agent-supply-chain
Use this skill when generating SHA-256 integrity manifests for agent plugins, verifying that installed plugins match their manifests, detecting tampered files, auditing dependency pinning, or building provenance chains for plugin promotion.
Version
1.0.0
Maturity
draft
Repository
agent-skills
License
GNU GPL v3
Skill metadata
SKILL.md
Agent Supply Chain Integrity
Generate and verify integrity manifests for AI agent plugins and tools. Detect tampering, enforce version pinning, and establish supply chain provenance.
Use this skill when
- Generating SHA-256 integrity manifests for agent plugins or tool packages before promotion
- Verifying that installed plugins match their published manifests
- Detecting tampered, modified, or untracked files in agent tool directories
- Auditing dependency pinning and version policies for agent components
- Building provenance chains for agent plugin promotion (dev → staging → production)
- Any request like "verify plugin integrity", "generate manifest", "check supply chain", or "sign this plugin"
Do not use this skill when
- The plugin is a simple local script with no distributable files or production promotion path.
- You need runtime governance or policy controls for agent tool calls during execution; use
agent-governanceinstead.
Inputs to gather
Required before implementing
- The list of plugins, tools, or agent packages used by the agent.
- The promotion pipeline (dev → staging → production) if any.
Helpful if present
- Existing CI pipeline config for where integrity checks should run.
First move
- Inventory all plugins, tools, and agent packages used by the agent.
- Generate an integrity manifest using Pattern 1.
- Add Pattern 2 verification to the existing CI pipeline.
Overview
Agent plugins and MCP servers have the same supply chain risks as npm packages or container images — except the ecosystem has no equivalent of npm provenance, Sigstore, or SLSA. This skill fills that gap.
Plugin Directory → Hash All Files (SHA-256) → Generate INTEGRITY.json
↓
Later: Plugin Directory → Re-Hash Files → Compare Against INTEGRITY.json
↓
Match? VERIFIED : TAMPERED
Pattern 1: Generate Integrity Manifest
Create a deterministic INTEGRITY.json with SHA-256 hashes of all plugin files.
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path
EXCLUDE_DIRS = {".git", "__pycache__", "node_modules", ".venv", ".pytest_cache"}
EXCLUDE_FILES = {".DS_Store", "Thumbs.db", "INTEGRITY.json"}
def hash_file(path: Path) -> str:
"""Compute SHA-256 hex digest of a file."""
h = hashlib.sha256()
with open(path, "rb") as f:
for chunk in iter(lambda: f.read(8192), b""):
h.update(chunk)
return h.hexdigest()
def generate_manifest(plugin_dir: str) -> dict:
"""Generate an integrity manifest for a plugin directory."""
root = Path(plugin_dir)
files = {}
for path in sorted(root.rglob("*")):
if not path.is_file():
continue
if path.name in EXCLUDE_FILES:
continue
if any(part in EXCLUDE_DIRS for part in path.relative_to(root).parts):
continue
rel = path.relative_to(root).as_posix()
files[rel] = hash_file(path)
# Chain hash: SHA-256 of all file hashes concatenated in sorted order
chain = hashlib.sha256()
for key in sorted(files.keys()):
chain.update(files[key].encode("ascii"))
manifest = {
"plugin_name": root.name,
"generated_at": datetime.now(timezone.utc).isoformat(),
"algorithm": "sha256",
"file_count": len(files),
"files": files,
"manifest_hash": chain.hexdigest(),
}
return manifest
# Generate and save
manifest = generate_manifest("my-plugin/")
Path("my-plugin/INTEGRITY.json").write_text(
json.dumps(manifest, indent=2) + "\n"
)
print(f"Generated manifest: {manifest['file_count']} files, "
f"hash: {manifest['manifest_hash'][:16]}...")
