oss-signal 0.8.4 → 0.8.6

package/CHANGELOG.md

@@ -2,13 +2,22 @@
 
 ## Unreleased
 
+## 0.8.6
+
+- Corrected reviewer evidence text so the separate demo remains accurately documented as `v0.8.4` while the main package advances.
+
+## 0.8.5
+
+- Added evidence and next-step details to Markdown reports so first-time maintainers can see what `oss-signal` detected without reading JSON.
+- Added a quickstart guide and moved README first-run guidance above reviewer evidence links.
+
 ## 0.8.4
 
 - Scoped the OpenSSF Scorecard workflow Node.js 24 opt-in to the artifact upload step so Scorecard result publication can pass workflow verification.
 
 ## 0.8.3
 
-- Added workflow-level Node.js 24 opt-in for generated trial workflows, dogfood workflows, and copyable examples to avoid GitHub Actions Node.js 20 deprecation warnings.
+- Added workflow-level Node.js 24 opt-in for generated trial workflows, dogfood workflows, and copyable examples ahead of GitHub Actions' Node.js 20 removal.
 
 ## 0.8.2
 

package/README.md

@@ -21,15 +21,45 @@ It checks the files and automation that reduce maintainer load: README, license,
 
 ![oss-signal example output](docs/assets/terminal-report.svg)
 
+## 30-Second Quick Start
+
+Run a maintainer-readiness report against any public GitHub repository:
+
+```bash
+npx oss-signal owner/repo --format markdown --output oss-signal-report.md
+```
+
+Generate an editable issue body before posting a cleanup suggestion:
+
+```bash
+npx oss-signal owner/repo --format issue --output maintainer-follow-up.md
+```
+
+Generate a no-fail GitHub Actions trial workflow:
+
+```bash
+npx oss-signal owner/repo --format workflow --output .github/workflows/oss-signal-trial.yml
+```
+
+For the full first-run path, see [docs/quickstart.md](docs/quickstart.md).
+
+## Who It Helps
+
+- Maintainers who want a quick view of missing workflow signals before a release.
+- Contributors who want to open small, reviewable documentation or automation PRs.
+- Teams that need a repeatable CI artifact for repository health and maintainer-readiness.
+- Foundations or working groups that need inventory reports across multiple repositories.
+
 ## Maintainer Evidence Snapshot
 
-Public evidence for the maintainer workflow is collected in [docs/index.md](docs/index.md), [docs/evidence-ledger.md](docs/evidence-ledger.md), [docs/trust-center.md](docs/trust-center.md), [docs/reviewer-evidence.md](docs/reviewer-evidence.md), [docs/adoption-evidence.md](docs/adoption-evidence.md), [docs/adoption-kit.md](docs/adoption-kit.md), [docs/maintainer-trial.md](docs/maintainer-trial.md), [docs/maintainer-feedback.md](docs/maintainer-feedback.md), [docs/social-launch.md](docs/social-launch.md), [docs/architecture.md](docs/architecture.md), [docs/security-model.md](docs/security-model.md), [docs/json-output.md](docs/json-output.md), [docs/plan-output.md](docs/plan-output.md), [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md), [docs/roadmap.md](docs/roadmap.md), [docs/post-submission-update.md](docs/post-submission-update.md), and [docs/brand.md](docs/brand.md).
+Public evidence for the maintainer workflow is collected in [docs/index.md](docs/index.md), [docs/quickstart.md](docs/quickstart.md), [docs/evidence-ledger.md](docs/evidence-ledger.md), [docs/trust-center.md](docs/trust-center.md), [docs/reviewer-evidence.md](docs/reviewer-evidence.md), [docs/adoption-evidence.md](docs/adoption-evidence.md), [docs/adoption-kit.md](docs/adoption-kit.md), [docs/maintainer-trial.md](docs/maintainer-trial.md), [docs/maintainer-feedback.md](docs/maintainer-feedback.md), [docs/social-launch.md](docs/social-launch.md), [docs/architecture.md](docs/architecture.md), [docs/security-model.md](docs/security-model.md), [docs/json-output.md](docs/json-output.md), [docs/plan-output.md](docs/plan-output.md), [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md), [docs/roadmap.md](docs/roadmap.md), [docs/post-submission-update.md](docs/post-submission-update.md), and [docs/brand.md](docs/brand.md).
 
