agent-supply-chain

# Agent Supply Chain Integrity Generate and verify integrity manifests for AI agent plugins and tools. Detect tampering, enforce version pinning, and establish supply chain provenance. ## Overview Agent plugins and MCP servers have the same supply chain risks as npm packages or container images — except the ecosystem has no equivalent of npm provenance, Sigstore, or SLSA. This skill fills that gap. ``` Plugin Directory → Hash All Files (SHA-256) → Generate INTEGRITY.json ↓ Later: Plugin Directory → Re-Hash Files → Compare Against INTEGRITY.json ↓ Match? VERIFIED : TAMPERED ``` ## When to Use - Before promoting a plugin from development to production - During code review of plugin PRs - As a CI step to verify no files were modified after review - When auditing third-party agent tools or MCP servers - Building a plugin marketplace with integrity requirements --- ## Pattern 1: Generate Integrity Manifest Create a deterministic `INTEGRITY.json` with SHA-256 hashes of all plugin files. ```python import hashlib import json from datetime import datetime, timezone from pathlib import Path EXCLUDE_DIRS = {".git", "__pycache__", "node_modules", ".venv", ".pytest_cache"} EXCLUDE_FILES = {".DS_Store", "Thumbs.db", "INTEGRITY.json"} def hash_file(path: Path) -> str: """Compute SHA-256 hex digest of a file.""" h = hashlib.sha2...