Trust signals for open-source AI agents

Methodology

v2.0 · Last updated 2026-05-26

What HVTracker Measures

HVTracker measures open-source AI agent projects using public, independently checkable signals. The goal is to show project health, maintenance momentum, community adoption, and basic supply-chain trust without relying on vendor claims or self-reported submissions.

The leaderboard currently tracks GitHub activity, package downloads, Hacker News discussion, category ranking, rank movement, and trust/provenance signals where they are available in public APIs.

Health Score And Trust Score

The health score is a 0-100 composite. It is intentionally simple and based only on four GitHub-derived components:

Score = stars(30) + freshness(25) + activity(25) + community(20)
  • Stars · 30% — Stars are a rough adoption signal. HVTracker log-scales stars so very large repositories do not dominate the leaderboard linearly.
  • Freshness · 25% — Freshness rewards projects that have pushed recently. The score decays over roughly six months without a push.
  • Activity · 25% — Activity uses commits from the last four weeks. It rewards active development, but also log-scales the value so unusually busy repos do not overwhelm the rest of the score.
  • Community · 20% — Forks are used as a proxy for downstream reuse and developer interest. Like stars, forks are log-scaled.
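The composite described above, as an added illustration that is not HVTracker's own code: the weights come from the formula, while the log-scaling caps and the linear six-month decay are assumptions chosen to show the behaviour the page describes.

```python
import math
from datetime import datetime

# The page gives the weights and the qualitative behaviour (log-scaled stars, forks and
# commits; freshness decaying over roughly six months). The saturation caps below are
# assumptions chosen for illustration, not HVTracker's actual constants.
STAR_CAP = 50_000      # stars at which the log-scaled stars component saturates
FORK_CAP = 10_000      # forks at which the community component saturates
COMMIT_CAP = 200       # commits in the last four weeks at which activity saturates
FRESHNESS_DAYS = 182   # roughly six months without a push drives freshness to zero

def log_scaled(count: int, cap: int) -> float:
    """Map a raw count to [0, 1] on a log scale so huge repositories do not dominate linearly."""
    if count <= 0:
        return 0.0
    return min(1.0, math.log1p(count) / math.log1p(cap))

def freshness(days_since_push: float) -> float:
    """Linear decay from 1.0 for a push today to 0.0 after FRESHNESS_DAYS without a push."""
    return max(0.0, 1.0 - days_since_push / FRESHNESS_DAYS)

def days_since(pushed_at: str, now_iso: str) -> float:
    """Days between GitHub's ISO-8601 pushed_at value (e.g. 2026-05-20T12:00:00Z) and now."""
    pushed = datetime.fromisoformat(pushed_at.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return (now - pushed).total_seconds() / 86400

def health_score(stars: int, forks: int, commits_4w: int, days_since_push: float) -> int:
    """0-100 composite: stars(30) + freshness(25) + activity(25) + community(20)."""
    score = (30 * log_scaled(stars, STAR_CAP)
             + 25 * freshness(days_since_push)
             + 25 * log_scaled(commits_4w, COMMIT_CAP)
             + 20 * log_scaled(forks, FORK_CAP))
    return round(score)

if __name__ == "__main__":
    age = days_since("2026-04-26T00:00:00Z", "2026-05-26T00:00:00Z")  # 30 days
    print(health_score(1000, 100, 20, age))      # 64
    # Log scaling: ten times the stars adds only a few points, not a tenfold jump.
    print(health_score(10_000, 100, 20, age))    # 71
```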

HVTrust is a separate trust-oriented score that combines activity, adoption, transparency, safety, and identity signals. Downloads, Hacker News mentions, and supply-chain signals are displayed for context and auditability.

Displayed Signals

GitHub repository data
Stars, forks, last push date, recent commits, language, description, and open issue count come from the GitHub REST API.
GitHub's commit activity endpoint can return stale or delayed results. When possible, HVTracker falls back to recent commit counts and flags low-confidence commit cells with a question mark.
Package downloads
Weekly downloads are fetched from npm and PyPI for projects that have package names configured in agents.json. If a project has both package ecosystems configured, the values are summed and labeled by source.
Downloads are install events, not unique users. They can include CI, mirrors, bots, and automated environments.
Hacker News mentions
HN mentions count matching stories from the last 30 days using the Algolia Hacker News API and curated search terms.
Generic project names can create false positives or false negatives, so not every project has an HN query configured.
Rank movement
Rank deltas compare the current run with the most recent prior daily snapshot in output/history. Historical snapshots also power the biggest-movers strip and per-agent rank sparklines.

Trust And Provenance Signals

HVTracker surfaces supply-chain signals separately from the health score. These indicators help readers judge release hygiene and verifiability, but they do not currently affect rank.

npm provenance
For npm packages, HVTracker checks whether the latest published version exposes provenance attestations in the npm registry's dist.attestations field.
PyPI provenance
For PyPI packages, HVTracker checks whether latest-release files expose PEP 740 provenance metadata through PyPI's Simple API JSON response.
OSSF Scorecard
Where available through deps.dev, HVTracker displays the OpenSSF Scorecard overall score and individual checks. Scorecard coverage is not guaranteed for every repository.
Signed commit ratio
HVTracker samples recent commits and reports the percentage that GitHub marks as verified through GPG, SSH, S/MIME, or GitHub's own signing flow.
A verified signature confirms that GitHub considers the commit signed; it does not prove code quality, maintainer intent, or release safety.
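The three provenance checks above, as an added example rather than HVTracker's own code: it reads the npm packument's dist.attestations, the PEP 740 per-file provenance key in the PyPI Simple API JSON, and GitHub's commit verification object. All responses are constructed samples shaped like those APIs, and matching PyPI files to a release by filename is a simplification.

```python
# Constructed sample responses shaped like the public APIs the page describes;
# they are illustrative only, not captured from any real project.
NPM_PACKUMENT = {
    "dist-tags": {"latest": "1.2.3"},
    "versions": {
        "1.2.2": {"dist": {"tarball": "https://registry.example/a/-/a-1.2.2.tgz"}},
        "1.2.3": {"dist": {  # npm exposes attestations as dist.attestations
            "tarball": "https://registry.example/a/-/a-1.2.3.tgz",
            "attestations": {"url": "https://registry.example/-/npm/v1/attestations/a@1.2.3",
                             "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}},
        }},
    },
}
PYPI_SIMPLE = {  # PEP 691 JSON; PEP 740 adds a per-file "provenance" URL (or null)
    "name": "agentkit",
    "files": [
        {"filename": "agentkit-1.9.0-py3-none-any.whl"},
        {"filename": "agentkit-2.0.0-py3-none-any.whl",
         "provenance": "https://pypi.example/integrity/agentkit/2.0.0/agentkit-2.0.0-py3-none-any.whl/provenance"},
        {"filename": "agentkit-2.0.0.tar.gz", "provenance": None},
    ],
}
GITHUB_COMMITS = [  # GET /repos/{owner}/{repo}/commits, trimmed to the verification object
    {"sha": "a" * 40, "commit": {"verification": {"verified": True, "reason": "valid"}}},
    {"sha": "b" * 40, "commit": {"verification": {"verified": False, "reason": "unsigned"}}},
    {"sha": "c" * 40, "commit": {"verification": {"verified": True, "reason": "valid"}}},
]

def npm_has_provenance(packument: dict) -> bool:
    """True when the latest dist-tag version carries dist.attestations with a provenance entry."""
    latest = packument.get("dist-tags", {}).get("latest")
    dist = packument.get("versions", {}).get(latest, {}).get("dist", {})
    attestations = dist.get("attestations") or {}
    return bool(attestations.get("url")) and "provenance" in attestations

def pypi_provenance_ratio(simple: dict, version: str) -> float:
    """Share of `version`'s files exposing a PEP 740 provenance URL (filename match is a simplification)."""
    files = [f for f in simple.get("files", []) if f"-{version}" in f["filename"]]
    if not files:
        return 0.0  # signal unavailable; the page stresses this is not the same as unsafe
    return sum(1 for f in files if f.get("provenance")) / len(files)

def signed_commit_ratio(commits: list) -> float:
    """Percent of sampled commits GitHub marks verified; says nothing about the code itself."""
    if not commits:
        return 0.0
    verified = sum(1 for c in commits if c["commit"]["verification"]["verified"])
    return round(100 * verified / len(commits), 1)
```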

How Often Data Updates

The GitHub Actions workflow refreshes six staggered batches every 4 hours. A full refresh cycle completes in 24 hours. Each successful run regenerates the leaderboard, agent pages, public JSON endpoints, feed.json, sitemap.xml, and a dated history snapshot.

Known Limitations

  • Stars are imperfect. Stars can reflect popularity, hype, age, or marketing, not necessarily production quality.
  • Commit counts are noisy. A high commit count can mean active development, churn, imports, generated files, or repository maintenance work.
  • Downloads are not users. Package download numbers can include automation and duplicate installs.
  • HN mentions are approximate. Curated search terms reduce noise but cannot perfectly capture discussion.
  • Trust signals are partial. Missing provenance or Scorecard data can mean the signal is unavailable, not necessarily that a project is unsafe.
  • No qualitative review yet. HVTracker does not currently score documentation quality, API stability, model/provider compatibility, benchmark performance, or real-world adoption.
  • No formal SLSA level. HVTracker displays observable provenance and Scorecard signals but does not claim an authoritative SLSA build level.

Corrections And Project Submissions

To suggest a correction, submit a missing package name, propose a category change, or request a new project, open a GitHub issue or pull request. Include the project repository, the preferred display name, the category you believe fits best, and any npm or PyPI package names that should be tracked.

New projects should be open-source AI agent projects or closely related infrastructure. Categories are curated manually to keep the leaderboard useful and comparable.

Versioning

Methodology changes are versioned explicitly. Every revision is recorded in the changelog below. Raw data snapshots are preserved on each build so past leaderboard states remain auditable — see the historical snapshots in the repository.

Changelog

  • v2.0 (current) — Added supply-chain trust signals: npm provenance, PyPI attestations (PEP 740), OSSF Scorecard (via deps.dev), signed commit ratio. These are displayed independently, not folded into the composite score.
  • v1.1 — Added npm, PyPI, and Hacker News data sources. Daily historical snapshots now archived.
  • v1.0 (May 2026) — Initial methodology. GitHub-only signals: stars, freshness, activity, community (forks).