oss-signal 0.5.1 → 0.6.3

package/CHANGELOG.md

@@ -2,6 +2,27 @@
 
 ## Unreleased
 
+## 0.6.3
+
+- Updated the release workflow to use Node 24 and npm 11.16 for npm Trusted Publishing support.
+- Published through GitHub Actions without an npm OTP.
+
+## 0.6.2
+
+- Switched the release workflow from token-gated publishing to npm Trusted Publishing with provenance.
+- Removed the repository-variable gate so tag releases can publish through GitHub Actions OIDC without npm OTP.
+
+## 0.6.1
+
+- Added GitHub Release creation to the tag-triggered release workflow.
+- Published the repository inventory release with a GitHub Release page and npm package verification path.
+
+## 0.6.0
+
+- Added repository inventory mode for auditing newline-delimited lists of local paths, GitHub URLs, and `owner/repo` shorthands.
+- Added GitHub Action inventory support with step summary output and average-score Action outputs.
+- Added inventory examples, reviewer verification steps, and maintainer playbook guidance.
+
 ## 0.5.1
 
 - Published the Issue-ready output release on a clean tag after release workflow hardening.

package/README.md

@@ -13,6 +13,18 @@ It checks the files and automation that reduce maintainer load: README, license,
 
 ![oss-signal example output](docs/assets/terminal-report.svg)
 
+## Maintainer Evidence Snapshot
+
+Public evidence for the maintainer workflow is collected in [docs/reviewer-evidence.md](docs/reviewer-evidence.md) and [docs/adoption-evidence.md](docs/adoption-evidence.md).
+
+- Published package: [`oss-signal@0.6.3`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.6.3`.
+- Published GitHub Action: [`SalmonPlays/oss-signal@v0.6.3`](https://github.com/SalmonPlays/oss-signal/tree/v0.6.3).
+- Public checks: CI, Repository health, and CodeQL are passing on `main`.
+- Self-audit: this repository scores **100/100 (A)** locally and through GitHub URL mode.
+- Field use: four public maintainer-readiness audits have been turned into four issues and four focused follow-up PRs.
+- Inventory mode: the CLI and Action can audit a newline-delimited list of repositories for organization-level triage.
+- Separate workflow demo: [oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038) runs the public Action tag and uploads Markdown, SARIF, and Issue-ready artifacts.
+
 ## Why
 
 Open-source projects often fail quietly because the maintainer workflow is undocumented. `oss-signal` gives maintainers a repeatable checklist they can run locally, in CI, or before asking contributors to help.
@@ -75,6 +87,14 @@ Use JSON in automation:
 oss-signal . --format json --fail-under 80
 ```
 
+Audit multiple repositories from one newline-delimited inventory file:
+
+```bash
+oss-signal --inventory docs/examples/inventory-targets.txt --format markdown --output inventory-report.md
+```
+
+See [docs/examples/inventory-report.md](docs/examples/inventory-report.md) for a generated inventory report.
+
 Write SARIF for GitHub Code Scanning or other dashboards:
 
 ```bash
@@ -122,21 +142,22 @@ Summary:
 
 See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
 
-The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.5.1`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.6.3`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
 
 ## Field Audits
 
-`oss-signal` has been run against public repositories to produce maintainer-readiness reports and respectful issue drafts:
+`oss-signal` has been run against public repositories to produce maintainer-readiness reports, respectful issue drafts, and focused follow-up PRs:
 
