oss-signal 0.6.0 → 0.6.4

package/CHANGELOG.md

@@ -2,6 +2,21 @@
 
 ## Unreleased
 
+## 0.6.3
+
+- Updated the release workflow to use Node 24 and npm 11.16 for npm Trusted Publishing support.
+- Published through GitHub Actions without an npm OTP.
+
+## 0.6.2
+
+- Switched the release workflow from token-gated publishing to npm Trusted Publishing with provenance.
+- Removed the repository-variable gate so tag releases can publish through GitHub Actions OIDC without npm OTP.
+
+## 0.6.1
+
+- Added GitHub Release creation to the tag-triggered release workflow.
+- Published the repository inventory release with a GitHub Release page and npm package verification path.
+
 ## 0.6.0
 
 - Added repository inventory mode for auditing newline-delimited lists of local paths, GitHub URLs, and `owner/repo` shorthands.

package/README.md

@@ -1,24 +1,31 @@
-# oss-signal
+<p align="center">
+  <img src="docs/assets/oss-signal-banner.svg" alt="OSS Maintainer Signal banner">
+</p>
+
+# OSS Maintainer Signal (`oss-signal`)
 
 [![CI](https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml/badge.svg)](https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml)
 [![Repository health](https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml/badge.svg)](https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml)
 [![GitHub release](https://img.shields.io/github/v/release/SalmonPlays/oss-signal.svg)](https://github.com/SalmonPlays/oss-signal/releases/latest)
 [![npm version](https://img.shields.io/npm/v/oss-signal.svg)](https://www.npmjs.com/package/oss-signal)
 [![npm downloads](https://img.shields.io/npm/dm/oss-signal.svg)](https://www.npmjs.com/package/oss-signal)
+[![Self audit](https://img.shields.io/badge/self--audit-100%2F100-brightgreen.svg)](docs/self-audit.md)
+[![Maintainer evidence](https://img.shields.io/badge/maintainer_evidence-public-blue.svg)](docs/reviewer-evidence.md)
 [![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 
-`oss-signal` is a dependency-light CLI for auditing open-source repository maintenance readiness.
+`oss-signal` is a dependency-light maintainer-readiness CLI and GitHub Action for OSS projects that need repeatable triage, CI evidence, SARIF, inventory reports, and issue-ready cleanup notes.
 
-It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown, JSON, SARIF, or a GitHub Issue-ready Markdown body.
+It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown, JSON, SARIF, inventory, or a GitHub Issue-ready Markdown body.
 
 ![oss-signal example output](docs/assets/terminal-report.svg)
 
 ## Maintainer Evidence Snapshot
 
-Public evidence for the maintainer workflow is collected in [docs/reviewer-evidence.md](docs/reviewer-evidence.md) and [docs/adoption-evidence.md](docs/adoption-evidence.md).
+Public evidence for the maintainer workflow is collected in [docs/reviewer-evidence.md](docs/reviewer-evidence.md), [docs/adoption-evidence.md](docs/adoption-evidence.md), [docs/post-submission-update.md](docs/post-submission-update.md), and [docs/brand.md](docs/brand.md).
 
-- Published package: [`oss-signal@0.6.0`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.6.0`.
-- Published GitHub Action: [`SalmonPlays/oss-signal@v0.6.0`](https://github.com/SalmonPlays/oss-signal/tree/v0.6.0).
+- Published package: [`oss-signal@0.6.4`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.6.4`.
+- Published GitHub Action: [`SalmonPlays/oss-signal@v0.6.4`](https://github.com/SalmonPlays/oss-signal/tree/v0.6.4).
+- Post-submission version note: the application may reference earlier evidence; `0.6.4` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
 - Public checks: CI, Repository health, and CodeQL are passing on `main`.
 - Self-audit: this repository scores **100/100 (A)** locally and through GitHub URL mode.
 - Field use: four public maintainer-readiness audits have been turned into four issues and four focused follow-up PRs.
@@ -142,7 +149,7 @@ Summary:
 
 See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
 
-The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.6.0`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
+The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.6.4`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
 
 ## Field Audits
 
@@ -186,7 +193,7 @@ oss-signal . --fail-under 80
 Add `oss-signal` directly to a GitHub Actions workflow:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.6.0
+- uses: SalmonPlays/oss-signal@v0.6.4
   id: oss-signal
   with:
     fail-under: "80"
@@ -202,7 +209,7 @@ The Action writes a concise GitHub Actions step summary by default, so reviewers
 Run an inventory from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.6.0
+- uses: SalmonPlays/oss-signal@v0.6.4
   env:
     GITHUB_TOKEN: ${{ github.token }}
   with:
@@ -214,7 +221,7 @@ Run an inventory from CI:
 Generate an editable Issue body from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.6.0
+- uses: SalmonPlays/oss-signal@v0.6.4
   with:
     format: issue
     output: maintainer-follow-up.md
@@ -236,7 +243,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.6.0
+      - uses: SalmonPlays/oss-signal@v0.6.4
         id: oss-signal
         with:
           fail-under: "80"
@@ -259,7 +266,7 @@ permissions:
 
