// the find
mitchellh/vouch
A community trust management system based on explicit vouches to participate.
Vouch is a contributor allowlist system for open-source projects, built specifically to push back against AI-generated spam PRs and issues. You maintain a flat file of trusted contributors; GitHub Actions enforce it at the PR/issue gate. Mitchell Hashimoto built it for Ghostty and extracted it into a standalone tool.
The vouched file format is genuinely simple: one username per line, optionally prefixed with a platform, with a leading minus sign to denounce rather than vouch. Any POSIX tool can parse it without a library. The GitHub Actions integration is well thought out: bots and write-access collaborators are bypassed automatically, so you won't accidentally lock out your own CI or co-maintainers. Defaulting every mutating CLI command to dry-run is the right call; you have to opt in explicitly to writing changes. The CODEOWNERS sync action is a nice touch that seeds the trust list from the project's existing structure.
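As an added illustration of the format described above (not code from the vouch project), here is a POSIX shell lookup that classifies a contributor as vouched, denounced or unknown and a gate function built on it. The `platform:user` colon syntax, blank-line skipping, "no prefix matches any platform" and "denounce wins" rules are assumptions; the page only says the format has an optional platform prefix and a minus sign to denounce.

```shell
#!/bin/sh
# Constructed sample vouched file. The "platform:user" colon syntax and
# blank-line skipping are assumptions about the format; the leading "-"
# is the denounce marker the page describes.
VOUCHED_FILE=$(mktemp)
printf '%s\n' 'alice' 'github:bob' '' '-mallory' '-github:eve' 'carol' > "$VOUCHED_FILE"

# vouch_status FILE PLATFORM USER
# Prints "vouched", "denounced" or "unknown" for USER on PLATFORM.
# Rules (assumed): an entry with no platform prefix matches on any
# platform; a denounce line wins over a vouch line for the same user.
vouch_status() {
    awk -v platform="$2" -v user="$3" '
        /^[[:space:]]*$/ { next }                      # skip blank lines
        {
            entry = $1; denounce = 0; plat = ""
            if (substr(entry, 1, 1) == "-") { denounce = 1; entry = substr(entry, 2) }
            if ((i = index(entry, ":")) > 0) { plat = substr(entry, 1, i - 1); entry = substr(entry, i + 1) }
            if (entry != user || (plat != "" && plat != platform)) next
            if (denounce) found = "denounced"
            else if (found != "denounced") found = "vouched"
        }
        END { print (found == "" ? "unknown" : found) }
    ' "$1"
}

# pr_gate FILE PLATFORM USER
# Exit status 0 lets the PR or issue through, 1 holds it for review.
# The real action bypasses bots and write-access collaborators before
# this lookup; only the allowlist check itself is modelled here.
pr_gate() {
    [ "$(vouch_status "$1" "$2" "$3")" = "vouched" ]
}

if pr_gate "$VOUCHED_FILE" github alice; then echo "alice: allowed"; fi
if ! pr_gate "$VOUCHED_FILE" github mallory; then echo "mallory: held"; fi
```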
The whole thing is written in Nushell, which means every GitHub Actions runner has to install Nushell before doing anything (the setup-vouch action handles this, but it is still an unusual runtime dependency for CI). The trust model has no concept of delegation levels: a vouched user can't vouch for others, only collaborators can, so growing a large community still bottlenecks on maintainers. The .td format is currently undocumented beyond this repo, so any external tooling that wants to interoperate with it is guessing at the spec until Trustdown is formally published. There's no audit trail baked into the system beyond git history; you can't easily answer 'who vouched for this person and why' without grepping commit messages.