Harden rule health checks

tests/test_integration.sh

@@ -85,10 +85,14 @@ export PERSIST_FIXTURE_LOG
 
 # shellcheck source=lib/common.sh
 source "${ROOT_DIR}/lib/common.sh"
+# shellcheck source=lib/storage.sh
+source "${ROOT_DIR}/lib/storage.sh"
 # shellcheck source=lib/persist.sh
 source "${ROOT_DIR}/lib/persist.sh"
 # shellcheck source=lib/iptables_ops.sh
 source "${ROOT_DIR}/lib/iptables_ops.sh"
+# shellcheck source=lib/rules_mgr.sh
+source "${ROOT_DIR}/lib/rules_mgr.sh"
 
 uuid_v4=$("${ROOT_DIR}/iptables-forward.sh" --batch add tcp 65432 127.0.0.1 22 4 'integration-v4')
 assert_contains "$(iptables-save)" "MGMT:${uuid_v4}" 'IPv4 rule should appear in iptables-save output'
@@ -96,9 +100,19 @@ assert_contains "$("${ROOT_DIR}/iptables-forward.sh" --batch list)" "uuid=${uuid
 assert_file_contains "${PERSIST_RULES_V4}" "MGMT:${uuid_v4}" 'persist save should write IPv4 rules snapshot'
 assert_file_contains "${PERSIST_FIXTURE_LOG}" 'persist-fixture.sh save' 'adding a rule should call persist save'
 
+iptables -t nat -D PREROUTING \
+  -p tcp --dport 65432 \
+  -j DNAT --to-destination 127.0.0.1:22 \
+  -m comment --comment "MGMT:${uuid_v4}"
+list_output=$(cmd_list 0)
+[[ ${list_output} =~ [[:space:]]![[:space:]] ]] || fail 'partial runtime loss should show degraded health in cmd_list'
+
+persist_reload
+list_output=$(cmd_list 0)
+[[ ${list_output} =~ [[:space:]]✓[[:space:]] ]] || fail 'persist_reload should restore healthy status in cmd_list'
+
 ipt_remove_rule "${uuid_v4}" tcp 65432 127.0.0.1 22 4
 assert_status 1 "$(status_of grep -F "MGMT:${uuid_v4}" <(iptables-save))" 'manual runtime removal should clear managed IPv4 rule'
-
 persist_reload
 assert_file_contains "${PERSIST_FIXTURE_LOG}" 'persist-fixture.sh reload' 'persist_reload should call persistence wrapper'
 assert_contains "$(iptables-save)" "MGMT:${uuid_v4}" 'persist_reload should restore IPv4 rule from snapshot'

tests/test_rules_unit.sh

@@ -60,11 +60,22 @@ reset_mock_state() {
 
 reset_mock_state
 uuid_v4=$(cmd_add_batch tcp 8080 127.0.0.1 80 4 'web service')
+line_v4=$(storage_get "${uuid_v4}")
 assert_eq '1' "$(storage_count)" 'cmd_add_batch should persist one rule'
 assert_eq '3' "$(grep -Ec '^iptables ' "${IPTABLES_MOCK_LOG}")" 'tcp/ipv4 add should emit three iptables commands'
-assert_contains "$(storage_get "${uuid_v4}")" "uuid=${uuid_v4}" 'stored line should contain generated uuid'
+assert_contains "${line_v4}" "uuid=${uuid_v4}" 'stored line should contain generated uuid'
 assert_eq '1' "$(grep -Ec 'persist-mock\.sh save' "${PERSIST_MOCK_LOG}")" 'successful add should trigger persist_save'
 assert_contains "$(ipt_find_by_uuid "${uuid_v4}")" "MGMT:${uuid_v4}" 'ipt_find_by_uuid should locate saved mock rules'
+assert_eq '✓' "$(rule_health_mark "${line_v4}")" 'healthy runtime rule should show ok marker'
+
+"${IPTABLES_BIN}" -t nat -D PREROUTING \
+  -p tcp --dport 8080 \
+  -j DNAT --to-destination 127.0.0.1:80 \
+  -m comment --comment "MGMT:${uuid_v4}"
+assert_contains "$(ipt_find_by_uuid "${uuid_v4}")" "MGMT:${uuid_v4}" 'partial runtime loss should still leave uuid-tagged rules'
+assert_eq '!' "$(rule_health_mark "${line_v4}")" 'partial runtime loss should mark rule unhealthy'
+list_output=$(cmd_list 0)
+[[ ${list_output} =~ [[:space:]]![[:space:]] ]] || fail 'cmd_list should expose degraded health marker'
 
 reset_mock_state
 uuid_both=$(cmd_add_batch both 5353 '127.0.0.1,::1' 53 both 'dual stack dns')