 steps:
   - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.6.0
+  - uses: SalmonPlays/oss-signal@v0.6.4
     with:
       format: sarif
       output: oss-signal.sarif
@@ -269,7 +276,7 @@ steps:
       sarif_file: oss-signal.sarif
 ```
 
-This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.6.0` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
+This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.6.4` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
 
 You can also run the CLI directly in CI:
 
@@ -292,7 +299,7 @@ You can also run the CLI directly in CI:
 
 ## Release Process
 
-Releases use the checklist in [docs/release-process.md](docs/release-process.md). The repository also includes a tag-triggered [release workflow](.github/workflows/release.yml) that verifies the package, runs `npm publish --dry-run`, and can publish to npm with provenance when `NPM_TOKEN` is configured.
+Releases use the checklist in [docs/release-process.md](docs/release-process.md). The repository also includes a tag-triggered [release workflow](.github/workflows/release.yml) that verifies the package, creates a GitHub Release, and publishes to npm with Trusted Publishing provenance.
 
 ## Contributing
 

package/action.yml

@@ -1,8 +1,8 @@
 name: oss-signal
-description: Audit open-source repository maintenance readiness and produce actionable maintainer next steps.
+description: Audit OSS maintainer readiness and produce CI evidence, SARIF, inventory reports, and issue-ready cleanup notes.
 author: SalmonPlays
 branding:
-  icon: activity
+  icon: shield
   color: blue
 inputs:
   path:

package/docs/adoption-evidence.md

@@ -2,14 +2,14 @@
 
 This page collects the public evidence that `oss-signal` is built for real open-source maintainer workflows.
 
-Last verified: 2026-06-03T12:45:11Z
+Last verified: 2026-06-04T03:01:28Z
 
 ## Project Links
 
 - Repository: https://github.com/SalmonPlays/oss-signal
-- npm package: https://www.npmjs.com/package/oss-signal (`0.6.0` latest)
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.0
+- npm package: https://www.npmjs.com/package/oss-signal (`0.6.4` latest)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.4
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.4
 - GitHub Action metadata: [action.yml](../action.yml)
 - Public dogfood workflow: [.github/workflows/repository-health.yml](../.github/workflows/repository-health.yml)
 - Public inventory workflow: [.github/workflows/repository-inventory.yml](../.github/workflows/repository-inventory.yml)
@@ -21,8 +21,10 @@ Last verified: 2026-06-03T12:45:11Z
 - GitHub Action workflow example: [docs/examples/github-action-workflow.yml](examples/github-action-workflow.yml)
 - Inventory target example: [docs/examples/inventory-targets.txt](examples/inventory-targets.txt)
 - Inventory report example: [docs/examples/inventory-report.md](examples/inventory-report.md)
+- Brand assets and GitHub settings copy: [docs/brand.md](brand.md)
 - Maintainer playbook: [docs/maintainer-playbook.md](maintainer-playbook.md)
 - Reviewer evidence quickstart: [docs/reviewer-evidence.md](reviewer-evidence.md)
+- Post-submission update: [docs/post-submission-update.md](post-submission-update.md)
 - Release process: [docs/release-process.md](release-process.md)
 - Codex for Open Source application brief: [docs/codex-for-oss-application.md](codex-for-oss-application.md)
 - Codex for Open Source form answers: [docs/codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
@@ -42,17 +44,19 @@ It also ships as a GitHub Action, so maintainers can gate repository hygiene in
 
 The [maintainer playbook](maintainer-playbook.md) documents the end-to-end workflow from audit to issue, pull request, CI gate, and Code Scanning evidence. The [release process](release-process.md) documents pre-release verification, tag consistency, npm publish checks, and post-release smoke tests.
 
+The [post-submission update](post-submission-update.md) records why the current npm package and Action tag may be newer than the version referenced during application submission.
+
 ## Published Package Verification
 
-The npm package is publicly available as `oss-signal@0.6.0` with `latest` pointing at `0.6.0`.
+The npm package is publicly available as `oss-signal@0.6.4` with `latest` pointing at `0.6.4`.
 
-The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-03. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
+The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-04. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
 
 Clean-directory execution against the public GitHub repository returned:
 
 ```json
 {
-  "version": "0.6.0",
+  "version": "0.6.4",
   "score": 100,
   "grade": "A",
   "source": "github"
@@ -63,11 +67,12 @@ Current public workflow status:
 
 - CI: passing
 - Repository health: passing
+- Repository inventory: passing
 - CodeQL: passing
 - Release: passing
 - Separate public workflow demo: passing
 
-The npm registry returned `0.6.0` for both the package version and `latest` dist-tag on 2026-06-03T12:45:11Z. The same check returned 356 downloads for the last-week and last-month windows.
+The npm registry returned `0.6.4` for both the package version and `latest` dist-tag on 2026-06-04T02:42:51Z. The same check returned 356 downloads for the last-week and last-month windows.
 
 ## Separate Public Workflow Evidence
 
@@ -92,7 +97,7 @@ The tool has been used to generate maintainer-readiness reports for public repos
 
 These issues and pull requests are evidence of the intended maintainer workflow: run a deterministic audit, explain the missing signals, and give maintainers a small set of actionable improvements. Each PR is intentionally limited to documentation or GitHub templates.
 
-All four follow-up PRs were still open when checked from GitHub on 2026-06-03T12:33:45Z. They are not claimed as accepted adoption unless a maintainer merges or otherwise endorses them.
+All four follow-up PRs were still open when checked from GitHub on 2026-06-04T02:42:51Z. They are not claimed as accepted adoption unless a maintainer merges or otherwise endorses them.
 
