Security

Threat model

Attestation limits and L1 software-key assumptions.

What is defeated

Protects against silent out-of-band commit modification, signature stripping in transit, and unrecorded agent contribution. Once signed, any downstream tampering of the commit message, author, or canonical schema metadata will break the signature verification offline and in CI.

What is NOT defeated (L1 limits)

An emulated software key (L1) proves possession of the private key file, not the physical identity of the actor. A compromised developer machine, a malicious local agent, or an attacker with write access to the filesystem can sign envelopes that verify perfectly. In L1 mode, actor binding is advisory and relies on workstation access controls.

Trust anchor distribution & key rotation

Organizations establish trust by distributing public keys to verifiers (e.g., CI/CD runners using the --trusted-keys parameter). Revocation, multi-maintainer key rotation, and transparency-log integrations are active areas of protocol development. Matrix Scroll commits represent advisory self-attestations until external trust anchors or transparency logs are integrated.