Install with proof, not faith.
Agents run the tools you install with real permissions. Plinth treats that as a supply-chain problem and answers it on-chain: every build is hashed, every publisher is identified, every version is immutable.
Integrity hash on every release
Publishing computes a content hash of the build and anchors it on Solana. Install verifies the bytes match before the tool can run — a tampered package fails closed.
Provenance you can trace
Each version records who published it and when. Walk a tool's full release history on-chain — no silent re-publishing under the same version.
Scoped, least-privilege permissions
Manifests declare exactly what a tool may touch — network, filesystem, keys. The runtime enforces those scopes; anything undeclared is denied.
Staked verification & slashing
Verified tools are backed by a publisher's $PLINTH stake. Confirmed malicious behavior slashes it — trust has a cost to fake.
What's anchored on-chain
{
"tool": "@plinth/postgres",
"version": "3.4.0",
"integrity": ""sha256:9f2a…c1d4",
"publisher": "tessera",
"scopes": ["net:read","net:write"],
"staked": "12,000 PLINTH",
"anchored": "tx 4Kp…uZ"
}Immutable versions
Once a version is anchored it can't be edited — only superseded by a new one. An agent that pinned 3.4.0 always gets exactly those bytes.
Fails closed
If a hash doesn't match, the publisher can't be verified, or a scope is violated, the install is rejected. The default is to not run.
Open to audit
Anyone can resolve a tool's record and re-check its integrity independently. Security here isn't a promise — it's a read.