 ## Verification Commands
 
@@ -104,10 +109,10 @@ npm run audit:github
 node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
 node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
 node src/cli.js platformatic/massimo --format json
-npm exec --yes --package=oss-signal@0.6.0 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.6.4 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
-The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.6.0` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.6.0` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
+The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.6.4` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.6.4` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
 
 Public CI evidence:
 

package/docs/assets/github-social-preview.svg

@@ -0,0 +1,45 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1280" height="640" viewBox="0 0 1280 640" role="img" aria-labelledby="title desc">
+  <title id="title">OSS Maintainer Signal social preview</title>
+  <desc id="desc">Social preview image for the oss-signal repository.</desc>
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="1280" y2="640" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#020617"/>
+      <stop offset="0.45" stop-color="#0f172a"/>
+      <stop offset="1" stop-color="#064e3b"/>
+    </linearGradient>
+    <linearGradient id="mark" x1="100" y1="95" x2="360" y2="360" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#38bdf8"/>
+      <stop offset="0.55" stop-color="#2563eb"/>
+      <stop offset="1" stop-color="#22c55e"/>
+    </linearGradient>
+    <filter id="shadow" x="-20%" y="-20%" width="140%" height="140%">
+      <feDropShadow dx="0" dy="22" stdDeviation="28" flood-color="#000000" flood-opacity="0.38"/>
+    </filter>
+  </defs>
+  <rect width="1280" height="640" fill="url(#bg)"/>
+  <circle cx="1080" cy="88" r="250" fill="#22c55e" opacity="0.12"/>
+  <circle cx="158" cy="562" r="270" fill="#38bdf8" opacity="0.14"/>
+  <path d="M80 526c240-185 478-239 713-161 177 58 314 29 420-83" fill="none" stroke="#93c5fd" stroke-width="2" opacity="0.18"/>
+  <g transform="translate(92 112)" filter="url(#shadow)">
+    <rect width="264" height="264" rx="60" fill="url(#mark)"/>
+    <path d="M132 42l83 31v69c0 52-33 91-83 110-50-19-83-58-83-110V73l83-31z" fill="#020617" opacity="0.3"/>
+    <circle cx="132" cy="146" r="53" fill="#f8fafc"/>
+    <path d="M105 146l20 20 42-49" fill="none" stroke="#16a34a" stroke-width="17" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M81 92c28-25 74-25 102 0" fill="none" stroke="#e0f2fe" stroke-width="12" stroke-linecap="round" opacity="0.86"/>
+  </g>
+  <text x="410" y="160" fill="#93c5fd" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="28" font-weight="800" letter-spacing="4">OSS-SIGNAL</text>
+  <text x="410" y="238" fill="#f8fafc" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="70" font-weight="850">OSS Maintainer Signal</text>
+  <text x="414" y="300" fill="#cbd5e1" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="31">A maintainer-readiness CLI and GitHub Action for OSS cleanup.</text>
+  <g font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="24" font-weight="800">
+    <rect x="414" y="366" width="176" height="56" rx="28" fill="#dcfce7"/>
+    <text x="448" y="402" fill="#166534">100/100 A</text>
+    <rect x="612" y="366" width="178" height="56" rx="28" fill="#dbeafe"/>
+    <text x="646" y="402" fill="#1e40af">npm latest</text>
+    <rect x="812" y="366" width="246" height="56" rx="28" fill="#e0f2fe"/>
+    <text x="851" y="402" fill="#075985">SARIF + Issues</text>
+  </g>
+  <g transform="translate(414 478)" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="23">
+    <text x="0" y="0" fill="#22c55e">$ npx oss-signal SalmonPlays/oss-signal</text>
+    <text x="0" y="44" fill="#e2e8f0">score: 100/100   grade: A   source: github</text>
+  </g>
+</svg>

