Two changes. 1. Privacy fix (NN#2/NN#3) — the citation and source list endpoints gated only on can_view_tree, so a non-member on a public/unlisted/site_members tree could enumerate citations and sources tied to a redacted living person, leaking that the person exists and has sourced facts (and possibly their name via a source title). #46 closed this for events/media/names/relationships but not citations/sources. Now citation_service.list_citations and source_service.{list_sources,get_source} delegate non-member reads to public_view_service, mirroring the #46 pattern: - citations: shown only when the cited fact resolves to FULL-visibility person(s) — covers the person_id, name_id, event_id (person or both-partner), and relationship_id (both-partner) target paths. - sources: shown only when they back at least one visible citation; a withheld source 404s (don't reveal it exists). Tests cover all four citation target types + source withholding + member-sees-all. 2. On-demand tree purge — owners can permanently delete a soft-deleted tree now instead of waiting out the 30-day auto-purge window. POST /trees/{id}/purge (owner-only): the tree must already be in the trash, and the caller retypes its name to confirm. Media objects are deleted from storage, then a single DELETE on trees cascades all tree-owned rows via the tree_id ON DELETE CASCADE; the audit entry survives (tree_id SET NULL). Frontend adds a "Delete forever" button to the Recently-deleted list. No migration. Suite: 102 passing. Signed-off-by: Justin Paul <justin@jpaul.me>
Provenance
Where it came from matters.
Provenance is self-hostable software for tracing where you come from — your family and your land. Build a family tree, document every claim with real sources, reconstruct the chain of ownership behind a piece of property, and keep all of it in a format you control, on infrastructure you run.
Your history shouldn't live behind a subscription. Your data shouldn't be someone else's product. The story of where you came from belongs to you — and to whoever comes after.
Why "Provenance"
Museums and collectors use the word for the chain of custody behind an object: where it came from, who held it, how it got here. A painting without provenance is just a painting. A painting with provenance is a story.
People and land work the same way. A name on a tree is just a name. A name with sources, photos, letters, and the small details of a life — that's a person. A parcel of farmland traced from its original federal patent through every deed and heir to the present day — that's a story too. Provenance treats both as facets of the same thing.
Every fact links to its source. Every claim can be traced. Nothing is just asserted; everything is shown.
What it does
- Build a tree that holds up. People, relationships, events, and places — with every fact linked to the document, photo, or record it came from.
- Bring your own archive. Scans, PDFs, photos, audio recordings — first-class citizens, not afterthoughts.
- A research assistant that proposes, never overwrites. The built-in AI assistant searches legal sources, lays out what it found, and waits for your approval before anything touches your data. You can point it at the major model providers or a self-hosted model — your keys, your choice.
- Standards over silos. GEDCOM import and export (5.5.1 / 7 common subset) — duplicate-aware import, citation-preserving export. Migrate in, migrate out.
- Privacy you control. Public, members-only (any signed-in user on your instance), unlisted, or private per tree; any individual can be hidden; living people are protected by default.
- Find your people. When another user's tree overlaps with yours, Provenance can surface an anonymous "possible match" — and only connects you if you both say yes.
- Run it your way. Container-native. Self-host behind Caddy and, if you like, a Cloudflare Tunnel. Multi-tenant, so your whole extended family — or a whole community of strangers — can coexist on one deployment. One-command backups (Postgres + object storage) and an instance-owner admin role keep operations in your hands.
Where it's headed — trace the land, not just the family. The same source-backed treatment for property: parcels, deeds, and ownership events, reconstructing chain-of-title and tying land to the people who held it. The people side ships today; the land half is on the roadmap, not yet built — but it's why Provenance exists, not an afterthought.
Who it's for
- The person who became the keeper of the photos after a parent passed
- Farm and rural families tracing land back to the original patent
- Researchers who want their citations to actually mean something
- Adoptees and donor-conceived people piecing together a fuller picture
- Anyone who looked at the big genealogy subscriptions and thought I don't want my family history to be someone else's recurring revenue
Principles
- Your data is yours. Open formats. Export anytime. Self-host anywhere.
- Sources or it didn't happen. Every fact can carry citations. The record holds what you know and how you know it.
- The assistant serves you. AI proposes; you decide. No autonomous writes, ever.
- Honest about hard things. Adoption, estrangement, complicated parentage, name changes, people who don't want to be on a tree — treated as normal, not edge cases.
- No dark patterns. No paywalled hints. No surprise upsells. No "you have new ancestors waiting" emails.
Licensing
Provenance is source-available, not open source (yet). It is licensed under the Business Source License 1.1:
- Free forever for personal, family, and non-commercial use — self-host all you like.
- Commercial hosting for a fee is not permitted without a separate license from the author.
- Each release converts to AGPL-3.0 (a true open-source license) four years after it ships.
In plain terms: run it for yourself, your family, or your community at no cost, forever. You just can't take this code and sell it as a hosted service — that's reserved for a possible future first-party offering. See LICENSE for the exact terms.
Status
Early and moving fast. The product is being built in the open, commit by commit, and stood up in a live home lab as it goes. See docs/PRD.md for the product requirements and roadmap.
If the principles above resonate, watch the repo, open an issue with your use case, or pitch in. See CONTRIBUTING.md.
Provenance. Where it came from matters.