What we do today. What we don't yet.

RuleSell is in beta. This page is the honest record of which trust signals are real right now and which are on the roadmap. If you spot a gap between what we claim and what we ship, email trust@rulesell.com.

What ships today

These are the trust guarantees currently enforced in production. You can verify every one of them on any listing detail page.

Every listing credits a real GitHub author

Each ruleset stores sourceAuthorLogin, sourceUrl, sourceLicense (SPDX identifier), and sourcePushedAt (last commit date on the upstream repo). These fields are rendered on the listing page and link back to the original GitHub repo. No synthetic authors. No AI-generated avatars.

Weekly freshness check — stale assets auto-archive

We re-scrape GitHub stats (stars, last commit, open issues) once a week. Listings whose upstream repo hasn't been pushed in more than 180 days get archived automatically and removed from marketplace results until the author refreshes or reclaims them.

Claim flow for real authors

Endpoint: POST /api/claims. Authors sign in with GitHub and submit a claim; if the authenticated login matches the listing's sourceAuthorLogin (case-insensitive), the listing is instantly marked isClaimed, ownership transfers to the claimant, and a MAINTAINER_VERIFIED badge is added. Non-matching claims land in the admin review queue at /dashboard/admin/claims. If something looks off, email support@rulesell.com.

License-based rejection at ingest time

Our ingest pipeline refuses assets under copyleft-strong licenses (GPL-2.0, GPL-3.0, AGPL-3.0, LGPL variants). Listings carry their detected SPDX license in sourceLicense. Anything without a clear permissive or unlicensed status is rejected rather than published in a gray area.

How this renders on a listing

Every OSS-sourced listing carries three badges you can verify against the upstream GitHub repo in one click.

Maintainer verified

Shown when isClaimed === true. Links to the claim record.

1,200 GitHub stars

Read from sourceStars, refreshed every Sunday.

Updated 14d ago

Derived from sourcePushedAt on the upstream repo.

Open a listing like any MCP server to see them in context. If a badge is missing, it means the signal is explicitly unavailable — we don't fabricate defaults.

What we refuse to ship yet

These are things other marketplaces claim without building. We don't have them in production, so they're listed here instead. If you want to be emailed the day any of these goes live, send your GitHub handle to founders@rulesell.com.

Automated malware scanning

Planned Q2 2026

No VirusTotal integration, no on-upload binary scanning in production today. Current protection is manual admin review for flagged uploads only.

Semgrep rules on upload

Planned

Static analysis for insecure patterns (hardcoded secrets, dangerous shell execution, credential leakage) is on the roadmap but not wired up. Uploads are reviewed manually when flagged.

Quality Score with six real signals

Basic baseline live

Today's Quality Score uses three signals only: isClaimed (author has verified ownership), sourceStars (upstream GitHub stars), and freshness (sourcePushedAt recency). The planned signals — token efficiency, install success rate, schema cleanliness, security scan results — require CLI telemetry and scanning that are not in production. We don't display a number we haven't computed.

Reviews with verified-install gate

Frontend exists, gate missing

The review UI is built but there is currently no enforced link between installing an asset via the CLI and being allowed to review it. Until the CLI telemetry lands, we are not showcasing user reviews as a trust signal.

Payments and payouts

Payments are not active during the beta.

Every listing is free while we build out Stripe Connect payouts. When payments ship, we'll publish the exact platform fee, payout cadence, and tax handling here — we are not going to tell you a number we can't back up yet. Creators who publish free assets during beta get first access to paid publishing when it opens.

Want early access? founders@rulesell.com.

Found a broken trust promise?

If a listing misattributes an author, a claimed asset looks wrong, or a license looks misidentified, write to trust@rulesell.com. For DMCA takedowns use dmca@rulesell.com.