feat: commit trailer policy enforcement (Signed-off-by / Co-Authored-By) #146

@coopernetes

Description

Background

Organisations contributing to open source or operating under IP/CLA requirements often need to enforce or restrict specific git commit trailers. Two distinct use cases have been identified:

point 1 — DCO enforcement (Signed-off-by)

The Developer Certificate of Origin requires contributors to sign off each commit with a Signed-off-by: Name <email> trailer whose email matches the commit author. This is a hard compliance requirement for many FINOS projects, CNCF projects, and the Linux kernel.

The proxy is well-placed to enforce this at push time — before commits reach the upstream — and give the author an actionable rejection message identifying exactly which SHAs are missing the trailer.

point 2 — Co-author policy (Co-Authored-By)

Co-Authored-By is increasingly relevant as AI tooling adds attribution trailers to commits. Organisations have legitimate but opposing opinions on this:

  • Ban co-authors entirely — AI attribution may interfere with CLA tracking or IP assignment; some legal teams want a single attributable human author per commit
  • Allowlist specific co-authors — permit known internal tooling or approved AI assistants (matched by email domain or full address) while rejecting unknown attributions
  • Require co-authors — some teams mandate attribution for pair programming or AI-assisted commits as an audit trail

The same local-part and domain-part email filter patterns used elsewhere in commit policy should apply here, so orgs can express rules like "co-authors must be @company.com or noreply@anthropic.com".

Scope

This issue is intentionally non-prescriptive about config shape. The goal is to establish that the proxy should allow an organisation to enforce their own policy around these two trailer fields — whatever form that takes in the final implementation. Design of the config structure should happen at implementation time with reference to the existing commitPolicy object.

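The two use cases above share one mechanism: parse the trailer paragraph of each pushed commit, then apply a Signed-off-by rule and a Co-Authored-By rule and report every offending SHA. The block below is an added example illustrating that flow; it is not git-proxy's code and the issue is deliberately silent on config shape, so the `policy` object, the `*@domain` / `local@*` pattern syntax, the function names and the sample commits are all assumptions made here for illustration.

```javascript
// Added example (not git-proxy's own code). Evaluates Signed-off-by and
// Co-Authored-By trailers for a set of pushed commits against a policy.
// The policy shape, pattern syntax and sample data below are assumptions.

// Git trailers are "Token: value" lines in the final paragraph of a commit
// message. Only that paragraph is inspected, so a "Signed-off-by" mention in
// the body text does not count, and a message that is a bare subject line
// ("fix: typo") is not mistaken for a trailer block.
function parseTrailers(message) {
  const paragraphs = message.trimEnd().split(/\n\s*\n/);
  if (paragraphs.length < 2) return [];
  const last = paragraphs[paragraphs.length - 1];
  const trailers = [];
  for (const line of last.split('\n')) {
    const m = /^([A-Za-z][A-Za-z0-9-]*):\s*(.+)$/.exec(line);
    if (m) trailers.push({ token: m[1].toLowerCase(), value: m[2].trim() });
  }
  return trailers;
}

// "Name <email>" -> lowercased email, or null if no <...> part is present.
function emailOf(value) {
  const m = /<([^>]+)>/.exec(value);
  return m ? m[1].trim().toLowerCase() : null;
}

// Assumed pattern syntax: "*@company.com" (domain), "bot@*" (local part)
// or a full address. Comparison is case-insensitive on both sides.
function emailMatches(email, pattern) {
  const [pl, pd] = pattern.toLowerCase().split('@');
  const [el, ed] = email.toLowerCase().split('@');
  if (ed === undefined) return false;
  return (pl === '*' || pl === el) && (pd === '*' || pd === ed);
}

// Returns a list of human-readable policy violations for one commit.
// coAuthors.mode is one of 'forbid', 'allowlist', 'require' or 'any'.
function checkCommit(commit, policy) {
  const errors = [];
  const trailers = parseTrailers(commit.message);
  const author = commit.authorEmail.toLowerCase();

  if (policy.requireSignOff) {
    const signoffs = trailers
      .filter((t) => t.token === 'signed-off-by')
      .map((t) => emailOf(t.value));
    if (signoffs.length === 0) errors.push('missing Signed-off-by trailer');
    else if (!signoffs.includes(author)) {
      errors.push(`no Signed-off-by matches author <${author}>`);
    }
  }

  const coAuthors = trailers
    .filter((t) => t.token === 'co-authored-by')
    .map((t) => emailOf(t.value) ?? t.value);
  const mode = policy.coAuthors?.mode ?? 'any';
  if (mode === 'forbid' && coAuthors.length > 0) {
    errors.push(`Co-Authored-By not permitted: ${coAuthors.join(', ')}`);
  }
  if (mode === 'require' && coAuthors.length === 0) {
    errors.push('missing required Co-Authored-By trailer');
  }
  if (mode === 'allowlist') {
    for (const ca of coAuthors) {
      if (!policy.coAuthors.allowed.some((p) => emailMatches(ca, p))) {
        errors.push(`Co-Authored-By <${ca}> is not on the allowlist`);
      }
    }
  }
  return errors;
}

// Whole-push decision: null when accepted, otherwise a rejection message that
// names each offending SHA so the author knows exactly what to amend.
function checkPush(commits, policy) {
  const lines = [];
  for (const c of commits) {
    for (const e of checkCommit(c, policy)) lines.push(`${c.sha.slice(0, 12)}: ${e}`);
  }
  return lines.length ? `push rejected by commit trailer policy:\n${lines.join('\n')}` : null;
}

// Constructed sample policy and commits (assumed shape, not real data).
const SAMPLE_POLICY = {
  requireSignOff: true,
  coAuthors: { mode: 'allowlist', allowed: ['*@company.com', 'noreply@anthropic.com'] },
};
const SAMPLE_COMMITS = [
  { sha: 'a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0', authorEmail: 'alice@company.com',
    message: 'feat: add widget\n\nSigned-off-by: Alice <alice@company.com>\nCo-Authored-By: Claude <noreply@anthropic.com>\n' },
  { sha: 'b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0a1', authorEmail: 'bob@company.com',
    message: 'fix: typo\n\nSigned-off-by: Alice <alice@company.com>\n' }, // signed off by someone else
  { sha: 'c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0a1b2', authorEmail: 'carol@company.com',
    message: 'chore: bump deps\n\nSigned-off-by: Carol <Carol@Company.com>\nCo-Authored-By: Mystery <someone@example.org>\n' },
];

console.log(checkPush(SAMPLE_COMMITS, SAMPLE_POLICY) ?? 'push accepted');
```

Two details matter in practice: the author match is case-insensitive on the email (git itself does not normalise case, but contributors frequently mix it), and a Co-Authored-By value without an angle-bracketed address is carried through verbatim so it fails an allowlist rather than silently passing.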
Labels: enhancement (New feature or request)