fix: address code review — image src, jq injection safe payload

nawi-25 · claude · nawi-25 · commit 67e8dde29d9a · 2026-03-20T15:08:01.000+02:00
- restore broken README image src to original GitHub asset URL
- use jq for safe JSON serialization in homebrew dispatch curl call
- add --fail to curl so failed dispatch is visible in CI logs

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -44,8 +44,8 @@ jobs:
       - name: Notify homebrew tap
         run: |
           VERSION=$(node -p "require('./package.json').version")
-          curl -s -X POST \
+          curl -s --fail -X POST \
             -H "Authorization: token ${{ secrets.AUTO_PR_TOKEN }}" \
             -H "Accept: application/vnd.github.v3+json" \
             https://api.github.com/repos/node9-ai/homebrew-node9/dispatches \
-            -d "{\"event_type\":\"new-release\",\"client_payload\":{\"version\":\"${VERSION}\"}}"
+            -d "$(jq -n --arg v "$VERSION" '{event_type:"new-release",client_payload:{version:$v}}')"
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ While others try to _guess_ if a prompt is malicious (Semantic Security), Node9
 **AIs are literal.** When you ask an agent to "Fix my disk space," it might decide to run `docker system prune -af`.
 
 <p align="center">
-  <img src="an" width="100%">
+  <img src="https://github.com/user-attachments/assets/afae9caa-0605-4cac-929a-c14198383169" width="100%">
 </p>
 
 **With Node9, the interaction looks like this:**