-- [platformatic/massimo report](docs/outreach/platformatic-massimo-report.md) and [issue #159](https://github.com/platformatic/massimo/issues/159)
-- [supermarkt/checkjebon report](docs/outreach/supermarkt-checkjebon-report.md) and [issue #22](https://github.com/supermarkt/checkjebon/issues/22)
-- [sammorrisdesign/interactive-feed report](docs/outreach/sammorrisdesign-interactive-feed-report.md) and [issue #14](https://github.com/sammorrisdesign/interactive-feed/issues/14)
+- [platformatic/massimo report](docs/outreach/platformatic-massimo-report.md), [issue #159](https://github.com/platformatic/massimo/issues/159), and [PR #160](https://github.com/platformatic/massimo/pull/160)
+- [supermarkt/checkjebon report](docs/outreach/supermarkt-checkjebon-report.md), [issue #22](https://github.com/supermarkt/checkjebon/issues/22), and [PR #23](https://github.com/supermarkt/checkjebon/pull/23)
+- [sammorrisdesign/interactive-feed report](docs/outreach/sammorrisdesign-interactive-feed-report.md), [issue #14](https://github.com/sammorrisdesign/interactive-feed/issues/14), and [PR #15](https://github.com/sammorrisdesign/interactive-feed/pull/15)
+- [flox/install-flox-action report](docs/outreach/flox-install-flox-action-report.md), [issue #204](https://github.com/flox/install-flox-action/issues/204), and [PR #205](https://github.com/flox/install-flox-action/pull/205)
 
 See [docs/outreach](docs/outreach) for the reports and draft issue text. Drafts are not posted automatically; maintainers should only receive specific, useful, and respectful suggestions.
 
-For a compact maintainer/adoption summary, see [docs/adoption-evidence.md](docs/adoption-evidence.md).
+For a compact maintainer/adoption summary, see [docs/adoption-evidence.md](docs/adoption-evidence.md). For a reviewer-oriented verification path, see [docs/reviewer-evidence.md](docs/reviewer-evidence.md).
 
-Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.4.0` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229) with a report artifact.
+Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.5.1` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038) with Markdown, SARIF, and Issue-ready report artifacts.
 
 ## Example Recommendation Output
 
@@ -165,7 +186,7 @@ oss-signal . --fail-under 80
 Add `oss-signal` directly to a GitHub Actions workflow:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.5.1
+- uses: SalmonPlays/oss-signal@v0.6.3
   id: oss-signal
   with:
     fail-under: "80"
@@ -178,10 +199,22 @@ The Action writes a concise GitHub Actions step summary by default, so reviewers
 
 ![oss-signal GitHub Actions summary](docs/assets/github-step-summary.svg)
 
+Run an inventory from CI:
+
+```yaml
+- uses: SalmonPlays/oss-signal@v0.6.3
+  env:
+    GITHUB_TOKEN: ${{ github.token }}
+  with:
+    inventory: docs/examples/inventory-targets.txt
+    output: inventory-report.md
+    summary: "true"
+```
+
 Generate an editable Issue body from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.5.1
+- uses: SalmonPlays/oss-signal@v0.6.3
   with:
     format: issue
     output: maintainer-follow-up.md
@@ -203,7 +236,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.5.1
+      - uses: SalmonPlays/oss-signal@v0.6.3
         id: oss-signal
         with:
           fail-under: "80"
@@ -215,7 +248,7 @@ jobs:
           path: oss-signal-report.md
 ```
 
-See [docs/examples/github-action-workflow.yml](docs/examples/github-action-workflow.yml) for a copyable workflow and [docs/examples/github-code-scanning-workflow.yml](docs/examples/github-code-scanning-workflow.yml) for a workflow that uploads SARIF to GitHub Code Scanning.
+See [docs/examples/github-action-workflow.yml](docs/examples/github-action-workflow.yml) for a copyable workflow, [docs/examples/github-inventory-workflow.yml](docs/examples/github-inventory-workflow.yml) for an inventory workflow, and [docs/examples/github-code-scanning-workflow.yml](docs/examples/github-code-scanning-workflow.yml) for a workflow that uploads SARIF to GitHub Code Scanning.
 
 Upload SARIF to GitHub Code Scanning:
 
@@ -226,7 +259,7 @@ permissions:
 
 steps:
   - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.5.1
+  - uses: SalmonPlays/oss-signal@v0.6.3
     with:
       format: sarif
       output: oss-signal.sarif
@@ -236,7 +269,7 @@ steps:
       sarif_file: oss-signal.sarif
 ```
 
-This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.5.1` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
+This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.6.3` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
 
 You can also run the CLI directly in CI:
 
