T1 starter · marketing / content: one task is the whole media pipeline. Generated images land on disk under a declared boundary — outputs carry paths and sha256 hashes, never image bytes.
The job
Every landing page, blog post and QR campaign needs an OG image, and someone ends up producing them one by one in a chat window. This workflow turns that into a step: creative brief in, rendered variants + a provenance manifest out, ready for the site build to pick up.The shape
The file
t1-og-images.nika.yaml
Why it reads like that
provider: mockfirst — it renders real, decodable PNGs offline, deterministically, with zero keys: the pipeline is testable in CI as-is. Production is a one-line flip togemini(GEMINI_API_KEY) oropenai(OPENAI_API_KEY); the keys are engine-configured, never workflow args.permits.fs.writeis the contract —./assets/og/**is the ONLY place assets may land; a templatedoutput_dirthat escapes it failsNIKA-SEC-004before any byte is written.nika check --infer-permitswrites this block for you.- assets, not blobs —
tasks.hero.output.imagesis a list of{ path, filename, width, height, sha256, … }entries, and a*.manifest.jsonlands beside the files (request echo · hashes · usage · yourmetadata:fields). Base64 never rides outputs, logs or traces. n: 2for A/B — OpenAI renders n natively; Gemini runs n sequential calls (documented); mock renders n distinct deterministic variants.