From 94c4ef93bdf8a5f61f1282b64d0a75f98a011bc9 Mon Sep 17 00:00:00 2001
From: mibali
Date: Mon, 4 May 2026 18:20:53 +0100
Subject: [PATCH 1/2] fix: prevent setNativeValue throw on number/date inputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove input[type="number"] from fieldSelector — number fields accept numeric input only and should not receive AI-generated text answers
- Wrap HTMLInputElement prototype setter call in try/catch so that any remaining constrained input types (date, range, etc.) fail silently via el.value fallback instead of throwing a DOMException
Co-Authored-By: Claude Sonnet 4.6
---
 extension-ready/content.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/extension-ready/content.js b/extension-ready/content.js
index 2224597..57badd5 100644
--- a/extension-ready/content.js
+++ b/extension-ready/content.js
@@ -596,7 +596,6 @@ class DraftApplyExtension {
 return 'textarea,' +
 'input:not([type]),' +
 'input[type="text"],input[type="email"],input[type="tel"],input[type="search"],input[type="url"],' +
- 'input[type="number"],' +
 '[contenteditable="true"],[role="textbox"]';
 }
@@ -1204,7 +1203,12 @@ class DraftApplyExtension {
 if (el instanceof HTMLInputElement) {
 const setter = Object.getOwnPropertyDescriptor(HTMLInputElement.prototype, 'value')?.set;
- setter?.call(el, value);
+ try {
+ setter?.call(el, value);
+ } catch {
+ // number/date/range inputs throw when value doesn't conform to their type
+ el.value = value;
+ }
 return;
 }
 }
From a222b68ac2c56d2e905c51e09c2f151bdbf4ad00 Mon Sep 17 00:00:00 2001
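Review bot: In the `@@ -1204,7 +1203,12 @@` hunk of extension-ready/content.js, the new `catch` retries with `el.value = value`, which normally reaches the same `HTMLInputElement.prototype` value setter that just threw, so the retry can throw again inside the handler and escape uncaught. Under the HTML value-sanitization rules, number/date/range inputs normally reduce a non-conforming value to an empty string rather than throwing, while the setter does throw for `type="file"`, so the comment may name the wrong input types; it is worth confirming which element produced the DOMException. Because this content script writes generated text into page-controlled inputs, I would decide by type before writing, `if (el.type === 'file') return;`, and detect silent rejection afterwards with `if (el.value !== String(value)) { /* field rejected the value; report it as unfilled */ }`. The bare `catch` also hides unrelated errors, and the enclosing method starts and ends outside the hunk.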
From: mibali
Date: Mon, 4 May 2026 18:21:58 +0100
Subject: [PATCH 2/2] fix: expose RateLimit-Reset header via CORS so clients can read retry time
cors() with no options doesn't set Access-Control-Expose-Headers, so the browser strips RateLimit-* headers before fetch can read them. Expose all four rate limit headers so the extension's rateLimitError() helper can show the user the exact time they can retry.
Co-Authored-By: Claude Sonnet 4.6
---
 render-proxy/server.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/render-proxy/server.js b/render-proxy/server.js
index c29d9c2..b5875e4 100644
--- a/render-proxy/server.js
+++ b/render-proxy/server.js
@@ -38,7 +38,9 @@ if (!GROQ_API_KEY || !TOKEN_SECRET) {
 const app = express();
 app.disable('x-powered-by');
 app.use(helmet());
-app.use(cors());
+app.use(cors({
+ exposedHeaders: ['RateLimit-Limit', 'RateLimit-Remaining', 'RateLimit-Reset', 'RateLimit-Policy']
+}));
 app.use(express.json({ limit: '1mb' }));
 function base64url(buf) {
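Review bot: `cors({ exposedHeaders: [...] })` still sets no `origin`, so the proxy keeps the package default of allowing every origin while now also letting any page read the limiter state. The commit message names the extension as the client, so consider pinning it, e.g. `origin: 'chrome-extension://<EXTENSION_ID>'` (placeholder), keeping in mind that CORS only constrains browsers and the token check remains the real access control. If the limiter also sends `Retry-After` on a 429 (its setup is outside this hunk), that header is not CORS-safelisted either and would need adding to the list. The four names only help if the limiter is configured to emit separate `RateLimit-*` headers, which should be confirmed against its configuration.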