{"slug": "who-actually-wrote-that-commit-you-or-your-ai-agent", "title": "Who actually wrote that commit... you, or your AI agent?", "summary": "Matrix Scroll is an open-source tool that attaches signed provenance envelopes to Git commits, recording whether a human or an AI agent authored the change. It enables offline verification of commit authorship, addressing the growing need for audit trails in AI-assisted development. The tool is available as a Python package and GitHub Action, with hardware-backed signing in development.", "body_md": "Your Git history can tell you that a workstation pushed a commit. What it can't tell you is who or what actually produced the change. Was it you? An AI agent running inside your IDE? A CI job? Some vendor tool you forgot you'd wired in?\n\nFor a long time that question was academic. It isn't anymore. The more code we write with AI in the loop, the shakier one quiet assumption gets: that there's a human author behind every commit. Audit trails, incident reviews, compliance workflows; they all lean on it. And it's breaking.\n\nMatrix Scroll is a small, open attempt to fix that. It attaches a signed provenance envelope to a commit, and anyone can verify it offline.\n\nAn agent-assisted commit can carry a signed JSON envelope that records:\n\nThe signing input is strict and frankly kind of boring — which is the entire point. It has to be reproducible byte-for-byte across implementations, so:\n\nThe device ID comes from the first eight uppercase hex characters of SHA-256(public_key), formatted as MS-XXXX-XXXX. Verifying is the easy part: take the canonical manifest bytes, check them against the embedded public key and signature. No central service in the middle.\n\nThere's a browser verifier that runs entirely client-side. 
Nothing gets uploaded:\n\n```\nhttps://matrixscroll.com/verify/\n```\n\nGive it ten seconds:\n\nThat round trip is basically the whole idea: a signature that genuinely fails the moment the bytes change.\n\n```\npip install \"matrixscroll==0.2.6\"\nmatrixscroll hook-install\nmatrixscroll hook-status\n```\n\nMark a commit as agent-produced:\n\n```\nexport MATRIXSCROLL_ACTOR_TYPE=agent\nexport MATRIXSCROLL_TOOL=agent-runner\ngit commit -m \"feat: agent change\"\nmatrixscroll envelope-verify \"$(git rev-parse HEAD)\"\n# ok: true / actor: agent / tool: agent-runner\n```\n\nWant to gate a pull request in CI? The GitHub Action (\"Scroll Gate\") verifies every commit in a PR range before merge:\n\n```\n- uses: SSX360/matrixscroll-verify-action@v1\n  with:\n    matrixscroll-version: \"0.2.6\"\n    require-mode: # ...\n```\n\nHooks default to warn mode. Set `\"enforce\": true` in `.git/matrixscroll/config.json` if you want failed signing to actually block.\n\nThis is the part I want to be straight about, because security tools earn trust by being precise about scope.\n\nMatrix Scroll is commit-time provenance. It answers one narrow question: \"who signed this commit before it merged?\" That's not the same question the established supply-chain tools answer.\n\n| Tool | Layer | Signs commits? | Records AI/agent identity? |\n|---|---|---|---|\n| Matrix Scroll | Commit | Yes | Yes |\n| Sigstore / cosign | Artifact | No | No |\n| GitHub attestations | CI artifact | No | No |\n| SLSA | Build framework | N/A | No |\n\nSigstore, SLSA, and GitHub attestations secure build outputs — what came out of CI. They're good tools and Matrix Scroll doesn't replace any of them. It just sits one step earlier, on the commit itself.\n\nAnd to be clear about what it isn't: it's not IAM, not sandboxing, not a prompt filter, not an agent runtime. It's the provenance layer. 
That's all.\n\nHere's where things actually stand.\n\n**Shipping now:** PyPI 0.2.6, the Git hooks, the browser verifier, and PR-range verification via the GitHub Action.\n\n**In progress:** hardware-backed signing on a dedicated secure element (SE050), external Ed25519 key backends, and transparency-log integration.\n\nThe default today uses software-emulated keys — an \"L1\" mode — meant for local dev, demos, and CI. Hardware-rooted keys are the next trust layer, not the thing I'm leading with.\n\nSo if your threat model includes a fully compromised local machine, the emulated path won't save you yet. That's exactly what the hardware work is for. I'd rather just say that than oversell it.\n\nThe protocol, JSON schemas, and conformance vectors are all open, so anyone can implement the format or pick it apart.\n\nIf you've thought about provenance for AI-assisted code — or you think the commit is the wrong layer to solve this at — I'd genuinely like to hear it in the comments.\n\nfin.", "url": "https://wpnews.pro/news/who-actually-wrote-that-commit-you-or-your-ai-agent", "canonical_source": "https://dev.to/matrixscroll/who-actually-wrote-that-commit-you-or-your-ai-agent-513g", "published_at": "2026-06-21 12:50:02+00:00", "updated_at": "2026-06-21 13:06:58.288110+00:00", "lang": "en", "topics": ["developer-tools", "ai-agents", "ai-safety", "ai-policy", "ai-infrastructure"], "entities": ["Matrix Scroll", "GitHub", "PyPI", "Sigstore", "SLSA", "SSX360", "SE050", "Ed25519"], "alternates": {"html": "https://wpnews.pro/news/who-actually-wrote-that-commit-you-or-your-ai-agent", "markdown": "https://wpnews.pro/news/who-actually-wrote-that-commit-you-or-your-ai-agent.md", "text": "https://wpnews.pro/news/who-actually-wrote-that-commit-you-or-your-ai-agent.txt", "jsonld": "https://wpnews.pro/news/who-actually-wrote-that-commit-you-or-your-ai-agent.jsonld"}}