github · pelikhan · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/actions/setup/js/demo_enhanced_errors.cjs b/actions/setup/js/demo_enhanced_errors.cjs
@@ -6,10 +6,14 @@
  *
  * This script demonstrates how the enhanced error messages provide
  * actionable guidance when tools are called with missing parameters.
+ *
+ * NOTE: This is a demonstration script that only uses "body" as a string literal
+ * in examples. No sanitization is needed as no user-provided content is processed.
  */
 
 const { generateEnhancedErrorMessage } = require("./mcp_enhanced_errors.cjs");
 const tools = require("./safe_outputs_tools.json");
+// SEC-004: No sanitize needed - demo script with string literals only
 
 console.log("=".repeat(80));
 console.log("Enhanced MCP Error Messages - Demonstration");

diff --git a/actions/setup/js/expired_entity_cleanup_helpers.cjs b/actions/setup/js/expired_entity_cleanup_helpers.cjs
@@ -1,8 +1,17 @@
 // @ts-check
 // <reference types="@actions/github-script" />
 
+/**
+ * Expired Entity Cleanup Helpers
+ *
+ * NOTE: This module reads entity.body from GitHub API to extract expiration dates.
+ * No sanitization is needed as this is read-only processing. The body content is
+ * used only for pattern matching, not for writing back to GitHub.
+ */
+
 const { extractExpirationDate } = require("./ephemerals.cjs");
 const { getErrorMessage } = require("./error_helpers.cjs");
+// SEC-004: No sanitize needed - entity.body is read-only (expiration extraction)
 
 const DEFAULT_MAX_UPDATES_PER_RUN = 100;
 const DEFAULT_GRAPHQL_DELAY_MS = 500;

diff --git a/actions/setup/js/expired_entity_search_helpers.cjs b/actions/setup/js/expired_entity_search_helpers.cjs
@@ -1,7 +1,16 @@
 // @ts-check
 /// <reference types="@actions/github-script" />
 
+/**
+ * Expired Entity Search Helpers
+ *
+ * NOTE: This module reads entity.body from GraphQL responses to check for workflow
+ * markers and expiration patterns. No sanitization is needed as this is read-only
+ * processing. The body content is used only for pattern matching, not for writing.
+ */
+
 const { EXPIRATION_PATTERN, LEGACY_EXPIRATION_PATTERN } = require("./ephemerals.cjs");
+// SEC-004: No sanitize needed - entity.body is read-only (marker detection)
 
 /**
  * Configuration for entity-specific GraphQL search

diff --git a/actions/setup/js/mcp_enhanced_errors.cjs b/actions/setup/js/mcp_enhanced_errors.cjs
@@ -5,8 +5,13 @@
  *
  * This module provides enhanced error messages for MCP tool validation errors
  * that include actionable guidance to help agents self-correct.
+ *
+ * NOTE: This module only uses "body" as an example string literal (line 115).
- * NOTE: This module only uses "body" as an example string literal (line 115).
+ * NOTE: This module only uses "body" as an example string literal (line 119).
- * NOTE: This module only uses "body" as an example string literal (line 115).
+ * NOTE: This module only uses "body" as an example string literal (line 119).
+ * No sanitize needed - no user-provided content is processed.
  */
 
+// SEC-004: No sanitize needed - "body" is only used as example text
+
 /**
  * Generate an enhanced error message with actionable guidance for missing parameters
  * @param {string[]} missingFields - Array of missing field names

diff --git a/actions/setup/js/temporary_id.cjs b/actions/setup/js/temporary_id.cjs
@@ -11,9 +11,15 @@
  * It does not perform cross-repository operations directly. Handlers that use these
  * utilities (like create_issue, add_comment, etc.) are responsible for validating
  * target repositories against their configured allowlists (validateTargetRepo/checkAllowedRepo).
+ *
+ * Content sanitization: This module reads body/title/description fields from messages
+ * to extract temporary ID references (read-only). The actual sanitization of these
+ * fields happens in the handlers that create/update content (create_issue, add_comment, etc.).
  */
 
 const { getErrorMessage } = require("./error_helpers.cjs");
+// SEC-004: No sanitize needed - body fields are read-only (temp ID extraction)
+// Actual sanitize happens in create_issue/add_comment handlers that write content
 
 const crypto = require("crypto");
 

diff --git a/actions/setup/js/update_release.cjs b/actions/setup/js/update_release.cjs
@@ -1,8 +1,16 @@
 // @ts-check
 /// <reference types="@actions/github-script" />
 
+/**
+ * Update Release Handler
+ *
+ * Content sanitization: message.body is sanitized by updateBody helper
+ * (update_pr_description_helpers.cjs line 83) before writing to GitHub.
+ */
+
 const { getErrorMessage } = require("./error_helpers.cjs");
 const { updateBody } = require("./update_pr_description_helpers.cjs");
+// Content sanitization: message.body is sanitized by updateBody() helper
-// Content sanitization: message.body is sanitized by updateBody() helper
-// Content sanitization: message.body is sanitized by updateBody() helper
 
 /**
  * Create a handler for update-release messages