docs(policy): add AI contribution policy

[lmeyerov]

Summary

Adds repository AI contribution governance as a dedicated policy document.

Changes

• Adds new AI_POLICY.md with:
  • AI-assisted contribution expectations
  • autonomous contribution eligibility and scope limits
  • disclosure requirements
  • quality workflow and local-vs-CI validation expectations
  • reviewer/merge ownership and enforcement rules
• Adds a link to AI_POLICY.md in CONTRIBUTING.md.

Notes

• This is docs-only policy work.
• No code paths or runtime behavior changed.

Validation

• Docs-only change; no code execution required.

[lmeyerov]

Plan Attachment (Uncommitted)

Per policy requirement, attaching working plan without committing it:
plans/ai-policy-v2-tightening/plan.md

0-8 Coverage Summary

• 0: good-first-issue explicitly allowed for autonomous
• 1: autonomous eligibility relaxed to issue labeled help wanted, good-first-issue, and/or ai-friendly + disclosure + validation
• 2: AI-assisted disclosure now requires harness + model
• 3: autonomous disclosure requires harness + model + attached plan
• 4: policy now requires using ai/prompts/PLAN.md when viable and attaching uncommitted plan to PR
• 5: label section updated to reflect current repo labels plus optional future control labels
• 6: policy now prefers smaller and stacked AI PRs
• 7: policy now requires repeat-until-stable validation loops incl. audit/prioritize + red->green
• 8: policy rewritten shorter and more directly actionable

Attached Plan Content

# AI Policy V2 Tightening Plan
🔴 COLD START: reload skill first -> `agents/skills/plan/SKILL.md`
File: `plans/ai-policy-v2-tightening/plan.md` | Date: 2026-04-08 PDT | Branch: `docs/ai-contribution-policy` | PR: #1109 | Base: master @ 75110a5a2

## Context (read-only)
**Prompt**: tighten AI policy with requested changes 0-8; shorten policy; iterative validation loops; attach uncommitted plan to PR.
**Goal**: revise `AI_POLICY.md` and related docs to reflect requested governance changes while increasing readability and enforceability.
**Done when**: all items 0-8 are explicitly handled and validated.
**Constraints**:
- Do not commit plan files under `plans/`
- Keep changes on PR branch, not master
- Attach plan to PR

## Strategy
1. Convert request into explicit acceptance checklist (0-8).
2. Rewrite `AI_POLICY.md` to shorter, clearer structure and updated rules.
3. Validate in loops: spec-conformance audit, lint/testing rationale, DRY/professionalism, security.
4. Update PR with attached plan and summary of coverage.

## Acceptance Checklist
0. `good first issue` allowed for autonomous.
1. Autonomous eligibility less restrictive: issue labeled `help wanted`, `good-first-issue`, and/or `ai-friendly` + disclosure + verification.
2. AI-assisted disclosure includes harness + model.
3. Autonomous disclosure requires harness + model + plan.
4. Prefer `ai/prompts/PLAN.md` template when viable; do not commit plan.md; attach to PR.
5. Label meanings should reflect current/real labels.
6. Prefer smaller AI PRs; stacked when appropriate.
7. Validation must loop repeatedly; include audit/verify/prioritize step; red->green TDD style where applicable.
8. Shorten policy for agent readability.

## Status
⬜ TODO · 🔄 IN_PROGRESS · ✅ DONE · ❌ FAILED

## Steps

#### Step 1: Baseline and checklist mapping
✅ | Do: map user asks to policy edits and repo label reality | OK: explicit checklist and labels captured
Result:
- Current labels confirmed: `help wanted`, `good-first-issue`, `ai-friendly`, `security` exist.
- `ai:autonomous-ok` / `ai:autonomous-blocked` / `ai:autonomous` do not currently exist.
- Existing policy violates requested items 0,1,5,8 and partially 2,3,4,6,7.

#### Step 2: Rewrite policy text (shorter + requested semantics)
✅ | Do: edit `AI_POLICY.md` for 0-8 and concise structure | OK: first revised draft complete
Result:
- Rewrote `AI_POLICY.md` into shorter structure (13 sections, 209 lines, down from ~261).
- Applied requested semantic changes:
  - `good-first-issue` explicitly allowed for autonomous.
  - autonomous eligibility relaxed to issue labeled `help wanted`, `good-first-issue`, and/or `ai-friendly` + disclosure + validation loop.
  - AI-assisted disclosure now explicitly requires harness + model.
  - Autonomous disclosure requires harness + model + execution plan.
  - Added explicit requirement to use `ai/prompts/PLAN.md` when viable, keep plan uncommitted, attach to PR.
  - Added explicit preference for smaller/stacked AI PRs.
  - Added repeat-until-stable validation loop with audit/verify/prioritize + red->green workflow.
  - Label section now split into \"current labels\" and \"optional future control labels\".

#### Step 3: Update cross-doc references if needed
✅ | Do: verify `CONTRIBUTING.md` and `AGENTS.md` alignment with new policy semantics | OK: links and wording aligned
Result:
- `CONTRIBUTING.md` links to `AI_POLICY.md`.
- `AGENTS.md` references `AI_POLICY.md` for governance vs operational behavior.
- No additional cross-doc edits required for this pass.

#### Step 4: Iterative validation loop #1 (spec conformance)
✅ | Do: audit revised text against checklist 0-8 and fix gaps | OK: zero checklist gaps
Result:
- Initial audit found one wording issue: autonomous section still framed as \"all of the following\".
- Fixed to \"Baseline autonomous eligibility\" + separate statement that standard merge gates (CI + human maintainer approval) still apply.
- Re-audited checklist 0-8: all items now explicitly covered.

#### Step 5: Iterative validation loop #2 (quality/security/DRY readability)
✅ | Do: re-audit for duplication, ambiguity, enforcement clarity, security boundaries; apply prioritized fixes | OK: fresh pass yields no significant actionable hints
Result:
- Pass 2 checks:
  - Readability/length reduction achieved while preserving enforceable requirements.
  - Duplication reduced by consolidating definitions/flows.
  - Security boundaries retained in scoped \"not autonomous-safe by default\" list.
  - Validation loop now explicitly iterative and audit-first.
- No further significant policy-level improvements identified in this iteration.

#### Step 6: Attach uncommitted plan to PR + update PR summary
🔄 | Do: attach this plan to PR #1109 and summarize handled items | OK: plan attached and mapping visible in PR

#### Step 7: Final verification
⬜ | Do: verify git state, PR state, and checklist closure | OK: all 0-8 explicitly marked handled