + libpam0g-dev apt-install steps in CI workflows are
pure dead steps.

Verified: zero .templ / _templ.go / "C" / msteinert/pam references
remain in tree (across cmd/, internal/, pkg/).

Removed steps:
  - ci-go.yml: templ install/generate/verify + libpam0g-dev install
  - build-packages.yml: templ install + libpam0g-dev install
  - ci-smoke.yml: templ install/generate + libpam0g-dev (kept
    nftables, jq)
  - codeql.yml: templ install/generate + libpam0g-dev install
  - secure-go.yml: templ install/generate + libpam0g-dev install
  - osv-scanner.yml: libpam0g-dev install + matching comment
  - project-health.yml: templ install/generate + libpam0g-dev (kept
    shellcheck/shfmt/yamllint/jq/devscripts/nftables)
  - release.yml: libpam0g-dev install + 2 decommission comments
  - slsa-go-releaser.yml: 3 decommission comments
  - ci-runtime-truth.yml: refresh templ-stub comments to reflect
    CGO-required (not templ-required) reasoning

CGO build flags preserved (still required transitively by
nftban-core + nftband; verified by go build ./... on lab2).

Also: CHANGELOG entry under [Unreleased] documenting D as the closing
phase of the GOTH/UI removal track.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(v1.100.1b.D2): FHS YAML + tmpfiles — close the regenerator gap

CI Policy Gates fired on PR #503 because:
- build/fhs-spec.yaml is the source-of-truth that drives
  build/generate-fhs-outputs.sh
- I had manually pre-edited the generated outputs (fhs_directories.json
  and nftban_fhs_spec.sh) to drop /run/nftban-ui, but missed the YAML
  source — so the regenerator was emitting the entry back.
- This commit removes /run/nftban-ui from the YAML and runs the
  regenerator, which also drops the matching tmpfiles directive
  (d /run/nftban-ui 0755 root nftban -).

Net mechanical fallout of 1.100.1b.D2 (parallel to the go mod tidy
convergence fixes on PRs #500 / #501).

After this commit, regenerator output matches committed state
(verified locally: ./build/generate-fhs-outputs.sh is a no-op).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

.github/workflows/build-packages.yml

@@ -93,14 +93,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libpam0g-dev
-
-      - name: Install templ code generator
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
       - name: Build binaries
         run: |
           chmod +x build.sh

.github/workflows/ci-go.yml

@@ -5,16 +5,12 @@
 # Purpose: Go code validation, build verification, and test execution
 #
 # Checks:
-#   - templ code generation (up to date)
 #   - go mod tidy (dependencies clean)
 #   - go vet (semantic analysis)
 #   - go build (all packages + named binaries)
 #   - go test -race (unit + integration tests with race detector)
 #   - Binary verification (ELF type, minimum size)
 #   - CLI structure validation
-#
-# Note: This merges the former go-check + build-verify jobs into one,
-#       eliminating duplicate Go/templ/libpam setup (~1 min saved).
 # =============================================================================
 
 name: Go Build & Test
@@ -43,9 +39,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Cache Go modules
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0
         with:
@@ -55,19 +48,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-go-
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
-      - name: Verify templ generated files are committed
-        run: |
-          git diff --exit-code -- '*_templ.go' || {
-            echo "::error::Generated *_templ.go files are out of date. Run 'templ generate' and commit."
-            exit 1
-          }
-
       # B80-8: Schema drift gate. Regenerate Go schema from canonical shell
       # source and fail if the committed schema_generated.go differs.
       - name: Verify Go schema matches canonical shell schema
@@ -103,9 +83,6 @@ jobs:
         run: |
           mkdir -p bin
           go build -trimpath -o bin/nftban-core ./cmd/nftban-core
-          # nftban-ui + nftban-ui-auth: removed from shipped binary list per
-          # v1.100.1b.A (GOTH PR-D4 stage 1 — stop shipping). Source trees
-          # remain in repo and are still compiled by `go build ./...` above.
           go build -trimpath -o bin/nftband ./cmd/nftband
           go build -trimpath -o bin/nftban-validate ./cmd/nftban-validate
 

.github/workflows/ci-runtime-truth.yml

@@ -87,11 +87,11 @@ jobs:
         run: |
           set -Eeuo pipefail
           mkdir -p bin
-          # templ generation is required for nftban-core but not for validate/installer.
-          # For this gate we only need the binaries on the critical path.
+          # For this gate we only need the binaries on the critical path
+          # (validator + installer). nftban-core/nftband are stubbed below
+          # to keep this job CGO-free.
           go build -trimpath -o bin/nftban-validate ./cmd/nftban-validate/
           go build -trimpath -o bin/nftban-installer ./cmd/nftban-installer/
-          # Minimal nftban-core stub is provided if templ is absent — skip.
           test -x bin/nftban-validate
           test -x bin/nftban-installer
 
