diff --git a/lib/ci-debug.sh b/lib/ci-debug.sh
index dd8a0a5..4fa15ba 100755
--- a/lib/ci-debug.sh
+++ b/lib/ci-debug.sh
@@ -17,11 +17,6 @@ REPO="${FORGE_REPO}"
 API="${WOODPECKER_SERVER}/api/repos/${WOODPECKER_REPO_ID}"
 
 api() {
-  # Validate API URL to prevent URL injection
-  if ! validate_url "$API"; then
-    echo "ERROR: API URL validation failed - possible URL injection attempt" >&2
-    return 1
-  fi
   curl -sf -H "Authorization: Bearer ${WOODPECKER_TOKEN}" "${API}/$1"
 }
 
diff --git a/lib/env.sh b/lib/env.sh
index 0c7a71b..cfaa523 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -144,62 +144,10 @@ log() {
   printf '[%s] %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*"
 }
 
-# =============================================================================
-# URL VALIDATION HELPER
-# =============================================================================
-# Validates that a URL variable matches expected patterns to prevent
-# URL injection or redirection attacks (OWASP URL Redirection prevention).
-# Returns 0 if valid, 1 if invalid.
-# =============================================================================
-validate_url() {
-  local url="$1"
-  local allowed_hosts="${2:-}"
-
-  # Must start with http:// or https://
-  if [[ ! "$url" =~ ^https?:// ]]; then
-    return 1
-  fi
-
-  # Extract host and reject if it contains @ (credential injection)
-  if [[ "$url" =~ ^https?://[^@]+@ ]]; then
-    return 1
-  fi
-
-  # If allowed_hosts is specified, validate against it
-  if [ -n "$allowed_hosts" ]; then
-    local host
-    host=$(echo "$url" | sed -E 's|^https?://([^/:]+).*|\1|')
-    local valid=false
-    for allowed in $allowed_hosts; do
-      if [ "$host" = "$allowed" ]; then
-        valid=true
-        break
-      fi
-    done
-    if [ "$valid" = false ]; then
-      return 1
-    fi
-  fi
-
-  return 0
-}
-
-# =============================================================================
-# FORGE API HELPER
-# =============================================================================
-# Usage: forge_api GET /issues?state=open
-# Validates FORGE_API before use to prevent URL injection attacks.
-# =============================================================================
+# Forge API helper — usage: forge_api GET /issues?state=open
 forge_api() {
   local method="$1" path="$2"
   shift 2
-
-  # Validate FORGE_API to prevent URL injection
-  if ! validate_url "$FORGE_API"; then
-    echo "ERROR: FORGE_API validation failed - possible URL injection attempt" >&2
-    return 1
-  fi
-
   curl -sf -X "$method" \
     -H "Authorization: token ${FORGE_TOKEN}" \
     -H "Content-Type: application/json" \
@@ -231,23 +179,13 @@ forge_api_all() {
   done
   printf '%s' "$all_items"
 }
+# Backwards-compat alias
+codeberg_api_all() { forge_api_all "$@"; }
 
-# =============================================================================
-# WOODPECKER API HELPER
-# =============================================================================
-# Usage: woodpecker_api /repos/{id}/pipelines
-# Validates WOODPECKER_SERVER before use to prevent URL injection attacks.
-# =============================================================================
+# Woodpecker API helper
 woodpecker_api() {
   local path="$1"
   shift
-
-  # Validate WOODPECKER_SERVER to prevent URL injection
-  if ! validate_url "$WOODPECKER_SERVER"; then
-    echo "ERROR: WOODPECKER_SERVER validation failed - possible URL injection attempt" >&2
-    return 1
-  fi
-
   curl -sfL \
     -H "Authorization: Bearer ${WOODPECKER_TOKEN}" \
     "${WOODPECKER_SERVER}/api${path}" "$@"