Complete tasks 1-5: UI cleanup, pie chart fix, log path allowlist, activation hardening

Task 1: Remove ActiveBansSection from JailsPage
- Delete buildBanColumns, fmtTimestamp, ActiveBansSection
- Remove Dialog/Delete/Dismiss imports, ActiveBan type
- Update JSDoc to reflect three sections

Task 2: Remove JailDistributionChart from Dashboard
- Delete import and JSX block from DashboardPage.tsx

Task 3: Fix transparent pie chart (TopCountriesPieChart)
- Add Cell import and per-slice <Cell fill={slice.fill}> children inside <Pie>
- Suppress @typescript-eslint/no-deprecated (recharts v3 types)

Task 4: Allow /config/log as safe log prefix
- Add '/config/log' to _SAFE_LOG_PREFIXES in config_service.py
- Update error message to list both allowed directories

Task 5: Block jail activation on missing filter/logpath
- activate_jail refuses to proceed when filter/logpath issues found
- ActivateJailDialog treats all validation issues as blocking
- Trigger immediate _run_probe after activation in config router
- /api/health now reports fail2ban online/offline from cached probe
- Add TestActivateJailBlocking tests; fix existing tests to mock validation

backend/tests/test_routers/test_config.py

@@ -742,6 +742,32 @@ class TestActivateJail:
         ).post("/api/config/jails/sshd/activate", json={})
         assert resp.status_code == 401
 
+    async def test_200_with_active_false_on_missing_logpath(self, config_client: AsyncClient) -> None:
+        """POST .../activate returns 200 with active=False when the service blocks due to missing logpath."""
+        from app.models.config import JailActivationResponse
+
+        blocked_response = JailActivationResponse(
+            name="airsonic-auth",
+            active=False,
+            fail2ban_running=True,
+            validation_warnings=["logpath: log file '/var/log/airsonic/airsonic.log' not found"],
+            message="Jail 'airsonic-auth' cannot be activated: log file '/var/log/airsonic/airsonic.log' not found",
+        )
+        with patch(
+            "app.routers.config.config_file_service.activate_jail",
+            AsyncMock(return_value=blocked_response),
+        ):
+            resp = await config_client.post(
+                "/api/config/jails/airsonic-auth/activate", json={}
+            )
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["active"] is False
+        assert data["fail2ban_running"] is True
+        assert "cannot be activated" in data["message"]
+        assert len(data["validation_warnings"]) == 1
+
 
 # ---------------------------------------------------------------------------
 # POST /api/config/jails/{name}/deactivate

backend/tests/test_services/test_config_file_service.py

@@ -434,7 +434,7 @@ class TestListInactiveJails:
 class TestActivateJail:
     async def test_activates_known_inactive_jail(self, tmp_path: Path) -> None:
         _write(tmp_path / "jail.conf", JAIL_CONF)
-        from app.models.config import ActivateJailRequest
+        from app.models.config import ActivateJailRequest, JailValidationResult
 
         req = ActivateJailRequest()
         with (
@@ -447,6 +447,10 @@ class TestActivateJail:
                 "app.services.config_file_service._probe_fail2ban_running",
                 new=AsyncMock(return_value=True),
             ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(jail_name="apache-auth", valid=True),
+            ),
         ):
             mock_js.reload_all = AsyncMock()
             result = await activate_jail(str(tmp_path), "/fake.sock", "apache-auth", req)
@@ -492,7 +496,7 @@ class TestActivateJail:
 
     async def test_writes_overrides_to_local_file(self, tmp_path: Path) -> None:
         _write(tmp_path / "jail.conf", JAIL_CONF)
-        from app.models.config import ActivateJailRequest
+        from app.models.config import ActivateJailRequest, JailValidationResult
 
         req = ActivateJailRequest(bantime="2h", maxretry=3)
         with (
@@ -505,6 +509,10 @@ class TestActivateJail:
                 "app.services.config_file_service._probe_fail2ban_running",
                 new=AsyncMock(return_value=True),
             ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(jail_name="apache-auth", valid=True),
+            ),
         ):
             mock_js.reload_all = AsyncMock()
             await activate_jail(str(tmp_path), "/fake.sock", "apache-auth", req)
@@ -2512,7 +2520,7 @@ class TestActivateJailReloadArgs:
     async def test_activate_passes_include_jails(self, tmp_path: Path) -> None:
         """activate_jail must pass include_jails=[name] to reload_all."""
         _write(tmp_path / "jail.conf", JAIL_CONF)
-        from app.models.config import ActivateJailRequest
+        from app.models.config import ActivateJailRequest, JailValidationResult
 
         req = ActivateJailRequest()
         with (
@@ -2525,6 +2533,10 @@ class TestActivateJailReloadArgs:
                 "app.services.config_file_service._probe_fail2ban_running",
                 new=AsyncMock(return_value=True),
             ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(jail_name="apache-auth", valid=True),
+            ),
         ):
             mock_js.reload_all = AsyncMock()
             await activate_jail(str(tmp_path), "/fake.sock", "apache-auth", req)
@@ -2538,7 +2550,7 @@ class TestActivateJailReloadArgs:
     ) -> None:
         """activate_jail returns active=True when the jail appears in post-reload names."""
         _write(tmp_path / "jail.conf", JAIL_CONF)
-        from app.models.config import ActivateJailRequest
+        from app.models.config import ActivateJailRequest, JailValidationResult
 
         req = ActivateJailRequest()
         with (
@@ -2551,6 +2563,10 @@ class TestActivateJailReloadArgs:
                 "app.services.config_file_service._probe_fail2ban_running",
                 new=AsyncMock(return_value=True),
             ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(jail_name="apache-auth", valid=True),
+            ),
         ):
             mock_js.reload_all = AsyncMock()
             result = await activate_jail(
@@ -2570,7 +2586,7 @@ class TestActivateJailReloadArgs:
         start the jail even though the reload command succeeded.
         """
         _write(tmp_path / "jail.conf", JAIL_CONF)
-        from app.models.config import ActivateJailRequest
+        from app.models.config import ActivateJailRequest, JailValidationResult
 
         req = ActivateJailRequest()
         # Pre-reload: jail not running.  Post-reload: still not running (boot failed).
@@ -2585,6 +2601,10 @@ class TestActivateJailReloadArgs:
                 "app.services.config_file_service._probe_fail2ban_running",
                 new=AsyncMock(return_value=True),
             ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(jail_name="apache-auth", valid=True),
+            ),
         ):
             mock_js.reload_all = AsyncMock()
             result = await activate_jail(
@@ -2830,3 +2850,100 @@ class TestRollbackJail:
                 str(tmp_path), "/fake.sock", "../evil", ["fail2ban-client", "start"]
             )
 
+
+# ---------------------------------------------------------------------------
+# activate_jail — blocking on missing filter / logpath (Task 5)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+class TestActivateJailBlocking:
+    """activate_jail must refuse to proceed when validation finds critical issues."""
+
+    async def test_activate_jail_blocked_when_logpath_missing(self, tmp_path: Path) -> None:
+        """activate_jail returns active=False if _validate_jail_config_sync reports a missing logpath."""
+        from app.models.config import ActivateJailRequest, JailValidationIssue, JailValidationResult
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        req = ActivateJailRequest()
+        missing_issue = JailValidationIssue(field="logpath", message="log file '/var/log/missing.log' not found")
+        validation = JailValidationResult(jail_name="apache-auth", valid=False, issues=[missing_issue])
+
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(return_value=set()),
+            ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=validation,
+            ),
+            patch("app.services.config_file_service.jail_service") as mock_js,
+        ):
+            mock_js.reload_all = AsyncMock()
+            result = await activate_jail(str(tmp_path), "/fake.sock", "apache-auth", req)
+
+        assert result.active is False
+        assert result.fail2ban_running is True
+        assert "cannot be activated" in result.message
+        mock_js.reload_all.assert_not_awaited()
+
+    async def test_activate_jail_blocked_when_filter_missing(self, tmp_path: Path) -> None:
+        """activate_jail returns active=False if a filter file is missing."""
+        from app.models.config import ActivateJailRequest, JailValidationIssue, JailValidationResult
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        req = ActivateJailRequest()
+        filter_issue = JailValidationIssue(field="filter", message="filter file 'sshd.conf' not found")
+        validation = JailValidationResult(jail_name="sshd", valid=False, issues=[filter_issue])
+
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(return_value=set()),
+            ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=validation,
+            ),
+            patch("app.services.config_file_service.jail_service") as mock_js,
+        ):
+            mock_js.reload_all = AsyncMock()
+            result = await activate_jail(str(tmp_path), "/fake.sock", "sshd", req)
+
+        assert result.active is False
+        assert result.fail2ban_running is True
+        assert "cannot be activated" in result.message
+        mock_js.reload_all.assert_not_awaited()
+
+    async def test_activate_jail_proceeds_when_only_regex_warnings(self, tmp_path: Path) -> None:
+        """activate_jail proceeds normally when only non-blocking (failregex) warnings exist."""
+        from app.models.config import ActivateJailRequest, JailValidationIssue, JailValidationResult
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        req = ActivateJailRequest()
+        advisory_issue = JailValidationIssue(field="failregex", message="no failregex defined")
+        # valid=True but with a non-blocking advisory issue
+        validation = JailValidationResult(jail_name="apache-auth", valid=True, issues=[advisory_issue])
+
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(side_effect=[set(), {"apache-auth"}]),
+            ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=validation,
+            ),
+            patch("app.services.config_file_service.jail_service") as mock_js,
+            patch(
+                "app.services.config_file_service._probe_fail2ban_running",
+                new=AsyncMock(return_value=True),
+            ),
+        ):
+            mock_js.reload_all = AsyncMock()
+            result = await activate_jail(str(tmp_path), "/fake.sock", "apache-auth", req)
+
+        assert result.active is True
+        mock_js.reload_all.assert_awaited_once()
+