Summary

• Add runtime log.warning in TPPConnection, TPPTokenConnection, and CloudConnection constructors when http_request_kwargs['verify'] is False
• Flip four shipped examples so the CA-bundle path (verify="/path-to/bundle.pem") is the active line and verify=False is relegated to a clearly-labelled lab-only comment

Finding

CWE-295 (Improper Certificate Validation) / CWE-1188 (Insecure Default)

All three connection classes (connection_tpp.py, connection_tpp_token.py, connection_cloud.py) splatted **self._http_request_kwargs into every requests call with no guard on the verify key. Four shipped examples (examples/get_cert.py, examples/tpp/get_cert_tpp_token.py, examples/ssh_certificates/get_cert_ssh.py, examples/ssh_certificates/get_cert_ssh_service.py) set verify=False as the active code path, so consumers copying them verbatim sent Venafi credentials, session tokens, and private-key material over TLS sessions with no server-certificate validation.

Remediation

• SDK guard (detective): After the timeout normalisation block in each constructor, check http_request_kwargs.get('verify') is False and emit a WARNING-level log message. Uses is False so CA-bundle strings and the absent-key default (None) are not flagged.
• Example flip: The trust-bundle variant is now the live line; verify=False is moved to a # Lab/testing only — DO NOT use in production comment.

Verification

• 7 files changed: 3 SDK sources + 4 examples
• python -m py_compile passes on all modified files
• Warning guard: http_request_kwargs.get('verify') is False is branch-free and evaluated immediately after the dict is guaranteed non-None
• No new imports, no API signature changes
• Pre-existing test failures (ModuleNotFoundError: No module named 'six') are an unrelated environment issue unaffected by this change