image-skill 0.1.48 → 0.1.50

package/CHANGELOG.md

@@ -4,6 +4,23 @@ This changelog tracks the public `image-skill` CLI package and public skill
 mirror. The npm package metadata remains the authority for tarball integrity and
 provenance; this file is the human- and agent-readable release map.
 
+## 0.1.50 - 2026-06-14
+
+- Release (activation/self-fund): publish the post-0.1.49 public mirror payload
+  under an unpublished package version so `image-skill@latest` can include
+  `create --guide` ready-stage `data.self_fund_preparation` for pre-wall
+  browserless x402 quote preparation, plus the matching public contract docs.
+  No payment caps, provider routing, wallet action, provider spend, or media
+  spend changed in this release bump.
+
+## 0.1.49 - 2026-06-13
+
+- Release (activation/self-fund): publish the post-0.1.48 public mirror payload
+  under an unpublished package version so `image-skill@latest` can include the
+  top-up recovery quote commands made copy-runnable by #1894. No payment caps,
+  provider routing, wallet action, provider spend, or media spend changed in
+  this release bump.
+
 ## 0.1.48 - 2026-06-13
 
 - Release (activation/self-fund): publish the post-0.1.47 public mirror payload

package/SKILL.md

@@ -39,7 +39,7 @@ JSON is the default. Do not add `--json` to examples.
 npm_config_update_notifier=false npx -y image-skill@latest create --guide --prompt "a compact field camera on a stainless workbench"
 ```
 
-The guide is a free, zero-spend planning call. Given current auth, quota, and payment state, it returns `data.next_command`, `data.next_command_copy_runnable`, `data.next_command_missing_inputs`, `data.stage`, `data.guide_warning`, `data.next_command_effect`, `data.auth_ready`, `data.no_spend_evaluation`, `data.guide_recovery`, `data.recommended_no_spend_command` (alias of `data.no_spend_next_command`), `data.no_spend_next_command_effect`, `data.self_fund_next_command`, `data.self_fund_handoff`, `data.auth_handoff`, and `data.mutation`. It also preserves `data.checks.quota.top_up`, the same quota top-up recommendation returned by `usage quota`, so wallet-capable agents can see whether a browserless x402 top-up is recommended before the hard wall. Read `data.guide_warning` before running `data.next_command`: `next_command_safety` names whether the command is no-spend setup, read-only inspection, live-money payment action, or live media create. Run that next command only when `data.next_command_copy_runnable` is `true` and the warning says it is safe for your spend policy; when it is `false`, fill `data.next_command_missing_inputs` first. Prefer `data.guide_recovery` for no-doc recovery loops: it names the safest no-spend command and field, the live create or payment field that would spend, and the double-spend guard to check before any live retry. Repeat until `data.stage` is `ready_to_create`. At `ready_to_create`, `data.auth_ready.ready` and `data.auth_ready.next_command_auth_ready` are `true`: the returned create can reuse saved config, env token, or stdin token context without exposing a raw token. When `data.guide_warning.next_command_safety` is `live_media_create_credit_debit` and `data.no_spend_evaluation.stop_here` is `true`, `data.next_command` is the live create: run it only if media spend is allowed, otherwise stop before it and run `data.recommended_no_spend_command` for no-spend proof. The no-spend command is an authenticated hosted dry-run: it may create a recoverable `job.planned` receipt, but it has no provider call, credit debit, downloadable asset, or media write.
+The guide is a free, zero-spend planning call. Given current auth, quota, and payment state, it returns `data.next_command`, `data.next_command_copy_runnable`, `data.next_command_missing_inputs`, `data.stage`, `data.guide_warning`, `data.next_command_effect`, `data.auth_ready`, `data.no_spend_evaluation`, `data.guide_recovery`, `data.recommended_no_spend_command` (alias of `data.no_spend_next_command`), `data.no_spend_next_command_effect`, `data.self_fund_next_command`, `data.self_fund_handoff`, `data.self_fund_preparation`, `data.auth_handoff`, and `data.mutation`. It also preserves `data.checks.quota.top_up`, the same quota top-up recommendation returned by `usage quota`, so wallet-capable agents can see whether a browserless x402 top-up is recommended before the hard wall. Read `data.guide_warning` before running `data.next_command`: `next_command_safety` names whether the command is no-spend setup, read-only inspection, live-money payment action, or live media create. Run that next command only when `data.next_command_copy_runnable` is `true` and the warning says it is safe for your spend policy; when it is `false`, fill `data.next_command_missing_inputs` first. Prefer `data.guide_recovery` for no-doc recovery loops: it names the safest no-spend command and field, the live create or payment field that would spend, and the double-spend guard to check before any live retry. Repeat until `data.stage` is `ready_to_create`. At `ready_to_create`, `data.auth_ready.ready` and `data.auth_ready.next_command_auth_ready` are `true`: the returned create can reuse saved config, env token, or stdin token context without exposing a raw token. Read `data.self_fund_preparation` in this stage before spending the remaining free allowance: when `available` and `recommended` are true, `quote_command` creates an authenticated live-money quote/payment object but does not pay, settle a wallet transfer, debit credits, call a provider, or write media. Only a later buy/payment step can spend money. When `data.guide_warning.next_command_safety` is `live_media_create_credit_debit` and `data.no_spend_evaluation.stop_here` is `true`, `data.next_command` is the live create: run it only if media spend is allowed, otherwise stop before it and run `data.recommended_no_spend_command` for no-spend proof. The no-spend command is an authenticated hosted dry-run: it may create a recoverable `job.planned` receipt, but it has no provider call, credit debit, downloadable asset, or media write.
 
 Minimum success envelope on a create or edit:
 
@@ -180,6 +180,13 @@ reaches `quota_required`, read
 `data.checks.payments.preferred_method_summary.top_up_path` before quoting:
 `browserless_agent_self_fund` is the autonomous wallet path, while
 `human_payment_handoff` means a human/browser completion step is still required.
+When `create --guide` reaches `ready_to_create`, inspect
+`data.self_fund_preparation` before consuming the remaining free allowance. If
+it is available and recommended, `quote_command` is the pre-wall browserless
+x402 quote path: it creates an authenticated live-money quote/payment object
+without paying, settling a wallet transfer, debiting credits, calling a
+provider, or writing media. Only follow the later buy/status/wallet-settlement
+commands when delegated spend is allowed.
