npm - trace-to-skill - Versions diffs - 0.1.109 → 0.1.111 - Mend

trace-to-skill 0.1.109 → 0.1.111

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +24 -6
package/docs/CODEX_DUPLICATE_AUDIT.md +15 -0
package/docs/OPENAI_OSS_BRIEF.md +2 -2
package/docs/USE_CASES.md +4 -2
package/fixtures/action-malicious-inputs.json +41 -0
package/fixtures/duplicate-audit-action-outputs.json +70 -0
package/llms.txt +3 -3
package/package.json +1 -1
package/schemas/duplicate-audit-action-outputs.schema.json +90 -0

package/README.md CHANGED Viewed

@@ -527,6 +527,7 @@ Stable machine-readable contracts are published with the npm package and release
 - [`schemas/usage-evidence-result.schema.json`](schemas/usage-evidence-result.schema.json) describes `trace-to-skill usage-evidence --format json`.
 - [`schemas/process-audit-result.schema.json`](schemas/process-audit-result.schema.json) describes `trace-to-skill process-audit --format json`.
 - [`schemas/issue-map-result.schema.json`](schemas/issue-map-result.schema.json) describes `trace-to-skill issue-map --format json`.
+- [`schemas/duplicate-audit-action-outputs.schema.json`](schemas/duplicate-audit-action-outputs.schema.json) describes the duplicate-audit Action output mapping in `fixtures/duplicate-audit-action-outputs.json`.
 - [`schemas/workspace-checkpoint-result.schema.json`](schemas/workspace-checkpoint-result.schema.json) describes `trace-to-skill checkpoint --format json`.
 These schemas let downstream Codex workflows, dashboards, and CI bots consume reports without scraping Markdown.
@@ -559,7 +560,7 @@ jobs:
       issues: write
     steps:
       - uses: actions/checkout@v5
-      - uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+      - uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
         with:
           mode: all
           doctor-threshold: "85"
@@ -608,7 +609,7 @@ Composite action usage:
 ```yaml
 - id: trace-to-skill
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: all
     doctor-threshold: "85"
@@ -626,7 +627,7 @@ Issue-map action usage for direct GitHub issue demand mining:
 ```yaml
 - id: codex-issue-map
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: issue-map
     issue-map-repo: openai/codex
@@ -643,7 +644,7 @@ Issue-heat action usage for recency-weighted GitHub issue movement:
 ```yaml
 - id: codex-issue-heat
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: issue-heat
     issue-heat-repo: openai/codex
@@ -661,7 +662,7 @@ Duplicate-audit action usage for checking Codex Action duplicate suggestions:
 ```yaml
 - id: codex-duplicate-audit
-  uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+  uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex
@@ -717,9 +718,26 @@ Action outputs:
 | `duplicate-audit-report` | Markdown duplicate-audit report path |
 | `duplicate-audit-json` | JSON duplicate-audit report path |
+Duplicate-audit Action output mapping:
+| Output | Step output | Source |
+| --- | --- | --- |
+| `duplicate-audit-candidates` | `candidates` | `summary.candidateCount` |
+| `duplicate-audit-likely` | `likely` | `summary.likelyDuplicates` |
+| `duplicate-audit-related` | `related` | `summary.relatedNotDuplicates` |
+| `duplicate-audit-needs-review` | `needs-review` | `summary.needsHumanReview` |
+| `duplicate-audit-weak` | `weak` | `summary.weakMatches` |
+| `duplicate-audit-top-verdict` | `top-verdict` | `candidates[].verdict` |
+| `duplicate-audit-report` | `report` | `trace-to-skill-duplicate-audit.md` |
+| `duplicate-audit-json` | `json` | `trace-to-skill-duplicate-audit.json` |
+The machine-readable mapping lives in [`fixtures/duplicate-audit-action-outputs.json`](fixtures/duplicate-audit-action-outputs.json) and is described by [`schemas/duplicate-audit-action-outputs.schema.json`](schemas/duplicate-audit-action-outputs.schema.json). The regression test checks that JSON-derived outputs point at fields in [`schemas/duplicate-audit-result.schema.json`](schemas/duplicate-audit-result.schema.json).
 By default, generated reports are also appended to the GitHub Actions Job Summary. Set `job-summary: "false"` to disable that UI output.
-Tagged Action releases build and run the CLI from `$GITHUB_ACTION_PATH`, so a workflow pinned to a release tag such as `@v0.1.109` executes that release's checked-out source instead of pulling the default branch at runtime.
+Tagged Action releases build and run the CLI from `$GITHUB_ACTION_PATH`, so a workflow pinned to a release tag such as `@v0.1.111` executes that release's checked-out source instead of pulling the default branch at runtime.
+Action inputs are passed into bash steps through environment variables before the CLI receives them. The regression fixture at `fixtures/action-malicious-inputs.json` keeps quote, newline, command-substitution, and shell-separator examples out of `run:` scripts so workflow inputs are treated as data.
 ## Codex Skill

