Skip to content

Commit 760a762

Browse files
authored
chore: add AI attribution governance blog post and projects page (#11)
## Summary Updates the website to reflect the latest ecosystem updates across the commit-check organization. ### Changes 1. **New blog post** — `AI Attribution Governance: Enforcing AI Disclosure Policies at the CI Level` - Covers commit-check v2.11.0's new AI attribution governance feature - Industry background (Linux kernel, Python discourse, etc.) - Configuration guide, signature database, false-positive prevention - Ecosystem integration status 2. **New Projects page** (`docs/projects.md`) - Clear overview of all three repos (commit-check, commit-check-action, commit-check-mcp) - Latest versions and feature highlights - Quick-reference table for what to use when 3. **Home page improvement** (`docs/index.md`) - Added Ecosystem module with project cards and version badges - Links to new Projects page 4. **Navigation** (`mkdocs.yml`) - Added Projects tab to the top nav bar ### Preview Build passes with `mkdocs build --strict`. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a new Projects page and navigation entry to showcase the Commit Check ecosystem. * Expanded the site with an ecosystem overview linking the core product, GitHub Action, and MCP server. * **Documentation** * Published a new blog post about AI attribution governance, including policy settings, enforcement behavior, examples, and setup guidance. * Added project cards, release highlights, and quick links to help users find the right tool and docs faster. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
1 parent 932f8b0 commit 760a762

