trace-to-skill 0.1.108 → 0.1.110

package/README.md

@@ -559,7 +559,7 @@ jobs:
       issues: write
     steps:
       - uses: actions/checkout@v5
-      - uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+      - uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
         with:
           mode: all
           doctor-threshold: "85"
@@ -608,7 +608,7 @@ Composite action usage:
 
 ```yaml
 - id: trace-to-skill
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: all
     doctor-threshold: "85"
@@ -626,7 +626,7 @@ Issue-map action usage for direct GitHub issue demand mining:
 
 ```yaml
 - id: codex-issue-map
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: issue-map
     issue-map-repo: openai/codex
@@ -643,7 +643,7 @@ Issue-heat action usage for recency-weighted GitHub issue movement:
 
 ```yaml
 - id: codex-issue-heat
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: issue-heat
     issue-heat-repo: openai/codex
@@ -661,7 +661,7 @@ Duplicate-audit action usage for checking Codex Action duplicate suggestions:
 
 ```yaml
 - id: codex-duplicate-audit
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex
@@ -703,19 +703,25 @@ Action outputs:
 | `issue-map-report` | Markdown issue-map report path |
 | `issue-map-json` | JSON issue-map report path |
 | `issue-heat-issues` | Number of GitHub issues fetched by issue-heat mode |
+| `issue-heat-considered` | Number of recent issues considered after filters |
+| `issue-heat-matched` | Number of recent issues matched to known failure classes |
 | `issue-heat-top-kind` | Hottest recent issue failure class |
 | `issue-heat-report` | Markdown issue-heat report path |
 | `issue-heat-json` | JSON issue-heat report path |
 | `duplicate-audit-candidates` | Number of duplicate candidates checked |
 | `duplicate-audit-likely` | Number of likely duplicate candidates |
 | `duplicate-audit-related` | Number of related but not exact duplicate candidates |
+| `duplicate-audit-needs-review` | Number of duplicate candidates needing human review |
+| `duplicate-audit-weak` | Number of weak duplicate matches |
 | `duplicate-audit-top-verdict` | Highest-confidence duplicate audit verdict |
 | `duplicate-audit-report` | Markdown duplicate-audit report path |
 | `duplicate-audit-json` | JSON duplicate-audit report path |
 
 By default, generated reports are also appended to the GitHub Actions Job Summary. Set `job-summary: "false"` to disable that UI output.
 
-Tagged Action releases build and run the CLI from `$GITHUB_ACTION_PATH`, so a workflow pinned to a release tag such as `@v0.1.108` executes that release's checked-out source instead of pulling the default branch at runtime.
+Tagged Action releases build and run the CLI from `$GITHUB_ACTION_PATH`, so a workflow pinned to a release tag such as `@v0.1.110` executes that release's checked-out source instead of pulling the default branch at runtime.
+
+Action inputs are passed into bash steps through environment variables before the CLI receives them. The regression fixture at `fixtures/action-malicious-inputs.json` keeps quote, newline, command-substitution, and shell-separator examples out of `run:` scripts so workflow inputs are treated as data.
 
 ## Codex Skill
 

package/docs/OPENAI_OSS_BRIEF.md

@@ -3,7 +3,7 @@
 | Field | Value |
 | --- | --- |
 | Repository | https://github.com/grnbtqdbyx-create/trace-to-skill |
-| Package | trace-to-skill@0.1.108 |
+| Package | trace-to-skill@0.1.110 |
 | License | Apache-2.0 |
 | Codex readiness | ready (100/100) |
 | Benchmark | pass, 46 cases |
@@ -27,7 +27,7 @@ API credits would power optional maintainer workflows on top of the local determ
 ## Evidence
 
 - Public repository: https://github.com/grnbtqdbyx-create/trace-to-skill
-- One-command package: npx trace-to-skill@0.1.108
+- One-command package: npx trace-to-skill@0.1.110
 - Open-source license: Apache-2.0
 - Codex readiness doctor: ready, 100/100, 0 failed checks.
 - Public fixture benchmark: pass, 46 cases.

package/docs/USE_CASES.md

@@ -61,7 +61,7 @@ What it proves:
 Recommended CI surface:
 
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: all
     doctor-threshold: "85"
@@ -74,7 +74,7 @@ Recommended CI surface:
 Duplicate-audit Action mode can also run from CI when you want a stable job summary for Codex Action duplicate suggestions:
 
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex
@@ -83,6 +83,8 @@ Duplicate-audit Action mode can also run from CI when you want a stable job summ
     github-token: ${{ github.token }}
 ```
 
+The published Action keeps user-controlled inputs out of shell scripts by passing them through step environment variables before invoking the CLI. `fixtures/action-malicious-inputs.json` covers quote, newline, command-substitution, and shell-separator cases so that future Action edits keep those values as data.
+
 ## 3. GitHub Issue Demand Mining
 
 Use this when you want to see what Codex users are actually complaining about on GitHub before choosing the next fixture, report template, or diagnostic helper.

package/fixtures/action-malicious-inputs.json

@@ -0,0 +1,41 @@
+{
+  "purpose": "Regression fixture for composite Action inputs that must be treated as data, not shell syntax.",
+  "cases": [
+    {
+      "name": "semicolon command separator in traces path",
+      "input": "traces",
+      "env": "INPUT_TRACES",
+      "value": "runs; echo PWNED"
+    },
+    {
+      "name": "command substitution in doctor path",
+      "input": "doctor-path",
+      "env": "INPUT_DOCTOR_PATH",
+      "value": "$(touch /tmp/trace-to-skill-pwned)"
+    },
+    {
+      "name": "newline injection in issue-map repository",
+      "input": "issue-map-repo",
+      "env": "INPUT_ISSUE_MAP_REPO",
+      "value": "openai/codex\nmalicious=true"
+    },
+    {
+      "name": "double quote in duplicate candidates",
+      "input": "duplicate-audit-candidates",
+      "env": "INPUT_DUPLICATE_AUDIT_CANDIDATES",
+      "value": "25391,\"25488\""
+    },
+    {
+      "name": "single quote in comment repository",
+      "input": "issue-heat-comment-repository",
+      "env": "INPUT_ISSUE_HEAT_COMMENT_REPOSITORY",
+      "value": "owner/repo' --token leaked"
+    },
+    {
+      "name": "environment file redirection text in token",
+      "input": "github-token",
+      "env": "INPUT_GITHUB_TOKEN",
+      "value": "ghs_token >> $GITHUB_ENV"
+    }
+  ]
+}

package/llms.txt

@@ -146,7 +146,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 ## GitHub Action
 
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: all
     doctor-threshold: "85"
@@ -159,7 +159,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 ## Weekly Codex Issue Radar
 
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: issue-map
     issue-map-repo: openai/codex
@@ -174,7 +174,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 Duplicate audit Action mode:
 
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.108
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trace-to-skill",
-  "version": "0.1.108",
+  "version": "0.1.110",
   "description": "Turn failed AI coding-agent runs into reusable AGENTS.md rules, SKILL.md files, and eval evidence.",
   "type": "module",
   "main": "dist/src/index.js",