This release includes 1 security fix for security teams reviewing exposed deployments.
Summary
Security hardening adds API-key enforcement, SVG XSS sanitization, and spend caps.
Full changelog
prompt-to-asset 0.2.0
One brief → a validated multi-platform asset bundle. MCP server + CLI. Published to npm: npm i -g prompt-to-asset.
Install
# Global
npm i -g prompt-to-asset && p2a doctor
# Zero install
npx prompt-to-asset init --register
Claude Desktop: download prompt-to-asset-0.2.0.mcpb below and double-click.
Claude Code: claude mcp add prompt-to-asset -- npx -y prompt-to-asset
Cursor / VS Code / Windsurf: use the install badges in the README.
Smithery (universal): npx -y @smithery/cli install prompt-to-asset --client claude
Highlights
- 17 MCP tools covering logos, app icons, favicons, OG images, illustrations, hero art, splash screens + pipeline primitives (matte, vectorize, upscale, validate) + brand bundle parse + asset_save_inline_svg / asset_ingest_external round-trips + asset_train_brand_lora.
- Zero-key first. Three modes — inline_svg (host LLM writes SVG, deterministic), external_prompt_only (paste into your subscription), api (server-driven with free-tier routes through Pollinations / HF / Cloudflare / Stable Horde / Gemini free tier).
- Routes across 30+ models — OpenAI gpt-image-1, Gemini / Imagen, Ideogram, Recraft, BFL Flux family, Stability SD/SDXL/SD3, Leonardo, fal.ai, Replicate, Cloudflare Workers AI, HF Inference, Pollinations, Stable Horde, ComfyUI (user-owned), paste-only surfaces for Midjourney / Firefly / Krea.
- Platform fan-out — iOS AppIconSet (14 sizes + 1024 marketing, iOS 18 dark/tinted), Android adaptive (foreground + background + monochrome), PWA (192/512/512-maskable + manifest + head snippet), favicon bundle (multi-res ICO + SVG + dark-mode + apple-touch), OG 1200×630 via Satori, Flutter flutter_launcher_icons.yaml, visionOS scaffold, splash screens.
- Security hardening: API keys in env only, provider-error redaction (redact()), safePath allow-list on every path input, unconditional SVG XSS sanitizer before any write, P2A_MAX_SPEND_USD_PER_RUN cost cap, data-integrity invariant at boot.
- Regenerate-until-validated loop on asset_generate_logo (max_retries 0..4): tier-0 failure → repair plan (re-route on alpha fail, hex pin on palette drift, drop text on OCR fail) → retry with convergence stopping.
- Clarifying questions. asset_enhance_prompt returns structured questions when the brief is ambiguous (long wordmark, missing palette, generic brief) so the host LLM can surface them via AskUserQuestion before generating.
- Evals harness (evals/) — 9 golden briefs + committed baseline + CI regression gate.
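The regenerate-until-validated loop above, written out as an added example for this page (it is not prompt-to-asset's own code). The asset shape ({hasAlpha, palette, text}), validateTier0, REPAIR_PLAN and generateUntilValidated are assumptions about how the notes' description maps to code; demoGenerate is a constructed stand-in for a model call so the loop runs offline. The point it makes beyond the bullet: a retry is only worth paying for if the repair plan changed the outcome, so the loop stops as soon as a validation pass reports the same failure set as the pass before it.

```javascript
// Added example, not the project's code. Names below are assumptions based
// on the release notes; demoGenerate is a constructed stand-in for a model.
const REPAIR_PLAN = {
  alpha:   (req) => ({ ...req, route: "alpha-capable" }),    // re-route on alpha fail
  palette: (req) => ({ ...req, pinHex: req.brief.palette }), // hex pin on palette drift
  ocr:     (req) => ({ ...req, dropText: true }),            // drop text on OCR fail
};

// Tier-0 checks: transparency present, every colour in the brief's palette,
// OCR'd text equal to the wordmark (or no text at all).
function validateTier0(asset, brief) {
  const failures = [];
  if (!asset.hasAlpha) failures.push("alpha");
  if (!asset.palette.every((c) => brief.palette.includes(c))) failures.push("palette");
  if (brief.wordmark && asset.text && asset.text !== brief.wordmark) failures.push("ocr");
  return failures;
}

function generateUntilValidated(generate, brief, maxRetries = 2) {
  maxRetries = Math.min(4, Math.max(0, maxRetries | 0)); // clamp to the tool's 0..4 range
  let req = { brief, route: "default", pinHex: null, dropText: false };
  let previous = null;
  const attempts = [];
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const asset = generate(req);
    const failures = validateTier0(asset, brief);
    attempts.push({ attempt, route: req.route, failures });
    if (failures.length === 0) return { ok: true, asset, attempts };
    // Convergence stop: the repair plan left the failure set unchanged, so
    // another retry would only spend budget on the same result.
    if (previous !== null && previous.join() === failures.join()) break;
    previous = failures;
    for (const f of failures) req = REPAIR_PLAN[f](req);
  }
  return { ok: false, asset: null, attempts };
}

// Constructed stand-in: no alpha on the default route, one off-palette colour
// unless a hex pin is supplied, and a misspelled wordmark unless text is dropped.
function demoGenerate(req) {
  return {
    hasAlpha: req.route === "alpha-capable",
    palette: req.pinHex ?? ["#ff0000", "#123456"],
    text: req.dropText ? null : "Acme Corp",
  };
}

const DEMO_BRIEF = { palette: ["#ff0000", "#ffffff"], wordmark: "Acme" };
```

With DEMO_BRIEF the first pass fails all three tier-0 checks, the repair plan re-routes, pins the palette and drops the text, and the second pass validates; a generator that ignores the repair plan is cut off after two passes regardless of max_retries.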
CI matrix
203 tests / 201 passing / 2 skipped (network). 21/21 smoke checks. 9/9 eval briefs. 0 npm audit vulnerabilities. Multi-OS: Ubuntu on Node 20/22/24, macOS and Windows on Node 22. Coverage uploaded to Codecov. CodeQL, dependency-review and data-integrity workflows wired.
Assets attached to this release
prompt-to-asset-0.2.0.mcpb — Claude Desktop one-click install bundle.
Security Fixes
- API keys must be supplied via environment variables only; provider errors are redacted; unconditional SVG XSS sanitizer applied before any write; P2A_MAX_SPEND_USD_PER_RUN cost cap enforced.
About MohamedAbdallah-14/prompt-to-asset
Generates app icons, favicons, OG images, logos, and wordmarks. Routes each request across 30+ image models. Runs without an API key via Cloudflare Workers AI, NVIDIA NIM, HuggingFace, or Stable Horde. Three modes: inline SVG, external prompt-only, or full API. Validates contrast, OCR text accuracy, and palette before returning.
Beta — feedback welcome: [email protected]