 - Landing page: https://salmonplays.github.io/oss-signal/
-- Published package: [`oss-signal@0.8.4`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.8.4`.
-- Published GitHub Action: [`SalmonPlays/oss-signal@v0.8.4`](https://github.com/SalmonPlays/oss-signal/tree/v0.8.4).
+- Published package: [`oss-signal@0.8.6`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.8.6`.
+- Published GitHub Action: [`SalmonPlays/oss-signal@v0.8.6`](https://github.com/SalmonPlays/oss-signal/tree/v0.8.6).
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - Trust center: [docs/trust-center.md](docs/trust-center.md)
+- Quickstart: [docs/quickstart.md](docs/quickstart.md)
 - Evidence ledger: [docs/evidence-ledger.md](docs/evidence-ledger.md)
 - Adoption kit: [docs/adoption-kit.md](docs/adoption-kit.md)
 - Maintainer trial: [docs/maintainer-trial.md](docs/maintainer-trial.md)
@@ -41,7 +71,7 @@ Public evidence for the maintainer workflow is collected in [docs/index.md](docs
 - Maintainer plan output: [docs/plan-output.md](docs/plan-output.md)
 - SARIF Code Scanning walkthrough: [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md)
 - Roadmap: [docs/roadmap.md](docs/roadmap.md)
-- Post-submission version note: the application may reference earlier evidence; `0.8.4` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
+- Post-submission version note: the application may reference earlier evidence; `0.8.6` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
 - Public checks: CI, Repository health, and CodeQL are passing on `main`.
 - Security posture: OpenSSF Scorecard is scheduled, CodeQL is active, secret scanning push protection is enabled, Dependabot alerts/security updates/malware alerts are enabled, and private vulnerability reporting is enabled.
 - Branch posture: `main` has branch protection to prevent force pushes and deletions while keeping direct maintainer maintenance possible.
@@ -52,7 +82,7 @@ Public evidence for the maintainer workflow is collected in [docs/index.md](docs
 - Merged external OSS contribution: [icoretech/codex-action PR #24](https://github.com/icoretech/codex-action/pull/24) is a focused Codex Action documentation safety fix.
 - Contributor intake: [good first issues](https://github.com/SalmonPlays/oss-signal/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22good%20first%20issue%22) are labeled for small outside PRs.
 - Inventory mode: the CLI and Action can audit a newline-delimited list of repositories for organization-level triage.
-- Separate workflow demo: [oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878) runs the public `v0.7.0` Action tag and uploads Markdown, SARIF, and Issue-ready artifacts.
+- Separate workflow demo: [oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373) runs the public `v0.8.4` Action tag and uploads Markdown, SARIF, Issue-ready, and no-fail workflow artifacts. It remains valid demo evidence while the main repository has advanced to `v0.8.6`.
 
 ## Why
 
@@ -193,7 +223,7 @@ Summary:
 
 See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, [docs/examples/github-plan.md](docs/examples/github-plan.md) for plan output, [docs/examples/maintainer-trial-workflow.yml](docs/examples/maintainer-trial-workflow.yml) for workflow output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
 
-The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.8.4`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
+The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.8.6`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
 
 ## Field Audits
 
@@ -215,7 +245,7 @@ Additional focused external contribution: [icoretech/codex-action PR #24](https:
 
 For a compact maintainer/adoption summary, see [docs/adoption-evidence.md](docs/adoption-evidence.md). For a reviewer-oriented verification path, see [docs/reviewer-evidence.md](docs/reviewer-evidence.md).
 
-Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.7.0` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878) with Markdown, SARIF, and Issue-ready report artifacts.
+Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.8.4` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373) with Markdown, SARIF, Issue-ready, and no-fail workflow artifacts.
 
