Say all you want about the inferior efficiency and so on, but if nothing else they have proven that it's viable, even commercially. So the rare earths are really not as vital as they have been made out to be.
If you compare this situation to before AI could successfully pretend to be human, it's not THAT much different. FOSS projects have always had to be mindful of the possibility of contributions from hostile parties wanting to add back doors and such. The only difference now is that an AI can overwhelm a maintainer with slop, in either commend or code form, or both.
A voluntary model would be nice - what X (more or less) does currently. You can elect to be verified by X, and it will show the badge, or you can opt out and not get the badge, but you can still use it.
If phones could reliably tag an incoming call as "ID provided" or not, then people who cared could screen calls appropriately, and people who wanted to protect their identity could still have a phone.
I did this with two scripts - one that produces and cached sha1 sums of files, and another that consumes the output of the first (or any of the *sum progs) and produces stats about duplicate files, with options to delete or hard-link them.
I find myself doing this all the time now
I will temporarily add a line to cause a fatal error, to check that it's the right file (and, depending on the situation, also the right line)
Maybe a combination of private fork with comments and separate markdown files with notes (maybe in the same private fork)
Consider using special "symbols" in comments like "MYDOCS_XXX" that you search for in your modified version of the code base, and refer to in other places. These will survive renames of function names etc by the upstream authors.