# Contributing to Provenance

Thanks for your interest in helping build Provenance. This document covers how to contribute and the one legal step we ask of every contributor.

## A note on the license

Provenance is **source-available** under the [Business Source License 1.1](LICENSE), not (yet) open source. It is free for personal, family, and non-commercial use, and each release converts to AGPL-3.0 four years after it ships. Contributing does not change those terms. Please make sure you're comfortable with the license before sending a change.

## Developer Certificate of Origin (DCO)

We use the [Developer Certificate of Origin](https://developercertificate.org/) instead of a heavier contributor agreement. It's a lightweight, well-understood mechanism (the same one the Linux kernel uses) that lets you certify you have the right to submit your contribution.

In practice: **sign off every commit.** Add a `Signed-off-by` line by committing with `-s`:

```sh
git commit -s -m "Your message"
```

That appends a line like:

```
Signed-off-by: Your Name
```

By signing off, you certify the statement at — in short, that the contribution is yours to give (or you have the right to submit it) and that you understand it will be distributed under the project's license. Commits without a sign-off can't be merged.

> Why DCO and not just a handshake: it keeps the project's licensing chain clean, so the maintainer can relicense or dual-license in the future (for example, the planned conversion to AGPL-3.0, or a possible first-party hosted offering) without having to track down every past contributor.

## Before you start

- **Open an issue first** for anything beyond a small fix. Describe the use case, not just the proposed change — Provenance is opinionated about UX for casual users, and context helps.
- Check [docs/PRD.md](docs/PRD.md) to see where a feature fits in the roadmap and whether it's currently in or out of scope.
- For anything touching **privacy, the AI assistant's write path, or the hint-matching engine**, expect extra scrutiny. These are the areas where mistakes do real harm, so changes there need a clear design discussion before code.

## Development setup

> The stack is still standing up; this section will firm up as Phase 0 lands. The shape:

- **Frontend:** Next.js + React + TypeScript + Tailwind + shadcn/ui
- **Backend:** Python + FastAPI
- **Database:** PostgreSQL
- **Object storage:** S3-compatible (MinIO locally)
- Everything is container-native and configured via environment variables.

Local development runs via the project's compose stack. See the `README` and `docs/` for current instructions as they're published.

## Pull request guidelines

- Keep PRs focused — one logical change per PR.
- Reference the issue the PR addresses.
- Every commit signed off (`-s`); see DCO above.
- Include tests for new behavior where a test surface exists.
- Update docs (including the PRD if scope changes) in the same PR.
- Write clear commit messages: a concise summary line, then a body explaining *why* if it isn't obvious.

## Reporting security and privacy issues

Please **do not** open a public issue for a security vulnerability or a privacy-leak concern (especially anything that could expose living people's data or break the hint-matching anonymity guarantees). Report it privately to the maintainer so it can be fixed before disclosure.

## Code of conduct

Participation in this project is governed by the [Code of Conduct](CODE_OF_CONDUCT.md). By taking part, you agree to uphold it.

---

*Provenance is built in the open, commit by commit. Thanks for being part of it.*