feat(v1.100 PR-23): uninstall mutation phase 1 — authority release core

First bounded uninstall mutation path. Replaces the PR-22 auto-elevate
shim with explicit consent (--dry-run XOR --confirm-mutation) and adds
the kernel + service authority-release sequence. Per locked contract
seed: authority release ONLY, no filesystem deletion, no external
firewall restoration, no purge matrix.

## Scope (locked 2026-04-20; approved corrections 2026-04-20)

- ✅ Kernel: flush + delete ip nftban / ip6 nftban tables
- ✅ Service: stop + disable + mask nftband.service
- ✅ Safety: emergency SSH injection before mutation, removal after
- ✅ End-state validation before emergency teardown

**Not in scope** (scope-lock enforced):
- ❌ NO filesystem artifact deletion
- ❌ NO .conf.local read/write
- ❌ NO external firewall restoration (PR-24)
- ❌ NO purge vs remove matrix (PR-25)
- ❌ NO post-verify gate beyond step 9 (PR-26)
- ❌ NO uninstall-history schema (tracked as follow-up — Option A locked)

## Consent model

`--mode=uninstall` now requires exactly ONE of:

  --dry-run          : observational plan (unchanged from PR-22)
  --confirm-mutation : authority release core (PR-23 new)

Passing neither is refused. Passing both is refused. This replaces
the PR-22 auto-elevate shim that PR-P2-5 (G3-UN-SHIM-LOCK) was
designed to force into removal at PR-23 time — the gate's
shim_present flips 0 at the same commit mutation_present flips 1.

## Classifier — new AmbiguityKind field (purely additive)

`ClassifyResult.Ambiguity` sub-classifies AuthorityAmbiguous so Apply
can distinguish recoverable from blocking ambiguity without re-
deriving host signals:

  AmbiguityNone              : State != Ambiguous (invariant)
  AmbiguityOrphanNFTBan      : partial nftban + NO external
                              → RECOVERABLE — Apply proceeds via
                                emergency-SSH path to clean up
  AmbiguityConflictExternal  : full nftban + external, OR
                              partial nftban + external, OR
                              multiple externals active
                              → BLOCKING — Apply refuses

Consumers read the classifier output rather than re-probing (prevents
the divergent-interpretation drift that the audits kept flagging).

## Mutation sequence (10 explicit steps in uninstall/apply.go)

 1. Inject emergency SSH safety table (switchop.InjectEmergencySSH)
 2. Stop nftband.service (prevent it fighting kernel mutation)
 3. Flush ip nftban
 4. Flush ip6 nftban (skip if absent)
 5. Delete ip nftban
 6. Delete ip6 nftban (skip if absent)
 7. Disable nftband.service
 8. Mask nftband.service (prevent accidental restart)
 9. Validate end-state:
      - no ip/ip6 nftban table
      - nftband.service not active
      - emergency SSH table STILL PRESENT (correction 2 — step 10
        is what removes it, not step 9)
10. Remove emergency SSH (warn-only on failure)

## Failure mapping (explicit, not implicit)

| Step | Kernel state after | Terminal state |
|------|-------------------|----------------|
|  1   | untouched         | StateFailedNoFirewall |
|  2   | untouched         | log warn, continue |
| 3-6  | partial cleanup   | StateUninstallFailedRelease |
| 7-8  | kernel released   | StateDegraded |
|  9   | end-state wrong   | StateUninstallFailedRelease |
| 10   | released + warn   | StateUninstallReleased |
| all  | AuthorityNone     | StateUninstallReleased |

Every failure branch has a declared post-state; no silent partial
success; no silent fallback.

## New state machine terminals

- StateUninstallReleased      : success; ExitCode → ExitCommitted (0)
- StateUninstallFailedRelease : mutation started but incomplete;
                                ExitCode → ExitFailed (2)

Both IsApplyTerminal() return true. History write guard in main.go
ALSO excludes cfg.mode=="uninstall" so these states never land in
update-history.json (Option A — see below).

