'%3e%3cpath%20d='M121%202C187.274%202%20241%2055.7258%20241%20122C241%20180.73%20198.809%20229.603%20143.084%20239.97V149.692H143.085V163.781C143.085%20154.334%20148.851%20150.652%20156.073%20148.427C157.161%20148.168%20158.234%20147.871%20159.291%20147.538C159.307%20147.534%20159.324%20147.529%20159.341%20147.525H159.33C177.858%20141.661%20191.376%20124.531%20191.841%20104.175H191.854V103.18C191.854%20103.15%20191.854%20103.121%20191.854%20103.092V91.1699C191.854%2091.1466%20191.854%2091.1229%20191.854%2091.0996V89.3594C191.854%2079.5641%20185.445%2073.4144%20175.598%2073.4141C165.75%2073.4142%20159.341%2079.5639%20159.341%2089.3594V102.883C159.32%20108.986%20154.367%20113.928%20148.259%20113.929C145.402%20113.929%20143.086%20111.613%20143.086%20108.757V74.9141H143.084V62.6289C143.084%2049.5367%20134.54%2041.3174%20121.409%2041.3174C108.279%2041.3177%2099.7344%2049.537%2099.7344%2062.6289V141.307C99.7139%20144.145%2097.4069%20146.441%2094.5635%20146.441C88.4427%20146.441%2083.4801%20141.479%2083.4795%20135.358V136.688H83.4785V121.872C83.4785%20112.076%2077.0695%20105.927%2067.2217%20105.927C57.3743%20105.927%2050.9658%20112.077%2050.9658%20121.872V136.688H50.9795C51.4442%20157.043%2064.9624%20174.173%2083.4902%20180.038H83.4785C83.4972%20180.043%2083.5165%20180.048%2083.5352%20180.053C84.5873%20180.385%2085.6563%20180.68%2086.7393%20180.938C93.9371%20183.154%2099.6897%20186.814%2099.7344%20196.184V240.121C43.6041%20230.083%201%20181.017%201%20122C1%2055.7258%2054.7258%202%20121%202ZM67.2227%20113.929C72.0107%20113.929%2075.8924%20117.811%2075.8926%20122.599C75.8924%20127.387%2072.0106%20131.268%2067.2227%20131.269C62.4347%20131.268%2058.5529%20127.387%2058.5527%20122.599C58.5529%20117.811%2062.4347%20113.929%2067.2227%20113.929ZM175.598%2081.416C180.386%2081.4164%20184.267%2085.298%20184.268%2090.0859C184.267%2094.8739%20180.386%2098.7555%20175.598%2098.7559C170.81%2098.7557%20166.928%2094.8741%20166.928%2090.0859C166.928%2085.2979%20170.81%2081.4161%20175.598%2081.416ZM121.409%2051.0713C127.394%2051.0714%20132.246%2055.9231%20132.246%2061.9082C132.246%2067.8935%20127.394%2072.746%20121.409%2072.7461C115.424%2072.7458%20110.571%2067.8934%20110.571%2061.9082C110.572%2055.9232%20115.424%2051.0716%20121.409%2051.0713Z'%20fill='currentColor'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_475_9215'%3e%3cpath%20d='M0.5%20120.5C0.5%2054.2258%2054.2258%200.5%20120.5%200.5V0.5C186.774%200.5%20240.5%2054.2258%20240.5%20120.5V120.5C240.5%20186.774%20186.774%20240.5%20120.5%20240.5V240.5C54.2258%20240.5%200.5%20186.774%200.5%20120.5V120.5Z'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
TECHNICAL WRITING
Agent Blame: A Deep Dive into Line-Level AI Code Attribution
January 26, 2026 · Murali Varadarajan
AI is writing more of our code than ever. Once it is committed, we lose visibility into where it came from and how much scrutiny it received.
Agent Blame adds line-level AI attribution to your repo and carries that attribution forward with commits, so you can review and debug with better context and you can measure adoption with real numbers.
Git blame tells you who committed a line. It does not tell you whether the line was human-authored or produced by an agent.
This creates real problems:
- Code review becomes guesswork. Was this logic intentionally designed, or accepted without scrutiny?
- Debugging loses context. Provenance changes how you investigate failures.
- Evaluating AI tools is vibes. Is Claude better than GPT-4 for your codebase? Without data, you're guessing.
- Knowledge transfer suffers. Junior devs learn from codebases. Are they absorbing an engineer's intent or an AI's defaults?
