fix: close CRON_SECRET fail-open auth in check-renders + sponsor-outreach

When CRON_SECRET env var is undefined, the auth check compared against
'Bearer undefined' — an attacker could bypass auth by sending that header.

Now checks !cronSecret first and returns 503 if not configured, matching
the pattern already applied to check-research and ingest routes.

Author: Miriad

app/api/cron/check-renders/route.ts

@@ -527,8 +527,13 @@ async function handleStuckDocs(client: SanityClient): Promise<{ audioGen: number
  */
 export async function GET(request: NextRequest) {
   // Auth check
+  const cronSecret = process.env.CRON_SECRET;
+  if (!cronSecret) {
+    console.error('[PIPELINE] CRON_SECRET not configured');
+    return Response.json({ error: 'Server misconfigured' }, { status: 503 });
+  }
   const authHeader = request.headers.get('authorization');
-  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {
+  if (authHeader !== `Bearer ${cronSecret}`) {
     console.error('[PIPELINE] Unauthorized cron request');
     return Response.json({ error: 'Unauthorized' }, { status: 401 });
   }

app/api/cron/sponsor-outreach/route.ts

@@ -11,8 +11,13 @@ const COOLDOWN_DAYS = 14
 
 export async function POST(request: Request) {
   // Auth: Bearer token check against CRON_SECRET
+  const cronSecret = process.env.CRON_SECRET;
+  if (!cronSecret) {
+    console.error('[SPONSOR] CRON_SECRET not configured');
+    return new Response('Server misconfigured', { status: 503 });
+  }
   const authHeader = request.headers.get('authorization')
-  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {
+  if (authHeader !== `Bearer ${cronSecret}`) {
     console.error('[SPONSOR] Outreach cron: unauthorized request')
     return new Response('Unauthorized', { status: 401 })
   }