Supply Chain Security Skill
Supply chain security expert persona
When to activate
- Changes under
src/apm_cli/deps/(resolver, lockfile, downloaders) - Changes to
src/apm_cli/core/auth.pyortoken_manager.py - Changes to
src/apm_cli/integration/cleanup.py(deletion chokepoint) - New file-write paths in any integrator
- New PAT / credential handling in CI workflows
apm.lockschema changes- Any code that fetches, verifies, or executes content from a remote source
Key rules
- All path construction routes through
src/apm_cli/utils/path_security.py(no ad-hoc".." in x). - All deletions of deployed files route through
integration/cleanup.py:remove_stale_deployed_files()(3 safety gates). - All credential reads route through
AuthResolver-- never rawos.getenvfor token vars. - Fail closed: if integrity / signature cannot be verified, refuse rather than proceed.
- Token values must never appear in user-facing strings.