 For the browserless x402 path, `data.self_fund_handoff.wallet_settlement` names
 the payable-instructions fields to read after `credits buy` or `credits status`,
 plus the Base/USDC exact-amount and deposit-address fields. Use a delegated

package/bin/image-skill.mjs

@@ -15,7 +15,7 @@ import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import os from "node:os";
 
-const VERSION = "0.1.48";
+const VERSION = "0.1.50";
 const PACKAGE_NAME = "image-skill";
 const DEFAULT_API_BASE_URL = "https://api.image-skill.com";
 const DEFAULT_DOCS_BASE_URL = "https://image-skill.com";
@@ -1881,6 +1881,12 @@ async function createGuide(args, options = {}) {
     tokenSource: publicTokenSource,
     commandPrefix: guideCommandPrefix,
   });
+  const selfFundPreparation = createGuideSelfFundPreparation(stage, {
+    paymentSummary,
+    quotaTopUp: quota?.envelope.data?.top_up ?? null,
+    afterNext,
+    tokenSource: publicTokenSource,
+  });
   const guideRecovery = createGuideRecovery(stage, {
     blocker,
     nextCommand,
@@ -1996,6 +2002,7 @@ async function createGuide(args, options = {}) {
     self_fund_next_command: selfFundNextCommand,
     self_fund_next_command_label: selfFundNextCommandLabel,
     self_fund_handoff: selfFundHandoff,
+    self_fund_preparation: selfFundPreparation,
     after_next: afterNext,
     auth_handoff: authHandoff,
     escape_hatches: escapeHatches,
@@ -2628,7 +2635,7 @@ function createGuidePaymentCommands(
     "image-skill credits methods --json",
     "image-skill credits packs list --json",
     preferredMethod?.recovery?.quote_command ??
-      "image-skill credits quote --pack starter-500 --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json",
+      "image-skill credits quote --pack starter-500 --payment-method stripe_x402.exact.usdc --json",
     preferredMethod?.recovery?.purchase_command ??
       "image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json",
     preferredMethod?.recovery?.status_command ??
@@ -2955,6 +2962,70 @@ function createGuideSelfFundHandoff(stage, input) {
   };
 }
 
+function createGuideSelfFundPreparation(stage, input) {
+  if (stage !== "ready_to_create") {
+    return null;
+  }
+  const preferredMethod = input.paymentSummary.preferred_method;
+  const preferredSummary = input.paymentSummary.preferred_method_summary;
+  const quoteCommand = guidePaymentCommandByKind(
+    input.paymentSummary.suggested_commands,
+    "quote",
+  );
+  const available =
+    preferredMethod !== null &&
+    preferredSummary !== null &&
+    quoteCommand !== null;
+  const availableQuoteCommand = available ? quoteCommand : null;
+  const topUpPath = preferredSummary?.top_up_path ?? null;
+  const browserlessSelfFund = topUpPath === "browserless_agent_self_fund";
+  return {
+    available,
+    recommended: input.quotaTopUp?.recommended === true,
+    recommendation_reason: input.quotaTopUp?.recommendation_reason ?? null,
+    preferred_method: preferredMethod,
+    top_up_path: topUpPath,
+    inspect_methods_command: guidePaymentInspectionCommand(
+      input.paymentSummary.suggested_commands,
+      "methods",
+    ),
+    inspect_packs_command: guidePaymentInspectionCommand(
+      input.paymentSummary.suggested_commands,
+      "packs",
+    ),
+    quote_command: availableQuoteCommand,
+    quote_command_copy_runnable:
+      availableQuoteCommand !== null &&
+      createGuideNextCommandMissingInputs(availableQuoteCommand).length === 0,
+    quote_command_effect: {
+      label: "live_money_quote_no_charge",
+      no_spend: true,
+      live_money:
+        preferredMethod !== null &&
+        input.paymentSummary.live_money_methods.includes(preferredMethod),
+      provider_call: false,
+      hosted_create: false,
+      payment_object: true,
+      credit_debit: false,
+      media_write: false,
+      requires_wallet_for_buy: browserlessSelfFund,
+      max_amount_cents: preferredSummary?.max_amount_cents ?? null,
+      warning:
+        "data.self_fund_preparation.quote_command creates an authenticated live-money quote but does not pay, debit credits, call a provider, or write media. Only a later credits buy/payment step can spend money.",
+    },
+    after_next: input.afterNext,
+    auth: {
+      quote_command_requires_auth: true,
+      token_source: input.tokenSource,
+      secret_value_included: false,
+      accepted_methods: ["IMAGE_SKILL_TOKEN", "--token-stdin", "config"],
+    },
+    warning: browserlessSelfFund
+      ? "You can inspect or quote the browserless self-fund rail before credits run out; do not run buy or transfer funds unless delegated spend is allowed."
+      : "You can inspect the top-up path before credits run out; do not run buy or complete payment unless delegated spend is allowed.",
+  };
+}
+
 function createGuideWalletSettlementHandoff({
   preferredMethod,
   browserless,
@@ -3493,6 +3564,12 @@ function guidePaymentCommandByKind(commands, kind, commandPrefix = null) {
   return renderGuidePrefixedCommand(commandPrefix, command);
 }
 
+function guidePaymentInspectionCommand(commands, kind) {
+  const pattern =
+    kind === "methods" ? /\bcredits\s+methods\b/ : /\bcredits\s+packs\s+list\b/;
+  return commands.find((command) => pattern.test(command)) ?? null;
+}
+
 function renderInputImageGuideCommand(input) {
   const promptless = PROMPTLESS_EDIT_MODEL_IDS.has(input.modelId);
   return [

package/cli.md

@@ -237,7 +237,13 @@ step.
   it includes the recommendation reason, preferred browserless x402 method, and
   copy-runnable quote/buy/status command templates from `usage quota`.
 - `ready_to_create`: `data.next_command` is a live media create. Its
-  `data.next_command_effect.label` is `live_media_create_credit_debit`, with
+  `data.self_fund_preparation` is the pre-wall top-up affordance; when
+  `available` and `recommended` are true, `quote_command` creates an
+  authenticated live-money quote/payment object without paying, settling a
+  wallet transfer, debiting credits, calling a provider, or writing media.
+  Only follow later buy/status/wallet-settlement commands when delegated spend
+  is allowed. `data.next_command_effect.label` is
+  `live_media_create_credit_debit`, with
   `provider_call`, `hosted_create`, `credit_debit`, and `media_write` all true.
   `data.guide_warning.next_command_safety` is
   `live_media_create_credit_debit`, `data.guide_warning.no_spend_safe` is
@@ -964,8 +970,9 @@ image-skill create --guide --prompt "A compact field camera on a stainless workb
 `stage`, `next_command`, `next_command_copy_runnable`,
 `next_command_missing_inputs`, `guide_warning`, `auth_ready`,
 `no_spend_evaluation`, `recommended_no_spend_command`,
-`self_fund_next_command`, `self_fund_handoff`, `escape_hatches`, selected
-executable model and cost, auth/quota/payment blockers, and mutation flags. All
+`self_fund_next_command`, `self_fund_handoff`, `self_fund_preparation`,
+`escape_hatches`, selected executable model and cost, auth/quota/payment
+blockers, and mutation flags. All
 mutation flags must be false in guide mode: no provider call, hosted create,
 signup, payment object, credit debit, or media write.
 For next-command safety, read `next_command_copy_runnable`,

package/llms.txt

@@ -58,11 +58,11 @@ Claim states:
 - revoked: token or agent disabled
 
 First-run guide loop:
-1. Run image-skill create --guide --prompt PROMPT. This is the canonical fresh-agent entrypoint and the only required first command. It performs read-only hosted reachability, executable model availability, auth/quota, and payment rail checks and returns data.stage, data.next_command, data.guide_warning, data.next_command_effect, data.auth_ready, data.no_spend_evaluation, data.guide_recovery, data.no_spend_next_command, data.no_spend_next_command_effect, data.self_fund_next_command, data.self_fund_handoff, data.auth_handoff, data.escape_hatches, data.checks.quota.top_up, and data.mutation. Guide mode must report provider_call: false, hosted_create: false, hosted_signup: false, payment_object: false, credit_debit: false, and media_write: false.
