sign_action
Sign an action envelope with an Ed25519 identity to create verifiable provenance for CI, IaC, DB migrations, API calls, contract deploys, or agent delegation.
Instructions
Sign a universal provenance action envelope with the active Ed25519 identity.
Use for CI steps, IaC changes, DB migrations, API calls, contract deploys,
release manifests, or agent delegation grants. Typed actions (ci_step, etc.)
validate payload fields before signing. Side effects: writes `save_path` when set.
Returns `{ok, signed, device_id, mode}` with the RFC 8032 signature block attached.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| payload | Yes | JSON object to sign. Keys are canonicalized before Ed25519 signing per SPEC.md §4. Do not include a top-level signature block. | |
| key_path | No | Optional override for the Matrix Scroll identity store directory (defaults to MATRIXSCROLL_HOME or ~/.matrixscroll). Use for CI ephemeral keys. | |
| save_path | No | Optional file path to write the signed document. When empty, returns JSON only. | |
| action_type | Yes | Provenance action type: git_commit, ci_step, iac_change, db_migration, api_call, contract_deploy, or custom labels for evidence packs. Typed actions validate required payload fields per schemas/action-envelope.v1.json. | |
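
The `payload` row above says keys are canonicalized before signing and that a top-level signature block must not be supplied. The sketch below is an added example, not Matrix Scroll code: it shows why that matters by signing a canonical form with Node's built-in Ed25519 and verifying a reordered and a tampered copy. The canonical form (recursively sorted keys, compact JSON), the envelope layout, the function names and the sample `ci_step` fields are assumptions standing in for SPEC.md §4 and schemas/action-envelope.v1.json.

```javascript
// Added illustration; not the tool's implementation. Canonical form is an assumption.
const crypto = require('node:crypto');

// Serialize with keys sorted at every level so key order cannot change the signed bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Hypothetical envelope layout: {action_type, payload, signature: {alg, value}}.
function signEnvelope(actionType, payload, privateKey) {
  // A caller-supplied signature block would be ambiguous, so refuse it before signing.
  if (Object.prototype.hasOwnProperty.call(payload, 'signature')) {
    throw new Error('payload must not carry a top-level signature block');
  }
  const body = { action_type: actionType, payload };
  const sig = crypto.sign(null, Buffer.from(canonicalize(body), 'utf8'), privateKey);
  return { ...body, signature: { alg: 'Ed25519', value: sig.toString('base64') } };
}

// Verify against a public key the verifier already trusts, never one taken from the envelope.
function verifyEnvelope(envelope, trustedPublicKey) {
  const { signature, ...body } = envelope;
  if (!signature || signature.alg !== 'Ed25519') return false;
  return crypto.verify(null, Buffer.from(canonicalize(body), 'utf8'),
    trustedPublicKey, Buffer.from(signature.value, 'base64'));
}

// Constructed sample: ephemeral key pair and a made-up ci_step payload.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const signed = signEnvelope('ci_step', { step: 'build', commit: 'abc123' }, privateKey);
  const reordered = {
    signature: signed.signature,
    payload: { commit: 'abc123', step: 'build' },
    action_type: 'ci_step',
  };
  const tampered = { ...signed, payload: { ...signed.payload, step: 'deploy' } };
  return {
    original: verifyEnvelope(signed, publicKey),
    reordered: verifyEnvelope(reordered, publicKey),
    tampered: verifyEnvelope(tampered, publicKey),
  };
}
```
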
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |