Developer guide

Submitting code for review

Before you submit

Repository layout, manifests, and studio fields (Python / Node / shell / skill / API) are summarized in Preparing your submission.

Make your repository public. SIGMA only certifies code from public repositories. The certificate would be meaningless if the code being certified could not be inspected by the developers and agents relying on it.

Declare versioned dependencies from public registries. Exact pins are accepted directly. Public-registry ranges are also accepted when SIGMA can resolve them to one exact version at quote / submission time. For Python, both requests==2.31.0 and requests>=2.30.0 can work; for Node.js, both "axios": "1.6.7" and "axios": "^1.6.0" can work. The certificate then discloses the declared spec and the exact audited version.

Keep your repository within size limits. The submission must not exceed 50 files or 512KB total. Test files, example directories, and documentation that do not affect the skill's behaviour should be excluded or placed in directories that are not part of the submission.

Write a clear advisory note. The developer advisory note is your opportunity to explain to the council what your code does, what permissions it requires, and why any sensitive patterns such as shell access, environment variable reads, outbound network calls, or a flagged third-party package are safe in your implementation. A clear advisory note leads to a faster and more accurate verdict.


Choosing the right category

No external dependencies -> CODE

If your project uses only standard library modules and has no requirements.txt or an empty one, choose CODE.

External dependencies -> CODE + PACKAGES

If your project imports any third-party packages, choose CODE + PACKAGES. This is the recommended path for all real-world projects. The first time you submit with a given dependency set, the packages are audited and certified. Future submissions using the same packages are faster and cheaper because the package certificates are reused.

SKILL.md in the same repository -> SKILL + CODE + PACKAGES

If your repository contains both a SKILL.md manifest and implementation code, choose SKILL + CODE + PACKAGES. SIGMA will review both the manifest and the code, cross-reference them for consistency, and issue a certificate covering both.

Category overview: Categories.


The submission process

Step 1 - Select your category

In the developer portal, open the submission studio and select the appropriate category from the list. If you select a CODE category without packages but SIGMA detects a non-empty dependency manifest in your repository during source fetch, the studio will display a recommendation to switch to CODE + PACKAGES.

Step 2 - Enter your repository URL and entry point

Paste the GitHub repository URL and specify the entry point: the file that serves as the main executable (for example, src/main.py or index.js). The entry point must be a relative path within the repository.

Step 3 - Review the package preview (CODE+PACKAGES only)

For CODE+PACKAGES submissions, the studio fetches your dependency manifest and checks each package against the Package Trust Registry. The quote step shows an itemised breakdown: which packages are already certified (free), which will be audited as part of this submission (charged), which dependencies were flagged previously, and the total cost including any savings from the registry.

Step 4 - Write your advisory note

Describe what your code does, what external services it calls, what environment variables it reads and why, and any patterns that might appear sensitive but are expected and safe in your implementation.

Step 5 - Submit

Once you confirm the quote, the submission enters the audit pipeline. You will receive a notification when the verdict is ready.


What happens after you submit

For CODE submissions:

The pre-processor runs immediately and either rejects the submission with a clear error (oversized, no executable files, entry point not found) or passes it to the Senior sandbox and council pipeline. The full review typically completes within 15-30 minutes depending on queue depth and code complexity.
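A local pre-flight check that mirrors the three pre-processor rejections listed above, the 50-file / 512KB limit, the relative entry point rule, and the category guidance from earlier sections, as an added example and not SIGMA's own tooling; the excluded-directory list, the executable-suffix heuristic, and the sample repository it builds are assumptions.

```python
import os
import tempfile

MAX_FILES, MAX_BYTES = 50, 512 * 1024   # limits stated in the guide
EXCLUDED_DIRS = {"tests", "examples", "docs", ".git"}   # assumed: not part of the submission
EXEC_SUFFIXES = (".py", ".js", ".sh")   # assumed heuristic for "executable files"

def _submitted_files(root):
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            yield os.path.join(dirpath, name)

def _has_packages(root):
    # True if requirements.txt declares at least one package (comments ignored).
    req = os.path.join(root, "requirements.txt")
    if not os.path.isfile(req):
        return False
    with open(req) as fh:
        return any(line.split("#")[0].strip() for line in fh)

def preflight(root, entry_point):
    """Mirror the pre-processor rejections and suggest a category."""
    files = list(_submitted_files(root))
    errors = []
    if len(files) > MAX_FILES or sum(os.path.getsize(f) for f in files) > MAX_BYTES:
        errors.append("oversized")
    if not any(f.endswith(EXEC_SUFFIXES) for f in files):
        errors.append("no executable files")
    # The entry point must be a relative path that exists inside the repository.
    parts = entry_point.replace("\\", "/").split("/")
    if (os.path.isabs(entry_point) or ".." in parts
            or not os.path.isfile(os.path.join(root, *parts))):
        errors.append("entry point not found")
    category = "CODE + PACKAGES" if _has_packages(root) else "CODE"
    if os.path.isfile(os.path.join(root, "SKILL.md")):
        category = "SKILL + CODE + PACKAGES"
    return {"errors": errors, "category": category, "files": len(files)}

def build_sample_repo():
    """Constructed sample: a small Python project with one exact pin."""
    root = tempfile.mkdtemp()
    sample = {"src/main.py": "import requests\n",
              "requirements.txt": "requests==2.31.0\n",
              "tests/test_main.py": "def test(): pass\n"}   # tests/ is excluded
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run `preflight(build_sample_repo(), "src/main.py")` to see an empty error list and a CODE + PACKAGES suggestion; an absolute or `..`-containing entry point is reported as not found, just as the pre-processor would.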

For CODE+PACKAGES submissions:

Package audits run in parallel before the code review begins. Packages already in the registry are resolved instantly. New packages enter the fetch and audit queue. Once all direct dependencies are resolved, the code review begins. SIGMA may also expand and audit transitives up to L3 before the council reaches a verdict. For projects with commonly used, already-certified packages, this adds minimal time. For projects with novel or unusual dependencies, additional time is required for each package audit.

Blocked direct and L1 dependencies stop the submission before code review continues. Blocked L2/L3 transitives are shown to the council as advisory warnings instead of automatic blockers.


Resubmissions

If your submission is rejected, SIGMA provides free resubmissions while you iterate. The first five rejections for a CODE category submission are free. After that, resubmissions are charged at a reduced rate.

When you resubmit, the full pipeline re-runs. Package complexity is re-evaluated from the new pre-processor output, so if you simplify your dependency set, the new complexity tier is used for pricing. Packages that were certified in your first submission remain certified and are free on resubmission.

Related: Dependency requirements, Code review, Developer dashboard.