@@ -255,11 +288,11 @@ You can also run the CLI directly in CI:
 - Ecosystem-specific profiles for Python, Rust, Go, and JavaScript packages
 - Release automation and provenance metadata checks
 - Maintainer score trends over time
-- Organization-level repository inventory reports
+- Organization-level repository inventory dashboards
 
 ## Release Process
 
-Releases use the checklist in [docs/release-process.md](docs/release-process.md). The repository also includes a tag-triggered [release workflow](.github/workflows/release.yml) that verifies the package, runs `npm publish --dry-run`, and can publish to npm with provenance when `NPM_TOKEN` is configured.
+Releases use the checklist in [docs/release-process.md](docs/release-process.md). The repository also includes a tag-triggered [release workflow](.github/workflows/release.yml) that verifies the package, creates a GitHub Release, and publishes to npm with Trusted Publishing provenance.
 
 ## Contributing
 

package/action.yml

@@ -9,8 +9,11 @@ inputs:
     description: Local repository path, GitHub URL, or owner/repo shorthand to audit.
     required: false
     default: "."
+  inventory:
+    description: Newline-delimited file of local paths, GitHub URLs, or owner/repo shorthands to audit as an inventory.
+    required: false
   format:
-    description: Output format, either markdown, json, sarif, or issue.
+    description: Output format, either markdown, json, sarif, or issue. Inventory mode supports markdown or json.
     required: false
     default: markdown
   output:
@@ -22,7 +25,7 @@ inputs:
     required: false
     default: "true"
   fail-under:
-    description: Fail the action when the score is below this number.
+    description: Fail the action when the score, or any inventory target score, is below this number.
     required: false
   max-files:
     description: Maximum files to inspect.
@@ -33,11 +36,11 @@ inputs:
     required: false
 outputs:
   score:
-    description: Numeric maintainer-readiness score.
+    description: Numeric maintainer-readiness score, or average score in inventory mode.
   grade:
-    description: Letter grade for the maintainer-readiness score.
+    description: Letter grade for the maintainer-readiness score, or average grade in inventory mode.
   failed:
-    description: Number of failed checks.
+    description: Number of failed checks, or total failed checks in inventory mode.
   report-path:
     description: Path to the generated report file, when output is enabled.
 runs:

package/docs/adoption-evidence.md

@@ -2,21 +2,27 @@
 
 This page collects the public evidence that `oss-signal` is built for real open-source maintainer workflows.
 
+Last verified: 2026-06-04T02:42:51Z
+
 ## Project Links
 
 - Repository: https://github.com/SalmonPlays/oss-signal
-- npm package: https://www.npmjs.com/package/oss-signal (`0.5.1` latest)
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.5.1
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.5.1
+- npm package: https://www.npmjs.com/package/oss-signal (`0.6.3` latest)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.3
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.3
 - GitHub Action metadata: [action.yml](../action.yml)
 - Public dogfood workflow: [.github/workflows/repository-health.yml](../.github/workflows/repository-health.yml)
+- Public inventory workflow: [.github/workflows/repository-inventory.yml](../.github/workflows/repository-inventory.yml)
 - Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo
-- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
+- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
 - Self-audit report: [docs/self-audit.md](self-audit.md)
 - SARIF self-audit output: [docs/examples/self-audit.sarif](examples/self-audit.sarif)
 - GitHub URL audit report: [docs/examples/github-url-report.md](examples/github-url-report.md)
 - GitHub Action workflow example: [docs/examples/github-action-workflow.yml](examples/github-action-workflow.yml)
+- Inventory target example: [docs/examples/inventory-targets.txt](examples/inventory-targets.txt)
+- Inventory report example: [docs/examples/inventory-report.md](examples/inventory-report.md)
 - Maintainer playbook: [docs/maintainer-playbook.md](maintainer-playbook.md)
+- Reviewer evidence quickstart: [docs/reviewer-evidence.md](reviewer-evidence.md)
 - Release process: [docs/release-process.md](release-process.md)
 - Codex for Open Source application brief: [docs/codex-for-oss-application.md](codex-for-oss-application.md)
 - Codex for Open Source form answers: [docs/codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
@@ -30,33 +36,64 @@ The CLI supports two practical modes:
 
 - Local repository audit for maintainers working in a clone.
 - Public GitHub repository audit for quick triage without cloning.
+- Repository inventory audit for maintainers comparing several repositories at once.
 
