Vouch: Fighting AI Slop with Explicit Trust Networks
Mitchell Hashimoto just released Vouch, a community trust management system that might be the most elegant response yet to the AI-generated contribution problem plaguing open source.
The Core Insight
Open source has always run on trust. The effort required to understand a codebase, implement a change, and submit meaningful contributions naturally filtered out low-quality work. For 20+ years, this implicit trust model worked.
Then AI tools made it trivial to generate plausible-looking but fundamentally broken contributions. The barrier to entry collapsed. The trust model broke.
Vouch’s answer is beautifully simple: make trust explicit. Maintain a flat file listing who is vouched (allowed to contribute) and who is denounced (blocked). Let trusted community members vouch for newcomers. Form webs of trust across projects with shared values.
```
# VOUCHED.td format
username                      # vouched
platform:username             # vouched with platform
-platform:badactor            # denounced
-github:spammer reason        # denounced with explanation
```
Why This Matters
The AI Slop Problem Is Real
Projects are drowning in AI-generated pull requests that look reasonable on surface inspection but demonstrate zero understanding of the codebase. Reviewing them wastes maintainer time. Merging them introduces bugs. The old “trust and verify” model can’t scale when verification costs exceed original development.
Web of Trust Scaling
Individual project vouch lists can reference each other, creating transitive trust. A user proven trustworthy in Ghostty can automatically gain access to related projects. This mirrors how human trust actually works—recommendations from trusted sources carry weight.
Minimal Format, Maximum Interoperability
The .td (Trustdown) file format can be parsed with standard POSIX tools or any programming language without external libraries. One handle per line, alphabetically sorted, optional platform prefix, optional reason. It’s version-control friendly and human-readable.
Key Takeaways
- GitHub Actions integration: check-pr auto-closes PRs from unvouched/denounced users; manage-by-discussion lets collaborators vouch via comments
- CLI tooling: Nushell-based module for checking, adding, and denouncing users
- Web of trust: Projects can import each other’s vouch lists for shared trust decisions
- Exit codes: 0 = vouched, 1 = denounced, 2 = unknown, so the check is easily scriptable
- Currently in use by Ghostty: Real-world deployment proving the concept
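To make the format description and the exit-code contract concrete, here is a small parser and checker for the .td (Trustdown) layout described above. It is an added example, not the vouch project’s own Nushell code, and it assumes a few things the page does not spell out: that `#` starts a comment (as in the annotated sample), that handles compare case-insensitively, that a query for `platform:handle` also matches a bare-handle line, that a denounce always beats a vouch for the same handle, and that the alphabetical order is by identifier with the `-` marker ignored. The sample list is constructed, not Ghostty’s real file.

```python
"""Parse the VOUCHED.td (Trustdown) format and answer 'vouch check'-style
queries with the page's exit codes.  Added example, not the vouch project's
own code; assumptions are noted in the comments."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Exit codes as described on the page: 0 = vouched, 1 = denounced, 2 = unknown
VOUCHED, DENOUNCED, UNKNOWN = 0, 1, 2

Key = Tuple[Optional[str], str]  # (platform or None for a bare handle, handle)


@dataclass(frozen=True)
class Entry:
    platform: Optional[str]
    handle: str
    denounced: bool
    reason: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Trustdown line; return None for blank or comment-only lines."""
    # Assumption: '#' starts a comment, as in the page's annotated sample.
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    denounced = text.startswith("-")
    if denounced:
        text = text[1:].lstrip()
    # First token is the identifier; anything after whitespace is the reason.
    parts = text.split(None, 1)
    ident = parts[0]
    reason = parts[1].strip() if len(parts) > 1 else None
    platform, sep, handle = ident.partition(":")
    if not sep:  # bare handle, no platform prefix
        platform, handle = "", ident
    if not handle:
        return None
    # Assumption: handles and platforms compare case-insensitively (as GitHub logins do).
    return Entry(platform.lower() or None, handle.lower(), denounced, reason)


def parse_trustdown(text: str) -> Dict[Key, Entry]:
    """Build a lookup table.  Assumption: if a handle appears twice, a denounce
    always wins, so a block cannot be undone by a stray duplicate vouch line."""
    entries: Dict[Key, Entry] = {}
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        key = (entry.platform, entry.handle)
        prev = entries.get(key)
        if prev is None or entry.denounced:
            entries[key] = entry
    return entries


def check(entries: Dict[Key, Entry], handle: str, platform: str = "github") -> Tuple[int, Optional[str]]:
    """Return (exit_code, reason).  Assumption: a query for platform:handle matches
    both the platform-specific entry and a bare-handle entry, and any denounce
    among the matches takes precedence over a vouch."""
    handle, platform = handle.lower(), platform.lower()
    matches = [e for e in (entries.get((platform, handle)), entries.get((None, handle))) if e]
    for e in matches:
        if e.denounced:
            return DENOUNCED, e.reason
    return (VOUCHED, None) if matches else (UNKNOWN, None)


def unsorted_lines(text: str) -> List[int]:
    """Lint helper: 1-based numbers of lines that break alphabetical order.
    Assumption: order is by identifier (platform:handle), ignoring the '-' marker."""
    bad: List[int] = []
    prev = ""
    for n, raw in enumerate(text.splitlines(), 1):
        e = parse_line(raw)
        if e is None:
            continue
        ident = f"{e.platform}:{e.handle}" if e.platform else e.handle
        if ident < prev:
            bad.append(n)
        prev = ident
    return bad


# Constructed sample list (not Ghostty's real VOUCHED.td).
SAMPLE_TD = """\
# contributors
alice
bob # long-time contributor
github:carol
-github:spammer opened a flood of AI-generated PRs
-gitlab:mallory
"""

if __name__ == "__main__":
    import sys
    table = parse_trustdown(SAMPLE_TD)
    who = sys.argv[1] if len(sys.argv) > 1 else "spammer"
    code, why = check(table, who)
    label = ["vouched", "denounced", "unknown"][code]
    print(f"{who}: {label}" + (f" ({why})" if why else ""))
    sys.exit(code)  # 0/1/2 so a CI step can branch on the result
```

Run as `python vouch_check.py spammer` and the process exits 1 with the recorded reason; an unknown handle exits 2, which is what a `check-pr`-style job would branch on before deciding to close a PR. The denounce-wins rule is the defensive choice: a list that is edited by hand or merged from several projects should never let a duplicate vouch line silently re-admit a blocked account.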
The Implementation
Vouch provides GitHub Actions for common workflows:
| Action | Description |
|---|---|
| check-pr | Check PR authors on open/reopen, optionally auto-close unvouched |
| manage-by-discussion | Collaborators vouch/denounce via discussion comments |
| manage-by-issue | Same, but via issue comments |
The CLI handles local operations:
```
vouch check someuser                          # Check status
vouch add newcontributor                      # Vouch for someone
vouch denounce badactor --reason "AI slop"    # Block with reason
```
Looking Ahead
Vouch tackles a symptom (low-quality AI contributions) rather than the disease (misaligned incentives around contribution metrics). But it’s a practical, deployable solution that projects can adopt today.
The web-of-trust aspect is particularly promising. As more projects adopt Vouch, the friction for legitimate contributors decreases—one vouch propagates across the ecosystem. Meanwhile, bad actors face increasing exclusion.
The question is adoption. Will enough projects adopt compatible trust lists to make the network effects meaningful? Ghostty’s use provides a proof of concept, but the real value comes from density.
For maintainers drowning in AI-generated PRs, Vouch offers immediate relief. For the broader ecosystem, it’s an experiment in explicit trust worth watching.
Based on analysis of github.com/mitchellh/vouch
Tags: #OpenSource #TrustNetworks #AISlop #GitHubActions #CommunityManagement