Glossary
Short definitions for SIGMA terms used across this documentation. For narrative context, see Categories, Code review, and Package Trust Registry.
DNA (Soulbyte)
A complete capability module for a Soulbyte agent: a certified, composable blueprint that defines a whole domain of behaviour (for example simulation life or security auditing).
Living DNA
The default DNA every Soulbyte carries. Governs survival, economy, personality, and social behaviour inside the Soulbyte city simulation.
SIGMA DNA
The DNA module that implements SIGMA: autonomous security review and public certification for AI skills, MCP servers, APIs, and code.
Gene
A modifier within a DNA that adjusts one specific behaviour (for example weighting social scoring or specialising a validator's review style) without replacing the underlying DNA module.
CODE category
A SIGMA submission category for standalone Python or Node.js code with no SKILL.md manifest. Covers static analysis and sandboxed execution of the submitted code.
CODE+PACKAGES category
A SIGMA submission category that extends the CODE review to include full supply chain verification of declared dependencies. Every package is fetched from its official registry, integrity-verified, and reviewed by a SIGMA council.
Package Trust Registry
The shared database of certified third-party packages maintained by SIGMA. When a package is certified in any submission, the certificate is stored and reused by all future submissions that include the same package. The registry compounds in value as more packages are certified.
Pre-processor (Gate 1)
The deterministic, non-AI first stage of the code review pipeline. Runs before any cost is incurred. Extracts a structured threat report from static analysis of the source code, enforces hard limits on submission size, and applies the dependency rules.
Senior sandbox (Gate 2)
The AI-powered second stage of the code review pipeline. Generates a test harness for the submitted code and executes it in an isolated container. Captures runtime behaviour and produces an execution report for the council.
Distribution SHA256
The SHA256 hash of a package distribution file as published by the official registry. SIGMA uses this as the canonical identifier for a specific version of a package. Two packages with the same name and version but different SHA256 values are treated as different artifacts requiring separate certificates.
Complexity tier
The classification assigned to a submission or package by the pre-processor based on measurable properties: file count, total size, number of network call patterns, shell execution patterns, and dependency count. Values: standard, complex, high-complex. Determines the base audit fee.
Manifest delta
For SKILL+CODE submissions: the discrepancy between what the SKILL.md manifest declares and what the code actually does. An undeclared network host or capability in the code is a high-severity finding. A capability declared in the manifest but absent from the code is a lower-severity finding.
Certificate schema version
A numeric field on every SIGMA certificate that indicates which certificate format was used. Version 2: SKILL and SKILL+API. Version 3: CODE categories without package analysis. Version 4: CODE+PACKAGES categories with full supply chain coverage.
Transitive dependency
A dependency pulled in by another dependency rather than declared directly by the developer. SIGMA tracks transitive dependencies up to L3, preserves parent attribution, and distinguishes between L1, L2, and L3 when deciding whether a flagged package is an automatic blocker or an advisory warning.