KobanKoban
← All posts

Coding agents install faster than your review process

Cursor and Claude Code run package managers in the background. By the time a human opens the diff, the dependency is already on disk.

Koban Team
  • coding-agents
  • supply-chain
  • macos

The old model assumed a human typed npm install, opened a PR, and a reviewer read the lockfile diff before merge. That sequence still happens, sometimes. It is no longer the default on agent-heavy Macs.

What changed

Coding agents like Cursor and Claude Code routinely:

  • Run npm install, pip install, or brew install to unblock a task
  • Add MCP server entries to ~/.cursor/mcp.json or Claude Desktop config files
  • Pull in transitive dependencies you never explicitly approved

The install completes on disk before any human sees a diff. Your review gate is downstream of the event.

Why blocking does not fix it

Approval workflows slow humans. Agents still write to lockfiles and config files in the background. Blocking npm at the network layer breaks legitimate work and pushes installs to personal machines or shadow IT.

The honest alternative is visibility: inventory what landed, diff each heartbeat, alert on drift.

What Koban watches

Koban parses lockfiles, package receipts, and MCP configs from known paths on macOS. It does not block installs or attribute them to a specific process. It answers a simpler question: did something new show up since the last snapshot?

That is enough to catch:

  • A new npm dependency an agent added overnight
  • An MCP server entry nobody filed a ticket for
  • A Homebrew cask that appeared outside your baseline

The practitioner takeaway

Treat agent-driven installs as a supply chain surface, not a workflow exception. Your fleet policy should assume packages and configs can change between reviews, and instrument for that reality instead of pretending the PR is always first.