Dependency and Supply-Chain Scanning for Agents
0/4 steps0%

Step 1 of 4

Intercept dependency additions

Every new dependency is a trust decision - catch it at the source.

First time here? Paste the Context Pack first so the AI understands your project - open it from the header above.

Prompt Capsule
Hook the dependency-adding actions. Identify every way the agent can add a dependency: package-manager install commands (pip install, npm/yarn add, etc.), direct edits to manifests (requirements.txt, package.json, pyproject, go.mod), and lockfile edits. Route these through a supply-chain gate before they take effect: parse out the package name(s) and version(s) being added, and pause for the checks (next steps) rather than executing immediately. Distinguish adding a NEW dependency (full gate) from updating an existing reviewed one (lighter path). Ensure no install path bypasses the gate - including the agent writing a manifest and running install as separate steps. Verify by having the agent attempt an install and confirming the gate intercepts it.
Paste into EmergentFull Build: complete implementation prompt with explicit requirements

Quick is short. Full Build is recommended for most steps. Strict forces real logic when the AI keeps faking output.

Actual change check

Expected after this step

All dependency-adding paths intercepted before taking effect.

Should NOT happen

  • An existing feature broke
  • A button only logs to console
  • Data disappears after refresh
  • Errors fail silently with no visible state

This is what should exist before you continue. If reality does not match, do not move on.

Track what changed, failed, or needs follow-up. Notes export with the flow.

Made with Emergent