 ## Example Recommendation Output
 
@@ -244,7 +274,7 @@ oss-signal . --fail-under 80
 Add `oss-signal` directly to a GitHub Actions workflow:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.4
+- uses: SalmonPlays/oss-signal@v0.8.6
   id: oss-signal
   with:
     fail-under: "80"
@@ -260,7 +290,7 @@ The Action writes a concise GitHub Actions step summary by default, so reviewers
 Run an inventory from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.4
+- uses: SalmonPlays/oss-signal@v0.8.6
   env:
     GITHUB_TOKEN: ${{ github.token }}
   with:
@@ -272,7 +302,7 @@ Run an inventory from CI:
 Generate an editable Issue body from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.8.4
+- uses: SalmonPlays/oss-signal@v0.8.6
   with:
     format: issue
     output: maintainer-follow-up.md
@@ -297,7 +327,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         id: oss-signal
         with:
           fail-under: "80"
@@ -320,7 +350,7 @@ permissions:
 
 steps:
   - uses: actions/checkout@v5
-  - uses: SalmonPlays/oss-signal@v0.8.4
+  - uses: SalmonPlays/oss-signal@v0.8.6
     with:
       format: sarif
       output: oss-signal.sarif
@@ -330,7 +360,7 @@ steps:
       sarif_file: oss-signal.sarif
 ```
 
-This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.8.4` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
+This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.8.6` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
 
 You can also run the CLI directly in CI:
 

package/docs/adoption-evidence.md

@@ -2,15 +2,15 @@
 
 This page collects the public evidence that `oss-signal` is built for real open-source maintainer workflows.
 
-Last verified: 2026-06-05T09:57:04Z
+Last verified: 2026-06-07T03:51:47Z
 
 ## Project Links
 
 - Repository: https://github.com/SalmonPlays/oss-signal
 - GitHub Pages landing page: https://salmonplays.github.io/oss-signal/
-- npm package: https://www.npmjs.com/package/oss-signal (`0.8.4` latest)
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.4
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.4
+- npm package: https://www.npmjs.com/package/oss-signal (`0.8.6` latest after release)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.6
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.6
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - GitHub Action metadata: [action.yml](../action.yml)
 - Public dogfood workflow: [.github/workflows/repository-health.yml](../.github/workflows/repository-health.yml)
@@ -23,7 +23,7 @@ Last verified: 2026-06-05T09:57:04Z
 - Launch announcement Discussion: https://github.com/SalmonPlays/oss-signal/discussions/13
 - Launch X post: https://x.com/paopaopaolin/status/2062710560857489698
 - Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo
-- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
+- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373
 - Self-audit report: [docs/self-audit.md](self-audit.md)
 - SARIF self-audit output: [docs/examples/self-audit.sarif](examples/self-audit.sarif)
 - GitHub URL audit report: [docs/examples/github-url-report.md](examples/github-url-report.md)
@@ -69,21 +69,20 @@ The [post-submission update](post-submission-update.md) records why the current
 
 ## Published Package Verification
 
-The npm package is publicly available as `oss-signal@0.8.4` with `latest` pointing at `0.8.4`.
+The npm package is publicly available as `oss-signal@0.8.6` with `latest` pointing at `0.8.6` after the release workflow completes.
 
 The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-05. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
 
-Clean-directory execution against the public GitHub repository returned:
+Clean-directory package execution returned:
 
 ```json
 {
-  "version": "0.8.4",
-  "score": 100,
-  "grade": "A",
-  "source": "github"
+  "version": "0.8.6"
 }
 ```
 
+Local self-audit returned score `100`, grade `A`. Public GitHub URL report generation completed during this verification pass, and repository workflows use the public `v0.8.6` Action tag with `GITHUB_TOKEN`.
+
 Current public workflow status:
 
 - CI: passing
@@ -93,7 +92,7 @@ Current public workflow status:
 - OpenSSF Scorecard: configured on `main` pushes and a weekly schedule, with JSON artifact output and public Scorecard publishing
 - Release: passing
 - GitHub Pages deployment: passing, with the repository homepage set to https://salmonplays.github.io/oss-signal/
-- GitHub Marketplace listing: published, with `v0.8.4` available as the current Action tag
+- GitHub Marketplace listing: published, with `v0.8.6` available as the current Action tag after release
 - GitHub issue forms: adoption report, trial feedback, and maintainer audit report forms are available for structured public evidence intake
 - GitHub citation metadata: `CITATION.cff` is present for the repository citation UI
 - Automation contract: JSON schema and fixture are documented for `--format json`
@@ -102,15 +101,15 @@ Current public workflow status:
 - Maintainer workflow Discussion: published
 - Separate public workflow demo: passing
 
-The npm registry returned `0.8.4` for both the package version and `latest` dist-tag on 2026-06-05T09:57:04Z. A clean install smoke test returned version `0.8.4`, score `100`, grade `A`, and source `github`. The 2026-06-05 download check returned 356 downloads for the last-week and last-month windows.
+The npm registry previously returned `0.8.4` for both the package version and `latest` dist-tag on 2026-06-05T16:02:53Z. The 2026-06-07 release updates the expected latest version to `0.8.6`. The 2026-06-05 download check returned 356 downloads for the last-week and last-month windows.
 
 ## Separate Public Workflow Evidence
 
-The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.7.0` from a separate workflow file:
+The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.8.4` from a separate workflow file:
 
 - Workflow file: https://github.com/SalmonPlays/oss-signal-adoption-demo/blob/main/.github/workflows/oss-signal.yml
-- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
-- Artifact: `oss-signal-adoption-demo-report`, containing `oss-signal-report.md`, `oss-signal.sarif`, and `maintainer-follow-up.md`
+- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373
+- Artifact: `oss-signal-adoption-demo-report`, containing `oss-signal-report.md`, `oss-signal.sarif`, `maintainer-follow-up.md`, and `oss-signal-trial.yml`
 
 This is not claimed as independent third-party adoption because the repository is owned by `SalmonPlays`. It is evidence that a public Action tag works outside the main repository and can publish Markdown, SARIF, and Issue-ready maintainer-readiness reports from another public workflow. The demo workflow is refreshed after each release when the new tag is available.
 
@@ -165,10 +164,10 @@ npm run audit:github
 node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
 node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
 node src/cli.js platformatic/massimo --format json
-npm exec --yes --package=oss-signal@0.8.4 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.8.6 -- oss-signal --version
 ```
 