+1. Run image-skill create --guide --prompt PROMPT. This is the canonical fresh-agent entrypoint and the only required first command. It performs read-only hosted reachability, executable model availability, auth/quota, and payment rail checks and returns data.stage, data.next_command, data.guide_warning, data.next_command_effect, data.auth_ready, data.no_spend_evaluation, data.guide_recovery, data.no_spend_next_command, data.no_spend_next_command_effect, data.self_fund_next_command, data.self_fund_handoff, data.self_fund_preparation, data.auth_handoff, data.escape_hatches, data.checks.quota.top_up, and data.mutation. Guide mode must report provider_call: false, hosted_create: false, hosted_signup: false, payment_object: false, credit_debit: false, and media_write: false.
 2. Read data.guide_warning, then follow data.next_command when its next_command_safety is safe for the current spend policy. Prefer data.guide_recovery for no-doc recovery: data.guide_recovery.no_spend_command_field and data.guide_recovery.no_spend_command name the safest no-spend command, data.guide_recovery.live_create_command_field and data.guide_recovery.live_payment_command_field name fields that would spend, and data.guide_recovery.double_spend_guard tells you when to check error.recovery, jobs, activity, or payment status before any live retry. Do not run doctor, models list, signup, whoami, quota, dry-run, or payment commands as a setup checklist before the guide asks for them.
 3. If data.stage is prompt_required, rerun data.next_command with the real prompt.
 4. If data.stage is auth_required, data.auth_ready.ready is false and data.guide_warning.next_command_safety is hosted_signup_no_spend_setup. Run data.next_command, then rerun the guide once. Hosted signup saves the restricted token to the public CLI config by default with 0600 permissions. If the configured config path is blocked, data.next_command sets IMAGE_SKILL_CONFIG_PATH="$PWD/.image-skill/config.json" and still runs a saved-config signup; do not switch to raw-token handoff unless recovery explicitly requires it. If the runtime intentionally uses --no-save --show-token, store the returned token in the agent runtime secret store, then rerun with IMAGE_SKILL_TOKEN or --token-stdin; data.auth_handoff.rerun_guide.with_env and data.auth_handoff.rerun_guide.with_stdin are copy-safe templates for that mode. Signup is anonymous by default: no contact inbox is required to get a restricted token. The optional --agent-contact flag takes an email-shaped durable contact inbox for the restricted agent identity, not a requirement to find an individual human; attach one later with image-skill claim request --contact INBOX --json when funding or durability makes it worth having. Hosted signup returns the raw restricted token only when --show-token is set, and only once. When providing a contact, use an agent-owned inbox when available; otherwise use an operator, team, or sponsor inbox that can receive future claim, billing, or abuse notices. Never invent an inbox or borrow an unrelated human email just to fill the flag — omit it instead. example.invalid addresses are only appropriate inside documented harness or proof runs. --human-email remains accepted as a compatibility alias, but the guide must not teach it. Anonymous signups mint a fresh agent identity on every call; reuse the saved config instead of re-running signup. --save is accepted as a compatibility no-op for the default save behavior; use --no-save only when the runtime has a separate secret store and does not want local config.
-5. At any guide stage, read data.checks.quota.top_up. When recommended is true, it includes recommendation_reason, preferred_payment_method, and copy-runnable quote/buy/status command templates for the browserless x402 top-up path. If data.stage is quota_required, data.guide_warning.next_command_safety is live_money_payment_action and data.guide_warning.payment_top_up_path summarizes the live-money path. Run data.self_fund_next_command to start the top-up. It aliases data.next_command and is the first payment command, usually an x402 or Stripe quote. First read data.checks.payments.preferred_method_summary.top_up_path: browserless_agent_self_fund means a wallet-equipped agent can complete the preferred live-money rail without a browser; human_payment_handoff means the agent can create the payment attempt but a human/browser step must complete before credits are granted. If the guide authenticated from env or stdin, prefer data.self_fund_handoff.auth.next_command.with_env or data.self_fund_handoff.auth.next_command.with_stdin so auth follows the payment command. Then follow data.self_fund_handoff.payment_commands.buy and status, and rerun data.self_fund_handoff.after_next once credits are granted. One Image Skill credit is $0.01. Credit quotes grant prepaid value units; create/edit operations debit model-priced credits reported as cost.credit_pricing. Starter preview currently gives bounded free-preview credits plus a four-job daily cap.
+5. At any guide stage, read data.checks.quota.top_up. When recommended is true, it includes recommendation_reason, preferred_payment_method, and copy-runnable quote/buy/status command templates for the browserless x402 top-up path. If data.stage is quota_required, data.guide_warning.next_command_safety is live_money_payment_action and data.guide_warning.payment_top_up_path summarizes the live-money path. Run data.self_fund_next_command to start the top-up. It aliases data.next_command and is the first payment command, usually an x402 or Stripe quote. First read data.checks.payments.preferred_method_summary.top_up_path: browserless_agent_self_fund means a wallet-equipped agent can complete the preferred live-money rail without a browser; human_payment_handoff means the agent can create the payment attempt but a human/browser step must complete before credits are granted. If the guide authenticated from env or stdin, prefer data.self_fund_handoff.auth.next_command.with_env or data.self_fund_handoff.auth.next_command.with_stdin so auth follows the payment command. Then follow data.self_fund_handoff.payment_commands.buy and status, and rerun data.self_fund_handoff.after_next once credits are granted. If data.stage is ready_to_create, inspect data.self_fund_preparation before consuming the remaining free allowance. When available and recommended are true, data.self_fund_preparation.quote_command is the pre-wall browserless x402 quote: it creates an authenticated live-money quote/payment object, but data.self_fund_preparation.quote_command_effect must show no provider call, no hosted create, no credit debit, no media write, and no wallet settlement until a later buy/payment step. One Image Skill credit is $0.01. Credit quotes grant prepaid value units; create/edit operations debit model-priced credits reported as cost.credit_pricing. Starter preview currently gives bounded free-preview credits plus a four-job daily cap.
