diff --git a/.Jules/sentinel.md b/.Jules/sentinel.md
new file mode 100644
index 0000000..e7de2a1
--- /dev/null
+++ b/.Jules/sentinel.md
@@ -0,0 +1,5 @@
+## 2025-05-14 - [Command Injection in GitHub Actions]
+
+**Vulnerability:** Direct expansion of untrusted GitHub context variables (e.g., `github.event.pull_request.body`, `github.head_ref`, `github.event.pull_request.user.login`) in `run` steps.
+**Learning:** Untrusted input from pull requests can contain shell-metacharacters that execute arbitrary commands when expanded directly into a shell script.
+**Prevention:** Always map untrusted GitHub context variables to environment variables and reference the environment variables in the `run` script.
diff --git a/.github/workflows/enforce-branch-naming.yml b/.github/workflows/enforce-branch-naming.yml
index 52331fd..02a71df 100644
--- a/.github/workflows/enforce-branch-naming.yml
+++ b/.github/workflows/enforce-branch-naming.yml
@@ -11,4 +11,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Validate
-        run: echo "Branch is ${{ github.head_ref }}"
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: echo "Branch is $HEAD_REF"
diff --git a/.github/workflows/pr-description-quality-enforcer.yml b/.github/workflows/pr-description-quality-enforcer.yml
index 58a353d..12b431b 100644
--- a/.github/workflows/pr-description-quality-enforcer.yml
+++ b/.github/workflows/pr-description-quality-enforcer.yml
@@ -22,8 +22,10 @@ jobs:
         with:
           persist-credentials: false
       - name: Validate PR Description
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
         run: |
-          BODY="${{ github.event.pull_request.body }}"
+          BODY="$PR_BODY"
           LENGTH=${#BODY}
           if [ "$LENGTH" -lt 50 ]; then
             echo "PR description is too short ($LENGTH characters). Please provide more context."
diff --git a/.github/workflows/update-contributors-from-prs.yml b/.github/workflows/update-contributors-from-prs.yml
index 1ef8d64..3e14124 100644
--- a/.github/workflows/update-contributors-from-prs.yml
+++ b/.github/workflows/update-contributors-from-prs.yml
@@ -14,8 +14,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Add Contributor
+        env:
+          PR_USER: ${{ github.event.pull_request.user.login }}
         run: |
-          USER="${{ github.event.pull_request.user.login }}"
+          USER="$PR_USER"
           grep -q "$USER" ACKNOWLEDGMENTS.md || {
             echo "- $USER" >> ACKNOWLEDGMENTS.md
             git config user.name "KibaBot"
diff --git a/WORKFLOWS.md b/WORKFLOWS.md
index 71d43cb..0f850c4 100644
--- a/WORKFLOWS.md
+++ b/WORKFLOWS.md
@@ -1,5 +1,5 @@
 # GitHub Workflows Manual
-Generated on Sat May 23 03:05:55 UTC 2026
+Generated on Sat May 23 22:00:21 UTC 2026
 
 | Workflow Name | File Path |
 |---------------|-----------|