fix: gate mutual and same-network auto-trust on registryBound (PILOT-228)

handshake.go

@@ -625,8 +625,10 @@ func (hm *Manager) handleRequest(stream coreapi.Stream, msg *HandshakeMsg, regis
 	}
 
 	// Check if we have an outgoing request to this peer (mutual handshake)
-	if _, ok := hm.outgoing[peerNodeID]; ok {
-		// Mutual! Auto-approve
+	// SEC-038: mutual auto-trust is gated on registryBound so a peer
+	// cannot claim any NodeID with their own keypair and slip into trust.
+	if _, ok := hm.outgoing[peerNodeID]; ok && registryBound {
+		// Mutual! Auto-approve (registry confirmed pubkey binding)
 		delete(hm.outgoing, peerNodeID)
 		hm.markTrustedLocked(peerNodeID, &TrustRecord{
 			NodeID:     peerNodeID,
@@ -652,7 +654,9 @@ func (hm *Manager) handleRequest(stream coreapi.Stream, msg *HandshakeMsg, regis
 	}
 
 	// Check if peers are on the same network (network trust)
-	if hm.sameNetwork(peerNodeID) {
+	// SEC-038: same-network auto-trust is gated on registryBound so a
+	// peer cannot claim any NodeID with their own keypair and slip into trust.
+	if hm.sameNetwork(peerNodeID) && registryBound {
 		hm.markTrustedLocked(peerNodeID, &TrustRecord{
 			NodeID:     peerNodeID,
 			PublicKey:  msg.PublicKey,

zz_ceiling_more_test.go

@@ -36,7 +36,7 @@ func TestHandleRequest_SameNetworkDirectPathAutoApproves(t *testing.T) {
 		NodeID:    99,
 		PublicKey: "peer-99-key",
 		Timestamp: time.Now().Unix(),
-	}, false)
+	}, true) // registryBound=true: peer's pubkey was confirmed by the registry
 
 	hm.mu.RLock()
 	rec, trusted := hm.trusted[99]

zz_handshake_accept_request_test.go

@@ -104,7 +104,7 @@ func TestHandleRequestMutualAutoApprovesAndMarksMutual(t *testing.T) {
 		PublicKey: "peer-99-key",
 		Timestamp: time.Now().Unix(),
 	}
-	hm.handleRequest(nil, msg, false)
+	hm.handleRequest(nil, msg, true) // registryBound=true: peer is verified by registry
 
 	hm.mu.RLock()
 	rec, ok := hm.trusted[99]