AGENTS.md moved AI performance up a model tier. Package trust needs the same.
AugmentCode studied AGENTS.md files across real codebases. Best result: a quality jump equivalent to upgrading from Haiku to Opus. The same principle that solved AI documentation discovery hasn’t been applied to npm package trust yet.
AugmentCode analyzed dozens of AGENTS.md files across real codebases. The best result: a performance jump equivalent to upgrading from Claude Haiku to Opus. Same model, same task, one structured context file.
The discovery data explains why:
- Root-level AGENTS.md: 100% agent discovery
- Directory-level READMEs: 80%+
- Nested READMEs: 40%
- Orphaned /docs folders: under 10%
The agent didn’t fail to understand the documentation. It never found it. A decision table at the root beat a thorough narrative buried three folders deep. Decision tables improved the best_practices metric 25%. Real codebase examples improved code_reuse 20%.
Since August 2025, over 60,000 open-source projects have adopted AGENTS.md. Developers built a convention around a discovery problem, submitted it to the Linux Foundation, and the ecosystem followed.
The pattern is familiar. HTML schema markup, robots.txt, llms.txt: each is a structured signal placed where a machine consumer expects to find it. Different layers, same mechanism. Put the context where the decision happens.
There is a layer missing this treatment.
When an AI agent installs an npm package — in Claude Code, in a CI pipeline, in an autonomous coding session — what trust signal is available? No behavioral score, no maintainer history, no commitment record. The agent reads the package name, maybe the README, and installs.
This gap is not new. Event-stream ran compromised for two months before detection. The axios compromise showed zero issues in npm audit while every structural risk indicator was in the red. The signals existed. They were not structured or placed where decisions happen.
The 60,000 repos that adopted AGENTS.md didn’t wait for IDE toolchains to fix the documentation discovery problem. They wrote the context file and put it at the root.
The same move is available at the package layer. A behavioral score at install time, surfaced where the agent actually chooses — not buried in a security blog or a stale GitHub issue.
That’s what Commit is.