Activate when reviewing or modifying dependency resolution, lockfile schema, package downloaders, signature/integrity checks, file integration cleanup, or anything that could expose APM to dependency confusion, typosquatting, malicious packages, or token leakage.
Scanned 5/27/2026
Install via CLI
`openskills install microsoft/apm`

---
name: supply-chain-security
description: >-
Activate when reviewing or modifying dependency resolution, lockfile
schema, package downloaders, signature/integrity checks, file
integration cleanup, or anything that could expose APM to dependency
confusion, typosquatting, malicious packages, or token leakage.
---
# Supply Chain Security Skill
[Supply chain security expert persona](../../agents/supply-chain-security-expert.agent.md)
## When to activate
- Changes under `src/apm_cli/deps/` (resolver, lockfile, downloaders)
- Changes to `src/apm_cli/core/auth.py` or `token_manager.py`
- Changes to `src/apm_cli/integration/cleanup.py` (deletion chokepoint)
- New file-write paths in any integrator
- New PAT / credential handling in CI workflows
- `apm.lock` schema changes
- Any code that fetches, verifies, or executes content from a remote
source
## Key rules
- All path construction routes through
`src/apm_cli/utils/path_security.py` (no ad-hoc `".." in x`).
- All deletions of deployed files route through
`integration/cleanup.py:remove_stale_deployed_files()` (3 safety
gates).
- All credential reads route through `AuthResolver` -- never raw
`os.getenv` for token vars.
- Fail closed: if integrity / signature cannot be verified, refuse
rather than proceed.
- Token values must never appear in user-facing strings.
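
The first key rule, as an added example (this is not APM's code and not the API of `path_security.py`): a substring test such as `".." in x` both misses escapes and rejects legitimate names, while a resolve-then-contain check fails closed. `naive_is_safe`, `safe_join`, `PathEscapeError` and all sample paths are hypothetical and constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a candidate path resolves outside the allowed base."""


def naive_is_safe(rel: str) -> bool:
    # The ad-hoc pattern the rule forbids: a substring test on the raw input.
    return ".." not in rel


def safe_join(base: Path, rel: str) -> Path:
    """Join rel onto base and fail closed unless the result stays inside base."""
    base_resolved = base.resolve()
    # resolve() collapses ".." segments and follows symlinks before comparing.
    candidate = (base_resolved / rel).resolve()
    if not candidate.is_relative_to(base_resolved):
        raise PathEscapeError(f"{rel!r} escapes {base_resolved}")
    return candidate


def check_cases() -> dict:
    """Run both checks over constructed inputs; return {input: (naive, strict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "deploy"
        outside = Path(tmp) / "outside"
        base.mkdir()
        outside.mkdir()
        # Constructed symlink inside base that points outside it.
        os.symlink(outside, base / "link", target_is_directory=True)
        absolute = str(outside / "secret.txt")
        for rel in ["prompts/a.md", "notes..md", "../outside/x", absolute, "link/x"]:
            try:
                safe_join(base, rel)
                strict = True
            except PathEscapeError:
                strict = False
            key = "<absolute>" if rel == absolute else rel
            results[key] = (naive_is_safe(rel), strict)
    return results


if __name__ == "__main__":
    for name, (naive, strict) in check_cases().items():
        print(f"{name:15} naive={naive!s:5} strict={strict}")
```

The absolute-path and symlink inputs pass the substring test but resolve outside the base, and `notes..md` is a valid file name that the substring test wrongly rejects.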