agent-supply-chain

Generate and verify SHA-256 `INTEGRITY.json` manifests for AI agent plugins and tools so tampering, missing files, and untracked additions are detected before promotion. Produces deterministic per-file hashes plus a chain-hash `manifest_hash`, verifies an installed plugin against a prior manifest, audits dependency pinning in `package.json` / `requirements.txt` / `pyproject.toml` (flagging `^`/`~`/`*`/`latest`), and runs a dev → staging → production promotion gate that also checks for required files and pinned MCP servers.