Commit-time proof
Matrix Scroll signs a provenance envelope before merge, not only a build artifact after CI. That keeps the proof attached to the commit history itself.
Keep your current controls. Add commit-time provenance.
Sigstore, SLSA, GitHub artifact attestations, Semgrep, branch protection, and Matrix Scroll answer different questions. Matrix Scroll focuses on who signed a change before push, then lets reviewers verify that proof offline or in CI.
Shipping now: PyPI
0.2.6, Git hooks, Scroll Gate PR verification, browser verifier, and emulated-mode evaluation.In progress: SSX360 SE050 hardware preview and verifier-compatible external Ed25519 signer guidance.
Not: IAM, sandboxing, prompt filtering, or an agent runtime.
| Tool | Layer | Signs commits? | Agent identity? | Hardware path? |
|---|---|---|---|---|
| Matrix Scroll | Commit | Yes, commit envelope | Yes | Yes, preview path |
| agentmark | Commit + CI gate | Yes | Yes | No |
| Alien Agent ID | Commit + identity network | Yes | Yes | No |
| ForgeProof | File-level provenance | No | Partial | No |
| Sigstore / cosign | Artifact / container | No | No | No |
| GitHub artifact attestations / SLSA | Build / artifact | No | No | No |
What Matrix Scroll adds
Actor and tool metadata
The envelope records actor type, tool, mode, and optional bounded scope. That is the missing context most artifact systems do not model.
Offline verification
Reviewers can verify the same proof in the CLI, browser, and CI without a hosted control plane. Start at /verify/ and carry the same contract into CI.
Honest gaps we are still building
Hardware is preview-only
The SE050 path is real roadmap work, but the public launch mode is still emulated. We do not claim non-exportable keys are shipping broadly today.
Adoption proof is early
Matrix Scroll is still building public case studies, multi-agent envelopes, and deeper Rekor or GUAC export stories. The core verifier contract ships now; the surrounding enterprise plane is still growing.