> Start with env args like AGENT_ID for indicating which Merkle hash of which model(s) generated which code with which agent(s) and add those attributes to signed (-S) commit messages. For traceability; to find other faulty code generated by the same model and determine whether an agent or a human introduced the fault.
> Then, `git notes` is better for signature metadata because it doesn't change the commit hash to add signatures for the commit.
> And then, you'd need to run a local Rekor log to use Sigstore attestations on every commit.
> All contributors must indicate in the commit message of their contribution if they used AI to create them and the contributor is fully responsible for the content that they submit.
> This can be a label such as Assisted By: <Tool> or Generated by: <Tool> based on what was used.
But which metadata is better stored in git notes than in a commit message? JSON-LD can be integrated with JSON-LD SBOM metadata
> Start with env args like AGENT_ID for indicating which Merkle hash of which model(s) generated which code with which agent(s) and add those attributes to signed (-S) commit messages. For traceability; to find other faulty code generated by the same model and determine whether an agent or a human introduced the fault.
> Then, `git notes` is better for signature metadata because it doesn't change the commit hash to add signatures for the commit.
> And then, you'd need to run a local Rekor log to use Sigstore attestations on every commit.
> Sigstore.dev is https://SLSA.dev compliant.
> Sigstore grants short-lived release attestation signing keys for CI builds on a build farm to sign artifacts with.
> So, when jujutsu autocommits agent-generated code, what causes there to be an {{AGENT_ID}} in the commit message or git notes?
Does Entire solve for this?
Re: AI and DevOps Traceability: https://gemini.google.com/share/4c0c79c0f136