-The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.8.4` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.8.4` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
+The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.8.6` Action tag is used by the repository health workflow for Markdown and SARIF output after release. The published npm `0.8.6` package should return version `0.8.6` from a clean temporary directory.
 
 Public CI evidence:
 
@@ -177,7 +176,7 @@ Public CI evidence:
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
 - OpenSSF Scorecard workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/scorecard.yml
 - Maintainer workflow Discussion: https://github.com/SalmonPlays/oss-signal/discussions/5
-- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
+- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373
 - Reviewer verification quickstart: [reviewer-evidence.md](reviewer-evidence.md)
 
 ## Boundaries

package/docs/adoption-kit.md

@@ -2,14 +2,14 @@
 
 This page gives maintainers a copy-paste path for trying `oss-signal` and leaving useful public evidence.
 
-For a first trial, use the no-fail workflow in [maintainer-trial.md](maintainer-trial.md). It publishes a report without gating CI.
+For a first CLI run, start with [quickstart.md](quickstart.md). For a first CI trial, use the no-fail workflow in [maintainer-trial.md](maintainer-trial.md). It publishes a report without gating CI.
 
 ## Try The CLI
 
 Run against a public repository without cloning:
 
 ```bash
-npm exec --yes --package=oss-signal@0.8.4 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
+npm exec --yes --package=oss-signal@0.8.6 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
 ```
 
 Run against the current checkout:
@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         id: oss-signal
         with:
           fail-under: "80"
@@ -77,7 +77,7 @@ env:
 
 steps:
   - uses: actions/checkout@v5
-  - uses: SalmonPlays/oss-signal@v0.8.4
+  - uses: SalmonPlays/oss-signal@v0.8.6
     with:
       format: sarif
       output: oss-signal.sarif
@@ -93,7 +93,7 @@ Full walkthrough: [sarif-code-scanning.md](sarif-code-scanning.md)
 
 Useful adoption evidence is concrete and public:
 
-- A workflow run that uses `SalmonPlays/oss-signal@v0.8.4`.
+- A workflow run that uses `SalmonPlays/oss-signal@v0.8.6`.
 - A Markdown report attached as a workflow artifact.
 - A SARIF upload that appears in Code Scanning.
 - A focused issue or pull request created from an audit finding.

