
Combating AI Slop: How Archestra Used Git's --author Flag to Stop Bot Spam

May 19, 2026

The rise of Large Language Models (LLMs) has brought a paradoxical challenge to open source: while AI can accelerate development, it has also enabled a flood of "AI slop"—low-quality, untested, and often hallucinated contributions that overwhelm maintainers. For the team at Archestra, this became a crisis when a $900 bounty for MCP Apps support attracted not just talented developers, but a swarm of AI bots.

What followed was a deluge of 253 comments on a single issue and 27 pull requests for a single provider integration, most of which were completely untested. The result was a "wall of noise" that buried legitimate contributors and forced team members to spend half a day every week simply cleaning up garbage.

The Failure of Traditional Filtering

Before turning to more drastic measures, the Archestra team attempted several standard mitigation strategies:

  • Reputation Bots: They built "London-Cat," a bot that calculated contributor reputation based on merged PRs. While helpful for identification, it didn't stop the influx of spam.
  • AI Sheriffs: They implemented an automated "AI sheriff" to close suspicious PRs, though this occasionally resulted in the accidental closure of legitimate contributions.

Ultimately, the team realized that as long as the barrier to entry was zero, AI bots would continue to exploit bounties and open issues to pump their own metrics or "farm" GitHub karma.

The "Nuclear Option": A Clever GitHub Hack

To reclaim their repository, Archestra implemented a strict onboarding process. However, GitHub lacks a native, granular whitelist for who can open PRs or leave comments. To solve this, the team leveraged a specific GitHub setting: "Limit to prior contributors."

Under this setting, only users who have previously committed to the main branch can interact with the repo. The challenge is that legitimate new contributors are also blocked by this rule. To bypass this, Archestra developed a workaround using Git's --author flag.

How the Whitelisting Works

Git distinguishes between the author (who wrote the code) and the committer (who applied the change to the repo). By using the --author flag, a maintainer can create a commit that is attributed to another user.

  1. Onboarding: A potential contributor completes a CAPTCHA and agrees to ethical AI rules on a dedicated website.
  2. Identification: A GitHub Action retrieves the user's unique GitHub ID via the API to find their noreply email address (<id>+<username>@users.noreply.github.com).
  3. Attribution: The system automatically creates a commit to main (e.g., updating an EXTERNAL_CONTRIBUTORS.md file) using the command: git commit --author="their-username <ID+their-username@users.noreply.github.com>" -m "chore: add user to external contributors"
  4. Activation: Because the user is now the author of a commit on main, GitHub recognizes them as a "prior contributor," granting them the ability to comment and open PRs.
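
Steps 2 to 4 above, as an added shell example that is not Archestra's code: it validates the ID and username before building the noreply author string, makes the --author commit in a throwaway repository, and prints the author and committer so the split is visible. The function names, bot identity, sample ID/username and the username character rules are assumptions.

```shell
#!/bin/sh
# Added example, not Archestra's code. Function names, the bot identity and
# the sample ID/username are hypothetical.
LC_ALL=C; export LC_ALL

# Build "username <id+username@users.noreply.github.com>". Both fields are
# validated first so form input cannot inject text into the commit header.
noreply_author() {
    id=$1; user=$2
    case $id in ''|*[!0-9]*) echo "bad id" >&2; return 1 ;; esac
    case $user in
        ''|-*|*-|*--*|*[!A-Za-z0-9-]*) echo "bad username" >&2; return 1 ;;
    esac
    [ "${#user}" -le 39 ] || { echo "username too long" >&2; return 1; }
    printf '%s <%s+%s@users.noreply.github.com>\n' "$user" "$id" "$user"
}

# Record the user in EXTERNAL_CONTRIBUTORS.md and commit with them as author.
# The committer stays the bot, so the log still shows who applied the change.
whitelist_commit() {
    repo=$1
    author=$(noreply_author "$2" "$3") || return 1
    printf '%s\n' "- $3" >> "$repo/EXTERNAL_CONTRIBUTORS.md"
    git -C "$repo" add EXTERNAL_CONTRIBUTORS.md &&
    git -C "$repo" -c user.name=onboarding-bot -c user.email=bot@example.invalid \
        commit -q --author="$author" -m "chore: add user to external contributors"
}

# Print "author email|committer email" for the latest commit.
head_identities() { git -C "$1" log -1 --format='%ae|%ce'; }

# Percentage of commits on HEAD that touch the onboarding file, i.e. how much
# of the history is whitelisting bookkeeping.
onboarding_share() {
    total=$(git -C "$1" rev-list --count HEAD)
    noise=$(git -C "$1" rev-list --count HEAD -- EXTERNAL_CONTRIBUTORS.md)
    echo $(( noise * 100 / total ))
}

demo() {
    tmp=$(mktemp -d) && git init -q "$tmp" || return 1
    whitelist_commit "$tmp" 1234567 octo-dev   # constructed ID and username
    head_identities "$tmp"
    onboarding_share "$tmp"
    rm -rf "$tmp"
}
command -v git >/dev/null 2>&1 && demo
```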

Community Perspectives and Counterpoints

The approach sparked significant debate on Hacker News, highlighting the broader tension between AI productivity and repository health.

Security and Technical Concerns

Some users pointed out that this hack might introduce security risks. As one commenter, @captn3m0, noted:

"Contributors to a repository have higher rights, such as avoiding approval requirements for fork PR runs... A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer."

Additionally, some questioned the long-term viability of the solution. @optionalsquid observed that the spam hadn't disappeared but had simply shifted from PRs to the commit history, noting that over 10% of the repo's commits were now essentially noise generated by the onboarding process.

The "Bounty" Problem

There is a strong sentiment that financial incentives in open source may be the root cause of the "slop." @jart argued that rewards should focus on respect and recognition rather than money, which attracts anonymous accounts and bots:

"Reward people with respect and recognition instead. Weird anonymous accounts no one's ever heard of will leave, because someone (or something) who's concealing their identity has nothing to gain from recognition."

Others suggested a "Pfand" (deposit) system, where contributors pay a small fee to submit a PR, which is refunded upon acceptance, creating a financial barrier that bots cannot easily overcome.

The Broader Impact on Open Source

This situation underscores a growing divide between the metrics reported by platforms like GitHub—which may celebrate "massive growth" in contributions—and the actual experience of maintainers. When AI-generated activity is counted as "contribution," the data becomes a vanity metric that obscures the degradation of quality.

For the Archestra team, the choice was clear: prioritize the quality of the human conversation over the quantity of AI-generated noise. While the workaround is esoteric, it reflects a necessary evolution in how open source projects must defend their boundaries in the age of LLM-driven automation.
