From 6577e7cc234491cc1f83127b04f6469ae08d0f70 Mon Sep 17 00:00:00 2001
From: piiiico
Date: Fri, 12 Jun 2026 08:52:14 +0000
Subject: [PATCH 1/3] Add supply-chain-gate plugin: plugin.json

---
 plugins/supply-chain-gate/.claude-plugin/plugin.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 plugins/supply-chain-gate/.claude-plugin/plugin.json

diff --git a/plugins/supply-chain-gate/.claude-plugin/plugin.json b/plugins/supply-chain-gate/.claude-plugin/plugin.json
new file mode 100644
index 0000000..5c265d4
--- /dev/null
+++ b/plugins/supply-chain-gate/.claude-plugin/plugin.json
@@ -0,0 +1,10 @@
+{
+ "name": "supply-chain-gate",
+ "description": "Supply chain security gate — audit dependencies for behavioral risk and install IDE hooks that block CRITICAL packages",
+ "version": "1.0.0",
+ "author": {
+ "name": "piiiico",
+ "url": "https://github.com/piiiico/proof-of-commitment"
+ },
+ "homepage": "https://getcommit.dev"
+}

From dab86206ab7bcb641e2a6eae11ff7f738d04c057 Mon Sep 17 00:00:00 2001
From: piiiico
Date: Fri, 12 Jun 2026 08:52:28 +0000
Subject: [PATCH 2/3] Add supply-chain-gate plugin: audit command

---
 .../commands/supply-chain-audit.md | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 plugins/supply-chain-gate/commands/supply-chain-audit.md

diff --git a/plugins/supply-chain-gate/commands/supply-chain-audit.md b/plugins/supply-chain-gate/commands/supply-chain-audit.md
new file mode 100644
index 0000000..ed485df
--- /dev/null
+++ b/plugins/supply-chain-gate/commands/supply-chain-audit.md
@@ -0,0 +1,25 @@
+---
+allowed-tools: Bash(npx:*), Bash(poc:*), Bash(cat:*)
+description: Audit project dependencies for supply chain risk using behavioral signals
+---
+
+## Context
+
+- Lock files: !`ls package-lock.json yarn.lock pnpm-lock.yaml bun.lock Cargo.toml go.sum requirements.txt 2>/dev/null || echo "none found"`
+
+## Your task
+
+Run a supply chain security audit on this project using [Proof of Commitment](https://github.com/piiiico/proof-of-commitment).
+
+This scores dependencies on **behavioral commitment signals** — publisher depth, release consistency, maintenance patterns — that predict supply chain risk. Both axios and chalk scored CRITICAL *before* their 2026 compromises.
+
+```bash
+npx -y proof-of-commitment $ARGUMENTS
+```
+
+If `$ARGUMENTS` is empty, the CLI auto-detects the best manifest in the current directory (package-lock.json > yarn.lock > pnpm-lock.yaml > package.json > requirements.txt > Cargo.toml > go.sum).
+
+After running:
+1. Report CRITICAL and HIGH packages with their risk flags
+2. For CRITICAL packages: explain what "single npm publisher" means as a risk
+3. Suggest `poc hook` to install a pre-install gate that blocks CRITICAL packages automatically

From 2310724446f5d07e89a141fd83c9d02ae3f8c236 Mon Sep 17 00:00:00 2001
From: piiiico
Date: Fri, 12 Jun 2026 08:53:01 +0000
Subject: [PATCH 3/3] Add supply-chain-gate to Security section

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index e4de615..b20e38d 100644
--- a/README.md
+++ b/README.md
@@ -188,6 +188,7 @@ Install or disable them dynamically with the `/plugin` command — enabling you
 - [enterprise-security-reviewer](./plugins/enterprise-security-reviewer)
 - [legal-advisor](./plugins/legal-advisor)
 - [legal-compliance-checker](./plugins/legal-compliance-checker)
+- [supply-chain-gate](./plugins/supply-chain-gate)
 ## Tutorials
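Review bot: The command block `npx -y proof-of-commitment $ARGUMENTS` fetches and executes whatever version of the package the registry serves at run time, with `-y` suppressing the install confirmation, so the auditor itself is the one dependency this gate never checks; pin it to a reviewed release, e.g. `npx -y proof-of-commitment@<PINNED_VERSION> $ARGUMENTS`, and bump the pin deliberately. The front matter grants `Bash(npx:*)`, which covers any npx invocation rather than this one package, and `$ARGUMENTS` flows into that shell line unvalidated; if the permission syntax accepts command-prefix patterns, narrowing it to `Bash(npx -y proof-of-commitment:*)` keeps the allow-list to what the command actually needs. `Bash(cat:*)` is allowed but nothing in the file runs cat, while the context line runs `ls`, which is not listed — presumably `!` context commands are not subject to the allow-list, but that is worth confirming and documenting. The "axios and chalk scored CRITICAL before their 2026 compromises" sentence is a factual claim the model will repeat to users without a source; a link to the incident write-ups would let readers verify it.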