Claim

Software trust evidence

Dependency review evidence, recorded on every pull request

The problem

A dependency lands in a pull request and the review happens in a thread, a comment that scrolls away, or someone's memory. When a buyer or an incident asks "who looked at this, what did they see, and what did they decide?", there is no durable record tied to the exact package version that merged.

Why current tools miss it

Scanners list CVEs but stop at the finding and forget who reviewed it. GRC platforms track controls, not the dependency decision made at merge time. SBOMs inventory what shipped without the review history, and trust centers publish a posture instead of the per-PR evidence and the human call behind it.

How OpenSoyce records the evidence

On each pull request, OpenSoyce observes the dependency, package, CI, and AI-agent evidence and posts a comment that flags which of those signals need policy attention. The comment is read-only: it does not gate the merge. The human risk decision is recorded against the exact package version that merged, and when a team accepts a risk, the acceptance is logged with an owner and an expiry, so the call is documented without removing the finding. The result is a signed evidence packet and a buyer-readable dossier, with a JSON export API and signed webhook events for downstream systems.

The boundary

OpenSoyce preserves and explains the evidence and the decision around each dependency; it does not decide trust. The signature attests that a packet is unmodified and came from the expected source, and the artifact binding ties it to the exact package version; your policy decides what merges. This is control-review evidence that may support SOC 2 reviews.
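The split described above, a signature that attests integrity and origin and a separate local policy that decides what merges, is easy to get backwards when wiring a webhook or export consumer. The following is an added example, not OpenSoyce's code or its packet format: it assumes a hypothetical packet layout (artifact name, version and digest; a decision with status, owner and expiry), an HMAC-SHA256 signature over canonical JSON with a shared secret, and a constructed sample packet. It verifies the signature first, checks that the evidence is bound to the exact package version in question, and only then applies a policy that treats an accepted risk as valid while it has an owner and an unexpired date.

```python
# Added example (not OpenSoyce's code): consume one signed evidence packet,
# check its binding to the exact package version, then apply a local policy.
# Assumptions: the packet field names, HMAC-SHA256 over canonical JSON as the
# signature scheme, and the shared secret are all illustrative.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed shared secret for the hypothetical signed webhook/packet (constructed).
SHARED_SECRET = b"constructed-example-secret"


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so producer and consumer sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


def verify_signature(payload: dict, signature: str, secret: bytes = SHARED_SECRET) -> bool:
    """Integrity and origin only: a valid signature says the packet is unmodified
    and came from the holder of the secret, not that the dependency is safe."""
    return hmac.compare_digest(sign(payload, secret), signature)


def bound_to(payload: dict, name: str, version: str, digest: str) -> bool:
    """The evidence must name the exact version (and digest) that merged,
    not merely the package."""
    art = payload["artifact"]
    return art["name"] == name and art["version"] == version and art["digest"] == digest


def policy_allows(payload: dict, now_iso: str) -> tuple:
    """Local merge policy (ours, not the tool's). An accepted risk must have an
    owner and an expiry still in the future; the finding itself stays recorded."""
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    decision = payload["decision"]
    status = decision.get("status")
    if status == "clear":
        return True, "no open finding"
    if status != "accepted_risk":
        return False, "unhandled decision status: %s" % status
    if not decision.get("owner"):
        return False, "risk acceptance has no owner"
    expires = datetime.fromisoformat(decision["expires_at"]).astimezone(timezone.utc)
    if expires <= now:
        return False, "risk acceptance expired at %s" % decision["expires_at"]
    return True, "risk accepted by %s until %s" % (decision["owner"], decision["expires_at"])


def review_evidence(payload, signature, name, version, digest, now_iso):
    """Order matters: reject forged or altered packets before reading any decision."""
    if not verify_signature(payload, signature):
        return False, "signature invalid: packet altered or not from the expected source"
    if not bound_to(payload, name, version, digest):
        return False, "evidence is for a different package version"
    return policy_allows(payload, now_iso)


# Constructed sample packet shaped like the page describes: one PR, one exact
# package version, a finding, and an accepted risk with owner and expiry.
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(b"example-lib-2.4.1.tgz").hexdigest()
SAMPLE_PACKET = {
    "pull_request": "constructed-pr-1",
    "artifact": {"name": "example-lib", "version": "2.4.1", "digest": SAMPLE_DIGEST},
    "finding": {"kind": "vulnerability", "ref": "constructed-finding-1"},
    "decision": {
        "status": "accepted_risk",
        "owner": "appsec@example.invalid",
        "expires_at": "2026-01-31T00:00:00+00:00",
    },
}
SAMPLE_SIGNATURE = sign(SAMPLE_PACKET)

if __name__ == "__main__":
    for when in ("2026-01-01T00:00:00+00:00", "2026-03-01T00:00:00+00:00"):
        print(when, review_evidence(SAMPLE_PACKET, SAMPLE_SIGNATURE,
                                    "example-lib", "2.4.1", SAMPLE_DIGEST, when))
```

The same packet and signature evaluate to "allowed" before the acceptance expiry and "denied" after it: nothing about the evidence changed, only the policy's reading of it, which is the boundary the page draws. Changing the version inside the packet without re-signing fails at the signature step before any decision field is consulted, which is why the checks run in that order.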