From ba9b7171568a7cd0ab2c48bc03a5317b99820f4d Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Sat, 30 May 2026 21:59:12 +0000
Subject: [PATCH] fix: warn when compat-mode silently flips registry-trust to system (PILOT-312)

When -transport=compat is selected without an explicit -registry-trust, the trust store silently flips from 'pinned' (the default) to 'system' (Let's Encrypt). Operators selecting compat for single-port operation may not realize they're now trusting every CA in the OS root store. Add a slog.Warn matching the existing pattern for PILOT_REGISTRY and PILOT_BEACON env-var override warnings.
---
 cmd/daemon/main.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmd/daemon/main.go b/cmd/daemon/main.go
index 08d5811f..5f194a21 100644
--- a/cmd/daemon/main.go
+++ b/cmd/daemon/main.go
@@ -137,6 +137,7 @@ func main() {
 if !explicit["registry-trust"] {
 v := "system"
 registryTrust = &v
+ slog.Warn("compat-mode registry-trust defaulted to 'system' (Let's Encrypt validation). Override with -registry-trust=pinned if using pinned certificates (supply -registry-fingerprint).")
 }
 }
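Review bot: The message on the added `slog.Warn` line calls the fallback "Let's Encrypt validation", but the commit description says `system` trusts every CA in the OS root store, so the log line understates the trust expansion the operator has just accepted. Consider stating the effect directly and carrying the chosen mode as a structured attribute so it can be filtered or alerted on, e.g. `slog.Warn("compat transport: -registry-trust not set, defaulting to the system trust store (any CA in the OS root store can vouch for the registry); pass -registry-trust=pinned with -registry-fingerprint to keep pinning", "registry_trust", v)`. The enclosing `if` that selects compat mode begins outside the hunk, so it is not visible here whether the logger is already configured when this line runs; if it is not, the warning may not reach the operator's configured log sink.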