release script

Task 2: rename 'Failures:' label to 'Failed Attempts:' and update tooltip
to 'Total failed authentication attempts currently tracked by fail2ban
across all active jails' — more accurate than 'Currently failing IPs'.

Task 3: move <ServerHealthSection /> to the top of ServerTab so users
see connectivity status before scrolling through all settings fields.

.gitignore

@@ -105,6 +105,7 @@ Docker/fail2ban-dev-config/**
 !Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-sim.conf
 !Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-access.conf
 !Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf
+!Docker/fail2ban-dev-config/fail2ban/jail.local
 
 # ── Misc ──────────────────────────────────────
 *.log

Docker/Dockerfile.backend

@@ -10,7 +10,7 @@
 # ──────────────────────────────────────────────────────────────
 
 # ── Stage 1: build dependencies ──────────────────────────────
-FROM python:3.12-slim AS builder
+FROM docker.io/library/python:3.12-slim AS builder
 
 WORKDIR /build
 
@@ -28,7 +28,7 @@ RUN pip install --no-cache-dir --upgrade pip \
     && pip install --no-cache-dir .
 
 # ── Stage 2: runtime image ───────────────────────────────────
-FROM python:3.12-slim AS runtime
+FROM docker.io/library/python:3.12-slim AS runtime
 
 LABEL maintainer="BanGUI" \
       description="BanGUI backend — fail2ban web management API"

Docker/Dockerfile.frontend

@@ -10,7 +10,7 @@
 # ──────────────────────────────────────────────────────────────
 
 # ── Stage 1: install & build ─────────────────────────────────
-FROM node:22-alpine AS builder
+FROM docker.io/library/node:22-alpine AS builder
 
 WORKDIR /build
 
@@ -23,7 +23,7 @@ COPY frontend/ /build/
 RUN npm run build
 
 # ── Stage 2: serve with nginx ────────────────────────────────
-FROM nginx:1.27-alpine AS runtime
+FROM docker.io/library/nginx:1.27-alpine AS runtime
 
 LABEL maintainer="BanGUI" \
       description="BanGUI frontend — fail2ban web management UI"

Docker/VERSION

@@ -0,0 +1 @@
+v0.9.4

Docker/check_ban_status.sh

@@ -2,7 +2,7 @@
 # ──────────────────────────────────────────────────────────────
 #  check_ban_status.sh
 #
-#  Queries the bangui-sim jail inside the running fail2ban
+#  Queries the manual-Jail jail inside the running fail2ban
 #  container and optionally unbans a specific IP.
 #
 #  Usage:
@@ -17,7 +17,7 @@
 set -euo pipefail
 
 readonly CONTAINER="bangui-fail2ban-dev"
-readonly JAIL="bangui-sim"
+readonly JAIL="manual-Jail"
 
 # ── Helper: run a fail2ban-client command inside the container ─
 f2b() {

Docker/compose.prod.yml

@@ -37,6 +37,11 @@ services:
       timeout: 5s
       start_period: 15s
       retries: 3
+    # NOTE: The fail2ban-config volume must be pre-populated with the following files:
+    #   • fail2ban/jail.conf (or jail.d/*.conf) with the DEFAULT section containing:
+    #     banaction = iptables-allports[lockingopt="-w 5"]
+    #   This prevents xtables lock contention errors when multiple jails start in parallel.
+    #   See https://fail2ban.readthedocs.io/en/latest/development/environment.html
 
   # ── Backend (FastAPI + uvicorn) ─────────────────────────────
   backend:

Docker/docker-compose.yml

@@ -0,0 +1,73 @@
+version: '3.8'
+services:
+  fail2ban:
+    image: lscr.io/linuxserver/fail2ban:latest
+    container_name: fail2ban
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    network_mode: host
+    environment:
+      - PUID=1011
+      - PGID=1001
+      - TZ=Etc/UTC
+      - VERBOSITY=-vv #optional
+      
+    volumes:
+      - /server/server_fail2ban/config:/config
+      - /server/server_fail2ban/fail2ban-run:/var/run/fail2ban
+      - /var/log:/var/log
+      - /server/server_nextcloud/config/nextcloud.log:/remotelogs/nextcloud/nextcloud.log:ro #optional
+      - /server/server_nginx/data/logs:/remotelogs/nginx:ro #optional
+      - /server/server_gitea/log/gitea.log:/remotelogs/gitea/gitea.log:ro #optional
+      
+
+      #- /path/to/homeassistant/log:/remotelogs/homeassistant:ro #optional
+      #- /path/to/unificontroller/log:/remotelogs/unificontroller:ro #optional
+      #- /path/to/vaultwarden/log:/remotelogs/vaultwarden:ro #optional
+    restart: unless-stopped
+
+  backend:
+      image: git.lpl-mind.de/lukas.pupkalipinski/bangui/backend:latest
+      container_name: bangui-backend
+      restart: unless-stopped
+      depends_on:
+        fail2ban:
+          condition: service_started
+      environment:
+        - PUID=1011
+        - PGID=1001
+        - BANGUI_DATABASE_PATH=/data/bangui.db
+        - BANGUI_FAIL2BAN_SOCKET=/var/run/fail2ban/fail2ban.sock
+        - BANGUI_FAIL2BAN_CONFIG_DIR=/config/fail2ban
+        - BANGUI_LOG_LEVEL=info
+        - BANGUI_SESSION_SECRET=${BANGUI_SESSION_SECRET:?Set BANGUI_SESSION_SECRET}
+        - BANGUI_TIMEZONE=${BANGUI_TIMEZONE:-UTC}
+      volumes:
+        - /server/server_fail2ban/bangui-data:/data
+        - /server/server_fail2ban/fail2ban-run:/var/run/fail2ban:ro
+        - /server/server_fail2ban/config:/config:rw
+      expose:
+        - "8000"
+      networks:
+        - bangui-net
+  
+    # ── Frontend (nginx serving built SPA + API proxy) ──────────
+  frontend:
+    image: git.lpl-mind.de/lukas.pupkalipinski/bangui/frontend:latest
+    container_name: bangui-frontend
+    restart: unless-stopped
+    environment:
+      - PUID=1011
+      - PGID=1001
+    ports:
+      - "${BANGUI_PORT:-8080}:80"
+    depends_on:
+      backend:
+        condition: service_started
+    networks:
+      - bangui-net
+  
+networks:
+  bangui-net:
+    name: bangui-net

Docker/fail2ban-dev-config/README.md

@@ -2,7 +2,7 @@
 
 This directory contains the fail2ban configuration and supporting scripts for a
 self-contained development test environment. A simulation script writes fake
-authentication-failure log lines, fail2ban detects them via the `bangui-sim`
+authentication-failure log lines, fail2ban detects them via the `manual-Jail`
 jail, and bans the offending IP — giving a fully reproducible ban/unban cycle
 without a real service.
 
@@ -71,14 +71,14 @@ Chains steps 1–3 automatically with appropriate sleep intervals.
 
 | File | Purpose |
 |------|---------|
-| `fail2ban/filter.d/bangui-sim.conf` | Defines the `failregex` that matches simulation log lines |
-| `fail2ban/jail.d/bangui-sim.conf` | Jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
+| `fail2ban/filter.d/manual-Jail.conf` | Defines the `failregex` that matches simulation log lines |
+| `fail2ban/jail.d/manual-Jail.conf` | Jail settings: `maxretry=3`, `bantime=60s`, `findtime=120s` |
 | `Docker/logs/auth.log` | Log file written by the simulation script (host path) |
 
 Inside the container the log file is mounted at `/remotelogs/bangui/auth.log`
 (see `fail2ban/paths-lsio.conf` — `remote_logs_path = /remotelogs`).
 
-To change sensitivity, edit `fail2ban/jail.d/bangui-sim.conf`:
+To change sensitivity, edit `fail2ban/jail.d/manual-Jail.conf`:
 
 ```ini
 maxretry = 3    # failures before a ban
@@ -108,14 +108,14 @@ Test the regex manually:
 
 ```bash
 docker exec bangui-fail2ban-dev \
-    fail2ban-regex /remotelogs/bangui/auth.log bangui-sim
+    fail2ban-regex /remotelogs/bangui/auth.log manual-Jail
 ```
 
 The output should show matched lines. If nothing matches, check that the log
 lines match the corresponding `failregex` pattern:
 
 ```
-# bangui-sim (auth log):
+# manual-Jail (auth log):
 YYYY-MM-DD HH:MM:SS bangui-auth: authentication failure from <IP>
 ```
 
@@ -132,7 +132,7 @@ sudo modprobe ip_tables
 ### IP not banned despite enough failures
 
 Check whether the source IP falls inside the `ignoreip` range defined in
-`fail2ban/jail.d/bangui-sim.conf`:
+`fail2ban/jail.d/manual-Jail.conf`:
 
 ```ini
 ignoreip = 127.0.0.0/8 ::1 172.16.0.0/12

Docker/fail2ban-dev-config/fail2ban/filter.d/manual-Jail.conf

@@ -3,6 +3,7 @@
 #
 #  Matches lines written by Docker/simulate_failed_logins.sh
 #  Format: <timestamp> bangui-auth: authentication failure from <HOST>
+#  Jail: manual-Jail
 # ──────────────────────────────────────────────────────────────
 
 [Definition]

Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf

@@ -20,7 +20,6 @@ maxretry   = 1
 findtime   = 1d
 # Block imported IPs for one week.
 bantime    = 1w
-banaction  = iptables-allports
 
 # Never ban the Docker bridge network or localhost.
 ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12

Docker/fail2ban-dev-config/fail2ban/jail.d/manual-Jail.conf

@@ -5,16 +5,15 @@
 #  for lines produced by Docker/simulate_failed_logins.sh.
 # ──────────────────────────────────────────────────────────────
 
-[bangui-sim]
+[manual-Jail]
 
 enabled    = true
-filter     = bangui-sim
+filter     = manual-Jail
 logpath    = /remotelogs/bangui/auth.log
 backend    = polling
 maxretry   = 3
 findtime   = 120
 bantime    = 60
-banaction  = iptables-allports
 
 # Never ban localhost, the Docker bridge network, or the host machine.
 ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12

Docker/fail2ban-dev-config/fail2ban/jail.local

@@ -0,0 +1,6 @@
+# Local overrides — not overwritten by the container init script.
+# Provides banaction so all jails can resolve %(action_)s interpolation.
+
+[DEFAULT]
+banaction = iptables-multiport
+banaction_allports = iptables-allports

Docker/release.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+#
+# Bump the project version and push images to the registry.
+#
+# Usage:
+#   ./release.sh
+#
+# The current version is stored in VERSION (next to this script).
+# You will be asked whether to bump major, minor, or patch.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+VERSION_FILE="${SCRIPT_DIR}/VERSION"
+
+# ---------------------------------------------------------------------------
+# Read current version
+# ---------------------------------------------------------------------------
+if [[ ! -f "${VERSION_FILE}" ]]; then
+    echo "0.0.0" > "${VERSION_FILE}"
+fi
+
+CURRENT="$(cat "${VERSION_FILE}")"
+# Strip leading 'v' for arithmetic
+VERSION="${CURRENT#v}"
+
+IFS='.' read -r MAJOR MINOR PATCH <<< "${VERSION}"
+
+echo "============================================"
+echo " BanGUI — Release"
+echo " Current version: v${MAJOR}.${MINOR}.${PATCH}"
+echo "============================================"
+echo ""
+echo "How would you like to bump the version?"
+echo "  1) patch  (v${MAJOR}.${MINOR}.${PATCH} → v${MAJOR}.${MINOR}.$((PATCH + 1)))"
+echo "  2) minor  (v${MAJOR}.${MINOR}.${PATCH} → v${MAJOR}.$((MINOR + 1)).0)"
+echo "  3) major  (v${MAJOR}.${MINOR}.${PATCH} → v$((MAJOR + 1)).0.0)"
+echo ""
+read -rp "Enter choice [1/2/3]: " CHOICE
+
+case "${CHOICE}" in
+    1) NEW_TAG="v${MAJOR}.${MINOR}.$((PATCH + 1))" ;;
+    2) NEW_TAG="v${MAJOR}.$((MINOR + 1)).0" ;;
+    3) NEW_TAG="v$((MAJOR + 1)).0.0" ;;
+    *)
+        echo "Invalid choice. Aborting." >&2
+        exit 1
+        ;;
+esac
+
+echo ""
+echo "New version: ${NEW_TAG}"
+read -rp "Confirm? [y/N]: " CONFIRM
+if [[ ! "${CONFIRM}" =~ ^[yY]$ ]]; then
+    echo "Aborted."
+    exit 0
+fi
+
+# ---------------------------------------------------------------------------
+# Write new version
+# ---------------------------------------------------------------------------
+echo "${NEW_TAG}" > "${VERSION_FILE}"
+echo "Version file updated → ${VERSION_FILE}"
+
+# Keep frontend/package.json in sync so __APP_VERSION__ matches Docker/VERSION.
+FRONT_VERSION="${NEW_TAG#v}"
+FRONT_PKG="${SCRIPT_DIR}/../frontend/package.json"
+sed -i "s/\"version\": \"[^\"]*\"/\"version\": \"${FRONT_VERSION}\"/" "${FRONT_PKG}"
+echo "frontend/package.json version updated → ${FRONT_VERSION}"
+
+# ---------------------------------------------------------------------------
+# Git tag
+# ---------------------------------------------------------------------------
+cd "${SCRIPT_DIR}/.."
+git add Docker/VERSION frontend/package.json
+git commit -m "chore: release ${NEW_TAG}"
+git tag -a "${NEW_TAG}" -m "Release ${NEW_TAG}"
+git push origin HEAD
+git push origin "${NEW_TAG}"
+echo "Git tag ${NEW_TAG} created and pushed."
+
+# ---------------------------------------------------------------------------
+# Push
+# ---------------------------------------------------------------------------
+bash "${SCRIPT_DIR}/push.sh" "${NEW_TAG}"
+bash "${SCRIPT_DIR}/push.sh"

Docker/simulate_failed_logins.sh

@@ -3,7 +3,7 @@
 #  simulate_failed_logins.sh
 #
 #  Writes synthetic authentication-failure log lines to a file
-#  that matches the bangui-sim fail2ban filter.
+#  that matches the manual-Jail fail2ban filter.
 #
 #  Usage:
 #    bash Docker/simulate_failed_logins.sh [COUNT] [SOURCE_IP] [LOG_FILE]
@@ -13,7 +13,7 @@
 #    SOURCE_IP: 192.168.100.99
 #    LOG_FILE : Docker/logs/auth.log       (relative to repo root)
 #
-#  Log line format (must match bangui-sim failregex exactly):
+#  Log line format (must match manual-Jail failregex exactly):
 #    YYYY-MM-DD HH:MM:SS bangui-auth: authentication failure from <IP>
 # ──────────────────────────────────────────────────────────────
 

Docs/Tasks.md

@@ -4,97 +4,56 @@ This document breaks the entire BanGUI project into development stages, ordered
 
 ---
 
-## Task 1 — Move "Configuration" to the Last Position in the Sidebar ✅ DONE
+## Open Issues
 
-**Summary:** Moved the `Configuration` entry in `NAV_ITEMS` to the last position in `frontend/src/layouts/MainLayout.tsx`.
+### ~~1. Dashboard — Version Tag Mismatch~~ ✅ Done
 
-**File:** `frontend/src/layouts/MainLayout.tsx`
+**Implemented:**
+- `frontend/vite.config.ts`: reads `package.json#version` at build time and injects it as the global `__APP_VERSION__` via Vite `define`.
+- `frontend/src/vite-env.d.ts`: adds `declare const __APP_VERSION__: string` so TypeScript knows about the global.
+- `frontend/src/layouts/MainLayout.tsx`: renders `BanGUI v{__APP_VERSION__}` in the sidebar footer when expanded (hidden when collapsed).
+- `frontend/src/components/ServerStatusBar.tsx`: tooltip changed from `"fail2ban version"` to `"fail2ban daemon version"`.
+- `Docker/release.sh`: after bumping `VERSION`, also updates `frontend/package.json#version` via `sed` to keep them in sync.
+- `frontend/package.json`: version bumped from `0.9.0` to `0.9.3` to match `Docker/VERSION`.
+- Tests added: `src/components/__tests__/ServerStatusBar.test.tsx`, `src/layouts/__tests__/MainLayout.test.tsx`.
 
-The `NAV_ITEMS` array (around line 183) defines the sidebar menu order. Currently the order is: Dashboard, World Map, Jails, **Configuration**, History, Blocklists. Move the Configuration entry so it is the **last** element in the array. The resulting order must be:
+**Problem:** The `ServerStatusBar` component on the Dashboard displays `v{status.version}`, which is the **fail2ban daemon version** (e.g. `v1.1.0`). The BanGUI application version lives in `Docker/VERSION` (e.g. `v0.9.3`) and is unrelated to the fail2ban version. Users see a version number they don't recognise and assume it reflects the BanGUI release.
 
-1. Dashboard
-2. World Map
-3. Jails
-4. History
-5. Blocklists
-6. Configuration
+**Goal:** Make the distinction clear and expose the BanGUI application version.
 
-Only the position in the array changes. Do not modify the label, path, or icon of any item.
+**Suggested approach:**
+1. Inject the BanGUI app version at build time — add a `define` entry in `frontend/vite.config.ts` that reads the `version` field from `frontend/package.json` (e.g. `__APP_VERSION__`). Keep `frontend/package.json` and `Docker/VERSION` in sync (update the release script `Docker/release.sh` or `Makefile` to write `package.json#version` from `VERSION`).
+2. Show the BanGUI version in the sidebar footer inside `MainLayout.tsx` (collapsed view: show only when expanded, or via tooltip). This is the natural place for an "about" version tag.
+3. Update the fail2ban version tooltip in `ServerStatusBar.tsx` from the generic `"fail2ban version"` to something like `"fail2ban daemon version"` so the two are no longer visually indistinguishable.
+
+**Files:** `frontend/vite.config.ts`, `frontend/package.json`, `Docker/VERSION`, `Docker/release.sh`, `frontend/src/layouts/MainLayout.tsx`, `frontend/src/components/ServerStatusBar.tsx`.
 
 ---
 
-## Task 2 — Auto-Recovery When Jail Activation Fails ✅ DONE
+### ~~2. Dashboard — Improve "Failures" Tooltip~~ ✅ Done
 
-**Summary:** Added `recovered: bool | None` field to `JailActivationResponse` model. Implemented `_restore_local_file_sync` and `_rollback_activation_async` helpers. Updated `activate_jail` to back up the original `.local` file, roll back on any post-write failure (reload error, health-check failure, or jail not starting), and return `recovered=True/False`. Updated `ActivateJailDialog.tsx` to show warning/critical banners based on the `recovered` field. Added 3 new backend tests covering all rollback scenarios.
+**Implemented:** In `frontend/src/components/ServerStatusBar.tsx`, changed the `Failures:` label to `Failed Attempts:` and updated the tooltip from `"Currently failing IPs"` to `"Total failed authentication attempts currently tracked by fail2ban across all active jails"`. Updated `ServerStatusBar.test.tsx` to assert the new label text.
 
-**Context:** When a user activates a jail via `POST /api/config/jails/{name}/activate`, the backend writes `enabled = true` to `jail.d/{name}.local` and then reloads fail2ban. If the new configuration is invalid or the server crashes after reload, fail2ban stays broken and all jails go offline. The system must automatically recover by rolling back the change and restarting fail2ban.
+**Problem:** The `ServerStatusBar` shows a "Failures: 42" counter with the tooltip `"Currently failing IPs"`. In fail2ban terminology *failures* are individual **failed authentication attempts** tracked in the fail2ban DB, not the number of unique IPs that failed. The current wording is ambiguous and misleading — users may think it means broken connections or error states.
 
-### Backend Changes
+**Goal:** Replace the tooltip with accurate, self-explanatory wording.
 
-**File:** `backend/app/services/config_file_service.py` — `activate_jail()` method (around line 1086)
+**Suggested fix:** Change the `Tooltip` content for the Failures stat in `ServerStatusBar.tsx` from `"Currently failing IPs"` to something like `"Total failed authentication attempts currently tracked by fail2ban across all active jails"`. Additionally, consider renaming the label from `"Failures:"` to `"Failed Attempts:"` to match the tooltip language.
 
-Wrap the reload-and-verify sequence in error handling that performs a rollback on failure:
-
-1. **Before writing** the `.local` override file, check whether a `.local` file for that jail already exists. If it does, read and keep its content in memory as a backup. If it does not exist, remember that no file existed.
-2. **Write** the override file with `enabled = true` (existing logic).
-3. **Reload** fail2ban via `jail_service.reload_all()` (existing logic).
-4. **Health-check / verify** that fail2ban is responsive and the jail appears in the active list (existing logic).
-5. **If any step after the write fails** (reload error, health-check timeout, jail not appearing):
-   - **Rollback the config**: restore the original `.local` file content (or delete the file if it did not exist before).
-   - **Restart fail2ban**: call `jail_service.reload_all()` again so fail2ban recovers with the old configuration.
-   - **Health-check again** to confirm fail2ban is back.
-   - Return an appropriate error response (HTTP 502 or 500) with a message that explains the activation failed **and** the system was recovered. Include a field `recovered: true` in the JSON body so the frontend can display a recovery notice.
-6. If rollback itself fails, return an error with `recovered: false` so the frontend can display a critical alert.
-
-**File:** `backend/app/routers/config.py` — `activate_jail` endpoint (around line 584)
-
-Propagate the `recovered` field in the error response. No extra logic is needed in the router if the service already raises an appropriate exception or returns a result object with the recovery status.
-
-### Frontend Changes
-
-**File:** `frontend/src/components/config/JailsTab.tsx` (or wherever the activate mutation result is handled)
-
-When the activation API call returns an error:
-- If `recovered` is `true`, show a warning banner/toast: *"Activation of jail '{name}' failed. The server has been automatically recovered."*
-- If `recovered` is `false`, show a critical error banner/toast: *"Activation of jail '{name}' failed and automatic recovery was unsuccessful. Manual intervention is required."*
-
-### Tests
-
-Add or extend tests in `backend/tests/test_services/test_config_file_service.py`:
-
-- **test_activate_jail_rollback_on_reload_failure**: Mock `jail_service.reload_all()` to raise on the first call (activation reload) and succeed on the second call (recovery reload). Assert the `.local` file is restored to its original content and the response indicates `recovered: true`.
-- **test_activate_jail_rollback_on_health_check_failure**: Mock the health check to fail after reload. Assert rollback and recovery.
-- **test_activate_jail_rollback_failure**: Mock both the activation reload and the recovery reload to fail. Assert the response indicates `recovered: false`.
+**Files:** `frontend/src/components/ServerStatusBar.tsx`.
 
