diff --git a/README.md b/README.md index e4de615..b20e38d 100644 --- a/README.md +++ b/README.md @@ -188,6 +188,7 @@ Install or disable them dynamically with the `/plugin` command — enabling you - [enterprise-security-reviewer](./plugins/enterprise-security-reviewer) - [legal-advisor](./plugins/legal-advisor) - [legal-compliance-checker](./plugins/legal-compliance-checker) +- [supply-chain-gate](./plugins/supply-chain-gate) ## Tutorials diff --git a/plugins/supply-chain-gate/.claude-plugin/plugin.json b/plugins/supply-chain-gate/.claude-plugin/plugin.json new file mode 100644 index 0000000..5c265d4 --- /dev/null +++ b/plugins/supply-chain-gate/.claude-plugin/plugin.json @@ -0,0 +1,10 @@ +{ + "name": "supply-chain-gate", + "description": "Supply chain security gate — audit dependencies for behavioral risk and install IDE hooks that block CRITICAL packages", + "version": "1.0.0", + "author": { + "name": "piiiico", + "url": "https://github.com/piiiico/proof-of-commitment" + }, + "homepage": "https://getcommit.dev" +} diff --git a/plugins/supply-chain-gate/commands/supply-chain-audit.md b/plugins/supply-chain-gate/commands/supply-chain-audit.md new file mode 100644 index 0000000..ed485df --- /dev/null +++ b/plugins/supply-chain-gate/commands/supply-chain-audit.md 
@@ -0,0 +1,25 @@ +--- +allowed-tools: Bash(npx:*), Bash(poc:*), Bash(cat:*) +description: Audit project dependencies for supply chain risk using behavioral signals +--- + +## Context + +- Lock files: !`ls package-lock.json yarn.lock pnpm-lock.yaml bun.lock Cargo.toml go.sum requirements.txt 2>/dev/null || echo "none found"` + +## Your task + +Run a supply chain security audit on this project using [Proof of Commitment](https://github.com/piiiico/proof-of-commitment). + +This scores dependencies on **behavioral commitment signals** — publisher depth, release consistency, maintenance patterns — that predict supply chain risk. Both axios and chalk scored CRITICAL *before* their 2026 compromises. + +```bash +npx -y proof-of-commitment $ARGUMENTS +``` + +If `$ARGUMENTS` is empty, the CLI auto-detects the best manifest in the current directory (package-lock.json > yarn.lock > pnpm-lock.yaml > package.json > requirements.txt > Cargo.toml > go.sum). + +After running: +1. Report CRITICAL and HIGH packages with their risk flags +2. For CRITICAL packages: explain what "single npm publisher" means as a risk +3. Suggest `poc hook` to install a pre-install gate that blocks CRITICAL packages automatically
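Review bot: In the `supply-chain-audit.md` hunk, the command line `npx -y proof-of-commitment $ARGUMENTS` fetches and executes an unpinned package without the confirmation prompt, and `$ARGUMENTS` is unquoted, so an argument string containing spaces or shell metacharacters expands into extra words. For a plugin whose purpose is gating supply-chain risk, pin the version (`npx -y proof-of-commitment@<version>`), quote the expansion (`"$ARGUMENTS"`), and narrow the front matter from `Bash(npx:*)` to the one invocation the task needs. Two smaller points in the same hunk: the `Context` line is labelled "Lock files" but lists `Cargo.toml` and `requirements.txt`, which are manifests, not lock files, and `bun.lock` appears in the `ls` list but not in the auto-detect order given below it; and the sentence "Both axios and chalk scored CRITICAL *before* their 2026 compromises" carries no link or reference, so either cite the source or drop it from the task text.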