From 0287bb77df575d9bc613894c5959d2e8d67313c6 Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Mon, 6 Jul 2026 23:31:13 +0300 Subject: [PATCH 1/5] chore: add AI attribution governance blog post and projects page - New blog post: AI Attribution Governance (v2.11.0) - New Projects page showcasing all three repos with versions - Home page: add Ecosystem module for quick project discovery - Navigation: add Projects tab --- docs/blog/posts/ai-attribution-governance.md | 183 +++++++++++++++++++ docs/index.md | 42 +++++ docs/projects.md | 90 +++++++++ mkdocs.yml | 1 + 4 files changed, 316 insertions(+) create mode 100644 docs/blog/posts/ai-attribution-governance.md create mode 100644 docs/projects.md diff --git a/docs/blog/posts/ai-attribution-governance.md b/docs/blog/posts/ai-attribution-governance.md new file mode 100644 index 0000000..57d2c1e --- /dev/null +++ b/docs/blog/posts/ai-attribution-governance.md @@ -0,0 +1,183 @@ +--- +date: + created: 2026-07-06 +readtime: 7 +categories: + - UPDATES +tags: + - commit-check + - ai + - governance + - compliance +authors: + - shenxianpeng +--- + +# AI Attribution Governance: Enforcing AI Disclosure Policies at the CI Level + +The open-source ecosystem is converging on a hard question: **when a commit is +written with AI assistance, how do we know — and how do we enforce the +disclosure policy?** + +Python's discourse, Linux kernel's `Assisted-by` trailer, Fedora's AI policy, +Apache's disclosure guidelines — every major project is grappling with this. +But until now, there has been **no tool at the CI level** to enforce whatever +policy a project chooses. + +Commit Check v2.11.0 introduces **AI Attribution Governance** — a +first-of-its-kind feature that detects known AI tool signatures in commit +messages and lets projects decide whether to forbid them outright. + + + +## The industry need + +The conversation around AI disclosure is no longer theoretical: + +- The **Linux kernel** standardized on the `Assisted-by:` trailer format +- The **Python community** [is actively discussing](https://discuss.python.org/t/should-claude-codes-usage-be-described-in-the-code-docs-somewhere/107969) whether Claude Code usage should be documented +- **VS Code** [issue #313962](https://github.com/microsoft/vscode/issues/313962) proposes replacing `Co-authored-by` with `Assisted-by` for AI agents +- **Fedora, Apache, OpenTelemetry, Rocky Linux, QEMU, Gentoo** each have different AI contribution policies + +But nobody had built a neutral enforcement layer that works in CI — until now. + +## Configuration: a single toggle + +Commit Check keeps it simple. One configuration value, three ways to set it: + +=== "TOML (cchk.toml)" + + ```toml + [commit] + ai_attribution = "forbid" + ``` + +=== "CLI" + + ```bash + commit-check --message --ai-attribution=forbid + ``` + +=== "Environment Variable" + + ```bash + CCHK_AI_ATTRIBUTION=forbid commit-check --message + ``` + +Two modes: + +| Mode | Behavior | +|------|----------| +| `"ignore"` | No validation (default, backward compatible) | +| `"forbid"` | Rejects any commit containing known AI tool signatures | + +There is no `require` mode or `ai_trailer_style` option — the signature +database recognizes all known formats automatically, and the policy is simply +whether you allow them or not. + +## Detected AI tool signatures + +Commit Check ships with a curated database of known AI tool markers. The +detection covers multiple signature formats per tool — `Co-authored-by`, +`Assisted-by`, body markers, and model names: + +| AI Tool | What gets detected | +|---------|-------------------| +| **Claude Code** | `Co-authored-by: Claude`, `Assisted-by: Claude:`, emoji markers, `Claude-Session:`, `Claude-Workflow:` | +| **GitHub Copilot** | `Co-authored-by: Copilot` | +| **OpenAI Codex** | `Co-authored-by: Codex` | +| **Gemini** | `Co-authored-by: Gemini` | +| **Cursor** | `Co-authored-by: Cursor` | +| **Devin** | `Co-authored-by: Devin` | +| **Aider** | `Co-authored-by: Aider`, `Co-authored-by: ... (aider)` | +| **Windsurf** | `Co-authored-by: Windsurf` | +| **Tabby** | `Co-authored-by: Tabby` | +| **Generic AI** | `Assisted-by: : [tools]`, model names like `claude-sonnet-4`, `gpt-4-turbo` | + +## Built-in false positive prevention + +A `Co-authored-by: Claude` could theoretically be a human named Claude — but +in practice, AI tools use known noreply email addresses. Commit Check anchors +its detection to these, so: + +✅ `Co-authored-by: Claude ` — flagged +✅ `Assisted-by: Claude:claude-sonnet-4-20250514 [tools]` — flagged +❌ `Co-authored-by: Claude Monet ` — **not flagged** +❌ `Co-authored-by: Jane Doe ` — **not flagged** + +The kernel-style `Assisted-by:` format also handles optional trailing tool +lists correctly: + +```text +Assisted-by: Claude:claude-sonnet-4-20250514 coccinelle sparse +``` + +Only the AI tool marker is matched — the tool list is preserved as-is. + +## See it in action + +With a config file containing `ai_attribution = "forbid"`: + +```bash +# This commit message would be REJECTED +echo "fix: resolve race condition + +Co-authored-by: Claude " | commit-check -m +``` + +```text +[FAIL] ai-attribution: Commit message contains known AI tool signature: Claude +``` + +```bash +# This commit message passes cleanly +echo "fix: resolve race condition + +Co-authored-by: Jane Doe " | commit-check -m +``` + +```text +[PASS] commit message is valid +``` + +## Integration across the ecosystem + +The feature is available across every surface of Commit Check: + +- **CLI**: `--ai-attribution=forbid` +- **TOML config**: `[commit] ai_attribution = "forbid"` +- **Environment variables**: `CCHK_AI_ATTRIBUTION=forbid` +- **Python API**: `validate_message()` returns AI attribution results +- **`--format json`**: AI check status included in structured output +- **MCP Server** ([commit-check-mcp](https://github.com/commit-check/commit-check-mcp)): synced in v0.1.7 +- **GitHub Action** ([commit-check-action](https://github.com/commit-check/commit-check-action)): available once the underlying dependency is updated + +## What's next + +AI attribution governance in v2.11.0 is the foundation. Future work includes: + +1. **PR summaries** — show AI disclosure status per commit in pull requests +2. **MCP improvements** — AI agents query `describe_validation_rules` to + auto-comply before writing a commit +3. **Richer JSON metadata** — structured AI signature data for SBOM and audit + tooling + +## Try it today + +```bash +pip install commit-check==2.11.0 +echo "feat: add streaming support" | commit-check -m --ai-attribution=forbid +``` + +Or add it to your `cchk.toml`: + +```toml +[commit] +ai_attribution = "forbid" +``` + +And let CI enforce your AI disclosure policy — automatically, on every commit. + +--- + +*Clean commits. Clear standards. Transparent AI contributions.* diff --git a/docs/index.md b/docs/index.md index 5175a1d..64e7fa7 100644 --- a/docs/index.md +++ b/docs/index.md @@ -136,6 +136,48 @@ title: Commit Check +## Ecosystem + +Commit Check is a family of three projects — one engine, multiple surfaces. +Write your policy **once** in a `cchk.toml`, enforce it **everywhere**. + +
+ +- :fontawesome-brands-python: __commit-check__ `v2.11.0` + + --- + + **Core engine** — Python CLI, library & pre-commit hooks. + + :material-star: AI attribution governance, message patterns, JSON output + + [:octicons-arrow-right-24: Repo](https://github.com/commit-check/commit-check) + [:octicons-arrow-right-24: Docs](https://commit-check.github.io/commit-check/) + +- :material-github: __commit-check-action__ `v2.10.0` + + --- + + **GitHub Action** — seamless CI integration with PR comments. + + :material-star: Windows runner, PR title validation + + [:octicons-arrow-right-24: Repo](https://github.com/commit-check/commit-check-action) + +- :material-robot: __commit-check-mcp__ `v0.1.7` + + --- + + **MCP Server** — structured tools for AI coding agents. + + :material-star: AI attribution governance, message patterns + + [:octicons-arrow-right-24: Repo](https://github.com/commit-check/commit-check-mcp) + +
