- Two-Axis Model sources table: replace mutable `github://owner/repo` row with
  pinned-tag and pinned-SHA rows; clarify these are now the only valid forms
- Installing a Plugin: update GitHub example to use `#v1.0.0`; add Callout
  warning that bare refs return HTTP 422 with link to Supply Chain Security section
- Install Safeguards: add `PLUGIN_ALLOW_UNPINNED` env var row (dev escape hatch)
- New "Supply Chain Security" section: explains pinned-ref enforcement (SAFE-T1102),
  shows valid vs invalid ref forms, SHA-256 content integrity option with hash
  computation recipe, and `PLUGIN_ALLOW_UNPINNED` escape hatch

Pairs with monorepo PR #775 (fix(security): plugin supply chain hardening).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>