chore(v1.100.1b.D2): GOTH docs/repo cleanup — closes the removal track

.github/workflows/build-packages.yml

@@ -93,14 +93,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libpam0g-dev
-
-      - name: Install templ code generator
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
       - name: Build binaries
         run: |
           chmod +x build.sh

.github/workflows/ci-go.yml

@@ -5,16 +5,12 @@
 # Purpose: Go code validation, build verification, and test execution
 #
 # Checks:
-#   - templ code generation (up to date)
 #   - go mod tidy (dependencies clean)
 #   - go vet (semantic analysis)
 #   - go build (all packages + named binaries)
 #   - go test -race (unit + integration tests with race detector)
 #   - Binary verification (ELF type, minimum size)
 #   - CLI structure validation
-#
-# Note: This merges the former go-check + build-verify jobs into one,
-#       eliminating duplicate Go/templ/libpam setup (~1 min saved).
 # =============================================================================
 
 name: Go Build & Test
@@ -43,9 +39,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Cache Go modules
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0
         with:
@@ -55,19 +48,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-go-
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
-      - name: Verify templ generated files are committed
-        run: |
-          git diff --exit-code -- '*_templ.go' || {
-            echo "::error::Generated *_templ.go files are out of date. Run 'templ generate' and commit."
-            exit 1
-          }
-
       # B80-8: Schema drift gate. Regenerate Go schema from canonical shell
       # source and fail if the committed schema_generated.go differs.
       - name: Verify Go schema matches canonical shell schema
@@ -103,9 +83,6 @@ jobs:
         run: |
           mkdir -p bin
           go build -trimpath -o bin/nftban-core ./cmd/nftban-core
-          # nftban-ui + nftban-ui-auth: removed from shipped binary list per
-          # v1.100.1b.A (GOTH PR-D4 stage 1 — stop shipping). Source trees
-          # remain in repo and are still compiled by `go build ./...` above.
           go build -trimpath -o bin/nftband ./cmd/nftband
           go build -trimpath -o bin/nftban-validate ./cmd/nftban-validate
 

.github/workflows/ci-runtime-truth.yml

@@ -87,11 +87,11 @@ jobs:
         run: |
           set -Eeuo pipefail
           mkdir -p bin
-          # templ generation is required for nftban-core but not for validate/installer.
-          # For this gate we only need the binaries on the critical path.
+          # For this gate we only need the binaries on the critical path
+          # (validator + installer). nftban-core/nftband are stubbed below
+          # to keep this job CGO-free.
           go build -trimpath -o bin/nftban-validate ./cmd/nftban-validate/
           go build -trimpath -o bin/nftban-installer ./cmd/nftban-installer/
-          # Minimal nftban-core stub is provided if templ is absent — skip.
           test -x bin/nftban-validate
           test -x bin/nftban-installer
 
@@ -104,7 +104,7 @@ jobs:
                            /usr/lib/nftban/health /etc/nftban /etc/logrotate.d
           sudo cp bin/nftban-validate /usr/lib/nftban/bin/nftban-validate
           sudo cp bin/nftban-installer /usr/lib/nftban/bin/nftban-installer
-          # Stub the Go-backed binaries whose full build requires templ so
+          # Stub the CGO-required binaries (nftban-core + nftband) so
           # VerifyInventory's required-files check passes. We only need
           # existence, not functionality, for the post-install assertion.
           sudo install -m 0755 /bin/true /usr/lib/nftban/bin/nftban-core

.github/workflows/ci-smoke.yml

@@ -43,13 +43,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update -qq
-          sudo apt-get install -y nftables jq libpam0g-dev
-
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
+          sudo apt-get install -y nftables jq
 
       - name: Build CLI binary
         run: go build -trimpath -o bin/nftban-core ./cmd/nftban-core/

.github/workflows/codeql.yml

@@ -50,9 +50,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Cache Go modules
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0
         with:
@@ -62,12 +59,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-go-
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
       - name: Initialize CodeQL
         uses: github/codeql-action/init@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3
         with:

