chore(v1.100.1b.D2): GOTH docs/repo cleanup — closes the removal track #503

Merged
itcmsgr merged 4 commits into `main` from `chore/v1.100.1b.D-goth-docs-cleanup`
Apr 27, 2026

itcmsgr commented Apr 26, 2026

Summary

D2 of the locked D1 + D2 split. Final phase of the GOTH/UI removal sequence (A → B → C1 → C2 → D).

D1 (wiki narrative cleanup) was published separately to `nftban.wiki` (commit `39ab975` — direct push, no PR mechanism on wiki).

D2 (this PR) cleans up the runtime-touching code paths and JSON registries that referenced the retired Web GUI surface, plus obsolete CI workflow steps that no longer have any consumer.

Locked principle (per user 2026-04-26):

If a file exists solely for the retired GOTH/UI surface, carveout = delete.
If a file serves mixed responsibilities, carve out only the UI parts.

Commit sequence (3 commits)

| Commit | Subsystem | Net |
|---|---|---|
| `bd17d67f` | cli/lib core (UI health check + FHS spec + GUI cache exporter) | -619 lines |
| `3ff86e41` | cli/lib JSON registries (3 files) | -37 lines |
| `9c25ae2b` | CI workflows + CHANGELOG | +63 / -86 |
| Total | 20 files | -679 lines |

What changed

Operator-impacting

  • `nftban_health_check_gui()` removed entirely (199 lines). `nftban health` no longer reports a stale Web GUI row.
  • `nftban-ui.service` health snapshot row + `/usr/lib/nftban/bin/nftban-ui` binary check: dropped.

Files deleted (existed solely for retired GOTH/UI)

  • `cli/lib/nftban/exporters/nftban_exporter_gui_cache.sh` — generated UI-only cache files for the retired Web GUI. Single sourcing site in `nftban_unified_exporter_collect.sh` is also removed.

JSON registries surgically cleaned

  • `fhs_directories.json`: drop `/run/nftban-ui` entry
  • `config-schema.json`: drop `NFTBAN_UI_BIN`, `NFTBAN_AUTH_BIN`, `NFTBAN_SERVICE_UI` properties
  • `reports-registry.json`: drop `api` channel entry (depended on nftban-ui.service)

FHS spec + security

  • `nftban_fhs_spec.sh`: drop `/run/nftban-ui` FHS directory entry
  • `nftban_health_checks_security.sh`: drop `nftban-ui.service` from systemd-analyze key-services list

CI workflows — obsolete templ + libpam steps removed

After C1+C2 deleted all `.templ` files, `_templ.go` generated files, `msteinert/pam/v2` imports, and PAM-using packages, these steps in CI workflows became pure dead steps. Verified zero `.templ` / `_templ.go` / `"C"` / `msteinert/pam` references remain in tree.

Touched: `ci-go`, `build-packages`, `ci-smoke`, `codeql`, `secure-go`, `osv-scanner`, `project-health`, `release`, `slsa-go-releaser`, `ci-runtime-truth`.

CGO build flags preserved (still required transitively by nftban-core + nftband).

Out of scope (locked)

  • docs/ in main repo — per user lock "we don't keep docs we keep ../wiki", D does not touch docs/. Wiki cleanup was handled in D1 (separate wiki repo).
  • Lifecycle completion lane (PR-25..PR-30): remains explicitly OPEN.

Pre-push verification (lab2)

  • ✅ `go build ./...` clean
  • ✅ `go test ./internal/...` all pass (with etc/ shipped — distroconf tests need it)
  • ✅ `go mod tidy` no-op (md5 match local vs lab2)
  • ✅ `bash -n` clean on all edited shell files
  • ✅ `json.load` clean on all 3 JSON files
  • ✅ `yaml.safe_load` clean on all 10 edited workflow YAMLs

Test plan

  • CI Build & Test (Go) PASS — note: this PR removes the templ-install + libpam0g-dev steps; first run is the smoke test that confirms they were truly obsolete
  • CI Build Docker Image PASS
  • CI Build RPM (el9 + el10) PASS
  • CI Build DEB (debian12/13 + ubuntu22/24) PASS
  • CI Test DEB install × 4 PASS
  • CI Test RPM install × 4 PASS
  • CI CLI Smoke Test PASS
  • CI Runtime Truth × 2 PASS
  • CodeQL, Semgrep, OSV, gosec, govulncheck, Trivy PASS
  • ShellCheck (×2) + Shell Quality + Docs Quality PASS
  • No new red checks vs main

🤖 Generated with Claude Code

itcmsgr and others added 3 commits April 27, 2026 01:00
…entry

Removes the UI/auth health check + FHS spec entries that became orphan
after 1.100.1b.A retired the Web GUI surface.

cli/lib/nftban/core/nftban_health.sh:
  - drop nftban_health_check_gui call site from main check loop
  - drop matching export
  - drop nftban-ui.service from optional_services[]
  - drop /usr/lib/nftban/bin/nftban-ui + nftban-ui-auth from
    optional_binaries[] (now empty array)
  - drop nftban-ui from optional_bins[]

cli/lib/nftban/core/nftban_health_checks_integrations.sh:
  - delete nftban_health_check_gui() function in full (199 lines)
    The function inspected /usr/sbin/nftban-ui binary, GUI service
    state, /run/nftban-ui auth socket dir, /run/nftban-ui/auth.sock,
    nftban-ui-auth.service — every target deleted in earlier C2 work.
  - drop matching export
  - update header purpose comment (drop "gui" from list)

cli/lib/nftban/core/nftban_health_checks_security.sh:
  - drop nftban-ui.service from systemd-analyze key_services list

cli/lib/nftban/core/nftban_fhs_spec.sh:
  - drop /run/nftban-ui from NFTBAN_FHS_DIRECTORIES (was the auth
    socket directory; no longer created by tmpfiles after C2 removed
    the staging entry).

cli/lib/nftban/exporters/:
  - delete nftban_exporter_gui_cache.sh in full — generated UI-only
    cache files (traffic_history.json, dropped_by_country.json,
    dropped_by_port.json) that the retired Web GUI consumed.
  - drop the matching source + generate_gui_cache_files call from
    nftban_unified_exporter_collect.sh (the only sourcing site).

Verified on lab2: go build ./... clean, go test ./internal/... all
pass with etc/ shipped, go mod tidy no-op, bash -n clean on all
edited shell files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Removes registry entries that referenced the retired Web GUI surface.

cli/lib/nftban/data/fhs_directories.json:
  - drop /run/nftban-ui directory entry (the GUI/API runtime socket
    directory; no longer created by any installer/tmpfiles path).

cli/lib/nftban/data/config-schema.json:
  - drop NFTBAN_UI_BIN property
  - drop NFTBAN_AUTH_BIN property
  - drop NFTBAN_SERVICE_UI property

cli/lib/nftban/data/reports-registry.json:
  - drop the "api" channel entry (depended on nftban-ui.service for
    its base_endpoint /api/v1/; no daemon serves this endpoint
    anymore after the Web GUI retirement).

Verified: all 3 JSON files parse clean (json.load).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

After 1.100.1b.B/C1/C2 deleted all .templ files, _templ.go generated
files, msteinert/pam/v2 imports, and PAM-using packages, the
templ-install + libpam0g-dev apt-install steps in CI workflows are
pure dead steps.

Verified: zero .templ / _templ.go / "C" / msteinert/pam references
remain in tree (across cmd/, internal/, pkg/).

Removed steps:
  - ci-go.yml: templ install/generate/verify + libpam0g-dev install
  - build-packages.yml: templ install + libpam0g-dev install
  - ci-smoke.yml: templ install/generate + libpam0g-dev (kept
    nftables, jq)
  - codeql.yml: templ install/generate + libpam0g-dev install
  - secure-go.yml: templ install/generate + libpam0g-dev install
  - osv-scanner.yml: libpam0g-dev install + matching comment
  - project-health.yml: templ install/generate + libpam0g-dev (kept
    shellcheck/shfmt/yamllint/jq/devscripts/nftables)
  - release.yml: libpam0g-dev install + 2 decommission comments
  - slsa-go-releaser.yml: 3 decommission comments
  - ci-runtime-truth.yml: refresh templ-stub comments to reflect
    CGO-required (not templ-required) reasoning

CGO build flags preserved (still required transitively by
nftban-core + nftband; verified by go build ./... on lab2).

Also: CHANGELOG entry under [Unreleased] documenting D as the closing
phase of the GOTH/UI removal track.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions Bot commented Apr 26, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

CI Policy Gates fired on PR #503 because:
- build/fhs-spec.yaml is the source-of-truth that drives
  build/generate-fhs-outputs.sh
- I had manually pre-edited the generated outputs (fhs_directories.json
  and nftban_fhs_spec.sh) to drop /run/nftban-ui, but missed the YAML
  source — so the regenerator was emitting the entry back.
- This commit removes /run/nftban-ui from the YAML and runs the
  regenerator, which also drops the matching tmpfiles directive
  (d /run/nftban-ui 0755 root nftban -).

Net mechanical fallout of 1.100.1b.D2 (parallel to the go mod tidy
convergence fixes on PRs #500 / #501).

After this commit, regenerator output matches committed state
(verified locally: ./build/generate-fhs-outputs.sh is a no-op).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
itcmsgr merged commit cc4cf10 into main Apr 27, 2026
49 checks passed
itcmsgr deleted the chore/v1.100.1b.D-goth-docs-cleanup branch April 27, 2026 15:36
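
The last commit message above describes generated outputs being cleaned by hand while the YAML source still carried `/run/nftban-ui`. The following is an added example (not code from the nftban repository) that scans a tree for leftover references to the retired identifiers named in this PR; the sample file contents and the `/run/nftban` path are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Retired identifiers, all taken from the PR text above.
RETIRED = [
    "nftban-ui", "nftban_health_check_gui", "NFTBAN_UI_BIN",
    "NFTBAN_AUTH_BIN", "NFTBAN_SERVICE_UI", "msteinert/pam",
]
PATTERN = re.compile("|".join(re.escape(token) for token in RETIRED))
# Sources, generated outputs and configs; changelogs are deliberately skipped.
SCANNED_SUFFIXES = {".sh", ".json", ".yaml", ".yml", ".go", ".conf"}


def find_residual_references(root):
    """Return sorted (relative_path, line_no, token) for each retired token found."""
    hits = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES or ".git" in rel.parts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in PATTERN.finditer(line):
                hits.append((rel.as_posix(), line_no, match.group(0)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: both generated outputs cleaned, YAML source missed."""
    files = {
        "build/fhs-spec.yaml": "directories:\n  - path: /run/nftban\n  - path: /run/nftban-ui\n",
        "cli/lib/nftban/data/fhs_directories.json": '{"directories": ["/run/nftban"]}\n',
        "cli/lib/nftban/core/nftban_fhs_spec.sh": 'NFTBAN_FHS_DIRECTORIES=("/run/nftban")\n',
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def demo():
    """Scan the constructed tree; only the missed YAML source should be reported."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_residual_references(root)


if __name__ == "__main__":
    for rel, line_no, token in demo():
        print(f"{rel}:{line_no}: residual reference to {token}")
```

Running a scan like this over source-of-truth files as well as generated ones surfaces the mismatch before a regenerator re-emits the retired entry.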