AI supply chain · software trust evidence

Review the AI systems changing your software

AI coding agents, editor skills and rules, and MCP servers now write code in your repos. They add packages, edit manifests, and run tools across your codebase, often before a human looks. Each one declares its own reach into your filesystem, your network, and your secrets. This page treats those agent surfaces as evidence subjects: capture what each declares, record the human decision around it, and share a packet a buyer can independently check.

The problem

An agent installs a dependency, edits a lockfile, and connects an MCP server while a developer watches the diff scroll by. The capability surface shifts every time someone adds a new skill or connector, and that surface lives in config files scattered across machines. When a buyer's reviewer asks what is installed, what each agent can actually reach, and who decided to allow it, the answer is gone. Scanners read your source and dependencies, not the agent runtime that introduced them, so the agent itself is never the subject. GRC platforms hold questionnaire answers, not the skills and MCP servers on a developer's machine. The executable-capability evidence an agent declares, and the human call made about it, falls between every tool you already run.

What to review

AI coding agents and CLI agents

Claude Code, Cursor agents, CLI agents, and bots edit your repos and run tools on your behalf. Review the capability surface each one declares: filesystem reach (broad or scoped paths), network access (declared hosts or unbounded), secret-style scopes (tokens, keys, env, vault), the tools it can invoke, and its update source. A declared permission records reach, not a verdict: installed only means present, and your policy decides whether that reach is trusted.

Agent skills and editor rules

Skills, Cursor rules, and instruction files steer what an agent does and which tools it reaches for. Review each as an evidence subject: its prompt and instruction files, its declared tool scope (a wildcard or all-scope grant deserves a closer look), the publisher or source it came from, and whether it is pinned to a version and digest or pulled from a rolling source. A signature attests integrity and origin only; the buyer still reviews what the skill does, and a missing signal is an open unknown for the reviewer to chase down, not a pass.

MCP servers and connectors

MCP servers and connectors bridge an agent to your filesystem, network, secrets, and external tools. Review what each declares: connector scopes, network access, secret-style credentials, the tools it exposes, and whether its source auto-updates. An MCP connection records a capability your policy still decides on. Capture the declared capability and record who decided to connect it.

How OpenSoyce records it

OpenSoyce observes each installed agent, skill, and MCP server as an evidence subject and records its name, version, source, declared permissions, tools, MCP connections, connector scopes, network and filesystem access, update source, and digest. From that manifest it surfaces capability review signals, such as broad filesystem access, declared network access, secret-style scopes, a wildcard tool scope, or an auto-updating source. Each signal is a prompt to look, never a verdict. It records the human risk decision taken on any signal with an accountable owner and an expiry, and the original finding stays standing underneath that decision. The inventory and the decisions render into a signed evidence packet, a buyer-readable dossier, and a JSON export. The signature attests integrity and origin only, and the full review history travels with the record for the reader to weigh.
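The review in the three "What to review" sections and the signals-then-decision-then-packet flow described here can be shown end to end on a small inventory. The following is an added example, not OpenSoyce code and not any real agent, skill or MCP config schema: the inventory records, their field names, the decisions, the owners, the hosts and the signing key are all constructed for the example. The signal thresholds (which paths count as broad, which env names look like secrets) are assumptions a reviewer would tune, and HMAC stands in for whatever signature a real packet would carry.

```python
import hashlib
import hmac
import json
import re
from datetime import date

# Constructed inventory of three evidence subjects. The field names are an
# assumed normalized form for this example, not a real agent/skill/MCP schema.
INVENTORY = [
    {"kind": "mcp_server", "name": "fs-bridge", "version": "1.4.0",
     "source": "git+https://example.invalid/fs-bridge", "digest": None,
     "filesystem": ["/"], "network": [], "env": ["HOME"],
     "tools": ["read_file", "write_file", "run_shell"], "update": "rolling"},
    {"kind": "skill", "name": "deploy-helper", "version": "0.3.1",
     "source": "https://example.invalid/skills/deploy-helper",
     "digest": "sha256:" + "ab" * 32, "filesystem": ["./deploy"],
     "network": ["api.example.invalid"],
     "env": ["AWS_SECRET_ACCESS_KEY", "VAULT_TOKEN"], "tools": ["*"],
     "update": "pinned"},
    {"kind": "agent", "name": "lint-bot", "version": "2.0.0",
     "source": "https://example.invalid/lint-bot", "digest": "sha256:" + "cd" * 32,
     "filesystem": ["./src"], "network": [], "env": [], "tools": ["read_file"],
     "update": "pinned"},
]

BROAD_PATHS = {"/", "~", "*", "**", "C:\\"}          # assumption: what "broad" means
SECRET_NAME = re.compile(r"TOKEN|SECRET|KEY|PASS(WORD)?|VAULT|CRED", re.I)
TODAY = date(2025, 12, 1)  # fixed so the example is reproducible


def review_signals(subject):
    """Signals a subject's declaration raises. Each is a prompt to look, not a verdict."""
    s = []
    if any(p in BROAD_PATHS for p in subject["filesystem"]):
        s.append("broad_filesystem")
    if subject["network"]:
        s.append("unbounded_network" if "*" in subject["network"] else "declared_network")
    if any(SECRET_NAME.search(v) for v in subject["env"]):
        s.append("secret_scope")
    if "*" in subject["tools"]:
        s.append("wildcard_tools")
    if subject["update"] != "pinned" or not subject["digest"]:
        s.append("auto_updating_source")
    return s


def findings(inventory):
    return [{"subject": x["name"], "signal": sig}
            for x in inventory for sig in review_signals(x)]


def record_decision(subject, signal, owner, expires, rationale, today=TODAY):
    """A risk decision hangs off a finding with an owner and an expiry.
    It never deletes the finding; once expired it no longer covers it."""
    return {"subject": subject, "signal": signal, "owner": owner,
            "expires": expires.isoformat(), "rationale": rationale,
            "active": today <= expires}


def open_findings(inventory, decisions):
    """Findings with no active, owned decision: what a reviewer still chases."""
    covered = {(d["subject"], d["signal"]) for d in decisions if d["active"]}
    return [f for f in findings(inventory) if (f["subject"], f["signal"]) not in covered]


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_packet(inventory, decisions, key, today=TODAY):
    """Inventory, findings and decisions together, with a MAC over the canonical
    bytes. HMAC stands in for a real signature; either way the tag attests
    integrity and origin only, never that a capability is acceptable."""
    body = {"generated": today.isoformat(), "inventory": inventory,
            "findings": findings(inventory), "decisions": decisions}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_packet(packet, key):
    expected = hmac.new(key, _canonical(packet["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, packet["hmac_sha256"])


# Constructed decisions: one live exception, one that has lapsed.
DECISIONS = [
    record_decision("fs-bridge", "broad_filesystem", "alice@example.invalid",
                    date(2026, 1, 31), "runs under a sandbox mount; revisit at renewal"),
    record_decision("deploy-helper", "wildcard_tools", "bob@example.invalid",
                    date(2025, 6, 30), "pilot only"),
]
KEY = b"constructed-demo-key"  # assumption: a real packet uses a managed signing key

if __name__ == "__main__":
    packet = build_packet(INVENTORY, DECISIONS, KEY)
    print(json.dumps(open_findings(INVENTORY, DECISIONS), indent=1))
    print("packet verifies:", verify_packet(packet, KEY))
```

Running it lists four findings still open: the rolling source on fs-bridge, and the declared network, secret-style env and wildcard tool scope on deploy-helper, because bob's decision expired and no longer covers the wildcard grant, while alice's live decision covers the broad filesystem signal without erasing it from the packet. Flipping any byte in the packet body makes verify_packet return False, which is all the tag tells a buyer; whether "/" is an acceptable mount for fs-bridge is still the policy's call.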

The boundary

OpenSoyce preserves and explains what each agent, skill, and MCP server declares, and it leaves the agent-safety decision to your policy. Installed records presence, and your policy decides trust; a declared permission marks reach the buyer still weighs; an MCP connection records a capability your reviewer still decides on; and a missing signal stays an open unknown for the reviewer to chase. A captured manifest is observed evidence the buyer independently checks, and a capability signal is a prompt to look, never a verdict. The signature attests integrity and origin only.