package/docs/CODEX_DUPLICATE_AUDIT.md CHANGED Viewed

@@ -12,6 +12,21 @@ trace-to-skill duplicate-audit --repo openai/codex --issue 25507 --format markdo
 trace-to-skill duplicate-audit duplicate-audit.json --format json
 ```
+## Action Output Mapping
+| Output | Step output | Source |
+| --- | --- | --- |
+| `duplicate-audit-candidates` | `candidates` | `summary.candidateCount` |
+| `duplicate-audit-likely` | `likely` | `summary.likelyDuplicates` |
+| `duplicate-audit-related` | `related` | `summary.relatedNotDuplicates` |
+| `duplicate-audit-needs-review` | `needs-review` | `summary.needsHumanReview` |
+| `duplicate-audit-weak` | `weak` | `summary.weakMatches` |
+| `duplicate-audit-top-verdict` | `top-verdict` | `candidates[].verdict` |
+| `duplicate-audit-report` | `report` | `trace-to-skill-duplicate-audit.md` |
+| `duplicate-audit-json` | `json` | `trace-to-skill-duplicate-audit.json` |
+The machine-readable mapping lives in `fixtures/duplicate-audit-action-outputs.json`; `schemas/duplicate-audit-action-outputs.schema.json` describes that fixture, and JSON-derived outputs must point at fields in `schemas/duplicate-audit-result.schema.json`.
 ## Summary
 - Candidates: 2

package/docs/OPENAI_OSS_BRIEF.md CHANGED Viewed

@@ -3,7 +3,7 @@
 | Field | Value |
 | --- | --- |
 | Repository | https://github.com/grnbtqdbyx-create/trace-to-skill |
-| Package | trace-to-skill@0.1.109 |
+| Package | trace-to-skill@0.1.111 |
 | License | Apache-2.0 |
 | Codex readiness | ready (100/100) |
 | Benchmark | pass, 46 cases |
@@ -27,7 +27,7 @@ API credits would power optional maintainer workflows on top of the local determ
 ## Evidence
 - Public repository: https://github.com/grnbtqdbyx-create/trace-to-skill
-- One-command package: npx trace-to-skill@0.1.109
+- One-command package: npx trace-to-skill@0.1.111
 - Open-source license: Apache-2.0
 - Codex readiness doctor: ready, 100/100, 0 failed checks.
 - Public fixture benchmark: pass, 46 cases.

package/docs/USE_CASES.md CHANGED Viewed

@@ -61,7 +61,7 @@ What it proves:
 Recommended CI surface:
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: all
     doctor-threshold: "85"
@@ -74,7 +74,7 @@ Recommended CI surface:
 Duplicate-audit Action mode can also run from CI when you want a stable job summary for Codex Action duplicate suggestions:
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex
@@ -83,6 +83,8 @@ Duplicate-audit Action mode can also run from CI when you want a stable job summ
     github-token: ${{ github.token }}
 ```
+The published Action keeps user-controlled inputs out of shell scripts by passing them through step environment variables before invoking the CLI. `fixtures/action-malicious-inputs.json` covers quote, newline, command-substitution, and shell-separator cases so that future Action edits keep those values as data.
 ## 3. GitHub Issue Demand Mining
 Use this when you want to see what Codex users are actually complaining about on GitHub before choosing the next fixture, report template, or diagnostic helper.

