image-skill 0.1.29 → 0.1.31

package/CHANGELOG.md

@@ -4,6 +4,24 @@ This changelog tracks the public `image-skill` CLI package and public skill
 mirror. The npm package metadata remains the authority for tarball integrity and
 provenance; this file is the human- and agent-readable release map.
 
+## 0.1.31 - 2026-06-03
+
+- Fix (guide): public `create --guide` copyable commands now preserve
+  `IMAGE_SKILL_CONFIG_PATH` when an agent uses a non-default config path, and
+  blocked-config recovery commands switch to the local writable fallback in the
+  emitted `npx image-skill@latest` command. Auth signup, rerun, escape hatch,
+  ready dry-run/create, and self-fund quote/buy/status commands all keep the
+  same config context so fresh tool processes do not silently lose auth.
+
+## 0.1.30 - 2026-06-03
+
+- Fix (provenance): replace the stale version-stamped "Current Published
+  Package" evidence with live npm metadata commands so agents verify the
+  package they are actually running instead of trusting a doc that can age
+  between releases.
+- Fix (security): remove the hard-coded current attestation URL and keep the
+  registry attestation check parameterized by package version.
+
 ## 0.1.29 - 2026-06-03
 
 - Fix (self-fund): public `credits quote` now requires an explicit

package/PROVENANCE.md

@@ -60,26 +60,29 @@ credits.
    The package should contain only the public CLI, public contracts, changelog,
    provenance note, and package metadata.
 
-## Current Published Package
+## Latest Release Evidence
 
-`image-skill@0.1.15` (published 2026-05-31) was published from public repo
-commit `fc136fe84431ad145379fc8639ba9e1480f54442`.
+Do not trust this file to name the current package after future publishes. npm
+metadata is the release evidence. For the current dist-tag, run:
 
-Release evidence:
+```bash
+npm view image-skill@latest version gitHead time.modified dist.integrity dist.tarball dist.attestations.url repository.url --json
+```
+
+For a pinned package, replace `latest` with the exact version:
+
+```bash
+npm view image-skill@VERSION version gitHead time.modified dist.integrity dist.tarball dist.attestations.url repository.url --json
+```
 
-- npm package: `image-skill@0.1.15`
-- npm tarball:
-  `https://registry.npmjs.org/image-skill/-/image-skill-0.1.15.tgz`
-- npm integrity:
-  `sha512-U8BkskNDnH3fDP1V4sV+rzRm9BnUx1Xl1M2kahNBfo8yaehk9BykI+ts5DBDuf+C2WToWLHds6ln+zNHAceXlw==`
-- npm attestation URL:
-  `https://registry.npmjs.org/-/npm/v1/attestations/image-skill@0.1.15`
+Use the returned `gitHead` as the public mirror commit, `dist.integrity` as the
+tarball integrity, and `dist.attestations.url` as the registry provenance URL.
 
 Dispute-evidence summary (for any false-positive supply-chain flag): zero
-dependencies, `npm audit` = 0 vulnerabilities, MIT licensed, published via
-GitHub Actions npm OIDC trusted publishing (no long-lived token), with two live
-registry attestations (`github/npm publish v0.1` and
-`https://slsa.dev/provenance/v1`).
+dependencies, `npm audit` = 0 vulnerabilities, MIT licensed, and published via
+GitHub Actions npm OIDC trusted publishing (no long-lived token). Published
+packages should expose npm registry attestations, including
+`github/npm publish v0.1` and `https://slsa.dev/provenance/v1`.
 
