
fix: remove spoofable user-agent fallback in documentation drift auth #1601

Merged
pithva007 merged 1 commit into nisshchayarathi:main from Akshita-2307:fix/documentation-drift-remove-useragent-fallback-1541 on Jun 2, 2026

Conversation

@Akshita-2307
Contributor

@Akshita-2307 Akshita-2307 commented Jun 1, 2026

The documentation drift internal endpoint fell back to checking user-agent for 'vercel-cron' when ANALYSIS_RUNNER_SECRET was not configured. User-agent headers are caller-controlled and easily spoofed. Now rejects all requests in production when the secret is missing.

Closes #1541

Summary by CodeRabbit

  • Bug Fixes
    • Updated drift detection endpoint authentication validation. Now returns a 401 error when required authentication configuration is missing in production environments, replacing previous fallback behavior.

@vercel

vercel Bot commented Jun 1, 2026

Someone is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai
Contributor

coderabbitai Bot commented Jun 1, 2026

Walkthrough

The documentation drift internal endpoint's authentication fallback is hardened. When ANALYSIS_RUNNER_SECRET is unconfigured in production, requests now receive an explicit 401 Unauthorized response instead of being accepted if the user-agent header contains vercel-cron.

Changes

Production Fallback Authentication

Layer / File(s) Summary
Production fallback authentication hardening
app/api/internal/documentation-drift/route.ts
When ANALYSIS_RUNNER_SECRET is missing, production deployments now reject requests with 401 Unauthorized instead of accepting spoofable vercel-cron user-agent headers. Non-production environments are unaffected.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

security, bug, critical, level:intermediate

Poem

🐰 A secret lost calls for caution's might,
No more user-agents in production's night.
Vercel cron spoofs fade to 401,
Auth gates harden—security's won! 🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR only removes the user-agent fallback but does not fully implement the required authentication improvements: constant-time auth helpers, Authorization Bearer support, and comprehensive unit tests are missing. Complete remaining requirements from issue #1541: implement constant-time authentication helpers, add Bearer token support, and add comprehensive unit tests for valid/invalid auth paths.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main security fix: removing the spoofable user-agent fallback from documentation drift authentication.
Out of Scope Changes check ✅ Passed All changes are directly related to the security fix described in issue #1541; no out-of-scope modifications were introduced.


@github-actions github-actions Bot added the GSSoC'26 Part of GirlScript Summer of Code 2026 label Jun 1, 2026
@github-actions

github-actions Bot commented Jun 1, 2026

🎉 Thanks for your contribution, @Akshita-2307!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check Status
PR description ✅ Provided
PR title ✅ Meaningful
Linked issue ✅ Found
Change size ✅ Looks good (6 lines across 1 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
app/api/internal/documentation-drift/route.ts (1)

38-40: ⚡ Quick win

Consider using a generic error message to avoid configuration disclosure.

The explicit message "ANALYSIS_RUNNER_SECRET not configured" confirms to potential attackers that the secret environment variable is missing. Since this is an internal endpoint that shouldn't be exposed, a generic "Unauthorized" message is safer—log the specific reason server-side instead.

🔒 Proposed fix
     if (process.env.NODE_ENV === "production") {
+      console.error("[DocumentationDrift] ANALYSIS_RUNNER_SECRET not configured in production");
-      return NextResponse.json({ error: "Unauthorized - ANALYSIS_RUNNER_SECRET not configured" }, { status: 401 });
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }
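Review bot: the `+ console.error(...)` line is placed above the `-` return it accompanies, so the hunk reads as an insertion before the deleted line rather than a replacement; putting the new log after the removed return makes the intent obvious at a glance. Also worth making the generic `{ error: "Unauthorized" }` body identical to whatever the endpoint already returns for a wrong secret, otherwise the response text still lets a caller tell "misconfigured" apart from "rejected", and the logged line should stay as written here, naming the variable but never its value.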
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/api/internal/documentation-drift/route.ts` around lines 38 - 40, The
response in the NODE_ENV production check currently returns a detailed message
revealing "ANALYSIS_RUNNER_SECRET not configured"; change the HTTP response in
that conditional (the NextResponse.json return) to a generic message such as {
error: "Unauthorized" } with status 401, and move the detailed reason into a
server-side log (use your existing logger or console.error) so the specific
missing-config detail is not sent to clients; update the conditional around
process.env.NODE_ENV and the NextResponse.json return in route.ts accordingly
and add a server-side log entry explaining the missing ANALYSIS_RUNNER_SECRET.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8487d626-e4a6-467d-8145-cd9224040dc8

📥 Commits

Reviewing files that changed from the base of the PR and between 63ecb90 and b701d1b.

📒 Files selected for processing (1)
  • app/api/internal/documentation-drift/route.ts
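To make the PR description and the nitpick above concrete, here is an added example (not the project's route.ts) that models the endpoint's auth decision as a plain function: `checkAuthBefore` is the rejected user-agent fallback, `checkAuthAfter` fails closed in production with a generic body and a server-side log, and it also folds in the Bearer support and constant-time comparison the Linked Issues check says are still outstanding. Only ANALYSIS_RUNNER_SECRET, NODE_ENV, the "vercel-cron" string and the log text come from the page; the header name used in the "before" path and its `===` comparison are assumptions.

```typescript
import { timingSafeEqual } from "node:crypto";
// Added example, not the project's route.ts. Only ANALYSIS_RUNNER_SECRET,
// NODE_ENV, "vercel-cron" and the log text come from the PR; the header that
// carries the secret and the `===` in the "before" path are assumptions.
type Headers = Record<string, string | undefined>;
type Env = { NODE_ENV?: string; ANALYSIS_RUNNER_SECRET?: string };
type Decision = { status: 200 | 401; error?: string; log?: string };

// Constant-time comparison; a length mismatch still performs one full compare.
function secretsMatch(presented: string, expected: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length) {
    timingSafeEqual(b, b);
    return false;
  }
  return timingSafeEqual(a, b);
}

// The spoofable fallback: a caller-controlled User-Agent decides access.
function userAgentFallback(headers: Headers): Decision {
  const ua = headers["user-agent"] ?? "";
  return ua.includes("vercel-cron") ? { status: 200 } : { status: 401, error: "Unauthorized" };
}

// BEFORE: with no secret configured, any environment trusted the user-agent.
function checkAuthBefore(headers: Headers, env: Env): Decision {
  const secret = env.ANALYSIS_RUNNER_SECRET;
  if (!secret) return userAgentFallback(headers);
  const presented = headers["x-analysis-runner-secret"] ?? ""; // assumed header name
  return presented === secret ? { status: 200 } : { status: 401, error: "Unauthorized" };
}

// AFTER: production fails closed with a generic body and a server-side log;
// non-production keeps the old fallback, as the walkthrough states. Bearer
// parsing and the constant-time compare cover the issue's remaining asks.
function checkAuthAfter(headers: Headers, env: Env): Decision {
  const secret = env.ANALYSIS_RUNNER_SECRET;
  if (!secret) {
    if (env.NODE_ENV === "production") {
      return { status: 401, error: "Unauthorized",
        log: "[DocumentationDrift] ANALYSIS_RUNNER_SECRET not configured in production" };
    }
    return userAgentFallback(headers);
  }
  const auth = headers["authorization"] ?? "";
  const presented = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  return secretsMatch(presented, secret) ? { status: 200 } : { status: 401, error: "Unauthorized" };
}
```

The `log` field stands in for the `console.error` call in the proposed fix; the client only ever sees `error`.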

@pithva007 pithva007 merged commit b3b852e into nisshchayarathi:main Jun 2, 2026
3 of 4 checks passed
@github-actions github-actions Bot added gssoc:approved level:beginner mentor:nisshchayarathi GSSoC: Mentor attribution for @nisshchayarathi documentation Improvements or additions to documentation labels Jun 2, 2026

Labels

documentation Improvements or additions to documentation gssoc:approved GSSoC'26 Part of GirlScript Summer of Code 2026 level:beginner mentor:nisshchayarathi GSSoC: Mentor attribution for @nisshchayarathi


Development

Successfully merging this pull request may close these issues.

Critical: Documentation drift internal endpoint trusts spoofable Vercel cron user-agent
