Audit-Before-You-Deploy Health Score for Self-Hosted Apps After the BookLore-to-Grimmory Detonation
BookLore's solo maintainer ACX got caught merging 20,000-line AI-slop PRs, banned community members who flagged it, then nuked the GitHub, Discord, and website overnight in March-April 2026. The community refloated as Grimmory, but every self-hoster running selfh.st-popular apps now has the same nervous question: 'how do I tell, before I deploy this, whether it's a one-person time bomb?' Demand is for a continuously-updated health score per self-hosted project (bus factor, AI-PR ratio, license stability, fork-readiness, last-90-days incident log). Think Snyk for trust, not vulnerabilities.
The trap is trying to be a security scanner. The win is the soft signal: PR turnaround variance, contributor-count trend, the ratio of AI-shaped PRs, plus a public 'maintainer banned a contributor' incident log scraped from GitHub blocks and issue locks. Sell to the homelab and selfh.st audience, not enterprises (Snyk owns that).
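As an added illustration (not code from any existing product or project), here is how three of the governance signals named above can be computed from a repository's commit and PR history: bus factor, AI-shaped PR ratio and merge-turnaround spread, folded into an illustrative 0-100 score. All input data, the 'AI-shaped' heuristic thresholds and the score weights are constructed assumptions.

```python
"""Governance health signals computed from constructed sample data (not a real repo)."""
from collections import Counter
from statistics import pstdev

# Constructed sample: one author dominates, a few occasional contributors.
COMMIT_AUTHORS = ["maint"] * 70 + ["bob"] * 15 + ["cara"] * 10 + ["dan"] * 5

# Constructed sample: (additions, review_comments, hours_to_merge) per merged PR.
PULL_REQUESTS = [
    (120, 4, 30.0),
    (80, 3, 20.0),
    (20000, 0, 2.0),  # huge diff merged quickly with no review: flagged as AI-shaped
    (15000, 0, 1.0),
    (200, 5, 48.0),
    (50, 2, 12.0),
]


def bus_factor(authors, share=0.5):
    """Smallest number of authors whose commits cover `share` of all commits."""
    counts = sorted(Counter(authors).values(), reverse=True)
    total = sum(counts)
    covered = 0
    for n, c in enumerate(counts, start=1):
        covered += c
        if covered >= share * total:
            return n
    return len(counts)


def ai_shaped_ratio(prs, min_additions=5000, max_comments=0):
    """Share of merged PRs that are very large and drew no review comments.
    Assumed heuristic for 'AI-shaped'; thresholds are illustrative."""
    flagged = [p for p in prs if p[0] >= min_additions and p[1] <= max_comments]
    return len(flagged) / len(prs)


def turnaround_spread(prs):
    """Population std-dev of hours-to-merge: high spread means unpredictable review."""
    return pstdev(p[2] for p in prs)


def health_score(authors, prs):
    """Illustrative 0-100 score: penalise low bus factor, AI-shaped PRs, erratic merges."""
    bf = bus_factor(authors)
    ratio = ai_shaped_ratio(prs)
    spread = turnaround_spread(prs)
    penalty = (40 if bf == 1 else 20 if bf == 2 else 0) + round(30 * ratio) + min(20, int(spread))
    return {"bus_factor": bf, "ai_ratio": ratio, "spread_h": spread, "score": 100 - penalty}
```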
Landscape (3 existing solutions)
Existing tools score security and license compliance, not governance and bus factor. The actual question self-hosters ask before adoption ('is this a one-person project that's about to nuke itself?') has no public signal.