Use case · supply-chain defense
Stop the worm at publish, not at install.
Mini Shai-Hulud spread through compromised npm publish tokens. SynOI Supply Chain Guard wraps `npm publish` so every release requires out-of-band human approval before any consumer-side scanner ever sees a malicious version.
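To make the publisher-side gate concrete, here is an added example (not SynOI code, and not a description of how Supply Chain Guard is built) of the property the paragraph above describes: a stolen publish token on its own is not enough to ship a version. The example assumes three separate parties: a CI job that holds the npm publish token and computes the digest of the tarball it built, an out-of-band approval side where a human signs off on one exact name/version/digest, and a gate between CI and the registry that verifies that approval. The function and class names (`tarball_digest`, `issue_approval`, `PublishGate`) are this example's own. To stay standard-library only it uses an HMAC shared between the approval side and the gate (never with CI); a production design would use asymmetric signatures such as an in-toto attestation so the gate holds only a public key.

```python
"""Publisher-side human-in-the-loop gate for `npm publish` (added example).

Parties, by assumption:
  * CI            holds the publish token; builds the tarball; cannot mint approvals.
  * approval side out of band from CI; a human approves one exact release.
  * PublishGate   between CI and the registry; verifies approvals, enforces expiry
                  and single use, and refuses anything else.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def tarball_digest(tarball_bytes: bytes) -> str:
    """Digest of the exact artifact CI is about to publish (npm's integrity field uses sha512)."""
    return "sha512-" + hashlib.sha512(tarball_bytes).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so approver and gate MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_approval(approver_key: bytes, name: str, version: str, digest: str,
                   approver: str, ttl: int = 900, now: Optional[int] = None) -> dict:
    """Approval side: bind one human decision to one name/version/digest, short-lived, single-use."""
    now = int(time.time()) if now is None else now
    body = {"name": name, "version": version, "digest": digest, "approver": approver,
            "nonce": secrets.token_hex(8), "exp": now + ttl}
    mac = hmac.new(approver_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class PublishGate:
    """Wraps the publish step. The publish token never reaches here without a valid approval."""

    def __init__(self, approver_key: bytes):
        self._key = approver_key
        self._seen = set()  # consumed nonces: one approval releases exactly one publish

    def check(self, approval: dict, name: str, version: str, digest: str,
              now: Optional[int] = None) -> Tuple[bool, str]:
        """Return (allowed, reason). Every failure is a hard stop, not a warning."""
        now = int(time.time()) if now is None else now
        body = approval.get("body", {})
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(approval.get("mac", ""))):
            return False, "approval MAC invalid"
        if (body.get("name"), body.get("version"), body.get("digest")) != (name, version, digest):
            # A worm that swaps the tarball after approval lands here: digest no longer matches.
            return False, "approval does not match the artifact being published"
        if now >= int(body.get("exp", 0)):
            return False, "approval expired"
        if body.get("nonce") in self._seen:
            return False, "approval already used"
        self._seen.add(body.get("nonce"))
        return True, f"approved by {body.get('approver')}"


if __name__ == "__main__":
    # Constructed demo: the key is shared by approver and gate only.
    key = secrets.token_bytes(32)
    gate = PublishGate(key)
    good = tarball_digest(b"constructed legitimate tarball bytes")
    approval = issue_approval(key, "example-pkg", "1.2.3", good, "release-manager")
    print(gate.check(approval, "example-pkg", "1.2.3", good))                    # allowed
    print(gate.check(approval, "example-pkg", "1.2.3", good))                    # replay refused
    worm = tarball_digest(b"constructed tampered tarball bytes")
    print(gate.check(approval, "example-pkg", "1.2.3", worm))                    # digest mismatch
    print(gate.check({"body": approval["body"], "mac": "00"}, "example-pkg", "1.2.3", good))  # forged
```

The checks are ordered so that the cheapest forgeries fail first (bad MAC, then artifact mismatch), and an approval is consumed only when it actually releases a publish, so a rejected attempt does not burn a legitimate approval.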
Coming soon
The full SCG architecture story expands here as the public beta lands in Q1 2027. Today: publisher-side human-in-the-loop (HITL) approval is a distinct layer from consumer-side scanning. Both should exist. Neither is the other.
- Supply Chain Guard · publisher-side HITL on `npm publish` and equivalents
- Registry Mirror · npm-compatible mirror with state-divergence detection on install
- PR Bot · GitHub App comments on package-lock changes with divergence verdicts
- OID Resolver · public content-addressed attestation surface
- in-toto attestations · consumable by any SLSA-aware verifier