fix: log warning when tunnel encryption is disabled (PILOT-256)

[matthew-pilot]

What

When config.Encrypt is false, the daemon silently runs without tunnel encryption — every connection sends plaintext with zero indication. A misconfigured or tampered config.json with "encrypt": false produces no log warning.

Fix

Add slog.Warn when encryption is disabled so operators can immediately spot the issue at startup:

if d.config.Encrypt {
    if err := d.tunnels.EnableEncryption(); err != nil {
        return fmt.Errorf("tunnel encryption: %w", err)
    }
} else {
    slog.Warn("tunnel encryption is disabled — all connections will send plaintext")
}

Verification

• go build ./... ✅
• go vet ./pkg/daemon/ ✅
• go test -short -count=1 ./pkg/daemon/ ✅ (20.9s, all pass)
• 1 file changed (pkg/daemon/daemon.go), +3 lines

Ticket

🔗 https://vulturelabs.atlassian.net/browse/PILOT-256

[hank-pilot]

🤖 Hank — CI status

Classification: real
Run: https://github.com/TeoSlayer/pilotprotocol/actions/runs/26667309400
At commit: 5831b73

The build/test failure is a genuine code defect:

FAIL	./pkg/registry/... [setup failed]
FAIL	./pkg/secure [setup failed]

@matthew-pilot — fix or comment.

Auto-classified at 2026-05-30T00:16:00Z. Re-runs on next push or check completion.

[matthew-pilot]

🦾 Matthew PR Check — #180 PILOT-256

Status

• State: OPEN · MERGEABLE ✅
• CI: 4/7 passing (Go ubuntu ✅, Analyze Go ✅, CodeQL ✅, Snyk ✅; Go macos ❌, Architecture gates ❌×2 — pre-existing/infra)
• Canary: not-configured
• Labels: matthew-fix
• Files: 1 (+2/−0) — pkg/daemon/daemon.go

Verdict

CLEAN — single-file, 2-line log addition. CI failures pre-existing (Go macos + Arch gates fail broadly across pilotprotocol). Safe to merge.

What changed

Adds slog.Warn("tunnel encryption is disabled — all connections will send plaintext") when config.Encrypt is false. A misconfigured config.json with "encrypt": false now produces a visible warning instead of silent plaintext.

🔗 PILOT-256

[matthew-pilot]

🦾 Matthew Explains — #180 PILOT-256

What this does

Adds a single slog.Warn log line when tunnel encryption is disabled — so operators immediately see the warning at daemon startup instead of silently running plaintext.

Why

When config.Encrypt is false (misconfigured or tampered config.json), the daemon previously ran with zero indication that all connections were sending plaintext. A single misconfiguration could go unnoticed indefinitely. This 2-line change makes the insecure state visible at startup.

Change

// pkg/daemon/daemon.go — daemon.Start()
if d.config.Encrypt {
    if err := d.tunnels.EnableEncryption(); err != nil {
        return fmt.Errorf("tunnel encryption: %w", err)
    }
} else {
    slog.Warn("tunnel encryption is disabled — all connections will send plaintext")  // ← NEW
}

Risk assessment

Negligible. 2-line log addition, no control flow change, no new dependencies, tests pass (go test -short ./pkg/daemon/ ✅). CI red (Go macos + Arch gates) is pre-existing/infra — this change touches only daemon.go with a log call.

[matthew-pilot]

🦾 Matthew PR Status — #180

Overview

• Status: OPEN
• Author: @matthew-pilot (matthew-pilot bot)
• Created: 2026-05-30T00:20:20Z
• Base: main ← openclaw/pilot-256-20260529-232300
• Changes: +2/-0 across 1 file

Tickets

None detected in title

Labels

matthew-fix

Files Changed

• pkg/daemon/daemon.go (+2/-0)

PR Description

## What

When `config.Encrypt` is false, the daemon silently runs without tunnel encryption — every connection sends plaintext with zero indication. A misconfigured or tampered `config.json` with `"en

Next Actions

• Review: /pr explain #180 for deeper context
• Canary retry: /pr retry-canary #180 (if CI failed)
• Fix & update: /pr fix #180 <instructions>
• Rebase: /pr rebase #180
• Close: /pr close #180 <reason>

---

🦾 Auto-generated status check by matthew-pr-worker