feat: add error reporting token validation and update documentation

api/report-error.js

@@ -1,6 +1,7 @@
 const MAX_BODY_SIZE = 10000
 const MAX_TEXT = 900
 const MAX_FIELD = 120
+const AUTH_HEADER = 'x-error-report-token'
 
 function isPlainObject(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value)
@@ -57,11 +58,26 @@ module.exports = async function handler(req, res) {
     }
 
     const webhookUrl = process.env.DISCORD_WEBHOOK_URL
+    const authToken = process.env.ERROR_REPORT_TOKEN
+
     if (!webhookUrl) {
         res.status(500).json({ error: 'Webhook not configured' })
         return
     }
 
+    if (!authToken) {
+        res.status(500).json({ error: 'Reporting token not configured' })
+        return
+    }
+
+    const providedHeader = req.headers?.[AUTH_HEADER]
+    const providedToken = Array.isArray(providedHeader) ? providedHeader[0] : providedHeader
+
+    if (!providedToken || providedToken !== authToken) {
+        res.status(401).json({ error: 'Unauthorized' })
+        return
+    }
+
     let body
     try {
         body = await readJsonBody(req)

docs/error-reporting.md

@@ -1,17 +1,18 @@
 # Error Reporting API
 
 ## What it does
-Accepts structured error reports and forwards them to Discord in a clean format.
+Accepts structured error reports and forwards them to Discord in a clean format. Submissions require a shared secret header so random users cannot spam your webhook.
 
 ## How to use
-- Set `DISCORD_WEBHOOK_URL` in your environment.
+- Set `DISCORD_WEBHOOK_URL` and `ERROR_REPORT_TOKEN` in your environment (e.g., Vercel project settings → Environment Variables).
-- Send a POST request to `/api/report-error` with JSON that includes at least `error`.
+- Send a POST request to `/api/report-error` with header `x-error-report-token: <your token>` and JSON that includes at least `error`.
 - Optional fields: `summary`, `type`, `metadata` (object), `environment` (string or object with `name`).
 
 ## Example
 ```bash
 curl -X POST https://your-deployment.vercel.app/api/report-error \
   -H "Content-Type: application/json" \
+  -H "x-error-report-token: YOUR_TOKEN" \
   -d '{"error":"Search job failed","type":"search","metadata":{"account":"user@contoso.com"}}'
 ```
 

docs/scheduling.md

@@ -7,6 +7,8 @@ Runs the bot automatically at set times.
 - Turn on scheduling in `src/config.jsonc` under `scheduling.enabled`.
 - Choose a time using the cron or Task Scheduler fields already in the config.
 - Leave the machine or container running so the schedule can trigger.
+- Check the console after start: it prints the next run time. If you close the window or stop the container, the scheduler stops.
+- Serverless hosts (e.g., Vercel) will not keep the scheduler alive; run on a machine or container that stays on.
 
 ## Example
 ```jsonc