Source code protection with SHA-256 manifests.
When AI agents manage your infrastructure, how do you know they only did what you asked? When a CI/CD pipeline deploys to production, how do you verify nothing was tampered with in transit? When you come back Monday morning, how do you prove your codebase is exactly what it was on Friday?
sshDCommander solves this with SHA-256 deploy manifests: cryptographic proof of every file's integrity, generated during transfer and verifiable at any time.
The problem: trust, but verify
AI agents like Claude Code, Cursor, and Windsurf are increasingly managing real infrastructure. They execute commands, deploy code, modify configuration files. This is powerful — but it introduces a fundamental question of trust:
- Did the AI agent modify only the files you expected?
- Was the deployed artifact tampered with during transfer?
- Has an unauthorized process modified files on your server since the last deployment?
- Can you prove to an auditor exactly what is running in production right now?
Without cryptographic verification, the answer to all of these is: you don't know.
How it works
sshDCommander computes a SHA-256 hash for every file during SFTP transfer — not as a separate pass, but streaming during the upload itself. This hash is recorded in a JSON deploy manifest:
The manifest is a simple JSON file that records each file path, its SHA-256 hash, and the transfer timestamp:
Later — hours, days, or weeks — you can verify that every file on the server still matches the manifest:
What this protects against
Rogue AI agents
An AI agent modifies files it wasn't supposed to touch. The manifest catches the unauthorized change.
Supply chain attacks
A dependency or build artifact is tampered with before deployment. SHA-256 verification detects the difference.
Compromised pipelines
CI/CD infrastructure is breached and injects malicious code. Manifest comparison reveals the inserted files.
Configuration drift
Someone manually edits a config file on the server. Next verification flags the change with the exact file and mismatch.
Insider threats
An unauthorized actor modifies production files directly. The manifest provides cryptographic evidence of what changed.
Compliance auditing
Regulators ask what's running in production. The manifest is a timestamped, hash-verified inventory of every deployed file.
Why no competitor offers this
Traditional SSH tools transfer files and forget about them. They don't compute checksums during transfer, they don't maintain manifests, and they don't offer post-deployment verification. sshDCommander's SHA-256 manifest system is built into the transfer layer itself — not bolted on as an afterthought.
This matters especially in the age of AI-driven infrastructure management. When AI agents are deploying code, transferring files, and modifying server configurations, you need cryptographic proof of what happened, not just logs saying "a file was uploaded."
Integrating with your workflow
Manifests are standard JSON files. You can:
- Store them in git alongside your deployment scripts
- Compare manifests between deployments to see exactly what changed
- Run scheduled verification checks via cron or your monitoring system
- Include manifest verification in your CI/CD pipeline as a post-deploy gate
- Have AI agents automatically verify integrity after every deployment
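The record-then-verify cycle described under "How it works", in the form a cron job or post-deploy gate could run it, as an added Python example. It is not sshDCommander's code: the manifest field names (`files`, `sha256`, `transferred_at`) and the sample files are assumptions made up for illustration, and it hashes files on local disk rather than during an SFTP transfer.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash in chunks so large files never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def walk(root):
    """Map 'relative/posix/path' -> Path for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def build_manifest(root):
    # Field names are hypothetical; this is not sshDCommander's manifest schema.
    now = datetime.now(timezone.utc).isoformat()
    return {"files": {rel: {"sha256": sha256_file(p), "transferred_at": now}
                      for rel, p in walk(root).items()}}

def verify(root, manifest):
    """Report files that changed, vanished, or appeared since the manifest was written."""
    on_disk, recorded = walk(root), manifest["files"]
    return {
        "modified": sorted(r for r in recorded if r in on_disk
                           and sha256_file(on_disk[r]) != recorded[r]["sha256"]),
        "missing": sorted(r for r in recorded if r not in on_disk),
        "unexpected": sorted(r for r in on_disk if r not in recorded),
    }

def demo():
    """Constructed sample tree: record it, then edit, delete and add one file each."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "conf").mkdir()
        for rel, data in {"app.py": b"print('v1')\n", "README": b"docs\n",
                          "conf/app.ini": b"debug=false\n"}.items():
            Path(root, rel).write_bytes(data)
        manifest = json.loads(json.dumps(build_manifest(root)))  # survives JSON round-trip
        Path(root, "conf/app.ini").write_bytes(b"debug=true\n")  # edited on the server
        Path(root, "README").unlink()                            # removed
        Path(root, "extra.sh").write_bytes(b"#!/bin/sh\n")       # never deployed
        return verify(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A result is only as trustworthy as the manifest copy it is checked against, so read the manifest from somewhere the server being verified cannot write to, such as the git repository mentioned in the list above. A gate built on `verify` should fail on any non-empty list, including `unexpected`, since a file that was never deployed has no hash to mismatch.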
Try it today
Source code protection via SHA-256 manifests is included in every sshDCommander base license. No add-ons, no extra cost. Start your 5-day free trial and deploy your first verified manifest in under a minute.