@jentic/api-scorecard-cli 1.0.0-alpha.1 → 1.0.0-alpha.11

package/README.md

@@ -85,7 +85,7 @@ npx @jentic/api-scorecard-cli@alpha score --detail diagnostics ./openapi.yaml
 
 ## Anonymous vs keyed access
 
-OpenAPI documents hosted under [jentic-public-apis](https://github.com/jentic/jentic-public-apis)
+OpenAPI documents from [Jentic Public APIs (OAK)](https://github.com/jentic/jentic-public-apis)
 score without any key. For everything else, set the MVP preview key:
 
 ```bash
@@ -95,6 +95,26 @@ export JENTIC_API_KEY=mvp-preview
 This is a documented public placeholder for the alpha preview — not a secret. Real key issuance
 arrives in a future release.
 
+## Verifying releases
+
+`@jentic/api-scorecard-cli` alpha tarballs ship with two Sigstore-signed attestations:
+npm provenance (where and how the tarball was built) and an SPDX 2.3 SBOM (the runtime
+dependency closure). Both are present from `1.0.0-alpha.7` onward; earlier alphas carry only
+provenance. Verify with the GitHub CLI:
+
+```bash
+npm pack @jentic/api-scorecard-cli@alpha
+
+# Verify provenance (gh's default predicate)
+gh attestation verify ./jentic-api-scorecard-cli-*.tgz --owner jentic
+
+# Verify the SBOM (non-default predicate, must be requested explicitly)
+gh attestation verify ./jentic-api-scorecard-cli-*.tgz --owner jentic \
+  --predicate-type https://spdx.dev/Document/v2.3
+```
+
+Each successful run reports `Loaded digest sha256:…` and lists the matching attestation.
+
 ## Status
 
 This project is in **alpha**. Track progress in

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jentic/api-scorecard-cli",
-  "version": "1.0.0-alpha.1",
+  "version": "1.0.0-alpha.11",
   "description": "Score an OpenAPI document against the Jentic API AI Readiness Framework (JAIRF).",
   "keywords": [
     "api",
@@ -62,5 +62,5 @@
   "engines": {
     "node": ">=20.10.0"
   },
-  "gitHead": "ac7a54279448e786f005d74874b1c2fac53ea7fd"
+  "gitHead": "6970c0d53d9d404f9822163013b81cf2561c60ce"
 }