--- name: sigma-verification version: 1.2.1 description: Explains what SIGMA is, how to verify AI skill certificates by name or keyword (not just ID), how to check SHA and on-chain status, and how to submit skills for certification. homepage: https://soulbyte.tech metadata: {"category": "security", "api_base": "https://api.soulbyte.tech/api/v1/public"} capabilities: - http-requests externalCalls: - https://api.soulbyte.tech - https://devs.soulbyte.tech --- # SIGMA Verification and Submission ## Skill file | File | URL | |------|-----| | **SKILL.md** (this file) | `https://soulbyte.tech/skill.md` | Re-fetch this file anytime to get the latest version. **Save locally:** ```bash curl -s https://soulbyte.tech/skill.md > SIGMA_SKILL.md ``` ## What SIGMA is SIGMA is the security review and certification protocol built into the Soulbyte platform. Before an AI skill, API, or smart contract can be trusted and used, it must pass an independent security review by a council of Soulbyte validators. When a skill passes that review it receives a certificate. The certificate is tied to the exact version of the code that was submitted — the specific commit SHA at the time of audit. If the code changes, a new submission is required and a new certificate is issued. The old certificate does not transfer. A SIGMA certificate tells you three things: 1. This specific version of this skill was reviewed by an independent council 2. The council found no critical security issues in that version 3. The certificate is publicly verifiable by anyone, right now, with no account required --- ## PART 1 — Verifying a skill ### Step 1: Find the skill by name or keyword (start here) You will rarely know a skill's certificate ID upfront. Always start by searching by name or description keyword. Only fall back to ID lookup if you already have the ID. ``` GET https://api.soulbyte.tech/api/v1/public/certificates?q=KEYWORD&limit=10 ``` Examples: ``` GET https://api.soulbyte.tech/api/v1/public/certificates?q=moltbook&limit=5 GET https://api.soulbyte.tech/api/v1/public/certificates?q=weather+api&limit=5 GET https://api.soulbyte.tech/api/v1/public/certificates?q=social+network&limit=5 ``` The search matches against skill names and descriptions. Pick the most relevant result from the list and use its `id` field for all subsequent calls. If the search returns no results, the skill is not in the SIGMA registry. Do not assume it is safe to use. ### Step 2: Verify the certificate Once you have the ID from the search, call the verify endpoint: ``` GET https://api.soulbyte.tech/api/v1/public/certificates/:id/verify ``` This is the only endpoint you need for a trust decision. It returns the sealed audit result plus computed live fields. **Full response schema:** ```json { "valid": true, "status": "APPROVED", "summary": "Certificate is valid. No open flags. Security level: CLEAR.", "activeFlagCount": 0, "securityLevel": "CLEAR", "sandboxRiskLevel": "LOW", "skillName": "my-skill", "skillVersion": "1.0.0", "certificateIssuedAt": "2026-04-01T10:00:00Z", "roundType": "INITIAL_AUDIT", "retainedWarnings": [], "endpointStatus": "PASSED", "apiDisclaimer": "This skill makes external API calls reviewed by SIGMA validators at submission time. Remote server behaviour, domain ownership, and response content may change after certification.", "manifest": { "externalCalls": ["https://api.example.com"], "capabilities": ["http-requests"] }, "endpointReview": { "observedUrls": ["https://api.example.com/v1/data"], "declaredEndpoints": ["https://api.example.com"] } } ``` **Read these fields in order:** | Field | What it means | |---|---| | `valid` | The only field you need for a go/no-go decision. `true` means APPROVED with no open flags | | `status` | `APPROVED`, `DEPRECATED`, or `SUSPENDED`. Always read this — a revoked certificate shows `SUSPENDED` here | | `summary` | Human and agent readable one-line verdict summary | | `activeFlagCount` | Number of open community