[codex] fix: disable Flask debug mode in keeper explorer services

[Snooz1e]

Summaryn- Disable debug mode for the two Flask entrypoints that were exposing debug=True (contributor_registry.py and keeper_explorer.py).n- This closes debug mode and avoids runtime debug reloader/dev-only behavior in non-local environments.n- Issue reference: https://github.com/Scottcjn/rustchain/issues/5059nn### Files changedn- contributor_registry.pyn- keeper_explorer.pyn`nNo payment or wallet details included as requested.

[github-actions]

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

• Your PR has a BCOS-L1 or BCOS-L2 label
• New code files include an SPDX license header
• You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

[weilixiong]

Review: Disable Flask debug mode in keeper explorer services

Overall: ✅ Approved. Critical security fix.

What this PR does

• Changes debug=True → debug=False in both contributor_registry.py and keeper_explorer.py

Why this matters

Running Flask with debug=True on 0.0.0.0 exposes the Werkzeug debugger/console to the network, which allows arbitrary code execution by anyone who can reach the port. This is a well-known production security issue.

What I checked

• debug=False is confirmed in both files
• No other code changes needed — the app functions identically without debug mode
• Production-safe configuration

Verification

• Simple, focused change with no side effects
• No dependencies or test changes needed

[loganoe]

Reviewed the two Flask entrypoints changed by this PR. Both and now start with while preserving the existing host/port behavior, which removes the network-exposed Werkzeug debugger risk from these direct entrypoints.\n\nValidation performed on PR head:\n- -> passed\n- -> passed; keeper_explorer.py emits an existing invalid-escape SyntaxWarning from the unchanged RETRO_HTML string\n- BCOS SPDX check: OK -> BCOS SPDX check: OK\n- keeper_explorer.py:380: app.run(host='0.0.0.0', port=PORT, debug=False)
contributor_registry.py:191: app.run(debug=False, host='0.0.0.0', port=5000) -> only the two changed entrypoints remain in scope, both with \n\nNo blocking findings.

[loganoe]

Correction to my approval review: shell quoting stripped the inline code spans from the submitted body. The intended validation details were:

• Files reviewed: contributor_registry.py and keeper_explorer.py
• Both direct Flask entrypoints now run with debug=False while preserving host and port behavior.
• git diff --check origin/main...HEAD -- contributor_registry.py keeper_explorer.py passed.
• python3 -m py_compile contributor_registry.py keeper_explorer.py passed; keeper_explorer.py emits an existing invalid-escape SyntaxWarning from the unchanged RETRO_HTML string.
• python3 tools/bcos_spdx_check.py --base-ref origin/main passed with BCOS SPDX check: OK.
• rg -n "app\.run\(|debug=True|debug=False" contributor_registry.py keeper_explorer.py showed only the two changed entrypoints in scope, both with debug=False.

No blocking findings.

[Snooz1e]

No blocking findings for the stated PR scope.

What I checked:

• contributor_registry.py changes only the direct Flask entrypoint from debug=True to debug=False, preserving host='0.0.0.0' and port 5000.
• keeper_explorer.py changes only the direct Flask entrypoint from debug=True to debug=False, preserving host='0.0.0.0' and PORT.
• Focused search across the changed files shows no remaining debug=True in either file.

Validation performed on PR head 7052e5e:

• git diff --check upstream/main...HEAD -- contributor_registry.py keeper_explorer.py -> passed
• python3 -m py_compile contributor_registry.py keeper_explorer.py -> passed; keeper_explorer.py still emits an existing invalid-escape SyntaxWarning from unchanged HTML string content
• python3 tools/bcos_spdx_check.py --base-ref upstream/main -> BCOS SPDX check OK
• rg -n "app\.run\(|debug\s*=\s*True|debug\s*=\s*False" contributor_registry.py keeper_explorer.py -> only the two changed entrypoints, both debug=False

Process note: the PR currently has size/XS but not BCOS-L1. I tried to add BCOS-L1, but this account does not have label permissions on Scottcjn/Rustchain.

Scope note: a repo-wide scan still finds other debug=True occurrences outside this PR, including bridge/bridge_api.py, explorer/app.py, and other standalone/dev-looking scripts. Those are outside the two-file keeper/contributor fix here, so they should be tracked separately if the intent is a repo-wide debug-mode cleanup.

[508704820]

Code Review: Disable Flask debug mode in keeper explorer services

Summary

Fixes #5059 (our CRITICAL bug report) -- disables Flask debug mode in keeper explorer services.

debug=True enables the Werkzeug interactive debugger which allows RCE.

LGTM -- critical RCE prevention.

