Monorepo Support

Audit individual skills inside a monorepo using /tree/ URL paths.

Overview

Many projects keep multiple MCP servers or tool plugins in a single repository. Oathe supports auditing individual subdirectories within a monorepo by using GitHub’s /tree/ URL format. Each subdirectory is treated as a standalone skill with its own audit ID and report.

Submitting a Subdirectory

To audit a specific skill inside a monorepo, submit a URL that includes the /tree/{branch}/{path} suffix:

curl -X POST https://audit-engine.oathe.ai/api/submit \
  -H "Content-Type: application/json" \
  -d '{"skill_url": "https://github.com/user/monorepo/tree/main/skills/my-skill"}'

The URL format follows GitHub’s convention:

https://github.com/{owner}/{repo}/tree/{branch}/{path/to/skill}
  • {branch} is the branch or tag name (e.g., main, v1.2.0).
  • {path/to/skill} is the relative path from the repository root to the skill directory.

How It Works

When Oathe receives a /tree/ URL, it:

  1. Clones the full repository at the specified branch or tag.
  2. Scopes the audit to the subdirectory indicated by the path.
  3. Analyzes only the files within that subdirectory and its children.
  4. Generates a report and trust score specific to that subdirectory.

The rest of the repository is not included in the analysis. This means two skills in the same monorepo can have entirely different trust scores and recommendations.

Audit Identity

Each subdirectory submission produces its own audit_id. The skill is identified by the combination of owner, repo, and path:

{
  "audit_id": "abc123",
  "owner": "user",
  "repo": "monorepo",
  "path": "skills/my-skill",
  "status": "queued"
}

Slug-based lookup endpoints also respect the path. For example, to retrieve the latest audit for a specific subdirectory:

GET https://audit-engine.oathe.ai/api/skill/user/monorepo/tree/main/skills/my-skill/summary

Limitations

  • The path must point to a directory, not an individual file.
  • Oathe does not automatically discover skills within a monorepo. You must submit each subdirectory explicitly.
  • Branch names containing slashes (e.g., feature/foo) are supported but must be URL-encoded in the submission.

Webhook Integration

When using GitHub webhooks with a monorepo, Oathe inspects the list of changed files in the push payload and triggers audits only for subdirectories that were modified. See the webhooks guide for setup details.