flags. Non-zero is a soft warning — surface to the user before invoking | | `securityLevel` | `CLEAR`, `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL`. Retained audit risk level | | `sandboxRiskLevel` | `LOW`, `MEDIUM`, or `HIGH`. Risk level from the pre-council heuristic sandbox | | `skillName` | Name of the certified skill | | `skillVersion` | Version string at the time of certification | | `certificateIssuedAt` | When the certificate was issued | | `roundType` | `INITIAL_AUDIT` or `RE_AUDIT` | | `retainedWarnings` | Findings the council noted but did not block on — review before use | | `endpointStatus` | `PASSED`, `FAILED`, or `NOT_TESTED`. Only present for API and SKILL+API submissions | | `apiDisclaimer` | Present when the submission has outbound API surface. Quote this verbatim to the user | | `manifest` | The capability and external call declarations reviewed during audit | | `endpointReview` | Observed versus declared endpoints from the audit | **Decision rule:** - `valid: true` + `status: APPROVED` = safe to use, subject to any `retainedWarnings` and `apiDisclaimer` - `valid: false` for any reason = do not use, regardless of other fields - `status: SUSPENDED` or `DEPRECATED` = do not use **Example — suspended:** ```json { "valid": false, "status": "SUSPENDED", "summary": "Certificate is suspended. Open flags require review.", "activeFlagCount": 3, "securityLevel": "HIGH" } ``` ### Step 3: Check source integrity and SHA A certificate covers a specific version. If the skill has been updated since certification, the certificate covers the old version, not what you are running. Always check. ``` GET https://api.soulbyte.tech/api/v1/public/certificates/:id/source-integrity ``` This returns the canonical SHA-256 hash of the certified SKILL.md (LF-normalised). Compare it against the hash of your locally installed skill file. A match means you are running the certified version. A mismatch means you are running a different version than what the council reviewed. To compare directly against a GitHub source: ``` POST https://api.soulbyte.tech/api/v1/public/certificates/:id/compare-skill-from-github { "sourceUrl": "https://github.com/author/repo/blob/main/SKILL.md", "sourceRef": "abc123def" } ``` ### Step 4: Check on-chain commitment Every approved certificate is committed to Monad mainnet via the SIGMA certificate registry at: ``` 0x70A66b5C9bD4F01351b41199950bD6449df7EbAe ``` The `onChain` fields appear in the verify response when committed: ```json { "onChain": { "committed": true, "txHash": "0xdeadbeef...", "committedAt": "2026-04-01T10:05:00Z", "registryAddress": "0x70A66b5C9bD4F01351b41199950bD6449df7EbAe" } } ``` If `committed: false`, the certificate exists off-chain but has not yet been written to the registry. This is normal for recently issued certificates — the on-chain commitment is asynchronous. ### Step 5: Check live monitoring status For mutable post-issuance state — monitoring results, open flag count from a live query, view counts: ``` GET https://api.soulbyte.tech/api/v1/public/certificates/:id/live-status ``` Use verify for the sealed audit record and trust decision. Use live-status for freshness after issuance. These two endpoints are intentionally separate so monitoring updates never alter the historical certificate record. ### Critical: certificates can be revoked after issuance Certificate data is immutable once issued. But a certificate can be suspended or revoked after issuance. Never trust a cached verify response. Always re-verify before invocation or on a short TTL. A `valid: false` response overrides anything you previously cached. --- ## PART 2 — Submitting a skill for certification This section is for developers who want to certify their own AI skills or APIs. ### Available submission categories Before submitting, fetch the current available categories: ``` GET https://api.soulbyte.tech/api/v1/sigma/agent/categories ``` Requires `x-agent-session` header (see authentication below). Returns only active categories. Current v1 scope includes SKILL and AUDIT_SKILL product types. API and SKILL+API categories return an error in v1 — use the developer portal at devs.soulbyte.tech for those. ### Authentication — wallet challenge and verify The agent API uses wallet signature authentication. No email, no password. **Step 1 — Get a challenge nonce:** ``` GET https://api.soulbyte.tech/api/v1/sigma/agent/auth/challenge?wallet=0xYourAddress ``` Response: ```json { "nonce": "a3f8c2...", "message": "Sign this message to authenticate with SIGMA Agent API.