Compare // agent governance
Hardware vs passkey
Honest positioning for teams evaluating commit-time provenance — without naming competitors.
Ed25519 commit envelopes: offline-verifiable proof
local-only CLI & HOOKS: repo never uploaded
Scroll Gate PR enforcement: signed vs unsigned
SSX360 control plane: identity · billing · audit

Passkeys authenticate people. Provenance signs commits.
Software keys on disk can be copied by malware. Hardware keys in a secure element cannot export their seed. Phase 1 ships emulated Ed25519 today; the SE050 hardware path is an optional pilot trust upgrade — same verifier contract, stronger key residency.
Signing co-residency
Typical passkey stack: Browser/OS passkeys live in platform authenticators — fine for login, not for in-loop agent commits on a dev machine.
SSX360 + Matrix Scroll: Matrix Scroll signs at commit time on the same machine that produced the diff. Optional SE050 pilot keeps the private key off disk.

CI merge enforcement
Typical passkey stack: Passkey proofs rarely attach to every commit in a PR range or integrate with protected-branch gates.
SSX360 + Matrix Scroll: Scroll Gate verifies signed vs unsigned commits across the full PR range in GitHub Actions — warn or enforce before merge.

Agent workflow
Typical passkey stack: Passkey APIs are browser-centric; Python agents and CI runners need awkward bridges.
SSX360 + Matrix Scroll: Python-first: pip install, post-commit hooks, and an MCP server with provenance verbs for Cursor, Claude, and VS Code.

Offline verification
Typical passkey stack: Verification depends on platform attestation services and online ceremony replay.
SSX360 + Matrix Scroll: RFC 8032 Ed25519 envelopes verify offline in CLI, browser, and CI — same bytes, same contract.

Audit export
Typical passkey stack: Login audit logs ≠ signed commit envelopes with actor, tool, and scope metadata.
SSX360 + Matrix Scroll: Team+ exports evidence packs with envelope history, verification metadata, and procurement-ready JSON.

Scroll Gate runs in your CI today.
Community tier includes 100 hosted verifications per day. Emulated signing is the default evaluation path; hardware pilots are disclosed honestly on the trust page.