 ---
 
-## Task 3 — Match Pie Chart Slice Colors to Country Label Font Colors ✅ DONE
+### ~~3. Config → Server Tab — Move "Service Health" to Top~~ ✅ Done
 
-**Summary:** Updated `legendFormatter` in `TopCountriesPieChart.tsx` to return `React.ReactNode` instead of `string`, using `<span style={{ color: entry.color }}>` to colour each legend label to match its pie slice. Imported `LegendPayload` from `recharts/types/component/DefaultLegendContent`.
+**Implemented:** In `frontend/src/components/config/ServerTab.tsx`, moved `<ServerHealthSection />` from the end of the JSX return to be the first element rendered inside the tab container, before all settings fields.
 
-**Context:** The dashboard's Top Countries pie chart (`frontend/src/components/TopCountriesPieChart.tsx`) uses a color palette from `frontend/src/utils/chartTheme.ts` for the pie slices. The country names displayed in the legend next to the chart currently use the default text color. They should instead use the **same color as their corresponding pie slice**.
+**Problem:** In the Config page → Server tab, the `Service Health` panel (`ServerHealthSection`) is rendered at the bottom of the tab, after all settings sections (log level, log target, DB purge settings, map thresholds, reload/restart buttons). This means users must scroll past all editable fields to check service connectivity status, even though the health status is the most critical piece of context — it indicates whether the server is reachable at all.
 
-### Changes
+**Goal:** Move the `<ServerHealthSection />` block to the **top** of the `ServerTab` render output, before any settings fields.
 
-**File:** `frontend/src/components/TopCountriesPieChart.tsx`
+**Suggested fix:** In `frontend/src/components/config/ServerTab.tsx`, move the `{/* Service Health & Log Viewer section */}` block (currently at the end of the JSX return around line 415) to be the first section rendered inside the tab container.
 
-In the `<Legend>` component (rendered by Recharts), the `formatter` prop already receives the legend entry value. Apply a custom renderer so each country name is rendered with its matching slice color as the **font color**. The Recharts `<Legend>` accepts a `formatter` function whose second argument is the entry object containing the `color` property. Use that color to wrap the text in a `<span>` with `style={{ color: entry.color }}`. Example:
-
-```tsx
-formatter={(value: string, entry: LegendPayload) => {
-  const slice = slices.find((s) => s.name === value);
-  if (slice == null || total === 0) return value;
-  const pct = ((slice.value / total) * 100).toFixed(1);
-  return (
-    <span style={{ color: entry.color }}>
-      {value} ({pct}%)
-    </span>
-  );
-}}
-```
-
-Make sure the `formatter` return type is `ReactNode` (not `string`). Import the Recharts `Payload` type if needed: `import type { Payload } from "recharts/types/component/DefaultLegendContent"` . Adjust the import path to match the Recharts version in the project.
-
-Do **not** change the pie slice colors themselves — only the country label font color must match the slice it corresponds to.
+**Files:** `frontend/src/components/config/ServerTab.tsx`.
 
 ---

backend/app/config.py

@@ -85,4 +85,4 @@ def get_settings() -> Settings:
         A validated :class:`Settings` object. Raises :class:`pydantic.ValidationError`
         if required keys are absent or values fail validation.
     """
-    return Settings()  # type: ignore[call-arg]  # pydantic-settings populates required fields from env vars
+    return Settings()  # pydantic-settings populates required fields from env vars

backend/app/main.py

@@ -49,6 +49,7 @@ from app.routers import (
 )
 from app.tasks import blocklist_import, geo_cache_flush, geo_re_resolve, health_check
 from app.utils.fail2ban_client import Fail2BanConnectionError, Fail2BanProtocolError
+from app.utils.jail_config import ensure_jail_configs
 
 # ---------------------------------------------------------------------------
 # Ensure the bundled fail2ban package is importable from fail2ban-master/
@@ -137,7 +138,13 @@ async def _lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
 
     log.info("bangui_starting_up", database_path=settings.database_path)
 
+    # --- Ensure required jail config files are present ---
+    ensure_jail_configs(Path(settings.fail2ban_config_dir) / "jail.d")
+
     # --- Application database ---
+    db_path: Path = Path(settings.database_path)
+    db_path.parent.mkdir(parents=True, exist_ok=True)
+    log.debug("database_directory_ensured", directory=str(db_path.parent))
     db: aiosqlite.Connection = await aiosqlite.connect(settings.database_path)
     db.row_factory = aiosqlite.Row
     await init_db(db)
@@ -320,17 +327,15 @@ class SetupRedirectMiddleware(BaseHTTPMiddleware):
         if path.startswith("/api") and not getattr(
             request.app.state, "_setup_complete_cached", False
         ):
-            db: aiosqlite.Connection | None = getattr(request.app.state, "db", None)
-            if db is not None:
-                from app.services import setup_service  # noqa: PLC0415
+            from app.services import setup_service  # noqa: PLC0415
 
-                if await setup_service.is_setup_complete(db):
-                    request.app.state._setup_complete_cached = True
-                else:
-                    return RedirectResponse(
-                        url="/api/setup",
-                        status_code=status.HTTP_307_TEMPORARY_REDIRECT,
-                    )
+            db: aiosqlite.Connection | None = getattr(request.app.state, "db", None)
+            if db is None or not await setup_service.is_setup_complete(db):
+                return RedirectResponse(
+                    url="/api/setup",
+                    status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+                )
+            request.app.state._setup_complete_cached = True
 
         return await call_next(request)
 

backend/app/models/config.py

@@ -807,6 +807,14 @@ class InactiveJail(BaseModel):
             "inactive jails that appear in this list."
         ),
     )
+    has_local_override: bool = Field(
+        default=False,
+        description=(
+            "``True`` when a ``jail.d/{name}.local`` file exists for this jail. "
+            "Only meaningful for inactive jails; indicates that a cleanup action "
+            "is available."
+        ),
+    )
 
 
 class InactiveJailListResponse(BaseModel):

backend/app/routers/config.py

@@ -40,9 +40,12 @@ from __future__ import annotations
 import datetime
 from typing import Annotated
 
+import structlog
 from fastapi import APIRouter, HTTPException, Path, Query, Request, status
 
 from app.dependencies import AuthDep
+
+log: structlog.stdlib.BoundLogger = structlog.get_logger()
 from app.models.config import (
     ActionConfig,
     ActionCreateRequest,
@@ -97,6 +100,7 @@ from app.services.config_service import (
     ConfigValidationError,
     JailNotFoundError,
 )
+from app.services.jail_service import JailOperationError
 from app.tasks.health_check import _run_probe
 from app.utils.fail2ban_client import Fail2BanConnectionError
 
@@ -357,15 +361,88 @@ async def reload_fail2ban(
         _auth: Validated session.
 
     Raises:
+        HTTPException: 409 when fail2ban reports the reload failed.
         HTTPException: 502 when fail2ban is unreachable.
     """
     socket_path: str = request.app.state.settings.fail2ban_socket
     try:
         await jail_service.reload_all(socket_path)
+    except JailOperationError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=f"fail2ban reload failed: {exc}",
+        ) from exc
     except Fail2BanConnectionError as exc:
         raise _bad_gateway(exc) from exc
 
 
+# Restart endpoint
+# ---------------------------------------------------------------------------
+
+
+@router.post(
+    "/restart",
+    status_code=status.HTTP_204_NO_CONTENT,
+    summary="Restart the fail2ban service",
+)
+async def restart_fail2ban(
+    request: Request,
+    _auth: AuthDep,
+) -> None:
+    """Trigger a full fail2ban service restart.
+
+    Stops the fail2ban daemon via the Unix domain socket, then starts it
+    again using the configured ``fail2ban_start_command``.  After starting,
+    probes the socket for up to 10 seconds to confirm the daemon came back
+    online.
+
+    Args:
+        request: Incoming request.
+        _auth: Validated session.
+
+    Raises:
+        HTTPException: 409 when fail2ban reports the stop command failed.
+        HTTPException: 502 when fail2ban is unreachable for the stop command.
+        HTTPException: 503 when fail2ban does not come back online within
+            10 seconds after being started.  Check the fail2ban log for
+            initialisation errors.  Use
+            ``POST /api/config/jails/{name}/rollback`` if a specific jail
+            is suspect.
+    """
+    socket_path: str = request.app.state.settings.fail2ban_socket
+    start_cmd: str = request.app.state.settings.fail2ban_start_command
+    start_cmd_parts: list[str] = start_cmd.split()
+
+    # Step 1: stop the daemon via socket.
+    try:
+        await jail_service.restart(socket_path)
+    except JailOperationError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=f"fail2ban stop command failed: {exc}",
+        ) from exc
+    except Fail2BanConnectionError as exc:
+        raise _bad_gateway(exc) from exc
+
+    # Step 2: start the daemon via subprocess.
+    await config_file_service.start_daemon(start_cmd_parts)
+
+    # Step 3: probe the socket until fail2ban is responsive or the budget expires.
+    fail2ban_running: bool = await config_file_service.wait_for_fail2ban(
+        socket_path, max_wait_seconds=10.0
+    )
+    if not fail2ban_running:
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail=(
+                "fail2ban was stopped but did not come back online within 10 seconds. "
+                "Check the fail2ban log for initialisation errors. "
+                "Use POST /api/config/jails/{name}/rollback if a specific jail is suspect."
+            ),
+        )
+    log.info("fail2ban_restarted")
+
+
 # ---------------------------------------------------------------------------
 # Regex tester (stateless)
 # ---------------------------------------------------------------------------
@@ -721,6 +798,60 @@ async def deactivate_jail(
     return result
 
 
+@router.delete(
+    "/jails/{name}/local",
+    status_code=status.HTTP_204_NO_CONTENT,
+    summary="Delete the jail.d override file for an inactive jail",
+)
+async def delete_jail_local_override(
+    request: Request,
+    _auth: AuthDep,
+    name: _NamePath,
+) -> None:
+    """Remove the ``jail.d/{name}.local`` override file for an inactive jail.
+
+    This endpoint is the clean-up action for inactive jails that still carry
+    a ``.local`` override file (e.g. one written with ``enabled = false`` by a
+    previous deactivation).  The file is deleted without modifying fail2ban's
+    running state, since the jail is already inactive.
+
+    Args:
+        request: FastAPI request object.
+        _auth: Validated session.
+        name: Name of the jail whose ``.local`` file should be removed.
+
+    Raises:
+        HTTPException: 400 if *name* contains invalid characters.
+        HTTPException: 404 if *name* is not found in any config file.
+        HTTPException: 409 if the jail is currently active.
+        HTTPException: 500 if the file cannot be deleted.
+        HTTPException: 502 if fail2ban is unreachable.
+    """
+    config_dir: str = request.app.state.settings.fail2ban_config_dir
+    socket_path: str = request.app.state.settings.fail2ban_socket
+
+    try:
+        await config_file_service.delete_jail_local_override(
+            config_dir, socket_path, name
+        )
+    except JailNameError as exc:
+        raise _bad_request(str(exc)) from exc
+    except JailNotFoundInConfigError:
+        raise _not_found(name) from None
+    except JailAlreadyActiveError:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=f"Jail {name!r} is currently active; deactivate it first.",
+        ) from None
+    except ConfigWriteError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to delete config override: {exc}",
+        ) from exc
+    except Fail2BanConnectionError as exc:
+        raise _bad_gateway(exc) from exc
+
+
 # ---------------------------------------------------------------------------
 # Jail validation & rollback endpoints (Task 3)
 # ---------------------------------------------------------------------------

backend/app/routers/file_config.py

@@ -14,8 +14,8 @@ Endpoints:
 * ``GET  /api/config/filters/{name}/parsed``        — parse a filter file into a structured model
 * ``PUT  /api/config/filters/{name}/parsed``        — update a filter file from a structured model
 * ``GET  /api/config/actions``                     — list all action files
-* ``GET  /api/config/actions/{name}``              — get one action file (with content)
-* ``PUT  /api/config/actions/{name}``              — update an action file
+* ``GET  /api/config/actions/{name}/raw``          — get one action file (raw content)
+* ``PUT  /api/config/actions/{name}/raw``          — update an action file (raw content)
 * ``POST /api/config/actions``                     — create a new action file
 * ``GET  /api/config/actions/{name}/parsed``        — parse an action file into a structured model
 * ``PUT  /api/config/actions/{name}/parsed``        — update an action file from a structured model
@@ -460,7 +460,7 @@ async def list_action_files(
 
 
 @router.get(
-    "/actions/{name}",
+    "/actions/{name}/raw",
     response_model=ConfFileContent,
     summary="Return an action definition file with its content",
 )
@@ -496,7 +496,7 @@ async def get_action_file(
 
 
 @router.put(
-    "/actions/{name}",
+    "/actions/{name}/raw",
     status_code=status.HTTP_204_NO_CONTENT,
     summary="Update an action definition file",
 )

backend/app/services/config_file_service.py

@@ -55,6 +55,7 @@ from app.models.config import (
     RollbackResponse,
 )
 from app.services import conffile_parser, jail_service
+from app.services.jail_service import JailNotFoundError as JailNotFoundError
 from app.utils.fail2ban_client import Fail2BanClient, Fail2BanConnectionError
 
 log: structlog.stdlib.BoundLogger = structlog.get_logger()
@@ -428,6 +429,7 @@ def _build_inactive_jail(
     name: str,
     settings: dict[str, str],
     source_file: str,
+    config_dir: Path | None = None,
 ) -> InactiveJail:
     """Construct an :class:`~app.models.config.InactiveJail` from raw settings.
 
@@ -435,6 +437,8 @@ def _build_inactive_jail(
         name: Jail section name.
         settings: Merged key→value dict (DEFAULT values already applied).
         source_file: Path of the file that last defined this section.
+        config_dir: Absolute path to the fail2ban configuration directory, used
+            to check whether a ``jail.d/{name}.local`` override file exists.
 
     Returns:
         Populated :class:`~app.models.config.InactiveJail`.
@@ -512,6 +516,11 @@ def _build_inactive_jail(
         bantime_escalation=bantime_escalation,
         source_file=source_file,
         enabled=enabled,
+        has_local_override=(
+            (config_dir / "jail.d" / f"{name}.local").is_file()
+            if config_dir is not None
+            else False
+        ),
     )
 
 
@@ -739,7 +748,7 @@ async def _probe_fail2ban_running(socket_path: str) -> bool:
         return False
 
 
-async def _wait_for_fail2ban(
+async def wait_for_fail2ban(
     socket_path: str,
     max_wait_seconds: float = 10.0,
     poll_interval: float = 2.0,
@@ -763,7 +772,7 @@ async def _wait_for_fail2ban(
     return False
 
 
-async def _start_daemon(start_cmd_parts: list[str]) -> bool:
+async def start_daemon(start_cmd_parts: list[str]) -> bool:
     """Start the fail2ban daemon using *start_cmd_parts*.
 
     Uses :func:`asyncio.create_subprocess_exec` (no shell interpretation)
@@ -1110,7 +1119,7 @@ async def list_inactive_jails(
             continue
 
         source = source_files.get(jail_name, config_dir)
-        inactive.append(_build_inactive_jail(jail_name, settings, source))
+        inactive.append(_build_inactive_jail(jail_name, settings, source, Path(config_dir)))
 
     log.info(
         "inactive_jails_listed",
@@ -1231,6 +1240,30 @@ async def activate_jail(
     # ---------------------------------------------------------------------- #
     try:
         await jail_service.reload_all(socket_path, include_jails=[name])
+    except JailNotFoundError as exc:
+        # Jail configuration is invalid (e.g. missing logpath that prevents
+        # fail2ban from loading the jail). Roll back and provide a specific error.
+        log.warning(
+            "reload_after_activate_failed_jail_not_found",
+            jail=name,
+            error=str(exc),
+        )
+        recovered = await _rollback_activation_async(
+            config_dir, name, socket_path, original_content
+        )
+        return JailActivationResponse(
+            name=name,
+            active=False,
+            fail2ban_running=False,
+            recovered=recovered,
+            validation_warnings=warnings,
+            message=(
+                f"Jail {name!r} activation failed: {str(exc)}. "
+                "Check that all logpath files exist and are readable. "
+                "The configuration was "
+                + ("automatically recovered." if recovered else "not recovered — manual intervention is required.")
+            ),
+        )
     except Exception as exc:  # noqa: BLE001
         log.warning("reload_after_activate_failed", jail=name, error=str(exc))
         recovered = await _rollback_activation_async(
@@ -1444,6 +1477,57 @@ async def deactivate_jail(
     )
 
 
+async def delete_jail_local_override(
+    config_dir: str,
+    socket_path: str,
+    name: str,
+) -> None:
+    """Delete the ``jail.d/{name}.local`` override file for an inactive jail.
+
+    This is the clean-up action shown in the config UI when an inactive jail
+    still has a ``.local`` override file (e.g. ``enabled = false``).  The
+    file is deleted outright; no fail2ban reload is required because the jail
+    is already inactive.
+
+    Args:
+        config_dir: Absolute path to the fail2ban configuration directory.
+        socket_path: Path to the fail2ban Unix domain socket.
+        name: Name of the jail whose ``.local`` file should be removed.
+
+    Raises:
+        JailNameError: If *name* contains invalid characters.
+        JailNotFoundInConfigError: If *name* is not defined in any config file.
+        JailAlreadyActiveError: If the jail is currently active (refusing to
+            delete the live config file).
+        ConfigWriteError: If the file cannot be deleted.
+    """
+    _safe_jail_name(name)
+
+    loop = asyncio.get_event_loop()
+    all_jails, _source_files = await loop.run_in_executor(
+        None, _parse_jails_sync, Path(config_dir)
+    )
+
+    if name not in all_jails:
+        raise JailNotFoundInConfigError(name)
+
+    active_names = await _get_active_jail_names(socket_path)
+    if name in active_names:
+        raise JailAlreadyActiveError(name)
+
+    local_path = Path(config_dir) / "jail.d" / f"{name}.local"
+    try:
+        await loop.run_in_executor(
+            None, lambda: local_path.unlink(missing_ok=True)
+        )
+    except OSError as exc:
+        raise ConfigWriteError(
+            f"Failed to delete {local_path}: {exc}"
+        ) from exc
+
+    log.info("jail_local_override_deleted", jail=name, path=str(local_path))
+
+
 async def validate_jail_config(
     config_dir: str,
     name: str,
@@ -1516,11 +1600,11 @@ async def rollback_jail(
     log.info("jail_rolled_back_disabled", jail=name)
 
     # Attempt to start the daemon.
-    started = await _start_daemon(start_cmd_parts)
+    started = await start_daemon(start_cmd_parts)
     log.info("jail_rollback_start_attempted", jail=name, start_ok=started)
 
     # Wait for the socket to come back.
-    fail2ban_running = await _wait_for_fail2ban(
+    fail2ban_running = await wait_for_fail2ban(
         socket_path, max_wait_seconds=10.0, poll_interval=2.0
     )
 

backend/app/services/jail_service.py

@@ -43,6 +43,13 @@ _SOCKET_TIMEOUT: float = 10.0
 # ensures only one reload stream is in-flight at a time.
 _reload_all_lock: asyncio.Lock = asyncio.Lock()
 
+# Capability detection for optional fail2ban transmitter commands (backend, idle).
+# These commands are not supported in all fail2ban versions. Caching the result
+# avoids sending unsupported commands every polling cycle and spamming the
+# fail2ban log with "Invalid command" errors.
+_backend_cmd_supported: bool | None = None
+_backend_cmd_lock: asyncio.Lock = asyncio.Lock()
+
 # ---------------------------------------------------------------------------
 # Custom exceptions
 # ---------------------------------------------------------------------------
@@ -185,6 +192,51 @@ async def _safe_get(
         return default
 
 
+async def _check_backend_cmd_supported(
+    client: Fail2BanClient,
+    jail_name: str,
+) -> bool:
+    """Detect whether the fail2ban daemon supports optional ``get ... backend`` command.
+
+    Some fail2ban versions (e.g. LinuxServer.io container) do not implement the
+    optional ``get <jail> backend`` and ``get <jail> idle`` transmitter sub-commands.
+    This helper probes the daemon once and caches the result to avoid repeated
+    "Invalid command" errors in the fail2ban log.
+
+    Uses double-check locking to minimize lock contention in concurrent polls.
+
+    Args:
+        client: The :class:`~app.utils.fail2ban_client.Fail2BanClient` to use.
+        jail_name: Name of any jail to use for the probe command.
+
+    Returns:
+        ``True`` if the command is supported, ``False`` otherwise.
+        Once determined, the result is cached and reused for all jails.
+    """
+    global _backend_cmd_supported
+
+    # Fast path: return cached result if already determined.
+    if _backend_cmd_supported is not None:
+        return _backend_cmd_supported
+
+    # Slow path: acquire lock and probe the command once.
+    async with _backend_cmd_lock:
+        # Double-check idiom: another coroutine may have probed while we waited.
+        if _backend_cmd_supported is not None:
+            return _backend_cmd_supported
+
+        # Probe: send the command and catch any exception.
+        try:
+            _ok(await client.send(["get", jail_name, "backend"]))
+            _backend_cmd_supported = True
+            log.debug("backend_cmd_supported_detected")
+        except Exception:
+            _backend_cmd_supported = False
+            log.debug("backend_cmd_unsupported_detected")
+
+        return _backend_cmd_supported
+
+
 # ---------------------------------------------------------------------------
 # Public API — Jail listing & detail
 # ---------------------------------------------------------------------------
@@ -238,7 +290,11 @@ async def _fetch_jail_summary(
     """Fetch and build a :class:`~app.models.jail.JailSummary` for one jail.
 