\n\nWallet: 0xAbc...\nNonce: a3f8c2...\nIssuedAt: 2026-04-10T12:00:00Z" } ``` **Step 2 — Sign the message** using EIP-191 `personal_sign` with your wallet. **Humans:** Chat agents cannot open your wallet for you. Use the official Dev Portal page **[Agent API sign-in](https://devs.soulbyte.tech/agent-sign-in)** — same design as the public landing site, works on mobile and desktop. Paste the full `message` from step 1 (or request a fresh challenge on that page), connect MetaMask / Coinbase Wallet / Rabby, approve **Sign message**, then **Verify & get session** and copy the `sessionToken`. **Automation:** Implement `personal_sign` on the exact `message` string your tool received, then call `/auth/verify` with `wallet`, `nonce`, and `signature`. **Step 3 — Verify the signature:** ``` POST https://api.soulbyte.tech/api/v1/sigma/agent/auth/verify { "wallet": "0xAbc...", "nonce": "a3f8c2...", "signature": "0x..." } ``` Response: ```json { "sessionToken": "f7a3...", "walletAddress": "0xAbc...", "expiresAt": "2026-04-17T12:00:00Z" } ``` Store the `sessionToken`. Include it as `x-agent-session` header on all subsequent authenticated requests. Sessions are valid for 7 days. ### Get a price quote ``` POST https://api.soulbyte.tech/api/v1/sigma/agent/quote { "categoryKey": "skill-md", "voucherCode": "OPTIONAL" } ``` Response includes `priceUsd`, `priceUsdc`, `isFree`, `paymentChain` (base), `paymentToken` (USDC). ### Submit a skill ``` POST https://api.soulbyte.tech/api/v1/sigma/agent/submit { "categoryKey": "skill-md", "sourceUrl": "https://github.com/author/repo/blob/main/SKILL.md", "sourceRef": "abc123def", "skillMdContent": "--- optional if sourceUrl provided ---", "developerAdvisoryNote": "Optional context for the council", "idempotencyKey": "generate-a-uuid-v4-here" } ``` **If submission is free:** returns `201` immediately with `submissionId`. **If submission requires payment:** - First response: `402 Payment Required` with `PAYMENT-REQUIRED` header containing base64 x402 payment details - Pay USDC on Base using the payment details - Retry the same request with the `payment-signature` header containing the x402 proof - Second response: `201` with `submissionId` **Always generate a fresh `idempotencyKey` (UUID v4) per new submission attempt. Reuse the same key when retrying after payment — never generate a new one for a retry of the same submission.** ### Poll for audit result ``` GET https://api.soulbyte.tech/api/v1/sigma/agent/submissions/:id ``` Poll every 30 seconds. Typical audit time: 30 minutes to 2 hours. | Status | Meaning | |--------|---------| | `PENDING_SANDBOX` | Queued for heuristic sandbox analysis | | `SANDBOX_FAILED` | Sandbox found blocking issues | | `PENDING_AUDIT` | Passed sandbox, queued for validator council | | `IN_AUDIT` | Council actively reviewing | | `APPROVED` | Certificate issued — see `certificate` field in response | | `REJECTED` | Council rejected — see `freeResubmissionsLeft` and `rejectionSummary` | | `ESCALATED` | Split vote or high-risk signals — requires human review | When `APPROVED`, the response includes: ```json { "certificate": { "certificateIssuedAt": "2026-04-10T14:22:00Z", "certificatePayloadHash": "0x1a2b...", "certifiedVersion": "1.0.0", "onChain": { "committed": true, "txHash": "0xdeadbeef...", "registryAddress": "0x70A66b5C9bD4F01351b41199950bD6449df7EbAe" }, "verifyUrl": "https://api.soulbyte.tech/api/v1/public/certificates/:id/verify" } } ``` ### Resubmission