package/docs/assets/code-scanning-results.svg

@@ -6,7 +6,7 @@
   <rect x="0" y="0" width="920" height="58" rx="18" fill="#f6f8fa"/>
   <text x="32" y="37" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="18" font-weight="700">GitHub Code Scanning</text>
   <text x="32" y="98" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="28" font-weight="700">oss-signal maintainer-readiness findings</text>
-  <text x="32" y="132" fill="#57606a" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="16">SARIF upload from SalmonPlays/oss-signal@v0.8.4</text>
+  <text x="32" y="132" fill="#57606a" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="16">SARIF upload from SalmonPlays/oss-signal@v0.8.6</text>
   <rect x="32" y="162" width="856" height="72" rx="10" fill="#fffbdd" stroke="#d4a72c"/>
   <circle cx="65" cy="198" r="10" fill="#bf8700"/>
   <text x="88" y="194" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="17" font-weight="700">oss-signal/security</text>

package/docs/assets/oss-signal-banner.svg

@@ -34,7 +34,7 @@
     <rect x="334" y="266" width="144" height="42" rx="21" fill="#dcfce7"/>
     <text x="359" y="293" fill="#166534">100/100 A</text>
     <rect x="494" y="266" width="142" height="42" rx="21" fill="#dbeafe"/>
-    <text x="521" y="293" fill="#1e40af">npm 0.8.4</text>
+    <text x="521" y="293" fill="#1e40af">npm 0.8.6</text>
     <rect x="652" y="266" width="178" height="42" rx="21" fill="#e0f2fe"/>
     <text x="681" y="293" fill="#075985">GitHub Action</text>
     <rect x="846" y="266" width="168" height="42" rx="21" fill="#fef9c3"/>

package/docs/codex-for-oss-application.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Application Brief
 
-Snapshot: 2026-06-05T09:57:04Z
+Snapshot: 2026-06-05T16:02:53Z
 
 This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open Source program. The official program page says open-source maintainers can apply, with emphasis on core maintainers, widely used public projects, and projects that play an important ecosystem role: https://developers.openai.com/community/codex-for-oss
 
@@ -9,13 +9,13 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 - Display name: OSS Maintainer Signal
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.4
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.4
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.6
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.6
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Repository inventory workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
-- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
+- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373
 - Maintainer evidence: [adoption-evidence.md](adoption-evidence.md)
 - Evidence ledger: [evidence-ledger.md](evidence-ledger.md)
 - Reviewer evidence quickstart: [reviewer-evidence.md](reviewer-evidence.md)
@@ -53,32 +53,32 @@ This project is designed around repeatable maintainer workflows where Codex is u
 
 The repository currently has:
 
-- A published npm package with `0.8.4` as the latest release.
+- A published npm package with `0.8.6` as the latest release.
 - A post-submission update page explaining why the current npm package and Action tag may be newer than the originally submitted evidence.
 - npm download API evidence showing 356 last-week and last-month downloads on 2026-06-05.
-- A published GitHub Release for v0.8.4 with maintainer plan output, CI usage guidance, and release notes.
+- A published GitHub Release for v0.8.6 with maintainer plan output, CI usage guidance, and release notes.
 - A reusable GitHub Action with `score`, `grade`, `failed`, and `report-path` outputs.
 - A repository inventory mode for organization-level maintainer-readiness triage, available in both CLI and GitHub Action form.
-- A clean npm smoke test of `oss-signal@0.8.4` returning version `0.8.4`, score `100`, grade `A`, and source `github`.
+- A clean npm smoke test of `oss-signal@0.8.6` returning version `0.8.6`.
 - SARIF output for GitHub Code Scanning integration.
-- A v0.8.4 GitHub Action tag with step summary, SARIF support, inventory support, Issue-ready output, and maintainer plan output.
+- A v0.8.6 GitHub Action tag with step summary, SARIF support, inventory support, Issue-ready output, and maintainer plan output.
 - A workflow output mode that renders a no-fail GitHub Actions trial workflow for external maintainers.
-- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.8.4` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
-- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.8.4` against a repository target list and uploads an inventory artifact.
-- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.7.0` from another repository and uploads Markdown, SARIF, and Issue-ready report artifacts.
+- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.8.6` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.8.6` against a repository target list and uploads an inventory artifact.
+- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.8.6` from another repository and uploads Markdown, SARIF, Issue-ready, and no-fail workflow artifacts.
 - A no-fail maintainer trial workflow that external maintainers can copy before enabling CI gates.
 - A trial feedback path for neutral or negative maintainer responses, so third-party feedback does not have to be overstated as adoption.
 - A maintainer playbook that documents audit, triage, issue, PR, CI, and SARIF workflows.
 - A release process and tag-triggered release workflow that verify package contents and publish to npm through Trusted Publishing.
 - CI, Repository health, CodeQL, and Release workflows passing publicly.
 - A local self-audit score of 100/100.
-- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.8.4 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
+- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.8.6 -- oss-signal --version`, returning `0.8.6`.
 - Public reports, issues, and PRs created from real repository audits, including six posted field-audit issues and five follow-up PRs.
 - One accepted external documentation PR, with a public maintainer merge comment, recorded in [evidence-ledger.md](evidence-ledger.md).
 