## History representation (Option A locked 2026-04-20)

update-history.json has install-centric status vocabulary
(success / install_fail / verify_fail). None truthfully represents
uninstall success. Rather than lie (record as "success") or
over-engineer (add schema values / new file) inside PR-23, skip
entirely:

  main.go writeHistory guard now reads:
    if !cfg.dryRun && cfg.mode != "uninstall" && IsApplyTerminal(state)

Forensic trail for uninstall events is /var/log/nftban/installer.log
(structured step-by-step audit).

A dedicated uninstall-history schema is tracked as an explicit
follow-up item in contract.md. Not a PR-24 blocker; a truthfulness
gap until resolved.

## Files

- internal/installer/uninstall/authority.go     — AmbiguityKind + field
- internal/installer/uninstall/apply.go (NEW)   — Apply orchestrator
- internal/installer/uninstall/apply_test.go(N) — 7 tests (happy +
                                                  emergency-inject-fail +
                                                  flush-mid-fail +
                                                  mask-fail positive
                                                  control + orphan-
                                                  cleanup +
                                                  ipv6-absent-skip +
                                                  step-9 invariant;
                                                  step-9-residual marked
                                                  Skip pending mock-hook
                                                  infrastructure)
- internal/installer/uninstall/uninstall_test.go — AmbiguityKind tests
- internal/installer/state/machine.go           — new terminals
- internal/installer/state/machine_test.go      — terminal mappings
- cmd/nftban-installer/flags.go                 — shim removal +
                                                  --confirm-mutation
- cmd/nftban-installer/main.go                  — routing + history gate
- cmd/nftban-installer/uninstall_apply.go (NEW) — dispatcher
- internal/installer/uninstall/contract.md      — PR-23 contract doc
- .github/workflows/ci-uninstall-canonization.yml
                                                — G3-UN-NO-MUTATION
                                                  narrowed to exclude
                                                  apply.go (legitimate
                                                  mutation surface)

## CI gate interaction

- G3-UN-SHIM-LOCK: shim_present=0 + mutation_present=1 → PASS (post-
  PR-23 state). This is the coupling PR-P2-5 was designed to enforce.
- G3-UN-NO-MUTATION: scope narrowed with `grep -vE '/apply\.go$'` so
  the dry-run observational surface remains mutation-free while
  apply.go is exempt from the forbidden-pattern list.
- G3-EXEC-TRACE: unchanged; wraps only the dry-run invocation, not the
  new confirm-mutation path.
- G3-KS-SNAPSHOT: unchanged; dry-run-scoped.
- G3-UN-PLAN-RENDERS: unchanged; covers only the dry-run render.

The mutation-path gates (real-host evidence of correct authority
release) are documented in the PR body as a merge blocker per
reviewer checklist §9 — to be captured on lab2 + lab4 before merge.

Refs: V1100_LIFECYCLE_COMPLETION_CONTRACT.md §13 (frozen 2026-04-19)
      internal/installer/uninstall/contract.md §"PR-23 authority
      release — landed contract"
Authorization: locked PR-23 contract seed + reviewer checklist
(2026-04-20) with approved corrections (AmbiguityKind split +
step-9 emergency-still-present invariant + Option A history)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr

.github/workflows/ci-uninstall-canonization.yml

@@ -194,15 +194,29 @@ jobs:
             echo "G3-UN-SHIM-LOCK PASS — neither shim nor uninstall mutation present"
           fi
 
-      - name: G3-UN-NO-MUTATION — structural audit of uninstall package
+      - name: G3-UN-NO-MUTATION — structural audit of uninstall observational scope
         shell: bash
         run: |
           set -Eeuo pipefail
-          # Narrow search scope to PR-22's claim surface.
+          # Narrow search scope to the OBSERVATIONAL uninstall surface.
+          #
+          # PR-23 introduced the one legitimate uninstall mutation path
+          # (internal/installer/uninstall/apply.go — the authority
+          # release orchestrator). That file is explicitly excluded
+          # from this grep scope because it MUST contain the kernel +
+          # service mutation calls the release sequence performs.
+          #
+          # G3-UN-SHIM-LOCK (separate gate in this workflow) is the
+          # invariant that ensures apply.go's mutation cannot coexist
+          # with the auto-elevate shim. G3-EXEC-TRACE (all 3 workflows)
+          # catches forbidden mutators at the dry-run path's syscall
+          # layer. Together those three gates cover the "no mutation
+          # during dry-run + mutation only in the sanctioned apply
+          # file" contract.
           files=$(find \
             internal/installer/uninstall \
             cmd/nftban-installer/uninstall_dryrun.go \
-            -type f -name '*.go' 2>/dev/null || true)
+            -type f -name '*.go' 2>/dev/null | grep -vE '/apply\.go$' || true)
           if [[ -z "$files" ]]; then
             echo "::error::G3-UN-NO-MUTATION: uninstall scope files not found"
             exit 1