.github/workflows/osv-scanner.yml

@@ -50,9 +50,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update -qq && sudo apt-get install -y libpam0g-dev
-
       - name: Install OSV-Scanner
         run: |
           curl -sSfL https://github.com/google/osv-scanner/releases/download/v2.3.3/osv-scanner_linux_amd64 -o osv-scanner
@@ -62,7 +59,6 @@ jobs:
       - name: Run OSV-Scanner
         run: |
           # Scan go.mod in lockfile mode
-          # Go + libpam0g-dev installed so govulncheck call analysis can compile
           # Config: osv-scanner.toml suppresses stdlib CVEs (patched by Go toolchain)
           # Exit 0 = clean, Exit 1 = vulnerabilities found, Exit 128 = scan error
           ./osv-scanner scan --config=osv-scanner.toml --lockfile=go.mod \

.github/workflows/project-health.yml

@@ -45,15 +45,9 @@ jobs:
       - name: Install linters & tools
         run: |
           sudo apt-get update
-          sudo apt-get install -y shellcheck shfmt yamllint jq devscripts nftables libpam0g-dev
+          sudo apt-get install -y shellcheck shfmt yamllint jq devscripts nftables
           npm i -g markdownlint-cli2@0.17.2
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
       - name: Run health check
         run: .github/ci/health_check.sh
 

.github/workflows/release.yml

@@ -59,9 +59,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Build binaries
         run: |
           chmod +x build.sh
@@ -368,7 +365,6 @@ jobs:
 
           # Copy raw Go binaries that SLSA can't build (require CGO)
           # NOTE: nftban-core is built by SLSA workflow with provenance.
-          # nftban-ui + nftban-ui-auth removed in v1.100.1b.A (GOTH PR-D4 stage 1).
           if [ -d "all-packages" ]; then
             for binary in nftband; do
               if [ -f "all-packages/${binary}" ]; then
@@ -644,7 +640,6 @@ jobs:
         # - verify-release job will: download with retry, verify checksums,
         #   generate final SHA256SUMS, then publish the release
         # NOTE: nftban-core is uploaded by SLSA workflow with provenance.
-        # nftban-ui + nftban-ui-auth removed in v1.100.1b.A (GOTH PR-D4 stage 1).
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           files: |

.github/workflows/secure-go.yml

@@ -54,9 +54,6 @@ jobs:
         with:
           go-version: '1.25'
 
-      - name: Install build dependencies
-        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
-
       - name: Cache Go build
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.3.0
         with:
@@ -66,12 +63,6 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-go-
 
-      - name: Install templ
-        run: go install github.com/a-h/templ/cmd/templ@v0.3.977
-
-      - name: Generate templ files
-        run: $(go env GOPATH)/bin/templ generate
-
       - name: Verify modules tidy
         run: |
           go mod tidy

.github/workflows/slsa-go-releaser.yml

@@ -15,11 +15,6 @@
 # Builds:
 #   - nftban-core (main CLI for firewall operations)
 #
-# NOTE (v1.100.1b.A): nftban-ui + nftban-ui-auth removed from shipped
-# artifact set per GOTH PR-D4 stage 1. SLSA build coverage now scoped
-# to nftban-core only. Source trees for the UI surface remain in repo
-# but are not built or published.
-#
 # COORDINATION: This workflow runs AFTER Release Packages completes to avoid
 # race conditions when uploading assets to the same GitHub release.
 # =============================================================================
@@ -93,7 +88,6 @@ jobs:
   # ============================================================================
   # Job 2: Assemble all artifacts and upload to release
   # ============================================================================
-  # NOTE (v1.100.1b.A): nftban-ui + nftban-ui-auth removed — GOTH PR-D4 stage 1.
   assemble-release:
     name: Assemble Release Artifacts
     needs: [get-tag, build-nftban-core]
@@ -116,10 +110,6 @@ jobs:
           name: ${{ needs.build-nftban-core.outputs.go-provenance-name }}
           path: dist/
 
