Probes a GitHub repo, npm package, or website for the code-signing trust roots that gate your supply chain: Sigstore Cosign attestations, SLSA provenance level, in-toto attestations, the npm --provenance flag, and GitHub release artifact signatures. Flags ECDSA-only roots as post-quantum cryptography (PQC) migration targets per NIST guidance. Pairs with the PQC Analyzer and PQC Migration Plan Generator.