+ +[See all projects →](projects.md){ .md-button } + ## Quick Start === "GitHub Actions" diff --git a/docs/projects.md b/docs/projects.md new file mode 100644 index 0000000..53a743d --- /dev/null +++ b/docs/projects.md @@ -0,0 +1,90 @@ +--- +hide: + - toc +--- + +# Projects + +The Commit Check ecosystem consists of three open-source projects that work +together to enforce commit quality standards across your entire workflow. + +
+ +- :fontawesome-brands-python: __commit-check__ + + --- + + **The core engine.** A Python CLI and library for validating commit + messages, branch names, author identity, sign-off trailers, push safety, + and AI attribution. + + - Latest release: **v2.11.0** + - Highlights: AI attribution governance, message patterns, JSON output, + Python API + - Works as: CLI tool, pre-commit hooks, importable library + + [:octicons-arrow-right-24: GitHub](https://github.com/commit-check/commit-check) + [:octicons-arrow-right-24: Docs](https://commit-check.github.io/commit-check/) + +- :material-github: __commit-check-action__ + + --- + + **GitHub Action** that wraps the core engine into a seamless CI step. + Validates PR commits and posts results as check runs, job summaries, and + PR comments. + + - Latest release: **v2.10.0** + - Highlights: Windows runner support, PR title validation, PR comments + - Works as: GitHub Action in your workflows + + [:octicons-arrow-right-24: GitHub](https://github.com/commit-check/commit-check-action) + [:octicons-arrow-right-24: Docs](https://github.com/commit-check/commit-check-action?tab=readme-ov-file#usage) + +- :material-robot: __commit-check-mcp__ + + --- + + **MCP Server** that exposes commit-check validations as structured tools + for AI coding agents like Claude Code, Cursor, and Copilot. + + - Latest release: **v0.1.7** + - Highlights: AI attribution governance sync, message pattern support, + push safety validation, MCP Registry published + - Works as: MCP server in your AI agent's config + + [:octicons-arrow-right-24: GitHub](https://github.com/commit-check/commit-check-mcp) + [:octicons-arrow-right-24: MCP Registry](https://registry.mcpx.dev) + +
+ +## How they fit together + +```mermaid +graph LR + A[commit-check
Python Core] --> B[commit-check-action
GitHub Action] + A --> C[commit-check-mcp
MCP Server] + B --> D[CI Pipeline] + C --> E[AI Coding Agent] +``` + +The same `cchk.toml` policy file drives **all three** — write it once, enforce +it everywhere. + +## Release history + +| Project | Latest | Recent updates | +|---------|--------|----------------| +| commit-check | v2.11.0 | AI attribution governance, message patterns, JSON output | +| commit-check-action | v2.10.0 | Windows runner, PR title validation | +| commit-check-mcp | v0.1.7 | AI attribution sync, message patterns, MCP Registry | + +## Quick links + +| What do you need? | Use this | +|-------------------|----------| +| Validate commits in CI | [commit-check-action](https://github.com/commit-check/commit-check-action) | +| Validate commits locally | [commit-check CLI](https://github.com/commit-check/commit-check) | +| Validate commits via pre-commit | [commit-check hooks](https://commit-check.github.io/commit-check/example.html#running-as-pre-commit-hook) | +| Let AI agents auto-comply | [commit-check-mcp](https://github.com/commit-check/commit-check-mcp) | +| Configure policy once | [`cchk.toml` reference](https://commit-check.github.io/commit-check/configuration.html) | diff --git a/mkdocs.yml b/mkdocs.yml index f767755..1eedaac 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -8,6 +8,7 @@ copyright: "© Copyright 2022 - 2026, shenxianpeng." nav: - Home: index.md - Getting Started: getting-started.md + - Projects: projects.md - Blog: - blog/index.md # exclude_docs: | From a29ed35828a85a420811c0fca771ba4cf64f350b Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Mon, 6 Jul 2026 23:34:23 +0300 Subject: [PATCH 2/5] chore: simplify projects page, remove redundant content - Remove project cards duplicated from home page - Remove release history table (hard to keep current) - Remove quick links section (duplicates Getting Started) - Focus on architecture diagram and surface comparison table --- docs/projects.md | 109 +++++++++++++---------------------------------- 1 file changed, 30 insertions(+), 79 deletions(-) diff --git a/docs/projects.md b/docs/projects.md index 53a743d..8226890 100644 --- a/docs/projects.md +++ b/docs/projects.md @@ -5,86 +5,37 @@ hide: # Projects -The Commit Check ecosystem consists of three open-source projects that work -together to enforce commit quality standards across your entire workflow. - -
- -- :fontawesome-brands-python: __commit-check__ - - --- - - **The core engine.** A Python CLI and library for validating commit - messages, branch names, author identity, sign-off trailers, push safety, - and AI attribution. - - - Latest release: **v2.11.0** - - Highlights: AI attribution governance, message patterns, JSON output, - Python API - - Works as: CLI tool, pre-commit hooks, importable library - - [:octicons-arrow-right-24: GitHub](https://github.com/commit-check/commit-check) - [:octicons-arrow-right-24: Docs](https://commit-check.github.io/commit-check/) - -- :material-github: __commit-check-action__ - - --- - - **GitHub Action** that wraps the core engine into a seamless CI step. - Validates PR commits and posts results as check runs, job summaries, and - PR comments. - - - Latest release: **v2.10.0** - - Highlights: Windows runner support, PR title validation, PR comments - - Works as: GitHub Action in your workflows - - [:octicons-arrow-right-24: GitHub](https://github.com/commit-check/commit-check-action) - [:octicons-arrow-right-24: Docs](https://github.com/commit-check/commit-check-action?tab=readme-ov-file#usage) - -- :material-robot: __commit-check-mcp__ - - --- - - **MCP Server** that exposes commit-check validations as structured tools - for AI coding agents like Claude Code, Cursor, and Copilot. - - - Latest release: **v0.1.7** - - Highlights: AI attribution governance sync, message pattern support, - push safety validation, MCP Registry published - - Works as: MCP server in your AI agent's config - - [:octicons-arrow-right-24: GitHub](https://github.com/commit-check/commit-check-mcp) - [:octicons-arrow-right-24: MCP Registry](https://registry.mcpx.dev) - -
- -## How they fit together +The commit-check ecosystem is built on a simple architecture: **one policy engine, +multiple enforcement surfaces.** Write your `cchk.toml` once — every surface +reads the same file. ```mermaid -graph LR - A[commit-check
Python Core] --> B[commit-check-action
GitHub Action] - A --> C[commit-check-mcp
MCP Server] - B --> D[CI Pipeline] - C --> E[AI Coding Agent] +graph TB + subgraph Policy["📄 cchk.toml"] + direction LR + Config[One policy file] + end + + subgraph Engine["⚙️ commit-check
(Python core)"] + direction LR + CLI[CLI & pre-commit] + API[Python API] + end + + subgraph Surfaces["🚀 Enforcement surfaces"] + Action[commit-check-action
GitHub Action] + MCP[commit-check-mcp
