Interactive supply-chain security lab. Its six scenarios cover: cosign verify run without certificate-identity; syft SBOMs that miss Go modules under -ldflags strip; SLSA L2 vs L3 provenance; Python dependency confusion via --extra-index-url; GitHub Actions pull_request_target workflows that expose secrets to fork checkouts; and Kyverno verifyImages namespace-scope gaps.