A project trust management system. People must be vouched for before interacting with certain parts of a project (the exact parts are configurable to the project to enforce). People can also be explicitly denounced to block them from interacting with the project.
The implementation is generic and can be used by any project on any code forge, but we provide GitHub integration out of the box via GitHub actions and the CLI.
The vouch list is maintained in a single flat file using a minimal format that can be trivially parsed using standard POSIX tools and any programming language without external libraries.
Vouch lists can also form a web of trust. You can configure Vouch to read other project's lists of vouched or denounced users. This way, projects with shared values can share their trust decisions with each other and create a larger, more comprehensive web of trust across the ecosystem. Users already proven to be trustworthy in one project can automatically be assumed trustworthy in another project, and so on.
Warning
This is an experimental system in use by Ghostty. We'll continue to improve the system based on experience and feedback.
Open source has always worked on a system of trust and verify.
Historically, the effort required to understand a codebase, implement a change, and submit that change for review was high enough that it naturally filtered out many low quality contributions from unqualified people. For over 20 years of my life, this was enough for my projects as well as enough for most others.
Unfortunately, the landscape has changed particularly with the advent of AI tools that allow people to trivially create plausible-looking but extremely low-quality contributions with little to no true understanding. Contributors can no longer be trusted based on the minimal barrier to entry to simply submit a change.
But, open source still works on trust! And every project has a definite group of trusted individuals (maintainers) and a larger group of probably trusted individuals (active members of the community in any form). So, let's move to an explicit trust model where trusted individuals can vouch for others, and those vouched individuals can then contribute.
Who and how someone is vouched or denounced is left entirely up to the project integrating the system. Additionally, what consequences a vouched or denounced person has is also fully up to the project. Implement a policy that works for your project and community.
Integrating vouch into a GitHub project is easy with the provided GitHub Actions. By choosing which actions to use, you can fully control how users are vouched and what they can or can't do.
For an example, look at this repository! It fully integrates vouch.
Below is a list of the actions and a brief description of their function. See the linked README in the action directory for full usage details.
| Action | Trigger | Description |
|---|---|---|
| check-pr | pull_request_target |
Check if a PR author is vouched on open or reopen. Bots and collaborators with write access are automatically allowed. Optionally auto-close PRs from unvouched or denounced users. |
| manage-by-discussion | discussion_comment |
Let collaborators vouch, denounce, or unvouch users via discussion comments. Updates the vouched file and commits the change. |
| manage-by-issue | issue_comment |
Let collaborators vouch or denounce users via issue comments. Updates the vouched file and commits the change. |
The CLI is implemented as a Nushell module and only requires Nushell to run. There are no other external dependencies.
This is Nushell, so you can get help on any command:
use vouch *
help add
help check
help denounce
help gh-check-pr
help gh-manage-by-issueCheck a user's vouch status:
vouch check <username>Exit codes: 0 = vouched, 1 = denounced, 2 = unknown.
Add a user to the vouched list:
# Preview new file contents (default)
vouch add someuser
# Write the file in-place
vouch add someuser --writeDenounce a user:
# Preview new file contents (default)
vouch denounce badactor
# With a reason
vouch denounce badactor --reason "Submitted AI slop"
# Write the file in-place
vouch denounce badactor --writeRequires the GITHUB_TOKEN environment variable. If not set and gh
is available, the token from gh auth token is used.
Check if a PR author is vouched:
# Check PR author status (dry run)
vouch gh-check-pr 123 --repo owner/repo
# Auto-close unvouched PRs (dry run)
vouch gh-check-pr 123 --repo owner/repo --auto-close
# Actually close unvouched PRs
vouch gh-check-pr 123 --repo owner/repo --auto-close --dry-run=false
# Allow unvouched users, only block denounced
vouch gh-check-pr 123 --repo owner/repo --require-vouch=false --auto-closeOutputs status: skipped (bot/collaborator), vouched, allowed, or closed.
Manage contributor status via issue comments:
# Dry run (default)
vouch gh-manage-by-issue 123 456789 --repo owner/repo
# Actually perform the action
vouch gh-manage-by-issue 123 456789 --repo owner/repo --dry-run=falseResponds to comments from collaborators with write access:
vouch— vouches for the issue authorvouch @user— vouches for a specific uservouch <reason>— vouches for the issue author with a reasonvouch @user <reason>— vouches for a specific user with a reasondenounce— denounces the issue authordenounce @user— denounces a specific userdenounce <reason>— denounces the issue author with a reasondenounce @user <reason>— denounces a specific user with a reason
Keywords are customizable via --vouch-keyword and --denounce-keyword.
Outputs status: vouched, denounced, or unchanged.
The module also exports a lib submodule for scripting:
use vouch/lib.nu *
let records = open VOUCHED.td
$records | check-user "mitchellh" --default-platform github # "vouched", "denounced", or "unknown"
$records | add-user "newuser" # returns updated table
$records | denounce-user "badactor" "reason" # returns updated table
$records | remove-user "olduser" # returns updated tableThe vouch list is stored in a .td file. See
VOUCHED.example.td for an example. The file is
looked up at VOUCHED.td or .github/VOUCHED.td by default.
# Comments start with #
username
platform:username
-platform:denounced-user
-platform:denounced-user reason for denouncement
- One handle per line (without
@), sorted alphabetically. - Optionally specify a platform prefix:
platform:username(e.g.,github:mitchellh). - Denounce a user by prefixing with
-. - Optionally add details after a space following the handle.
The from td and to td commands are exported by the module, so
Nushell's open command works natively with .td files to decode
into structured tables and encode back to the file format with
comments and whitespace preserved.
Note
What is .td? This stands for "Trustdown," a play on the
word "Markdown." I intend to formalize a specification for trust
lists (with no opinion on how they're created or used) so that software
systems like this Vouch project and others can coordinate with each
other. I'm not ready to publish a specification until vouch itself
stabilizes usage more.