Matrix Scroll

Sign the tool surface. Verify at install.

Paste an MCP server's tools JSON. Fingerprint it. Diff a re-scan against your baseline and catch the rug-pull.

Runs entirely in this tab via WebCrypto. Nothing is uploaded. Same hashes as the CLI.

baseline — tools at install time
re-scan — tools after the "update"

Do it for real — live servers, Ed25519 signatures, CI gates

pip install matrixscroll

# live-scan any MCP server and write the manifest
matrixscroll mcp scan --connect stdio --server-command "npx -y some-mcp-server" -o manifest.json --pretty

# sign the install-time baseline
matrixscroll mcp sign manifest.json -o baseline.signed.json

# after any update: re-scan, re-sign, verify — drift exits 2 and fails CI
matrixscroll mcp verify current.signed.json --baseline baseline.signed.json --pretty

Offline verify. Zero cloud, zero signup. matrixscroll 0.6.0 on PyPI. Spec is CC0: ssx360.mcp-manifest.v1