← Tech
Exploration Design stage — this describes architecture being explored, not what's currently built.
User A promote User B share Hive

Scope & Promotion

21 Mar 2026 · Tristan Wright

Private by Default

Everything you and your agents learn is private to you. Your projects, your memories, your discoveries — nobody else sees them unless you explicitly choose to share.

The current system scopes memories by userId and projectId. The target architecture extends this into a three-level hierarchy:

  • Project scope — specific to one project. “This app uses Tailwind 4.”
  • User scope — shared across all your projects. “I prefer TypeScript.”
  • Hive scope — shared with the whole team. “We deploy to DigitalOcean.”

Each level would inherit from the one above. When your agent is working on a project, it could read project memories, your user memories, and hive memories — but only write to the project or user level.

Domains — Cross-Cutting Organisation

Knowledge doesn’t fit neatly into a hierarchy. A pricing decision spans business and engineering. A deployment pattern spans engineering and marketing (for landing pages). So in the planned design, domains are tags, not scope levels.

Each domain would have a steward — someone who reviews promoted content for that area. Stewards advise, they don’t gate. A memory can belong to multiple domains.

  • business — pricing, fundraising, strategy
  • product — features, UX, user research
  • engineering — stack, infra, patterns
  • marketing — content, positioning, growth

The Promotion Bridge

Moving knowledge from user scope to hive scope would be treated as a security boundary. The planned design uses two isolated memory systems with a carefully controlled bridge. None of this is implemented yet — it describes the target architecture.

  1. Candidate emerges — a memory is validated by 2 or more distinct users (not just reused by one person). High-sensitivity memories are ineligible.
  2. User notification — the originating user is notified: “A learning from your session is being considered for sharing.” They can approve, reject, or edit.
  3. Source-blind review — the domain steward sees the memory without attribution. Is this generic enough to share? An adversarial LLM check screens for harmful or misleading content.
  4. Promotion — the memory enters hive scope. Attribution is stripped (replaced with a system identifier). Domain tags are assigned.
  5. Retroactive withdrawal — you can view and withdraw your promoted memories at any time. Downstream briefings regenerate.
Technical Detail — Scope Hierarchy 
hive (global)
  └── user_alice
       ├── project_alpha
       └── project_beta
  └── user_bob
       └── project_gamma

Read inherits down. Write to own scope only. Promotion requires review.

The planned promotion queue would use a separate Convex table:

// promotionCandidates table — planned, not yet implemented
{
  source_fact: Id<"facts">,
  status: "pending" | "approved" | "rejected" | "withdrawn",
  distinct_user_validations: number,  // must be >= 2
  sensitivity_check: "pass" | "flagged",
  adversarial_check: "pass" | "flagged" | "pending",
  originator_consent: "approved" | "rejected" | "pending",
  reviewer: Id<"users"> | null,       // domain steward
}

Why domains aren’t a scope layer: a founder owns business AND product. A project spans marketing AND engineering. Forcing domains into a hierarchy creates artificial single-parent assignments. Tags with stewards handles reality.