fix: apply 10 Shipwell audit findings #55

Status: Closed
manasdutta04 wants to merge 1 commit into main from shipwell/fix-audit-1771152049847

Conversation

@manasdutta04 (Owner)

🛠️ Shipwell Auto-Fix: audit

Automated fixes generated by Shipwell analysis.

✅ Applied Fixes (10)

| Severity | Finding | Files |
|---|---|---|
| ⚪ info | Wildcard CORS on API Proxy Allows Unauthorized API Abuse | api-proxy/vercel.json, api-proxy/api/chat.js, src/planner/providers/groq.ts |
| ⚪ info | XSS Vulnerability in Template Browser Webview via Unsanitized Template Data | src/templates/templateBrowser.ts, src/templates/templateManager.ts |
| ⚪ info | XSS via Inline Event Handlers in HistoryView Webview | src/version-control/HistoryView.ts, src/version-control/VersionManager.ts |
| ⚪ info | Path Traversal Vulnerability in VersionManager.getVersion | src/version-control/VersionManager.ts, src/version-control/HistoryView.ts |
| ⚪ info | Prompt Injection via Unescaped User Input in AI Prompts | src/planner/providers/gemini.ts, src/planner/providers/groq.ts, src/planner/providers/ollama.ts +1 more |
| ⚪ info | Sensitive Environment Variable Loading with Debug Logging | src/extension.ts, src/utils/logger.ts |
| ⚪ info | No Input Validation on Proxy Request Body Parameters | api-proxy/api/chat.js |
| ⚪ info | Missing Content Security Policy in Webview Panels | src/version-control/HistoryView.ts, src/templates/templateBrowser.ts |
| ⚪ info | Hardcoded Proxy URL Exposes Infrastructure Details | src/planner/providers/groq.ts |
| ⚪ info | HTML Export Vulnerable to Script Injection via Plan Content | src/extension.ts |
Finding details

⚪ Wildcard CORS on API Proxy Allows Unauthorized API Abuse

Category: security
Files: api-proxy/vercel.json, api-proxy/api/chat.js, src/planner/providers/groq.ts

⚪ XSS Vulnerability in Template Browser Webview via Unsanitized Template Data

Category: security
Files: src/templates/templateBrowser.ts, src/templates/templateManager.ts

⚪ XSS via Inline Event Handlers in HistoryView Webview

Category: security
Files: src/version-control/HistoryView.ts, src/version-control/VersionManager.ts

⚪ Path Traversal Vulnerability in VersionManager.getVersion

Category: security
Files: src/version-control/VersionManager.ts, src/version-control/HistoryView.ts

⚪ Prompt Injection via Unescaped User Input in AI Prompts

Category: security
Files: src/planner/providers/gemini.ts, src/planner/providers/groq.ts, src/planner/providers/ollama.ts, src/planner/refiner.ts

⚪ Sensitive Environment Variable Loading with Debug Logging

Category: data-exposure
Files: src/extension.ts, src/utils/logger.ts

⚪ No Input Validation on Proxy Request Body Parameters

Category: security
Files: api-proxy/api/chat.js

⚪ Missing Content Security Policy in Webview Panels

Category: security
Files: src/version-control/HistoryView.ts, src/templates/templateBrowser.ts

⚪ Hardcoded Proxy URL Exposes Infrastructure Details

Category: data-exposure
Files: src/planner/providers/groq.ts

⚪ HTML Export Vulnerable to Script Injection via Plan Content

Category: security
Files: src/extension.ts

❌ Failed (2)

  • ⚪ Information Leakage: Internal Error Messages Exposed to Clients — Could not match hunk at line 65 in api-proxy/api/chat.js
  • ⚪ Process Environment Pollution via .env File Loading — Could not match hunk at line 34 in src/extension.ts

Generated by Shipwell 🚢

@vercel

vercel Bot commented Feb 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| layr | Ready | Preview, Comment | Feb 15, 2026 10:41am |

@github-actions

Hi @manasdutta04! 👋

Thanks for contributing to layr! 🎉
We appreciate your effort and will review your changes soon.
Please star the repo if you like it!
👤 Follow the owner for updates.

@github-actions

PR Closed

Thanks for your interest, @manasdutta04. Even though this wasn't merged, we appreciate the effort!
Please star the repo if you like it!
👤 Follow the owner for updates.

@manasdutta04 manasdutta04 added the invalid This doesn't seem right label Feb 15, 2026
@manasdutta04 manasdutta04 deleted the shipwell/fix-audit-1771152049847 branch February 15, 2026 12:41