fix(webhook): validate URL before sending

Skip sending webhook if URL contains unexpanded $VAR or doesn't
start with http:// or https://. Logs a warning with job_id and URL.

Author: aster-void

src/actor/job/executor.rs

@@ -111,7 +111,26 @@ pub async fn execute_job(job: &Job, sot_path: &PathBuf, runner: &RunnerConfig) -
 
         let runner_env = load_runner_env_vars(sot_path, runner);
         for webhook in &job.webhook {
-            send_webhook(&webhook.to_url(runner_env.as_ref()), &payload).await;
+            let url = webhook.to_url(runner_env.as_ref());
+            if url.contains('$') {
+                warn!(
+                    target: "rollcron::webhook",
+                    job_id = %job.id,
+                    url = %url,
+                    "Webhook URL contains unexpanded variable, skipping"
+                );
+                continue;
+            }
+            if !url.starts_with("http://") && !url.starts_with("https://") {
+                warn!(
+                    target: "rollcron::webhook",
+                    job_id = %job.id,
+                    url = %url,
+                    "Webhook URL must start with http:// or https://, skipping"
+                );
+                continue;
+            }
+            send_webhook(&url, &payload).await;
         }
     }
 

src/config.rs

@@ -1025,4 +1025,17 @@ jobs:
             "https://discord.com/api/webhooks/from_env"
         );
     }
+
+    #[test]
+    fn webhook_undefined_env_var_kept_as_is() {
+        let env_vars = HashMap::new(); // empty
+
+        let webhook = WebhookConfig {
+            webhook_type: "discord".to_string(),
+            url: "$UNDEFINED_VAR".to_string(),
+        };
+
+        // Undefined vars are kept as-is (caller should validate)
+        assert_eq!(webhook.to_url(Some(&env_vars)), "$UNDEFINED_VAR");
+    }
 }