CodeQuill

Trust Index

What is the Trust Index?

The CodeQuill Trust Index is an evidence-based reputation signal computed from verifiable, on-chain source activity. It measures how much consistent, independently referenced evidence exists for a repository or workspace.

The Trust Index is not a security guarantee, popularity metric, or social score. It is an informational signal derived from immutable, timestamped evidence that anyone can independently verify.

How is it computed?

The Trust Index is a score from 0 to 100, computed as a weighted combination of six independent factors. Each factor captures a different dimension of verifiable software evidence.

Snapshot Activity (25%)

Measures the volume of published, on-chain source snapshots. More snapshots indicate a higher commitment to verifiable evidence. Diminishing returns prevent spam -- the score saturates naturally after sustained activity.

Continuity (20%)

Rewards sustained activity over time. A repository that has been consistently snapshotting for 18 months scores higher than one that published 100 snapshots in a single day. Long gaps in activity reduce this score.

Release Governance (20%)

Measures release publishing maturity and governance decisions. Repositories that publish releases regularly, with accepted governance decisions, score higher. Revoked releases are excluded. Sustained release cadence matters more than volume.

Attestations (15%)

Captures supply-chain attestation behavior and external verification. Self-attestations contribute, but independent attestations from other workspaces carry significantly more weight. Without external attestors, the maximum score for this factor is capped.

Preservation Coverage (10%)

Rewards operational maturity by measuring the percentage of snapshots that have been preserved as encrypted, zero-custody archives. Full coverage earns the maximum score.

Dependency Graph (10%)

Rewards participation in a verifiable dependency graph. When other repositories declare yours as an upstream dependency (via attestation), it signals real-world reliance and independent verification of your code.

Trust Tiers

Scores are mapped to tiers that provide an at-a-glance reputation signal.

| Score | Tier | What it means |
|---|---|---|
| 0 -- 20 | New | Recently started publishing evidence. Limited history. |
| 21 -- 40 | Emerging | Building a track record. Some verifiable activity over time. |
| 41 -- 60 | Established | Consistent evidence production with governance and preservation. |
| 61 -- 80 | Trusted | Strong, long-lived evidence footprint with external verification. |
| 81 -- 100 | Proven | Exceptional evidence record with sustained external reliance. |

Anti-Gaming Design

The Trust Index is designed to resist manipulation:

Diminishing returns -- All volume metrics use logarithmic scaling. Publishing 1,000 snapshots scores only marginally more than 100.
Self-only ceiling -- Without external attestors or downstream dependents, the maximum achievable score is approximately 70 out of 100.
Uniqueness enforced -- External signals count once per workspace. One attestor attesting 100 times counts the same as once.
Inactivity decay -- Scores gradually decrease after 6 months of no new evidence, with a floor at 50% of the computed score.
Deterministic -- Scores are computed from on-chain evidence. No manual overrides, no subjective inputs.
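
The following sketch is an added illustration, not CodeQuill's own code: it combines the six weights, the tier table, the once-per-workspace uniqueness rule, log-scaled volume and the 6-month decay with its 50% floor. The weights, tier bounds, 6-month threshold and 50% floor come from this page; the 0..1 factor inputs, the saturation constant, the linear decay rate and all function names are assumptions, and the self-only ceiling is not modeled.

```python
import math

# Weights and tier bounds are taken from the page; everything marked
# "assumed" below is illustrative and not CodeQuill's published formula.
WEIGHTS = {
    "snapshot_activity": 25, "continuity": 20, "release_governance": 20,
    "attestations": 15, "preservation_coverage": 10, "dependency_graph": 10,
}
TIERS = [(20, "New"), (40, "Emerging"), (60, "Established"),
         (80, "Trusted"), (100, "Proven")]


def log_volume(count, saturation=1000):
    """Diminishing returns: map a raw count to 0..1 on a log scale.
    The saturation point of 1000 is an assumed constant."""
    if count <= 0:
        return 0.0
    return min(1.0, math.log1p(count) / math.log1p(saturation))


def unique_external(attestor_workspaces, own_workspace):
    """Uniqueness rule: each external workspace counts once; self is excluded."""
    return len(set(attestor_workspaces) - {own_workspace})


def trust_index(factors):
    """Weighted combination of six factor scores, each in 0..1, giving 0..100."""
    if set(factors) != set(WEIGHTS):
        raise ValueError("expected exactly the six factors named on the page")
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = factors[name]
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be within 0..1")
        total += weight * value
    return round(total, 1)


def apply_inactivity_decay(score, months_inactive, monthly_rate=0.05):
    """No decay for the first 6 months, then a gradual drop that never goes
    below 50% of the computed score. The 5%/month linear rate is assumed."""
    excess = max(0, months_inactive - 6)
    return round(score * max(0.5, 1.0 - monthly_rate * excess), 1)


def tier(score):
    """Map a 0..100 score to the tier names in the table above."""
    return next(name for upper, name in TIERS if score <= upper)
```

When reviewing a published score, the useful checks are the ones these functions isolate: whether repeated attestations from one workspace were deduplicated, and whether a long-idle repository is being shown at its decayed value.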

The CodeQuill Trust Index is an informational signal derived from verifiable source snapshots and related claims. It does not prove build correctness, artifact derivation, or supply-chain security.