     Sends the ``status``, ``get ... bantime``, ``findtime``, ``maxretry``,
-    ``backend``, and ``idle`` commands in parallel.
+    ``backend``, and ``idle`` commands in parallel (if supported).
+
+    The ``backend`` and ``idle`` commands are optional and not supported in
+    all fail2ban versions. If not supported, this function will not send them
+    to avoid spamming the fail2ban log with "Invalid command" errors.
 
     Args:
         client: Shared :class:`~app.utils.fail2ban_client.Fail2BanClient`.
@@ -247,15 +303,38 @@ async def _fetch_jail_summary(
     Returns:
         A :class:`~app.models.jail.JailSummary` populated from the responses.
     """
-    _r = await asyncio.gather(
+    # Check whether optional backend/idle commands are supported.
+    # This probe happens once per session and is cached to avoid repeated
+    # "Invalid command" errors in the fail2ban log.
+    backend_cmd_is_supported = await _check_backend_cmd_supported(client, name)
+
+    # Build the gather list based on command support.
+    gather_list: list[Any] = [
         client.send(["status", name, "short"]),
         client.send(["get", name, "bantime"]),
         client.send(["get", name, "findtime"]),
         client.send(["get", name, "maxretry"]),
-        client.send(["get", name, "backend"]),
-        client.send(["get", name, "idle"]),
-        return_exceptions=True,
-    )
+    ]
+
+    if backend_cmd_is_supported:
+        # Commands are supported; send them for real values.
+        gather_list.extend([
+            client.send(["get", name, "backend"]),
+            client.send(["get", name, "idle"]),
+        ])
+        uses_backend_backend_commands = True
+    else:
+        # Commands not supported; return default values without sending.
+        async def _return_default(value: Any) -> tuple[int, Any]:
+            return (0, value)
+
+        gather_list.extend([
+            _return_default("polling"),  # backend default
+            _return_default(False),      # idle default
+        ])
+        uses_backend_backend_commands = False
+
+    _r = await asyncio.gather(*gather_list, return_exceptions=True)
     status_raw: Any = _r[0]
     bantime_raw: Any = _r[1]
     findtime_raw: Any = _r[2]
@@ -569,7 +648,10 @@ async def reload_all(
         exclude_jails: Jail names to remove from the start stream.
 
     Raises:
-        JailOperationError: If fail2ban reports the operation failed.
+        JailNotFoundError: If a jail in *include_jails* does not exist or
+            its configuration is invalid (e.g. missing logpath).
+        JailOperationError: If fail2ban reports the operation failed for
+            a different reason.
         ~app.utils.fail2ban_client.Fail2BanConnectionError: If the socket
             cannot be reached.
     """
@@ -593,9 +675,43 @@ async def reload_all(
             _ok(await client.send(["reload", "--all", [], stream]))
             log.info("all_jails_reloaded")
         except ValueError as exc:
+            # Detect UnknownJailException (missing or invalid jail configuration)
+            # and re-raise as JailNotFoundError for better error specificity.
+            if _is_not_found_error(exc):
+                # Extract the jail name from include_jails if available.
+                jail_name = include_jails[0] if include_jails else "unknown"
+                raise JailNotFoundError(jail_name) from exc
             raise JailOperationError(str(exc)) from exc
 
 
+async def restart(socket_path: str) -> None:
+    """Stop the fail2ban daemon via the Unix socket.
+
+    Sends ``["stop"]`` to the fail2ban daemon, which calls ``server.quit()``
+    on the daemon side and tears down all jails.  The caller is responsible
+    for starting the daemon again (e.g. via ``fail2ban-client start``).
+
+    Note:
+        ``["restart"]`` is a *client-side* orchestration command that is not
+        handled by the fail2ban server transmitter — sending it to the socket
+        raises ``"Invalid command"`` in the daemon.
+
+    Args:
+        socket_path: Path to the fail2ban Unix domain socket.
+
+    Raises:
+        JailOperationError: If fail2ban reports the stop command failed.
+        ~app.utils.fail2ban_client.Fail2BanConnectionError: If the socket
+            cannot be reached.
+    """
+    client = Fail2BanClient(socket_path=socket_path, timeout=_SOCKET_TIMEOUT)
+    try:
+        _ok(await client.send(["stop"]))
+        log.info("fail2ban_stopped_for_restart")
+    except ValueError as exc:
+        raise JailOperationError(str(exc)) from exc
+
+
 # ---------------------------------------------------------------------------
 # Public API — Ban / Unban
 # ---------------------------------------------------------------------------

backend/app/utils/jail_config.py

@@ -0,0 +1,93 @@
+"""Utilities for ensuring required fail2ban jail configuration files exist.
+
+BanGUI requires two custom jails — ``manual-Jail`` and ``blocklist-import``
+— to be present in the fail2ban ``jail.d`` directory.  This module provides
+:func:`ensure_jail_configs` which checks each of the four files
+(``*.conf`` template + ``*.local`` override) and creates any that are missing
+with the correct default content.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+import structlog
+
+if TYPE_CHECKING:
+    from pathlib import Path
+
+log: structlog.stdlib.BoundLogger = structlog.get_logger()
+
+# ---------------------------------------------------------------------------
+# Default file contents
+# ---------------------------------------------------------------------------
+
+_MANUAL_JAIL_CONF = """\
+[manual-Jail]
+
+enabled    = false
+filter     = manual-Jail
+logpath    = /remotelogs/bangui/auth.log
+backend    = polling
+maxretry   = 3
+findtime   = 120
+bantime    = 60
+ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12
+"""
+
+_MANUAL_JAIL_LOCAL = """\
+[manual-Jail]
+enabled    = true
+"""
+
+_BLOCKLIST_IMPORT_CONF = """\
+[blocklist-import]
+
+enabled    = false
+filter     =
+logpath    = /dev/null
+backend    = auto
+maxretry   = 1
+findtime   = 1d
+bantime    = 1w
+ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12
+"""
+
+_BLOCKLIST_IMPORT_LOCAL = """\
+[blocklist-import]
+enabled    = true
+"""
+
+# ---------------------------------------------------------------------------
+# File registry: (filename, default_content)
+# ---------------------------------------------------------------------------
+
+_JAIL_FILES: list[tuple[str, str]] = [
+    ("manual-Jail.conf", _MANUAL_JAIL_CONF),
+    ("manual-Jail.local", _MANUAL_JAIL_LOCAL),
+    ("blocklist-import.conf", _BLOCKLIST_IMPORT_CONF),
+    ("blocklist-import.local", _BLOCKLIST_IMPORT_LOCAL),
+]
+
+
+def ensure_jail_configs(jail_d_path: Path) -> None:
+    """Ensure the required fail2ban jail configuration files exist.
+
+    Checks for ``manual-Jail.conf``, ``manual-Jail.local``,
+    ``blocklist-import.conf``, and ``blocklist-import.local`` inside
+    *jail_d_path*.  Any file that is missing is created with its default
+    content.  Existing files are **never** overwritten.
+
+    Args:
+        jail_d_path: Path to the fail2ban ``jail.d`` directory.  Will be
+            created (including all parents) if it does not already exist.
+    """
+    jail_d_path.mkdir(parents=True, exist_ok=True)
+
+    for filename, default_content in _JAIL_FILES:
+        file_path = jail_d_path / filename
+        if file_path.exists():
+            log.debug("jail_config_already_exists", path=str(file_path))
+        else:
+            file_path.write_text(default_content, encoding="utf-8")
+            log.info("jail_config_created", path=str(file_path))

backend/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bangui-backend"
-version = "0.1.0"
+version = "0.9.0"
 description = "BanGUI backend — fail2ban web management interface"
 requires-python = ">=3.12"
 dependencies = [

backend/tests/test_routers/test_config.py

@@ -370,6 +370,124 @@ class TestReloadFail2ban:
 
         assert resp.status_code == 204
 
+    async def test_502_when_fail2ban_unreachable(self, config_client: AsyncClient) -> None:
+        """POST /api/config/reload returns 502 when fail2ban socket is unreachable."""
+        from app.utils.fail2ban_client import Fail2BanConnectionError
+
+        with patch(
+            "app.routers.config.jail_service.reload_all",
+            AsyncMock(side_effect=Fail2BanConnectionError("no socket", "/fake.sock")),
+        ):
+            resp = await config_client.post("/api/config/reload")
+
+        assert resp.status_code == 502
+
+    async def test_409_when_reload_operation_fails(self, config_client: AsyncClient) -> None:
+        """POST /api/config/reload returns 409 when fail2ban reports a reload error."""
+        from app.services.jail_service import JailOperationError
+
+        with patch(
+            "app.routers.config.jail_service.reload_all",
+            AsyncMock(side_effect=JailOperationError("reload rejected")),
+        ):
+            resp = await config_client.post("/api/config/reload")
+
+        assert resp.status_code == 409
+
+
+# ---------------------------------------------------------------------------
+# POST /api/config/restart
+# ---------------------------------------------------------------------------
+
+
+class TestRestartFail2ban:
+    """Tests for ``POST /api/config/restart``."""
+
+    async def test_204_on_success(self, config_client: AsyncClient) -> None:
+        """POST /api/config/restart returns 204 when fail2ban restarts cleanly."""
+        with (
+            patch(
+                "app.routers.config.jail_service.restart",
+                AsyncMock(return_value=None),
+            ),
+            patch(
+                "app.routers.config.config_file_service.start_daemon",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.routers.config.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=True),
+            ),
+        ):
+            resp = await config_client.post("/api/config/restart")
+
+        assert resp.status_code == 204
+
+    async def test_503_when_fail2ban_does_not_come_back(self, config_client: AsyncClient) -> None:
+        """POST /api/config/restart returns 503 when fail2ban does not come back online."""
+        with (
+            patch(
+                "app.routers.config.jail_service.restart",
+                AsyncMock(return_value=None),
+            ),
+            patch(
+                "app.routers.config.config_file_service.start_daemon",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.routers.config.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=False),
+            ),
+        ):
+            resp = await config_client.post("/api/config/restart")
+
+        assert resp.status_code == 503
+
+    async def test_409_when_stop_command_fails(self, config_client: AsyncClient) -> None:
+        """POST /api/config/restart returns 409 when fail2ban rejects the stop command."""
+        from app.services.jail_service import JailOperationError
+
+        with patch(
+            "app.routers.config.jail_service.restart",
+            AsyncMock(side_effect=JailOperationError("stop failed")),
+        ):
+            resp = await config_client.post("/api/config/restart")
+
+        assert resp.status_code == 409
+
+    async def test_502_when_fail2ban_unreachable(self, config_client: AsyncClient) -> None:
+        """POST /api/config/restart returns 502 when fail2ban socket is unreachable."""
+        from app.utils.fail2ban_client import Fail2BanConnectionError
+
+        with patch(
+            "app.routers.config.jail_service.restart",
+            AsyncMock(side_effect=Fail2BanConnectionError("no socket", "/fake.sock")),
+        ):
+            resp = await config_client.post("/api/config/restart")
+
+        assert resp.status_code == 502
+
+    async def test_start_daemon_called_after_stop(self, config_client: AsyncClient) -> None:
+        """start_daemon is called after a successful stop."""
+        mock_start = AsyncMock(return_value=True)
+        with (
+            patch(
+                "app.routers.config.jail_service.restart",
+                AsyncMock(return_value=None),
+            ),
+            patch(
+                "app.routers.config.config_file_service.start_daemon",
+                mock_start,
+            ),
+            patch(
+                "app.routers.config.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=True),
+            ),
+        ):
+            await config_client.post("/api/config/restart")
+
+        mock_start.assert_awaited_once()
+
 
 # ---------------------------------------------------------------------------
 # POST /api/config/regex-test

backend/tests/test_routers/test_file_config.py

@@ -377,6 +377,102 @@ class TestCreateActionFile:
         assert resp.json()["name"] == "myaction"
 
 
+# ---------------------------------------------------------------------------
+# GET /api/config/actions/{name}/raw
+# ---------------------------------------------------------------------------
+
+
+class TestGetActionFileRaw:
+    """Tests for ``GET /api/config/actions/{name}/raw``."""
+
+    async def test_200_returns_content(self, file_config_client: AsyncClient) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.get_action_file",
+            AsyncMock(return_value=_conf_file_content("iptables")),
+        ):
+            resp = await file_config_client.get("/api/config/actions/iptables/raw")
+
+        assert resp.status_code == 200
+        assert resp.json()["name"] == "iptables"
+
+    async def test_404_not_found(self, file_config_client: AsyncClient) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.get_action_file",
+            AsyncMock(side_effect=ConfigFileNotFoundError("missing")),
+        ):
+            resp = await file_config_client.get("/api/config/actions/missing/raw")
+
+        assert resp.status_code == 404
+
+    async def test_503_on_config_dir_error(
+        self, file_config_client: AsyncClient
+    ) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.get_action_file",
+            AsyncMock(side_effect=ConfigDirError("no dir")),
+        ):
+            resp = await file_config_client.get("/api/config/actions/iptables/raw")
+
+        assert resp.status_code == 503
+
+
+# ---------------------------------------------------------------------------
+# PUT /api/config/actions/{name}/raw
+# ---------------------------------------------------------------------------
+
+
+class TestUpdateActionFileRaw:
+    """Tests for ``PUT /api/config/actions/{name}/raw``."""
+
+    async def test_204_on_success(self, file_config_client: AsyncClient) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.write_action_file",
+            AsyncMock(return_value=None),
+        ):
+            resp = await file_config_client.put(
+                "/api/config/actions/iptables/raw",
+                json={"content": "[Definition]\nactionban = iptables -I INPUT -s <ip> -j DROP\n"},
+            )
+
+        assert resp.status_code == 204
+
+    async def test_400_write_error(self, file_config_client: AsyncClient) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.write_action_file",
+            AsyncMock(side_effect=ConfigFileWriteError("disk full")),
+        ):
+            resp = await file_config_client.put(
+                "/api/config/actions/iptables/raw",
+                json={"content": "x"},
+            )
+
+        assert resp.status_code == 400
+
+    async def test_404_not_found(self, file_config_client: AsyncClient) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.write_action_file",
+            AsyncMock(side_effect=ConfigFileNotFoundError("missing")),
+        ):
+            resp = await file_config_client.put(
+                "/api/config/actions/missing/raw",
+                json={"content": "x"},
+            )
+
+        assert resp.status_code == 404
+
+    async def test_400_invalid_name(self, file_config_client: AsyncClient) -> None:
+        with patch(
+            "app.routers.file_config.file_config_service.write_action_file",
+            AsyncMock(side_effect=ConfigFileNameError("bad/../name")),
+        ):
+            resp = await file_config_client.put(
+                "/api/config/actions/escape/raw",
+                json={"content": "x"},
+            )
+
+        assert resp.status_code == 400
+
+
 # ---------------------------------------------------------------------------
 # POST /api/config/jail-files
 # ---------------------------------------------------------------------------

backend/tests/test_routers/test_setup.py

@@ -3,7 +3,7 @@
 from __future__ import annotations
 
 from pathlib import Path
-from unittest.mock import patch
+from unittest.mock import AsyncMock, MagicMock, patch
 
 import aiosqlite
 import pytest
@@ -11,7 +11,7 @@ from httpx import ASGITransport, AsyncClient
 
 from app.config import Settings
 from app.db import init_db
-from app.main import create_app
+from app.main import _lifespan, create_app
 
 # ---------------------------------------------------------------------------
 # Shared setup payload
@@ -286,3 +286,151 @@ class TestSetupCompleteCaching:
         # Cache was warm — is_setup_complete must not have been called.
         assert call_count == 0
 
+
+# ---------------------------------------------------------------------------
+# Task 0.1 — Lifespan creates the database parent directory (Task 0.1)
+# ---------------------------------------------------------------------------
+
+
+class TestLifespanDatabaseDirectoryCreation:
+    """App lifespan creates the database parent directory when it does not exist."""
+
+    async def test_creates_nested_database_directory(self, tmp_path: Path) -> None:
+        """Lifespan creates intermediate directories for the database path.
+
+        Verifies that a deeply-nested database path is handled correctly —
+        the parent directories are created before ``aiosqlite.connect`` is
+        called so the app does not crash on a fresh volume.
+        """
+        nested_db = tmp_path / "deep" / "nested" / "bangui.db"
+        assert not nested_db.parent.exists()
+
+        settings = Settings(
+            database_path=str(nested_db),
+            fail2ban_socket="/tmp/fake.sock",
+            session_secret="test-lifespan-mkdir-secret",
+            session_duration_minutes=60,
+            timezone="UTC",
+            log_level="debug",
+        )
+        app = create_app(settings=settings)
+
+        mock_scheduler = MagicMock()
+        mock_scheduler.start = MagicMock()
+        mock_scheduler.shutdown = MagicMock()
+
+        with (
+            patch("app.services.geo_service.init_geoip"),
+            patch(
+                "app.services.geo_service.load_cache_from_db",
+                new=AsyncMock(return_value=None),
+            ),
+            patch("app.tasks.health_check.register"),
+            patch("app.tasks.blocklist_import.register"),
+            patch("app.tasks.geo_cache_flush.register"),
+            patch("app.tasks.geo_re_resolve.register"),
+            patch("app.main.AsyncIOScheduler", return_value=mock_scheduler),
+            patch("app.main.ensure_jail_configs"),
+        ):
+            async with _lifespan(app):
+                assert nested_db.parent.exists(), (
+                    "Expected lifespan to create database parent directory"
+                )
+
+    async def test_existing_database_directory_is_not_an_error(
+        self, tmp_path: Path
+    ) -> None:
+        """Lifespan does not raise when the database directory already exists.
+
+        ``mkdir(exist_ok=True)`` must be used so that re-starts on an existing
+        volume do not fail.
+        """
+        db_path = tmp_path / "bangui.db"
+        # tmp_path already exists — this simulates a pre-existing volume.
+
+        settings = Settings(
+            database_path=str(db_path),
+            fail2ban_socket="/tmp/fake.sock",
+            session_secret="test-lifespan-exist-ok-secret",
+            session_duration_minutes=60,
+            timezone="UTC",
+            log_level="debug",
+        )
+        app = create_app(settings=settings)
+
+        mock_scheduler = MagicMock()
+        mock_scheduler.start = MagicMock()
+        mock_scheduler.shutdown = MagicMock()
+
+        with (
+            patch("app.services.geo_service.init_geoip"),
+            patch(
+                "app.services.geo_service.load_cache_from_db",
+                new=AsyncMock(return_value=None),
+            ),
+            patch("app.tasks.health_check.register"),
+            patch("app.tasks.blocklist_import.register"),
+            patch("app.tasks.geo_cache_flush.register"),
+            patch("app.tasks.geo_re_resolve.register"),
+            patch("app.main.AsyncIOScheduler", return_value=mock_scheduler),
+            patch("app.main.ensure_jail_configs"),
+        ):
+            # Should not raise FileExistsError or similar.
+            async with _lifespan(app):
+                assert tmp_path.exists()
+
+
+# ---------------------------------------------------------------------------
+# Task 0.2 — Middleware redirects when app.state.db is None
+# ---------------------------------------------------------------------------
+
+
+class TestSetupRedirectMiddlewareDbNone:
+    """SetupRedirectMiddleware redirects when the database is not yet available."""
+
+    async def test_redirects_to_setup_when_db_not_set(self, tmp_path: Path) -> None:
+        """A ``None`` db on app.state causes a 307 redirect to ``/api/setup``.
+
+        Simulates the race window where a request arrives before the lifespan
+        has finished initialising the database connection.
+        """
+        settings = Settings(
+            database_path=str(tmp_path / "bangui.db"),
+            fail2ban_socket="/tmp/fake_fail2ban.sock",
+            session_secret="test-db-none-secret",
+            session_duration_minutes=60,
+            timezone="UTC",
+            log_level="debug",
+        )
+        app = create_app(settings=settings)
+        # Deliberately do NOT set app.state.db to simulate startup not complete.
+
+        transport = ASGITransport(app=app)
+        async with AsyncClient(
+            transport=transport, base_url="http://test"
+        ) as ac:
+            response = await ac.get("/api/auth/login", follow_redirects=False)
+
+        assert response.status_code == 307
+        assert response.headers["location"] == "/api/setup"
+
+    async def test_health_reachable_when_db_not_set(self, tmp_path: Path) -> None:
+        """Health endpoint is always reachable even when db is not initialised."""
+        settings = Settings(
+            database_path=str(tmp_path / "bangui.db"),
+            fail2ban_socket="/tmp/fake_fail2ban.sock",
+            session_secret="test-db-none-health-secret",
+            session_duration_minutes=60,
+            timezone="UTC",
+            log_level="debug",
+        )
+        app = create_app(settings=settings)
+
+        transport = ASGITransport(app=app)
+        async with AsyncClient(
+            transport=transport, base_url="http://test"
+        ) as ac:
+            response = await ac.get("/api/health")
+
+        assert response.status_code == 200
+

backend/tests/test_services/test_config_file_service.py

@@ -21,6 +21,7 @@ from app.services.config_file_service import (
     activate_jail,
     deactivate_jail,
     list_inactive_jails,
+    rollback_jail,
 )
 
