feat(v1.99 PR-16): update trigger → lifecycle/rebuild integration (G3-U1..U4)

[itcmsgr]

Summary

First PR in the v1.99 Update Engine Canonization track. Establishes the contract + first wiring layer so that nftban update is treated as a bounded state transition through the lifecycle engine, not a parallel installer.

Draft — depends on v1.98.2 tag (already shipped as of this PR), and a companion-spec review pass before landing.

Architecture constraint (INV-U-001)

Update is a bounded trigger into the rebuild/lifecycle pipeline.
No separate update-only staging/validation/switch logic. Apply work lands in PR-18 and reuses existing rebuild semantics.

The plan rendered by --dry-run prints this reminder so operators see the architectural model, not just the outcome.

Scope of this PR (explicit)

In scope — closes G3-U1..U4

Gate	What this PR does
G3-U1 lifecycle entry	nftban-installer --mode=upgrade --dry-run routes to runUpdateDryRun; installer binary header records mode=upgrade
G3-U2 version detection	update.DetectVersions reads /usr/lib/nftban/VERSION (current) + <sourceDir>/VERSION (target). Package-install target detection deferred to PR-17.
G3-U3 --dry-run correctness	runUpdateDryRun renders plan, persists plan JSON to state dir for audit, exits 0/1. No mutation of /etc/nftban/**.
G3-U4 preflight enforcement	update.Preflight runs five checks P-1..P-5. Critical failures flip plan.Warnings; warning-severity failures stay informational.

Out of scope (explicit)

• No shell update path deletion (PR-21)
• No update apply logic (PR-18)
• No package-install target detection (PR-17)
• No uninstall / config-registry / hardening work

What landed

New package internal/installer/update/

• preflight.go — 5 preconditions P-1 authority, P-2 service, P-3 artifact, P-4 nft dep, P-5 stale-state warning
• plan.go — Plan struct + DetectVersions + BuildPlan + Render + JSON round-trip. Schema version 1.99.0.
• update_test.go — 14 tests covering happy path + each preflight failure mode + version detection edge cases + JSON schema contract

Installer binary

• cmd/nftban-installer/update_dryrun.go — new orchestrator; reuses phaseDetect, then runs Preflight + DetectVersions + BuildPlan, renders + persists JSON
• cmd/nftban-installer/main.go — dispatch: --mode=upgrade + --dry-run → runUpdateDryRun

CI gate (new, blocking)

• .github/workflows/ci-update-canonization.yml — matrix Ubuntu 24.04 + AlmaLinux 9. Enforces G3-U1/U2/U3/U4. Future sub-gates (G3-U5..U17 + P-1/P-2/P-3 + G3-U-REBUILD-PARITY) added incrementally by PR-17..PR-21 per spec.

Specs

• V1.90_AUDIT_WIKI_CODE/V199_PR16_UPDATE_TRIGGER_SPEC.md (draft)
• V1.90_AUDIT_WIKI_CODE/G3_UPDATE_GATE_SPEC.md (v1.99 rev)

Both live in the internal planning tree — not mirrored into this repo.

Test plan

• Go unit tests for update.Preflight + DetectVersions + BuildPlan
• ci-update-canonization.yml runs on this PR (G3-U1..U4)
• Manual lab run: sudo ./bin/nftban-installer --mode=upgrade --dry-run --source --source-dir=\$PWD on Ubuntu 24.04 + AlmaLinux 9
• Review pass on PR-16 spec before un-drafting

Follow-ups

PR	Gate sub-section
PR-17	package-install target detection (G3-U4 deepen)
PR-18	update apply reuses rebuild (G3-U5..U10)
PR-19	update validation (G3-U11..U13)
PR-20	update logging (G3-U15..U17)
PR-21	remove shell update paths + parity gates

🤖 Generated with Claude Code

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	34e114876b0b11c390a56381ad16ebd13914f8d5	🟢 5.7	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-go	d35c59abb061a4a6fb18e82ac0862c26744d6ab5	🟢 5.7	Details Check Score Reason Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/ci-update-canonization.yml