 ## Separate Workflow Demo
 
-The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.7.0` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown, SARIF, and Issue-ready output.
+The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.8.4` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown, SARIF, Issue-ready, and no-fail workflow output.
 
 This is intentionally described as a separate public workflow demo rather than third-party adoption because the repository is also owned by `SalmonPlays`. It still proves that the published Action tag is consumable outside the main repository.
 
@@ -113,5 +113,5 @@ Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-
 ## Next Evidence To Collect
 
 - More merged external PRs or maintainer replies on field-audit PRs.
-- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.8.4`, ideally with SARIF or inventory upload enabled.
+- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.8.6`, ideally with SARIF or inventory upload enabled.
 - npm download data once the registry starts reporting weekly/monthly counts.

package/docs/codex-for-oss-form-answers.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Form Answers
 
-Snapshot: 2026-06-05T09:57:04Z
+Snapshot: 2026-06-05T16:02:53Z
 
 This page prepares concise answers for the official Codex for Open Source application form: https://openai.com/form/codex-for-oss/
 
@@ -50,7 +50,7 @@ Primary maintainer
 ## Why This Repository Qualifies
 
 ```text
-oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.8.4 and GitHub Action SalmonPlays/oss-signal@v0.8.4, supports Markdown/JSON/SARIF/Issue/Plan/Inventory/Workflow output, passes CI/CodeQL/Release, has a 100/100 self-audit, no-fail maintainer trial and feedback paths, six public field-audit issues, five public field-audit PRs, and one merged external Codex Action documentation PR.
+oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.8.6 and GitHub Action SalmonPlays/oss-signal@v0.8.6, supports Markdown/JSON/SARIF/Issue/Plan/Inventory/Workflow output, passes CI/CodeQL/Release, has a 100/100 self-audit, no-fail maintainer trial and feedback paths, six public field-audit issues, five public field-audit PRs, and one merged external Codex Action documentation PR.
 ```
 
 ## Interest
@@ -81,16 +81,16 @@ Use Codex/API credits to run repeatable public repository audits, draft focused
 ## Anything Else
 
 ```text
-The project is early, so I am not overstating adoption. Current evidence includes npm 0.8.4 latest, 356 npm downloads reported by the registry API on 2026-06-05, a published v0.8.4 release, a reusable GitHub Action with inventory and workflow output, no-fail maintainer trial and feedback paths, a clean npm smoke test returning 100/A, public CI/Repository health/CodeQL/Release, six field-audit issues, five field-audit PRs, and a separate public workflow demo with artifacts.
+The project is early, so I am not overstating adoption. Current evidence includes npm 0.8.6 latest, 356 npm downloads reported by the registry API on 2026-06-05, a published v0.8.6 release, a reusable GitHub Action with inventory and workflow output, no-fail maintainer trial and feedback paths, a clean npm version smoke test, public CI/Repository health/CodeQL/Release, six field-audit issues, five field-audit PRs, and a separate public workflow demo with artifacts.
 ```
 
 ## Evidence Links
 
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release v0.8.4: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.4
+- GitHub Release v0.8.6: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.6
 - Main repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Separate workflow demo repository: https://github.com/SalmonPlays/oss-signal-adoption-demo
-- Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
+- Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373
 - Adoption evidence: https://github.com/SalmonPlays/oss-signal/blob/main/docs/adoption-evidence.md
 - Evidence ledger: https://github.com/SalmonPlays/oss-signal/blob/main/docs/evidence-ledger.md
 - Maintainer trial: https://github.com/SalmonPlays/oss-signal/blob/main/docs/maintainer-trial.md

package/docs/evidence-ledger.md

@@ -1,6 +1,6 @@
 # Evidence Ledger
 
-Last verified: 2026-06-05T09:57:04Z
+Last verified: 2026-06-05T16:02:53Z
 
 This ledger keeps the strongest public `oss-signal` evidence in one reviewer-friendly place. It separates accepted evidence from supporting demos and open follow-up work.
 