 6. If data.stage is ready_to_create, data.next_command is the first bounded live create. data.guide_warning.next_command_safety must be live_media_create_credit_debit, data.guide_warning.no_spend_safe must be false, data.guide_warning.spend_required must be true, and data.guide_warning.recommended_command_field must be recommended_no_spend_command. data.auth_ready.ready and data.auth_ready.next_command_auth_ready must be true; data.auth_ready.next_command_requires_auth must be true, and the command can reuse saved config, IMAGE_SKILL_TOKEN, or --token-stdin context without exposing a raw token. data.next_command_effect.label must be live_media_create_credit_debit and its provider_call, hosted_create, credit_debit, and media_write flags are true. data.no_spend_evaluation.stop_here must be true, data.no_spend_evaluation.next_command_is_live_create must be true, and data.no_spend_evaluation.recommended_command_field must be recommended_no_spend_command. Run data.next_command only when media spend is allowed. In no-spend evaluations, or when you only need to prove readiness without media/provider work, stop before data.next_command and run data.recommended_no_spend_command instead. data.recommended_no_spend_command must equal data.no_spend_next_command. data.no_spend_next_command_effect.label must be dry_run_planned_job_no_provider_call_no_credit_debit_no_media_write: no_spend, hosted_create_dry_run, planned_job, and plan_receipt are true; activity_event is job.planned; provider_call, credit_debit, and media_write are false. This dry-run may create a recoverable planned job/activity receipt but no provider execution, debit, downloadable asset, or media write. If the guide authenticated from env or stdin, prefer data.auth_handoff.next_command.with_env or data.auth_handoff.next_command.with_stdin so auth follows the live create. In guide cost output, cost.estimated_usd_per_image and cost.estimated_debit_usd_per_image are the Image Skill debit dollars for one output; cost.estimated_provider_usd_per_image is only the upstream provider estimate. Use the guide's returned max_estimated_usd_per_image because it is sized to the credit debit the agent funds. Add --output-count N only after models show confirms the selected create model supports more than one output; credit_pricing.credits_required is the total debit across outputs, while max_estimated_usd_per_image remains a per-image Image Skill debit guard.
 7. After create, prefer data.next_actions when present: inspect_job and inspect_asset are copy-runnable no-spend recovery commands, iterate_edit is the reusable-asset edit template, and self_fund is the promoted top-up quote handoff when quota.top_up.recommended is true. self_fund.quote_command is copy-runnable and omits --idempotency-key so the public CLI generates and returns one for retry safety; follow the quote response into buy/status. Otherwise use image-skill jobs show JOB_ID to recover status, cost, safety, timestamps, and final assets; image-skill assets get ASSET_URL_OR_ID --output ./result.png to fetch the generated asset without repeating provider work; and image-skill activity list --subject JOB_ID to find ledger events, trace, usage, and asset links to cite.
 8. Leave image-skill feedback create if the first-run flow is confusing, blocked, missing an affordance, or easier through a direct provider than through Image Skill. Feedback auth uses saved config from default signup, IMAGE_SKILL_TOKEN, or --token-stdin; if signup or guide already saved config, run feedback create normally and do not copy a raw token. Never paste tokens into feedback title, body, evidence, issues, or logs. Use image-skill activity show FEEDBACK_ID only when you need to confirm the feedback entered the hosted ledger.
@@ -78,10 +78,10 @@ Core commands:
 - image-skill quota --json (compatibility alias)
 - image-skill credits methods --json
 - image-skill credits packs list --json
-- image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json
+- image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --json
 - image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json
-- image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --idempotency-key KEY --json
-- image-skill credits quote --credits CREDITS --payment-method stripe_checkout --idempotency-key KEY --json
+- image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --json
+- image-skill credits quote --credits CREDITS --payment-method stripe_checkout --json
 - image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json
 - image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json
 - image-skill capabilities --json
@@ -195,7 +195,7 @@ Unclaimed agents may not:
 - send card data, wallet secrets, wallet private keys, seed phrases, raw x402 payment headers, provider receipts, Stripe secrets, MPP tokens, SPTs, bearer tokens, or any payment credential to Image Skill; Stripe payment details must be entered only on Stripe-hosted checkout pages
 
 Credits:
-One Image Skill credit is $0.01. Use image-skill credits methods --json to inspect payment rail availability, browser/human requirements, agent_initiated, agent_settleable, and settlement_blocker. Always pass the returned payment method when quoting. When stripe_x402.exact.usdc is returned with available:true, quoteable:true, purchasable:true, requires_browser:false, and agent_settleable:true, image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json followed by image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json creates a browserless live deposit attempt with stripe_x402.payable_instructions. Treat live_money:true as real spend, stay inside the delegated cap, and pay exactly token_amount_atomic USDC units to payable_instructions.deposit_address on Base only from a wallet substrate you control. Use image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --idempotency-key KEY --json and image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json only for the Stripe Checkout human path; this returns checkout_handoff_url, copy-safe checkout_compact_url, and full Stripe checkout_url fallback and does not grant credits. Present checkout_handoff_url or checkout_compact_url to humans, especially in mobile terminals, SSH, or chat. If checkout_handoff_url is absent, present the full checkout_url in a code block and preserve the Stripe # fragment. Use image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json after buy and after settlement/checkout completion to read state, receipt, credit_event, limits, and retry guidance. Create/edit debit model-priced credits after provider success; inspect models show and operation cost.credit_pricing for credits_required and pricing_confidence. Do not silently downgrade to the cheapest model to avoid payment when the user asked for quality or is willing to pay; quote the needed credits and use an agent_settleable:true x402 rail or Stripe Checkout fallback. Credits buy requires explicit --idempotency-key. Quote idempotency keys are scoped to the hosted agent identity and exact quote terms; use per-run/per-step quote keys and inspect error.recovery.suggested_command on CREDIT_QUOTE_CONFLICT. Never send payment credentials to Image Skill: no wallet private keys, seed phrases, x402 payment headers, deposit client secrets, provider receipts, card data, or Stripe secrets. Public request fields are credits, pack_id, payment_method, quote_id, status reference IDs, and idempotency_key.
+One Image Skill credit is $0.01. Use image-skill credits methods --json to inspect payment rail availability, browser/human requirements, agent_initiated, agent_settleable, and settlement_blocker. Always pass the returned payment method when quoting. When stripe_x402.exact.usdc is returned with available:true, quoteable:true, purchasable:true, requires_browser:false, and agent_settleable:true, image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --json followed by image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json creates a browserless live deposit attempt with stripe_x402.payable_instructions. Treat live_money:true as real spend, stay inside the delegated cap, and pay exactly token_amount_atomic USDC units to payable_instructions.deposit_address on Base only from a wallet substrate you control. Use image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --json and image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json only for the Stripe Checkout human path; this returns checkout_handoff_url, copy-safe checkout_compact_url, and full Stripe checkout_url fallback and does not grant credits. Present checkout_handoff_url or checkout_compact_url to humans, especially in mobile terminals, SSH, or chat. If checkout_handoff_url is absent, present the full checkout_url in a code block and preserve the Stripe # fragment. Use image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json after buy and after settlement/checkout completion to read state, receipt, credit_event, limits, and retry guidance. Create/edit debit model-priced credits after provider success; inspect models show and operation cost.credit_pricing for credits_required and pricing_confidence. Do not silently downgrade to the cheapest model to avoid payment when the user asked for quality or is willing to pay; quote the needed credits and use an agent_settleable:true x402 rail or Stripe Checkout fallback. Credits buy requires explicit --idempotency-key. Quote idempotency keys are scoped to the hosted agent identity and exact quote terms; the public CLI generates one when omitted and returns it in the quote response, while explicit keys remain available for retry-stable automation. Inspect error.recovery.suggested_command on CREDIT_QUOTE_CONFLICT. Never send payment credentials to Image Skill: no wallet private keys, seed phrases, x402 payment headers, deposit client secrets, provider receipts, card data, or Stripe secrets. Public request fields are credits, pack_id, payment_method, quote_id, status reference IDs, and idempotency_key.
