AI Trust Registry for Open-Source Agents
hvtracker.net ranks open-source AI agents by evidence-weighted trust signals, not GitHub hype.
HVTracker is an ever-growing leaderboard that tracks open-source AI agents across multiple categories and publishes public, machine-readable trust data for each project: activity, adoption, transparency, supply-chain safety, identity, provenance, evidence grade, and rank movement.
The core question is simple:
Which open-source AI agent projects look active, adopted, transparent, and verifiable right now?
The production HVTrust score is runtime-trust calibrated: the supply-chain base score plus a bounded adjustment for MCP support, external service dependencies, tool/plugin surface, and package-provenance drift (methodology v4.0). A soft ceiling and evidence-first tie-break keep strong agents from piling onto an identical 100 (v4.1), and a v4.2 correction re-derives the score from the base on every build so the bounded adjustment can't compound. Every agent also carries a separate Evidence Coverage grade (A–D) showing how many independent signal types back its score. See the methodology changelog and runtime-trust spec.
Accounts and sign-in (GitHub / Google OAuth), watchlist, the side-by-side compare tray, and crawlable static comparison pages at /compare/<a>-vs-<b>/ shipped in v3.1 and remain live.
- Browse the live trust registry: hvtracker.net
- Compare agents side by side: hvtracker.net/compare
- Read category comparison guides: hvtracker.net/blog
- Use the public API: hvtracker.net/data/latest.json
- Embed live trust badges in project READMEs
- docs/README.md - repo docs index
- docs/open-core.md - public/private product boundary
- docs/AI_HANDOVER.md - implementation handover for coding agents
- docs/launch-v1.md - launch and distribution notes
- 300+ active open-source AI agent projects (see live count)
- Curated categories spanning coding agents, frameworks, infra, security, and more
- ~30-min signal refresh cadence (tunable via
SIGNALS_REFRESH_MIN) - ~24h expected full data sweep across sources
- 90-day per-agent history where available
- JSON feed of agents and articles at
/feed.json - Railway-hosted site with a small FastAPI edge and generated public pages/data
Newly submitted agents are listed quickly using a pending-only refresh path, then normal cron jobs keep signals fresh.
Most AI agent directories are either manual lists or popularity rankings. Stars can tell you what is visible. They do not tell you whether a project has maintainers, a license, package provenance, signed commits, OSSF Scorecard data, or recent activity.
HVTracker combines curation with independently checkable public evidence. The default rank is HVTrust, a 0-100 score designed to reward verifiable trust signals and penalize thin evidence.
base = gate(
confidence x [ Safety(25) + Identity(18) + Transparency(17)
+ Maintenance(20) + Adoption(20) ]
- penalties
)
HVTrust = clamp(
base
+ RuntimeBonuses x min(1, (100 - base) / 20) # soft ceiling
- RuntimePenalties, # absolute
0..100
)
| Dimension | Max | What it measures |
|---|---|---|
| Safety / Integrity | 25 | OSSF Scorecard, package provenance, signed commits |
| Identity / Provenance | 18 | Verified listing status and build provenance |
| Transparency | 17 | License and OSSF transparency checks |
| Maintenance | 20 | Freshness and recent commit activity |
| Adoption | 20 | Log-scaled, capped stars and package downloads |
The base score is then runtime-trust calibrated (v4.0+): a bounded adjustment for MCP support, external service dependencies, tool/plugin surface, and package-provenance drift, re-derived from the base on every build. Confidence is based on present vs applicable signal types. Thin evidence limits how high an agent can rank, even if it is popular.
Read the full methodology: hvtracker.net/methodology
Each agent carries two independent A–D grades so the score and the depth of evidence behind it are never conflated.
Evidence Grade is the trust-score band — how trustworthy the evidence says the project is:
| Grade | Trust score |
|---|---|
| A | ≥ 80 |
| B | ≥ 65 |
| C | ≥ 50 |
| D | < 50 |
Evidence Coverage is separate — how many independent public signal types back that score (GitHub, package downloads, supply-chain, behavioural, discussion; five possible):
| Coverage | Meaning |
|---|---|
| A | Broad independent signal coverage (≥ 4 of 5 types) |
| B | Strong public evidence with some gaps (3) |
| C | Basic public evidence (2) |
| D | Mostly GitHub-only or thin evidence (1) |
A high score built on thin evidence keeps a low coverage grade, so breadth stays visible. Both are on every agent page and in the public API (evidence_grade, coverage_grade, signal_types).
HVTracker is not a security certification. Missing provenance, Scorecard, or signature data can mean a signal is unavailable, not that a project is unsafe.
Agents are curated across coding agents, agent frameworks, workflow platforms, browser & computer use, memory & knowledge, research & data, observability & evaluation, security & guardrails, protocols & tool integration, and more. Live per-category counts (they move as the registry grows) are on the site: hvtracker.net/categories.
The public dataset is licensed under CC BY 4.0. CORS is open for public endpoints.
| Endpoint | Description |
|---|---|
/data/latest.json |
Current public trust registry snapshot |
/data/agents/{slug}.json |
Per-agent record with history, events, and trust credential |
/data/build_report.json |
Build integrity report |
/data/signals/scorecard.json |
OSSF Scorecard signal cache |
/data/signals/provenance.json |
Package provenance signal cache |
/feed.json |
JSON Feed with agents and comparison guides |
/api/v1/mcp/verify?server=<id> |
Pre-connect, signed trust verdict for an agent or MCP server. Curated agents return a full verdict; an unlisted AI repo with ≥1,000 stars gets a free provisional verdict; others route to /submit. |
/api/v1/verify/recent |
Public feed of the last 100 checked projects (checks are public by default). |
/llms.txt |
LLM-readable project summary and key links |
Listed projects can embed live HVTrust and evidence-grade badges.
