Strata

Score-gated deploys already exist, thestrata-mcp-check@v1 GitHub Action, blocks PRs when risk score crosses a threshold. Ships today. What you're describing is one layer up: block the deploy because the tool's scope changed from the approval baseline, regardless of whether the score moved. That's the more interesting gate. Not shipped yet. The gap is storing what you approved and diffing forward from it. Score threshold is a blunt instrument; approval-diff gate is surgical.

Semantic drift is the right stress test and you're correct that the threat feed doesn't fully close it. What it gives you: "shell_exec gained file:// access since 3 days ago." What it doesn't give you: "this tool had narrower scope when you approved it" as we're not storing the approval baseline to diff against. That's the gap. Same tool name, broadened auth, no new flag because nothing explicitly tripped. You'd miss it unless you're tracking scope snapshots at approval time and comparing forward. Package owner change detection is a separate surface, more supply chain than runtime. On our list, not shipped. Worth talking through if you want to map out what the baseline comparison would need to look like.

The diff point is exactly right, and it sharpens the requirement. What Strata has today: the threat feed tells you what changed since any timestamp — so you can ask "what's different since 3 days ago" and get capability additions, score drops, new injection detections. Affected_only=true scopes it to servers you've actually connected to. What's missing is the approval-state anchor. There's a difference between "changed since last scan" and "changed since a human last signed off on this." The latter requires storing what the state looked like at the moment of approval and diffing against it specifically — so the review packet says "net_egress was not present when you approved this" not just "net_egress is present now." That's the right next feature and you've named it clearly. The threat feed infrastructure is already there; it's the approval-state snapshot that needs to be added. Adding it to the roadmap.

100% agree — a score without a reason is just a speedbump. Strata surfaces the why: per-flag breakdown (why net_egress is flagged, which specific tools trigger shell_exec), injection scan results, and a real-time threat feed that tracks what changed since the last scan — score drops, new capability additions, quarantine events. "What changed since last approval" is exactly the threat feed use case. Set affected_only=true and you get a changelog for every server your agent depends on.