verify_envelope
Verify signed commit envelopes offline using Ed25519 rules, applying trusted keys, mode filters, actor policies, and expiry checks to enforce team trust policies.
Instructions
Verify one signed commit envelope offline against RFC 8032 Ed25519 rules.
Read-only: no network or hosted API required. Provide ``commit_sha`` for the
default on-disk envelope, or ``envelope`` / ``envelope_path`` for an explicit
JSON file from CI or audit export. Apply ``trusted_keys``, ``require_mode``,
and actor policy lists to enforce team trust rules. Set ``check_expiry`` to
reject stale agent delegations.
Returns ``{ok, sha, actor_type, mode, ...}``; ``ok`` is false on signature,
policy, expiry, or missing-envelope errors.
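The order of checks described above, sketched in Go with only the standard library; this is an added example, not the tool's own code. The ``Envelope`` and ``Policy`` shapes, the ``SignedBytes`` encoding and the ``<commit-sha>`` placeholder are assumptions, and unlike the optional ``trusted_keys`` parameter the sketch always requires a pinned key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"time"
)

// Envelope and Policy are hypothetical shapes, not the tool's real schema.
type Envelope struct {
	SHA, ActorType, Mode, ExpiresAt string // ExpiresAt is RFC 3339 UTC, "" if none
	PublicKey, Signature            []byte
}
type Policy struct {
	TrustedKeys, DenyActors, RequireActors map[string]bool // TrustedKeys: base64 public keys
	RequireMode                            string
	CheckExpiry                            bool
}

// SignedBytes is an assumed canonical encoding of the fields the signature covers.
func SignedBytes(e Envelope) []byte { return []byte(e.SHA + "\n" + e.ActorType + "\n" + e.Mode + "\n" + e.ExpiresAt) }

// Verify fails closed: it returns the first failing check, or nil when all pass.
func Verify(e Envelope, p Policy, now time.Time) error {
	exp, err := time.Parse(time.RFC3339, e.ExpiresAt)
	switch {
	// ed25519.Verify panics on a wrong-length key, so the length is checked first.
	case len(e.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(e.PublicKey, SignedBytes(e), e.Signature):
		return fmt.Errorf("signature invalid")
	case !p.TrustedKeys[base64.StdEncoding.EncodeToString(e.PublicKey)]:
		return fmt.Errorf("signing key not trusted")
	case p.RequireMode != "" && e.Mode != p.RequireMode:
		return fmt.Errorf("mode %q, want %q", e.Mode, p.RequireMode)
	case p.DenyActors[e.ActorType] || (len(p.RequireActors) > 0 && !p.RequireActors[e.ActorType]):
		return fmt.Errorf("actor_type %q rejected by policy", e.ActorType)
	case p.CheckExpiry && e.ExpiresAt != "" && (err != nil || !now.Before(exp)):
		return fmt.Errorf("delegation expired or unparseable: %q", e.ExpiresAt)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key
	e := Envelope{SHA: "<commit-sha>", ActorType: "agent", Mode: "emulated", PublicKey: pub}
	e.Signature = ed25519.Sign(priv, SignedBytes(e))
	p := Policy{TrustedKeys: map[string]bool{base64.StdEncoding.EncodeToString(pub): true}, RequireMode: "hardware"}
	fmt.Println(Verify(e, p, time.Now())) // fails on the mode policy
}
```

Because mode, actor type and expiry are inside the signed bytes, editing any of them after signing fails at the signature step before a policy check is reached.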
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| envelope | No | Path to a commit envelope JSON file to verify. Alias for envelope_path; use when importing bundles from CI artifacts or audit exports. | |
| workspace | No | Git repository root. Empty auto-detects from the working directory. | |
| commit_sha | No | Commit SHA whose local envelope file should be verified offline. | |
| check_expiry | No | When true, reject envelopes whose signed delegation or agent-scope manifest includes an expired ``expires_at`` timestamp (ISO 8601 UTC). | |
| require_mode | No | Policy filter on signature mode, e.g. emulated or hardware. Empty skips mode enforcement. | |
| trusted_keys | No | Path to a JSON policy file listing trusted Ed25519 public keys (device_id or base64 public keys). Alias for trusted_keys_file. | |
| envelope_path | No | Optional explicit path to an envelope JSON file instead of the default ``.matrixscroll/envelopes/<sha>.json`` location. | |
| deny_actor_types | No | If set, fail verification when provenance.actor_type matches any denied value. | |
| trusted_keys_file | No | Path to a JSON policy file listing trusted Ed25519 public keys. | |
| require_actor_types | No | If set, fail verification unless provenance.actor_type is in this list. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |