Open protocol for signed AI-assisted code provenance.
Every AI-generated change in your IDE can be cryptographically signed by an Ed25519 identity and verified offline with a public key and one command. The v0.1.x reference implementation ships a well-tested software root of trust; SSX360/NXP SE050 hardware signing is the compatible reference-device path in progress.
-
📜 Spec:— wire format, canonical encoding, schemas.
SPEC.md -
🛡 Agentic AI controls: maps Matrix Scroll to the joint
docs/AGENTIC_AI_SECURITY.md
Careful Adoption of Agentic AI Servicesguidance. - 🔐
Algorithm: Ed25519 (RFC 8032). Private keys are never exposed by the SDK API. - 🧪
Conformance vectors:— for non-Python implementations.vectors/
- 🌐 Site:https://matrixscroll.com - 🔧 Reference device:SSX360(NXP SE050 hardware path in progress).
pip install matrixscroll
python
import matrixscroll
print(matrixscroll.status())
signed = matrixscroll.sign_manifest({"release": "v1.0.0", "artifacts": [...]})
assert matrixscroll.verify_manifest(signed)
bash
$ matrixscroll status
{
"available": true,
"device_id": "MS-A3F2-9C81",
"mode": "emulated",
"public_key": "...",
"schema": "matrixscroll.identity.v1"
}
$ matrixscroll sign release.json > release.signed.json
$ matrixscroll verify release.signed.json
{"device_id": "MS-A3F2-9C81", "mode": "emulated", "ok": true, "signed_at": "..."}
matrixscroll verify
exits 0 on a valid signature, 2 on any failure (tampered manifest, missing signature block, wrong schema/algorithm, mismatched device id, malformed public key, unreadable file). Pipe it from CI without parsing the output.
your IDE / agent / CI
│
│ manifest (release, commit, evidence pack, SBOM, anything)
▼
matrixscroll.sign_manifest(...)
│
│ canonical JSON (sorted keys, ASCII-escaped, no NaN,
│ signature block excluded from input)
▼
IdentityProvider ──► Ed25519 signature
(Emulated today,
SSX360 / SE050 tomorrow)
│
▼
signed manifest ──► matrixscroll.verify_manifest(...)
(anyone, anywhere, offline)
The same Python API is designed to serve the local software emulator and the
physical SSX360 device path. Switch with the MATRIXSCROLL_MODE
environment
variable; in v0.1.x, hardware
mode reports unavailable until the SE050 transport ships.
| Level | Provider | Backed by | Status |
|---|---|---|---|
| L1 Emulated | |||
EmulatedProvider |
|||
| Software key, file-backed (0600) | ✅ Shipping | ||
| L2 Hardware | |||
HardwareProvider |
|||
| NXP SE050 secure element (SSX360) | 🛠 Stage-0 prototype | ||
| L3 Attested | |||
| future | L2 + remote attestation | 🗺 Roadmap |
status()
exposes the active level via the mode
and available
fields so read-only dashboards can render before the hardware path is wired.
- Emulated key store:
~/.matrixscroll/device.json
(override withMATRIXSCROLL_HOME
). - The directory is created
0700
; the seed file is opened0600
withO_CREAT|O_EXCL
so the private seed is never momentarily world-readable and a race cannot silently clobber an existing key store. - A corrupt or truncated store
fails loud(IdentityError
) rather than silently minting a fresh identity. Identity rotation is an explicit operation. - The planned hardware path holds nothing private on disk — the seed is sealed in the secure element. In v0.1.x, this path is a typed availability stub.
Matrix Scroll is a protocol. This Python package is the reference. We welcome implementations in Rust, Go, TypeScript, and embedded C — run them against vectors/ to self-certify. See
CONTRIBUTING.md
.The repo includes a machine-readable control matrix at controls/agentic_ai_controls.json, an example bounded-agent evidence manifest at
examples/agentic_ai_evidence_manifest.json
tests/test_agentic_guidance.py
. These prove each
claim maps to repo evidence and that signed agent scope changes fail verify.- Code:
Apache-2.0(LICENSE
). - Specification text (
SPEC.md
,vectors/
):CC0 1.0— public domain.
See SECURITY.md. Report vulnerabilities privately to
or via a GitHub Security Advisory.