Skip to main content
Glama

verify_envelope

Verify signed commit envelopes offline using Ed25519 rules, applying trusted keys, mode filters, actor policies, and expiry checks to enforce team trust policies.

Instructions

Verify one signed commit envelope offline against RFC 8032 Ed25519 rules.

Read-only: no network or hosted API required. Provide ``commit_sha`` for the
default on-disk envelope, or ``envelope`` / ``envelope_path`` for an explicit
JSON file from CI or audit export. Apply ``trusted_keys``, ``require_mode``,
and actor policy lists to enforce team trust rules. Set ``check_expiry`` to
reject stale agent delegations.

Returns ``{ok, sha, actor_type, mode, ...}``; ``ok`` is false on signature,
policy, expiry, or missing-envelope errors.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
envelopeNoPath to a commit envelope JSON file to verify. Alias for envelope_path; use when importing bundles from CI artifacts or audit exports.
workspaceNoGit repository root. Empty auto-detects from the working directory.
commit_shaNoCommit SHA whose local envelope file should be verified offline.
check_expiryNoWhen true, reject envelopes whose signed delegation or agent-scope manifest includes an expired ``expires_at`` timestamp (ISO 8601 UTC).
require_modeNoPolicy filter on signature mode, e.g. emulated or hardware. Empty skips mode enforcement.
trusted_keysNoPath to a JSON policy file listing trusted Ed25519 public keys (device_id or base64 public keys). Alias for trusted_keys_file.
envelope_pathNoOptional explicit path to an envelope JSON file instead of the default ``.matrixscroll/envelopes/<sha>.json`` location.
deny_actor_typesNoIf set, fail verification when provenance.actor_type matches any denied value.
trusted_keys_fileNoPath to a JSON policy file listing trusted Ed25519 public keys.
require_actor_typesNoIf set, fail verification unless provenance.actor_type is in this list.

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault

No arguments

Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations provided, so description carries full burden. Discloses read-only offline behavior, explains return format including error conditions (signature, policy, expiry, missing-envelope), and parameter effects. No contradictions.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Concise paragraph front-loading purpose, then parameter guidance, then return description. Every sentence adds value, no unnecessary words. Well-structured for quick agent comprehension.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given 10 parameters and no annotations, description covers main use cases, return value, and error conditions. Could detail more edge cases, but with output schema existing, it is sufficiently complete. Mention of return tuple helps.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, baseline 3. Description adds meaning by grouping parameters, explaining usage contexts (default vs explicit envelope), and clarifying policy filters. Provides context beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: verify one signed commit envelope offline using RFC 8032 Ed25519. It uses a specific verb+resource and distinguishes from siblings like verify_pr_range and create_envelope by specifying offline single-envelope verification.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Describes when to use different parameter combinations (commit_sha for default envelope, envelope/envelope_path for explicit files) and states it works offline without network API. Could be more explicit about when to use this vs verify_pr_range (batch), but context is clear.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/SSX360/matrixscroll'

If you have feedback or need assistance with the MCP directory API, please join our Discord server