Capability Lockfile Protocol
Lockfiles for agent trust, not just dependencies
Priority: HIGH (identity & trust)
PMF Score: 7.4 / 10
TAM: 7/10
Buildability: 8/10
Urgency: 8/10
Willingness to Pay: 7/10
Virality: 7/10

When users grant trust to an agent-enabled project or repository, that grant is bound to the project identity at consent time but not to the actual capability surface (MCP servers, exposed tools, permissions) present at that moment. Projects can silently expand their capability surface post-consent with no re-prompting, no versioning, and no revocation mechanism, meaning users unknowingly authorize capabilities they never reviewed. A capability-surface versioning and binding primitive—analogous to dependency lockfiles but for trust decisions—is entirely absent from current agent frameworks.

When users grant trust to AI agent projects, the capability surface (tools, MCP servers, permissions) can silently expand post-consent with no re-prompting or revocation — users unknowingly authorize capabilities they never reviewed.

Developer teams and enterprises deploying MCP-based agent workflows where security review, compliance, or user consent integrity matters (DevSecOps leads, platform engineers at AI-forward companies).

Enterprises already pay for dependency scanning (Snyk, Socket.dev) and permission governance (Vanta, Drata); this is the identical pain pattern emerging for agent capabilities, and compliance teams will block agent adoption without it.

Ship an open-source CLI + GitHub Action that snapshots a project's capability surface into a signed `capabilities.lock` file, diffs on every CI run, and blocks or re-prompts on undeclared expansions; wrap with a hosted registry/dashboard as the paid SaaS layer.
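A minimal version of that snapshot / sign / diff loop, as an added example written for this page and not code from the registry or any project it describes. The capability-surface layout (MCP servers with a command, tools and permissions), the `capabilities.lock` field names and the HMAC-SHA256 signature are assumptions chosen for a self-contained demo; a shipped tool would bind the lock with an asymmetric signature so CI can verify without holding the signing secret. The gate fails closed: an invalid signature, a tampered lock body, or any undeclared expansion blocks the run, while removals are reported but do not block.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real tool would sign with an asymmetric
# key so CI only needs the public half to verify.
KEY = b"constructed-demo-signing-key"

# Constructed sample: the capability surface the user actually reviewed.
CONSENTED_CONFIG = {
    "mcp_servers": {
        "github": {"command": "mcp-github",
                   "tools": ["list_issues", "create_issue"],
                   "permissions": ["repo:read"]},
        "fs": {"command": "mcp-fs", "tools": ["read_file"], "permissions": ["fs:read"]},
    }
}

# Constructed sample: a later commit that silently widens the surface.
EXPANDED_CONFIG = {
    "mcp_servers": {
        "github": {"command": "mcp-github",
                   "tools": ["list_issues", "create_issue", "delete_repo"],
                   "permissions": ["repo:read", "repo:admin"]},
        "fs": {"command": "mcp-fs", "tools": ["read_file"], "permissions": ["fs:read"]},
        "shell": {"command": "mcp-shell", "tools": ["exec"], "permissions": ["process:spawn"]},
    }
}


def canonical_surface(config):
    """Normalize the surface so reordering or duplicates never cause a spurious diff."""
    servers = {}
    for name, srv in config.get("mcp_servers", {}).items():
        servers[name] = {
            "command": srv.get("command", ""),
            "tools": sorted(set(srv.get("tools", []))),
            "permissions": sorted(set(srv.get("permissions", []))),
        }
    return {"servers": dict(sorted(servers.items()))}


def surface_digest(surface):
    blob = json.dumps(surface, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _signed_bytes(lock):
    # The signature covers the consent id and the digest, so the embedded
    # surface cannot be edited without breaking the digest or the signature.
    return json.dumps({k: lock[k] for k in ("version", "consent_id", "digest")},
                      sort_keys=True, separators=(",", ":")).encode()


def create_lock(config, key, consent_id):
    """Snapshot the surface at consent time into a signed capabilities.lock record."""
    surface = canonical_surface(config)
    lock = {"version": 1, "consent_id": consent_id,
            "surface": surface, "digest": surface_digest(surface)}
    lock["signature"] = hmac.new(key, _signed_bytes(lock), hashlib.sha256).hexdigest()
    return lock


def verify_lock(lock, key):
    if surface_digest(lock["surface"]) != lock["digest"]:
        return False
    expected = hmac.new(key, _signed_bytes(lock), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, lock["signature"])


def diff_surface(lock, config):
    """Report undeclared expansions separately from removals."""
    old = lock["surface"]["servers"]
    new = canonical_surface(config)["servers"]
    expansions, removals = [], []
    for name, srv in new.items():
        if name not in old:
            expansions.append(f"server:{name}")
            continue
        if srv["command"] != old[name]["command"]:
            expansions.append(f"command:{name}")
        for field in ("tools", "permissions"):
            expansions += [f"{field}:{name}/{i}" for i in srv[field] if i not in old[name][field]]
            removals += [f"{field}:{name}/{i}" for i in old[name][field] if i not in srv[field]]
    removals += [f"server:{name}" for name in old if name not in new]
    return {"expansions": expansions, "removals": removals}


def ci_gate(lock, key, config):
    """Return (allowed, findings); fails closed on a bad lock or any expansion."""
    if not verify_lock(lock, key):
        return False, {"error": "lock signature or digest invalid"}
    findings = diff_surface(lock, config)
    return not findings["expansions"], findings


if __name__ == "__main__":
    lock = create_lock(CONSENTED_CONFIG, KEY, "consent-001")
    print(json.dumps(ci_gate(lock, KEY, EXPANDED_CONFIG), indent=2))
```

In CI the lock would be committed alongside the project and regenerated only by an explicit re-consent step; the gate compares the checked-out configuration against it on every run, so a new server, tool, permission or changed launch command surfaces as a blocking finding rather than silently shipping.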

Subset of the $15B+ DevSecOps/supply-chain-security market, initially targeting the ~500K+ developers actively building with MCP and agent frameworks — growing rapidly as agent adoption scales.

Agents handle continuous capability-surface scanning, lock-file diffing, alert triage, and registry curation; humans are limited to governance decisions (setting trust policies) and capital allocation.

Want to build this?

Load the skill and apply to be incubated — token launch + $5k grant for accepted companies.