package/docs/assets/oss-signal-banner.svg

@@ -0,0 +1,44 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1280" height="420" viewBox="0 0 1280 420" role="img" aria-labelledby="title desc">
+  <title id="title">OSS Maintainer Signal banner</title>
+  <desc id="desc">A banner for oss-signal describing an OSS maintainer-readiness CLI and GitHub Action.</desc>
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="1280" y2="420" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#020617"/>
+      <stop offset="0.52" stop-color="#0f172a"/>
+      <stop offset="1" stop-color="#052e16"/>
+    </linearGradient>
+    <linearGradient id="accent" x1="170" y1="42" x2="1080" y2="360" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#38bdf8"/>
+      <stop offset="0.55" stop-color="#2563eb"/>
+      <stop offset="1" stop-color="#22c55e"/>
+    </linearGradient>
+    <filter id="softShadow" x="-20%" y="-20%" width="140%" height="140%">
+      <feDropShadow dx="0" dy="20" stdDeviation="22" flood-color="#000000" flood-opacity="0.35"/>
+    </filter>
+  </defs>
+  <rect width="1280" height="420" fill="url(#bg)"/>
+  <circle cx="1052" cy="92" r="180" fill="#22c55e" opacity="0.13"/>
+  <circle cx="115" cy="365" r="220" fill="#0ea5e9" opacity="0.16"/>
+  <path d="M102 344c245-176 464-222 657-139 149 64 276 54 419-32" fill="none" stroke="#38bdf8" stroke-width="2" opacity="0.18"/>
+  <g transform="translate(88 76)" filter="url(#softShadow)">
+    <rect width="196" height="196" rx="44" fill="url(#accent)"/>
+    <path d="M98 33l62 23v51c0 39-25 68-62 82-37-14-62-43-62-82V56l62-23z" fill="#020617" opacity="0.3"/>
+    <circle cx="98" cy="108" r="39" fill="#f8fafc"/>
+    <path d="M78 108l15 15 31-36" fill="none" stroke="#16a34a" stroke-width="13" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M60 68c21-19 55-19 76 0" fill="none" stroke="#e0f2fe" stroke-width="9" stroke-linecap="round" opacity="0.85"/>
+  </g>
+  <text x="332" y="116" fill="#93c5fd" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="24" font-weight="700" letter-spacing="3">OSS-SIGNAL</text>
+  <text x="332" y="176" fill="#f8fafc" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="58" font-weight="800">OSS Maintainer Signal</text>
+  <text x="334" y="222" fill="#cbd5e1" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="26">Audit maintainer readiness, then turn findings into CI gates, SARIF, issues, and PRs.</text>
+  <g font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="18" font-weight="700">
+    <rect x="334" y="266" width="144" height="42" rx="21" fill="#dcfce7"/>
+    <text x="359" y="293" fill="#166534">100/100 A</text>
+    <rect x="494" y="266" width="142" height="42" rx="21" fill="#dbeafe"/>
+    <text x="521" y="293" fill="#1e40af">npm 0.6.4</text>
+    <rect x="652" y="266" width="178" height="42" rx="21" fill="#e0f2fe"/>
+    <text x="681" y="293" fill="#075985">GitHub Action</text>
+    <rect x="846" y="266" width="168" height="42" rx="21" fill="#fef9c3"/>
+    <text x="876" y="293" fill="#854d0e">Inventory mode</text>
+  </g>
+  <text x="335" y="356" fill="#64748b" font-family="ui-monospace, SFMono-Regular, Menlo, Consolas, monospace" font-size="22">$ npx oss-signal SalmonPlays/oss-signal</text>
+</svg>

package/docs/assets/oss-signal-icon.svg

@@ -0,0 +1,27 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="512" height="512" viewBox="0 0 512 512" role="img" aria-labelledby="title desc">
+  <title id="title">OSS Maintainer Signal icon</title>
+  <desc id="desc">A shield-shaped signal mark with a check in the center, representing maintainer-readiness verification.</desc>
+  <defs>
+    <linearGradient id="bg" x1="72" y1="60" x2="444" y2="452" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#0ea5e9"/>
+      <stop offset="0.48" stop-color="#2563eb"/>
+      <stop offset="1" stop-color="#16a34a"/>
+    </linearGradient>
+    <linearGradient id="glow" x1="120" y1="80" x2="420" y2="420" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#ffffff" stop-opacity="0.85"/>
+      <stop offset="1" stop-color="#ffffff" stop-opacity="0.2"/>
+    </linearGradient>
+    <filter id="shadow" x="-20%" y="-20%" width="140%" height="140%">
+      <feDropShadow dx="0" dy="18" stdDeviation="20" flood-color="#020617" flood-opacity="0.32"/>
+    </filter>
+  </defs>
+  <rect width="512" height="512" rx="112" fill="#020617"/>
+  <circle cx="406" cy="116" r="82" fill="#22c55e" opacity="0.18"/>
+  <circle cx="120" cy="384" r="96" fill="#38bdf8" opacity="0.16"/>
+  <path d="M256 62l156 58v126c0 98-62 170-156 204-94-34-156-106-156-204V120l156-58z" fill="url(#bg)" filter="url(#shadow)"/>
+  <path d="M256 96l122 46v102c0 74-45 133-122 164-77-31-122-90-122-164V142l122-46z" fill="#08111f" opacity="0.26"/>
+  <path d="M171 263c0-47 38-85 85-85s85 38 85 85-38 85-85 85-85-38-85-85z" fill="#f8fafc"/>
+  <path d="M215 263l31 31 62-72" fill="none" stroke="#16a34a" stroke-width="28" stroke-linecap="round" stroke-linejoin="round"/>
+  <path d="M178 162c22-20 49-31 78-31s56 11 78 31" fill="none" stroke="#dbeafe" stroke-width="20" stroke-linecap="round" opacity="0.9"/>
+  <path d="M143 126c31-32 71-50 113-50s82 18 113 50" fill="none" stroke="url(#glow)" stroke-width="18" stroke-linecap="round" opacity="0.55"/>
+</svg>