4 files changed

Lines changed: 292 additions & 1 deletion

File tree

Lines changed: 203 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,203 @@
1+
---
2+
date:
3+
created: 2026-07-06
4+
readtime: 7
5+
categories:
6+
- UPDATES
7+
tags:
8+
- commit-check
9+
- ai
10+
- governance
11+
- compliance
12+
authors:
13+
- shenxianpeng
14+
---
15+
16+
# AI Attribution Governance: Enforcing AI Disclosure Policies at the CI Level
17+
18+
The open-source ecosystem is converging on a hard question: **when a commit is
19+
written with AI assistance, how do we know — and how do we enforce the
20+
disclosure policy?**
21+
22+
Python's discourse, Linux kernel's `Assisted-by` trailer, Fedora's AI policy,
23+
Apache's disclosure guidelines — every major project is grappling with this.
24+
But until now, there has been **no tool at the CI level** to enforce whatever
25+
policy a project chooses.
26+
27+
Commit Check v2.11.0 introduces **AI Attribution Governance** — a
28+
new feature that detects known AI tool signatures in commit
29+
messages and lets projects decide whether to forbid them outright.
30+
To our knowledge, no existing tool enforces this kind of policy at the CI
31+
level.
32+
33+
<!-- more -->
34+
35+
## The industry need
36+
37+
The conversation around AI disclosure is no longer theoretical:
38+
39+
- The **Linux kernel** standardized on the `Assisted-by:` trailer format — but deliberately stopped short of CI enforcement. As Sasha Levin noted at the Maintainers Summit, the kernel sets the convention, not the gate.
40+
- The **Python community** [is actively discussing](https://discuss.python.org/t/should-claude-codes-usage-be-described-in-the-code-docs-somewhere/107969) whether Claude Code usage should be documented
41+
- **VS Code** [issue #313962](https://github.com/microsoft/vscode/issues/313962) proposes replacing `Co-authored-by` with `Assisted-by` for AI agents
42+
- **Fedora** requires AI disclosure (recommends the `Assisted-by` trailer). **QEMU** and **Gentoo** go further and **forbid** AI-generated contributions entirely.
43+
44+
Each community defines its own policy — but none provides a neutral
45+
enforcement layer. That is the gap Commit Check fills.
46+
47+
## Configuration: a single toggle
48+
49+
Commit Check keeps it simple. One configuration value, three ways to set it:
50+
51+
=== "TOML (cchk.toml)"
52+
53+
```toml
54+
[commit]
55+
ai_attribution = "forbid"
56+
```
57+
58+
=== "CLI"
59+
60+
```bash
61+
commit-check --message --ai-attribution=forbid
62+
```
63+
64+
=== "Environment Variable"
65+
66+
```bash
67+
CCHK_AI_ATTRIBUTION=forbid commit-check --message
68+
```
69+
70+
Two modes:
71+
72+
| Mode | Behavior |
73+
|------|----------|
74+
| `"ignore"` | No validation (default, backward compatible) |
75+
| `"forbid"` | Rejects any commit containing known AI tool signatures |
76+
77+
There is no `require` mode in this release — only `ignore` and `forbid`. The
78+
reason is pragmatic: requiring a `Assisted-by` or similar trailer is a
79+
substantially harder problem (validating semantics, not just pattern-matching),
80+
and the most immediate demand from projects is the ability to say **no**. The
81+
kernel and Fedora communities that want `require` are on the roadmap (see
82+
[What's next](#whats-next)).
83+
84+
## Detected AI tool signatures
85+
86+
Commit Check ships with a curated database of known AI tool markers. The
87+
detection covers multiple signature formats per tool — `Co-authored-by`,
88+
`Assisted-by`, body markers, and model names:
89+
90+
| AI Tool | What gets detected |
91+
|---------|-------------------|
92+
| **Claude Code** | `Co-authored-by: Claude`, `Assisted-by: Claude:<model>`, emoji markers, `Claude-Session:`, `Claude-Workflow:` |
93+
| **GitHub Copilot** | `Co-authored-by: Copilot` |
94+
| **OpenAI Codex** | `Co-authored-by: Codex` |
95+
| **Gemini** | `Co-authored-by: Gemini` |
96+
| **Cursor** | `Co-authored-by: Cursor` |
97+
| **Devin** | `Co-authored-by: Devin` |
98+
| **Aider** | `Co-authored-by: Aider`, `Co-authored-by: ... (aider)` |
99+
| **Windsurf** | `Co-authored-by: Windsurf` |
100+
| **Tabby** | `Co-authored-by: Tabby` |
101+
| **Generic AI** | `Assisted-by: <tool>:<model> [tools]`, model names like `claude-sonnet-4`, `gpt-4-turbo` |
102+
103+
## Built-in false positive prevention
104+
105+
A `Co-authored-by: Claude` could theoretically be a human named Claude — but
106+
in practice, AI tools use known noreply email addresses. Commit Check anchors
107+
its detection to these, so:
108+
109+
🚫 `Co-authored-by: Claude <noreply@anthropic.com>`**detected**
110+
🚫 `Assisted-by: Claude:claude-sonnet-4-20250514 [tools]`**detected**
111+
`Co-authored-by: Claude Monet <monet@impressionism.fr>`**ignored**
112+
`Co-authored-by: Jane Doe <jane@example.com>`**ignored**
113+
114+
The kernel-style `Assisted-by:` format also handles optional trailing tool
115+
lists correctly:
116+
117+
```text
118+
Assisted-by: Claude:claude-sonnet-4-20250514 coccinelle sparse
119+
```
120+
121+
Only the AI tool marker is matched — the tool list is preserved as-is.
122+
123+
## See it in action
124+
125+
With a config file containing `ai_attribution = "forbid"`:
126+
127+
```bash
128+
# This commit message would be REJECTED
129+
echo "fix: resolve race condition
130+
131+
Co-authored-by: Claude <noreply@anthropic.com>" | commit-check -m
132+
```
133+
134+
```text
135+
[FAIL] ai-attribution: Commit message contains known AI tool signature: Claude
136+
```
137+
138+
```bash
139+
# This commit message passes cleanly
140+
echo "fix: resolve race condition
141+
142+
Co-authored-by: Jane Doe <jane@example.com>" | commit-check -m
143+
```
144+
145+
```text
146+
[PASS] commit message is valid
147+
```
148+
149+
## Integration across the ecosystem
150+
151+
The feature is available across nearly every surface of Commit Check:
152+
153+
- **CLI**: `--ai-attribution=forbid`
154+
- **TOML config**: `[commit] ai_attribution = "forbid"`
155+
- **Environment variables**: `CCHK_AI_ATTRIBUTION=forbid`
156+
- **Python API**: `validate_message()` returns AI attribution results
157+
- **`--format json`**: AI check status included in structured output
158+
- **MCP Server** ([commit-check-mcp](https://github.com/commit-check/commit-check-mcp)): synced in v0.1.7
159+
- **GitHub Action** ([commit-check-action](https://github.com/commit-check/commit-check-action)): coming in the next release
160+
161+
## Scope and limitations
162+
163+
AI Attribution Governance detects the **default behavior** of AI coding tools
164+
— the trailers, markers, and metadata they add automatically. It is not
165+
designed to catch intentional circumvention. If a developer manually removes
166+
the AI signature before committing, this feature will not flag it.
167+
168+
This is the same trust boundary that every linter operates within:
169+
`--no-verify` bypasses pre-commit hooks, and a determined author can always
170+
rewrite history. The goal is to **set a visible, enforceable policy** for the
171+
standard case — making AI disclosure the path of least resistance — and leave
172+
intentional evasion to code review and engineering culture.
173+
174+
## What's next
175+
176+
AI attribution governance in v2.11.0 is the foundation. Future work includes:
177+
178+
1. **`require` mode** — reject commits that are missing an `Assisted-by`
179+
trailer, serving projects like the Linux kernel and Fedora that mandate
180+
disclosure
181+
2. **PR summaries** — show AI disclosure status per commit in pull requests
182+
3. **MCP improvements** — AI agents query `describe_validation_rules` to
183+
auto-comply before writing a commit
184+
4. **Richer JSON metadata** — structured AI signature data for SBOM and audit
185+
tooling
186+
187+
## Try it today
188+
189+
```bash
190+
pip install commit-check==2.11.0
191+
echo "feat: add streaming support" | commit-check -m --ai-attribution=forbid
192+
```
193+
194+
Or add it to your `cchk.toml`:
195+
196+
```toml
197+
[commit]
198+
ai_attribution = "forbid"
199+
```
200+
201+
And let CI enforce your AI disclosure policy — automatically, on every commit.
202+
203+

docs/index.md

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,48 @@ title: Commit Check
136136

