Skip to content

Add AI tools policy #13726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Turbo87 wants to merge 4 commits into
base: main
Choose a base branch
from
+62 −0
Open

Add AI tools policy #13726

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5b71466
docs: Add `AI-TOOLS.md` policy from python/devguide
Turbo87 May 21, 2026
4590196
docs/AI-TOOLS: Drop Python-specific testing principles sentence
Turbo87 May 21, 2026
ec1c6b2
AGENTS: Link to `AI-TOOLS.md` from reference material list
Turbo87 May 21, 2026
7ecdf65
docs/CONTRIBUTING: Add `Using AI tools` section
Turbo87 May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,5 +220,6 @@ Before submitting:
- `/docs/ARCHITECTURE.md` - System architecture and design decisions
- `/docs/API-DESIGN.md` - JSON API conventions for new endpoints
- `/docs/PR-REVIEW.md` - Guidelines for reviewing pull requests
- `/docs/AI-TOOLS.md` - Guidelines for using AI tools when contributing
- `/script/import-database-dump.sh` - Import production database dump for testing
- `/.github/workflows/ci.yml` - CI pipeline definition and tool versions
55 changes: 55 additions & 0 deletions docs/AI-TOOLS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Guidelines for using AI tools

The person submitting an issue or PR is responsible for its content,
regardless of whether AI tools were used in its creation. Generative AI
tools can produce output quickly, but discretion, good judgment, and
critical thinking are the foundation of all good contributions. We value
good code, concise accurate documentation, and well scoped PRs without
unneeded code churn.

## Considerations for success

Authors must review the work done by AI tooling in detail to ensure it
actually makes sense before proposing it as a PR or filing it as an issue.

We expect PR authors and those filing issues to be able to explain their
proposed changes in their own words.

Disclosure of the use of AI tools in the PR description is appreciated,
while not required. Be prepared to explain how the tool was used and what
changes it made.
Comment on lines +18 to +20
Copy link
Copy Markdown

@clarfonthey clarfonthey May 22, 2026
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So ultimately I don't expect crates.io to have a lot of PRs or issues so I think that ultimately this is just me giving advice that you're free to ignore. But at least from what I found, even projects which strongly support AI tools have been in favour of disclosing just so they know what they're dealing with, and I think that it's okay to have a hard rule with no punishments for forgetting it.

Like, I figure the rate of issues/PRs is so low that you have the time/resources to just individually talk to each person and figure out what they're working with anyway, but it can be helpful to ask for to see what people are using.

Just a few examples of other policies that feel relevant here:

  • curl explicitly asks for AI disclosure in security reports
  • ghostty explicitly states "AI is welcome here" but still requests disclosure in basically the first bullet point

View changes since the review

Copy link
Copy Markdown
Contributor

@LawnGnome LawnGnome May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But at least from what I found, even projects which strongly support AI tools have been in favour of disclosing just so they know what they're dealing with, and I think that it's okay to have a hard rule with no punishments for forgetting it.

This would also be my preference.

I litigated this at some length within the Foundation when we were drafting our internal AI policy, so my apologies to @Turbo87 for the repeat, but the short version is that I believe that we should require disclosure for two primary reasons:

  1. Legal concerns. While I suspect our US-focused legal advice that LLM contributions are not subject to copyright will eventually end up being codified into international copyright law, this isn't even fully settled in the US, and we also have to operate in other, slower moving jurisdictions. If this does not end up being the result, we will need to be able to account for the origin of every contribution. Even if that outcome is unlikely, I think the minimal cost of requiring disclosure now is a small price to pay to make it easier to handle that eventuality.
  2. Review practicalities. While I don't think knowing LLMs have been used would meaningfully change how I review PRs from within the crates.io team, we do accept external contributions, and the sorts of things I expect to look for in review would change for a developer who used LLM assistance versus not, as would how I communicate with that contributor.

I don't want this to be some onerous process. I'd be happy with an Assisted-By or Co-Authored-By trailer in either the commit message or the PR description, much like the Linux kernel policy. But I do think it's important that we require this.