-It also ships as a GitHub Action, so maintainers can gate repository hygiene in CI, show the result in the GitHub Actions step summary, upload a Markdown report as a workflow artifact, and upload failed maintainer-readiness checks as SARIF for GitHub Code Scanning. This repository dogfoods the public Action tag through the Repository health workflow.
+It also ships as a GitHub Action, so maintainers can gate repository hygiene in CI, show the result in the GitHub Actions step summary, upload a Markdown report as a workflow artifact, run inventory reports, and upload failed maintainer-readiness checks as SARIF for GitHub Code Scanning. This repository dogfoods the public Action tag through the Repository health and Repository inventory workflows.
 
 The [maintainer playbook](maintainer-playbook.md) documents the end-to-end workflow from audit to issue, pull request, CI gate, and Code Scanning evidence. The [release process](release-process.md) documents pre-release verification, tag consistency, npm publish checks, and post-release smoke tests.
 
+## Published Package Verification
+
+The npm package is publicly available as `oss-signal@0.6.3` with `latest` pointing at `0.6.3`.
+
+The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-04. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
+
+Clean-directory execution against the public GitHub repository returned:
+
+```json
+{
+  "version": "0.6.3",
+  "score": 100,
+  "grade": "A",
+  "source": "github"
+}
+```
+
+Current public workflow status:
+
+- CI: passing
+- Repository health: passing
+- CodeQL: passing
+- Release: passing
+- Separate public workflow demo: passing
+
+The npm registry returned `0.6.3` for both the package version and `latest` dist-tag on 2026-06-04T02:42:51Z. The same check returned 356 downloads for the last-week and last-month windows.
+
 ## Separate Public Workflow Evidence
 
-The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.4.0` from a separate workflow file:
+The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.5.1` from a separate workflow file:
 
 - Workflow file: https://github.com/SalmonPlays/oss-signal-adoption-demo/blob/main/.github/workflows/oss-signal.yml
-- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
-- Artifact: `oss-signal-adoption-demo-report`, containing `oss-signal-report.md` and `oss-signal.sarif`
+- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
+- Artifact: `oss-signal-adoption-demo-report`, containing `oss-signal-report.md`, `oss-signal.sarif`, and `maintainer-follow-up.md`
 
-This is not claimed as independent third-party adoption because the repository is owned by `SalmonPlays`. It is evidence that the public `v0.4.0` Action tag works outside the main repository and can publish maintainer-readiness reports from another public workflow.
+This is not claimed as independent third-party adoption because the repository is owned by `SalmonPlays`. It is evidence that the public `v0.5.1` Action tag works outside the main repository and can publish Markdown, SARIF, and Issue-ready maintainer-readiness reports from another public workflow.
 
 ## Public Field Audits And PRs
 
 The tool has been used to generate maintainer-readiness reports for public repositories and convert them into respectful cleanup issues:
 
-| Repository | Report | Posted issue | Follow-up PR |
-| --- | --- | --- | --- |
-| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 |
-| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 |
-| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 |
+| Repository | Report | Posted issue | Follow-up PR | Status |
+| --- | --- | --- | --- | --- |
+| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, clean |
+| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, clean |
+| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open |
+| `flox/install-flox-action` | [report](outreach/flox-install-flox-action-report.md) | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, checks pending |
 
 These issues and pull requests are evidence of the intended maintainer workflow: run a deterministic audit, explain the missing signals, and give maintainers a small set of actionable improvements. Each PR is intentionally limited to documentation or GitHub templates.
 
