feat: Task 4 — paginated banned-IPs section on jail detail page

Backend:
- Add JailBannedIpsResponse Pydantic model (ban.py)
- Add get_jail_banned_ips() service: server-side pagination, optional
  IP substring search, geo enrichment on page slice only (jail_service.py)
- Add GET /api/jails/{name}/banned endpoint with page/page_size/search
  query params, 400/404/502 error handling (routers/jails.py)
- 23 new tests: 13 service tests + 10 router tests (all passing)

Frontend:
- Add JailBannedIpsResponse TS interface (types/jail.ts)
- Add jailBanned endpoint helper (api/endpoints.ts)
- Add fetchJailBannedIps() API function (api/jails.ts)
- Add BannedIpsSection component: Fluent UI DataGrid, debounced search
  (300 ms), prev/next pagination, page-size dropdown, per-row unban
  button, loading spinner, empty state, error MessageBar (BannedIpsSection.tsx)
- Mount BannedIpsSection in JailDetailPage between stats and patterns
- 12 new Vitest tests for BannedIpsSection (all passing)

backend/app/models/ban.py

@@ -306,3 +306,30 @@ class BansByJailResponse(BaseModel):
         description="Jails ordered by ban count descending.",
     )
     total: int = Field(..., ge=0, description="Total ban count in the selected window.")
+
+
+# ---------------------------------------------------------------------------
+# Jail-specific paginated bans
+# ---------------------------------------------------------------------------
+
+
+class JailBannedIpsResponse(BaseModel):
+    """Paginated response for ``GET /api/jails/{name}/banned``.
+
+    Contains only the current page of active ban entries for a single jail,
+    geo-enriched exclusively for the page slice to avoid rate-limit issues.
+    """
+
+    model_config = ConfigDict(strict=True)
+
+    items: list[ActiveBan] = Field(
+        default_factory=list,
+        description="Active ban entries for the current page.",
+    )
+    total: int = Field(
+        ...,
+        ge=0,
+        description="Total matching entries (after applying the search filter).",
+    )
+    page: int = Field(..., ge=1, description="Current page number (1-based).")
+    page_size: int = Field(..., ge=1, description="Number of items per page.")

backend/app/routers/jails.py

@@ -4,6 +4,7 @@ Provides CRUD and control operations for fail2ban jails:
 
 * ``GET  /api/jails``                     — list all jails
 * ``GET  /api/jails/{name}``              — full detail for one jail
+* ``GET  /api/jails/{name}/banned``       — paginated currently-banned IPs for one jail
 * ``POST /api/jails/{name}/start``        — start a jail
 * ``POST /api/jails/{name}/stop``         — stop a jail
 * ``POST /api/jails/{name}/idle``         — toggle idle mode
@@ -23,6 +24,7 @@ from typing import Annotated
 from fastapi import APIRouter, Body, HTTPException, Path, Request, status
 
 from app.dependencies import AuthDep
+from app.models.ban import JailBannedIpsResponse
 from app.models.jail import (
     IgnoreIpRequest,
     JailCommandResponse,
@@ -540,3 +542,74 @@ async def toggle_ignore_self(
         raise _conflict(str(exc)) from exc
     except Fail2BanConnectionError as exc:
         raise _bad_gateway(exc) from exc
+
+
+# ---------------------------------------------------------------------------
+# Currently banned IPs (paginated)
+# ---------------------------------------------------------------------------
+
+
+@router.get(
+    "/{name}/banned",
+    response_model=JailBannedIpsResponse,
+    summary="Return paginated currently-banned IPs for a single jail",
+)
+async def get_jail_banned_ips(
+    request: Request,
+    _auth: AuthDep,
+    name: _NamePath,
+    page: int = 1,
+    page_size: int = 25,
+    search: str | None = None,
+) -> JailBannedIpsResponse:
+    """Return a paginated list of IPs currently banned by a specific jail.
+
+    The full ban list is fetched from the fail2ban socket, filtered by the
+    optional *search* substring, sliced to the requested page, and then
+    geo-enriched exclusively for that page slice.
+
+    Args:
+        request: Incoming request (used to access ``app.state``).
+        _auth: Validated session — enforces authentication.
+        name: Jail name.
+        page: 1-based page number (default 1, min 1).
+        page_size: Items per page (default 25, max 100).
+        search: Optional case-insensitive substring filter on the IP address.
+
+    Returns:
+        :class:`~app.models.ban.JailBannedIpsResponse` with the paginated bans.
+
+    Raises:
+        HTTPException: 400 when *page* or *page_size* are out of range.
+        HTTPException: 404 when the jail does not exist.
+        HTTPException: 502 when fail2ban is unreachable.
+    """
+    if page < 1:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="page must be >= 1.",
+        )
+    if not (1 <= page_size <= 100):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="page_size must be between 1 and 100.",
+        )
+
+    socket_path: str = request.app.state.settings.fail2ban_socket
+    http_session = getattr(request.app.state, "http_session", None)
+    app_db = getattr(request.app.state, "db", None)
+
+    try:
+        return await jail_service.get_jail_banned_ips(
+            socket_path=socket_path,
+            jail_name=name,
+            page=page,
+            page_size=page_size,
+            search=search,
+            http_session=http_session,
+            app_db=app_db,
+        )
+    except JailNotFoundError:
+        raise _not_found(name) from None
+    except Fail2BanConnectionError as exc:
+        raise _bad_gateway(exc) from exc