Output (INTEGRITY.json):
{
"plugin_name": "my-plugin",
"generated_at": "2026-04-01T03:00:00+00:00",
"algorithm": "sha256",
"file_count": 12,
"files": {
".claude-plugin/plugin.json": "a1b2c3d4...",
"README.md": "e5f6a7b8...",
"skills/search/SKILL.md": "c9d0e1f2...",
"agency.json": "3a4b5c6d..."
},
"manifest_hash": "7e8f9a0b1c2d3e4f..."
}
Pattern 2: Verify Integrity
Check that current files match the manifest.
# Requires: hash_file() and generate_manifest() from Pattern 1 above
import json
from pathlib import Path
def verify_manifest(plugin_dir: str) -> tuple[bool, list[str]]:
"""Verify plugin files against INTEGRITY.json."""
root = Path(plugin_dir)
manifest_path = root / "INTEGRITY.json"
if not manifest_path.exists():
return False, ["INTEGRITY.json not found"]
manifest = json.loads(manifest_path.read_text())
recorded = manifest.get("files", {})
errors = []
# Check recorded files
for rel_path, expected_hash in recorded.items():
full = root / rel_path
if not full.exists():
errors.append(f"MISSING: {rel_path}")
continue
actual = hash_file(full)
if actual != expected_hash:
errors.append(f"MODIFIED: {rel_path}")
# Check for new untracked files
current = generate_manifest(plugin_dir)
for rel_path in current["files"]:
if rel_path not in recorded:
errors.append(f"UNTRACKED: {rel_path}")
return len(errors) == 0, errors
# Verify
passed, errors = verify_manifest("my-plugin/")
if passed:
print("VERIFIED: All files match manifest")
else:
print(f"FAILED: {len(errors)} issue(s)")
for e in errors:
print(f" {e}")
Output on tampered plugin:
FAILED: 3 issue(s)
MODIFIED: skills/search/SKILL.md
MISSING: agency.json
UNTRACKED: backdoor.py
Pattern 3: Dependency Version Audit
Check that agent dependencies use pinned versions.
import re
def audit_versions(config_path: str) -> list[dict]:
"""Audit dependency version pinning in a config file."""
findings = []
path = Path(config_path)
content = path.read_text()
if path.name == "package.json":
data = json.loads(content)
for section in ("dependencies", "devDependencies"):
for pkg, ver in data.get(section, {}).items():
if ver.startswith("^") or ver.startswith("~") or ver == "*" or ver == "latest":
findings.append({
"package": pkg,
"version": ver,
"severity": "HIGH" if ver in ("*", "latest") else "MEDIUM",
"fix": f'Pin to exact: "{pkg}": "{ver.lstrip("^~")}"'
})
elif path.name in ("requirements.txt", "pyproject.toml"):
for line in content.splitlines():
line = line.strip()
if ">=" in line and "<" not in line:
findings.append({
"package": line.split(">=")[0].strip(),
"version": line,
"severity": "MEDIUM",
"fix": f"Add upper bound: {line},<next_major"
})
return findings
Pattern 4: Promotion Gate
Use integrity verification as a gate before promoting plugins.
def promotion_check(plugin_dir: str) -> dict:
"""Check if a plugin is ready for production promotion."""
