🚪

The arrival stance

Every visitor, before they identify

For visitors who are strangers to the protocol. No signed-in identity anywhere. A regular stance, not a protocol special case. Every land that speaks IBP runs one, with permissions configured per land. That single configuration surface covers the full spectrum from a fully closed personal land to a fully open public space.

Note. Arrival is not what happens when an identified visitor reaches a different land. Identities carry across lands; the receiving land's policy assigns the visitor a stance other than arrival. How the layer handles that →

Back to IBP The Seed Governing

One protocol rule, then everything is land config

IBP makes exactly two structural commitments about arrival. Beyond these, every land decides for itself what an arrival can see, do, or say.

Every land has an arrival stance. Required so unestablished visitors have something to be. Without it, an anonymous request would have no stance to attach to and no permissions to check against.

BE addressed at the auth-being is always permitted from an arrival. The bootstrap rule. Without this, an arrival could never register or claim, and could never become anything other than an arrival.

That's it. SEE, DO, SUMMON, and every other BE operation are land-configured. Permission for an arrival to do any of them is whatever metadata the land has set for the arrival stance.

The configuration spectrum

One configuration surface (the arrival stance's permissions per verb) covers the full range from "completely closed" to "fully open." Land owners pick where on the spectrum their land sits.

Closed

Private personal land

BE-claim only (login by the owner). BE-register disabled. SEE, DO, SUMMON all denied. Nothing is visible to arrivals. Useful for personal installations or private workspaces.

Closed

Invite-only community

BE-register requires an invite code (or is disabled). BE-claim available for existing members. SEE limited to a public "about" surface, or nothing. Private communities, research environments, internal lands.

Middle

Public profiles, sign-in for participation

Arrival can SEE positions with visibility: public (introduction, what kind of place it is, what beings live here, public artifacts). To do anything beyond viewing requires BE-register or BE-claim. Common pattern for community sites that want discoverability without anonymous interaction.

Middle

Open browsing, sign-in for engagement

Broader SEE: arrivals can browse everything marked public. Still can't SUMMON or DO until they sign in. Useful for content-oriented lands like a publication, a research archive, a public garden.

Middle

Limited interaction without sign-in

Arrival gets specific DO permissions at specific scopes. Leave a guestbook entry, submit an inquiry, fill out a contact form. The land lets visitors interact in bounded ways without requiring registration.

Open

Public-facing beings reachable

Arrival can SUMMON to specific public-facing beings named in allowed_targets (a greeter, help desk, guide). Still can't reach private beings. The land has public beings as part of its surface for unauthenticated visitors.

Open

Fully open community

Arrival has near-full permissions: SEE public, DO with allowed_actions: "*", SUMMON with allowed_targets: "*". Sign-in is optional and just for persistence and identity. Useful for very open community spaces.

Configuration shape

The arrival stance's permissions live in the land's metadata under the role namespace. Each verb gets its own simple allow rule. The kernel checks them on every request from an arrival.

// at the Land Position
metadata.beings.arrival.permissions = {
  see:  { allowed_visibility: ["public"] },
  do:   { allowed_actions: [] },
  summon: { allowed_targets: [] },
  be:   { allowed_operations: ["register", "claim"] }
}

// land-level BE flags read by the auth-being
metadata.auth.register_enabled = true
metadata.auth.claim_enabled    = true

What this shape supports. SEE on positions whose visibility field is in the allow list (the Node schema already carries visibility). DO actions restricted to a named list, or "*" for all, or [] for none. SUMMON targeted at a named role list ("@auth", "@guide"), or "*", or []. BE operations restricted to a subset of register / claim / release / switch.

The shape extends in place as lands surface needs for richer rule semantics: glob path matching, conflict resolution between overlapping rules, per-action scope-and-namespace constraints. Same metadata namespace, richer rule shape.

The same configuration shape works for every stance a land defines. The kernel function that reads it and enforces it is Portal Authorization. See how the layer works →

Deployment templates

Most lands fall into a small number of recognizable patterns. The TreeOS reference implementation ships templates so installers don't have to author arrival permissions from scratch. The defaults are conservative; pick a template to open up.

Personal home

SEE: denied

DO: denied

SUMMON: denied

BE: claim only (register disabled)

Your own land for personal use. Nothing visible to arrivals. Only you log in.

Community

SEE: public surfaces

DO: denied

SUMMON: @auth, @host

BE: register, claim

Multi-user land. Public profile content visible. Anyone can register or claim. Participation requires sign-in.

Public service

SEE: public surfaces

DO: bounded (forms, guestbook)

SUMMON: public beings (greeter, support)

BE: register, claim

Service-oriented land. Visitors can interact in bounded ways without signing in. Sign-in optional for richer access.

The architectural pattern this expresses

The arrival stance is not a special protocol concept. It is just a stance whose permissions a land happens to configure for "someone who has arrived but hasn't been welcomed." The same authorization layer that checks any other stance's permissions checks the arrival stance.

This means the protocol commits to almost nothing about arrivals (two rules, see above) and pushes all the variation to the land's configuration. The web's flexibility comes partly from HTTP being minimal and HTML/CSS/JS handling all the expressiveness above. IBP follows the same pattern. The substrate stays small; the lands handle their own character.

The same architectural move applies to other stances a land might define. A "guest" stance for recognized visitors with ongoing presence. A "member" stance for full participants. A "moderator," "contributor," "owner." Each is a role with permissions. Land owners shape the taxonomy that fits their land's character. The protocol stays uniform underneath.

Different lands feel different because they configure differently, not because the protocol has different modes.