feat(ai-security): add /security-supply-chain skill (v2.2.0)

New interactive skill that hardens projects against npm supply chain
attacks by configuring pnpm's minimum-release-age quarantine and
frozen lockfile enforcement. Detects package manager, checks pnpm
version, and recommends pnpm migration for npm/Yarn/Bun users.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: charlesjones-dev

.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "A curated list of custom Claude Code plugins, agents, and skills for developers.",
-    "version": "2.1.0",
+    "version": "2.2.0",
     "pluginRoot": "./plugins"
   },
   "plugins": [
@@ -98,8 +98,8 @@
     {
       "name": "ai-security",
       "source": "./plugins/ai-security",
-      "description": "AI-powered security auditing with interactive skill, automated agents, and web dependency scanning for comprehensive vulnerability detection and reporting",
-      "version": "1.4.0",
+      "description": "AI-powered security auditing with interactive skills, automated agents, web dependency scanning, and supply chain hardening for comprehensive vulnerability detection and reporting",
+      "version": "1.5.0",
       "keywords": [
         "ai",
         "security",
@@ -110,6 +110,9 @@
         "owasp",
         "scanning",
         "defensive",
+        "supply-chain",
+        "dependencies",
+        "pnpm",
         "skills"
       ],
       "author": {

CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.2.0] - 2026-03-31
+
+### Added
+
+#### AI-Security Plugin (v1.5.0)
+
+- `/security-supply-chain` new skill for hardening projects against npm supply chain attacks
+  - Detects package manager (pnpm, npm, Yarn, Bun) and validates compatibility
+  - Configures pnpm's `minimum-release-age` in `.npmrc` to quarantine newly published packages
+  - Interactive timeframe selection with previews (24 hours, 3 days, 7 days, or custom)
+  - Scans CI/CD configs for frozen lockfile usage and offers to add `frozen-lockfile=true`
+  - Checks pnpm version and offers upgrade if below 10.16.0 minimum
+  - Recommends pnpm migration for npm/Yarn/Bun users who lack quarantine protection
+  - Creates two defense layers: time-based quarantine (local dev) + frozen lockfile (CI/CD)
+
 ## [2.1.0] - 2026-03-22
 
 ### Added

README.md

@@ -1,6 +1,6 @@
 # Claude Code Plugins for Developers
 
-[![Version](https://img.shields.io/badge/version-2.1.0-blue.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/releases)
+[![Version](https://img.shields.io/badge/version-2.2.0-blue.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/releases)
 [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 [![GitHub Issues](https://img.shields.io/github/issues/charlesjones-dev/claude-code-plugins-dev.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/issues)
 [![GitHub Stars](https://img.shields.io/github/stars/charlesjones-dev/claude-code-plugins-dev.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/stargazers)
@@ -23,7 +23,7 @@ This Claude Code plugin marketplace provides plugins that extend Claude Code's c
 | [ai-git](plugins/ai-git/) | AI-powered git automation and workflow streamlining | `/git-init`, `/git-commit-push`, `/git-commit-push-pr` | - |
 | [ai-learn](plugins/ai-learn/) | AI-powered Socratic learning mode for guided problem-solving | `/learn`, `/learn-review` | - |
 | [ai-performance](plugins/ai-performance/) | AI-powered performance optimization and bottleneck detection | `/performance-audit` | `performance-auditor` |
-| [ai-security](plugins/ai-security/) | AI-powered security auditing with reproducible reports | `/security-init`, `/security-audit`, `/security-scan-dependencies` | `security-auditor`, `security-dependency-scanner` |
+| [ai-security](plugins/ai-security/) | AI-powered security auditing with reproducible reports | `/security-init`, `/security-audit`, `/security-scan-dependencies`, `/security-supply-chain` | `security-auditor`, `security-dependency-scanner` |
 | [ai-statusline](plugins/ai-statusline/) | AI-powered status line customization with progress bars | `/statusline-wizard`, `/statusline-edit` | - |
 | [ai-workflow](plugins/ai-workflow/) | AI-powered development workflow automation | `/workflow-plan-phases`, `/workflow-implement-phases`, `/workflow-preflight`, `/workflow-ship`, `/workflow-principles` | - |
 | [ai-compliance](plugins/ai-compliance/) | AI-powered license compliance auditing and attribution generation | `/compliance-license-audit`, `/compliance-notice-generate` | - |

plugins/ai-security/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ai-security",
-  "version": "1.4.0",
-  "description": "AI-powered security auditing with interactive skill, automated agents, and web dependency scanning for comprehensive vulnerability detection and reporting",
+  "version": "1.5.0",
+  "description": "AI-powered security auditing with interactive skills, automated agents, web dependency scanning, and supply chain hardening for comprehensive vulnerability detection and reporting",
   "author": {
     "name": "Charles Jones",
     "url": "https://charlesjones.dev"
@@ -13,6 +13,9 @@
     "compliance",
     "auditing",
     "auditor",
+    "supply-chain",
+    "dependencies",
+    "pnpm",
     "skills"
   ]
 }

plugins/ai-security/README.md

@@ -191,6 +191,48 @@ Scan a deployed website for outdated dependencies, known CVEs, and security misc
 # ✅ Report saved to /docs/security with timestamp
 ```
 
+### `/security-supply-chain`
+
+Harden your project against npm supply chain attacks by configuring pnpm's `minimum-release-age` quarantine and frozen lockfile enforcement.
+
+**What it does:**
+
+- 🔍 **Detects your package manager** (pnpm, npm, Yarn, Bun) and validates compatibility
+- 🛡️ **Configures `minimum-release-age`** in `.npmrc` to quarantine newly published packages
+- 🔒 **Offers frozen lockfile enforcement** via `.npmrc` for reproducible CI/CD builds
+- ⬆️ **Checks pnpm version** and offers to upgrade if below the 10.16.0 minimum
+- 🎯 **Interactive timeframe selection** with previews (24 hours, 3 days, 7 days, or custom)
+- 📊 **Scans CI/CD configs** to detect existing frozen lockfile usage
+- 💡 **Recommends pnpm migration** for npm/Yarn/Bun users who lack this protection
+
+**How it works:**
+
+```
+/security-supply-chain
+# Detects pnpm as package manager
+# Checks pnpm version (needs 10.16.0+)
+# Checks existing .npmrc configuration
+# Ask: Choose quarantine timeframe (24h, 3d, 7d, custom)
+# Ask: Add frozen-lockfile=true?
+# Shows preview of all changes
+# Writes .npmrc configuration
+# Verifies changes were applied correctly
+```
+
+**Defense layers created:**
+
+```
+Layer 1 - Quarantine (local development):
+  Prevents installing packages published less than X days ago.
+  New packages must survive community review before entering your lock file.
+
+Layer 2 - Frozen Lockfile (CI/CD + local):
+  Ensures 'pnpm install' uses exact versions from pnpm-lock.yaml.
+  Builds fail if the lock file is out of sync.
+```
+
+**Learn more:** [Stop Supply Chain Attacks: Why Your Build Pipeline Should Use Locked Dependencies](https://charlesjones.dev/blog/npm-supply-chain-attacks-ci-cd-locked-dependencies)
+
 **Comparison: `/security-audit` vs `/security-scan-dependencies`**
 
 | Feature | `/security-audit` | `/security-scan-dependencies` |
@@ -586,10 +628,10 @@ This timestamp-based naming ensures multiple audits on the same day don't overwr
 ## 📦 Plugin Details
 
 - **Name:** AI-Security
-- **Version:** 1.4.0
+- **Version:** 1.5.0
 - **Type:** Comprehensive Security Toolkit
 - **Features:**
-  - Skills: `/security-init`, `/security-audit`, `/security-scan-dependencies`
+  - Skills: `/security-init`, `/security-audit`, `/security-scan-dependencies`, `/security-supply-chain`
   - Agents: `security-auditor`, `security-dependency-scanner`
 - **License:** MIT
 - **Author:** Charles Jones