MCP Server] + end + + Config --> Engine + CLI --> Action + API --> MCP + Action --> CI[CI Pipeline] + MCP --> Agent[AI Coding Agent] ``` -The same `cchk.toml` policy file drives **all three** — write it once, enforce -it everywhere. - -## Release history - -| Project | Latest | Recent updates | -|---------|--------|----------------| -| commit-check | v2.11.0 | AI attribution governance, message patterns, JSON output | -| commit-check-action | v2.10.0 | Windows runner, PR title validation | -| commit-check-mcp | v0.1.7 | AI attribution sync, message patterns, MCP Registry | - -## Quick links - -| What do you need? | Use this | -|-------------------|----------| -| Validate commits in CI | [commit-check-action](https://github.com/commit-check/commit-check-action) | -| Validate commits locally | [commit-check CLI](https://github.com/commit-check/commit-check) | -| Validate commits via pre-commit | [commit-check hooks](https://commit-check.github.io/commit-check/example.html#running-as-pre-commit-hook) | -| Let AI agents auto-comply | [commit-check-mcp](https://github.com/commit-check/commit-check-mcp) | -| Configure policy once | [`cchk.toml` reference](https://commit-check.github.io/commit-check/configuration.html) | +| Surface | What it does | Get started | +|---------|-------------|-------------| +| **commit-check** | CLI tool, pre-commit hooks, and Python library. The core engine that runs all validations. | [`commit-check/commit-check`](https://github.com/commit-check/commit-check) | +| **commit-check-action** | GitHub Action wrapping the core engine. Posts results as check runs, job summaries, and PR comments. | [`commit-check/commit-check-action`](https://github.com/commit-check/commit-check-action) | +| **commit-check-mcp** | MCP server that exposes validations as structured tools for AI coding agents (Claude Code, Cursor, Copilot, etc.). | [`commit-check/commit-check-mcp`](https://github.com/commit-check/commit-check-mcp) | From ecaf88e5124faf3dbb64ba55826f08d0d62e6ecd Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Mon, 6 Jul 2026 23:35:34 +0300 Subject: [PATCH 3/5] chore: replace mermaid chart with markdown cards for compatibility --- docs/projects.md | 55 +++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 24 deletions(-) diff --git a/docs/projects.md b/docs/projects.md index 8226890..251904d 100644 --- a/docs/projects.md +++ b/docs/projects.md @@ -9,30 +9,37 @@ The commit-check ecosystem is built on a simple architecture: **one policy engin multiple enforcement surfaces.** Write your `cchk.toml` once — every surface reads the same file. -```mermaid -graph TB - subgraph Policy["📄 cchk.toml"] - direction LR - Config[One policy file] - end - - subgraph Engine["⚙️ commit-check
(Python core)"] - direction LR - CLI[CLI & pre-commit] - API[Python API] - end - - subgraph Surfaces["🚀 Enforcement surfaces"] - Action[commit-check-action
GitHub Action] - MCP[commit-check-mcp
MCP Server] - end - - Config --> Engine - CLI --> Action - API --> MCP - Action --> CI[CI Pipeline] - MCP --> Agent[AI Coding Agent] -``` +
+ +- :material-file-document-outline: **One policy: `cchk.toml`** + + --- + + Write your rules once, enforce everywhere. + + ↓ + +- :fontawesome-brands-python: **commit-check** (core engine) + + --- + + CLI · pre-commit · Python API + + ↓ + +- :material-github: **commit-check-action** + + --- + + GitHub Action → CI Pipeline + +- :material-robot: **commit-check-mcp** + + --- + + MCP Server → AI Coding Agent + +
| Surface | What it does | Get started | |---------|-------------|-------------| From 0bb98054c1f0d8e2093ecead30bb0918919152d1 Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Mon, 6 Jul 2026 23:37:45 +0300 Subject: [PATCH 4/5] chore: enable Mermaid diagrams via material theme config --- docs/projects.md | 55 +++++++++++++++++++++--------------------------- mkdocs.yml | 6 +++++- 2 files changed, 29 insertions(+), 32 deletions(-) diff --git a/docs/projects.md b/docs/projects.md index 251904d..8226890 100644 --- a/docs/projects.md +++ b/docs/projects.md @@ -9,37 +9,30 @@ The commit-check ecosystem is built on a simple architecture: **one policy engin multiple enforcement surfaces.** Write your `cchk.toml` once — every surface reads the same file. -