@@ -104,7 +104,7 @@ jobs:
                            /usr/lib/nftban/health /etc/nftban /etc/logrotate.d
           sudo cp bin/nftban-validate /usr/lib/nftban/bin/nftban-validate
           sudo cp bin/nftban-installer /usr/lib/nftban/bin/nftban-installer
-          # Stub the Go-backed binaries whose full build requires templ so
+          # Stub the CGO-required binaries (nftban-core + nftband) so
           # VerifyInventory's required-files check passes. We only need
           # existence, not functionality, for the post-install assertion.
           sudo install -m 0755 /bin/true /usr/lib/nftban/bin/nftban-core

.github/workflows/ci-smoke.yml

@@ -43,13 +43,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update -qq
-          sudo apt-get install -y nftables jq libpam0g-dev
-
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
+          sudo apt-get install -y nftables jq
 
       - name: Build CLI binary
         run: go build -trimpath -o bin/nftban-core ./cmd/nftban-core/

.github/workflows/codeql.yml

@@ -50,9 +50,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Cache Go modules
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0
         with:
@@ -62,12 +59,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-go-
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
       - name: Initialize CodeQL
         uses: github/codeql-action/init@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3
         with:

.github/workflows/osv-scanner.yml

@@ -50,9 +50,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update -qq && sudo apt-get install -y libpam0g-dev
-
       - name: Install OSV-Scanner
         run: |
           curl -sSfL https://github.com/google/osv-scanner/releases/download/v2.3.3/osv-scanner_linux_amd64 -o osv-scanner
@@ -62,7 +59,6 @@ jobs:
       - name: Run OSV-Scanner
         run: |
           # Scan go.mod in lockfile mode
-          # Go + libpam0g-dev installed so govulncheck call analysis can compile
           # Config: osv-scanner.toml suppresses stdlib CVEs (patched by Go toolchain)
           # Exit 0 = clean, Exit 1 = vulnerabilities found, Exit 128 = scan error
           ./osv-scanner scan --config=osv-scanner.toml --lockfile=go.mod \

.github/workflows/project-health.yml

@@ -45,15 +45,9 @@ jobs:
       - name: Install linters & tools
         run: |
           sudo apt-get update
-          sudo apt-get install -y shellcheck shfmt yamllint jq devscripts nftables libpam0g-dev
+          sudo apt-get install -y shellcheck shfmt yamllint jq devscripts nftables
           npm i -g markdownlint-cli2@0.17.2
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
       - name: Run health check
         run: .github/ci/health_check.sh
 

.github/workflows/release.yml

@@ -59,9 +59,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Build binaries
         run: |
           chmod +x build.sh
@@ -368,7 +365,6 @@ jobs:
 
           # Copy raw Go binaries that SLSA can't build (require CGO)
           # NOTE: nftban-core is built by SLSA workflow with provenance.
-          # nftban-ui + nftban-ui-auth removed in v1.100.1b.A (GOTH PR-D4 stage 1).
           if [ -d "all-packages" ]; then
             for binary in nftband; do
               if [ -f "all-packages/${binary}" ]; then
@@ -644,7 +640,6 @@ jobs:
         # - verify-release job will: download with retry, verify checksums,
         #   generate final SHA256SUMS, then publish the release
         # NOTE: nftban-core is uploaded by SLSA workflow with provenance.
-        # nftban-ui + nftban-ui-auth removed in v1.100.1b.A (GOTH PR-D4 stage 1).
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           files: |

.github/workflows/secure-go.yml

@@ -54,9 +54,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Cache Go build
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0
         with:
@@ -66,12 +63,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-go-
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
       - name: Verify modules tidy
         run: |
           go mod tidy

.github/workflows/slsa-go-releaser.yml

@@ -15,11 +15,6 @@
 # Builds:
 #   - nftban-core (main CLI for firewall operations)
 #
-# NOTE (v1.100.1b.A): nftban-ui + nftban-ui-auth removed from shipped
-# artifact set per GOTH PR-D4 stage 1. SLSA build coverage now scoped
-# to nftban-core only. Source trees for the UI surface remain in repo
-# but are not built or published.
-#
 # COORDINATION: This workflow runs AFTER Release Packages completes to avoid
 # race conditions when uploading assets to the same GitHub release.
 # =============================================================================
@@ -93,7 +88,6 @@ jobs:
   # ============================================================================
   # Job 2: Assemble all artifacts and upload to release
   # ============================================================================
-  # NOTE (v1.100.1b.A): nftban-ui + nftban-ui-auth removed — GOTH PR-D4 stage 1.
   assemble-release:
     name: Assemble Release Artifacts
     needs: [get-tag, build-nftban-core]
@@ -116,10 +110,6 @@ jobs:
           name: ${{ needs.build-nftban-core.outputs.go-provenance-name }}
           path: dist/
 
-      # nftban-ui artifact + provenance downloads removed in v1.100.1b.A
-      # (GOTH PR-D4 stage 1 — stop shipping). nftban-ui no longer built
-      # by SLSA pipeline.
-
       - name: List artifacts
         run: ls -la dist/