image-skill 0.1.29 → 0.1.30
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +9 -0
- package/PROVENANCE.md +18 -15
- package/SECURITY.md +5 -2
- package/bin/image-skill.mjs +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,15 @@ This changelog tracks the public `image-skill` CLI package and public skill
|
|
|
4
4
|
mirror. The npm package metadata remains the authority for tarball integrity and
|
|
5
5
|
provenance; this file is the human- and agent-readable release map.
|
|
6
6
|
|
|
7
|
+
## 0.1.30 - 2026-06-03
|
|
8
|
+
|
|
9
|
+
- Fix (provenance): replace the stale version-stamped "Current Published
|
|
10
|
+
Package" evidence with live npm metadata commands so agents verify the
|
|
11
|
+
package they are actually running instead of trusting a doc that can age
|
|
12
|
+
between releases.
|
|
13
|
+
- Fix (security): remove the hard-coded current attestation URL and keep the
|
|
14
|
+
registry attestation check parameterized by package version.
|
|
15
|
+
|
|
7
16
|
## 0.1.29 - 2026-06-03
|
|
8
17
|
|
|
9
18
|
- Fix (self-fund): public `credits quote` now requires an explicit
|
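Review bot: the new 0.1.30 provenance entry overstates what the replacement commands check. `npm view image-skill@latest ...` returns registry metadata for whatever the `latest` dist-tag points at, not the package an agent "is actually running", and nothing in this diff compares that output with the installed copy. Suggest wording it as "verify the published package" or adding a step such as `npm ls image-skill` / `image-skill --version` so the version being queried is the one that is installed.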
package/PROVENANCE.md
CHANGED
|
@@ -60,26 +60,29 @@ credits.
|
|
|
60
60
|
The package should contain only the public CLI, public contracts, changelog,
|
|
61
61
|
provenance note, and package metadata.
|
|
62
62
|
|
|
63
|
-
##
|
|
63
|
+
## Latest Release Evidence
|
|
64
64
|
|
|
65
|
-
|
|
66
|
-
|
|
65
|
+
Do not trust this file to name the current package after future publishes. npm
|
|
66
|
+
metadata is the release evidence. For the current dist-tag, run:
|
|
67
67
|
|
|
68
|
-
|
|
68
|
+
```bash
|
|
69
|
+
npm view image-skill@latest version gitHead time.modified dist.integrity dist.tarball dist.attestations.url repository.url --json
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
For a pinned package, replace `latest` with the exact version:
|
|
73
|
+
|
|
74
|
+
```bash
|
|
75
|
+
npm view image-skill@VERSION version gitHead time.modified dist.integrity dist.tarball dist.attestations.url repository.url --json
|
|
76
|
+
```
|
|
69
77
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
`https://registry.npmjs.org/image-skill/-/image-skill-0.1.15.tgz`
|
|
73
|
-
- npm integrity:
|
|
74
|
-
`sha512-U8BkskNDnH3fDP1V4sV+rzRm9BnUx1Xl1M2kahNBfo8yaehk9BykI+ts5DBDuf+C2WToWLHds6ln+zNHAceXlw==`
|
|
75
|
-
- npm attestation URL:
|
|
76
|
-
`https://registry.npmjs.org/-/npm/v1/attestations/image-skill@0.1.15`
|
|
78
|
+
Use the returned `gitHead` as the public mirror commit, `dist.integrity` as the
|
|
79
|
+
tarball integrity, and `dist.attestations.url` as the registry provenance URL.
|
|
77
80
|
|
|
78
81
|
Dispute-evidence summary (for any false-positive supply-chain flag): zero
|
|
79
|
-
dependencies, `npm audit` = 0 vulnerabilities, MIT licensed, published via
|
|
80
|
-
GitHub Actions npm OIDC trusted publishing (no long-lived token)
|
|
81
|
-
|
|
82
|
-
`https://slsa.dev/provenance/v1
|
|
82
|
+
dependencies, `npm audit` = 0 vulnerabilities, MIT licensed, and published via
|
|
83
|
+
GitHub Actions npm OIDC trusted publishing (no long-lived token). Published
|
|
84
|
+
packages should expose npm registry attestations, including
|
|
85
|
+
`github/npm publish v0.1` and `https://slsa.dev/provenance/v1`.
|
|
83
86
|
|
|
84
87
|
## Trust Rules For Agents
|
|
85
88
|
|
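Review bot: the new "Latest Release Evidence" section tells agents to take `gitHead`, `dist.integrity` and `dist.attestations.url` from `npm view` but never says what to check them against, so the guidance is still trust-by-reading. Suggest stating the comparisons explicitly: `dist.integrity` must equal the `integrity` recorded for `image-skill` in the consumer's lockfile, `repository.url` and `gitHead` must match the source repository and commit named inside the attestation bundle, and the bundle should be verified (for example with `npm audit signatures` in the consuming project) rather than merely fetched. The removed block had pinned its hash and attestation URL to 0.1.15 while this release is 0.1.30, which is the drift the changelog describes, so the move to live metadata is right; the missing piece is the verification step.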
package/SECURITY.md
CHANGED
|
@@ -34,8 +34,11 @@ Attestations are also served directly by the registry:
|
|
|
34
34
|
https://registry.npmjs.org/-/npm/v1/attestations/image-skill@VERSION
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
-
For the current
|
|
38
|
-
|
|
37
|
+
For the current dist-tag, read the live attestation URL from npm metadata:
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
npm view image-skill@latest dist.attestations.url --json
|
|
41
|
+
```
|
|
39
42
|
|
|
40
43
|
For an agent-readable trust packet that combines npm metadata, hosted contract
|
|
41
44
|
hashes, API health, model availability, and safe commands, run:
|
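Review bot: the `latest` dist-tag is mutable, so `npm view image-skill@latest dist.attestations.url --json` can return the attestation URL of a version other than the one installed, and an agent that fetches that URL has verified nothing about its own install. Suggest showing the `@VERSION` form here as PROVENANCE.md does, and pointing readers at `npm audit signatures`, which checks the registry signatures and provenance attestations for the exact versions in the lockfile.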
package/bin/image-skill.mjs
CHANGED
|
@@ -7,7 +7,7 @@ import { Readable } from "node:stream";
|
|
|
7
7
|
import { pipeline } from "node:stream/promises";
|
|
8
8
|
import os from "node:os";
|
|
9
9
|
|
|
10
|
-
const VERSION = "0.1.
|
|
10
|
+
const VERSION = "0.1.30";
|
|
11
11
|
const PACKAGE_NAME = "image-skill";
|
|
12
12
|
const DEFAULT_API_BASE_URL = "https://api.image-skill.com";
|
|
13
13
|
const DEFAULT_DOCS_BASE_URL = "https://image-skill.com";
|
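Review bot: `const VERSION = "0.1.30"` duplicates the `version` field in package.json and must be bumped by hand in lockstep with it, which is the same hand-maintained-copy pattern that let the PROVENANCE.md evidence go stale at 0.1.15. Suggest reading it from package metadata instead, e.g. `createRequire(import.meta.url)("../package.json").version` from `node:module`, or adding a release check that fails when the two values differ.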
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "image-skill",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.30",
|
|
4
4
|
"description": "Zero-setup durable creative-media CLI for agents (image + video + audio + 3D): guide-first creation, model and cost inspection, owned URLs, JSON recovery, payments, reusable assets, and feedback.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"private": false,
|