package/docs/brand.md

@@ -0,0 +1,43 @@
+# Brand Assets
+
+Display name: **OSS Maintainer Signal**
+
+Package, CLI, and GitHub Action name: `oss-signal`
+
+The display name is intentionally more descriptive for reviewers, while `oss-signal` stays stable for npm, GitHub Action tags, existing links, and the submitted application evidence.
+
+## Assets
+
+- Icon: [assets/oss-signal-icon.svg](assets/oss-signal-icon.svg)
+- Icon PNG: [assets/oss-signal-icon.png](assets/oss-signal-icon.png)
+- README banner: [assets/oss-signal-banner.svg](assets/oss-signal-banner.svg)
+- GitHub social preview source: [assets/github-social-preview.svg](assets/github-social-preview.svg)
+- GitHub social preview PNG: [assets/github-social-preview.png](assets/github-social-preview.png)
+
+## GitHub Settings Copy
+
+Recommended repository description:
+
+> Maintainer-readiness CLI and GitHub Action for OSS triage, CI evidence, inventory reports, SARIF, and issue-ready cleanup.
+
+Recommended repository topics:
+
+```text
+open-source
+maintainer-tools
+github-action
+cli
+repository-health
+sarif
+triage
+oss
+```
+
+## Manual UI Settings
+
+These cannot be committed through git:
+
+- Repository social preview: upload `docs/assets/github-social-preview.png` in GitHub repository settings.
+- GitHub profile or organization avatar: upload `docs/assets/oss-signal-icon.png`.
+
+The repository name should remain `oss-signal` unless the npm package and GitHub Action distribution are intentionally migrated.

package/docs/codex-for-oss-application.md

@@ -1,15 +1,16 @@
 # Codex for Open Source Application Brief
 
-Snapshot: 2026-06-03T12:45:11Z
+Snapshot: 2026-06-04T02:42:51Z
 
 This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open Source program. The official program page says open-source maintainers can apply, with emphasis on core maintainers, widely used public projects, and projects that play an important ecosystem role: https://developers.openai.com/community/codex-for-oss
 
 ## Project
 
+- Display name: OSS Maintainer Signal
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.0
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.4
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.4
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Repository inventory workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml
@@ -17,13 +18,15 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 - Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
 - Maintainer evidence: [adoption-evidence.md](adoption-evidence.md)
 - Reviewer evidence quickstart: [reviewer-evidence.md](reviewer-evidence.md)
+- Post-submission update: [post-submission-update.md](post-submission-update.md)
+- Brand assets and GitHub settings copy: [brand.md](brand.md)
 - Form answer pack: [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
 - Maintainer playbook: [maintainer-playbook.md](maintainer-playbook.md)
 - Release process: [release-process.md](release-process.md)
 
 ## What `oss-signal` Does
 
-`oss-signal` is a dependency-light CLI and GitHub Action for OSS maintainers. It audits maintainer-readiness signals that lower recurring maintainer load:
+`oss-signal`, presented as OSS Maintainer Signal, is a dependency-light CLI and GitHub Action for OSS maintainers. It audits maintainer-readiness signals that lower recurring maintainer load:
 
 - README, license, contribution, support, security, code of conduct, and changelog files.
 - CI, tests, issue templates, pull request templates, Dependabot, and CodeQL-style security workflow.
@@ -47,22 +50,23 @@ This project is designed around repeatable maintainer workflows where Codex is u
 
 The repository currently has:
 
-- A published npm package with `0.6.0` as the latest release.
-- npm download API evidence showing 356 last-week and last-month downloads on 2026-06-03.
-- A published GitHub Release for v0.6.0 with repository inventory release notes and CI usage guidance.
+- A published npm package with `0.6.4` as the latest release.
+- A post-submission update page explaining why the current npm package and Action tag may be newer than the originally submitted evidence.
+- npm download API evidence showing 356 last-week and last-month downloads on 2026-06-04.
+- A published GitHub Release for v0.6.4 with repository inventory release notes and CI usage guidance.
 - A reusable GitHub Action with `score`, `grade`, `failed`, and `report-path` outputs.
 - A repository inventory mode for organization-level maintainer-readiness triage, available in both CLI and GitHub Action form.
-- A clean npm smoke test of `oss-signal@0.6.0` returning version `0.6.0`, score `100`, grade `A`, and source `github`.
+- A clean npm smoke test of `oss-signal@0.6.4` returning version `0.6.4`, score `100`, grade `A`, and source `github`.
 - SARIF output for GitHub Code Scanning integration.
-- A v0.6.0 GitHub Action tag with step summary, SARIF support, inventory support, and Issue-ready output.
-- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.6.0` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
-- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.6.0` against a repository target list and uploads an inventory artifact.
+- A v0.6.4 GitHub Action tag with step summary, SARIF support, inventory support, and Issue-ready output.
+- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.6.4` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.6.4` against a repository target list and uploads an inventory artifact.
 - A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.5.1` from another repository and uploads Markdown, SARIF, and Issue-ready report artifacts.
 - A maintainer playbook that documents audit, triage, issue, PR, CI, and SARIF workflows.
-- A release process and tag-triggered release workflow that verify package contents and support npm provenance publishing when repository secrets are configured.
+- A release process and tag-triggered release workflow that verify package contents and publish to npm through Trusted Publishing.
 - CI, Repository health, CodeQL, and Release workflows passing publicly.
 - A local self-audit score of 100/100.
-- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.6.0 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
+- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.6.4 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
 - Public reports, issues, and PRs created from real repository audits, including four posted field-audit issues and four follow-up PRs.
 
