Visibility & Privacy⚓︎
This document defines how visibility, participation, and privacy are modeled in DMS. The goal is that DMS can preserve memory (a permanent record of decisions) while keeping sensitive content protected from anyone who should not see it.
DMS separates access and privacy into four independent layers:
| Layer | Purpose | Controls | Answers |
|---|---|---|---|
| Scope | Eligibility | Auto-assignment policy | Who can join this Topic? |
| Role | Participation | Presence in the Topic | Am I part of this Topic? |
| Permissions | Authority | Action capabilities | What can I do here? |
| Sensitive | Exposure | Content-level override | What can I see here? |
:material-flowchart: Access Evaluation Flow⚓︎
```mermaid
graph TD
    User(["👤 User"]) -->|Attempts Access| Topic["📁 Topic"]
    Topic --> CheckRole{"🆔 Has Role?"}
    CheckRole -->|No| Deny["🚫 Access Denied<br/>(404 Not Found)"]
    CheckRole -->|Yes| CheckSens{"🔒 Sensitive?"}
    CheckSens -->|No| Show["✅ Show Content"]
    CheckSens -->|Yes| CheckOwn{"👑 Is Owner?"}
    CheckOwn -->|Yes| Show
    CheckOwn -->|No| Redact["👁️ Show Redacted"]
    %% Styles
    linkStyle default stroke:#ccc,stroke-width:1px;
    style Deny fill:#ffebee,stroke:none,color:#c62828
    style Show fill:#e8f5e9,stroke:none,color:#2e7d32
    style Redact fill:#fff3e0,stroke:none,color:#ef6c00
    style User fill:#eceff1,stroke:none
    style Topic fill:#eceff1,stroke:none
```
Scope — Default Role Assignment⚓︎
Scope defines the "Gravity" of a Topic: who is pulled into it by default. It determines who is eligible to receive an automatic Role when the Topic is created or when an organizational event occurs (such as a change in Team or Organization membership).
Scope Policies⚓︎
| Scope | Default Role Assignment |
|---|---|
| Private | Creator → Owner |
| Team | Team members → Observer |
| Organization | Organization members → Observer |
| Public | Everyone → Observer |
Scope Management
- Only Owners may change the Scope of a Topic.
- All Scope changes are logged in the Topic history to prevent "silent" exposure.
- Scope changes only affect future automatic assignments; they do not revoke Roles that were assigned manually. Narrowing the Scope therefore does not by itself remove existing participants; if that is the intent, revoke their Roles explicitly.
Role — The Participation Gateway⚓︎
A User can see and participate in a Topic only if they hold an explicit Role. Without a Role, the Topic is effectively non-existent (404) to that user.
Without a Role
- The Topic is hidden from search, dashboards, and global feeds.
- Direct links return the same "Not Found" response as a Topic that does not exist, so an outsider cannot confirm that the Topic exists (no metadata leakage).
- The User does not appear in the participant list or the historical audit trail.
Sensitive — Content Exposure Override⚓︎
Individual entries (Choices, Reasons, Reviews, Lessons) may be flagged as Sensitive. This is a surgical content-level control that layers over the Role-based permissions.
Sensitive entries
- Are hidden from all Roles except Owners; other Roles see a redacted placeholder in place of the content.
- Remain part of the permanent immutable record for audit purposes. The flag changes what is displayed, not what is stored.
- Do not affect the overall visibility of the Topic itself.
Use Cases for Sensitive Flag
- Protecting Personal Identifiable Information (PII) or legal data.
- Maintaining "Safe Spaces" for raw thinking or controversial rationale.
- Redacting internal reasoning from external or client-level observers.
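The Access Evaluation Flow diagram, the Role gate, and the Sensitive override above can be read as one function. The following is an example added to this page to illustrate that flow; it is not DMS's own code. The `Topic`/`Entry`/`Role` model, the function names, the `[Content Restricted]` wording, and the sample data are all assumptions made for the example.

```python
"""Worked example of the DMS access-evaluation flow (Role gate, then
Sensitive override). Illustration added to this page, not DMS's own code:
the Topic/Entry/Role model and every name below are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    OBSERVER = "observer"


@dataclass(frozen=True)
class Entry:
    kind: str            # "Choice", "Reason", "Review" or "Lesson"
    text: str
    sensitive: bool = False


@dataclass
class Topic:
    title: str
    roles: dict = field(default_factory=dict)    # user id -> Role
    entries: list = field(default_factory=list)  # the permanent record


class NotFound(Exception):
    """The one error returned for 'no such Topic' and 'no Role here'."""


# Assumed placeholder wording; the spec leaves the redaction UI state as a TODO.
REDACTED = "[Content Restricted]"


def view_topic(topics, topic_id, user):
    """Return what `user` may see of `topic_id`, or raise NotFound."""
    topic = topics.get(topic_id)
    # Role gate. Both branches raise the same exception with the same
    # message, so a caller cannot distinguish a Topic it is not part of
    # from a Topic that was never created (the 404 in the diagram).
    if topic is None or user not in topic.roles:
        raise NotFound(f"Topic {topic_id!r} not found")
    role = topic.roles[user]
    shown = []
    for entry in topic.entries:
        # Sensitive override: Owners see the content, every other Role
        # sees a placeholder. The stored Entry is never modified.
        if entry.sensitive and role is not Role.OWNER:
            shown.append({"kind": entry.kind, "text": REDACTED, "redacted": True})
        else:
            shown.append({"kind": entry.kind, "text": entry.text, "redacted": False})
    return {
        "title": topic.title,
        "role": role.value,
        "participants": sorted(topic.roles),  # only Role holders are listed
        "entries": shown,
    }


def demo():
    """Constructed sample: one Topic, an Owner, an Observer, an outsider."""
    topics = {
        "t-1": Topic(
            title="Vendor selection",
            roles={"alice": Role.OWNER, "bob": Role.OBSERVER},
            entries=[
                Entry("Choice", "Go with vendor A"),
                Entry("Reason", "Vendor B is in litigation with us", sensitive=True),
            ],
        )
    }
    results = {}
    for user, topic_id in [("alice", "t-1"), ("bob", "t-1"),
                           ("carol", "t-1"), ("alice", "t-404")]:
        try:
            results[(user, topic_id)] = view_topic(topics, topic_id, user)
        except NotFound as exc:
            results[(user, topic_id)] = str(exc)
    return results, topics


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(key, "->", value)
```

Two details matter in practice. First, the outsider ("carol") and the request for a Topic that was never created get byte-for-byte the same error, which is what the "404 rather than 403" rule in the Role section requires; an HTTP layer built on this must also keep status code, body and headers identical in both cases. Second, redaction is applied to the response only: the `Entry` objects in `topic.entries` are left untouched, so the Sensitive flag hides content from Observers without altering the immutable record.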
TODO & Future Considerations⚓︎
- Define "Redaction" UI states (e.g., "Content Restricted" message) for Non-Owners.
- Finalize "Organization" scope inheritance rules for multi-tenant setups.
- Determine if "Emergency Access" protocols are required for legal compliance.