Check jail.local state and warn user if it is not fail2ban-UI managed, disable automatic jail.local migration because it is only testing

internal/fail2ban/connector_agent.go

@@ -443,11 +443,31 @@ func (ac *AgentConnector) UpdateDefaultSettings(ctx context.Context, settings co
 	return ac.put(ctx, "/v1/jails/default-settings", payload, nil)
 }
 
+// CheckJailLocalIntegrity implements Connector.
+func (ac *AgentConnector) CheckJailLocalIntegrity(ctx context.Context) (bool, bool, error) {
+	var result struct {
+		Exists      bool `json:"exists"`
+		HasUIAction bool `json:"hasUIAction"`
+	}
+	if err := ac.get(ctx, "/v1/jails/check-integrity", &result); err != nil {
+		// If the agent does not implement this endpoint, assume OK
+		if strings.Contains(err.Error(), "404") || strings.Contains(err.Error(), "not found") {
+			return false, false, nil
+		}
+		return false, false, fmt.Errorf("failed to check jail.local integrity on %s: %w", ac.server.Name, err)
+	}
+	return result.Exists, result.HasUIAction, nil
+}
+
 // EnsureJailLocalStructure implements Connector.
 func (ac *AgentConnector) EnsureJailLocalStructure(ctx context.Context) error {
-	// Call agent API endpoint to ensure jail.local structure
-	// If the endpoint doesn't exist, we'll need to implement it on the agent side
-	// For now, we'll try calling it and handle the error gracefully
+	// Safety: if jail.local exists but is not managed by Fail2ban-UI,
+	// it belongs to the user; never overwrite it.
+	if exists, hasUI, err := ac.CheckJailLocalIntegrity(ctx); err == nil && exists && !hasUI {
+		config.DebugLog("jail.local on agent server %s exists but is not managed by Fail2ban-UI -- skipping overwrite", ac.server.Name)
+		return nil
+	}
+
 	return ac.post(ctx, "/v1/jails/ensure-structure", nil, nil)
 }