cmd/nftban-installer/flags.go

@@ -58,6 +58,16 @@ type config struct {
 	// behind an explicit default-off flag. Operators that relied on the
 	// prior behaviour must now pass --panel-auto-takeover.
 	panelAutoTakeover bool // --panel-auto-takeover: allow panel presence to auto-approve takeover (default OFF)
+	// v1.100 PR-23: --confirm-mutation replaces the PR-22 auto-elevate
+	// shim. --mode=uninstall now requires exactly one of:
+	//   --dry-run          (observational plan)
+	//   --confirm-mutation (authority release core)
+	// Passing neither is refused; passing both is refused. This
+	// eliminates the "safe by default" UX drift that the PR-22 scaffold
+	// had to temporarily tolerate. The G3-UN-SHIM-LOCK CI gate catches
+	// any regression that reintroduces an auto-elevate path while the
+	// mutation code is present.
+	confirmMutation bool // --confirm-mutation: authorize uninstall authority release (PR-23)
 }
 
 func parseFlags() *config {
@@ -87,6 +97,8 @@ func parseFlags() *config {
 	flag.BoolVar(&cfg.restorePriorAuthority, "restore-prior-authority", false, "Restore pre-install external firewall authority. Requires recorded prior-authority record. Plan-only in PR-22.")
 	// v1.100 PR-22B: explicit panel-auto-takeover gate (see config field doc).
 	flag.BoolVar(&cfg.panelAutoTakeover, "panel-auto-takeover", false, "Allow control-panel presence to auto-approve takeover of conflicting firewalls. Default OFF. Set explicitly to preserve pre-PR-22B behaviour.")
+	// v1.100 PR-23: --confirm-mutation — explicit uninstall mutation entry.
+	flag.BoolVar(&cfg.confirmMutation, "confirm-mutation", false, "Authorize uninstall authority release (real kernel + service mutation). Required for --mode=uninstall without --dry-run. Mutually exclusive with --dry-run.")
 
 	flag.Parse()
 