 ## Separate Workflow Demo
@@ -99,5 +103,5 @@ Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-
 ## Next Evidence To Collect
 
 - One or more merged external PRs.
-- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.6.0`, ideally with SARIF or inventory upload enabled.
+- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.6.4`, ideally with SARIF or inventory upload enabled.
 - npm download data once the registry starts reporting weekly/monthly counts.

package/docs/codex-for-oss-form-answers.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Form Answers
 
-Snapshot: 2026-06-03T12:45:11Z
+Snapshot: 2026-06-04T02:42:51Z
 
 This page prepares concise answers for the official Codex for Open Source application form: https://openai.com/form/codex-for-oss/
 
@@ -50,7 +50,7 @@ Primary maintainer
 ## Why This Repository Qualifies
 
 ```text
-oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.6.0 and GitHub Action SalmonPlays/oss-signal@v0.6.0, supports Markdown/JSON/SARIF/Issue/Inventory output, passes CI/CodeQL/Release, has a 100/100 self-audit, and has four public field-audit issues plus four PRs.
+oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.6.4 and GitHub Action SalmonPlays/oss-signal@v0.6.4, supports Markdown/JSON/SARIF/Issue/Inventory output, passes CI/CodeQL/Release, has a 100/100 self-audit, and has four public field-audit issues plus four PRs.
 ```
 
 ## Interest
@@ -81,13 +81,13 @@ Use Codex/API credits to run repeatable public repository audits, draft focused
 ## Anything Else
 
 ```text
-The project is early, so I am not overstating adoption. Current evidence includes npm 0.6.0 latest, 356 npm downloads reported by the registry API, a published v0.6.0 release, a reusable GitHub Action with inventory mode, a clean npm smoke test returning 100/A, public CI/Repository health/CodeQL/Release, four field-audit issues, four PRs, and a workflow demo with artifacts.
+The project is early, so I am not overstating adoption. Current evidence includes npm 0.6.4 latest, 356 npm downloads reported by the registry API, a published v0.6.4 release, a reusable GitHub Action with inventory mode, a clean npm smoke test returning 100/A, public CI/Repository health/CodeQL/Release, four field-audit issues, four PRs, and a workflow demo with artifacts.
 ```
 
 ## Evidence Links
 
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release v0.6.0: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.0
+- GitHub Release v0.6.4: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.4
 - Main repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Separate workflow demo repository: https://github.com/SalmonPlays/oss-signal-adoption-demo
 - Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038

package/docs/examples/github-action-workflow.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.6.0
+      - uses: SalmonPlays/oss-signal@v0.6.4
         id: oss-signal
         with:
           fail-under: "80"

package/docs/examples/github-code-scanning-workflow.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.6.0
+      - uses: SalmonPlays/oss-signal@v0.6.4
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: SalmonPlays/oss-signal@v0.6.0
+      - uses: SalmonPlays/oss-signal@v0.6.4
         with:
           format: sarif
           output: oss-signal.sarif

package/docs/examples/github-inventory-workflow.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.6.0
+      - uses: SalmonPlays/oss-signal@v0.6.4
         id: oss-signal
         env:
           GITHUB_TOKEN: ${{ github.token }}

package/docs/examples/github-url-report.md

@@ -2,7 +2,7 @@
 
 Repository: `https://github.com/SalmonPlays/oss-signal`
 Source: GitHub (SalmonPlays/oss-signal@main)
-Generated: 2026-06-03T12:53:35.922Z
+Generated: 2026-06-04T02:43:33.542Z
 
 Score: **100/100** (A)
 

package/docs/examples/inventory-report.md

@@ -1,6 +1,6 @@
 # OSS Signal Inventory
 
-Generated: 2026-06-03T12:53:38.785Z
+Generated: 2026-06-04T02:42:56.030Z
 Repositories: 3
 Average score: **73/100** (C)
 Score range: 55-100

package/docs/examples/self-audit.sarif

@@ -6,7 +6,7 @@
       "tool": {
         "driver": {
           "name": "oss-signal",
-          "semanticVersion": "0.6.0",
+          "semanticVersion": "0.6.4",
           "informationUri": "https://github.com/SalmonPlays/oss-signal",
           "rules": [
             {
@@ -400,7 +400,7 @@
         "score": 100,
         "grade": "A",
         "source": "local",
-        "generatedAt": "2026-06-03T12:53:52.213Z"
+        "generatedAt": "2026-06-04T03:22:19.351Z"
       }
     }
   ]

package/docs/maintainer-playbook.md

@@ -71,7 +71,7 @@ The field-audit examples in [docs/outreach](outreach) show this pattern for publ
 Add the GitHub Action to keep the signal visible:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.6.0
+- uses: SalmonPlays/oss-signal@v0.6.4
   id: oss-signal
   with:
     fail-under: "80"
@@ -84,7 +84,7 @@ The Action writes `score`, `grade`, `failed`, and `report-path` outputs, and wri
 For a repository inventory, commit a newline-delimited target list and pass it through the Action:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.6.0
+- uses: SalmonPlays/oss-signal@v0.6.4
   env:
     GITHUB_TOKEN: ${{ github.token }}
   with:
@@ -104,7 +104,7 @@ permissions:
 
 steps:
   - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.6.0
+  - uses: SalmonPlays/oss-signal@v0.6.4
     with:
       format: sarif
       output: oss-signal.sarif
@@ -120,7 +120,7 @@ See [docs/examples/github-code-scanning-workflow.yml](examples/github-code-scann
 
 Useful evidence for maintainers and reviewers:
 
-- A public workflow run that uses `SalmonPlays/oss-signal@v0.6.0`.
+- A public workflow run that uses `SalmonPlays/oss-signal@v0.6.4`.
 - A generated Markdown report attached as an artifact.
 - A SARIF upload in Code Scanning.
 - A small issue or PR that follows from an audit finding.

