|
| 1 | +# Platform Data Ownership Model |
| 2 | + |
| 3 | +## Status |
| 4 | + |
| 5 | +This is a planning document for GameFoundryStudio platform data ownership. |
| 6 | + |
| 7 | +It defines intended ownership, visibility, permissions, versioning, and exportability rules before database, authentication, Admin, Account, publishing, community, or marketplace implementation begins. |
| 8 | + |
| 9 | +This document does not authorize runtime changes, database implementation, authentication implementation, page changes, CSS changes, JavaScript changes, or schema migrations. |
| 10 | + |
| 11 | +## Core Rules |
| 12 | + |
| 13 | +- Database = working system. |
| 14 | +- Manifest/JSON = portable export/import format. |
| 15 | +- Every database object must have ownership. |
| 16 | +- Every shareable object must have visibility. |
| 17 | +- Every editable object must have permissions. |
| 18 | +- Ownership must be explicit, queryable, and auditable. |
| 19 | +- Visibility must never be inferred from missing data. |
| 20 | +- Permissions must be checked against the editable object, not only against the current page or route. |
| 21 | +- Portable export/import must not depend on hidden database state. |
| 22 | +- Manifest/JSON export must preserve enough identity-free references to re-import into another project or account when allowed. |
| 23 | + |
| 24 | +## Ownership Terms |
| 25 | + |
| 26 | +User-owned: |
| 27 | +- The object belongs directly to a user. |
| 28 | +- The owner can manage the object unless a policy, moderation state, or platform rule restricts it. |
| 29 | + |
| 30 | +Project-owned: |
| 31 | +- The object belongs to a project. |
| 32 | +- Project permissions determine who can read, edit, duplicate, export, or publish it. |
| 33 | + |
| 34 | +Platform-owned: |
| 35 | +- The object is controlled by the platform for security, integrity, moderation, or operational reasons. |
| 36 | +- User export may expose safe user-facing data, but not protected operational internals. |
| 37 | + |
| 38 | +Derived-owned: |
| 39 | +- The object is generated from, attached to, or versioned from another owned object. |
| 40 | +- It inherits ownership and permissions from its parent unless explicitly promoted to its own record. |
| 41 | + |
| 42 | +## Visibility Terms |
| 43 | + |
| 44 | +Private: |
| 45 | +- Visible only to the owner and explicitly authorized collaborators or services. |
| 46 | + |
| 47 | +Project: |
| 48 | +- Visible to project members according to project permissions. |
| 49 | + |
| 50 | +Unlisted: |
| 51 | +- Accessible by direct link or explicit association, but not discoverable in public browsing. |
| 52 | + |
| 53 | +Public: |
| 54 | +- Discoverable and visible to all users. |
| 55 | + |
| 56 | +Marketplace: |
| 57 | +- Public or moderated discovery surface for assets, templates, games, tools, listings, or bundles. |
| 58 | + |
| 59 | +Moderated: |
| 60 | +- Visibility is constrained by moderation state, policy, or review status. |
| 61 | + |
| 62 | +## Permission Terms |
| 63 | + |
| 64 | +Owner: |
| 65 | +- Full user-level control over owned content, subject to platform policy. |
| 66 | + |
| 67 | +Collaborator: |
| 68 | +- Project-scoped or object-scoped access granted by the owner or authorized role. |
| 69 | + |
| 70 | +Role: |
| 71 | +- A named capability set such as viewer, editor, publisher, moderator, or admin. |
| 72 | + |
| 73 | +Service: |
| 74 | +- Platform service access for validation, indexing, publishing, import/export, search, or moderation. |
| 75 | + |
| 76 | +Admin: |
| 77 | +- Operational access for platform administration. |
| 78 | + |
| 79 | +Moderator: |
| 80 | +- Limited review and enforcement access for community, marketplace, ratings, comments, and public content. |
| 81 | + |
| 82 | +## Object Model |
| 83 | + |
| 84 | +| Object | Ownership | Visibility | Permissions | Versioning | Exportability | |
| 85 | +| --- | --- | --- | --- | --- | --- | |
| 86 | +| User | User-owned root account record. | Private by default; limited public presence only through Profile. | User can manage allowed account fields; Admin/Service access only for operations and policy. | Audit history for security-sensitive changes; not a content version stream. | Exportable only through user data export; never as a portable project manifest. | |
