docs: require DCO signoff on every commit (fixes #6 from adversarial review)
All checks were successful
CI / fmt (pull_request) Successful in 1m38s
CI / clippy (pull_request) Successful in 2m22s
CI / test (1.85) (pull_request) Successful in 5m27s
CI / test (stable) (pull_request) Successful in 6m7s
CI / deny (pull_request) Successful in 2m3s

Every commit MUST be signed off (git commit -s). Preserves the
copyright-holder's option to dual-license later — without a DCO/CLA
instrument, every external contribution erodes that option (ADR-0004).
Particularly load-bearing under multi-agent parallel authorship, where
multiple sessions commit in parallel and the DCO is the only per-commit
aggregation instrument.

Adds DCO.md with the full Linux-Foundation DCO text + the agents-sign-off-
with-the-human's-identity rule. AGENTS.md Git workflow gains the DCO bullet.
This commit is contained in:
opencode controller
2026-07-01 20:12:49 -04:00
parent aae485536e
commit 7270a608dc
2 changed files with 91 additions and 0 deletions

View File

@@ -250,6 +250,15 @@ and "why isn't X here?" questions. Consult it before adding anything.
each land as separate commits when practical. Don't bundle unrelated work.
- **Never commit secrets.** The `.gitignore` already covers `.env*`, `*.pem`, `*.key`. If
a new secret pattern appears, extend `.gitignore` in the same commit.
- **Developer Certificate of Origin (DCO) — REQUIRED on every commit.** Every commit
MUST be signed off (`git commit -s` or `git commit --signoff`) to attest the author
has the right to contribute the code under the project's license (GPL-3.0-or-later,
ADR-0004). This preserves the copyright-holder's option to dual-license later —
without a DCO/CLA instrument, every external contribution erodes that option. See
[`DCO.md`](DCO.md) for the full text. The signoff line (`Signed-off-by: Name <email>`)
is the canonical attestation; CI (planned) will reject unsigned commits. Agents
committing on behalf of a human MUST sign off with the human's name + email, not
their own identity.
- **PR description template** (for non-trivial PRs):
```
## What lands

82
DCO.md Normal file
View File

@@ -0,0 +1,82 @@
# Developer Certificate of Origin (DCO)
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation. All rights reserved.
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
---
## How to sign off
Every commit MUST be signed off. Use `git commit -s` (or `git commit --signoff`)
to add the attestation line automatically:
```
$ git commit -s -m "feat: add barge-in reflex"
commit 0123456789abcdef...
Author: A.D. Lee <alee@example.com>
Date: Wed Jul 2 10:00:00 2026 +0000
feat: add barge-in reflex
Signed-off-by: A.D. Lee <alee@example.com>
```
The `Signed-off-by: Name <email>` line is the canonical DCO attestation. The
name and email MUST match the git author identity.
## Why DCO (not a CLA)
The DCO is a per-commit attestation (lightweight, no registration), not a
Contributor License Agreement (which would require a one-time grant + tracking).
The DCO preserves the copyright-holder's option to dual-license the project
later — every contributor retains their own copyright but attests they have the
right to contribute under GPL-3.0-or-later (the project's license, ADR-0004).
See [ADR-0004](docs/adr/0004-license.md) for the license decision and the
dual-license rationale.
## For agents committing on behalf of a human
An AI agent that commits code on behalf of a human operator MUST sign off with
the **human's** name + email, not the agent's own identity. The human is the
contributor of record; the agent is the instrument. The DCO attestation
certifies the human's right to contribute, not the agent's.
```
# Correct — the human (alee) is the contributor of record
Signed-off-by: A.D. Lee <alee@example.com>
# WRONG — the agent is not a legal entity that can hold copyright
Signed-off-by: opencode-agent <agent@example.com>
```
CI (planned) will reject commits missing a valid `Signed-off-by` line matching
the author identity.