Docs // authorization primitive
Agent Authorization Authority
They receipt the model call. We receipt everything the machine does.
Agent Authorization Authority
Ed25519
commit envelopes
offline-verifiable proof
local-only
CLI & HOOKS
repo never uploaded
Scroll Gate
PR enforcement
signed vs unsigned
SSX360
control plane
identity · billing · audit
Identity says who the agent is. Authorization proves what it was allowed to do — and who said so. SSX360 signs commits, MCP tool surfaces, and agent runs with offline-verifiable Ed25519 records.
Compliance evidence packs (FS AI RMF, PCI, DORA) price every rung — they are the billing system, not the pitch.
Authorization ladder
| Rung | Status | Surface |
|---|---|---|
| L1 Code | LIVE | Commits and releases — matrixscroll 0.6.0 |
| L2 Tools | LIVE | MCP manifests and tool surfaces — Trust Scanner |
| L3 Actions | 2026 | Agent runs and NHI authorization records |
| L4 Money | 2027–28 | AP2 mandates and Vault Card — demo only in 2026 |
| L5 Silicon | 2029+ | Device attestation — optionality |
1 · MCP manifest baseline (L2)
Security teams blocking MCP need signed install-time baselines and drift detection — the wedge for Agent Trust at $499/mo.
pip install "matrixscroll==0.6.0" # Scan and sign MCP install-time baseline matrixscroll mcp scan --connect stdio --server-command "npx -y @modelcontextprotocol/server-filesystem ." \ -o baseline.json --pretty matrixscroll mcp sign baseline.json matrixscroll mcp verify baseline.json
2 · Agent authorization record (L3)
Per-org: signed agent identity, MCP manifest baselines, drift alerts, and authorization ledger — unblock agents safely.
matrixscroll sign-action --action-type agent_run \
--payload '{"tool":"mcp-filesystem","scope":"read"}'
matrixscroll verify-envelope envelope.json3 · Evidence pack export
Offline-verifiable JSON with compliance_mappings — your assessor verifies without trusting SSX360.
# Export authorization ledger + compliance mappings (signed in) ssx360 evidence export --format json
Public sample: evidence-pack-sample.json · schema docs
10-minute demo path
- MCP scan → sign baseline → verify (unblock agents safely)
- sign_action envelope for an agent run
- Signed commit + Scroll Gate on a protected branch
- Authorization ledger view + evidence pack verify in browser