
Kit package provenance and verification

Verify npm and PyPI Kit packages were built from the official Paybond repository with provenance and attestations.

Paybond Kit ships as @paybond/kit on npm and paybond-kit on PyPI. Tagged releases in this repository build both packages in CI, attach CycloneDX SBOMs, and publish with supply-chain evidence.

npm (@paybond/kit)

What CI publishes

Tagged releases run npm publish --provenance --access public from kit/ts after npm run verify:release passes. npm records a provenance statement that links the tarball to the GitHub Actions workflow run and commit.

Verify on npmjs.com

  1. Open the package page: https://www.npmjs.com/package/@paybond/kit.
  2. Select the version you installed.
  3. Open the Provenance section (or the package Security tab on supported npm UI versions).
  4. Confirm the linked repository is github.com/nonameuserd/paybond-kit (or the current canonical Kit repository) and the build commit matches the tag you intended.
  5. Optionally compare the published version with paybond version locally.

Verify from the CLI

npx -p @paybond/kit paybond version
npx -p @paybond/kit paybond version --verbose --format json

--verbose prints runtime, platform, config paths, gateway URL, request ID, MCP tool count, and a redacted credential source — useful when comparing a consumer environment against a known-good release.

PyPI (paybond-kit)

Trusted Publishing

PyPI releases use Trusted Publishing (OIDC) via pypa/gh-action-pypi-publish instead of long-lived API tokens in CI. Maintainers configure the PyPI trusted publisher for this GitHub repository and workflow.

When PyPI attestations are available for the project, CI uploads them with the release action (attestations: true).

Verify on pypi.org

  1. Open https://pypi.org/project/paybond-kit/.
  2. Select the release version.
  3. Review Project links and any Attestations / provenance metadata shown for the files.
  4. Confirm the linked source repository and tag match the Paybond release tag.

Verify from the CLI

pip install paybond-kit==<version>
paybond version
paybond version --verbose --format json

Support bundles

For support tickets, attach a redacted diagnostic bundle (never paste raw API keys):

paybond diagnose --redacted
paybond diagnose --redacted --format json

diagnose --redacted is required; output always masks credentials and only reports credential source (process_env, env_file, or missing).

SBOM artifacts

CI uploads CycloneDX SBOMs for each Kit package:

Artifact                            Scope
paybond-kit-ts.sbom.cdx.json        @paybond/kit npm package tree
paybond-kit-python.sbom.cdx.json    paybond-kit Python package tree

Download them from the GitHub Actions run for the release tag (workflow artifacts). Repository-wide SBOMs remain in the paybond-repository-sbom artifact.

Maintainer checklist

  1. Bump kit/ts/package.json and kit/python/pyproject.toml versions together.
  2. Run scripts/kit-release-gates.sh --release locally when possible (requires trivy for SBOM checks).
  3. Push an annotated tag; wait for CI kit-release-gates, package SBOM, and publish jobs.
  4. Confirm npm provenance and PyPI trusted-publisher metadata on the registries.
  5. Update server.json and follow MCP Registry publish checklist if the MCP registry version changes.