fix(backend): harden runtime config and verification access

backend/query-api/src/lib/runtime-safety.js

@@ -0,0 +1,17 @@
+function runtimeEnvName() {
+  return `${process.env.APP_ENV || process.env.NODE_ENV || ''}`.trim().toLowerCase();
+}
+
+function isProtectedEnv() {
+  return ['staging', 'prod', 'production'].includes(runtimeEnvName());
+}
+
+export function assertSafeRuntimeConfig() {
+  if (!isProtectedEnv()) {
+    return;
+  }
+
+  if (process.env.AUTH_BYPASS === 'true') {
+    throw new Error(`Unsafe query-api runtime config for ${runtimeEnvName()}: AUTH_BYPASS must be disabled`);
+  }
+}