137137
</div>
138138

139+
## Ecosystem
140+
141+
Commit Check is a family of three projects — one engine, multiple surfaces.
142+
Write your policy **once** in a `cchk.toml`, enforce it **everywhere**.
143+
144+
<div class="grid cards" markdown>
145+
146+
- :fontawesome-brands-python: __commit-check__ `v2.11.0`
147+
148+
---
149+
150+
**Core engine** — Python CLI, library & pre-commit hooks.
151+
152+
:material-star: AI attribution governance, message patterns, JSON output
153+
154+
[:octicons-arrow-right-24: Repo](https://github.com/commit-check/commit-check)
155+
[:octicons-arrow-right-24: Docs](https://commit-check.github.io/commit-check/)
156+
157+
- :material-github: __commit-check-action__ `v2.10.0`
158+
159+
---
160+
161+
**GitHub Action** — seamless CI integration with PR comments.
162+
163+
:material-star: Windows runner, PR title validation
164+
165+
[:octicons-arrow-right-24: Repo](https://github.com/commit-check/commit-check-action)
166+
167+
- :material-robot: __commit-check-mcp__ `v0.1.7`
168+
169+
---
170+
171+
**MCP Server** — structured tools for AI coding agents.
172+
173+
:material-star: AI attribution governance, message patterns
174+
175+
[:octicons-arrow-right-24: Repo](https://github.com/commit-check/commit-check-mcp)
176+
177+
</div>
178+
179+
[See all projects →](projects.md){ .md-button }
180+
139181
## Quick Start
140182

141183
=== "GitHub Actions"

docs/projects.md

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
---
2+
hide:
3+
- toc
4+
---
5+
6+
# Projects
7+
8+
The commit-check ecosystem is built on a simple architecture: **one policy engine,
9+
multiple enforcement surfaces.** Write your `cchk.toml` once — every surface
10+
reads the same file.
11+
12+
```mermaid
13+
graph TB
14+
subgraph Policy["📄 cchk.toml"]
15+
direction LR
16+
Config[One policy file]
17+
end
18+
19+
subgraph Engine["⚙️ commit-check<br/>(Python core)"]
20+
direction LR
21+
CLI[CLI & pre-commit]
22+
API[Python API]
23+
end
24+
25+
subgraph Surfaces["🚀 Enforcement surfaces"]
26+
Action[commit-check-action<br/>GitHub Action]
27+
MCP[commit-check-mcp<br/>MCP Server]
28+
end
29+
30+
Config --> Engine
31+
CLI --> Action
32+
API --> MCP
33+
Action --> CI[CI Pipeline]
34+
MCP --> Agent[AI Coding Agent]
35+
```
36+
37+
| Surface | What it does | Get started |
38+
|---------|-------------|-------------|
39+
| **commit-check** | CLI tool, pre-commit hooks, and Python library. The core engine that runs all validations. | [`commit-check/commit-check`](https://github.com/commit-check/commit-check) |
40+
| **commit-check-action** | GitHub Action wrapping the core engine. Posts results as check runs, job summaries, and PR comments. | [`commit-check/commit-check-action`](https://github.com/commit-check/commit-check-action) |
41+
| **commit-check-mcp** | MCP server that exposes validations as structured tools for AI coding agents (Claude Code, Cursor, Copilot, etc.). | [`commit-check/commit-check-mcp`](https://github.com/commit-check/commit-check-mcp) |

mkdocs.yml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ copyright: "© Copyright 2022 - 2026, shenxianpeng."
88
nav:
99
- Home: index.md
1010
- Getting Started: getting-started.md
11+
- Projects: projects.md
1112
- Blog:
1213
- blog/index.md
1314
# exclude_docs: |
@@ -55,7 +56,11 @@ theme:
5556

5657

5758
markdown_extensions:
58-
- pymdownx.superfences
59+
- pymdownx.superfences:
60+
custom_fences:
61+
- name: mermaid
62+
class: mermaid
63+
format: !!python/name:pymdownx.superfences.fence_code_format
5964
- attr_list
6065
- md_in_html
6166
- pymdownx.tabbed:

0 commit comments

Comments
 (0)