 # ---------------------------------------------------------------------------
@@ -289,6 +290,28 @@ class TestBuildInactiveJail:
         jail = _build_inactive_jail("active-jail", settings, "/etc/fail2ban/jail.conf")
         assert jail.enabled is True
 
+    def test_has_local_override_absent(self, tmp_path: Path) -> None:
+        """has_local_override is False when no .local file exists."""
+        jail = _build_inactive_jail(
+            "sshd", {}, "/etc/fail2ban/jail.d/sshd.conf", config_dir=tmp_path
+        )
+        assert jail.has_local_override is False
+
+    def test_has_local_override_present(self, tmp_path: Path) -> None:
+        """has_local_override is True when jail.d/{name}.local exists."""
+        local = tmp_path / "jail.d" / "sshd.local"
+        local.parent.mkdir(parents=True, exist_ok=True)
+        local.write_text("[sshd]\nenabled = false\n")
+        jail = _build_inactive_jail(
+            "sshd", {}, "/etc/fail2ban/jail.d/sshd.conf", config_dir=tmp_path
+        )
+        assert jail.has_local_override is True
+
+    def test_has_local_override_no_config_dir(self) -> None:
+        """has_local_override is False when config_dir is not provided."""
+        jail = _build_inactive_jail("sshd", {}, "/etc/fail2ban/jail.conf")
+        assert jail.has_local_override is False
+
 
 # ---------------------------------------------------------------------------
 # _write_local_override_sync
@@ -424,6 +447,121 @@ class TestListInactiveJails:
         assert "sshd" in names
         assert "apache-auth" in names
 
+    async def test_has_local_override_true_when_local_file_exists(
+        self, tmp_path: Path
+    ) -> None:
+        """has_local_override is True for a jail whose jail.d .local file exists."""
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        local = tmp_path / "jail.d" / "apache-auth.local"
+        local.parent.mkdir(parents=True, exist_ok=True)
+        local.write_text("[apache-auth]\nenabled = false\n")
+        with patch(
+            "app.services.config_file_service._get_active_jail_names",
+            new=AsyncMock(return_value=set()),
+        ):
+            result = await list_inactive_jails(str(tmp_path), "/fake.sock")
+        jail = next(j for j in result.jails if j.name == "apache-auth")
+        assert jail.has_local_override is True
+
+    async def test_has_local_override_false_when_no_local_file(
+        self, tmp_path: Path
+    ) -> None:
+        """has_local_override is False when no jail.d .local file exists."""
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        with patch(
+            "app.services.config_file_service._get_active_jail_names",
+            new=AsyncMock(return_value=set()),
+        ):
+            result = await list_inactive_jails(str(tmp_path), "/fake.sock")
+        jail = next(j for j in result.jails if j.name == "apache-auth")
+        assert jail.has_local_override is False
+
+
+# ---------------------------------------------------------------------------
+# delete_jail_local_override
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+class TestDeleteJailLocalOverride:
+    """Tests for :func:`~app.services.config_file_service.delete_jail_local_override`."""
+
+    async def test_deletes_local_file(self, tmp_path: Path) -> None:
+        """delete_jail_local_override removes the jail.d/.local file."""
+        from app.services.config_file_service import delete_jail_local_override
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        local = tmp_path / "jail.d" / "apache-auth.local"
+        local.parent.mkdir(parents=True, exist_ok=True)
+        local.write_text("[apache-auth]\nenabled = false\n")
+
+        with patch(
+            "app.services.config_file_service._get_active_jail_names",
+            new=AsyncMock(return_value=set()),
+        ):
+            await delete_jail_local_override(str(tmp_path), "/fake.sock", "apache-auth")
+
+        assert not local.exists()
+
+    async def test_no_error_when_local_file_missing(self, tmp_path: Path) -> None:
+        """delete_jail_local_override succeeds silently when no .local file exists."""
+        from app.services.config_file_service import delete_jail_local_override
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        with patch(
+            "app.services.config_file_service._get_active_jail_names",
+            new=AsyncMock(return_value=set()),
+        ):
+            # Must not raise even though there is no .local file.
+            await delete_jail_local_override(str(tmp_path), "/fake.sock", "apache-auth")
+
+    async def test_raises_jail_not_found(self, tmp_path: Path) -> None:
+        """delete_jail_local_override raises JailNotFoundInConfigError for unknown jail."""
+        from app.services.config_file_service import (
+            JailNotFoundInConfigError,
+            delete_jail_local_override,
+        )
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(return_value=set()),
+            ),
+            pytest.raises(JailNotFoundInConfigError),
+        ):
+            await delete_jail_local_override(str(tmp_path), "/fake.sock", "nonexistent")
+
+    async def test_raises_jail_already_active(self, tmp_path: Path) -> None:
+        """delete_jail_local_override raises JailAlreadyActiveError when jail is running."""
+        from app.services.config_file_service import (
+            JailAlreadyActiveError,
+            delete_jail_local_override,
+        )
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        local = tmp_path / "jail.d" / "sshd.local"
+        local.parent.mkdir(parents=True, exist_ok=True)
+        local.write_text("[sshd]\nenabled = false\n")
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(return_value={"sshd"}),
+            ),
+            pytest.raises(JailAlreadyActiveError),
+        ):
+            await delete_jail_local_override(str(tmp_path), "/fake.sock", "sshd")
+
+    async def test_raises_jail_name_error(self, tmp_path: Path) -> None:
+        """delete_jail_local_override raises JailNameError for invalid jail names."""
+        from app.services.config_file_service import (
+            JailNameError,
+            delete_jail_local_override,
+        )
+
+        with pytest.raises(JailNameError):
+            await delete_jail_local_override(str(tmp_path), "/fake.sock", "../evil")
+
 
 # ---------------------------------------------------------------------------
 # activate_jail
@@ -3110,4 +3248,272 @@ class TestActivateJailRollback:
         assert result.active is False
         assert result.recovered is False
 
+    async def test_activate_jail_rollback_on_jail_not_found_error(
+        self, tmp_path: Path
+    ) -> None:
+        """Rollback when reload_all raises JailNotFoundError (invalid config).
+
+        When fail2ban cannot create a jail due to invalid configuration
+        (e.g., missing logpath), it raises UnknownJailException which becomes
+        JailNotFoundError. This test verifies proper handling and rollback.
+
+        Expects:
+        - The .local file is restored to its original content.
+        - The response indicates recovered=True.
+        - The error message mentions the logpath issue.
+        """
+        from app.models.config import ActivateJailRequest, JailValidationResult
+        from app.services.jail_service import JailNotFoundError
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        original_local = "[apache-auth]\nenabled = false\n"
+        local_path = tmp_path / "jail.d" / "apache-auth.local"
+        local_path.parent.mkdir(parents=True, exist_ok=True)
+        local_path.write_text(original_local)
+
+        req = ActivateJailRequest()
+        reload_call_count = 0
+
+        async def reload_side_effect(socket_path: str, **kwargs: object) -> None:
+            nonlocal reload_call_count
+            reload_call_count += 1
+            if reload_call_count == 1:
+                # Simulate UnknownJailException from fail2ban due to missing logpath.
+                raise JailNotFoundError("apache-auth")
+            # Recovery reload succeeds.
+
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(return_value=set()),
+            ),
+            patch("app.services.config_file_service.jail_service") as mock_js,
+            patch(
+                "app.services.config_file_service._probe_fail2ban_running",
+                new=AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(
+                    jail_name="apache-auth", valid=True
+                ),
+            ),
+        ):
+            mock_js.reload_all = AsyncMock(side_effect=reload_side_effect)
+            mock_js.JailNotFoundError = JailNotFoundError
+            result = await activate_jail(
+                str(tmp_path), "/fake.sock", "apache-auth", req
+            )
+
+        assert result.active is False
+        assert result.recovered is True
+        assert local_path.read_text() == original_local
+        # Verify the error message mentions logpath issues.
+        assert "logpath" in result.message.lower() or "check that all logpath" in result.message.lower()
+
+    async def test_activate_jail_rollback_deletes_file_when_no_prior_local(
+        self, tmp_path: Path
+    ) -> None:
+        """Rollback deletes the .local file when none existed before activation.
+
+        When a jail had no .local override before activation, activate_jail
+        creates one with enabled = true. If reload then crashes, rollback must
+        delete that file (leaving the jail in the same state as before the
+        activation attempt).
+
+        Expects:
+        - The .local file is absent after rollback.
+        - The response indicates recovered=True.
+        """
+        from app.models.config import ActivateJailRequest, JailValidationResult
+
+        _write(tmp_path / "jail.conf", JAIL_CONF)
+        (tmp_path / "jail.d").mkdir(parents=True, exist_ok=True)
+        local_path = tmp_path / "jail.d" / "apache-auth.local"
+        # No .local file exists before activation.
+        assert not local_path.exists()
+
+        req = ActivateJailRequest()
+        reload_call_count = 0
+
+        async def reload_side_effect(socket_path: str, **kwargs: object) -> None:
+            nonlocal reload_call_count
+            reload_call_count += 1
+            if reload_call_count == 1:
+                raise RuntimeError("fail2ban crashed")
+            # Recovery reload succeeds.
+
+        with (
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                new=AsyncMock(return_value=set()),
+            ),
+            patch("app.services.config_file_service.jail_service") as mock_js,
+            patch(
+                "app.services.config_file_service._probe_fail2ban_running",
+                new=AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service._validate_jail_config_sync",
+                return_value=JailValidationResult(
+                    jail_name="apache-auth", valid=True
+                ),
+            ),
+        ):
+            mock_js.reload_all = AsyncMock(side_effect=reload_side_effect)
+            result = await activate_jail(
+                str(tmp_path), "/fake.sock", "apache-auth", req
+            )
+
+        assert result.active is False
+        assert result.recovered is True
+        assert not local_path.exists()
+
+
+# ---------------------------------------------------------------------------
+# rollback_jail
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+class TestRollbackJail:
+    """Integration tests for :func:`~app.services.config_file_service.rollback_jail`."""
+
+    async def test_local_file_written_enabled_false(self, tmp_path: Path) -> None:
+        """rollback_jail writes enabled=false to jail.d/{name}.local before any socket call."""
+        (tmp_path / "jail.d").mkdir()
+
+        with (
+            patch(
+                "app.services.config_file_service.start_daemon",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                AsyncMock(return_value={"sshd"}),
+            ),
+        ):
+            await rollback_jail(str(tmp_path), "/fake.sock", "sshd", ["fail2ban-client", "start"])
+
+        local = tmp_path / "jail.d" / "sshd.local"
+        assert local.is_file(), "jail.d/sshd.local must be written"
+        content = local.read_text()
+        assert "enabled = false" in content
+
+    async def test_start_command_invoked_via_subprocess(self, tmp_path: Path) -> None:
+        """rollback_jail invokes the daemon start command via start_daemon, not via socket."""
+        mock_start = AsyncMock(return_value=True)
+
+        with (
+            patch("app.services.config_file_service.start_daemon", mock_start),
+            patch(
+                "app.services.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                AsyncMock(return_value={"other"}),
+            ),
+        ):
+            await rollback_jail(
+                str(tmp_path), "/fake.sock", "sshd", ["fail2ban-client", "start"]
+            )
+
+        mock_start.assert_awaited_once_with(["fail2ban-client", "start"])
+
+    async def test_fail2ban_running_reflects_socket_probe_not_subprocess_exit(
+        self, tmp_path: Path
+    ) -> None:
+        """fail2ban_running in the response reflects the socket probe result.
+
+        Even when start_daemon returns True (subprocess exit 0), if the socket
+        probe returns False the response must report fail2ban_running=False.
+        """
+        with (
+            patch(
+                "app.services.config_file_service.start_daemon",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=False),  # socket still unresponsive
+            ),
+        ):
+            result = await rollback_jail(
+                str(tmp_path), "/fake.sock", "sshd", ["fail2ban-client", "start"]
+            )
+
+        assert result.fail2ban_running is False
+
+    async def test_active_jails_zero_when_fail2ban_not_running(
+        self, tmp_path: Path
+    ) -> None:
+        """active_jails is 0 in the response when fail2ban_running is False."""
+        with (
+            patch(
+                "app.services.config_file_service.start_daemon",
+                AsyncMock(return_value=False),
+            ),
+            patch(
+                "app.services.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=False),
+            ),
+        ):
+            result = await rollback_jail(
+                str(tmp_path), "/fake.sock", "sshd", ["fail2ban-client", "start"]
+            )
+
+        assert result.active_jails == 0
+
+    async def test_active_jails_count_from_socket_when_running(
+        self, tmp_path: Path
+    ) -> None:
+        """active_jails reflects the actual jail count from the socket when fail2ban is up."""
+        with (
+            patch(
+                "app.services.config_file_service.start_daemon",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=True),
+            ),
+            patch(
+                "app.services.config_file_service._get_active_jail_names",
+                AsyncMock(return_value={"sshd", "nginx", "apache-auth"}),
+            ),
+        ):
+            result = await rollback_jail(
+                str(tmp_path), "/fake.sock", "sshd", ["fail2ban-client", "start"]
+            )
+
+        assert result.active_jails == 3
+
+    async def test_fail2ban_down_at_start_still_succeeds_file_write(
+        self, tmp_path: Path
+    ) -> None:
+        """rollback_jail writes the local file even when fail2ban is down at call time."""
+        # fail2ban is down: start_daemon fails and wait_for_fail2ban returns False.
+        with (
+            patch(
+                "app.services.config_file_service.start_daemon",
+                AsyncMock(return_value=False),
+            ),
+            patch(
+                "app.services.config_file_service.wait_for_fail2ban",
+                AsyncMock(return_value=False),
+            ),
+        ):
+            result = await rollback_jail(
+                str(tmp_path), "/fake.sock", "sshd", ["fail2ban-client", "start"]
+            )
+
+        local = tmp_path / "jail.d" / "sshd.local"
+        assert local.is_file(), "local file must be written even when fail2ban is down"
+        assert result.disabled is True
+        assert result.fail2ban_running is False
 

backend/tests/test_services/test_jail_service.py

@@ -184,10 +184,90 @@ class TestListJails:
         with patch("app.services.jail_service.Fail2BanClient", _FailClient), pytest.raises(Fail2BanConnectionError):
             await jail_service.list_jails(_SOCKET)
 
+    async def test_backend_idle_commands_unsupported(self) -> None:
+        """list_jails handles unsupported backend and idle commands gracefully.
 
-# ---------------------------------------------------------------------------
-# get_jail
-# ---------------------------------------------------------------------------
+        When the fail2ban daemon does not support get ... backend/idle commands,
+        list_jails should not send them, avoiding "Invalid command" errors in the
+        fail2ban log.
+        """
+        # Reset the capability cache to test detection.
+        jail_service._backend_cmd_supported = None
+
+        responses = {
+            "status": _make_global_status("sshd"),
+            "status|sshd|short": _make_short_status(),
+            # Capability probe: get backend fails (command not supported).
+            "get|sshd|backend": (1, Exception("Invalid command (no get action or not yet implemented)")),
+            # Subsequent gets should still work.
+            "get|sshd|bantime": (0, 600),
+            "get|sshd|findtime": (0, 600),
+            "get|sshd|maxretry": (0, 5),
+        }
+        with _patch_client(responses):
+            result = await jail_service.list_jails(_SOCKET)
+
+        # Verify the result uses the default values for backend and idle.
+        jail = result.jails[0]
+        assert jail.backend == "polling"  # default
+        assert jail.idle is False  # default
+        # Capability should now be cached as False.
+        assert jail_service._backend_cmd_supported is False
+
+    async def test_backend_idle_commands_supported(self) -> None:
+        """list_jails detects and sends backend/idle commands when supported."""
+        # Reset the capability cache to test detection.
+        jail_service._backend_cmd_supported = None
+
+        responses = {
+            "status": _make_global_status("sshd"),
+            "status|sshd|short": _make_short_status(),
+            # Capability probe: get backend succeeds.
+            "get|sshd|backend": (0, "systemd"),
+            # All other commands.
+            "get|sshd|bantime": (0, 600),
+            "get|sshd|findtime": (0, 600),
+            "get|sshd|maxretry": (0, 5),
+            "get|sshd|idle": (0, True),
+        }
+        with _patch_client(responses):
+            result = await jail_service.list_jails(_SOCKET)
+
+        # Verify real values are returned.
+        jail = result.jails[0]
+        assert jail.backend == "systemd"  # real value
+        assert jail.idle is True  # real value
+        # Capability should now be cached as True.
+        assert jail_service._backend_cmd_supported is True
+
+    async def test_backend_idle_commands_cached_after_first_probe(self) -> None:
+        """list_jails caches capability result and reuses it across polling cycles."""
+        # Reset the capability cache.
+        jail_service._backend_cmd_supported = None
+
+        responses = {
+            "status": _make_global_status("sshd, nginx"),
+            # Probes happen once per polling cycle (for the first jail listed).
+            "status|sshd|short": _make_short_status(),
+            "status|nginx|short": _make_short_status(),
+            # Capability probe: backend is unsupported.
+            "get|sshd|backend": (1, Exception("Invalid command")),
+            # Subsequent jails do not trigger another probe; they use cached result.
+            # (The mock doesn't have get|nginx|backend because it shouldn't be called.)
+            "get|sshd|bantime": (0, 600),
+            "get|sshd|findtime": (0, 600),
+            "get|sshd|maxretry": (0, 5),
+            "get|nginx|bantime": (0, 600),
+            "get|nginx|findtime": (0, 600),
+            "get|nginx|maxretry": (0, 5),
+        }
+        with _patch_client(responses):
+            result = await jail_service.list_jails(_SOCKET)
+
+        # Both jails should return default values (cached result is False).
+        for jail in result.jails:
+            assert jail.backend == "polling"
+            assert jail.idle is False
 
 
 class TestGetJail:
@@ -339,6 +419,55 @@ class TestJailControls:
                 _SOCKET, include_jails=["new"], exclude_jails=["old"]
             )
 