@@ -146,32 +158,29 @@ func parseFlags() *config {
 				fmt.Fprintln(os.Stderr, "       it has no effect on remove mode and cannot be passed alone.")
 				os.Exit(state.ExitFatal)
 			}
-			// v1.100 PR-22: uninstall mode is accepted; current release
-			// is detect + dry-run plan only. Mutation phases land in
-			// PR-23+.
+			// v1.100 PR-23: auto-elevate shim REMOVED. The operator must
+			// explicitly choose between:
 			//
-			// Audit C regression guard: when PR-23+ adds real mutation,
-			// this auto-elevation block MUST be removed or changed to
-			// REFUSE rather than silently elevate. Leaving it in place
-			// would teach operators that --mode=uninstall is "safe by
-			// default" — then PR-23 would change that meaning without
-			// an audit prompt. Tracked in the PR-22 contract doc:
-			// internal/installer/uninstall/contract.md (audit C regression
-			// note).
-			if !cfg.dryRun {
-				fmt.Fprintln(os.Stderr, "╔══════════════════════════════════════════════════════════════════════╗")
-				fmt.Fprintln(os.Stderr, "║  --mode=uninstall: NO MUTATION WILL OCCUR (v1.100 PR-22 scope)       ║")
-				fmt.Fprintln(os.Stderr, "║                                                                      ║")
-				fmt.Fprintln(os.Stderr, "║  PR-22 ships detect + dry-run plan only. This invocation is being   ║")
-				fmt.Fprintln(os.Stderr, "║  auto-elevated to --dry-run. Nothing will be removed, no authority  ║")
-				fmt.Fprintln(os.Stderr, "║  released, no service disabled, no file deleted.                    ║")
-				fmt.Fprintln(os.Stderr, "║                                                                      ║")
-				fmt.Fprintln(os.Stderr, "║  When PR-23+ adds mutation, this auto-elevation will be removed.    ║")
-				fmt.Fprintln(os.Stderr, "║  At that point, --mode=uninstall will mutate unless --dry-run is    ║")
-				fmt.Fprintln(os.Stderr, "║  explicitly passed. Do not build operational habits around this     ║")
-				fmt.Fprintln(os.Stderr, "║  PR-22 safety-by-default behaviour.                                 ║")
-				fmt.Fprintln(os.Stderr, "╚══════════════════════════════════════════════════════════════════════╝")
-				cfg.dryRun = true
+			//   --dry-run          : observational plan (zero mutation)
+			//   --confirm-mutation : authority release core (real kernel
+			//                        + service mutation)
+			//
+			// Passing neither is refused. Passing both is refused. This
+			// replaces the PR-22 scaffold-era "safe by default" UX with
+			// explicit consent, closing the audit-C regression seam. The
+			// G3-UN-SHIM-LOCK CI gate verifies no auto-elevate path
+			// coexists with uninstall mutation code.
+			if !cfg.dryRun && !cfg.confirmMutation {
+				fmt.Fprintln(os.Stderr, "error: --mode=uninstall requires exactly one of --dry-run OR --confirm-mutation")
+				fmt.Fprintln(os.Stderr, "       --dry-run          : render the release plan, make no changes")
+				fmt.Fprintln(os.Stderr, "       --confirm-mutation : release nftban authority (real kernel + service mutation)")
+				fmt.Fprintln(os.Stderr, "       explicit consent is required — silent default behaviour was removed in PR-23.")
+				os.Exit(state.ExitFatal)
+			}
+			if cfg.dryRun && cfg.confirmMutation {
+				fmt.Fprintln(os.Stderr, "error: --dry-run and --confirm-mutation are mutually exclusive")
+				fmt.Fprintln(os.Stderr, "       one asks for a plan; the other authorises mutation. Pick one.")
+				os.Exit(state.ExitFatal)
 			}
 			return cfg
 		}
@@ -217,6 +226,14 @@ func parseFlags() *config {
 		os.Exit(state.ExitFatal)
 	}
 
+	// PR-23: --confirm-mutation has no meaning outside --mode=uninstall.
+	// Reject explicitly so operators don't get a silent no-op or a
+	// nonsense interaction with install/upgrade takeover semantics.
+	if cfg.confirmMutation && cfg.mode != "uninstall" {
+		fmt.Fprintln(os.Stderr, "error: --confirm-mutation is only valid with --mode=uninstall")
+		os.Exit(state.ExitFatal)
+	}
+
 	// --source is mutually exclusive with packaging-origin flags.
 	if cfg.source && (cfg.rpm || cfg.deb) {
 		fmt.Fprintln(os.Stderr, "error: --source cannot be combined with --rpm or --deb")

cmd/nftban-installer/main.go

@@ -112,15 +112,16 @@ func main() {
 	//
 	// PR-22B boundary repair: history writes are gated on an explicit
 	// allowlist of apply-terminal states AND the absence of --dry-run.
-	// This replaces the earlier mode-name heuristic with a structural
-	// predicate — dry-runs, intermediate states, and planning-terminal
-	// states (e.g. StateUninstallPlanning) never produce history entries.
 	//
-	// Audit finding F (history / audit-trail truth): update dry-runs used
-	// to be recorded as install_fail because StateDetectComplete has no
-	// "success" mapping; now they are not recorded at all. Automation that
-	// consumes update-history.json is no longer polluted by preview runs.
-	if !cfg.dryRun && state.IsApplyTerminal(sf.State) {
+	// PR-23 extension (Option A locked 2026-04-20): uninstall mode is
+	// ALSO excluded. update-history.json has an install-centric status
+	// vocabulary (success / install_fail / verify_fail) that cannot
+	// truthfully represent uninstall success without misrepresenting
+	// it as an install-success. A dedicated uninstall-history schema
+	// is an explicit pre-PR-24 (or parallel) follow-up item; until
+	// that lands, uninstall events are forensically visible only in
+	// the installer log, and update-history.json stays clean of them.
+	if !cfg.dryRun && cfg.mode != "uninstall" && state.IsApplyTerminal(sf.State) {
 		writeHistory(sf, cfg, previousVersion, hostname, log)
 	}
 
