L1 Essential
Automated verification

6.1 Verified Component Sources

6. Supply Chain Integrity
How do we trust components?

Description

All agent components MUST come from verified and trusted sources.

Rationale

Supply chain attacks inject malicious code through trusted distribution channels.

Audit Procedure

1. List all external components
2. Verify each source is trusted
3. Check for components from arbitrary URLs

Remediation

1. Maintain an allowlist of approved sources
2. Use package registries with verified publishers
3. Pin all dependencies to exact versions
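As an added example (not part of this control's text), a small Python checker that applies the audit steps and remediation above to a pip requirements.txt: it flags dependencies fetched from arbitrary URLs or non-allowlisted indexes, and dependencies not pinned to an exact version, commit or hash. The allowlisted hosts and the sample file are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of approved sources (constructed for this example).
ALLOWED_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}
ALLOWED_URL_HOSTS = {"github.com"}   # hosts approved for direct/VCS references
INDEX_OPTS = ("-i", "--index-url", "--extra-index-url", "-f", "--find-links")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*[^,;\s]+")
IMMUTABLE_RE = re.compile(r"@[0-9a-f]{40}\b|--hash=sha256:[0-9a-f]{64}")

def host_allowed(url, allowed_hosts):
    """True only for HTTPS (or VCS+HTTPS) URLs whose host is allowlisted."""
    parsed = urlparse(url)
    return parsed.scheme.endswith("https") and parsed.hostname in allowed_hosts

def audit_line(line):
    """Return the findings for one requirements.txt line ([] if compliant)."""
    text = "" if line.lstrip().startswith("#") else re.split(r"\s+#", line)[0].strip()
    if not text or text.startswith(("-r", "-c")):  # blank, or an include audited separately
        return []
    if text.startswith(INDEX_OPTS):                 # option selecting where pip downloads from
        url = re.split(r"[=\s]+", text, maxsplit=1)[-1]
        return [] if host_allowed(url, ALLOWED_INDEX_HOSTS) else [f"untrusted index source: {url}"]
    if "://" in text:                               # direct reference 'name @ URL' or VCS URL
        url = text.split("@", 1)[1].strip() if " @ " in text else text
        findings = []
        if not host_allowed(url, ALLOWED_URL_HOSTS):
            findings.append(f"component from arbitrary URL: {url}")
        if not IMMUTABLE_RE.search(text):           # tags and branches can move; commits/hashes cannot
            findings.append(f"URL reference not pinned to a commit or hash: {url}")
        return findings
    if not PIN_RE.match(text):                      # ranges (>=, ~=) or bare names are not pins
        return [f"unpinned dependency: {text}"]
    return []

def audit_requirements(text):
    """Map each non-compliant line number to its findings."""
    results = ((n, audit_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: f for n, f in results if f}

# Constructed sample requirements file exercising each audit check.
SAMPLE = """\
--index-url https://pypi.org/simple
--extra-index-url http://internal-mirror.example/simple
requests==2.31.0
pyyaml>=6.0
fancy-lib @ https://cdn.example.net/fancy-lib-1.0.tar.gz
git+https://github.com/example-org/tool.git@0123456789abcdef0123456789abcdef01234567#egg=tool
"""
if __name__ == "__main__":
    print(*(f"line {n}: {'; '.join(f)}" for n, f in sorted(audit_requirements(SAMPLE).items())), sep="\n")
```

Lines 2, 4 and 5 of the sample are reported; the pinned registry package and the commit-pinned reference on an approved host pass.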

Framework Mappings

CIS Control 2.5
CIS Control 2.6
NIST PR.DS-6