What we Built
At Mesa, we built Agent Blame to make AI-assisted code visible after it lands in git.
Agent Blame has two surfaces:
CLI
Line-level attribution in the terminal by combining git blame with attribution stored in git notes.
- In the screenshot, attribution appears next to each AI-written line, including the IDE and model used; human-written lines are unmarked.
- In the screenshot footer, we display the AI vs. human composition for the file as a percentage.
Chrome Extension
The Chrome extension brings attribution into GitHub in two places.
PR Line Markers
Inline markers in GitHub PR diffs. Hover shows provider, model, and confidence. Also shows a PR-level summary, including AI percentage.
Analytics Dashboard
A repo-level view in GitHub Insights that tracks AI percentage and trends, broken down by tool, model, and contributor.
- Repository-wide AI percentage
- Breakdown by tool (Cursor vs Claude Code vs OpenCode)
- Breakdown by model (GPT-4o, Claude Opus, Sonnet, etc.)
- Per-contributor statistics
- PR history with trends
All updated automatically on merge.
How it actually works
This is not a "detector." We don't guess after the fact whether a line looks AI-written.
Instead, we capture provenance at the moment an agent edits a file, then attach that provenance to what lands in git.
Two constraints shaped everything:
- No backend: Attribution lives with the code and is readable from a clone.
- Precision-first: We'd rather miss attribution than incorrectly label human-authored work.
Here's the end-to-end pipeline:
Capture Phase
Cursor, Claude Code, and OpenCode expose hooks that fire when an agent edits a file. We intercept those events. Each tool gives slightly different raw data (strings vs patches vs full file snapshots), so we normalize them into the same internal representation: the set of newly added lines.
For each added line, we compute two SHA256 hashes:
- An exact hash
- A normalized hash with whitespace stripped
We store those hashes in a local SQLite database as pending edits. At this point, the agent produced the line, but it has not been committed.
Match Phase
On commit, a post-commit hook parses the commit diff, finds which lines were actually added, hashes them, and looks them up in the pending-edit store.
Matching rules:
- Exact match → confidence 1.0
- Normalized match → confidence 0.95
When we find a match, we write attribution to git notes for that commit: file path, line range, provider, model, and confidence.
Analytics Phase
A GitHub Actions workflow runs on merge. It addresses the practical problem that squash and rebase merges create new commit SHAs, which can otherwise orphan attribution.
On merge, the workflow:
- Detects merge type (merge commit vs squash vs rebase)
- Transfers attribution to the final commit(s) using content-based matching
- Aggregates metrics (AI lines vs total added lines), with breakdowns by provider, model, and contributor
- Writes aggregates into a stable notes ref so the analytics surface can render trends over time
Display Phase
Everything reads from git:
- The CLI merges git blame output with git notes attribution
- The Chrome extension fetches notes and injects markers into PR diffs
- The dashboard reads aggregate notes and renders trends in GitHub Insights
Nothing requires a separate backend, and nothing needs to phone home.
Why this architecture?
There are two obvious ways to build attribution:
- A centralized service + database that receives events and serves attribution back.
- A repo-native approach where attribution travels with the code.
A service makes cross-repo analytics and policy enforcement easier, but it also becomes a dependency: accounts, availability, data retention, security reviews, and a "source of truth" that lives outside the repo.
We picked the repo-native route for a simple reason: provenance should be inspectable wherever the code is inspectable. If you can clone a repo, you should be able to answer "where did this come from?" without logging into anything or being online.
Why git notes
Git notes let us attach metadata to commits without rewriting history. They're first-class git objects (refs pointing to objects), which means attribution is:
- versioned and reviewable,
- compatible with existing git tooling,
- and auditable in the same way as the code it annotates.
Operational reality: notes are refs, so they propagate like refs. Teams can either push/fetch the notes ref explicitly, or configure remotes to include it by default. When notes aren't available, the UI degrades to "unknown" rather than guessing.
Design principle: precision over recall
Agent Blame is intentionally conservative. If you rename variables, restructure logic, or rework AI output before it hits git, the final code is human-authored and reviewed from the repository's perspective. We treat it that way.
That principle drives the matcher: false attribution is worse than missing attribution. So we will miss some cases by design:
- heavily edited output won't match,
- changes introduced outside hook capture won't be attributed.
Those misses are acceptable because the system's value comes from trustworthy signals in review, not perfect coverage.
Agent Blame is open source
We would love feedback, especially if you find edge cases that break things.