Skip to content

chore(script): extend check_ai_attribution to scan commit messages #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
BunsDev merged 2 commits into from
May 21, 2026
Merged

chore(script): extend check_ai_attribution to scan commit messages #81

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8c42325
chore(script): extend check_ai_attribution to scan commit messages
BunsDev May 20, 2026
0163b36
fix: harden AI_ATTRIBUTION_BASE_REF against option injection
BunsDev May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions script/check_ai_attribution
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,53 @@ for pattern in "${patterns[@]}"; do
"$pattern" . >> "$tmp" || true
done

# Commit-message scan. The file-content scan above only catches attribution that
# lives in tracked files; an agent that follows the default `Co-Authored-By: ...`
# trailer for git commits would slip past it. Scan commit-message bodies of
# commits ahead of the base ref (default: origin/main) against the same patterns.
#
# Override the base ref with AI_ATTRIBUTION_BASE_REF for CI or non-standard
# setups. Skips silently when no usable base ref exists (fresh clone, detached
# HEAD on the base itself, etc.) so the existing file-scan behavior is preserved.
if git rev-parse --git-dir >/dev/null 2>&1; then
base_ref="${AI_ATTRIBUTION_BASE_REF:-}"
if [[ -z "$base_ref" ]]; then
for candidate in origin/main main origin/master master; do
if git rev-parse --verify --quiet "$candidate" >/dev/null; then
base_ref="$candidate"
break
fi
done
fi

if [[ -n "$base_ref" ]]; then
# Reject refs that start with '-' to prevent option injection
if [[ "$base_ref" == -* ]]; then
echo "AI_ATTRIBUTION_BASE_REF must not start with '-': $base_ref" >&2
exit 1
fi

# Resolve to a commit SHA to avoid option injection
base_sha=$(git rev-parse --verify --quiet -- "${base_ref}^{commit}" 2>/dev/null) || base_sha=""

if [[ -n "$base_sha" ]]; then
while IFS= read -r sha; do
[[ -z "$sha" ]] && continue
body="$(git log -1 --pretty=format:%B "$sha")"
for pattern in "${patterns[@]}"; do
# Emit one prefixed line per matching message line.
if matched="$(printf '%s\n' "$body" | rg --pcre2 --no-line-number --no-filename "$pattern" 2>/dev/null)"; then
while IFS= read -r line; do
[[ -z "$line" ]] && continue
printf '[commit-msg %s] %s\n' "$sha" "$line" >> "$tmp"
done <<< "$matched"
fi
done
done < <(git log "$base_sha..HEAD" --pretty=tformat:%H 2>/dev/null || true)
fi
fi
fi

if [[ ! -s "$tmp" ]]; then
echo "AI attribution guard passed."
exit 0
Expand Down