Skip to content

YugantM/hvtracker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

478 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HVTracker

AI Trust Registry for Open-Source Agents

hvtracker.net ranks open-source AI agents by evidence-weighted trust signals, not GitHub hype.

HVTracker is an ever-growing leaderboard that tracks open-source AI agents across multiple categories and publishes public, machine-readable trust data for each project: activity, adoption, transparency, supply-chain safety, identity, provenance, evidence grade, and rank movement.

The core question is simple:

Which open-source AI agent projects look active, adopted, transparent, and verifiable right now?


Version 4

The production HVTrust score is runtime-trust calibrated: the supply-chain base score plus a bounded adjustment for MCP support, external service dependencies, tool/plugin surface, and package-provenance drift (methodology v4.0). A soft ceiling and evidence-first tie-break keep strong agents from piling onto an identical 100 (v4.1), and a v4.2 correction re-derives the score from the base on every build so the bounded adjustment can't compound. Every agent also carries a separate Evidence Coverage grade (A–D) showing how many independent signal types back its score. See the methodology changelog and runtime-trust spec.

Accounts and sign-in (GitHub / Google OAuth), watchlist, the side-by-side compare tray, and crawlable static comparison pages at /compare/<a>-vs-<b>/ shipped in v3.1 and remain live.


What You Can Do

Repository Docs


Current Snapshot

  • 300+ active open-source AI agent projects (see live count)
  • Curated categories spanning coding agents, frameworks, infra, security, and more
  • ~30-min signal refresh cadence (tunable via SIGNALS_REFRESH_MIN)
  • ~24h expected full data sweep across sources
  • 90-day per-agent history where available
  • JSON feed of agents and articles at /feed.json
  • Railway-hosted site with a small FastAPI edge and generated public pages/data

Newly submitted agents are listed quickly using a pending-only refresh path, then normal cron jobs keep signals fresh.


Why HVTracker Exists

Most AI agent directories are either manual lists or popularity rankings. Stars can tell you what is visible. They do not tell you whether a project has maintainers, a license, package provenance, signed commits, OSSF Scorecard data, or recent activity.

HVTracker combines curation with independently checkable public evidence. The default rank is HVTrust, a 0-100 score designed to reward verifiable trust signals and penalize thin evidence.

base = gate(
  confidence x [ Safety(25) + Identity(18) + Transparency(17)
                 + Maintenance(20) + Adoption(20) ]
  - penalties
)

HVTrust = clamp(
  base
  + RuntimeBonuses x min(1, (100 - base) / 20)   # soft ceiling
  - RuntimePenalties,                            # absolute
  0..100
)
Dimension Max What it measures
Safety / Integrity 25 OSSF Scorecard, package provenance, signed commits
Identity / Provenance 18 Verified listing status and build provenance
Transparency 17 License and OSSF transparency checks
Maintenance 20 Freshness and recent commit activity
Adoption 20 Log-scaled, capped stars and package downloads

The base score is then runtime-trust calibrated (v4.0+): a bounded adjustment for MCP support, external service dependencies, tool/plugin surface, and package-provenance drift, re-derived from the base on every build. Confidence is based on present vs applicable signal types. Thin evidence limits how high an agent can rank, even if it is popular.

Read the full methodology: hvtracker.net/methodology


Two grades: Evidence Grade and Evidence Coverage

Each agent carries two independent A–D grades so the score and the depth of evidence behind it are never conflated.

Evidence Grade is the trust-score band — how trustworthy the evidence says the project is:

Grade Trust score
A ≥ 80
B ≥ 65
C ≥ 50
D < 50

Evidence Coverage is separate — how many independent public signal types back that score (GitHub, package downloads, supply-chain, behavioural, discussion; five possible):

Coverage Meaning
A Broad independent signal coverage (≥ 4 of 5 types)
B Strong public evidence with some gaps (3)
C Basic public evidence (2)
D Mostly GitHub-only or thin evidence (1)

A high score built on thin evidence keeps a low coverage grade, so breadth stays visible. Both are on every agent page and in the public API (evidence_grade, coverage_grade, signal_types).

HVTracker is not a security certification. Missing provenance, Scorecard, or signature data can mean a signal is unavailable, not that a project is unsafe.


Categories

Agents are curated across coding agents, agent frameworks, workflow platforms, browser & computer use, memory & knowledge, research & data, observability & evaluation, security & guardrails, protocols & tool integration, and more. Live per-category counts (they move as the registry grows) are on the site: hvtracker.net/categories.


Public Data API

The public dataset is licensed under CC BY 4.0. CORS is open for public endpoints.

Endpoint Description
/data/latest.json Current public trust registry snapshot
/data/agents/{slug}.json Per-agent record with history, events, and trust credential
/data/build_report.json Build integrity report
/data/signals/scorecard.json OSSF Scorecard signal cache
/data/signals/provenance.json Package provenance signal cache
/feed.json JSON Feed with agents and comparison guides
/api/v1/mcp/verify?server=<id> Pre-connect, signed trust verdict for an agent or MCP server. Curated agents return a full verdict; an unlisted AI repo with ≥1,000 stars gets a free provisional verdict; others route to /submit.
/api/v1/verify/recent Public feed of the last 100 checked projects (checks are public by default).
/llms.txt LLM-readable project summary and key links

Trust Badges

Listed projects can embed live HVTrust and evidence-grade badges.

[![HVTrust](https://hvtracker.net/badge/<slug>.svg)](https://hvtracker.net/agents/<slug>/)
[![Evidence Grade](https://hvtracker.net/badge/<slug>-grade.svg)](https://hvtracker.net/agents/<slug>/)

Example:

[![HVTrust](https://hvtracker.net/badge/dify.svg)](https://hvtracker.net/agents/dify/)
[![Evidence Grade](https://hvtracker.net/badge/dify-grade.svg)](https://hvtracker.net/agents/dify/)

The exact snippet is shown on every agent profile page.


