# Matrix Scroll – sign AI-generated code changes with Ed25519, verify offline

> Source: <https://github.com/SSX360/matrixscroll>
> Published: 2026-06-19 13:23:33+00:00

**Open protocol for signed AI-assisted code provenance.**

Every AI-generated change in your IDE can be cryptographically signed by an Ed25519 identity and verified offline with a public key and one command. The v0.1.x reference implementation ships a well-tested software root of trust; SSX360/NXP SE050 hardware signing is the compatible reference-device path in progress.

- 📜 **Spec:** `SPEC.md` — wire format, canonical encoding, schemas.
- 🛡 **Agentic AI controls:** `docs/AGENTIC_AI_SECURITY.md` maps Matrix Scroll to the joint *Careful Adoption of Agentic AI Services* guidance.
- 🔐 **Algorithm:** Ed25519 (RFC 8032). Private keys are never exposed by the SDK API.
- 🧪 **Conformance vectors:** `vectors/` — for non-Python implementations.
- 🌐 **Site:** [https://matrixscroll.com](https://matrixscroll.com)
- 🔧 **Reference device:** [SSX360](https://matrixscroll.com/device) (NXP SE050 hardware path in progress).

```bash
pip install matrixscroll
```

```python
import matrixscroll

# What identity is active on this machine?
print(matrixscroll.status())
# {'schema': 'matrixscroll.identity.v1', 'available': True,
#  'mode': 'emulated', 'device_id': 'MS-A3F2-9C81', ...}

# Sign anything (a release manifest, a commit envelope, a SBOM, an evidence pack)
signed = matrixscroll.sign_manifest({"release": "v1.0.0", "artifacts": [...]})

# Verify, anywhere, offline
assert matrixscroll.verify_manifest(signed)
```

```bash
$ matrixscroll status
{
  "available": true,
  "device_id": "MS-A3F2-9C81",
  "mode": "emulated",
  "public_key": "...",
  "schema": "matrixscroll.identity.v1"
}

$ matrixscroll sign release.json > release.signed.json
$ matrixscroll verify release.signed.json
{"device_id": "MS-A3F2-9C81", "mode": "emulated", "ok": true, "signed_at": "..."}
```

`matrixscroll verify` exits **0** on a valid signature, **2** on any failure
(tampered manifest, missing signature block, wrong schema/algorithm, mismatched
device id, malformed public key, unreadable file). Pipe it from CI without
parsing the output.

```
   your IDE / agent / CI
            │
            │  manifest (release, commit, evidence pack, SBOM, anything)
            ▼
   matrixscroll.sign_manifest(...)
            │
            │  canonical JSON  (sorted keys, ASCII-escaped, no NaN,
            │                   signature block excluded from input)
            ▼
   IdentityProvider          ──►  Ed25519 signature
   (Emulated today,
    SSX360 / SE050 tomorrow)
            │
            ▼
   signed manifest  ──►  matrixscroll.verify_manifest(...)
                         (anyone, anywhere, offline)
```
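The canonical-encoding step in the diagram, sketched with the standard library as an added example (not the project's code). The `signature` field name and the compact separators are assumptions; `SPEC.md` defines the actual wire format.

```python
import json

SIGNATURE_FIELD = "signature"  # assumed field name; SPEC.md is authoritative


def signing_input(manifest: dict) -> bytes:
    """Bytes to sign/verify: the manifest minus its signature block."""
    body = {k: v for k, v in manifest.items() if k != SIGNATURE_FIELD}
    text = json.dumps(
        body,
        sort_keys=True,          # key order in the input must not matter
        ensure_ascii=True,       # non-ASCII becomes \uXXXX escapes
        allow_nan=False,         # NaN / Infinity raise ValueError
        separators=(",", ":"),   # assumption: no insignificant whitespace
    )
    return text.encode("ascii")


def try_signing_input(manifest: dict):
    """Return the signing input, or None when the manifest cannot be canonicalized."""
    try:
        return signing_input(manifest)
    except ValueError:
        return None


# Constructed sample manifests (not taken from the project's vectors/).
UNSIGNED = {"release": "v1.0.0", "artifacts": ["caf\u00e9.whl"]}
SIGNED_REORDERED = {
    "signature": {"value": "constructed-placeholder"},
    "artifacts": ["caf\u00e9.whl"],
    "release": "v1.0.0",
}
TAMPERED = dict(SIGNED_REORDERED, release="v1.0.1")
NOT_A_NUMBER = {"release": "v1.0.0", "score": float("nan")}

if __name__ == "__main__":
    print(signing_input(UNSIGNED))
    # Attaching a signature block or reordering keys leaves the input unchanged.
    print(signing_input(UNSIGNED) == signing_input(SIGNED_REORDERED))
    # Any change to signed content changes the bytes the signature covers.
    print(signing_input(UNSIGNED) == signing_input(TAMPERED))
    # NaN has no canonical JSON form, so the manifest is rejected.
    print(try_signing_input(NOT_A_NUMBER))
```

Because the signature block is excluded and keys are sorted, a verifier recomputes exactly the bytes the signer saw, regardless of how the signed file was re-serialized in transit.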

The same Python API is designed to serve the local software emulator and the
physical SSX360 device path. Switch with the `MATRIXSCROLL_MODE` environment
variable; in v0.1.x, `hardware` mode reports unavailable until the SE050
transport ships.

| Level | Provider | Backed by | Status |
|---|---|---|---|
| L1 Emulated | `EmulatedProvider` | Software key, file-backed (0600) | ✅ Shipping |
| L2 Hardware | `HardwareProvider` | NXP SE050 secure element (SSX360) | 🛠 Stage-0 prototype |
| L3 Attested | future | L2 + remote attestation | 🗺 Roadmap |

`status()` exposes the active level via the `mode` and `available` fields so
read-only dashboards can render before the hardware path is wired.

- Emulated key store: `~/.matrixscroll/device.json` (override with `MATRIXSCROLL_HOME`).
- The directory is created `0700`; the seed file is opened `0600` with `O_CREAT|O_EXCL` so the private seed is never momentarily world-readable and a race cannot silently clobber an existing key store.
- A corrupt or truncated store **fails loud** (`IdentityError`) rather than silently minting a fresh identity. Identity rotation is an explicit operation.
- The planned hardware path holds nothing private on disk — the seed is sealed in the secure element. In v0.1.x, this path is a typed availability stub.
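The key-store behaviour listed above, as an added standard-library sketch (not the package's implementation). The `{"seed": "<hex>"}` file layout and the local `IdentityError` class are assumptions made for the example.

```python
import json
import os


class IdentityError(Exception):
    """Local stand-in for the package's IdentityError (example only)."""


def create_store(home: str, seed_hex: str) -> str:
    """Create device.json exactly once, never readable by other users."""
    os.makedirs(home, mode=0o700, exist_ok=True)
    path = os.path.join(home, "device.json")
    # O_EXCL makes creation atomic: if the file already exists the call
    # raises FileExistsError instead of overwriting the existing seed.
    # Passing 0o600 at open time means there is no window in which the
    # file exists with wider permissions (unlike open() followed by chmod()).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"seed": seed_hex}, fh)  # assumed layout
    return path


def load_store(home: str) -> bytes:
    """Load the seed; a damaged store is an error, never a reason to re-mint."""
    path = os.path.join(home, "device.json")
    with open(path) as fh:
        raw = fh.read()
    try:
        seed = bytes.fromhex(json.loads(raw)["seed"])
    except (ValueError, KeyError, TypeError) as exc:
        raise IdentityError(f"corrupt key store: {path}") from exc
    if len(seed) != 32:  # an Ed25519 seed is 32 bytes (RFC 8032)
        raise IdentityError(f"truncated seed in key store: {path}")
    return seed


if __name__ == "__main__":
    import tempfile

    demo_home = os.path.join(tempfile.mkdtemp(), "matrixscroll-demo")
    store = create_store(demo_home, "11" * 32)  # constructed seed, demo only
    print(oct(os.stat(store).st_mode & 0o777), len(load_store(demo_home)))
```

A second `create_store` call against the same directory raises `FileExistsError`, which is what keeps two racing processes from each minting a different identity.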

Matrix Scroll is a protocol. This Python package is the reference. We welcome
implementations in Rust, Go, TypeScript, and embedded C — run them against
[vectors/](/SSX360/matrixscroll/blob/main/vectors) to self-certify. See
`CONTRIBUTING.md`.

The repo includes a machine-readable control matrix at
[controls/agentic_ai_controls.json](/SSX360/matrixscroll/blob/main/controls/agentic_ai_controls.json), an
example bounded-agent evidence manifest at
[examples/agentic_ai_evidence_manifest.json](/SSX360/matrixscroll/blob/main/examples/agentic_ai_evidence_manifest.json),
and executable checks in `tests/test_agentic_guidance.py`. These prove each
claim maps to repo evidence and that signed agent scope changes fail verify.

- Code: **Apache-2.0** (`LICENSE`).
- Specification text (`SPEC.md`, `vectors/`): **CC0 1.0** — public domain.

See [SECURITY.md](/SSX360/matrixscroll/blob/main/SECURITY.md). Report vulnerabilities privately to **or via a GitHub Security Advisory.**