package/docs/post-submission-update.md

@@ -0,0 +1,68 @@
+# Post-Submission Update
+
+Application submitted: 2026-06-03
+
+Latest verification: 2026-06-04T03:01:28Z
+
+This page explains why the version referenced during the Codex for Open Source application review may be older than the current npm package and GitHub Action tag.
+
+## Why The Version Changed
+
+The application points reviewers to the public repository and package evidence. After submission, `oss-signal` continued normal OSS maintenance and shipped additional public releases.
+
+The older submission evidence remains valid. The current `latest` npm version simply supersedes it with a stronger release and automation story.
+
+## Release Timeline
+
+| Version | Public evidence | What changed |
+| --- | --- | --- |
+| `v0.6.0` | npm package and tag | Added repository inventory mode for auditing lists of repositories. |
+| `v0.6.1` | GitHub Release | Added tag-triggered release automation. |
+| `v0.6.2` | GitHub Release | Registered npm Trusted Publishing release flow. |
+| `v0.6.3` | npm package, GitHub Release, Action tag | Completed npm Trusted Publishing from GitHub Actions without manual OTP. |
+| `v0.6.4` | npm package, GitHub Release, Action tag | Published OSS Maintainer Signal brand assets and npm/GitHub metadata polish. |
+
+## Current Evidence
+
+- npm package: https://www.npmjs.com/package/oss-signal (`0.6.4` latest)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.4
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.4
+- Release workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/release.yml
+- Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
+- Reviewer evidence quickstart: [reviewer-evidence.md](reviewer-evidence.md)
+- Adoption evidence: [adoption-evidence.md](adoption-evidence.md)
+
+## Clean Verification
+
+The public registry returned `0.6.4` for both package version and `latest` dist-tag after the brand refresh release on 2026-06-04.
+
+```bash
+npm view oss-signal version dist-tags --json
+```
+
+Expected result:
+
+```json
+{
+  "version": "0.6.4",
+  "dist-tags": {
+    "latest": "0.6.4"
+  }
+}
+```
+
+A clean npm execution against the public GitHub repository returned version `0.6.4`, score `100`, grade `A`, and source `github`.
+
+```bash
+npm exec --yes --package=oss-signal@0.6.4 -- oss-signal SalmonPlays/oss-signal --format json
+```
+
+## Review Impact
+
+This version difference should be read as post-submission maintenance progress, not as a mismatch. It strengthens the evidence in three ways:
+
+- The package now has a successful npm Trusted Publishing release from GitHub Actions.
+- The GitHub Action tag, npm package, release notes, and documentation all point to `0.6.4`.
+- The repository has public CI, Repository health, Repository inventory, CodeQL, and Release workflow evidence.
+
+This does not replace the remaining adoption gap. The strongest next evidence would still be independent maintainer-owned workflow usage or merged external maintainer PRs.

package/docs/release-notes/v0.6.1.md

@@ -0,0 +1,18 @@
+# oss-signal v0.6.1
+
+`oss-signal` v0.6.1 publishes the repository inventory release with GitHub Release automation enabled.
+
+## Highlights
+
+- Keeps the v0.6 inventory mode for auditing newline-delimited lists of repositories.
+- Keeps GitHub Action inventory support with step summary output and average-score outputs.
+- Adds release workflow automation that creates a GitHub Release from `docs/release-notes/`.
+- Verifies npm package contents before release publication.
+
+## Verification
+
+```bash
+npm run check
+node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown
+npm publish --dry-run
+```

package/docs/release-notes/v0.6.2.md

@@ -0,0 +1,17 @@
+# oss-signal v0.6.2
+
+`oss-signal` v0.6.2 switches release publishing to npm Trusted Publishing.
+
+## Highlights
+
+- Publishes from GitHub Actions through npm Trusted Publishing and OIDC.
+- Keeps npm provenance enabled with `npm publish --provenance`.
+- Removes the old `NPM_TOKEN` / `NPM_PUBLISH_ENABLED` gate from release publishing.
+- Keeps the v0.6 repository inventory CLI and GitHub Action support.
+
+## Verification
+
+```bash
+npm run check
+npm publish --dry-run
+```

package/docs/release-notes/v0.6.3.md

@@ -0,0 +1,16 @@
+# oss-signal v0.6.3
+
+`oss-signal` v0.6.3 completes the move to npm Trusted Publishing.
+
+## Highlights
+
+- Uses Node 24 and npm 11.16 in the release workflow for Trusted Publishing support.
+- Publishes from GitHub Actions without a manual npm OTP.
+- Keeps GitHub Release creation, package verification, and the v0.6 repository inventory workflow.
+
+## Verification
+
+```bash
+npm run check
+npm publish --dry-run
+```

package/docs/release-notes/v0.6.4.md

@@ -0,0 +1,17 @@
+# oss-signal v0.6.4
+
+`oss-signal` v0.6.4 publishes the OSS Maintainer Signal brand refresh.
+
+## Changes
+
+- Adds a README banner, icon, and GitHub social preview assets.
+- Adds `docs/brand.md` with recommended GitHub repository description, topics, and UI asset guidance.
+- Updates the npm package description and keywords to better reflect maintainer-readiness, GitHub Action, SARIF, and inventory workflows.
+- Updates the GitHub Action metadata description and branding icon.
+
+## Verification
+
+```bash
+npm run check
+npm publish --dry-run
+```

package/docs/release-process.md

@@ -49,11 +49,11 @@ git push origin main --tags
 
 Create a GitHub Release for the tag and use the release notes in `docs/release-notes/` when available.
 
