feat: harden cron auth with zero-trust HMAC validation

apps/web/src/app/api/cron/cleanup-orphaned-files/route.ts

@@ -2,7 +2,7 @@ import { findOrphanedFileRecords, deleteFileRecords } from '@pagespace/lib/compl
 import { db } from '@pagespace/db';
 import { createDriveServiceToken } from '@pagespace/lib';
 import { NextResponse } from 'next/server';
-import { validateCronRequest } from '@/lib/auth/cron-auth';
+import { validateSignedCronRequest } from '@/lib/auth/cron-auth';
 import type { ServiceScope } from '@pagespace/lib';
 
 const PROCESSOR_URL = process.env.PROCESSOR_URL || 'http://processor:3003';
@@ -16,15 +16,10 @@ const FILE_DELETE_SCOPES: ServiceScope[] = ['files:delete'];
  * 1. Calls processor service to delete physical file + cache
  * 2. Deletes the DB record
  *
- * Authentication:
- * - Primary: CRON_SECRET Bearer token (timing-safe comparison)
- * - Defense-in-depth: internal network origin check
- *
- * Trigger via:
- * curl -H "Authorization: Bearer $CRON_SECRET" http://localhost:3000/api/cron/cleanup-orphaned-files
+ * Authentication: HMAC-signed request with X-Cron-Timestamp, X-Cron-Nonce, X-Cron-Signature headers.
  */
 export async function GET(request: Request) {
-  const authError = validateCronRequest(request);
+  const authError = validateSignedCronRequest(request);
   if (authError) {
     return authError;
   }

apps/web/src/app/api/cron/purge-ai-usage-logs/route.ts

@@ -1,6 +1,6 @@
 import { anonymizeAiUsageContent, purgeAiUsageLogs } from '@pagespace/lib';
 import { NextResponse } from 'next/server';
-import { validateCronRequest } from '@/lib/auth/cron-auth';
+import { validateSignedCronRequest } from '@/lib/auth/cron-auth';
 
 /**
  * Cron endpoint to anonymize and purge old AI usage logs.
@@ -11,11 +11,10 @@ import { validateCronRequest } from '@/lib/auth/cron-auth';
  *
  * This preserves recent analytics while enforcing data retention limits.
  *
- * Trigger via:
- * curl -H "Authorization: Bearer $CRON_SECRET" http://localhost:3000/api/cron/purge-ai-usage-logs
+ * Authentication: HMAC-signed request with X-Cron-Timestamp, X-Cron-Nonce, X-Cron-Signature headers.
  */
 export async function GET(request: Request) {
-  const authError = validateCronRequest(request);
+  const authError = validateSignedCronRequest(request);
   if (authError) {
     return authError;
   }

apps/web/src/app/api/cron/purge-deleted-messages/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server';
-import { validateCronRequest } from '@/lib/auth/cron-auth';
+import { validateSignedCronRequest } from '@/lib/auth/cron-auth';
 import { chatMessageRepository } from '@/lib/repositories/chat-message-repository';
 import { globalConversationRepository } from '@/lib/repositories/global-conversation-repository';
 
@@ -9,11 +9,10 @@ import { globalConversationRepository } from '@/lib/repositories/global-conversa
  * Removes rows that have been soft-deleted (isActive=false) for longer than
  * 30 days, permanently freeing storage.
  *
- * Trigger via:
- * curl -H "Authorization: Bearer $CRON_SECRET" http://localhost:3000/api/cron/purge-deleted-messages
+ * Authentication: HMAC-signed request with X-Cron-Timestamp, X-Cron-Nonce, X-Cron-Signature headers.
  */
 export async function GET(request: Request) {
-  const authError = validateCronRequest(request);
+  const authError = validateSignedCronRequest(request);
   if (authError) {
     return authError;
   }

apps/web/src/app/api/cron/retention-cleanup/route.ts

@@ -1,7 +1,7 @@
 import { runRetentionCleanup } from '@pagespace/lib/compliance/retention/retention-engine';
 import { db } from '@pagespace/db';
 import { NextResponse } from 'next/server';
-import { validateCronRequest } from '@/lib/auth/cron-auth';
+import { validateSignedCronRequest } from '@/lib/auth/cron-auth';
 
 /**
  * Cron endpoint to run data retention cleanup across all tables with expiresAt columns.
@@ -11,15 +11,10 @@ import { validateCronRequest } from '@/lib/auth/cron-auth';
  * drive_backups (unpinned), drive_invitations (pending), page_permissions,
  * and ai_usage_logs.
  *
- * Authentication:
- * - Primary: CRON_SECRET Bearer token (timing-safe comparison)
- * - Defense-in-depth: internal network origin check
- *
- * Trigger via:
- * curl -H "Authorization: Bearer $CRON_SECRET" http://localhost:3000/api/cron/retention-cleanup
+ * Authentication: HMAC-signed request with X-Cron-Timestamp, X-Cron-Nonce, X-Cron-Signature headers.
  */
 export async function GET(request: Request) {
-  const authError = validateCronRequest(request);
+  const authError = validateSignedCronRequest(request);
   if (authError) {
     return authError;
   }

apps/web/src/app/api/cron/verify-audit-chain/route.ts

@@ -1,18 +1,17 @@
 import { verifySecurityAuditChain } from '@pagespace/lib';
 import { NextResponse } from 'next/server';
-import { validateCronRequest } from '@/lib/auth/cron-auth';
+import { validateSignedCronRequest } from '@/lib/auth/cron-auth';
 
 /**
  * Cron endpoint to verify the security audit log hash chain integrity.
  *
  * Detects tampering in the security audit log by recomputing each entry's
  * hash and verifying chain links. Logs a SECURITY ALERT if the chain is broken.
  *
- * Trigger via:
- * curl -H "Authorization: Bearer $CRON_SECRET" http://localhost:3000/api/cron/verify-audit-chain
+ * Authentication: HMAC-signed request with X-Cron-Timestamp, X-Cron-Nonce, X-Cron-Signature headers.
  */
 export async function GET(request: Request) {
-  const authError = validateCronRequest(request);
+  const authError = validateSignedCronRequest(request);
   if (authError) {
     return authError;
   }