ForgeOS Trust Index - a 0-100 package trust score across eight dimensions.

FORGEOS TRUST INDEX

Know what you're shipping.

Transparent, deterministic trust scoring for every package in your stack. No guesswork, no LLMs at query time - just evidence.

All SyncTek packages are scored by FTI. Scores are public. See our scores

@synctek/forgeos · Live score: 76 (Verified)

  Security 72
  Maintainability 76
  Documentation 81
  Community Health 51
  Supply Chain 68
  Improvement Velocity 50
  Governance 95
  Operational 89

Ed25519 sig: sha256:aaf8e233… [verified]

What is FTI?

The ForgeOS Trust Index (FTI) is a package trust scoring system that produces a single score from 0 to 100 for any package in your stack. It is built for engineering teams that need an objective, auditable signal about the dependencies they pull in.

Deterministic

Same input always produces the same score. No randomness, no LLM at query time.

Cryptographically signed

Every score is Ed25519-signed. Tamper-evident - verify the score matches what we computed.

Updated nightly

Live data from package registries, GitHub, and CVE databases. Scores reflect current reality.

Fully explainable

Every dimension is broken down. Know exactly why a package scored what it scored.

How FTI differs from npm audit

  • npm audit covers CVEs only. FTI scores Security, Maintainability, Supply Chain, Documentation, Community Health, Improvement Velocity, Governance, and Operational - eight independent dimensions in one composite signal.
  • npm audit results change each run. FTI is deterministic - same data, same score, always. You can diff scores across deploys and point to exact regressions.
  • npm audit can't be embedded as a badge, verified cryptographically, or tracked over time. FTI badges are live, scores are Ed25519-signed, and score history is queryable via API.

SCORING MODEL

Eight dimensions. One score.

Each dimension is independently measured. The final score is a deterministic composite - cryptographically signed and fully auditable.

Security 72

CVE count, dependency audit, code security patterns, signing status, and SBOM presence.

Solid dependency auditing and SBOM generation in place. Score reflects some transitive CVE exposure and unsigned sub-dependencies inherited from the npm ecosystem.

Automated CVE remediation pipeline shipping Q2. Package signing for all published artifacts in progress.

Maintainability 76

Complexity metrics, test coverage, PR merge velocity, code churn rate, and type safety adoption.

High test coverage, consistent PR velocity, and low code churn. Our governance gates enforce quality at every merge.

Targeting 95+ with stricter complexity thresholds and full TypeScript strict mode adoption.

Documentation 81

README completeness, API doc coverage, changelog hygiene, contributing guide, and tutorials.

Comprehensive API docs, detailed README, maintained changelog, and contributing guide. One of our strongest dimensions.

Adding interactive tutorials and expanding example coverage for edge cases.

Community Health 51

Contributor count (bus factor), issue response time, PR review time, and governance documentation.

Our lowest score - and we own it. Small core team means high bus factor risk and slower external issue response times. This is the reality of an early-stage product.

Open-sourcing core modules to invite external contributors. Hiring a community manager. Targeting 50+ by Q3.

Supply Chain 68

Dependency count, vulnerable transitive deps, license conflicts, signing status, and provenance.

Clean direct dependencies with full provenance. Score reflects transitive dependency depth inherent in the Node.js ecosystem.

Dependency pinning audit underway. Evaluating vendoring critical sub-dependencies.

Improvement Velocity 50

Score trajectory over 30, 90, and 180 days - is this package trending better or worse?

Baseline score - we launched FTI scoring recently, so the 90-day trend window is still filling. Active development means this will climb as scoring history accumulates.

Nightly rescoring active. Expect this to reflect our improvement pace within 60 days.

Governance 95

Release process maturity, CODEOWNERS presence, branch protection, and change approval workflows.

Ed25519-signed audit trail, mandatory gate approvals, and separation of duties built into the development workflow from day one.

Adding automated release signing verification and expanding CODEOWNERS granularity.

Operational 89

API uptime, response latency, error rates, and monitoring coverage.

Good uptime with room to improve on response latency percentiles. Monitoring coverage expanding.

Adding edge caching for read-heavy endpoints. Targeting sub-200ms p95 latency.

TRUST TIERS

What the score means

Scores map to five tiers. Badges update automatically as the nightly rescore runs.

Exemplary (95–100): Production-grade. Ship with confidence.
Trusted (85–94): Strong trust posture. Minor gaps.
Verified (70–84): Meets trust baseline. Safe to ship.
Standard (50–69): Acceptable. Improvement recommended.
Risky (0–49): Significant concerns. Review before shipping.

API ACCESS

Check any package

Badges are public - no key needed. Trust profiles require your ForgeOS API key (found in your dashboard settings).

Explore the live scoreboard

7K packages scored across PyPI, npm, Cargo, and Go.

Open scoreboard
Embed badge (public, no API key needed):

![FTI](https://forgeos-api.synctek.io/v1/badge/pypi/requests/shield)

Trust profile (requires ForgeOS API key):

# Your API key is in ForgeOS Dashboard → Settings
curl -H "X-API-Key: fos_live_abc123..." \
  https://forgeos-api.synctek.io/v1/trust/pypi/requests

Sample response (JSON, 200 OK):

{
  "package": "npm:@synctek/forgeos",
  "composite": 69.35,
  "dimensions": {
    "security": 86.15,
    "maintainability": 73.21,
    "documentation": 66.75,
    "community_health": 47.05,
    "supply_chain": 74.00,
    "improvement_velocity": 50.00,
    "governance": 83.40,
    "operational": 65.20
  },
  "algorithm_version": "fti-v1.0.0",
  "signature": "sha256:aaf8e233..."
}
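A CI gate built on the trust-tier table and the trust-profile response above, as an added example that is not ForgeOS's own code: it maps a composite to its tier, fails the build below a minimum tier or a per-dimension floor, and fails closed when the response is missing dimensions. Rounding the composite to a whole number before tier lookup (the live badge shows an integer) and the `fetch_trust_profile` helper are assumptions; the embedded sample is the response shown on this page.

```python
import json
import urllib.request

# Tier lower bounds (inclusive) exactly as listed on this page, highest first.
TIERS = [(95, "Exemplary"), (85, "Trusted"), (70, "Verified"), (50, "Standard"), (0, "Risky")]
TIER_RANK = {name: rank for rank, (_, name) in enumerate(reversed(TIERS))}  # Risky=0 .. Exemplary=4

# The eight dimension keys a trust profile response carries.
EXPECTED_DIMENSIONS = {"security", "maintainability", "documentation", "community_health",
                       "supply_chain", "improvement_velocity", "governance", "operational"}

# Constructed sample: the response body shown on this page, embedded so the gate runs offline.
SAMPLE_PROFILE = json.loads("""{
  "package": "npm:@synctek/forgeos", "composite": 69.35,
  "dimensions": {"security": 86.15, "maintainability": 73.21, "documentation": 66.75,
                 "community_health": 47.05, "supply_chain": 74.00, "improvement_velocity": 50.00,
                 "governance": 83.40, "operational": 65.20},
  "algorithm_version": "fti-v1.0.0", "signature": "sha256:aaf8e233..."}""")

def score_tier(composite: float) -> str:
    """Map a composite score to its tier. Assumption: the composite is rounded to a whole
    number first, as the live badge shows an integer; 69.35 therefore lands in Standard."""
    value = round(composite)
    if not 0 <= value <= 100:
        raise ValueError(f"composite out of range: {composite}")
    return next(name for floor, name in TIERS if value >= floor)

def evaluate_policy(profile: dict, min_tier: str = "Verified", dimension_floors: dict = None) -> list:
    """Return policy findings for one trust profile; an empty list means the gate passes."""
    findings = []
    dims = profile.get("dimensions", {})
    missing = EXPECTED_DIMENSIONS - set(dims)
    if missing:  # a malformed or truncated response must fail closed, not pass silently
        findings.append(f"response is missing dimensions: {sorted(missing)}")
    tier = score_tier(profile["composite"])
    if TIER_RANK[tier] < TIER_RANK[min_tier]:
        findings.append(f"composite {profile['composite']} is {tier}, below required tier {min_tier}")
    for dim, floor in (dimension_floors or {}).items():  # per-dimension floors, e.g. security >= 80
        if dims.get(dim, 0) < floor:
            findings.append(f"{dim} {dims.get(dim)} is below floor {floor}")
    return findings

def fetch_trust_profile(ecosystem: str, name: str, api_key: str) -> dict:
    """Hypothetical helper: GET the trust profile with the X-API-Key header from the curl example."""
    url = f"https://forgeos-api.synctek.io/v1/trust/{ecosystem}/{name}"
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:  # network call; not exercised offline
        return json.load(resp)
```

In a pipeline, call `evaluate_policy(fetch_trust_profile("pypi", "requests", api_key))` and fail the job when the returned list is non-empty.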

FTI PRICING

FTI is part of ForgeOS.

FTI scoring is bundled with every ForgeOS plan. Badge embeds are always free. A standalone metered API is available for AI agents that don't need a full ForgeOS subscription.

Free - $0/mo
5 FTI scores/day. Badge embeds unlimited.
  • 5 FTI scores/day
  • Badge embeds (unlimited)
  • Public trust profiles
  • GET /v1/methodology (free, public)

Pro - $49/mo
Unlimited FTI scoring. Full 8-dimension breakdown.
  • Unlimited FTI scores
  • Recommendations
  • Comparative analysis
  • Score history & webhooks

Team - $29/seat/mo
Unlimited FTI. 3-seat minimum. Shared projects.
  • Everything in Pro
  • Shared FTI dashboard
  • Team trust policy config

Enterprise - custom pricing
Dedicated infrastructure. Private registry. SLA.
  • Everything in Team
  • Private registry scoring
  • Custom SLA
  • On-prem option

Standalone FTI API - for AI agents

No ForgeOS subscription required.

AI agents, CI/CD pipelines, and external tools can query FTI directly via metered API. Pay only for what you use. API key authentication. Billed monthly via Stripe.

  • POST /v1/score - $0.003/call
  • POST /v1/recommend - $0.005/call
  • POST /v1/compare - $0.008/call
  • GET /v1/methodology - free, public

OUR PACKAGES

We eat our own cooking

Every SyncTek package is scored by FTI. We publish the scores publicly - no exceptions.

  • ForgeOS CLI (npm · @synctek/forgeos) - FTI score published
  • SpecterQA (pypi · specterqa) - FTI score published

GET STARTED

Get started with ForgeOS

FTI is one piece of the ForgeOS governance stack. Gate enforcement, signed audit ledgers, SharedMind, and 21 MCP tools ship together - first gate running in under 10 minutes.