-      # nftban-ui artifact + provenance downloads removed in v1.100.1b.A
-      # (GOTH PR-D4 stage 1 — stop shipping). nftban-ui no longer built
-      # by SLSA pipeline.
-
       - name: List artifacts
         run: ls -la dist/
 

CHANGELOG.md

@@ -11,6 +11,63 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [Unreleased] - v1.100.1b.D GOTH docs/repo cleanup (closes the removal track)
+
+Final phase of the GOTH/UI removal sequence (A → B → C1 → C2 → **D**). Cleans up the runtime-touching code paths and JSON registries that referenced the retired Web GUI surface, plus obsolete CI workflow steps that no longer have any consumer.
+
+Wiki narrative cleanup was published separately to `nftban.wiki` (commit `39ab975`).
+
+### Removed (operator-impacting)
+
+- **`nftban health gui` health check**: deprecated function `nftban_health_check_gui()` removed entirely from `cli/lib/nftban/core/nftban_health_checks_integrations.sh` along with its dispatcher call site in `nftban_health.sh`. The health check inspected the retired `nftban-ui` binary, service, auth socket, and socket-directory permissions — all of which are gone.
+- **`nftban-ui.service` health snapshot row**: dropped from `nftban_health.sh` `optional_services[]` and `optional_bins[]` arrays. `nftban health` no longer reports a stale "Web GUI not installed" row.
+
+### Removed (files)
+
+- `cli/lib/nftban/exporters/nftban_exporter_gui_cache.sh` — generated UI-only cache files (`traffic_history.json`, `dropped_by_country.json`, `dropped_by_port.json`) that the retired Web GUI consumed. The single sourcing site in `nftban_unified_exporter_collect.sh` is also removed.
+
+### Removed (JSON registries)
+
+- `cli/lib/nftban/data/fhs_directories.json`: dropped `/run/nftban-ui` directory entry.
+- `cli/lib/nftban/data/config-schema.json`: dropped `NFTBAN_UI_BIN`, `NFTBAN_AUTH_BIN`, `NFTBAN_SERVICE_UI` schema entries.
+- `cli/lib/nftban/data/reports-registry.json`: dropped `api` channel entry (depended on `nftban-ui.service`).
+
+### Removed (FHS spec + security check)
+
+- `cli/lib/nftban/core/nftban_fhs_spec.sh`: dropped `/run/nftban-ui` `NFTBAN_FHS_DIRECTORIES` entry.
+- `cli/lib/nftban/core/nftban_health_checks_security.sh`: dropped `nftban-ui.service` from systemd-analyze key-services list.
+
+### Removed (CI workflows — obsolete templ + libpam steps)
+
+After C1+C2 removed all `.templ` files, `_templ.go` generated files, `msteinert/pam/v2` imports, and PAM-using packages, the templ-install and `libpam0g-dev` apt-install steps in CI workflows are pure dead steps (verified: zero `.templ` / `_templ.go` / `"C"` / `msteinert/pam` references remain in tree).
+
+Removed steps from:
+- `.github/workflows/ci-go.yml` — templ install/generate/verify + libpam0g-dev install
+- `.github/workflows/build-packages.yml` — templ install + libpam0g-dev install
+- `.github/workflows/ci-smoke.yml` — templ install/generate + libpam0g-dev (kept nftables, jq)
+- `.github/workflows/codeql.yml` — templ install/generate + libpam0g-dev install
+- `.github/workflows/secure-go.yml` — templ install/generate + libpam0g-dev install
+- `.github/workflows/osv-scanner.yml` — libpam0g-dev install
+- `.github/workflows/project-health.yml` — templ install/generate + libpam0g-dev (kept shellcheck, shfmt, yamllint, jq, devscripts, nftables)
+- `.github/workflows/release.yml` — libpam0g-dev install
+- Decommission comments in `release.yml`, `slsa-go-releaser.yml`, `ci-runtime-truth.yml`
+
+CGO build flags are preserved (still required for nftban-core/nftband transitively).
+
+### Notes
+
+This release closes the GOTH/UI removal track. From this point forward, no shipped binary, no built artifact, no health check, no JSON registry entry, no CI build step, and no wiki page references the retired Web GUI surface in active form. Historical references survive only in the dedicated `archive/` wiki pages and the CHANGELOG entries for stages A → D.
+
+Out of scope (lifecycle completion lane — explicitly **OPEN**):
+- PR-25 restore execution
+- PR-26 verification gate
+- PR-27 logrotate unified config
+- PR-28 missing log rotation
+- PR-29 GeoIP validator freshness
+- PR-30 timer alignment
+
+---
+
 ## [Unreleased] - v1.100.1b.C2 GOTH cross-cutting prune
 
 ### Removed (operator-impacting)

build/fhs-spec.yaml

@@ -746,13 +746,6 @@ directories:
       created_by: tmpfiles
       note: "Managed by tmpfiles only - do not use RuntimeDirectory= in units to avoid conflict"
 
-    - path: /run/nftban-ui
-      mode: "0755"
-      owner: root
-      group: nftban
-      description: "GUI/API runtime socket directory"
-      created_by: tmpfiles
-
   # ---------------------------------------------------------------------------
   # Shared Data (root:root, 755) - Read-only application data
   # ---------------------------------------------------------------------------

cli/lib/nftban/core/nftban_fhs_spec.sh

@@ -148,7 +148,6 @@ nftban_fhs_load_spec() {
     NFTBAN_FHS_DIRECTORIES["/var/cache/nftban"]="0755|nftban|nftban|Cache files"
     NFTBAN_FHS_DIRECTORIES["/var/cache/nftban/health"]="0750|nftban|nftban|Health check status cache"
     NFTBAN_FHS_DIRECTORIES["/run/nftban"]="0755|nftban|nftban|Runtime data (PID files, sockets)"
-    NFTBAN_FHS_DIRECTORIES["/run/nftban-ui"]="0755|root|nftban|GUI/API runtime socket directory"
 
     # Shared Directories
     NFTBAN_FHS_DIRECTORIES["/usr/share/nftban"]="0755|root|root|Shared application data"

cli/lib/nftban/core/nftban_health.sh

@@ -247,13 +247,9 @@ nftban_health_verify_installation() {
     local -a optional_services=(
         "nftban-login-monitor.service"
         "nftban-suricata.service"
-        "nftban-ui.service"
     )
 
-    local -a optional_binaries=(
-        "/usr/lib/nftban/bin/nftban-ui"
-        "/usr/lib/nftban/bin/nftban-ui-auth"
-    )
+    local -a optional_binaries=()
 
     local svc_ok=0
     local svc_missing=0
@@ -309,7 +305,6 @@ nftban_health_verify_installation() {
     # shellcheck disable=SC2034  # Reserved for optional binary checks
     local -a optional_bins=(
         "nftban-core"
-        "nftban-ui"
         "suricata"
     )
 
@@ -548,7 +543,6 @@ nftban_health_check_all() {
     nftban_health_check_portscan_prefix 2>/dev/null || { ((warnings++)) || true; }
     nftban_health_check_v030_helpers 2>/dev/null || true
     nftban_health_check_bash_completion 2>/dev/null || true
-    nftban_health_check_gui 2>/dev/null || true
     nftban_health_check_pro 2>/dev/null || true
 
     # Auto-heal if requested
@@ -636,7 +630,6 @@ export -f nftban_health_check_rbl
 export -f nftban_health_check_botguard
 export -f nftban_health_check_tunnel
 export -f nftban_health_check_timers
-export -f nftban_health_check_gui
 export -f nftban_health_check_fhs
 export -f nftban_health_check_nft_schema
 export -f nftban_health_check_polkit