AI & Development 6 min read

Day 6: Co-Author Signature and Copyright Risk

The agent started signing commits as co-author. It seemed harmless — until I started asking what it means from a copyright perspective.

What is a co-author signature

A git commit has a convention called Co-authored-by: — a tag in the commit message that lists additional contributors. Cursor IDE, GitHub Copilot and a number of other tools started using this convention to label AI as a co-author.

It typically looks like this: 

feat: implement user authentication

Co-authored-by: Claude <claude@anthropic.com>

On day six I discovered that the orchestrator was automatically adding this tag to every commit. The setting was inherited from the IDE's default configuration.

Cursor prompt leaks

Around the same time, the security community saw leaks of system prompts from Cursor IDE. These prompts, among other things, instructed the model on how to add co-author signatures — and also contained conditions under which it should not add them.

A system prompt leak isn't necessarily a data security incident, but it highlights how little developers know about what their AI tools are doing in the background. A co-author signature might just be a git tag — or it might be the first step toward a legal dispute over code ownership.

USCO and copyright of AI-generated code

The U.S. Copyright Office (USCO) has repeatedly confirmed its position: AI-generated content without significant human creative contribution is not eligible for copyright protection in the US. If the agent wrote the code and the human merely approved the result, copyright protection is at least debatable.

The EU situation is different — the Directive on Copyright in the Digital Single Market and GDPR don't address this question directly, and case law is still being established. But the outcome is similar: legal uncertainty.

For companies building proprietary software, this is not an academic question. If your code isn't protected by copyright, competitors can legally copy it.

How we solved the problem

The fix was technically simple: disable the co-author signature in the orchestrator and Cursor IDE configuration. No hook, no post-processing — just removing a default setting I didn't know was there.

From that point on, commit messages contain no reference to AI. The code is produced with AI assistance, but the author is the developer — and the commit reflects that.

Recommendation: Check the configuration of your AI IDE. If you use Cursor, GitHub Copilot or a similar tool, verify whether it's automatically adding co-author signatures. The setting is usually in git hooks or in the tool's configuration.

Broader implications for teams

This incident raised a question every team working with agentic AI development should ask: who is the author of the code?

Technical answer: the author is whoever pressed commit. Legal answer: depends on jurisdiction, degree of human creativity, and what the contract with the AI tool provider says. Practical answer: establish an internal policy before a problem arises.

Want to see how business processes can be automated? Book a consultation — we start where vibe-coding ends.

In the next episode

Day 7: The experiment finale. Semi-automatic mode with hooks, code quality assessment and what to take away from the full week.