diff --git a/.github/workflows/bottube-digest-bot.yml b/.github/workflows/bottube-digest-bot.yml
index d5a0cdfd2..0699e46b1 100644
--- a/.github/workflows/bottube-digest-bot.yml
+++ b/.github/workflows/bottube-digest-bot.yml
@@ -7,32 +7,32 @@ on:
 schedule:
 - cron: '0 9 * * MON'
- # Allow manual trigger from GitHub Actions tab
- workflow_dispatch:
- inputs:
- dry_run:
- description: 'Run in dry-run mode (no actual sends)'
- required: false
- default: 'false'
- type: choice
- options:
- - 'true'
- - 'false'
- send_discord:
- description: 'Send to Discord'
- required: false
- default: 'true'
- type: boolean
- send_telegram:
- description: 'Send to Telegram'
- required: false
- default: 'false'
- type: boolean
- send_email:
- description: 'Send via Email'
- required: false
- default: 'false'
- type: boolean
+ # Manual trigger disabled (requires secrets not configured in this fork)
+ # workflow_dispatch:
+ # inputs:
+ # dry_run:
+ # description: 'Run in dry-run mode (no actual sends)'
+ # required: false
+ # default: 'false'
+ # type: choice
+ # options:
+ # - 'true'
+ # - 'false'
+ # send_discord:
+ # description: 'Send to Discord'
+ # required: false
+ # default: 'true'
+ # type: boolean
+ # send_telegram:
+ # description: 'Send to Telegram'
+ # required: false
+ # default: 'false'
+ # type: boolean
+ # send_email:
+ # description: 'Send via Email'
+ # required: false
+ # default: 'false'
+ # type: boolean
 jobs:
 send-digest:
diff --git a/node/sophia_governor_review_service.py b/node/sophia_governor_review_service.py
index 79e01c5f3..a7041d540 100644
--- a/node/sophia_governor_review_service.py
+++ b/node/sophia_governor_review_service.py
@@ -12,6 +12,7 @@ import json
 import os
+import hmac
 import re
 import sqlite3
 import time
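Review bot: In `.github/workflows/bottube-digest-bot.yml` the `schedule` trigger stays active while only `workflow_dispatch` is commented out, so if the secrets are missing in this fork, as the new comment says, the weekly cron run of `send-digest` would presumably still start without them. A job-level guard such as `if: github.repository == '<OWNER>/<REPO>'` (placeholder value) would skip the job in forks without leaving a block of commented-out YAML behind. This workflow change is also unrelated to the `hmac.compare_digest` fix in the same diff and would be easier to review and revert as its own commit. The `send-digest` job body is outside the hunk.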
@@ -142,7 +143,7 @@ def _is_authorized(req) -> bool:
 required_admin = os.getenv("RC_ADMIN_KEY", "").strip()
 if required_admin:
 provided_admin = (req.headers.get("X-Admin-Key") or req.headers.get("X-API-Key") or "").strip()
- if provided_admin == required_admin:
+ if hmac.compare_digest(provided_admin, required_admin):
 return True
 auth_header = (req.headers.get("Authorization") or "").strip()
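Review bot: `hmac.compare_digest` raises `TypeError` when either `str` argument contains non-ASCII characters, and `provided_admin` is taken directly from the `X-Admin-Key` / `X-API-Key` header, so a request carrying a non-ASCII key value would raise inside `_is_authorized` instead of being denied. Comparing bytes avoids that: `if hmac.compare_digest(provided_admin.encode("utf-8"), required_admin.encode("utf-8")):`. The `Authorization` header path that begins on the last context line continues outside the hunk; if it compares a token with `==`, it should get the same constant-time comparison.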