
[bug] Enforce authorization on RpcConnectRemote authorities #348

@sizumita

Description


Affected component

imagod

Summary

RpcConnectRemote currently accepts any remote authority as long as the caller presents a valid manager_auth_proof. Unlike ResolveInvocationTarget / RpcInvokeRemote, it does not enforce is_binding_allowed(...) or any equivalent authority allowlist.

Steps to reproduce

  1. Start a service/runner that is registered with the manager.
  2. Send ControlRequest::RpcConnectRemote with a valid runner_id and manager_auth_proof.
  3. Use an arbitrary authority such as rpc://host:port that is not covered by any binding.
  4. Observe that the manager probes the authority and records the connection.

Expected behavior

The manager should reject remote connection attempts unless the source service is explicitly allowed to reach that remote authority.

Actual behavior

RpcConnectRemote validates manager auth, then immediately probes and inserts the remote connection without checking service bindings or any remote authority allowlist.

Version

3f1c39e

Environment

other

Resource impact (optional)

unknown

Additional context

Evidence:

  • crates/imagod-control/src/service_supervisor/manager_control.rs:288
  • crates/imagod-control/src/service_supervisor/manager_control.rs:323

Comparison point:

  • crates/imagod-control/src/service_supervisor/manager_control.rs:257 enforces is_binding_allowed(...) for service-to-service resolution.

Suggested direction:

  • Require binding-based authorization or an explicit remote authority allowlist at connect time.
  • Keep the behavior fail-closed before probing or persisting the remote connection.
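As an added illustration of the fail-closed ordering suggested above (this is example code, not code from imagod; the Binding type, the Manager state and the probe stand-in are assumptions made for the example):

```rust
use std::collections::HashSet;
/// Explicit permission for `source_service` to reach `authority` (hypothetical shape).
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct Binding {
    pub source_service: String,
    pub authority: String,
}

#[derive(Debug, PartialEq)]
pub enum ConnectError {
    BadAuthProof,
    AuthorityNotAllowed,
}

/// Stand-in manager state (constructed for this example).
#[derive(Default)]
pub struct Manager {
    pub bindings: HashSet<Binding>,
    pub connections: Vec<(String, String)>,
    pub probes_attempted: usize,
}
impl Manager {
    /// Fail-closed: allowed only when an exact binding exists; no bindings means deny.
    pub fn is_binding_allowed(&self, source_service: &str, authority: &str) -> bool {
        let wanted = Binding { source_service: source_service.into(), authority: authority.into() };
        self.bindings.contains(&wanted)
    }

    /// Stand-in for the network probe; counts calls so a test can show it never ran.
    fn probe(&mut self, _authority: &str) {
        self.probes_attempted += 1;
    }

    /// Hardened RpcConnectRemote: auth proof, then authority check, only then probe and record.
    pub fn rpc_connect_remote(
        &mut self, source_service: &str, auth_proof_valid: bool, authority: &str,
    ) -> Result<(), ConnectError> {
        if !auth_proof_valid {
            return Err(ConnectError::BadAuthProof);
        }
        // The check sits before every side effect: an unbound authority is never probed or stored.
        if !self.is_binding_allowed(source_service, authority) {
            return Err(ConnectError::AuthorityNotAllowed);
        }
        self.probe(authority);
        self.connections.push((source_service.to_string(), authority.to_string()));
        Ok(())
    }
}
```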

Labels

  • bug (Something isn't working)