@@ -156,11 +157,18 @@ func run(ctx context.Context, exec executor.Executor, sf *state.StateFile, cfg *
 	if cfg.repair {
 		return runRepair(ctx, exec, sf, log)
 	}
-	// v1.100 PR-22 (uninstall scaffold): uninstall-mode short-circuits
-	// to authority classify + prior-record probe + plan render. No
-	// mutation code exists in this release; mutation phases land in
-	// PR-23+. flags.go forces --dry-run for --mode=uninstall in PR-22.
+	// v1.100 PR-22 / PR-23 uninstall dispatch.
+	//
+	// flags.go validation (PR-23) guarantees exactly ONE of dryRun
+	// or confirmMutation is true for --mode=uninstall, so this two-
+	// branch routing is exhaustive:
+	//
+	//   --mode=uninstall --dry-run          → observational plan
+	//   --mode=uninstall --confirm-mutation → authority release (PR-23)
 	if cfg.mode == "uninstall" {
+		if cfg.confirmMutation {
+			return runUninstallApply(ctx, exec, sf, cfg, log)
+		}
 		return runUninstallDryRun(ctx, exec, sf, cfg, log)
 	}
 	// v1.99 PR-16 (G3-U1/U2/U3/U4): update-mode dry-run short-circuits to

cmd/nftban-installer/uninstall_apply.go

@@ -0,0 +1,138 @@
+// =============================================================================
+// NFTBan v1.100 PR-23 — Uninstall Apply Dispatcher
+// =============================================================================
+// SPDX-License-Identifier: MPL-2.0
+// meta:name="nftban-installer-uninstall-apply"
+// meta:type="cmd"
+// meta:owner="Antonios Voulvoulis <contact@nftban.com>"
+// meta:created_date="2026-04-20"
+// meta:description="--mode=uninstall --confirm-mutation dispatcher: preflight + Apply + state transition"
+// meta:inventory.files="cmd/nftban-installer/uninstall_apply.go"
+// meta:inventory.binaries=""
+// meta:inventory.env_vars=""
+// meta:inventory.config_files=""
+// meta:inventory.systemd_units="nftband.service"
+// meta:inventory.network=""
+// meta:inventory.privileges="root"
+// =============================================================================
+//
+// This dispatcher is the ONLY entry into uninstall mutation. Reached
+// only when:
+//
+//   cfg.mode             == "uninstall"  AND
+//   cfg.confirmMutation  == true         AND
+//   cfg.dryRun           == false
+//
+// (flags.go rejects any other combination at parse time.)
+//
+// Responsibilities:
+//
+//   1. Detect SSH port (reused from install-side detect package).
+//   2. Classify current authority (via uninstall.Classify).
+//   3. Preflight refusal for non-recoverable states; proceed for
+//      AuthorityNFTBan or recoverable AuthorityAmbiguous+OrphanNFTBan.
+//   4. Invoke uninstall.Apply for the mutation sequence.
+//   5. Transition the state file to the Apply result's terminal state.
+//
+// Emergency SSH: Apply handles the entire inject/validate/remove cycle
+// internally. The dispatcher never touches the kernel directly.
+//
+// History: intentionally NOT written for uninstall mode. main.go's
+// writeHistory guard excludes cfg.mode=="uninstall" (Option A locked
+// 2026-04-20). Uninstall events are forensically visible only in the
+// installer log until a dedicated uninstall-history schema lands in a
+// later PR.
+//
+// =============================================================================
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/itcmsgr/nftban/internal/installer/detect"
+	"github.com/itcmsgr/nftban/internal/installer/executor"
+	"github.com/itcmsgr/nftban/internal/installer/logging"
+	"github.com/itcmsgr/nftban/internal/installer/state"
