Trust and health report

agency-orchestrator - trust report

Sourced, dated trust signals - maintenance label posture, repository provenance, and security scan status. Not a composite safety grade.

GraphCanon updated today · GitHub synced today

Maintenance

Recency and activity heuristics from public GitHub metadata (maintenance label, momentum); methodology: github_public_v1.

Very active96% signal

last push 0d ago · last release 1w · 11 releases (90d)

Provenance

Repository identity and fork provenance (github_public_v1).

  • GitHub repo id: 1188191061
  • Not a fork
  • Personal account
  • Computed today

Security intelligence

Source-by-source security scan results from public intelligence providers. Missing, partial, or failed queries are shown explicitly and are not treated as clean.

OSV dependency advisories

Published findings
Last query
today
Scanner
osv@v1
Stored findings
28
View source evidence

deps.dev advisories

Not queried
Scanner
deps.dev@v1
View source evidence

OpenSSF Scorecard

Not queried
Scanner
openssf-scorecard@v1

Weekly public scans omit some checks at scale.

View source evidence

Dependency advisories (deduplicated)

GHSA-92pp-h63x-v22m
@hono/node-server@1.19.11 · osv@v1
package-lock.json
GHSA-q3j6-qgpj-74h6
fast-uri@3.1.0 · osv@v1
package-lock.json
GHSA-v39h-62p7-jpjc
fast-uri@3.1.0 · osv@v1
package-lock.json
GHSA-26pp-8wgv-hjvm
hono@4.12.9 · osv@v1
package-lock.json
GHSA-2gcr-mfcq-wcc3
hono@4.12.9 · osv@v1
package-lock.json
GHSA-3hrh-pfw6-9m5x
hono@4.12.9 · osv@v1
package-lock.json
GHSA-458j-xx4x-4375
hono@4.12.9 · osv@v1
package-lock.json
GHSA-69xw-7hcm-h432
hono@4.12.9 · osv@v1
package-lock.json
GHSA-88fw-hqm2-52qc
hono@4.12.9 · osv@v1
package-lock.json
GHSA-9vqf-7f2p-gf9v
hono@4.12.9 · osv@v1
package-lock.json
GHSA-f577-qrjj-4474
hono@4.12.9 · osv@v1
package-lock.json
GHSA-hm8q-7f3q-5f36
hono@4.12.9 · osv@v1
package-lock.json
GHSA-j6c9-x7qj-28xf
hono@4.12.9 · osv@v1
package-lock.json
GHSA-p77w-8qqv-26rm
hono@4.12.9 · osv@v1
package-lock.json
GHSA-qp7p-654g-cw7p
hono@4.12.9 · osv@v1
package-lock.json
GHSA-r5rp-j6wh-rvv4
hono@4.12.9 · osv@v1
package-lock.json
GHSA-rv63-4mwf-qqc2
hono@4.12.9 · osv@v1
package-lock.json
GHSA-wgpf-jwqj-8h8p
hono@4.12.9 · osv@v1
package-lock.json
GHSA-wmmm-f939-6g9c
hono@4.12.9 · osv@v1
package-lock.json
GHSA-wwfh-h76j-fc44
hono@4.12.9 · osv@v1
package-lock.json
GHSA-xf4j-xp2r-rqqx
hono@4.12.9 · osv@v1
package-lock.json
GHSA-xpcf-pg52-r92g
hono@4.12.9 · osv@v1
package-lock.json
GHSA-xrhx-7g5j-rcj5
hono@4.12.9 · osv@v1
package-lock.json
GHSA-v2v4-37r5-5v8g
ip-address@10.1.0 · osv@v1
package-lock.json
GHSA-h67p-54hq-rp68
js-yaml@4.1.1 · osv@v1
package-lock.json
GHSA-27v5-c462-wpq7
path-to-regexp@8.3.0 · osv@v1
package-lock.json
GHSA-j3q9-mxjg-w52f
path-to-regexp@8.3.0 · osv@v1
package-lock.json
GHSA-q8mj-m7cp-5q26
qs@6.15.0 · osv@v1
package-lock.json

Method and caveats: these are sourced, dated heuristics from public GitHub data and external security intelligence providers. A status like "no published findings from this source" is not a guarantee of safety. Read the full trust methodology · JSON report at /api/graphcanon/tools/jnmetacode-agency-orchestrator/trust.

Common questions

Is agency-orchestrator maintained?
GraphCanon rates agency-orchestrator "Very active" (96% maintenance signal from public GitHub metadata, computed today). Last push was 0 days ago. 11 GitHub releases in the last 90 days. This is a recency heuristic, not a guarantee the project will stay maintained.
Is agency-orchestrator safe to use?
Last scanned today (deps profile). Status: 28 low - 28 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report. GraphCanon does not certify agency-orchestrator as safe - review maintenance, provenance, and scan findings on this page before adopting.
Is agency-orchestrator a fork?
No. agency-orchestrator is not flagged as a fork in GitHub metadata at the time of the last refresh.
Does agency-orchestrator have known security vulnerabilities?
Last scanned today (deps profile). Status: 28 low - 28 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report.
How often is the agency-orchestrator trust report updated?
Trust signals refresh on GitHub ingest/refresh cycles and optional dependency/MCP scans. This report was computed today (methodology github_public_v1).
What does GraphCanon never claim about agency-orchestrator?
We never publish a composite safety grade, pen-test endorsement, or "verified secure" label for agency-orchestrator. Signals are sourced heuristics with explicit limits - see trust methodology.
How does GraphCanon assess trust for agency-orchestrator?
Signals are sourced from public GitHub metadata and optional dependency/MCP manifest scans, each tagged with methodology version and computed date. GraphCanon does not publish a composite safety grade. Read trust methodology for full scope and limits.

Was this helpful?

Anonymous feedback helps us improve pages and translations.