methodology

The RST Continuum

Your technology estate isn't in one place. It's a scatter plot. Every service, every process, every compliance obligation sits at its own position on the R-to-T spectrum. The question isn't which phase you're in — it's where everything is, and what moves first.

R (0.0): fragile · unknown · unmanaged
S (0.5): stabilised · monitored · proactive
T (1.0): governed · proven · auditable

The R-S-T model is not a pipeline. It's a coordinate system. Any organisation, any system, any team sits at a point on a continuum — and not one point, but hundreds.

Your payments stack might be T while your identity service is R and your CI pipeline is somewhere in the middle of S. Your GDPR posture might be T but your PCI DSS position is deep R. Your London office might be S while the acquisition you closed last quarter is uncharted territory.

Nothing is uniformly one thing. Everything is a blend. The question is never "which phase you're in." The question is "where is everything, and what moves first?" The platform maps the scatter plot, then sequences the work — dependency-aware, risk-weighted, evidence-backed.

Example estate — position map
payments-api       S (0.60)  high
identity-service   R (0.20)  high
ci-pipeline        S (0.40)  medium
gdpr-compliance    T (0.80)  high
pci-dss            R (0.10)  low
customer-db        R (0.30)  high
event-bus          S (0.70)  medium
disaster-recovery  R (0.10)  low
composite          S (0.40)

[Figure: repo scatter plot. X axis: RST position (health score 0.0–1.0) · Y axis: GitHub stars (log scale) · Node size: clause pass count (1–2, 3–4, 5–6 clauses) · Border: verdict (compliant, contract breach) · Category: ai-coding, ai-framework, ai-infra, ai-examples, ai-platform]

Finding 01
Star count is not a governance proxy
The most popular repos — langchain (98k stars), cursor (55k), openai-cookbook (60k) — are spread across the full RST spectrum. GitHub stars measure community adoption, not governance maturity. The scatter plot makes this visible: high-Y nodes appear at every X position.
Finding 02
Framework projects outperform application projects
Repos in the ai-framework category (blue nodes) cluster in the 0.65–0.82 RST range. Application-layer repos show more variance. The hypothesis: framework maintainers invest more heavily in CI, testing, and documentation — the DC-G clauses — which drives up composite RST scores.
Finding 03
The alwaysAllow problem is systemic
35% of repos with agent config files have non-empty alwaysAllow lists — blanket tool permission grants that bypass per-call confirmation. This pattern appears across every category, suggesting it is a copy-paste default, not a deliberate security decision.
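
A check for the pattern in Finding 03, as an added example (not the ticketyboo scanner's code): it flags non-empty `alwaysAllow` grants in an agent config so they can be reviewed as deliberate decisions. The JSON layout (an `mcpServers` map whose entries may carry an `alwaysAllow` array), the server names and the sample file are assumptions constructed for illustration; the page does not specify the file format.

```python
import json

# Constructed sample config, not taken from any scanned repo.
# Assumed layout: "mcpServers" maps a server name to its settings, and
# "alwaysAllow" lists tools that run without per-call confirmation.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "filesystem": {"command": "fs-server", "alwaysAllow": ["write_file", "read_file"]},
    "search":     {"command": "search-server", "alwaysAllow": []},
    "git":        {"command": "git-server"},
    "shell":      {"command": "shell-server", "alwaysAllow": "*"}
  }
}
"""


def audit_always_allow(config_text):
    """Return (server, finding, detail) tuples for every server whose
    alwaysAllow grant is non-empty or not a list."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # A config that cannot be parsed cannot be shown to be clean.
        return [("<file>", "unparseable", [str(exc)])]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return []
    findings = []
    for name, entry in sorted(servers.items()):
        if not isinstance(entry, dict) or "alwaysAllow" not in entry:
            continue  # no grant declared: per-call confirmation still applies
        grant = entry["alwaysAllow"]
        if isinstance(grant, list):
            tools = sorted(t for t in grant if isinstance(t, str) and t.strip())
            if tools:
                findings.append((name, "pre-approved tools", tools))
        elif grant:
            # Not a list (for example a wildcard string): report it rather
            # than guess how the agent interprets it.
            findings.append((name, "unexpected type", [repr(grant)]))
    return findings


if __name__ == "__main__":
    for server, finding, detail in audit_always_allow(SAMPLE_CONFIG):
        print(f"{server}: {finding}: {', '.join(detail)}")
```

An empty list and a missing key both pass; only grants that actually pre-approve something are reported, which matches the "non-empty" condition in the finding.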

Run the ticketyboo scanner on your repos to plot them on the continuum. Each scan produces a Development Receipt with your RST score, clause breakdown, and signed evidence bundle.


Where does your estate sit on the continuum?

The ticketyboo scanner produces RST scores, clause breakdowns, and signed Development Receipts. Free for public repositories.