supply-chain-check


Supply-chain hygiene audit

A defense-in-depth audit against npm-ecosystem supply-chain attacks (typosquatting, hijacked maintainer accounts, malicious postinstall scripts). Walks through the developer machine, the current project, and its CI workflows, then offers fixes one by one with explicit confirmation.

Operating rules (read first)

  1. Audit before fix. Always run the full audit and present findings before proposing any change.
  2. Confirm every write. Show the file path and the exact content you will write. Ask y/n. Never batch-apply.
  3. Never execute remote installers. If Safe Chain is missing, print the install command and link; do not run curl ... | sh yourself.
  4. Never auto-edit CI workflow files. YAML structure varies (matrices, reusable workflows). Print the snippet and the suggested path; let the user place it.
  5. Render policy values at runtime. Read policy.json from this skill's directory and substitute {{VERSION}} etc. into templates before showing them.
  6. Surface intentional overrides as warnings, not failures. ignore-scripts=false is a deliberate choice — flag for review, recommend @lavamoat/allow-scripts, do not propose flipping.
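The example below is added here and is not code from the strvcom/frontend-skills skill. It models three of the operating rules on in-memory input: audit before fix (the audit function only returns findings and never writes), confirm every write (a proposal is shown with its path and exact content and is applied only after an explicit yes), and rendering policy values at runtime (placeholders such as {{VERSION}} are filled from policy.json before a template is shown). The policy.json content and the .npmrc lines are constructed samples; the case-insensitive placeholder lookup, and the choice to report a missing ignore-scripts line as a finding while an explicit ignore-scripts=false is only a warning, are assumptions not stated on the page.

```javascript
// Added example, not part of the strvcom/frontend-skills skill.
// Assumptions (not from the page): {{NAME}} placeholders are looked up in policy.json
// case-insensitively; a missing ignore-scripts line is a finding with a proposed fix,
// an explicit ignore-scripts=false is a warning with no proposed fix (rule 6).

const POLICY_JSON = JSON.stringify({ version: "1.2.3" }); // constructed sample policy.json

// Rule 5: substitute {{VERSION}} etc. from the policy before a template is shown.
// An unknown placeholder is an error, so a half-rendered template is never displayed.
function renderTemplate(template, policy) {
  return template.replace(/\{\{([A-Z0-9_]+)\}\}/g, (_, name) => {
    const key = Object.keys(policy).find((k) => k.toUpperCase() === name);
    if (key === undefined) {
      throw new Error(`policy.json has no value for {{${name}}}`);
    }
    return String(policy[key]);
  });
}

// Minimal .npmrc reader: key=value lines, '#' and ';' comments, blank lines ignored.
function parseNpmrc(text) {
  const settings = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    settings.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return settings;
}

// Rule 1: the audit only reports. It returns findings and proposals; it writes nothing.
function auditNpmrc(npmrcText, path = ".npmrc") {
  const settings = parseNpmrc(npmrcText);
  const findings = [];
  const value = settings.get("ignore-scripts");
  if (value === undefined) {
    findings.push({
      severity: "finding",
      path,
      message: "ignore-scripts is not set; every dependency's lifecycle scripts run on install",
      proposal: { path, content: "ignore-scripts=true\n" },
    });
  } else if (value === "false") {
    findings.push({
      severity: "warning", // rule 6: intentional override, flag for review only
      path,
      message:
        "ignore-scripts=false is set explicitly; review this override and consider " +
        "@lavamoat/allow-scripts to allow-list only the packages that need install scripts",
      proposal: null, // deliberately no fix proposed
    });
  }
  return findings;
}

// Rule 2: show path and exact content, require an explicit yes, write one file at a time.
// confirm(prompt) returns true/false; writeFile is injected so the example runs offline.
function applyProposal(proposal, confirm, writeFile) {
  const prompt = `Write to ${proposal.path}:\n${proposal.content}Apply? (y/n)`;
  if (!confirm(prompt)) return { applied: false, path: proposal.path };
  writeFile(proposal.path, proposal.content);
  return { applied: true, path: proposal.path };
}

// Stand-alone run over constructed input; nothing below touches the real file system.
const policy = JSON.parse(POLICY_JSON);
const sampleNpmrc = "# constructed sample\nregistry=https://registry.npmjs.org/\nignore-scripts=false\n";
for (const f of auditNpmrc(sampleNpmrc)) {
  console.log(`[${f.severity}] ${f.path}: ${f.message}`);
}
console.log(renderTemplate("# rendered for policy v{{VERSION}}\nignore-scripts=true\n", policy));
```

Findings are surfaced before any proposal is shown, and `applyProposal` takes the confirmation callback as a parameter so the audit logic stays testable without an interactive prompt.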

Phase 1 — Detect environment

Run these in parallel:

Catalog listing: supply-chain-check (strvcom/frontend-skills); installs 17; GitHub stars 1; first seen May 26, 2026.