The problem
AI coding agents are everywhere. Copilot, Cursor, Claude Code, Codex -- they're writing code in repos with no AI policy.
Most repos have a LICENSE file. Many have CONTRIBUTING.md. Almost none have an AI policy.
Can a contributor submit AI-generated code? Does it need review? Can agents modify CI pipelines? Should the project opt out of training data collection?
What projects are doing about it
A few projects already check these files into their repos:
- AI_POLICY.md declares how AI tools interact with the codebase -- what's permitted, how AI-generated code is handled, training data preferences.
- AGENTS.md gives AI coding agents their operating instructions -- code style, testing requirements, restricted paths, commit conventions. The AGENTS.md spec is already supported by Codex, Copilot, and Cursor.
- CLAUDE.md configures Claude Code specifically, referencing the AGENTS.md rules.
Projects like CloudNativePG, Kyverno, and Kubewarden already ship these files.
aipolicy: a generator for these files
aipolicy.1mb.dev generates all three files from presets.
Three presets:
- Open -- AI tools welcome, no restrictions
- Standard -- AI-assisted code requires human review
- Strict -- AI tools restricted, explicit maintainer approval
The URL encodes your configuration, so you can share a direct link to your exact setup:
https://aipolicy.1mb.dev/?preset=standard&ai_usage=restricted&training_optout=yes
CLI works too (quote the URL so curl, not the shell, expands the braces and -O applies to all three files):
curl -O "https://aipolicy.1mb.dev/presets/standard/{AI_POLICY,AGENTS,CLAUDE}.md"
Why bother?
Even for solo projects:
- Contributors and AI agents know the rules before submitting code
- The project's training data position is explicit, not assumed
For teams, it turns the "should we allow Copilot on this repo?" conversation into a file that's checked in next to your LICENSE.
AGENTS.md and CLAUDE.md aren't just documentation -- agents actually read them. It's closer to .editorconfig than to a code of conduct.
The tool itself
No framework, no build step, no backend. Vanilla HTML, CSS, and JavaScript running on GitHub Pages. MIT licensed.
- Web: aipolicy.1mb.dev
- Source: github.com/1mb-dev/aipolicy
Top comments (5)
Policy files as a pattern makes a lot of sense - it externalizes the governance layer so you can version it and review it separately from the code. The generator approach is smart too, better than everyone hand-rolling their own from scratch and getting different things. I have been thinking about this from a PM angle: who owns the policy file on a team? Feels like it should be product but ends up being whoever set up the agent.
Same thing that happened with Dockerfiles and CI configs. Nobody owns it until someone notices it's wrong. In practice that's whoever reviews PRs.
The PR reviewer default is so true. Nobody owns the meta layer until something goes wrong. Then everyone owns it retroactively.
Really interesting that we're seeing the emergence of a standard here. The parallel to LICENSE and CONTRIBUTING.md is apt — these started as "nice to have" and became essential repo hygiene.
One thing I've noticed working with AGENTS.md in practice: the hardest part isn't declaring what agents can/can't do, it's keeping the policy current as the tooling evolves. A generator that can version these files and flag when new capabilities emerge (like a new agent that supports CI modification) would be incredibly useful.
Curious whether you've seen any projects doing automated compliance checks — like a CI step that validates AI-generated PRs against the repo's AI policy.
Version drift is the harder problem. aipolicy generates a snapshot right now - you configure, you get a file. A mode that diffs against the previous version and flags when new agent capabilities show up is on my list but not built yet.
On CI enforcement - the closest I've seen is repos linting for AGENTS.md presence, like they lint for LICENSE. But that's "does the file exist" not "does the PR comply with it." The actual enforcement step - validating that a PR respected the policy boundaries - needs the CI to parse what the policy permits and compare against what changed. Nobody's doing that well yet, as far as I know.
If you've seen anything closer, I'd want to look at it.
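The enforcement step discussed in the comments above (parse what the policy restricts, then compare against what a PR changed), as an added example that is not part of the original post, the thread, or the aipolicy project. The "Restricted paths" section layout, the `ai_assisted` flag, and all function names are assumptions made for illustration; AGENTS.md does not define such a layout on this page.

```python
"""Sketch of a CI gate: compare a PR's changed paths with AGENTS.md rules.
ASSUMPTIONS (not from the page or the aipolicy project): restricted globs are
backticked bullets under a "Restricted paths" heading, and CI already knows
whether the PR is AI-assisted (for example from a label)."""
import re
from fnmatch import fnmatchcase

POLICY_FILES = ("AI_POLICY.md", "AGENTS.md", "CLAUDE.md")  # named on the page

def restricted_globs(agents_md):
    """Collect backticked bullet items from the 'Restricted paths' section."""
    globs, in_section = [], False
    for line in agents_md.splitlines():
        if line.startswith("#"):
            in_section = "restricted paths" in line.lower()
        elif in_section:
            m = re.match(r"\s*[-*]\s+`([^`]+)`", line)
            if m:
                globs.append(m.group(1))
    return globs

def check_pr(base_files, base_agents_md, changed, ai_assisted):
    """Return findings (empty list = pass). Read base_agents_md from the base
    branch so a PR cannot relax the rules it is checked against."""
    findings = [f"missing policy file: {f}" for f in POLICY_FILES if f not in base_files]
    if not ai_assisted:
        return findings
    globs = restricted_globs(base_agents_md)
    if not globs:  # fail closed: no parseable rules means nothing was enforced
        findings.append("no restricted paths found in AGENTS.md")
    for path in changed:
        if path in POLICY_FILES:
            findings.append(f"policy file changed: {path}")
            continue
        # fnmatchcase's "*" also crosses "/", so "dir/*" covers subdirectories
        rule = next((g for g in globs if fnmatchcase(path, g)), None)
        if rule:
            findings.append(f"restricted path touched: {path} (rule {rule})")
    return findings

# Constructed sample input, not taken from any real repository.
SAMPLE_AGENTS_MD = """# AGENTS.md
## Restricted paths
- `.github/workflows/*`
- `deploy/secrets/*`
## Commit conventions
- Use conventional commits
"""
SAMPLE_CHANGED = ["src/app.py", ".github/workflows/ci.yml", "AGENTS.md"]
```

In a pipeline, `changed` would come from `git diff --name-only` against the base branch, and a non-empty findings list would fail the job.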