Keys never leave your machine
Fintech door-opener · voluntary framework

Signed proof for AI-assisted code changes

Matrix Scroll signs merges locally; SSX360 hosts the control plane — commit envelopes, Scroll Gate CI, and audit packs assessors verify offline. We map a deliberate SDLC / change-management slice of FS AI RMF: the part institutions struggle to defend when Copilot, Cursor, and agent tools land on protected branches.

Voluntary framework — produces evidence aligned to FS AI RMF control objectives; not certified by CRI or Treasury. Scoped to SDLC / change-management only (not all 230 objectives).

Three artifacts examiners ask for

Commit envelopes

Matrix Scroll signs every agent-assisted merge — actor, tool, and scope in an Ed25519 envelope your assessor verifies offline.

PyPI SDK

Scroll Gate (CI)

Protected branches gate merges before deploy. Copilot, Cursor, and agent tools on main need examiner-ready proof — not policy slides alone.

CI integration

Audit packs

Export ssx360.evidence-pack.v1 JSON with compliance_mappings for FS AI RMF — verify in browser or CLI without trusting SSX360.

Sample pack

Scoped control mapping (SDLC slice)

Illustrative rows for AI-authored code changes — internal shorthand, not official CRI RCM numbers. Full draft mapping · feedback welcome at mission@ssx360.com

| ID | Control theme | SSX360 evidence |
|---|---|---|
| SDLC-01 | Software changes attributable to human or agent actor | Envelope provenance.actor_type, provenance.tool |
| SDLC-02 | Unauthorized changes blocked on critical branches | Scroll Gate blocked / review events in ledger |
| SDLC-03 | Change record exportable for independent verification | Signed evidence pack + detached signature |
| SDLC-04 | Agent tooling declared at commit time | MCP / hook metadata in envelope |
| SDLC-05 | Payments-adjacent paths require trusted actor | financial-infra policy rule outcomes |
| AUD-01 | Sample-ready JSON for assessor review | compliance_mappings[] includes FS AI RMF entry |
| AUD-02 | Offline verification without platform trust | matrixscroll verify / browser verifier at ssx360.com/verify |
Read full mapping with PCI pairing →
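As an added illustration (not SSX360's or Matrix Scroll's own code, and using an assumed, simplified envelope schema rather than the real one), here is a Go program an assessor could use to reproduce the SDLC-01, SDLC-05 and AUD-02 rows offline: it signs a commit envelope's declared provenance and scope with Ed25519, verifies the detached signature with nothing but a public key, and re-derives the financial-infra rule that an agent actor on payments or ledger paths blocks the merge. The path prefixes, field names and the "c0ffee" commit are constructed sample values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed, simplified envelope shape (not the real ssx360 schema); every field is signed.
type Provenance struct {
	ActorType string `json:"actor_type"` // "human" or "agent"
	Tool      string `json:"tool"`       // e.g. "cursor", "copilot"
}
type Envelope struct {
	Commit     string     `json:"commit"`
	Provenance Provenance `json:"provenance"`
	Scope      []string   `json:"scope"` // paths touched by the change
}
// canonical returns the exact bytes signed; encoding/json keeps declaration order, so both sides agree.
func canonical(e Envelope) []byte {
	b, _ := json.Marshal(e)
	return b
}
func Sign(priv ed25519.PrivateKey, e Envelope) []byte {
	return ed25519.Sign(priv, canonical(e))
}
// Verify checks the detached signature offline, trusting only a public key obtained out of band.
func Verify(pub ed25519.PublicKey, e Envelope, sig []byte) bool {
	return ed25519.Verify(pub, canonical(e), sig)
}
// Gate reproduces the merge decision: a bad signature blocks, and an agent actor
// touching payments/ or ledger/ paths blocks (an SDLC-05 style policy rule).
func Gate(pub ed25519.PublicKey, e Envelope, sig []byte) (bool, string) {
	if !Verify(pub, e, sig) {
		return false, "signature invalid"
	}
	for _, p := range e.Scope {
		if (strings.HasPrefix(p, "payments/") || strings.HasPrefix(p, "ledger/")) && e.Provenance.ActorType != "human" {
			return false, "agent actor on payments-adjacent path: " + p
		}
	}
	return true, "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	e := Envelope{Commit: "c0ffee", Provenance: Provenance{ActorType: "agent", Tool: "cursor"}, Scope: []string{"payments/router.go"}}
	fmt.Println(Gate(pub, e, Sign(priv, e))) // false agent actor on payments-adjacent path: payments/router.go
}
```

Because actor_type is inside the signed bytes, an envelope whose actor was edited after signing fails verification before any policy rule runs, which is the property the AUD-02 row relies on.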

What SSX360 maps

  • Signed commit envelopes with declared actor, tool, and scope
  • Scroll Gate CI on protected branches
  • Offline-verifiable evidence pack export
  • FS AI RMF and PCI DSS v4.0.1 Req 6.5 compliance_mappings
  • Financial-infra policy preset for payments and ledger paths

Out of scope

  • Model risk management and training-data governance
  • Board-level AI governance programs
  • Third-party AI vendor due diligence (beyond your code changes)
  • Full 230 FS AI RMF control objectives