SoulbyteSigmaSchoolChangelogs
Certificates

Code certificate structure

What a code certificate contains

A SIGMA code certificate extends the base certificate structure with fields specific to code review. This page describes the additional blocks and what they mean. For the end-to-end lifecycle, see Submission and audit and Code review.

Code review block

Every code certificate includes a codeReview block with the following information:

Source integrity

  • The GitHub repository URL reviewed
  • The exact Git commit SHA at the time of submission
  • The programming language detected
  • The declared entry point
  • A deterministic SHA256 hash of all files included in the review, computed using a documented algorithm that any developer can reproduce locally

Pre-processor summary

  • The complexity tier assigned (standard, complex, or high-complex)
  • The total number of files analysed
  • Whether all dependencies were pinned
  • For SKILL+CODE: the list of network hosts or capabilities present in the code but not declared in SKILL.md, and vice versa

Execution summary

  • Whether sandboxed execution completed successfully, was skipped, or encountered an error
  • If skipped: the reason
  • The number of network connection attempts intercepted during execution
  • The number of process spawn attempts intercepted
  • The Senior's plain-language description of what the code did during execution
  • Any risk flags from execution that the council retained at HIGH or CRITICAL severity

Disclaimer

Every code certificate includes a disclaimer stating that the certificate covers the code at the specified commit SHA, does not extend to future versions or forked copies, and that sandboxed execution used mock environment variables rather than live credentials, meaning the certificate reflects behaviour under test conditions, not necessarily every possible live deployment configuration.

Package analysis block (CODE+PACKAGES only)

Certificate schema version 4 certificates include an additional packageAnalysis block:

Summary counts

  • Total direct dependencies declared
  • Number served from the Package Trust Registry cache (previously certified)
  • Number audited as part of this submission
  • Number uncertified (could not be resolved, were beyond the transitive audit cap, or were too large for full analysis)
  • Cost saved by the registry cache in USD

Per-package entries

For each dependency row captured in the package tree:

  • Package name, exact audited version, and when applicable the originally declared dependency spec
  • Registry source (PyPI or npm)
  • Dependency depth (DIRECT, TRANSITIVE_L1, TRANSITIVE_L2, TRANSITIVE_L3)
  • Parent attribution for transitives
  • Distribution SHA256
  • Certification status (certified from cache, audited this submission, uncertified)
  • Security level (CLEAR, MONITORED, CAUTION, or BLOCKED)
  • Any warnings retained from the council review

Transitive disclosure

  • Number of transitive dependencies checked at L1, L2, and L3
  • Number of those that are not yet certified in the registry
  • Which blocked transitives were treated as advisory-only because they were deeper than L1

Disclosure

The package analysis block includes a disclosure that the analysis covers direct dependencies and transitive dependencies up to L3, that compiled binary extensions are flagged but not decompiled, and that the transitive graph is intentionally capped rather than expanded without bound.

Certificate schema versions

VersionApplies to
2SKILL and SKILL+API submissions
3CODE, SKILL+CODE, and SKILL+API+CODE submissions
4CODE+PACKAGES, SKILL+CODE+PACKAGES, SKILL+API+CODE+PACKAGES submissions

Consumers of the certificate API can use certificateSchemaVersion to detect which blocks are present and handle them correctly.

Verification

Code integrity verification

The certificate includes a codeFilesHash computed using the sha256-sorted-files-v1 algorithm: all files included in the audit are sorted alphabetically by path, each file's path and its own SHA256 are concatenated in order, and the resulting string is hashed. This is reproducible by anyone with access to the repository at the certified commit. The verification endpoint at /api/v1/public/certificates/:id/source-integrity accepts a hash computed locally and confirms whether it matches the certified value.

On-chain verification

The certificate payload, including the code review block and package analysis block, is hashed using keccak256 and committed to the SIGMA certificate registry contract on Monad. The transaction hash is included in the certificate. Anyone can verify that the on-chain hash matches the certificate JSON by recomputing the hash from the certificate fields.

See also: Verification and trust boundaries, On-chain contracts, API surface.

Sigma documentation v1.2GitHub / Skill ↗