The Future from Ideas
ideīs-30 v0.1 (Mar 29, 2026)
World
Technical Documentation & Roadmap
This canvas documents the technical implementation of ideis.world. It is updated with each significant platform change to maintain transparency about functionality, data handling, and the development roadmap.
Please ask questions if certain aspects of the documentation are not sufficiently detailed or clear.

User Accounts

Registration

Your username is a randomly generated string of exactly 7 lowercase alphanumeric characters. It becomes part of your permanent public identity (see Canvas Identification below) and cannot be changed after registration.

Your avatar is also generated at this point, initiated with two random colors (see Visual Identity below).

The password must have between 6 and 50 characters. Strength is evaluated with the zxcvbn algorithm: a minimum score of 3 out of 4 is required. The password is stored as an Argon2id hash in the database.

Registration is atomic: either all of the following records are created together in a single transaction, or nothing is stored.

| Table | Content |
| --- | --- |
| users | Basic account record and status (active). |
| user_profile | User language and avatar. |
| user_geographies | WORLD is added as default geography at registration. |
| user_consent | Your consent record is added (see below). |

When you confirm consent, a record is appended to the consent table containing your username, the version of the conditions you accepted, the consent text, and a timestamp. Each record also includes a SHA-256 hash computed over these fields and the hash of the previous consent record in the system, forming a global hash chain. This makes it computationally infeasible to alter any record without invalidating every hash that follows — providing cryptographic non-repudiation of every consent ever given on the platform.
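The chain described above can be sketched as follows. This is an added example, not ideis.world code: the field encoding, the all-zero genesis value, the function names and the sample records are assumptions made for illustration.

```javascript
// Added example, not ideis.world code. Field encoding and GENESIS are assumptions.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed "previous hash" for the first record

// Length-prefix every field so ("ab","c") and ("a","bc") cannot hash alike.
function recordHash(rec, prevHash) {
  const h = createHash("sha256");
  for (const field of [rec.username, rec.version, rec.text, rec.timestamp, prevHash]) {
    const bytes = Buffer.from(String(field), "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    h.update(len).update(bytes);
  }
  return h.digest("hex");
}

function appendConsent(chain, rec) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  chain.push({ ...rec, prevHash, hash: recordHash(rec, prevHash) });
}

// Returns -1 if every link checks out and the chain ends in trustedHead,
// otherwise the index of the first bad record (chain.length = head mismatch).
function verifyChain(chain, trustedHead) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    if (chain[i].prevHash !== prev || recordHash(chain[i], prev) !== chain[i].hash) return i;
    prev = chain[i].hash;
  }
  return prev === trustedHead ? -1 : chain.length;
}

function demo() {
  const chain = []; // constructed sample records
  for (const [username, timestamp] of [["k3x9q2a", "2026-03-29T10:00:00Z"],
       ["p0m4z7c", "2026-03-29T11:30:00Z"], ["t8w1e5r", "2026-03-30T09:15:00Z"]]) {
    appendConsent(chain, { username, version: "0.1", text: "I accept the conditions.", timestamp });
  }
  const head = chain[chain.length - 1].hash; // recorded outside the database
  const intact = verifyChain(chain, head);
  chain[1].version = "0.2";                  // in-place edit of one record
  const edited = verifyChain(chain, head);
  for (let i = 1; i < chain.length; i++) {   // every later hash recomputed
    chain[i].prevHash = chain[i - 1].hash;
    chain[i].hash = recordHash(chain[i], chain[i].prevHash);
  }
  return { intact, edited, recomputed: verifyChain(chain, head) };
}
```

The third result shows why verification needs a head hash held somewhere the database writer cannot change: a chain whose later hashes have all been recomputed is internally consistent and only the head comparison exposes it.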

Authentication & Login Security

Sessions are kept in encrypted, HTTP-only cookies signed with a 32-character server key, with a 7-day lifetime. The cookie contains a single field: your username. It carries no device fingerprint, IP address, or timestamp, and cannot be used for cross-site tracking.

Logins are protected by an exponential lockout: consecutive failed attempts trigger a waiting period, and each failure doubles the wait before the next attempt is allowed. The intention is to prevent brute-force attacks.
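The doubling rule can be sketched as below. This is an added example, not ideis.world code: the base delay, the cap, keying the counter by username, and all names are assumptions, since the documentation states only that each failure doubles the wait.

```javascript
// Added example, not ideis.world code. BASE_MS, MAX_MS and the class are assumptions.
const BASE_MS = 1000;                // assumed wait after the first failure
const MAX_MS = 24 * 60 * 60 * 1000;  // assumed cap so the wait stays bounded

class LoginThrottle {
  constructor() {
    this.state = new Map(); // username -> { failures, lockedUntil }
  }

  // Wait after the n-th consecutive failure: BASE_MS * 2^(n-1), capped at MAX_MS.
  static delayMs(failures) {
    if (failures <= 0) return 0;
    return Math.min(MAX_MS, BASE_MS * 2 ** Math.min(failures - 1, 40));
  }

  // Milliseconds the caller must still wait; 0 means an attempt is allowed now.
  retryAfter(username, now) {
    const s = this.state.get(username);
    return s ? Math.max(0, s.lockedUntil - now) : 0;
  }

  // verify() is only invoked when the account is not locked, so blocked
  // attempts never reach the (expensive) password hash comparison.
  attempt(username, now, verify) {
    const wait = this.retryAfter(username, now);
    if (wait > 0) return { ok: false, blocked: true, retryAfterMs: wait };
    if (verify()) {
      this.state.delete(username); // success resets the consecutive-failure count
      return { ok: true, blocked: false, retryAfterMs: 0 };
    }
    const failures = (this.state.get(username)?.failures ?? 0) + 1;
    const delay = LoginThrottle.delayMs(failures);
    this.state.set(username, { failures, lockedUntil: now + delay });
    return { ok: false, blocked: false, retryAfterMs: delay };
  }
}
```

Because the counter is kept per username, the cap also bounds how long failed attempts made by someone else can delay the account holder.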

Passwords can be changed from your profile settings. The current password must be verified before a new one is accepted. The new password is subject to the same strength requirements as at registration (zxcvbn score ≥ 3). All password change attempts — successful or not — are written to the security events log.

Account deletion requires password verification and an explicit typed confirmation. Deletion:

  • Sets your account status to deleted (soft delete)

  • Replaces your password hash with an Argon2id hash of a randomly generated value, making authentication permanently impossible

  • Resets your avatar colors and language preference

  • Removes your geographies and interests

  • Retains your canvases and your opinions, which retain the pseudonymous username but are no longer linked to any profile

  • Leaves the consent chain intact (immutable audit trail)

The deletion is recorded as a security event with reason user_request.


User Profile

Visual Identity

Your username is graphically represented by an avatar generated with the DiceBear identicon algorithm, seeded deterministically from the username, so the same pattern is always reproduced from the same username. You can update both colors at any time from your profile settings. A dedicated color (id 0) is reserved exclusively for the ideīs system account.

User Geographies

You can associate your profile with up to 2 geographies. These signal where you are coming from and determine which canvases you are authorized to opine on (see Canvas Geography).

  • A 5-day cooldown applies between geography changes.

  • You cannot select both a territory and its direct parent simultaneously.

The platform does not verify that your geography selections correspond to your actual location.

User Interests

You can select up to 10 tags as personal interests from the platform's reference taxonomy. These have no effect currently.

Trust Level

Your account has a trust level that defaults to 1 at registration. It is intended as a signal of the reliability of your contributions, growing over time through valuable activity on the platform. The calculation logic is not yet implemented.

Inbox

The inbox is currently not functional. It will serve as a central point for system notifications.


Security & Audit

Security Events

All notable security-relevant actions are logged both to a dedicated security.log file and to the security_events database table.

| Event type | Triggered by |
| --- | --- |
| login_failed | Failed login attempt |
| password_changed | Successful or failed password change |
| account_deactivated | Account deletion |
| suspicious_activity | Potentially unauthorized or malicious activities |

Three log files are maintained on the server:

  • audit.log — general user activity (info level)

  • security.log — security events (warning level)

  • issue.log — application errors and failures (error level)

The retention of logs is not yet limited.

IP Address

IP address data is not retained, either by the platform or in the Nginx reverse proxy logs.


Canvas System

Canvas Identification

Every canvas has a permanent public ID of the form {username}-{number} (e.g. alice7b-3). The number is assigned sequentially; you cannot publish more than 99 canvases. This identifier appears in all URLs and API routes and serves as the stable reference for linking between canvases (e.g. #ideīs-2).

Tags

Each canvas can carry up to 5 tags drawn from the platform's reference taxonomy. Tags are categorized as Purpose, Topic, or Channel. They are set in the draft and copied to each published version. Tags are also used for canvas discovery (see Canvas Discovery).

Draft Editing

Each canvas exists as a draft that you can freely edit. Publishing creates an immutable snapshot of the current draft as a new version — the draft itself remains and can continue to be edited toward the next publication.

| Field | Constraints |
| --- | --- |
| Title | 3–70 characters, plain text only |
| Abstract | 10–500 characters, limited Markdown (bold, italic, underline) |
| Body | 10–10,000 characters, full rich text (TipTap JSON). SVGs can be embedded and count towards the character limit. |

All content is sanitized on the server using DOMPurify with a strict allowlist for security reasons. The abstract additionally blocks wholesale formatting (e.g. selecting all and bolding) to prevent structural abuse. A limited emoji set is permitted in the body only.

Language

The canvas language is detected using franc based on title and abstract. This is only used for the search functionality.

Publication & Versioning

Publishing your draft creates a new immutable version record. Versions follow a major.minor scheme (e.g. 1.0, 1.1, 2.0). Each publication also applies a decay factor to all existing opinions on that canvas, reducing their weight to reflect that evaluations of an older version are less representative of the current content (see Opinion Weight & Decay below).

Minor update (e.g. 1.0 → 1.1):

  • Minimum 1 day since the previous publication.

  • Minor counter resets to 0 at each major update.

  • Maximum minor counter: 9.

Major update (e.g. 1.0 → 2.0, 1.9 → 2.0):

  • Minimum (10 − m) days since the previous publication, where m is the current minor version. This means an update of the type 1.0 → 2.0 is only possible after 10 days.

  • Signals a substantial revision of the canvas. In the future, this will generate a notification to users who have bookmarked the canvas.

A major update from version 1.m is exactly equivalent to taking the remaining (10 − m) minor steps consecutively: the minimum waiting period is the same ((10 − m) days) and the opinion weight decay applied is identical ((10 − m) successive minor decay factors). Whether you increment through the remaining minor versions or jump directly to a major update, the time cost and statistical effect on existing opinions are the same.

Canvas Geography

Each canvas is associated with a geography that defines the scope of the idea and determines who may evaluate it. You must set the geography on your first publication; it cannot be changed afterwards. A canvas scoped to a specific territory can be evaluated by users who have that territory (or a child of it) in their profile. A canvas scoped to WORLD can be evaluated by any user.

You can assign up to 2 geographies at first publication. If two are assigned, they must not be in a parent-child relationship.

Canvas Discovery (/explore)

You can browse and filter published canvases by:

  • Keyword (up to 30 characters, full-text search)

  • Tags (up to 3 tag IDs)

  • Geography

  • Language

  • Sort order: most recently updated or most recently created, ascending or descending

Filtering by evaluation metrics is defined in the data model but not yet implemented.


Opinions & Evaluations

Overview

You can submit an opinion on any published canvas within your geographic scope, provided it is not your own. Each opinion consists of:

  • A prompt — a framing statement that contextualizes the evaluation (selected from a reference list).

  • One or more metric responses — scored choices on specific dimensions of the idea.

  • A general comment — between 20 and 300 characters.

You can update your opinion after each canvas update; the previous version is marked as replaced and the new one takes effect.

Note that you cannot opine on your own canvases and that one of your user geographies must fall within one of the canvas' geographies.

Metrics

Each metric response records a choice of −1 (negative), 0 (neutral), or +1 (positive). A justification of 10–200 characters is required for any negative score. You must evaluate at least one metric to submit an opinion.

Prompts

Six prompts are currently available to guide constructive feedback.

Opinion Weight & Decay

Each opinion carries a weight (initially 1.0) that determines its influence on the aggregate statistics. When a canvas is updated, all existing opinion weights are multiplied by a decay factor to reflect that evaluations of an older version are less representative of the current content. The cumulative effect is an exponential decay of opinion influence over successive canvas updates.

  • Minor update: each weight is multiplied by 0.5^(1/10) ≈ 0.933. Applied 10 times over a full minor cycle, the cumulative effect halves all weights.

  • Major update from version 1.m: each weight is multiplied by 0.5^((10−m)/10). This is exactly the product of the (10 − m) minor decay factors that would have been applied by the remaining minor steps, so the two paths are equivalent.

Statistical Aggregation

Aggregate weighted statistics per metric per canvas version are maintained in real time using Welford's online algorithm for numerically stable computation of weighted means and variances. This allows opinions to be added or removed individually without recomputing from scratch.

Each aggregate record stores: count, weighted mean, Welford variance, and total weight.
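A weighted Welford aggregate with single-opinion add and remove, together with the decay factors from Opinion Weight & Decay above, can be sketched as follows. This is an added example, not ideis.world code: all names are hypothetical, and applying decay directly to the aggregate is an assumption that relies on the fact that scaling every weight by one factor leaves the weighted mean unchanged.

```javascript
// Added example, not ideis.world code. Names and the decay() shortcut are assumptions.
class MetricAggregate {
  constructor() {
    this.count = 0; this.mean = 0; this.m2 = 0; this.totalWeight = 0;
  }

  // score is -1, 0 or +1; weight is the opinion's current weight.
  add(score, weight) {
    const w = this.totalWeight + weight;
    const delta = score - this.mean;
    const mean = this.mean + (weight / w) * delta;
    this.m2 += weight * delta * (score - mean);
    this.mean = mean; this.totalWeight = w; this.count += 1;
  }

  // Exact inverse of add(); pass the weight the opinion carries now (after decay).
  remove(score, weight) {
    const w = this.totalWeight - weight;
    if (this.count <= 1 || w <= 1e-12) {
      this.count = 0; this.mean = 0; this.m2 = 0; this.totalWeight = 0;
      return;
    }
    const prevMean = this.mean - (weight / w) * (score - this.mean);
    this.m2 = Math.max(0, this.m2 - weight * (score - this.mean) * (score - prevMean));
    this.mean = prevMean; this.totalWeight = w; this.count -= 1;
  }

  // Scaling all weights by one factor keeps the mean and scales totalWeight and m2.
  decay(factor) { this.totalWeight *= factor; this.m2 *= factor; }

  get variance() { return this.totalWeight > 0 ? this.m2 / this.totalWeight : 0; }
}

const MINOR_DECAY = 0.5 ** (1 / 10);              // about 0.933 per minor update
const majorDecay = (m) => 0.5 ** ((10 - m) / 10); // major update from version 1.m

// Reference computation from scratch, used to check the incremental results.
function batch(opinions) {
  const W = opinions.reduce((s, o) => s + o.weight, 0);
  const mean = opinions.reduce((s, o) => s + o.weight * o.score, 0) / W;
  const variance = opinions.reduce((s, o) => s + o.weight * (o.score - mean) ** 2, 0) / W;
  return { mean, variance, totalWeight: W };
}
```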

Bookmarks

You can bookmark any published canvas. Bookmarks are stored with a creation timestamp. The number of bookmarks a canvas has received is tracked as a platform metric. When inbox notifications are implemented, you will receive a canvas_update notification when a bookmarked canvas is updated.


Roadmap

Short-term

  • System notifications in the inbox (welcome message, canvas updates, release notes).

  • User-defined prompts for opinions.

  • Addition of canvas release notes to provide feedback.

Mid-term

  • To enhance authentication and enable password recovery, optional storage of hashed email addresses (i.e., the platform will not hold a plaintext email address)

  • Trust level calculation logic and limits/permissions.

  • Enhancements to the canvas editor

  • Improved canvas discovery, including promotion of canvases based on user interests

Long-term (aspirational)

  • Challenges — structured calls for ideas on a defined topic.

  • Database integrity proofs

  • User ownership proof to allow you to prove that you are the author of a given canvas without relying on platform-held credentials

  • Messaging between trusted users