chore(script): extend check_ai_attribution to scan commit messages #81

Merged: BunsDev merged 2 commits into main from chore/ai-attribution-commit-msg on May 21, 2026

BunsDev (Member) commented May 20, 2026

Summary

`./script/check_ai_attribution` currently scans only tracked file content for AI-attribution patterns. Agentic sessions that follow the default `Co-Authored-By: Claude` git trailer slip past it — the attribution lives in commit metadata, not in any file.

This change adds a second pass that scans commit-message bodies of commits ahead of the base ref against the same pattern set the file scan already uses.

  • Base ref auto-detected as the first of `origin/main`, `main`, `origin/master`, `master` that resolves; override with `AI_ATTRIBUTION_BASE_REF` for CI or non-standard setups.
  • Findings are prefixed `[commit-msg <sha>] ` so they're distinguishable from file-content hits.
  • No-ops cleanly when no base ref is reachable (fresh clone, detached HEAD on the base itself).
  • Existing file-scan behavior is unchanged — additive only.

Motivation

A concurrent `claude --dangerously-skip-permissions` session in this repo landed commit `6872184f fix(warpui/mac): preserve subview click cycles in WarpWindow sendEvent` on branch `castcodes/fix-browser-hittest` with a trailing `Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com` line. The existing guard reported "AI attribution guard passed." against that branch because it never inspects `git log`.

Test plan

  • On a clean branch (no commits ahead of `origin/main`): `./script/check_ai_attribution` → `AI attribution guard passed.` exit 0.
  • With a fixture empty commit whose body contains `Co-Authored-By: Claude Opus 4.7 ...`: `./script/check_ai_attribution` → fails with `[commit-msg <sha>] Co-Authored-By: Claude Opus 4.7 ...`, exit 1.
  • Replayed against the real `6872184f` commit (cherry-picked locally onto the chore branch): guard fails with the expected commit-msg line; cherry-pick discarded.
  • CI: confirm the new path runs cleanly on `origin/main` (where the commit range is empty) without false positives.

Notes

  • The patterns array is unchanged; same patterns, two sources (files + commit messages).
  • The `--pretty=tformat:%H` (not `format:%H`) is intentional — `format:` omits the trailing newline on the last record, which would silently drop the most recent commit from the `while read -r` loop.
  • This does NOT add a `commit-msg` git hook; the guard runs at presubmit time, not at every commit. A hook is a complementary follow-up if you want fail-fast.

The file-content scan only catches attribution checked in to tracked
files. Agents that follow the default `Co-Authored-By: <AI tool>` git
trailer slip past it. Scan commit-message bodies of commits ahead of the
base ref (default origin/main, override via AI_ATTRIBUTION_BASE_REF)
against the same patterns.

Output prefixes commit-message findings with `[commit-msg <sha>]` so
they're distinguishable from file-content hits at a glance. The scan
no-ops when no usable base ref exists (fresh clone, detached HEAD on
the base itself), preserving the existing behavior for that case.

Use --pretty=tformat:%H so each SHA is newline-terminated for the
while-read loop (--pretty=format:%H omits the trailing newline and the
last record would not be read).

Copilot AI review requested due to automatic review settings May 20, 2026 16:22

Copilot AI (Contributor) left a comment

Pull request overview

Extends `script/check_ai_attribution` so the AI-attribution guard also scans commit message bodies (for commits ahead of a detected base ref) in addition to the existing tracked-file content scan, preventing “Co-Authored-By: …” trailers from slipping through.

Changes:

  • Auto-detect a base ref (or allow override via `AI_ATTRIBUTION_BASE_REF`) and scan `base_ref..HEAD` commit message bodies.
  • Reuse the existing attribution regex pattern set for commit-message scanning.
  • Prefix commit-message findings with `[commit-msg <sha>]` for source clarity.

@BunsDev BunsDev merged commit c8ad157 into main May 21, 2026
9 checks passed
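
The commit-message pass described in this pull request, sketched as an added example; it is not the project's `script/check_ai_attribution`. The function names, the `PATTERN` value and the fixture repository are constructed for illustration, since the page does not show the guard's real pattern set.

```shell
#!/bin/sh
# Added illustration, not the project's script. PATTERN is a constructed
# stand-in; the guard's real pattern set is not shown on the page.
PATTERN='co-authored-by:.*(claude|copilot)|generated with .*claude'

# First ref that resolves to a commit wins; the env override is tried first
# (falling back to the defaults when it does not resolve is this example's choice).
detect_base_ref() {
    for ref in "${AI_ATTRIBUTION_BASE_REF:-}" origin/main main origin/master master; do
        [ -n "$ref" ] || continue
        if git rev-parse --verify --quiet "$ref^{commit}" >/dev/null 2>&1; then
            printf '%s\n' "$ref"
            return 0
        fi
    done
    return 1
}

# Prints "[commit-msg <sha>] <line>" for each matching message line in
# base..HEAD and returns 1 on any finding; returns 0 when there is no base ref.
scan_commit_messages() {
    base=$(detect_base_ref) || return 0
    # tformat: newline-terminates every SHA, so `read` also sees the last one.
    hits=$(git log --pretty=tformat:%H "$base..HEAD" |
        while read -r sha; do
            git log -1 --pretty=format:%B "$sha" |
                grep -iE -e "$PATTERN" | sed "s/^/[commit-msg $sha] /"
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed fixture: a clean commit on main, then one commit ahead of it on
# a feature branch whose body carries an AI co-author trailer.
make_fixture_repo() {
    id='-c user.name=dev -c user.email=dev@example.invalid -c commit.gpgsign=false'
    cd "$(mktemp -d)" && git init -q . &&
        git symbolic-ref HEAD refs/heads/main &&
        git $id commit -q --allow-empty -m 'base' &&
        git checkout -q -b feature &&
        git $id commit -q --allow-empty -m 'fix: thing' \
            -m 'Co-Authored-By: Claude <noreply@example.invalid>'
}
```

With a single commit ahead of the base, swapping `tformat:` for `format:` leaves the only SHA unterminated, so the `while read -r` loop never runs its body and the trailer goes unreported.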