…ion (#10) (#185)

* Initial plan

* Add comprehensive unit tests for JavaScript files with Vitest and Makefile targets



* Add coverage/ directory to .gitignore to exclude build artifacts



---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: pelikhan <[email protected]>

This commit fixes CodeQL alert #10 (go/unsafe-quoting) in pkg/workflow/redact_secrets.go
by properly escaping single quotes and backslashes before embedding secret references
in YAML strings.

**Issue**: JSON values containing single quotes could break out of enclosing quotes,
potentially leading to command/SQL/code injection (CWE-78, CWE-89, CWE-94).

**Fix**: Added escapeSingleQuote() helper function that:
- Escapes backslashes first to prevent interference
- Escapes single quotes to prevent breaking out of quoted strings
- Applied escaping to all secret references before embedding in YAML

**Security Impact**: Prevents potential injection attacks when secret names contain
special characters that could manipulate the generated YAML structure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Fixes code scanning alert #10: Potentially unsafe quoting (go/unsafe-quoting)

**Problem:**
The code was using an escaped secret name in the GitHub Actions expression
context (${{ secrets.%s }}), which is incorrect. The escapeSingleQuote()
function escapes single quotes and backslashes for use in single-quoted
YAML strings, but GitHub Actions expressions don't use single quotes.

**Solution:**
Use the original, unescaped secretName in the GitHub Actions expression
since secret names are already validated to only contain safe characters
(uppercase letters, numbers, and underscores) via the validateSecretReferences
function.

The escaped version is still used for the environment variable name prefix
(SECRET_%s) where it's needed for YAML quoting.

**Security Impact:**
This fix prevents potential injection vulnerabilities where escaped
characters could be misinterpreted in the GitHub Actions expression context.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

- Add editWikiHandler to safe_outputs_handlers.cjs: generates incremental
  patch from a wiki clone directory committed by the agent
- Register edit_wiki in safe_outputs_tools_loader.cjs handler map
- Add wiki_dir parameter to edit_wiki tool schema (safe_outputs_tools.json)
- Fix unused createAuthenticatedGitHubClient import in edit_wiki.cjs
- Fix commitTitleSuffix regex to handle [PATCH N/M] and [PATCH vN] prefixes
- Fix edit_wiki.go default max from 0 to 1 (aligns with schema constraint)
- Update smoke-codex.md: add edit-wiki to safe-outputs and test #10 that
  clones the wiki, creates a haiku page, links it from Home.md, commits,
  and calls the edit_wiki safe-output tool

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/125b6501-1921-46a1-a885-289ae2df5adc

Co-authored-by: pelikhan <[email protected]>