[](https://hvtracker.net/agents/<slug>/)
[](https://hvtracker.net/agents/<slug>/)Example:
[](https://hvtracker.net/agents/dify/)
[](https://hvtracker.net/agents/dify/)The exact snippet is shown on every agent profile page.
HVTracker uses an open-core model.
- Public: methodology, specs, curated registry entries, current trust scores, public profiles, correction flow, and the public data API.
- Private later: hosted alerts, watchlists, extended history, team workflows, and higher-volume API access.
The code in this repository remains under the repo's existing MIT license. Public registry data remains licensed under CC BY 4.0. The brand, hosted service, private enrichment, and future enterprise workflows are not implicitly included in that public-data license.
Read docs/open-core.md before widening the public API or changing what gets stored internally.
HVTracker publishes crawlable, data-backed comparison pages:
- Category pages:
/categories/<category>/ - Agent comparison pages:
/compare/<agent-a>-vs-<agent-b>/ - Blog comparison guides:
/blog/<category>-top-agents/
These pages are generated from the current registry data, included in sitemap.xml, and linked from feed.json and llms.txt.
agents.json ──┐
├──> fetch_and_build.py ──> index.html
history/ ───┤ agents/<slug>/index.html
scorecard- ───┘ data/latest.json
cache.json data/agents/<slug>.json
fetch_and_build.pyreads curated agents fromagents.json.- Public APIs are fetched in parallel where safe and serially where rate limits require it.
- HVTrust scores, evidence grades, rank deltas, trust breakdowns, and events are computed.
- Static pages, JSON endpoints, badges, specs, feed files, sitemap, and build reports are generated.
- Railway serves the generated site from a persistent volume and refreshes it on a 2-hour cadence.
python fetch_and_build.py # full refresh
python fetch_and_build.py --batch 1/6 # one staggered batch
python fetch_and_build.py --pending-only
python fetch_and_build.py --render-only--pending-onlyrefreshes newly listed agents without running a full batch.--render-onlyrebuilds pages from cached render state without API calls.
If you want to deploy production yourself without waiting on an automated GitHub-triggered Railway build:
./scripts/deploy_production.sh --sourceUse --source after your change is already pushed or merged to main.
If you need an emergency deploy from your current local workspace instead:
./scripts/deploy_production.sh --localBoth modes target the current Railway production web service and wait for
the deployment to finish. Add --skip-checks if you intentionally want to
skip the local verification step.
git clone https://github.com/YugantM/hvtracker.git
cd hvtracker
pip install -r requirements.txt
export GITHUB_TOKEN=$(gh auth token) # or a personal access token
python fetch_and_build.py --render-only
python3 -m http.server 4173Open http://127.0.0.1:4173.
Use Docker when you want discovery, dry-run additions, renders, and the app to run in the same local container environment.
docker compose up --build webThis serves the app at http://127.0.0.1:8080.
For registry work, run the tooling service against your checked-out repo so
changes to agents.json or candidates.json persist locally:
export GITHUB_TOKEN=... # required for GitHub discovery/API-backed refreshes
docker compose run --rm tooling python discover_agents.py
docker compose run --rm tooling python auto_add_agents.py --dry-run
docker compose run --rm tooling python fetch_and_build.py --render-only
docker compose run --rm tooling python -m pytest tests/test_discovery.py tests/test_data_integrity.pyFor manual candidate review, edit docs/import-candidates.json with either
owner/name, full GitHub URLs, or object entries, then query:
curl -s http://127.0.0.1:8080/api/import-candidates | python -m json.tool
curl -s "http://127.0.0.1:8080/api/import-candidates?status=new&tracked=false" | python -m json.toolNotes:
toolingbind-mounts the repo into/workspace, so file changes are written back to your local checkout.auto_add_agents.pywrites toagents.jsononly without--dry-run.fetch_and_build.py --render-onlystays local and avoids external API calls.
Production runs on Railway with:
- FastAPI for health, API, forms, and dynamic badge routes
- Generated site output stored on a persistent volume
- A 2-hour scheduler that refreshes one leaderboard batch per run
Use the agent listing issue template.
A listed project should be:
- A public, non-archived GitHub repository with an open-source license
- An AI agent or an agent framework whose primary purpose is agent construction
- Clearly agent-specific in its own codebase, not a general AI SDK, model repo, cookbook, or generic app framework
- Active within the last 12 months
- Not already listed
Include the canonical repository, preferred display name, category suggestion, package names, and any correction details.
For the strict plain-language boundary, see docs/strict-inclusion-rubric.md.
- Trust Credential v0.1
- Methodology v2.0
- Eligibility v1.0
- Listing v0.1
- Data Schema v0.1
- Provenance v0.1
- Build Report v0.1
hvtracker/
├── fetch_and_build.py # Core build, scoring, and rendering
├── template.html # Main registry template
├── templates/ # Agent, category, blog, compare, and spec templates
├── agents.json # Curated agent registry
├── specs.py # Specification content
├── scan_scorecards.py # Weekly OSSF Scorecard scan
├── discover_agents.py # Weekly discovery scan
├── docs/ # Launch, research, and operating docs
├── data/ # Generated public data endpoints
├── agents/ # Generated per-agent pages
├── badge/ # Generated SVG badges
└── blog/ # Generated and static articles
The public data is licensed under CC BY 4.0. Review docs/open-core.md before changing the public/private data boundary for a future company-backed edition.