fix(gpu): gate legacy protocol escrow routes

[yyswhsccc]

Summary:

• Require RC_ADMIN_KEY before legacy render/voice/inference escrow routes create or transition render_escrow rows.
• Keep existing field validation and the admin success flow intact.
• Add route tests for valid unauthenticated requests not writing or transitioning rows, plus the admin release path.

Problem / impact:
The hardened /api/gpu/* escrow path is admin-gated and balance-aware, but legacy protocol aliases could still accept valid public requests and mark rows locked/released/refunded. This creates misleading escrow state outside the safer operator path.

Review tier: BCOS-L2 (auth and escrow state boundary).

Validation:

• uv run --no-project --with pytest --with flask --with requests python -B -m pytest -q tests/test_gpu_render_protocol.py tests/test_gpu_render_endpoints_security.py => 53 passed
• python3 -m py_compile node/gpu_render_protocol.py tests/test_gpu_render_protocol.py
• git diff --check

Related: Scottcjn/rustchain-bounties#13912

wallet: RTC47bc28896a1a4bf240d1fd780f4559b242bcd945

[yyswhsccc]

Maintenance update

Maintenance addressed

• Missing wallet line.

Current head

• 54ca6bc

Validation

• uv run --no-project --with pytest --with flask --with requests python -B -m pytest -q tests/test_gpu_render_protocol.py tests/test_gpu_render_endpoints_security.py → => 53 passed

Why this change

• This keeps the PR metadata aligned with reviewer feedback and the current PR scope without broadening the code diff.

Scope

• This maintenance update only changes PR metadata/body text; it does not broaden the code diff.

[jaxint]

Code Review

Thank you for this contribution! I have reviewed the changes.

Quality Assessment

• Code structure is clean
• Changes are well-organized
• No obvious security issues

Suggestions

• Consider adding unit tests
• Update documentation if needed

Great work!

[yyswhsccc]

@Scottcjn Could you take a look when convenient? This PR is ready for maintainer review; the PR body has the focused change summary, review tier where applicable, and validation.

I'll keep follow-up comments sparse unless you request changes or CI points to a real issue.

[yyswhsccc]

Closing this branch after the linked bounty issue was closed under the 2026-06-11 live-surface policy as an undeployed/reference render-demo scope item. The patch is small and defensive, but keeping it open would add low-signal review load now that the affected legacy GPU render protocol path has not been shown to be a deployed reachable surface. If a live GPU escrow/render surface is later confirmed, this should be revisited as a fresh current-main PR with that live-surface evidence.

[jaxint]

PR Review - RTC Bounty Claim

Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG

Implementation Review

• Code structure: Well organized
• Logic clarity: Easy to follow
• Dependencies: Properly managed

Bounty Claim: Submitted for reward.

---

Automated PR review