Fix/50 post comment string v2

CHANGELOG.md

@@ -1,5 +1,93 @@
 # Changelog
 
+## [3.12.8](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.7...v3.12.8) (2026-04-21)
+
+
+### Miscellaneous Chores
+
+* release 3.12.8 ([5ae8569](https://github.com/ubiquity-os/plugin-sdk/commit/5ae8569de71ead132b33a6a4c96276837a3b783d))
+
+## [3.12.7](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.6...v3.12.7) (2026-04-21)
+
+
+### Miscellaneous Chores
+
+* release 3.12.7 ([814ad3e](https://github.com/ubiquity-os/plugin-sdk/commit/814ad3e14c0d63322930fa8a0dd95c722a92ed6e))
+
+## [3.12.6](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.5...v3.12.6) (2026-04-21)
+
+
+### Bug Fixes
+
+* update deno deploy metadata urls ([4b39838](https://github.com/ubiquity-os/plugin-sdk/commit/4b39838c788a4466447dbd28da37e12831bc94a2))
+* update Deno Deploy metadata urls ([e2446a2](https://github.com/ubiquity-os/plugin-sdk/commit/e2446a2c4f718488bbc97e07e85424c8e65be114))
+
+## [3.12.5](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.4...v3.12.5) (2026-04-06)
+
+
+### Bug Fixes
+
+* harden runtime manifest ref fallback ([648bd8f](https://github.com/ubiquity-os/plugin-sdk/commit/648bd8f7f493d1101d134302840cf19149f98743))
+* honor REF_NAME in runtime manifest ([4385d07](https://github.com/ubiquity-os/plugin-sdk/commit/4385d07c006850c03c4af082fadaffabfbcbefc8))
+* use REF_NAME for runtime manifest short_name ([1d2c307](https://github.com/ubiquity-os/plugin-sdk/commit/1d2c307299aeb721e899b97761dc47ac6737fcb9))
+
+## [3.12.4](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.3...v3.12.4) (2026-03-31)
+
+
+### Miscellaneous Chores
+
+* release 3.12.4 ([66eda52](https://github.com/ubiquity-os/plugin-sdk/commit/66eda521be7d45087318afcc200fc3beaf30e88f))
+
+## [3.12.3](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.2...v3.12.3) (2026-03-31)
+
+
+### Bug Fixes
+
+* derive manifest metadata from Deno runtime ([0787e10](https://github.com/ubiquity-os/plugin-sdk/commit/0787e103bd4b4b7b0679981317289b502454aa21))
+* handle relative runtime manifest urls ([67fd72e](https://github.com/ubiquity-os/plugin-sdk/commit/67fd72e782e0eb7bc1b99642e0d4c6fa59176556))
+
+## [3.12.2](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.1...v3.12.2) (2026-03-18)
+
+
+### Bug Fixes
+
+* lower configuration parse log verbosity ([1df2ad4](https://github.com/ubiquity-os/plugin-sdk/commit/1df2ad427cde69facd54be26519aef96bbb7da4e))
+* lower configuration parse log verbosity ([b653fa5](https://github.com/ubiquity-os/plugin-sdk/commit/b653fa56a0e16f799c0c3c5399d8fe18f9e63c22))
+
+## [3.12.1](https://github.com/ubiquity-os/plugin-sdk/compare/v3.12.0...v3.12.1) (2026-03-18)
+
+
+### Bug Fixes
+
+* normalize root URL manifest lookups ([d611e7f](https://github.com/ubiquity-os/plugin-sdk/commit/d611e7fb0f0d3ab2ae7a8c551f3aac4b96415413))
+
+## [3.12.0](https://github.com/ubiquity-os/plugin-sdk/compare/v3.11.2...v3.12.0) (2026-02-02)
+
+
+### Features
+
+* add llm retry helper ([2b6d1cc](https://github.com/ubiquity-os/plugin-sdk/commit/2b6d1cc9bc383107a6767fbcb9459fc7e59d56db))
+
+
+### Bug Fixes
+
+* handle string HTTP status codes in retry status extraction ([29c4d32](https://github.com/ubiquity-os/plugin-sdk/commit/29c4d3241bc4832af6a06db95af2da4f4a41ba01))
+
+## [3.11.2](https://github.com/ubiquity-os/plugin-sdk/compare/v3.11.1...v3.11.2) (2026-01-29)
+
+
+### Bug Fixes
+
+* export config schema ([54ac560](https://github.com/ubiquity-os/plugin-sdk/commit/54ac56022c57003c366dd236a385b95d2784584f))
+* export config schema ([e50a7d0](https://github.com/ubiquity-os/plugin-sdk/commit/e50a7d07cd4aa6fc446c5396433a9542391132bd))
+
+## [3.11.1](https://github.com/ubiquity-os/plugin-sdk/compare/v3.11.0...v3.11.1) (2026-01-28)
+
+
+### Miscellaneous Chores
+
+* release 3.11.1 ([82bc373](https://github.com/ubiquity-os/plugin-sdk/commit/82bc373ee0958456ec3c5d19d4d01be16190b19b))
+
 ## [3.11.0](https://github.com/ubiquity-os/plugin-sdk/compare/v3.10.0...v3.11.0) (2026-01-26)
 
