diff --git a/src/app/api/admin/company-coverage/route.ts b/src/app/api/admin/company-coverage/route.ts index 043b858..d8712cb 100644 --- a/src/app/api/admin/company-coverage/route.ts +++ b/src/app/api/admin/company-coverage/route.ts @@ -1,5 +1,6 @@ import { NextRequest, NextResponse } from 'next/server'; import { createClient } from '@/lib/supabase/server'; +import { createAdminClient } from '@/lib/supabase/admin'; import { hybridAI } from '@/lib/ai/hybridRouter'; // ─── Pen name rotation ──────────────────────────────────────────────────────── @@ -110,7 +111,12 @@ export async function GET(request: NextRequest) { // ─── POST ───────────────────────────────────────────────────────────────────── export async function POST(request: NextRequest) { try { - const supabase = await createClient(); + // Cron bypass: scheduled scans send x-cron-secret and run with service-role + // privileges (RLS bypass) so the scan can read/write admin-protected tables. + const cronSecret = request.headers.get('x-cron-secret'); + const isCron = + !!process.env.CRON_SECRET && cronSecret === process.env.CRON_SECRET; + const supabase = isCron ? createAdminClient() : await createClient(); const body = await request.json(); const { action } = body;