fix(daemon): warn when PILOT_REGISTRY/PILOT_BEACON env vars override compiled defaults (PILOT-236) (#173)

PILOT_REGISTRY and PILOT_BEACON env vars silently override compiled
defaults at startup with no log entry or warning. An attacker who
controls the daemon's environment can redirect registry/beacon to
attacker-controlled endpoints, granting trust to an imposter network.

This adds a slog.Warn log entry after logging setup when either env
var overrides the compiled default, alerting the operator that the
daemon is connecting to a non-default registry or beacon address.

Closes PILOT-236

Author: matthew-pilot

cmd/daemon/main.go

@@ -38,12 +38,16 @@ var version = "dev"
 func main() {
 	configPath := flag.String("config", "", "path to config file (JSON)")
 	registryDefault := "34.71.57.205:9000"
+	registryFromEnv := false
 	if v := os.Getenv("PILOT_REGISTRY"); v != "" {
 		registryDefault = v
+		registryFromEnv = true
 	}
 	beaconDefault := "34.71.57.205:9001"
+	beaconFromEnv := false
 	if v := os.Getenv("PILOT_BEACON"); v != "" {
 		beaconDefault = v
+		beaconFromEnv = true
 	}
 	registryAddr := flag.String("registry", registryDefault, "registry server address (or $PILOT_REGISTRY)")
 	beaconAddr := flag.String("beacon", beaconDefault, "beacon server address (or $PILOT_BEACON)")
@@ -138,6 +142,13 @@ func main() {
 
 	logging.Setup(*logLevel, *logFormat)
 
+	if registryFromEnv {
+		slog.Warn("PILOT_REGISTRY env var overrides compiled default — registry address redirected to " + *registryAddr + ". If this is unexpected, check the daemon's environment for tampering.")
+	}
+	if beaconFromEnv {
+		slog.Warn("PILOT_BEACON env var overrides compiled default — beacon address redirected to " + *beaconAddr + ". If this is unexpected, check the daemon's environment for tampering.")
+	}
+
 	d := daemon.New(daemon.Config{
 		RegistryAddr:          *registryAddr,
 		BeaconAddr:            *beaconAddr,