fix(cron): allow quoted URL in github auth-header allowlist

The github-pr-workflow skill wraps the URL in double-quotes
('curl -H ... "https://api.github.com/..."'), which the original
allowlist regex (\s+https://api...) did not match. Without this,
the bundled github-pr-workflow skill is still blocked at every
cron tick despite #22605's fix landing for the bare-URL form.

Make the leading quote optional and add a regression test pinning
both single- and double-quoted forms.
Teknium 2026-05-09 09:06:20 -07:00
parent 691778a08b
commit b6ff96c057
2 changed files with 12 additions and 1 deletions

@ -73,7 +73,7 @@ def _scan_cron_prompt(prompt: str) -> str:
"""Scan a cron prompt for critical threats. Returns error string if blocked, else empty."""
github_auth_header = re.search(
rf'curl\s+[^\n]*(?:-H|--header)\s+["\']Authorization:\s*token\s+{_CRON_SECRET_VAR_RE}["\']'
r'\s+https://api\.github\.com(?:/|\b)',
r'\s+["\']?https://api\.github\.com(?:/|\b)',
prompt,
re.IGNORECASE,
)
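Review bot: the new pattern line `r'\s+["\']?https://api\.github\.com(?:/|\b)'` still does not pin the host, because the `\b` alternative is satisfied by any non-word character after `com` (a `.` or `@` as much as a quote or a space), so a URL whose host only begins with `api.github.com` is accepted as the allowed GitHub form. Since this line is being touched anyway, consider replacing `(?:/|\b)` with an explicit terminator such as `(?:/|["\']|\s|$)`. The optional opening quote is also never paired with a closing one; capturing it and back-referencing it after the URL would make the quoted forms exact. A negative test for a look-alike host would fit next to the regression test for the quoted forms.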