Centralize legacy network TLS policy

docs/modernization/build-inventory.md

@@ -562,7 +562,10 @@ Known local toolchain state:
   work-directory collection policy before `pp_app_core` plans immediate
   collection export versus directory-picker stem export, and app-owned curl
   upload/download/license helpers consume the TLS policy instead of spelling
-  Android branches locally;
+  Android branches locally; retained `Asset::open_url`, `LogRemote::net_init`,
+  and cloud browse-dialog curl sites now consume the same default platform TLS
+  policy helper in `pp_platform_api` instead of spelling Android branches
+  locally;
   Windows
   live app execution now uses injected
   `WindowsPlatformServices` from
@@ -600,10 +603,11 @@ Known local toolchain state:
   upload, bulk upload, browse dialog, and download execution. It keeps those
   live paths on the `pp_app_core` `CloudServices` contract while the app-owned
   curl upload/download/license helpers now ask `PlatformServices` for TLS
-  verification policy. Legacy save-before-upload, progress/message UI, network
-  upload/download helper ownership, OpenGL context guarding, `NodeDialogCloud`,
-  project open, layer refresh, and action-history reset remain tracked by
-  `DEBT-0038`.
+  verification policy and retained dialog/network curl sites use the shared
+  default platform TLS helper. Legacy save-before-upload, progress/message UI,
+  network upload/download helper ownership, OpenGL context guarding,
+  `NodeDialogCloud`, project open, layer refresh, and action-history reset
+  remain tracked by `DEBT-0038`.
 - `pano_cli simulate-app-session` exposes `pp_app_core` project-open,
   app-close, save, save-as, save-version, and save-before-workflow decisions
   as JSON and is covered for clean, dirty, already-prompting, missing-canvas,