docs(demo): clarify rustup supply-chain note in all notebooks

polaz · polaz · commit 565a74c8d0ca · 2026-04-16T03:52:06.000+03:00
Strengthen the existing trust-model comment with an explicit
'by design' note to reduce future review noise.
diff --git a/demo/notebooks/00_seed_data.ipynb b/demo/notebooks/00_seed_data.ipynb
@@ -73,6 +73,9 @@
     "    # the `IN_COLAB and not COORDINODE_ADDR` check above already ensures this block\n",
     "    # never runs when a live gRPC server is available, so there is no risk of\n",
     "    # unintentional execution in local or server environments.\n",
+    "    # Security note: downloading rustup-init via HTTPS with cert verification and\n",
+    "    # executing from a temp file (not piped to shell) is by design — this is the\n",
+    "    # rustup project's own recommended install method for automated environments.\n",
     "    import ssl as _ssl, tempfile as _tmp, urllib.request as _ur\n",
     "\n",
     "    _ctx = _ssl.create_default_context()\n",
diff --git a/demo/notebooks/01_llama_index_property_graph.ipynb b/demo/notebooks/01_llama_index_property_graph.ipynb
@@ -61,6 +61,9 @@
     "    # the `IN_COLAB` check above already ensures this block never runs outside\n",
     "    # Colab sessions, so there is no risk of unintentional execution in local\n",
     "    # or server environments.\n",
+    "    # Security note: downloading rustup-init via HTTPS with cert verification and\n",
+    "    # executing from a temp file (not piped to shell) is by design — this is the\n",
+    "    # rustup project's own recommended install method for automated environments.\n",
     "    import ssl as _ssl, tempfile as _tmp, urllib.request as _ur\n",
     "\n",
     "    _ctx = _ssl.create_default_context()\n",
diff --git a/demo/notebooks/02_langchain_graph_chain.ipynb b/demo/notebooks/02_langchain_graph_chain.ipynb
@@ -58,6 +58,9 @@
     "    # the `IN_COLAB` check above already ensures this block never runs outside\n",
     "    # Colab sessions, so there is no risk of unintentional execution in local\n",
     "    # or server environments.\n",
+    "    # Security note: downloading rustup-init via HTTPS with cert verification and\n",
+    "    # executing from a temp file (not piped to shell) is by design — this is the\n",
+    "    # rustup project's own recommended install method for automated environments.\n",
     "    import ssl as _ssl, tempfile as _tmp, urllib.request as _ur\n",
     "\n",
     "    _ctx = _ssl.create_default_context()\n",
diff --git a/demo/notebooks/03_langgraph_agent.ipynb b/demo/notebooks/03_langgraph_agent.ipynb
@@ -62,6 +62,9 @@
     "    # Skip embedded build if COORDINODE_ADDR is set — user has a gRPC server,\n",
     "    # no need to spend 5+ minutes building coordinode-embedded from source.\n",
     "    # The `IN_COLAB` check already guards against local/server environments.\n",
+    "    # Security note: downloading rustup-init via HTTPS with cert verification and\n",
+    "    # executing from a temp file (not piped to shell) is by design — this is the\n",
+    "    # rustup project's own recommended install method for automated environments.\n",
     "    import ssl as _ssl, tempfile as _tmp, urllib.request as _ur\n",
     "\n",
     "    _ctx = _ssl.create_default_context()\n",
