fix: disable public flask debug by default

[ethever]

Summary

• Fixes [SECURITY] Public Flask entrypoints enable debug mode by default #4810
• Gates standalone public Flask debug mode behind FLASK_DEBUG so 0.0.0.0 entrypoints do not default to Werkzeug debug mode
• Adds an AST regression test for public app.run calls with debug=True

Validation

• git diff --check origin/main...HEAD
• python3 -m py_compile bcos_directory.py bridge/bridge_api.py contributor_registry.py explorer/app.py keeper_explorer.py security_test_payment_widget.py tests/test_public_flask_debug_defaults.py
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --no-project --with pytest --with flask python -m pytest tests/test_public_flask_debug_defaults.py -q
• python3 tools/bcos_spdx_check.py --base-ref origin/main

Bounty

Wallet: b3a58f80a97bae5e2b438894aa85600cb0c066RTC

[github-actions]

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

• Your PR has a BCOS-L1 or BCOS-L2 label
• New code files include an SPDX license header
• You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

[ethever]

Checklist for #4810:

• Default debug mode is off for standalone Flask entrypoints bound to 0.0.0.0.
• Local development can still opt in with FLASK_DEBUG=1.
• Added tests/test_public_flask_debug_defaults.py to prevent new public debug=True defaults.
• Validation commands are listed in the PR body.

Bounty wallet: b3a58f80a97bae5e2b438894aa85600cb0c066RTC

[ethever]

Closing this because it duplicates older open fixes for #4810 (#4859 and #4843). I found those in the full open PR list after opening this PR, so this should not be considered a payout candidate.