PR26.5: source-install payload completeness

[itcmsgr]

Summary

Closes the dns2 install-evidence finding (2026-04-30) where --mode=install --source reached StateDegraded with three named assertion failures:

Assertion	Why it failed	Now closed by
systemd_execstart_paths_ok	8 unit ExecStart paths referenced unstaged files	new shell categories + retired-unit removal
systemd_payload_inventory_ok	6 nftban-owned paths referenced but not in inventory	extended defaultInventoryPaths
panel_survival_ok	LoadPanelConfig("directadmin") couldn't find conf.d	new panels staging category

PR26.5 makes the source-install path complete: every shipped systemd unit's ExecStart resolves to a staged file, and every panel's canonical conf.d is staged for panel_loader.LoadPanelConfig.

Scope (operator-locked)

• ✅ source-install payload completeness only
• ❌ no takeover-preservation work (PR26.6)
• ❌ no CSF binary handling (PR26.6)
• ❌ no cPanel/Plesk adapter (PR26.7+)
• ❌ no shell decommission, parser rewrite, restore changes, firewall mutation, destructive dns2 retry

What landed

internal/installer/payload/payload.go::buildEntries

• New shell-payload categories:
  • cli/lib/nftban/exporters/*.sh → /usr/lib/nftban/exporters/
  • cli/lib/nftban/cron/*.sh → /usr/lib/nftban/cron/
  • scripts/*.sh → /usr/lib/nftban/scripts/
  • install/helpers/*.sh → /usr/lib/nftban/helpers/ (joins existing cli/lib/nftban/helpers/)
• New panels category — 8 single-file entries (directadmin, cpanel, plesk, cyberpanel, cwp, interworx, vesta, generic) → /etc/nftban/conf.d/panels/<name>/main.conf (policyConfigNoReplace).

install/systemd/ (retired unit files removed)

• nftban-api.service, nftban-ui.service, nftban-ui-auth.service, nftban-ui-auth.socket — all reference binaries the project no longer builds (retired v1.100.1b.A GOTH PR-D4 stage 1, already removed by packaging on RPM/DEB upgrade). Source-install path now matches.

internal/installer/validate/assertions.go::defaultInventoryPaths

• Extended with the 5 shell-payload destinations referenced by remaining units, so systemd_payload_inventory_ok doesn't false-flag legitimate staged shell payload as "unknown".

Tests (3 new in payload_test.go)

• TestStageAll_AllUnitNftbanOwnedExecStartPathsStaged_PR26_5 — walks every install/systemd/*.service, parses ExecStart, asserts every nftban-owned destination is in mock.WrittenFiles. The dns2 reproducer.
• TestStageAll_AllPanelConfDStaged_PR26_5 — asserts every shipped panel's main.conf reaches /etc/nftban/conf.d/panels/<name>/main.conf.
• TestStageAll_PR26_5_NewShellCategoriesStaged — regression guard pinning the four destinations that failed on dns2 (exporter, cron, scripts, helpers).

Lab proof (lab2, Ubuntu 24.04, go1.22.2)

Branch base: bfe6eac9 (origin/main, post-PR26.4).

go vet ./internal/installer/payload/... ./internal/installer/validate/... ./cmd/nftban-installer/...
  → clean

go test -v ./internal/installer/payload/...
  → all PR26.5 tests PASS; full file PASS

go test ./...
  → 66 packages PASS, 0 FAIL

Staging output during the integration tests:

payload: category=binaries     wrote=4   skipped=0  failed=0
payload: category=cli-bin      wrote=8   skipped=0  failed=0
payload: category=configs      wrote=29  skipped=0  failed=0
payload: category=data         wrote=5   skipped=0  failed=0
payload: category=docs         wrote=1   skipped=1  failed=0
payload: category=logrotate    wrote=2   skipped=0  failed=0
payload: category=panels       wrote=8   skipped=0  failed=0   ← NEW
payload: category=polkit       wrote=3   skipped=0  failed=0
payload: category=shell        wrote=210 skipped=0  failed=0   ← grew (exporters/cron/scripts/install.helpers)
payload: category=systemd      wrote=50  skipped=0  failed=0   ← shrunk by 4 retired units
payload: category=templates    wrote=0   skipped=1  failed=0
payload: category=version      wrote=1   skipped=0  failed=0