package/fixtures/action-malicious-inputs.json ADDED Viewed

@@ -0,0 +1,41 @@
+{
+  "purpose": "Regression fixture for composite Action inputs that must be treated as data, not shell syntax.",
+  "cases": [
+    {
+      "name": "semicolon command separator in traces path",
+      "input": "traces",
+      "env": "INPUT_TRACES",
+      "value": "runs; echo PWNED"
+    },
+    {
+      "name": "command substitution in doctor path",
+      "input": "doctor-path",
+      "env": "INPUT_DOCTOR_PATH",
+      "value": "$(touch /tmp/trace-to-skill-pwned)"
+    },
+    {
+      "name": "newline injection in issue-map repository",
+      "input": "issue-map-repo",
+      "env": "INPUT_ISSUE_MAP_REPO",
+      "value": "openai/codex\nmalicious=true"
+    },
+    {
+      "name": "double quote in duplicate candidates",
+      "input": "duplicate-audit-candidates",
+      "env": "INPUT_DUPLICATE_AUDIT_CANDIDATES",
+      "value": "25391,\"25488\""
+    },
+    {
+      "name": "single quote in comment repository",
+      "input": "issue-heat-comment-repository",
+      "env": "INPUT_ISSUE_HEAT_COMMENT_REPOSITORY",
+      "value": "owner/repo' --token leaked"
+    },
+    {
+      "name": "environment file redirection text in token",
+      "input": "github-token",
+      "env": "INPUT_GITHUB_TOKEN",
+      "value": "ghs_token >> $GITHUB_ENV"
+    }
+  ]
+}

package/fixtures/duplicate-audit-action-outputs.json ADDED Viewed

@@ -0,0 +1,70 @@
+{
+  "$schema": "../schemas/duplicate-audit-action-outputs.schema.json",
+  "action": "duplicate-audit",
+  "outputs": [
+    {
+      "actionOutput": "duplicate-audit-candidates",
+      "stepOutput": "candidates",
+      "kind": "json-field",
+      "jsonPath": "summary.candidateCount",
+      "type": "integer",
+      "description": "Number of duplicate candidates checked."
+    },
+    {
+      "actionOutput": "duplicate-audit-likely",
+      "stepOutput": "likely",
+      "kind": "json-field",
+      "jsonPath": "summary.likelyDuplicates",
+      "type": "integer",
+      "description": "Number of candidates scored as likely duplicates."
+    },
+    {
+      "actionOutput": "duplicate-audit-related",
+      "stepOutput": "related",
+      "kind": "json-field",
+      "jsonPath": "summary.relatedNotDuplicates",
+      "type": "integer",
+      "description": "Number of candidates that are related but not exact duplicates."
+    },
+    {
+      "actionOutput": "duplicate-audit-needs-review",
+      "stepOutput": "needs-review",
+      "kind": "json-field",
+      "jsonPath": "summary.needsHumanReview",
+      "type": "integer",
+      "description": "Number of candidates that need maintainer review."
+    },
+    {
+      "actionOutput": "duplicate-audit-weak",
+      "stepOutput": "weak",
+      "kind": "json-field",
+      "jsonPath": "summary.weakMatches",
+      "type": "integer",
+      "description": "Number of weak duplicate matches."
+    },
+    {
+      "actionOutput": "duplicate-audit-top-verdict",
+      "stepOutput": "top-verdict",
+      "kind": "json-field",
+      "jsonPath": "candidates[].verdict",
+      "type": "string",
+      "description": "Highest-confidence duplicate verdict, or an empty string when there are no candidates."
+    },
+    {
+      "actionOutput": "duplicate-audit-report",
+      "stepOutput": "report",
+      "kind": "artifact-path",
+      "path": "trace-to-skill-duplicate-audit.md",
+      "type": "path",
+      "description": "Markdown duplicate-audit report path generated by the Action."
+    },
+    {
+      "actionOutput": "duplicate-audit-json",
+      "stepOutput": "json",
+      "kind": "artifact-path",
+      "path": "trace-to-skill-duplicate-audit.json",
+      "type": "path",
+      "description": "JSON duplicate-audit report path conforming to schemas/duplicate-audit-result.schema.json."
+    }
+  ]
+}