+    async def test_reload_all_unknown_jail_raises_jail_not_found(self) -> None:
+        """reload_all detects UnknownJailException and raises JailNotFoundError.
+
+        When fail2ban cannot load a jail due to invalid configuration (e.g.,
+        missing logpath), it raises UnknownJailException during reload. This
+        test verifies that reload_all detects this and re-raises as
+        JailNotFoundError instead of the generic JailOperationError.
+        """
+        with _patch_client(
+            {
+                "status": _make_global_status("sshd"),
+                "reload|--all|[]|[['start', 'airsonic-auth'], ['start', 'sshd']]": (
+                    1,
+                    Exception("UnknownJailException('airsonic-auth')"),
+                ),
+            }
+        ), pytest.raises(jail_service.JailNotFoundError) as exc_info:
+            await jail_service.reload_all(
+                _SOCKET, include_jails=["airsonic-auth"]
+            )
+        assert exc_info.value.name == "airsonic-auth"
+
+    async def test_restart_sends_stop_command(self) -> None:
+        """restart() sends the ['stop'] command to the fail2ban socket."""
+        with _patch_client({"stop": (0, None)}):
+            await jail_service.restart(_SOCKET)  # should not raise
+
+    async def test_restart_operation_error_raises(self) -> None:
+        """restart() raises JailOperationError when fail2ban rejects the stop."""
+        with _patch_client({"stop": (1, Exception("cannot stop"))}), pytest.raises(
+            JailOperationError
+        ):
+            await jail_service.restart(_SOCKET)
+
+    async def test_restart_connection_error_propagates(self) -> None:
+        """restart() propagates Fail2BanConnectionError when socket is unreachable."""
+
+        class _FailClient:
+            def __init__(self, **_kw: Any) -> None:
+                self.send = AsyncMock(
+                    side_effect=Fail2BanConnectionError("no socket", _SOCKET)
+                )
+
+        with (
+            patch("app.services.jail_service.Fail2BanClient", _FailClient),
+            pytest.raises(Fail2BanConnectionError),
+        ):
+            await jail_service.restart(_SOCKET)
+
     async def test_start_not_found_raises(self) -> None:
         """start_jail raises JailNotFoundError for unknown jail."""
         with _patch_client({"start|ghost": (1, Exception("Unknown jail: 'ghost'"))}), pytest.raises(JailNotFoundError):

backend/tests/test_utils/test_jail_config.py

@@ -0,0 +1,134 @@
+"""Tests for app.utils.jail_config.ensure_jail_configs."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from app.utils.jail_config import (
+    _BLOCKLIST_IMPORT_CONF,
+    _BLOCKLIST_IMPORT_LOCAL,
+    _MANUAL_JAIL_CONF,
+    _MANUAL_JAIL_LOCAL,
+    ensure_jail_configs,
+)
+
+# ---------------------------------------------------------------------------
+# Expected filenames
+# ---------------------------------------------------------------------------
+
+_MANUAL_CONF = "manual-Jail.conf"
+_MANUAL_LOCAL = "manual-Jail.local"
+_BLOCKLIST_CONF = "blocklist-import.conf"
+_BLOCKLIST_LOCAL = "blocklist-import.local"
+
+_ALL_FILES = [_MANUAL_CONF, _MANUAL_LOCAL, _BLOCKLIST_CONF, _BLOCKLIST_LOCAL]
+
+_CONTENT_MAP: dict[str, str] = {
+    _MANUAL_CONF: _MANUAL_JAIL_CONF,
+    _MANUAL_LOCAL: _MANUAL_JAIL_LOCAL,
+    _BLOCKLIST_CONF: _BLOCKLIST_IMPORT_CONF,
+    _BLOCKLIST_LOCAL: _BLOCKLIST_IMPORT_LOCAL,
+}
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _read(jail_d: Path, filename: str) -> str:
+    return (jail_d / filename).read_text(encoding="utf-8")
+
+
+# ---------------------------------------------------------------------------
+# Tests: ensure_jail_configs
+# ---------------------------------------------------------------------------
+
+
+class TestEnsureJailConfigs:
+    def test_all_missing_creates_all_four(self, tmp_path: Path) -> None:
+        """All four files are created when the directory is empty."""
+        jail_d = tmp_path / "jail.d"
+        ensure_jail_configs(jail_d)
+
+        for name in _ALL_FILES:
+            assert (jail_d / name).exists(), f"{name} should have been created"
+            assert _read(jail_d, name) == _CONTENT_MAP[name]
+
+    def test_all_missing_creates_correct_content(self, tmp_path: Path) -> None:
+        """Each created file has exactly the expected default content."""
+        jail_d = tmp_path / "jail.d"
+        ensure_jail_configs(jail_d)
+
+        # .conf files must set enabled = false
+        for conf_file in (_MANUAL_CONF, _BLOCKLIST_CONF):
+            content = _read(jail_d, conf_file)
+            assert "enabled    = false" in content
+
+        # .local files must set enabled = true and nothing else
+        for local_file in (_MANUAL_LOCAL, _BLOCKLIST_LOCAL):
+            content = _read(jail_d, local_file)
+            assert "enabled    = true" in content
+
+    def test_all_present_overwrites_nothing(self, tmp_path: Path) -> None:
+        """Existing files are never overwritten."""
+        jail_d = tmp_path / "jail.d"
+        jail_d.mkdir()
+
+        sentinel = "# EXISTING CONTENT — must not be replaced\n"
+        for name in _ALL_FILES:
+            (jail_d / name).write_text(sentinel, encoding="utf-8")
+
+        ensure_jail_configs(jail_d)
+
+        for name in _ALL_FILES:
+            assert _read(jail_d, name) == sentinel, (
+                f"{name} should not have been overwritten"
+            )
+
+    def test_only_local_files_missing_creates_only_locals(
+        self, tmp_path: Path
+    ) -> None:
+        """Only the .local files are created when the .conf files already exist."""
+        jail_d = tmp_path / "jail.d"
+        jail_d.mkdir()
+
+        sentinel = "# pre-existing conf\n"
+        for conf_file in (_MANUAL_CONF, _BLOCKLIST_CONF):
+            (jail_d / conf_file).write_text(sentinel, encoding="utf-8")
+
+        ensure_jail_configs(jail_d)
+
+        # .conf files must remain unchanged
+        for conf_file in (_MANUAL_CONF, _BLOCKLIST_CONF):
+            assert _read(jail_d, conf_file) == sentinel
+
+        # .local files must have been created with correct content
+        for local_file, expected in (
+            (_MANUAL_LOCAL, _MANUAL_JAIL_LOCAL),
+            (_BLOCKLIST_LOCAL, _BLOCKLIST_IMPORT_LOCAL),
+        ):
+            assert (jail_d / local_file).exists(), f"{local_file} should have been created"
+            assert _read(jail_d, local_file) == expected
+
+    def test_creates_jail_d_directory_if_missing(self, tmp_path: Path) -> None:
+        """The jail.d directory is created automatically when absent."""
+        jail_d = tmp_path / "nested" / "jail.d"
+        assert not jail_d.exists()
+        ensure_jail_configs(jail_d)
+        assert jail_d.is_dir()
+
+    def test_idempotent_on_repeated_calls(self, tmp_path: Path) -> None:
+        """Calling ensure_jail_configs twice does not alter any file."""
+        jail_d = tmp_path / "jail.d"
+        ensure_jail_configs(jail_d)
+
+        # Record content after first call
+        first_pass = {name: _read(jail_d, name) for name in _ALL_FILES}
+
+        ensure_jail_configs(jail_d)
+
+        for name in _ALL_FILES:
+            assert _read(jail_d, name) == first_pass[name], (
+                f"{name} changed on second call"
+            )

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "bangui-frontend",
   "private": true,
-  "version": "0.1.0",
+  "version": "0.9.4",
   "description": "BanGUI frontend — fail2ban web management interface",
   "type": "module",
   "scripts": {

frontend/src/api/auth.ts

@@ -7,22 +7,16 @@
 
 import { api } from "./client";
 import { ENDPOINTS } from "./endpoints";
-import type { LoginRequest, LoginResponse, LogoutResponse } from "../types/auth";
-import { sha256Hex } from "../utils/crypto";
+import type { LoginResponse, LogoutResponse } from "../types/auth";
 
 /**
  * Authenticate with the master password.
  *
- * The password is SHA-256 hashed client-side before transmission so that
- * the plaintext never leaves the browser.  The backend bcrypt-verifies the
- * received hash against the stored bcrypt(sha256) digest.
- *
  * @param password - The master password entered by the user.
  * @returns The login response containing the session token.
  */
 export async function login(password: string): Promise<LoginResponse> {
-  const body: LoginRequest = { password: await sha256Hex(password) };
-  return api.post<LoginResponse>(ENDPOINTS.authLogin, body);
+  return api.post<LoginResponse>(ENDPOINTS.authLogin, { password });
 }
 
 /**

frontend/src/api/config.ts

@@ -39,10 +39,8 @@ import type {
   LogPreviewResponse,
   MapColorThresholdsResponse,
   MapColorThresholdsUpdate,
-  PendingRecovery,
   RegexTestRequest,
   RegexTestResponse,
-  RollbackResponse,
   ServerSettingsResponse,
   ServerSettingsUpdate,
   JailFileConfig,
@@ -88,7 +86,7 @@ export async function updateGlobalConfig(
 }
 
 // ---------------------------------------------------------------------------
-// Reload
+// Reload and Restart
 // ---------------------------------------------------------------------------
 
 export async function reloadConfig(
@@ -96,6 +94,11 @@ export async function reloadConfig(
   await post<undefined>(ENDPOINTS.configReload, undefined);
 }
 
+export async function restartFail2Ban(
+): Promise<void> {
+  await post<undefined>(ENDPOINTS.configRestart, undefined);
+}
+
 // ---------------------------------------------------------------------------
 // Regex tester
 // ---------------------------------------------------------------------------
@@ -260,14 +263,14 @@ export async function fetchActionFiles(): Promise<ConfFilesResponse> {
 }
 
 export async function fetchActionFile(name: string): Promise<ConfFileContent> {
-  return get<ConfFileContent>(ENDPOINTS.configAction(name));
+  return get<ConfFileContent>(ENDPOINTS.configActionRaw(name));
 }
 
 export async function updateActionFile(
   name: string,
   req: ConfFileUpdateRequest
 ): Promise<void> {
-  await put<undefined>(ENDPOINTS.configAction(name), req);
+  await put<undefined>(ENDPOINTS.configActionRaw(name), req);
 }
 
 export async function createActionFile(
@@ -547,6 +550,18 @@ export async function deactivateJail(
   );
 }
 
+/**
+ * Delete the ``jail.d/{name}.local`` override file for an inactive jail.
+ *
+ * Only valid when the jail is **not** currently active.  Use this to clean up
+ * leftover ``.local`` files after a jail has been fully deactivated.
+ *
+ * @param name - The jail name.
+ */
+export async function deleteJailLocalOverride(name: string): Promise<void> {
+  await del<undefined>(ENDPOINTS.configJailLocalOverride(name));
+}
+
 // ---------------------------------------------------------------------------
 // fail2ban log viewer (Task 2)
 // ---------------------------------------------------------------------------
@@ -588,21 +603,3 @@ export async function validateJailConfig(
 ): Promise<JailValidationResult> {
   return post<JailValidationResult>(ENDPOINTS.configJailValidate(name), undefined);
 }
-
-/**
- * Fetch the pending crash-recovery record, if any.
- *
- * Returns null when fail2ban is healthy and no recovery is pending.
- */
-export async function fetchPendingRecovery(): Promise<PendingRecovery | null> {
-  return get<PendingRecovery | null>(ENDPOINTS.configPendingRecovery);
-}
-
-/**
- * Rollback a bad jail — disables it and attempts to restart fail2ban.
- *
- * @param name - Name of the jail to disable.
- */
-export async function rollbackJail(name: string): Promise<RollbackResponse> {
-  return post<RollbackResponse>(ENDPOINTS.configJailRollback(name), undefined);
-}

frontend/src/api/endpoints.ts

@@ -71,13 +71,13 @@ export const ENDPOINTS = {
     `/config/jails/${encodeURIComponent(name)}/activate`,
   configJailDeactivate: (name: string): string =>
     `/config/jails/${encodeURIComponent(name)}/deactivate`,
+  configJailLocalOverride: (name: string): string =>
+    `/config/jails/${encodeURIComponent(name)}/local`,
   configJailValidate: (name: string): string =>
     `/config/jails/${encodeURIComponent(name)}/validate`,
-  configJailRollback: (name: string): string =>
-    `/config/jails/${encodeURIComponent(name)}/rollback`,
-  configPendingRecovery: "/config/pending-recovery" as string,
   configGlobal: "/config/global",
   configReload: "/config/reload",
+  configRestart: "/config/restart",
   configRegexTest: "/config/regex-test",
   configPreviewLog: "/config/preview-log",
   configMapColorThresholds: "/config/map-color-thresholds",
@@ -104,6 +104,7 @@ export const ENDPOINTS = {
     `/config/jails/${encodeURIComponent(jailName)}/action/${encodeURIComponent(actionName)}`,
   configActions: "/config/actions",
   configAction: (name: string): string => `/config/actions/${encodeURIComponent(name)}`,
+  configActionRaw: (name: string): string => `/config/actions/${encodeURIComponent(name)}/raw`,
   configActionParsed: (name: string): string =>
     `/config/actions/${encodeURIComponent(name)}/parsed`,
 

frontend/src/components/ServerStatusBar.tsx

@@ -109,7 +109,7 @@ export function ServerStatusBar(): React.JSX.Element {
       {/* Version                                                          */}
       {/* ---------------------------------------------------------------- */}
       {status?.version != null && (
-        <Tooltip content="fail2ban version" relationship="description">
+        <Tooltip content="fail2ban daemon version" relationship="description">
           <Text size={200} className={styles.statValue}>
             v{status.version}
           </Text>
@@ -139,9 +139,9 @@ export function ServerStatusBar(): React.JSX.Element {
             </div>
           </Tooltip>
 
-          <Tooltip content="Currently failing IPs" relationship="description">
+          <Tooltip content="Total failed authentication attempts currently tracked by fail2ban across all active jails" relationship="description">
             <div className={styles.statGroup}>
-              <Text size={200}>Failures:</Text>
+              <Text size={200}>Failed Attempts:</Text>
               <Text size={200} className={styles.statValue}>
                 {status.total_failures}
               </Text>

frontend/src/components/SetupGuard.tsx

@@ -33,9 +33,9 @@ export function SetupGuard({ children }: SetupGuardProps): React.JSX.Element {
         if (!cancelled) setStatus(res.completed ? "done" : "pending");
       })
       .catch((): void => {
-        // If the check fails, optimistically allow through — the backend will
-        // redirect API calls to /api/setup anyway.
-        if (!cancelled) setStatus("done");
+        // A failed check conservatively redirects to /setup — a crashed
+        // backend cannot serve protected routes anyway.
+        if (!cancelled) setStatus("pending");
       });
     return (): void => {
       cancelled = true;

frontend/src/components/__tests__/ServerStatusBar.test.tsx

@@ -0,0 +1,153 @@
+/**
+ * Tests for the ServerStatusBar component.
+ *
+ * Covers loading state, online / offline rendering, and correct tooltip
+ * wording that distinguishes the fail2ban daemon version from the BanGUI
+ * application version.
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen } from "@testing-library/react";
+import { FluentProvider, webLightTheme } from "@fluentui/react-components";
+import { ServerStatusBar } from "../ServerStatusBar";
+
+// ---------------------------------------------------------------------------
+// Mock useServerStatus so tests never touch the network.
+// ---------------------------------------------------------------------------
+
+vi.mock("../../hooks/useServerStatus");
+
+import { useServerStatus } from "../../hooks/useServerStatus";
+
+const mockedUseServerStatus = vi.mocked(useServerStatus);
+
+function renderBar(): void {
+  render(
+    <FluentProvider theme={webLightTheme}>
+      <ServerStatusBar />
+    </FluentProvider>,
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("ServerStatusBar", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("shows a spinner while the initial load is in progress", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: null,
+      loading: true,
+      error: null,
+      refresh: vi.fn(),
+    });
+    renderBar();
+    // The status-area spinner is labelled "Checking\u2026".
+    expect(screen.getByText("Checking\u2026")).toBeInTheDocument();
+  });
+
+  it("renders an Online badge when the server is reachable", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: {
+        online: true,
+        version: "1.1.0",
+        active_jails: 3,
+        total_bans: 10,
+        total_failures: 5,
+      },
+      loading: false,
+      error: null,
+      refresh: vi.fn(),
+    });
+    renderBar();
+    expect(screen.getByText("Online")).toBeInTheDocument();
+  });
+
+  it("renders an Offline badge when the server is unreachable", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: {
+        online: false,
+        version: null,
+        active_jails: 0,
+        total_bans: 0,
+        total_failures: 0,
+      },
+      loading: false,
+      error: null,
+      refresh: vi.fn(),
+    });
+    renderBar();
+    expect(screen.getByText("Offline")).toBeInTheDocument();
+  });
+
+  it("displays the daemon version string when available", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: {
+        online: true,
+        version: "1.2.3",
+        active_jails: 1,
+        total_bans: 0,
+        total_failures: 0,
+      },
+      loading: false,
+      error: null,
+      refresh: vi.fn(),
+    });
+    renderBar();
+    expect(screen.getByText("v1.2.3")).toBeInTheDocument();
+  });
+
+  it("does not render the version element when version is null", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: {
+        online: false,
+        version: null,
+        active_jails: 0,
+        total_bans: 0,
+        total_failures: 0,
+      },
+      loading: false,
+      error: null,
+      refresh: vi.fn(),
+    });
+    renderBar();
+    // No version string should appear in the document.
+    expect(screen.queryByText(/^v\d/)).not.toBeInTheDocument();
+  });
+
+  it("shows jail / ban / failure counts when the server is online", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: {
+        online: true,
+        version: "1.0.0",
+        active_jails: 4,
+        total_bans: 21,
+        total_failures: 99,
+      },
+      loading: false,
+      error: null,
+      refresh: vi.fn(),
+    });
+    renderBar();
+    expect(screen.getByText("4")).toBeInTheDocument();
+    expect(screen.getByText("21")).toBeInTheDocument();
+    expect(screen.getByText("99")).toBeInTheDocument();
+    // Verify the "Failed Attempts:" label (renamed from "Failures:").
+    expect(screen.getByText("Failed Attempts:")).toBeInTheDocument();
+  });
+
+  it("renders an error message when the status fetch fails", () => {
+    mockedUseServerStatus.mockReturnValue({
+      status: null,
+      loading: false,
+      error: "Network error",
+      refresh: vi.fn(),
+    });
+    renderBar();
+    expect(screen.getByText("Network error")).toBeInTheDocument();
+  });
+});

frontend/src/components/__tests__/SetupGuard.test.tsx

@@ -0,0 +1,77 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, waitFor } from "@testing-library/react";
+import { MemoryRouter, Routes, Route } from "react-router-dom";
+import { FluentProvider, webLightTheme } from "@fluentui/react-components";
+import { SetupGuard } from "../SetupGuard";
+
+// Mock the setup API module so tests never hit a real network.
+vi.mock("../../api/setup", () => ({
+  getSetupStatus: vi.fn(),
+}));
+
+import { getSetupStatus } from "../../api/setup";
+
+const mockedGetSetupStatus = vi.mocked(getSetupStatus);
+
+function renderGuard() {
+  return render(
+    <FluentProvider theme={webLightTheme}>
+      <MemoryRouter initialEntries={["/dashboard"]}>
+        <Routes>
+          <Route
+            path="/dashboard"
+            element={
+              <SetupGuard>
+                <div data-testid="protected-content">Protected</div>
+              </SetupGuard>
+            }
+          />
+          <Route
+            path="/setup"
+            element={<div data-testid="setup-page">Setup Page</div>}
+          />
+        </Routes>
+      </MemoryRouter>
+    </FluentProvider>,
+  );
+}
+
+describe("SetupGuard", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("shows a spinner while the setup status is loading", () => {
+    // getSetupStatus resolves eventually — spinner should show immediately.
+    mockedGetSetupStatus.mockReturnValue(new Promise(() => {}));
+    renderGuard();
+    expect(screen.getByRole("progressbar")).toBeInTheDocument();
+  });
+
+  it("renders children when setup is complete", async () => {
+    mockedGetSetupStatus.mockResolvedValue({ completed: true });
+    renderGuard();
+    await waitFor(() => {
+      expect(screen.getByTestId("protected-content")).toBeInTheDocument();
+    });
+  });
+
+  it("redirects to /setup when setup is not complete", async () => {
+    mockedGetSetupStatus.mockResolvedValue({ completed: false });
+    renderGuard();
+    await waitFor(() => {
+      expect(screen.getByTestId("setup-page")).toBeInTheDocument();
+    });
+    expect(screen.queryByTestId("protected-content")).not.toBeInTheDocument();
+  });
+
+  it("redirects to /setup when the API call fails", async () => {
+    // Task 0.3: a failed check must redirect to /setup, not allow through.
+    mockedGetSetupStatus.mockRejectedValue(new Error("Network error"));
+    renderGuard();
+    await waitFor(() => {
+      expect(screen.getByTestId("setup-page")).toBeInTheDocument();
+    });
+    expect(screen.queryByTestId("protected-content")).not.toBeInTheDocument();
+  });
+});

frontend/src/components/common/RecoveryBanner.tsx

@@ -1,136 +0,0 @@
-/**
- * RecoveryBanner — full-width warning shown when fail2ban stopped responding
- * shortly after a jail was activated (indicating the new jail config may be
- * invalid).
- *
- * Polls ``GET /api/config/pending-recovery`` every 10 seconds and renders a
- * dismissible ``MessageBar`` when an unresolved crash record is present.
- * The "Disable & Restart" button calls the rollback endpoint to disable the
- * offending jail and attempt to restart fail2ban.
- */
-
-import { useCallback, useEffect, useRef, useState } from "react";
-import {
-  Button,
-  MessageBar,
-  MessageBarActions,
-  MessageBarBody,
-  MessageBarTitle,
-  Spinner,
-  tokens,
-} from "@fluentui/react-components";
-import { useNavigate } from "react-router-dom";
-import { fetchPendingRecovery, rollbackJail } from "../../api/config";
-import type { PendingRecovery } from "../../types/config";
-
-const POLL_INTERVAL_MS = 10_000;
-
-// ---------------------------------------------------------------------------
-// Component
-// ---------------------------------------------------------------------------
-
-/**
- * Recovery banner that polls for pending crash-recovery records.
- *
- * Mount this once at the layout level so it is visible across all pages
- * while a recovery is pending.
- *
- * @returns A MessageBar element, or null when nothing is pending.
- */
-export function RecoveryBanner(): React.JSX.Element | null {
-  const navigate = useNavigate();
-  const [pending, setPending] = useState<PendingRecovery | null>(null);
-  const [rolling, setRolling] = useState(false);
-  const [rollbackError, setRollbackError] = useState<string | null>(null);
-  const timerRef = useRef<ReturnType<typeof setInterval> | null>(null);
-
-  const poll = useCallback((): void => {
-    fetchPendingRecovery()
-      .then((record) => {
-        // Hide the banner once fail2ban has recovered on its own.
-        if (record?.recovered) {
-          setPending(null);
-        } else {
-          setPending(record);
-        }
-      })
-      .catch(() => { /* ignore network errors — will retry */ });
-  }, []);
-
-  // Start polling on mount.
-  useEffect(() => {
-    poll();
-    timerRef.current = setInterval(poll, POLL_INTERVAL_MS);
-    return (): void => {
-      if (timerRef.current !== null) clearInterval(timerRef.current);
-    };
-  }, [poll]);
-
-  const handleRollback = useCallback((): void => {
-    if (!pending || rolling) return;
-    setRolling(true);
-    setRollbackError(null);
-    rollbackJail(pending.jail_name)
-      .then(() => {
-        setPending(null);
-      })
-      .catch((err: unknown) => {
-        const msg = err instanceof Error ? err.message : String(err);
-        setRollbackError(msg);
-      })
-      .finally(() => {
-        setRolling(false);
-      });
-  }, [pending, rolling]);
-
-  const handleViewDetails = useCallback((): void => {
-    navigate("/config");
-  }, [navigate]);
-
-  if (pending === null) return null;
-
-  return (
-    <div
-      style={{
-        flexShrink: 0,
-        paddingLeft: tokens.spacingHorizontalM,
-        paddingRight: tokens.spacingHorizontalM,
-        paddingTop: tokens.spacingVerticalXS,
-        paddingBottom: tokens.spacingVerticalXS,
-      }}
-      role="alert"
-    >
-      <MessageBar intent="error">
-        <MessageBarBody>
-          <MessageBarTitle>fail2ban Stopped After Jail Activation</MessageBarTitle>
-          fail2ban stopped responding after activating jail{" "}
-          <strong>{pending.jail_name}</strong>. The jail&apos;s configuration
-          may be invalid.
-          {rollbackError && (
-            <div style={{ marginTop: tokens.spacingVerticalXS, color: tokens.colorStatusDangerForeground1 }}>
-              Rollback failed: {rollbackError}
-            </div>
-          )}
-        </MessageBarBody>
-        <MessageBarActions>
-          <Button
-            appearance="primary"
-            size="small"
-            icon={rolling ? <Spinner size="tiny" /> : undefined}
-            disabled={rolling}
-            onClick={handleRollback}
-          >
-            {rolling ? "Disabling…" : "Disable & Restart"}
-          </Button>
-          <Button
-            appearance="secondary"
-            size="small"
-            onClick={handleViewDetails}
-          >
-            View Logs
-          </Button>
-        </MessageBarActions>
-      </MessageBar>
-    </div>
-  );
-}

