Add safe-inputs documentation to site navigation

docs/astro.config.mjs

@@ -141,6 +141,7 @@ export default defineConfig({
 						{ label: 'AI Engines', link: '/reference/engines/' },
 						{ label: 'Tools', link: '/reference/tools/' },
 						{ label: 'Safe Outputs', link: '/reference/safe-outputs/' },
+						{ label: 'Safe Inputs', link: '/reference/safe-inputs/' },
 						{ label: 'Custom Safe Outputs', link: '/guides/custom-safe-outputs/' },
 						{ label: 'Imports', link: '/reference/imports/' },
 						{ label: 'Templating', link: '/reference/templating/' },

docs/src/content/docs/guides/mcps.md

@@ -275,6 +275,7 @@ tools:
 
 ## Related Documentation
 
+- [Safe Inputs](/gh-aw/reference/safe-inputs/) - Define custom inline tools without external MCP servers
 - [Tools](/gh-aw/reference/tools/) - Complete tools reference
 - [CLI Commands](/gh-aw/setup/cli/) - CLI commands including `mcp inspect`
 - [Imports](/gh-aw/reference/imports/) - Modularizing workflows with includes

docs/src/content/docs/labs.mdx

@@ -14,6 +14,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [AI Triage Campaign](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/ai-triage-campaign.md) | copilot | [![AI Triage Campaign](https://github.com/githubnext/gh-aw/actions/workflows/ai-triage-campaign.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/ai-triage-campaign.lock.yml) | - | - |
 | [Archie](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/archie.md) | copilot | [![Archie](https://github.com/githubnext/gh-aw/actions/workflows/archie.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/archie.lock.yml) | - | `/archie` |
 | [Artifacts Summary](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/artifacts-summary.md) | copilot | [![Artifacts Summary](https://github.com/githubnext/gh-aw/actions/workflows/artifacts-summary.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/artifacts-summary.lock.yml) | `0 6 * * 0` | - |
+| [Auto-Assign Issue](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-assign-issue-to-user.md) | copilot | [![Auto-Assign Issue](https://github.com/githubnext/gh-aw/actions/workflows/daily-assign-issue-to-user.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-assign-issue-to-user.lock.yml) | `30 2 * * *` | - |
 | [Basic Research Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/research.md) | copilot | [![Basic Research Agent](https://github.com/githubnext/gh-aw/actions/workflows/research.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/research.lock.yml) | - | - |
 | [Blog Auditor](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/blog-auditor.md) | claude | [![Blog Auditor](https://github.com/githubnext/gh-aw/actions/workflows/blog-auditor.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/blog-auditor.lock.yml) | `0 12 * * 3` | - |
 | [Brave Web Search Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/brave.md) | copilot | [![Brave Web Search Agent](https://github.com/githubnext/gh-aw/actions/workflows/brave.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/brave.lock.yml) | - | `/brave` |
@@ -30,6 +31,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [Copilot PR Prompt Pattern Analysis](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/copilot-pr-prompt-analysis.md) | copilot | [![Copilot PR Prompt Pattern Analysis](https://github.com/githubnext/gh-aw/actions/workflows/copilot-pr-prompt-analysis.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/copilot-pr-prompt-analysis.lock.yml) | `0 9 * * *` | - |
 | [Copilot Session Insights](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/copilot-session-insights.md) | claude | [![Copilot Session Insights](https://github.com/githubnext/gh-aw/actions/workflows/copilot-session-insights.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/copilot-session-insights.lock.yml) | `0 16 * * *` | - |
 | [Daily Code Metrics and Trend Tracking Agent](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-code-metrics.md) | claude | [![Daily Code Metrics and Trend Tracking Agent](https://github.com/githubnext/gh-aw/actions/workflows/daily-code-metrics.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-code-metrics.lock.yml) | `0 8 * * *` | - |
+| [Daily Copilot Token Consumption Report](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-copilot-token-report.md) | copilot | [![Daily Copilot Token Consumption Report](https://github.com/githubnext/gh-aw/actions/workflows/daily-copilot-token-report.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-copilot-token-report.lock.yml) | `0 11 * * 1-5` | - |
 | [Daily Documentation Updater](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-doc-updater.md) | claude | [![Daily Documentation Updater](https://github.com/githubnext/gh-aw/actions/workflows/daily-doc-updater.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-doc-updater.lock.yml) | `0 6 * * *` | - |
 | [Daily Fact About gh-aw](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-fact.md) | codex | [![Daily Fact About gh-aw](https://github.com/githubnext/gh-aw/actions/workflows/daily-fact.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-fact.lock.yml) | `0 11 * * 1-5` | - |
 | [Daily File Diet](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/daily-file-diet.md) | codex | [![Daily File Diet](https://github.com/githubnext/gh-aw/actions/workflows/daily-file-diet.lock.yml/badge.svg)](https://github.com/githubnext/gh-aw/actions/workflows/daily-file-diet.lock.yml) | `0 13 * * 1-5` | - |

docs/src/content/docs/reference/frontmatter.md

@@ -22,9 +22,9 @@ tools:
 
