Skip to content

Cron & Automation

Mitch‑Risk includes a cron endpoint that handles scheduled maintenance. An external scheduler (system cron, Kubernetes CronJob, etc.) hits this endpoint periodically.

Setup

bash
# Every 15 minutes
*/15 * * * * curl -H "X-Cron-Secret: $CRON_SECRET" https://risk.example.com/api/cron/run

CRON_SECRET is required in production — the app refuses to start without it. The endpoint returns 401 if the secret doesn't match (constant-time comparison).

Jobs (run in order)

#JobDescription
1RemindersEmails vendors when assessment is due in N days. Default offsets: 7 and 1 day before due. Configurable under Settings → Scheduling
2EscalationsEmails reviewer when assessment is overdue beyond threshold. Default: 3 days past due. Configurable under Settings → Scheduling
3Expiry noticesEmails risk owner when certification or contract is expiring. 30-day and 7-day windows
4Recurring assessmentsClones assessments set to quarterly/annual, sends new invitation, schedules next run
5Audit log pruningDeletes audit entries older than retention period (configurable)
6Email log pruningDeletes notification logs older than retention period (default: 14 days)
7Orphaned file sweepDeletes stored files not referenced by any evidence or attachment record. Grace period: files newer than 1 hour are preserved (safe for in-flight uploads)

Idempotency

All notification jobs (reminders, escalations, expiry notices) check for existing sent logs before re-sending. A job can run multiple times without duplicate emails.

Log retention

Log typeDefault retentionConfig location
Email logs14 daysSettings → Limits
Audit logsConfigurableSettings → Limits

Rate limit configuration

All abuse-protection limits are configurable under Settings → Limits:

LimitDefaultPurpose
Login attempts10/minPer-IP rate on credentials callback
Portal page loads30/minPer-visitor, prevents token scraping
Portal uploads10/minPer-visitor file upload limit
Portal submissions5/minPer-link, prevents rapid resubmission
Portal password5/minPer-link password attempt limit
Password reset1/minPer email, prevents spam
Break-glass10/minPer IP
API key default30/minPer IP, then per key prefix
Session timeout30 minIdle time before auto-logout (client-side countdown + server-enforced JWT exp)

The rate limiter is in-memory per process — sufficient for single-container deployment. For horizontal scaling, a Redis-backed limiter would be needed (not currently implemented).

Open-source, self-hosted third party vendor risk management.