package/llms.txt CHANGED Viewed

@@ -146,7 +146,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 ## GitHub Action
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: all
     doctor-threshold: "85"
@@ -159,7 +159,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 ## Weekly Codex Issue Radar
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: issue-map
     issue-map-repo: openai/codex
@@ -174,7 +174,7 @@ gh issue list --repo openai/codex --state all --limit 100 --json number,title,bo
 Duplicate audit Action mode:
 ```yaml
-- uses: grnbtqdbyx-create/trace-to-skill@v0.1.109
+- uses: grnbtqdbyx-create/trace-to-skill@v0.1.111
   with:
     mode: duplicate-audit
     duplicate-audit-repo: openai/codex

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "trace-to-skill",
-  "version": "0.1.109",
+  "version": "0.1.111",
   "description": "Turn failed AI coding-agent runs into reusable AGENTS.md rules, SKILL.md files, and eval evidence.",
   "type": "module",
   "main": "dist/src/index.js",

package/schemas/duplicate-audit-action-outputs.schema.json ADDED Viewed

@@ -0,0 +1,90 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://raw.githubusercontent.com/grnbtqdbyx-create/trace-to-skill/main/schemas/duplicate-audit-action-outputs.schema.json",
+  "title": "trace-to-skill duplicate-audit Action output mapping",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["action", "outputs"],
+  "properties": {
+    "action": {
+      "type": "string",
+      "const": "duplicate-audit"
+    },
+    "outputs": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "$ref": "#/$defs/outputMapping"
+      }
+    }
+  },
+  "$defs": {
+    "outputMapping": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["actionOutput", "stepOutput", "kind", "description"],
+      "properties": {
+        "actionOutput": {
+          "type": "string",
+          "pattern": "^duplicate-audit-[a-z0-9-]+$"
+        },
+        "stepOutput": {
+          "type": "string",
+          "pattern": "^[a-z0-9-]+$"
+        },
+        "kind": {
+          "type": "string",
+          "enum": ["json-field", "artifact-path"]
+        },
+        "jsonPath": {
+          "type": "string",
+          "pattern": "^[A-Za-z0-9_.\\[\\]-]+$"
+        },
+        "path": {
+          "type": "string"
+        },
+        "type": {
+          "type": "string",
+          "enum": ["integer", "string", "path"]
+        },
+        "description": {
+          "type": "string"
+        }
+      },
+      "allOf": [
+        {
+          "if": {
+            "properties": {
+              "kind": {
+                "const": "json-field"
+              }
+            },
+            "required": ["kind"]
+          },
+          "then": {
+            "required": ["jsonPath", "type"],
+            "not": {
+              "required": ["path"]
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": {
+              "kind": {
+                "const": "artifact-path"
+              }
+            },
+            "required": ["kind"]
+          },
+          "then": {
+            "required": ["path", "type"],
+            "not": {
+              "required": ["jsonPath"]
+            }
+          }
+        }
+      ]
+    }
+  }
+}