fix(backend): harden runtime config and verification access

backend/unified-api/src/app.js

@@ -6,10 +6,12 @@ import { errorHandler, notFoundHandler } from './middleware/error-handler.js';
 import { healthRouter } from './routes/health.js';
 import { createAuthRouter } from './routes/auth.js';
 import { createProxyRouter } from './routes/proxy.js';
+import { assertSafeRuntimeConfig } from './lib/runtime-safety.js';
 
 const logger = pino({ level: process.env.LOG_LEVEL || 'info' });
 
 export function createApp(options = {}) {
+  assertSafeRuntimeConfig();
   const app = express();
 
   app.use(requestContext);

backend/unified-api/src/lib/runtime-safety.js

@@ -0,0 +1,35 @@
+function runtimeEnvName() {
+  return `${process.env.APP_ENV || process.env.NODE_ENV || ''}`.trim().toLowerCase();
+}
+
+function isProtectedEnv() {
+  return ['staging', 'prod', 'production'].includes(runtimeEnvName());
+}
+
+export function assertSafeRuntimeConfig() {
+  if (!isProtectedEnv()) {
+    return;
+  }
+
+  const errors = [];
+
+  if (process.env.AUTH_BYPASS === 'true') {
+    errors.push('AUTH_BYPASS must be disabled');
+  }
+
+  if (!process.env.CORE_API_BASE_URL) {
+    errors.push('CORE_API_BASE_URL is required');
+  }
+
+  if (!process.env.COMMAND_API_BASE_URL) {
+    errors.push('COMMAND_API_BASE_URL is required');
+  }
+
+  if (!process.env.QUERY_API_BASE_URL) {
+    errors.push('QUERY_API_BASE_URL is required');
+  }
+
+  if (errors.length > 0) {
+    throw new Error(`Unsafe unified-api runtime config for ${runtimeEnvName()}: ${errors.join('; ')}`);
+  }
+}