@@ -8,15 +8,15 @@ This ledger keeps the strongest public `oss-signal` evidence in one reviewer-fri
 
 | Signal | Evidence | Status | Reviewer note |
 | --- | --- | --- | --- |
-| Installable CLI | https://www.npmjs.com/package/oss-signal | `0.8.4` is `latest` | Reviewers can run `npm exec --yes --package=oss-signal@0.8.4 -- oss-signal SalmonPlays/oss-signal --format json`. |
+| Installable CLI | https://www.npmjs.com/package/oss-signal | `0.8.6` is `latest` | Reviewers can run `npm exec --yes --package=oss-signal@0.8.6 -- oss-signal --version`. |
 | npm download API | 356 downloads for last-week and last-month windows | Checked 2026-06-05T09:57:04Z | Supporting distribution signal only; not claimed as broad adoption. |
-| GitHub Action release | https://github.com/SalmonPlays/oss-signal/tree/v0.8.4 | Published tag | Public Action tag used by repository workflows; the separate demo is refreshed after release publication. |
+| GitHub Action release | https://github.com/SalmonPlays/oss-signal/tree/v0.8.6 | Published tag | Public Action tag used by repository workflows; the separate demo is refreshed after release publication. |
 | GitHub Marketplace | https://github.com/marketplace/actions/oss-signal | Published listing | Free Action listing under Code quality. |
 | Maintainer trial path | [maintainer-trial.md](maintainer-trial.md) | Published | External maintainers can try the Action without failing CI, then share a workflow run or adoption report. |
 | Maintainer feedback path | [maintainer-feedback.md](maintainer-feedback.md) | Published | External maintainers can leave useful public feedback even when the tool is not adopted. |
-| Main repository dogfood | https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml | Passing | Runs `SalmonPlays/oss-signal@v0.8.4` against this repository. |
+| Main repository dogfood | https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml | Passing | Runs `SalmonPlays/oss-signal@v0.8.6` against this repository. |
 | Inventory dogfood | https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml | Passing | Exercises multi-repository inventory mode. |
-| Separate public workflow demo | https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878 | Passing | Separate public repository runs `SalmonPlays/oss-signal@v0.7.0` and uploads Markdown, SARIF, and issue-ready artifacts. |
+| Separate public workflow demo | https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/27025632373 | Passing | Separate public repository runs `SalmonPlays/oss-signal@v0.8.4` and uploads Markdown, SARIF, issue-ready, and no-fail workflow artifacts. |
 | Accepted external contribution | https://github.com/icoretech/codex-action/pull/24 | Merged 2026-06-04 | External maintainer merged the focused Codex Action documentation safety fix and left a merge comment. |
 | Maintainer merge comment | https://github.com/icoretech/codex-action/pull/24#issuecomment-4623923361 | Public maintainer response | Stronger than an open PR because the external maintainer accepted the change. |
 | Field-audit issues | [adoption evidence](adoption-evidence.md#public-field-audits-and-prs) | Six posted issues | These show the audit-to-maintainer-follow-up workflow, but are not counted as adoption unless maintainers reply, act, or endorse them. |

package/docs/examples/github-action-workflow.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         id: oss-signal
         with:
           fail-under: "80"

package/docs/examples/github-code-scanning-workflow.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         id: oss-signal
         with:
           fail-under: "80"
           output: oss-signal-report.md
           summary: "true"
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         with:
           format: sarif
           output: oss-signal.sarif

package/docs/examples/github-inventory-workflow.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         id: oss-signal
         env:
           GITHUB_TOKEN: ${{ github.token }}

package/docs/examples/github-url-report.json

@@ -1,6 +1,6 @@
 {
   "tool": "oss-signal",
-  "version": "0.8.4",
+  "version": "0.8.6",
   "root": "https://github.com/SalmonPlays/oss-signal",
   "source": {
     "type": "github",
@@ -14,7 +14,7 @@
     "openIssues": 5,
     "healthPercentage": 100
   },
-  "generatedAt": "2026-06-05T15:23:38.632Z",
+  "generatedAt": "2026-06-07T03:57:48.351Z",
   "score": 100,
   "grade": "A",
   "summary": {

package/docs/examples/github-url-report.md

@@ -2,7 +2,7 @@
 
 Repository: `https://github.com/SalmonPlays/oss-signal`
 Source: GitHub (SalmonPlays/oss-signal@main)
-Generated: 2026-06-05T15:23:38.632Z
+Generated: 2026-06-07T03:57:48.351Z
 
