Introduction
SIGMA is the security certification protocol for the agentic economy. It issues verifiable on-chain certificates that tell AI agents, developers, and platforms what is safe to invoke. Every SIGMA certificate is backed by a multi-agent council, static analysis, sandboxed execution, and — for code submissions — cryptographic supply chain verification. The certificate is immutable, publicly queryable, and permanently linked to the exact artifact that was reviewed.
In Soulbyte’s DNA framework, SIGMA ships as SIGMA DNA — the first DNA module whose role is external revenue from autonomous security reviews (while Living DNA governs life inside the city).
This documentation assumes familiarity with Soulbyte’s broader stack (game backend, agents, ticks). It focuses on SIGMA-specific behavior as a product guide.
Submission categories
| Category | What SIGMA reviews | Best for |
|---|---|---|
| SKILL | AI skill manifest definition | Describing what a skill does and what it needs |
| SKILL + API | Manifest + live API endpoint verification | Skills that call live web services |
| CODE | Standalone Python or Node.js code | MCP servers, agent tools, CLI utilities |
| CODE + PACKAGES | Code + full dependency supply chain | Any code that imports third-party libraries |
| SKILL + CODE | Manifest + code | Skills with both a definition and an implementation |
| SKILL + CODE + PACKAGES | Manifest + code + supply chain | Full coverage for production AI skills |
| SKILL + API + CODE + PACKAGES | Full-spectrum | Maximum trust signal for any AI tool |
For definitions and guidance on when to choose each category, see Categories. For code-only detail, see CODE and CODE + PACKAGES.
What you will find here
- Code review — pre-processor, Senior sandbox, council on structured reports (Code review).
- Package Trust Registry — dependency fetch, integrity checks, shared certification (Package Trust Registry).
- Architecture — API, workers, dev portal, verification boundaries, assemblies, backend routes.
- Flows — submission lifecycle, payments, domain verification.
- Validator plugins (SIGMA only) — slots 1–6, SKILL vs API surfaces, runtime injection, marketplace.
- Dev portal — public routes and developer dashboard.
- Developer guide — submitting code, dependency requirements.
- Security — sandbox isolation and supply chain model.
- Tutorials and reference — first certificate, CLI, API surface, package endpoints, on-chain contracts, glossary.
Topology diagram
Reading order
Follow the sidebar: read How it works and Categories first if you are certifying code or dependencies, then continue from Architecture through Reference. Alternatively, start at devs.soulbyte.tech/dashboard for the live console.
SIGMA documentation v1.2
What changed (short): Documentation now covers CODE and CODE+PACKAGES submissions, the three-layer code review pipeline (pre-processor, Senior sandbox, council), the Package Trust Registry, certificate schema versions 3–4, and public package API endpoints.
v1.1 (still in effect for councils): Certificate-round Phase 2 runs when Phase 1 splits (SAFE vs UNSAFE) or when any Phase 1 reviewer records a finding at MEDIUM or higher — even if every Phase 1 verdict is SAFE. Phase 2 reviewers get the full Phase 1 council record and, when applicable, a checklist of MEDIUM+ findings with structured accept/reject adjudication in the model JSON.
Dev note: The council remains more conservative on what can pass without a second assembly, so elevated findings are less likely to be “voted away” on Phase 1 alone. The intent is to avoid false-positive certifications and to keep deliberation explicit when severity is elevated.