Vouch - Open Source Contributor Trust Management System | GeekNews

xguru
2026.02.10
· News · by 권준호
Tags: #AI, #Community, #Open Source, #Reputation, #Trust Management

Key Points

  • Vouch is an open-source trust management system designed to mitigate the influx of low-quality, AI-generated contributions to projects by requiring explicit "vouching" before a contributor may participate.
  • The system stores trust data transparently in a version-controlled plaintext file, allowing trusted community members to vouch for others or denounce malicious actors; it serves as a participation gate rather than granting code merge permissions.
  • While acknowledging concerns about potential exclusion and misuse, Vouch aims to establish a "Web of Trust" across projects, sharing reputation data to filter out noise and ensure a higher quality of collaboration in the evolving open-source landscape.

Vouch is an open-source contributor trust management system designed to address the challenges posed by the proliferation of AI tools that lower the barrier to entry for contributions, thereby diminishing the effectiveness of traditional implicit trust models in open-source projects.

The core methodology of Vouch centers on an explicit "trust and verify" mechanism *before* participation. Unlike traditional models where trust is earned through code contributions and subsequent review, Vouch requires contributors to be explicitly "vouched" for prior to engaging in substantive project activities like submitting pull requests.

Key components and technical details include:

  • Explicit Vouching: A trusted contributor, often a project maintainer or an already-vouched individual, must explicitly endorse a new participant. This acts as a gatekeeping mechanism to filter out low-quality, AI-generated, or malicious contributions.
  • Denouncement: Conversely, the system allows for explicit "denouncement" of malicious actors. Denouncement records are made public, enabling other projects to reference and consider this negative reputation.
  • Decentralized Policy: Vouch does not impose a universal standard for vouching or denouncing. Each open-source project autonomously defines its own criteria and policies for who can vouch, who can be vouched for, and the conditions under which denouncement occurs. This empowers communities to tailor the system to their specific needs and values.
  • Transparent and Version-Controlled Data: All trust data (vouching and denouncing records) is stored within the project's repository as a single, plaintext file, typically named VOUCHED. This file is version-controlled alongside the project's code, ensuring transparency, immutability (via Git history), and portability across different platforms. This design choice emphasizes the decentralized nature of trust management, as the trust data resides with the code itself, not on an external, centralized service.
  • Web of Trust (WoT) Concept: In the long term, Vouch envisions forming a distributed Web of Trust. This allows for the sharing of trust information between projects, where a highly reputable project's vouch for an individual might influence another project's decision. However, this is not automatically binding; downstream projects retain the autonomy to accept or reject the trust from upstream projects. Projects that engage in indiscriminate vouching or denouncing may naturally be marginalized from this trust network.
  • Integration and Management: Vouch is designed for easy integration, particularly with GitHub. It leverages GitHub Actions for automated checks and allows for management via issue or pull request comments using keywords (e.g., lgtm for vouching, denounce). Command-line tools such as vouch.nu check <user>, vouch.nu add <user>, vouch.nu denounce <user>, vouch.nu gh-check-pr <pr>, and vouch.nu gh-manage-by-issue <issue> <comment> provide direct interaction.
  • Limited Scope of Authority: A crucial design aspect is that being vouched for only grants *participation* rights, not higher-level permissions such as merging code, pushing directly, or making releases. These critical operations remain subject to existing code review processes and system controls. Only project administrators or established collaborators can issue vouches, limiting potential social engineering risks.
  • Focus on Spam Filtering: While trust management can have security implications, Vouch is primarily positioned as a "spam filter" or "noise minimization layer" for low-quality, AI-generated contributions, rather than a robust defense against state-sponsored supply chain attacks. It aims to make it "costly" (in terms of social effort, not monetary) for low-effort, high-volume contributors to engage, thus reducing the "cost externalization" borne by maintainers in reviewing such submissions.
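The participation gate and comment-driven management described in the list above, as an added Python example that is not Vouch's own code (the project ships a Nushell tool, vouch.nu). The VOUCHED line format, the account names and the set of accounts allowed to issue records are assumptions made for this example, and the sample file is constructed.

```python
# Constructed sample of a VOUCHED-style file. The "<action> <user> by <issuer>"
# line format is hypothetical; the page only says the data is a plaintext file.
SAMPLE_VOUCHED = """\
# VOUCHED (constructed sample)
vouch alice by maintainer1
vouch bob by alice
vouch carol by randomuser
denounce bob by maintainer2
"""

# Accounts allowed to vouch or denounce: admins and established collaborators
# (hypothetical names). A vouch from anyone else carries no weight.
AUTHORIZED = {"maintainer1", "maintainer2", "alice"}

def parse_vouched(text):
    """Return (action, user, issuer) tuples; blank lines and '#' comments skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] != "by" or parts[0] not in ("vouch", "denounce"):
            raise ValueError(f"malformed record: {line!r}")
        records.append((parts[0], parts[1], parts[3]))
    return records

def check(user, text, authorized=AUTHORIZED):
    """Participation gate for `user`: 'vouched', 'denounced' or 'unknown'.
    Records from unauthorized issuers are ignored; any valid denouncement wins."""
    status = "unknown"
    for action, who, issuer in parse_vouched(text):
        if who != user or issuer not in authorized:
            continue
        if action == "denounce":
            return "denounced"
        status = "vouched"
    return status

def manage_by_comment(commenter, comment, text, authorized=AUTHORIZED):
    """Apply an issue/PR comment like 'lgtm @dave' or 'denounce @dave'; returns
    the updated file text, unchanged for unauthorized commenters or other text."""
    words = comment.strip().split()
    if len(words) != 2 or commenter not in authorized:
        return text
    action = {"lgtm": "vouch", "denounce": "denounce"}.get(words[0].lower())
    if action is None:
        return text
    return text + f"{action} {words[1].lstrip('@')} by {commenter}\n"
```

In a GitHub Actions job the result of check() for the pull request author would decide whether the PR proceeds to review; the appended line is what a commit to the VOUCHED file would carry.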

The system embodies the concept of "Attestation" for "Identity" based on a "Policy." Here, an "attestation" is a signed claim (e.g., "This person is trustworthy") that is structurally analogous to other signed claims (e.g., "This commit passed tests"). Vouch specifically targets this human-centric attestation within a project's policy layer, aiming to be a platform-independent reputation infrastructure via standardized metadata stored within the repository itself.