+All four follow-up PRs were still open when checked from GitHub on 2026-06-04T02:42:51Z. They are not claimed as accepted adoption unless a maintainer merges or otherwise endorses them.
+
 ## Verification Commands
 
 From this repository:
@@ -65,18 +102,20 @@ From this repository:
 npm run check
 npm run audit:github
 node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
+node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
 node src/cli.js platformatic/massimo --format json
-npm exec --yes --package=oss-signal@0.5.1 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.6.3 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
-The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.5.1` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.5.1` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
+The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.6.3` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.6.3` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
 
 Public CI evidence:
 
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
-- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
+- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
+- Reviewer verification quickstart: [reviewer-evidence.md](reviewer-evidence.md)
 
 ## Boundaries
 

package/docs/codex-for-oss-application.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Application Brief
 
-Snapshot: 2026-06-03T05:11:50Z
+Snapshot: 2026-06-04T02:42:51Z
 
 This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open Source program. The official program page says open-source maintainers can apply, with emphasis on core maintainers, widely used public projects, and projects that play an important ecosystem role: https://developers.openai.com/community/codex-for-oss
 
@@ -8,13 +8,15 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.5.1
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.5.1
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.3
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.3
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
+- Repository inventory workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
-- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
+- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
 - Maintainer evidence: [adoption-evidence.md](adoption-evidence.md)
+- Reviewer evidence quickstart: [reviewer-evidence.md](reviewer-evidence.md)
 - Form answer pack: [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
 - Maintainer playbook: [maintainer-playbook.md](maintainer-playbook.md)
 - Release process: [release-process.md](release-process.md)
@@ -27,13 +29,14 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 - CI, tests, issue templates, pull request templates, Dependabot, and CodeQL-style security workflow.
 - Package metadata and lockfile hygiene.
 
-The output is a deterministic score plus actionable next steps in Markdown, JSON, or SARIF. The GitHub Action also writes a workflow step summary so maintainers and reviewers can see the result without downloading an artifact.
+The output is a deterministic score plus actionable next steps in Markdown, JSON, SARIF, or an Issue-ready Markdown body. The GitHub Action also writes a workflow step summary so maintainers and reviewers can see the result without downloading an artifact.
 
 ## Why Codex Helps
 
 This project is designed around repeatable maintainer workflows where Codex is useful:
 
 - Run audits against public repositories without cloning.
+- Compare several repositories with an inventory report.
 - Convert findings into focused cleanup issues or pull requests.
 - Keep repository hygiene visible in CI.
 - Upload failed maintainer-readiness checks to GitHub Code Scanning through SARIF.
@@ -44,23 +47,27 @@ This project is designed around repeatable maintainer workflows where Codex is u
 
 The repository currently has:
 
-- A published npm package with `0.5.1` as the latest release.
-- A published GitHub Release for v0.5.1 with issue-output release notes and CI usage guidance.
+- A published npm package with `0.6.3` as the latest release.
+- npm download API evidence showing 356 last-week and last-month downloads on 2026-06-04.
+- A published GitHub Release for v0.6.3 with repository inventory release notes and CI usage guidance.
 - A reusable GitHub Action with `score`, `grade`, `failed`, and `report-path` outputs.
+- A repository inventory mode for organization-level maintainer-readiness triage, available in both CLI and GitHub Action form.
+- A clean npm smoke test of `oss-signal@0.6.3` returning version `0.6.3`, score `100`, grade `A`, and source `github`.
 - SARIF output for GitHub Code Scanning integration.
-- A v0.5.1 GitHub Action tag with step summary, SARIF support, and Issue-ready output.
-- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.5.1` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
-- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.4.0` from another repository and uploads a report artifact.
+- A v0.6.3 GitHub Action tag with step summary, SARIF support, inventory support, and Issue-ready output.
+- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.6.3` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.6.3` against a repository target list and uploads an inventory artifact.
+- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.5.1` from another repository and uploads Markdown, SARIF, and Issue-ready report artifacts.
 - A maintainer playbook that documents audit, triage, issue, PR, CI, and SARIF workflows.
 - A release process and tag-triggered release workflow that verify package contents and support npm provenance publishing when repository secrets are configured.
-- CI and CodeQL workflows passing on `main`.
+- CI, Repository health, CodeQL, and Release workflows passing publicly.
 - A local self-audit score of 100/100.
-- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.5.1 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
-- Public reports, issues, and PRs created from real repository audits.
+- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.6.3 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
+- Public reports, issues, and PRs created from real repository audits, including four posted field-audit issues and four follow-up PRs.
 