 ## Trust Rules For Agents
 

package/SECURITY.md

@@ -34,8 +34,11 @@ Attestations are also served directly by the registry:
 https://registry.npmjs.org/-/npm/v1/attestations/image-skill@VERSION
 ```
 
-For the current release that is
-`https://registry.npmjs.org/-/npm/v1/attestations/image-skill@0.1.15`.
+For the current dist-tag, read the live attestation URL from npm metadata:
+
+```bash
+npm view image-skill@latest dist.attestations.url --json
+```
 
 For an agent-readable trust packet that combines npm metadata, hosted contract
 hashes, API health, model availability, and safe commands, run:

package/bin/image-skill.mjs

@@ -7,7 +7,7 @@ import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import os from "node:os";
 
-const VERSION = "0.1.29";
+const VERSION = "0.1.31";
 const PACKAGE_NAME = "image-skill";
 const DEFAULT_API_BASE_URL = "https://api.image-skill.com";
 const DEFAULT_DOCS_BASE_URL = "https://image-skill.com";
@@ -1472,6 +1472,12 @@ async function createGuide(args) {
   });
   const authConfigWrite =
     stage === "auth_required" ? await probeConfigWritable() : null;
+  const guideCommandPrefix = createGuideCommandPrefix({
+    configPath:
+      authConfigWrite?.ok === false
+        ? LOCAL_WRITABLE_CONFIG_PATH
+        : configuredImageSkillConfigPath(),
+  });
   const blocker = createGuideBlocker(stage, {
     requestedModelId,
     quota,
@@ -1486,7 +1492,7 @@ async function createGuide(args) {
     aspectRatio: selectedAspectRatio,
     apiBaseUrl: explicitApiBaseUrl(args),
     paymentSummary,
-    commandPrefix: PUBLIC_NPX_COMMAND_PREFIX,
+    commandPrefix: guideCommandPrefix,
     authConfigWritable: authConfigWrite?.ok ?? true,
   });
   const escapeHatches = createGuideEscapeHatches({
@@ -1497,7 +1503,7 @@ async function createGuide(args) {
     budgetGuard,
     aspectRatio: selectedAspectRatio,
     apiBaseUrl: explicitApiBaseUrl(args),
-    commandPrefix: PUBLIC_NPX_COMMAND_PREFIX,
+    commandPrefix: guideCommandPrefix,
   });
   const nextCommandEffect = createGuideNextCommandEffect(stage, {
     estimatedCredits,
@@ -1532,7 +1538,7 @@ async function createGuide(args) {
       ? renderGuideCommand(
           trimmedPrompt,
           explicitApiBaseUrl(args),
-          PUBLIC_NPX_COMMAND_PREFIX,
+          guideCommandPrefix,
         )
       : null;
   const authHandoff = createGuideAuthHandoff(stage, {
@@ -1551,6 +1557,7 @@ async function createGuide(args) {
     nextCommand,
     afterNext,
     tokenSource: publicTokenSource,
+    commandPrefix: guideCommandPrefix,
   });
   return createGuideSuccess(quota?.envelope.actor ?? null, {
     schema: "image-skill.create-guide.v1",
@@ -2210,6 +2217,7 @@ function createGuideSelfFundHandoff(stage, input) {
   const statusCommand = guidePaymentCommandByKind(
     input.paymentSummary.suggested_commands,
     "status",
+    input.commandPrefix,
   );
 
   return {
@@ -2226,10 +2234,12 @@ function createGuideSelfFundHandoff(stage, input) {
       quote: guidePaymentCommandByKind(
         input.paymentSummary.suggested_commands,
         "quote",
+        input.commandPrefix,
       ),
       buy: guidePaymentCommandByKind(
         input.paymentSummary.suggested_commands,
         "buy",
+        input.commandPrefix,
       ),
       status: statusCommand,
     },
@@ -2598,13 +2608,7 @@ function renderGuideSignupCommand(input) {
       : ["--api-base-url", shellQuote(input.apiBaseUrl)]),
     "--json",
   ].join(" ");
-  const command = renderGuidePrefixedCommand(
-    input.commandPrefix,
-    signupCommand,
-  );
-  return input.authConfigWritable === false
-    ? renderWritableConfigCommand(command)
-    : command;
+  return renderGuidePrefixedCommand(input.commandPrefix, signupCommand);
 }
 
 function renderTokenStdinCommand(command) {
@@ -2621,14 +2625,18 @@ function firstPaymentActionCommand(commands) {
   );
 }
 
-function guidePaymentCommandByKind(commands, kind) {
+function guidePaymentCommandByKind(commands, kind, commandPrefix = null) {
   const pattern =
     kind === "quote"
       ? /\bcredits\s+quote\b/
       : kind === "buy"
         ? /\bcredits\s+buy\b/
         : /\bcredits\s+status\b/;
-  return commands.find((command) => pattern.test(command)) ?? null;
+  const command = commands.find((candidate) => pattern.test(candidate)) ?? null;
+  if (command === null || commandPrefix === null) {
+    return command;
+  }
+  return renderGuidePrefixedCommand(commandPrefix, command);
 }
 
 function renderImageTo3dGuideCommand(input) {
@@ -2685,6 +2693,43 @@ function renderGuidePrefixedCommand(commandPrefix, command) {
   return `${commandPrefix} ${stripImageSkillCommandPrefix(command)}`;
 }
 
+function createGuideCommandPrefix(input = {}) {
+  const configPath =
+    input.configPath === undefined
+      ? configuredImageSkillConfigPath()
+      : input.configPath;
+  return renderShellEnvPrefixedCommand(
+    {
+      npm_config_update_notifier: "false",
+      ...(configPath === null ? {} : { IMAGE_SKILL_CONFIG_PATH: configPath }),
+    },
+    "npx -y image-skill@latest",
+  );
+}
+
+function configuredImageSkillConfigPath() {
+  const configPath = process.env.IMAGE_SKILL_CONFIG_PATH;
+  return typeof configPath === "string" && configPath.length > 0
+    ? configPath
+    : null;
+}
+
+function renderShellEnvPrefixedCommand(env, command) {
+  const assignments = Object.entries(env).map(
+    ([name, value]) => `${name}=${shellEnvAssignmentValue(name, value)}`,
+  );
+  return assignments.length === 0
+    ? command
+    : `${assignments.join(" ")} ${command}`;
+}
+
+function shellEnvAssignmentValue(name, value) {
+  if (name.startsWith("npm_config_") && /^(?:true|false|\d+)$/.test(value)) {
+    return value;
+  }
+  return shellQuote(value);
+}
+
 function renderWritableConfigCommand(command) {
   return `IMAGE_SKILL_CONFIG_PATH="${LOCAL_WRITABLE_CONFIG_PATH}" ${command}`;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-skill",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "description": "Zero-setup durable creative-media CLI for agents (image + video + audio + 3D): guide-first creation, model and cost inspection, owned URLs, JSON recovery, payments, reusable assets, and feedback.",
   "type": "module",
   "private": false,