
fix: warn when PILOT_REGISTRY/PILOT_BEACON env vars override compiled defaults (PILOT-236)#173

Merged
TeoSlayer merged 1 commit into
mainfrom
openclaw/pilot-236-20260529-172451
May 29, 2026

Conversation

@matthew-pilot
Collaborator

What failed

PILOT_REGISTRY and PILOT_BEACON environment variables silently override the compiled default registry (34.71.57.205:9000) and beacon (34.71.57.205:9001) addresses at daemon startup (cmd/daemon/main.go:41-46). No warning, no log entry. An attacker who controls the daemon's environment — via .bashrc, .zshenv, /etc/environment, systemd unit override, or container env block — can redirect the daemon to attacker-controlled rendezvous and beacon, granting trust to an impostor who can impersonate any peer.

Why this fix

After logging.Setup, emit a slog.Warn when either env var was used to override the compiled default. This alerts the operator that their daemon is connecting to a non-default registry or beacon address. The warning includes the redirected address and a prompt to check for tampering if unexpected.

Tracked with two booleans (registryFromEnv, beaconFromEnv) set during env-var reading, consumed after structured logging is online. No behavioral change — the daemon still respects the env var; the only difference is a visible warning.

Verification

  • go build ./cmd/daemon/ — clean
  • go vet ./cmd/daemon/ — clean
  • Integration test suite (./tests/) — running

Diff

 cmd/daemon/main.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

Closes PILOT-236

…compiled defaults (PILOT-236)

PILOT_REGISTRY and PILOT_BEACON env vars silently override compiled
defaults at startup with no log entry or warning. An attacker who
controls the daemon's environment can redirect registry/beacon to
attacker-controlled endpoints, granting trust to an imposter network.

This adds a slog.Warn log entry after logging setup when either env
var overrides the compiled default, alerting the operator that the
daemon is connecting to a non-default registry or beacon address.

Closes PILOT-236
@matthew-pilot matthew-pilot added the canary-passed Canary E2E tests passed for this PR label May 29, 2026
@matthew-pilot
Collaborator Author

🦾 Matthew PR Check — #173 PILOT-236

Status

  • State: OPEN · mergeable_state=blocked
  • CI: 2/5 passing (Go ubuntu ✅, Go macos ✅; Architecture gates ❌×2 pre-existing; Analyze Go ⏳ in-progress)
  • Created: 2026-05-29 17:25 UTC
  • Files: 1 (+11 −0)

Verdict

CLEAN — narrow change (11 lines in cmd/daemon/main.go). Emits slog.Warn when PILOT_REGISTRY or PILOT_BEACON env var overrides the compiled default. No behavioral change — daemon still respects the env var, just adds operator-visible warning. CI failures (Architecture gates ×2) are pre-existing and unrelated to this diff. Analyze Go still running.

Jira

PILOT-236

🤖 @matthew-pilot — automated PR worker

@matthew-pilot
Collaborator Author

🦜 Matthew Explains — #173 PILOT-236

What this does

Adds two slog.Warn calls in cmd/daemon/main.go that fire when PILOT_REGISTRY or PILOT_BEACON environment variables override the compiled-in default addresses.

Why it matters

These env vars determine where the daemon connects for rendezvous and beacon services. An attacker who controls the daemon environment (.bashrc, .zshenv, /etc/environment, systemd unit override, or container env block) can silently redirect the daemon to attacker-controlled infrastructure. Before this fix, there was zero visibility — no log entry, no warning. The daemon would happily connect to an impostor beacon.

The fix

  • Two boolean trackers (registryFromEnv, beaconFromEnv) are set to true during the env-var read block (lines 41–46)
  • After logging.Setup() brings structured logging online, two slog.Warn blocks emit the redirected address and a prompt to check for tampering if unexpected
  • Zero behavioral change: the daemon still respects the env var override; the only delta is a visible log warning
  • Diff: 1 file, +11 lines in cmd/daemon/main.go

Threat model

| Vector | Before | After |
| --- | --- | --- |
| .bashrc / .zshenv export | Silent redirect | WARN logged |
| systemd Environment= override | Silent redirect | WARN logged |
| Container --env flag | Silent redirect | WARN logged |
| /etc/environment | Silent redirect | WARN logged |

The fix does not prevent the override — it makes it visible. The operator can then investigate unexpected addresses via journalctl -u pilot-daemon | grep redirected.

Verification

  • go build ./cmd/daemon/ — clean
  • go vet ./cmd/daemon/ — clean

🤖 @matthew-pilot — automated PR explainer
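
A compact Go sketch of the mechanism described under "Why this fix" in the PR description and in "The fix" bullets above: each address is read from its env var with fallback to the compiled default, a per-address flag records whether the environment changed it, and one slog.Warn per redirected address fires once structured logging is online. This is added example code, not the project's cmd/daemon/main.go; the two compiled addresses are the ones quoted in the PR, and treating a blank value, or one equal to the default, as "no override" is an assumption of the example.

```go
package main

import (
	"log/slog"
	"os"
	"strings"
)

// Compiled-in defaults, as quoted in the PR description.
const (
	defaultRegistry = "34.71.57.205:9000"
	defaultBeacon   = "34.71.57.205:9001"
)

// envAddr is the resolved address of one setting plus whether the env var changed it.
type envAddr struct {
	Name, Addr string
	FromEnv    bool
}

// resolveAddr mirrors the startup env read (lookup behaves like os.LookupEnv): unset or
// blank keeps the compiled default; a value equal to it is not flagged (assumption).
func resolveAddr(name, compiled string, lookup func(string) (string, bool)) envAddr {
	v, ok := lookup(name)
	if v = strings.TrimSpace(v); !ok || v == "" || v == compiled {
		return envAddr{Name: name, Addr: compiled}
	}
	return envAddr{Name: name, Addr: v, FromEnv: true}
}

// warnOverrides runs once structured logging is online and emits one Warn per
// redirected address; it returns the number of warnings so callers can test it.
func warnOverrides(log *slog.Logger, addrs ...envAddr) int {
	n := 0
	for _, a := range addrs {
		if a.FromEnv {
			log.Warn("compiled default redirected by environment variable",
				"var", a.Name, "addr", a.Addr,
				"hint", "verify this address is expected; check for tampering if not")
			n++
		}
	}
	return n
}

func main() {
	// Real daemon flow: read the process environment, then warn after logging is up.
	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
	warnOverrides(logger,
		resolveAddr("PILOT_REGISTRY", defaultRegistry, os.LookupEnv),
		resolveAddr("PILOT_BEACON", defaultBeacon, os.LookupEnv))
}
```

Run it with `PILOT_REGISTRY=203.0.113.5:9000 go run .` to see a single WARN line carrying the redirected address; with neither variable set it stays silent.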

@hank-pilot
Collaborator

hank-pilot commented May 29, 2026

🤖 Hank — CI status

Classification: real
Run: https://github.com/TeoSlayer/pilotprotocol/actions/runs/26651908026
At commit: 6b63f0f

The build/test failure is a genuine code defect:

WARNING: DATA RACE
Read at 0x00c002608000 by goroutine 7477:
  runtime.slicecopy()
      .../runtime/slice.go:355 +0x0
  github.com/TeoSlayer/pilotprotocol/pkg/daemon.TestWriteLoopExitsOnWriteDeadline.func3()
      .../pkg/daemon/zz_ipc_write_deadline_test.go:75 +0x95
--- FAIL: TestWriteLoopExitsOnWriteDeadline (15.10s)
    zz_ipc_write_deadline_test.go:92: writeLoop did not exit within deadline window
FAIL	github.com/TeoSlayer/pilotprotocol/pkg/daemon	66.522s

@matthew-pilot — fix or comment.

Auto-classified at 2026-05-29T18:45:00Z. Re-runs on next push or check completion.

Owner

@TeoSlayer TeoSlayer left a comment


Architecture-gates race-flake is pre-existing (TestTunnelKeepaliveLoopFires / TestTrustRepublishLoopFires etc., not related to this PR). Approving to admin-merge.

@TeoSlayer TeoSlayer merged commit 6034af2 into main May 29, 2026
8 of 12 checks passed
@TeoSlayer TeoSlayer deleted the openclaw/pilot-236-20260529-172451 branch May 29, 2026 20:38
@matthew-pilot
Collaborator Author

🧹 Matthew Cleanup — #173 Merged

PR merged by TeoSlayer at 2026-05-29T20:37:59Z. Cleaning up now.

  • Branch: openclaw/pilot-236-20260529-172451 — will delete
  • Merge commit: 6034af28
  • Jira: PILOT-236 → Done

Thanks for the merge! 🚀

@matthew-pilot
Collaborator Author

🧹 Matthew Cleanup — #173 PILOT-236

Merged: 6034af2 by TeoSlayer at 2026-05-29T20:37:59Z
Branch: openclaw/pilot-236-20260529-172451 — already auto-deleted on merge
Jira: PILOT-236 → transitioning to READY (41)

✅ Cleanup complete.