 
 Telemetry:
 - command or endpoint name

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-skill",
-  "version": "0.1.48",
+  "version": "0.1.50",
   "description": "Zero-setup durable creative-media CLI for agents (image + video + audio + 3D): guide-first creation, model and cost inspection, owned URLs, JSON recovery, payments, reusable assets, and feedback.",
   "type": "module",
   "private": false,

package/skill.md

@@ -39,7 +39,7 @@ JSON is the default. Do not add `--json` to examples.
 npm_config_update_notifier=false npx -y image-skill@latest create --guide --prompt "a compact field camera on a stainless workbench"
 ```
 
-The guide is a free, zero-spend planning call. Given current auth, quota, and payment state, it returns `data.next_command`, `data.next_command_copy_runnable`, `data.next_command_missing_inputs`, `data.stage`, `data.guide_warning`, `data.next_command_effect`, `data.auth_ready`, `data.no_spend_evaluation`, `data.guide_recovery`, `data.recommended_no_spend_command` (alias of `data.no_spend_next_command`), `data.no_spend_next_command_effect`, `data.self_fund_next_command`, `data.self_fund_handoff`, `data.auth_handoff`, and `data.mutation`. It also preserves `data.checks.quota.top_up`, the same quota top-up recommendation returned by `usage quota`, so wallet-capable agents can see whether a browserless x402 top-up is recommended before the hard wall. Read `data.guide_warning` before running `data.next_command`: `next_command_safety` names whether the command is no-spend setup, read-only inspection, live-money payment action, or live media create. Run that next command only when `data.next_command_copy_runnable` is `true` and the warning says it is safe for your spend policy; when it is `false`, fill `data.next_command_missing_inputs` first. Prefer `data.guide_recovery` for no-doc recovery loops: it names the safest no-spend command and field, the live create or payment field that would spend, and the double-spend guard to check before any live retry. Repeat until `data.stage` is `ready_to_create`. At `ready_to_create`, `data.auth_ready.ready` and `data.auth_ready.next_command_auth_ready` are `true`: the returned create can reuse saved config, env token, or stdin token context without exposing a raw token. When `data.guide_warning.next_command_safety` is `live_media_create_credit_debit` and `data.no_spend_evaluation.stop_here` is `true`, `data.next_command` is the live create: run it only if media spend is allowed, otherwise stop before it and run `data.recommended_no_spend_command` for no-spend proof. The no-spend command is an authenticated hosted dry-run: it may create a recoverable `job.planned` receipt, but it has no provider call, credit debit, downloadable asset, or media write.
+The guide is a free, zero-spend planning call. Given current auth, quota, and payment state, it returns `data.next_command`, `data.next_command_copy_runnable`, `data.next_command_missing_inputs`, `data.stage`, `data.guide_warning`, `data.next_command_effect`, `data.auth_ready`, `data.no_spend_evaluation`, `data.guide_recovery`, `data.recommended_no_spend_command` (alias of `data.no_spend_next_command`), `data.no_spend_next_command_effect`, `data.self_fund_next_command`, `data.self_fund_handoff`, `data.self_fund_preparation`, `data.auth_handoff`, and `data.mutation`. It also preserves `data.checks.quota.top_up`, the same quota top-up recommendation returned by `usage quota`, so wallet-capable agents can see whether a browserless x402 top-up is recommended before the hard wall. Read `data.guide_warning` before running `data.next_command`: `next_command_safety` names whether the command is no-spend setup, read-only inspection, live-money payment action, or live media create. Run that next command only when `data.next_command_copy_runnable` is `true` and the warning says it is safe for your spend policy; when it is `false`, fill `data.next_command_missing_inputs` first. Prefer `data.guide_recovery` for no-doc recovery loops: it names the safest no-spend command and field, the live create or payment field that would spend, and the double-spend guard to check before any live retry. Repeat until `data.stage` is `ready_to_create`. At `ready_to_create`, `data.auth_ready.ready` and `data.auth_ready.next_command_auth_ready` are `true`: the returned create can reuse saved config, env token, or stdin token context without exposing a raw token. Read `data.self_fund_preparation` in this stage before spending the remaining free allowance: when `available` and `recommended` are true, `quote_command` creates an authenticated live-money quote/payment object but does not pay, settle a wallet transfer, debit credits, call a provider, or write media. Only a later buy/payment step can spend money. When `data.guide_warning.next_command_safety` is `live_media_create_credit_debit` and `data.no_spend_evaluation.stop_here` is `true`, `data.next_command` is the live create: run it only if media spend is allowed, otherwise stop before it and run `data.recommended_no_spend_command` for no-spend proof. The no-spend command is an authenticated hosted dry-run: it may create a recoverable `job.planned` receipt, but it has no provider call, credit debit, downloadable asset, or media write.
 
 Minimum success envelope on a create or edit:
 
@@ -180,6 +180,13 @@ reaches `quota_required`, read
 `data.checks.payments.preferred_method_summary.top_up_path` before quoting:
 `browserless_agent_self_fund` is the autonomous wallet path, while
 `human_payment_handoff` means a human/browser completion step is still required.
+When `create --guide` reaches `ready_to_create`, inspect
+`data.self_fund_preparation` before consuming the remaining free allowance. If
+it is available and recommended, `quote_command` is the pre-wall browserless
+x402 quote path: it creates an authenticated live-money quote/payment object
+without paying, settling a wallet transfer, debiting credits, calling a
+provider, or writing media. Only follow the later buy/status/wallet-settlement
+commands when delegated spend is allowed.
 For the browserless x402 path, `data.self_fund_handoff.wallet_settlement` names
 the payable-instructions fields to read after `credits buy` or `credits status`,
 plus the Base/USDC exact-amount and deposit-address fields. Use a delegated

package/skills/image-skill/SKILL.md

@@ -39,7 +39,7 @@ JSON is the default. Do not add `--json` to examples.
 npm_config_update_notifier=false npx -y image-skill@latest create --guide --prompt "a compact field camera on a stainless workbench"
 ```
 
-The guide is a free, zero-spend planning call. Given current auth, quota, and payment state, it returns `data.next_command`, `data.next_command_copy_runnable`, `data.next_command_missing_inputs`, `data.stage`, `data.guide_warning`, `data.next_command_effect`, `data.auth_ready`, `data.no_spend_evaluation`, `data.guide_recovery`, `data.recommended_no_spend_command` (alias of `data.no_spend_next_command`), `data.no_spend_next_command_effect`, `data.self_fund_next_command`, `data.self_fund_handoff`, `data.auth_handoff`, and `data.mutation`. It also preserves `data.checks.quota.top_up`, the same quota top-up recommendation returned by `usage quota`, so wallet-capable agents can see whether a browserless x402 top-up is recommended before the hard wall. Read `data.guide_warning` before running `data.next_command`: `next_command_safety` names whether the command is no-spend setup, read-only inspection, live-money payment action, or live media create. Run that next command only when `data.next_command_copy_runnable` is `true` and the warning says it is safe for your spend policy; when it is `false`, fill `data.next_command_missing_inputs` first. Prefer `data.guide_recovery` for no-doc recovery loops: it names the safest no-spend command and field, the live create or payment field that would spend, and the double-spend guard to check before any live retry. Repeat until `data.stage` is `ready_to_create`. At `ready_to_create`, `data.auth_ready.ready` and `data.auth_ready.next_command_auth_ready` are `true`: the returned create can reuse saved config, env token, or stdin token context without exposing a raw token. When `data.guide_warning.next_command_safety` is `live_media_create_credit_debit` and `data.no_spend_evaluation.stop_here` is `true`, `data.next_command` is the live create: run it only if media spend is allowed, otherwise stop before it and run `data.recommended_no_spend_command` for no-spend proof. The no-spend command is an authenticated hosted dry-run: it may create a recoverable `job.planned` receipt, but it has no provider call, credit debit, downloadable asset, or media write.
