Releases: grnbtqdbyx-create/trace-to-skill
v0.1.111
What changed
- Added `schemas/duplicate-audit-action-outputs.schema.json` for the duplicate-audit GitHub Action output mapping.
- Added `fixtures/duplicate-audit-action-outputs.json` mapping Action outputs to step outputs, JSON result fields, and generated artifact paths.
- Added a regression test that verifies every duplicate-audit Action output is documented, wired in `action.yml`, and points at an existing `duplicate-audit` JSON schema field when JSON-derived.
- Linked the mapping from README and `docs/CODEX_DUPLICATE_AUDIT.md`.
Verification
- Red test: mapping test failed before the schema/fixture existed.
- `npm run check`
- `npm audit --omit=dev`
- `npm pack --dry-run --json`
- GitHub Actions CI: success on `b0fe4ff`
- Codex Readiness: success on `b0fe4ff`
v0.1.110
What changed
- Added `fixtures/action-malicious-inputs.json` with quote, newline, command-substitution, shell-separator, and environment-file-looking Action input cases.
- Extended the composite Action regression test so user-controlled inputs must stay out of `run:` shell scripts and pass through `INPUT_*` environment variables.
- Updated README/use-case docs and published examples to `v0.1.110`.
Verification
- `npm run check`
- `npm audit --omit=dev`
- `npm pack --dry-run --json`
- GitHub Actions CI: success on `2d839e1`
- Codex Readiness: success on `2d839e1`
v0.1.109
What's new
- Hardens the composite GitHub Action by passing user-controlled inputs through step `env` variables before using them in bash commands.
- Adds regression coverage that fails if risky Action inputs are interpolated directly into shell scripts.
- Clarifies the repo policy: default CLI analysis remains offline; explicit GitHub-facing commands may use the GitHub API.
- Adds bug report and feature request issue templates plus a pull request template to improve contributor intake and public maintainer signal.
- Updates Action examples, use-case docs, `llms.txt`, and OpenAI OSS brief evidence to v0.1.109.
Verification
- `npm run check` passed with 111 tests.
- `git diff --check` passed.
- `npm audit --omit=dev` found 0 vulnerabilities.
- `npm pack --dry-run --json` produced `trace-to-skill@0.1.109` without compiled tests.
- CI: https://github.com/grnbtqdbyx-create/trace-to-skill/actions/runs/26759945963
- Codex Readiness: https://github.com/grnbtqdbyx-create/trace-to-skill/actions/runs/26759945583
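The rule behind the v0.1.110 and v0.1.109 hardening (user-controlled inputs stay out of `run:` scripts and reach bash only through `INPUT_*` environment variables) can be checked mechanically. The scanner below is an added example, not the project's regression test; the action snippets are constructed and the input names `repo` and `issue` are hypothetical.

```javascript
// Added example: flag ${{ inputs.* }} expressions inside `run:` scripts of a
// composite action. Line-based scan (no YAML parser); covers `run: |` block
// scalars and single-line `run:` values only.
const INPUT_EXPR = /\$\{\{\s*inputs\.([A-Za-z0-9_-]+)\s*\}\}/g;

function findInterpolatedInputs(actionYaml) {
  const findings = [];
  const scan = (text, lineNo) => {
    for (const m of text.matchAll(INPUT_EXPR)) findings.push({ line: lineNo, input: m[1] });
  };
  let runIndent = -1; // column of the active `run:` key; -1 when outside a script
  actionYaml.split(/\r?\n/).forEach((line, i) => {
    const runKey = line.match(/^\s*(?:-\s+)?run:\s*(.*)$/);
    if (runKey) {
      runIndent = line.indexOf("run:");
      scan(runKey[1], i + 1); // single-line `run:` value, if any
      return;
    }
    const indent = line.search(/\S/); // -1 for blank lines, which stay in the block
    // A non-blank line at or left of the `run:` column ends the script body.
    if (runIndent >= 0 && indent >= 0 && indent <= runIndent) runIndent = -1;
    if (runIndent >= 0) scan(line, i + 1);
  });
  return findings;
}

// Constructed samples; the input names `repo` and `issue` are hypothetical.
const HEADER = ["runs:", "  using: composite", "  steps:", "    - name: Run audit", "      shell: bash"];
const VULNERABLE = [...HEADER,
  "      run: |",
  '        trace-to-skill duplicate-audit --repo "${{ inputs.repo }}" --issue "${{ inputs.issue }}"',
].join("\n");
const HARDENED = [...HEADER,
  "      run: |",
  '        trace-to-skill duplicate-audit --repo "$INPUT_REPO" --issue "$INPUT_ISSUE"',
  "      env:",
  "        INPUT_REPO: ${{ inputs.repo }}",
  "        INPUT_ISSUE: ${{ inputs.issue }}",
].join("\n");

console.log(findInterpolatedInputs(VULNERABLE)); // two findings, both on line 7
console.log(findInterpolatedInputs(HARDENED));   // []
```

In the hardened form the expression is expanded by the Actions runner into an environment variable, so its value reaches bash as data rather than as script text.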
v0.1.108
What's new
- Adds `duplicate-audit` mode to the composite GitHub Action so maintainers can check Codex duplicate suggestions from CI and get stable JSON, Markdown, outputs, and job summaries.
- Dogfoods the new Action mode in the repository's Codex Readiness workflow using `fixtures/codex-duplicate-audit.json`.
- Updates README, use-case docs, `llms.txt`, and OpenAI OSS brief evidence to the v0.1.108 release surface.
- Stabilizes the stdin `issue-heat` fixture test by using a wide fixture window instead of a date-fragile 8-hour window.
Verification
- `npm run check`
- `git diff --check`
- `npm pack --dry-run --json`
- GitHub CI: https://github.com/grnbtqdbyx-create/trace-to-skill/actions/runs/26756957990
- Codex Readiness: https://github.com/grnbtqdbyx-create/trace-to-skill/actions/runs/26756958022
v0.1.107
Adds duplicate-audit, a Codex Action duplicate-suggestion verifier for OpenAI/Codex issue triage.
What's new
- New CLI: `trace-to-skill duplicate-audit --repo openai/codex --issue 25507`
- Fetches the issue, Codex Action duplicate suggestions, candidate issues, and comments from GitHub.
- Compares deterministic failure kinds, labels, platform/surface signals, and title overlap.
- Separates `likely_duplicate` from `related_not_duplicate`, `needs_human_review`, and `weak_match`.
- Ships a JSON schema, fixture, and generated demo report.
Proof before release
- `npm run check`: 109 tests passed plus doctor/lint/smoke checks.
- `git diff --check`: passed.
- `npm pack --dry-run`: `trace-to-skill-0.1.107.tgz`, 189 entries, includes duplicate audit CLI, docs, schema, and fixture.
- Live GitHub smoke on `openai/codex#25507`: candidate `#25391` classified as `likely_duplicate` with confidence 100 and shared `codex_plugin_runtime` + `codex_windows_helper_path` kinds.
trace-to-skill v0.1.106
Adds issue-heat automation: Action mode, stable issue comment updater, init workflow integration, and self-dogfooding in Codex Readiness. This lets maintainers keep a public hot-issue tracking comment for what is moving right now without committing generated reports.
Proof before release:
- npm run check: 107 tests plus doctor/lint/smoke checks passed
- YAML parse, git diff --check, npm pack --dry-run passed
- Codex Readiness dogfooded mode: issue-heat on the fixture export
- live openai/codex issue-heat verified Windows helper/plugin hot clusters
- issue-heat-comment dry-run targets #8
trace-to-skill v0.1.105
Adds issue-heat, a recency-weighted GitHub issue movement report for Codex maintainers. It complements issue-map by showing what is moving right now, ranking recent clusters by recency, labels, comments, reactions, severity, and the first support artifact to generate.
Proof before release:
- npm run check: 106 tests plus doctor/lint/smoke checks passed
- YAML parse, git diff --check, npm pack --dry-run passed
- live openai/codex issue-heat verified Windows helper/plugin hot clusters while excluding weak_evidence and premature_completion from hot output
trace-to-skill v0.1.104
Adds surface-matrix, a Codex surface support matrix that turns issue-map clusters into blocked/degraded support rows for platform availability, remote workspaces, MCP visibility, plugin runtime, file-tree navigation, and context visibility.
Proof before release:
- npm run check: 104 tests plus doctor/lint/smoke checks passed
- YAML parse, git diff --check, npm pack --dry-run passed
- live openai/codex surface-matrix verified platform and remote issue examples (#10410, #4313, #11023, #10450)
trace-to-skill v0.1.103
Adds usage-doctor attribution for OpenAI Codex token-burn demand around #14593 and related usage-drain issues.
What changed:
- New usage-doctor alias for usage-evidence
- Usage receipt now includes confidence-ranked attribution buckets
- Buckets cover quota-window accounting, rapid-drain repros, prompt-cache collapse, large cached-context replay, background polling, compaction loops, retry/tool loops, subagent fan-out, and idle/background drain
- Each bucket includes signal count, line-linked evidence, and next evidence to collect
- JSON schema and OpenAI OSS brief updated
Validation:
- npm run check
- YAML workflow parse
- git diff --check
- npm pack --dry-run
- synthetic usage-doctor attribution proof
- live openai/codex issue-map proof for #14593
trace-to-skill v0.1.102
Adds project policy coverage to sensitive-audit for OpenAI Codex issue #2847 demand around deterministic sensitive-file exclusion.
What changed:
- sensitive-audit now reports whether project-level .codexignore, .agentignore, .aiexclude, and .gitignore exist
- reports covered and missing recommended patterns without reading sensitive file contents
- schema now exposes policyCoverage for downstream tooling
- docs and OpenAI OSS brief mention sensitive-file policy coverage
Validation:
- npm run check
- YAML workflow parse
- git diff --check
- npm pack --dry-run
- synthetic sensitive-audit policy coverage proof
- live openai/codex issue-map proof for #2847