Copy link
Copy Markdown

@traviscross traviscross May 22, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be interesting to hear from counsel on the first point. I would expect to hear a mixed set of pros and cons for each choice — widespread disclosure seems likely to carry some risks too for the Project. Regarding the second point, the relevant comment in the Python discussions was this one — in short, reviewers need to assume LLM use anyway.

Disclosure has more than minimal cost:

  • The transparency dilemma finding includes considerable data showing that, contrary to intuition, disclosure of LLM use erodes trust.
  • Once primed about LLM use, people start to see LLM fingerprints that aren't actually there — we're creatures that see faces in clouds. Disclosure can increase the risk of false accusations of more LLM use than was disclosed.
  • We're operating in an environment where people are actively shaming others who use LLMs. Highlighting one's use subjects one to the risk of this shaming.

Mandating disclosure has additional costs. It becomes something we need to enforce fairly and consistently. As part of a moderation policy, we'd be talking about banning people from the Project over this. If it turns out the policy is unenforceable and that people choose not to disclose due to these costs, then we'll have created a kind of policy fiction. That's not any good for us.

Similar to Python, we can encourage disclosure without incurring the costs that accompany mandating it.

Copy link
Copy Markdown

@clarfonthey clarfonthey May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, it is worth reiterating on the legal point that generally the result of using LLMs is the removal of copyright protections, not the addition of extra burdens, which does not matter given the extremely permissive license crates.io uses. It does matter for proprietary code and copyleft code, but for open source, permissively licensed work, it seems fine.

Additionally, it seems incredibly likely that if any copyright questions came up, e.g. someone was upset that code verbatim was used without authorisation, there would be ample time to fix the issue (removing the offending code) rather than these being immediate repercussions.

Most of the projects that I've seen be concerned with copyright issues are copyleft and thus specifically rely on copyright to enforce licencing, which just isn't the case here. So, while I do think there are other points to discuss, I don't think the legal point is particularly compelling here, which also matches the existing advice given by Foundation counsel on the matter.

Copy link
Copy Markdown
Member Author

@Turbo87 Turbo87 May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I do most of the PR reviews on crates.io at the moment (obviously excluding my own PRs…), and knowing whether AI was involved wouldn't change much how I review. The "explain your changes" requirement is already what I actually care about. For first-time contributors with zero context I agree disclosure can help, but that's a pretty different situation from someone opening a dozens of PRs each month.

On the legal point: the PSF landed on this exact wording without requiring disclosure. I don't know what their counsel actually said about it, so I'm only guessing, but I'd be a little surprised if a project that size shipped an AI policy without running it past their lawyers at some point. If that's roughly right, it makes me want to understand what's specifically different about our situation before treating the legal angle as a strong reason to go further than they did.

And I think Travis is right that disclosure has real downsides in the current climate. Adding a trailer to every PR also adds quite a bit of friction when LLM tooling is opening them, and getting that tooling to reliably add trailers is a whole separate problem.

That said, here are a few things I'd be happy to put in the policy, if it helps:

  • Bump "appreciated, while not required" to "encouraged, especially from new contributors"
  • Add something like "reviewers may ask about AI usage when it would help, and contributors should answer honestly"

Two other options to avoid the additional friction for regular contributors:

  1. We can flip the framing: say explicitly that reviewers should assume AI may have been used, and make disclosure of non-use the optional opt-in. At this point the vast majority of recent crates.io PRs had LLM involvement and IMHO it's better to optimize for the 90% case.

  2. One-time disclosure for regulars, recorded privately: contributors who use AI tooling regularly disclose it once (e.g. via a comment on a designated issue in the team's private ops guide repo) instead of repeating it on every PR. The record exists, so reviewers on the team have access and the legal/review-practicalities angle is covered, but the disclosure isn't sitting in a public list that anyone can scrape and turn into a target. For someone like me who opens a lot of PRs that drops the per-PR friction effectively to zero while still leaving the information available where it matters. First-time or external contributors would still get asked by a PR template or maybe by the reviewer.

