From 3ecc74700cefb080787e005df18878453d1d7b1e Mon Sep 17 00:00:00 2001
From: matthew-pilot <matthew@vulturelabs.io>
Date: Sat, 30 May 2026 16:18:59 +0000
Subject: [PATCH] docs(tests): add banner warning that Public:true is test-only
 (PILOT-297)

The AddDaemon and AddDaemonOnly helpers in testenv.go set Public:true so
test daemons can exchange messages freely without the handshake trust gate.
This is correct test behavior, but anyone reading testenv.go as example code
gets that as the implied default. Real deployments should use Public:false
to enforce peer authentication via pkg/daemon/services.go:166-170.

Add a banner comment at the top of tests/testenv.go warning readers not to
copy-paste daemon.Config values into production without review.

Closes PILOT-297
---
 tests/testenv.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tests/testenv.go b/tests/testenv.go
index 026e1be5..2511d1d8 100644
--- a/tests/testenv.go
+++ b/tests/testenv.go
@@ -1,5 +1,12 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
 
+// IMPORTANT — Do not copy-paste daemon.Config values from this file into
+// production code without review. In particular, AddDaemon and AddDaemonOnly
+// both set Public: true so that test daemons can freely exchange messages
+// without the handshake trust gate. Real deployments should use Public: false
+// to enforce peer authentication. See pkg/daemon/services.go:166-170 for the
+// trust-gate logic.
+
 package tests
 
 import (