From 775508d0f4bbd081338537cd5a158da137e8a9b4 Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Fri, 29 May 2026 23:25:06 +0000
Subject: [PATCH] fix: log warning when tunnel encryption is disabled (PILOT-256)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When config.Encrypt is false, the daemon silently ran without encryption — every connection sent plaintext. Add slog.Warn so a misconfigured or tampered config is flagged at startup.
---
 pkg/daemon/daemon.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/daemon/daemon.go b/pkg/daemon/daemon.go
index 099eba10..f142e8e1 100644
--- a/pkg/daemon/daemon.go
+++ b/pkg/daemon/daemon.go
@@ -666,6 +666,8 @@ func (d *Daemon) Start() error {
 if err := d.tunnels.EnableEncryption(); err != nil {
 return fmt.Errorf("tunnel encryption: %w", err)
 }
+ } else {
+ slog.Warn("tunnel encryption is disabled — all connections will send plaintext")
 }

 // 2b. Wire the event bus into the tunnel layer BEFORE starting the
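Review bot: The new `else` branch only logs, so Start() still brings the daemon up in plaintext, and a single startup warning with a free-text message is easy to miss and brittle to alert on. Give log-based detection something stable to match by attaching attributes and keeping the message ASCII, e.g. `slog.Warn("tunnel encryption is disabled; all connections will send plaintext", "component", "tunnel", "encrypt", false)`. Since the commit message names a tampered config as a case to catch, consider whether Start() should instead return an error unless plaintext operation is explicitly acknowledged by a separate setting; that is a behavior change and needs a decision beyond this hunk. The enclosing `if` condition and the rest of Start() lie outside the hunk, so this assumes the branch is reached only when config.Encrypt is false, as the description states.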