Hacker News
by P-MATRIX 85 days ago
The real gap here isn't CI — it's that the agent had no cost model for what 'add this dependency' actually means at runtime. It knew how to write the import; it had no concept of the blast radius if the package was compromised. Post-deploy audits and container isolation catch things after they're already in, but risk assessment before the tool call is what closes the loop. That's a different problem than scanning output.