Identity And Hashing

Public contract for stable skill IDs, removed rows, and content hashes.

Stable Skill IDs

skill_id is the stable identifier Sigildex assigns to a skill row. When the same source is re-indexed, the existing UUID is carried forward. A skill can move through many scans and safety verdicts without changing skill_id.

If a row is no longer in the served index, /inspect returns 404 NOT_FOUND. /verify is an oracle-style lookup: for removed or unknown content it returns HTTP 200 with {"matched": false, "verification": "unknown"}.

Content Hash Recipe

All public hashes use lowercase sha256:<hex>.

• GitHub rows: content_hash is the SHA-256 digest of the raw SKILL.md file bytes at the pinned commit, including frontmatter. Use the bytes as fetched; do not trim, normalize newlines, or parse frontmatter before hashing.
• ClawHub rows: content_hash is the SHA-256 digest of the served SKILL.md content returned by Sigildex.

Reference Snippet

import { createHash } from "node:crypto";

export function sigildexContentHash(bytes) {
  return "sha256:" + createHash("sha256").update(bytes).digest("hex");
}

For GitHub, pass the raw file bytes from the pinned commit. For ClawHub, pass the served content bytes exactly as returned.

Pin And Verify

/inspect.pin returns {skill_id, source_url, content_hash, commit_sha, verdict, audited_at}. Store that object next to the installed skill. On load or in CI, call /verify with content_hash, source_url, or both. If both are supplied, the source URL is resolved first and the hash is checked against the matched row.