Commit envelopes
Matrix Scroll signs every agent-assisted merge — actor, tool, and scope in an Ed25519 envelope your assessor verifies offline.
PyPI SDK ↗Matrix Scroll signs merges locally; SSX360 hosts the control plane — commit envelopes, Scroll Gate CI, and audit packs assessors verify offline. We map a deliberate SDLC / change-management slice of FS AI RMF: the part institutions struggle to defend when Copilot, Cursor, and agent tools land on protected branches.
Voluntary framework — produces evidence aligned to FS AI RMF control objectives; not certified by CRI or Treasury. Scoped to SDLC / change-management only (not all 230 objectives).
For CRI / ecosystem reviewers
Matrix Scroll signs every agent-assisted merge — actor, tool, and scope in an Ed25519 envelope your assessor verifies offline.
PyPI SDK ↗Protected branches gate merges before deploy. Copilot, Cursor, and agent tools on main need examiner-ready proof — not policy slides alone.
CI integrationExport ssx360.evidence-pack.v1 JSON with compliance_mappings for FS AI RMF — verify in browser or CLI without trusting SSX360.
Sample packIllustrative rows for AI-authored code changes — internal shorthand, not official CRI RCM numbers. Full draft mapping · feedback welcome at mission@ssx360.com
| ID | Control theme | SSX360 evidence |
|---|---|---|
| SDLC-01 | Software changes attributable to human or agent actor | Envelope provenance.actor_type, provenance.tool |
| SDLC-02 | Unauthorized changes blocked on critical branches | Scroll Gate blocked / review events in ledger |
| SDLC-03 | Change record exportable for independent verification | Signed evidence pack + detached signature |
| SDLC-04 | Agent tooling declared at commit time | MCP / hook metadata in envelope |
| SDLC-05 | Payments-adjacent paths require trusted actor | financial-infra policy rule outcomes |
| AUD-01 | Sample-ready JSON for assessor review | compliance_mappings[] includes FS AI RMF entry |
| AUD-02 | Offline verification without platform trust | matrixscroll verify / browser verifier at ssx360.com/verify |