checks = {}
# 1. Integrity manifest exists and verifies
passed, errors = verify_manifest(plugin_dir)
checks["integrity"] = {
"passed": passed,
"errors": errors
}
# 2. Required files exist
root = Path(plugin_dir)
required = ["README.md"]
missing = [f for f in required if not (root / f).exists()]
# Require at least one plugin manifest (supports both layouts)
manifest_paths = [
root / ".github/plugin/plugin.json",
root / ".claude-plugin/plugin.json",
]
if not any(p.exists() for p in manifest_paths):
missing.append(".github/plugin/plugin.json (or .claude-plugin/plugin.json)")
checks["required_files"] = {
"passed": len(missing) == 0,
"missing": missing
}
# 3. No unpinned dependencies
mcp_path = root / ".mcp.json"
if mcp_path.exists():
config = json.loads(mcp_path.read_text())
unpinned = []
for server in config.get("mcpServers", {}).values():
if isinstance(server, dict):
for arg in server.get("args", []):
if isinstance(arg, str) and "@latest" in arg:
unpinned.append(arg)
checks["pinned_deps"] = {
"passed": len(unpinned) == 0,
"unpinned": unpinned
}
# Overall
all_passed = all(c["passed"] for c in checks.values())
return {"ready": all_passed, "checks": checks}
result = promotion_check("my-plugin/")
if result["ready"]:
print("Plugin is ready for production promotion")
else:
print("Plugin NOT ready:")
for name, check in result["checks"].items():
if not check["passed"]:
print(f" FAILED: {name}")
CI Integration
Add to your GitHub Actions workflow:
- name: Verify plugin integrity
run: |
PLUGIN_DIR="${{ matrix.plugin || '.' }}"
cd "$PLUGIN_DIR"
python -c "
from pathlib import Path
import json, hashlib, sys
def hash_file(p):
h = hashlib.sha256()
with open(p, 'rb') as f:
for c in iter(lambda: f.read(8192), b''):
h.update(c)
return h.hexdigest()
manifest = json.loads(Path('INTEGRITY.json').read_text())
errors = []
for rel, expected in manifest['files'].items():
p = Path(rel)
if not p.exists():
errors.append(f'MISSING: {rel}')
elif hash_file(p) != expected:
errors.append(f'MODIFIED: {rel}')
if errors:
for e in errors:
print(f'::error::{e}')
sys.exit(1)
print(f'Verified {len(manifest[\"files\"])} files')
"
Best Practices
| Practice | Rationale |
|---|---|
| Generate manifest after code review | Ensures reviewed code matches production code |
| Include manifest in the PR | Reviewers can verify what was hashed |
| Verify in CI before deploy | Catches post-review modifications |
| Chain hash for tamper evidence | Single hash represents entire plugin state |
| Exclude build artifacts | Only hash source files — .git, pycache, node_modules excluded |
| Pin all dependency versions | Unpinned deps = different code on every install |
Outputs
INTEGRITY.jsonmanifest with SHA-256 file hashes and chain hash for a plugin directory.- Verification report listing any MISSING, MODIFIED, or UNTRACKED files.
- Dependency version audit findings with severity and fix suggestions.
- Promotion gate check result with pass/fail for integrity, required files, and pinned dependencies.
Workflow
See the sections above for the integrity manifest and promotion gate workflow.
Guardrails
- Must not allow plugins with unverified checksums to load in production.
- Must not promote an artifact without verifying its manifest first.
- Should fail closed when a checksum verification error occurs.
- Should store manifests in source control so they can be audited.
- Should run dependency version audits on every dependency upgrade.
Validation
After implementing supply chain controls, verify end-to-end integrity:
Run
generate_manifest()on a fresh plugin directory and confirmINTEGRITY.jsonis written with the correct file count.Modify a tracked file and re-run
verify_manifest()— confirm the output includesMODIFIED: <file>.Add an untracked file and re-verify — confirm the output includes
UNTRACKED: <file>.Run
promotion_check()before any production promotion and confirm all checks (integrity, required files, pinned deps) pass.Run the CI verification step in
references/ci-integration.mdand confirm the workflow exits 0 on a clean plugin.Smoke test:
- should trigger: "Generate a SHA-256 manifest for this plugin and verify it in CI."
- should not trigger: "Add runtime tool allowlists to this agent." (→
agent-governance)
Examples
- "Lock in the state of
my-agent-plugin/after code review" → rungenerate_manifest("my-agent-plugin/"), commitINTEGRITY.jsonto the PR. - "Verify that the deployed plugin hasn't been tampered with since the last review" → run
verify_manifest("my-agent-plugin/")and check for MODIFIED or UNTRACKED entries. - "Gate our plugin release pipeline on integrity" → use
promotion_check()as a pre-deploy step; fail the pipeline if any check does not pass.
Reference files
references/ci-integration.md— GitHub Actions workflow template for manifest verification in CI