The visibility, membership, and history rules that govern threads. Written for the people using Cove — board members, keymasters, curious skeptics — not the people writing it.
Everyone participating in a Cove hub is a keypair — an Ed25519 public key attested by the group’s root, plus the private key that lives on their device and nowhere else. The attestation is a signed record in the directory manifest: it names the person, their affiliation, their role, and the pubkey those things belong to.
You’re not a “user” with a username and password. You’re an attested keypair. Every message you post is signed by that private key on your own device before it leaves. The hub can prove you wrote it. Nobody can post in your name without your private key.
Threads come in two visibility shapes:
kind=’audience’ entry establishes the list. Anyone not in the list will not see the thread in their sidebar, their inbox, or their /sync response — the hub filters them out at every surface.
The audience-entry-establishes-visibility rule is enforced hub-side. A member who isn’t in the audience can’t just guess the thread name and read it — /sync returns an empty list to them, same as if the thread didn’t exist. The hub doesn’t 404 on private threads (that would leak existence); it just looks empty from the outside.
Anyone currently in the audience can rewrite the audience. To add Amy to a group thread you’re in, you tap the audience chip at the top of the thread, check her name, and save. Cove signs a new audience entry with the updated list.
The rule is anyone currently in the audience can grow (or shrink) the audience, not only the creator can. Cove doesn’t treat the creator as a permanent custodian of the group. If the group is you and two others, any of the three can add a fourth.
Same mechanism. Anyone in the audience opens the audience chip, unchecks the person, and saves. That signs a new audience entry with the shorter list. From that point forward, the removed person’s /sync requests return an empty list for that thread and it disappears from their sidebar.
Everything they saw before their removal stays visible to them locally — Cove can’t reach into their client and yank prior messages. But no new entries flow to them, and the hub won’t serve the thread’s history to them again if they clear their cache.
Not yet a first-class action — the UI currently guards against accidentally unchecking yourself in the audience-edit dialog. The intended way to leave today is to ask another member of the group to remove you. For a group of three that’s a text message; for a group of two, archiving the thread is usually the honest signal.
A proper “Leave this thread” button is on the roadmap. When it lands, it’ll respect the same rule — you sign an audience entry with yourself removed — just without the click-through required to talk another member into doing it.
When Cove decides whether to hand you a message, it consults the current audience — not the audience at the time the message was posted. This has a consequence people don’t always expect:
That’s deliberate. A board that adds a new officer to a private “board only” thread is welcoming them into the ongoing conversation, not into a walled section of it. Cove doesn’t make you re-explain last month’s decision every time somebody new joins.
If you need “only-from-here-onward” visibility for a specific member, use a fresh thread instead. That’s the honest signal: this is a different conversation.
Public threads follow the same logic. Every newly-attested member automatically sees every past public thread from the beginning. Notices posted before someone joined the group are readable by them the moment they authenticate.
Ephemeral threads carry a TTL — a delete-by date declared at creation. Everything works exactly like a permanent thread while it’s alive: signed messages, signed receipts, tamper-evident per-thread log, verifiable inclusion proofs. At expiration, the hub deletes the entries and publishes a signed tombstone in the main log that pins the thread’s final signed tree head.
Anything you can do in a permanent thread you can do in an ephemeral one, except: notices, membership entries, supersede entries, revocations, branches, archives, and reopens. Those are governance actions and don’t belong in a container that’s going to disappear. Ephemeral threads carry conversation and audience, nothing structural.
Only ephemeral threads can be deleted. Permanent threads are permanent by definition — the whole point of the tamper-evident log.
An ephemeral thread ends in one of two ways:
Revocation is a governance action, signed by the root key. It says “this pubkey is no longer a valid participant on this hub, as of this timestamp.”
From that moment:
/sync, they can’t /stream.Every notice, post, and reply generates a signed receipt from each recipient when they read it. The receipts are entries in the log — verifiable, timestamped, tamper-evident. They’re what makes “did Alice read this” a factual question with an audit trail, not a matter of trust.
The delivery-status card you can tap on any message answers “who has ack’d this?” against the current membership:
The receipt log is what makes “I never got the email” a claim that can be examined. The delivery card is what makes the examination cheap.
Rules can change — the shipped code is authoritative. If something on this page disagrees with what the current hub actually does, the hub wins and this doc is out of date. Ping the source repo with the discrepancy and we’ll fix it.