+The guide is a free, zero-spend planning call. Given current auth, quota, and payment state, it returns `data.next_command`, `data.next_command_copy_runnable`, `data.next_command_missing_inputs`, `data.stage`, `data.guide_warning`, `data.next_command_effect`, `data.auth_ready`, `data.no_spend_evaluation`, `data.guide_recovery`, `data.recommended_no_spend_command` (alias of `data.no_spend_next_command`), `data.no_spend_next_command_effect`, `data.self_fund_next_command`, `data.self_fund_handoff`, `data.self_fund_preparation`, `data.auth_handoff`, and `data.mutation`. It also preserves `data.checks.quota.top_up`, the same quota top-up recommendation returned by `usage quota`, so wallet-capable agents can see whether a browserless x402 top-up is recommended before the hard wall. Read `data.guide_warning` before running `data.next_command`: `next_command_safety` names whether the command is no-spend setup, read-only inspection, live-money payment action, or live media create. Run that next command only when `data.next_command_copy_runnable` is `true` and the warning says it is safe for your spend policy; when it is `false`, fill `data.next_command_missing_inputs` first. Prefer `data.guide_recovery` for no-doc recovery loops: it names the safest no-spend command and field, the live create or payment field that would spend, and the double-spend guard to check before any live retry. Repeat until `data.stage` is `ready_to_create`. At `ready_to_create`, `data.auth_ready.ready` and `data.auth_ready.next_command_auth_ready` are `true`: the returned create can reuse saved config, env token, or stdin token context without exposing a raw token. Read `data.self_fund_preparation` in this stage before spending the remaining free allowance: when `available` and `recommended` are true, `quote_command` creates an authenticated live-money quote/payment object but does not pay, settle a wallet transfer, debit credits, call a provider, or write media. Only a later buy/payment step can spend money. When `data.guide_warning.next_command_safety` is `live_media_create_credit_debit` and `data.no_spend_evaluation.stop_here` is `true`, `data.next_command` is the live create: run it only if media spend is allowed, otherwise stop before it and run `data.recommended_no_spend_command` for no-spend proof. The no-spend command is an authenticated hosted dry-run: it may create a recoverable `job.planned` receipt, but it has no provider call, credit debit, downloadable asset, or media write.
 
 Minimum success envelope on a create or edit:
 
@@ -180,6 +180,13 @@ reaches `quota_required`, read
 `data.checks.payments.preferred_method_summary.top_up_path` before quoting:
 `browserless_agent_self_fund` is the autonomous wallet path, while
 `human_payment_handoff` means a human/browser completion step is still required.
+When `create --guide` reaches `ready_to_create`, inspect
+`data.self_fund_preparation` before consuming the remaining free allowance. If
+it is available and recommended, `quote_command` is the pre-wall browserless
+x402 quote path: it creates an authenticated live-money quote/payment object
+without paying, settling a wallet transfer, debiting credits, calling a
+provider, or writing media. Only follow the later buy/status/wallet-settlement
+commands when delegated spend is allowed.
 For the browserless x402 path, `data.self_fund_handoff.wallet_settlement` names
 the payable-instructions fields to read after `credits buy` or `credits status`,
 plus the Base/USDC exact-amount and deposit-address fields. Use a delegated

package/skills/image-skill/references/cli.md

@@ -237,7 +237,13 @@ step.
   it includes the recommendation reason, preferred browserless x402 method, and
   copy-runnable quote/buy/status command templates from `usage quota`.
 - `ready_to_create`: `data.next_command` is a live media create. Its
-  `data.next_command_effect.label` is `live_media_create_credit_debit`, with
+  `data.self_fund_preparation` is the pre-wall top-up affordance; when
+  `available` and `recommended` are true, `quote_command` creates an
+  authenticated live-money quote/payment object without paying, settling a
+  wallet transfer, debiting credits, calling a provider, or writing media.
+  Only follow later buy/status/wallet-settlement commands when delegated spend
+  is allowed. `data.next_command_effect.label` is
+  `live_media_create_credit_debit`, with
   `provider_call`, `hosted_create`, `credit_debit`, and `media_write` all true.
   `data.guide_warning.next_command_safety` is
   `live_media_create_credit_debit`, `data.guide_warning.no_spend_safe` is
@@ -964,8 +970,9 @@ image-skill create --guide --prompt "A compact field camera on a stainless workb
 `stage`, `next_command`, `next_command_copy_runnable`,
 `next_command_missing_inputs`, `guide_warning`, `auth_ready`,
 `no_spend_evaluation`, `recommended_no_spend_command`,
-`self_fund_next_command`, `self_fund_handoff`, `escape_hatches`, selected
-executable model and cost, auth/quota/payment blockers, and mutation flags. All
+`self_fund_next_command`, `self_fund_handoff`, `self_fund_preparation`,
+`escape_hatches`, selected executable model and cost, auth/quota/payment
+blockers, and mutation flags. All
 mutation flags must be false in guide mode: no provider call, hosted create,
 signup, payment object, credit debit, or media write.
 For next-command safety, read `next_command_copy_runnable`,

package/skills/image-skill/references/llms.txt

@@ -58,11 +58,11 @@ Claim states:
 - revoked: token or agent disabled
 
 First-run guide loop:
-1. Run image-skill create --guide --prompt PROMPT. This is the canonical fresh-agent entrypoint and the only required first command. It performs read-only hosted reachability, executable model availability, auth/quota, and payment rail checks and returns data.stage, data.next_command, data.guide_warning, data.next_command_effect, data.auth_ready, data.no_spend_evaluation, data.guide_recovery, data.no_spend_next_command, data.no_spend_next_command_effect, data.self_fund_next_command, data.self_fund_handoff, data.auth_handoff, data.escape_hatches, data.checks.quota.top_up, and data.mutation. Guide mode must report provider_call: false, hosted_create: false, hosted_signup: false, payment_object: false, credit_debit: false, and media_write: false.
