Addresses egilewski (Codex) CR on PR #52351: the run_job() credential-exfil backstop caught every exception around _validate_cron_base_url() and set err = None, so an unexpected validator/import error let an unvetted stored provider/base_url pair reach resolve_runtime_provider() — the very sink this checkpoint exists to guard. A synthetic validator-exception probe with a legacy custom:legit + off-host base_url job slipped through (validator_exception ALLOW).

Now fail closed: if the validator raises and the job carries a base_url override (the exfil precondition), refuse the run. A job with no base_url override can't exfiltrate via this path — the validator would return None — so it still runs, keeping the common no-override jobs from wedging on an unrelated error. Operator fallback providers come from config, not the job, so they are unaffected.

Adds two regressions: validator-exception + base_url -> blocked; validator-exception without base_url -> still allowed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

| Name |
|---|
| scripts |
| __init__.py |
| blueprint_catalog.py |
| jobs.py |
| scheduler.py |
| scheduler_provider.py |
| suggestion_catalog.py |
| suggestions.py |