backend/app/services/jail_service.py

@@ -18,7 +18,7 @@ from typing import Any
 
 import structlog
 
-from app.models.ban import ActiveBan, ActiveBanListResponse
+from app.models.ban import ActiveBan, ActiveBanListResponse, JailBannedIpsResponse
 from app.models.config import BantimeEscalation
 from app.models.jail import (
     Jail,
@@ -862,6 +862,120 @@ def _parse_ban_entry(entry: str, jail: str) -> ActiveBan | None:
         return None
 
 
+# ---------------------------------------------------------------------------
+# Public API — Jail-specific paginated bans
+# ---------------------------------------------------------------------------
+
+#: Maximum allowed page size for :func:`get_jail_banned_ips`.
+_MAX_PAGE_SIZE: int = 100
+
+
+async def get_jail_banned_ips(
+    socket_path: str,
+    jail_name: str,
+    page: int = 1,
+    page_size: int = 25,
+    search: str | None = None,
+    http_session: Any | None = None,
+    app_db: Any | None = None,
+) -> JailBannedIpsResponse:
+    """Return a paginated list of currently banned IPs for a single jail.
+
+    Fetches the full ban list from the fail2ban socket, applies an optional
+    substring search filter on the IP, paginates server-side, and geo-enriches
+    **only** the current page slice to stay within rate limits.
+
+    Args:
+        socket_path: Path to the fail2ban Unix domain socket.
+        jail_name: Name of the jail to query.
+        page: 1-based page number (default 1).
+        page_size: Items per page; clamped to :data:`_MAX_PAGE_SIZE` (default 25).
+        search: Optional case-insensitive substring filter applied to IP addresses.
+        http_session: Optional shared :class:`aiohttp.ClientSession` for geo
+            enrichment via :func:`~app.services.geo_service.lookup_batch`.
+        app_db: Optional BanGUI application database for persistent geo cache.
+
+    Returns:
+        :class:`~app.models.ban.JailBannedIpsResponse` with the paginated bans.
+
+    Raises:
+        JailNotFoundError: If *jail_name* is not a known active jail.
+        ~app.utils.fail2ban_client.Fail2BanConnectionError: If the socket is
+            unreachable.
+    """
+    from app.services import geo_service  # noqa: PLC0415
+
+    # Clamp page_size to the allowed maximum.
+    page_size = min(page_size, _MAX_PAGE_SIZE)
+
+    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
+
+    # Verify the jail exists.
+    try:
+        _ok(await client.send(["status", jail_name, "short"]))
+    except ValueError as exc:
+        if _is_not_found_error(exc):
+            raise JailNotFoundError(jail_name) from exc
+        raise
+
+    # Fetch the full ban list for this jail.
+    try:
+        raw_result = _ok(await client.send(["get", jail_name, "banip", "--with-time"]))
+    except (ValueError, TypeError):
+        raw_result = []
+
+    ban_list: list[str] = raw_result or []
+
+    # Parse all entries.
+    all_bans: list[ActiveBan] = []
+    for entry in ban_list:
+        ban = _parse_ban_entry(str(entry), jail_name)
+        if ban is not None:
+            all_bans.append(ban)
+
+    # Apply optional substring search filter (case-insensitive).
+    if search:
+        search_lower = search.lower()
+        all_bans = [b for b in all_bans if search_lower in b.ip.lower()]
+
+    total = len(all_bans)
+
+    # Slice the requested page.
+    start = (page - 1) * page_size
+    page_bans = all_bans[start : start + page_size]
+
+    # Geo-enrich only the page slice.
+    if http_session is not None and page_bans:
+        page_ips = [b.ip for b in page_bans]
+        try:
+            geo_map = await geo_service.lookup_batch(page_ips, http_session, db=app_db)
+        except Exception:  # noqa: BLE001
+            log.warning("jail_banned_ips_geo_failed", jail=jail_name)
+            geo_map = {}
+        enriched_page: list[ActiveBan] = []
+        for ban in page_bans:
+            geo = geo_map.get(ban.ip)
+            if geo is not None:
+                enriched_page.append(ban.model_copy(update={"country": geo.country_code}))
+            else:
+                enriched_page.append(ban)
+        page_bans = enriched_page
+
+    log.info(
+        "jail_banned_ips_fetched",
+        jail=jail_name,
+        total=total,
+        page=page,
+        page_size=page_size,
+    )
+    return JailBannedIpsResponse(
+        items=page_bans,
+        total=total,
+        page=page,
+        page_size=page_size,
+    )
+
+
 async def _enrich_bans(
     bans: list[ActiveBan],
     geo_enricher: Any,