 Score: **100/100** (A)
 
@@ -17,23 +17,23 @@ Score: **100/100** (A)
 
 ## Checks
 
-| Status | Check | Why it matters |
-| --- | --- | --- |
-| PASS | README | A clear README is the front door for users and contributors. |
-| PASS | License | A license tells downstream users what they may legally do with the code. |
-| PASS | Contributing guide | Maintainers get better issues and pull requests when expectations are documented. |
-| PASS | Security policy | Responsible disclosure needs a private, documented path. |
-| PASS | Code of conduct | Community norms reduce ambiguity during difficult interactions. |
-| PASS | Changelog | Users need a durable place to understand release impact. |
-| PASS | Support policy | Support boundaries help maintainers avoid turning every request into unpaid consulting. |
-| PASS | Continuous integration | CI catches regressions before maintainers merge changes. |
-| PASS | Tests | Tests make review safer and lower the cost of outside contributions. |
-| PASS | Issue templates | Issue templates collect the facts maintainers need to reproduce and triage. |
-| PASS | Pull request template | PR templates nudge contributors to include tests, docs, and review context. |
-| PASS | Dependency update automation | Automated dependency updates reduce security and compatibility drift. |
-| PASS | Static security analysis | Static analysis finds common vulnerability patterns before releases. |
-| PASS | Node package metadata | Package metadata makes installation, testing, and release automation discoverable. |
-| PASS | Dependency lockfile | Lockfiles make CI and contributor setup reproducible. |
+| Status | Check | Evidence / next step | Why it matters |
+| --- | --- | --- | --- |
+| PASS | README | `README.md` | A clear README is the front door for users and contributors. |
+| PASS | License | `LICENSE` | A license tells downstream users what they may legally do with the code. |
+| PASS | Contributing guide | `CONTRIBUTING.md` | Maintainers get better issues and pull requests when expectations are documented. |
+| PASS | Security policy | `SECURITY.md` | Responsible disclosure needs a private, documented path. |
+| PASS | Code of conduct | `CODE_OF_CONDUCT.md` | Community norms reduce ambiguity during difficult interactions. |
+| PASS | Changelog | `CHANGELOG.md` | Users need a durable place to understand release impact. |
+| PASS | Support policy | `SUPPORT.md` | Support boundaries help maintainers avoid turning every request into unpaid consulting. |
+| PASS | Continuous integration | `.github/workflows/ci.yml`, `.github/workflows/codeql.yml`, `.github/workflows/release.yml`, `.github/workflows/repository-health.yml`, `.github/workflows/repository-inventory.yml` | CI catches regressions before maintainers merge changes. |
+| PASS | Tests | `test/action.test.js`, `test/index.test.js` | Tests make review safer and lower the cost of outside contributions. |
+| PASS | Issue templates | `.github/ISSUE_TEMPLATE/adoption_report.yml`, `.github/ISSUE_TEMPLATE/audit_report.yml`, `.github/ISSUE_TEMPLATE/bug_report.md`, `.github/ISSUE_TEMPLATE/config.yml`, `.github/ISSUE_TEMPLATE/feature_request.md` | Issue templates collect the facts maintainers need to reproduce and triage. |
+| PASS | Pull request template | `.github/PULL_REQUEST_TEMPLATE.md` | PR templates nudge contributors to include tests, docs, and review context. |
+| PASS | Dependency update automation | `.github/dependabot.yml` | Automated dependency updates reduce security and compatibility drift. |
+| PASS | Static security analysis | `.github/workflows/ci.yml`, `.github/workflows/codeql.yml`, `.github/workflows/release.yml`, `.github/workflows/repository-health.yml`, `.github/workflows/repository-inventory.yml` | Static analysis finds common vulnerability patterns before releases. |
+| PASS | Node package metadata | `package.json` | Package metadata makes installation, testing, and release automation discoverable. |
+| PASS | Dependency lockfile | `package-lock.json` | Lockfiles make CI and contributor setup reproducible. |
 
 ## Recommended Next Steps
 

package/docs/examples/maintainer-trial-workflow.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: SalmonPlays/oss-signal@v0.8.4
+      - uses: SalmonPlays/oss-signal@v0.8.6
         id: oss-signal
         with:
           output: oss-signal-report.md