fix: disable public Flask debug by default

bcos_directory.py

@@ -482,4 +482,5 @@ def serve_dist(filename):
 if __name__ == '__main__':
     init_db()
     load_projects_from_json()
-    app.run(debug=True, host='0.0.0.0', port=5000)
+    debug = os.environ.get("FLASK_DEBUG", "").lower() in {"1", "true", "yes", "on"}
+    app.run(debug=debug, host='0.0.0.0', port=5000)

bridge/bridge_api.py

@@ -621,4 +621,5 @@ def register_bridge_routes(app: Flask):
     app = Flask(__name__)
     register_bridge_routes(app)
     print("Bridge dev server on http://0.0.0.0:8096")
-    app.run(host="0.0.0.0", port=8096, debug=True)
+    debug = os.environ.get("FLASK_DEBUG", "").lower() in {"1", "true", "yes", "on"}
+    app.run(host="0.0.0.0", port=8096, debug=debug)

contributor_registry.py

@@ -188,4 +188,5 @@ def approve_contributor(username):
 if __name__ == '__main__':
     if not os.path.exists(DB_PATH):
         init_db()
-    app.run(debug=True, host='0.0.0.0', port=5000)
+    debug = os.environ.get("FLASK_DEBUG", "").lower() in {"1", "true", "yes", "on"}
+    app.run(debug=debug, host='0.0.0.0', port=5000)

explorer/app.py

@@ -1,4 +1,5 @@
 from flask import Flask, render_template, jsonify
+import os
 import requests
 import json
 from datetime import datetime
@@ -134,4 +135,5 @@ def internal_error(error):
     return render_template('500.html'), 500
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=5000, debug=True)
+    debug = os.environ.get("FLASK_DEBUG", "").lower() in {"1", "true", "yes", "on"}
+    app.run(host='0.0.0.0', port=5000, debug=debug)

keeper_explorer.py

@@ -377,4 +377,5 @@ def faucet_drip():
 if __name__ == '__main__':
     import hashlib # needed for mock hash
     print(f"[*] Starting Fossil-Punk Keeper Explorer on port {PORT}...")
-    app.run(host='0.0.0.0', port=PORT, debug=True)
+    debug = os.environ.get("FLASK_DEBUG", "").lower() in {"1", "true", "yes", "on"}
+    app.run(host='0.0.0.0', port=PORT, debug=debug)

security_test_payment_widget.py

@@ -272,4 +272,5 @@ def admin_login():
 if __name__ == '__main__':
     if not os.path.exists(DB_PATH):
         init_db()
-    app.run(debug=True, host='0.0.0.0', port=5000)
+    debug = os.environ.get("FLASK_DEBUG", "").lower() in {"1", "true", "yes", "on"}
+    app.run(debug=debug, host='0.0.0.0', port=5000)

tests/test_public_flask_debug.py

@@ -0,0 +1,51 @@
+# SPDX-License-Identifier: MIT
+import ast
+from pathlib import Path
+
+
+PUBLIC_FLASK_ENTRYPOINTS = [
+    "bcos_directory.py",
+    "bridge/bridge_api.py",
+    "contributor_registry.py",
+    "explorer/app.py",
+    "keeper_explorer.py",
+    "security_test_payment_widget.py",
+]
+
+
+def _literal_keyword(call: ast.Call, keyword_name: str):
+    for keyword in call.keywords:
+        if keyword.arg == keyword_name:
+            return keyword.value
+    return None
+
+
+def _is_app_run(call: ast.Call) -> bool:
+    return (
+        isinstance(call.func, ast.Attribute)
+        and call.func.attr == "run"
+        and isinstance(call.func.value, ast.Name)
+        and call.func.value.id == "app"
+    )
+
+
+def test_public_flask_entrypoints_do_not_hardcode_debug_true():
+    repo_root = Path(__file__).resolve().parents[1]
+
+    for relative_path in PUBLIC_FLASK_ENTRYPOINTS:
+        source_path = repo_root / relative_path
+        tree = ast.parse(source_path.read_text(encoding="utf-8"), filename=relative_path)
+
+        for node in ast.walk(tree):
+            if not isinstance(node, ast.Call) or not _is_app_run(node):
+                continue
+
+            host = _literal_keyword(node, "host")
+            debug = _literal_keyword(node, "debug")
+
+            binds_public_interface = isinstance(host, ast.Constant) and host.value == "0.0.0.0"
+            hardcodes_debug_true = isinstance(debug, ast.Constant) and debug.value is True
+
+            assert not (
+                binds_public_interface and hardcodes_debug_true
+            ), f"{relative_path} binds 0.0.0.0 with debug=True"