docs: add AI contribution policy (#3077)

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Author: migmartri

AI_POLICY.md

@@ -0,0 +1,82 @@
+# AI Contribution Policy
+
+Chainloop is an open-source evidence store for Software Supply Chain
+attestations, SBOMs, VEX, SARIF, and other compliance artifacts. Correctness,
+security, and long-term maintainability are non-negotiable properties of the
+project.
+
+This policy sets clear expectations for AI-assisted contributions. It is not
+an anti-AI stance — maintainers and contributors alike use AI tools in their
+daily workflows, and we encourage you to do the same. AI can accelerate
+learning, improve documentation, generate test scaffolding, and help explore
+design alternatives. We welcome contributors who use AI as a productivity
+amplifier, not as a substitute for understanding.
+
+**AI tools are welcome in the Chainloop contributor workflow. The human
+contributor is always accountable for every line submitted.**
+
+## Contribution Guidelines
+
+The following rules apply to all contributions, regardless of how they were
+produced:
+
+- **Own your changes.** You must be able to explain every change you submit.
+  "The AI generated it" is never an acceptable answer during review.
+- **Design before coding.** For non-trivial changes, open a GitHub Issue with
+  clear reasoning before a PR. PRs that ignore established patterns will be
+  closed.
+- **Quality over quantity.** One well-understood, well-tested PR is worth more
+  than many AI-assisted drive-by fixes. A flood of low-effort PRs exhausts
+  maintainer attention and delays everyone in the queue.
+- **Tests are required.** Bug fixes need regression tests; new features need
+  unit and integration tests. AI-generated tests that do not actually exercise
+  the relevant behaviour will be rejected.
+- **Legal compliance.** Chainloop is [Apache 2.0 licensed](LICENSE).
+  Contributions must ensure:
+  - No third-party copyrighted material has been reproduced without a compatible
+    open source license and proper attribution.
+  - When AI tools are used, their terms do not impose restrictions incompatible
+    with Apache 2.0.
+
+## Disclosure
+
+If AI assisted in producing any part of your contribution, disclose it in the
+PR description. Add an `Assisted-by:` trailer to each affected commit:
+
+```
+Assisted-by: GitHub Copilot
+Assisted-by: Claude Code
+Assisted-by: ChatGPT o3
+```
+
+Disclosure is not a penalty — it is trust infrastructure. It preserves
+transparency, helps reviewers calibrate their attention, and keeps provenance
+clear for the project's long-term health.
+
+## Engaging With Maintainers
+
+- **Respond personally.** Do not pipe review feedback back into an AI and
+  apply the output blindly. Responses during review must reflect genuine
+  understanding of the code and the project's design goals.
+- **No AI ping-pong.** If maintainers observe a pattern of AI-driven responses
+  without real engagement, the PR will be closed without further explanation.
+- Maintainers reserve the right to close any low-effort AI contribution without
+  a detailed technical critique.
+
+## Maintainer Use of AI
+
+Maintainers also use AI tools: for reviewing changes, exploring implementation
+options, and improving documentation. The same disclosure and ownership
+expectations apply to maintainer-authored commits.
+
+## Acknowledgements
+
+This policy is inspired by the
+[go-git AI Policy](https://github.com/go-git/go-git/blob/main/AI_POLICY.md),
+the [Kubewarden AI Policy](https://github.com/kubewarden/community/blob/main/AI_POLICY.md),
+the [CloudNativePG AI Policy](https://github.com/cloudnative-pg/governance/blob/main/AI_POLICY.md),
+and the [Kyverno AI Usage Policy](https://github.com/kyverno/kyverno/blob/main/AI_POLICY.md).
+It aligns with the Linux Foundation's
+[Generative AI guidance](https://www.linuxfoundation.org/legal/generative-ai)
+and the CNCF community's evolving norms on sustainable AI-assisted open source
+development.

CLAUDE.md

@@ -256,8 +256,21 @@ All commits must meet these criteria:
 - **Example**: `git commit -S -s -m "feat: add new material type"`
 
 Code reviews are required for all submissions via GitHub pull requests.
+
+### AI Disclosure
+
+If AI assisted in producing any part of a contribution, disclose it in the PR description. Add an `Assisted-by:` trailer to each affected commit:
+
+```
+Assisted-by: GitHub Copilot
+Assisted-by: Claude Code
+Assisted-by: ChatGPT o3
+```
+
+See [AI_POLICY.md](AI_POLICY.md) for the full AI contribution policy.
+
 - make sure golang code is always formatted and golang-ci-lint is run
-- I do not want you to be in the co-author signoff
+- do not add co-author signoff lines — use `Assisted-by:` trailers for AI disclosure instead
 - when the schema is changed, run make generate, do not create a migration explicitly
 - If you are writing go code, adhere to best practices such as the ones in effective-go, or others. This could include, error handling patterns, interface design, package organization, concurrency patterns, etc.
 - When writing tests, use table-driven tests whenever possible
@@ -271,7 +284,7 @@ Code reviews are required for all submissions via GitHub pull requests.
 - if you add any new dependency to a constructor, remember to run wire ./...
 - when creating PR message, keep it high-level, what functionality was added, don't add info about testing, no icons, no info about how the message was generated.
 - app/controlplane/api/gen/frontend/google/protobuf/descriptor.ts is a special case that we don't want to upgrade, so if it upgrades, put it back to main
-- when creating a commit or PR message, NEVER add co-authored by or generated by Claude code
+- when creating a commit or PR message, NEVER add co-authored-by lines — use `Assisted-by:` trailers for AI disclosure instead
 - any call to authorization Enforce done from the biz or svc layer must be done using biz.AuthzUseCase
 - if you modify a schema, remember to run `make migration_sync`
 - after changing Helm chart source code (`deployment/chainloop/`), bump the **patch** version (not minor, not major) in the chart's `Chart.yaml`