supply-chain-protection
Supply-Chain Protection Setup
One-time project setup to harden dependency management against supply-chain attacks.
Idempotency
Before each step, check whether the expected state already exists. If sfw is already installed, if the config already carries the release-age setting, or if CLAUDE.md already contains the "Dependency Supply-Chain Protection" section, skip that step and note it in the summary. This makes the skill safe to re-run without duplicating work.
Goal
Configure the repository so all dependency operations use Socket Firewall (sfw) and enforce a 48-hour minimum release age policy on packages.
Steps
1. Detect Package Manager
Inspect the repository for lockfiles and config, starting at the repo root and falling back to the current working directory:
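As an added example (not part of the skill itself), the lockfile detection with the root-then-cwd fallback, plus the two state checks named under Idempotency, in POSIX sh. The lockfile-to-manager mapping and its priority order are assumptions; the skill's own list is not reproduced here.

```shell
#!/bin/sh
# Added example: detect the package manager from lockfiles and run the
# idempotency checks from the skill. Lockfile mapping is an assumption.

# Print the package manager implied by lockfiles in one directory, or fail.
# First match wins, so a pnpm lockfile beside a stale package-lock.json
# still reports pnpm; adjust the order if the repository conventions differ.
detect_pm_in_dir() {
  dir="$1"
  [ -f "$dir/pnpm-lock.yaml" ]    && { echo pnpm;   return 0; }
  [ -f "$dir/yarn.lock" ]         && { echo yarn;   return 0; }
  [ -f "$dir/package-lock.json" ] && { echo npm;    return 0; }
  [ -f "$dir/package.json" ]      && { echo npm;    return 0; }
  [ -f "$dir/poetry.lock" ]       && { echo poetry; return 0; }
  [ -f "$dir/uv.lock" ]           && { echo uv;     return 0; }
  [ -f "$dir/requirements.txt" ]  && { echo pip;    return 0; }
  [ -f "$dir/Cargo.lock" ]        && { echo cargo;  return 0; }
  [ -f "$dir/go.sum" ]            && { echo go;     return 0; }
  return 1
}

# Look at the repository root first (if inside a git checkout), then fall
# back to the given directory (default: current working directory).
detect_pm() {
  start="${1:-$PWD}"
  root=$(git -C "$start" rev-parse --show-toplevel 2>/dev/null || true)
  if [ -n "$root" ] && pm=$(detect_pm_in_dir "$root"); then
    echo "$pm"
    return 0
  fi
  detect_pm_in_dir "$start"
}

# Idempotency checks: succeed when the step's end state already exists.
sfw_installed() { command -v sfw >/dev/null 2>&1; }
claude_md_has_section() {
  grep -qF "Dependency Supply-Chain Protection" "${1:-.}/CLAUDE.md" 2>/dev/null
}
```

The release-age check is not shown because the config format it lives in is not given on this page.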