{
  "contract_id": "yeffai_pre_installation_ufw_inactive_security_review_contract",
  "version": "v1",
  "created_at": "2026-06-30T16:50:03Z",
  "status": "MISSING",
  "risk_id": "UFW_INACTIVE",
  "severity": "SECURITY_REVIEW_BEFORE_PUBLIC_EXPOSURE",
  "observed": "Status: inactive",
  "source": "/home/yeff/public_html/devon/canon/execution/state/yeffai_post_reboot_readiness_audit_latest.json",
  "remote_mutation_allowed": "NO",
  "installation_command_allowed": "NO",
  "installation_started": "NO",
  "meaning": "UFW is installed but inactive. This does not block local package baseline contracting, but it must be handled before any public service exposure or open network surface.",
  "required_before_public_exposure": [
    "define allowed inbound ports",
    "define SSH safety rule",
    "define service exposure policy",
    "define rollback/recovery if firewall locks access",
    "verify active firewall status after any firewall mutation"
  ],
  "validation_rule": {
    "pass": "PASS only after a dedicated firewall/security contract validates intended exposure.",
    "fail": "FAIL if public services are exposed while firewall review remains unresolved.",
    "missing": "MISSING until firewall/security posture is contracted."
  },
  "failure_rule": "Do not expose public services before security review is resolved.",
  "rollback_rule": "No remote rollback in this contract because it is local review only.",
  "ui_visibility_rule": "Render as security review item tied to baseline decision, not as install blocker."
}