frontend/src/components/common/__tests__/RecoveryBanner.test.tsx

@@ -1,141 +0,0 @@
-/**
- * Tests for RecoveryBanner (Task 3).
- */
-
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { render, screen, waitFor } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { FluentProvider, webLightTheme } from "@fluentui/react-components";
-import { MemoryRouter } from "react-router-dom";
-import { RecoveryBanner } from "../RecoveryBanner";
-import type { PendingRecovery } from "../../../types/config";
-
-// ---------------------------------------------------------------------------
-// Mocks
-// ---------------------------------------------------------------------------
-
-vi.mock("../../../api/config", () => ({
-  fetchPendingRecovery: vi.fn(),
-  rollbackJail: vi.fn(),
-}));
-
-import { fetchPendingRecovery, rollbackJail } from "../../../api/config";
-
-const mockFetchPendingRecovery = vi.mocked(fetchPendingRecovery);
-const mockRollbackJail = vi.mocked(rollbackJail);
-
-// ---------------------------------------------------------------------------
-// Fixtures
-// ---------------------------------------------------------------------------
-
-const pendingRecord: PendingRecovery = {
-  jail_name: "sshd",
-  activated_at: "2024-01-01T12:00:00Z",
-  detected_at: "2024-01-01T12:00:30Z",
-  recovered: false,
-};
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function renderBanner() {
-  return render(
-    <FluentProvider theme={webLightTheme}>
-      <MemoryRouter>
-        <RecoveryBanner />
-      </MemoryRouter>
-    </FluentProvider>,
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
-describe("RecoveryBanner", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("renders nothing when pending recovery is null", async () => {
-    mockFetchPendingRecovery.mockResolvedValue(null);
-
-    renderBanner();
-
-    await waitFor(() => {
-      expect(mockFetchPendingRecovery).toHaveBeenCalled();
-    });
-
-    expect(screen.queryByRole("alert")).not.toBeInTheDocument();
-  });
-
-  it("renders warning when there is an unresolved pending recovery", async () => {
-    mockFetchPendingRecovery.mockResolvedValue(pendingRecord);
-
-    renderBanner();
-
-    await waitFor(() => {
-      expect(screen.getByText(/fail2ban stopped responding after activating jail/i)).toBeInTheDocument();
-    });
-
-    expect(screen.getByText(/sshd/i)).toBeInTheDocument();
-    expect(screen.getByRole("button", { name: /disable & restart/i })).toBeInTheDocument();
-    expect(screen.getByRole("button", { name: /view logs/i })).toBeInTheDocument();
-  });
-
-  it("hides the banner when recovery is marked as recovered", async () => {
-    const recoveredRecord: PendingRecovery = { ...pendingRecord, recovered: true };
-    mockFetchPendingRecovery.mockResolvedValue(recoveredRecord);
-
-    renderBanner();
-
-    await waitFor(() => {
-      expect(mockFetchPendingRecovery).toHaveBeenCalled();
-    });
-
-    expect(screen.queryByRole("alert")).not.toBeInTheDocument();
-  });
-
-  it("calls rollbackJail and hides banner on successful rollback", async () => {
-    mockFetchPendingRecovery.mockResolvedValue(pendingRecord);
-    mockRollbackJail.mockResolvedValue({
-      jail_name: "sshd",
-      disabled: true,
-      fail2ban_running: true,
-      active_jails: 0,
-      message: "Rolled back.",
-    });
-
-    renderBanner();
-
-    await waitFor(() => {
-      expect(screen.getByRole("button", { name: /disable & restart/i })).toBeInTheDocument();
-    });
-
-    await userEvent.click(
-      screen.getByRole("button", { name: /disable & restart/i }),
-    );
-
-    expect(mockRollbackJail).toHaveBeenCalledWith("sshd");
-  });
-
-  it("shows rollback error when rollbackJail fails", async () => {
-    mockFetchPendingRecovery.mockResolvedValue(pendingRecord);
-    mockRollbackJail.mockRejectedValue(new Error("Connection refused"));
-
-    renderBanner();
-
-    await waitFor(() => {
-      expect(screen.getByRole("button", { name: /disable & restart/i })).toBeInTheDocument();
-    });
-
-    await userEvent.click(
-      screen.getByRole("button", { name: /disable & restart/i }),
-    );
-
-    await waitFor(() => {
-      expect(screen.getByText(/rollback failed/i)).toBeInTheDocument();
-    });
-  });
-});

frontend/src/components/config/ActivateJailDialog.tsx

@@ -5,12 +5,8 @@
  * findtime, maxretry, port and logpath.  Calls the activate endpoint on
  * confirmation and propagates the result via callbacks.
  *
- * Task 3 additions:
- *  - Runs pre-activation validation when the dialog opens and displays any
- *    warnings or blocking errors before the user confirms.
- *  - Extended spinner text during the post-reload probe phase.
- *  - Calls `onCrashDetected` when the activation response signals that
- *    fail2ban stopped responding after the reload.
+ * Runs pre-activation validation when the dialog opens and displays any
+ * warnings or blocking errors before the user confirms.
  */
 
 import { useEffect, useState } from "react";
@@ -52,11 +48,6 @@ export interface ActivateJailDialogProps {
   onClose: () => void;
   /** Called after the jail has been successfully activated. */
   onActivated: () => void;
-  /**
-   * Called when fail2ban stopped responding after the jail was activated.
-   * The recovery banner will surface this to the user.
-   */
-  onCrashDetected?: () => void;
 }
 
 // ---------------------------------------------------------------------------
@@ -77,7 +68,6 @@ export function ActivateJailDialog({
   open,
   onClose,
   onActivated,
-  onCrashDetected,
 }: ActivateJailDialogProps): React.JSX.Element {
   const [bantime, setBantime] = useState("");
   const [findtime, setFindtime] = useState("");
@@ -173,9 +163,6 @@ export function ActivateJailDialog({
           setValidationWarnings(result.validation_warnings);
         }
         resetForm();
-        if (!result.fail2ban_running) {
-          onCrashDetected?.();
-        }
         onActivated();
       })
       .catch((err: unknown) => {
@@ -339,9 +326,10 @@ export function ActivateJailDialog({
                 style={{ marginTop: tokens.spacingVerticalS }}
               >
                 <MessageBarBody>
-                  <MessageBarTitle>Activation Failed — System Recovered</MessageBarTitle>
-                  Activation of jail &ldquo;{jail.name}&rdquo; failed. The server
-                  has been automatically recovered.
+                  <MessageBarTitle>Activation Failed — Configuration Rolled Back</MessageBarTitle>
+                  The configuration for jail &ldquo;{jail.name}&rdquo; has been
+                  rolled back to its previous state and fail2ban is running
+                  normally. Review the configuration and try activating again.
                 </MessageBarBody>
               </MessageBar>
             )}
@@ -351,10 +339,12 @@ export function ActivateJailDialog({
                 style={{ marginTop: tokens.spacingVerticalS }}
               >
                 <MessageBarBody>
-                  <MessageBarTitle>Activation Failed — Manual Intervention Required</MessageBarTitle>
-                  Activation of jail &ldquo;{jail.name}&rdquo; failed and
-                  automatic recovery was unsuccessful. Manual intervention is
-                  required.
+                  <MessageBarTitle>Activation Failed — Rollback Unsuccessful</MessageBarTitle>
+                  Activation of jail &ldquo;{jail.name}&rdquo; failed and the
+                  automatic rollback did not complete. The file{" "}
+                  <code>jail.d/{jail.name}.local</code> may still contain{" "}
+                  <code>enabled = true</code>. Check the fail2ban logs, correct
+                  the file manually, and restart fail2ban.
                 </MessageBarBody>
               </MessageBar>
             )}

frontend/src/components/config/GlobalTab.tsx

@@ -1,142 +0,0 @@
-/**
- * GlobalTab — global fail2ban settings editor.
- *
- * Provides form fields for log level, log target, database purge age,
- * and database max matches.
- */
-
-import { useEffect, useMemo, useState } from "react";
-import {
-  Field,
-  Input,
-  MessageBar,
-  MessageBarBody,
-  Select,
-  Spinner,
-} from "@fluentui/react-components";
-import type { GlobalConfigUpdate } from "../../types/config";
-import { useGlobalConfig } from "../../hooks/useConfig";
-import { useAutoSave } from "../../hooks/useAutoSave";
-import { AutoSaveIndicator } from "./AutoSaveIndicator";
-import { useConfigStyles } from "./configStyles";
-
-/** Available fail2ban log levels in descending severity order. */
-const LOG_LEVELS = ["CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"];
-
-/**
- * Tab component for editing global fail2ban configuration.
- *
- * @returns JSX element.
- */
-export function GlobalTab(): React.JSX.Element {
-  const styles = useConfigStyles();
-  const { config, loading, error, updateConfig } = useGlobalConfig();
-  const [logLevel, setLogLevel] = useState("");
-  const [logTarget, setLogTarget] = useState("");
-  const [dbPurgeAge, setDbPurgeAge] = useState("");
-  const [dbMaxMatches, setDbMaxMatches] = useState("");
-
-  // Sync local state when config loads for the first time.
-  useEffect(() => {
-    if (config && logLevel === "") {
-      setLogLevel(config.log_level);
-      setLogTarget(config.log_target);
-      setDbPurgeAge(String(config.db_purge_age));
-      setDbMaxMatches(String(config.db_max_matches));
-    }
-    // Only run on first config load.
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [config]);
-
-  const effectiveLogLevel = logLevel || config?.log_level || "";
-  const effectiveLogTarget = logTarget || config?.log_target || "";
-  const effectiveDbPurgeAge =
-    dbPurgeAge || (config ? String(config.db_purge_age) : "");
-  const effectiveDbMaxMatches =
-    dbMaxMatches || (config ? String(config.db_max_matches) : "");
-
-  const updatePayload = useMemo<GlobalConfigUpdate>(() => {
-    const update: GlobalConfigUpdate = {};
-    if (effectiveLogLevel) update.log_level = effectiveLogLevel;
-    if (effectiveLogTarget) update.log_target = effectiveLogTarget;
-    if (effectiveDbPurgeAge)
-      update.db_purge_age = Number(effectiveDbPurgeAge);
-    if (effectiveDbMaxMatches)
-      update.db_max_matches = Number(effectiveDbMaxMatches);
-    return update;
-  }, [effectiveLogLevel, effectiveLogTarget, effectiveDbPurgeAge, effectiveDbMaxMatches]);
-
-  const { status: saveStatus, errorText: saveErrorText, retry: retrySave } =
-    useAutoSave(updatePayload, updateConfig);
-
-  if (loading) return <Spinner label="Loading global config…" />;
-  if (error)
-    return (
-      <MessageBar intent="error">
-        <MessageBarBody>{error}</MessageBarBody>
-      </MessageBar>
-    );
-
-  return (
-    <div>
-      <div className={styles.sectionCard}>
-        <AutoSaveIndicator
-          status={saveStatus}
-          errorText={saveErrorText}
-          onRetry={retrySave}
-        />
-        <div className={styles.fieldRow}>
-          <Field label="Log Level">
-            <Select
-              value={effectiveLogLevel}
-              onChange={(_e, d) => {
-                setLogLevel(d.value);
-              }}
-            >
-              {LOG_LEVELS.map((l) => (
-                <option key={l} value={l}>
-                  {l}
-                </option>
-              ))}
-            </Select>
-          </Field>
-          <Field label="Log Target">
-            <Input
-              value={effectiveLogTarget}
-              placeholder="STDOUT / /var/log/fail2ban.log"
-              onChange={(_e, d) => {
-                setLogTarget(d.value);
-              }}
-            />
-          </Field>
-        </div>
-        <div className={styles.fieldRow}>
-          <Field
-            label="DB Purge Age (s)"
-            hint="Ban records older than this are removed from the fail2ban database."
-          >
-            <Input
-              type="number"
-              value={effectiveDbPurgeAge}
-              onChange={(_e, d) => {
-                setDbPurgeAge(d.value);
-              }}
-            />
-          </Field>
-          <Field
-            label="DB Max Matches"
-            hint="Maximum number of log-line matches stored per ban record."
-          >
-            <Input
-              type="number"
-              value={effectiveDbMaxMatches}
-              onChange={(_e, d) => {
-                setDbMaxMatches(d.value);
-              }}
-            />
-          </Field>
-        </div>
-      </div>
-    </div>
-  );
-}

frontend/src/components/config/JailsTab.tsx

@@ -35,6 +35,7 @@ import { ApiError } from "../../api/client";
 import {
   addLogPath,
   deactivateJail,
+  deleteJailLocalOverride,
   deleteLogPath,
   fetchInactiveJails,
   fetchJailConfigFileContent,
@@ -573,7 +574,7 @@ function JailConfigDetail({
         </div>
       )}
 
-      {readOnly && (onActivate !== undefined || onValidate !== undefined) && (
+      {readOnly && (onActivate !== undefined || onValidate !== undefined || onDeactivate !== undefined) && (
         <div style={{ marginTop: tokens.spacingVerticalM, display: "flex", gap: tokens.spacingHorizontalS, flexWrap: "wrap" }}>
           {onValidate !== undefined && (
             <Button
@@ -585,6 +586,15 @@ function JailConfigDetail({
               {validating ? "Validating…" : "Validate Config"}
             </Button>
           )}
+          {onDeactivate !== undefined && (
+            <Button
+              appearance="secondary"
+              icon={<LockOpen24Regular />}
+              onClick={onDeactivate}
+            >
+              Deactivate Jail
+            </Button>
+          )}
           {onActivate !== undefined && (
             <Button
               appearance="primary"
@@ -618,8 +628,8 @@ function JailConfigDetail({
 interface InactiveJailDetailProps {
   jail: InactiveJail;
   onActivate: () => void;
-  /** Whether to show and call onCrashDetected on activation crash. */
-  onCrashDetected?: () => void;
+  /** Called when the user requests removal of the .local override file. */
+  onDeactivate?: () => void;
 }
 
 /**
@@ -636,6 +646,7 @@ interface InactiveJailDetailProps {
 function InactiveJailDetail({
   jail,
   onActivate,
+  onDeactivate,
 }: InactiveJailDetailProps): React.JSX.Element {
   const styles = useConfigStyles();
   const [validating, setValidating] = useState(false);
@@ -729,6 +740,7 @@ function InactiveJailDetail({
         onSave={async () => { /* read-only — never called */ }}
         readOnly
         onActivate={onActivate}
+        onDeactivate={jail.has_local_override ? onDeactivate : undefined}
         onValidate={handleValidate}
         validating={validating}
       />
@@ -746,12 +758,7 @@ function InactiveJailDetail({
  *
  * @returns JSX element.
  */
-export interface JailsTabProps {
-  /** Called when fail2ban stopped responding after a jail was activated. */
-  onCrashDetected?: () => void;
-}
-
-export function JailsTab({ onCrashDetected }: JailsTabProps = {}): React.JSX.Element {
+export function JailsTab(): React.JSX.Element {
   const styles = useConfigStyles();
   const { jails, loading, error, refresh, updateJail } =
     useJailConfigs();
@@ -786,6 +793,15 @@ export function JailsTab({ onCrashDetected }: JailsTabProps = {}): React.JSX.Ele
       .catch(() => { /* non-critical — list refreshes on next load */ });
   }, [refresh, loadInactive]);
 
+  const handleDeactivateInactive = useCallback((name: string): void => {
+    deleteJailLocalOverride(name)
+      .then(() => {
+        setSelectedName(null);
+        loadInactive();
+      })
+      .catch(() => { /* non-critical — list refreshes on next load */ });
+  }, [loadInactive]);
+
   const handleActivated = useCallback((): void => {
     setActivateTarget(null);
     setSelectedName(null);
@@ -882,15 +898,21 @@ export function JailsTab({ onCrashDetected }: JailsTabProps = {}): React.JSX.Ele
         >
           {selectedActiveJail !== undefined ? (
             <JailConfigDetail
+              key={selectedActiveJail.name}
               jail={selectedActiveJail}
               onSave={updateJail}
               onDeactivate={() => { handleDeactivate(selectedActiveJail.name); }}
             />
           ) : selectedInactiveJail !== undefined ? (
             <InactiveJailDetail
+              key={selectedInactiveJail.name}
               jail={selectedInactiveJail}
               onActivate={() => { setActivateTarget(selectedInactiveJail); }}
-              onCrashDetected={onCrashDetected}
+              onDeactivate={
+                selectedInactiveJail.has_local_override
+                  ? (): void => { handleDeactivateInactive(selectedInactiveJail.name); }
+                  : undefined
+              }
             />
           ) : null}
         </ConfigListDetail>
@@ -901,7 +923,6 @@ export function JailsTab({ onCrashDetected }: JailsTabProps = {}): React.JSX.Ele
         open={activateTarget !== null}
         onClose={() => { setActivateTarget(null); }}
         onActivated={handleActivated}
-        onCrashDetected={onCrashDetected}
       />
 
       <CreateJailDialog

frontend/src/components/config/MapTab.tsx

@@ -1,212 +0,0 @@
-/**
- * MapTab — world map color threshold configuration editor.
- *
- * Allows the user to set the low / medium / high ban-count thresholds
- * that drive country fill colors on the World Map page.
- */
-
-import { useCallback, useEffect, useMemo, useState } from "react";
-import {
-  Field,
-  Input,
-  MessageBar,
-  MessageBarBody,
-  Skeleton,
-  SkeletonItem,
-  Text,
-  tokens,
-} from "@fluentui/react-components";
-import { ApiError } from "../../api/client";
-import {
-  fetchMapColorThresholds,
-  updateMapColorThresholds,
-} from "../../api/config";
-import type { MapColorThresholdsResponse, MapColorThresholdsUpdate } from "../../types/config";
-import { useAutoSave } from "../../hooks/useAutoSave";
-import { AutoSaveIndicator } from "./AutoSaveIndicator";
-import { useConfigStyles } from "./configStyles";
-
-// ---------------------------------------------------------------------------
-// Inner form — only mounted after data is loaded.
-// ---------------------------------------------------------------------------
-
-interface MapFormProps {
-  initial: MapColorThresholdsResponse;
-}
-
-function MapForm({ initial }: MapFormProps): React.JSX.Element {
-  const styles = useConfigStyles();
-  const [thresholdHigh, setThresholdHigh] = useState(String(initial.threshold_high));
-  const [thresholdMedium, setThresholdMedium] = useState(String(initial.threshold_medium));
-  const [thresholdLow, setThresholdLow] = useState(String(initial.threshold_low));
-
-  const high = Number(thresholdHigh);
-  const medium = Number(thresholdMedium);
-  const low = Number(thresholdLow);
-
-  const validationError = useMemo<string | null>(() => {
-    if (isNaN(high) || isNaN(medium) || isNaN(low))
-      return "All thresholds must be valid numbers.";
-    if (high <= 0 || medium <= 0 || low <= 0)
-      return "All thresholds must be positive integers.";
-    if (!(high > medium && medium > low))
-      return "Thresholds must satisfy: high > medium > low.";
-    return null;
-  }, [high, medium, low]);
-
-  // Only pass a new payload to useAutoSave when all values are valid.
-  const [validPayload, setValidPayload] = useState<MapColorThresholdsUpdate>({
-    threshold_high: initial.threshold_high,
-    threshold_medium: initial.threshold_medium,
-    threshold_low: initial.threshold_low,
-  });
-
-  useEffect(() => {
-    if (validationError !== null) return;
-    setValidPayload({ threshold_high: high, threshold_medium: medium, threshold_low: low });
-  }, [high, medium, low, validationError]);
-
-  const saveThresholds = useCallback(
-    async (payload: MapColorThresholdsUpdate): Promise<void> => {
-      await updateMapColorThresholds(payload);
-    },
-    [],
-  );
-
-  const { status: saveStatus, errorText: saveErrorText, retry: retrySave } =
-    useAutoSave(validPayload, saveThresholds);
-
-  return (
-    <div>
-      <div className={styles.sectionCard}>
-        <Text as="h3" size={500} weight="semibold" block>
-          Map Color Thresholds
-        </Text>
-        <Text
-          as="p"
-          size={300}
-          className={styles.infoText}
-          block
-          style={{ marginBottom: tokens.spacingVerticalM }}
-        >
-          Configure the ban count thresholds that determine country fill colors on
-          the World Map. Countries with zero bans remain transparent. Colors
-          smoothly interpolate between thresholds.
-        </Text>
-
-        <div style={{ marginBottom: tokens.spacingVerticalS }}>
-          <AutoSaveIndicator
-            status={validationError ? "idle" : saveStatus}
-            errorText={saveErrorText}
-            onRetry={retrySave}
-          />
-        </div>
-
-        {validationError && (
-          <MessageBar intent="error" style={{ marginBottom: tokens.spacingVerticalS }}>
-            <MessageBarBody>{validationError}</MessageBarBody>
-          </MessageBar>
-        )}
-
-        <div className={styles.fieldRowThree}>
-          <Field label="Low Threshold (Green)" required>
-            <Input
-              type="number"
-              value={thresholdLow}
-              onChange={(_, d) => {
-                setThresholdLow(d.value);
-              }}
-              min={1}
-            />
-          </Field>
-          <Field label="Medium Threshold (Yellow)" required>
-            <Input
-              type="number"
-              value={thresholdMedium}
-              onChange={(_, d) => {
-                setThresholdMedium(d.value);
-              }}
-              min={1}
-            />
-          </Field>
-          <Field label="High Threshold (Red)" required>
-            <Input
-              type="number"
-              value={thresholdHigh}
-              onChange={(_, d) => {
-                setThresholdHigh(d.value);
-              }}
-              min={1}
-            />
-          </Field>
-        </div>
-
-        <Text
-          as="p"
-          size={200}
-          className={styles.infoText}
-          style={{ marginTop: tokens.spacingVerticalS }}
-        >
-          • 1 to {thresholdLow}: Light green → Full green
-          <br />• {thresholdLow} to {thresholdMedium}: Green → Yellow
-          <br />• {thresholdMedium} to {thresholdHigh}: Yellow → Red
-          <br />• {thresholdHigh}+: Solid red
-        </Text>
-      </div>
-    </div>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Outer loader component.
-// ---------------------------------------------------------------------------
-
-/**
- * Tab component for editing world-map ban-count color thresholds.
- *
- * @returns JSX element.
- */
-export function MapTab(): React.JSX.Element {
-  const [thresholds, setThresholds] = useState<MapColorThresholdsResponse | null>(null);
-  const [loadError, setLoadError] = useState<string | null>(null);
-
-  const load = useCallback(async (): Promise<void> => {
-    try {
-      const data = await fetchMapColorThresholds();
-      setThresholds(data);
-    } catch (err) {
-      setLoadError(
-        err instanceof ApiError ? err.message : "Failed to load map color thresholds",
-      );
-    }
-  }, []);
-
-  useEffect(() => {
-    void load();
-  }, [load]);
-
-  if (!thresholds && !loadError) {
-    return (
-      <Skeleton aria-label="Loading map settings…">
-        <div style={{ display: "grid", gridTemplateColumns: "1fr 1fr 1fr", gap: 8 }}>
-          <SkeletonItem size={32} />
-          <SkeletonItem size={32} />
-          <SkeletonItem size={32} />
-        </div>
-      </Skeleton>
-    );
-  }
-
-  if (loadError)
-    return (
-      <MessageBar intent="error">
-        <MessageBarBody>{loadError}</MessageBarBody>
-      </MessageBar>
-    );
-
-  if (!thresholds) return <></>;
-
-  return <MapForm initial={thresholds} />;
-}
-
-