+1. Run image-skill create --guide --prompt PROMPT. This is the canonical fresh-agent entrypoint and the only required first command. It performs read-only hosted reachability, executable model availability, auth/quota, and payment rail checks and returns data.stage, data.next_command, data.guide_warning, data.next_command_effect, data.auth_ready, data.no_spend_evaluation, data.guide_recovery, data.no_spend_next_command, data.no_spend_next_command_effect, data.self_fund_next_command, data.self_fund_handoff, data.self_fund_preparation, data.auth_handoff, data.escape_hatches, data.checks.quota.top_up, and data.mutation. Guide mode must report provider_call: false, hosted_create: false, hosted_signup: false, payment_object: false, credit_debit: false, and media_write: false.
 2. Read data.guide_warning, then follow data.next_command when its next_command_safety is safe for the current spend policy. Prefer data.guide_recovery for no-doc recovery: data.guide_recovery.no_spend_command_field and data.guide_recovery.no_spend_command name the safest no-spend command, data.guide_recovery.live_create_command_field and data.guide_recovery.live_payment_command_field name fields that would spend, and data.guide_recovery.double_spend_guard tells you when to check error.recovery, jobs, activity, or payment status before any live retry. Do not run doctor, models list, signup, whoami, quota, dry-run, or payment commands as a setup checklist before the guide asks for them.
 3. If data.stage is prompt_required, rerun data.next_command with the real prompt.
 4. If data.stage is auth_required, data.auth_ready.ready is false and data.guide_warning.next_command_safety is hosted_signup_no_spend_setup. Run data.next_command, then rerun the guide once. Hosted signup saves the restricted token to the public CLI config by default with 0600 permissions. If the configured config path is blocked, data.next_command sets IMAGE_SKILL_CONFIG_PATH="$PWD/.image-skill/config.json" and still runs a saved-config signup; do not switch to raw-token handoff unless recovery explicitly requires it. If the runtime intentionally uses --no-save --show-token, store the returned token in the agent runtime secret store, then rerun with IMAGE_SKILL_TOKEN or --token-stdin; data.auth_handoff.rerun_guide.with_env and data.auth_handoff.rerun_guide.with_stdin are copy-safe templates for that mode. Signup is anonymous by default: no contact inbox is required to get a restricted token. The optional --agent-contact flag takes an email-shaped durable contact inbox for the restricted agent identity, not a requirement to find an individual human; attach one later with image-skill claim request --contact INBOX --json when funding or durability makes it worth having. Hosted signup returns the raw restricted token only when --show-token is set, and only once. When providing a contact, use an agent-owned inbox when available; otherwise use an operator, team, or sponsor inbox that can receive future claim, billing, or abuse notices. Never invent an inbox or borrow an unrelated human email just to fill the flag — omit it instead. example.invalid addresses are only appropriate inside documented harness or proof runs. --human-email remains accepted as a compatibility alias, but the guide must not teach it. Anonymous signups mint a fresh agent identity on every call; reuse the saved config instead of re-running signup. --save is accepted as a compatibility no-op for the default save behavior; use --no-save only when the runtime has a separate secret store and does not want local config.
-5. At any guide stage, read data.checks.quota.top_up. When recommended is true, it includes recommendation_reason, preferred_payment_method, and copy-runnable quote/buy/status command templates for the browserless x402 top-up path. If data.stage is quota_required, data.guide_warning.next_command_safety is live_money_payment_action and data.guide_warning.payment_top_up_path summarizes the live-money path. Run data.self_fund_next_command to start the top-up. It aliases data.next_command and is the first payment command, usually an x402 or Stripe quote. First read data.checks.payments.preferred_method_summary.top_up_path: browserless_agent_self_fund means a wallet-equipped agent can complete the preferred live-money rail without a browser; human_payment_handoff means the agent can create the payment attempt but a human/browser step must complete before credits are granted. If the guide authenticated from env or stdin, prefer data.self_fund_handoff.auth.next_command.with_env or data.self_fund_handoff.auth.next_command.with_stdin so auth follows the payment command. Then follow data.self_fund_handoff.payment_commands.buy and status, and rerun data.self_fund_handoff.after_next once credits are granted. One Image Skill credit is $0.01. Credit quotes grant prepaid value units; create/edit operations debit model-priced credits reported as cost.credit_pricing. Starter preview currently gives bounded free-preview credits plus a four-job daily cap.
+5. At any guide stage, read data.checks.quota.top_up. When recommended is true, it includes recommendation_reason, preferred_payment_method, and copy-runnable quote/buy/status command templates for the browserless x402 top-up path. If data.stage is quota_required, data.guide_warning.next_command_safety is live_money_payment_action and data.guide_warning.payment_top_up_path summarizes the live-money path. Run data.self_fund_next_command to start the top-up. It aliases data.next_command and is the first payment command, usually an x402 or Stripe quote. First read data.checks.payments.preferred_method_summary.top_up_path: browserless_agent_self_fund means a wallet-equipped agent can complete the preferred live-money rail without a browser; human_payment_handoff means the agent can create the payment attempt but a human/browser step must complete before credits are granted. If the guide authenticated from env or stdin, prefer data.self_fund_handoff.auth.next_command.with_env or data.self_fund_handoff.auth.next_command.with_stdin so auth follows the payment command. Then follow data.self_fund_handoff.payment_commands.buy and status, and rerun data.self_fund_handoff.after_next once credits are granted. If data.stage is ready_to_create, inspect data.self_fund_preparation before consuming the remaining free allowance. When available and recommended are true, data.self_fund_preparation.quote_command is the pre-wall browserless x402 quote: it creates an authenticated live-money quote/payment object, but data.self_fund_preparation.quote_command_effect must show no provider call, no hosted create, no credit debit, no media write, and no wallet settlement until a later buy/payment step. One Image Skill credit is $0.01. Credit quotes grant prepaid value units; create/edit operations debit model-priced credits reported as cost.credit_pricing. Starter preview currently gives bounded free-preview credits plus a four-job daily cap.
 6. If data.stage is ready_to_create, data.next_command is the first bounded live create. data.guide_warning.next_command_safety must be live_media_create_credit_debit, data.guide_warning.no_spend_safe must be false, data.guide_warning.spend_required must be true, and data.guide_warning.recommended_command_field must be recommended_no_spend_command. data.auth_ready.ready and data.auth_ready.next_command_auth_ready must be true; data.auth_ready.next_command_requires_auth must be true, and the command can reuse saved config, IMAGE_SKILL_TOKEN, or --token-stdin context without exposing a raw token. data.next_command_effect.label must be live_media_create_credit_debit and its provider_call, hosted_create, credit_debit, and media_write flags are true. data.no_spend_evaluation.stop_here must be true, data.no_spend_evaluation.next_command_is_live_create must be true, and data.no_spend_evaluation.recommended_command_field must be recommended_no_spend_command. Run data.next_command only when media spend is allowed. In no-spend evaluations, or when you only need to prove readiness without media/provider work, stop before data.next_command and run data.recommended_no_spend_command instead. data.recommended_no_spend_command must equal data.no_spend_next_command. data.no_spend_next_command_effect.label must be dry_run_planned_job_no_provider_call_no_credit_debit_no_media_write: no_spend, hosted_create_dry_run, planned_job, and plan_receipt are true; activity_event is job.planned; provider_call, credit_debit, and media_write are false. This dry-run may create a recoverable planned job/activity receipt but no provider execution, debit, downloadable asset, or media write. If the guide authenticated from env or stdin, prefer data.auth_handoff.next_command.with_env or data.auth_handoff.next_command.with_stdin so auth follows the live create. In guide cost output, cost.estimated_usd_per_image and cost.estimated_debit_usd_per_image are the Image Skill debit dollars for one output; cost.estimated_provider_usd_per_image is only the upstream provider estimate. Use the guide's returned max_estimated_usd_per_image because it is sized to the credit debit the agent funds. Add --output-count N only after models show confirms the selected create model supports more than one output; credit_pricing.credits_required is the total debit across outputs, while max_estimated_usd_per_image remains a per-image Image Skill debit guard.
