4 points by resiros 4 hours ago | 2 comments
  • EngineerBetter 2 hours ago
    I made this last week in my spare time, without $60m in seed funding!

    https://github.com/re-cinq/claudit

  • westurner 4 hours ago
    From https://news.ycombinator.com/item?id=46660151 :

    > Start with env args like AGENT_ID for indicating which Merkle hash of which model(s) generated which code with which agent(s) and add those attributes to signed (-S) commit messages. For traceability; to find other faulty code generated by the same model and determine whether an agent or a human introduced the fault.

    > Then, `git notes` is better for signature metadata because it doesn't change the commit hash to add signatures for the commit.

    > And then, you'd need to run a local Rekor log to use Sigstore attestations on every commit.

    > Sigstore.dev is https://SLSA.dev compliant.

    > Sigstore grants short-lived release attestation signing keys for CI builds on a build farm to sign artifacts with.

    > So, when jujutsu autocommits agent-generated code, what causes there to be an {{AGENT_ID}} in the commit message or git notes?

    Does Entire solve for this?

    Re: AI and DevOps Traceability: https://gemini.google.com/share/4c0c79c0f136
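
Added example (not part of either comment, and not code from Entire, claudit or Sigstore): the two places the quoted comment proposes for recording agent provenance, run against a scratch repository to show which one changes the commit hash. The trailer names `Agent-Id` and `Model-Digest`, the `refs/notes/agent` ref and the sample values are assumptions; `-S` signing is left out because it needs a configured key.

```shell
#!/bin/sh
# Constructed demo: throwaway repo, placeholder agent and model identifiers.
set -eu

AGENT_ID="${AGENT_ID:-example-agent-01}"            # constructed value
MODEL_DIGEST="${MODEL_DIGEST:-sha256:PLACEHOLDER}"  # constructed value

# Create a scratch repository with one commit; prints the repo path.
new_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.name "Example Dev"
    git -C "$repo" config user.email "dev@example.invalid"
    echo 'print("hi")' > "$repo/app.py"
    git -C "$repo" add app.py
    git -C "$repo" commit -q -m "Add app"
    echo "$repo"
}

head_of() { git -C "$1" rev-parse HEAD; }

# Option 1: trailers in the commit message. The commit is rewritten, so its hash changes.
tag_in_message() {
    git -C "$1" commit -q --amend -m "Add app" \
        -m "Agent-Id: $AGENT_ID
Model-Digest: $MODEL_DIGEST"
}

# Option 2: a note under refs/notes/agent. A separate object; the commit is untouched.
tag_in_note() {
    git -C "$1" notes --ref=agent add -f \
        -m "Agent-Id: $AGENT_ID" -m "Model-Digest: $MODEL_DIGEST" HEAD
}

# Read the agent id back from the note, e.g. to list commits made by one agent.
agent_of() {
    git -C "$1" notes --ref=agent show "${2:-HEAD}" | sed -n 's/^Agent-Id: //p'
}

demo=$(new_repo); before=$(head_of "$demo")
tag_in_note "$demo";    echo "after note:  $(head_of "$demo") (was $before)"
tag_in_message "$demo"; echo "after amend: $(head_of "$demo")"
```

Notes are keyed by commit hash and are not pushed by default, so an amend or rebase leaves the note on the old commit unless `notes.rewriteRef` covers the ref, and `refs/notes/agent` has to be pushed explicitly.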