docs: keep public RustChain TLS verification enabled

[iamdinhthuan]

Fixes #5618.

Related bounty: Scottcjn/rustchain-bounties#71
Payout/miner id if accepted: iamdinhthuan

Summary

• replace public https://rustchain.org curl -k examples with strict-TLS curl -fsS examples
• remove verify=False from Python requests examples for the public RustChain hostname
• keep private/self-signed node guidance scoped to explicit CA-bundle verification
• add a regression test that scans the public docs for future insecure public-host TLS examples

Duplicate and Safety Checks

• Duplicate search found no open PR already fixing [SECURITY] Docs tell users to disable TLS verification for rustchain.org #5618's docs-wide curl -k / verify=False public-host guidance.
• Broad adjacent hits were not duplicates: docs: add API error handling examples #5487 adds a separate API examples file, fix: use rustchain.org for SDK public defaults #5580 changes SDK defaults, docs: update wRTC bridge links #5590 changes bridge links, and fix: show Windows attestation failures #5576 covers Windows diagnostics.
• No private tokens, API keys, wallet credentials, authenticated endpoints, transfers, withdrawals, payout movement, profile edits, stars, reactions, or secret material were used.

Validation

• python3 -B -m pytest -q tests/test_miner_checklist.py tests/test_postman_collection_validator.py tests/test_public_docs_tls_examples.py --tb=short -> 10 passed in 0.07s
• git diff --check HEAD~1..HEAD -> passed
• python3 tools/bcos_spdx_check.py --base-ref origin/main -> BCOS SPDX check: OK
• rg -n "curl -[A-Za-z]*k[A-Za-z]*.*https://rustchain\\.org|verify=False" README.md docs/API.md docs/README.md docs/zh-CN/README.md -> no matches
• curl -fsS --max-time 15 -o /tmp/rustchain-health.json -w '%{http_code}\n' https://rustchain.org/health -> 200
• curl -fsS --max-time 15 -o /tmp/rustchain-miners.json -w '%{http_code}\n' https://rustchain.org/api/miners -> 200
• curl -fsS --max-time 15 -o /tmp/rustchain-balance.json -w '%{http_code}\n' 'https://rustchain.org/wallet/balance?miner_id=iamdinhthuan' -> 200

[iamdinhthuan]

CI note after opening: the test job fails during full-suite collection before running the docs regression because the runner is missing baseline dependencies:

ModuleNotFoundError: No module named 'aiohttp'
ModuleNotFoundError: No module named 'flask_cors'
ModuleNotFoundError: No module named 'matplotlib'

This PR only changes docs plus tests/test_public_docs_tls_examples.py. The focused validation from the PR body still passes locally:

python3 -B -m pytest -q tests/test_miner_checklist.py tests/test_postman_collection_validator.py tests/test_public_docs_tls_examples.py --tb=short
10 passed in 0.07s

I am not bundling dependency packaging changes into this docs fix because that is a separate baseline CI issue.

[TJCurnutte]

Approved. This fixes the security-relevant docs drift from #5618: public https://rustchain.org examples no longer teach users to disable certificate verification, while the private/self-signed-node guidance is scoped to an explicit CA bundle instead of verify=False.

Validation run locally on head b25852b8e1dbdddbedc726b517063a9f76c3f727:

• git diff --check origin/main...HEAD passed.
• python3 -B -m py_compile tests/test_public_docs_tls_examples.py passed.
• python3 -B -m pytest -q tests/test_miner_checklist.py tests/test_postman_collection_validator.py tests/test_public_docs_tls_examples.py --tb=short passed with 11 passed in 0.48s.
• python3 tools/bcos_spdx_check.py --base-ref origin/main returned BCOS SPDX check: OK.
• Custom scan across the 49 changed files found 311 insecure public-host TLS examples on origin/main and 0 after this PR. The scan covered curl ... -k / --insecure against https://rustchain.org, Python requests.*(... verify=False ...) blocks for https://rustchain.org, and public-host self-signed/verify=False labeling.
• Live strict-TLS probes with curl -fsS --max-time 20 returned HTTP 200 for https://rustchain.org/health, https://rustchain.org/api/miners, and https://rustchain.org/wallet/balance?miner_id=iamdinhthuan.

The broad docs sweep is justified here because the regression test now prevents the specific public-host TLS anti-pattern from reappearing across Markdown/HTML docs. I did not see runtime auth, transfer, withdrawal, or payout code paths changed in this PR.

[HCIE2054]

LGTM!

[jaxint]

LGTM! Great work on this PR. 🚀

[Auren-Innovation]

Code Review: PR #5619

Title: docs: keep public RustChain TLS verification enabled
Review Type: Documentation
Recommended Reward: 5-8 RTC

---

Summary

Documentation update emphasizing TLS verification best practices.

Critical

None.

Warning

None.

Suggestion

• Consider adding brief rationale for why TLS verification should remain enabled
• Could include troubleshooting tips for common TLS issues

Verdict

Approve - Documentation improvement promotes security best practices.

---

Review by Herr Amano | 2026-05-18

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[Auren-Innovation]

💰 Wallet Address for Bounty Rewards

miner_id:

Verification:
{"amount_i64":0,"amount_rtc":0.0,"miner_id":"herr-amano"}

Please transfer rewards to this address.

---

Wallet address added by Herr Amano

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[Scottcjn]

Closing as stale branch — would cause destructive deletions if merged.

Your branch was filed roughly 155 commits behind current main. Since then, many overlapping fixes from other contributors have landed via parallel PRs. GitHub's mergeable=clean indicator only catches text-level conflicts — it doesn't detect "this branch is so old that merging would silently delete code that landed after it was filed."

Bounty credit acknowledged

If your fix addressed a real bug, the canonical version has very likely already shipped via a parallel contributor's PR over the past two weeks. Specific cases covered by today's audit:

• Age-scoring (2025 → current_year fixes) — credited in synthesis PR fix(scoring): defensive max(0, ...) age guards + testable current_year param #5660 (Co-Authored-By: saim256, slashdevcorpse, galpetame, ethever, junn-dev)
• Auth strengthening (admin-key gating, signed wallet/OTC actions) — landed via earlier merges this week
• Input validation (fix: validate X, fix: reject X) — landed via merged contributor first-posters
• CWE-209 info-disclosure hardening (hide X exception details) — landed via @hungle123-dev first-poster PRs
• CONTRIBUTING.md per-repo — closed bounty Auto Batch - Divine Features (250 RTC) #1605 with first-poster awards on 2026-05-18

If you want fresh review

Rebase against current main and verify your diff shows roughly the size of the changes you originally made:

git fetch upstream main
git rebase upstream/main
git diff main..HEAD --shortstat

If the deletion count is significantly higher than what you added, the branch is still picking up stale assumptions — recreate from a fresh main.

Thanks for the contribution work this week.