fix: address CodeRabbit review feedback

jeanfbrito · jeanfbrito · commit 96fbdcae6dfe · 2026-03-30T17:52:47.000-03:00
- Align settings precedence: read both override files and let appAsar
  win, matching the merge order in data.ts
- Use getCACertificates() (no arg) to preserve NODE_EXTRA_CA_CERTS
  alongside system and bundled CAs
- Clarify doc wording for app ASAR override location
diff --git a/docs/corporate-certificate-configuration.md b/docs/corporate-certificate-configuration.md
@@ -69,7 +69,7 @@ This setting defaults to `false`. When both this and system CAs are active, a wa
 | **macOS** | `~/Library/Application Support/Rocket.Chat/overridden-settings.json` |
 | **Linux** | `~/.config/Rocket.Chat/overridden-settings.json` |
 
-Settings can also be placed at the app ASAR level (outside the app bundle) for system-wide deployment by administrators.
+Settings can also be placed alongside `app.asar` (outside the ASAR archive) for system-wide deployment by administrators.
 
 ## Related
 
diff --git a/src/systemCertificates.ts b/src/systemCertificates.ts
@@ -24,22 +24,22 @@ const readUseSystemCertificatesSetting = (): boolean => {
     ),
   ];
 
+  let enabled = true;
   for (const filePath of locations) {
     try {
       const content = fs.readFileSync(filePath, 'utf8');
       const json = JSON.parse(content);
       if (json && typeof json === 'object' && 'useSystemCertificates' in json) {
-        return (
+        enabled =
           json.useSystemCertificates !== false &&
-          String(json.useSystemCertificates).toLowerCase() !== 'false'
-        );
+          String(json.useSystemCertificates).toLowerCase() !== 'false';
       }
     } catch {
       // File doesn't exist or is invalid — continue to next location
     }
   }
 
-  return true;
+  return enabled;
 };
 
 export const applySystemCertificates = (): void => {
@@ -61,8 +61,8 @@ export const applySystemCertificates = (): void => {
       return;
     }
 
-    const bundledCerts = tls.getCACertificates('bundled');
-    tls.setDefaultCACertificates([...systemCerts, ...bundledCerts]);
+    const defaultCerts = tls.getCACertificates();
+    tls.setDefaultCACertificates([...defaultCerts, ...systemCerts]);
 
     status = { applied: true, certCount: systemCerts.length };
     logger.info(