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ubiquity-os/plugin-sdk",
-  "version": "3.11.0",
+  "version": "3.12.8",
   "description": "SDK for plugin support.",
   "author": "Ubiquity DAO",
   "license": "MIT",

src/comment.ts

@@ -379,7 +379,7 @@
 
   async postComment(
     context: Context,
-    message: LogReturn | Error,
+    message: LogReturn | Error | string,
     options: CommentOptions = { updateComment: true, raw: false }
   ): Promise<WithIssueNumber<PostedGithubComment> | null> {
     await this._applyCommandResponsePolicy(context);
@@ -390,8 +390,13 @@
       return null;
     }
 
+    // Convert string to LogReturn-like object
+    const logMessage: LogReturn | Error = typeof message === "string"
+      ? ({ raw: message, diff: message, metadata: {} } as LogReturn)
+      : message;
+
     const shouldTagCommandResponse = this._shouldApplyCommandResponsePolicy(context);
-    const body = this._createCommentBody(context, message, {
+    const body = this._createCommentBody(context, logMessage, {
       ...options,
       commentKind: options.commentKind ?? (shouldTagCommandResponse ? COMMAND_RESPONSE_KIND : undefined),
     });

src/util.ts

@@ -21,7 +21,17 @@ export interface Options<TEnvSchema extends TSchema = TAnySchema, TSettingsSchem
 }
 
 export function sanitizeMetadata(obj: LogReturn["metadata"]): string {
-  return JSON.stringify(obj, null, 2).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/--/g, "&#45;&#45;");
+  if (!obj) return "null";
+  // Extract callstack-related fields that should be preserved unescaped for linking
+  const { stack, callstack, caller, ...content } = obj;
+  // Escape content fields normally
+  const escapedContent = JSON.stringify(content, null, 2).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/--/g, "&#45;&#45;");
+  const contentObj = JSON.parse(escapedContent);
+  // Merge callstack fields back without additional escaping (they are safe values)
+  if (stack !== undefined) contentObj.stack = stack;
+  if (callstack !== undefined) contentObj.callstack = callstack;
+  if (caller !== undefined) contentObj.caller = caller;
+  return JSON.stringify(contentObj, null, 2);
 }
 
 /**

tests/sanitize-metadata.test.ts

@@ -0,0 +1,45 @@
+import { describe, expect, it } from "@jest/globals";
+import { sanitizeMetadata } from "../src/util";
+
+describe("sanitizeMetadata", () => {
+  it("escapes dangerous characters in content fields", () => {
+    const obj = {
+      message: "<script>alert('xss')</script>",
+      status: 200,
+    };
+    const result = sanitizeMetadata(obj);
+    expect(result).toContain("&lt;script&gt;");
+    expect(result).not.toContain("<script>");
+    expect(result).toContain("200");
+  });
+
+  it("does not escape stack, callstack, or caller fields", () => {
+    const obj = {
+      message: "Error occurred",
+      stack: "Error: msg\n    at foo (file.js:10:5)\n    at bar (file.js:20:10)",
+      callstack: ["foo", "bar"],
+      caller: "myFunction",
+    };
+    const result = sanitizeMetadata(obj);
+    // stack should NOT be escaped (no &lt;/&gt;)
+    expect(result).toContain('"stack":');
+    expect(result).toContain("(file.js:10:5)");
+    expect(result).toContain("callstack");
+    expect(result).toContain("caller");
+    // content message should be escaped if it had special chars
+    expect(result).toContain("Error occurred");
+  });
+
+  it("handles null/undefined gracefully", () => {
+    expect(sanitizeMetadata(null)).toBe("null");
+    expect(sanitizeMetadata(undefined)).toBe("null");
+  });
+
+  it("escapes double-dash sequences in content", () => {
+    const obj = {
+      message: "text with -- double dash",
+    };
+    const result = sanitizeMetadata(obj);
+    expect(result).toContain("&#45;&#45;");
+  });
+});