Keys never leave your machine

Docs // authorization primitive

Agent Authorization Authority

They receipt the model call. We receipt everything the machine does.

Agent Authorization Authority

Ed25519

commit envelopes

offline-verifiable proof

local-only

CLI & HOOKS

repo never uploaded

Scroll Gate

PR enforcement

signed vs unsigned

SSX360

control plane

identity · billing · audit

Identity says who the agent is. Authorization proves what it was allowed to do — and who said so. SSX360 signs commits, MCP tool surfaces, and agent runs with offline-verifiable Ed25519 records.

Compliance evidence packs (FS AI RMF, PCI, DORA) price every rung — they are the billing system, not the pitch.

Authorization ladder

RungStatusSurface
L1 CodeLIVECommits and releases — matrixscroll 0.6.0
L2 ToolsLIVEMCP manifests and tool surfaces — Trust Scanner
L3 Actions2026Agent runs and NHI authorization records
L4 Money2027–28AP2 mandates and Vault Card — demo only in 2026
L5 Silicon2029+Device attestation — optionality

1 · MCP manifest baseline (L2)

Security teams blocking MCP need signed install-time baselines and drift detection — the wedge for Agent Trust at $499/mo.

terminal
pip install "matrixscroll==0.6.0"

# Scan and sign MCP install-time baseline
matrixscroll mcp scan --connect stdio --server-command "npx -y @modelcontextprotocol/server-filesystem ." \
  -o baseline.json --pretty
matrixscroll mcp sign baseline.json
matrixscroll mcp verify baseline.json

2 · Agent authorization record (L3)

Per-org: signed agent identity, MCP manifest baselines, drift alerts, and authorization ledger — unblock agents safely.

terminal
matrixscroll sign-action --action-type agent_run \
  --payload '{"tool":"mcp-filesystem","scope":"read"}'
matrixscroll verify-envelope envelope.json

3 · Evidence pack export

Offline-verifiable JSON with compliance_mappings — your assessor verifies without trusting SSX360.

terminal
# Export authorization ledger + compliance mappings (signed in)
ssx360 evidence export --format json

Public sample: evidence-pack-sample.json · schema docs

10-minute demo path

  1. MCP scan → sign baseline → verify (unblock agents safely)
  2. sign_action envelope for an agent run
  3. Signed commit + Scroll Gate on a protected branch
  4. Authorization ledger view + evidence pack verify in browser