 ## Separate Workflow Demo
 
-The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.4.0` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown and SARIF output.
+The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.5.1` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown, SARIF, and Issue-ready output.
 
 This is intentionally described as a separate public workflow demo rather than third-party adoption because the repository is also owned by `SalmonPlays`. It still proves that the published Action tag is consumable outside the main repository.
 
@@ -68,9 +75,10 @@ This is intentionally described as a separate public workflow demo rather than t
 
 | Repository | Report | Issue | PR | Status |
 | --- | --- | --- | --- | --- |
-| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, mergeable |
-| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, mergeable |
-| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open, mergeable |
+| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, clean |
+| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, clean |
+| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open |
+| `flox/install-flox-action` | [report](outreach/flox-install-flox-action-report.md) | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, checks pending |
 
 These PRs are intentionally small and maintainer-friendly. They add documentation or GitHub templates rather than changing product code.
 
@@ -78,7 +86,7 @@ These PRs are intentionally small and maintainer-friendly. They add documentatio
 
 Recommended application angle:
 
-`oss-signal` is not yet a widely adopted project, but it is a public OSS maintainer tool built specifically for repeatable Codex-assisted maintenance. The project already has a working CLI, npm distribution, GitHub Action, passing CI/CodeQL, self-audit evidence, and three public field-audit PRs. Codex support would be used to continue auditing repositories, prepare focused maintainer PRs, improve Action automation, and document repeatable OSS maintenance workflows.
+`oss-signal` is not yet a widely adopted project, but it is a public OSS maintainer tool built specifically for repeatable Codex-assisted maintenance. The project already has a working CLI, npm distribution, GitHub Action, passing CI/CodeQL, self-audit evidence, four public field-audit issues, and four public field-audit PRs. Codex support would be used to continue auditing repositories, prepare focused maintainer PRs, improve Action automation, and document repeatable OSS maintenance workflows.
 
 Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md). The applicant still needs to fill personal identity fields and their OpenAI Organization ID directly.
 
@@ -91,5 +99,5 @@ Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-
 ## Next Evidence To Collect
 
 - One or more merged external PRs.
-- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.5.1`, ideally with SARIF upload enabled.
+- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.6.3`, ideally with SARIF or inventory upload enabled.
 - npm download data once the registry starts reporting weekly/monthly counts.

package/docs/codex-for-oss-form-answers.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Form Answers
 
-Snapshot: 2026-06-03T05:11:50Z
+Snapshot: 2026-06-04T02:42:51Z
 
 This page prepares concise answers for the official Codex for Open Source application form: https://openai.com/form/codex-for-oss/
 
@@ -50,7 +50,7 @@ Primary maintainer
 ## Why This Repository Qualifies
 
 ```text
-oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.5.1 and GitHub Action SalmonPlays/oss-signal@v0.5.1, supports Markdown/JSON/SARIF/Issue output, passes CI/CodeQL, and has public field-audit issues/PRs plus a separate workflow demo.
+oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.6.3 and GitHub Action SalmonPlays/oss-signal@v0.6.3, supports Markdown/JSON/SARIF/Issue/Inventory output, passes CI/CodeQL/Release, has a 100/100 self-audit, and has four public field-audit issues plus four PRs.
 ```
 
 ## Interest
@@ -60,6 +60,12 @@ Codex Security
 API credits for my project
 ```
 
+## Codex Security Use
+
+```text
+Use Codex Security to review oss-signal's CLI, GitHub Action, SARIF output, and repository-audit workflow for vulnerabilities before maintainers rely on it in CI. The project analyzes public repository metadata and writes reports, so security coverage helps catch unsafe workflow assumptions, dependency issues, and action-handling risks before field-audit PRs are shared with other OSS maintainers.
+```
+
 ## OpenAI Organization ID
 
