release: v1.98.2 — runtime correctness patch (R-1 + R-2 + R-3 + G-CI-1)#472
Merged
release: v1.98.2 — runtime correctness patch (R-1 + R-2 + R-3 + G-CI-1)#472
Conversation
Narrow patch release closing the three correctness follow-ups surfaced by the v1.98.1 operational audit. No new modules, no lifecycle or API surface changes. R-1 (issue #469) — nftban validate exit code: Derive shell exit from max(error-count, validator rc, .status ∈ {down,degraded}). Fixes "misleading success" where Status: ERROR coexisted with exit 0. Contract documented in --help. R-2 (issue #470) — nftban health check bash trap: Wrap validator command substitution in an if/assignment; capture rc + stderr; render bounded DOWN diagnostic with non-zero exit. Replaces ERR-trap crash at cmd_health.sh:417. R-3 (issue #463) — installer payload truth: Tag payload entries by category (binaries/shell/configs/systemd/ polkit/logrotate/docs/version). Emit INFO-level per-category summary. Add payload.VerifyInventory() + payload_inventory_ok assertion in validate.RunAssertions. The assertion blocks COMMITTED when required canonical destinations are absent — this is the check that would have caught the missing VERSION file before v1.98.1 tag. G-CI-1 — Runtime Truth Gate (ci-runtime-truth.yml): Matrix Ubuntu 24.04 + AlmaLinux 9. Seven sub-gates G1-G7 covering the three Rs plus source-install parity, idempotency, and package non-regression. Blocking on merge. VERSION 1.98.1 → 1.98.2; FHS spec regenerated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
…r deps Three post-CI-review fixes for PR #472: 1. R-1/R-2 bash if/assignment rc bug (CRITICAL): `if ! var=$(cmd); then rc=$?; fi` captures $?=0 inside the then-block because the ASSIGNMENT's own exit code is 0 (assignment succeeded), not the command substitution's exit. This caused G2 to report "health returned 0 while validator was broken" even though the code intended to return 2. Correct idiom: `var=$(cmd) || rc=$?` which captures the actual command exit without triggering the ERR trap. Applied to both cmd_health.sh (R-2) and nftban_ip_and_stats.sh (R-1). 2. revalidate tests: healthyMock now seeds payload inventory: RunAssertions gained payload_inventory_ok in v1.98.2 R-3. The revalidate_test.go healthyMock doesn't seed inventory paths, so every post-R-3 test run fails on "15 missing" paths. Fix: call seedCompletePayloadInventory from healthyMock so happy-path stays happy. Failure-path tests still work because they only care about AllPassed being false, not which assertion failed. 3. CI workflow fixes for ci-runtime-truth.yml: - AlmaLinux 9 container: drop `coreutils` from dnf install (conflicts with preinstalled coreutils-single on minimal image). - G4: drop dry-run attempt (install.sh is a 13-line bootstrap with no --dry-run mode); use structural check against Go source only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…gosec G304 Three follow-ups to get PR #472 CI fully green: 1. G5 gate — stage nftban-installer binary and provide /bin/true stubs for nftban-core + nftband. VerifyInventory requires all four binaries at /usr/lib/nftban/bin/; the workflow built nftban-installer but never copied it, and nftban-core/nftband aren't built in this job (they need templ and the full daemon build pipeline). Stubs satisfy the existence check without pulling in templ. 2. gosec G304 annotation on dirIsEmpty: os.Open(dir) flagged as "Potential file inclusion via variable." The caller VerifyInventory only ever passes canonical FHS paths from a hardcoded list — no user-controlled input, no traversal surface. Added #nosec G304. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Inline annotation form is what gosec recognizes in this repo's configuration — the preceding-comment form didn't suppress the warning. No behavior change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ttern The inline #nosec G304 alone did not satisfy the gosec check in CI. Existing G304 suppressions in internal/botguard/* use the same idiom: filepath.Clean(path) wrap + inline #nosec comment. Adopting it here. Behaviour is unchanged — canonical FHS paths are already clean, Clean() is a no-op for them. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Narrow patch release closing the three correctness follow-ups surfaced by the v1.98.1 operational audit.
nftban validateexit code now derives from max(error-count, validator rc,.status ∈ {down,degraded}). Fixes "misleading success" whereStatus: ERRORcoexisted with exit 0.nftban health checkno longer crashes via bash trap under validator failure. Wraps validator command-substitution with explicit rc capture + bounded DOWN diagnostic.payload_inventory_okassertion invalidate.RunAssertionsblocksCOMMITTEDwhen required canonical destinations are absent (VERSION, nftables.conf, logrotate, shell payload dirs). This is the check that would have caught the v1.98.1 P0 before tag..github/workflows/ci-runtime-truth.ymlenforces the contract. Matrix Ubuntu 24.04 + AlmaLinux 9. Seven sub-gates G1–G7.No new modules, no lifecycle or API surface changes. VERSION 1.98.1 → 1.98.2, FHS spec regenerated.
Closes #463, closes #469, closes #470.
Test plan
TestRunAssertions_PayloadInventoryMissingreproduces v1.98.1 P0 and catches itTestRunAssertions_*still pass with seeded payload inventory🤖 Generated with Claude Code