docs: permissions model across all Workspace file types#26
Open
LeslieOA wants to merge 2 commits into
Covers the intended permission model for all current and eventual Workspace file types (.md, .canvas, .table/), grounded in the Hypercore + UCAN findings from workspace-p2p-spike. Simple formats get flat read/edit/admin roles. .table/ gets the same by default, with opt-in field-level tiering (x-tier in schema.json) for sensitive tables such as HR records. Key distribution is peer-to-peer via UCAN delegation; no relay required. Links to workspace-p2p-spike FINDINGS.md, ucan-prior-research.md, and open issues #5 and #6 for the remaining unknowns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Substantial revision following design-critique walkthrough. Corrects several conflations in the original draft and adds the engineering patterns that make the model workable. Key changes:

- Split Hypercore writer keypair from symmetric encryption keys — two unrelated layers, doing different jobs (signed-append vs. content gating). The original draft blurred them.
- Drop "re-encrypt history" language. Hypercore is append-only; key rotation applies to future writes only. Past blocks remain encrypted with whichever key was current when they were written.
- Add Autobase as the multi-writer answer for collaborative docs (each writer keeps their own log; merged view computed locally). Single-writer Hypercores can't support Alice-edits-her-own-record.
- Add UCAN vs. wrapped-key separation: UCAN authorises, the wrapped key (X25519 ECDH to recipient's public key) delivers the actual symmetric key material. Two artefacts, delivered together.
- Add the encrypted-Hypercore-as-mailbox pattern for asynchronous key delivery. No separate infra — key distribution rides the same protocol as document data. One protocol all the way down.
- Add topic-layer revocation as a second lever distinct from encryption-layer revocation. Encryption alone leaks metadata (log existence, sizes, timing); dropping the peer from the Hyperswarm topic closes that channel.
- Add scaling section: simple model works to ~500 peers, asynchronous delivery to ~10k, MLS as the upgrade path beyond.
- Add concrete worked example (1 admin + 3 managers + 50 employees + HR) with the keys-held and can-read tables.
- Add metadata-leakage section being honest about what's still observable even with encryption (log existence, sizes, write patterns) and how the topic lever addresses it post-departure.

Open questions list expanded with Autobase merge semantics, topic-layer connection authentication, and MLS integration as the enterprise-scale escape hatch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
- `docs/PERMISSIONS.md` covering the intended access-control model for `.md`, `.canvas`, and `.table/` files
- `read` / `edit` / `admin` roles; `.table/` gets the same by default with opt-in field-level tiering via `x-tier` in `schema.json`
- Grounded in `workspace-p2p-spike`, with direct links to `FINDINGS.md`, `ucan-prior-research.md`, and the open issues tracking remaining unknowns

Not in scope
Implementation — this is the intended design doc only. Tracked open questions link to the P2P spike repo.
🤖 Generated with Claude Code