diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..d429c55 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,66 @@ +# Contributing to Provenance + +Thanks for your interest in helping build Provenance. This document covers how to contribute and the one legal step we ask of every contributor. + +## A note on the license + +Provenance is **source-available** under the [Business Source License 1.1](LICENSE), not (yet) open source. It is free for personal, family, and non-commercial use, and each release converts to AGPL-3.0 four years after it ships. Contributing does not change those terms. Please make sure you're comfortable with the license before sending a change. + +## Developer Certificate of Origin (DCO) + +We use the [Developer Certificate of Origin](https://developercertificate.org/) instead of a heavier contributor agreement. It's a lightweight, well-understood mechanism (the same one the Linux kernel uses) that lets you certify you have the right to submit your contribution. + +In practice: **sign off every commit.** Add a `Signed-off-by` line by committing with `-s`: + +```sh +git commit -s -m "Your message" +``` + +That appends a line like: + +``` +Signed-off-by: Your Name +``` + +By signing off, you certify the statement at — in short, that the contribution is yours to give (or you have the right to submit it) and that you understand it will be distributed under the project's license. Commits without a sign-off can't be merged. + +> Why DCO and not just a handshake: it keeps the project's licensing chain clean, so the maintainer can relicense or dual-license in the future (for example, the planned conversion to AGPL-3.0, or a possible first-party hosted offering) without having to track down every past contributor. + +## Before you start + +- **Open an issue first** for anything beyond a small fix. Describe the use case, not just the proposed change — Provenance is opinionated about UX for casual users, and context helps. +- Check [docs/PRD.md](docs/PRD.md) to see where a feature fits in the roadmap and whether it's currently in or out of scope. 
+- For anything touching **privacy, the AI assistant's write path, or the hint-matching engine**, expect extra scrutiny. These are the areas where mistakes do real harm, so changes there need a clear design discussion before code. + +## Development setup + +> The stack is still standing up; this section will firm up as Phase 0 lands. The shape: + +- **Frontend:** Next.js + React + TypeScript + Tailwind + shadcn/ui +- **Backend:** Python + FastAPI +- **Database:** PostgreSQL +- **Object storage:** S3-compatible (MinIO locally) +- Everything is container-native and configured via environment variables. + +Local development runs via the project's compose stack. See the `README` and `docs/` for current instructions as they're published. + +## Pull request guidelines + +- Keep PRs focused — one logical change per PR. +- Reference the issue the PR addresses. +- Every commit signed off (`-s`); see DCO above. +- Include tests for new behavior where a test surface exists. +- Update docs (including the PRD if scope changes) in the same PR. +- Write clear commit messages: a concise summary line, then a body explaining *why* if it isn't obvious. + +## Reporting security and privacy issues + +Please **do not** open a public issue for a security vulnerability or a privacy-leak concern (especially anything that could expose living people's data or break the hint-matching anonymity guarantees). Report it privately to the maintainer so it can be fixed before disclosure. + +## Code of conduct + +Participation in this project is governed by the [Code of Conduct](CODE_OF_CONDUCT.md). By taking part, you agree to uphold it. + +--- + +*Provenance is built in the open, commit by commit. Thanks for being part of it.*
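Review bot: in the DCO section the sentence "By signing off, you certify the statement at" has nothing after "at", so contributors are never pointed at the text they are certifying; link the DCO (https://developercertificate.org/ is already linked at the top of the section) or quote the certification inline. In the same section, the sample output `Signed-off-by: Your Name` omits the email address that `git commit -s` actually appends (`Signed-off-by: Your Name <you@example.com>`), and since the file states that commits without a sign-off "can't be merged", it should say how that is enforced (a DCO status check on pull requests, or a local commit-msg hook) so contributors find a missing sign-off before review rather than after. Under "Reporting security and privacy issues", "Report it privately to the maintainer" names no channel; add a contact address or point to a SECURITY.md so a reporter is not forced to guess and fall back to a public issue.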