-For example, `v0.6.0` uses [docs/release-notes/v0.6.0.md](release-notes/v0.6.0.md).
+For example, `v0.6.4` uses [docs/release-notes/v0.6.4.md](release-notes/v0.6.4.md).
 
 ## npm Publish
 
-Manual publish path:
+Manual publish path, used only as a fallback:
 
 ```bash
 npm publish --access public
@@ -61,14 +61,14 @@ npm publish --access public
 
 Automation path:
 
-The tag-triggered [release workflow](../.github/workflows/release.yml) runs the same checks and verifies the package with `npm publish --dry-run`.
+The tag-triggered [release workflow](../.github/workflows/release.yml) runs the same checks, verifies the package with `npm publish --dry-run`, creates a GitHub Release, and publishes to npm with Trusted Publishing provenance.
 
-It publishes with provenance only when both release controls are configured:
+Trusted Publishing must be configured on npm for:
 
-- Repository secret `NPM_TOKEN` contains an npm automation token.
-- Repository variable `NPM_PUBLISH_ENABLED` is set to `true`.
-
-If either control is missing, the workflow prints a notice and stops after dry-run verification. This keeps tag verification useful when npm publishing is handled manually.
+- Package: `oss-signal`
+- Repository: `SalmonPlays/oss-signal`
+- Workflow file: `release.yml`
+- Permission: npm publish
 
 ## Post-Release Verification
 

package/docs/reviewer-evidence.md

@@ -1,9 +1,13 @@
 # Reviewer Evidence Quickstart
 
-Last verified: 2026-06-03T12:45:11Z
+Last verified: 2026-06-04T03:01:28Z
 
 This page gives reviewers a short path to verify that `oss-signal` is a real OSS maintainer workflow tool, not only a demo repository.
 
+## Application Version Note
+
+The Codex for Open Source application was submitted on 2026-06-03. The npm package and Action tag continued to move after submission as normal OSS maintenance. If any submitted field references older evidence, treat `0.6.4` as the current maintained release and see [post-submission-update.md](post-submission-update.md).
+
 ## Five-Minute Verification
 
 1. Confirm the public package:
@@ -12,12 +16,12 @@ This page gives reviewers a short path to verify that `oss-signal` is a real OSS
 npm view oss-signal version dist-tags --json
 ```
 
-Expected result: `version` is `0.6.0`, and `dist-tags.latest` is `0.6.0`.
+Expected result: `version` is `0.6.4`, and `dist-tags.latest` is `0.6.4`.
 
 2. Run the published package against the public repository:
 
 ```bash
-npm exec --yes --package=oss-signal@0.6.0 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.6.4 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
 Expected result: score `100`, grade `A`, source `github`.
@@ -40,8 +44,8 @@ Expected result: a Markdown table with one row per repository, average score, sc
 
 5. Inspect the public Action tag:
 
-- Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.0
-- Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.0
+- Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.6.4
+- Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.6.4
 - Action metadata: [../action.yml](../action.yml)
 
 6. Inspect field-audit evidence:
@@ -67,7 +71,9 @@ This project does not claim broad independent adoption yet. The separate workflo
 
 ## Primary Evidence Pages
 
+- Brand assets and GitHub settings copy: [brand.md](brand.md)
 - Adoption evidence: [adoption-evidence.md](adoption-evidence.md)
+- Post-submission update: [post-submission-update.md](post-submission-update.md)
 - Maintainer playbook: [maintainer-playbook.md](maintainer-playbook.md)
 - Release process: [release-process.md](release-process.md)
 - Rules and scoring weights: [rules.md](rules.md)

package/docs/self-audit.md

@@ -2,7 +2,7 @@
 
 Repository: `/Users/amon/Documents/Codex/2026-06-01/openai-s/outputs/oss-signal`
 Source: local
-Generated: 2026-06-03T12:53:52.423Z
+Generated: 2026-06-04T03:22:19.295Z
 
 Score: **100/100** (A)
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "oss-signal",
-  "version": "0.6.0",
-  "description": "A dependency-light CLI that audits open-source repository maintenance readiness.",
+  "version": "0.6.4",
+  "description": "Maintainer-readiness CLI and GitHub Action for OSS triage, CI evidence, inventory reports, SARIF, and issue-ready cleanup.",
   "type": "module",
   "bin": {
     "oss-signal": "src/cli.js"
@@ -34,8 +34,12 @@
   "keywords": [
     "open-source",
     "maintainer",
+    "maintainer-tools",
     "audit",
     "repository",
+    "repository-health",
+    "github-action",
+    "sarif",
     "cli"
   ],
   "author": "SalmonPlays",

package/src/index.js

@@ -2,7 +2,7 @@ import { promises as fs } from "node:fs";
 import https from "node:https";
 import path from "node:path";
 
-export const VERSION = "0.6.0";
+export const VERSION = "0.6.4";
 
 const SARIF_RULE_LOCATIONS = {
   readme: "README.md",