| Metric | Value |
|---|---|
| Org DCO sign-off (90d avg) | 74% |
| Conventional commits (90d avg) | 77% |
| Commits last 90d | 1391 |
| Releases last 90d | 293 |
Repo hygiene
| Signal | Coverage | Notes |
|---|---|---|
| Branch protection on main | 13 / 18 | Required reviews + status checks. False on a private alpha is acceptable; it should flip before GA. |
| CODEOWNERS present | 18 / 18 | Path-scoped reviewer routing; pairs with branch protection's required-reviewers rule. |
| SECURITY.md present | 18 / 18 | NIST SSDF RV.1.3 + CRA Annex I Part II §5. |
| NOTICE shipped | 18 / 18 | Apache-2.0 §4 attribution. |
| Median time tag → PyPI publish | 242 s | Provenance latency. Tight numbers (<60s) suggest direct CI-driven publish via Trusted Publisher. |
Per-package signals
| Package | DCO 90d | CC 90d | Verified 90d | Commits | Releases | Branch prot. | Time→PyPI |
|---|---|---|---|---|---|---|---|
| kaos-agents | 85% | 80% | 76% | 123 | 46 | | 161 s |
| kaos-citations | 85% | 80% | 80% | 40 | 8 | | 190 s |
| kaos-content | 91% | 85% | 56% | 85 | 20 | | 180 s |
| kaos-core | 81% | 78% | 49% | 73 | 19 | | 337 s |
| kaos-graph | 81% | 79% | 62% | 47 | 10 | | 604 s |
| kaos-llm-client | 82% | 72% | 67% | 51 | 15 | | 151 s |
| kaos-llm-core | 83% | 83% | 57% | 93 | 30 | | 176 s |
| kaos-mcp | 88% | 71% | 76% | 41 | 10 | | 434 s |
| kaos-ml-core | 55% | 75% | 42% | 64 | 9 | | 242 s |
| kaos-names | 93% | 85% | 67% | 27 | 4 | | 167 s |
| kaos-nlp-core | 92% | 83% | 58% | 52 | 16 | | 1023 s |
| kaos-nlp-transformers | 66% | 80% | 40% | 90 | 17 | | 697 s |
| kaos-office | 38% | 75% | 31% | 130 | 15 | | 283 s |
| kaos-pdf | 74% | 79% | 74% | 47 | 14 | | 349 s |
| kaos-source | 43% | 73% | 38% | 103 | 16 | | 536 s |
| kaos-tabular | 85% | 82% | 80% | 40 | 9 | | 240 s |
| kaos-ui | 91% | 86% | 46% | 103 | 15 | | 55 s |
| kaos-web | 27% | 47% | 20% | 182 | 20 | | 214 s |
What we deliberately do not show
- No composite governance score. Buyers see through scores; they incentivize gaming cheap signals. We surface every signal raw.
- No maintainer identity (country, employer, real name). Encourages discrimination and false-positives on pseudonymous-but-trusted maintainers.
- No GitHub stars / fork counts. event-stream, colors.js, and ua-parser-js were all high-star at the moment of compromise.
- Verified commit ratio is never a binary green pill. Without branch protection's required-signatures rule, a signed-commit ratio is decorative.
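The signals in the tables above (DCO sign-off ratio, Conventional Commits ratio, verified-commit ratio, and whether the verified ratio actually means anything given the branch-protection settings) can be reproduced from raw commit data. The script below is an added example, not the dashboard's own code; the commit messages, the `verified` flags and the `protection` dictionary are constructed sample data, and the key names `required_reviews`, `required_status_checks` and `required_signatures` are assumptions chosen for the example rather than any forge API's field names.

```python
import re
from dataclasses import dataclass

# Conventional Commits header line: "<type>[optional scope][!]: <description>".
# The spec fixes only the shape; the type vocabulary is a project choice, so any
# lowercase type word is accepted here.
CONVENTIONAL_RE = re.compile(r"^[a-z]+(\([^()\s]+\))?!?: \S")

# DCO trailer as written by `git commit -s`; searched anywhere in the body.
DCO_RE = re.compile(r"^Signed-off-by: .+ <[^<>@\s]+@[^<>\s]+>\s*$", re.MULTILINE)


@dataclass(frozen=True)
class Commit:
    message: str
    verified: bool  # forge reports a valid signature (e.g. GitHub's "Verified" badge)


def is_dco_signed(message: str) -> bool:
    """True if the commit carries a well-formed Signed-off-by trailer."""
    return DCO_RE.search(message) is not None


def is_conventional(message: str) -> bool:
    """True if the first line follows the Conventional Commits header shape."""
    header = message.splitlines()[0] if message else ""
    return CONVENTIONAL_RE.match(header) is not None


def _pct(hits: int, total: int) -> int:
    return round(100 * hits / total) if total else 0


def assess(commits, protection):
    """Compute the per-package signals for one 90-day commit window.

    `protection` mirrors the branch-protection rules the dashboard cares about
    (assumed key names). The verified ratio is only reported as meaningful when
    signatures are *required* on the protected branch; otherwise an unsigned
    commit can land just as easily, and the ratio is decorative.
    """
    total = len(commits)
    dco = sum(is_dco_signed(c.message) for c in commits)
    cc = sum(is_conventional(c.message) for c in commits)
    verified = sum(c.verified for c in commits)
    protected = (
        protection.get("required_reviews", 0) >= 1
        and bool(protection.get("required_status_checks"))
    )
    return {
        "dco_pct": _pct(dco, total),
        "cc_pct": _pct(cc, total),
        "verified_pct": _pct(verified, total),
        "branch_protected": protected,
        "verified_meaningful": bool(protection.get("required_signatures")),
    }


# Constructed sample history for one package (not real kaos-* commits).
SAMPLE_COMMITS = [
    Commit("feat(parser): add streaming mode\n\nSigned-off-by: Dev One <dev1@example.com>", True),
    Commit("fix: handle empty input\n\nSigned-off-by: Dev Two <dev2@example.com>", False),
    Commit("Update README", True),
    Commit("chore(deps)!: bump major\n\nSigned-off-by: Dev One <dev1@example.com>", False),
    Commit("WIP stuff", False),
]

# Constructed protection settings: reviews and checks on, signatures not required.
SAMPLE_PROTECTION = {
    "required_reviews": 1,
    "required_status_checks": True,
    "required_signatures": False,
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_COMMITS, SAMPLE_PROTECTION).items():
        print(f"{key}: {value}")
```

With the sample data the verified ratio comes out at 40%, but `verified_meaningful` is `False` because `required_signatures` is off, which is exactly the case the last bullet warns about: a dashboard that showed only the 40% would be presenting a decorative number.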