Entry 027

Users as graph entities, the Atlas customization ladder, and content isolation

Date: 2026-06-05
Status: Decided
Authority: Creator

Decision

Members are first-class entities on the graph. A member is a node; the things they do are typed edges:

  • Contribution edges (authored / curated) and judgment edges (votes, citations, corrections) are captured freely — attribution is already constitutional (Layer 9) and judgment already feeds consensus and credits.
  • Consumption edges (reads, likes) are captured deliberately: which ones are public is an explicit decision (see G-049), and they must never become an engagement-optimization target (G-010).

Customization is a four-rung cascade, each scope isolated so it cannot bleed up or sideways:

  1. Network chrome (top bar) — OLN-owned, always present, non-overridable (brand anchor + a trusted, un-spoofable nav).
  2. Franchise theme — sub-header, sub-footer, background, color tokens, wordmark.
  3. Community theme — the same controls, scoped further to each community space.
  4. Personal space — the user's own raw HTML / CSS / JS and widgets.

Declarative-only on the main origin. Rungs 1–3, plus the structured /@handle profile, are themed only through validated tokens and allowlisted assets — never arbitrary HTML/CSS/JS. Indexed, main-origin pages stay safe and consistent.

Two-tier personal space (the Atlas ladder):

  • Safe tier, for everyone, on the indexed apex profile (/@handle): token theming + OLN-authored widgets (contribution graph, badge wall, LoreLine feed) the user places but does not code.
  • Full tier, opt-in, on an isolated origin: raw HTML/JS/widgets on a separate registrable domain, per-user subdomain, submitted to the Public Suffix List — completely outside theopenlore.net's cookie scope. (Domain selection pending, G-050.)

Guiding principle: isolate by (trust × indexability). High-trust + want-indexed → the apex. Zero-trust + executable → the isolated origin; and user-uploaded files → a cookieless usercontent origin.

Reasoning

The Samy worm (MySpace, 2005) is the canonical failure of user HTML/JS on the main origin — it self-propagated through profile markup. A separate registrable domain (the github.com vs github.io model) is the proven isolation; a mere subdomain of theopenlore.net is not enough, because cookies scope to the registrable domain (eTLD+1).
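
The cookie-scope argument above, worked through as an added example (not part of the original entry or the project's code). It assumes a constructed miniature Public Suffix List and uses `usersite.example` as a hypothetical stand-in for the isolated domain, which is still pending under G-050.

```javascript
// Constructed miniature of the Public Suffix List (no wildcard/exception rules).
// "usersite.example" is a hypothetical stand-in for the isolated domain (G-050).
const PSL_BEFORE = new Set(["net", "example"]);                    // before PSL submission
const PSL_AFTER = new Set(["net", "example", "usersite.example"]); // after PSL submission

// Longest listed suffix of `host`; falls back to the last label.
function publicSuffix(host, psl) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (psl.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain (eTLD+1): the public suffix plus one label to its left.
function registrableDomain(host, psl) {
  const suffix = publicSuffix(host, psl);
  if (host === suffix) return null; // a bare public suffix has no eTLD+1
  const left = host.slice(0, -(suffix.length + 1)).split(".");
  return left[left.length - 1] + "." + suffix;
}

// RFC 6265 domain-match: same host, or host is a subdomain of `domain`.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Would a browser accept Set-Cookie with this Domain attribute from `host`?
// Public suffixes are refused as cookie domains (a host that is itself a
// suffix gets a host-only cookie instead); others must domain-match the host.
function canSetCookie(host, domainAttr, psl) {
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  return !psl.has(domain) && domainMatch(host.toLowerCase(), domain);
}

// Can a page on `fromHost` set a cookie that is later sent to `toHost`?
// The widest scope it can claim is its own registrable domain.
function cookieReaches(fromHost, toHost, psl) {
  const scope = registrableDomain(fromHost.toLowerCase(), psl);
  return scope !== null && canSetCookie(fromHost, scope, psl)
    && domainMatch(toHost.toLowerCase(), scope);
}
```

With `PSL_BEFORE`, `alice.usersite.example` can still scope a cookie to `usersite.example` and reach `bob.usersite.example`; only the PSL entry makes each per-user subdomain its own registrable domain.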

Fandom is the customization lesson. Its declarative Theme Designer (background, colors, wordmark) is safe and beloved; arbitrary Common.css / Common.js was a years-long security, consistency, and performance tax that had to be clawed back, painfully. Bound the freedom from day one — loosening later is easy, revoking is not.

The ladder serves both ends. The ~95% who never hand-write HTML get a rich, safe, indexed identity that is a real graph node; power users get a true sandbox where their code can harm no one.

Open threads

  • Consumption-edge privacy and visibility model (G-049).
  • Customization theme-token schema, CSS scoping, and the user-content domain (G-050).
  • Profile recognition / badge data model (G-051).