+	"github.com/itcmsgr/nftban/internal/installer/uninstall"
+)
+
+// runUninstallApply orchestrates the PR-23 authority release path.
+// Returns the process exit code derived from the final state.
+func runUninstallApply(_ context.Context, exec executor.Executor, sf *state.StateFile, _ *config, log *logging.Logger) int {
+	log.Info("uninstall apply starting (mode=uninstall, confirm-mutation=true)")
+
+	// 1. SSH port — needed for the emergency SSH safety table.
+	sshPort, sshErr := detect.SSHPort(exec, log)
+	if sshErr != nil {
+		log.Error("uninstall apply: SSH port detection failed: %v", sshErr)
+		_ = sf.Transition(state.StateFailedSSH, state.PhaseDetect,
+			"SSH port detection failed: "+sshErr.Error())
+		return sf.State.ExitCode()
+	}
+	log.Detect("ssh", "port", fmt.Sprintf("%d", sshPort))
+	sf.SSHPort = sshPort
+
+	// 2. Classify authority.
+	auth := uninstall.Classify(exec, log)
+	log.Info("uninstall apply: authority=%s ambiguity=%s external=%s",
+		auth.State, auth.Ambiguity, auth.External)
+
+	// 3. Preflight decision table.
+	proceed := false
+	var refuseReason string
+	switch {
+	case auth.State == uninstall.AuthorityNFTBan:
+		proceed = true
+	case auth.State == uninstall.AuthorityAmbiguous && auth.Ambiguity == uninstall.AmbiguityOrphanNFTBan:
+		// PR-23 correction 1 (locked 2026-04-20): recoverable ambiguity.
+		// Orphan nftban kernel/service artifacts with no external
+		// authority observable — Apply proceeds via the emergency-SSH-
+		// injected cleanup path.
+		log.Info("uninstall apply: recoverable ambiguity (orphan_nftban) — proceeding with cleanup")
+		proceed = true
+	case auth.State == uninstall.AuthorityAmbiguous && auth.Ambiguity == uninstall.AmbiguityConflictExternal:
+		refuseReason = "authority is ambiguous (external firewall conflict); operator must resolve before uninstall mutation can proceed"
+	case auth.State == uninstall.AuthorityExternal:
+		refuseReason = "nftban is not authoritative (" + auth.External + " appears to own the firewall); nothing to release"
+	case auth.State == uninstall.AuthorityNone:
+		refuseReason = "no firewall authority detected; nothing to release"
+	default:
+		refuseReason = "unknown authority state: " + string(auth.State)
+	}
+
+	if !proceed {
+		log.Error("uninstall apply: preflight REFUSED — %s", refuseReason)
+		fmt.Fprintln(os.Stderr, "uninstall apply: preflight refused — "+refuseReason)
+		_ = sf.Transition(state.StateFailedAbort, state.PhaseDetect, refuseReason)
+		return sf.State.ExitCode()
+	}
+
+	// 4. Apply the mutation sequence.
+	result := uninstall.Apply(exec, &uninstall.ApplyConfig{SSHPort: sshPort}, log)
+
+	// 5. Persist terminal state. sf.Transition returns a non-nil error
+	// for failure states (so phase runners halt); here we ignore that
+	// signal because the dispatcher IS the halt point.
+	_ = sf.Transition(result.State, state.PhaseSwitch, result.Reason)
+
+	// Step-by-step evidence log for operator forensics + CI real-host
+	// evidence capture. Every step is logged regardless of outcome.
+	log.Info("uninstall apply: %d steps executed:", len(result.Steps))
+	for i, s := range result.Steps {
+		verdict := "ok"
+		if !s.Success {
+			verdict = "FAIL"
+		}
+		log.Info("  step %d %-28s %s  %s", i+1, s.Name, verdict, s.Detail)
+	}
+
+	if result.State == state.StateUninstallReleased {
+		log.Result("[NFTBan] uninstall: authority released; nftban is no longer authoritative on this host")
+	} else {
+		log.Result("[NFTBan] uninstall: %s — %s", result.State, result.Reason)
+	}
+
+	return sf.State.ExitCode()
+}