| 87 | +| Identity | User-owned but platform-controlled authentication identity. | Private. | User can manage allowed identity links; Service owns authentication verification; Admin access is restricted and audited. | Security audit trail required; old credentials or provider tokens are not portable versions. | Not portable as Manifest/JSON; safe identity metadata may appear in account data export. | |
| 88 | +| Profile | User-owned public or semi-public profile surface. | Private, unlisted, or public. | User can edit profile fields; Moderator/Admin may restrict public visibility. | Profile revisions should be tracked for moderation and restore. | Exportable as profile JSON without protected identity or credential data. | |
| 89 | +| Project | User-owned or organization-owned project workspace. | Private, project, unlisted, or public. | Owner controls project membership; collaborators act through project roles. | Project versions should track major state snapshots and publish history. | Exportable as a project package containing portable manifests, JSON, and allowed assets. | |
| 90 | +| Tool State | Project-owned working state for a specific tool. | Inherits project visibility unless explicitly shared. | Editable by project owner or collaborators with tool edit permission. | Versioned as saved tool state revisions; active state must be explicit. | Exportable as toolState JSON when allowed by project permissions. | |
| 91 | +| Vector Asset | Project-owned or user-owned asset record. | Private, project, unlisted, public, or marketplace. | Editable by owner/project editors; publish/list permissions require asset publish role. | Versioned for edits, generated variants, and publish snapshots. | Exportable as vector JSON/SVG or project package asset reference. | |
| 92 | +| Palette | Project-owned, user-owned, or asset-linked color data. | Private, project, unlisted, public, or marketplace. | Editable by owner/project editors; reusable public palettes require visibility permission. | Versioned for palette edits and reuse history. | Exportable as palette JSON and includable in project/manifest exports. | |
| 93 | +| Asset | Project-owned, user-owned, or marketplace-owned content asset. | Private, project, unlisted, public, marketplace, or moderated. | Editable by owner/project editors; listing and reuse depend on visibility and rights. | Versioned for source edits, derived assets, and published snapshots. | Exportable as allowed file/path assets, metadata JSON, or project package entries. | |
| 94 | +| Game Manifest | Project-owned game definition record. | Private, project, unlisted, public, or published release-linked. | Editable by project editors; publish requires release/publish permission. | Versioned as manifest revisions with validation status. | Manifest is the canonical portable export/import format for game configuration. | |
| 95 | +| Release | Project-owned published output derived from a project and manifest. | Unlisted, public, marketplace, or moderated. | Created by users with publish permission; Admin/Moderator may restrict release visibility. | Immutable release versions preferred; superseding releases create new versions. | Exportable as release metadata plus portable manifest/package when rights allow. | |
| 96 | +| Rating | User-owned feedback attached to a release, asset, marketplace item, or community object. | Public or moderated when attached to public content; private only during review workflows. | User can create/edit within policy limits; Moderator/Admin can hide or remove. | Edit history should be tracked for abuse review; aggregate scores are derived-owned. | Exportable in user data export and public aggregate exports where policy allows. | |
| 97 | +| Comment | User-owned community text attached to a release, asset, project, marketplace item, or community object. | Public, unlisted, project, or moderated according to parent object. | Author can edit/delete within policy limits; Moderator/Admin can hide, lock, or remove. | Edit and moderation history should be retained. | Exportable by author and parent content export when policy allows; moderation data is not portable. | |
| 98 | +| Community Content | User-owned or project-owned shared content such as posts, tutorials, guides, showcases, or discussions. | Private draft, unlisted, public, or moderated. | Author/project editors can edit; Moderator/Admin manage policy enforcement. | Versioned for drafts, edits, published state, and moderation history. | Exportable as content JSON/Markdown plus allowed asset references. | |
| 99 | +| Marketplace Item | Owner-owned listing for an asset, template, release, game, bundle, or service. | Marketplace, unlisted, public, or moderated. | Owner/project publisher can manage listing; Moderator/Admin can review or restrict. | Versioned for listing revisions, price/licensing changes, and publish state. | Exportable as listing metadata JSON plus allowed item references; transaction internals are not portable. | |
| 100 | +| Translation | Project-owned, community-owned, or release-linked localization content. | Private, project, public, marketplace, or moderated according to parent object. | Translators/editors can propose or edit; owner/reviewer approves; Moderator/Admin can restrict public content. | Versioned by locale, string set, review status, and approved revision. | Exportable as localization JSON, language pack data, or manifest-linked translation bundle. | |
| 101 | + |
| 102 | +## Required Object Fields |
| 103 | + |
| 104 | +Every database object should define: |
| 105 | +- stable object id |
| 106 | +- object type |
| 107 | +- ownership owner type |
| 108 | +- ownership owner id |
| 109 | +- creation timestamp |
| 110 | +- update timestamp |
| 111 | +- visibility when shareable |
| 112 | +- permission policy or role source when editable |
| 113 | +- version or revision marker when versioned |
| 114 | +- export policy when portable or exportable |
| 115 | + |
| 116 | +Shareable objects should also define: |
| 117 | +- visibility state |
| 118 | +- discoverability state |
| 119 | +- moderation state when public or marketplace-facing |
| 120 | +- parent object id when visibility is inherited |
| 121 | + |
| 122 | +Editable objects should also define: |
| 123 | +- edit roles |
| 124 | +- publish roles when publication is possible |
| 125 | +- transfer rules when ownership can change |
| 126 | +- delete/archive rules |
| 127 | +- service access rules |
| 128 | + |
| 129 | +Exportable objects should also define: |
| 130 | +- export format |
| 131 | +- import target |
| 132 | +- dependency list |
| 133 | +- rights or license requirements |
| 134 | +- redaction rules for non-portable fields |
| 135 | + |
| 136 | +## Inheritance Rules |
| 137 | + |
| 138 | +Project-owned child objects: |
| 139 | +- Tool State, Vector Asset, Palette, Asset, Game Manifest, Release, and Translation records may inherit ownership from Project. |
| 140 | +- Inherited permissions must still be explicit through a project role or object policy. |
| 141 | + |
| 142 | +Parent-linked public objects: |
| 143 | +- Rating, Comment, Community Content, Marketplace Item, and Translation visibility may depend on parent content state. |
| 144 | +- Parent visibility must not silently expose a child object unless the child object is shareable and policy allows it. |
| 145 | + |
| 146 | +Derived records: |
| 147 | +- Release records are derived from Project, Game Manifest, and Asset records. |
| 148 | +- Marketplace Item records may derive from Asset, Game Manifest, Release, or Community Content records. |
| 149 | +- Aggregate rating summaries are derived from Rating records and should not replace source rating ownership. |
| 150 | + |
| 151 | +## Manifest And JSON Portability |
| 152 | + |
| 153 | +Manifest/JSON export should: |
| 154 | +- include portable content fields |
| 155 | +- include stable local references where possible |
| 156 | +- include dependency metadata needed for import |
| 157 | +- exclude protected identities, credentials, internal permissions, moderation internals, and database-only audit fields |
| 158 | +- make missing dependencies visible during import validation |
| 159 | + |
| 160 | +Manifest/JSON import should: |
| 161 | +- create new database ownership under the importing user or project |
| 162 | +- validate object type and version |
| 163 | +- reject invalid payloads before partial render or partial persistence |
| 164 | +- preserve portable relationships without assuming original database ids |
| 165 | + |
| 166 | +## Non-Goals |
| 167 | + |
| 168 | +This document does not: |
| 169 | +- define SQL schema |
| 170 | +- define API routes |
| 171 | +- implement database persistence |
| 172 | +- implement authentication |
| 173 | +- implement authorization checks |
| 174 | +- implement Admin pages |
| 175 | +- implement Account pages |
| 176 | +- change runtime behavior |
| 177 | +- change CSS, HTML, JavaScript, TypeScript, or JSON files |
0 commit comments