
Audit /v0/metrics content; now unauthenticated cluster-wide #266

@bdchatham

Description


Problem

Surfaced by security cross-review on the TLS-removal refactor. kube-rbac-proxy --ignore-paths exposes the sidecar's /v0/healthz, /v0/livez, /v0/startupz, and /v0/metrics without TokenReview or SAR. With the refactor making the proxy always-on and reachable from any pod in the cluster (until #266 lands), /v0/metrics is a passive disclosure channel.

The other three are health endpoints with known-bounded response bodies. /v0/metrics may export validator pubkeys, peer IDs, signing latencies, or any data correlated with operator-keyring use.

Proposed scope

  1. Enumerate exactly what the sidecar emits on /v0/metrics (sei-sidecar source).
  2. If any field is sensitive (validator identity, signing-latency, peer-identity beyond what's already public on chain), either gate behind authz (/v0/metrics-internal) or move to a non-bypassed path.

Why deferred from refactor/seinode-drop-sidecar-tls

The bypass-paths set is unchanged by the refactor; the audit applies whether or not we did the TLS removal. Easier as a focused follow-up against the sei-sidecar codebase.

References

  • refactor/seinode-drop-sidecar-tls
  • internal/noderesource/noderesource.go bypassPaths()
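The first scope item above is an enumeration-and-classification pass over the exposition /v0/metrics serves. The following Go program is an added example and not code from this issue or from the sei-sidecar project: it parses a Prometheus text-format body, then flags any sample whose metric name or label key matches an assumed list of identity- or keyring-correlated patterns (validator pubkey, peer/node ID, signing latency, keyring), and any label value that looks like an opaque key or ID (a 40+ character hex string or a 32+ character base64/base58-like string). The `SampleExposition` body and the pattern list are constructed for illustration; the real list has to come from reading the sidecar source, and the program would be run against a body fetched from a pod in the cluster.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Metric is one sample line from a Prometheus text-format exposition.
type Metric struct {
	Name   string
	Labels map[string]string
	Line   string
}

// Finding lists, per metric name, every reason it was classified as sensitive.
type Finding struct {
	Name    string
	Reasons []string
}

// sensitivePatterns is an ASSUMED, illustrative list of name/label-key patterns.
// The authoritative list must be derived from the sei-sidecar source.
var sensitivePatterns = []struct {
	re     *regexp.Regexp
	reason string
}{
	{regexp.MustCompile(`(?i)(pubkey|public_key|cons_?address|validator_?addr)`), "validator identity"},
	{regexp.MustCompile(`(?i)(peer_?id|node_?id)`), "peer identity"},
	{regexp.MustCompile(`(?i)sign(ing)?_?(latency|duration|seconds)`), "signing latency"},
	{regexp.MustCompile(`(?i)keyring`), "keyring use"},
}

var (
	sampleRe = regexp.MustCompile(`^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{([^}]*)\})?\s+(\S+)`)
	labelRe  = regexp.MustCompile(`([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"`)
	hexRe    = regexp.MustCompile(`^[0-9a-fA-F]{40,}$`)
	b64Re    = regexp.MustCompile(`^[A-Za-z0-9+/_-]{32,}={0,2}$`)
)

// SampleExposition is a CONSTRUCTED body standing in for a fetched /v0/metrics
// response; the validator_info labels and sign_latency series are invented.
const SampleExposition = `# HELP sei_sidecar_http_requests_total Requests by path.
# TYPE sei_sidecar_http_requests_total counter
sei_sidecar_http_requests_total{path="/v0/healthz",code="200"} 1204
process_resident_memory_bytes 5.2e+07
# HELP sei_sidecar_validator_info Constructed: identity exported as labels.
sei_sidecar_validator_info{pubkey="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",peer_id="16Uiu2HAmConstructedPeerIdForIllustrationOnly000"} 1
sei_sidecar_sign_latency_seconds_bucket{le="0.05"} 17
sei_sidecar_sign_latency_seconds_sum 0.84
sei_sidecar_sign_latency_seconds_count 19
`

// ParseExposition extracts sample lines, skipping # HELP/# TYPE and blank lines.
func ParseExposition(body string) []Metric {
	var out []Metric
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		m := sampleRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a sample line; ignore rather than guess
		}
		labels := map[string]string{}
		for _, kv := range labelRe.FindAllStringSubmatch(m[3], -1) {
			labels[kv[1]] = kv[2]
		}
		out = append(out, Metric{Name: m[1], Labels: labels, Line: line})
	}
	return out
}

// identifierLike reports whether a label value looks like a key, hash or node ID.
func identifierLike(v string) bool { return hexRe.MatchString(v) || b64Re.MatchString(v) }

// Classify returns one Finding per distinct metric name that matches a sensitive
// pattern by name, by label key, or by carrying an identifier-like label value.
func Classify(ms []Metric) []Finding {
	byName := map[string]map[string]bool{}
	add := func(name, reason string) {
		if byName[name] == nil {
			byName[name] = map[string]bool{}
		}
		byName[name][reason] = true
	}
	for _, m := range ms {
		for _, p := range sensitivePatterns {
			if p.re.MatchString(m.Name) {
				add(m.Name, "name: "+p.reason)
			}
		}
		for k, v := range m.Labels {
			for _, p := range sensitivePatterns {
				if p.re.MatchString(k) {
					add(m.Name, "label "+k+": "+p.reason)
				}
			}
			if identifierLike(v) {
				add(m.Name, "label "+k+": opaque identifier value")
			}
		}
	}
	var out []Finding
	for name, rs := range byName {
		f := Finding{Name: name}
		for r := range rs {
			f.Reasons = append(f.Reasons, r)
		}
		sort.Strings(f.Reasons)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	for _, f := range Classify(ParseExposition(SampleExposition)) {
		fmt.Printf("%s\n  %s\n", f.Name, strings.Join(f.Reasons, "\n  "))
	}
}
```

Anything the audit flags is a candidate for the second scope item: either it moves behind authz (off the bypassed path set) or the identifying labels are dropped from the series. Unflagged series such as request counters and process memory are the kind of bounded, non-identifying data the health endpoints already expose.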

Metadata


Assignees

No one assigned

    Labels

    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests