Area: Admin plane (audit p12) · Surface: POST /admin/iptables/delete (removed) · Dimension: dead-code · Severity: minor
The live iptables viewer (AdminIptablesController::index) is deliberately read-only ("nomodify"). The companion delete() handler — which mutates ip_bans and touches the kernel-sync marker — has no route and no form pointing at it. It is unreachable dead code, and a non-trivial one (it performs a destructive DELETE).
Evidence
routes.php:1897 records the removal: "// POST /iptables/delete removed 2026-05-30 — viewer is read-only (\"nomodify\")." Method still present: platform/src/Controllers/AdminIptablesController.php:83 `public function delete(): void` (executes DELETE FROM ip_bans at line 129). Grep proof of no route + no form posting to it:
$ grep -nE 'AdminIptablesController@delete' src/routes.php → (empty)
$ grep -rn 'iptables/delete' src/ templates/ → only the docblock at AdminIptablesController.php:71 and the removal comment at routes.php:1897; no <form action> anywhere.
Suggested fix. Delete AdminIptablesController::delete() (lines 83+) since the viewer is permanently read-only. Removing dead destructive handlers also shrinks the attack surface.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
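The grep proof in the evidence above, generalized to every public method of a controller so it can run as a regression guard. This is an added example, not part of the original finding or the project's code. The function names, the `$router->get(...)` route syntax and the sample files are constructed; it assumes handlers are named in the routes file as `Controller@method` strings and that disabled routes are commented out with `//`.

```shell
# Added example (not project code). Sample files below are constructed.
# Assumption: routes name handlers as 'Controller@method', the form the
# grep in the evidence searches for.

# Print every public method of a controller that no live route references.
unrouted_methods() {
    routes_file=$1
    controller_file=$2
    class=$(basename "$controller_file" .php)
    # Drop // comments so a removal note is not mistaken for a route.
    live=$(sed 's|//.*$||' "$routes_file")
    grep -oE 'public function [A-Za-z_][A-Za-z0-9_]*' "$controller_file" |
        awk '{ print $3 }' |
        while read -r method; do
            case $method in __*) continue ;; esac   # constructors, magic methods
            # Require a non-identifier character after the name so
            # @delete does not match @deleteAll.
            if ! printf '%s\n' "$live" |
                grep -qE "${class}@${method}([^A-Za-z0-9_]|\$)"; then
                printf '%s::%s\n' "$class" "$method"
            fi
        done
}

# Constructed sample mirroring the finding: index is routed, delete is not.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/routes.php" <<'EOF'
<?php
$router->get('/admin/iptables', 'AdminIptablesController@index');
// POST /iptables/delete removed - viewer is read-only ("nomodify").
// $router->post('/admin/iptables/delete', 'AdminIptablesController@delete');
EOF
    cat > "$dir/AdminIptablesController.php" <<'EOF'
<?php
class AdminIptablesController {
    public function __construct() {}
    public function index(): void {}
    public function delete(): void {}
}
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample)
unrouted_methods "$sample/routes.php" "$sample/AdminIptablesController.php"  # prints AdminIptablesController::delete
rm -rf "$sample"
```

A non-empty result in CI flags a handler that is either dead code or missing its route; it does not see routes registered by other means (closures, attribute-based routing).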