
Gantry: 6 - Repository input validation #282

@vpatelsj

Description

Scope

Add coord peer authorization telemetry and an enforcement gate.

Problem

The coord server knows the remote libp2p peer ID but does not authorize it against membership. Transfer is plain HTTP and remains NetworkPolicy-only; this issue is intentionally scoped to coord.

Evidence:

  • internal/gantry/coord/coord.go:289
  • internal/gantry/coord/coord.go:493
  • internal/gantry/transfer/transfer.go:161

Changes

  • Add coord peer authorization in observe-only mode by default.
  • Compare str.Conn().RemotePeer().String() with Node.PeerID values from members.Snapshot().
  • Treat members.Snapshot() as telemetry input, not an authoritative security oracle.
  • Document behavior for stale membership, empty peer IDs, peer-ID rotation, bootstrap peers, and informer lag.
  • Add p2p_coord_unauthorized_peer_total and structured logs for misses.
  • Add coord_peer_authz_enforce defaulting to false.
  • If enforcement is false, serve the request after recording the metric. If true, reject before dispatching the request.
  • Enforcement readiness criteria: at least one full DaemonSet rollout with zero unexpected unauthorized hits, tests for peer-ID rotation and informer lag, and operator confirmation that bootstrap traffic does not generate false positives.

Tests

  • Unauthorized remote peer increments p2p_coord_unauthorized_peer_total and is served in observe-only mode.
  • Unauthorized remote peer is rejected when coord_peer_authz_enforce=true.
  • Stale membership, empty peer ID, rotated peer ID, and bootstrap scenarios do not produce unreviewed enforcement behavior.
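The gate sketched in the Changes and Tests lists above, as an added example that is not code from the Gantry repository. It models the coord-side check in plain Go with the standard library only: `Member`, `Snapshotter`, `PeerAuthz`, `Gate` and the bootstrap allowlist are assumed names standing in for `members.Snapshot()` and `str.Conn().RemotePeer()`, the `UnauthorizedTotal` counter stands in for `p2p_coord_unauthorized_peer_total`, and `Enforce` plays the role of `coord_peer_authz_enforce`. Treating an empty remote peer ID as an unauthorized miss and allowing bootstrap peers through a separate allowlist are assumptions about behaviour the issue says must be documented but does not specify.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"sync"
	"sync/atomic"
)

// Member is the subset of a membership entry the gate needs (assumed shape;
// the real Node type from members.Snapshot() is not shown on the issue).
type Member struct {
	Name   string
	PeerID string // may be empty when the node has not published one yet
}

// Snapshotter abstracts members.Snapshot(): a point-in-time view that can lag
// the cluster (informer lag, stale entries), so it is telemetry input only.
type Snapshotter interface {
	Snapshot() []Member
}

// staticMembers is a constructed, in-memory membership source for the demo.
type staticMembers struct {
	mu      sync.RWMutex
	members []Member
}

func (s *staticMembers) Snapshot() []Member {
	s.mu.RLock()
	defer s.mu.RUnlock()
	out := make([]Member, len(s.members))
	copy(out, s.members)
	return out
}

// Set replaces the snapshot, simulating an informer update or a peer-ID rotation.
func (s *staticMembers) Set(m []Member) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.members = m
}

// Decision records the outcome and a reason suitable for a structured log field.
type Decision struct {
	Authorized bool
	Reason     string // "member", "bootstrap", "empty_peer_id", "unknown_peer"
}

// ErrUnauthorizedPeer is returned before dispatch when enforcement is on.
var ErrUnauthorizedPeer = errors.New("coord: unauthorized remote peer")

// PeerAuthz is the observe-or-enforce gate for inbound coord streams.
type PeerAuthz struct {
	Enforce           bool            // coord_peer_authz_enforce (default false)
	Bootstrap         map[string]bool // assumed allowlist of bootstrap peer IDs
	Members           Snapshotter
	UnauthorizedTotal atomic.Int64 // p2p_coord_unauthorized_peer_total
	Logf              func(format string, args ...any)
}

func NewPeerAuthz(members Snapshotter, enforce bool, bootstrap []string) *PeerAuthz {
	a := &PeerAuthz{Enforce: enforce, Members: members, Bootstrap: map[string]bool{}, Logf: log.Printf}
	for _, id := range bootstrap {
		a.Bootstrap[id] = true
	}
	return a
}

// Check compares the remote peer ID with the current snapshot. The snapshot is
// taken per request so a rotated ID is honoured as soon as the informer sees it.
func (a *PeerAuthz) Check(remotePeer string) Decision {
	if remotePeer == "" {
		return Decision{false, "empty_peer_id"} // assumption: empty IDs count as misses
	}
	if a.Bootstrap[remotePeer] {
		return Decision{true, "bootstrap"}
	}
	for _, m := range a.Members.Snapshot() {
		if m.PeerID != "" && m.PeerID == remotePeer {
			return Decision{true, "member"}
		}
	}
	return Decision{false, "unknown_peer"}
}

// Gate wraps the stream handler: a miss is always counted and logged; in
// observe-only mode the request is still served, with enforcement it is rejected
// before handle is ever called.
func (a *PeerAuthz) Gate(remotePeer string, handle func() error) error {
	d := a.Check(remotePeer)
	if d.Authorized {
		return handle()
	}
	a.UnauthorizedTotal.Add(1)
	a.Logf("coord: unauthorized peer remote_peer=%q reason=%s enforce=%t", remotePeer, d.Reason, a.Enforce)
	if a.Enforce {
		return ErrUnauthorizedPeer
	}
	return handle()
}

func main() {
	m := &staticMembers{}
	m.Set([]Member{{Name: "node-a", PeerID: "peer-A"}}) // constructed sample membership
	a := NewPeerAuthz(m, false, []string{"boot-1"})
	serve := func() error { fmt.Println("served"); return nil }
	fmt.Println("observe, unknown peer:", a.Gate("peer-Z", serve), "misses:", a.UnauthorizedTotal.Load())
	a.Enforce = true
	fmt.Println("enforce, unknown peer:", a.Gate("peer-Z", serve), "misses:", a.UnauthorizedTotal.Load())
}
```

Because `Check` reads a fresh snapshot on every request, a stale entry only produces a miss (counted, and served in observe mode) rather than a silent allow, which is what makes the counter a usable readiness signal before flipping `Enforce` on.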