- -- :material-file-document-outline: **One policy: `cchk.toml`** - - --- - - Write your rules once, enforce everywhere. - - ↓ - -- :fontawesome-brands-python: **commit-check** (core engine) - - --- - - CLI · pre-commit · Python API - - ↓ - -- :material-github: **commit-check-action** - - --- - - GitHub Action → CI Pipeline - -- :material-robot: **commit-check-mcp** - - --- - - MCP Server → AI Coding Agent - -
+```mermaid +graph TB + subgraph Policy["📄 cchk.toml"] + direction LR + Config[One policy file] + end + + subgraph Engine["⚙️ commit-check
(Python core)"] + direction LR + CLI[CLI & pre-commit] + API[Python API] + end + + subgraph Surfaces["🚀 Enforcement surfaces"] + Action[commit-check-action
GitHub Action] + MCP[commit-check-mcp
MCP Server] + end + + Config --> Engine + CLI --> Action + API --> MCP + Action --> CI[CI Pipeline] + MCP --> Agent[AI Coding Agent] +``` | Surface | What it does | Get started | |---------|-------------|-------------| diff --git a/mkdocs.yml b/mkdocs.yml index 1eedaac..62af7d7 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -56,7 +56,11 @@ theme: markdown_extensions: - - pymdownx.superfences + - pymdownx.superfences: + custom_fences: + - name: mermaid + class: mermaid + format: !!python/name:pymdownx.superfences.fence_code_format - attr_list - md_in_html - pymdownx.tabbed: From 716c7ad8fab3d5d45ed1753393fc0176f9893124 Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Mon, 6 Jul 2026 23:47:18 +0300 Subject: [PATCH 5/5] chore: address blog review - soften claims, add limitations, fix semantics --- docs/blog/posts/ai-attribution-governance.md | 56 +++++++++++++------- 1 file changed, 38 insertions(+), 18 deletions(-) diff --git a/docs/blog/posts/ai-attribution-governance.md b/docs/blog/posts/ai-attribution-governance.md index 57d2c1e..503d7c4 100644 --- a/docs/blog/posts/ai-attribution-governance.md +++ b/docs/blog/posts/ai-attribution-governance.md @@ -25,8 +25,10 @@ But until now, there has been **no tool at the CI level** to enforce whatever policy a project chooses. Commit Check v2.11.0 introduces **AI Attribution Governance** — a -first-of-its-kind feature that detects known AI tool signatures in commit +new feature that detects known AI tool signatures in commit messages and lets projects decide whether to forbid them outright. +To our knowledge, no existing tool enforces this kind of policy at the CI +level. @@ -34,12 +36,13 @@ messages and lets projects decide whether to forbid them outright. The conversation around AI disclosure is no longer theoretical: -- The **Linux kernel** standardized on the `Assisted-by:` trailer format +- The **Linux kernel** standardized on the `Assisted-by:` trailer format — but deliberately stopped short of CI enforcement. As Sasha Levin noted at the Maintainers Summit, the kernel sets the convention, not the gate. - The **Python community** [is actively discussing](https://discuss.python.org/t/should-claude-codes-usage-be-described-in-the-code-docs-somewhere/107969) whether Claude Code usage should be documented - **VS Code** [issue #313962](https://github.com/microsoft/vscode/issues/313962) proposes replacing `Co-authored-by` with `Assisted-by` for AI agents -- **Fedora, Apache, OpenTelemetry, Rocky Linux, QEMU, Gentoo** each have different AI contribution policies +- **Fedora** requires AI disclosure (recommends the `Assisted-by` trailer). **QEMU** and **Gentoo** go further and **forbid** AI-generated contributions entirely. -But nobody had built a neutral enforcement layer that works in CI — until now. +Each community defines its own policy — but none provides a neutral +enforcement layer. That is the gap Commit Check fills. ## Configuration: a single toggle @@ -71,9 +74,12 @@ Two modes: | `"ignore"` | No validation (default, backward compatible) | | `"forbid"` | Rejects any commit containing known AI tool signatures | -There is no `require` mode or `ai_trailer_style` option — the signature -database recognizes all known formats automatically, and the policy is simply -whether you allow them or not. +There is no `require` mode in this release — only `ignore` and `forbid`. The +reason is pragmatic: requiring a `Assisted-by` or similar trailer is a +substantially harder problem (validating semantics, not just pattern-matching), +and the most immediate demand from projects is the ability to say **no**. The +kernel and Fedora communities that want `require` are on the roadmap (see +[What's next](#whats-next)). ## Detected AI tool signatures @@ -100,10 +106,10 @@ A `Co-authored-by: Claude` could theoretically be a human named Claude — but in practice, AI tools use known noreply email addresses. Commit Check anchors its detection to these, so: -✅ `Co-authored-by: Claude ` — flagged -✅ `Assisted-by: Claude:claude-sonnet-4-20250514 [tools]` — flagged -❌ `Co-authored-by: Claude Monet ` — **not flagged** -❌ `Co-authored-by: Jane Doe ` — **not flagged** +🚫 `Co-authored-by: Claude ` — **detected** +🚫 `Assisted-by: Claude:claude-sonnet-4-20250514 [tools]` — **detected** +✅ `Co-authored-by: Claude Monet ` — **ignored** +✅ `Co-authored-by: Jane Doe ` — **ignored** The kernel-style `Assisted-by:` format also handles optional trailing tool lists correctly: @@ -142,7 +148,7 @@ Co-authored-by: Jane Doe " | commit-check -m ## Integration across the ecosystem -The feature is available across every surface of Commit Check: +The feature is available across nearly every surface of Commit Check: - **CLI**: `--ai-attribution=forbid` - **TOML config**: `[commit] ai_attribution = "forbid"` @@ -150,16 +156,32 @@ The feature is available across every surface of Commit Check: - **Python API**: `validate_message()` returns AI attribution results - **`--format json`**: AI check status included in structured output - **MCP Server** ([commit-check-mcp](https://github.com/commit-check/commit-check-mcp)): synced in v0.1.7 -- **GitHub Action** ([commit-check-action](https://github.com/commit-check/commit-check-action)): available once the underlying dependency is updated +- **GitHub Action** ([commit-check-action](https://github.com/commit-check/commit-check-action)): coming in the next release + +## Scope and limitations + +AI Attribution Governance detects the **default behavior** of AI coding tools +— the trailers, markers, and metadata they add automatically. It is not +designed to catch intentional circumvention. If a developer manually removes +the AI signature before committing, this feature will not flag it. + +This is the same trust boundary that every linter operates within: +`--no-verify` bypasses pre-commit hooks, and a determined author can always +rewrite history. The goal is to **set a visible, enforceable policy** for the +standard case — making AI disclosure the path of least resistance — and leave +intentional evasion to code review and engineering culture. ## What's next AI attribution governance in v2.11.0 is the foundation. Future work includes: -1. **PR summaries** — show AI disclosure status per commit in pull requests -2. **MCP improvements** — AI agents query `describe_validation_rules` to +1. **`require` mode** — reject commits that are missing an `Assisted-by` + trailer, serving projects like the Linux kernel and Fedora that mandate + disclosure +2. **PR summaries** — show AI disclosure status per commit in pull requests +3. **MCP improvements** — AI agents query `describe_validation_rules` to auto-comply before writing a commit -3. **Richer JSON metadata** — structured AI signature data for SBOM and audit +4. **Richer JSON metadata** — structured AI signature data for SBOM and audit tooling ## Try it today @@ -178,6 +200,4 @@ ai_attribution = "forbid" And let CI enforce your AI disclosure policy — automatically, on every commit. ---- -*Clean commits. Clear standards. Transparent AI contributions.*