SYS · CLAUDE-BLOG · V1.9.1 · ACTIVE
RELEASE · v1.9.1 · 2026-05-18
claude blog.
The Content Operating System. Drafts that ship gated, audited, and production-grade, or do not ship at all.
LIVE · 5 gates · 187 tests · 95/100 · MIT
★ Lesson 1 · The 5-Gate Method
What you’ll learn in 2 minutes
M2 · The 5-gate Blog Delivery Contract
M4 · How to make a reviewer BLOCK, not advise
M5 · Hero image fallback ladder pattern
M6 · Closing OWASP / CWE findings end-to-end
G1 discover G2 format G3 visual G4 review G5 links
$ /blog write “why your AI blog tool is shipping broken drafts”
generating hero · banana mcp
drafting
security score · v1.8 → v1.9.1
Finally. Drafts that don’t ship broken.
SLIDE 02 · WHY THIS RELEASE
02 · The gap we filled

AI blog tools ship sloppy drafts. The user becomes the reviewer.

Three structural defects show up over and over in AI-authored content. v1.9 closes all three at the gate layer, before any draft reaches you.

SLOP 01
Broken hero images
no fallback ladder · 404 og:image
Most tools point at a stock URL and pray. When the link 404s the draft ships anyway. Visible the first time anyone shares it.
SLOP 02
No PDFs, no real renders
markdown-only · .md / .html drift
One format out. No print, no offline copy. Diagrams overflow on mobile. The HTML and markdown drift quietly apart.
SLOP 03
Reviewer scored, never blocked
advisory-only · prose feedback
A reviewer step that emits a score nobody reads. Sloppy drafts pass anyway because there is no gate, just a comment.
…this can’t ship.
SLIDE 03 · WHAT SHIPS
03 · What shipped in 1.9

Two releases, one outcome, five load-bearing surfaces.

v1.9.0 introduced the delivery contract. v1.9.1 hardened it against an eight-agent cybersecurity audit. Every number below is verifiable in the repo.

5 delivery gates · NEW IN v1.9
187 pytest tests · +27 NEW
29 sub-skills
95 security / 100 · 87 → 95
142 pinned packages
SLIDE 04 · DELIVERY CONTRACT
04 · The Blog Delivery Contract

Five gates run before any draft reaches you. No exceptions.

Each gate is code, not prose. Gate 4 is the blocking one. The other four make sure Gate 4 has something real to score.

GATE 1
Capability discovery
MCPs · agents · scripts
Write capabilities.json. Know what is loadable before drafting.
GATE 2
Format completeness
.md · .html · .pdf · hero
Every draft ships four artifacts. Deterministic renderer.
GATE 3
Visual verification
3 widths · overflow · JSON-LD
Playwright renders. Asserts no SVG overflow. Captures console errors.
GATE 4
Content review
BLOCKING · 90+ · zero P0
Reviewer agent scores rendered HTML. Below threshold, no delivery.
BLOCKING
GATE 5
Asset + link integrity
img src · 200 OK · wordCount
Every link resolves, every image exists, JSON-LD matches body.
Gate 4 is the one that bites.
SLIDE 05 · VISUAL VERIFICATION
05 · Gate 3: visual verification

Mobile breaks fail at the gate. Not in your face.

Playwright spins up a headless browser and renders the HTML at three widths. It asserts every SVG child fits inside its viewBox, swaps to dark mode, and watches the console for errors.

claude-blog.dev/article · 375 px · "Why your AI blog tool is broken"
SVG within viewBox · dark-mode swap · no overflow-x
claude-blog.dev/article · 768 px · "Why your AI blog tool is shipping broken drafts"
hero crop center · pull-quote breaks · TOC sticky
claude-blog.dev/article · 1280 px · "Why your AI blog tool is shipping broken drafts (and how to fix it)"
sidebar layout · code-block scroll · social card OK
SLIDE 06 · BLOCKING REVIEWER
06 · Gate 4: the blocking one

Score 90+. Zero P0. Or no delivery.

The blog-reviewer agent scores the rendered HTML against six dimensions. Threshold is 90 of 100 with zero P0 issues. Below that, the orchestrator iterates, up to three times.

REVIEW.MD · 6 DIMENSIONS
/blog write · Why your AI blog tool is broken
Hook + answer-first opener: 17 / 18
Heading hierarchy + skimmability: 14 / 15
Citations + tier-1 sourcing: 22 / 22
Original perspective + E-E-A-T: 19 / 20
AI-citation readiness (FAQ + schema): 13 / 15
No P0 editorial defects: 10 / 10
TOTAL · THRESHOLD 90: 95
BLOCKING: false
P0 ISSUES: 0
Nonce: 4f2a8c11d6e93b7a · verified
Iteration: 1 of 3 · agent: blog-reviewer
95 / 100. Let it ship.
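The blocking decision described on this slide, sketched as an added example (not code from the claude-blog repo). The `key: value` layout of review.md, the function names, and the sample nonce are assumptions made for illustration; the threshold, the three-iteration cap, the `.iteration-count` file name and the 32-hex nonce come from the slides.

```python
import hmac
import re
from pathlib import Path

THRESHOLD = 90                             # minimum total score
MAX_ITERATIONS = 3                         # cap on review/revise loops
NONCE_RE = re.compile(r"[0-9a-f]{32}")     # 32-hex nonce issued per run

# Constructed sample; the "key: value" layout is assumed for this example.
SAMPLE_REVIEW = """\
Total: 95
P0 issues: 0
Nonce: 0123456789abcdef0123456789abcdef
"""


def bump_iteration(workdir):
    """Increment the on-disk counter; refuse to go past the cap."""
    counter = Path(workdir) / ".iteration-count"
    n = int(counter.read_text()) if counter.exists() else 0
    if n >= MAX_ITERATIONS:
        raise RuntimeError("iteration cap reached; draft not delivered")
    counter.write_text(str(n + 1))
    return n + 1


def gate4(review_text, expected_nonce):
    """Return (deliver, reason); anything unverifiable blocks."""
    fields = {}
    for line in review_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    nonce = fields.get("nonce", "")
    if not NONCE_RE.fullmatch(expected_nonce) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()):
        return False, "nonce mismatch: review not bound to this run"
    try:
        total, p0 = int(fields["total"]), int(fields["p0 issues"])
    except (KeyError, ValueError):
        return False, "review missing total or P0 count"
    if p0 > 0:
        return False, f"{p0} P0 issue(s)"
    if total < THRESHOLD:
        return False, f"score {total} below {THRESHOLD}"
    return True, "pass"
```

The nonce is checked before the score so that a review file not produced by this run is rejected regardless of the numbers it contains.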
SLIDE 07 · HERO LADDER
07 · Every draft ships a real hero

Five-step fallback ladder. Block if none work.

Hero generation tries banana first, falls back through Gemini, then premium stock, then openverse. If nothing returns a real image, the gate blocks delivery with setup steps. No silent 404s.

01
Banana MCP
orchestrator level · when nanobanana-mcp is loaded
MCP
02
Gemini API direct
google-genai · when GOOGLE_AI_API_KEY is set
API
03
Premium stock APIs
Unsplash · Pexels · Pixabay · any key suffices
STOCK
04
Openverse public API
CC-licensed · no key required · always available
CC
05
Block with setup steps
if none succeed · honest diagnostic to the user
BLOCK
Never a silent 404.
SLIDE 08 · CYBERSECURITY AUDIT
08 · Then we ran the audit

Eight cybersecurity agents. Eleven findings. All closed.

OWASP Top 10:2021, CWE Top 25:2024, MITRE ATT&CK mapping. Each agent scored independently. Composite score went from 87 to 95 of 100 after the v1.9.1 hardening pass.

A1
Vulnerability
OWASP Top 10 + CWE Top 25 + CVE database
A2
Secrets
hardcoded keys · committed creds · token leaks
A3
Dependencies
supply chain · CVE bounds · typosquats
A4
IaC
install scripts · permissions · path traversal
A5
Threat intel
malware · backdoor · C2 · MITRE ATT&CK
A6
Authorization
OAuth · token storage · session boundaries
A7
AI-gen code
agent provenance · prompt injection vectors
A8
Compliance
OWASP coverage · CWE mapping · score band
SLIDE 09 · WHAT CLOSED
09 · What got closed

Every HIGH and MEDIUM finding. Closed.

Eleven audit findings landed. v1.9.1 closes all HIGH and MEDIUM severity items, plus the LOW and INFO ones worth fixing. Each fix is wired to a regression test so the same class of bug cannot recur silently.

VULN-801 [HIGH] SSRF + IMDS attack path: scheme allowlist · private IP refuse · 25MB cap
VULN-802 [HIGH] Iteration counter unenforced: code-enforced .iteration-count · cap = 3
VULN-401 [HIGH] Supply chain non-determinism: uv.lock · 142 packages · SHA-256 pinned
VULN-803 [MED] Counterfeit reviewer pass: nonce-bound review.md provenance · 32-hex
AUTH-001 [MED] OAuth client_secret in token blob: split secret out · re-read from config
VULN-804 [MED] Gate 5 redirect-follow: no-redirect opener · scheme check inline
VULN-IAC-001 [MED] Installer hashes unpublished: SHA-256 published in README · verify step
VULN-S01 [LOW] API key echo in setup: _mask_api_key helper · AIza****WXYZ style
v1.9.1 · shipped
"Why your AI blog tool is shipping broken drafts"
Tests: 160 → 187 (+27)
Security score: 87 → 95 / 100
Composite: ~94 / 100
Band: Exceptional
Every HIGH + MED. Closed.
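The controls named for VULN-801 and VULN-804 (scheme allowlist, private-IP refusal, 25MB cap, no-redirect opener), written out as an added example; this is not the project's own code. All class and function names, the injectable `resolver` parameter, and the sample addresses in the usage are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # scheme allowlist
MAX_BYTES = 25 * 1024 * 1024          # 25MB response cap


class FetchRefused(Exception):
    """A URL or response violated the fetch policy."""


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow 3xx; the caller must vet the new URL itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # urllib then raises HTTPError for the 3xx


def _system_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_url(url, resolver=_system_resolver):
    """Validate scheme and destination; return the vetted addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise FetchRefused(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise FetchRefused("no host in URL")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise FetchRefused("host did not resolve")
    for raw in addrs:
        ip = ipaddress.ip_address(raw.split("%")[0])   # drop IPv6 zone id
        # is_global is False for loopback, RFC 1918 and link-local ranges,
        # which covers the metadata service at 169.254.169.254.
        if not ip.is_global:
            raise FetchRefused(f"{parts.hostname} resolves to non-public {ip}")
    return addrs


def read_capped(stream, limit=MAX_BYTES):
    """Read a body, refusing anything over the cap."""
    body = stream.read(limit + 1)
    if len(body) > limit:
        raise FetchRefused(f"body exceeds {limit} bytes")
    return body
```

Build the fetcher with `urllib.request.build_opener(NoRedirect)` and connect to one of the addresses `check_url` returned rather than re-resolving the name, so the address that was checked is the address that is fetched.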
SLIDE 10 · ECOSYSTEM
10 · The full sub-skill map

Twenty-nine sub-skills. One orchestrator. Every job.

claude-blog sub-skill map
SLIDE 11 · ROADMAP
11 · What v1.10 and beyond bring

v1.9 is shipped. Nonce-mandatory, AOL, citations are next.

claude-blog roadmap
SLIDE 12 · INSTALL
v1.9.1 · ready to install

One line. Five gates. Ship it.

$ curl -sSL https://raw.githubusercontent.com/AgriciDaniel/claude-blog/main/install.sh | bash
★ NEXT LESSON
Build this for your stack
subscribe · new lessons drop weekly
INSTALL + PRACTICE
Run the 5 gates locally
github.com/AgriciDaniel/claude-blog
COURSE COMMUNITY
Join AI Marketing Hub
lessons · weekly threads · 2,700+ members
Catch the next one. Same gates.