after rejection When `REJECTED`, check `freeResubmissionsLeft` in the response. **Free resubmission (when `freeResubmissionsLeft > 0`):** ``` POST https://api.soulbyte.tech/api/v1/sigma/agent/submissions/:id/resubmit { "idempotencyKey": "new-uuid-for-this-resubmit", "sourceUrl": "https://github.com/author/repo/blob/main/SKILL.md", "sourceRef": "newcommitsha", "developerAdvisoryNote": "Removed undeclared shell execution from setup section" } ``` Returns a **new `submissionId`** — the resubmission is a new row linked to the original via `originalSubmissionId`. Poll the new ID for the result. **Paid resubmission (when `freeResubmissionsLeft = 0`):** Same x402 payment flow as initial submit, with a reduced price based on the category's version update multiplier. **Content must be different.** Submitting identical content to a previous submission returns `409 duplicate_content`. ### List your submissions ``` GET https://api.soulbyte.tech/api/v1/sigma/agent/submissions?limit=20&status=APPROVED ``` ### Common rejection patterns and fixes | What the council found | What to change | |---|---| | Shell execution in source | Remove from runtime code. Keep only in documentation sections. | | Undeclared external hosts | Add all outbound URLs to `manifest.externalCalls` | | Source-manifest mismatch | Ensure declared capabilities match what the code actually does | | Prompt injection signals | Remove any text that attempts to override reviewer instructions | | Credential exfiltration signals | Remove any code that reads environment variables and sends them outbound | --- ## PART 3 — Flagging a skill If you discover a security issue in a certified skill: ``` POST https://api.soulbyte.tech/sigma/v1/certificates/:id/flag ``` Include your EVM wallet address in the request body. Confirmed flags that lead to certificate suspension qualify for the platform bug bounty programme — rewards are distributed in SBYTE to the wallet address you provide. Open flags appear in the `activeFlagCount` field of every verify response. --- ## Quick reference ### Verification (no auth required) | Action | Endpoint | |---|---| | Search by name or keyword (start here) | `GET /api/v1/public/certificates?q=keyword&limit=10` | | Trust decision | `GET /api/v1/public/certificates/:id/verify` | | Live monitoring and flag state | `GET /api/v1/public/certificates/:id/live-status` | | Source integrity and SHA check | `GET /api/v1/public/certificates/:id/source-integrity` | | Compare against GitHub source | `POST /api/v1/public/certificates/:id/compare-skill-from-github` | | Full certificate record | `GET /api/v1/public/certificates/:id` | | Skill store index (agent discovery) | `GET https://soulbyte.tech/.well-known/skill-store` | | Flag a skill (EVM wallet for bounty) | `POST /sigma/v1/certificates/:id/flag` | | Full agent guide | `GET /api/v1/public/agent-guide` | | OpenAPI spec | `GET https://soulbyte.tech/.well-known/openapi.json` | ### Submission (x-agent-session required) | Action | Endpoint | |---|---| | Get challenge nonce | `GET /api/v1/sigma/agent/auth/challenge?wallet=0x...` | | Sign in browser (humans) | `https://devs.soulbyte.tech/agent-sign-in` | | Verify signature and get session | `POST /api/v1/sigma/agent/auth/verify` | | List available categories | `GET /api/v1/sigma/agent/categories` | | Get price quote | `POST /api/v1/sigma/agent/quote` | | Submit skill | `POST /api/v1/sigma/agent/submit` | | Poll submission status | `GET /api/v1/sigma/agent/submissions/:id` | | Resubmit after rejection | `POST /api/v1/sigma/agent/submissions/:id/resubmit` | | List your submissions | `GET /api/v1/sigma/agent/submissions` | All verification endpoints are public. No authentication required. No account needed. Developer portal: https://devs.soulbyte.tech Certificate browser: https://soulbyte.tech/verify Long-form documentation: https://docs.soulbyte.tech/sigma