 ## Frontmatter Elements
 
-The frontmatter combines standard GitHub Actions properties (`on`, `permissions`, `run-name`, `runs-on`, `timeout-minutes`, `concurrency`, `env`, `environment`, `container`, `services`, `if`, `steps`, `cache`) with GitHub Agentic Workflows-specific elements (`description`, `source`, `github-token`, `imports`, `engine`, `strict`, `roles`, `features`, `safe-outputs`, `network`, `tools`).
+The frontmatter combines standard GitHub Actions properties (`on`, `permissions`, `run-name`, `runs-on`, `timeout-minutes`, `concurrency`, `env`, `environment`, `container`, `services`, `if`, `steps`, `cache`) with GitHub Agentic Workflows-specific elements (`description`, `source`, `github-token`, `imports`, `engine`, `strict`, `roles`, `features`, `safe-inputs`, `safe-outputs`, `network`, `tools`).
 
-Tool configurations (such as `bash`, `edit`, `github`, `web-fetch`, `web-search`, `playwright`, `cache-memory`, and custom MCP servers) are specified under the `tools:` key. See [Tools](/gh-aw/reference/tools/) for complete tool configuration documentation.
+Tool configurations (such as `bash`, `edit`, `github`, `web-fetch`, `web-search`, `playwright`, `cache-memory`, and custom MCP servers) are specified under the `tools:` key. Custom inline tools can be defined with the `safe-inputs:` key. See [Tools](/gh-aw/reference/tools/) and [Safe Inputs](/gh-aw/reference/safe-inputs/) for complete documentation.
 
 ### Trigger Events (`on:`)
 
@@ -170,6 +170,10 @@ network:
     - "api.example.com"    # Custom domain
 ```
 
+### Safe Inputs (`safe-inputs:`)
+
+Enables defining custom MCP tools inline using JavaScript or shell scripts. See [Safe Inputs](/gh-aw/reference/safe-inputs/) for complete documentation on creating custom tools with controlled secret access.
+
 ### Safe Outputs (`safe-outputs:`)
 
 Enables automatic issue creation, comment posting, and other safe outputs. See [Safe Outputs Processing](/gh-aw/reference/safe-outputs/).

docs/src/content/docs/reference/glossary.md

@@ -46,6 +46,9 @@ Capabilities that an AI agent can use during workflow execution. Tools are confi
 
 ## Security and Outputs
 
+### Safe Inputs
+Custom MCP tools defined inline in the workflow frontmatter using JavaScript or shell scripts. Allows lightweight tool creation without external dependencies while maintaining controlled access to secrets. Tools are generated at runtime and mounted as an MCP server. Each tool can have typed input parameters, default values, and environment variables. Configured using the `safe-inputs:` section in frontmatter.
+
 ### Safe Outputs
 Pre-approved actions the AI can take without requiring elevated permissions. The AI generates structured output describing what it wants to create (issues, comments, pull requests), which is processed by separate, permission-controlled jobs. Configured using the `safe-outputs:` section in frontmatter. This approach lets AI agents create GitHub content without direct write access, reducing security risks.
 
@@ -199,6 +202,7 @@ on:
 For detailed documentation on specific topics, see:
 - [Frontmatter Reference](/gh-aw/reference/frontmatter/)
 - [Tools Reference](/gh-aw/reference/tools/)
+- [Safe Inputs Reference](/gh-aw/reference/safe-inputs/)
 - [Safe Outputs Reference](/gh-aw/reference/safe-outputs/)
 - [Using MCPs Guide](/gh-aw/guides/mcps/)
 - [Security Guide](/gh-aw/guides/security/)

docs/src/content/docs/reference/tools.md

@@ -195,6 +195,7 @@ MCP servers run in isolated environments with controlled network access. See [MC
 
 ## Related Documentation
 
+- [Safe Inputs](/gh-aw/reference/safe-inputs/) - Define custom inline tools with JavaScript or shell scripts
 - [Frontmatter](/gh-aw/reference/frontmatter/) - All frontmatter configuration options
 - [Network Permissions](/gh-aw/reference/network/) - Network access control for AI engines
 - [MCPs](/gh-aw/guides/mcps/) - Complete Model Context Protocol setup and usage