[critical] Durability pull merges unscoped, unprovenanced peer-asserted components

[mbertschler]

Summary

The durability metadata pull merges peer-asserted vector components into the local destination_run_ids table with almost no scoping, and the merged rows later gate squirrel offload (deletion). A compromised or buggy peer holding a valid token can therefore make the local node believe content is durable on a destination it cannot itself observe — and then offload deletes the local copy.

Where

• sync/durability.go — pullDurability / validateComponent (checks only: destination non-empty, origin a valid node name, run > 0)
• store/destination_run_ids.go — UpsertDestinationRunID (monotonic merge, no source tagging)
• offload/gate.go — reads ListDestinationRunIDs with no per-source distinction

Scenario

A volume requires ["nas", "offsite"]. Only the NAS pushes to offsite, so the laptop's only evidence about offsite is the post-sync pull from the NAS. A compromised NAS returns a component {Destination: "offsite", OriginNode: <laptop>, OriginRun: >= current} for every origin. The laptop merges it; the gate's offsite vector now "covers" everything; squirrel offload deletes local bytes that exist only on the compromised NAS.

Because the merge is keyed purely by destination name and is monotonic, a peer can also inflate a component for a target the laptop verifies itself (e.g. nas) above the laptop's own verified value — corrupting directly-verified evidence.

Fix shape

Consistent with the trusted-peer design stance, contain the blast radius:

1. In pullDurability, drop any component whose destination is not a peer-only target named in this volume's offload_requires (and never accept a component for a destination the local node syncs directly — those advance only via local verified AdvanceDestinationVector).
2. Record pulled evidence tagged with the asserting peer (a source column / separate table), so the gate can weigh it as a distinct, revocable class and the audit trail can answer "which evidence gated this offload" (currently pulled vs locally-verified rows are indistinguishable).

This was flagged at PR #99 review time as inherent to the trusted-peer model; the audit traced it to a concrete data-loss chain, so it warrants the scoping fix now that offload_requires exists.

Adversarial audit of offload-v1 (auditor C C-1, auditor D F7b).

[mbertschler]

Status after the overnight fixes (offload-v1):

• The exploitable gating concern (a peer making the laptop offload content durable only on a destination it can't observe) was closed by offload: make the durability gate sound (freshness + method provenance + snapshot-pinned advance) #120's freshness condition — a peer-relayed target only gates when pulled origin-space freshness covers the content, and a relayed target with no pulled evidence refuses (fail-closed).
• The pull-scoping hygiene half landed in sync: scope durability pull to the volume's accepted destinations #123: the durability pull now drops (and counts) components/freshness for destinations outside the volume's offload_requires ∪ sync_to, so a peer can't pollute the local vector with arbitrary destination names.

Residual still open (this issue stays open): provenance tagging — recording WHICH peer asserted each pulled component, so the audit trail can answer 'what evidence gated this offload' and a compromised peer's assertions can be revoked without rewinding the live vector. This needs a source-peer column on destination_run_ids (a migration) and is audit-hardening rather than an exploitable hole, so it was deliberately deferred for review rather than rushed overnight.