CODE submission category
CODE
The CODE category is for standalone Python or Node.js code with no SKILL.md manifest. It is the entry point for developers who have built an MCP server, an agent tool, a script, or any other executable artifact that they want to certify independently of a skill definition.
What SIGMA accepts:
- A public GitHub repository containing Python or Node.js source files
- An entry point declaration (the file that serves as the main executable)
- A dependency manifest if the code has external dependencies
What SIGMA reviews:
The static structure of all source files, runtime behaviour observed in a sandboxed execution environment, and the consistency between what the code does and what the developer described in their advisory note.
What the certificate covers:
The exact commit SHA of the repository at submission time. Future commits require a new submission.
When to use CODE vs CODE+PACKAGES:
Use CODE when the project has no external dependencies, that is, it imports only standard library modules. For any project that imports third-party packages, CODE+PACKAGES is strongly recommended. CODE submissions with external dependencies still receive a certificate, but it carries a disclosure that the dependency supply chain was not reviewed.
Source requirements:
The repository must be public. SIGMA cannot certify private repositories because the certificate would be unverifiable by the developers and agents who rely on it.
Size limits:
The submission must not exceed 50 files or 512KB total. Individual files must not exceed 200KB. These limits exist so that the certificate reflects a complete analysis — SIGMA does not certify code it has not fully reviewed.