146691be00
The middleware matcher intercepts /api/cron/* but the prefix was absent from publicPaths, so unauthenticated scheduler calls were 307'd to /login and the cron handlers never ran. All 9 cron routes already enforce x-cron-secret, so opening the prefix is safe and unblocks the new final-document-reminders cron (and repairs the existing crons). Same class of gap as the /lunch/pick fix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>