From f02f8211c6ec2d0f111819b9273baff3fe7b4e62 Mon Sep 17 00:00:00 2001
From: mantrakp04
Date: Wed, 17 Jun 2026 10:01:07 -0700
Subject: [PATCH] fix: build authHeaders via Map in rewrite-template-source route
Per team dynamic-key-object rule (greptile P2): accumulate the forwarded x-stack-*/x-hexclave-* auth headers in a Map to avoid prototype-pollution risk, then convert to a plain object at the call boundary into rewriteTemplateSourceWithAI.
---
 .../api/latest/internal/rewrite-template-source/route.tsx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/apps/backend/src/app/api/latest/internal/rewrite-template-source/route.tsx b/apps/backend/src/app/api/latest/internal/rewrite-template-source/route.tsx
index d0c6c73ba..93bec5d7f 100644
--- a/apps/backend/src/app/api/latest/internal/rewrite-template-source/route.tsx
+++ b/apps/backend/src/app/api/latest/internal/rewrite-template-source/route.tsx
@@ -31,14 +31,15 @@ export const POST = createSmartRouteHandler({
 // (which is a fresh HTTP request to /ai/query/generate) is authenticated
 // and resolves to the authenticated model tier rather than falling back
 // to the unauthenticated one.
- const authHeaders: Record = {};
+ const authHeadersMap = new Map();
 for (const [key, value] of Object.entries(fullReq.headers)) {
 if (value == null) continue;
 const lower = key.toLowerCase();
 if (lower.startsWith("x-stack-") || lower.startsWith("x-hexclave-")) {
- authHeaders[key] = value.join(",");
+ authHeadersMap.set(key, value.join(","));
 }
 }
+ const authHeaders: Record = Object.fromEntries(authHeadersMap);
 const rewriteResult = await rewriteTemplateSourceWithAI(body.template_tsx_source, authHeaders);
 if (rewriteResult.status === "error") {
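Review bot: The prefix test on `lower` is what keeps keys such as `__proto__` or `constructor` out of `authHeaders`, and it already did so before this change; the Map only defers the write, and `Object.fromEntries(authHeadersMap)` still returns an ordinary object backed by `Object.prototype`. I would record that beside the filter, e.g. `// keys are limited to the x-stack-/x-hexclave- prefixes, so no prototype-bearing key can reach authHeaders`, so that a later edit which loosens the filter does not lean on the Map for safety. Separately, the loop forwards every client-supplied header carrying either prefix rather than a named set; if the inner request to /ai/query/generate needs only specific auth headers, an explicit allowlist would be the least-privilege form, though whether that matters depends on code outside this hunk. The POST handler body starts before and continues after the lines shown.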