Software trust evidence
Evidence for the risk of every connected MCP server
The problem
Your team connects MCP servers, agent skills, and CLI agents that quietly hold filesystem access, network reach, secret scopes, and auto-updating sources. When a reviewer asks what is installed and what each one can touch, you have config files scattered across machines and no record of who looked or what they decided.
Why current tools miss it
Scanners and SBOM tools index packages, not the agentic software wrapped around them: an MCP server carries prompts, tool permissions, and connector scopes that a dependency graph never sees. GRC platforms and trust centers track controls and attestations, not the declared capabilities of the agents installed in your own environment, so the connected-server attack surface stays invisible.
How OpenSoyce records the evidence
Paste the agent skills, Cursor rules, MCP servers, bots, and CLI agents you can discover, and OpenSoyce captures each as an evidence subject: kind, version, publisher, declared permissions, tools, MCP servers, connector scopes, network and filesystem access, update source, and digest. It surfaces capability review signals (an MCP server declared, broad filesystem access, secret-style scopes, an auto-updating source) as a review prompt, then records the human risk decision around them with owner and expiry. The inventory and the decision render into a signed evidence packet, a buyer-readable dossier, and a JSON export. The signature and artifact binding attest integrity and origin only, and the full review history travels with the record for the reader to weigh.
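A sketch of the capture step described above, as an added example that is not OpenSoyce's code or output format. It assumes the `mcpServers` JSON layout used by common MCP client configs; the record fields, signal names, and matching heuristics are illustrative assumptions, and the sample servers are constructed.

```python
import hashlib
import json
import re

# Constructed sample config; every server name, package and path here is made up.
SAMPLE_CONFIG = {"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@example/fs-server", "/"]},
    "tickets": {"command": "uvx", "args": ["example-tickets-mcp==1.4.2"],
                "env": {"TICKETS_API_TOKEN": "<redacted>"}},
    "notes": {"command": "/opt/mcp/notes-server", "args": ["--root", "/srv/notes/team-a"]},
}}

BROAD_PATHS = {"/", "~", "$HOME", "C:\\"}            # assumed definition of "broad"
SECRET_KEY = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|CREDENTIAL", re.I)
PINNED = re.compile(r"(.+@\d[\w.\-]*$)|(==\d)")      # name@1.2.3 or name==1.2.3


def signals_for(entry):
    """Return review signals for one declared server: prompts for a reviewer, not verdicts."""
    args = [str(a) for a in entry.get("args", [])]
    found = ["mcp_server_declared"]
    if any(a in BROAD_PATHS for a in args):
        found.append("broad_filesystem_access")
    if any(SECRET_KEY.search(k) for k in entry.get("env", {})):
        found.append("secret_style_scope")
    # Heuristic: a package launcher given an unpinned package resolves it at run time.
    launcher = str(entry.get("command", "")).rsplit("/", 1)[-1]
    package = next((a for a in args if not a.startswith("-")), "")
    if launcher in {"npx", "uvx"} and not PINNED.search(package):
        found.append("auto_updating_source")
    return found


def inventory(config):
    """Turn a client config into one evidence record per declared MCP server."""
    subjects = []
    for name, entry in sorted(config.get("mcpServers", {}).items()):
        declared = {"command": entry.get("command"), "args": entry.get("args", []),
                    "env_keys": sorted(entry.get("env", {}))}   # key names only, never values
        canonical = json.dumps(declared, sort_keys=True, separators=(",", ":"))
        subjects.append({"name": name, "kind": "mcp_server", "declared": declared,
                         "digest": "sha256:" + hashlib.sha256(canonical.encode()).hexdigest(),
                         "signals": signals_for(entry),
                         "decision": None})   # filled in by a human: outcome, owner, expiry
    return subjects


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_CONFIG), indent=2))
```

The `notes` entry produces only `mcp_server_declared`, which records that nothing else matched these heuristics and says nothing about what the binary at that path actually does.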
The boundary
OpenSoyce preserves and explains what each agent and MCP server declares; it does not decide trust. A declared permission is not an approved permission, an MCP connection is not an approval, and the absence of a signal is not a clean bill: the captured manifest is observed evidence, and your policy decides what each signal means.