frontend/src/components/config/ServerHealthSection.tsx

@@ -1,12 +1,12 @@
 /**
- * LogTab — fail2ban log viewer and service health panel.
+ * ServerHealthSection — service health panel and log viewer for ServerTab.
  *
  * Renders two sections:
  *  1. **Service Health panel** — shows online/offline state, version, active
  *     jail count, total bans, total failures, log level, and log target.
  *  2. **Log viewer** — displays the tail of the fail2ban daemon log file with
  *     toolbar controls for line count, substring filter, manual refresh, and
- *     optional auto-refresh.  Log lines are color-coded by severity.
+ *     optional auto-refresh. Log lines are color-coded by severity.
  */
 
 import {
@@ -167,13 +167,11 @@ function detectSeverity(line: string): "error" | "warning" | "debug" | "default"
 // ---------------------------------------------------------------------------
 
 /**
- * Log tab component for the Configuration page.
- *
- * Shows fail2ban service health and a live log viewer with refresh controls.
+ * Server health panel and log viewer section for ServerTab.
  *
  * @returns JSX element.
  */
-export function LogTab(): React.JSX.Element {
+export function ServerHealthSection(): React.JSX.Element {
   const configStyles = useConfigStyles();
   const styles = useStyles();
 
@@ -317,10 +315,8 @@ export function LogTab(): React.JSX.Element {
     logData != null && logData.total_lines > logData.lines.length;
 
   return (
-    <div>
-      {/* ------------------------------------------------------------------ */}
-      {/* Service Health Panel                                                 */}
-      {/* ------------------------------------------------------------------ */}
+    <>
+      {/* Service Health Panel */}
       <div className={configStyles.sectionCard}>
         <div style={{ display: "flex", alignItems: "center", gap: tokens.spacingHorizontalM }}>
           <DocumentBulletList24Regular />
@@ -384,9 +380,7 @@ export function LogTab(): React.JSX.Element {
         )}
       </div>
 
-      {/* ------------------------------------------------------------------ */}
-      {/* Log Viewer                                                           */}
-      {/* ------------------------------------------------------------------ */}
+      {/* Log Viewer */}
       <div className={configStyles.sectionCard}>
         <div style={{ display: "flex", alignItems: "center", gap: tokens.spacingHorizontalM, marginBottom: tokens.spacingVerticalM }}>
           <Text weight="semibold" size={400}>
@@ -513,6 +507,6 @@ export function LogTab(): React.JSX.Element {
           </>
         )}
       </div>
-    </div>
+    </>
   );
 }

frontend/src/components/config/ServerTab.tsx

@@ -2,10 +2,12 @@
  * ServerTab — fail2ban server-level settings editor.
  *
  * Provides form fields for live server settings (log level, log target,
- * DB purge age, DB max matches) and a "Flush Logs" action button.
+ * DB purge age, DB max matches), action buttons (flush logs, reload fail2ban,
+ * restart fail2ban), world map color threshold configuration, and service
+ * health + log viewer.
  */
 
-import { useCallback, useMemo, useState } from "react";
+import { useCallback, useEffect, useMemo, useState } from "react";
 import {
   Button,
   Field,
@@ -15,16 +17,25 @@ import {
   Select,
   Skeleton,
   SkeletonItem,
+  Text,
   tokens,
 } from "@fluentui/react-components";
 import {
   DocumentArrowDown24Regular,
+  ArrowSync24Regular,
 } from "@fluentui/react-icons";
 import { ApiError } from "../../api/client";
-import type { ServerSettingsUpdate } from "../../types/config";
+import type { ServerSettingsUpdate, MapColorThresholdsResponse, MapColorThresholdsUpdate } from "../../types/config";
 import { useServerSettings } from "../../hooks/useConfig";
 import { useAutoSave } from "../../hooks/useAutoSave";
+import {
+  fetchMapColorThresholds,
+  updateMapColorThresholds,
+  reloadConfig,
+  restartFail2Ban,
+} from "../../api/config";
 import { AutoSaveIndicator } from "./AutoSaveIndicator";
+import { ServerHealthSection } from "./ServerHealthSection";
 import { useConfigStyles } from "./configStyles";
 
 /** Available fail2ban log levels in descending severity order. */
@@ -46,6 +57,17 @@ export function ServerTab(): React.JSX.Element {
   const [flushing, setFlushing] = useState(false);
   const [msg, setMsg] = useState<{ text: string; ok: boolean } | null>(null);
 
+  // Reload/Restart state
+  const [isReloading, setIsReloading] = useState(false);
+  const [isRestarting, setIsRestarting] = useState(false);
+
+  // Map color thresholds
+  const [mapThresholds, setMapThresholds] = useState<MapColorThresholdsResponse | null>(null);
+  const [mapThresholdHigh, setMapThresholdHigh] = useState("");
+  const [mapThresholdMedium, setMapThresholdMedium] = useState("");
+  const [mapThresholdLow, setMapThresholdLow] = useState("");
+  const [mapLoadError, setMapLoadError] = useState<string | null>(null);
+
   const effectiveLogLevel = logLevel || settings?.log_level || "";
   const effectiveLogTarget = logTarget || settings?.log_target || "";
   const effectiveDbPurgeAge =
@@ -83,6 +105,99 @@ export function ServerTab(): React.JSX.Element {
     }
   }, [flush]);
 
+  const handleReload = useCallback(async () => {
+    setIsReloading(true);
+    setMsg(null);
+    try {
+      await reloadConfig();
+      setMsg({ text: "fail2ban reloaded successfully", ok: true });
+    } catch (err: unknown) {
+      setMsg({
+        text: err instanceof ApiError ? err.message : "Reload failed.",
+        ok: false,
+      });
+    } finally {
+      setIsReloading(false);
+    }
+  }, []);
+
+  const handleRestart = useCallback(async () => {
+    setIsRestarting(true);
+    setMsg(null);
+    try {
+      await restartFail2Ban();
+      setMsg({ text: "fail2ban restart initiated", ok: true });
+    } catch (err: unknown) {
+      setMsg({
+        text: err instanceof ApiError ? err.message : "Restart failed.",
+        ok: false,
+      });
+    } finally {
+      setIsRestarting(false);
+    }
+  }, []);
+
+  // Load map color thresholds on mount.
+  const loadMapThresholds = useCallback(async (): Promise<void> => {
+    try {
+      const data = await fetchMapColorThresholds();
+      setMapThresholds(data);
+      setMapThresholdHigh(String(data.threshold_high));
+      setMapThresholdMedium(String(data.threshold_medium));
+      setMapThresholdLow(String(data.threshold_low));
+      setMapLoadError(null);
+    } catch (err) {
+      setMapLoadError(
+        err instanceof ApiError ? err.message : "Failed to load map color thresholds",
+      );
+    }
+  }, []);
+
+  useEffect(() => {
+    void loadMapThresholds();
+  }, [loadMapThresholds]);
+
+  // Map threshold validation and auto-save.
+  const mapHigh = Number(mapThresholdHigh);
+  const mapMedium = Number(mapThresholdMedium);
+  const mapLow = Number(mapThresholdLow);
+
+  const mapValidationError = useMemo<string | null>(() => {
+    if (!mapThresholds) return null;
+    if (isNaN(mapHigh) || isNaN(mapMedium) || isNaN(mapLow))
+      return "All thresholds must be valid numbers.";
+    if (mapHigh <= 0 || mapMedium <= 0 || mapLow <= 0)
+      return "All thresholds must be positive integers.";
+    if (!(mapHigh > mapMedium && mapMedium > mapLow))
+      return "Thresholds must satisfy: high > medium > low.";
+    return null;
+  }, [mapHigh, mapMedium, mapLow, mapThresholds]);
+
+  const [mapValidPayload, setMapValidPayload] = useState<MapColorThresholdsUpdate>({
+    threshold_high: mapThresholds?.threshold_high ?? 0,
+    threshold_medium: mapThresholds?.threshold_medium ?? 0,
+    threshold_low: mapThresholds?.threshold_low ?? 0,
+  });
+
+  useEffect(() => {
+    if (mapValidationError !== null || !mapThresholds) return;
+    setMapValidPayload({
+      threshold_high: mapHigh,
+      threshold_medium: mapMedium,
+      threshold_low: mapLow,
+    });
+  }, [mapHigh, mapMedium, mapLow, mapValidationError, mapThresholds]);
+
+  const saveMapThresholds = useCallback(
+    async (payload: MapColorThresholdsUpdate): Promise<void> => {
+      await updateMapColorThresholds(payload);
+    },
+    [],
+  );
+
+  const { status: mapSaveStatus, errorText: mapSaveErrorText, retry: retryMapSave } =
+    useAutoSave(mapValidPayload, saveMapThresholds);
+
   if (loading) {
     return (
       <Skeleton aria-label="Loading server settings…">
@@ -104,6 +219,10 @@ export function ServerTab(): React.JSX.Element {
 
   return (
     <div>
+      {/* Service Health & Log Viewer section — shown first so users can
+          immediately see whether fail2ban is reachable before editing settings. */}
+      <ServerHealthSection />
+
       <div className={styles.sectionCard}>
         <div style={{ marginBottom: tokens.spacingVerticalS }}>
           <AutoSaveIndicator
@@ -154,7 +273,10 @@ export function ServerTab(): React.JSX.Element {
           </Field>
         </div>
         <div className={styles.fieldRow}>
-          <Field label="DB Purge Age (s)">
+          <Field
+            label="DB Purge Age (s)"
+            hint="Ban records older than this are removed from the fail2ban database."
+          >
             <Input
               type="number"
               value={effectiveDbPurgeAge}
@@ -163,7 +285,10 @@ export function ServerTab(): React.JSX.Element {
               }}
             />
           </Field>
-          <Field label="DB Max Matches">
+          <Field
+            label="DB Max Matches"
+            hint="Maximum number of log-line matches stored per ban record."
+          >
             <Input
               type="number"
               value={effectiveDbMaxMatches}
@@ -182,6 +307,22 @@ export function ServerTab(): React.JSX.Element {
           >
             {flushing ? "Flushing…" : "Flush Logs"}
           </Button>
+          <Button
+            appearance="secondary"
+            icon={<ArrowSync24Regular />}
+            disabled={isReloading}
+            onClick={() => void handleReload()}
+          >
+            {isReloading ? "Reloading…" : "Reload fail2ban"}
+          </Button>
+          <Button
+            appearance="secondary"
+            icon={<ArrowSync24Regular />}
+            disabled={isRestarting}
+            onClick={() => void handleRestart()}
+          >
+            {isRestarting ? "Restarting…" : "Restart fail2ban"}
+          </Button>
         </div>
         {msg && (
           <MessageBar intent={msg.ok ? "success" : "error"}>
@@ -189,6 +330,92 @@ export function ServerTab(): React.JSX.Element {
           </MessageBar>
         )}
       </div>
+
+      {/* Map Color Thresholds section */}
+      {mapLoadError ? (
+        <div className={styles.sectionCard}>
+          <MessageBar intent="error">
+            <MessageBarBody>{mapLoadError}</MessageBarBody>
+          </MessageBar>
+        </div>
+      ) : mapThresholds ? (
+        <div className={styles.sectionCard}>
+          <Text as="h3" size={500} weight="semibold" block>
+            Map Color Thresholds
+          </Text>
+          <Text
+            as="p"
+            size={300}
+            className={styles.infoText}
+            block
+            style={{ marginBottom: tokens.spacingVerticalM }}
+          >
+            Configure the ban count thresholds that determine country fill colors on
+            the World Map. Countries with zero bans remain transparent. Colors
+            smoothly interpolate between thresholds.
+          </Text>
+
+          <div style={{ marginBottom: tokens.spacingVerticalS }}>
+            <AutoSaveIndicator
+              status={mapValidationError ? "idle" : mapSaveStatus}
+              errorText={mapSaveErrorText}
+              onRetry={retryMapSave}
+            />
+          </div>
+
+          {mapValidationError && (
+            <MessageBar intent="error" style={{ marginBottom: tokens.spacingVerticalS }}>
+              <MessageBarBody>{mapValidationError}</MessageBarBody>
+            </MessageBar>
+          )}
+
+          <div className={styles.fieldRowThree}>
+            <Field label="Low Threshold (Green)" required>
+              <Input
+                type="number"
+                value={mapThresholdLow}
+                onChange={(_, d) => {
+                  setMapThresholdLow(d.value);
+                }}
+                min={1}
+              />
+            </Field>
+            <Field label="Medium Threshold (Yellow)" required>
+              <Input
+                type="number"
+                value={mapThresholdMedium}
+                onChange={(_, d) => {
+                  setMapThresholdMedium(d.value);
+                }}
+                min={1}
+              />
+            </Field>
+            <Field label="High Threshold (Red)" required>
+              <Input
+                type="number"
+                value={mapThresholdHigh}
+                onChange={(_, d) => {
+                  setMapThresholdHigh(d.value);
+                }}
+                min={1}
+              />
+            </Field>
+          </div>
+
+          <Text
+            as="p"
+            size={200}
+            className={styles.infoText}
+            style={{ marginTop: tokens.spacingVerticalS }}
+          >
+            • 1 to {mapThresholdLow}: Light green → Full green
+            <br />• {mapThresholdLow} to {mapThresholdMedium}: Green → Yellow
+            <br />• {mapThresholdMedium} to {mapThresholdHigh}: Yellow → Red
+            <br />• {mapThresholdHigh}+: Solid red
+          </Text>
+        </div>
+      ) : null}
+
     </div>
   );
 }

frontend/src/components/config/__tests__/ActivateJailDialog.test.tsx

@@ -6,7 +6,6 @@
  *  - "Activate" button is enabled when validation passes.
  *  - Dialog stays open and shows an error when the backend returns active=false.
  *  - `onActivated` is called and dialog closes when backend returns active=true.
- *  - `onCrashDetected` is called when fail2ban_running is false after activation.
  */
 
 import { describe, it, expect, vi, beforeEach } from "vitest";
@@ -55,6 +54,7 @@ const baseJail: InactiveJail = {
   bantime_escalation: null,
   source_file: "/config/fail2ban/jail.d/airsonic-auth.conf",
   enabled: false,
+  has_local_override: false,
 };
 
 /** Successful activation response. */
@@ -98,7 +98,6 @@ interface DialogProps {
   open?: boolean;
   onClose?: () => void;
   onActivated?: () => void;
-  onCrashDetected?: () => void;
 }
 
 function renderDialog({
@@ -106,7 +105,6 @@ function renderDialog({
   open = true,
   onClose = vi.fn(),
   onActivated = vi.fn(),
-  onCrashDetected = vi.fn(),
 }: DialogProps = {}) {
   return render(
     <FluentProvider theme={webLightTheme}>
@@ -115,7 +113,6 @@ function renderDialog({
         open={open}
         onClose={onClose}
         onActivated={onActivated}
-        onCrashDetected={onCrashDetected}
       />
     </FluentProvider>,
   );
@@ -202,28 +199,4 @@ describe("ActivateJailDialog", () => {
       expect(onActivated).toHaveBeenCalledOnce();
     });
   });
-
-  it("calls onCrashDetected when fail2ban_running is false after activation", async () => {
-    mockValidateJailConfig.mockResolvedValue(validationPassed);
-    mockActivateJail.mockResolvedValue({
-      ...successResponse,
-      fail2ban_running: false,
-    });
-
-    const onActivated = vi.fn();
-    const onCrashDetected = vi.fn();
-    renderDialog({ onActivated, onCrashDetected });
-
-    await waitFor(() => {
-      expect(screen.queryByText(/validating configuration/i)).not.toBeInTheDocument();
-    });
-
-    const activateBtn = screen.getByRole("button", { name: /^activate$/i });
-    await userEvent.click(activateBtn);
-
-    await waitFor(() => {
-      expect(onCrashDetected).toHaveBeenCalledOnce();
-    });
-    expect(onActivated).toHaveBeenCalledOnce();
-  });
 });