Copy link
Copy Markdown

@clarfonthey clarfonthey May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, ultimately, I do think that the small number of contributions is more than sufficient to prefer an ad hoc method of explaining/disclosing since, like I said, you probably have the bandwidth to just talk to everyone individually about their changes. I think that encouraging more transparency is good, but if you think the downsides outweigh the upsides here, that's fair.


Whether you are using AI tools or not, keep the following principles in
mind for the quality of your contribution:

- Consider whether the change is necessary
- Make minimal, focused changes
- Follow existing coding style and patterns
- Write tests that exercise the change
- Keep backwards compatibility with prior releases in mind. Existing
tests may be ensuring specific API behaviors are maintained.

Pay close attention to AI generated recommendations for testing changes.
Always review the output before opening a pull request or issue,
including proposed PR or issue titles and descriptions.

## Acceptable uses

Some of the acceptable uses of generative AI include:

- Assistance with writing comments, especially in a non-native language
- Gaining understanding of existing code
- Supplementing contributor knowledge for code, tests, and documentation

## Unacceptable uses

Maintainers may close issues and PRs that are not useful or productive,
Copy link
Copy Markdown

@clarfonthey clarfonthey May 22, 2026
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, I think it would be worth clarifying a bit more what "productive" means here, since it feels a little vague and it's not exactly clear what you're looking for. (I'm fine if you keep using the term "productive" as long as it's defined, just, maybe a few examples would help.)

Just guessing at what you mean, what might be worth mentioning:

  • Typo fixes/aesthetic improvements that don't actually affect any public stuff: probably not helpful, can be submitted in large quantities by these tools
  • Poorly justified changes, e.g. "I updated this page to be more readable" without any reasonable explanation
  • Careless changes / author just wasn't paying attention and just clicked submit when they shouldn't have

View changes since the review

Copy link
Copy Markdown
Member Author

@Turbo87 Turbo87 May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I see where you're coming from but I'd actually prefer to leave "productive" deliberately vague.

To be honest I'm not sure all your examples land for me. Typo fixes for instance often seem fine. The kind of thing I'd see as unproductive is more like a PR where the author clearly doesn't understand what the LLM produced and is just acting as a transport medium between the model and the reviewer. But that's just one example, and I'd really rather leave it to maintainer judgment than enumerate it.

My worry with putting cases in the policy is that they get read as an exhaustive list. A PR that doesn't fit any listed category becomes harder to push back on ("but the policy doesn't say this counts"), and we'd be locking ourselves into whatever taxonomy we write down today. The point of this section, as I read it, is to give maintainers cover to use judgment on cases that don't fit cleanly into rules.

Happy to revisit if it turns out to be confusing in practice.

regardless of whether AI tools were used or not.

If a contributor repeatedly opens unproductive issues or PRs, they may be
blocked from contributing to the project because it is disruptive and
disrespectful of the maintainers time.

It is not acceptable to alter or bypass existing tests, or remove desired
functionality, in order to make a failing test pass. Such changes are not
a real fix.
6 changes: 6 additions & 0 deletions docs/CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Contributing to crates.io

- [Attending the weekly team meetings](#attending-the-weekly-team-meetings)
- [Using AI tools](#using-ai-tools)
- [Finding an issue to work on](#finding-an-issue-to-work-on)
- [Submitting a Pull Request](#submitting-a-pull-request)
- [Reviewing Pull Requests](#reviewing-pull-requests)
Expand All @@ -17,6 +18,11 @@ everyone who wants to contribute to crates.io to participate.

[Zulip]: https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io/

## Using AI tools

If you use AI tools to help draft issues, PRs, or comments, please
review [`docs/AI-TOOLS.md`](AI-TOOLS.md) for our guidelines.

## Finding an issue to work on

We try to keep a variety of issues tagged with
Expand Down