npm - trace-to-skill - Versions diffs - 0.1.109 → 0.1.110 - Mend

trace-to-skill 0.1.109 → 0.1.110

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +8 -6
package/docs/OPENAI_OSS_BRIEF.md +2 -2
package/docs/USE_CASES.md +4 -2
package/fixtures/action-malicious-inputs.json +41 -0
package/llms.txt +3 -3
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -559,7 +559,7 @@ jobs:
       issues: write
     steps:
       - uses: actions/checkout@v5
-      - uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+      - uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
         with:
           mode: all
           doctor-threshold: "85"
@@ -608,7 +608,7 @@ Composite action usage:
 ```yaml
 - id: trace-to-skill
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: all
     doctor-threshold: "85"
@@ -626,7 +626,7 @@ Issue-map action usage for direct GitHub issue demand mining:
 ```yaml
 - id: codex-issue-map
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: issue-map
     issue-map-repo: openai/codex
@@ -643,7 +643,7 @@ Issue-heat action usage for recency-weighted GitHub issue movement:
 ```yaml
 - id: codex-issue-heat
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: issue-heat
     issue-heat-repo: openai/codex
@@ -661,7 +661,7 @@ Duplicate-audit action usage for checking Codex Action duplicate suggestions:
 ```yaml
 - id: codex-duplicate-audit
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex
@@ -719,7 +719,9 @@ Action outputs:
 By default, generated reports are also appended to the GitHub Actions Job Summary. Set `job-summary: "false"` to disable that UI output.
-Tagged Action releases build and run the CLI from `$GITHUB_ACTION_PATH`, so a workflow pinned to a release tag such as `@v0.1.109` executes that release's checked-out source instead of pulling the default branch at runtime.
+Tagged Action releases build and run the CLI from `$GITHUB_ACTION_PATH`, so a workflow pinned to a release tag such as `@v0.1.110` executes that release's checked-out source instead of pulling the default branch at runtime.
+Action inputs are passed into bash steps through environment variables before the CLI receives them. The regression fixture at `fixtures/action-malicious-inputs.json` keeps quote, newline, command-substitution, and shell-separator examples out of `run:` scripts so workflow inputs are treated as data.
 ## Codex Skill

package/docs/OPENAI_OSS_BRIEF.md CHANGED Viewed

@@ -3,7 +3,7 @@
 | Field | Value |
 | --- | --- |
 | Repository | https://github.com/grnbtqdbyx-create/trace-to-skill |
-| Package | trace-to-skill@0.1.109 |
+| Package | trace-to-skill@0.1.110 |
 | License | Apache-2.0 |
 | Codex readiness | ready (100/100) |
 | Benchmark | pass, 46 cases |
@@ -27,7 +27,7 @@ API credits would power optional maintainer workflows on top of the local determ
 ## Evidence
 - Public repository: https://github.com/grnbtqdbyx-create/trace-to-skill
-- One-command package: npx trace-to-skill@0.1.109
+- One-command package: npx trace-to-skill@0.1.110
 - Open-source license: Apache-2.0
 - Codex readiness doctor: ready, 100/100, 0 failed checks.
 - Public fixture benchmark: pass, 46 cases.

package/docs/USE_CASES.md CHANGED Viewed

@@ -61,7 +61,7 @@ What it proves:
 Recommended CI surface:
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: all
     doctor-threshold: "85"
@@ -74,7 +74,7 @@ Recommended CI surface:
 Duplicate-audit Action mode can also run from CI when you want a stable job summary for Codex Action duplicate suggestions:
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex
@@ -83,6 +83,8 @@ Duplicate-audit Action mode can also run from CI when you want a stable job summ
     github-token: ${{ github.token }}
 ```
+The published Action keeps user-controlled inputs out of shell scripts by passing them through step environment variables before invoking the CLI. `fixtures/action-malicious-inputs.json` covers quote, newline, command-substitution, and shell-separator cases so that future Action edits keep those values as data.
 ## 3. GitHub Issue Demand Mining
 Use this when you want to see what Codex users are actually complaining about on GitHub before choosing the next fixture, report template, or diagnostic helper.

package/fixtures/action-malicious-inputs.json ADDED Viewed

@@ -0,0 +1,41 @@
+{
+  "purpose": "Regression fixture for composite Action inputs that must be treated as data, not shell syntax.",
+  "cases": [
+    {
+      "name": "semicolon command separator in traces path",
+      "input": "traces",
+      "env": "INPUT_TRACES",
+      "value": "runs; echo PWNED"
+    },
+    {
+      "name": "command substitution in doctor path",
+      "input": "doctor-path",
+      "env": "INPUT_DOCTOR_PATH",
+      "value": "$(touch /tmp/trace-to-skill-pwned)"
+    },
+    {
+      "name": "newline injection in issue-map repository",
+      "input": "issue-map-repo",
+      "env": "INPUT_ISSUE_MAP_REPO",
+      "value": "openai/codex\nmalicious=true"
+    },
+    {
+      "name": "double quote in duplicate candidates",
+      "input": "duplicate-audit-candidates",
+      "env": "INPUT_DUPLICATE_AUDIT_CANDIDATES",
+      "value": "25391,\"25488\""
+    },
+    {
+      "name": "single quote in comment repository",
+      "input": "issue-heat-comment-repository",
+      "env": "INPUT_ISSUE_HEAT_COMMENT_REPOSITORY",
+      "value": "owner/repo' --token leaked"
+    },
+    {
+      "name": "environment file redirection text in token",
+      "input": "github-token",
+      "env": "INPUT_GITHUB_TOKEN",
+      "value": "ghs_token >> $GITHUB_ENV"
+    }
+  ]
+}

package/llms.txt CHANGED Viewed

@@ -146,7 +146,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 ## GitHub Action
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: all
     doctor-threshold: "85"
@@ -159,7 +159,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 ## Weekly Codex Issue Radar
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: issue-map
     issue-map-repo: openai/codex
@@ -174,7 +174,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 Duplicate audit Action mode:
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.110
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "trace-to-skill",
-  "version": "0.1.109",
+  "version": "0.1.110",
   "description": "Turn failed AI coding-agent runs into reusable AGENTS.md rules, SKILL.md files, and eval evidence.",
   "type": "module",
   "main": "dist/src/index.js",