Open-Core Boundary

HVTracker uses an open-core model.

  • Public: methodology, specs, curated registry entries, current trust scores, public profiles, correction flow, and the public data API.
  • Private later: hosted alerts, watchlists, extended history, team workflows, and higher-volume API access.

The code in this repository remains under the repo's existing MIT license. Public registry data remains licensed under CC BY 4.0. The brand, hosted service, private enrichment, and future enterprise workflows are not implicitly included in that public-data license.

Read docs/open-core.md before widening the public API or changing what gets stored internally.


SEO And Comparison Pages

HVTracker publishes crawlable, data-backed comparison pages:

  • Category pages: /categories/<category>/
  • Agent comparison pages: /compare/<agent-a>-vs-<agent-b>/
  • Blog comparison guides: /blog/<category>-top-agents/

These pages are generated from the current registry data, included in sitemap.xml, and linked from feed.json and llms.txt.


How It Works

agents.json ──┐
               ├──> fetch_and_build.py ──> index.html
history/    ───┤                           agents/<slug>/index.html
scorecard-  ───┘                           data/latest.json
cache.json                                 data/agents/<slug>.json
  1. fetch_and_build.py reads curated agents from agents.json.
  2. Public APIs are fetched in parallel where safe and serially where rate limits require it.
  3. HVTrust scores, evidence grades, rank deltas, trust breakdowns, and events are computed.
  4. Static pages, JSON endpoints, badges, specs, feed files, sitemap, and build reports are generated.
  5. Railway serves the generated site from a persistent volume and refreshes it on a 2-hour cadence.

Build Modes

python fetch_and_build.py              # full refresh
python fetch_and_build.py --batch 1/6  # one staggered batch
python fetch_and_build.py --pending-only
python fetch_and_build.py --render-only
  • --pending-only refreshes newly listed agents without running a full batch.
  • --render-only rebuilds pages from cached render state without API calls.

Manual Production Deploy

If you want to deploy production yourself without waiting on an automated GitHub-triggered Railway build:

./scripts/deploy_production.sh --source

Use --source after your change is already pushed or merged to main.

If you need an emergency deploy from your current local workspace instead:

./scripts/deploy_production.sh --local

Both modes target the current Railway production web service and wait for the deployment to finish. Add --skip-checks if you intentionally want to skip the local verification step.


Running Locally

git clone https://github.com/YugantM/hvtracker.git
cd hvtracker
pip install -r requirements.txt

export GITHUB_TOKEN=$(gh auth token)  # or a personal access token
python fetch_and_build.py --render-only

python3 -m http.server 4173

Open http://127.0.0.1:4173.

Local Docker Workflow

Use Docker when you want discovery, dry-run additions, renders, and the app to run in the same local container environment.

docker compose up --build web

This serves the app at http://127.0.0.1:8080.

For registry work, run the tooling service against your checked-out repo so changes to agents.json or candidates.json persist locally:

export GITHUB_TOKEN=...  # required for GitHub discovery/API-backed refreshes

docker compose run --rm tooling python discover_agents.py
docker compose run --rm tooling python auto_add_agents.py --dry-run
docker compose run --rm tooling python fetch_and_build.py --render-only
docker compose run --rm tooling python -m pytest tests/test_discovery.py tests/test_data_integrity.py

For manual candidate review, edit docs/import-candidates.json with either owner/name, full GitHub URLs, or object entries, then query:

curl -s http://127.0.0.1:8080/api/import-candidates | python -m json.tool
curl -s "http://127.0.0.1:8080/api/import-candidates?status=new&tracked=false" | python -m json.tool

Notes:

  • tooling bind-mounts the repo into /workspace, so file changes are written back to your local checkout.
  • auto_add_agents.py writes to agents.json only without --dry-run.
  • fetch_and_build.py --render-only stays local and avoids external API calls.

Production runs on Railway with:

  • FastAPI for health, API, forms, and dynamic badge routes
  • Generated site output stored on a persistent volume
  • A 2-hour scheduler that refreshes one leaderboard batch per run

Submit Or Correct An Agent

Use the agent listing issue template.

A listed project should be:

  • A public, non-archived GitHub repository with an open-source license
  • An AI agent or an agent framework whose primary purpose is agent construction
  • Clearly agent-specific in its own codebase, not a general AI SDK, model repo, cookbook, or generic app framework
  • Active within the last 12 months
  • Not already listed

Include the canonical repository, preferred display name, category suggestion, package names, and any correction details.

For the strict plain-language boundary, see docs/strict-inclusion-rubric.md.


Specifications


Repository Layout

hvtracker/
├── fetch_and_build.py        # Core build, scoring, and rendering
├── template.html             # Main registry template
├── templates/                # Agent, category, blog, compare, and spec templates
├── agents.json               # Curated agent registry
├── specs.py                  # Specification content
├── scan_scorecards.py        # Weekly OSSF Scorecard scan
├── discover_agents.py        # Weekly discovery scan
├── docs/                     # Launch, research, and operating docs
├── data/                     # Generated public data endpoints
├── agents/                   # Generated per-agent pages
├── badge/                    # Generated SVG badges
└── blog/                     # Generated and static articles

License

The public data is licensed under CC BY 4.0. Review docs/open-core.md before changing the public/private data boundary for a future company-backed edition.

About

AI Agent Trust Registry — independent, evidence-based trust scores for 300+ open-source AI agents. Runtime-trust calibrated (MCP, dependencies, provenance drift), with side-by-side comparison and embeddable live badges. Ranked by verifiable signals, not hype.

Topics

Resources

License

Stars

5 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors