feat(v1.100 PR-26): code-A target-specific restore verification predicate

cmd/nftban-installer/restore_decide.go

@@ -274,7 +274,22 @@ func runRestoreExecutionFromProceed(
 	// values come from the PR-24 path the planner already used —
 	// the dispatcher does NOT re-probe or re-detect them, per
 	// INV-PR25-AUTHORITY-IMMUTABILITY (§17.3) + §33 E.7.
-	deps := newRestoreDeps(exec, log, priorRec, panel)
+	//
+	// PR-26-code-A: also resolve firewallType from the target so the
+	// inline-verify dep's safety predicate is target-specific (§51.3
+	// Option B + §51.4 firewallType plumbing). For Kind=RecordedPrior
+	// the value is on the TargetAuthority directly; for Kind=PanelNative
+	// the value comes from the static §20 panel mapping
+	// (restore.ResolvePanelFirewall). No precomputed targetUnit drift
+	// — we pass the raw firewallType identity.
+	resolvedFirewallType, ftErr := resolveFirewallTypeForDeps(target)
+	if ftErr != nil {
+		log.Error("restore execute: firewallType resolution failed: %v", ftErr)
+		_ = sf.Transition(state.StateRestoreFailedExecution, state.PhaseDetect, ftErr.Error())
+		log.Result("[NFTBan] restore execution: FAILED at firewallType resolution — %s", ftErr.Error())
+		return sf.State.ExitCode()
+	}
+	deps := newRestoreDeps(exec, log, priorRec, panel, resolvedFirewallType)
 
 	// Step C — Execute the §23 six-step sequence.
 	execRes := restore.Execute(ctx, target, deps)
@@ -302,3 +317,4 @@ func runRestoreExecutionFromProceed(
 
 	return sf.State.ExitCode()
 }
+

cmd/nftban-installer/restore_decide_test.go

@@ -349,6 +349,7 @@ func withFakeDeps(t *testing.T, fake *fakeDispatcherDeps) {
 		_ *logging.Logger,
 		_ *uninstall.PriorRecord,
 		_ detect.PanelType,
+		_ string, // PR-26-code-A: firewallType plumbing — fakes ignore it.
 	) restore.ExecuteDeps {
 		return restore.ExecuteDeps{
 			Preflight:    fake,
@@ -575,10 +576,11 @@ func readSelfRestoreDecide() (string, error) {
 // recordingFactoryCall captures one call to the deps factory so tests
 // can assert exactly which evidence reached it.
 type recordingFactoryCall struct {
-	exec     executor.Executor
-	log      *logging.Logger
-	priorRec *uninstall.PriorRecord
-	panel    detect.PanelType
+	exec         executor.Executor
+	log          *logging.Logger
+	priorRec     *uninstall.PriorRecord
+	panel        detect.PanelType
+	firewallType string // PR-26-code-A: §51.4 plumbing
 }
 
 // withFakeDepsRecordingEvidence swaps newRestoreDeps with a factory
@@ -594,12 +596,14 @@ func withFakeDepsRecordingEvidence(t *testing.T, fake *fakeDispatcherDeps) *[]re
 		log *logging.Logger,
 		priorRec *uninstall.PriorRecord,
 		panel detect.PanelType,
+		firewallType string,
 	) restore.ExecuteDeps {
 		calls = append(calls, recordingFactoryCall{
-			exec:     exec,
-			log:      log,
-			priorRec: priorRec,
-			panel:    panel,
+			exec:         exec,
+			log:          log,
+			priorRec:     priorRec,
+			panel:        panel,
+			firewallType: firewallType,
 		})
 		return restore.ExecuteDeps{
 			Preflight:    fake,