Generates SHA-256 integrity manifests for agent plugins and MCP servers, then verifies nothing got modified or injected after review. You hash all files in a plugin directory, save INTEGRITY.json, and later check whether the current files still match. It catches tampered code, untracked files that appeared post-audit, and unpinned dependency versions. The promotion gate pattern is smart: block prod deploys if verification fails or required files are missing. This is basically npm provenance or container signing, but for the agent ecosystem, which has none of that infrastructure yet. If you're building a plugin marketplace or running CI on third-party tools, this closes a real gap.
npx skills add https://github.com/github/awesome-copilot --skill agent-supply-chain
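The manifest-then-verify flow described above, as an added example that is not the awesome-copilot skill's own code. It keeps the INTEGRITY.json file name from the description, but the manifest's JSON layout, the use of package.json as the dependency file, the "exact version only" pin rule and the `promotion_gate` signature are all assumptions. `demo()` builds a constructed sample plugin in a temporary directory, snapshots it, then edits a source file, drops in an unreviewed file and loosens a dependency to a range, so you can see what each of the three checks reports.

```python
import hashlib
import json
import os
import re
import tempfile

# INTEGRITY.json is the manifest name from the page; its JSON layout here is an assumption.
MANIFEST_NAME = "INTEGRITY.json"
# Exact pins only ("1.2.3", "1.2.3-rc.1"); "^", "~", ranges, "*" and "latest" count as unpinned.
PINNED_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (except the manifest itself) to its SHA-256 digest."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so the written manifest is reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                files[rel] = sha256_file(full)
    return {"algorithm": "sha256", "files": files}


def write_manifest(root, manifest):
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def read_manifest(root):
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        return json.load(f)


def verify(root, manifest):
    """Diff the directory's current state against the reviewed manifest."""
    expected, current = manifest["files"], build_manifest(root)["files"]
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "untracked": sorted(p for p in current if p not in expected),
    }


def find_unpinned_deps(package_json):
    """Names in dependencies/devDependencies whose version spec is not an exact version."""
    return sorted(
        name
        for section in ("dependencies", "devDependencies")
        for name, spec in package_json.get(section, {}).items()
        if not PINNED_VERSION.match(spec)
    )


def promotion_gate(root, required_files=(MANIFEST_NAME,)):
    """Deploy gate: pass only if the manifest verifies, deps are pinned and required files exist."""
    missing_required = [f for f in required_files if not os.path.exists(os.path.join(root, f))]
    if MANIFEST_NAME in missing_required:  # nothing to verify against: fail closed
        return False, {"missing_required": missing_required}
    details = verify(root, read_manifest(root))
    details["unpinned"] = []
    pkg_path = os.path.join(root, "package.json")
    if os.path.exists(pkg_path):
        with open(pkg_path) as f:
            details["unpinned"] = find_unpinned_deps(json.load(f))
    details["missing_required"] = missing_required
    return not any(details.values()), details


def demo():
    """Constructed sample plugin: audit it, then tamper with it, and run the gate on both states."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "server.py"), "w") as f:
            f.write("print('mcp server')\n")
        with open(os.path.join(root, "package.json"), "w") as f:
            json.dump({"dependencies": {"left-pad": "1.3.0", "lodash": "4.17.21"}}, f)
        write_manifest(root, build_manifest(root))  # the post-review snapshot
        results["clean"] = verify(root, read_manifest(root))
        results["clean_gate"], _ = promotion_gate(root, (MANIFEST_NAME, "package.json"))
        results["readme_gate"], results["readme_details"] = promotion_gate(root, ("README.md",))
        # Post-audit changes: edited source, an unreviewed new file, and a dep loosened to a range
        with open(os.path.join(root, "src", "server.py"), "a") as f:
            f.write("print('edited after review')\n")
        with open(os.path.join(root, "injected.py"), "w") as f:
            f.write("# file that was never reviewed\n")
        with open(os.path.join(root, "package.json"), "w") as f:
            json.dump({"dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21"}}, f)
        results["tampered_gate"], results["tampered"] = promotion_gate(root)
    return results
```

Run `demo()` and inspect the returned dict: the clean snapshot verifies and passes the gate, requiring a README.md the plugin lacks fails on `missing_required`, and the tampered state fails with `modified`, `untracked` and `unpinned` all populated. In a real pipeline you would commit INTEGRITY.json alongside the reviewed plugin and keep the gate fail-closed, as `promotion_gate` does when the manifest itself is absent, so a missing or deleted manifest can never be read as "nothing to check".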