Methodology Versioning
How Oathe tracks scoring methodology changes and marks outdated audits as stale.
What Methodology Version Tracks
Every audit produced by Oathe is tagged with a methodology_version string that captures the exact scoring logic used to generate the result. This includes:
- Dimension weights — how much each scoring dimension contributes to the overall trust score.
- Thresholds — the cutoff values that map trust scores to verdicts (SAFE, CAUTION, DANGEROUS, MALICIOUS).
- Detection patterns — the rule sets and heuristics used to identify risky behaviors in skill code.
When any of these components change, the methodology version is incremented.
Current Version
The current methodology version is 1.0.0. This version is returned in every audit report under the methodology_version field:
```json
{
  "audit_id": "abc123",
  "methodology_version": "1.0.0",
  "trust_score": 85,
  "recommendation": "INSTALL",
  "verdict": "SAFE"
}
```
Stale Audits
When the methodology is updated, all existing audits produced under older versions are marked as stale. A stale audit is still accessible by its audit_id, but it is excluded from slug-based lookups:
- GET /api/skill/{owner}/{repo}/latest — returns only the most recent non-stale audit.
- GET /api/skill/{owner}/{repo}/summary — returns only non-stale results.
This ensures that consumers always receive results generated by the current scoring logic.
The stale Field
Search and listing endpoints include a stale field on each result:
| Value | Meaning |
|---|---|
| 0 | Current — produced with the active methodology version. |
| 1 | Outdated — produced with a previous methodology version. |
Filter on stale: 0 if you want only current results. Stale audits are retained for historical reference and reproducibility.
What Triggers a Version Bump
The methodology version is incremented when:
- A scoring dimension is added, removed, or reweighted.
- The trust score formula changes.
- Recommendation thresholds are adjusted.
- A significant change to detection patterns alters scoring outcomes across a meaningful number of skills.
Minor pattern updates that do not change overall scoring behavior do not trigger a version bump.
Re-auditing After a Version Bump
Stale audits are not automatically re-run. To get a fresh result under the new methodology, resubmit the skill via POST /api/submit. The new audit will replace the stale one in slug-based lookups.
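A consumer that acts on verdicts can enforce the stale rule on its own side and fail closed when the field is missing or the methodology version is not the one its policy was written for. The sketch below is an added example, not Oathe's own code; the `slug` key, the shape of the result list, the version strings other than 1.0.0, and the function names are assumptions, and the sample data is constructed.

```python
# Added example: fail-closed gate over audit results (not Oathe's own code).
PINNED_METHODOLOGY = "1.0.0"  # current version stated on this page

# Constructed sample of listing results; "slug" and the list shape are assumptions.
SAMPLE_RESULTS = [
    {"slug": "acme/translator", "audit_id": "a1", "methodology_version": "1.0.0",
     "trust_score": 85, "verdict": "SAFE", "stale": 0},
    {"slug": "acme/scraper", "audit_id": "a2", "methodology_version": "0.9.0",
     "trust_score": 91, "verdict": "SAFE", "stale": 1},
    # Hypothetical newer version: the service moved on, the local pin did not.
    {"slug": "acme/mailer", "audit_id": "a3", "methodology_version": "1.1.0",
     "trust_score": 88, "verdict": "SAFE", "stale": 0},
    # Constructed malformed record: no stale field at all.
    {"slug": "acme/notes", "audit_id": "a4", "methodology_version": "1.0.0",
     "trust_score": 40, "verdict": "DANGEROUS"},
]


def classify(result, pinned=PINNED_METHODOLOGY):
    """Return (usable, reason). Anything ambiguous is treated as not usable."""
    stale = result.get("stale")
    if stale is None:
        return False, "stale field missing"
    if stale != 0:
        return False, "marked stale"
    if result.get("methodology_version") != pinned:
        return False, "methodology_version differs from pinned version"
    return True, "current"


def partition(results, pinned=PINNED_METHODOLOGY):
    """Split results into usable audits and a {slug: reason} map of rejects."""
    current, rejected = [], {}
    for r in results:
        ok, reason = classify(r, pinned)
        if ok:
            current.append(r)
        else:
            rejected[r["slug"]] = reason
    return current, rejected


if __name__ == "__main__":
    current, rejected = partition(SAMPLE_RESULTS)
    for r in current:
        print("use", r["slug"], r["verdict"], r["trust_score"])
    for slug, reason in rejected.items():
        print("reject", slug, "-", reason)
```

Slugs rejected as "marked stale" are the ones to resubmit via POST /api/submit; a version mismatch on a non-stale result means the local pin, and any policy built on the old thresholds, needs review first.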