
feat: add sort functionality for top-level comments #122

Merged
olliethedev merged 2 commits into main from fix/comments-order
Apr 21, 2026

Conversation

olliethedev (Collaborator) commented Apr 21, 2026

Summary

  • add sort functionality for top-level comments

Type of change

  • Bug fix
  • New plugin
  • Feature / enhancement to an existing plugin
  • Documentation
  • Chore / refactor / tooling

Checklist

  • pnpm build passes
  • pnpm typecheck passes
  • pnpm lint passes
  • Tests added or updated (unit and/or E2E)
  • Docs updated (docs/content/docs/) if consumer-facing types or behavior changed
  • All three codegen-projects create successfully and pass E2E tests
  • New plugin: submission checklist in CONTRIBUTING.md completed

Screenshots


Note

Medium Risk
Adds a new sort dimension to the infinite comment thread query key and request params, which can affect React Query caching and pagination behavior; also changes optimistic insertion logic, so ordering regressions are possible.

Overview
Adds configurable sorting for top-level CommentThread comments via a new sort prop ("asc" | "desc") plus a global defaultCommentSort override, defaulting to "desc" (newest first).

Threads now include sort in the commentsThread query discriminator/key and send it on the thread GET /comments requests; usePostComment adjusts optimistic inserts to prepend vs append based on sort. E2E load-more expectations and docs are updated accordingly, and @btst/stack is bumped to 2.12.0.

Reviewed by Cursor Bugbot for commit bc3a2ac. Bugbot is set up for automated code reviews on this repo.

vercel (Bot) commented Apr 21, 2026

The latest updates on your projects.

Project: better-stack-docs, Deployment: Ready, Updated (UTC): Apr 21, 2026 5:39pm
Project: better-stack-playground, Deployment: Ready, Updated (UTC): Apr 21, 2026 5:39pm

cursor (Bot) left a comment

Security Assessment — No High-Confidence Vulnerabilities Found

This PR adds a sort prop ("asc" | "desc") for ordering top-level comments, wires it through the React Query cache key, and adjusts the optimistic-update logic in usePostComment.

Threat-by-threat analysis

Injection (SQL / command / path): The sort query parameter is validated server-side by z.enum(["asc", "desc"]) in CommentListQuerySchema before it reaches the DB adapter or getters.ts. Values outside the enum are rejected by Zod at the HTTP boundary. No injection risk.

Authn / authz bypasses: currentUserId continues to be excluded from the public query schema and is always resolved server-side via resolveCurrentUserId. The new sort field does not interact with any auth path. onBeforeList, onBeforeListByAuthor, and all other guard hooks are unchanged.

Secrets / token leakage / insecure logging: No credentials, tokens, or sensitive values are introduced. The new field is a display-order hint only.

Unsafe deserialization / SSRF / XSS / CSRF: No new network requests, no deserialization of untrusted payloads, and no HTML rendered from the sort value. The field never escapes to the DOM unsanitized.

Supply-chain / dependency risk: No new packages or version changes introduced. The only version bump is the @btst/stack minor from 2.11.8 → 2.12.0 (internal).

Minor observation (informational, not a vulnerability)

CommentsThreadDiscriminator.sort is typed as string | undefined rather than "asc" | "desc" | undefined. This is wider than needed and could allow an internally constructed discriminator to carry an arbitrary string into the React Query cache key — but there is no path from external HTTP input to that type without passing through the Zod enum guard first. No exploitable risk, though tightening the type would improve internal correctness.

Conclusion

No confirmed or high-confidence security vulnerabilities are introduced by this PR. The sort parameter is properly constrained at every trust boundary.


Sent by Cursor Automation: Find vulnerabilities
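The review above and the PR summary both turn on the same three points: the sort value is constrained to an enum at the HTTP boundary, it becomes part of the React Query key, and it decides whether an optimistic insert prepends or appends. The following added example (not the repository's code, and not the Cursor bot's) sketches those three pieces in dependency-free TypeScript. Where the page describes a Zod z.enum(["asc", "desc"]) guard inside CommentListQuerySchema, a hand-written type guard stands in so the file runs without packages; it also applies the reviewer's suggestion of typing the discriminator's sort field as the narrow union rather than string. All function and type names (parseCommentListQuery, commentsThreadQueryKey, insertOptimistic, ThreadComment) and the sample comments are constructed for this illustration.

```typescript
// Added example, not project code: constrain "sort" at the boundary, carry it
// into the cache key with a narrow type, and use it for optimistic inserts.
// A hand-written guard replaces the page's z.enum(["asc", "desc"]) so this
// runs with no dependencies. All names below are hypothetical.

const COMMENT_SORT_VALUES = ["asc", "desc"] as const;
type CommentSort = (typeof COMMENT_SORT_VALUES)[number];

function isCommentSort(value: unknown): value is CommentSort {
  return typeof value === "string" &&
    (COMMENT_SORT_VALUES as readonly string[]).indexOf(value) !== -1;
}

interface CommentListQuery {
  postId: string;
  sort: CommentSort;
  limit: number;
}

// Stand-in for parsing CommentListQuerySchema: untrusted strings in, a typed
// query out. Anything outside the enum is rejected here, before a DB adapter
// or ORDER BY clause could ever see it.
function parseCommentListQuery(raw: Record<string, string | undefined>): CommentListQuery {
  const postId = raw["postId"];
  if (typeof postId !== "string" || postId.length === 0) {
    throw new Error("postId is required");
  }
  const sortRaw = raw["sort"] ?? "desc"; // default: newest first
  if (!isCommentSort(sortRaw)) {
    throw new Error(`invalid sort: ${JSON.stringify(sortRaw)}`);
  }
  const limitRaw = raw["limit"];
  const limit = limitRaw === undefined ? 20 : Number(limitRaw);
  if (!Number.isInteger(limit) || limit < 1 || limit > 100) {
    throw new Error("limit must be an integer between 1 and 100");
  }
  return { postId, sort: sortRaw, limit };
}

// Narrow discriminator (the reviewer's "tighten the type" point): sort is
// CommentSort | undefined, not string | undefined, so even an internal caller
// cannot build an arbitrary string into the cache key.
interface CommentsThreadDiscriminator {
  postId: string;
  sort?: CommentSort;
}

function commentsThreadQueryKey(d: CommentsThreadDiscriminator): readonly [string, string, CommentSort] {
  // Normalise the default so "desc" and "undefined" share one cache entry.
  return ["commentsThread", d.postId, d.sort ?? "desc"] as const;
}

interface ThreadComment {
  id: string;
  createdAt: number; // epoch milliseconds
  body: string;
}

function sortTopLevel(comments: readonly ThreadComment[], sort: CommentSort): ThreadComment[] {
  const copy = [...comments];
  copy.sort((a, b) => (sort === "asc" ? a.createdAt - b.createdAt : b.createdAt - a.createdAt));
  return copy;
}

// Optimistic insert: a just-posted comment is the newest item, so it goes at
// the front of a "desc" page and at the end of an "asc" page.
function insertOptimistic(page: readonly ThreadComment[], fresh: ThreadComment, sort: CommentSort): ThreadComment[] {
  return sort === "desc" ? [fresh, ...page] : [...page, fresh];
}

// Constructed sample data for a stand-alone run.
const SAMPLE_COMMENTS: readonly ThreadComment[] = [
  { id: "c1", createdAt: 1700000000000, body: "first" },
  { id: "c2", createdAt: 1700000060000, body: "second" },
  { id: "c3", createdAt: 1700000120000, body: "third" },
];

// End-to-end: parse a request, derive the cache key, order the page, then
// apply an optimistic insert. Returns [key, ...ids] for inspection.
function demo(): string[] {
  const q = parseCommentListQuery({ postId: "p1", sort: "asc" });
  const key = commentsThreadQueryKey({ postId: q.postId, sort: q.sort });
  const page = sortTopLevel(SAMPLE_COMMENTS, q.sort);
  const fresh: ThreadComment = { id: "c4", createdAt: 1700000180000, body: "fourth" };
  return [key.join("/"), ...insertOptimistic(page, fresh, q.sort).map((c) => c.id)];
}

console.log(demo());
```

The shape worth copying is that every consumer downstream of parseCommentListQuery receives a CommentSort, never a string, so the query key and the optimistic-insert branch cannot diverge from what the boundary accepted.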

github-actions (Contributor) commented

Shadcn registry updated — registry JSON files were rebuilt and committed to this branch.

@olliethedev olliethedev merged commit 2c22945 into main Apr 21, 2026
3 checks passed
@olliethedev olliethedev deleted the fix/comments-order branch April 21, 2026 18:29