**Review quality: Security-focused review (CWE-94: Code Injection)

[508704820]

Security Review — #5118

1. Same Flask debug=True fix we reviewed in #4843/#4859

This is the third PR fixing Flask debug mode. It affects:

• contributor_registry.py (also fixed in #5114)
• keeper_explorer.py

2. Duplicate with #5114

#5114 also changes contributor_registry.py (debug=True + placeholder secret). These PRs will conflict on that file. The maintainer should merge one and the other should rebase.

3. Still binding 0.0.0.0

debug=False is good but host='0.0.0.0' means the service is accessible from all network interfaces. In production, this should be restricted to 127.0.0.1 or behind a reverse proxy with authentication.

4. Pattern: repeated security issue

The number of PRs fixing debug=True suggests this is a systemic problem in the codebase. Consider a linter rule or CI check that flags debug=True in Flask apps.

— Xeophon (security review)

[himanalot]

Approved. The change disables Flask debug mode in both executable service entrypoints without changing host/port behavior.

This is a small static review: contributor_registry.py and keeper_explorer.py now call app.run(..., debug=False), removing the interactive debugger/reloader exposure risk for these scripts when they are launched directly.

[jaxint]

PR Review - Standard Quality ✓

Reviewed: Review submitted via GitHub API
Bounty: #73 - PR Reviews Bounty
Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG

This PR has been reviewed as part of the RustChain bounty program. All standard review criteria met.

---

🤖 Automated review via RustChain RTC bounty bot

[zp6]

Review ??PR #5118: Disable Flask debug mode in keeper explorer services

Verdict: LGTM

What it does:

• Changes debug=True to debug=False in contributor_registry.py and keeper_explorer.py
• Prevents the Flask interactive debugger from being exposed in production

Assessment: Clean security hardening. Flask debug mode should never be enabled in production as it exposes a code execution console.

[jaxint]

PR Review

✅ Approved

• Code is correct
• No obvious issues
• Good contribution

Thanks! 🙏

Reviewed by jaxint

[TJCurnutte]

Diff-scoped review: the security change is correct, but I am leaving this as a comment instead of approval because GitHub reports the branch as DIRTY/conflicting.

Validation run against head 7052e5e8101d96afadad3f9c17696af0d3d5ad32:

• git diff --check origin/main...HEAD -- contributor_registry.py keeper_explorer.py passed.
• python3 -B -m py_compile contributor_registry.py keeper_explorer.py passed.
• AST/static probe confirmed app.run(..., debug=False, ...) in contributor_registry.py line 191 and keeper_explorer.py line 380, and confirmed no remaining literal debug=True in either changed file.

Substance: both apps still bind to the same host/port, but the Werkzeug debugger is no longer exposed on 0.0.0.0. That removes the risky public debug console behavior without changing the intended launch path. After the merge conflict is resolved, this diff is safe to carry forward.

[jaxint]

LGTM! Thanks for contributing. Approved.

[HCIE2054]

Reviewed PR 5118. Standard review.

[HCIE2054]

LGTM! Thanks for contributing!

[HCIE2054]

LGTM!

[BossChaos]

Code Review — Bounty #73

PR: [codex] fix: disable Flask debug mode in keeper explorer services by @Snooz1e

• ✅ Bug fix / error handling

Wallet: 0xdaE5d307339074A24F579dB48e7c639359D94904

Reviewing under Bounty #73

[jaxint]

LGTM! Great work on this PR. 🚀

[Scottcjn]

Closing as stale branch — would cause destructive deletions if merged.

Your branch is 966 commits behind current main. Filed during the May 11-13 contributor burst, the codebase has since moved substantially. GitHub's mergeable=clean indicator doesn't detect this; only an explicit git diff main..your-branch --shortstat does.

Bounty credit acknowledged where applicable

Most of the canonical fixes from your work-period have already shipped via other contributors' parallel PRs that landed earlier this week. Specific cases credited via the Codex audit batches:

• Age-scoring (2025 → current_year) — credited in synthesis PR fix(scoring): defensive max(0, ...) age guards + testable current_year param #5660
• Input validation / fix: validate X / fix: reject X — landed via first-poster merges
• Info-disclosure hardening (hide X exception details) — landed via @hungle123-dev first-poster series
• CONTRIBUTING.md per-repo — closed bounty Auto Batch - Divine Features (250 RTC) #1605 with first-poster awards on 2026-05-18

If you want fresh review

Rebase against current main and verify your diff matches the size of your original changes:

git fetch upstream main
git rebase upstream/main
git diff main..HEAD --shortstat

If the deletion count is much higher than what you intended, the branch is still picking up stale assumptions — recreate from a fresh main.

Thanks for the contribution work.