
Releases: ConceptKernel/CK.Lib.Js

v1.5.3


@github-actions github-actions released this 01 Jul 20:20

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo today: the OCI static bundle (ckp:static) per SPEC.OCI.BUNDLE.v0.4, attestation-gated (this file renders only after gh attestation verify passes). The npm package @conceptkernel/cklib is staged in package.json (publish deferred until npm auth lands; the workflow's npm steps are gated on repo var NPM_PUBLISH). See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.5.3

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.5.3 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The bundle lands the facade + transport + cache at image root (/ck.js, /ck-client.js, /ck-store.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.5.3 latest sha256:2548a67bbe3120a082feb1f9a71d7017f3e8f37cf7d7922b310c3d4f66ae8470 2026-07-01 20:20:23 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.5.3 latest sha256:59be4ed3c0e9e6f1c8ec52fc5c961c385951485429a70d614704517b1ebc43d5 2026-07-01 20:20:23 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.5.3 (also tagged latest)
Aggregate digest sha256:0ceeb30beacbdc0f65fded1a547b705f81a69ee8633841a895d1ac85b6435c9c
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #28545233818
Built from commit 8d1e4985d0653b9b0070af4c38ae9e8c846d9e2c
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.3 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.5.3
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.3 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:2548a67bbe3120a082feb1f9a71d7017f3e8f37cf7d7922b310c3d4f66ae8470 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.5.3 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.3
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.3
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.3 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.5.3) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.
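
An added example (not part of the CK.Lib.Js release notes or its workflow): a shell pre-build check that reads the source_image and attestation_repo fields shown above from a bundle.yaml, rejects entries that break the pin policy for production bundles, and prints the gh attestation verify command the build gate has to run for each remaining entry. The names ck_gate_plan and ck_sample_bundle, the constructed sample bundle and the line-oriented parsing are assumptions; the script does not implement SPEC.OCI.BUNDLE.

```shell
#!/bin/sh
# Pre-build pin-policy check for bundle.yaml (added example, hypothetical helper).
# Reads a bundle.yaml from the file given as $1, or from stdin when no file is given.
# Prints one line per distinct entry:
#   gh attestation verify oci://IMAGE --repo REPO   -> the gate must run this
#   REJECT IMAGE (reason)                           -> entry breaks the policy
# Exit status is non-zero when at least one entry is rejected.
ck_gate_plan() {
  awk '
    # Decide what to do with the list entry collected so far.
    function flush(   ref, reason, key) {
      if (img == "") { repo = ""; return }
      ref = img
      sub(/^.*\//, "", ref)                 # last path component, e.g. ck-lib-js:1.5.3
      reason = ""
      if (repo == "")                          reason = "no attestation_repo"
      else if (ref ~ /@sha256:[0-9a-f]+$/)     reason = ""   # digest pin is fine
      else if (ref !~ /:/)                     reason = "no tag, resolves to latest"
      else if (ref ~ /:latest$/)               reason = "floating tag latest"
      key = img SUBSEP repo
      if (!(key in seen)) {
        seen[key] = 1
        if (reason != "") { print "REJECT " img " (" reason ")"; bad = 1 }
        else print "gh attestation verify oci://" img " --repo " repo
      }
      img = ""; repo = ""
    }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)           # drop trailing comments
      sub(/[ \t\r]+$/, "", line)            # drop trailing whitespace
      if (line == "" || line ~ /^[ \t]*#/) next
      if (line ~ /^[^ \t-]/) { flush(); next }          # top-level key ends an entry
      if (line ~ /^[ \t]*-[ \t]+/) { flush(); sub(/^[ \t]*-[ \t]+/, "", line) }
      else sub(/^[ \t]+/, "", line)
      if (line ~ /^source_image:/) {
        sub(/^source_image:[ \t]*/, "", line); img = line
      } else if (line ~ /^attestation_repo:/) {
        sub(/^attestation_repo:[ \t]*/, "", line); repo = line
      }
    }
    END { flush(); exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample input: one compliant entry, one floating tag,
# one pinned entry that forgot attestation_repo.
ck_sample_bundle() {
  cat <<'EOF'
spec_version: 0.3
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.3
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:latest   # development only
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.2
    into: /app/old/
EOF
}

# Demo run on the constructed sample; a real gate would stop the build here.
ck_sample_bundle | ck_gate_plan || echo "gate: bundle.yaml breaks the pin policy" >&2
```

In a build, run the printed gh attestation verify lines only after ck_gate_plan exits 0, and before the consuming image is pushed.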

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CK concept-kernel API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-07-01 20:20:23 UTC after gh attestation verify accepted the aggregate digest above.

v1.5.2


@github-actions github-actions released this 19 Jun 09:33

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — the CKP concept-kernel JS client (dispatch-only) shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.4. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.5.2

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.5.2 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The bundle lands the facade + transport + cache at image root (/ck.js, /ck-client.js, /ck-store.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.5.2 latest sha256:bcd4328ff6513f6df7f93918d8ad42b9e231281c860a5f4d640c9635ab4428fe 2026-06-19 09:33:15 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.5.2 latest sha256:40b62c04fd3d25a3c4f97c43f339d7cb20d019301a50dfddd685e413af6cb4bf 2026-06-19 09:33:15 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.5.2 (also tagged latest)
Aggregate digest sha256:6f167e6ce4caa196211d12bf6caa6e0b3fc3a8b375248de8cdfb0edf9894991b
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27817676032
Built from commit 3cb4629f0eb2d10934d25a9ec2d58366fe576b1e
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.2 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.5.2
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.2 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:bcd4328ff6513f6df7f93918d8ad42b9e231281c860a5f4d640c9635ab4428fe \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.5.2 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.2
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.2
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.2 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.5.2) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CK concept-kernel API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-19 09:33:15 UTC after gh attestation verify accepted the aggregate digest above.

v1.5.1


@github-actions github-actions released this 18 Jun 21:31

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — the CKP concept-kernel JS client (dispatch-only) shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.4. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.5.1

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.5.1 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The bundle lands the facade + transport + cache at image root (/ck.js, /ck-client.js, /ck-store.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.5.1 latest sha256:b6461dd541f971a74954506c16af1a99d2c05732c2a37e8a51e09a85fae043f8 2026-06-18 21:31:20 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.5.1 latest sha256:bdee268033b6cdd9328538b7e28bb10adf68879cfb7d60418fec84745b7bbacf 2026-06-18 21:31:20 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.5.1 (also tagged latest)
Aggregate digest sha256:c72fa9b2bc933ab8954d3f2d6164b62ac4d7ffe1deeecbfb59ae9c87078860e2
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27790532785
Built from commit f3d7be39b030235e86e7769b7ecc2b9f9a989639
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.1 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.5.1
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.1 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:b6461dd541f971a74954506c16af1a99d2c05732c2a37e8a51e09a85fae043f8 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.5.1 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.1
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.1
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.1 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.5.1) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CK concept-kernel API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-18 21:31:20 UTC after gh attestation verify accepted the aggregate digest above.

v1.5.0


@github-actions github-actions released this 11 Jun 20:17

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — the CKP concept-kernel JS client (dispatch-only) shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.4. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.5.0

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.5.0 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The bundle lands the facade + transport + cache at image root (/ck.js, /ck-client.js, /ck-store.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.5.0 latest sha256:ac321453247a2e0c8c8875ab2577680f636da1a15ea8a32ef5a7d3fbca6462ec 2026-06-11 20:17:51 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.5.0 latest sha256:c23779610dece09b5bb6f355ba2304e6ac05d82f816abf379fbb6ae19e7e34dc 2026-06-11 20:17:51 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.5.0 (also tagged latest)
Aggregate digest sha256:195c20713314653b5a6f0078be5783520754ba7010f457c87ad2da66d771117d
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27374736960
Built from commit 9dcf5a47a96bc80606fca727ef97a287400d101f
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.0 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.5.0
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.0 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:ac321453247a2e0c8c8875ab2577680f636da1a15ea8a32ef5a7d3fbca6462ec \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.5.0 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.0
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.5.0
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.5.0 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.5.0) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CK concept-kernel API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-11 20:17:51 UTC after gh attestation verify accepted the aggregate digest above.

v1.4.3


@github-actions github-actions released this 11 Jun 17:46

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — the CKP NATS WSS client (stripped, JWT) shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.4. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.4.3

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.4.3 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The stripped bundle lands a single module at image root (/ck-client.js) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.4.3 latest sha256:4e80af5b3c0ec58c96c275a4ed22b5857905ebf928f0d02a6b209989642d1192 2026-06-11 17:46:13 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.4.3 latest sha256:4e6593e37192cc3953bbdcc1e059e1a91451b6dec1b024954e6a21ada1cf0ab0 2026-06-11 17:46:13 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.4.3 (also tagged latest)
Aggregate digest sha256:f2f6c2df8401aef1f236a4c87d8ce722c4fdc2840d3d8d186a3daf3210c33211
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27366230475
Built from commit aa4d960e07345eba9917aa5d777e83d75aed8f5f
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.3 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.4.3
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.3 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:4e80af5b3c0ec58c96c275a4ed22b5857905ebf928f0d02a6b209989642d1192 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.4.3 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.3
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.3
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.3 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.4.3) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CKClient API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-11 17:46:13 UTC after gh attestation verify accepted the aggregate digest above.

v1.4.2


@github-actions github-actions released this 10 Jun 22:27

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — the CKP NATS WSS client (stripped, JWT) shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.4. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.4.2

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.4.2 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The stripped bundle lands a single module at image root (/ck-client.js) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.4.2 latest sha256:964429f04ecdc2d94c6fd4458780ff753bd645cc3926fc6a189795be8c01006c 2026-06-10 22:27:53 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.4.2 latest sha256:7238270a25f478f9d5b7d7325d864d4ed9ef526497c6d072dd73d552149d1f3e 2026-06-10 22:27:53 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.4.2 (also tagged latest)
Aggregate digest sha256:479298c029b656d01f54d0fe588124b54e60e78ddfa1a1739b56101473a33188
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27310388130
Built from commit d1c692f5c2e77777cfcc5bd42a596c0e5ff63bf1
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.2 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.4.2
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.2 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:964429f04ecdc2d94c6fd4458780ff753bd645cc3926fc6a189795be8c01006c \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.4.2 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.2
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.2
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.2 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.4.2) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CKClient API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-10 22:27:53 UTC after gh attestation verify accepted the aggregate digest above.

v1.4.1


@github-actions github-actions released this 10 Jun 22:11

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — the CKP NATS WSS client (stripped, JWT) shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.4. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.4.1

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.4.1 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.4. The stripped bundle lands a single module at image root (/ck-client.js) ready for spec-standard COPY --from=cklib_source / dest/.

arch Pull URI Also tagged Digest Created (UTC)
amd64 ghcr.io/conceptkernel/ck-lib-js:1.4.1 latest sha256:9d2b1a696603931be90ad8e392ac7e4fa34a829c4d5f8cb43869e67767fb66b7 2026-06-10 22:11:48 UTC
arm64 ghcr.io/conceptkernel/ck-lib-js:1.4.1 latest sha256:fd9dc1490e58bc0e7f92227231be5dac708a3812def1b6db5e13a8b5afee77ab 2026-06-10 22:11:48 UTC
Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.4.1 (also tagged latest)
Aggregate digest sha256:abee2d6d2433a91c33a5eaa08d80fd443cf7c9bd744cbd07935f2e85e05157f8
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27309647843
Built from commit 1cd434616421f3d9d8afd9fb6613fc968f893e58
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.1 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.4.1
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.1 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:9d2b1a696603931be90ad8e392ac7e4fa34a829c4d5f8cb43869e67767fb66b7 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.4.1 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.1
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.1
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.1 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKClient } from '/cklib/ck-client.js';
  const ck = new CKClient({ kernel: 'pgCK.Task' });
  await ck.connect();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.4.1) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the transport contract, README.md for the CKClient API.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-10 22:11:48 UTC after gh attestation verify accepted the aggregate digest above.

v1.4.0


@github-actions github-actions released this 05 Jun 12:57

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — a CKP v3.8 JavaScript client library shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.3. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.4.0

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.4.0 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.3. Files land at image root (/ck-client.js, /ck-page.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

| arch | Pull URI | Also tagged | Digest | Created (UTC) |
|---|---|---|---|---|
| amd64 | ghcr.io/conceptkernel/ck-lib-js:1.4.0 | latest | sha256:f91c1f35011ac4eb112fd45b906ad01ced7508fc36c236ff1b6ba5f1227185fb | 2026-06-05 12:57:58 UTC |
| arm64 | ghcr.io/conceptkernel/ck-lib-js:1.4.0 | latest | sha256:7d023e5275764ca0c3527c396946c113dadb5644067229c1c0c20973f4774365 | 2026-06-05 12:57:58 UTC |

Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.4.0 (also tagged latest)
Aggregate digest sha256:5b5d06f96d207ba894fea01c341d4906f34422246c3d9cee59d3fd5557d7517d
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27016162011
Built from commit 3d625b96dfa5dab63fd59aa4b3b1c92dee096003
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.0 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.4.0
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.0 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:f91c1f35011ac4eb112fd45b906ad01ced7508fc36c236ff1b6ba5f1227185fb \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.4.0 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.0
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.4.0
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.4.0 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKPage } from '/cklib/ck-page.js';
  await CKPage.init();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.4.0) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.
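
One way to implement the build-time gate and the pin policy above, as an added example that is not part of CK.Lib.Js or its specs. It assumes the flat bundle.yaml layout shown on this page; the function names (bundle_entries, is_pinned, gate_bundle) are hypothetical.

```shell
#!/bin/sh
# Added example (not CK.Lib.Js code): build-time gate over a bundle.yaml.
# Assumes the flat layout shown on this page; a real build should use a YAML parser.

# Print "image repo" per entry; repo is "-" when attestation_repo is absent.
bundle_entries() {
  awk '
    /^[ \t]*#/          { next }
                        { sub(/[ \t]+#.*$/, "") }
    /source_image:/     { if (img != "") print img, "-"; img = $NF }
    /attestation_repo:/ { if (img != "") { print img, $NF; img = "" } }
    END                 { if (img != "") print img, "-" }
  ' "$1"
}

# Pin policy: accept a version tag or @sha256 digest; reject latest and untagged refs.
is_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *:latest)   return 1 ;;
    *:*)        case "${1##*:}" in */*) return 1 ;; *) return 0 ;; esac ;;
    *)          return 1 ;;
  esac
}

# Verify every entry; any failure (or an empty parse) fails the build.
gate_bundle() {
  rc=0
  entries=$(bundle_entries "$1") || return 2
  [ -n "$entries" ] || { echo "gate: no source_image entries in $1" >&2; return 2; }
  while read -r img repo; do
    if ! is_pinned "$img"; then
      echo "gate: REJECT $img (not pinned to a version or digest)" >&2; rc=1
    elif [ "$repo" = "-" ]; then
      echo "gate: REJECT $img (no attestation_repo)" >&2; rc=1
    elif gh attestation verify "oci://$img" --repo "$repo" >/dev/null </dev/null; then
      echo "gate: OK $img"
    else
      echo "gate: REJECT $img (attestation did not verify)" >&2; rc=1
    fi
  done <<EOF
$entries
EOF
  return $rc
}

# Run as: sh gate.sh bundle.yaml   (call it before the consuming image is pushed)
if [ $# -gt 0 ]; then gate_bundle "$1"; exit $?; fi
```

The gate fails closed: an entry without attestation_repo, or a file in which no source_image is found, stops the build instead of being skipped.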

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the v3.8 transport contract, README.md for the full ESM export surface.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-05 12:57:58 UTC after gh attestation verify accepted the aggregate digest above.

v1.3.14

@github-actions github-actions released this 05 Jun 12:43

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — a CKP v3.8 JavaScript client library shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.3. The npm package @conceptkernel/cklib is staged in package.json but not yet released. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.3.14

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.3.14 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.3. Files land at image root (/ck-client.js, /ck-page.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

| arch | Pull URI | Also tagged | Digest | Created (UTC) |
|---|---|---|---|---|
| amd64 | ghcr.io/conceptkernel/ck-lib-js:1.3.14 | latest | sha256:b165bc094fa7166ef2b3d09d654f3675d562470ff8d9334d68b9590de8954ff1 | 2026-06-05 12:43:39 UTC |
| arm64 | ghcr.io/conceptkernel/ck-lib-js:1.3.14 | latest | sha256:c3fa7d704892beeec3fb56e42fd4114a7e18188a61ac783437c7a3dbcd60ae11 | 2026-06-05 12:43:39 UTC |

Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.3.14 (also tagged latest)
Aggregate digest sha256:9bb4b5c868fc8b913c9d93dcaf622d7e1aa5dbdc67bbcb520b73f0e8e6878729
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #27015504725
Built from commit 932fa3d11f3408c768fa98b3a910951a9ca091f5
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.3.14 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.3.14
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.3.14 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:b165bc094fa7166ef2b3d09d654f3675d562470ff8d9334d68b9590de8954ff1 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.3.14 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.3.14
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.3.14
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.3.14 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKPage } from '/cklib/ck-page.js';
  await CKPage.init();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.3.14) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the v3.8 transport contract, README.md for the full ESM export surface.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-05 12:43:39 UTC after gh attestation verify accepted the aggregate digest above.

v1.3.13

@github-actions github-actions released this 04 Jun 16:37

CK.Lib.Js — latest published artifacts

One publishable surface ships from this repo: the OCI static bundle (ckp:static designation) — a CKP v3.8 JavaScript client library shipped as a Shape A filesystem-layer OCI image per SPEC.OCI.BUNDLE.v0.3. The npm package @conceptkernel/cklib is staged in package.json but not yet released — see SPEC.CK.LIB.JS.PUBLIC.v1.0. See Repo packages view for the full version history.

CK.Lib.Js OCI bundle — v1.3.13

Per PROVENANCE.md, every digest below verifies under gh attestation verify oci://… --repo ConceptKernel/CK.Lib.Js. Versions before v1.3.9 predate the attestation wiring and never appear here — re-publishing them would change digests and break the immutability promise.

docker pull ghcr.io/conceptkernel/ck-lib-js:1.3.13 → declare as a static_web (routed) or layer_sources (additive merge) entry in your bundle.yaml per SPEC.OCI.BUNDLE.v0.3. Files land at image root (/ck-client.js, /ck-page.js, /vendor/) ready for spec-standard COPY --from=cklib_source / dest/.

| arch | Pull URI | Also tagged | Digest | Created (UTC) |
|---|---|---|---|---|
| amd64 | ghcr.io/conceptkernel/ck-lib-js:1.3.13 | latest | sha256:b52dd99d872e302ed3d4b9e7474650c26aa084bcf9ddbbabc43e74cbb470af18 | 2026-06-04 16:37:08 UTC |
| arm64 | ghcr.io/conceptkernel/ck-lib-js:1.3.13 | latest | sha256:28b0dae581504f103e633f50edd637d3858517a224b6a3ba73d505c3635e4fdb | 2026-06-04 16:37:08 UTC |

Artifact type OCI image index (multi-arch); org.opencontainers.image.designation=ckp:static
Aggregate index ghcr.io/conceptkernel/ck-lib-js:1.3.13 (also tagged latest)
Aggregate digest sha256:8634729ad019422549a763310d04fe8ba4d0e0a5c22d09729ddc4eae390888a1
Provenance SLSA Build Provenance v1, Sigstore-backed, pushed as OCI referrer
Built by Workflow run #26965540714
Built from commit d819efa2c40feae08420550d3a1aa69aa4a5e672
Verify (CLI) gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.3.13 --repo ConceptKernel/CK.Lib.Js
Release notes https://github.com/ConceptKernel/CK.Lib.Js/releases/tag/v1.3.13
Repo packages view https://github.com/ConceptKernel/CK.Lib.Js/pkgs/container/ck-lib-js

Verifying any artifact above

# Multi-arch index (Docker's manifest negotiation picks the right arch)
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.3.13 \
  --repo ConceptKernel/CK.Lib.Js

# A specific per-arch leaf
gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js@sha256:b52dd99d872e302ed3d4b9e7474650c26aa084bcf9ddbbabc43e74cbb470af18 \
  --repo ConceptKernel/CK.Lib.Js

A successful verify means: signed by GitHub's Fulcio CA against the OIDC token of the v1.3.13 oci-publish workflow run, recorded in Sigstore's Rekor transparency log, subject digest matches the pulled artifact.

Use as static layer

In your bundle.yaml (per SPEC.OCI.BUNDLE.v0.3):

spec_version: 0.3
# Shape A — routed mount under a path the FastAPI/static server exposes:
static_web:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.3.13
    route: /cklib
    attestation_repo: ConceptKernel/CK.Lib.Js
# …or additive filesystem merge into the final image:
layer_sources:
  - source_image: ghcr.io/conceptkernel/ck-lib-js:1.3.13
    into: /app/cklib/
    attestation_repo: ConceptKernel/CK.Lib.Js

The build MUST run gh attestation verify oci://ghcr.io/conceptkernel/ck-lib-js:1.3.13 --repo ConceptKernel/CK.Lib.Js before the consuming image is pushed (SPEC.OCI.BUNDLE.v0.3 §4 build-time gate).

Browser consumption (after the bundle is mounted at /cklib/):

<script type="module">
  import { CKPage } from '/cklib/ck-page.js';
  await CKPage.init();
</script>

Pin policy

  • latest tracks the most recent attested CK.Lib.Js tag on the multi-arch image index. Both arches resolve transparently via Docker's manifest negotiation — no latest-amd64 / latest-arm64 split.
  • Tagged versions are immutable on GHCR. Pin by version (1.3.13) in production bundles; use latest only for development.
  • The OCI bundle is anonymous public pull — no GHCR auth required.
  • Per PROVENANCE.md Rule 2: do not consider an artifact "shipped" if its digest does not verify under gh attestation verify.

See CHANGELOG.md for what changed per version, COMPLIANCE.md for the v3.8 transport contract, README.md for the full ESM export surface.


Rendered automatically by .github/workflows/oci-publish.yml on 2026-06-04 16:37:08 UTC after gh attestation verify accepted the aggregate digest above.