# Contributing to Provenance
Thanks for your interest in helping build Provenance. This document covers how to contribute and the one legal step we ask of every contributor.
## A note on the license
Provenance is **source-available** under the [Business Source License 1.1](LICENSE), not (yet) open source. It is free for personal, family, and non-commercial use, and each release converts to AGPL-3.0 four years after it ships. Contributing does not change those terms. Please make sure you're comfortable with the license before sending a change.
## Developer Certificate of Origin (DCO)
We use the [Developer Certificate of Origin](https://developercertificate.org/) instead of a heavier contributor agreement. It's a lightweight, well-understood mechanism (the same one the Linux kernel uses) that lets you certify you have the right to submit your contribution.

In practice: **sign off every commit.** Add a `Signed-off-by` line by committing with `-s`:
```sh
git commit -s -m "Your message"
```
That appends a line like:
```
Signed-off-by: Your Name <you@example.com>
```
By signing off, you certify the statement at <https://developercertificate.org/> — in short, that the contribution is yours to give (or you have the right to submit it) and that you understand it will be distributed under the project's license. Commits without a sign-off can't be merged.
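
To check a branch for missing sign-offs before opening a PR, a helper along these lines can be sourced into your shell. It is an added example, not part of the project's tooling; the function names are hypothetical, and requiring the sign-off to match the commit author is an assumption of the example rather than a rule stated here.

```sh
#!/bin/sh
# Added example: local DCO check. Function names are hypothetical.

# has_signoff MESSAGE IDENTITY
# Succeeds when MESSAGE contains a line that is exactly
# "Signed-off-by: IDENTITY", where IDENTITY is "Name <email>".
# A sign-off that is only mentioned mid-line does not count.
has_signoff() {
    printf '%s\n' "$1" | grep -Fqx -- "Signed-off-by: $2"
}

# unsigned_commits RANGE
# Walks every commit in RANGE (for example "origin/main..HEAD") and prints
# the ones whose message lacks a sign-off from the commit's own author
# (assumption: author identity is what must appear in the trailer).
# Returns non-zero if at least one commit is missing its sign-off.
unsigned_commits() {
    status=0
    for rev in $(git rev-list "$1"); do
        author=$(git log -1 --format='%an <%ae>' "$rev")
        message=$(git log -1 --format='%B' "$rev")
        if ! has_signoff "$message" "$author"; then
            git log -1 --format='missing sign-off: %h %s' "$rev"
            status=1
        fi
    done
    return "$status"
}
```

Run `unsigned_commits origin/main..HEAD` from inside your clone; the branch name is a placeholder for whatever base your PR targets.
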
> Why DCO and not just a handshake: it keeps the project's licensing chain clean, so the maintainer can relicense or dual-license in the future (for example, the planned conversion to AGPL-3.0, or a possible first-party hosted offering) without having to track down every past contributor.
## Before you start
- **Open an issue first** for anything beyond a small fix. Describe the use case, not just the proposed change — Provenance is opinionated about UX for casual users, and context helps.
- Check [docs/PRD.md](docs/PRD.md) to see where a feature fits in the roadmap and whether it's currently in or out of scope.
- For anything touching **privacy, the AI assistant's write path, or the hint-matching engine**, expect extra scrutiny. These are the areas where mistakes do real harm, so changes there need a clear design discussion before code.
## Development setup
> The stack is still standing up; this section will firm up as Phase 0 lands. The shape:
- **Frontend:** Next.js + React + TypeScript + Tailwind + shadcn/ui
- **Backend:** Python + FastAPI
- **Database:** PostgreSQL
- **Object storage:** S3-compatible (MinIO locally)
- Everything is container-native and configured via environment variables.

Local development runs via the project's compose stack. See the `README` and `docs/` for current instructions as they're published.
## Pull request guidelines
- Keep PRs focused — one logical change per PR.
- Reference the issue the PR addresses.
- Every commit signed off (`-s`); see DCO above.
- Include tests for new behavior where a test surface exists.
- Update docs (including the PRD if scope changes) in the same PR.
- Write clear commit messages: a concise summary line, then a body explaining *why* if it isn't obvious.
## Reporting security and privacy issues
Please **do not** open a public issue for a security vulnerability or a privacy-leak concern (especially anything that could expose living people's data or break the hint-matching anonymity guarantees). Report it privately to the maintainer so it can be fixed before disclosure.
## Code of conduct
Participation in this project is governed by the [Code of Conduct](CODE_OF_CONDUCT.md). By taking part, you agree to uphold it.

---
*Provenance is built in the open, commit by commit. Thanks for being part of it.*