 ```text
@@ -75,20 +81,21 @@ Use Codex/API credits to run repeatable public repository audits, draft focused
 ## Anything Else
 
 ```text
-The project is early, so I am not overstating adoption. Current evidence includes npm 0.5.1, a published v0.5.1 release, a reusable GitHub Action, self-audit score 100/100, public CodeQL/CI, public field-audit PRs, and a separate public workflow run using SalmonPlays/oss-signal@v0.4.0 with a report artifact.
+The project is early, so I am not overstating adoption. Current evidence includes npm 0.6.3 latest, 356 npm downloads reported by the registry API, a published v0.6.3 release, a reusable GitHub Action with inventory mode, a clean npm smoke test returning 100/A, public CI/Repository health/CodeQL/Release, four field-audit issues, four PRs, and a workflow demo with artifacts.
 ```
 
 ## Evidence Links
 
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release v0.5.1: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.5.1
+- GitHub Release v0.6.3: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.3
 - Main repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Separate workflow demo repository: https://github.com/SalmonPlays/oss-signal-adoption-demo
-- Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
+- Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
 - Adoption evidence: https://github.com/SalmonPlays/oss-signal/blob/main/docs/adoption-evidence.md
 
 ## Character Counts
 
-- Why this repository qualifies: 299/500
+- Why this repository qualifies: 328/500
+- Codex Security use: 399/500
 - API credit use: 312/500
-- Anything else: 309/500
+- Anything else: 376/500

package/docs/examples/github-action-workflow.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.5.1
+      - uses: SalmonPlays/oss-signal@v0.6.3
         id: oss-signal
         with:
           fail-under: "80"

package/docs/examples/github-code-scanning-workflow.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.5.1
+      - uses: SalmonPlays/oss-signal@v0.6.3
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: SalmonPlays/oss-signal@v0.5.1
+      - uses: SalmonPlays/oss-signal@v0.6.3
         with:
           format: sarif
           output: oss-signal.sarif

package/docs/examples/github-inventory-workflow.yml

@@ -0,0 +1,27 @@
+name: Repository inventory
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 9 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  inventory:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: SalmonPlays/oss-signal@v0.6.3
+        id: oss-signal
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          inventory: docs/examples/inventory-targets.txt
+          output: inventory-report.md
+          summary: "true"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: oss-signal-inventory-report
+          path: inventory-report.md

package/docs/examples/github-url-report.md

@@ -2,7 +2,7 @@
 
 Repository: `https://github.com/SalmonPlays/oss-signal`
 Source: GitHub (SalmonPlays/oss-signal@main)
-Generated: 2026-06-03T05:12:35.946Z
+Generated: 2026-06-04T02:43:33.542Z
 
 Score: **100/100** (A)
 

package/docs/examples/inventory-report.md

@@ -0,0 +1,14 @@
+# OSS Signal Inventory
+
+Generated: 2026-06-04T02:42:56.030Z
+Repositories: 3
+Average score: **73/100** (C)
+Score range: 55-100
+Failed checks: 15
+
+| Repository | Source | Score | Failed | Top next steps |
+| --- | --- | ---: | ---: | --- |
+| SalmonPlays/oss-signal | GitHub (SalmonPlays/oss-signal@main) | 100/100 (A) | 0 | None |
+| platformatic/massimo | GitHub (platformatic/massimo@main) | 64/100 (D) | 7 | Security policy, Changelog, Issue templates |
+| flox/install-flox-action | GitHub (flox/install-flox-action@main) | 55/100 (F) | 8 | Contributing guide, Security policy, Code of conduct |
+

package/docs/examples/inventory-targets.txt

@@ -0,0 +1,5 @@
+# Newline-delimited targets for oss-signal --inventory.
+# Entries can be local paths, GitHub URLs, or owner/repo shorthands.
+SalmonPlays/oss-signal
+platformatic/massimo
+flox/install-flox-action

package/docs/examples/self-audit.sarif

@@ -6,7 +6,7 @@
       "tool": {
         "driver": {
           "name": "oss-signal",
-          "semanticVersion": "0.5.1",
+          "semanticVersion": "0.6.3",
           "informationUri": "https://github.com/SalmonPlays/oss-signal",
           "rules": [
             {
@@ -400,7 +400,7 @@
         "score": 100,
         "grade": "A",
         "source": "local",
-        "generatedAt": "2026-06-03T05:12:33.963Z"
+        "generatedAt": "2026-06-04T02:42:52.048Z"
       }
     }
   ]