No one offered anything about this, so I will reply to my own question with information that I have gathered.

First, Arista takes "security" seriously.  They recommend putting the management interface into a special VRF.  This causes the IP address to be hidden from normal SNMP queries -- even if they run against the management interface!

Their solution is to use a special credential:  <community_string>@<vrf> when polling sensitive information.  I have tested this and there is not much that comes from this type of polling other than the IP address of the management interface.

Discovery, of course, does not seem to be able to use multiple credentials for the same device, especially during one discovery pattern.  Perhaps there is an enhancement idea in this.

Apparently there is some logic in the reconciliation engine that causes the IP address for a CI to be updated if the IP address in the payload does not appear in the IP address list elsewhere in the payload.  On the surface this makes sense, but (in network) there are times when devices are managed with IP addresses that they do not contain, such as in environments that use Network Address Translation (NAT).  I will not chase that rabbit here.

My choices seemed to be these:

1. Create a pattern that removes ALL IP addresses from the device

2. Create a pattern that injects the missing management IP address.  This can work because of these assumptions:

1. The management interface is always called Management1

2. The address of the management interface is very likely to be the IP address that was used to find the device.

I took the second route because there was value in retaining the IP addressing in the device.

The implementation turned out not to be all that hard after some study of table support in the pattern language.  I probably did not do it right, but here is what I did:

a. I cloned the Network Switch pattern to create my own

b. I cloned the SNMP Identify pattern library to create my own.  (This is much harder than it should be)

c. I altered my copy of the Network Switch pattern so it would use my copy of SNMP Identify instead of the standard one.

d. I altered my copy of the SNMP Identify pattern by adding new steps between the existing steps that processed the IP address table.  After the addresses are collected, my new steps make a copy of the table, transform it by changing everything to my desired value, and then remove any duplicate records.  This new table is then added to the standard table and the "normal" logic continues.  To keep the madness to a minimum, I put an "OID matching" precondition on all of my new steps so they will only run against an Arista device.

e. I created a classifier for these devices that launches my own pattern, and I linked this to my collection of Arista OIDs.

The good news is that this seems to work.  The bad news is that I have a new pattern to support from now on, and there are portions of it that are difficult to manage in a DEV-UAT-PROD environment.  For instance, there is NO support right now for library patterns in update sets.  You cannot even export them to XML.  The only way I know how to copy them from system to system is to start a new one on the target system and save it (so it gets put into the pattern table and started NDL is attached) and then open it up and copy/paste the NDL that I want.

This approach seems to work, but it did not "correct" any incorrect addressing on existing CIs.  I had to manually fix them.  Afterwards, my pattern worked -- it added the management address to the list, and the reconciliation stopped clobbering the IP address in each CI.

Long post, but someone might be interested some day...

GLH