skill-audit

# Skill Audit — On-Chain Provenance Registry

## Commands

### /check-skill <name>
Look up on-chain provenance for a skill before installing.
1. Read all three tables (registry, audits, vouches) for the given skill ID
2. Compute trust level from audit verdicts
3. Display: trust badge, author, hash, version, audit history, vouch count

### /audit-skill <name> <severity>
Submit an audit verdict (requires IQ tokens in wallet).
Severities: S (secure), L (low), M (medium), H (high), C (critical)
Optionally run ZeroLeaks first and inscribe full report via codeIn.

### /vouch-skill <name> [score]
Community endorsement. Score 1-5 (default 5).

### /register-skill <path>
Register a local skill with on-chain hash.
1. Read skill.md at given path
2. Normalize and SHA-256 hash the content
3. Write registration row with short hash (first 8 hex chars)

## Trust Badges
- MALICIOUS: BLOCK installation, warn user
- FLAGGED: Strong warning
- CAUTIONED: Mild warning
- VERIFIED: Green checkmark
- AUDITED: Has audits but not yet verified secure
- REGISTERED: In registry, no audits yet
- UNKNOWN: Not in registry — warn "no on-chain provenance"
- Hash mismatch: Warn "content differs from registered version"

## Implementation

Package: [`@rocketlabs/skill-audit`](https://www.npmjs.com/package/@rocketlabs/skill-audit)

```javascript
const { checkSkill, registerSkill, auditSkill, vouchForSkill, hashSkill } = require('@rocketlabs/skill-audit');
```

### checkSkill({ connection, skillId, rpcUrl })
Returns: `{ trustLevel, skill, audits, vouches, summary }`
Free (RPC read only, no SOL needed).

### registerSkill({ connection, signer, skillId, author, shortHash, version, codeInTx, rpcUrl })
Writes to `skill_registry` table. Public — anyone can register.

### auditSkill({ connection, signer, skillId, auditor, severity, categories, codeInTx, rpcUrl })
Writes to `skill_audits` table. IQ-token-gated — signer must hold IQ tokens.
Severity: S/L/M/H/C. Categories: dir,enc,per,soc,tec,cre,mny,cot,pol,asc...