fix(API): use truthy check for READ_ONLY in /diagnostics handler

TheLastCicada · TheLastCicada · commit 56e22b3185f1 · 2026-05-13T10:27:56.000-07:00
The diagnostics route handler used strict === true while the rest of
middleware uses truthy checks (|| false). A non-boolean truthy config
value (e.g. 1, "true") would bypass the read-only protection and
serve the full response with sensitive fields.
diff --git a/src/middleware.js b/src/middleware.js
@@ -532,7 +532,7 @@ app.get('/diagnostics', async (req, res) => {
   try {
     const configV1 = getConfig();
     const configV2 = getConfigV2();
-    const readOnly = configV2.READ_ONLY === true || configV1.READ_ONLY === true;
+    const readOnly = !!(configV2.READ_ONLY || configV1.READ_ONLY);
     const { getDiagnosticsResponse } = await import('./routes/diagnostics.js');
     const result = await getDiagnosticsResponse({ readOnly });
     return res.status(200).json(result);
