With v0.7.0, it expands into cross-stack supply-chain review and attestation policy checks for local workflows, CI gates, and MCP-compatible agents.
This release adds:
- cross-stack scanning for Docker, GitHub Actions, Terraform, and Helm
- normalized findings with riskLevel, policyAction, and recommendedAction
- attestation verification with deterministic verdicts: allow, review, or block
- non-mutating MCP tools for supply-chain and attestation workflows
The goal is to make software change review more deterministic across dependencies, supply-chain exposure, and release trust posture.
Would love feedback on:
- whether this feels meaningfully different from PR-first dependency automation
- what's missing for real CI usage
- whether the local/MCP review model is actually useful
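As an added example that is not part of the original post and not the project's own code: a sketch of the kind of deterministic gate the release notes describe, written in Python with assumed names (gate, verify_attestation, normalize_finding), an HMAC-SHA256 stand-in for a real signature scheme such as DSSE/Sigstore, a made-up predicate type, and constructed sample findings. The point it shows is that each verdict is a pure function of the findings, the attestation envelope and the artifact bytes, so the same input yields the same allow/review/block result locally, in CI, or from a non-mutating MCP tool call.

```python
"""Deterministic attestation + findings gate (illustrative; not the project's code)."""
import hashlib
import hmac
import json

ALLOW, REVIEW, BLOCK = "allow", "review", "block"
VERDICT_RANK = {ALLOW: 0, REVIEW: 1, BLOCK: 2}
RISK_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical symmetric key standing in for a real signing key (constructed for this example).
ATTESTATION_KEY = b"example-attestation-key"
# Hypothetical predicate type this gate accepts; not a real in-toto predicate.
EXPECTED_PREDICATE = "https://example.invalid/release-review/v1"


def artifact_digest(artifact: bytes) -> str:
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def sign_attestation(statement: dict, key: bytes = ATTESTATION_KEY) -> dict:
    """Canonical JSON + HMAC-SHA256 stands in for a DSSE/Sigstore signature."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_attestation(envelope: dict, artifact: bytes, key: bytes = ATTESTATION_KEY) -> tuple[str, str]:
    """Return (verdict, reason). The signature is checked before the payload is parsed."""
    payload = str(envelope.get("payload", ""))
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("signature", ""))):
        return BLOCK, "attestation signature invalid"
    try:
        statement = json.loads(payload)
    except json.JSONDecodeError:
        return BLOCK, "attestation payload is not valid JSON"
    subjects = {s.get("digest") for s in statement.get("subject", []) if isinstance(s, dict)}
    if artifact_digest(artifact) not in subjects:
        return BLOCK, "artifact digest not covered by attestation"
    if statement.get("predicateType") != EXPECTED_PREDICATE:
        return REVIEW, "unexpected predicate type; needs human review"
    return ALLOW, "attestation verified for this artifact"


def normalize_finding(raw: dict) -> dict:
    """Map a scanner-specific finding onto riskLevel / policyAction / recommendedAction.
    Unknown risk levels are treated as 'high' so a new scanner cannot silently pass."""
    risk = str(raw.get("severity", raw.get("riskLevel", ""))).lower()
    if risk not in RISK_RANK:
        risk = "high"
    if risk == "critical":
        action, rec = BLOCK, "fix before merge"
    elif risk == "high":
        action, rec = REVIEW, "reviewer sign-off required"
    else:
        action, rec = ALLOW, "track in backlog"
    return {"id": raw.get("id", "unknown"), "source": raw.get("source", "unknown"),
            "riskLevel": risk, "policyAction": action, "recommendedAction": rec}


def gate(findings: list[dict], envelope: dict, artifact: bytes) -> dict:
    """Final verdict = max over the attestation verdict and every finding's policyAction.
    Findings are sorted on a total key so the output order is stable across runs."""
    normalized = sorted((normalize_finding(f) for f in findings),
                        key=lambda f: (-RISK_RANK[f["riskLevel"]], f["source"], f["id"]))
    verdict, att_reason = verify_attestation(envelope, artifact)
    reasons = [att_reason]
    for f in normalized:
        if VERDICT_RANK[f["policyAction"]] > VERDICT_RANK[verdict]:
            verdict = f["policyAction"]
        if f["policyAction"] != ALLOW:
            reasons.append(f"{f['source']}:{f['id']} riskLevel={f['riskLevel']}")
    return {"verdict": verdict, "reasons": reasons, "findings": normalized}


# Constructed sample input: one Docker, one GitHub Actions and one Terraform finding.
SAMPLE_ARTIFACT = b"example release tarball bytes"
SAMPLE_FINDINGS = [
    {"id": "DKR-001", "source": "docker", "severity": "medium"},
    {"id": "GHA-017", "source": "github-actions", "severity": "high"},
    {"id": "TF-042", "source": "terraform", "severity": "unusual"},
]
SAMPLE_STATEMENT = {"predicateType": EXPECTED_PREDICATE,
                    "subject": [{"name": "release.tgz", "digest": artifact_digest(SAMPLE_ARTIFACT)}]}

if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS, sign_attestation(SAMPLE_STATEMENT), SAMPLE_ARTIFACT)
    print(json.dumps(result, indent=2))
```

Two design choices worth carrying into a real gate: the signature is verified before the payload is parsed, so an unsigned or tampered envelope never reaches the JSON parser or the policy logic, and an unrecognized riskLevel is normalized upward rather than dropped, so a newly added scanner format fails closed instead of quietly producing allow.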