Microsoft's default Copilot attribution puts a metadata flag in your git history. That flag is forgeable, copyright-ambiguous, and tells you nothing about who actually authorized the change. The attribution problem needs a different abstraction. VS Code 1.118 shipped with a default: when Copilot contributes to a commit, the commit automatically gets Co-Authored-By: GitHub Copilot <copilot@github.com> in its trailer. Opt-out, not opt-in. 682 points on Hacker News. 317 comments. The loudest objection in the thread: "I can add that line manually. What does it prove?" That question deserves an actual answer. What "Co-Authored-By" Actually Is Co-Authored-By is a git commit trailer — a key-value pair appended after the commit message body. GitHub renders it, but git itself treats it as freeform text. There is no cryptographic binding between the trailer and the commit content. No signature. No verification.…