# IRDB scheduler — busybox crond schedule.
#
# Drives /internal/jobs/tick once a minute. The api dispatches whichever
# periodic jobs are due (recompute-scores, cleanup-audit, enrich-pending,
# refresh-geoip). job_locks mediates between replicas so duplicate ticks
# are correct but wasteful.
#
# -m 280 caps the request below the 1-minute cadence so we never queue
# overlapping ticks.
#
# SEC_REVIEW F25: target localhost — the scheduler service uses
# `network_mode: "service:api"` so it shares the api container's network
# namespace and reaches FrankenPHP via loopback. The api's /internal/*
# gate is now loopback-only on both Caddy and PHP layers; reaching it
# from a sibling docker-bridge peer (the previous `http://api:8081`
# routing) would 404.
* * * * * curl -sf -m 280 -X POST -H "Authorization: Bearer $INTERNAL_JOB_TOKEN" http://localhost:8081/internal/jobs/tick > /dev/null