Reproducer

The TestStageAll_AllUnitNftbanOwnedExecStartPathsStaged_PR26_5 test would have caught the dns2 finding. Pre-PR26.5, that test fails with:

ExecStart destination not staged: /usr/lib/nftban/exporters/nftban_unified_exporter.sh  (referenced by: nftban-unified-exporter.service)
ExecStart destination not staged: /usr/lib/nftban/cron/maintenance.sh  (referenced by: nftban-maintenance.service)
ExecStart destination not staged: /usr/lib/nftban/scripts/nftban-soak-check.sh  (referenced by: nftban-soak.service)
ExecStart destination not staged: /usr/lib/nftban/helpers/firewall-init-with-delay.sh  (referenced by: nftban-firewall-init.service)
ExecStart destination not staged: /usr/sbin/nftban-api  (referenced by: nftban-api.service)
ExecStart destination not staged: /usr/libexec/nftban-ui-auth  (referenced by: nftban-ui-auth.service)
ExecStart destination not staged: /usr/sbin/nftban-ui  (referenced by: nftban-ui.service)

Post-PR26.5, all green.

Test plan

• go vet clean on lab2
• go test ./internal/installer/payload/... green on lab2 (3 new PR26.5 tests + full file)
• go test ./... green on lab2 (66 packages, 0 fail)
• CI green
• Auditor on-PR review

Followups (NOT in this PR)

• PR26.6 — preserve non-nftban authority assets during takeover (TAKEOVER-PRESERVES-NON-NFTBAN-AUTHORITY-001) — covers nft safety tables, external firewall binaries, config trees, recovery paths
• PR26.7 — cPanel adapter via panel_loader (uses the panels staging now in place)
• PR26.8 — Plesk adapter
• Hygiene — services.EnablePanel legacy "non-fatal" warning alignment (PANEL-ENABLE-LEGACY-WARNING-001)

🤖 Generated with Claude Code

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[itcmsgr]

Auditor option 1 applied — 7062c202

Exact test fixture fix

Added seedStubBuiltBinaries(t, mock, repoRoot) helper in internal/installer/payload/payload_test.go. Populates bin/{nftban-core,nftband,nftban-validate,nftban-installer} with stub byte-strings in the mock so the staging copy-or-skip succeeds on CI runners that lack prebuilt binaries.

Helper called from all 3 PR26.5 tests for environment consistency.

Production code: UNCHANGED

The fix is fixture-only. Diff: internal/installer/payload/payload_test.go +31 lines. No edits to payload.go, assertions.go, buildEntries, defaultInventoryPaths, or any production-side path.

Lab proof — explicit CI-condition reproducer

On lab2 with bin/ deleted (simulates CI runner state):

rm -rf /root/nftban-src/bin
go vet ./internal/installer/payload/...                                 → clean
go test -count=1 -v -run "PR26_5" ./internal/installer/payload/...      → all 3 PASS
go test -count=1 ./...                                                  → 66 packages PASS, 0 FAIL

Pre-fix on the same bin/-deleted state: TestStageAll_AllUnitNftbanOwnedExecStartPathsStaged_PR26_5 failed on /usr/lib/nftban/bin/nftban-core and /usr/lib/nftban/bin/nftband — same failure CI showed. Post-fix: all 3 tests pass.

Test discipline preserved

• Test 1 (the failing one) still asserts every nftban-owned ExecStart from every shipped unit is in mock.WrittenFiles
• /usr/lib/nftban/bin/* paths are NOT filtered out — they remain in the assertion set
• The seed adds source files; the staging contract still has to copy them
• The dns2 reproducer power is preserved: pre-PR26.5 staging table still fails this test (the missing exporter/cron/scripts/helpers entries were the actual bug, not the binary stubs)

Hard exclusions still preserved

• No takeover preservation work
• No CSF binary handling
• No cPanel/Plesk adapters
• No shell decommission
• No parser rewrite
• No restore changes
• No firewall mutation
• No destructive dns2 retry

Status

• ✅ Fix pushed
• 🔄 Awaiting CI on 7062c202
• 🔄 Requesting auditor final GO when CI is green

🤖 Generated with Claude Code