From 27ad506ccac07e37b8762915a77df3b37bc7c2a3 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 27 Apr 2026 22:08:13 +0200 Subject: [PATCH 1/4] docs: add AI contribution policy Establishes guidelines for AI-assisted contributions including accountability standards, disclosure requirements, and review expectations. Signed-off-by: Miguel Martinez Trivino --- AI_POLICY.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 AI_POLICY.md diff --git a/AI_POLICY.md b/AI_POLICY.md new file mode 100644 index 000000000..0658f1417 --- /dev/null +++ b/AI_POLICY.md 
@@ -0,0 +1,38 @@ +# AI Contribution Policy for Chainloop + +The Chainloop project welcomes AI tools as productivity aids while maintaining +strict accountability standards. + +## Core Principle + +**The human contributor is always accountable for every line submitted.** +Contributors must be able to explain all changes; attribution to AI is +insufficient. + +## Essential Guidelines + +- **Ownership & Understanding:** You must comprehend every modification you + submit. AI-generated code requires full comprehension before contribution. +- **Design First:** Substantial changes need a prior GitHub Issue with clear + reasoning. Ad-hoc pull requests violating established patterns will be + rejected. +- **Testing Mandatory:** Bug fixes require regression tests; new features need + unit and integration tests. Ineffective test code will be rejected. +- **Legal Requirements:** Ensure no unlicensed copyrighted material exists and + that AI tool terms don't conflict with Apache 2.0 licensing. + +## Disclosure Requirements + +Document AI assistance in pull request descriptions using commit trailers like: + +- `Assisted-by: GitHub Copilot` +- `Assisted-by: Claude Code` + +Transparency maintains project integrity and helps reviewers appropriately +calibrate their focus. + +## Review Engagement + +Respond personally to feedback rather than resubmitting AI-refined responses. +Maintainers will close PRs showing patterns of disengaged AI-driven revisions +without detailed explanation. From e342160489382dde45542f9431117a21a4819111 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 27 Apr 2026 22:09:24 +0200 Subject: [PATCH 2/4] docs: align AI policy closer to go-git reference Add introductory sentence and closing acknowledgement paragraph to match the go-git AI_POLICY.md structure. Signed-off-by: Miguel Martinez Trivino --- AI_POLICY.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/AI_POLICY.md b/AI_POLICY.md index 0658f1417..88b6760f7 100644 
--- a/AI_POLICY.md +++ b/AI_POLICY.md @@ -1,7 +1,7 @@ # AI Contribution Policy for Chainloop The Chainloop project welcomes AI tools as productivity aids while maintaining -strict accountability standards. +strict accountability standards. Here are the key requirements: ## Core Principle @@ -36,3 +36,8 @@ calibrate their focus. Respond personally to feedback rather than resubmitting AI-refined responses. Maintainers will close PRs showing patterns of disengaged AI-driven revisions without detailed explanation. + +--- + +This balanced approach encourages AI adoption while prioritizing code quality +and human accountability. From 5e5e4054fc3a0d8016a14e75462930e2f2ec919f Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 27 Apr 2026 22:09:55 +0200 Subject: [PATCH 3/4] docs: rewrite AI policy to closely follow go-git structure Adapt the go-git AI_POLICY.md for Chainloop, replacing RFC requirement with GitHub Issue, and adding acknowledgements. Signed-off-by: Miguel Martinez Trivino --- AI_POLICY.md | 99 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 69 insertions(+), 30 deletions(-) diff --git a/AI_POLICY.md b/AI_POLICY.md index 88b6760f7..395ee51fe 100644 --- a/AI_POLICY.md +++ b/AI_POLICY.md 
@@ -1,43 +1,82 @@ -# AI Contribution Policy for Chainloop +# AI Contribution Policy -The Chainloop project welcomes AI tools as productivity aids while maintaining -strict accountability standards. Here are the key requirements: +Chainloop is an open-source evidence store for Software Supply Chain +attestations, SBOMs, VEX, SARIF, and other compliance artifacts. Correctness, +security, and long-term maintainability are non-negotiable properties of the +project. -## Core Principle +This policy sets clear expectations for AI-assisted contributions. It is not +an anti-AI stance — maintainers and contributors alike use AI tools in their +daily workflows, and we encourage you to do the same. AI can accelerate +learning, improve documentation, generate test scaffolding, and help explore +design alternatives. We welcome contributors who use AI as a productivity +amplifier, not as a substitute for understanding. -**The human contributor is always accountable for every line submitted.** -Contributors must be able to explain all changes; attribution to AI is -insufficient. +**AI tools are welcome in the Chainloop contributor workflow. The human +contributor is always accountable for every line submitted.** -## Essential Guidelines +## Contribution Guidelines -- **Ownership & Understanding:** You must comprehend every modification you - submit. AI-generated code requires full comprehension before contribution. -- **Design First:** Substantial changes need a prior GitHub Issue with clear - reasoning. Ad-hoc pull requests violating established patterns will be - rejected. -- **Testing Mandatory:** Bug fixes require regression tests; new features need - unit and integration tests. Ineffective test code will be rejected. -- **Legal Requirements:** Ensure no unlicensed copyrighted material exists and - that AI tool terms don't conflict with Apache 2.0 licensing. 
+The following rules apply to all contributions, regardless of how they were +produced: -## Disclosure Requirements +- **Own your changes.** You must be able to explain every change you submit. + "The AI generated it" is never an acceptable answer during review. +- **Design before coding.** For non-trivial changes, open a GitHub Issue with + clear reasoning before a PR. PRs that ignore established patterns will be + closed. +- **Quality over quantity.** One well-understood, well-tested PR is worth more + than many AI-assisted drive-by fixes. A flood of low-effort PRs exhausts + maintainer attention and delays everyone in the queue. +- **Tests are required.** Bug fixes need regression tests; new features need + unit and integration tests. AI-generated tests that do not actually exercise + the relevant behaviour will be rejected. +- **Legal compliance.** Chainloop is [Apache 2.0 licensed](LICENSE). + Contributions must ensure: + - No third-party copyrighted material has been reproduced without a compatible + open source license and proper attribution. + - When AI tools are used, their terms do not impose restrictions incompatible + with Apache 2.0. -Document AI assistance in pull request descriptions using commit trailers like: +## Disclosure -- `Assisted-by: GitHub Copilot` -- `Assisted-by: Claude Code` +If AI assisted in producing any part of your contribution, disclose it in the +PR description. Add an `Assisted-by:` trailer to each affected commit: -Transparency maintains project integrity and helps reviewers appropriately -calibrate their focus. +``` +Assisted-by: GitHub Copilot +Assisted-by: Claude Code +Assisted-by: ChatGPT o3 +``` -## Review Engagement +Disclosure is not a penalty — it is trust infrastructure. It preserves +transparency, helps reviewers calibrate their attention, and keeps provenance +clear for the project's long-term health. -Respond personally to feedback rather than resubmitting AI-refined responses. 
-Maintainers will close PRs showing patterns of disengaged AI-driven revisions -without detailed explanation. +## Engaging With Maintainers ---- +- **Respond personally.** Do not pipe review feedback back into an AI and + apply the output blindly. Responses during review must reflect genuine + understanding of the code and the project's design goals. +- **No AI ping-pong.** If maintainers observe a pattern of AI-driven responses + without real engagement, the PR will be closed without further explanation. +- Maintainers reserve the right to close any low-effort AI contribution without + a detailed technical critique. -This balanced approach encourages AI adoption while prioritizing code quality -and human accountability. +## Maintainer Use of AI + +Maintainers also use AI tools: for reviewing changes, exploring implementation +options, and improving documentation. The same disclosure and ownership +expectations apply to maintainer-authored commits. + +## Acknowledgements + +This policy is inspired by the +[go-git AI Policy](https://github.com/go-git/go-git/blob/main/AI_POLICY.md), +the [Kubewarden AI Policy](https://github.com/kubewarden/community/blob/main/AI_POLICY.md), +the [CloudNativePG AI Policy](https://github.com/cloudnative-pg/governance/blob/main/AI_POLICY.md), +and the [Kyverno AI Usage Policy](https://github.com/kyverno/kyverno/blob/main/AI_POLICY.md). +It aligns with the Linux Foundation's +[Generative AI guidance](https://www.linuxfoundation.org/legal/generative-ai) +and the CNCF community's evolving norms on sustainable AI-assisted open source +development. From b240595bf19b85492d00ae2644fa9cd86133f48f Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 27 Apr 2026 22:13:53 +0200 Subject: [PATCH 4/4] docs: add AI disclosure requirements to CLAUDE.md Replace co-author signoff prohibition with Assisted-by trailer requirement, aligning with the new AI_POLICY.md. 
Signed-off-by: Miguel Martinez Trivino --- CLAUDE.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 6454f0dea..4d60f14b9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -256,8 +256,21 @@ All commits must meet these criteria: - **Example**: `git commit -S -s -m "feat: add new material type"` Code reviews are required for all submissions via GitHub pull requests. + +### AI Disclosure + +If AI assisted in producing any part of a contribution, disclose it in the PR description. Add an `Assisted-by:` trailer to each affected commit: + +``` +Assisted-by: GitHub Copilot +Assisted-by: Claude Code +Assisted-by: ChatGPT o3 +``` + +See [AI_POLICY.md](AI_POLICY.md) for the full AI contribution policy. + - make sure golang code is always formatted and golang-ci-lint is run -- I do not want you to be in the co-author signoff +- do not add co-author signoff lines — use `Assisted-by:` trailers for AI disclosure instead - when the schema is changed, run make generate, do not create a migration explicitly - If you are writing go code, adhere to best practices such as the ones in effective-go, or others. This could include, error handling patterns, interface design, package organization, concurrency patterns, etc. - When writing tests, use table-driven tests whenever possible 
@@ -271,7 +284,7 @@ Code reviews are required for all submissions via GitHub pull requests. - if you add any new dependency to a constructor, remember to run wire ./... - when creating PR message, keep it high-level, what functionality was added, don't add info about testing, no icons, no info about how the message was generated. - app/controlplane/api/gen/frontend/google/protobuf/descriptor.ts is a special case that we don't want to upgrade, so if it upgrades, put it back to main -- when creating a commit or PR message, NEVER add co-authored by or generated by Claude code +- when creating a commit or PR message, NEVER add co-authored-by lines — use `Assisted-by:` trailers for AI disclosure instead - any call to authorization Enforce done from the biz or svc layer must be done using biz.AuthzUseCase - if you modify a schema, remember to run `make migration_sync` - after changing Helm chart source code (`deployment/chainloop/`), bump the **patch** version (not minor, not major) in the chart's `Chart.yaml`
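Review bot: On PATCH 1/4 (the `@@ -0,0 +1,38 @@` hunk creating AI_POLICY.md): this version and the PATCH 2/4 touch-ups are entirely superseded by PATCH 3/4, whose `@@ -1,43 +1,82 @@` hunk replaces the file from the title line down. Squash 1/4, 2/4 and 3/4 into a single `docs: add AI contribution policy` commit so the history records only the text that was actually reviewed and `git blame` on AI_POLICY.md never points at wording that was never in effect. The same hunk also says to document AI assistance "in pull request descriptions using commit trailers", which conflates two different places; 3/4 already separates the PR-description disclosure from the per-commit trailer, which is another reason to ship only that version.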
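Review bot: On PATCH 3/4 (the `@@ -1,43 +1,82 @@` hunk, Disclosure section): the fenced example lists `Assisted-by:` values but not how to add them, and git only recognises a line as a trailer when it sits in the final paragraph of the message, contiguous with `Signed-off-by:` and with no blank line between them; a trailer pasted into the middle of the body is just text and will not show up in `git interpret-trailers --parse`. Since commits in this repo are made with `git commit -S -s`, suggest adding the command next to the examples, e.g. `git commit -S -s --trailer "Assisted-by=Claude Code"`, which places the trailer in the same block as the DCO sign-off. Worth also stating whether the project intends to check the trailer in CI the way DCO is checked; for an evidence-store project whose whole purpose is provenance, a disclosure that is only prose is easy to forget, and a one-line commit-message check turns "Disclosure ... is trust infrastructure" into something enforced. Minor style point in the same hunk: the third bullet under "Engaging With Maintainers" ("Maintainers reserve the right ...") lacks the bold lead-in the other two bullets use, and `[Apache 2.0 licensed](LICENSE)` is a relative link, so confirm a `LICENSE` file exists at the repository root.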
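Review bot: On PATCH 4/4, first hunk (`@@ -256,8 +256,21 @@` in CLAUDE.md): the new `### AI Disclosure` subsection is inserted between the sentence "Code reviews are required for all submissions via GitHub pull requests." and the bullet list that follows it, so every bullet from `- make sure golang code is always formatted ...` onward now renders under the "AI Disclosure" heading instead of the commit-rules section it belonged to. Move the subsection to after the end of that bullet list, or express the disclosure rule as one more bullet in the list rather than a heading. While touching this hunk, the context line `git commit -S -s -m "feat: add new material type"` is the example an agent will copy; extending it with `--trailer "Assisted-by=<tool>"` would show the trailer in the exact spot where it is expected.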
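Review bot: On PATCH 4/4, second hunk (`@@ -271,7 +284,7 @@` in CLAUDE.md): the unchanged context line two above says PR messages must carry "no info about how the message was generated", and the changed line says to use `Assisted-by:` trailers instead of co-authored-by lines, but AI_POLICY.md from PATCH 3/4 requires AI assistance to be disclosed "in the PR description" as well as in the commit trailer. Read literally, an agent following CLAUDE.md will omit the PR-description disclosure the policy mandates. Clarify that the "how the message was generated" rule applies only to the PR message prose, and that AI assistance with the change itself must still be stated in the PR description. The instruction also now appears twice in CLAUDE.md (`- do not add co-author signoff lines ...` in the first hunk and this `NEVER add co-authored-by lines ...` line); keep one and point the other at the AI Disclosure subsection.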