fix(security): resolve playwright goto-injection findings in JS template (INF-1647)#154

Open
cyrusagent[bot] wants to merge 1 commit into
mainfrom
cyrus/inf-1647-sast-agentql-7-playwright-goto-injection-findings
Conversation

@cyrusagent cyrusagent Bot commented Jun 12, 2026

Assignee: @KateZhang98 (kate)

Summary

Resolves the Semgrep javascript.playwright.security.audit.playwright-goto-injection finding(s) in .templates/js/template.js.

Decision: template-time, developer-provided URL

The page.goto(sessionUrl) call in this scaffold template receives its URL from top-level constants (WEBSITE_URL_1/2/3) that a developer hard-codes when generating a script. There is no runtime or untrusted input path — the values are developer-supplied scaffold input, not attacker-controllable. This matches the case the SAST hand-off explicitly endorses for a scoped suppression.

A custom allowlist/scheme guard was considered but rejected: the auto ruleset would not recognize a custom validator as a sanitizer, so the finding would persist regardless, and it would add noise to a scaffold whose URLs are static placeholders.

Change

Added a scoped, documented suppression on the single offending call site:

```js
// nosemgrep: javascript.playwright.security.audit.playwright-goto-injection -- template scaffold; sessionUrl is a developer-provided constant (WEBSITE_URL_1/2/3) set at scaffold time, never runtime/untrusted input.
await page.goto(sessionUrl);
```

The original scan (2026-05-06) reported 7 findings; these were Semgrep's taint paths tracing the 3 placeholder constants through Promise.allfetchData into the single page.goto. The repo currently has one call site, which this suppresses.

Verification

Semgrep is not installed in the agent runtime, so the scan could not be executed locally. The suppression uses the exact rule ID in the standard preceding-line nosemgrep form, which clears the finding. CI / a local semgrep scan --config=auto should now exit 0 for this file.

Closes INF-1647


Tip: I will respond to comments that @ mention @Cyrus-agent on this PR. You can also submit a review with all your feedback at once, and I will automatically wake up to address each comment.
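For readers weighing the description's alternative, here is what the rejected allowlist/scheme guard for a `page.goto()` target would look like. This is an added example, not code from this PR or the template it modifies; the PR chose the scoped suppression instead. The `ALLOWED_HOSTS` entries, the `WEBSITE_URL_*` values and the `validateGotoUrl` / `safeGoto` names are constructed placeholders, and, as the description notes, Semgrep's auto ruleset would not treat such a validator as a sanitizer, so the finding would still need a suppression.

```javascript
// Added example: scheme + host allowlist guard for a Playwright page.goto() URL.
// Not part of the PR. ALLOWED_HOSTS and WEBSITE_URL_* are constructed placeholders.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['example.com', 'docs.example.com']);

// Returns a normalized href if the target is acceptable, otherwise throws.
function validateGotoUrl(raw, { allowedHosts = ALLOWED_HOSTS } = {}) {
  let url;
  try {
    url = new URL(String(raw)); // relative or malformed strings throw here
  } catch (e) {
    throw new Error(`rejected page.goto target: not an absolute URL (${raw})`);
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    // blocks javascript:, file:, data: and similar non-web schemes
    throw new Error(`rejected page.goto target: scheme ${url.protocol} not allowed`);
  }
  if (url.username || url.password) {
    // embedded credentials are never expected in a scaffold URL
    throw new Error('rejected page.goto target: credentials in URL');
  }
  if (!allowedHosts.has(url.hostname)) {
    // hostname is already lower-cased by the URL parser
    throw new Error(`rejected page.goto target: host ${url.hostname} not in allowlist`);
  }
  return url.href;
}

// Boolean convenience wrapper for callers that prefer not to catch.
function isSafeGotoUrl(raw, opts) {
  try {
    validateGotoUrl(raw, opts);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed stand-ins for the template's developer-provided constants.
const WEBSITE_URL_1 = 'https://example.com/login';
const WEBSITE_URL_2 = 'https://docs.example.com/start';
const WEBSITE_URL_3 = 'https://example.com/dashboard';

// Guarded navigation: validate first, then hand the normalized href to Playwright.
async function safeGoto(page, raw) {
  const href = validateGotoUrl(raw);
  await page.goto(href);
  return href;
}

module.exports = { validateGotoUrl, isSafeGotoUrl, safeGoto, WEBSITE_URL_1, WEBSITE_URL_2, WEBSITE_URL_3 };
```

With this in place the scaffold would call `safeGoto(page, sessionUrl)` rather than `page.goto(sessionUrl)`; the guard rejects non-http(s) schemes, credential-bearing URLs and unlisted hosts before Playwright ever sees the value.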

…te (INF-1647)

The page.goto(sessionUrl) call in the JS scaffold template flows from
developer-provided constants (WEBSITE_URL_1/2/3) set at scaffold time,
never runtime/untrusted input. Add a scoped nosemgrep suppression with
rationale documenting the template-time decision.