 7. After create, prefer data.next_actions when present: inspect_job and inspect_asset are copy-runnable no-spend recovery commands, iterate_edit is the reusable-asset edit template, and self_fund is the promoted top-up quote handoff when quota.top_up.recommended is true. self_fund.quote_command is copy-runnable and omits --idempotency-key so the public CLI generates and returns one for retry safety; follow the quote response into buy/status. Otherwise use image-skill jobs show JOB_ID to recover status, cost, safety, timestamps, and final assets; image-skill assets get ASSET_URL_OR_ID --output ./result.png to fetch the generated asset without repeating provider work; and image-skill activity list --subject JOB_ID to find ledger events, trace, usage, and asset links to cite.
 8. Leave image-skill feedback create if the first-run flow is confusing, blocked, missing an affordance, or easier through a direct provider than through Image Skill. Feedback auth uses saved config from default signup, IMAGE_SKILL_TOKEN, or --token-stdin; if signup or guide already saved config, run feedback create normally and do not copy a raw token. Never paste tokens into feedback title, body, evidence, issues, or logs. Use image-skill activity show FEEDBACK_ID only when you need to confirm the feedback entered the hosted ledger.
@@ -78,10 +78,10 @@ Core commands:
 - image-skill quota --json (compatibility alias)
 - image-skill credits methods --json
 - image-skill credits packs list --json
-- image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json
+- image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --json
 - image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json
-- image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --idempotency-key KEY --json
-- image-skill credits quote --credits CREDITS --payment-method stripe_checkout --idempotency-key KEY --json
+- image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --json
+- image-skill credits quote --credits CREDITS --payment-method stripe_checkout --json
 - image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json
 - image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json
 - image-skill capabilities --json
@@ -195,7 +195,7 @@ Unclaimed agents may not:
 - send card data, wallet secrets, wallet private keys, seed phrases, raw x402 payment headers, provider receipts, Stripe secrets, MPP tokens, SPTs, bearer tokens, or any payment credential to Image Skill; Stripe payment details must be entered only on Stripe-hosted checkout pages
 
 Credits:
-One Image Skill credit is $0.01. Use image-skill credits methods --json to inspect payment rail availability, browser/human requirements, agent_initiated, agent_settleable, and settlement_blocker. Always pass the returned payment method when quoting. When stripe_x402.exact.usdc is returned with available:true, quoteable:true, purchasable:true, requires_browser:false, and agent_settleable:true, image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --idempotency-key KEY --json followed by image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json creates a browserless live deposit attempt with stripe_x402.payable_instructions. Treat live_money:true as real spend, stay inside the delegated cap, and pay exactly token_amount_atomic USDC units to payable_instructions.deposit_address on Base only from a wallet substrate you control. Use image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --idempotency-key KEY --json and image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json only for the Stripe Checkout human path; this returns checkout_handoff_url, copy-safe checkout_compact_url, and full Stripe checkout_url fallback and does not grant credits. Present checkout_handoff_url or checkout_compact_url to humans, especially in mobile terminals, SSH, or chat. If checkout_handoff_url is absent, present the full checkout_url in a code block and preserve the Stripe # fragment. Use image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json after buy and after settlement/checkout completion to read state, receipt, credit_event, limits, and retry guidance. Create/edit debit model-priced credits after provider success; inspect models show and operation cost.credit_pricing for credits_required and pricing_confidence. Do not silently downgrade to the cheapest model to avoid payment when the user asked for quality or is willing to pay; quote the needed credits and use an agent_settleable:true x402 rail or Stripe Checkout fallback. Credits buy requires explicit --idempotency-key. Quote idempotency keys are scoped to the hosted agent identity and exact quote terms; use per-run/per-step quote keys and inspect error.recovery.suggested_command on CREDIT_QUOTE_CONFLICT. Never send payment credentials to Image Skill: no wallet private keys, seed phrases, x402 payment headers, deposit client secrets, provider receipts, card data, or Stripe secrets. Public request fields are credits, pack_id, payment_method, quote_id, status reference IDs, and idempotency_key.
+One Image Skill credit is $0.01. Use image-skill credits methods --json to inspect payment rail availability, browser/human requirements, agent_initiated, agent_settleable, and settlement_blocker. Always pass the returned payment method when quoting. When stripe_x402.exact.usdc is returned with available:true, quoteable:true, purchasable:true, requires_browser:false, and agent_settleable:true, image-skill credits quote --pack PACK_ID --payment-method stripe_x402.exact.usdc --json followed by image-skill credits buy --provider stripe_x402 --quote-id QUOTE_ID --idempotency-key KEY --json creates a browserless live deposit attempt with stripe_x402.payable_instructions. Treat live_money:true as real spend, stay inside the delegated cap, and pay exactly token_amount_atomic USDC units to payable_instructions.deposit_address on Base only from a wallet substrate you control. Use image-skill credits quote --pack PACK_ID --payment-method stripe_checkout --json and image-skill credits buy --provider stripe --quote-id QUOTE_ID --idempotency-key KEY --json only for the Stripe Checkout human path; this returns checkout_handoff_url, copy-safe checkout_compact_url, and full Stripe checkout_url fallback and does not grant credits. Present checkout_handoff_url or checkout_compact_url to humans, especially in mobile terminals, SSH, or chat. If checkout_handoff_url is absent, present the full checkout_url in a code block and preserve the Stripe # fragment. Use image-skill credits status --payment-attempt-id PAYMENT_ATTEMPT_ID --json after buy and after settlement/checkout completion to read state, receipt, credit_event, limits, and retry guidance. Create/edit debit model-priced credits after provider success; inspect models show and operation cost.credit_pricing for credits_required and pricing_confidence. Do not silently downgrade to the cheapest model to avoid payment when the user asked for quality or is willing to pay; quote the needed credits and use an agent_settleable:true x402 rail or Stripe Checkout fallback. Credits buy requires explicit --idempotency-key. Quote idempotency keys are scoped to the hosted agent identity and exact quote terms; the public CLI generates one when omitted and returns it in the quote response, while explicit keys remain available for retry-stable automation. Inspect error.recovery.suggested_command on CREDIT_QUOTE_CONFLICT. Never send payment credentials to Image Skill: no wallet private keys, seed phrases, x402 payment headers, deposit client secrets, provider receipts, card data, or Stripe secrets. Public request fields are credits, pack_id, payment_method, quote_id, status reference IDs, and idempotency_key.
 
 Telemetry:
 - command or endpoint name