frontend/src/components/config/__tests__/LogTab.test.tsx

@@ -1,189 +0,0 @@
-/**
- * Tests for the LogTab component (Task 2).
- */
-
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { render, screen, waitFor } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
-import { FluentProvider, webLightTheme } from "@fluentui/react-components";
-import { LogTab } from "../LogTab";
-import type { Fail2BanLogResponse, ServiceStatusResponse } from "../../../types/config";
-
-// ---------------------------------------------------------------------------
-// Mocks
-// ---------------------------------------------------------------------------
-
-vi.mock("../../../api/config", () => ({
-  fetchFail2BanLog: vi.fn(),
-  fetchServiceStatus: vi.fn(),
-}));
-
-import { fetchFail2BanLog, fetchServiceStatus } from "../../../api/config";
-
-const mockFetchLog = vi.mocked(fetchFail2BanLog);
-const mockFetchStatus = vi.mocked(fetchServiceStatus);
-
-// ---------------------------------------------------------------------------
-// Fixtures
-// ---------------------------------------------------------------------------
-
-const onlineStatus: ServiceStatusResponse = {
-  online: true,
-  version: "1.0.2",
-  jail_count: 3,
-  total_bans: 12,
-  total_failures: 5,
-  log_level: "INFO",
-  log_target: "/var/log/fail2ban.log",
-};
-
-const offlineStatus: ServiceStatusResponse = {
-  online: false,
-  version: null,
-  jail_count: 0,
-  total_bans: 0,
-  total_failures: 0,
-  log_level: "UNKNOWN",
-  log_target: "UNKNOWN",
-};
-
-const logResponse: Fail2BanLogResponse = {
-  log_path: "/var/log/fail2ban.log",
-  lines: [
-    "2025-01-01 12:00:00 INFO  sshd Found 1.2.3.4",
-    "2025-01-01 12:00:01 WARNING sshd Too many failures",
-    "2025-01-01 12:00:02 ERROR  fail2ban something went wrong",
-  ],
-  total_lines: 1000,
-  log_level: "INFO",
-  log_target: "/var/log/fail2ban.log",
-};
-
-const nonFileLogResponse: Fail2BanLogResponse = {
-  ...logResponse,
-  log_target: "STDOUT",
-  lines: [],
-};
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function renderTab() {
-  return render(
-    <FluentProvider theme={webLightTheme}>
-      <LogTab />
-    </FluentProvider>,
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Tests
-// ---------------------------------------------------------------------------
-
-describe("LogTab", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("shows a spinner while loading", () => {
-    // Never resolves during this test.
-    mockFetchStatus.mockReturnValue(new Promise(() => undefined));
-    mockFetchLog.mockReturnValue(new Promise(() => undefined));
-
-    renderTab();
-
-    expect(screen.getByText(/loading log viewer/i)).toBeInTheDocument();
-  });
-
-  it("renders the health panel with Running badge when online", async () => {
-    mockFetchStatus.mockResolvedValue(onlineStatus);
-    mockFetchLog.mockResolvedValue(logResponse);
-
-    renderTab();
-
-    await waitFor(() => { expect(screen.queryByText(/loading log viewer/i)).toBeNull(); });
-
-    expect(screen.getByText("Running")).toBeInTheDocument();
-    expect(screen.getByText("1.0.2")).toBeInTheDocument();
-    expect(screen.getByText("3")).toBeInTheDocument(); // active jails
-    expect(screen.getByText("12")).toBeInTheDocument(); // total bans
-  });
-
-  it("renders the Offline badge and warning when fail2ban is down", async () => {
-    mockFetchStatus.mockResolvedValue(offlineStatus);
-    mockFetchLog.mockRejectedValue(new Error("not running"));
-
-    renderTab();
-
-    await waitFor(() => { expect(screen.queryByText(/loading log viewer/i)).toBeNull(); });
-
-    expect(screen.getByText("Offline")).toBeInTheDocument();
-    expect(screen.getByText(/not running or unreachable/i)).toBeInTheDocument();
-  });
-
-  it("renders log lines in the log viewer", async () => {
-    mockFetchStatus.mockResolvedValue(onlineStatus);
-    mockFetchLog.mockResolvedValue(logResponse);
-
-    renderTab();
-
-    await waitFor(() => {
-      expect(screen.getByText(/2025-01-01 12:00:00 INFO/)).toBeInTheDocument();
-    });
-
-    expect(screen.getByText(/2025-01-01 12:00:01 WARNING/)).toBeInTheDocument();
-    expect(screen.getByText(/2025-01-01 12:00:02 ERROR/)).toBeInTheDocument();
-  });
-
-  it("shows a non-file target info banner when log_target is STDOUT", async () => {
-    mockFetchStatus.mockResolvedValue(onlineStatus);
-    mockFetchLog.mockResolvedValue(nonFileLogResponse);
-
-    renderTab();
-
-    await waitFor(() => {
-      expect(screen.getByText(/fail2ban is logging to/i)).toBeInTheDocument();
-    });
-
-    expect(screen.getByText(/STDOUT/)).toBeInTheDocument();
-    expect(screen.queryByText(/Refresh/)).toBeNull();
-  });
-
-  it("shows empty state when no lines match the filter", async () => {
-    mockFetchStatus.mockResolvedValue(onlineStatus);
-    mockFetchLog.mockResolvedValue({ ...logResponse, lines: [] });
-
-    renderTab();
-
-    await waitFor(() => {
-      expect(screen.getByText(/no log entries found/i)).toBeInTheDocument();
-    });
-  });
-
-  it("shows truncation notice when total_lines > lines.length", async () => {
-    mockFetchStatus.mockResolvedValue(onlineStatus);
-    mockFetchLog.mockResolvedValue({ ...logResponse, lines: logResponse.lines, total_lines: 1000 });
-
-    renderTab();
-
-    await waitFor(() => {
-      expect(screen.getByText(/showing last/i)).toBeInTheDocument();
-    });
-  });
-
-  it("calls fetchFail2BanLog again on Refresh button click", async () => {
-    mockFetchStatus.mockResolvedValue(onlineStatus);
-    mockFetchLog.mockResolvedValue(logResponse);
-
-    const user = userEvent.setup();
-    renderTab();
-
-    await waitFor(() => { expect(screen.getByText(/Refresh/)).toBeInTheDocument(); });
-
-    const refreshBtn = screen.getByRole("button", { name: /refresh/i });
-    await user.click(refreshBtn);
-
-    await waitFor(() => { expect(mockFetchLog).toHaveBeenCalledTimes(2); });
-  });
-});

frontend/src/components/config/index.ts

@@ -30,16 +30,14 @@ export { ExportTab } from "./ExportTab";
 export { FilterForm } from "./FilterForm";
 export type { FilterFormProps } from "./FilterForm";
 export { FiltersTab } from "./FiltersTab";
-export { GlobalTab } from "./GlobalTab";
 export { JailFilesTab } from "./JailFilesTab";
 export { JailFileForm } from "./JailFileForm";
 export { JailsTab } from "./JailsTab";
-export { LogTab } from "./LogTab";
-export { MapTab } from "./MapTab";
 export { RawConfigSection } from "./RawConfigSection";
 export type { RawConfigSectionProps } from "./RawConfigSection";
 export { RegexList } from "./RegexList";
 export type { RegexListProps } from "./RegexList";
 export { RegexTesterTab } from "./RegexTesterTab";
 export { ServerTab } from "./ServerTab";
+export { ServerHealthSection } from "./ServerHealthSection";
 export { useConfigStyles } from "./configStyles";

frontend/src/layouts/MainLayout.tsx

@@ -33,7 +33,6 @@ import { NavLink, Outlet, useNavigate } from "react-router-dom";
 import { useAuth } from "../providers/AuthProvider";
 import { useServerStatus } from "../hooks/useServerStatus";
 import { useBlocklistStatus } from "../hooks/useBlocklist";
-import { RecoveryBanner } from "../components/common/RecoveryBanner";
 
 // ---------------------------------------------------------------------------
 // Styles
@@ -146,6 +145,16 @@ const useStyles = makeStyles({
     padding: tokens.spacingVerticalS,
     flexShrink: 0,
   },
+  versionText: {
+    display: "block",
+    color: tokens.colorNeutralForeground4,
+    fontSize: "11px",
+    paddingLeft: tokens.spacingHorizontalS,
+    paddingRight: tokens.spacingHorizontalS,
+    paddingBottom: tokens.spacingVerticalXS,
+    whiteSpace: "nowrap",
+    overflow: "hidden",
+  },
 
   // Main content
   main: {
@@ -302,6 +311,11 @@ export function MainLayout(): React.JSX.Element {
 
         {/* Footer — Logout */}
         <div className={styles.sidebarFooter}>
+          {!collapsed && (
+            <Text className={styles.versionText}>
+              BanGUI v{__APP_VERSION__}
+            </Text>
+          )}
           <Tooltip
             content={collapsed ? "Sign out" : ""}
             relationship="label"
@@ -336,8 +350,6 @@ export function MainLayout(): React.JSX.Element {
             </MessageBar>
           </div>
         )}
-        {/* Recovery banner — shown when fail2ban crashed after a jail activation */}
-        <RecoveryBanner />
         {/* Blocklist import error warning — shown when the last scheduled import had errors */}
         {blocklistHasErrors && (
           <div className={styles.warningBar} role="alert">

frontend/src/layouts/__tests__/MainLayout.test.tsx

@@ -0,0 +1,78 @@
+/**
+ * Tests for the MainLayout component.
+ *
+ * Covers:
+ * - BanGUI application version displayed in the footer when the sidebar is expanded.
+ * - Version text hidden when the sidebar is collapsed.
+ * - Navigation items rendered correctly.
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { MemoryRouter } from "react-router-dom";
+import { FluentProvider, webLightTheme } from "@fluentui/react-components";
+import { MainLayout } from "../../layouts/MainLayout";
+
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+
+vi.mock("../../providers/AuthProvider", () => ({
+  useAuth: () => ({ logout: vi.fn() }),
+}));
+
+vi.mock("../../hooks/useServerStatus", () => ({
+  useServerStatus: () => ({
+    status: { online: true, version: "1.0.0", active_jails: 1, total_bans: 0, total_failures: 0 },
+    loading: false,
+    error: null,
+    refresh: vi.fn(),
+  }),
+}));
+
+vi.mock("../../hooks/useBlocklist", () => ({
+  useBlocklistStatus: () => ({ hasErrors: false }),
+}));
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function renderLayout(): void {
+  render(
+    <FluentProvider theme={webLightTheme}>
+      <MemoryRouter initialEntries={["/"]}>
+        <MainLayout />
+      </MemoryRouter>
+    </FluentProvider>,
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("MainLayout", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("renders the navigation sidebar", () => {
+    renderLayout();
+    expect(screen.getByRole("navigation", { name: "Main navigation" })).toBeInTheDocument();
+  });
+
+  it("shows the BanGUI version in the sidebar footer when expanded", () => {
+    renderLayout();
+    // __APP_VERSION__ is stubbed to "0.0.0-test" via vitest.config.ts define.
+    expect(screen.getByText("BanGUI v0.0.0-test")).toBeInTheDocument();
+  });
+
+  it("hides the BanGUI version text when the sidebar is collapsed", async () => {
+    renderLayout();
+    const toggleButton = screen.getByRole("button", { name: /collapse sidebar/i });
+    await userEvent.click(toggleButton);
+    expect(screen.queryByText("BanGUI v0.0.0-test")).not.toBeInTheDocument();
+  });
+});

frontend/src/pages/ConfigPage.tsx

@@ -8,9 +8,7 @@
  *   Jails        — per-jail config accordion with inline editing
  *   Filters      — structured filter.d form editor
  *   Actions      — structured action.d form editor
- *   Global       — global fail2ban settings (log level, DB config)
- *   Server       — server-level settings + flush logs
- *   Map          — map color threshold configuration
+ *   Server       — server-level settings, map thresholds, service health + log viewer
  *   Regex Tester — live pattern tester
  *   Export       — raw file editors for jail, filter, and action files
  */
@@ -20,10 +18,7 @@ import { Tab, TabList, Text, makeStyles, tokens } from "@fluentui/react-componen
 import {
   ActionsTab,
   FiltersTab,
-  GlobalTab,
   JailsTab,
-  LogTab,
-  MapTab,
   RegexTesterTab,
   ServerTab,
 } from "../components/config";
@@ -58,11 +53,8 @@ type TabValue =
   | "jails"
   | "filters"
   | "actions"
-  | "global"
   | "server"
-  | "map"
-  | "regex"
-  | "log";
+  | "regex";
 
 export function ConfigPage(): React.JSX.Element {
   const styles = useStyles();
@@ -89,22 +81,16 @@ export function ConfigPage(): React.JSX.Element {
         <Tab value="jails">Jails</Tab>
         <Tab value="filters">Filters</Tab>
         <Tab value="actions">Actions</Tab>
-        <Tab value="global">Global</Tab>
         <Tab value="server">Server</Tab>
-        <Tab value="map">Map</Tab>
         <Tab value="regex">Regex Tester</Tab>
-        <Tab value="log">Log</Tab>
       </TabList>
 
       <div className={styles.tabContent} key={tab}>
         {tab === "jails" && <JailsTab />}
         {tab === "filters" && <FiltersTab />}
         {tab === "actions" && <ActionsTab />}
-        {tab === "global" && <GlobalTab />}
         {tab === "server" && <ServerTab />}
-        {tab === "map" && <MapTab />}
         {tab === "regex" && <RegexTesterTab />}
-        {tab === "log" && <LogTab />}
       </div>
     </div>
   );

frontend/src/pages/SetupPage.tsx

@@ -22,7 +22,6 @@ import { useNavigate } from "react-router-dom";
 import type { ChangeEvent, FormEvent } from "react";
 import { ApiError } from "../api/client";
 import { getSetupStatus, submitSetup } from "../api/setup";
-import { sha256Hex } from "../utils/crypto";
 
 // ---------------------------------------------------------------------------
 // Styles
@@ -101,20 +100,36 @@ export function SetupPage(): React.JSX.Element {
   const styles = useStyles();
   const navigate = useNavigate();
 
+  const [checking, setChecking] = useState(true);
   const [values, setValues] = useState<FormValues>(DEFAULT_VALUES);
   const [errors, setErrors] = useState<Partial<Record<keyof FormValues, string>>>({});
   const [apiError, setApiError] = useState<string | null>(null);
   const [submitting, setSubmitting] = useState(false);
 
   // Redirect to /login if setup has already been completed.
+  // Show a full-screen spinner while the check is in flight to prevent
+  // the form from flashing before the redirect fires.
   useEffect(() => {
+    let cancelled = false;
     getSetupStatus()
       .then((res) => {
-        if (res.completed) navigate("/login", { replace: true });
+        if (!cancelled) {
+          if (res.completed) {
+            navigate("/login", { replace: true });
+          } else {
+            setChecking(false);
+          }
+        }
       })
       .catch(() => {
-        /* ignore — stay on setup page */
+        // Failed check: the backend may still be starting up. Stay on this
+        // page so the user can attempt setup once the backend is ready.
+        console.warn("SetupPage: setup status check failed — rendering setup form");
+        if (!cancelled) setChecking(false);
       });
+    return (): void => {
+      cancelled = true;
+    };
   }, [navigate]);
 
   // ---------------------------------------------------------------------------
@@ -161,11 +176,8 @@ export function SetupPage(): React.JSX.Element {
 
     setSubmitting(true);
     try {
-      // Hash the password client-side before transmission — the plaintext
-      // never leaves the browser.  The backend bcrypt-hashes the received hash.
-      const hashedPassword = await sha256Hex(values.masterPassword);
       await submitSetup({
-        master_password: hashedPassword,
+        master_password: values.masterPassword,
         database_path: values.databasePath,
         fail2ban_socket: values.fail2banSocket,
         timezone: values.timezone,
@@ -187,6 +199,21 @@ export function SetupPage(): React.JSX.Element {
   // Render
   // ---------------------------------------------------------------------------
 
+  if (checking) {
+    return (
+      <div
+        style={{
+          display: "flex",
+          justifyContent: "center",
+          alignItems: "center",
+          minHeight: "100vh",
+        }}
+      >
+        <Spinner size="large" label="Loading…" />
+      </div>
+    );
+  }
+
   return (
     <div className={styles.root}>
       <div className={styles.card}>

frontend/src/pages/__tests__/ConfigPage.test.tsx

@@ -9,9 +9,7 @@ vi.mock("../../components/config", () => ({
   JailsTab: () => <div data-testid="jails-tab">JailsTab</div>,
   FiltersTab: () => <div data-testid="filters-tab">FiltersTab</div>,
   ActionsTab: () => <div data-testid="actions-tab">ActionsTab</div>,
-  GlobalTab: () => <div data-testid="global-tab">GlobalTab</div>,
   ServerTab: () => <div data-testid="server-tab">ServerTab</div>,
-  MapTab: () => <div data-testid="map-tab">MapTab</div>,
   RegexTesterTab: () => <div data-testid="regex-tab">RegexTesterTab</div>,
   ExportTab: () => <div data-testid="export-tab">ExportTab</div>,
 }));
@@ -45,12 +43,6 @@ describe("ConfigPage", () => {
     expect(screen.getByTestId("actions-tab")).toBeInTheDocument();
   });
 
-  it("switches to Global tab when Global tab is clicked", () => {
-    renderPage();
-    fireEvent.click(screen.getByRole("tab", { name: /global/i }));
-    expect(screen.getByTestId("global-tab")).toBeInTheDocument();
-  });
-
   it("switches to Server tab when Server tab is clicked", () => {
     renderPage();
     fireEvent.click(screen.getByRole("tab", { name: /server/i }));

frontend/src/pages/__tests__/SetupPage.test.tsx

@@ -0,0 +1,83 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, waitFor } from "@testing-library/react";
+import { MemoryRouter, Routes, Route } from "react-router-dom";
+import { FluentProvider, webLightTheme } from "@fluentui/react-components";
+import { SetupPage } from "../SetupPage";
+
+// Mock the setup API so tests never hit a real network.
+vi.mock("../../api/setup", () => ({
+  getSetupStatus: vi.fn(),
+  submitSetup: vi.fn(),
+}));
+
+import { getSetupStatus } from "../../api/setup";
+
+const mockedGetSetupStatus = vi.mocked(getSetupStatus);
+
+function renderPage() {
+  return render(
+    <FluentProvider theme={webLightTheme}>
+      <MemoryRouter initialEntries={["/setup"]}>
+        <Routes>
+          <Route path="/setup" element={<SetupPage />} />
+          <Route
+            path="/login"
+            element={<div data-testid="login-page">Login</div>}
+          />
+        </Routes>
+      </MemoryRouter>
+    </FluentProvider>,
+  );
+}
+
+describe("SetupPage", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("shows a full-screen spinner while the setup status check is in flight", () => {
+    // getSetupStatus never resolves — spinner should be visible immediately.
+    mockedGetSetupStatus.mockReturnValue(new Promise(() => {}));
+    renderPage();
+    expect(screen.getByRole("progressbar")).toBeInTheDocument();
+    // Form should NOT be visible yet.
+    expect(
+      screen.queryByRole("heading", { name: /bangui setup/i }),
+    ).not.toBeInTheDocument();
+  });
+
+  it("renders the setup form once the status check resolves (not complete)", async () => {
+    // Task 0.4: form must not flash before the check resolves.
+    mockedGetSetupStatus.mockResolvedValue({ completed: false });
+    renderPage();
+    await waitFor(() => {
+      expect(
+        screen.getByRole("heading", { name: /bangui setup/i }),
+      ).toBeInTheDocument();
+    });
+    // Spinner should be gone.
+    expect(screen.queryByRole("progressbar")).not.toBeInTheDocument();
+  });
+
+  it("redirects to /login when setup is already complete", async () => {
+    mockedGetSetupStatus.mockResolvedValue({ completed: true });
+    renderPage();
+    await waitFor(() => {
+      expect(screen.getByTestId("login-page")).toBeInTheDocument();
+    });
+  });
+
+  it("renders the form and logs a warning when the status check fails", async () => {
+    // Task 0.4: catch block must log a warning and keep the form visible.
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    mockedGetSetupStatus.mockRejectedValue(new Error("Connection refused"));
+    renderPage();
+    await waitFor(() => {
+      expect(
+        screen.getByRole("heading", { name: /bangui setup/i }),
+      ).toBeInTheDocument();
+    });
+    expect(warnSpy).toHaveBeenCalledOnce();
+    warnSpy.mockRestore();
+  });
+});

frontend/src/types/config.ts

@@ -524,6 +524,11 @@ export interface InactiveJail {
   source_file: string;
   /** Effective ``enabled`` value — always ``false`` for inactive jails. */
   enabled: boolean;
+  /**
+   * True when a ``jail.d/{name}.local`` override file exists for this jail.
+   * Indicates that a "Deactivate Jail" cleanup action is available.
+   */
+  has_local_override: boolean;
 }
 
 export interface InactiveJailListResponse {
@@ -581,20 +586,6 @@ export interface JailValidationResult {
   issues: JailValidationIssue[];
 }
 
-/**
- * Recorded when fail2ban stops responding shortly after a jail activation.
- * Surfaced by `GET /api/config/pending-recovery`.
- */
-export interface PendingRecovery {
-  jail_name: string;
-  /** ISO-8601 datetime string. */
-  activated_at: string;
-  /** ISO-8601 datetime string. */
-  detected_at: string;
-  /** True once fail2ban comes back online after the crash. */
-  recovered: boolean;
-}
-
 /** Response from `POST /api/config/jails/{name}/rollback`. */
 export interface RollbackResponse {
   jail_name: string;

frontend/src/utils/chartTheme.ts

@@ -30,7 +30,12 @@ import { tokens } from "@fluentui/react-components";
 export function resolveFluentToken(tokenValue: string): string {
   const match = /var\((--[^,)]+)/.exec(tokenValue);
   if (match == null || match[1] == null) return tokenValue;
-  const resolved = getComputedStyle(document.documentElement)
+
+  // FluentProvider injects CSS custom properties on its own wrapper <div>,
+  // not on :root. Query that element so we resolve actual colour values.
+  const el =
+    document.querySelector(".fui-FluentProvider") ?? document.documentElement;
+  const resolved = getComputedStyle(el)
     .getPropertyValue(match[1])
     .trim();
   return resolved !== "" ? resolved : tokenValue;

frontend/src/utils/crypto.ts

@@ -1,23 +0,0 @@
-/**
- * Client-side cryptography utilities.
- *
- * Uses the browser-native SubtleCrypto API so no third-party bundle is required.
- */
-
-/**
- * Return the SHA-256 hex digest of `input`.
- *
- * Hashing passwords before transmission means the plaintext never leaves the
- * browser, even when HTTPS is not enforced in a development environment.
- * The backend then applies bcrypt on top of the received hash.
- *
- * @param input - The string to hash (e.g. the master password).
- * @returns Lowercase hex-encoded SHA-256 digest.
- */
-export async function sha256Hex(input: string): Promise<string> {
-  const data = new TextEncoder().encode(input);
-  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-  return Array.from(new Uint8Array(hashBuffer))
-    .map((b) => b.toString(16).padStart(2, "0"))
-    .join("");
-}

frontend/src/vite-env.d.ts

@@ -7,3 +7,6 @@ interface ImportMetaEnv {
 interface ImportMeta {
   readonly env: ImportMetaEnv;
 }
+
+/** BanGUI application version — injected at build time via Vite define. */
+declare const __APP_VERSION__: string;

frontend/vite.config.ts

@@ -1,10 +1,19 @@
 import { defineConfig } from "vite";
 import react from "@vitejs/plugin-react";
 import { resolve } from "path";
+import { readFileSync } from "node:fs";
+
+const pkg = JSON.parse(
+  readFileSync(resolve(__dirname, "package.json"), "utf-8"),
+) as { version: string };
 
 // https://vitejs.dev/config/
 export default defineConfig({
   plugins: [react()],
+  define: {
+    /** BanGUI application version injected at build time from package.json. */
+    __APP_VERSION__: JSON.stringify(pkg.version),
+  },
   resolve: {
     alias: {
       "@": resolve(__dirname, "src"),

frontend/vitest.config.ts

@@ -4,6 +4,10 @@ import { resolve } from "path";
 
 export default defineConfig({
   plugins: [react()],
+  define: {
+    /** Stub app version for tests — mirrors the vite.config.ts define. */
+    __APP_VERSION__: JSON.stringify("0.0.0-test"),
+  },
   resolve: {
     alias: {
       "@": resolve(__dirname, "src"),