# Verification

> Public contract for stable skill IDs, removed rows, and content hashes.

These fields are produced by the endpoints in the [Reference](https://sigildex.ai/docs/api): see [`/inspect`](https://sigildex.ai/docs/api#post-inspect) for `source.content_hash`, `safety.audited_content_hash`, and `pin`, and [`/verify`](https://sigildex.ai/docs/api#get-verify) for the lookup response.

## Stable Skill IDs

`skill_id` is the stable identifier Sigildex assigns to a skill row. When the same source is re-indexed, the existing UUID is carried forward. A skill can move through many scans and safety verdicts without changing `skill_id`.

If a row is no longer in the served index, `/inspect` returns `404 NOT_FOUND`. `/verify` is an oracle-style lookup: for removed or unknown content it returns HTTP 200 with `{"matched": false, "verification": "unknown"}`.

## Content Hash Recipe

All public hashes use lowercase `sha256:<hex>`.

- GitHub rows: `content_hash` is the SHA-256 digest of the raw SKILL.md file bytes at the pinned commit, including frontmatter. Use the bytes as fetched; do not trim, normalize newlines, or parse frontmatter before hashing.
- ClawHub rows: `content_hash` is the SHA-256 digest of the served SKILL.md content returned by Sigildex.

## Reference Snippet

```js
import { createHash } from "node:crypto";

export function sigildexContentHash(bytes) {
  return "sha256:" + createHash("sha256").update(bytes).digest("hex");
}
```

For GitHub, pass the raw file bytes from the pinned commit. For ClawHub, pass the served content bytes exactly as returned.

## Pin And Verify

`/inspect.pin` returns `{skill_id, source_url, content_hash, commit_sha, verdict, audited_at}`. Store that object next to the installed skill. On load or in CI, call `/verify` with `content_hash`, `source_url`, or both. If both are supplied, the source URL is resolved first and the hash is checked against the matched row.
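
The following is an added example, not Sigildex's own code, of the load-time check described above and of the hash recipe's "bytes as fetched" rule: it compares installed bytes against a stored pin, shows that newline-normalized or trimmed bytes no longer match, and decides on a `/verify` result from the body rather than the HTTP status. The names `checkAgainstPin` and `acceptVerifyResponse`, the sample SKILL.md and the pin are constructed for illustration, and a matched lookup is assumed to carry `matched: true`.

```javascript
// Load node:crypto so the file runs as an ES module or as CommonJS
// (process.getBuiltinModule exists in Node 20.16+ / 22.3+).
const { createHash } = process.getBuiltinModule
  ? process.getBuiltinModule("node:crypto")
  : require("node:crypto");

const HASH_RE = /^sha256:[0-9a-f]{64}$/; // lowercase hex only, per the recipe

// Same recipe as the reference snippet: hash the bytes exactly as fetched.
function sigildexContentHash(bytes) {
  return "sha256:" + createHash("sha256").update(bytes).digest("hex");
}

// Local check: do the installed bytes still match the stored pin object?
function checkAgainstPin(bytes, pin) {
  if (!pin || typeof pin.content_hash !== "string" || !HASH_RE.test(pin.content_hash)) {
    return { ok: false, reason: "malformed-pin" };
  }
  const actual = sigildexContentHash(bytes);
  return actual === pin.content_hash
    ? { ok: true, reason: "match", actual }
    : { ok: false, reason: "hash-mismatch", actual };
}

// Remote check: /verify answers HTTP 200 even for removed or unknown content,
// so the decision comes from the body (assumption: a match has matched === true).
function acceptVerifyResponse(status, body) {
  return status === 200 && body !== null && typeof body === "object" && body.matched === true;
}

// Constructed sample: SKILL.md with frontmatter, CRLF newlines, trailing newline.
const rawBytes = Buffer.from("---\r\nname: demo-skill\r\n---\r\n# Demo\r\n", "utf8");
// Constructed pin; only content_hash is filled in, the other pin fields are omitted.
const pin = { content_hash: sigildexContentHash(rawBytes) };

// What a text-mode read plus "cleanup" produces: same text, different bytes.
const normalized = Buffer.from(rawBytes.toString("utf8").replace(/\r\n/g, "\n"), "utf8");
const trimmed = Buffer.from(rawBytes.toString("utf8").trim(), "utf8");

function demo() {
  return {
    raw: checkAgainstPin(rawBytes, pin).reason,
    normalized: checkAgainstPin(normalized, pin).reason,
    trimmed: checkAgainstPin(trimmed, pin).reason,
    upperPin: checkAgainstPin(rawBytes, { content_hash: pin.content_hash.toUpperCase() }).reason,
    removed: acceptVerifyResponse(200, { matched: false, verification: "unknown" }),
  };
}
console.log(demo());
```

The pin's `verdict` is not evaluated here; which verdicts to accept is a policy decision for the caller.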