internal/installer/state/machine.go

@@ -44,6 +44,36 @@ const (
 	// the planning state so the scope-boundary block in plan output
 	// remains literally true: no phase beyond Planning exists yet.
 	StateUninstallPlanning InstallState = "UNINSTALL_PLANNING"
+
+	// StateUninstallReleased is the terminal success state for v1.100
+	// PR-23's uninstall mutation (authority release core). Reached
+	// after:
+	//   - kernel nftban tables flushed + deleted
+	//   - nftband.service stopped, disabled, masked
+	//   - end-state validation passed (no nftban authority remaining)
+	//   - emergency SSH table cleanly removed
+	//
+	// IsApplyTerminal() returns true for this state so downstream
+	// lifecycle consumers see it as a completed apply outcome.
+	// ExitCode() maps to ExitCommitted (0) — the operator asked for
+	// uninstall and got it. However, the uninstall-history
+	// representation is intentionally SKIPPED for this state in PR-23
+	// (Option A locked 2026-04-20): update-history.json cannot
+	// truthfully represent uninstall success under its install-centric
+	// schema, and the separate-schema work is explicitly deferred to a
+	// later PR. writeHistory is gated on cfg.mode != "uninstall" in
+	// main.go, so this state does NOT produce a history entry.
+	StateUninstallReleased InstallState = "UNINSTALL_RELEASED"
+
+	// StateUninstallFailedRelease is the terminal failure state for
+	// PR-23 when mutation started but did not complete cleanly. The
+	// emergency SSH table may still be present (over-permissive SSH
+	// is the deliberate fallback — losing SSH on a failure is a worse
+	// outcome than a temporary permissive rule). Operator must
+	// investigate kernel + service state and either retry or manually
+	// resolve. IsApplyTerminal() returns true; ExitCode() maps to
+	// ExitFailed (2).
+	StateUninstallFailedRelease InstallState = "UNINSTALL_FAILED_RELEASE"
 )
 
 // Phase represents a named installer phase.
@@ -97,7 +127,16 @@ func (s InstallState) IsApplyTerminal() bool {
 		StateFailedRender,
 		StateFailedRebuild,
 		StateFailedNoFirewall,
-		StateFailedTakeover:
+		StateFailedTakeover,
+		// PR-23: uninstall terminal states represent completed apply
+		// outcomes too. IsApplyTerminal participates in the
+		// history-write gate, but the uninstall-history Option A lock
+		// means main.go's writeHistory call additionally excludes
+		// cfg.mode=="uninstall" — so these states here are marked
+		// apply-terminal for lifecycle-bridge consumers without
+		// triggering install-centric history representation.
+		StateUninstallReleased,
+		StateUninstallFailedRelease:
 		return true
 	}
 	return false
@@ -113,7 +152,9 @@ func IsApplyTerminal(s InstallState) bool { return s.IsApplyTerminal() }
 func (s InstallState) IsFailed() bool {
 	switch s {
 	case StateFailedSSH, StateFailedAbort, StateFailedRender,
-		StateFailedRebuild, StateFailedNoFirewall, StateFailedTakeover:
+		StateFailedRebuild, StateFailedNoFirewall, StateFailedTakeover,
+		// PR-23 uninstall failure terminal.
+		StateUninstallFailedRelease:
 		return true
 	}
 	return false
@@ -129,6 +170,12 @@ func (s InstallState) ExitCode() int {
 	switch s {
 	case StateCommitted:
 		return ExitCommitted
+	// PR-23: uninstall success maps to ExitCommitted too. The operator
+	// asked for uninstall and got it; the process exit code reflects
+	// operation success, not install-specific success. Install-history
+	// semantics are kept distinct via the writeHistory mode guard.
+	case StateUninstallReleased:
+		return ExitCommitted
 	case StateDegraded:
 		return ExitDegraded
 	case StateFailedAbort: