Nipmod tightens API and CI posture

- Nipmod said on May 22 it shipped a v1.2.5 developer update that tightened API boundaries, added OpenAPI support and hardened CI controls.
- Nipmod said hosted API calls now “never write” into user workspaces, while branch protection, signed commits and CodeQL cleanup were added.
- Nipmod’s docs already expose search, inspect and install-plan endpoints; the company said an official API release is nearing.

Nipmod said on May 22 it had shipped a v1.2.5 developer update that tightened the package tool’s API and continuous integration controls ahead of an official API release. The update adds OpenAPI support, cleans up archive and install-plan flows, and changes hosted API behavior so calls do not write into user workspaces, according to the company’s post on X and its documentation.

Nipmod describes itself as a “verifiable package layer for agent code” built around package search, inspection, install planning and audit workflows. The company’s public docs already list hosted endpoints for search, inspect, install-plan, archive preparation and archive status, alongside CLI commands for install, update, SBOM export and audit. Nipmod’s quickstart says users can “ask for the safe plan before any workspace write” through the install-plan API, and says a local CLI should be used only when a workspace needs local writes. (github.com)

### Why does the workspace-write change matter for Nipmod’s API?

Nipmod’s documentation says the hosted install-plan endpoint is meant to preview a verified dependency graph before any lockfile change. The new v1.2.5 posture extends that separation by ensuring hosted API calls do not mutate a user workspace, according to the company’s May 22 update. Nipmod’s MCP host documentation shows the same design choice in its agent tooling. (nipmod.com)

The company says `nipmod mcp serve` is intended for hosts that “should not mutate a workspace by default,” and lists search, inspect, install_plan, verify, audit and SBOM among its read-only tools. Mutating commands including publish, add and install are not exposed through MCP, the docs say.

### What does OpenAPI support add here?

Nipmod said v1.2.5 adds OpenAPI support as it prepares an official API for package discovery, trust checks and install plans. The company’s current docs already expose query-based HTTP endpoints for those functions, including `/api/search`, `/api/inspect` and `/api/install-plan`. The addition of OpenAPI gives integrators and package managers a machine-readable contract for those endpoints. (github.com)

Nipmod did not publish a separate launch post for the official API in the materials reviewed, but its May 22 update said the release was nearing. That is an inference from the company’s stated support for OpenAPI and its existing public endpoint structure. (nipmod.com)

### Which CI and repository controls changed?

Nipmod said the v1.2.5 update tightened CI with branch protection, signed commits and a cleanup of CodeQL usage. The company’s GitHub profile says GitHub is used as a public mirror for review, CI and developer access, while Gitlawb remains the canonical source for signed repository history and provenance.

The same GitHub materials say Nipmod uses signed installers and signed tarballs, deterministic bundles, Ed25519 `did:key` identities and lockfiles pinned by `sha256` integrity. (nipmod.com) Those controls sit alongside the new CI changes and support the project’s stated focus on provenance and auditability.

### How does this fit Nipmod’s broader product design?

Nipmod’s README says the service is meant to let agents answer four questions before install: who published a package, what exact bytes are being installed, which source commit produced them, and whether current trust, witness and advisory evidence exists. (github.com) Its docs also describe inspect, install-plan and audit as separate steps before a package write. (github.com)

The MCP documentation applies the same model to agent hosts. Nipmod says host approval screens should expose read-only verification tools plus a gated `publish_plan` dry run, while signed local publish preflight stays in the terminal.

Nipmod’s next public milestone is the official API launch referenced in its May 22 update. In the meantime, the company’s quickstart and discovery files already publish the current endpoint set, MCP server path and trust-related workflow documentation for developers and host integrations. (github.com) (nipmod.com) (github.com)
