An architectural blueprint for local model context grounding and on-device cryptographic commit attestation.
AI agents now generate a substantial portion of code modifications entering production codebases. While this increases software delivery velocity, it introduces a severe provenance vacuum, leaving audit logs vulnerable to identity spoofing and unauthenticated automated writes. We propose Matrix Scroll, a physical USB-C trust element designed around an RP2350 microcontroller and an NXP SE050 secure element, paired with a local Model Context Protocol (MCP) server named Digital Rain. The proposed architecture separates USB communication, display rendering, and touch detection from private key custody. We demonstrate how combining hardware key generation, local context relevance filters, and physical presence consent screens mitigates host-level key exfiltration and background malware-driven signature forgery, satisfying SOC 2 Change Management CC8 and SLSA provenance compliance frameworks.
AI code generation models have transitioned from autocomplete utilities into active agentic entities capable of editing hundreds of files in single sessions. However, current software configuration management systems (e.g., Git) rely on client-asserted identities (e.g., name and email configurations) which lack verification properties. Signing keys, where utilized, typically reside in the host filesystem, rendering them vulnerable to copy operations and remote exfiltration.
We propose a hardware-secured solution consisting of two distinct components operating across a hardware-software boundary: Digital Rain, a local context engine, and the Scroll Key & Scroll Token physical trust devices. Digital Rain indexes the codebase and packages modifications into canonical evidence records; our physical hardware generates an Ed25519 signing key inside a sealed secure element. For premium deployments, the Scroll Token also provides an interactive presence LCD and touch surface for manual out-of-band signature confirmation. This prevents background agents or malware from signing modifications without active human participation.
A core challenge of hardware cryptographic keys is protecting against background signing attacks. If a secure key is permanently inserted into a host workstation, malware running on that host can execute requests to sign arbitrary payloads. The host CPU cannot extract the private key, but it can use it at will.
The premium Scroll Token addresses this threat by introducing the UX of Consent. Built around a 1.3" high-contrast Sharp Memory LCD and a capacitive touch-to-sign sensor, the device acts as an out-of-band trust screen. The device lifecycle is strictly human-in-the-loop:
The architecture maintains a strict separation of concerns. The host operating system communicates with the RP2350 microcontroller. The RP2350 drives the display and presence sensors, but has no physical ability to read the private key. Key generation and signing are delegated via I2C to the NXP SE050 secure element.
┌─────────────────────────────────────────────┐
│ Your IDE (Cursor / VS Code / JetBrains) │
│ ── speaks MCP ──┐ │
└──────────────────┼────────────────────────────┘
│
┌────────▼─────────┐ grounds agents in
│ Digital Rain │ real, ranked context
│ (MCP + scanner) │
└────────┬─────────┘
│ asks for a signature over a manifest
┌────────▼─────────┐
│ Identity layer │ EmulatedProvider (disk key, today)
│ (Ed25519) │ HardwareProvider (SE050, roadmap)
└────────┬─────────┘
│ sign() — host OS cannot read key
┌────────▼─────────┐
│ Matrix Scroll │ RP2350 MCU + LCD Screen (Consent UI)
│ (Dual-Chip) ├──[I2C]── NXP SE050 (EAL6+ Secure Element)
└──────────────────┘
Digital Rain is a local-first MCP server exposing tools directly to developer editors. It provides lexical indexing using BM25 algorithms, avoiding vector embedding dependencies. For high-security environments, it provides graceful failover from cloud models (Anthropic, Gemini) to local LLM backends (Ollama) to ensure source code never leaves the host machine.
Digital Rain generates release manifests (`manifest.json`) by serializing the output files, the workspace state, and execution parameters. The serialization uses a strict canonical representation (sorted keys, compact delimiters, ASCII escaping) to ensure that verification behaves consistently across Windows, macOS, and Linux platforms.
Our hardware offering features two distinct physical configurations utilizing secure-element isolated cryptography:
| Feature / Spec | Scroll Key ($99) | Scroll Token ($199) |
|---|---|---|
| Secure Element | NXP SE050 (CC EAL6+) | NXP SE050 (CC EAL6+) |
| Controller | USB-C interface bridge | RP2350 microcontroller (isolated from key) |
| Consent Display | None (LED status indicator only) | 1.3" high-contrast Sharp Memory LCD (Mascot Avatar) |
| Presence Check | None (Zero-friction routing) | Capacitive Touch-consent plate |
| Interface | USB-C (Bus-Powered) | USB-C (Bus-Powered) |
| Form Factor | Pocket security key stick | Premium desk companion (black & lime aluminum) |
We align our public claims with the physical realities of the roadmap. The software layer and the emulated signing flow are fully functional today. The physical hardware is in pre-order staging.
| Capability | Status |
|---|---|
| Digital Rain MCP server, project scan, BM25 retrieval | Shipping (Emulated) |
| Anthropic / Gemini / Ollama local offline fallback | Shipping (Emulated) |
| Signed release manifests and verification script | Shipping (Emulated) |
| Scroll Key ($99 USB-C Security Key with NXP SE050) | Pre-order (Target Q3 2026) |
| Scroll Token ($199 Desk Companion with LCD Avatar & RP2350) | Pre-order (Target Q3 2026) |
| Touch-to-sign presence check & avatar consent UI (Scroll Token) | Planned with hardware |
| On-device signing of individual git commits | Roadmap |
Security vendors frequently claim that hardware keys satisfy SOC 2 or ISO 27001 compliance criteria. We clarify that compliance is an organizational certification. Matrix Scroll does not make an organization compliant; rather, it produces immutable, hardware-attested provenance evidence (attesting precisely which physical workstation produced a change). This evidence maps directly onto change management controls (e.g., SOC 2 CC8, SLSA Provenance Levels), facilitating audit proof collection.
By decoupling context indexing from key signing, and verifying user intent via a dedicated secure element key or an interactive LCD consent mascot screen, our hardware lineup establishes a robust trust bridge between AI agent automation and human accountability. Early adopters can integrate the entire software pipeline today using the emulated key provider.
© 2026 SSX 360 Corp. All rights reserved. Registered in Delaware.